From b80204f4751eabb0dc95fbf02eb8b7b0521706ad Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 01 2017 03:29:08 +0000
Subject: import pki-core-10.4.1-11.el7


---

diff --git a/.gitignore b/.gitignore
index ec79473..b52c028 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-core-10.3.3.tar.gz
+SOURCES/pki-core-10.4.1.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index a9389db..59de659 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-4b632673e6e3cfe391277f73bd2782f9f60de985 SOURCES/pki-core-10.3.3.tar.gz
+5187b494ec33ba6f11e5fc3204d891b2c46ac9b2 SOURCES/pki-core-10.4.1.tar.gz
diff --git a/SOURCES/pki-core-Always-check-FIPS-mode-at-installation-time.patch b/SOURCES/pki-core-Always-check-FIPS-mode-at-installation-time.patch
new file mode 100644
index 0000000..5be0f9c
--- /dev/null
+++ b/SOURCES/pki-core-Always-check-FIPS-mode-at-installation-time.patch
@@ -0,0 +1,28 @@
+From ad8c47aaf675bbda7b2ab50e6fc20b22862f83c3 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen <mharmsen@redhat.com>
+Date: Tue, 23 May 2017 11:46:41 -0600
+Subject: [PATCH] Always check FIPS mode at installation time
+
+- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error
+
+(cherry picked from commit 3249ddc2c19f6f5ded11823b345c9c58bae4750b)
+---
+ base/server/python/pki/server/deployment/scriptlets/initialization.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
+index 0e31543..4dc4e9a 100644
+--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
++++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
+@@ -42,6 +42,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+         # ALWAYS establish 'uid' and 'gid'
+         deployer.identity.set_uid(deployer.mdict['pki_user'])
+         deployer.identity.set_gid(deployer.mdict['pki_group'])
++        # ALWAYS check FIPS mode
++        deployer.fips.is_fips_enabled()
+         # ALWAYS initialize HSMs (when and if present)
+         deployer.hsm.initialize()
+         if config.str2bool(deployer.mdict['pki_skip_installation']):
+-- 
+1.8.3.1
+
diff --git a/SOURCES/pki-core-BASE-format-G-and-D-cards.patch b/SOURCES/pki-core-BASE-format-G-and-D-cards.patch
deleted file mode 100644
index 8a97b0c..0000000
--- a/SOURCES/pki-core-BASE-format-G-and-D-cards.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 618a17ad33363633c6589c4ce7170c34f21bf459 Mon Sep 17 00:00:00 2001
-From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
-Date: Tue, 15 Nov 2016 17:37:07 -0800
-Subject: [PATCH] Change lifecycle at end of enrollment if it is not already
- set.
-
-TPS throws "err=6" when attempting to format and enroll G&D Cards.
-https://bugzilla.redhat.com/show_bug.cgi?id=1320283
-
-This fix addresses this bug , but also:
-Fixes this issue:
-
-Applet upgrade during rekey operation results in formatted token.
-
- Also, it takes care of a related issue where the new apdu needed for the
-lifecycle state causes the testing tool "tpslcient" to seg fault.
-The fix here is a minimal fix to have tpsclient return an error when it gets
-this apdu it can't handle, instead of crashing.
-
-(cherry picked from commit 4027d3caa872f2950dae0b3d2208c0c54ceb4a4c)
-(cherry picked from commit fbb7cf7d70263aa63274a41ecba235bc87c961f0)
----
- base/common/src/org/dogtagpki/tps/apdu/APDU.java   |  3 +-
- .../org/dogtagpki/tps/apdu/GetLifecycleAPDU.java   | 35 +++++++++++++
- 2 files changed, 37 insertions(+), 1 deletions(-)
- create mode 100644 base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java
-
-diff --git a/base/common/src/org/dogtagpki/tps/apdu/APDU.java b/base/common/src/org/dogtagpki/tps/apdu/APDU.java
-index 86f07ee..390252f 100644
---- a/base/common/src/org/dogtagpki/tps/apdu/APDU.java
-+++ b/base/common/src/org/dogtagpki/tps/apdu/APDU.java
-@@ -56,7 +56,8 @@ public abstract class APDU {
-         APDU_IMPORT_KEY_ENC,
-         APDU_SET_ISSUERINFO,
-         APDU_GET_ISSUERINFO,
--        APDU_GENERATE_KEY_ECC
-+        APDU_GENERATE_KEY_ECC,
-+        APDU_GET_LIFECYCLE
-     }
- 
-     protected byte cla;
-diff --git a/base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java b/base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java
-new file mode 100644
-index 0000000..6f55b01
---- /dev/null
-+++ b/base/common/src/org/dogtagpki/tps/apdu/GetLifecycleAPDU.java
-@@ -0,0 +1,35 @@
-+package org.dogtagpki.tps.apdu;
-+
-+import org.dogtagpki.tps.main.TPSBuffer;
-+
-+
-+public class GetLifecycleAPDU extends APDU {
-+    public GetLifecycleAPDU() {
-+        setCLA((byte) 0xB0);
-+        setINS((byte) 0xf2);
-+        setP1((byte) 0x0);
-+        setP2((byte) 0x0);
-+    }
-+
-+    @Override
-+    public Type getType()
-+    {
-+        return Type.APDU_GET_LIFECYCLE;
-+    }
-+
-+    @Override
-+    public TPSBuffer getEncoding()
-+    {
-+        TPSBuffer encoding = new TPSBuffer();
-+
-+        encoding.add(cla);
-+        encoding.add(ins);
-+        encoding.add(p1);
-+        encoding.add(p2);
-+        encoding.add((byte) 0x01);
-+
-+        return encoding;
-+    } /* Encode */
-+
-+
-+}
--- 
-1.8.3.1
diff --git a/SOURCES/pki-core-CA-certificate-profiles-startTime-param.patch b/SOURCES/pki-core-CA-certificate-profiles-startTime-param.patch
deleted file mode 100644
index 4bacf4a..0000000
--- a/SOURCES/pki-core-CA-certificate-profiles-startTime-param.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From 3ef576f59d5f554ea222754885e88538c2c9c596 Mon Sep 17 00:00:00 2001
-From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
-Date: Wed, 26 Apr 2017 15:21:39 -0700
-Subject: [PATCH] CA in the certificate profiles the startTime parameter is not
- working as expected.
-
-This simple fix addresses an overflow in the "startTime" paramenter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than ValidityDefault.java, there were possibly some values that could be changed from int to long. Due to the complexity of some of the calculations involved in some of those cases, it is best to fix the exact issue at hand instead of introducing some other possible side effects.
-
-(cherry picked from commit d98f20d33378a37898d4d6ffec80b09261504823)
-(cherry picked from commit 47990407d31501ae6c867d2f1a168b4d7cb22a5e)
----
- .../src/com/netscape/cms/profile/def/CAValidityDefault.java  | 12 ++++++------
- .../cms/profile/def/PrivateKeyUsagePeriodExtDefault.java     |  4 ++--
- .../netscape/cms/profile/def/RandomizedValidityDefault.java  |  2 +-
- .../src/com/netscape/cms/profile/def/ValidityDefault.java    | 10 +++++-----
- 4 files changed, 14 insertions(+), 14 deletions(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
-index 2df256e..2ecd484 100644
---- a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
-@@ -24,6 +24,11 @@ import java.util.Calendar;
- import java.util.Date;
- import java.util.Locale;
- 
-+import netscape.security.x509.BasicConstraintsExtension;
-+import netscape.security.x509.CertificateValidity;
-+import netscape.security.x509.PKIXExtensions;
-+import netscape.security.x509.X509CertInfo;
-+
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.IConfigStore;
- import com.netscape.certsrv.ca.ICertificateAuthority;
-@@ -34,11 +39,6 @@ import com.netscape.certsrv.property.EPropertyException;
- import com.netscape.certsrv.property.IDescriptor;
- import com.netscape.certsrv.request.IRequest;
- 
--import netscape.security.x509.BasicConstraintsExtension;
--import netscape.security.x509.CertificateValidity;
--import netscape.security.x509.PKIXExtensions;
--import netscape.security.x509.X509CertInfo;
--
- /**
-  * This class implements a CA signing cert enrollment default policy
-  * that populates a server-side configurable validity
-@@ -348,7 +348,7 @@ public class CAValidityDefault extends EnrollDefault {
-         if (startTimeStr == null || startTimeStr.equals("")) {
-             startTimeStr = "60";
-         }
--        int startTime = Integer.parseInt(startTimeStr);
-+        long startTime = Long.parseLong(startTimeStr);
- 
-         Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime));
-         CMS.debug("CAValidityDefault: not before: " + notBefore);
-diff --git a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
-index 6532a13..2f05f32 100644
---- a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
-@@ -296,13 +296,13 @@ public class PrivateKeyUsagePeriodExtDefault extends EnrollExtDefault {
-             if (startTimeStr == null || startTimeStr.equals("")) {
-                 startTimeStr = "60";
-             }
--            int startTime = Integer.parseInt(startTimeStr);
-+            long startTime = Long.parseLong(startTimeStr);
-             Date notBefore = new Date(CMS.getCurrentDate().getTime() +
-                     (1000 * startTime));
-             long notAfterVal = 0;
- 
-             notAfterVal = notBefore.getTime() +
--                    (mDefault * Integer.parseInt(getConfig(CONFIG_DURATION)));
-+                    (mDefault * Long.parseLong(getConfig(CONFIG_DURATION)));
-             Date notAfter = new Date(notAfterVal);
- 
-             ext = new PrivateKeyUsageExtension(notBefore, notAfter);
-diff --git a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java
-index 6308715..ce69c15 100644
---- a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java
-@@ -290,7 +290,7 @@ public class RandomizedValidityDefault extends EnrollDefault {
-         if (startTimeStr == null || startTimeStr.equals("")) {
-             startTimeStr = "60";
-         }
--        int startTime = Integer.parseInt(startTimeStr);
-+        long startTime = Long.parseLong(startTimeStr);
- 
-         String notBeforeRandomBitsStr = getConfig(CONFIG_NOT_BEFORE_RANDOM_BITS);
-         if (notBeforeRandomBitsStr == null || notBeforeRandomBitsStr.length() == 0) {
-diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
-index 21ec8ea..a74ccdf 100644
---- a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
-@@ -24,6 +24,10 @@ import java.util.Calendar;
- import java.util.Date;
- import java.util.Locale;
- 
-+import netscape.security.x509.CertificateValidity;
-+import netscape.security.x509.X509CertImpl;
-+import netscape.security.x509.X509CertInfo;
-+
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.IConfigStore;
- import com.netscape.certsrv.ca.ICertificateAuthority;
-@@ -34,10 +38,6 @@ import com.netscape.certsrv.property.EPropertyException;
- import com.netscape.certsrv.property.IDescriptor;
- import com.netscape.certsrv.request.IRequest;
- 
--import netscape.security.x509.CertificateValidity;
--import netscape.security.x509.X509CertImpl;
--import netscape.security.x509.X509CertInfo;
--
- /**
-  * This class implements an enrollment default policy
-  * that populates a server-side configurable validity
-@@ -265,7 +265,7 @@ public class ValidityDefault extends EnrollDefault {
-         if (startTimeStr == null || startTimeStr.equals("")) {
-             startTimeStr = "60";
-         }
--        int startTime = Integer.parseInt(startTimeStr);
-+        long startTime = Long.parseLong(startTimeStr);
- 
-         Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime));
-         CMS.debug("ValidityDefault: not before: " + notBefore);
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-CMC-check-HTTPS-client-authentication-cert.patch b/SOURCES/pki-core-CMC-check-HTTPS-client-authentication-cert.patch
new file mode 100644
index 0000000..2783a45
--- /dev/null
+++ b/SOURCES/pki-core-CMC-check-HTTPS-client-authentication-cert.patch
@@ -0,0 +1,615 @@
+From 32cf3850935590f7f4cd457b824cc296b6af44b9 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Wed, 14 Jun 2017 14:57:10 -0700
+Subject: [PATCH 2/4] Ticket#2737 CMC: check HTTPS client authentication cert
+ against CMC signer
+
+This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert.
+Some auditing adjustments are also done.
+
+(cherry picked from commit 63c9582009b3858a6878863b9658d04c9aad45c1)
+---
+ base/ca/shared/conf/CS.cfg                         |   3 +-
+ .../com/netscape/certsrv/base/SessionContext.java  |   7 +
+ .../cms/authentication/CMCUserSignedAuth.java      | 220 ++++++++++++++-------
+ .../profile/constraint/UniqueKeyConstraint.java    |   8 +-
+ .../com/netscape/cms/servlet/base/CMSServlet.java  |  10 +-
+ .../servlet/profile/ProfileSubmitCMCServlet.java   |   7 +
+ base/server/cmsbundle/src/LogMessages.properties   |   4 +-
+ 7 files changed, 175 insertions(+), 84 deletions(-)
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index d1bf7db..4da7429 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -734,11 +734,10 @@ ca.publish.rule.instance.LdapXCertRule.pluginName=Rule
+ ca.publish.rule.instance.LdapXCertRule.predicate=
+ ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
+ ca.publish.rule.instance.LdapXCertRule.type=xcert
+-cmc.cert.confirmRequired=false
+ cmc.popLinkWitnessRequired=false
+-cmc.revokeCert.verify=true
+ cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+ cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
++cmc.token=internal
+ cms.passwordlist=internaldb,replicationdb
+ cms.password.ignore.publishing.failure=true
+ cms.version=@APPLICATION_VERSION_MAJOR@.@APPLICATION_VERSION_MINOR@
+diff --git a/base/common/src/com/netscape/certsrv/base/SessionContext.java b/base/common/src/com/netscape/certsrv/base/SessionContext.java
+index 8bcb3c1..9323e6e 100644
+--- a/base/common/src/com/netscape/certsrv/base/SessionContext.java
++++ b/base/common/src/com/netscape/certsrv/base/SessionContext.java
+@@ -56,6 +56,13 @@ public class SessionContext extends Hashtable<Object, Object> {
+      * Principal name object of the signed CMC request
+      */
+     public static final String CMC_SIGNER_PRINCIPAL = "cmcSignerPrincipal";
++    public static final String CMC_SIGNER_INFO = "cmcSignerInfo";
++    public static final String CMC_REQUEST_CERT_SUBJECT = "cmcRequestCertSubject";
++
++   /**
++    * authenticated SSL client certificate
++    */
++    public static final String SSL_CLIENT_CERT = "sslClientCert";
+ 
+     /**
+      * User object of the authenticated user in the current thread.
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+index 2e4d6dc..6c3ee8f 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+@@ -28,6 +28,7 @@ package com.netscape.cms.authentication;
+ import java.io.ByteArrayInputStream;
+ import java.io.ByteArrayOutputStream;
+ import java.io.IOException;
++import java.security.cert.X509Certificate;
+ import java.math.BigInteger;
+ import java.security.MessageDigest;
+ import java.security.PublicKey;
+@@ -260,11 +261,27 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+         CMS.debug(method + "begins");
+ 
+         String auditMessage = null;
+-        String auditSubjectID = auditSubjectID();
++        String auditSubjectID = getAuditSubjectID();
+         String auditReqType = ILogger.UNIDENTIFIED;
+-        String auditCertSubject = ILogger.UNIDENTIFIED;
++        String requestCertSubject = ILogger.UNIDENTIFIED;
+         String auditSignerInfo = ILogger.UNIDENTIFIED;
+ 
++        SessionContext auditContext = SessionContext.getExistingContext();
++
++        // create audit context if clientCert exists
++        X509Certificate clientCert =
++               (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
++        // null is okay, as it is not required in case of self-sign;
++        // will be checked later
++        if (clientCert != null) {
++            try {
++                createAuditSubjectFromCert(auditContext, clientCert);
++            } catch (IOException e) { 
++               //unlikely, and not necessarily required at this point
++               CMS.debug("CMSUserSignedAuth: authenticate: after createAuditSubjectFromCert call; " + e);
++            }
++        }
++
+         // ensure that any low-level exceptions are reported
+         // to the signed audit log and stored as failures
+         try {
+@@ -296,8 +313,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                 throw new EInvalidCredentials(msg);
+             }
+ 
+-            SessionContext auditContext = SessionContext.getExistingContext();
+-
+             // authenticate by checking CMC.
+ 
+             // everything OK.
+@@ -364,13 +379,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                                 }
+                                 // reset value of auditSignerInfo
+                                 if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) {
+-                                    CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim());
+-                                    auditSignerInfo = uid.trim();
++                                    //CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim());
++                                    //auditSignerInfo = uid.trim();
+                                     auditSubjectID = uid.trim();
+                                     authToken.set(IAuthToken.USER_ID, auditSubjectID);
+                                 } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) {
+-                                    CMS.debug(method + "setting auditSignerInfo to userid:" + userid);
+-                                    auditSignerInfo = userid.trim();
++                                    //CMS.debug(method + "setting auditSignerInfo to userid:" + userid);
++                                    //auditSignerInfo = userid.trim();
+                                     auditSubjectID = userid.trim();
+                                     authToken.set(IAuthToken.USER_ID, auditSubjectID);
+                                 }
+@@ -538,16 +553,17 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                                 }
+ 
+                                 PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver);
+-                                // reset value of auditCertSubject
++                                // reset value of requestCertSubject
+                                 X500Name tempName = pkcs10.getSubjectName();
+                                 CMS.debug(method + "request subject name=" + tempName.toString());
+                                 if (tempName != null) {
+-                                    auditCertSubject = tempName.toString().trim();
+-                                    if (auditCertSubject.equals("")) {
+-                                        auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
++                                    requestCertSubject = tempName.toString().trim();
++                                    if (requestCertSubject.equals("")) {
++                                        requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+                                     }
+                                     authToken.set(AuthToken.TOKEN_CERT_SUBJECT,
+-                                            auditCertSubject/*tempName.toString()*/);
++                                            requestCertSubject/*tempName.toString()*/);
++                                    auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject);
+                                 }
+ 
+                                 if (selfSigned) {
+@@ -632,17 +648,18 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                                 // xxx do we need to do anything else?
+                                 X509CertInfo certInfo = CMS.getDefaultX509CertInfo();
+ 
+-                                // reset value of auditCertSubject
++                                // reset value of requestCertSubject
+                                 if (name != null) {
+                                     String ss = name.getRFC1485();
+ 
+-                                    CMS.debug(method + "setting auditCertSubject to: " + ss);
+-                                    auditCertSubject = ss;
+-                                    if (auditCertSubject.equals("")) {
+-                                        auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
++                                    CMS.debug(method + "setting requestCertSubject to: " + ss);
++                                    requestCertSubject = ss;
++                                    if (requestCertSubject.equals("")) {
++                                        requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+                                     }
+ 
+                                     authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss);
++                                    auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject);
+                                     //authToken.set("uid", uid);
+                                     //authToken.set("userid", userid);
+                                 }
+@@ -696,10 +713,15 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+                 authToken.set("uid", uid);
+                 authToken.set("userid", userid);
++            } catch (EMissingCredential e) {
++                throw e;
++            } catch (EInvalidCredentials e) {
++                throw e;
+             } catch (Exception e) {
+-                CMS.debug(method + e);
++                //CMS.debug(method + e);
+                 //Debug.printStackTrace(e);
+-                throw new EInvalidCredentials(e.toString());
++                //throw new EInvalidCredentials(e.toString());
++                throw e;
+             }
+ 
+             // For accuracy, make sure revocation by shared secret doesn't
+@@ -709,11 +731,11 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+                         AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,
+-                        auditSubjectID,
++                        getAuditSubjectID(),
+                         ILogger.SUCCESS,
+                         auditReqType,
+-                        auditCertSubject,
+-                        auditSignerInfo);
++                        getRequestCertSubject(auditContext),
++                        getAuditSignerInfo(auditContext));
+ 
+                 audit(auditMessage);
+             } else {
+@@ -725,17 +747,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+             return authToken;
+         } catch (EMissingCredential eAudit1) {
+             CMS.debug(method + eAudit1);
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
+-                    auditSubjectID,
+-                    ILogger.FAILURE,
+-                    auditReqType,
+-                    auditCertSubject,
+-                    auditSignerInfo,
+-                    eAudit1.toString());
+-
+-            audit(auditMessage);
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+@@ -744,11 +755,11 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+                     AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
+-                    auditSubjectID,
++                    getAuditSubjectID(),
+                     ILogger.FAILURE,
+                     auditReqType,
+-                    auditCertSubject,
+-                    auditSignerInfo,
++                    getRequestCertSubject(auditContext),
++                    getAuditSignerInfo(auditContext),
+                     eAudit2.toString());
+ 
+             audit(auditMessage);
+@@ -760,11 +771,11 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+                     AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
+-                    auditSubjectID,
++                    getAuditSubjectID(),
+                     ILogger.FAILURE,
+                     auditReqType,
+-                    auditCertSubject,
+-                    auditSignerInfo,
++                    getRequestCertSubject(auditContext),
++                    getAuditSignerInfo(auditContext),
+                     eAudit3.toString());
+ 
+             audit(auditMessage);
+@@ -776,17 +787,17 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+                     AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
+-                    auditSubjectID,
++                    getAuditSubjectID(),
+                     ILogger.FAILURE,
+                     auditReqType,
+-                    auditCertSubject,
+-                    auditSignerInfo,
++                    getRequestCertSubject(auditContext),
++                    getAuditSignerInfo(auditContext),
+                     eAudit4.toString());
+ 
+             audit(auditMessage);
+ 
+-            // rethrow the specific exception to be handled later
+-            throw eAudit4;
++            // rethrow the exception to be handled later
++            throw new EBaseException(eAudit4);
+         }
+     }
+ 
+@@ -935,8 +946,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+             SessionContext auditContext, // to capture info in case of failure
+             AuthToken authToken,
+             SignedData cmcFullReq)
+-            throws EBaseException {
++            throws EBaseException, EInvalidCredentials, EMissingCredential {
+         String method = "CMCUserSignedAuth: verifySignerInfo: ";
++        String msg = "";
+         CMS.debug(method + "begins");
+         EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
+         OBJECT_IDENTIFIER id = ci.getContentType();
+@@ -1001,7 +1013,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                     if (cmcFullReq.hasCertificates()) {
+                         SET certs = cmcFullReq.getCertificates();
+                         int numCerts = certs.size();
+-                        java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1];
++                        X509Certificate[] x509Certs = new X509Certificate[1];
+                         byte[] certByteArray = new byte[0];
+                         for (int j = 0; j < numCerts; j++) {
+                             Certificate certJss = (Certificate) certs.elementAt(j);
+@@ -1029,25 +1041,44 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                         }
+ 
+                         CMS.debug(method + "start checking signature");
+-                        String CN = null;
+                         if (cert == null) {
+                             // find from certDB
+                             CMS.debug(method + "verifying signature");
+                             si.verify(digest, id);
+                         } else {
+-                            CMS.debug(method + "found signing cert... verifying");
++                            CMS.debug(method + "found CMC signing cert... verifying");
++
++                            X509Certificate clientCert =
++                                    (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
++                            // user-signed case requires ssl client authentication
++                            if (clientCert == null) {
++                                createAuditSubjectFromCert(auditContext, x509Certs[0]);
++                                msg = "missing SSL client authentication certificate;";
++                                CMS.debug(method + msg);
++                                s.close();
++                                throw new EMissingCredential(
++                                        CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT"));
++                            }
++                            netscape.security.x509.X500Name clientPrincipal =
++                                    (X500Name) clientCert.getSubjectDN();
+ 
+-                            // capture auditSubjectID first in case of failure
+-                            netscape.security.x509.X500Name principal =
++                            netscape.security.x509.X500Name cmcPrincipal =
+                                     (X500Name) x509Certs[0].getSubjectDN();
+ 
+                             // capture signer principal to be checked against
+                             // cert subject principal later in CMCOutputTemplate
+                             // in case of user signed revocation
+-                            auditContext.put(SessionContext.CMC_SIGNER_PRINCIPAL, principal);
+-                            CN = principal.getCommonName(); //tempToken.get("userid");
+-                            CMS.debug(method + " Principal name = " + CN);
+-                            auditContext.put(SessionContext.USER_ID, CN);
++                            auditContext.put(SessionContext.CMC_SIGNER_PRINCIPAL, cmcPrincipal);
++                            auditContext.put(SessionContext.CMC_SIGNER_INFO, cmcPrincipal.getCommonName());
++
++                            // check ssl client cert against cmc signer
++                            if (!clientPrincipal.equals(cmcPrincipal)) {
++                                msg = "SSL client authentication certificate and CMC signer do not match";
++                                CMS.debug(method + msg);
++                                s.close();
++                                throw new EInvalidCredentials(
++                                        CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
++                            }
+ 
+                             PublicKey signKey = cert.getPublicKey();
+                             PrivateKey.Type keyType = null;
+@@ -1064,10 +1095,11 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                                 byte publicKeyData[] = ((X509Key) signKey).getEncoded();
+                                 pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData);
+                             } else {
+-                                CMS.debug(method + "unsupported signature algorithm: " + alg);
++                                msg = "unsupported signature algorithm: " + alg;
++                                CMS.debug(method +  msg);
+                                 s.close();
+                                 throw new EInvalidCredentials(
+-                                        CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                                        CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+                             }
+ 
+                             String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
+@@ -1095,9 +1127,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                         // ...or not;  I think it just checks usage and
+                         // validity, but not revocation status
+                         if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) {
+-                            CMS.debug(method + "CMC signature failed to be verified");
++                            msg = "CMC signing cert is invalid";
++                            CMS.debug(method + msg);
+                             s.close();
+-                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+                         } else {
+                             CMS.debug(method + "CMC signature verified; but signer not yet;");
+                         }
+@@ -1105,28 +1138,28 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+                         // now check revocation status of the cert
+                         if (CMS.isRevoked(x509Certs)) {
+-                            CMS.debug(method + "CMC signing cert is a revoked certificate");
++                            msg = "CMC signing cert is a revoked certificate";
++                            CMS.debug(method + msg);
+                             s.close();
+-                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+                         }
+                         try { //do this again anyways
+                             cert.checkValidity();
+                         } catch (CertificateExpiredException e) {
+-                            CMS.debug(method + "CMC signing cert is an expired certificate");
++                            msg = "CMC signing cert is an expired certificate";
++                            CMS.debug(method + msg);
+                             s.close();
+-                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+                         } catch (Exception e) {
+                             CMS.debug(method + e.toString());
+                             s.close();
+-                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + e.toString());
+                         }
+ 
+                         IAuthToken tempToken = new AuthToken(null);
+-/*
+                         netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
+                         String CN = tempPrincipal.getCommonName(); //tempToken.get("userid");
+                         CMS.debug(method + " Principal name = " + CN);
+-*/
+ 
+                         BigInteger certSerial = x509Certs[0].getSerialNumber();
+                         CMS.debug(method + " verified cert serial=" + certSerial.toString());
+@@ -1137,7 +1170,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                         return tempToken;
+ 
+                     } else {
+-                        CMS.debug(method + "no certificate found in cmcFullReq");
++                        msg = "no certificate found in cmcFullReq";
++                        CMS.debug(method + msg);
++                        throw new EMissingCredential(msg);
+                     }
+                 } else if (sid.getType().equals(SignerIdentifier.SUBJECT_KEY_IDENTIFIER)) {
+                     CMS.debug(method + "SignerIdentifier type: SUBJECT_KEY_IDENTIFIER");
+@@ -1150,19 +1185,20 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                     s.close();
+                     return tempToken;
+                 } else {
+-                    CMS.debug(method + "unsupported SignerIdentifier type");
++                    msg = "unsupported SignerIdentifier type";
++                    CMS.debug(method + msg);
++                    throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+                 }
+             } //for
+ 
++        } catch (EMissingCredential e) {
++            throw e;
++        } catch (EInvalidCredentials e) {
++            throw e;
+         } catch (InvalidBERException e) {
+-            CMS.debug(method + e.toString());
+-        } catch (IOException e) {
+-            CMS.debug(method + e.toString());
+-        } catch (NotInitializedException e) {
+-            CMS.debug(method + e.toString());
++            CMS.debug(method + e);
+         } catch (Exception e) {
+-            CMS.debug(method + e.toString());
+-            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++            CMS.debug(method + e);
+         } finally {
+             if ((tokenSwitched == true) && (savedToken != null)) {
+                 cm.setThreadToken(savedToken);
+@@ -1173,6 +1209,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+     }
+ 
++    private void createAuditSubjectFromCert (
++            SessionContext auditContext,
++            X509Certificate cert)
++            throws IOException {
++        String method = "CMCUserSignedAuth:createAuditSubjectFromCert: ";
++
++        // capture auditSubjectID first in case of failure
++        netscape.security.x509.X500Name principal =
++                (X500Name) cert.getSubjectDN();
++
++        String CN = principal.getCommonName();
++        CMS.debug(method + " Principal name = " + CN);
++        auditContext.put(SessionContext.USER_ID, CN);
++    }
++
+     public String[] getExtendedPluginInfo(Locale locale) {
+         return null;
+     }
+@@ -1274,7 +1325,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+      *
+      * @return id string containing the signed audit log message SubjectID
+      */
+-    private String auditSubjectID() {
++    private String getAuditSubjectID() {
+         // if no signed audit object exists, bail
+         if (mSignedAuditLogger == null) {
+             return null;
+@@ -1299,4 +1350,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+         return subjectID;
+     }
++
++    private String getAuditSignerInfo(SessionContext auditContext) {
++        String signerSubject = (String)auditContext.get(SessionContext.CMC_SIGNER_INFO);
++        if (signerSubject == null)
++            signerSubject = "$Unidentified$";
++
++        return signerSubject;
++    }
++
++    private String getRequestCertSubject(SessionContext auditContext) {
++        String certSubject = (String)auditContext.get(SessionContext.CMC_REQUEST_CERT_SUBJECT);
++        if (certSubject == null)
++            certSubject = "$Unidentified$";
++
++        return certSubject;
++    }
++
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
+index 33cc7a9..030995a 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
+@@ -219,12 +219,14 @@ public class UniqueKeyConstraint extends EnrollConstraint {
+                         Date origNotAfter = null;
+                         boolean first = true;
+                         while (e != null && e.hasMoreElements()) {
++                            CMS.debug(method +  msg);
+                             ICertRecord rec = e.nextElement();
+                             BigInteger serial = rec.getSerialNumber();
++                            msg = msg + "existing cert with same key found: " + serial.toString() + ";";
+ 
+                             if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)
+                                     || rec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED)) {
+-                                msg = msg + "revoked cert cannot be renewed: serial=" + serial.toString() + ";";
++                                msg = msg + "revoked cert cannot be renewed;";
+                                 CMS.debug(method + msg);
+                                 rejected = true;
+                                 // this has to break
+@@ -232,7 +234,7 @@ public class UniqueKeyConstraint extends EnrollConstraint {
+                             }
+                             if (!rec.getStatus().equals(ICertRecord.STATUS_VALID)
+                                     && !rec.getStatus().equals(ICertRecord.STATUS_EXPIRED)) {
+-                                CMS.debug(method + "invalid cert cannot be renewed; continue:" + serial.toString());
++                                CMS.debug(method + "invalid cert cannot be renewed; continue;" + serial.toString());
+                                 // can still find another one to renew
+                                 continue;
+                             }
+@@ -297,7 +299,7 @@ public class UniqueKeyConstraint extends EnrollConstraint {
+         } // (size > 0)
+ 
+         if (rejected == true) {
+-            CMS.debug(method + " rejected");
++            CMS.debug(method + " rejected: " + msg);
+             throw new ERejectException(msg);
+         } else {
+             CMS.debug(method + " approved");
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+index 9dc7470..65dc06a 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+@@ -843,6 +843,10 @@ public abstract class CMSServlet extends HttpServlet {
+      * get ssl client authenticated certificate
+      */
+     protected X509Certificate getSSLClientCertificate(HttpServletRequest httpReq) throws EBaseException {
++        return getSSLClientCertificate(httpReq, true);
++    }
++
++    protected X509Certificate getSSLClientCertificate(HttpServletRequest httpReq, boolean clientCertRequired) throws EBaseException {
+ 
+         X509Certificate cert = null;
+ 
+@@ -855,7 +859,11 @@ public abstract class CMSServlet extends HttpServlet {
+         X509Certificate[] allCerts = (X509Certificate[]) httpReq.getAttribute(CERT_ATTR);
+ 
+         if (allCerts == null || allCerts.length == 0) {
+-            throw new EBaseException("You did not provide a valid certificate for this operation");
++            if (!clientCertRequired) {
++                return null;
++            } else {
++                throw new EBaseException("You did not provide a valid certificate for this operation");
++            }
+         }
+ 
+         cert = allCerts[0];
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index 330b5ff..73195e9 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -19,6 +19,7 @@ package com.netscape.cms.servlet.profile;
+ 
+ import java.io.InputStream;
+ import java.io.OutputStream;
++import java.security.cert.X509Certificate;
+ import java.util.Enumeration;
+ import java.util.Locale;
+ 
+@@ -169,6 +170,12 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+         String authMgrID = authenticator.getName();
+         SessionContext sc = SessionContext.getContext();
+ 
++        X509Certificate clientCert =
++                getSSLClientCertificate(request, false /*cert may not be required*/);
++        if (clientCert != null) {
++           sc.put(SessionContext.SSL_CLIENT_CERT, clientCert);
++        }
++
+         try {
+             authToken = authenticator.authenticate(credentials);
+             if (sc != null) {
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 9490098..5e51440 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2208,10 +2208,10 @@ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5=<type=CMC_SIGNED_REQUEST_SI
+ #   are submitted and signature is verified
+ # ReqType must be the request type (enrollment, or revocation)
+ # CertSubject must be the certificate subject name of the certificate request
+-# SignerInfo must be a unique String representation for the signer
++# CMCSignerInfo must be a unique String representation for the CMC request signer
+ #
+ LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS_5=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification success
+-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}][info={5}] User signed CMC request signature verification failure
++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][CMCSignerInfo={4}][info={5}] User signed CMC request signature verification failure
+ 
+ # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST 
+ # - used for TPS to TKS to get random challenge data
+-- 
+1.8.3.1
+
diff --git a/SOURCES/pki-core-Fix-3DES-archival.patch b/SOURCES/pki-core-Fix-3DES-archival.patch
new file mode 100644
index 0000000..a0099e8
--- /dev/null
+++ b/SOURCES/pki-core-Fix-3DES-archival.patch
@@ -0,0 +1,72 @@
+From 1d7117081ad3b623af3938595436a35873b0bac6 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Fri, 16 Jun 2017 14:48:27 -0400
+Subject: [PATCH 4/4] Fix 3DES archival
+
+A previous commit mistakenly conflated the wrapping parameters for
+DES and DES3 cases, resulting in incorrect data being stored if the
+storage was successful at all.  This broke ipa vault and probably
+also token key archival and recovery.
+
+This patch sets the right parameters for the 3DES case again.
+Part of BZ# 1458043
+
+Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4
+(cherry picked from commit 89f14cc5b7858e60107dc0776a59394bdfb8edaf)
+---
+ .../src/netscape/security/util/WrappingParams.java | 23 ++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java
+index cda8870..ded572f 100644
+--- a/base/util/src/netscape/security/util/WrappingParams.java
++++ b/base/util/src/netscape/security/util/WrappingParams.java
+@@ -67,6 +67,10 @@ public class WrappingParams {
+             // New clients set this correctly.
+             // We'll assume the old DES3 wrapping here.
+             encrypt = EncryptionAlgorithm.DES_CBC_PAD;
++        } else if (encryptOID.equals(CryptoUtil.KW_DES_CBC_PAD.toString())) {
++            encrypt = EncryptionAlgorithm.DES3_CBC_PAD;
++        } else if (encryptOID.equals(CryptoUtil.KW_AES_CBC_PAD.toString())) {
++            encrypt = EncryptionAlgorithm.AES_128_CBC_PAD;
+         } else {
+             encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID));
+         }
+@@ -135,23 +139,26 @@ public class WrappingParams {
+             payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
+             payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
+             skLength = 128;
+-        }
+-
+-        if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
++        } else if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
+             skType = SymmetricKey.AES;
+             skKeyGenAlgorithm = KeyGenAlgorithm.AES;
+             payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD;
+             payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
+             skLength = 128;
+-        }
+-
+-        if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
++        } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) {
++            skType = SymmetricKey.DES3;
++            skKeyGenAlgorithm = KeyGenAlgorithm.DES3;
++            skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
++            payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
++            payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
++            skLength = payloadEncryptionAlgorithm.getKeyStrength();
++        } else if (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
+             skType = SymmetricKey.DES;
+             skKeyGenAlgorithm = KeyGenAlgorithm.DES;
+             skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+             payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+-            payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
+-            skLength = 0;
++            payloadEncryptionAlgorithm = EncryptionAlgorithm.DES_CBC_PAD;
++            skLength = payloadEncryptionAlgorithm.getKeyStrength();
+         }
+ 
+         if (priKeyAlgo.equals("EC")) {
+-- 
+1.8.3.1
+
diff --git a/SOURCES/pki-core-Fix-build-on-Fedora-25.patch b/SOURCES/pki-core-Fix-build-on-Fedora-25.patch
deleted file mode 100644
index 558f016..0000000
--- a/SOURCES/pki-core-Fix-build-on-Fedora-25.patch
+++ /dev/null
@@ -1,280 +0,0 @@
-From 3fdc686c9a4bab492d50cef707beef1f5f043153 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Tue, 28 Jun 2016 15:50:36 +1000
-Subject: [PATCH] Fix build on Fedora 25
-
-Look for the right JAX-RS API JAR (it has moved in Fedora 25).
-
-Also remove a lot of redundant 'find_file' operations for this JAR.
-
-Fixes: https://fedorahosted.org/pki/ticket/2373
----
- base/CMakeLists.txt                    | 10 ++++++++++
- base/ca/src/CMakeLists.txt             |  7 -------
- base/common/src/CMakeLists.txt         |  7 -------
- base/java-tools/src/CMakeLists.txt     |  7 -------
- base/kra/src/CMakeLists.txt            |  7 -------
- base/ocsp/src/CMakeLists.txt           |  7 -------
- base/server/cms/src/CMakeLists.txt     |  7 -------
- base/server/cmscore/src/CMakeLists.txt |  7 -------
- base/server/tomcat/src/CMakeLists.txt  |  7 -------
- base/server/tomcat7/src/CMakeLists.txt |  7 -------
- base/server/tomcat8/src/CMakeLists.txt |  7 -------
- base/tks/src/CMakeLists.txt            |  7 -------
- base/tps/src/CMakeLists.txt            | 14 --------------
- 13 files changed, 10 insertions(+), 91 deletions(-)
-
-diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt
-index b9d5c7b..bb156ba 100644
---- a/base/CMakeLists.txt
-+++ b/base/CMakeLists.txt
-@@ -2,6 +2,16 @@ project(base)
- 
- # The order is important!
- if (APPLICATION_FLAVOR_PKI_CORE)
-+
-+    find_file(JAXRS_API_JAR
-+        NAMES
-+            jaxrs-api.jar
-+            jboss-jaxrs-2.0-api.jar
-+        PATHS
-+            ${RESTEASY_LIB}
-+            /usr/share/java
-+    )
-+
-     add_subdirectory(test)
-     add_subdirectory(symkey)
-     add_subdirectory(util)
-diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt
-index 2a43c8d..854ce28 100644
---- a/base/ca/src/CMakeLists.txt
-+++ b/base/ca/src/CMakeLists.txt
-@@ -52,13 +52,6 @@ find_file(JACKSON_MAPPER_JAR
-         /usr/share/java/jackson
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- find_file(RESTEASY_JAXRS_JAR
-     NAMES
-         resteasy-jaxrs.jar
-diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
-index 072bd00..ee41b2f 100644
---- a/base/common/src/CMakeLists.txt
-+++ b/base/common/src/CMakeLists.txt
-@@ -83,13 +83,6 @@ find_file(XERCES_JAR
-         /usr/share/java
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- find_file(RESTEASY_JAXRS_JAR
-     NAMES
-         resteasy-jaxrs.jar
-diff --git a/base/java-tools/src/CMakeLists.txt b/base/java-tools/src/CMakeLists.txt
-index 9a3c72f..e7ca5db 100644
---- a/base/java-tools/src/CMakeLists.txt
-+++ b/base/java-tools/src/CMakeLists.txt
-@@ -60,13 +60,6 @@ find_file(XERCES_JAR
-         /usr/share/java
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- find_file(RESTEASY_JAXRS_JAR
-     NAMES
-         resteasy-jaxrs.jar
-diff --git a/base/kra/src/CMakeLists.txt b/base/kra/src/CMakeLists.txt
-index bfc8cdd..400ec01 100644
---- a/base/kra/src/CMakeLists.txt
-+++ b/base/kra/src/CMakeLists.txt
-@@ -61,13 +61,6 @@ find_file(COMMONS_CODEC_JAR
-         /usr/share/java
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- find_file(RESTEASY_JAXRS_JAR
-     NAMES
-         resteasy-jaxrs.jar
-diff --git a/base/ocsp/src/CMakeLists.txt b/base/ocsp/src/CMakeLists.txt
-index d4a2009..32fcc92 100644
---- a/base/ocsp/src/CMakeLists.txt
-+++ b/base/ocsp/src/CMakeLists.txt
-@@ -46,13 +46,6 @@ find_file(LDAPJDK_JAR
-         /usr/share/java
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- # '${JAVA_LIB_INSTALL_DIR}' jars
- find_file(JSS_JAR
-     NAMES
-diff --git a/base/server/cms/src/CMakeLists.txt b/base/server/cms/src/CMakeLists.txt
-index 33b1cd3..93f4a8a 100644
---- a/base/server/cms/src/CMakeLists.txt
-+++ b/base/server/cms/src/CMakeLists.txt
-@@ -90,13 +90,6 @@ find_file(XERCES_JAR
-         /usr/share/java
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- find_file(RESTEASY_JAXRS_JAR
-     NAMES
-         resteasy-jaxrs.jar
-diff --git a/base/server/cmscore/src/CMakeLists.txt b/base/server/cmscore/src/CMakeLists.txt
-index ef12938..32e4351 100644
---- a/base/server/cmscore/src/CMakeLists.txt
-+++ b/base/server/cmscore/src/CMakeLists.txt
-@@ -83,13 +83,6 @@ find_file(XERCES_JAR
-         /usr/share/java
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- find_file(RESTEASY_JAXRS_JAR
-     NAMES
-         resteasy-jaxrs.jar
-diff --git a/base/server/tomcat/src/CMakeLists.txt b/base/server/tomcat/src/CMakeLists.txt
-index 669cc88..4cb40ad 100644
---- a/base/server/tomcat/src/CMakeLists.txt
-+++ b/base/server/tomcat/src/CMakeLists.txt
-@@ -83,13 +83,6 @@ find_file(XERCES_JAR
-         /usr/share/java
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- find_file(RESTEASY_JAXRS_JAR
-     NAMES
-         resteasy-jaxrs.jar
-diff --git a/base/server/tomcat7/src/CMakeLists.txt b/base/server/tomcat7/src/CMakeLists.txt
-index f84369c..18f0b91 100644
---- a/base/server/tomcat7/src/CMakeLists.txt
-+++ b/base/server/tomcat7/src/CMakeLists.txt
-@@ -83,13 +83,6 @@ find_file(XERCES_JAR
-         /usr/share/java
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- find_file(RESTEASY_JAXRS_JAR
-     NAMES
-         resteasy-jaxrs.jar
-diff --git a/base/server/tomcat8/src/CMakeLists.txt b/base/server/tomcat8/src/CMakeLists.txt
-index 0f49ff9..db1b9dc 100644
---- a/base/server/tomcat8/src/CMakeLists.txt
-+++ b/base/server/tomcat8/src/CMakeLists.txt
-@@ -90,13 +90,6 @@ find_file(XERCES_JAR
-         /usr/share/java
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- find_file(RESTEASY_JAXRS_JAR
-     NAMES
-         resteasy-jaxrs.jar
-diff --git a/base/tks/src/CMakeLists.txt b/base/tks/src/CMakeLists.txt
-index d1ebbb1..51f98c9 100644
---- a/base/tks/src/CMakeLists.txt
-+++ b/base/tks/src/CMakeLists.txt
-@@ -68,13 +68,6 @@ find_file(COMMONS_LANG_JAR
-         /usr/share/java
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- find_file(RESTEASY_JAXRS_JAR
-     NAMES
-         resteasy-jaxrs.jar
-diff --git a/base/tps/src/CMakeLists.txt b/base/tps/src/CMakeLists.txt
-index b8b13a9..5e51f60 100644
---- a/base/tps/src/CMakeLists.txt
-+++ b/base/tps/src/CMakeLists.txt
-@@ -28,13 +28,6 @@ find_file(COMMONS_LANG_JAR
-         /usr/share/java
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- find_file(TOMCAT_CATALINA_JAR
-     NAMES
-         catalina.jar
-@@ -77,13 +70,6 @@ find_file(PKI_NSUTIL_JAR
-         /usr/share/java/pki
- )
- 
--find_file(JAXRS_API_JAR
--    NAMES
--        jaxrs-api.jar
--    PATHS
--        ${RESTEASY_LIB}
--)
--
- find_file(RESTEASY_JAXRS_JAR
-     NAMES
-         resteasy-jaxrs.jar
--- 
-2.5.5
-
diff --git a/SOURCES/pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch b/SOURCES/pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch
new file mode 100644
index 0000000..d2b1f67
--- /dev/null
+++ b/SOURCES/pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch
@@ -0,0 +1,102 @@
+From 887d70ce1b8c4a00f62c2b4eec24326e487da5bd Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Thu, 15 Jun 2017 12:38:26 +1000
+Subject: [PATCH 3/4] Fix regression in pkcs12 key bag creation
+
+Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12
+file handing to never deal with raw private key material.
+PKCS12Util.addKeyBag() was changed to export the PrivateKey handle,
+or fail.  This change missed this case where a PKCS #12 file is
+loaded from file, possibly modified, then written back to a file,
+without involving an NSSDB.  One example is pkcs12-cert-del which
+deletes a certificate and associated key from a PKCS #12 file.
+
+Fix the PKCS12Util.addKeyBag() method to use the stored
+EncryptedPricateKeyInfo if available, otherwise export the
+PrivateKey handle.
+
+Fixes: https://pagure.io/dogtagpki/issue/2741
+Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a
+(cherry picked from commit a411492fe5ad2030bb9f18db9a8ed8d1c45ee7de)
+---
+ .../src/netscape/security/pkcs/PKCS12Util.java     | 58 ++++++++++++++--------
+ 1 file changed, 37 insertions(+), 21 deletions(-)
+
+diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
+index 31c7126..1bc1bae 100644
+--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
++++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
+@@ -102,33 +102,49 @@ public class PKCS12Util {
+         icert.setObjectSigningTrust(PKCS12.decodeFlags(flags[2]));
+     }
+ 
+-    /**
+-     * Used during EXPORT to add a private key to the PKCS12.
++    /** Add a private key to the PKCS #12 object.
++     *
++     * The PKCS12KeyInfo object received comes about in two
++     * different scenarios:
++     *
++     * - The private key could be in encrypted byte[] form (e.g.
++     *   when we have merely loaded a PKCS #12 file for inspection
++     *   or e.g. to delete a certificate and its associated key).
++     *   In this case we simply re-use this encrypted private key
++     *   info byte[].
+      *
+-     * The private key is exported directly from the token, into
+-     * an EncryptedPrivateKeyInfo value, then added as a
+-     * "Shrouded Key Bag" to the PKCS #12 object.  Unencrypted
+-     * key material is never seen.
++     * - The private key could be a be an NSS PrivateKey handle.  In
++     *   this case we must export the PrivateKey from the token to
++     *   obtain the EncryptedPrivateKeyInfo.
++     *
++     * The common final step is to add the encrypted private key
++     * data to a "Shrouded Key Bag" to the PKCS #12 object.
++     * Unencrypted key material is never seen.
+      */
+     public void addKeyBag(PKCS12KeyInfo keyInfo, Password password,
+             SEQUENCE encSafeContents) throws Exception {
+-        PrivateKey k = keyInfo.getPrivateKey();
+-        if (k == null) {
+-            logger.debug("NO PRIVATE KEY for " + keyInfo.subjectDN);
+-            return;
+-        }
+-
+         logger.debug("Creating key bag for " + keyInfo.subjectDN);
+ 
+-        PasswordConverter passConverter = new PasswordConverter();
+-        byte[] epkiBytes = CryptoManager.getInstance()
+-            .getInternalKeyStorageToken()
+-            .getCryptoStore()
+-            .getEncryptedPrivateKeyInfo(
+-                /* NSS has a bug that causes any AES CBC encryption
+-                 * to use AES-256, but AlgorithmID contains chosen
+-                 * alg.  To avoid mismatch, use AES_256_CBC. */
+-                passConverter, password, EncryptionAlgorithm.AES_256_CBC, 0, k);
++        byte[] epkiBytes = keyInfo.getEncryptedPrivateKeyInfoBytes();
++        if (epkiBytes == null) {
++            PrivateKey k = keyInfo.getPrivateKey();
++            if (k == null) {
++                logger.debug("NO PRIVATE KEY for " + keyInfo.subjectDN);
++                return;
++            }
++            logger.debug("Encrypting private key for " + keyInfo.subjectDN);
++
++            PasswordConverter passConverter = new PasswordConverter();
++            epkiBytes = CryptoManager.getInstance()
++                .getInternalKeyStorageToken()
++                .getCryptoStore()
++                .getEncryptedPrivateKeyInfo(
++                    /* NSS has a bug that causes any AES CBC encryption
++                     * to use AES-256, but AlgorithmID contains chosen
++                     * alg.  To avoid mismatch, use AES_256_CBC. */
++                    passConverter, password,
++                    EncryptionAlgorithm.AES_256_CBC, 0, k);
++        }
+ 
+         SET keyAttrs = createKeyBagAttrs(keyInfo);
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/pki-core-Fix-token-enrollment-and-recovery-ivs.patch b/SOURCES/pki-core-Fix-token-enrollment-and-recovery-ivs.patch
new file mode 100644
index 0000000..f6f74f2
--- /dev/null
+++ b/SOURCES/pki-core-Fix-token-enrollment-and-recovery-ivs.patch
@@ -0,0 +1,37 @@
+From e5bd4436541b726f128afd18b113ff80ce18a6b5 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Fri, 16 Jun 2017 19:25:05 -0400
+Subject: [PATCH 1/4] Fix token enrollment and recovery ivs
+
+In encryption mode, the archival of the geenrated key uses the
+wrapIV, while the recovery uses the encryptIV.  To make sure
+these are consistent, they need to be set to be the same.
+
+Bugzilla BZ #1458043
+
+Change-Id: I1ecece74bd6e486c0f37b5e1df4929744fac262b
+(cherry picked from commit a91b457abfd61c39e1e4318c2443e38b2dd93c5c)
+---
+ base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index 96d7aae..07333b7 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -406,6 +406,12 @@ public class NetkeyKeygenService implements IService {
+ 
+                     try {
+                         params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
++
++                        // In encrypt mode, the recovery side is doing a decrypt() using the
++                        // encryption IV.  To be sure this is successful, we will make sure'
++                        // the IVs are the same.
++                        params.setPayloadEncryptionIV(params.getPayloadWrappingIV());
++
+                         privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
+                     } catch (Exception e) {
+                         request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+-- 
+1.8.3.1
+
diff --git a/SOURCES/pki-core-KRA-external-CA-partial-cert-chain.patch b/SOURCES/pki-core-KRA-external-CA-partial-cert-chain.patch
deleted file mode 100644
index f4efa8e..0000000
--- a/SOURCES/pki-core-KRA-external-CA-partial-cert-chain.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 1834a25a1982e2c2c49fde5998efdc7d10d3a29b Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 6 Oct 2016 22:08:15 +0200
-Subject: [PATCH] Fixed ConfigurationUtils.importCertChain().
-
-The ConfigurationUtils.importCertChain() has been modified to
-ignore UNKNOWN_ISSUER error when connecting to a server that
-does not have the complete certificate chain.
-
-https://fedorahosted.org/pki/ticket/2497
-(cherry picked from commit 343a756bb93abf057f2999858ba9e170fa84f143)
-(cherry picked from commit 6e0e2afbbeb1bb7acdf402edf5ca426bfc01a433)
----
- .../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java   | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-index 34500d0..ecf8157 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-@@ -261,8 +261,9 @@ public class ConfigurationUtils {
- 
-         IConfigStore cs = CMS.getConfigStore();
-         ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
--        // Ignore untrusted issuer to get cert chain.
-+        // Ignore untrusted/unknown issuer to get cert chain.
-         certApprovalCallback.ignoreError(ValidityStatus.UNTRUSTED_ISSUER);
-+        certApprovalCallback.ignoreError(ValidityStatus.UNKNOWN_ISSUER);
-         String c = get(host, port, true, serverPath, null, certApprovalCallback);
- 
-         if (c != null) {
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch b/SOURCES/pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch
deleted file mode 100644
index 7919499..0000000
--- a/SOURCES/pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-From fdff7d618958162b3a30d63c9c50bd71faace530 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Sat, 29 Oct 2016 07:52:36 +0200
-Subject: [PATCH 1/2] Reformatted SecurityDataRecoveryService.serviceRequest().
-
-The code in SecurityDataRecoveryService.serviceRequest() has been
-reformatted for clarity.
-
-https://fedorahosted.org/pki/ticket/2500
-(cherry picked from commit 613d8e8281cc336d7e1c8291abedb4b2321f93ec)
-(cherry picked from commit ec165a0d6cd805d1b5d4fbd4fff44ff00bfcaee0)
----
- .../netscape/kra/SecurityDataRecoveryService.java  | 30 ++++++++++++++++++----
- 1 file changed, 25 insertions(+), 5 deletions(-)
-
-diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
-index f12222b..478f7a8 100644
---- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
-+++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
-@@ -24,6 +24,7 @@ import java.math.BigInteger;
- import java.security.InvalidAlgorithmParameterException;
- import java.security.InvalidKeyException;
- import java.security.NoSuchAlgorithmException;
-+import java.security.PublicKey;
- import java.security.spec.AlgorithmParameterSpec;
- import java.util.Arrays;
- import java.util.Hashtable;
-@@ -31,9 +32,6 @@ import java.util.Random;
- 
- import javax.crypto.spec.RC2ParameterSpec;
- 
--import netscape.security.util.DerValue;
--import netscape.security.x509.X509Key;
--
- import org.dogtagpki.server.kra.rest.KeyRequestService;
- import org.mozilla.jss.CryptoManager;
- import org.mozilla.jss.asn1.OCTET_STRING;
-@@ -73,6 +71,9 @@ import com.netscape.certsrv.security.ITransportKeyUnit;
- import com.netscape.cmscore.dbs.KeyRecord;
- import com.netscape.cmsutil.util.Utils;
- 
-+import netscape.security.util.DerValue;
-+import netscape.security.x509.X509Key;
-+
- /**
-  * This implementation services SecurityData Recovery requests.
-  * <p>
-@@ -184,6 +185,7 @@ public class SecurityDataRecoveryService implements IService {
-         } catch (Exception e) {
-             iv = iv_default;
-         }
-+
-         String ivStr = Utils.base64encode(iv);
- 
-         KeyRecord keyRecord = (KeyRecord) mStorage.readKeyRecord(serialno);
-@@ -200,20 +202,27 @@ public class SecurityDataRecoveryService implements IService {
-             if (allowEncDecrypt_recovery == true) {
-                 CMS.debug("Recover symmetric key by decrypting as per allowEncDecrypt_recovery: true.");
-                 unwrappedSecData = recoverSecurityData(keyRecord);
-+
-             } else {
-                 symKey = recoverSymKey(keyRecord);
-             }
- 
-         } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
-             unwrappedSecData = recoverSecurityData(keyRecord);
-+
-         } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
-             try {
-                 if (allowEncDecrypt_recovery == true) {
-                     CMS.debug("Recover asymmetric key by decrypting as per allowEncDecrypt_recovery: true.");
-                     unwrappedSecData = recoverSecurityData(keyRecord);
-+
-                 } else {
--                    privateKey = mStorageUnit.unwrap(keyRecord.getPrivateKeyData(),
--                            X509Key.parsePublicKey(new DerValue(keyRecord.getPublicKeyData())));
-+
-+                    byte[] publicKeyData = keyRecord.getPublicKeyData();
-+                    byte[] privateKeyData = keyRecord.getPrivateKeyData();
-+
-+                    PublicKey publicKey = X509Key.parsePublicKey(new DerValue(publicKeyData));
-+                    privateKey = mStorageUnit.unwrap(privateKeyData, publicKey);
-                 }
- 
-             } catch (IOException e) {
-@@ -244,22 +253,29 @@ public class SecurityDataRecoveryService implements IService {
-                 passStr = null;
- 
-                 if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
-+
-                     CMS.debug("SecurityDataRecoveryService: wrap or encrypt stored symmetric key with transport passphrase");
-                     if (allowEncDecrypt_recovery == true) {
-                         CMS.debug("SecurityDataRecoveryServic: allowEncDecyypt_recovery: true, symmetric key:  create blob with unwrapped key.");
-                         pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass);
-+
-                     } else {
-                         pbeWrappedData = createEncryptedContentInfo(ct, symKey, null, null,
-                                 pass);
-                     }
-+
-                 } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
-+
-                     CMS.debug("SecurityDataRecoveryService: encrypt stored passphrase with transport passphrase");
-                     pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null,
-                             pass);
-+
-                 } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
-+
-                     if (allowEncDecrypt_recovery == true) {
-                         CMS.debug("SecurityDataRecoveryService: allowEncDecyypt_recovery: true, asymmetric key:  create blob with unwrapped key.");
-                         pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass);
-+
-                     } else {
-                         CMS.debug("SecurityDataRecoveryService: wrap stored private key with transport passphrase");
-                         pbeWrappedData = createEncryptedContentInfo(ct, null, null, privateKey,
-@@ -294,9 +310,11 @@ public class SecurityDataRecoveryService implements IService {
-                         CMS.debug("SecurityDataRecoveryService: encrypt symmetric key with session key as per allowEncDecrypt_recovery: true.");
-                         unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.ENCRYPT);
-                         Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
-+
-                         if (encryptor != null) {
-                             encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv));
-                             key_data = encryptor.doFinal(unwrappedSecData);
-+
-                         } else {
-                             auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
-                                     serialno.toString(), "Failed to create cipher encrypting symmetric key");
-@@ -344,9 +362,11 @@ public class SecurityDataRecoveryService implements IService {
-                         CMS.debug("SecurityDataRecoveryService: encrypt symmetric key with session key as per allowEncDecrypt_recovery: true.");
-                         unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.ENCRYPT);
-                         Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
-+
-                         if (encryptor != null) {
-                             encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv));
-                             key_data = encryptor.doFinal(unwrappedSecData);
-+
-                         } else {
-                             auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
-                                     serialno.toString(), "Failed to create cipher encrypting asymmetric key");
--- 
-1.8.3.1
-
-
-From 7fe0c22d09017fc45b251fd4fb2dd5f5dd23c603 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Tue, 1 Nov 2016 22:49:22 +0100
-Subject: [PATCH 2/2] Fixed KRA key recovery via CLI in FIPS mode.
-
-Based on investigation and solution provided by cfu and jmagne,
-the SecurityDataRecoveryService.serviceRequest() has been modified
-to use EncryptionUnit.unwrap_temp() for key recovery via CLI in
-FIPS mode.
-
-https://fedorahosted.org/pki/ticket/2500
-(cherry picked from commit 650b00dc57bb0c51c1e327ec3064531c26f80c43)
-(cherry picked from commit 8bef45df5e3d287111df8e0a33519a065e3e7b70)
----
- base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java | 3 +++
- base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java     | 2 +-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
-index 23a1f77..575dda7 100644
---- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
-+++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
-@@ -142,6 +142,9 @@ public interface IEncryptionUnit extends IToken {
-     public SymmetricKey unwrap_sym(byte encSymmKey[],
-             SymmetricKey.Usage usage);
- 
-+    public PrivateKey unwrap_temp(byte privateKey[], PublicKey pubKey)
-+            throws EBaseException;
-+
-     /**
-      * Unwraps data. This method rebuilds the private key by
-      * unwrapping the private key data.
-diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
-index 478f7a8..83c1fb1 100644
---- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
-+++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
-@@ -222,7 +222,7 @@ public class SecurityDataRecoveryService implements IService {
-                     byte[] privateKeyData = keyRecord.getPrivateKeyData();
- 
-                     PublicKey publicKey = X509Key.parsePublicKey(new DerValue(publicKeyData));
--                    privateKey = mStorageUnit.unwrap(privateKeyData, publicKey);
-+                    privateKey = mStorageUnit.unwrap_temp(privateKeyData, publicKey);
-                 }
- 
-             } catch (IOException e) {
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-SecurityDataRecoveryService.patch b/SOURCES/pki-core-SecurityDataRecoveryService.patch
new file mode 100644
index 0000000..979abd5
--- /dev/null
+++ b/SOURCES/pki-core-SecurityDataRecoveryService.patch
@@ -0,0 +1,88 @@
+--- patch/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java	2017-06-06 04:56:02.188426066 +0200
++++ pki/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java	2017-06-06 01:50:56.698341052 +0200
+@@ -17,6 +17,8 @@
+ // --- END COPYRIGHT BLOCK ---
+ package com.netscape.kra;
+ 
++import java.math.BigInteger;
++
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.dbs.keydb.KeyId;
+@@ -41,6 +43,7 @@ public class SecurityDataRecoveryService
+ 
+     private IKeyRecoveryAuthority kra = null;
+     private SecurityDataProcessor processor = null;
++    private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
+ 
+     public SecurityDataRecoveryService(IKeyRecoveryAuthority kra) {
+         this.kra = kra;
+@@ -65,8 +68,66 @@ public class SecurityDataRecoveryService
+             throws EBaseException {
+ 
+         CMS.debug("SecurityDataRecoveryService.serviceRequest()");
+-        processor.recover(request);
+-        kra.getRequestQueue().updateRequest(request);
++
++        // parameters for auditing
++        String auditSubjectID = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
++        BigInteger serialNumber = request.getExtDataInBigInteger("serialNumber");
++        KeyId keyId = serialNumber != null ? new KeyId(serialNumber): null;
++        RequestId requestID = request.getRequestId();
++        String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
++
++        try {
++            processor.recover(request);
++            kra.getRequestQueue().updateRequest(request);
++            auditRecoveryRequestProcessed(
++                    auditSubjectID,
++                    ILogger.SUCCESS,
++                    requestID,
++                    keyId,
++                    null,
++                    approvers);
++        } catch (EBaseException e) {
++            auditRecoveryRequestProcessed(
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    requestID,
++                    keyId,
++                    e.getMessage(),
++                    approvers);
++            throw e;
++        }
+         return false;  //TODO: return true?
+     }
++
++    private void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
++    private void audit(String msg) {
++        if (signedAuditLogger == null)
++            return;
++
++        signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
++                null,
++                ILogger.S_SIGNED_AUDIT,
++                ILogger.LL_SECURITY,
++                msg);
++    }
++
++    private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
++            KeyId keyID, String reason, String recoveryAgents) {
++        audit(new SecurityDataRecoveryProcessedEvent(
++                subjectID,
++                status,
++                requestID,
++                keyID,
++                reason,
++                recoveryAgents));
++    }
+ }
diff --git a/SOURCES/pki-core-add-profile-component-that-copies-CN-to-SAN.patch b/SOURCES/pki-core-add-profile-component-that-copies-CN-to-SAN.patch
deleted file mode 100644
index a0729af..0000000
--- a/SOURCES/pki-core-add-profile-component-that-copies-CN-to-SAN.patch
+++ /dev/null
@@ -1,484 +0,0 @@
-From fa65ec19458bbd767f54e52f61d920b529936e19 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Wed, 1 Feb 2017 16:15:39 +1000
-Subject: [PATCH 1/5] DNSName: add method to get value
-
-To implement a profile default that copies CN to SAN dNSName, we
-need to examine existing dNSName values.  To support this, add the
-'getValue()' method to 'DNSName'.
-
-Part of: https://fedorahosted.org/pki/ticket/1710
-
-(cherry picked from commit f371114134ee3b6a83b747eecf46e001080b1e9c)
-(cherry picked from commit a30f25cbb496b6e24b417a02602e0cdbe079cbd3)
----
- base/util/src/netscape/security/x509/DNSName.java | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/base/util/src/netscape/security/x509/DNSName.java b/base/util/src/netscape/security/x509/DNSName.java
-index 361c235..2161adf 100644
---- a/base/util/src/netscape/security/x509/DNSName.java
-+++ b/base/util/src/netscape/security/x509/DNSName.java
-@@ -79,4 +79,12 @@ public class DNSName implements GeneralNameInterface {
-     public String toString() {
-         return ("DNSName: " + name);
-     }
-+
-+    /**
-+     * Get the raw DNSName value.
-+     */
-+    public String getValue() {
-+        return name;
-+    }
-+
- }
--- 
-1.8.3.1
-
-
-From 6fa86d4f50b5846f5d6f8a12797f61dd5b629cca Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Wed, 1 Feb 2017 16:17:51 +1000
-Subject: [PATCH 2/5] GeneralName: add method to get at inner value
-
-The 'GeneralNameInterface' interface represents a single X.509
-General Name value.  Various types are supported.  The 'GeneralName'
-class (which also implements 'GeneralNameInterface') is a singleton
-container for another 'GeneralNameInterface' value.
-
-To implement a profile component that copies CN to a SAN dNSName, we
-need to examine existing General Names in the SAN extension (if
-present), to avoid duplicate values.  We can iterate 'GeneralNames',
-but if the value is of type 'GeneralName' we need a way to "unwrap"
-the value, down to the innermost value which will be of a specific
-General Name type.
-
-Add the 'unwrap' method to 'GeneralName'.
-
-Part of: https://fedorahosted.org/pki/ticket/1710
-
-(cherry picked from commit 225dd099efa7e2f752c3f50157aaec71a9834873)
-(cherry picked from commit 52704d6564800c6872d3343c9aa5d6180637f070)
----
- base/util/src/netscape/security/x509/GeneralName.java | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/base/util/src/netscape/security/x509/GeneralName.java b/base/util/src/netscape/security/x509/GeneralName.java
-index a90ac7b..55b5bfc 100644
---- a/base/util/src/netscape/security/x509/GeneralName.java
-+++ b/base/util/src/netscape/security/x509/GeneralName.java
-@@ -196,4 +196,19 @@ public class GeneralName implements GeneralNameInterface {
-                              constructedForm, (byte) nameType), tmp);
-         }
-     }
-+
-+    /**
-+     * Unwrap this GeneralName until we reach something that is not
-+     * a GeneralName.
-+     */
-+    public GeneralNameInterface unwrap() {
-+        if (this == name)
-+            return null;  // can't happen, but just in case...
-+
-+        if (name instanceof GeneralName)
-+            return ((GeneralName) name).unwrap();
-+        else
-+            return name;
-+    }
-+
- }
--- 
-1.8.3.1
-
-
-From 6eac5bbccb18fe913c43a0b9ec73707180870bb9 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Wed, 1 Feb 2017 16:25:11 +1000
-Subject: [PATCH 3/5] SubjectAlternativeNameExtension: add GeneralNames
- getter/setter
-
-To implement a profile default that copies CN to SAN dNSName, we
-need to read and set the 'GeneralNames' of the extension.  This can
-be done via the 'get' and 'set' methods but this interface is
-awkward and requires the caller to deal with exceptions that aren't
-fundamental to the get/set actions.
-
-Add the 'setGeneralNames' and 'getGeneralNames' methods.
-
-Part of: https://fedorahosted.org/pki/ticket/1710
-
-(cherry picked from commit a67816eebbed2332327fbf391f3e23223ee7690e)
-(cherry picked from commit 60f4011c3f4511ac8f86b77940d25b5869204353)
----
- .../security/x509/SubjectAlternativeNameExtension.java    | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java b/base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java
-index d96c821..82f87e1 100644
---- a/base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java
-+++ b/base/util/src/netscape/security/x509/SubjectAlternativeNameExtension.java
-@@ -199,6 +199,21 @@ public class SubjectAlternativeNameExtension extends Extension
-     }
- 
-     /**
-+     * Set the GeneralNames of this extension.
-+     */
-+    public void setGeneralNames(GeneralNames names) {
-+        clearValue();
-+        this.names = names;
-+    }
-+
-+    /**
-+     * Get the GeneralNames of this extension.
-+     */
-+    public GeneralNames getGeneralNames() {
-+        return names;
-+    }
-+
-+    /**
-      * Get the attribute value.
-      */
-     public Object get(String name) throws IOException {
--- 
-1.8.3.1
-
-
-From da8cab2d15d5bd5e82ad8bd9a2ff0f51f7bad343 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Wed, 1 Feb 2017 16:30:50 +1000
-Subject: [PATCH 4/5] X500Name: add method to get all attributes of a given
- type
-
-To implement a profile default that copies the CN to a SAN dNSName,
-we need to examine the CN values present in the Subject DN.
-Specifically, we want to look at the "most specific" CN value.  The
-'getCommonName' method returns the "least specific" value in the
-name, thus is not suitable.
-
-Add the 'getAttributesForOid(ObjectIdentifier)' method, which
-returns an ordered list of values of the given name attribute type,
-from least specific to most specific.
-
-Part of: https://fedorahosted.org/pki/ticket/1710
-
-(cherry picked from commit 979b6a2da433e97c1ada6434b432aa4aabc47ab5)
-(cherry picked from commit 4ba23db518ab285d8a0dce8d4ee493f695867ad8)
----
- base/util/src/netscape/security/x509/X500Name.java | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/base/util/src/netscape/security/x509/X500Name.java b/base/util/src/netscape/security/x509/X500Name.java
-index 0f75f48..c8627a9 100644
---- a/base/util/src/netscape/security/x509/X500Name.java
-+++ b/base/util/src/netscape/security/x509/X500Name.java
-@@ -19,8 +19,10 @@ package netscape.security.x509;
- 
- import java.io.IOException;
- import java.security.Principal;
-+import java.util.ArrayList;
- import java.util.Arrays;
- import java.util.Enumeration;
-+import java.util.List;
- import java.util.Vector;
- 
- import netscape.security.util.DerInputStream;
-@@ -451,6 +453,25 @@ public class X500Name implements Principal, GeneralNameInterface {
-     }
- 
-     /**
-+     * Return a list of attributes of the given type.
-+     *
-+     * The "most specific" value comes last.
-+     *
-+     * If there are no name attributes of the given type, an empty
-+     * list is returned.
-+     */
-+    public List<String> getAttributesForOid(ObjectIdentifier oid)
-+            throws IOException {
-+        List<String> xs = new ArrayList<>();
-+        for (int i = 0; i < names.length; i++) {
-+            DerValue v = names[i].findAttribute(oid);
-+            if (v != null)
-+                xs.add(getString(v));
-+        }
-+        return xs;
-+    }
-+
-+    /**
-      * Returns a Ldap DN String from the X500Name
-      * using the specified LdapDNStrconverter.
-      * For example, RFC1779String converter can be passed to convert the
--- 
-1.8.3.1
-
-
-From 10799f1af01143ffb27fae06f446bb389c0787e8 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Wed, 1 Feb 2017 16:39:14 +1000
-Subject: [PATCH 5/5] Add profile component that copies CN to SAN dNSName
-
-Add the 'CommonNameToSANDefault' profile default class.  When used
-on a profile, this will examine the (most-specific) Common Name in
-the Subject DN, and if it looks like a DNS name, will add it to the
-Subject Alternative Name extension, creating the extension if it
-does not already exist.
-
-Also add upgrade scriptlet to add the component to registry.cfg in
-existing installations.
-
-Fixes: https://fedorahosted.org/pki/ticket/1710
-(cherry picked from commit 9cb00049ec731cca36de822f6c1e834f7febcb4f)
-(cherry picked from commit 10d1db00225caf750ccc3c50b9d6e6b7af3655a8)
----
- base/ca/shared/conf/registry.cfg                   |   5 +-
- .../cms/profile/def/CommonNameToSANDefault.java    | 215 +++++++++++++++++++++
- 2 files changed, 219 insertions(+), 1 deletion(-)
- create mode 100644 base/server/cms/src/com/netscape/cms/profile/def/CommonNameToSANDefault.java
-
-diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
-index 0bd7c05..280c713 100644
---- a/base/ca/shared/conf/registry.cfg
-+++ b/base/ca/shared/conf/registry.cfg
-@@ -45,7 +45,7 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constr
- constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint
- constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint
- constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
--defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl
-+defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl,commonNameToSANDefaultImpl
- defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault
- defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default
- defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default
-@@ -166,6 +166,9 @@ defaultPolicy.subjectDirAttributesExtDefaultImpl.name=Subject Directory Attribut
- defaultPolicy.inhibitAnyPolicyExtDefaultImpl.class=com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
- defaultPolicy.inhibitAnyPolicyExtDefaultImpl.desc=Inhibit Any-Policy Extension Default
- defaultPolicy.inhibitAnyPolicyExtDefaultImpl.name=Inhibit Any-Policy Extension Default
-+defaultPolicy.commonNameToSANDefaultImpl.class=com.netscape.cms.profile.def.CommonNameToSANDefault
-+defaultPolicy.commonNameToSANDefaultImpl.desc=Copy Common Name to Subject Alternative Name
-+defaultPolicy.commonNameToSANDefaultImpl.name=Copy Common Name to Subject Alternative Name
- profile.ids=caEnrollImpl,caCACertEnrollImpl,caServerCertEnrollImpl,caUserCertEnrollImpl
- profile.caEnrollImpl.class=com.netscape.cms.profile.common.CAEnrollProfile
- profile.caEnrollImpl.desc=Certificate Authority Generic Certificate Enrollment Profile
-diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CommonNameToSANDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CommonNameToSANDefault.java
-new file mode 100644
-index 0000000..33828d1
---- /dev/null
-+++ b/base/server/cms/src/com/netscape/cms/profile/def/CommonNameToSANDefault.java
-@@ -0,0 +1,215 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2017 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cms.profile.def;
-+
-+import java.io.IOException;
-+import java.security.cert.CertificateException;
-+import java.util.List;
-+import java.util.Locale;
-+
-+import netscape.security.x509.CertificateSubjectName;
-+import netscape.security.x509.DNSName;
-+import netscape.security.x509.GeneralName;
-+import netscape.security.x509.GeneralNameInterface;
-+import netscape.security.x509.GeneralNames;
-+import netscape.security.x509.PKIXExtensions;
-+import netscape.security.x509.SubjectAlternativeNameExtension;
-+import netscape.security.x509.X500Name;
-+import netscape.security.x509.X509CertInfo;
-+
-+import com.netscape.certsrv.apps.CMS;
-+import com.netscape.certsrv.profile.EProfileException;
-+import com.netscape.certsrv.property.IDescriptor;
-+import com.netscape.certsrv.request.IRequest;
-+
-+/**
-+ * This plugin will examine the most specific CN in the Subject DN,
-+ * and if it looks like a DNS name, will add it to the SAN extension.
-+ *
-+ * It will create the SAN extension if necessary.
-+ *
-+ * If there is already a SAN dnsName value that matches
-+ * (case-insensitively) the CN, it will not add the name.
-+ *
-+ * If there is no CN in the subject DN, does nothing.
-+ *
-+ * If the most specific CN does not look like a DNS name, does
-+ * nothing.
-+ *
-+ * This profile component should be configured to execute after
-+ * other profile components that set or modify the Subject DN or the
-+ * SAN extension.
-+ */
-+public class CommonNameToSANDefault extends EnrollExtDefault {
-+
-+    private static final String LOG_PREFIX = "CommonNameToSANDefault: ";
-+
-+    public void populate(IRequest _req, X509CertInfo info)
-+            throws EProfileException {
-+        // examine the Subject DN
-+        CertificateSubjectName subjectName;
-+        try {
-+            subjectName = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
-+        } catch (CertificateException | IOException e) {
-+            CMS.debug(LOG_PREFIX + "failed to read Subject DN: " + e);
-+            return;
-+        }
-+        X500Name sdn;
-+        try {
-+            sdn = (X500Name) subjectName.get(CertificateSubjectName.DN_NAME);
-+        } catch (IOException e) {
-+            CMS.debug(LOG_PREFIX + "failed to retrieve SDN X500Name: " + e);
-+            return;
-+        }
-+        List<String> cns;
-+        try {
-+            cns = sdn.getAttributesForOid(X500Name.commonName_oid);
-+        } catch (IOException e) {
-+            // Couldn't read the CN for some reason.
-+            // Not a likely scenario so just log and return.
-+            CMS.debug(LOG_PREFIX + "failed to decode CN: " + e);
-+            return;
-+        }
-+        if (cns.size() < 1) {
-+            CMS.debug(LOG_PREFIX + "No CN in Subject DN; done");
-+            return;  // no Common Name; can't do anything
-+        }
-+
-+        String cn = cns.get(cns.size() - 1); // "most specific" CN is at end
-+
-+        CMS.debug(LOG_PREFIX + "Examining CN: " + cn);
-+
-+        if (!isValidDNSName(cn)) {
-+            CMS.debug(LOG_PREFIX + "CN is not a DNS name; done");
-+            return;  // CN does not look like a DNS name
-+        }
-+
-+        SubjectAlternativeNameExtension san = (SubjectAlternativeNameExtension)
-+            getExtension(PKIXExtensions.SubjectAlternativeName_Id.toString(), info);
-+
-+        if (san != null) {
-+            // check for existing name matching CN
-+            GeneralNames gns = san.getGeneralNames();
-+            for (GeneralNameInterface gn : gns) {
-+                if (gn instanceof GeneralName)
-+                    gn = ((GeneralName) gn).unwrap();
-+                if (gn instanceof DNSName) {
-+                    String dnsName = ((DNSName) gn).getValue();
-+                    if (cn.equalsIgnoreCase(dnsName)) {
-+                        CMS.debug(LOG_PREFIX
-+                            + "CN already has corresponding SAN dNSName; done");
-+                        return;  // CN is already in SAN
-+                    }
-+                }
-+            }
-+            gns.add(new DNSName(cn));  // add CN to SAN
-+
-+            // reset extension value (encoded value may have been cached)
-+            san.setGeneralNames(gns);
-+            CMS.debug(LOG_PREFIX + "added CN to SAN; done");
-+        } else {
-+            GeneralNames gns = new GeneralNames();
-+            gns.add(new DNSName(cn));
-+            try {
-+                san = new SubjectAlternativeNameExtension(gns);
-+                addExtension(
-+                    PKIXExtensions.SubjectAlternativeName_Id.toString(), san, info);
-+            } catch (IOException e) {
-+                CMS.debug(LOG_PREFIX + "failed to construct SAN ext: " + e);
-+                return;
-+            }
-+            CMS.debug(LOG_PREFIX + "added SAN extension containing CN; done");
-+        }
-+    }
-+
-+    public String getText(Locale locale) {
-+        return "This default add the Subject DN Common Name to the Subject "
-+            + "Alternative Name extension, if it looks like a DNS name.";
-+    }
-+
-+    public IDescriptor getValueDescriptor(Locale locale, String name) {
-+        return null;
-+    }
-+
-+    public String getValue(String name, Locale locale, X509CertInfo info) {
-+        return null;
-+    }
-+
-+    public void setValue(
-+            String name, Locale locale, X509CertInfo info, String value) {
-+    }
-+
-+    /** Validate DNS name syntax per Section 3.5 of RFC 1034
-+     * and Section 2.1 of RFC 1123, and the additional rules
-+     * of RFC 5280 Section 4.2.1.6.
-+     *
-+     * Further to those rules, we also ignore CNs that are valid
-+     * DNS names but which only have a single part (e.g. TLDs or
-+     * host short names).
-+     */
-+    public static boolean isValidDNSName(String s) {
-+        if (s == null)
-+            return false;
-+
-+        if (s.length() < 1 || s.length() > 255)
-+            return false;
-+
-+        String[] parts = s.split("\\.");
-+
-+        if (parts.length < 2)
-+            return false;
-+
-+        for (int i = 0; i < parts.length; i++) {
-+            char[] cs = parts[i].toCharArray();
-+
-+            if (cs.length < 1 || cs.length > 63)
-+                return false;
-+
-+            if (!isLetter(cs[0]))
-+                return false;
-+
-+            if (!isLetDig(cs[cs.length - 1]))
-+                return false;
-+
-+            for (int j = 0; j < cs.length; j++) {
-+                if (!isLetDigHyp(cs[j]))
-+                    return false;
-+            }
-+        }
-+
-+        return true;
-+    }
-+
-+    public static boolean isLetter(char c) {
-+        return c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z';
-+    }
-+
-+    public static boolean isDigit(char c) {
-+        return c >= '0' && c <= '9';
-+    }
-+
-+    public static boolean isLetDig(char c) {
-+        return isLetter(c) || isDigit(c);
-+    }
-+
-+    public static boolean isLetDigHyp(char c) {
-+        return isLetDig(c) || c == '-';
-+    }
-+
-+}
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-added-global-TCP-Keep-Alive-option.patch b/SOURCES/pki-core-added-global-TCP-Keep-Alive-option.patch
deleted file mode 100644
index 5693769..0000000
--- a/SOURCES/pki-core-added-global-TCP-Keep-Alive-option.patch
+++ /dev/null
@@ -1,779 +0,0 @@
-commit 55a18f821446f69331b50b8126f86b30312245c2
-Author: Endi S. Dewata <edewata@redhat.com>
-Date:   Sat Jan 7 02:32:47 2017 +0100
-
-    Added global TCP Keep-Alive option.
-    
-    A new tcp.keepAlive parameter has been added for CS.cfg to
-    configure the TCP Keep-Alive option for all LDAP connections
-    created by PKI server. By default the option is enabled.
-    
-    The LdapJssSSLSocketFactory has been modified to support both
-    plain and secure sockets. For clarity, the socket factory has been
-    renamed to PKISocketFactory.
-    
-    All codes that create LDAP connections have been modified to use
-    PKISocketFactory such that the TCP Keep-Alive option can be applied
-    globally.
-    
-    https://fedorahosted.org/pki/ticket/2564
-    
-    (cherry picked from commit b3ee1c28f658a70468c5a5fcf3cb4840574be756)
-    (cherry picked from commit 4252656c27f230a5198a01a6085dad4b8e4df59f)
-
-diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
-index bc82a98..907b5bb 100644
---- a/base/common/src/com/netscape/certsrv/apps/CMS.java
-+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
-@@ -91,6 +91,7 @@ import com.netscape.cmsutil.password.IPasswordStore;
- import netscape.ldap.LDAPConnection;
- import netscape.ldap.LDAPException;
- import netscape.ldap.LDAPSSLSocketFactoryExt;
-+import netscape.ldap.LDAPSocketFactory;
- import netscape.security.util.ObjectIdentifier;
- import netscape.security.x509.Extension;
- import netscape.security.x509.GeneralName;
-@@ -1345,6 +1346,10 @@ public final class CMS {
-         return _engine.getLdapJssSSLSocketFactory();
-     }
- 
-+    public static LDAPSocketFactory getLDAPSocketFactory(boolean secure) {
-+        return _engine.getLDAPSocketFactory(secure);
-+    }
-+
-     /**
-      * Creates a LDAP Auth Info object.
-      *
-diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
-index f781c41..7cf73fa 100644
---- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
-+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
-@@ -75,6 +75,7 @@ import com.netscape.cmsutil.password.IPasswordStore;
- import netscape.ldap.LDAPConnection;
- import netscape.ldap.LDAPException;
- import netscape.ldap.LDAPSSLSocketFactoryExt;
-+import netscape.ldap.LDAPSocketFactory;
- import netscape.security.util.ObjectIdentifier;
- import netscape.security.x509.Extension;
- import netscape.security.x509.GeneralName;
-@@ -648,6 +649,13 @@ public interface ICMSEngine extends ISubsystem {
-     public LDAPSSLSocketFactoryExt getLdapJssSSLSocketFactory();
- 
-     /**
-+     * Creates an LDAP socket factory.
-+     *
-+     * @return LDAP SSL socket factory
-+     */
-+    public LDAPSocketFactory getLDAPSocketFactory(boolean secure);
-+
-+    /**
-      * Creates a LDAP Auth Info object.
-      *
-      * @return LDAP authentication info
-diff --git a/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java b/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java
-index f740ef3..c7f818a 100644
---- a/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java
-+++ b/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCaCertPublisher.java
-@@ -22,6 +22,15 @@ import java.security.cert.X509Certificate;
- import java.util.Locale;
- import java.util.Vector;
- 
-+import com.netscape.certsrv.apps.CMS;
-+import com.netscape.certsrv.base.EBaseException;
-+import com.netscape.certsrv.base.IConfigStore;
-+import com.netscape.certsrv.base.IExtendedPluginInfo;
-+import com.netscape.certsrv.ldap.ELdapException;
-+import com.netscape.certsrv.ldap.ELdapServerDownException;
-+import com.netscape.certsrv.logging.ILogger;
-+import com.netscape.certsrv.publish.ILdapPublisher;
-+
- import netscape.ldap.LDAPAttribute;
- import netscape.ldap.LDAPConnection;
- import netscape.ldap.LDAPEntry;
-@@ -32,15 +41,6 @@ import netscape.ldap.LDAPSSLSocketFactoryExt;
- import netscape.ldap.LDAPSearchResults;
- import netscape.ldap.LDAPv2;
- 
--import com.netscape.certsrv.apps.CMS;
--import com.netscape.certsrv.base.EBaseException;
--import com.netscape.certsrv.base.IConfigStore;
--import com.netscape.certsrv.base.IExtendedPluginInfo;
--import com.netscape.certsrv.ldap.ELdapException;
--import com.netscape.certsrv.ldap.ELdapServerDownException;
--import com.netscape.certsrv.logging.ILogger;
--import com.netscape.certsrv.publish.ILdapPublisher;
--
- /**
-  * Interface for publishing a CA certificate to
-  *
-@@ -179,9 +179,11 @@ public class LdapCaCertPublisher
-                 int portVal = Integer.parseInt(port);
-                 int version = Integer.parseInt(mConfig.getString("version", "2"));
-                 String cert_nick = mConfig.getString("clientCertNickname", null);
--                LDAPSSLSocketFactoryExt sslSocket = null;
-+                LDAPSSLSocketFactoryExt sslSocket;
-                 if (cert_nick != null) {
-                     sslSocket = CMS.getLdapJssSSLSocketFactory(cert_nick);
-+                } else {
-+                    sslSocket = CMS.getLdapJssSSLSocketFactory();
-                 }
-                 String mgr_dn = mConfig.getString("bindDN", null);
-                 String mgr_pwd = mConfig.getString("bindPWD", null);
-diff --git a/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java b/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java
-index 80ffa3c..64df143 100644
---- a/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java
-+++ b/base/server/cms/src/com/netscape/cms/publish/publishers/LdapCrlPublisher.java
-@@ -22,6 +22,15 @@ import java.security.cert.X509CRL;
- import java.util.Locale;
- import java.util.Vector;
- 
-+import com.netscape.certsrv.apps.CMS;
-+import com.netscape.certsrv.base.EBaseException;
-+import com.netscape.certsrv.base.IConfigStore;
-+import com.netscape.certsrv.base.IExtendedPluginInfo;
-+import com.netscape.certsrv.ldap.ELdapException;
-+import com.netscape.certsrv.ldap.ELdapServerDownException;
-+import com.netscape.certsrv.logging.ILogger;
-+import com.netscape.certsrv.publish.ILdapPublisher;
-+
- import netscape.ldap.LDAPAttribute;
- import netscape.ldap.LDAPConnection;
- import netscape.ldap.LDAPConstraints;
-@@ -33,15 +42,6 @@ import netscape.ldap.LDAPSSLSocketFactoryExt;
- import netscape.ldap.LDAPSearchResults;
- import netscape.ldap.LDAPv2;
- 
--import com.netscape.certsrv.apps.CMS;
--import com.netscape.certsrv.base.EBaseException;
--import com.netscape.certsrv.base.IConfigStore;
--import com.netscape.certsrv.base.IExtendedPluginInfo;
--import com.netscape.certsrv.ldap.ELdapException;
--import com.netscape.certsrv.ldap.ELdapServerDownException;
--import com.netscape.certsrv.logging.ILogger;
--import com.netscape.certsrv.publish.ILdapPublisher;
--
- /**
-  * For publishing master or global CRL.
-  * Publishes (replaces) the CRL in the CA's LDAP entry.
-@@ -170,9 +170,11 @@ public class LdapCrlPublisher implements ILdapPublisher, IExtendedPluginInfo {
-                 int portVal = Integer.parseInt(port);
-                 int version = Integer.parseInt(mConfig.getString("version", "2"));
-                 String cert_nick = mConfig.getString("clientCertNickname", null);
--                LDAPSSLSocketFactoryExt sslSocket = null;
-+                LDAPSSLSocketFactoryExt sslSocket;
-                 if (cert_nick != null) {
-                     sslSocket = CMS.getLdapJssSSLSocketFactory(cert_nick);
-+                } else {
-+                    sslSocket = CMS.getLdapJssSSLSocketFactory();
-                 }
-                 String mgr_dn = mConfig.getString("bindDN", null);
-                 String mgr_pwd = mConfig.getString("bindPWD", null);
-diff --git a/base/server/cms/src/com/netscape/cms/publish/publishers/LdapUserCertPublisher.java b/base/server/cms/src/com/netscape/cms/publish/publishers/LdapUserCertPublisher.java
-index a01cf80..e87fca9 100644
---- a/base/server/cms/src/com/netscape/cms/publish/publishers/LdapUserCertPublisher.java
-+++ b/base/server/cms/src/com/netscape/cms/publish/publishers/LdapUserCertPublisher.java
-@@ -23,15 +23,6 @@ import java.util.Enumeration;
- import java.util.Locale;
- import java.util.Vector;
- 
--import netscape.ldap.LDAPAttribute;
--import netscape.ldap.LDAPConnection;
--import netscape.ldap.LDAPEntry;
--import netscape.ldap.LDAPException;
--import netscape.ldap.LDAPModification;
--import netscape.ldap.LDAPSSLSocketFactoryExt;
--import netscape.ldap.LDAPSearchResults;
--import netscape.ldap.LDAPv2;
--
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.IConfigStore;
-@@ -42,6 +33,15 @@ import com.netscape.certsrv.logging.AuditFormat;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.publish.ILdapPublisher;
- 
-+import netscape.ldap.LDAPAttribute;
-+import netscape.ldap.LDAPConnection;
-+import netscape.ldap.LDAPEntry;
-+import netscape.ldap.LDAPException;
-+import netscape.ldap.LDAPModification;
-+import netscape.ldap.LDAPSSLSocketFactoryExt;
-+import netscape.ldap.LDAPSearchResults;
-+import netscape.ldap.LDAPv2;
-+
- /**
-  * Interface for mapping a X509 certificate to a LDAP entry
-  *
-@@ -134,9 +134,11 @@ public class LdapUserCertPublisher implements ILdapPublisher, IExtendedPluginInf
-                 int portVal = Integer.parseInt(port);
-                 int version = Integer.parseInt(mConfig.getString("version", "2"));
-                 String cert_nick = mConfig.getString("clientCertNickname", null);
--                LDAPSSLSocketFactoryExt sslSocket = null;
-+                LDAPSSLSocketFactoryExt sslSocket;
-                 if (cert_nick != null) {
-                     sslSocket = CMS.getLdapJssSSLSocketFactory(cert_nick);
-+                } else {
-+                    sslSocket = CMS.getLdapJssSSLSocketFactory();
-                 }
-                 String mgr_dn = mConfig.getString("bindDN", null);
-                 String mgr_pwd = mConfig.getString("bindPWD", null);
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
-index 423fad3..22dd8c1 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/PublisherAdminServlet.java
-@@ -27,9 +27,6 @@ import javax.servlet.ServletException;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- 
--import netscape.ldap.LDAPConnection;
--import netscape.ldap.LDAPException;
--
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.authority.IAuthority;
- import com.netscape.certsrv.authority.ICertAuthority;
-@@ -67,6 +64,9 @@ import com.netscape.certsrv.publish.RulePlugin;
- import com.netscape.certsrv.security.ICryptoSubsystem;
- import com.netscape.cmsutil.password.IPasswordStore;
- 
-+import netscape.ldap.LDAPConnection;
-+import netscape.ldap.LDAPException;
-+
- /**
-  * A class representing an publishing servlet for the
-  * Publishing subsystem. This servlet is responsible
-@@ -770,14 +770,13 @@ public class PublisherAdminServlet extends AdminServlet {
-                 }
-             } else {
-                 try {
-+                    conn = new LDAPConnection(
-+                            CMS.getLDAPSocketFactory(secure));
-                     if (secure) {
--                        conn = new LDAPConnection(
--                                    CMS.getLdapJssSSLSocketFactory());
-                         params.put(Constants.PR_CONN_INITED,
-                                 "Create ssl LDAPConnection" +
-                                         dashes(70 - 25) + " Success");
-                     } else {
--                        conn = new LDAPConnection();
-                         params.put(Constants.PR_CONN_INITED,
-                                 "Create LDAPConnection" +
-                                         dashes(70 - 21) + " Success");
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
-index c62087e..af0d44e 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
-@@ -143,7 +143,7 @@ import com.netscape.cmscore.ldapconn.LdapAuthInfo;
- import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
- import com.netscape.cmscore.ldapconn.LdapBoundConnection;
- import com.netscape.cmscore.ldapconn.LdapConnInfo;
--import com.netscape.cmscore.ldapconn.LdapJssSSLSocketFactory;
-+import com.netscape.cmscore.ldapconn.PKISocketFactory;
- import com.netscape.cmscore.logging.Auditor;
- import com.netscape.cmscore.logging.LogSubsystem;
- import com.netscape.cmscore.logging.Logger;
-@@ -174,6 +174,7 @@ import com.netscape.cmsutil.util.Utils;
- import netscape.ldap.LDAPConnection;
- import netscape.ldap.LDAPException;
- import netscape.ldap.LDAPSSLSocketFactoryExt;
-+import netscape.ldap.LDAPSocketFactory;
- import netscape.security.extensions.CertInfo;
- import netscape.security.pkcs.ContentInfo;
- import netscape.security.pkcs.PKCS7;
-@@ -480,9 +481,7 @@ public class CMSEngine implements ICMSEngine {
-         String host = info.getHost();
-         int port = info.getPort();
- 
--        LDAPConnection conn = info.getSecure() ?
--                new LDAPConnection(CMS.getLdapJssSSLSocketFactory()) :
--                new LDAPConnection();
-+        LDAPConnection conn = new LDAPConnection(CMS.getLDAPSocketFactory(info.getSecure()));
- 
-         System.out.println("testLDAPConnection connecting to " + host + ":" + port);
- 
-@@ -1027,11 +1026,15 @@ public class CMSEngine implements ICMSEngine {
- 
-     public LDAPSSLSocketFactoryExt getLdapJssSSLSocketFactory(
-             String certNickname) {
--        return new LdapJssSSLSocketFactory(certNickname);
-+        return new PKISocketFactory(certNickname);
-     }
- 
-     public LDAPSSLSocketFactoryExt getLdapJssSSLSocketFactory() {
--        return new LdapJssSSLSocketFactory();
-+        return new PKISocketFactory(true);
-+    }
-+
-+    public LDAPSocketFactory getLDAPSocketFactory(boolean secure) {
-+        return new PKISocketFactory(secure);
-     }
- 
-     public ILdapAuthInfo getLdapAuthInfo() {
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapAnonConnection.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapAnonConnection.java
-index 52cdc4b..5d5e142 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapAnonConnection.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapAnonConnection.java
-@@ -40,7 +40,7 @@ public class LdapAnonConnection extends LDAPConnection {
-      */
-     public LdapAnonConnection(LdapConnInfo connInfo)
-             throws LDAPException {
--        super(connInfo.getSecure() ? new LdapJssSSLSocketFactory() : null);
-+        super(new PKISocketFactory(connInfo.getSecure()));
- 
-         // Set option to automatically follow referrals.
-         // rebind info is also anonymous.
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapBoundConnection.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapBoundConnection.java
-index 787967a..a326344 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapBoundConnection.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapBoundConnection.java
-@@ -19,6 +19,8 @@ package com.netscape.cmscore.ldapconn;
- 
- import java.util.Properties;
- 
-+import com.netscape.certsrv.apps.CMS;
-+
- import netscape.ldap.LDAPConnection;
- import netscape.ldap.LDAPException;
- import netscape.ldap.LDAPRebind;
-@@ -26,8 +28,6 @@ import netscape.ldap.LDAPRebindAuth;
- import netscape.ldap.LDAPSocketFactory;
- import netscape.ldap.LDAPv2;
- 
--import com.netscape.certsrv.apps.CMS;
--
- /**
-  * A LDAP connection that is bound to a server host, port, secure type.
-  * and authentication.
-@@ -56,8 +56,8 @@ public class LdapBoundConnection extends LDAPConnection {
-         // this LONG line to satisfy super being the first call. (yuk)
-         super(
-                 authInfo.getAuthType() == LdapAuthInfo.LDAP_AUTHTYPE_SSLCLIENTAUTH ?
--                        new LdapJssSSLSocketFactory(authInfo.getParms()[0]) :
--                        (connInfo.getSecure() ? new LdapJssSSLSocketFactory() : null));
-+                        new PKISocketFactory(authInfo.getParms()[0]) :
-+                        new PKISocketFactory(connInfo.getSecure()));
- 
-         // Set option to automatically follow referrals.
-         // Use the same credentials to follow referrals; this is the easiest
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
-deleted file mode 100644
-index b54d1e2..0000000
---- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
-+++ /dev/null
-@@ -1,177 +0,0 @@
--// --- BEGIN COPYRIGHT BLOCK ---
--// This program is free software; you can redistribute it and/or modify
--// it under the terms of the GNU General Public License as published by
--// the Free Software Foundation; version 2 of the License.
--//
--// This program is distributed in the hope that it will be useful,
--// but WITHOUT ANY WARRANTY; without even the implied warranty of
--// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--// GNU General Public License for more details.
--//
--// You should have received a copy of the GNU General Public License along
--// with this program; if not, write to the Free Software Foundation, Inc.,
--// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
--//
--// (C) 2007 Red Hat, Inc.
--// All rights reserved.
--// --- END COPYRIGHT BLOCK ---
--package com.netscape.cmscore.ldapconn;
--
--import java.io.IOException;
--import java.net.InetAddress;
--import java.net.Socket;
--import java.net.UnknownHostException;
--import java.util.Iterator;
--import java.util.Vector;
--
--import netscape.ldap.LDAPException;
--import netscape.ldap.LDAPSSLSocketFactoryExt;
--
--import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
--import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
--import org.mozilla.jss.ssl.SSLHandshakeCompletedListener;
--import org.mozilla.jss.ssl.SSLSocket;
--
--import com.netscape.certsrv.apps.CMS;
--import com.netscape.certsrv.logging.ILogger;
--
--/**
-- * Uses HCL ssl socket.
-- *
-- * @author Lily Hsiao lhsiao@netscape.com
-- */
--public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
--    private String mClientAuthCertNickname = null;
--    private boolean mClientAuth = false;
--
--    public LdapJssSSLSocketFactory() {
--    }
--
--    public LdapJssSSLSocketFactory(String certNickname) {
--        mClientAuthCertNickname = certNickname;
--    }
--
--    public Socket makeSocket(String host, int port) throws LDAPException {
--        SSLSocket s = null;
--
--        try {
--            /*
--             * let inherit TLS range and cipher settings
--             */
--
--            if (mClientAuthCertNickname == null) {
--                s = new SSLSocket(host, port);
--            }
--            else {
--                //Let's create a selection callback in the case the client auth
--                //No longer manually set the cert name.
--                //This two step process, used in the JSS client auth test suite,
--                //appears to be needed to get this working.
--
--                Socket js = new Socket(InetAddress.getByName(host), port);
--                s = new SSLSocket(js, host,
--                        null,
--                        new SSLClientCertificateSelectionCB(mClientAuthCertNickname));
--            }
--
--            s.setUseClientMode(true);
--            s.enableV2CompatibleHello(false);
--
--            SSLHandshakeCompletedListener listener = null;
--
--            listener = new ClientHandshakeCB(this);
--            s.addHandshakeCompletedListener(listener);
--
--            if (mClientAuthCertNickname != null) {
--                mClientAuth = true;
--                CMS.debug("LdapJssSSLSocket: set client auth cert nickname " +
--                        mClientAuthCertNickname);
--
--                //We have already established the manual cert selection callback
--                //Doing it this way will provide some debugging info on the candidate certs
--            }
--            s.forceHandshake();
--
--        } catch (UnknownHostException e) {
--            log(ILogger.LL_FAILURE,
--                    CMS.getLogMessage("CMSCORE_LDAPCONN_UNKNOWN_HOST"));
--            throw new LDAPException(
--                    "Cannot Create JSS SSL Socket - Unknown host: " + e);
--
--        } catch (IOException e) {
--            if (s != null) {
--                try {
--                    s.close();
--                } catch (IOException e1) {
--                    e1.printStackTrace();
--                }
--            }
--            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_LDAPCONN_IO_ERROR", e.toString()));
--            throw new LDAPException("IO Error creating JSS SSL Socket: " + e);
--        }
--
--        return s;
--    }
--
--    public boolean isClientAuth() {
--        return mClientAuth;
--    }
--
--    public Object getCipherSuites() {
--        return null;
--    }
--
--    public void log(int level, String msg) {
--    }
--
--    static class ClientHandshakeCB implements SSLHandshakeCompletedListener {
--        Object sc;
--
--        public ClientHandshakeCB(Object sc) {
--            this.sc = sc;
--        }
--
--        public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
--            CMS.debug("SSL handshake happened");
--        }
--    }
--
--    static class SSLClientCertificateSelectionCB implements SSLClientCertificateSelectionCallback {
--        String desiredCertName = null;
--
--        public SSLClientCertificateSelectionCB(String clientAuthCertNickname) {
--            CMS.debug("SSLClientCertificateSelectionCB: Setting desired cert nickname to: " + clientAuthCertNickname);
--            desiredCertName = clientAuthCertNickname;
--        }
--
--        @Override
--        public String select(Vector certs) {
--
--            CMS.debug("SSLClientCertificatSelectionCB: Entering!");
--
--            if(desiredCertName == null) {
--                return null;
--            }
--
--            @SuppressWarnings("unchecked")
--            Iterator<String> itr = certs.iterator();
--            String selection = null;
--
--            while(itr.hasNext()){
--                String candidate = itr.next();
--                CMS.debug("Candidate cert: " + candidate);
--                if(desiredCertName.equalsIgnoreCase(candidate)) {
--                    selection = candidate;
--                    CMS.debug("SSLClientCertificateSelectionCB: desired cert found in list: " + desiredCertName);
--                    break;
--                }
--            }
--
--            CMS.debug("SSLClientCertificateSelectionCB: returning: " + selection);
--            return selection;
--
--        }
--
--    }
--
--}
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
-new file mode 100644
-index 0000000..d0c23ed
---- /dev/null
-+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
-@@ -0,0 +1,211 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2007 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+package com.netscape.cmscore.ldapconn;
-+
-+import java.io.IOException;
-+import java.net.InetAddress;
-+import java.net.Socket;
-+import java.net.UnknownHostException;
-+import java.util.Iterator;
-+import java.util.Vector;
-+
-+import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
-+import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
-+import org.mozilla.jss.ssl.SSLHandshakeCompletedListener;
-+import org.mozilla.jss.ssl.SSLSocket;
-+
-+import com.netscape.certsrv.apps.CMS;
-+import com.netscape.certsrv.base.IConfigStore;
-+
-+import netscape.ldap.LDAPException;
-+import netscape.ldap.LDAPSSLSocketFactoryExt;
-+
-+/**
-+ * Uses HCL ssl socket.
-+ *
-+ * @author Lily Hsiao lhsiao@netscape.com
-+ */
-+public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
-+
-+    private boolean secure;
-+    private String mClientAuthCertNickname;
-+    private boolean mClientAuth;
-+    private boolean keepAlive;
-+
-+    public PKISocketFactory() {
-+        init();
-+    }
-+
-+    public PKISocketFactory(boolean secure) {
-+        this.secure = secure;
-+        init();
-+    }
-+
-+    public PKISocketFactory(String certNickname) {
-+        this.secure = true;
-+        mClientAuthCertNickname = certNickname;
-+        init();
-+    }
-+
-+    public void init() {
-+        try {
-+            IConfigStore cs = CMS.getConfigStore();
-+            keepAlive = cs.getBoolean("tcp.keepAlive", true);
-+            CMS.debug("TCP Keep-Alive: " + keepAlive);
-+
-+        } catch (Exception e) {
-+            CMS.debug(e);
-+            throw new RuntimeException("Unable to read TCP configuration: " + e, e);
-+        }
-+    }
-+
-+    public SSLSocket makeSSLSocket(String host, int port) throws UnknownHostException, IOException {
-+
-+        /*
-+         * let inherit TLS range and cipher settings
-+         */
-+
-+        SSLSocket s;
-+
-+        if (mClientAuthCertNickname == null) {
-+            s = new SSLSocket(host, port);
-+
-+        } else {
-+            // Let's create a selection callback in the case the client auth
-+            // No longer manually set the cert name.
-+            // This two step process, used in the JSS client auth test suite,
-+            // appears to be needed to get this working.
-+
-+            Socket js = new Socket(InetAddress.getByName(host), port);
-+            s = new SSLSocket(js, host,
-+                    null,
-+                    new SSLClientCertificateSelectionCB(mClientAuthCertNickname));
-+        }
-+
-+        s.setUseClientMode(true);
-+        s.enableV2CompatibleHello(false);
-+
-+        SSLHandshakeCompletedListener listener = null;
-+
-+        listener = new ClientHandshakeCB(this);
-+        s.addHandshakeCompletedListener(listener);
-+
-+        if (mClientAuthCertNickname != null) {
-+            mClientAuth = true;
-+            CMS.debug("LdapJssSSLSocket: set client auth cert nickname " +
-+                    mClientAuthCertNickname);
-+
-+            //We have already established the manual cert selection callback
-+            //Doing it this way will provide some debugging info on the candidate certs
-+        }
-+        s.forceHandshake();
-+
-+        return s;
-+    }
-+
-+    public Socket makeSocket(String host, int port) throws LDAPException {
-+
-+        Socket s = null;
-+
-+        try {
-+            if (!secure) {
-+                s = new Socket(host, port);
-+
-+            } else {
-+                s = makeSSLSocket(host, port);
-+            }
-+
-+            s.setKeepAlive(keepAlive);
-+
-+        } catch (Exception e) {
-+            CMS.debug(e);
-+            if (s != null) {
-+                try {
-+                    s.close();
-+                } catch (IOException e1) {
-+                    CMS.debug(e1);
-+                }
-+            }
-+            throw new LDAPException("Unable to create socket: " + e);
-+        }
-+
-+        return s;
-+    }
-+
-+    public boolean isClientAuth() {
-+        return mClientAuth;
-+    }
-+
-+    public Object getCipherSuites() {
-+        return null;
-+    }
-+
-+    public void log(int level, String msg) {
-+    }
-+
-+    static class ClientHandshakeCB implements SSLHandshakeCompletedListener {
-+        Object sc;
-+
-+        public ClientHandshakeCB(Object sc) {
-+            this.sc = sc;
-+        }
-+
-+        public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
-+            CMS.debug("SSL handshake happened");
-+        }
-+    }
-+
-+    static class SSLClientCertificateSelectionCB implements SSLClientCertificateSelectionCallback {
-+        String desiredCertName = null;
-+
-+        public SSLClientCertificateSelectionCB(String clientAuthCertNickname) {
-+            CMS.debug("SSLClientCertificateSelectionCB: Setting desired cert nickname to: " + clientAuthCertNickname);
-+            desiredCertName = clientAuthCertNickname;
-+        }
-+
-+        @Override
-+        public String select(Vector certs) {
-+
-+            CMS.debug("SSLClientCertificatSelectionCB: Entering!");
-+
-+            if(desiredCertName == null) {
-+                return null;
-+            }
-+
-+            @SuppressWarnings("unchecked")
-+            Iterator<String> itr = certs.iterator();
-+            String selection = null;
-+
-+            while(itr.hasNext()){
-+                String candidate = itr.next();
-+                CMS.debug("Candidate cert: " + candidate);
-+                if(desiredCertName.equalsIgnoreCase(candidate)) {
-+                    selection = candidate;
-+                    CMS.debug("SSLClientCertificateSelectionCB: desired cert found in list: " + desiredCertName);
-+                    break;
-+                }
-+            }
-+
-+            CMS.debug("SSLClientCertificateSelectionCB: returning: " + selection);
-+            return selection;
-+
-+        }
-+
-+    }
-+
-+}
-diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
-index d2b7fe8..73d039f 100644
---- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
-+++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
-@@ -60,6 +60,7 @@ import com.netscape.cmsutil.password.IPasswordStore;
- import netscape.ldap.LDAPConnection;
- import netscape.ldap.LDAPException;
- import netscape.ldap.LDAPSSLSocketFactoryExt;
-+import netscape.ldap.LDAPSocketFactory;
- import netscape.security.util.ObjectIdentifier;
- import netscape.security.x509.Extension;
- import netscape.security.x509.GeneralName;
-@@ -344,6 +345,10 @@ public class CMSEngineDefaultStub implements ICMSEngine {
-         return null;
-     }
- 
-+    public LDAPSocketFactory getLDAPSocketFactory(boolean secure) {
-+        return null;
-+    }
-+
-     public ILdapAuthInfo getLdapAuthInfo() {
-         return null;
-     }
diff --git a/SOURCES/pki-core-added-option-to-remove-signing-cert-entry.patch b/SOURCES/pki-core-added-option-to-remove-signing-cert-entry.patch
deleted file mode 100644
index dabd033..0000000
--- a/SOURCES/pki-core-added-option-to-remove-signing-cert-entry.patch
+++ /dev/null
@@ -1,193 +0,0 @@
-commit 1dbe79d48ac48d320fb0d2cac0f20329846cdbb1
-Author: Ade Lee <alee@redhat.com>
-Date:   Fri Jan 20 11:01:41 2017 -0500
-
-    Add option to remove signing cert entry
-    
-    In the migration case, it is useful to delete the initially
-    created signing certificate database record and have that be
-    imported through the ldif data import instead.
-    
-    Therefore, we add an option to remove this entry.  The user
-    also needs to provide the serial number for the entry.
-    
-    This resolves the following tickets/BZs:
-    BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed
-       on CA website incorrect
-    BZ# 1409946/Trac 2571 -  Request ID undefined for CA signing
-       certificate
-    
-    (cherry picked from commit 049a4e3e09328bfcdff62dc189ad95917647fb22)
-    (cherry picked from commit 42bc6fc8eeef3c8bea036a7fc327696983dcf17c)
-
-diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
-index 3c7e483..309f68d 100644
---- a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
-+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
-@@ -24,8 +24,7 @@ import java.net.MalformedURLException;
- import java.net.URL;
- import java.util.StringTokenizer;
- 
--import netscape.ldap.LDAPAttribute;
--
-+import org.apache.commons.lang.StringUtils;
- import org.dogtagpki.server.rest.SystemConfigService;
- 
- import com.netscape.certsrv.apps.CMS;
-@@ -41,6 +40,10 @@ import com.netscape.cms.servlet.csadmin.ConfigurationUtils;
- import com.netscape.cmscore.base.LDAPConfigStore;
- import com.netscape.cmscore.profile.LDAPProfileSubsystem;
- 
-+import netscape.ldap.LDAPAttribute;
-+import netscape.ldap.LDAPConnection;
-+import netscape.ldap.LDAPException;
-+
- /**
-  * @author alee
-  *
-@@ -93,6 +96,19 @@ public class CAInstallerService extends SystemConfigService {
-             CMS.debug(e);
-             throw new PKIException("Error enabling profile subsystem");
-         }
-+
-+        if (! request.createSigningCertRecord()) {
-+            // This is the migration case.  In this case, we will delete the
-+            // record that was created during the install process.
-+
-+            try {
-+                String serialNumber = request.getSigningCertSerialNumber();
-+                deleteSigningRecord(serialNumber);
-+            } catch (Exception e) {
-+                CMS.debug(e);
-+                throw new PKIException("Error deleting signing cert record:" + e, e);
-+            }
-+        }
-     }
- 
-     @Override
-@@ -189,9 +205,37 @@ public class CAInstallerService extends SystemConfigService {
-         configStore.commit(false /* no backup */);
-     }
- 
-+    private void deleteSigningRecord(String serialNumber) throws EBaseException, LDAPException {
-+
-+        if (StringUtils.isEmpty(serialNumber)) {
-+            throw new PKIException("signing certificate serial number not specified in configuration request");
-+        }
-+
-+        LDAPConnection conn = null;
-+        try {
-+            IConfigStore dbCfg = cs.getSubStore("internaldb");
-+            ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory("CAInstallerService");
-+            dbFactory.init(dbCfg);
-+            conn = dbFactory.getConn();
-+
-+            String basedn = dbCfg.getString("basedn", "");
-+            String dn = "cn=" + serialNumber + ",ou=certificateRepository,ou=ca," + basedn;
-+
-+            conn.delete(dn);
-+        } finally {
-+            try {
-+                if (conn != null)
-+                    conn.disconnect();
-+            } catch (LDAPException e) {
-+                CMS.debug(e);
-+                CMS.debug("releaseConnection: " + e);
-+            }
-+        }
-+    }
-+
-     private void configureStartingCRLNumber(ConfigurationRequest data) {
-         CMS.debug("CAInstallerService:configureStartingCRLNumber entering.");
--        cs.putString("ca.crl.MasterCRL.startingCrlNumber",data.getStartingCRLNumber() );
-+        cs.putString("ca.crl.MasterCRL.startingCrlNumber",data.getStartingCRLNumber());
- 
-     }
-     private void disableCRLCachingAndGenerationForClone(ConfigurationRequest data) throws MalformedURLException {
-diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
-index cd9d3c8..5d69200 100644
---- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
-+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
-@@ -237,6 +237,12 @@ public class ConfigurationRequest {
-     @XmlElement
-     protected String startingCRLNumber;
- 
-+    @XmlElement
-+    protected Boolean createSigningCertRecord;
-+
-+    @XmlElement
-+    protected String signingCertSerialNumber;
-+
-     public ConfigurationRequest() {
-         // required for JAXB
-     }
-@@ -943,6 +949,30 @@ public class ConfigurationRequest {
-         this.startingCRLNumber = startingCRLNumber;
-     }
- 
-+    public String getIsClone() {
-+        return isClone;
-+    }
-+
-+    public void setIsClone(String isClone) {
-+        this.isClone = isClone;
-+    }
-+
-+    public Boolean createSigningCertRecord() {
-+        return createSigningCertRecord;
-+    }
-+
-+    public void setCreateSigningCertRecord(Boolean createSigningCertRecord) {
-+        this.createSigningCertRecord = createSigningCertRecord;
-+    }
-+
-+    public String getSigningCertSerialNumber() {
-+        return signingCertSerialNumber;
-+    }
-+
-+    public void setSigningCertSerialNumber(String signingCertSerialNumber) {
-+        this.signingCertSerialNumber = signingCertSerialNumber;
-+    }
-+
-     @Override
-     public String toString() {
-         return "ConfigurationRequest [pin=XXXX" +
-@@ -1007,6 +1037,8 @@ public class ConfigurationRequest {
-                ", subordinateSecurityDomainName=" + subordinateSecurityDomainName +
-                ", reindexData=" + reindexData +
-                ", startingCrlNumber=" + startingCRLNumber +
-+               ", createSigningCertRecord=" + createSigningCertRecord +
-+               ", signingCertSerialNumber=" + signingCertSerialNumber +
-                "]";
-     }
- 
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index e79ff06..cd506cc 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -291,6 +291,8 @@ pki_ca_signing_key_algorithm=SHA256withRSA
- pki_ca_signing_key_size=2048
- pki_ca_signing_key_type=rsa
- pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
-+pki_ca_signing_record_create=True
-+pki_ca_signing_serial_number=1
- pki_ca_signing_signing_algorithm=SHA256withRSA
- pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_ca_signing_token=
-diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
-index b6eacf1..f77c21a 100644
---- a/base/server/python/pki/server/deployment/pkihelper.py
-+++ b/base/server/python/pki/server/deployment/pkihelper.py
-@@ -4095,6 +4095,12 @@ class ConfigClient:
-         # Misc CA parameters
-         if self.subsystem == "CA":
-             data.startingCRLNumber = self.mdict['pki_ca_starting_crl_number']
-+            data.createSigningCertRecord = (
-+                self.mdict['pki_ca_signing_record_create'].lower()
-+            )
-+            data.signingCertSerialNumber = (
-+                self.mdict['pki_ca_signing_serial_number'].lower()
-+            )
- 
-         return data
- 
diff --git a/SOURCES/pki-core-added-upgrade-script-to-update-AJP-localhost.patch b/SOURCES/pki-core-added-upgrade-script-to-update-AJP-localhost.patch
deleted file mode 100644
index 9e48d0b..0000000
--- a/SOURCES/pki-core-added-upgrade-script-to-update-AJP-localhost.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-commit 219c633d2aae2ae81724d4588e6aaf6969603ebb
-Author: Endi S. Dewata <edewata@redhat.com>
-Date:   Thu Jan 19 21:43:24 2017 +0100
-
-    Added upgrade script to update AJP loopback address.
-    
-    An upgrade script has been added to replace IPv4- and IPv6-specific
-    AJP loopback address with a more generic "localhost" in existing
-    instances.
-    
-    https://fedorahosted.org/pki/ticket/2570
-    
-    (cherry picked from commit cb839206d6c1d562e2e4385f6822c7934e9455c6)
-    (cherry picked from commit 6b8c54d29cfc4f448566f50cb27a40eda07052ca)
-
-diff --git a/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress b/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress
-new file mode 100755
-index 0000000..b7d5c0e
---- /dev/null
-+++ b/base/server/upgrade/10.3.5/03-UpdateAJPLoopbackAddress
-@@ -0,0 +1,62 @@
-+#!/usr/bin/python
-+# Authors:
-+#     Endi S. Dewata <edewata@redhat.com>
-+#
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation; version 2 of the License.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License along
-+# with this program; if not, write to the Free Software Foundation, Inc.,
-+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Copyright (C) 2017 Red Hat, Inc.
-+# All rights reserved.
-+#
-+
-+from __future__ import absolute_import
-+import os
-+from lxml import etree
-+
-+import pki
-+
-+
-+class UpdateAJPLoopbackAddress(
-+        pki.server.upgrade.PKIServerUpgradeScriptlet):
-+
-+    def __init__(self):
-+        super(UpdateAJPLoopbackAddress, self).__init__()
-+        self.message = 'Update AJP loopback address'
-+
-+        self.parser = etree.XMLParser(remove_blank_text=True)
-+
-+    def upgrade_instance(self, instance):
-+
-+        server_xml = os.path.join(instance.conf_dir, 'server.xml')
-+        self.backup(server_xml)
-+
-+        document = etree.parse(server_xml, self.parser)
-+
-+        server = document.getroot()
-+        connectors = server.findall('.//Connector')
-+
-+        # replace IPv4- or IPv6-specific AJP loopback address with localhost
-+        for connector in connectors:
-+
-+            protocol = connector.get('protocol')
-+            if protocol != 'AJP/1.3':
-+                continue
-+
-+            address = connector.get('address')
-+            if address != '127.0.0.1' and address != '::1':
-+                continue
-+
-+            connector.set('address', 'localhost')
-+
-+        with open(server_xml, 'wb') as f:
-+            document.write(f, pretty_print=True, encoding='utf-8')
diff --git a/SOURCES/pki-core-alpha.patch b/SOURCES/pki-core-alpha.patch
new file mode 100644
index 0000000..8b8c196
--- /dev/null
+++ b/SOURCES/pki-core-alpha.patch
@@ -0,0 +1,18931 @@
+From 8d60caa44803915c153e1919ccaf08b166d38190 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 29 Mar 2017 03:36:39 +0200
+Subject: [PATCH 01/59] Removed duplicate PROP_ROLLOVER_INTERVAL constant.
+
+Change-Id: I66b369ec33f97dab96f6d832e2eb9ab0c6cdbe98
+---
+ .../src/com/netscape/cms/logging/RollingLogFile.java   | 18 +++++++++---------
+ .../netscape/cms/servlet/admin/LogAdminServlet.java    |  2 +-
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+index 32568da..d84c441 100644
+--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
++++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+@@ -32,6 +32,7 @@ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.IExtendedPluginInfo;
++import com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.logging.ConsoleError;
+ import com.netscape.certsrv.logging.ELogException;
+@@ -49,7 +50,6 @@ import com.netscape.cmsutil.util.Utils;
+  */
+ public class RollingLogFile extends LogFile {
+     public static final String PROP_MAX_FILE_SIZE = "maxFileSize";
+-    public static final String PROP_ROLLOVER_INTERVAL = "rolloverInterval";
+     public static final String PROP_EXPIRATION_TIME = "expirationTime";
+ 
+     /**
+@@ -116,7 +116,7 @@ public class RollingLogFile extends LogFile {
+         super.init(config);
+ 
+         rl_init(config.getInteger(PROP_MAX_FILE_SIZE, MAX_FILE_SIZE),
+-                config.getString(PROP_ROLLOVER_INTERVAL, ROLLOVER_INTERVAL),
++                config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL),
+                 config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME));
+     }
+ 
+@@ -585,7 +585,7 @@ public class RollingLogFile extends LogFile {
+         Vector<String> v = super.getDefaultParams();
+ 
+         v.addElement(PROP_MAX_FILE_SIZE + "=");
+-        v.addElement(PROP_ROLLOVER_INTERVAL + "=");
++        v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=");
+         //v.addElement(PROP_EXPIRATION_TIME + "=");
+         return v;
+     }
+@@ -596,15 +596,15 @@ public class RollingLogFile extends LogFile {
+         try {
+             v.addElement(PROP_MAX_FILE_SIZE + "=" + mMaxFileSize / 1024);
+             if (mRolloverInterval / 1000 <= 60 * 60)
+-                v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Hourly");
++                v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Hourly");
+             else if (mRolloverInterval / 1000 <= 60 * 60 * 24)
+-                v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Daily");
++                v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Daily");
+             else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 7)
+-                v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Weekly");
++                v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Weekly");
+             else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 30)
+-                v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Monthly");
++                v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Monthly");
+             else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 366)
+-                v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Yearly");
++                v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Yearly");
+ 
+             //v.addElement(PROP_EXPIRATION_TIME + "=" + mExpirationTime / 1000);
+         } catch (Exception e) {
+@@ -622,7 +622,7 @@ public class RollingLogFile extends LogFile {
+         }
+         info.addElement(PROP_MAX_FILE_SIZE
+                 + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated.");
+-        info.addElement(PROP_ROLLOVER_INTERVAL
++        info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL
+                 + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated.");
+         info.addElement(PROP_EXPIRATION_TIME
+                 + ";integer;The amount of time before a backed up log is removed in seconds");
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
+index d665224..08c3293 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
+@@ -1645,7 +1645,7 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                     }
+ 
+-                    if (key.equals("rolloverInterval")) {
++                    if (key.equals(Constants.PR_LOG_ROLLEROVER_INTERVAL)) {
+                         if (val.equals("Hourly"))
+                             val = Integer.toString(60 * 60);
+                         else if (val.equals("Daily"))
+-- 
+1.8.3.1
+
+
+From 939896c06013065a7566002a2708d4598d3d7b96 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 30 Mar 2017 07:08:52 +0200
+Subject: [PATCH 02/59] Removed duplicate PROP_MAX_FILE_SIZE constant.
+
+Change-Id: Ic2aa92985e8aee9b5405ad542c640ca67a0047c6
+---
+ base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+index d84c441..4d29715 100644
+--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
++++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+@@ -49,7 +49,6 @@ import com.netscape.cmsutil.util.Utils;
+  * @version $Revision$, $Date$
+  */
+ public class RollingLogFile extends LogFile {
+-    public static final String PROP_MAX_FILE_SIZE = "maxFileSize";
+     public static final String PROP_EXPIRATION_TIME = "expirationTime";
+ 
+     /**
+@@ -115,7 +114,7 @@ public class RollingLogFile extends LogFile {
+             EBaseException {
+         super.init(config);
+ 
+-        rl_init(config.getInteger(PROP_MAX_FILE_SIZE, MAX_FILE_SIZE),
++        rl_init(config.getInteger(Constants.PR_LOG_MAXFILESIZE, MAX_FILE_SIZE),
+                 config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL),
+                 config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME));
+     }
+@@ -584,7 +583,7 @@ public class RollingLogFile extends LogFile {
+     public Vector<String> getDefaultParams() {
+         Vector<String> v = super.getDefaultParams();
+ 
+-        v.addElement(PROP_MAX_FILE_SIZE + "=");
++        v.addElement(Constants.PR_LOG_MAXFILESIZE + "=");
+         v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=");
+         //v.addElement(PROP_EXPIRATION_TIME + "=");
+         return v;
+@@ -594,7 +593,7 @@ public class RollingLogFile extends LogFile {
+         Vector<String> v = super.getInstanceParams();
+ 
+         try {
+-            v.addElement(PROP_MAX_FILE_SIZE + "=" + mMaxFileSize / 1024);
++            v.addElement(Constants.PR_LOG_MAXFILESIZE + "=" + mMaxFileSize / 1024);
+             if (mRolloverInterval / 1000 <= 60 * 60)
+                 v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Hourly");
+             else if (mRolloverInterval / 1000 <= 60 * 60 * 24)
+@@ -620,7 +619,7 @@ public class RollingLogFile extends LogFile {
+             if (!p[i].startsWith(IExtendedPluginInfo.HELP_TOKEN) && !p[i].startsWith(IExtendedPluginInfo.HELP_TEXT))
+                 info.addElement(p[i]);
+         }
+-        info.addElement(PROP_MAX_FILE_SIZE
++        info.addElement(Constants.PR_LOG_MAXFILESIZE
+                 + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated.");
+         info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL
+                 + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated.");
+-- 
+1.8.3.1
+
+
+From 01b510f51992e04ffc84aefdd2d3e1f09b09b480 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 30 Mar 2017 22:57:19 +0200
+Subject: [PATCH 03/59] Removed duplicate PROP_EXPIRATION_TIME constant.
+
+Change-Id: Ife9108019994b385fc452da0f29dee64d0ccc5d3
+---
+ base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java   | 7 +++----
+ .../cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java    | 6 +++---
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+index 4d29715..fb70f46 100644
+--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
++++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+@@ -49,7 +49,6 @@ import com.netscape.cmsutil.util.Utils;
+  * @version $Revision$, $Date$
+  */
+ public class RollingLogFile extends LogFile {
+-    public static final String PROP_EXPIRATION_TIME = "expirationTime";
+ 
+     /**
+      * The default max file size in bytes
+@@ -116,7 +115,7 @@ public class RollingLogFile extends LogFile {
+ 
+         rl_init(config.getInteger(Constants.PR_LOG_MAXFILESIZE, MAX_FILE_SIZE),
+                 config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL),
+-                config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME));
++                config.getString(Constants.PR_LOG_EXPIRED_TIME, EXPIRATION_TIME));
+     }
+ 
+     /**
+@@ -585,7 +584,7 @@ public class RollingLogFile extends LogFile {
+ 
+         v.addElement(Constants.PR_LOG_MAXFILESIZE + "=");
+         v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=");
+-        //v.addElement(PROP_EXPIRATION_TIME + "=");
++        //v.addElement(Constants.PR_LOG_EXPIRED_TIME + "=");
+         return v;
+     }
+ 
+@@ -623,7 +622,7 @@ public class RollingLogFile extends LogFile {
+                 + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated.");
+         info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL
+                 + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated.");
+-        info.addElement(PROP_EXPIRATION_TIME
++        info.addElement(Constants.PR_LOG_EXPIRED_TIME
+                 + ";integer;The amount of time before a backed up log is removed in seconds");
+         info.addElement(IExtendedPluginInfo.HELP_TOKEN +
+                 //";configuration-logrules-rollinglogfile");
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
+index 08c3293..13ba52c 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
+@@ -834,7 +834,7 @@ public class LogAdminServlet extends AdminServlet {
+             // files is no longer supported, it is still a required parameter
+             // that must be present during the creation and modification of
+             // custom log plugins.
+-            substore.put("expirationTime", "0");
++            substore.put(Constants.PR_LOG_EXPIRED_TIME, "0");
+ 
+             // Instantiate an object for this implementation
+             String className = plugin.getClassPath();
+@@ -1591,7 +1591,7 @@ public class LogAdminServlet extends AdminServlet {
+             // files is no longer supported, it is still a required parameter
+             // that must be present during the creation and modification of
+             // custom log plugins.
+-            substore.put("expirationTime", "0");
++            substore.put(Constants.PR_LOG_EXPIRED_TIME, "0");
+ 
+             // IMPORTANT:  save a copy of the original log file path
+             origLogPath = substore.getString(Constants.PR_LOG_FILENAME);
+@@ -1702,7 +1702,7 @@ public class LogAdminServlet extends AdminServlet {
+                             }
+                         }
+                         /*
+-                                                if (key.equals("expirationTime")) {
++                                                if (key.equals(Constants.PR_LOG_EXPIRED_TIME)) {
+                                                     String origVal = substore.getString(key);
+ 
+                                                     val = val.trim();
+-- 
+1.8.3.1
+
+
+From 1d3216aece7381cbac7b812dfbb969b466b31abe Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 30 Mar 2017 22:31:30 +0200
+Subject: [PATCH 04/59] Fixed default subsystems for top-level CLI commands.
+
+The top-level CLI commands have been modified to get the subsystem
+name from the parent subsystem CLI if available, otherwise they
+will use a hard-coded default value.
+
+https://pagure.io/dogtagpki/issue/2626
+
+Change-Id: Ieef45abfdfb4a6fc63fd06a6ccda4e70366de4a0
+---
+ base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java    | 10 ++++++++--
+ base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java  | 10 ++++++++--
+ base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java      |  9 +++++++--
+ .../src/com/netscape/cmstools/system/SecurityDomainCLI.java    | 10 ++++++++--
+ base/java-tools/src/com/netscape/cmstools/user/UserCLI.java    | 10 ++++++++--
+ 5 files changed, 39 insertions(+), 10 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java
+index 9687084..af117a6 100644
+--- a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java
+@@ -32,6 +32,7 @@ import com.netscape.certsrv.cert.CertReviewResponse;
+ import com.netscape.certsrv.client.PKIClient;
+ import com.netscape.cmstools.cli.CLI;
+ import com.netscape.cmstools.cli.MainCLI;
++import com.netscape.cmstools.cli.SubsystemCLI;
+ 
+ /**
+  * @author Endi S. Dewata
+@@ -81,8 +82,13 @@ public class CertCLI extends CLI {
+         PKIClient client = getClient();
+ 
+         // determine the subsystem
+-        String subsystem = client.getSubsystem();
+-        if (subsystem == null) subsystem = "ca";
++        String subsystem;
++        if (parent instanceof SubsystemCLI) {
++            SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
++            subsystem = subsystemCLI.getName();
++        } else {
++            subsystem = "ca";
++        }
+ 
+         // create new cert client
+         certClient = new CertClient(client, subsystem);
+diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
+index bd4651d..5ccf70d 100644
+--- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
+@@ -26,6 +26,7 @@ import com.netscape.certsrv.group.GroupClient;
+ import com.netscape.certsrv.group.GroupData;
+ import com.netscape.cmstools.cli.CLI;
+ import com.netscape.cmstools.cli.MainCLI;
++import com.netscape.cmstools.cli.SubsystemCLI;
+ 
+ /**
+  * @author Endi S. Dewata
+@@ -67,8 +68,13 @@ public class GroupCLI extends CLI {
+         PKIClient client = getClient();
+ 
+         // determine the subsystem
+-        String subsystem = client.getSubsystem();
+-        if (subsystem == null) subsystem = "ca";
++        String subsystem;
++        if (parent instanceof SubsystemCLI) {
++            SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
++            subsystem = subsystemCLI.getName();
++        } else {
++            subsystem = "ca";
++        }
+ 
+         // create new group client
+         groupClient = new GroupClient(client, subsystem);
+diff --git a/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java b/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java
+index b9b27d1..d7c087f 100644
+--- a/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java
+@@ -27,6 +27,7 @@ import com.netscape.certsrv.system.SystemCertClient;
+ import com.netscape.certsrv.util.NSSCryptoProvider;
+ import com.netscape.cmstools.cli.CLI;
+ import com.netscape.cmstools.cli.MainCLI;
++import com.netscape.cmstools.cli.SubsystemCLI;
+ import com.netscape.cmsutil.util.Utils;
+ 
+ /**
+@@ -78,9 +79,13 @@ public class KeyCLI extends CLI {
+         PKIClient client = getClient();
+ 
+         // determine the subsystem
+-        String subsystem = client.getSubsystem();
+-        if (subsystem == null)
++        String subsystem;
++        if (parent instanceof SubsystemCLI) {
++            SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
++            subsystem = subsystemCLI.getName();
++        } else {
+             subsystem = "kra";
++        }
+ 
+         // create new key client
+         keyClient = new KeyClient(client, subsystem);
+diff --git a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java
+index d9db91e..ea6cd29 100644
+--- a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java
+@@ -25,6 +25,7 @@ import com.netscape.certsrv.system.SecurityDomainHost;
+ import com.netscape.certsrv.system.SecurityDomainSubsystem;
+ import com.netscape.cmstools.cli.CLI;
+ import com.netscape.cmstools.cli.MainCLI;
++import com.netscape.cmstools.cli.SubsystemCLI;
+ 
+ /**
+  * @author Endi S. Dewata
+@@ -60,8 +61,13 @@ public class SecurityDomainCLI extends CLI {
+         PKIClient client = getClient();
+ 
+         // determine the subsystem
+-        String subsystem = client.getSubsystem();
+-        if (subsystem == null) subsystem = "ca";
++        String subsystem;
++        if (parent instanceof SubsystemCLI) {
++            SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
++            subsystem = subsystemCLI.getName();
++        } else {
++            subsystem = "ca";
++        }
+ 
+         // create new security domain client
+         securityDomainClient = new SecurityDomainClient(client, subsystem);
+diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
+index 57a132c..1acbf0b 100644
+--- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
+@@ -27,6 +27,7 @@ import com.netscape.certsrv.user.UserData;
+ import com.netscape.certsrv.user.UserResource;
+ import com.netscape.cmstools.cli.CLI;
+ import com.netscape.cmstools.cli.MainCLI;
++import com.netscape.cmstools.cli.SubsystemCLI;
+ 
+ /**
+  * @author Endi S. Dewata
+@@ -70,8 +71,13 @@ public class UserCLI extends CLI {
+         PKIClient client = getClient();
+ 
+         // determine the subsystem
+-        String subsystem = client.getSubsystem();
+-        if (subsystem == null) subsystem = "ca";
++        String subsystem;
++        if (parent instanceof SubsystemCLI) {
++            SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
++            subsystem = subsystemCLI.getName();
++        } else {
++            subsystem = "ca";
++        }
+ 
+         // create new user client
+         userClient = new UserClient(client, subsystem);
+-- 
+1.8.3.1
+
+
+From 269f7d62ab3c8d13f7746fccb69cb0b305c46fb9 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 31 Mar 2017 04:48:24 +0200
+Subject: [PATCH 05/59] Fixed pylint errors in pki.server.cli.subsystem.
+
+https://pagure.io/dogtagpki/issue/2627
+
+Change-Id: Icd47be636c78224328438a8091c7c3bdd07c06bd
+---
+ base/server/python/pki/server/cli/subsystem.py | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
+index 04461f2..ee5d2d2 100644
+--- a/base/server/python/pki/server/cli/subsystem.py
++++ b/base/server/python/pki/server/cli/subsystem.py
+@@ -24,7 +24,6 @@ from __future__ import print_function
+ import getopt
+ import getpass
+ import os
+-import string
+ import subprocess
+ import sys
+ from tempfile import mkstemp
+@@ -789,7 +788,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
+ 
+         # format cert data for LDAP database
+         lines = [data[i:i + 64] for i in range(0, len(data), 64)]
+-        data = string.join(lines, '\r\n') + '\r\n'
++        data = '\r\n'.join(lines) + '\r\n'
+ 
+         if self.verbose:
+             print('Retrieving certificate request from CA database')
+@@ -812,7 +811,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
+                 lines = lines[1:]
+             if lines[-1] == '-----END CERTIFICATE REQUEST-----':
+                 lines = lines[:-1]
+-            request = string.join(lines, '')
++            request = ''.join(lines)
+             subsystem_cert['request'] = request
+ 
+         else:
+-- 
+1.8.3.1
+
+
+From 671157f430eb6fa46ad2132758e3d06f602724f4 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 31 Mar 2017 05:05:37 +0200
+Subject: [PATCH 06/59] Fixed pylint error in pki.authority.
+
+https://pagure.io/dogtagpki/issue/2627
+
+Change-Id: I3111e78fc0afb63799e7bd707274ec7a9e8624ac
+---
+ base/common/python/pki/authority.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py
+index 00c6fd9..f6880b5 100644
+--- a/base/common/python/pki/authority.py
++++ b/base/common/python/pki/authority.py
+@@ -362,7 +362,7 @@ def main():
+     try:
+         subca = ca_client.create_ca(data)
+     except ValueError as e:
+-        print(e.message)
++        print(e)
+ 
+     # Get the host CA
+     print("Getting the host CA")
+-- 
+1.8.3.1
+
+
+From 3e80b04c1de37568d304b2d76f324c026830fd11 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Fri, 31 Mar 2017 09:48:07 -0600
+Subject: [PATCH 08/59] Misc pylint, flake8 and tox fixes
+
+---
+ base/common/python/pki/__init__.py                 |  5 ++---
+ base/common/python/pki/authority.py                |  2 ++
+ base/common/python/pki/client.py                   |  1 +
+ base/common/python/pki/feature.py                  |  1 +
+ base/kra/functional/drmclient_deprecated.py        |  3 ++-
+ base/kra/functional/drmtest.py                     |  2 +-
+ base/server/python/pki/server/__init__.py          |  2 +-
+ base/server/python/pki/server/cli/kra.py           |  2 +-
+ .../python/pki/server/deployment/pkiparser.py      |  2 +-
+ base/server/python/pki/server/upgrade.py           |  4 ++--
+ pylint-build-scan.py                               |  1 +
+ tox.ini                                            | 26 +++++++++++++---------
+ 12 files changed, 31 insertions(+), 20 deletions(-)
+
+diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
+index 5d2a143..c015126 100644
+--- a/base/common/python/pki/__init__.py
++++ b/base/common/python/pki/__init__.py
+@@ -269,9 +269,8 @@ class RequestNotFoundException(ResourceNotFoundException):
+ class UserNotFoundException(ResourceNotFoundException):
+     """ User Not Found Exception: return code = 404 """
+ 
+-"""
+-Mapping from Java Server exception classes to python exception classes
+-"""
++
++# Mapping from Java Server exception classes to python exception classes
+ EXCEPTION_MAPPINGS = {
+     "com.netscape.certsrv.base.BadRequestException": BadRequestException,
+     "com.netscape.certsrv.base.ConflictingOperationException":
+diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py
+index f6880b5..9fa459c 100644
+--- a/base/common/python/pki/authority.py
++++ b/base/common/python/pki/authority.py
+@@ -289,6 +289,7 @@ class AuthorityClient(object):
+ 
+         self.connection.delete(url, headers)
+ 
++
+ encoder.NOTYPES['AuthorityData'] = AuthorityData
+ 
+ 
+@@ -499,5 +500,6 @@ def main():
+     print("-----------------------------------")
+     issue_cert_using_authority(cert_client, sub_subca.aid)
+ 
++
+ if __name__ == "__main__":
+     main()
+diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py
+index 3e819cf..90ca4fe 100644
+--- a/base/common/python/pki/client.py
++++ b/base/common/python/pki/client.py
+@@ -224,5 +224,6 @@ def main():
+     conn.set_authentication_cert('/root/temp4.pem')
+     print(conn.get("", headers).json())
+ 
++
+ if __name__ == "__main__":
+     main()
+diff --git a/base/common/python/pki/feature.py b/base/common/python/pki/feature.py
+index 0e5171d..1a2d402 100644
+--- a/base/common/python/pki/feature.py
++++ b/base/common/python/pki/feature.py
+@@ -133,6 +133,7 @@ class FeatureClient(object):
+             headers=self.headers)
+         return FeatureCollection.from_json(response.json())
+ 
++
+ encoder.NOTYPES['Feature'] = Feature
+ 
+ 
+diff --git a/base/kra/functional/drmclient_deprecated.py b/base/kra/functional/drmclient_deprecated.py
+index e333913..fe0f100 100644
+--- a/base/kra/functional/drmclient_deprecated.py
++++ b/base/kra/functional/drmclient_deprecated.py
+@@ -1008,7 +1008,8 @@ class KRA:
+         self.debug('%s.recover_security_data()', self.fullname)
+         pass
+ 
+-""" Sample Test execution starts here """
++
++# Sample Test execution starts here
+ parser = argparse.ArgumentParser(description="Sample Test execution")
+ parser.add_argument(
+     '-d',
+diff --git a/base/kra/functional/drmtest.py b/base/kra/functional/drmtest.py
+index 6853987..7e236ef 100755
+--- a/base/kra/functional/drmtest.py
++++ b/base/kra/functional/drmtest.py
+@@ -302,7 +302,7 @@ def usage():
+     print('  -P <protocol>                  KRA server protocol (default: https).')
+     print('  -h <hostname>                  KRA server hostname (default: localhost).')
+     print('  -p <port>                      KRA server port (default: 8443).')
+-    print('  -n <path>                      KRA agent certificate and private key (default: kraagent.pem).')  # nopep8
++    print('  -n <path>                      KRA agent certificate and private key (default: kraagent.pem).')  # noqa: E501
+     print()
+     print('  --help                         Show this help message.')
+ 
+diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
+index 70734c3..357bad3 100644
+--- a/base/server/python/pki/server/__init__.py
++++ b/base/server/python/pki/server/__init__.py
+@@ -469,7 +469,7 @@ class ExternalCert(object):
+ @functools.total_ordering
+ class PKIInstance(object):
+ 
+-    def __init__(self, name, instanceType=10):  # nopep8
++    def __init__(self, name, instanceType=10):  # noqa: N803
+ 
+         self.name = name
+         self.type = instanceType
+diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
+index 5c9111d..5558d6a 100644
+--- a/base/server/python/pki/server/cli/kra.py
++++ b/base/server/python/pki/server/cli/kra.py
+@@ -378,7 +378,7 @@ class KRADBVLVAddCLI(pki.cli.CLI):
+             print('KRA VLVs added to the database for ' + instance_name)
+ 
+         except ldap.LDAPError as e:
+-            print("ERROR: " + e.message['desc'])
++            print("ERROR: {}".format(e))
+             sys.exit(1)
+ 
+     def add_vlv(self, subsystem, bind_dn, bind_password):
+diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
+index 15e48ba..e05e0be 100644
+--- a/base/server/python/pki/server/deployment/pkiparser.py
++++ b/base/server/python/pki/server/deployment/pkiparser.py
+@@ -308,7 +308,7 @@ class PKIConfigParser:
+ 
+         return value
+ 
+-    def read_password(self, message, section=None, key=None,  # nopep8
++    def read_password(self, message, section=None, key=None,  # noqa: N803
+                       verifyMessage=None):
+         message = ' ' * self.indent + message + ': '
+         if verifyMessage is not None:  # nopep8
+diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py
+index 116ef3d..2c72e48 100644
+--- a/base/server/python/pki/server/upgrade.py
++++ b/base/server/python/pki/server/upgrade.py
+@@ -155,8 +155,8 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet):
+ 
+ class PKIServerUpgrader(pki.upgrade.PKIUpgrader):
+ 
+-    def __init__(self, instanceName=None, instanceType=None,  # nopep8
+-                 subsystemName=None, upgrade_dir=UPGRADE_DIR,  # nopep8
++    def __init__(self, instanceName=None, instanceType=None,  # noqa: N803
++                 subsystemName=None, upgrade_dir=UPGRADE_DIR,  # noqa: N803
+                  version=None, index=None, silent=False):
+         super(PKIServerUpgrader, self).__init__(
+             upgrade_dir, version, index, silent)
+diff --git a/pylint-build-scan.py b/pylint-build-scan.py
+index 3a7b473..a25bab7 100755
+--- a/pylint-build-scan.py
++++ b/pylint-build-scan.py
+@@ -131,5 +131,6 @@ def main():
+ 
+     return subprocess.call(pylint, cwd=env['sitepackages'])
+ 
++
+ if __name__ == '__main__':
+     sys.exit(main())
+diff --git a/tox.ini b/tox.ini
+index f73818d..7b3d1fd 100644
+--- a/tox.ini
++++ b/tox.ini
+@@ -19,14 +19,23 @@
+ #
+ 
+ [tox]
+-envlist = py27,py35,pep8,pep8py3,lint,lint3k,docs
++envlist = py27,py35,py36,,pep8,pep8py3,lint,lint3,docs
+ skip_missing_interpreters = true
+ 
++[testenv:deps]
++deps =
++    lxml
++    pyldap
++    python-nss
++    requests
++    six
++
+ [testenv]
+ # force installation of sphinx and lint in virtual env, otherwise
+ # the command pick up the `pki` package from the system's site packages.
+ install_command = pip install {opts} --force-reinstall --upgrade {packages}
+ deps =
++    {[testenv:deps]deps}
+     pytest
+ sitepackages = True
+ commands =
+@@ -40,28 +49,24 @@ commands =
+ [testenv:lint]
+ basepython = python2.7
+ deps =
++    {[testenv:deps]deps}
+     pylint
+ commands =
+-    {envpython} {toxinidir}/scripts/pylint-build-scan.py tox
+-
+-[testenv:lint3k]
+-basepython = python2.7
+-deps =
+-    pylint
+-commands =
+-    {envpython} {toxinidir}/scripts/pylint-build-scan.py tox -- --py3k
++    {envpython} {toxinidir}/pylint-build-scan.py tox
+ 
+ [testenv:lint3]
+ basepython = python3
+ deps =
++    {[testenv:deps]deps}
+     pylint
+ commands =
+-    {envpython} {toxinidir}/scripts/pylint-build-scan.py tox
++    {envpython} {toxinidir}/pylint-build-scan.py tox
+ 
+ [testenv:pep8]
+ basepython = python2.7
+ sitepackages = False
+ deps =
++    {[testenv:deps]deps}
+     flake8
+     # flake8-import-order
+     pep8-naming
+@@ -72,6 +77,7 @@ commands =
+ basepython = python3
+ sitepackages = False
+ deps =
++    {[testenv:deps]deps}
+     flake8
+     # flake8-import-order
+     pep8-naming
+-- 
+1.8.3.1
+
+
+From 34fe01c204711f0ef02a43a9aba1bf5141465af9 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Fri, 31 Mar 2017 10:57:06 -0600
+Subject: [PATCH 10/59] Fix for pylint when using Python 3.6
+
+Added 'pylint: disable=no-member' whenever module 're'
+attempts to reference its 'MULTILINE' member.
+---
+ base/server/python/pki/server/__init__.py             | 6 +++++-
+ base/server/python/pki/server/deployment/pkihelper.py | 6 +++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
+index 357bad3..5032274 100644
+--- a/base/server/python/pki/server/__init__.py
++++ b/base/server/python/pki/server/__init__.py
+@@ -858,7 +858,11 @@ class Tomcat(object):
+         output = output.decode('utf-8')
+ 
+         # find "Server version: Apache Tomcat/<major version>.<minor version>"
+-        match = re.search(r'^Server version:[^/]*/(\d+).*$', output, re.MULTILINE)
++        match = re.search(
++            r'^Server version:[^/]*/(\d+).*$',
++            output,
++            re.MULTILINE  # pylint: disable=no-member
++        )
+ 
+         if not match:
+             raise Exception('Unable to determine Tomcat version')
+diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
+index 2e276f5..051778d 100644
+--- a/base/server/python/pki/server/deployment/pkihelper.py
++++ b/base/server/python/pki/server/deployment/pkihelper.py
+@@ -2721,7 +2721,11 @@ class Modutil:
+         output = output.decode('utf-8')
+ 
+         # find modules from lines such as '1. NSS Internal PKCS #11 Module'
+-        modules = re.findall(r'^ +\d+\. +(.*)$', output, re.MULTILINE)
++        modules = re.findall(
++            r'^ +\d+\. +(.*)$',
++            output,
++            re.MULTILINE  # pylint: disable=no-member
++        )
+ 
+         if modulename not in modules:
+             config.pki_log.info(
+-- 
+1.8.3.1
+
+
+From 7fc7d3e8844d4992db60a637370b8599bff5a282 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 31 Mar 2017 19:23:43 +0200
+Subject: [PATCH 11/59] Removed redundant Context attributes.
+
+All subclasses of PKIService have been modified to remove the
+Context attribute since they have been declared in the base class.
+
+Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
+---
+ .../org/dogtagpki/server/ca/rest/AuthorityService.java  | 17 -----------------
+ .../dogtagpki/server/ca/rest/CertRequestService.java    | 17 -----------------
+ .../src/org/dogtagpki/server/ca/rest/CertService.java   | 17 -----------------
+ .../dogtagpki/server/ca/rest/KRAConnectorService.java   | 17 -----------------
+ .../org/dogtagpki/server/ca/rest/ProfileService.java    | 16 ----------------
+ .../dogtagpki/server/kra/rest/KeyRequestService.java    | 17 -----------------
+ .../src/org/dogtagpki/server/kra/rest/KeyService.java   | 17 -----------------
+ .../cms/src/org/dogtagpki/server/rest/AuditService.java | 17 -----------------
+ .../cms/src/org/dogtagpki/server/rest/GroupService.java | 17 -----------------
+ .../dogtagpki/server/rest/SecurityDomainService.java    | 17 -----------------
+ .../src/org/dogtagpki/server/rest/SelfTestService.java  | 17 -----------------
+ .../org/dogtagpki/server/rest/SystemConfigService.java  | 11 -----------
+ .../cms/src/org/dogtagpki/server/rest/UserService.java  | 17 -----------------
+ .../dogtagpki/server/tks/rest/TPSConnectorService.java  |  9 ---------
+ .../org/dogtagpki/server/tps/config/ConfigService.java  | 17 -----------------
+ .../org/dogtagpki/server/tps/rest/ActivityService.java  | 17 -----------------
+ .../dogtagpki/server/tps/rest/AuthenticatorService.java | 17 -----------------
+ .../org/dogtagpki/server/tps/rest/ConnectorService.java | 17 -----------------
+ .../server/tps/rest/ProfileMappingService.java          | 17 -----------------
+ .../org/dogtagpki/server/tps/rest/ProfileService.java   | 17 -----------------
+ .../org/dogtagpki/server/tps/rest/TPSCertService.java   | 17 -----------------
+ .../src/org/dogtagpki/server/tps/rest/TokenService.java | 17 -----------------
+ 22 files changed, 359 deletions(-)
+
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+index c734fbf..215d0fa 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+@@ -27,13 +27,8 @@ import java.util.LinkedHashMap;
+ import java.util.List;
+ import java.util.Map;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+ import javax.ws.rs.core.GenericEntity;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.authentication.IAuthToken;
+@@ -75,18 +70,6 @@ public class AuthorityService extends SubsystemService implements AuthorityResou
+         hostCA = (ICertificateAuthority) CMS.getSubsystem("ca");
+     }
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     private final static String LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG =
+             "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3";
+ 
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+index a0d36b9..a0f3d46 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+@@ -24,13 +24,8 @@ import java.util.ArrayList;
+ import java.util.Enumeration;
+ import java.util.List;
+ 
+-import javax.servlet.http.HttpServletRequest;
+ import javax.ws.rs.PathParam;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.jboss.resteasy.plugins.providers.atom.Link;
+ 
+@@ -81,18 +76,6 @@ import netscape.security.x509.X500Name;
+  */
+ public class CertRequestService extends PKIService implements CertRequestResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public static final int DEFAULT_START = 0;
+     public static final int DEFAULT_PAGESIZE = 20;
+     public static final int DEFAULT_MAXRESULTS = 100;
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+index ebbab25..d5fe02f 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+@@ -34,12 +34,7 @@ import java.util.List;
+ import java.util.Map;
+ import java.util.Random;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.apache.catalina.realm.GenericPrincipal;
+ import org.jboss.resteasy.plugins.providers.atom.Link;
+@@ -94,18 +89,6 @@ import netscape.security.x509.X509Key;
+  */
+ public class CertService extends PKIService implements CertResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     ICertificateAuthority authority;
+     ICertificateRepository repo;
+     Random random;
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java b/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java
+index 4ef1b7e..24c33fa 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java
+@@ -17,12 +17,7 @@
+ // --- END COPYRIGHT BLOCK ---
+ package org.dogtagpki.server.ca.rest;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.BadRequestException;
+@@ -38,18 +33,6 @@ import com.netscape.cms.servlet.base.PKIService;
+  */
+ public class KRAConnectorService extends PKIService implements KRAConnectorResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     @Override
+     public Response addConnector(KRAConnectorInfo info) {
+ 
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+index ba648a4..694fb92 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+@@ -32,11 +32,7 @@ import java.util.Map;
+ import java.util.Properties;
+ import java.util.Vector;
+ 
+-import javax.servlet.http.HttpServletRequest;
+ import javax.ws.rs.PathParam;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+ import javax.ws.rs.core.UriBuilder;
+ import javax.ws.rs.core.UriInfo;
+@@ -90,18 +86,6 @@ import com.netscape.cmscore.base.SimpleProperties;
+  */
+ public class ProfileService extends SubsystemService implements ProfileResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     private IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID);
+     private IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
+ 
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+index 4138b38..e0c4ca9 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+@@ -25,13 +25,8 @@ import java.security.Principal;
+ import java.util.HashMap;
+ import java.util.Map;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+ import javax.ws.rs.core.MultivaluedMap;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.mozilla.jss.crypto.SymmetricKey;
+ 
+@@ -67,18 +62,6 @@ import com.netscape.cmsutil.ldap.LDAPUtil;
+  */
+ public class KeyRequestService extends SubsystemService implements KeyRequestResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST =
+             "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4";
+ 
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+index e8cb6e9..e15b263 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+@@ -29,15 +29,10 @@ import java.util.Hashtable;
+ import java.util.Iterator;
+ import java.util.List;
+ 
+-import javax.servlet.http.HttpServletRequest;
+ import javax.ws.rs.Path;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+ import javax.ws.rs.core.MultivaluedMap;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+ import javax.ws.rs.core.UriBuilder;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.jboss.resteasy.plugins.providers.atom.Link;
+ 
+@@ -82,18 +77,6 @@ import com.netscape.cmsutil.util.Utils;
+  */
+ public class KeyService extends SubsystemService implements KeyResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY =
+             "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5";
+     private final static String LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE =
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+index 76a5396..9af95d9 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+@@ -26,12 +26,7 @@ import java.util.Map;
+ import java.util.TreeMap;
+ import java.util.TreeSet;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.apache.commons.lang.StringUtils;
+ import org.jboss.resteasy.plugins.providers.atom.Link;
+@@ -51,18 +46,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
+  */
+ public class AuditService extends SubsystemService implements AuditResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public AuditService() {
+         CMS.debug("AuditService.<init>()");
+     }
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
+index 9d127c8..4ee2810 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
+@@ -23,12 +23,7 @@ import java.net.URLEncoder;
+ import java.util.Enumeration;
+ import java.util.Map;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.apache.commons.lang.StringUtils;
+ import org.jboss.resteasy.plugins.providers.atom.Link;
+@@ -58,18 +53,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
+  */
+ public class GroupService extends SubsystemService implements GroupResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ 
+     public GroupData createGroupData(IGroup group) throws Exception {
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java b/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java
+index 3d708eb..3dccea1 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java
+@@ -17,12 +17,7 @@
+ // --- END COPYRIGHT BLOCK ---
+ package org.dogtagpki.server.rest;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.PKIException;
+@@ -37,18 +32,6 @@ import com.netscape.cms.servlet.csadmin.SecurityDomainProcessor;
+  */
+ public class SecurityDomainService extends PKIService implements SecurityDomainResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     @Override
+     public Response getInstallToken(String hostname, String subsystem) {
+         CMS.debug("SecurityDomainService.getInstallToken(" + hostname + ", " + subsystem + ")");
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
+index 9108a45..7cfe85f 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
+@@ -27,12 +27,7 @@ import java.util.ArrayList;
+ import java.util.Collection;
+ import java.util.Iterator;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.jboss.resteasy.plugins.providers.atom.Link;
+ 
+@@ -53,18 +48,6 @@ import com.netscape.cms.servlet.base.PKIService;
+  */
+ public class SelfTestService extends PKIService implements SelfTestResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public SelfTestService() {
+         CMS.debug("SelfTestService.<init>()");
+     }
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+index 18263f7..27a6817 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+@@ -73,17 +67,6 @@ import netscape.security.x509.X509CertImpl;
+  *
+  */
+ public class SystemConfigService extends PKIService implements SystemConfigResource {
+-    @Context
+-    public UriInfo uriInfo;
+-
+-    @Context
+-    public HttpHeaders headers;
+-
+-    @Context
+-    public Request request;
+-
+-    @Context
+-    public HttpServletRequest servletRequest;
+ 
+     public IConfigStore cs;
+     public String csType;
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
+index 529c472..eeadba5 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
+@@ -32,12 +32,7 @@ import java.util.Iterator;
+ import java.util.List;
+ import java.util.Map;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.apache.commons.lang.StringUtils;
+ import org.jboss.resteasy.plugins.providers.atom.Link;
+@@ -84,18 +79,6 @@ import netscape.security.x509.X509CertImpl;
+  */
+ public class UserService extends SubsystemService implements UserResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public final static String BACK_SLASH = "\\";
+     public final static String SYSTEM_USER = "$System$";
+ 
+diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
+index 9119d77..77aba1a 100644
+--- a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
++++ b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
+@@ -12,10 +12,7 @@ import java.util.Iterator;
+ import java.util.List;
+ import java.util.TreeSet;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.apache.commons.lang.ArrayUtils;
+ import org.apache.commons.lang.StringUtils;
+@@ -52,12 +49,6 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
+ 
+     IConfigStore cs = CMS.getConfigStore();
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ 
+     @Override
+diff --git a/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java b/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java
+index 8309a2f..e9590e6 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java
+@@ -23,12 +23,7 @@ import java.net.URI;
+ import java.util.HashMap;
+ import java.util.Map;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.jboss.resteasy.plugins.providers.atom.Link;
+ 
+@@ -45,18 +40,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
+  */
+ public class ConfigService extends SubsystemService implements ConfigResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public ConfigService() {
+         CMS.debug("ConfigService.<init>()");
+     }
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java
+index 90029ea..37a3083 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java
+@@ -23,12 +23,7 @@ import java.net.URI;
+ import java.net.URLEncoder;
+ import java.util.Iterator;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.dogtagpki.server.tps.TPSSubsystem;
+ import org.dogtagpki.server.tps.dbs.ActivityDatabase;
+@@ -49,18 +44,6 @@ import com.netscape.cms.servlet.base.PKIService;
+  */
+ public class ActivityService extends PKIService implements ActivityResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public ActivityService() {
+         CMS.debug("ActivityService.<init>()");
+     }
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
+index 424cd14..50453ee 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
+@@ -26,12 +26,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.Map;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.apache.commons.lang.StringUtils;
+ import org.dogtagpki.server.tps.TPSSubsystem;
+@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
+  */
+ public class AuthenticatorService extends SubsystemService implements AuthenticatorResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public AuthenticatorService() {
+         CMS.debug("AuthenticatorService.<init>()");
+     }
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
+index c789f14..01bc132 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
+@@ -26,12 +26,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.Map;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.apache.commons.lang.StringUtils;
+ import org.dogtagpki.server.tps.TPSSubsystem;
+@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
+  */
+ public class ConnectorService extends SubsystemService implements ConnectorResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public ConnectorService() {
+         CMS.debug("ConnectorService.<init>()");
+     }
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
+index eca1803..2c070c0 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
+@@ -26,12 +26,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.Map;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.apache.commons.lang.StringUtils;
+ import org.dogtagpki.server.tps.TPSSubsystem;
+@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
+  */
+ public class ProfileMappingService extends SubsystemService implements ProfileMappingResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public ProfileMappingService() {
+         CMS.debug("ProfileMappingService.<init>()");
+     }
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
+index b769134..8058caf 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
+@@ -26,12 +26,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.Map;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.apache.commons.lang.StringUtils;
+ import org.dogtagpki.server.tps.TPSSubsystem;
+@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
+  */
+ public class ProfileService extends SubsystemService implements ProfileResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public ProfileService() {
+         CMS.debug("ProfileService.<init>()");
+     }
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java
+index 074d3d0..9b62752 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java
+@@ -25,12 +25,7 @@ import java.util.HashMap;
+ import java.util.Iterator;
+ import java.util.Map;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.dogtagpki.server.tps.TPSSubsystem;
+ import org.dogtagpki.server.tps.dbs.TPSCertDatabase;
+@@ -50,18 +45,6 @@ import com.netscape.cms.servlet.base.PKIService;
+  */
+ public class TPSCertService extends PKIService implements TPSCertResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public TPSCertService() {
+         CMS.debug("TPSCertService.<init>()");
+     }
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+index a624e2a..f3d0d80 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+@@ -29,12 +29,7 @@ import java.util.Map;
+ import java.util.MissingResourceException;
+ import java.util.ResourceBundle;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import javax.ws.rs.core.Context;
+-import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+-import javax.ws.rs.core.UriInfo;
+ 
+ import org.apache.commons.lang.StringUtils;
+ import org.dogtagpki.server.tps.TPSSubsystem;
+@@ -64,18 +59,6 @@ import netscape.ldap.LDAPException;
+  */
+ public class TokenService extends SubsystemService implements TokenResource {
+ 
+-    @Context
+-    private UriInfo uriInfo;
+-
+-    @Context
+-    private HttpHeaders headers;
+-
+-    @Context
+-    private Request request;
+-
+-    @Context
+-    private HttpServletRequest servletRequest;
+-
+     public TokenService() throws Exception {
+         CMS.debug("TokenService.<init>()");
+     }
+-- 
+1.8.3.1
+
+
+From 6749f6bffe92743373d4b86bbd05e5a957e74d96 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 31 Mar 2017 18:42:56 +0200
+Subject: [PATCH 12/59] Refactored AuditCLI.
+
+The AuditCLI has been modified to create the AuditClient with lazy
+initialization.
+
+Change-Id: I61b08e92a2f2de983fc77513dde89e1d5e1254b9
+---
+ base/common/src/com/netscape/certsrv/tps/TPSClient.java        |  2 --
+ .../java-tools/src/com/netscape/cmstools/logging/AuditCLI.java | 10 +++++++---
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/tps/TPSClient.java b/base/common/src/com/netscape/certsrv/tps/TPSClient.java
+index da00225..19273f7 100644
+--- a/base/common/src/com/netscape/certsrv/tps/TPSClient.java
++++ b/base/common/src/com/netscape/certsrv/tps/TPSClient.java
+@@ -23,7 +23,6 @@ import com.netscape.certsrv.client.PKIClient;
+ import com.netscape.certsrv.client.SubsystemClient;
+ import com.netscape.certsrv.group.GroupClient;
+ import com.netscape.certsrv.logging.ActivityClient;
+-import com.netscape.certsrv.logging.AuditClient;
+ import com.netscape.certsrv.selftests.SelfTestClient;
+ import com.netscape.certsrv.tps.authenticator.AuthenticatorClient;
+ import com.netscape.certsrv.tps.cert.TPSCertClient;
+@@ -46,7 +45,6 @@ public class TPSClient extends SubsystemClient {
+ 
+     public void init() throws URISyntaxException {
+         addClient(new ActivityClient(client, name));
+-        addClient(new AuditClient(client, name));
+         addClient(new AuthenticatorClient(client, name));
+         addClient(new TPSCertClient(client, name));
+         addClient(new ConfigClient(client, name));
+diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
+index 1e2273e..ff489dc 100644
+--- a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
+@@ -27,16 +27,20 @@ import com.netscape.certsrv.client.PKIClient;
+ import com.netscape.certsrv.logging.AuditClient;
+ import com.netscape.certsrv.logging.AuditConfig;
+ import com.netscape.cmstools.cli.CLI;
++import com.netscape.cmstools.cli.SubsystemCLI;
+ 
+ /**
+  * @author Endi S. Dewata
+  */
+ public class AuditCLI extends CLI {
+ 
++    public SubsystemCLI subsystemCLI;
+     public AuditClient auditClient;
+ 
+-    public AuditCLI(CLI parent) {
+-        super("audit", "Audit management commands", parent);
++    public AuditCLI(SubsystemCLI subsystemCLI) {
++        super("audit", "Audit management commands", subsystemCLI);
++
++        this.subsystemCLI = subsystemCLI;
+ 
+         addModule(new AuditModifyCLI(this));
+         addModule(new AuditShowCLI(this));
+@@ -52,7 +56,7 @@ public class AuditCLI extends CLI {
+         if (auditClient != null) return auditClient;
+ 
+         PKIClient client = getClient();
+-        auditClient = (AuditClient)parent.getClient("audit");
++        auditClient = new AuditClient(client, subsystemCLI.getName());
+ 
+         return auditClient;
+     }
+-- 
+1.8.3.1
+
+
+From 136d22953d05c459986a98465e4266bac37b44dc Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Wed, 29 Mar 2017 10:46:22 -0400
+Subject: [PATCH 14/59] Fix generation of CRMF request for ECC keys
+
+Old CRMFPopClients add the OID for ECC public keys in the encryption
+algorithm OID for no obvious reason (considering the OID was never
+read on the server side to begin with).
+
+Now that we do read and use that field, we need to set it properly,
+and also special case on the server side to handle old clients.
+
+Change-Id: I0d753e572206e9062746c879ce683978e5e657bd
+---
+ .../src/com/netscape/cmstools/CRMFPopClient.java         | 16 +---------------
+ base/util/src/netscape/security/util/WrappingParams.java | 11 ++++++++++-
+ 2 files changed, 11 insertions(+), 16 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+index 901528c..9d81a72 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+@@ -562,7 +562,7 @@ public class CRMFPopClient {
+         }
+ 
+         byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength());
+-        AlgorithmIdentifier aid = getAlgorithmId(algorithm, encryptAlg, iv);
++        AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv));
+         WrappingParams params = getWrappingParams(encryptAlg, iv);
+ 
+         PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
+@@ -600,20 +600,6 @@ public class CRMFPopClient {
+         }
+     }
+ 
+-    private AlgorithmIdentifier getAlgorithmId(String algorithm, EncryptionAlgorithm encryptAlg, byte[] iv)
+-            throws Exception {
+-        AlgorithmIdentifier aid;
+-        if (algorithm.equals("rsa")) {
+-            aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv));
+-        } else if (algorithm.equals("ec")) {
+-            // TODO(alee) figure out what this should be for ECC
+-            aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv));
+-        } else {
+-            throw new Exception("Unknown algorithm: " + algorithm);
+-        }
+-        return aid;
+-    }
+-
+     public OCTET_STRING createIDPOPLinkWitness() throws Exception {
+ 
+         String secretValue = "testing";
+diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java
+index b2814a3..8fe5df6 100644
+--- a/base/util/src/netscape/security/util/WrappingParams.java
++++ b/base/util/src/netscape/security/util/WrappingParams.java
+@@ -58,7 +58,16 @@ public class WrappingParams {
+ 
+     public WrappingParams(String encryptOID, String wrapName, String priKeyAlgo, IVParameterSpec encryptIV, IVParameterSpec wrapIV)
+             throws NumberFormatException, NoSuchAlgorithmException {
+-        EncryptionAlgorithm encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID));
++        EncryptionAlgorithm encrypt = null;
++        OBJECT_IDENTIFIER eccOID = new OBJECT_IDENTIFIER("1.2.840.10045.2.1");
++        if (encryptOID.equals(eccOID.toString())) {
++            // old CRMFPopClients send this OID for ECC Keys for no apparent reason.
++            // New clients set this correctly.
++            // We'll assume the old DES3 wrapping here.
++            encrypt = EncryptionAlgorithm.DES_CBC_PAD;
++        } else {
++            encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID));
++        }
+ 
+         KeyWrapAlgorithm wrap = null;
+         if (wrapName != null) {
+-- 
+1.8.3.1
+
+
+From 2d77ca150ee17238f4b137e3987a69e888141d51 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Wed, 29 Mar 2017 12:27:46 -0400
+Subject: [PATCH 15/59] Change default key size for KRA storage unit to 128
+
+Most of the research out there seems to indicate that AES-128 is
+more than sufficient for security.  Use this as default.
+
+Change-Id: Ie333282eacc5ce628c90296561e4cd6a76dcbd8e
+---
+ base/kra/shared/conf/CS.cfg | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index 045a823..bd49a8d 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -279,7 +279,7 @@ kra.storageUnit.wrapping.0.payloadEncryptionIV=AQEBAQEBAQE=
+ kra.storageUnit.wrapping.0.payloadWrapAlgorithm=DES3/CBC/Pad
+ kra.storageUnit.wrapping.0.payloadWrapIV=AQEBAQEBAQE=
+ kra.storageUnit.wrapping.0.sessionKeyType=DESede
+-kra.storageUnit.wrapping.1.sessionKeyLength=256
++kra.storageUnit.wrapping.1.sessionKeyLength=128
+ kra.storageUnit.wrapping.1.sessionKeyWrapAlgorithm=RSA
+ kra.storageUnit.wrapping.1.payloadEncryptionPadding=PKCS5Padding
+ kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm=AES
+-- 
+1.8.3.1
+
+
+From 5dfd6e1c3cc38b5fbfdc4e96476934219f53e13f Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Mon, 3 Apr 2017 12:43:05 -0400
+Subject: [PATCH 16/59] Added python info client
+
+Add python client code to read from the InfoResource class and get
+the server version.  As the PKIConnection in the python client
+currently requires a subsystem, it is difficult to add an infoclient
+to an existing KRAClient (or any other client).
+
+To get around this, I modified the PKIConnection to allow using the
+rootURI.
+
+Change-Id: Ided75f45f741e2ba3fc86acec715d24b829c8a97
+---
+ base/common/python/pki/client.py | 51 ++++++++++++++++-----
+ base/common/python/pki/info.py   | 98 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 138 insertions(+), 11 deletions(-)
+ create mode 100644 base/common/python/pki/info.py
+
+diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py
+index 90ca4fe..805d0fa 100644
+--- a/base/common/python/pki/client.py
++++ b/base/common/python/pki/client.py
+@@ -78,9 +78,8 @@ class PKIConnection:
+         self.port = port
+         self.subsystem = subsystem
+ 
+-        self.serverURI = self.protocol + '://' + \
+-            self.hostname + ':' + self.port + '/' + \
+-            self.subsystem
++        self.rootURI = self.protocol + '://' + self.hostname + ':' + self.port
++        self.serverURI = self.rootURI + '/' + self.subsystem
+ 
+         self.session = requests.Session()
+         self.session.trust_env = trust_env
+@@ -125,7 +124,8 @@ class PKIConnection:
+             self.session.cert = pem_cert_path
+ 
+     @catch_insecure_warning
+-    def get(self, path, headers=None, params=None, payload=None):
++    def get(self, path, headers=None, params=None, payload=None,
++            use_root_uri=False):
+         """
+         Uses python-requests to issue a GET request to the server.
+ 
+@@ -137,12 +137,19 @@ class PKIConnection:
+         :type params: dict or bytes
+         :param payload: data to be sent in the body of the request
+         :type payload: dict, bytes, file-like object
++        :param use_root_uri: use root URI instead of subsystem URI as base
++        :type use_root_uri: boolean
+         :returns: request.response -- response from the server
+         :raises: Exception from python-requests in case the GET was not
+             successful, or returns an error code.
+         """
++        if use_root_uri:
++            target_path = self.rootURI + path
++        else:
++            target_path = self.serverURI + path
++
+         r = self.session.get(
+-            self.serverURI + path,
++            target_path,
+             verify=False,
+             headers=headers,
+             params=params,
+@@ -151,7 +158,8 @@ class PKIConnection:
+         return r
+ 
+     @catch_insecure_warning
+-    def post(self, path, payload, headers=None, params=None):
++    def post(self, path, payload, headers=None, params=None,
++             use_root_uri=False):
+         """
+         Uses python-requests to issue a POST request to the server.
+ 
+@@ -163,12 +171,19 @@ class PKIConnection:
+         :type headers: dict
+         :param params: Query parameters for the POST request
+         :type params: dict or bytes
++        :param use_root_uri: use root URI instead of subsystem URI as base
++        :type use_root_uri: boolean
+         :returns: request.response -- response from the server
+         :raises: Exception from python-requests in case the POST was not
+             successful, or returns an error code.
+         """
++        if use_root_uri:
++            target_path = self.rootURI + path
++        else:
++            target_path = self.serverURI + path
++
+         r = self.session.post(
+-            self.serverURI + path,
++            target_path,
+             verify=False,
+             data=payload,
+             headers=headers,
+@@ -177,7 +192,7 @@ class PKIConnection:
+         return r
+ 
+     @catch_insecure_warning
+-    def put(self, path, payload, headers=None):
++    def put(self, path, payload, headers=None, use_root_uri=False):
+         """
+         Uses python-requests to issue a PUT request to the server.
+ 
+@@ -187,16 +202,23 @@ class PKIConnection:
+         :type payload: dict, bytes, file-like object
+         :param headers: headers for the PUT request
+         :type headers: dict
++        :param use_root_uri: use root URI instead of subsystem URI as base
++        :type use_root_uri: boolean
+         :returns: request.response -- response from the server
+         :raises: Exception from python-requests in case the PUT was not
+             successful, or returns an error code.
+         """
+-        r = self.session.put(self.serverURI + path, payload, headers=headers)
++        if use_root_uri:
++            target_path = self.rootURI + path
++        else:
++            target_path = self.serverURI + path
++
++        r = self.session.put(target_path, payload, headers=headers)
+         r.raise_for_status()
+         return r
+ 
+     @catch_insecure_warning
+-    def delete(self, path, headers=None):
++    def delete(self, path, headers=None, use_root_uri=False):
+         """
+         Uses python-requests to issue a DEL request to the server.
+ 
+@@ -204,11 +226,18 @@ class PKIConnection:
+         :type path: str
+         :param headers: headers for the DEL request
+         :type headers: dict
++        :param use_root_uri: use root URI instead of subsystem URI as base
++        :type use_root_uri: boolean
+         :returns: request.response -- response from the server
+         :raises: Exception from python-requests in case the DEL was not
+             successful, or returns an error code.
+         """
+-        r = self.session.delete(self.serverURI + path, headers=headers)
++        if use_root_uri:
++            target_path = self.rootURI + path
++        else:
++            target_path = self.serverURI + path
++
++        r = self.session.delete(target_path, headers=headers)
+         r.raise_for_status()
+         return r
+ 
+diff --git a/base/common/python/pki/info.py b/base/common/python/pki/info.py
+new file mode 100644
+index 0000000..65d4825
+--- /dev/null
++++ b/base/common/python/pki/info.py
+@@ -0,0 +1,98 @@
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the Lesser GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public License
++#  along with this program; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Copyright (C) 2013 Red Hat, Inc.
++# All rights reserved.
++#
++# Author:
++#     Ade Lee <alee@redhat.com>
++#
++"""
++Module containing the Python client classes for the InfoClient
++"""
++from six import iteritems
++
++import pki
++
++
++class Info(object):
++    """
++    This class encapsulates the parameters returned by the server's
++    InfoService.
++    """
++
++    json_attribute_names = {
++        'Version': 'version',
++        'Banner': 'banner'
++    }
++
++    def __init__(self, version=None, banner=None):
++        """ Constructor """
++        self.version = version
++        self.banner = banner
++
++    @classmethod
++    def from_json(cls, attr_list):
++        """ Return Info from JSON dict """
++        info = cls()
++        for k, v in iteritems(attr_list):
++            if k in Info.json_attribute_names:
++                setattr(info, Info.json_attribute_names[k], v)
++            else:
++                setattr(info, k, v)
++        return info
++
++
++class Version(object):
++    """
++    This class encapsulates a version object as returned from
++    a Dogtag server and decomposes it into major, minor, etc.
++    """
++
++    def __init__(self, version_string):
++        for idx, val in enumerate(version_string.split('.')):
++            if idx == 0:
++                self.major = val
++            if idx == 1:
++                self.minor = val
++            if idx == 2:
++                self.patch = val
++
++
++class InfoClient(object):
++    """
++    Class encapsulating and mirroring the functionality in the
++    InfoResource Java interface class defining the REST API for
++    server Info resources.
++    """
++
++    def __init__(self, connection):
++        """ Constructor """
++        self.connection = connection
++
++    @pki.handle_exceptions()
++    def get_info(self):
++        """ Return an Info object form a PKI server """
++
++        url = '/pki/rest/info'
++        headers = {'Content-type': 'application/json',
++                   'Accept': 'application/json'}
++        r = self.connection.get(url, headers, use_root_uri=True)
++        return Info.from_json(r.json())
++
++    @pki.handle_exceptions()
++    def get_version(self):
++        """ return Version object from server """
++        version_string = self.get_info().version
++        return Version(version_string)
+-- 
+1.8.3.1
+
+
+From a76ac1ca0472afb6931b9e3be156f1c057fcb161 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Mon, 3 Apr 2017 12:53:26 -0400
+Subject: [PATCH 17/59] Add util code to source environment files
+
+This is needed to set the same environment as the pki CLI
+and pick up any client specific changes.
+
+Change-Id: I92b4df75f2e3ee5112499a1d138e7e649a1214fc
+---
+ base/common/python/pki/util.py | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
+index 68118f4..02ecde8 100644
+--- a/base/common/python/pki/util.py
++++ b/base/common/python/pki/util.py
+@@ -32,6 +32,11 @@ try:
+ except ImportError:
+     WindowsError = None
+ 
++import subprocess
++
++DEFAULT_PKI_ENV_LIST = ['/usr/share/pki/etc/pki.conf',
++                        '/etc/pki/pki.conf']
++
+ 
+ def copy(source, dest):
+     """
+@@ -245,3 +250,26 @@ def copytree(src, dst, symlinks=False, ignore=None):
+             errors.extend((src, dst, str(why)))
+     if errors:
+         raise Error(errors)
++
++
++def read_environment_files(env_file_list=None):
++    if env_file_list is None:
++        env_file_list = DEFAULT_PKI_ENV_LIST
++
++    file_command = ''
++    for env_file in env_file_list:
++        file_command += "source " + env_file + " && "
++    file_command += "env"
++
++    command = [
++        'bash',
++        '-c',
++        file_command
++    ]
++
++    env_vals = subprocess.check_output(command).split('\n')
++
++    for env_val in env_vals:
++        (key, _, value) = env_val.partition("=")
++        os.environ[key] = value
++
+-- 
+1.8.3.1
+
+
+From 8e7653987bf592ae6a5968fc0c5ef6696f13d348 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Tue, 28 Mar 2017 00:15:28 +0200
+Subject: [PATCH 19/59] Added audit service and CLI to all subsystems.
+
+Previously the audit service and CLI were only available on TPS.
+Now they have been added to all subsystems.
+
+Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
+---
+ base/ca/shared/conf/acl.properties                          |  5 +++++
+ base/ca/shared/conf/auth-method.properties                  |  1 +
+ base/ca/shared/webapps/ca/WEB-INF/web.xml                   | 13 +++++++++++++
+ base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java |  4 ++++
+ base/java-tools/src/com/netscape/cmstools/cli/CACLI.java    |  2 ++
+ base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java   |  2 ++
+ base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java  |  2 ++
+ base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java   |  2 ++
+ base/kra/shared/conf/acl.properties                         |  5 +++++
+ base/kra/shared/conf/auth-method.properties                 |  1 +
+ base/kra/shared/webapps/kra/WEB-INF/web.xml                 | 13 +++++++++++++
+ .../src/org/dogtagpki/server/kra/rest/KRAApplication.java   |  4 ++++
+ base/ocsp/shared/conf/acl.properties                        |  5 +++++
+ base/ocsp/shared/conf/auth-method.properties                |  1 +
+ base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml               | 13 +++++++++++++
+ .../src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java |  4 ++++
+ base/tks/shared/conf/acl.properties                         |  5 +++++
+ base/tks/shared/conf/auth-method.properties                 |  1 +
+ base/tks/shared/webapps/tks/WEB-INF/web.xml                 | 13 +++++++++++++
+ .../src/org/dogtagpki/server/tks/rest/TKSApplication.java   |  4 ++++
+ base/tps/shared/conf/acl.properties                         |  7 +++++--
+ 21 files changed, 105 insertions(+), 2 deletions(-)
+
+diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties
+index 8b3e9d0..c487e48 100644
+--- a/base/ca/shared/conf/acl.properties
++++ b/base/ca/shared/conf/acl.properties
+@@ -7,6 +7,11 @@
+ 
+ account.login = certServer.ca.account,login
+ account.logout = certServer.ca.account,logout
++
++# audit configuration
++audit.read = certServer.log.configuration,read
++audit.modify = certServer.log.configuration,modify
++
+ certs = certServer.ca.certs,execute
+ certrequests = certServer.ca.certrequests,execute
+ groups = certServer.ca.groups,execute
+diff --git a/base/ca/shared/conf/auth-method.properties b/base/ca/shared/conf/auth-method.properties
+index 8d67690..f7b203d 100644
+--- a/base/ca/shared/conf/auth-method.properties
++++ b/base/ca/shared/conf/auth-method.properties
+@@ -8,6 +8,7 @@
+ 
+ default = *
+ account = certUserDBAuthMgr,passwdUserDBAuthMgr
++audit = certUserDBAuthMgr
+ authorities = certUserDBAuthMgr
+ certs = certUserDBAuthMgr
+ certrequests = certUserDBAuthMgr
+diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
+index d887db4..bf8aed4 100644
+--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
++++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
+@@ -2417,6 +2417,19 @@
+ 
+     <security-constraint>
+         <web-resource-collection>
++            <web-resource-name>Audit</web-resource-name>
++            <url-pattern>/rest/audit/*</url-pattern>
++        </web-resource-collection>
++        <auth-constraint>
++            <role-name>*</role-name>
++        </auth-constraint>
++        <user-data-constraint>
++            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
++        </user-data-constraint>
++    </security-constraint>
++
++    <security-constraint>
++        <web-resource-collection>
+             <web-resource-name>Authority Services</web-resource-name>
+             <url-pattern>/rest/authorities/*</url-pattern>
+         </web-resource-collection>
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
+index b0fc73c..ae18e02 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
+@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application;
+ 
+ import org.dogtagpki.server.rest.ACLInterceptor;
+ import org.dogtagpki.server.rest.AccountService;
++import org.dogtagpki.server.rest.AuditService;
+ import org.dogtagpki.server.rest.AuthMethodInterceptor;
+ import org.dogtagpki.server.rest.FeatureService;
+ import org.dogtagpki.server.rest.GroupService;
+@@ -32,6 +33,9 @@ public class CAApplication extends Application {
+         // account
+         classes.add(AccountService.class);
+ 
++        // audit
++        classes.add(AuditService.class);
++
+         // installer
+         classes.add(CAInstallerService.class);
+ 
+diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java
+index 2ec20dc..8e72405 100644
+--- a/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java
+@@ -25,6 +25,7 @@ import com.netscape.cmstools.authority.AuthorityCLI;
+ import com.netscape.cmstools.cert.CertCLI;
+ import com.netscape.cmstools.feature.FeatureCLI;
+ import com.netscape.cmstools.group.GroupCLI;
++import com.netscape.cmstools.logging.AuditCLI;
+ import com.netscape.cmstools.profile.ProfileCLI;
+ import com.netscape.cmstools.selftests.SelfTestCLI;
+ import com.netscape.cmstools.system.KRAConnectorCLI;
+@@ -41,6 +42,7 @@ public class CACLI extends SubsystemCLI {
+         super("ca", "CA management commands", parent);
+ 
+         addModule(new AuthorityCLI(this));
++        addModule(new AuditCLI(this));
+         addModule(new CertCLI(this));
+         addModule(new FeatureCLI(this));
+         addModule(new GroupCLI(this));
+diff --git a/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java b/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java
+index 2db85aa..190be11 100644
+--- a/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java
+@@ -23,6 +23,7 @@ import com.netscape.certsrv.client.SubsystemClient;
+ import com.netscape.certsrv.kra.KRAClient;
+ import com.netscape.cmstools.group.GroupCLI;
+ import com.netscape.cmstools.key.KeyCLI;
++import com.netscape.cmstools.logging.AuditCLI;
+ import com.netscape.cmstools.selftests.SelfTestCLI;
+ import com.netscape.cmstools.user.UserCLI;
+ 
+@@ -36,6 +37,7 @@ public class KRACLI extends SubsystemCLI {
+     public KRACLI(CLI parent) {
+         super("kra", "KRA management commands", parent);
+ 
++        addModule(new AuditCLI(this));
+         addModule(new GroupCLI(this));
+         addModule(new KeyCLI(this));
+         addModule(new SelfTestCLI(this));
+diff --git a/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java
+index 6348359..15ec5e3 100644
+--- a/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java
+@@ -22,6 +22,7 @@ import com.netscape.certsrv.client.PKIClient;
+ import com.netscape.certsrv.client.SubsystemClient;
+ import com.netscape.certsrv.ocsp.OCSPClient;
+ import com.netscape.cmstools.group.GroupCLI;
++import com.netscape.cmstools.logging.AuditCLI;
+ import com.netscape.cmstools.selftests.SelfTestCLI;
+ import com.netscape.cmstools.user.UserCLI;
+ 
+@@ -35,6 +36,7 @@ public class OCSPCLI extends SubsystemCLI {
+     public OCSPCLI(CLI parent) {
+         super("ocsp", "OCSP management commands", parent);
+ 
++        addModule(new AuditCLI(this));
+         addModule(new GroupCLI(this));
+         addModule(new SelfTestCLI(this));
+         addModule(new UserCLI(this));
+diff --git a/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java
+index 1afdf64..1e2db2c 100644
+--- a/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java
+@@ -22,6 +22,7 @@ import com.netscape.certsrv.client.PKIClient;
+ import com.netscape.certsrv.client.SubsystemClient;
+ import com.netscape.certsrv.tks.TKSClient;
+ import com.netscape.cmstools.group.GroupCLI;
++import com.netscape.cmstools.logging.AuditCLI;
+ import com.netscape.cmstools.selftests.SelfTestCLI;
+ import com.netscape.cmstools.system.TPSConnectorCLI;
+ import com.netscape.cmstools.user.UserCLI;
+@@ -36,6 +37,7 @@ public class TKSCLI extends SubsystemCLI {
+     public TKSCLI(CLI parent) {
+         super("tks", "TKS management commands", parent);
+ 
++        addModule(new AuditCLI(this));
+         addModule(new GroupCLI(this));
+         addModule(new SelfTestCLI(this));
+         addModule(new TPSConnectorCLI(this));
+diff --git a/base/kra/shared/conf/acl.properties b/base/kra/shared/conf/acl.properties
+index 3fde904..8cac3ee 100644
+--- a/base/kra/shared/conf/acl.properties
++++ b/base/kra/shared/conf/acl.properties
+@@ -7,6 +7,11 @@
+ 
+ account.login = certServer.kra.account,login
+ account.logout = certServer.kra.account,logout
++
++# audit configuration
++audit.read = certServer.log.configuration,read
++audit.modify = certServer.log.configuration,modify
++
+ groups = certServer.kra.groups,execute
+ keys = certServer.kra.keys,execute
+ keyrequests = certServer.kra.keyrequests,execute
+diff --git a/base/kra/shared/conf/auth-method.properties b/base/kra/shared/conf/auth-method.properties
+index 108448c..2944e49 100644
+--- a/base/kra/shared/conf/auth-method.properties
++++ b/base/kra/shared/conf/auth-method.properties
+@@ -8,6 +8,7 @@
+ 
+ default = *
+ account = certUserDBAuthMgr,passwdUserDBAuthMgr
++audit = certUserDBAuthMgr
+ groups = certUserDBAuthMgr
+ keys = certUserDBAuthMgr
+ keyrequests = certUserDBAuthMgr
+diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
+index ce0a51e..5b7031a 100644
+--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
++++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
+@@ -1104,6 +1104,19 @@
+         </user-data-constraint>
+     </security-constraint>
+ 
++    <security-constraint>
++        <web-resource-collection>
++            <web-resource-name>Audit</web-resource-name>
++            <url-pattern>/rest/audit/*</url-pattern>
++        </web-resource-collection>
++        <auth-constraint>
++            <role-name>*</role-name>
++        </auth-constraint>
++        <user-data-constraint>
++            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
++        </user-data-constraint>
++    </security-constraint>
++
+    [PKI_OPEN_STANDALONE_COMMENT]
+     <security-constraint>
+         <web-resource-collection>
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java
+index 773d8dd..6244270 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java
+@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application;
+ 
+ import org.dogtagpki.server.rest.ACLInterceptor;
+ import org.dogtagpki.server.rest.AccountService;
++import org.dogtagpki.server.rest.AuditService;
+ import org.dogtagpki.server.rest.AuthMethodInterceptor;
+ import org.dogtagpki.server.rest.GroupService;
+ import org.dogtagpki.server.rest.MessageFormatInterceptor;
+@@ -31,6 +32,9 @@ public class KRAApplication extends Application {
+         // account
+         classes.add(AccountService.class);
+ 
++        // audit
++        classes.add(AuditService.class);
++
+         // installer
+         classes.add(KRAInstallerService.class);
+ 
+diff --git a/base/ocsp/shared/conf/acl.properties b/base/ocsp/shared/conf/acl.properties
+index 9528f11..26b212d 100644
+--- a/base/ocsp/shared/conf/acl.properties
++++ b/base/ocsp/shared/conf/acl.properties
+@@ -7,6 +7,11 @@
+ 
+ account.login = certServer.ocsp.account,login
+ account.logout = certServer.ocsp.account,logout
++
++# audit configuration
++audit.read = certServer.log.configuration,read
++audit.modify = certServer.log.configuration,modify
++
+ groups = certServer.ocsp.groups,execute
+ selftests.read = certServer.ocsp.selftests,read
+ selftests.execute = certServer.ocsp.selftests,execute
+diff --git a/base/ocsp/shared/conf/auth-method.properties b/base/ocsp/shared/conf/auth-method.properties
+index 9f5a7a1..98aee66 100644
+--- a/base/ocsp/shared/conf/auth-method.properties
++++ b/base/ocsp/shared/conf/auth-method.properties
+@@ -8,6 +8,7 @@
+ 
+ default = *
+ account = certUserDBAuthMgr,passwdUserDBAuthMgr
++audit = certUserDBAuthMgr
+ groups = certUserDBAuthMgr
+ selftests = certUserDBAuthMgr
+ users = certUserDBAuthMgr
+diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+index b8eccf1..e610800 100644
+--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
++++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+@@ -726,6 +726,19 @@
+         </user-data-constraint>
+     </security-constraint>
+ 
++    <security-constraint>
++        <web-resource-collection>
++            <web-resource-name>Audit</web-resource-name>
++            <url-pattern>/rest/audit/*</url-pattern>
++        </web-resource-collection>
++        <auth-constraint>
++            <role-name>*</role-name>
++        </auth-constraint>
++        <user-data-constraint>
++            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
++        </user-data-constraint>
++    </security-constraint>
++
+    [PKI_OPEN_STANDALONE_COMMENT]
+     <security-constraint>
+         <web-resource-collection>
+diff --git a/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java b/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java
+index 99fefae..8d6e4a9 100644
+--- a/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java
++++ b/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java
+@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application;
+ 
+ import org.dogtagpki.server.rest.ACLInterceptor;
+ import org.dogtagpki.server.rest.AccountService;
++import org.dogtagpki.server.rest.AuditService;
+ import org.dogtagpki.server.rest.AuthMethodInterceptor;
+ import org.dogtagpki.server.rest.GroupService;
+ import org.dogtagpki.server.rest.MessageFormatInterceptor;
+@@ -31,6 +32,9 @@ public class OCSPApplication extends Application {
+         // account
+         classes.add(AccountService.class);
+ 
++        // audit
++        classes.add(AuditService.class);
++
+         // installer
+         classes.add(OCSPInstallerService.class);
+ 
+diff --git a/base/tks/shared/conf/acl.properties b/base/tks/shared/conf/acl.properties
+index d2c2372..7146d38 100644
+--- a/base/tks/shared/conf/acl.properties
++++ b/base/tks/shared/conf/acl.properties
+@@ -7,6 +7,11 @@
+ 
+ account.login = certServer.tks.account,login
+ account.logout = certServer.tks.account,logout
++
++# audit configuration
++audit.read = certServer.log.configuration,read
++audit.modify = certServer.log.configuration,modify
++
+ groups = certServer.tks.groups,execute
+ selftests.read = certServer.tks.selftests,read
+ selftests.execute = certServer.tks.selftests,execute
+diff --git a/base/tks/shared/conf/auth-method.properties b/base/tks/shared/conf/auth-method.properties
+index fe91b90..cc80825 100644
+--- a/base/tks/shared/conf/auth-method.properties
++++ b/base/tks/shared/conf/auth-method.properties
+@@ -8,6 +8,7 @@
+ 
+ default = *
+ account = certUserDBAuthMgr,passwdUserDBAuthMgr
++audit = certUserDBAuthMgr
+ groups = certUserDBAuthMgr
+ selftests = certUserDBAuthMgr
+ tpsconnectors = certUserDBAuthMgr
+diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml
+index 2d4c029..18c85a3 100644
+--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml
++++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml
+@@ -406,6 +406,19 @@
+ 
+     <security-constraint>
+         <web-resource-collection>
++            <web-resource-name>Audit</web-resource-name>
++            <url-pattern>/rest/audit/*</url-pattern>
++        </web-resource-collection>
++        <auth-constraint>
++            <role-name>*</role-name>
++        </auth-constraint>
++        <user-data-constraint>
++            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
++        </user-data-constraint>
++    </security-constraint>
++
++    <security-constraint>
++        <web-resource-collection>
+             <web-resource-name>Self Tests</web-resource-name>
+             <url-pattern>/rest/selftests/*</url-pattern>
+         </web-resource-collection>
+diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java b/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java
+index 278076d..ca19e38 100644
+--- a/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java
++++ b/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java
+@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application;
+ 
+ import org.dogtagpki.server.rest.ACLInterceptor;
+ import org.dogtagpki.server.rest.AccountService;
++import org.dogtagpki.server.rest.AuditService;
+ import org.dogtagpki.server.rest.AuthMethodInterceptor;
+ import org.dogtagpki.server.rest.GroupService;
+ import org.dogtagpki.server.rest.MessageFormatInterceptor;
+@@ -26,6 +27,9 @@ public class TKSApplication extends Application {
+         // account
+         classes.add(AccountService.class);
+ 
++        // audit
++        classes.add(AuditService.class);
++
+         // installer
+         classes.add(TKSInstallerService.class);
+ 
+diff --git a/base/tps/shared/conf/acl.properties b/base/tps/shared/conf/acl.properties
+index 2d2dc71..1c581b3 100644
+--- a/base/tps/shared/conf/acl.properties
++++ b/base/tps/shared/conf/acl.properties
+@@ -8,8 +8,11 @@
+ 
+ account.login = certServer.tps.account,login
+ account.logout = certServer.tps.account,logout
+-audit.read = certServer.tps.audit,read
+-audit.modify = certServer.tps.audit,modify
++
++# audit configuration
++audit.read = certServer.log.configuration,read
++audit.modify = certServer.log.configuration,modify
++
+ authenticators.read = certServer.tps.authenticators,read
+ authenticators.add = certServer.tps.authenticators,add
+ authenticators.modify = certServer.tps.authenticators,modify
+-- 
+1.8.3.1
+
+
+From 0b91066c5c5cb20e63d79d58a12a46e2069a11af Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 30 Mar 2017 17:12:02 +0200
+Subject: [PATCH 20/59] Added PKIRESTProvider.
+
+A new PKIRESTProvider has been added to send and receive
+StreamingOutput object through REST API.
+
+Change-Id: Iefc513aacb9fc26bc7c8c5cbfb4550a4a98da52e
+---
+ base/CMakeLists.txt                                |   7 ++
+ base/ca/src/CMakeLists.txt                         |   7 --
+ base/common/src/CMakeLists.txt                     |   2 +-
+ .../com/netscape/certsrv/client/PKIConnection.java |   4 +-
+ .../netscape/certsrv/client/PKIRESTProvider.java   | 118 +++++++++++++++++++++
+ base/java-tools/src/CMakeLists.txt                 |   7 --
+ base/server/cms/src/CMakeLists.txt                 |   7 --
+ 7 files changed, 128 insertions(+), 24 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java
+
+diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt
+index d2ea9a5..4140adb 100644
+--- a/base/CMakeLists.txt
++++ b/base/CMakeLists.txt
+@@ -30,6 +30,13 @@ find_file(SLF4J_JDK14_JAR
+         /usr/share/java/slf4j
+ )
+ 
++find_file(COMMONS_IO_JAR
++    NAMES
++        commons-io.jar
++    PATHS
++        /usr/share/java
++)
++
+ find_file(JACKSON_CORE_JAR
+     NAMES
+         jackson-core-asl.jar
+diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt
+index 4982ef8..b23782d 100644
+--- a/base/ca/src/CMakeLists.txt
++++ b/base/ca/src/CMakeLists.txt
+@@ -24,13 +24,6 @@ find_file(COMMONS_CODEC_JAR
+         /usr/share/java
+ )
+ 
+-find_file(COMMONS_IO_JAR
+-    NAMES
+-        commons-io.jar
+-    PATHS
+-        /usr/share/java
+-)
+-
+ find_file(COMMONS_LANG_JAR
+     NAMES
+         commons-lang.jar
+diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
+index c08d1b7..705d62c 100644
+--- a/base/common/src/CMakeLists.txt
++++ b/base/common/src/CMakeLists.txt
+@@ -103,7 +103,7 @@ javac(pki-certsrv-classes
+     CLASSPATH
+         ${SLF4J_API_JAR}
+         ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
+-        ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR}
++        ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${COMMONS_IO_JAR}
+         ${APACHE_COMMONS_LANG_JAR}
+         ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${SYMKEY_JAR}
+         ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} ${RESTEASY_CLIENT_JAR}
+diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+index b75e332..c2ffd09 100644
+--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
++++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+@@ -76,7 +76,6 @@ import org.jboss.resteasy.client.jaxrs.ResteasyClient;
+ import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
+ import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget;
+ import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine;
+-import org.jboss.resteasy.spi.ResteasyProviderFactory;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.CryptoManager.NotInitializedException;
+ import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
+@@ -95,7 +94,6 @@ public class PKIConnection {
+ 
+     ApacheHttpClient4Engine engine;
+     ResteasyClient resteasyClient;
+-    ResteasyProviderFactory providerFactory;
+ 
+     int requestCounter;
+     int responseCounter;
+@@ -204,7 +202,9 @@ public class PKIConnection {
+         });
+ 
+         engine = new ApacheHttpClient4Engine(httpClient);
++
+         resteasyClient = new ResteasyClientBuilder().httpEngine(engine).build();
++        resteasyClient.register(PKIRESTProvider.class);
+     }
+ 
+     public boolean isVerbose() {
+diff --git a/base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java b/base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java
+new file mode 100644
+index 0000000..4018da3
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java
+@@ -0,0 +1,118 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.client;
++
++import java.io.File;
++import java.io.FileInputStream;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.lang.annotation.Annotation;
++import java.lang.reflect.Type;
++
++import javax.ws.rs.Consumes;
++import javax.ws.rs.Produces;
++import javax.ws.rs.WebApplicationException;
++import javax.ws.rs.core.MediaType;
++import javax.ws.rs.core.MultivaluedMap;
++import javax.ws.rs.core.StreamingOutput;
++import javax.ws.rs.ext.MessageBodyReader;
++import javax.ws.rs.ext.MessageBodyWriter;
++import javax.ws.rs.ext.Provider;
++
++import org.apache.commons.io.IOUtils;
++
++@Provider
++@Consumes(MediaType.APPLICATION_OCTET_STREAM)
++@Produces(MediaType.APPLICATION_OCTET_STREAM)
++public class PKIRESTProvider implements MessageBodyReader<StreamingOutput>, MessageBodyWriter<StreamingOutput> {
++
++    @Override
++    public boolean isReadable(
++            Class<?> type,
++            Type genericType,
++            Annotation[] annotations,
++            MediaType mediaType) {
++
++        return true;
++    }
++
++    @Override
++    public StreamingOutput readFrom(
++            Class<StreamingOutput> type,
++            Type genericType,
++            Annotation[] annotations,
++            MediaType mediaType,
++            MultivaluedMap<String, String> httpHeaders,
++            InputStream entityStream) throws IOException, WebApplicationException {
++
++        final File file = File.createTempFile("PKIRESTProvider-", ".tmp");
++        file.deleteOnExit();
++
++        FileOutputStream out = new FileOutputStream(file);
++        IOUtils.copy(entityStream, out);
++
++        return new StreamingOutput() {
++
++            @Override
++            public void write(OutputStream out) throws IOException, WebApplicationException {
++                FileInputStream in = new FileInputStream(file);
++                IOUtils.copy(in, out);
++            }
++
++            public void finalize() {
++                file.delete();
++            }
++        };
++    }
++
++    @Override
++    public long getSize(
++            StreamingOutput out,
++            Class<?> type,
++            Type genericType,
++            Annotation[] annotations,
++            MediaType mediaType) {
++
++        return -1;
++    }
++
++    @Override
++    public boolean isWriteable(
++            Class<?> type,
++            Type genericType,
++            Annotation[] annotations,
++            MediaType mediaType) {
++
++        return true;
++    }
++
++    @Override
++    public void writeTo(
++            StreamingOutput so,
++            Class<?> type,
++            Type genericType,
++            Annotation[] annotations,
++            MediaType mediaType,
++            MultivaluedMap<String, Object> httpHeaders,
++            OutputStream entityStream) throws IOException, WebApplicationException {
++
++        so.write(entityStream);
++    }
++}
+diff --git a/base/java-tools/src/CMakeLists.txt b/base/java-tools/src/CMakeLists.txt
+index c2f54d4..7c57eaa 100644
+--- a/base/java-tools/src/CMakeLists.txt
++++ b/base/java-tools/src/CMakeLists.txt
+@@ -37,13 +37,6 @@ find_file(COMMONS_CODEC_JAR
+         /usr/share/java
+ )
+ 
+-find_file(COMMONS_IO_JAR
+-    NAMES
+-        commons-io.jar
+-    PATHS
+-        /usr/share/java
+-)
+-
+ find_file(XALAN_JAR
+     NAMES
+         xalan-j2.jar
+diff --git a/base/server/cms/src/CMakeLists.txt b/base/server/cms/src/CMakeLists.txt
+index c66227c..e72a821 100644
+--- a/base/server/cms/src/CMakeLists.txt
++++ b/base/server/cms/src/CMakeLists.txt
+@@ -30,13 +30,6 @@ find_file(COMMONS_HTTPCLIENT_JAR
+         /usr/share/java
+ )
+ 
+-find_file(COMMONS_IO_JAR
+-    NAMES
+-        commons-io.jar
+-    PATHS
+-        /usr/share/java
+-)
+-
+ find_file(COMMONS_LANG_JAR
+     NAMES
+         commons-lang.jar
+-- 
+1.8.3.1
+
+
+From 6a682f8e56c982ed0e0810326e71f9de23347590 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Tue, 4 Apr 2017 14:52:37 -0400
+Subject: [PATCH 24/59] Fix pylint errors
+
+---
+ base/common/python/pki/info.py | 2 ++
+ base/common/python/pki/util.py | 1 -
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/base/common/python/pki/info.py b/base/common/python/pki/info.py
+index 65d4825..b4da8b0 100644
+--- a/base/common/python/pki/info.py
++++ b/base/common/python/pki/info.py
+@@ -21,6 +21,8 @@
+ """
+ Module containing the Python client classes for the InfoClient
+ """
++from __future__ import absolute_import
++from __future__ import print_function
+ from six import iteritems
+ 
+ import pki
+diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
+index 02ecde8..0765bcf 100644
+--- a/base/common/python/pki/util.py
++++ b/base/common/python/pki/util.py
+@@ -272,4 +272,3 @@ def read_environment_files(env_file_list=None):
+     for env_val in env_vals:
+         (key, _, value) = env_val.partition("=")
+         os.environ[key] = value
+-
+-- 
+1.8.3.1
+
+
+From 88cd07655268831e14e7cd4f6f6a65e331f86583 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Tue, 28 Mar 2017 21:02:22 +0200
+Subject: [PATCH 25/59] Added CLIs to access audit log files.
+
+New pki audit commands have been added to list and retrieve audit
+log files.
+
+Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
+---
+ base/ca/shared/conf/acl.properties                 |   3 +
+ .../com/netscape/certsrv/logging/AuditClient.java  |  11 ++
+ .../com/netscape/certsrv/logging/AuditFile.java    | 123 +++++++++++++++++++++
+ .../certsrv/logging/AuditFileCollection.java       |  38 +++++++
+ .../netscape/certsrv/logging/AuditResource.java    |  19 +++-
+ .../com/netscape/cmstools/logging/AuditCLI.java    |  11 ++
+ .../cmstools/logging/AuditFileFindCLI.java         |  90 +++++++++++++++
+ .../cmstools/logging/AuditFileRetrieveCLI.java     |  87 +++++++++++++++
+ base/kra/shared/conf/acl.properties                |   3 +
+ base/ocsp/shared/conf/acl.properties               |   3 +
+ .../com/netscape/cms/servlet/base/PKIService.java  |   1 +
+ .../org/dogtagpki/server/rest/AuditService.java    | 107 ++++++++++++++++++
+ base/tks/shared/conf/acl.properties                |   3 +
+ base/tps/shared/conf/acl.properties                |   3 +
+ 14 files changed, 501 insertions(+), 1 deletion(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/AuditFile.java
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java
+ create mode 100644 base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java
+ create mode 100644 base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java
+
+diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties
+index c487e48..a8fe65c 100644
+--- a/base/ca/shared/conf/acl.properties
++++ b/base/ca/shared/conf/acl.properties
+@@ -12,6 +12,9 @@ account.logout = certServer.ca.account,logout
+ audit.read = certServer.log.configuration,read
+ audit.modify = certServer.log.configuration,modify
+ 
++# audit logs
++audit-log.read = certServer.log.content.signedAudit,read
++
+ certs = certServer.ca.certs,execute
+ certrequests = certServer.ca.certrequests,execute
+ groups = certServer.ca.groups,execute
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditClient.java b/base/common/src/com/netscape/certsrv/logging/AuditClient.java
+index 018850c..9451e83 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditClient.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditClient.java
+@@ -20,6 +20,7 @@ package com.netscape.certsrv.logging;
+ import java.net.URISyntaxException;
+ 
+ import javax.ws.rs.core.Response;
++import javax.ws.rs.core.StreamingOutput;
+ 
+ import com.netscape.certsrv.client.Client;
+ import com.netscape.certsrv.client.PKIClient;
+@@ -54,4 +55,14 @@ public class AuditClient extends Client {
+         Response response = resource.changeAuditStatus(action);
+         return client.getEntity(response, AuditConfig.class);
+     }
++
++    public AuditFileCollection findAuditFiles() {
++        Response response = resource.findAuditFiles();
++        return client.getEntity(response, AuditFileCollection.class);
++    }
++
++    public StreamingOutput getAuditFile(String filename) throws Exception {
++        Response response = resource.getAuditFile(filename);
++        return client.getEntity(response, StreamingOutput.class);
++    }
+ }
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFile.java b/base/common/src/com/netscape/certsrv/logging/AuditFile.java
+new file mode 100644
+index 0000000..0edfc3a
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/AuditFile.java
+@@ -0,0 +1,123 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++
++package com.netscape.certsrv.logging;
++
++import java.io.StringReader;
++import java.io.StringWriter;
++
++import javax.xml.bind.JAXBContext;
++import javax.xml.bind.Marshaller;
++import javax.xml.bind.Unmarshaller;
++import javax.xml.bind.annotation.XmlAccessType;
++import javax.xml.bind.annotation.XmlAccessorType;
++import javax.xml.bind.annotation.XmlAttribute;
++import javax.xml.bind.annotation.XmlElement;
++import javax.xml.bind.annotation.XmlRootElement;
++
++/**
++ * @author Endi S. Dewata
++ */
++@XmlRootElement(name="AuditFile")
++@XmlAccessorType(XmlAccessType.NONE)
++public class AuditFile {
++
++    String name;
++    Long size;
++
++    @XmlAttribute(name="name")
++    public String getName() {
++        return name;
++    }
++
++    public void setName(String name) {
++        this.name = name;
++    }
++
++    @XmlElement(name="Size")
++    public Long getSize() {
++        return size;
++    }
++
++    public void setSize(Long size) {
++        this.size = size;
++    }
++
++    @Override
++    public int hashCode() {
++        final int prime = 31;
++        int result = 1;
++        result = prime * result + ((name == null) ? 0 : name.hashCode());
++        result = prime * result + ((size == null) ? 0 : size.hashCode());
++        return result;
++    }
++
++    @Override
++    public boolean equals(Object obj) {
++        if (this == obj)
++            return true;
++        if (obj == null)
++            return false;
++        if (getClass() != obj.getClass())
++            return false;
++        AuditFile other = (AuditFile) obj;
++        if (name == null) {
++            if (other.name != null)
++                return false;
++        } else if (!name.equals(other.name))
++            return false;
++        if (size == null) {
++            if (other.size != null)
++                return false;
++        } else if (!size.equals(other.size))
++            return false;
++        return true;
++    }
++
++    public String toString() {
++        try {
++            Marshaller marshaller = JAXBContext.newInstance(AuditFile.class).createMarshaller();
++            marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
++
++            StringWriter sw = new StringWriter();
++            marshaller.marshal(this, sw);
++            return sw.toString();
++
++        } catch (Exception e) {
++            throw new RuntimeException(e);
++        }
++    }
++
++    public static AuditFile valueOf(String string) throws Exception {
++        Unmarshaller unmarshaller = JAXBContext.newInstance(AuditFile.class).createUnmarshaller();
++        return (AuditFile)unmarshaller.unmarshal(new StringReader(string));
++    }
++
++    public static void main(String args[]) throws Exception {
++
++        AuditFile before = new AuditFile();
++        before.setName("audit.log");
++        before.setSize(1024l);
++
++        String string = before.toString();
++        System.out.println(string);
++
++        AuditFile after = AuditFile.valueOf(string);
++        System.out.println(before.equals(after));
++    }
++}
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java b/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java
+new file mode 100644
+index 0000000..e5c4e20
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java
+@@ -0,0 +1,38 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++
++package com.netscape.certsrv.logging;
++
++import java.util.Collection;
++
++import javax.xml.bind.annotation.XmlElementRef;
++import javax.xml.bind.annotation.XmlRootElement;
++
++import com.netscape.certsrv.base.DataCollection;
++
++/**
++ * @author Endi S. Dewata
++ */
++@XmlRootElement(name="AuditFiles")
++public class AuditFileCollection extends DataCollection<AuditFile> {
++
++    @XmlElementRef
++    public Collection<AuditFile> getEntries() {
++        return super.getEntries();
++    }
++}
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditResource.java b/base/common/src/com/netscape/certsrv/logging/AuditResource.java
+index 9b14986..4d33735 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditResource.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditResource.java
+@@ -20,8 +20,12 @@ package com.netscape.certsrv.logging;
+ import javax.ws.rs.GET;
+ import javax.ws.rs.POST;
+ import javax.ws.rs.Path;
++import javax.ws.rs.PathParam;
++import javax.ws.rs.Produces;
+ import javax.ws.rs.QueryParam;
++import javax.ws.rs.core.MediaType;
+ import javax.ws.rs.core.Response;
++import javax.ws.rs.core.StreamingOutput;
+ 
+ import org.jboss.resteasy.annotations.ClientResponseType;
+ 
+@@ -35,11 +39,11 @@ import com.netscape.certsrv.base.PATCH;
+  */
+ @Path("audit")
+ @AuthMethodMapping("audit")
+-@ACLMapping("audit.read")
+ public interface AuditResource {
+ 
+     @GET
+     @ClientResponseType(entityType=AuditConfig.class)
++    @ACLMapping("audit.read")
+     public Response getAuditConfig();
+ 
+     @PATCH
+@@ -52,4 +56,17 @@ public interface AuditResource {
+     @ACLMapping("audit.modify")
+     public Response changeAuditStatus(
+             @QueryParam("action") String action);
++
++    @GET
++    @Path("files")
++    @ClientResponseType(entityType=AuditFileCollection.class)
++    @ACLMapping("audit-log.read")
++    public Response findAuditFiles();
++
++    @GET
++    @Path("files/{filename}")
++    @Produces(MediaType.APPLICATION_OCTET_STREAM)
++    @ClientResponseType(entityType=StreamingOutput.class)
++    @ACLMapping("audit-log.read")
++    public Response getAuditFile(@PathParam("filename") String filename);
+ }
+diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
+index ff489dc..06ba040 100644
+--- a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
+@@ -26,6 +26,7 @@ import org.jboss.resteasy.plugins.providers.atom.Link;
+ import com.netscape.certsrv.client.PKIClient;
+ import com.netscape.certsrv.logging.AuditClient;
+ import com.netscape.certsrv.logging.AuditConfig;
++import com.netscape.certsrv.logging.AuditFile;
+ import com.netscape.cmstools.cli.CLI;
+ import com.netscape.cmstools.cli.SubsystemCLI;
+ 
+@@ -42,8 +43,13 @@ public class AuditCLI extends CLI {
+ 
+         this.subsystemCLI = subsystemCLI;
+ 
++        // audit configuration
+         addModule(new AuditModifyCLI(this));
+         addModule(new AuditShowCLI(this));
++
++        // audit files
++        addModule(new AuditFileFindCLI(this));
++        addModule(new AuditFileRetrieveCLI(this));
+     }
+ 
+     @Override
+@@ -83,4 +89,9 @@ public class AuditCLI extends CLI {
+             System.out.println("  Link: " + link.getHref());
+         }
+     }
++
++    public static void printAuditFile(AuditFile auditFile) {
++        System.out.println("  File name: " + auditFile.getName());
++        System.out.println("  Size: " + auditFile.getSize());
++    }
+ }
+diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java
+new file mode 100644
+index 0000000..5ae9ce7
+--- /dev/null
++++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java
+@@ -0,0 +1,90 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++
++package com.netscape.cmstools.logging;
++
++import java.util.Collection;
++
++import org.apache.commons.cli.CommandLine;
++
++import com.netscape.certsrv.logging.AuditClient;
++import com.netscape.certsrv.logging.AuditFile;
++import com.netscape.certsrv.logging.AuditFileCollection;
++import com.netscape.cmstools.cli.CLI;
++import com.netscape.cmstools.cli.MainCLI;
++
++/**
++ * @author Endi S. Dewata
++ */
++public class AuditFileFindCLI extends CLI {
++
++    public AuditCLI auditCLI;
++
++    public AuditFileFindCLI(AuditCLI auditCLI) {
++        super("file-find", "Find audit files", auditCLI);
++        this.auditCLI = auditCLI;
++
++        createOptions();
++    }
++
++    public void printHelp() {
++        formatter.printHelp(getFullName() + " [OPTIONS...]", options);
++    }
++
++    public void createOptions() {
++        options.addOption(null, "help", false, "Show help message.");
++    }
++
++    public void execute(String[] args) throws Exception {
++
++        CommandLine cmd = parser.parse(options, args);
++
++        if (cmd.hasOption("help")) {
++            printHelp();
++            return;
++        }
++
++        String[] cmdArgs = cmd.getArgs();
++
++        if (cmdArgs.length > 0) {
++            throw new Exception("Too many arguments specified.");
++        }
++
++        AuditClient auditClient = auditCLI.getAuditClient();
++        AuditFileCollection response = auditClient.findAuditFiles();
++
++        MainCLI.printMessage(response.getTotal() + " entries matched");
++        if (response.getTotal() == 0) return;
++
++        Collection<AuditFile> entries = response.getEntries();
++        boolean first = true;
++
++        for (AuditFile auditFile : entries) {
++
++            if (first) {
++                first = false;
++            } else {
++                System.out.println();
++            }
++
++            AuditCLI.printAuditFile(auditFile);
++        }
++
++        MainCLI.printMessage("Number of entries returned " + entries.size());
++    }
++}
+diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java
+new file mode 100644
+index 0000000..07af3a4
+--- /dev/null
++++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java
+@@ -0,0 +1,87 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++
++package com.netscape.cmstools.logging;
++
++import java.io.FileOutputStream;
++import java.io.OutputStream;
++
++import javax.ws.rs.core.StreamingOutput;
++
++import org.apache.commons.cli.CommandLine;
++import org.apache.commons.cli.Option;
++
++import com.netscape.certsrv.logging.AuditClient;
++import com.netscape.cmstools.cli.CLI;
++
++/**
++ * @author Endi S. Dewata
++ */
++public class AuditFileRetrieveCLI extends CLI {
++
++    public AuditCLI auditCLI;
++
++    public AuditFileRetrieveCLI(AuditCLI auditCLI) {
++        super("file-retrieve", "Retrieve audit file", auditCLI);
++        this.auditCLI = auditCLI;
++
++        createOptions();
++    }
++
++    public void printHelp() {
++        formatter.printHelp(getFullName() + " <filename> [OPTIONS...]", options);
++    }
++
++    public void createOptions() {
++        Option option = new Option(null, "output", true, "Output file.");
++        option.setArgName("path");
++        options.addOption(option);
++
++        options.addOption(null, "help", false, "Show help message.");
++    }
++
++    public void execute(String[] args) throws Exception {
++
++        CommandLine cmd = parser.parse(options, args);
++
++        if (cmd.hasOption("help")) {
++            printHelp();
++            return;
++        }
++
++        String[] cmdArgs = cmd.getArgs();
++
++        if (cmdArgs.length < 1) {
++            throw new Exception("Missing audit file name.");
++
++        } if (cmdArgs.length > 1) {
++            throw new Exception("Too many arguments specified.");
++        }
++
++        String filename = cmdArgs[0];
++        String output = cmd.getOptionValue("output");
++        if (output == null) output = filename;
++
++        AuditClient auditClient = auditCLI.getAuditClient();
++        StreamingOutput so = auditClient.getAuditFile(filename);
++
++        try (OutputStream out = new FileOutputStream(output)) {
++            so.write(out);
++        }
++    }
++}
+diff --git a/base/kra/shared/conf/acl.properties b/base/kra/shared/conf/acl.properties
+index 8cac3ee..bcb1456 100644
+--- a/base/kra/shared/conf/acl.properties
++++ b/base/kra/shared/conf/acl.properties
+@@ -12,6 +12,9 @@ account.logout = certServer.kra.account,logout
+ audit.read = certServer.log.configuration,read
+ audit.modify = certServer.log.configuration,modify
+ 
++# audit logs
++audit-log.read = certServer.log.content.signedAudit,read
++
+ groups = certServer.kra.groups,execute
+ keys = certServer.kra.keys,execute
+ keyrequests = certServer.kra.keyrequests,execute
+diff --git a/base/ocsp/shared/conf/acl.properties b/base/ocsp/shared/conf/acl.properties
+index 26b212d..e8188b8 100644
+--- a/base/ocsp/shared/conf/acl.properties
++++ b/base/ocsp/shared/conf/acl.properties
+@@ -12,6 +12,9 @@ account.logout = certServer.ocsp.account,logout
+ audit.read = certServer.log.configuration,read
+ audit.modify = certServer.log.configuration,modify
+ 
++# audit logs
++audit-log.read = certServer.log.content.signedAudit,read
++
+ groups = certServer.ocsp.groups,execute
+ selftests.read = certServer.ocsp.selftests,read
+ selftests.execute = certServer.ocsp.selftests,execute
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
+index 8dfbef1..e023aa6 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
+@@ -59,6 +59,7 @@ public class PKIService {
+             MediaType.APPLICATION_XML_TYPE,
+             MediaType.APPLICATION_JSON_TYPE,
+             MediaType.APPLICATION_FORM_URLENCODED_TYPE,
++            MediaType.APPLICATION_OCTET_STREAM_TYPE,
+             MediaType.valueOf("application/pkix-cert"),
+             MediaType.valueOf("application/pkcs7-mime"),
+             MediaType.valueOf("application/x-pem-file")
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+index 9af95d9..7bb048f 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+@@ -18,16 +18,27 @@
+ 
+ package org.dogtagpki.server.rest;
+ 
++import java.io.File;
++import java.io.FileInputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
+ import java.io.UnsupportedEncodingException;
+ import java.net.URI;
++import java.util.ArrayList;
+ import java.util.Collection;
++import java.util.Collections;
+ import java.util.HashMap;
++import java.util.List;
+ import java.util.Map;
+ import java.util.TreeMap;
+ import java.util.TreeSet;
+ 
++import javax.ws.rs.WebApplicationException;
+ import javax.ws.rs.core.Response;
++import javax.ws.rs.core.StreamingOutput;
+ 
++import org.apache.commons.io.IOUtils;
+ import org.apache.commons.lang.StringUtils;
+ import org.jboss.resteasy.plugins.providers.atom.Link;
+ 
+@@ -36,7 +47,10 @@ import com.netscape.certsrv.base.BadRequestException;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.PKIException;
++import com.netscape.certsrv.base.ResourceNotFoundException;
+ import com.netscape.certsrv.logging.AuditConfig;
++import com.netscape.certsrv.logging.AuditFile;
++import com.netscape.certsrv.logging.AuditFileCollection;
+ import com.netscape.certsrv.logging.AuditResource;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.cms.servlet.base.SubsystemService;
+@@ -299,6 +313,99 @@ public class AuditService extends SubsystemService implements AuditResource {
+         }
+     }
+ 
++    public File getCurrentLogFile() {
++        IConfigStore cs = CMS.getConfigStore();
++        String filename = cs.get("log.instance.SignedAudit.fileName");
++        return new File(filename);
++    }
++
++    public File getLogDirectory() {
++        File file = getCurrentLogFile();
++        return file.getParentFile();
++    }
++
++    public List<File> getLogFiles() {
++
++        List<String> filenames = new ArrayList<>();
++
++        File currentFile = getCurrentLogFile();
++        String currentFilename = currentFile.getName();
++        File logDir = currentFile.getParentFile();
++
++        // add all log files except the current one
++        for (String filename : logDir.list()) {
++            if (filename.equals(currentFilename)) continue;
++            filenames.add(filename);
++        }
++
++        // sort log files in ascending order
++        Collections.sort(filenames);
++
++        // add the current log file last (i.e. newest)
++        filenames.add(currentFilename);
++
++        List<File> files = new ArrayList<>();
++        for (String filename : filenames) {
++            files.add(new File(logDir, filename));
++        }
++
++        return files;
++    }
++
++    @Override
++    public Response findAuditFiles() {
++
++        AuditFileCollection response = new AuditFileCollection();
++
++        List<File> files = getLogFiles();
++
++        CMS.debug("Audit files:");
++        for (File file : files) {
++            String name = file.getName();
++            CMS.debug(" - " + name);
++
++            AuditFile auditFile = new AuditFile();
++            auditFile.setName(name);
++            auditFile.setSize(file.length());
++
++            response.addEntry(auditFile);
++        }
++
++        response.setTotal(files.size());
++
++        return createOKResponse(response);
++    }
++
++    @Override
++    public Response getAuditFile(String filename) {
++
++        // make sure filename does not contain path
++        if (!new File(filename).getName().equals(filename)) {
++            CMS.debug("Invalid file name: " + filename);
++            throw new BadRequestException("Invalid file name: " + filename);
++        }
++
++        File logDir = getLogDirectory();
++        File file = new File(logDir, filename);
++
++        if (!file.exists()) {
++            throw new ResourceNotFoundException("File not found: " + filename);
++        }
++
++        StreamingOutput so = new StreamingOutput() {
++
++            @Override
++            public void write(OutputStream out) throws IOException, WebApplicationException {
++
++                try (InputStream is = new FileInputStream(file)) {
++                    IOUtils.copy(is, out);
++                }
++            }
++        };
++
++        return createOKResponse(so);
++    }
++
+     /*
+      * in case of failure, "info" should be in the params
+      */
+diff --git a/base/tks/shared/conf/acl.properties b/base/tks/shared/conf/acl.properties
+index 7146d38..5c072c7 100644
+--- a/base/tks/shared/conf/acl.properties
++++ b/base/tks/shared/conf/acl.properties
+@@ -12,6 +12,9 @@ account.logout = certServer.tks.account,logout
+ audit.read = certServer.log.configuration,read
+ audit.modify = certServer.log.configuration,modify
+ 
++# audit logs
++audit-log.read = certServer.log.content.signedAudit,read
++
+ groups = certServer.tks.groups,execute
+ selftests.read = certServer.tks.selftests,read
+ selftests.execute = certServer.tks.selftests,execute
+diff --git a/base/tps/shared/conf/acl.properties b/base/tps/shared/conf/acl.properties
+index 1c581b3..6b51485 100644
+--- a/base/tps/shared/conf/acl.properties
++++ b/base/tps/shared/conf/acl.properties
+@@ -13,6 +13,9 @@ account.logout = certServer.tps.account,logout
+ audit.read = certServer.log.configuration,read
+ audit.modify = certServer.log.configuration,modify
+ 
++# audit logs
++audit-log.read = certServer.log.content.signedAudit,read
++
+ authenticators.read = certServer.tps.authenticators,read
+ authenticators.add = certServer.tps.authenticators,add
+ authenticators.modify = certServer.tps.authenticators,modify
+-- 
+1.8.3.1
+
+
+From 4ab0608cbda0c9336c5eb9ea40a7d3ca769ab17b Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Tue, 4 Apr 2017 17:53:53 +0200
+Subject: [PATCH 26/59] Fixed PKIServerSocketListener.
+
+The PKIServerSocketListener.alertReceived() has been fixed to
+generate audit log when the SSL socket is closed by the client.
+
+The log message has been modified to include the reason for the
+termination.
+
+https://pagure.io/dogtagpki/issue/2602
+
+Change-Id: Ief2817f2b2b31cf6f60fae0ee4c55c17024f7988
+---
+ .../dogtagpki/server/PKIServerSocketListener.java  | 39 +++++++++++++++++++++-
+ base/server/cmsbundle/src/LogMessages.properties   |  2 +-
+ 2 files changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+index f147c77..adba676 100644
+--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
++++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+@@ -41,6 +41,42 @@ public class PKIServerSocketListener implements SSLSocketListener {
+ 
+     @Override
+     public void alertReceived(SSLAlertEvent event) {
++        try {
++            SSLSocket socket = event.getSocket();
++
++            SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
++            InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
++            InetAddress serverAddress = socket.getLocalAddress();
++            String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
++            String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
++
++            SSLSecurityStatus status = socket.getStatus();
++            X509Certificate peerCertificate = status.getPeerCertificate();
++            Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
++            String subjectID = subjectDN == null ? "" : subjectDN.toString();
++
++            int description = event.getDescription();
++            String reason = SSLAlertDescription.valueOf(description).toString();
++
++            logger.debug("SSL alert received:");
++            logger.debug(" - client: " + clientAddress);
++            logger.debug(" - server: " + serverAddress);
++            logger.debug(" - reason: " + reason);
++
++            IAuditor auditor = CMS.getAuditor();
++
++            String auditMessage = CMS.getLogMessage(
++                    "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
++                    clientIP,
++                    serverIP,
++                    subjectID,
++                    reason);
++
++            auditor.log(auditMessage);
++
++        } catch (Exception e) {
++            e.printStackTrace();
++        }
+     }
+ 
+     @Override
+@@ -75,7 +111,8 @@ public class PKIServerSocketListener implements SSLSocketListener {
+                         "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
+                         clientIP,
+                         serverIP,
+-                        subjectID);
++                        subjectID,
++                        reason);
+ 
+                 auditor.log(auditMessage);
+ 
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index dde53ba..7572db4 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2737,7 +2737,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
+ #    separated by + (if more than one name;;value pair) of config params changed
+ #
+ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
+-<type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP={0}][ServerIP={1}][SubjectID={2}][Outcome=Success] access session terminated
++<type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP={0}][ServerIP={1}][SubjectID={2}][Outcome=Success][Info={3}] access session terminated
+ 
+ 
+ ###########################
+-- 
+1.8.3.1
+
+
+From 8463f5f791ced714d64ff891dc015666a971454b Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Mon, 3 Apr 2017 12:56:48 -0400
+Subject: [PATCH 27/59] Add python-cryptography crypto provider
+
+The python-cryptography provider is added.  It will use AES
+mechanisms by default.  The eventual goal is to use this
+provider by default, and to obsolete the NSS CryptoProvider.
+
+Added some methods to determine which crypto keyset levels are
+supported by the crypto provider.
+
+Change-Id: Ifd47f0de765a9f0d157e8be678d5d06437bda819
+---
+ base/common/python/pki/crypto.py | 206 ++++++++++++++++++++++++++++++++++++---
+ base/common/python/pki/util.py   |   6 +-
+ 2 files changed, 196 insertions(+), 16 deletions(-)
+
+diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
+index 86fa16e..b767abd 100644
+--- a/base/common/python/pki/crypto.py
++++ b/base/common/python/pki/crypto.py
+@@ -23,13 +23,21 @@ Module containing crypto classes.
+ """
+ from __future__ import absolute_import
+ import abc
+-import nss.nss as nss
+ import os
+-import six
+ import shutil
+ import subprocess
+ import tempfile
+ 
++import nss.nss as nss
++import six
++from cryptography.hazmat.backends import default_backend
++from cryptography.hazmat.primitives.ciphers import (
++    Cipher, algorithms, modes
++)
++from cryptography.hazmat.primitives import padding
++from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
++import cryptography.x509
++
+ 
+ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
+     """
+@@ -43,30 +51,32 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
+     @abc.abstractmethod
+     def initialize(self):
+         """ Initialization code """
+-        pass
+ 
+-    @staticmethod
+     @abc.abstractmethod
+-    def generate_nonce_iv(mechanism):
++    def get_supported_algorithm_keyset(self):
++        """ returns highest supported algorithm keyset """
++
++    @abc.abstractmethod
++    def set_algorithm_keyset(self, level):
++        """ sets required keyset """
++
++    @abc.abstractmethod
++    def generate_nonce_iv(self, mechanism):
+         """ Create a random initialization vector """
+-        pass
+ 
+     @abc.abstractmethod
+     def generate_symmetric_key(self, mechanism=None, size=0):
+         """ Generate and return a symmetric key """
+-        pass
+ 
+     @abc.abstractmethod
+     def generate_session_key(self):
+         """ Generate a session key to be used for wrapping data to the DRM
+         This must return a 3DES 168 bit key """
+-        pass
+ 
+     @abc.abstractmethod
+     def symmetric_wrap(self, data, wrapping_key, mechanism=None,
+                        nonce_iv=None):
+         """ encrypt data using a symmetric key (wrapping key)"""
+-        pass
+ 
+     @abc.abstractmethod
+     def symmetric_unwrap(self, data, wrapping_key, mechanism=None,
+@@ -77,7 +87,6 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
+         The mechanism is the type of key used to do the wrapping.  It defaults
+         to a 56 bit DES3 key.
+         """
+-        pass
+ 
+     @abc.abstractmethod
+     def asymmetric_wrap(self, data, wrapping_cert, mechanism=None):
+@@ -86,12 +95,10 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
+         The mechanism is the type of symmetric key, which defaults to a 56 bit
+         DES3 key.
+         """
+-        pass
+ 
+     # abc.abstractmethod
+     def get_cert(self, cert_nick):
+         """ Get the certificate for the specified cert_nick. """
+-        pass
+ 
+ 
+ class NSSCryptoProvider(CryptoProvider):
+@@ -152,6 +159,18 @@ class NSSCryptoProvider(CryptoProvider):
+         """
+         nss.nss_init(self.certdb_dir)
+ 
++    def get_supported_algorithm_keyset(self):
++        """ returns highest supported algorithm keyset """
++        return 0
++
++    def set_algorithm_keyset(self, level):
++        """ sets required keyset """
++        if level > 0:
++            raise Exception("Invalid keyset")
++
++        # basically, do what we have always done, no need to set anything
++        # special here.
++
+     def import_cert(self, cert_nick, cert, trust=',,'):
+         """ Import a certificate into the nss database
+         """
+@@ -170,8 +189,7 @@ class NSSCryptoProvider(CryptoProvider):
+                        '-i', cert_file.name]
+             subprocess.check_call(command)
+ 
+-    @staticmethod
+-    def generate_nonce_iv(mechanism=nss.CKM_DES3_CBC_PAD):
++    def generate_nonce_iv(self, mechanism=nss.CKM_DES3_CBC_PAD):
+         """ Create a random initialization vector """
+         iv_length = nss.get_iv_length(mechanism)
+         if iv_length > 0:
+@@ -237,6 +255,8 @@ class NSSCryptoProvider(CryptoProvider):
+         """
+         :param data            Data to be wrapped
+         :param wrapping_key    Symmetric key to wrap data
++        :param mechanism       Mechanism to user when wrapping
++        :param nonce_iv        Nonce to use when wrapping
+ 
+         Wrap (encrypt) data using the supplied symmetric key
+         """
+@@ -255,6 +275,7 @@ class NSSCryptoProvider(CryptoProvider):
+         """
+         :param data            Data to be unwrapped
+         :param wrapping_key    Symmetric key to unwrap data
++        :param mechanism       Mechanism to use when wrapping
+         :param nonce_iv        iv data
+ 
+         Unwrap (decrypt) data using the supplied symmetric key
+@@ -288,3 +309,160 @@ class NSSCryptoProvider(CryptoProvider):
+         Searches NSS database and returns SecItem object for this certificate.
+         """
+         return nss.find_cert_from_nickname(cert_nick)
++
++
++class CryptographyCryptoProvider(CryptoProvider):
++    """
++    Class that defines python-cryptography implementation of CryptoProvider.
++    Requires a PEM file containing the agent cert to be initialized.
++
++    Note that all inputs and outputs are unencoded.
++    """
++
++    def __init__(self, transport_cert_nick, transport_cert,
++                 backend=default_backend()):
++        """ Initialize python-cryptography
++        """
++        super(CryptographyCryptoProvider, self).__init__()
++        self.certs = {}
++
++        if not isinstance(transport_cert, cryptography.x509.Certificate):
++            # it's a file name
++            with open(transport_cert, 'r') as f:
++                transport_pem = f.read()
++            transport_cert = cryptography.x509.load_pem_x509_certificate(
++                transport_pem,
++                backend)
++
++        self.certs[transport_cert_nick] = transport_cert
++
++        # default to AES
++        self.encrypt_alg = algorithms.AES
++        self.encrypt_mode = modes.CBC
++        self.encrypt_size = 128
++        self.backend = backend
++
++    def initialize(self):
++        """
++        Any operations here that need to be performed before crypto
++        operations.
++        """
++        pass
++
++    def get_supported_algorithm_keyset(self):
++        """ returns highest supported algorithm keyset """
++        return 1
++
++    def set_algorithm_keyset(self, level):
++        """ sets required keyset """
++        if level > 1:
++            raise ValueError("Invalid keyset")
++        elif level == 1:
++            self.encrypt_alg = algorithms.AES
++            self.encrypt_mode = modes.CBC
++            self.encrypt_size = 128
++        elif level == 0:
++            self.encrypt_alg = algorithms.TripleDES
++            self.encrypt_mode = modes.CBC
++            self.encrypt_size = 168
++
++    def generate_nonce_iv(self, mechanism='AES'):
++        """ Create a random initialization vector """
++        return os.urandom(self.encrypt_alg.block_size // 8)
++
++    def generate_symmetric_key(self, mechanism=None, size=0):
++        """ Returns a symmetric key.
++        """
++        if mechanism is None:
++            size = self.encrypt_size // 8
++        return os.urandom(size)
++
++    def generate_session_key(self):
++        """ Returns a session key to be used when wrapping secrets for the DRM.
++        """
++        return self.generate_symmetric_key()
++
++    def symmetric_wrap(self, data, wrapping_key, mechanism=None,
++                       nonce_iv=None):
++        """
++        :param data            Data to be wrapped
++        :param wrapping_key    Symmetric key to wrap data
++        :param mechanism       Mechanism to use for wrapping key
++        :param nonce_iv        Nonce for initialization vector
++
++        Wrap (encrypt) data using the supplied symmetric key
++        """
++        # TODO(alee)  Not sure yet how to handle non-default mechanisms
++        # For now, lets just ignore them
++
++        if wrapping_key is None:
++            raise ValueError("Wrapping key must be provided")
++
++        if self.encrypt_mode.name == "CBC":
++            padder = padding.PKCS7(self.encrypt_alg.block_size).padder()
++            padded_data = padder.update(data) + padder.finalize()
++            data = padded_data
++        else:
++            raise ValueError('Only CBC mode is currently supported')
++
++        cipher = Cipher(self.encrypt_alg(wrapping_key),
++                        self.encrypt_mode(nonce_iv),
++                        backend=self.backend)
++
++        encryptor = cipher.encryptor()
++        ct = encryptor.update(data) + encryptor.finalize()
++        return ct
++
++    def symmetric_unwrap(self, data, wrapping_key,
++                         mechanism=None, nonce_iv=None):
++        """
++        :param data            Data to be unwrapped
++        :param wrapping_key    Symmetric key to unwrap data
++        :param mechanism       Mechanism to use when unwrapping
++        :param nonce_iv        iv data
++
++        Unwrap (decrypt) data using the supplied symmetric key
++        """
++
++        # TODO(alee) As above, no idea what to do with mechanism
++        # ignoring for now.
++
++        if wrapping_key is None:
++            raise ValueError("Wrapping key must be provided")
++
++        cipher = Cipher(self.encrypt_alg(wrapping_key),
++                        self.encrypt_mode(nonce_iv),
++                        backend=self.backend)
++
++        decryptor = cipher.decryptor()
++        unwrapped = decryptor.update(data) + decryptor.finalize()
++
++        if self.encrypt_mode.name == 'CBC':
++            unpadder = padding.PKCS7(self.encrypt_alg.block_size).unpadder()
++            unpadded = unpadder.update(unwrapped) + unpadder.finalize()
++            unwrapped = unpadded
++        else:
++            raise ValueError('Only CBC mode is currently supported')
++
++        return unwrapped
++
++    def asymmetric_wrap(self, data, wrapping_cert,
++                        mechanism=None):
++        """
++        :param data             Data to be wrapped
++        :param wrapping_cert    Public key to wrap data
++        :param mechanism        algorithm of symmetric key to be wrapped
++
++        Wrap (encrypt) data using the supplied asymmetric key
++        """
++        public_key = wrapping_cert.public_key()
++        return public_key.encrypt(
++            data,
++            PKCS1v15()
++        )
++
++    def get_cert(self, cert_nick):
++        """
++        :param cert_nick  Nickname for the certificate to be returned.
++        """
++        return self.certs[cert_nick]
+diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
+index 0765bcf..0de13fd 100644
+--- a/base/common/python/pki/util.py
++++ b/base/common/python/pki/util.py
+@@ -34,8 +34,10 @@ except ImportError:
+ 
+ import subprocess
+ 
+-DEFAULT_PKI_ENV_LIST = ['/usr/share/pki/etc/pki.conf',
+-                        '/etc/pki/pki.conf']
++DEFAULT_PKI_ENV_LIST = [
++    '/usr/share/pki/etc/pki.conf',
++    '/etc/pki/pki.conf',
++]
+ 
+ 
+ def copy(source, dest):
+-- 
+1.8.3.1
+
+
+From a1e30184b675c69fa858eb4fb85a6d358deb9bf1 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Mon, 3 Apr 2017 13:00:03 -0400
+Subject: [PATCH 28/59] Add code in KRA python client to support multiple
+ crypto algorithms
+
+Added code to:
+* Add an InfoClient to the KRAClient
+* Check the server, client and crypto provider keyset levels and
+  select the highest possible level accordingly.
+* Added new fields as returned by the server for retrieval.
+* Added new fields to KeyRecoveryRequest as added in AES changes.
+
+Changes to decode keywrapped symmetirc and asymmetric keys will
+be added in subsequent patches.  Right now, encrypt/decrypt works.
+
+Change-Id: Ifa7748d822c6b6f9a7c4afb395fb1388c587174d
+---
+ base/common/python/pki/info.py |  52 +++++++++++++++-----
+ base/common/python/pki/key.py  | 105 ++++++++++++++++++++++++++++++++++-------
+ base/common/python/pki/kra.py  |  23 ++++++---
+ 3 files changed, 144 insertions(+), 36 deletions(-)
+
+diff --git a/base/common/python/pki/info.py b/base/common/python/pki/info.py
+index b4da8b0..f4ab68c 100644
+--- a/base/common/python/pki/info.py
++++ b/base/common/python/pki/info.py
+@@ -56,20 +56,38 @@ class Info(object):
+         return info
+ 
+ 
+-class Version(object):
+-    """
+-    This class encapsulates a version object as returned from
+-    a Dogtag server and decomposes it into major, minor, etc.
+-    """
++class Version(tuple):
++    __slots__ = ()
++
++    def __new__(cls, version):
++        parts = [int(p) for p in version.split('.')]
++        if len(parts) < 3:
++            parts.extend([0] * (3 - len(parts)))
++        if len(parts) > 3:
++            raise ValueError(version)
++        return tuple.__new__(cls, tuple(parts))
++
++    def __str__(self):
++        return '{}.{}.{}'.format(*self)
++
++    def __repr__(self):
++        return "<Version('{}.{}.{}')>".format(*self)
+ 
+-    def __init__(self, version_string):
+-        for idx, val in enumerate(version_string.split('.')):
+-            if idx == 0:
+-                self.major = val
+-            if idx == 1:
+-                self.minor = val
+-            if idx == 2:
+-                self.patch = val
++    def __getnewargs__(self):
++        # pickle support
++        return str(self)
++
++    @property
++    def major(self):
++        return self[0]
++
++    @property
++    def minor(self):
++        return self[1]
++
++    @property
++    def patchlevel(self):
++        return self[2]
+ 
+ 
+ class InfoClient(object):
+@@ -98,3 +116,11 @@ class InfoClient(object):
+         """ return Version object from server """
+         version_string = self.get_info().version
+         return Version(version_string)
++
++
++if __name__ == '__main__':
++    print(Version('10'))
++    print(Version('10.1'))
++    print(Version('10.1.1'))
++    print(tuple(Version('10.1.1')))
++    print(Version('10.1.1.1'))
+diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py
+index da4efd6..6c5641a 100644
+--- a/base/common/python/pki/key.py
++++ b/base/common/python/pki/key.py
+@@ -27,12 +27,15 @@ from __future__ import absolute_import
+ from __future__ import print_function
+ import base64
+ import json
++import os
+ 
+ from six import iteritems
+ from six.moves.urllib.parse import quote  # pylint: disable=F0401,E0611
+ 
+ import pki
+ import pki.encoder as encoder
++from pki.info import Version
++import pki.util
+ 
+ 
+ # should be moved to request.py
+@@ -58,7 +61,10 @@ class KeyData(object):
+     json_attribute_names = {
+         'nonceData': 'nonce_data',
+         'wrappedPrivateData': 'wrapped_private_data',
+-        'requestID': 'request_id'
++        'requestID': 'request_id',
++        'encryptAlgorithmOID': 'encrypt_algorithm_oid',
++        'wrapAlgorithm': 'wrap_algorithm',
++        'publicKey': 'public_key'
+     }
+ 
+     # pylint: disable=C0103
+@@ -69,6 +75,10 @@ class KeyData(object):
+         self.request_id = None
+         self.size = None
+         self.wrapped_private_data = None
++        self.encrypt_algorithm_oid = None
++        self.wrap_algorithm = None
++        self.public_key = None
++        self.type = None
+ 
+     @classmethod
+     def from_json(cls, attr_list):
+@@ -102,6 +112,11 @@ class Key(object):
+         self.algorithm = key_data.algorithm
+         self.size = key_data.size
+ 
++        self.encrypt_algorithm_oid = getattr(
++            key_data, "encrypt_algorithm_oid", None)
++        self.wrap_algorithm = getattr(key_data, "wrap_algorithm", None)
++        self.public_key = getattr(key_data, "public_key", None)
++
+         # To store the unwrapped key information.
+         # The decryption takes place on the client side.
+         self.data = None
+@@ -341,7 +356,8 @@ class KeyRecoveryRequest(pki.ResourceMessage):
+                  trans_wrapped_session_key=None,
+                  session_wrapped_passphrase=None,
+                  nonce_data=None, certificate=None,
+-                 passphrase=None):
++                 passphrase=None, payload_wrapping_name=None,
++                 payload_encryption_oid=None):
+         """ Constructor """
+         pki.ResourceMessage.__init__(
+             self,
+@@ -354,6 +370,8 @@ class KeyRecoveryRequest(pki.ResourceMessage):
+         self.add_attribute("certificate", certificate)
+         self.add_attribute("passphrase", passphrase)
+         self.add_attribute("keyId", key_id)
++        self.add_attribute("payloadWrappingName", payload_wrapping_name)
++        self.add_attribute("payloadEncryptionOID", payload_encryption_oid)
+ 
+ 
+ class SymKeyGenerationRequest(pki.ResourceMessage):
+@@ -443,8 +461,10 @@ class KeyClient(object):
+ 
+     # default session key wrapping algorithm
+     DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}"
++    AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}"
+ 
+-    def __init__(self, connection, crypto, transport_cert_nick=None):
++    def __init__(self, connection, crypto, transport_cert_nick=None,
++                 info_client=None):
+         """ Constructor """
+         self.connection = connection
+         self.headers = {'Content-type': 'application/json',
+@@ -459,6 +479,10 @@ class KeyClient(object):
+         else:
+             self.transport_cert = None
+ 
++        self.info_client = info_client
++        self.encrypt_alg_oid = None
++        self.set_crypto_algorithms()
++
+     def set_transport_cert(self, transport_cert_nick):
+         """ Set the transport certificate for crypto operations """
+         if transport_cert_nick is None:
+@@ -467,6 +491,44 @@ class KeyClient(object):
+         self.transport_cert = self.crypto.get_cert(transport_cert_nick)
+ 
+     @pki.handle_exceptions()
++    def set_crypto_algorithms(self):
++        server_keyset = self.get_server_keyset()
++        client_keyset = self.get_client_keyset()
++        crypto_keyset = self.crypto.get_supported_algorithm_keyset()
++        keyset_id = min([server_keyset, client_keyset, crypto_keyset])
++
++        # set keyset in crypto provider
++        self.crypto.set_algorithm_keyset(keyset_id)
++
++        # set keyset related constants needed in KeyClient
++        if keyset_id == 0:
++            self.encrypt_alg_oid = self.DES_EDE3_CBC_OID
++        else:
++            self.encrypt_alg_oid = self.AES_128_CBC_OID
++
++    def get_client_keyset(self):
++        # get client keyset
++        pki.util.read_environment_files()
++        client_keyset = os.getenv('KEY_WRAP_PARAMETER_SET')
++        if client_keyset is not None:
++            return client_keyset
++        return 0
++
++    def get_server_keyset(self):
++        # get server keyset id
++        server_version = Version("0.0.0")
++        try:
++            server_version = self.info_client.get_version()
++        except Exception:    # pylint: disable=W0703
++            # TODO(alee) tighten up the exception here
++            pass
++
++        if server_version >= (10, 4):
++            return 1
++
++        return 0
++
++    @pki.handle_exceptions()
+     def list_keys(self, client_key_id=None, status=None, max_results=None,
+                   max_time=None, start=None, size=None, realm=None):
+         """ List/Search archived secrets in the DRM.
+@@ -785,7 +847,8 @@ class KeyClient(object):
+             raise TypeError('Missing wrapped session key')
+ 
+         if not algorithm_oid:
+-            algorithm_oid = KeyClient.DES_EDE3_CBC_OID
++            algorithm_oid = KeyClient.AES_128_CBC_OID
++            # algorithm_oid = KeyClient.DES_EDE3_CBC_OID
+ 
+         if not nonce_iv:
+             raise TypeError('Missing nonce IV')
+@@ -910,7 +973,7 @@ class KeyClient(object):
+            approval is required, then the KeyData will include the secret.
+ 
+         *  If the key cannot be retrieved synchronously - ie. if more than one
+-           approval is needed, then the KeyData obect will include the request
++           approval is needed, then the KeyData object will include the request
+            ID for a recovery request that was created on the server.  When that
+            request is approved, callers can retrieve the key using
+            retrieve_key() and setting the request_id.
+@@ -951,7 +1014,9 @@ class KeyClient(object):
+             key_id=key_id,
+             request_id=request_id,
+             trans_wrapped_session_key=base64.b64encode(
+-                trans_wrapped_session_key))
++                trans_wrapped_session_key),
++            payload_encryption_oid=self.encrypt_alg_oid
++        )
+ 
+         key = self.retrieve_key_data(request)
+         if not key_provided and key.encrypted_data is not None:
+@@ -982,12 +1047,13 @@ class KeyClient(object):
+ 
+         1) A passphrase is provided by the caller.
+ 
+-           In this case, CryptoProvider methods will be called to create the data
+-           to securely send the passphrase to the DRM.  Basically, three pieces of
+-           data will be sent:
++           In this case, CryptoProvider methods will be called to create the
++           data to securely send the passphrase to the DRM.  Basically, three
++           pieces of data will be sent:
+ 
+-           - the passphrase wrapped by a 168 bit 3DES symmetric key (the session
+-             key).  This is referred to as the parameter session_wrapped_passphrase.
++           - the passphrase wrapped by a 168 bit 3DES symmetric key (the
++             session key).  This is referred to as the parameter
++             session_wrapped_passphrase.
+ 
+            - the session key wrapped with the public key in the DRM transport
+              certificate.  This is referred to as the trans_wrapped_session_key.
+@@ -999,9 +1065,10 @@ class KeyClient(object):
+         2) The caller provides the trans_wrapped_session_key,
+            session_wrapped_passphrase and nonce_data.
+ 
+-           In this case, the data will simply be passed to the DRM.  The function
+-           will return the secret encrypted by the passphrase using PBE Encryption.
+-           The secret will still need to be decrypted by the caller.
++           In this case, the data will simply be passed to the DRM.
++           The function will return the secret encrypted by the passphrase
++           using PBE Encryption.  The secret will still need to be decrypted
++           by the caller.
+ 
+            The function will return the tuple (KeyData, None)
+         """
+@@ -1053,12 +1120,18 @@ def main():
+     usages = [SymKeyGenerationRequest.DECRYPT_USAGE,
+               SymKeyGenerationRequest.ENCRYPT_USAGE]
+     gen_request = SymKeyGenerationRequest(client_key_id, 128, "AES", usages)
+-    print(json.dumps(gen_request, cls=encoder.CustomTypeEncoder, sort_keys=True))
++    print(json.dumps(gen_request,
++                     cls=encoder.CustomTypeEncoder,
++                     sort_keys=True))
+ 
+     print("printing key recovery request")
+     key_request = KeyRecoveryRequest("25", "MX12345BBBAAA", None,
+                                      "1234ABC", None, None)
+-    print(json.dumps(key_request, cls=encoder.CustomTypeEncoder, sort_keys=True))
++    print(json.dumps(
++        key_request,
++        cls=encoder.CustomTypeEncoder,
++        sort_keys=True)
++    )
+ 
+     print("printing key archival request")
+     archival_request = KeyArchivalRequest(client_key_id, "symmetricKey",
+diff --git a/base/common/python/pki/kra.py b/base/common/python/pki/kra.py
+index b98f856..6b2de63 100644
+--- a/base/common/python/pki/kra.py
++++ b/base/common/python/pki/kra.py
+@@ -26,6 +26,7 @@ KeyRequestResource REST APIs.
+ """
+ 
+ from __future__ import absolute_import
++from pki.info import InfoClient
+ import pki.key as key
+ 
+ from pki.systemcert import SystemCertClient
+@@ -41,18 +42,26 @@ class KRAClient(object):
+         """ Constructor
+ 
+         :param connection - PKIConnection object with DRM connection info.
+-        :param crypto - CryptoProvider object.  NSSCryptoProvider is provided by
+-                        default.  If a different crypto implementation is
++        :param crypto - CryptoProvider object.  NSSCryptoProvider is provided
++                        by default.  If a different crypto implementation is
+                         desired, a different subclass of CryptoProvider must be
+                         provided.
+         :param transport_cert_nick - identifier for the DRM transport
+                         certificate.  This will be passed to the
+-                        CryptoProvider.get_cert() command to get a representation
+-                        of the transport certificate usable for crypto ops.
+-                        Note that for NSS databases, the database must have been
+-                        initialized beforehand.
++                        CryptoProvider.get_cert() command to get a
++                        representation of the transport certificate usable for
++                        crypto ops.
++
++                        Note that for NSS databases, the database must have
++                        been initialized beforehand.
+         """
+         self.connection = connection
+         self.crypto = crypto
+-        self.keys = key.KeyClient(connection, crypto, transport_cert_nick)
++        self.info = InfoClient(connection)
++        self.keys = key.KeyClient(
++            connection,
++            crypto,
++            transport_cert_nick,
++            self.info
++        )
+         self.system_certs = SystemCertClient(connection)
+-- 
+1.8.3.1
+
+
+From 60f0adb9205d5c7d4d9294ca620530ff3df2000e Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 17 Mar 2017 04:48:07 +0100
+Subject: [PATCH 31/59] Added SSLSocketListener for PKIConnection.
+
+To help troubleshooting the PKIConnection has been modified to
+register an SSL socket listener which will display SSL alerts
+that it has received or sent.
+
+https://pagure.io/dogtagpki/issue/2625
+
+Change-Id: I8f2e4f55a3d6bc8a7360f666c9b18e4c0d6c6d83
+---
+ .../com/netscape/certsrv/client/PKIConnection.java | 40 ++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+index c2ffd09..d5e4c00 100644
+--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
++++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+@@ -78,8 +78,13 @@ import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget;
+ import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.CryptoManager.NotInitializedException;
++import org.mozilla.jss.ssl.SSLAlertDescription;
++import org.mozilla.jss.ssl.SSLAlertEvent;
++import org.mozilla.jss.ssl.SSLAlertLevel;
+ import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
++import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
+ import org.mozilla.jss.ssl.SSLSocket;
++import org.mozilla.jss.ssl.SSLSocketListener;
+ 
+ import com.netscape.certsrv.base.PKIException;
+ 
+@@ -352,6 +357,41 @@ public class PKIConnection {
+                 socket.setClientCertNickname(certNickname);
+             }
+ 
++            socket.addSocketListener(new SSLSocketListener() {
++
++                @Override
++                public void alertReceived(SSLAlertEvent event) {
++
++                    int intLevel = event.getLevel();
++                    SSLAlertLevel level = SSLAlertLevel.valueOf(intLevel);
++
++                    int intDescription = event.getDescription();
++                    SSLAlertDescription description = SSLAlertDescription.valueOf(intDescription);
++
++                    if (level == SSLAlertLevel.FATAL || verbose) {
++                        System.err.println(level + ": SSL alert received: " + description);
++                    }
++                }
++
++                @Override
++                public void alertSent(SSLAlertEvent event) {
++
++                    int intLevel = event.getLevel();
++                    SSLAlertLevel level = SSLAlertLevel.valueOf(intLevel);
++
++                    int intDescription = event.getDescription();
++                    SSLAlertDescription description = SSLAlertDescription.valueOf(intDescription);
++
++                    if (level == SSLAlertLevel.FATAL || verbose) {
++                        System.err.println(level + ": SSL alert sent: " + description);
++                    }
++                }
++
++                @Override
++                public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
++                }
++
++            });
+             return socket;
+         }
+ 
+-- 
+1.8.3.1
+
+
+From 0409bfa35601a0b59f75c05cf8a34aed6514fc24 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 8 Apr 2017 09:04:54 +0200
+Subject: [PATCH 32/59] Fixed pki user and group commands.
+
+The UserCLI and GroupCLI have been fixed to use the subsystem name
+in the client configuration object if available.
+
+https://pagure.io/dogtagpki/issue/2626
+
+Change-Id: Ibf099cefe880a238468fad7fb2aabc9cc2d55c1f
+---
+ base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java | 3 ++-
+ base/java-tools/src/com/netscape/cmstools/user/UserCLI.java   | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
+index 5ccf70d..95eb3a2 100644
+--- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
+@@ -73,7 +73,8 @@ public class GroupCLI extends CLI {
+             SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
+             subsystem = subsystemCLI.getName();
+         } else {
+-            subsystem = "ca";
++            subsystem = client.getSubsystem();
++            if (subsystem == null) subsystem = "ca";
+         }
+ 
+         // create new group client
+diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
+index 1acbf0b..affda9c 100644
+--- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
+@@ -76,7 +76,8 @@ public class UserCLI extends CLI {
+             SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
+             subsystem = subsystemCLI.getName();
+         } else {
+-            subsystem = "ca";
++            subsystem = client.getSubsystem();
++            if (subsystem == null) subsystem = "ca";
+         }
+ 
+         // create new user client
+-- 
+1.8.3.1
+
+
+From 0c8aedd8a79841751005c531cf6cfbc08a4fd4dd Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 8 Apr 2017 09:05:48 +0200
+Subject: [PATCH 33/59] Deprecated -t option for pki CLI.
+
+The MainCLI has been modified to generate a deprecation warning
+for the -t option.
+
+Change-Id: I28ac45954a900f6944528ef52913982d72896c92
+---
+ base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+index d7aa54c..1b9c569 100644
+--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+@@ -124,12 +124,12 @@ public class MainCLI extends CLI {
+ 
+     public void printVersion() {
+         Package pkg = MainCLI.class.getPackage();
+-        System.out.println("PKI Command-Line Interface "+pkg.getImplementationVersion());
++        System.out.println("PKI Command-Line Interface " + pkg.getImplementationVersion());
+     }
+ 
+     public void printHelp() {
+ 
+-        formatter.printHelp(name+" [OPTIONS..] <command> [ARGS..]", options);
++        formatter.printHelp(name + " [OPTIONS..] <command> [ARGS..]", options);
+         System.out.println();
+ 
+         int leftPadding = 1;
+@@ -169,7 +169,7 @@ public class MainCLI extends CLI {
+         option.setArgName("port");
+         options.addOption(option);
+ 
+-        option = new Option("t", true, "Subsystem type");
++        option = new Option("t", true, "Subsystem type (deprecated)");
+         option.setArgName("type");
+         options.addOption(option);
+ 
+@@ -340,8 +340,10 @@ public class MainCLI extends CLI {
+         if (uri == null)
+             uri = protocol + "://" + hostname + ":" + port;
+ 
+-        if (subsystem != null)
++        if (subsystem != null) {
++            System.err.println("WARNING: The -t option has been deprecated. Use pki " + subsystem + " command instead.");
+             uri = uri + "/" + subsystem;
++        }
+ 
+         config.setServerURI(uri);
+ 
+-- 
+1.8.3.1
+
+
+From 9e3551fdb2c8d1f1bd7ad57249752c8ad6aece32 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 7 Apr 2017 19:45:10 +0200
+Subject: [PATCH 34/59] Added FIPS-compliant password generator.
+
+A new function has been added to generate a random password that
+meets FIPS requirements for a strong password. This function is
+used to generate NSS database password during installation.
+
+https://pagure.io/dogtagpki/issue/2556
+
+Change-Id: I64dd36125ec968f6253f90835e6065325d720032
+---
+ base/common/python/pki/__init__.py                 | 63 ++++++++++++++++++++++
+ .../python/pki/server/deployment/pkiparser.py      | 12 +----
+ 2 files changed, 65 insertions(+), 10 deletions(-)
+
+diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
+index c015126..1fc5385 100644
+--- a/base/common/python/pki/__init__.py
++++ b/base/common/python/pki/__init__.py
+@@ -26,7 +26,9 @@ from __future__ import print_function
+ 
+ from functools import wraps
+ import os
++import random
+ import re
++import string
+ import sys
+ 
+ import requests
+@@ -124,6 +126,67 @@ def implementation_version():
+     raise Exception('Missing implementation version.')
+ 
+ 
++def generate_password():
++    """
++    This function generates FIPS-compliant password.
++
++    See sftk_newPinCheck() in the following file:
++    https://dxr.mozilla.org/nss/source/nss/lib/softoken/fipstokn.c
++
++    The minimum password length is FIPS_MIN_PIN Unicode characters.
++
++    The password must contain at least 3 character classes:
++     * digits (string.digits)
++     * ASCII lowercase letters (string.ascii_lowercase)
++     * ASCII uppercase letters (string.ascii_uppercase)
++     * ASCII non-alphanumeric characters (string.punctuation)
++     * non-ASCII characters
++
++    If an ASCII uppercase letter is the first character of the password,
++    the uppercase letter is not counted toward its character class.
++
++    If a digit is the last character of the password, the digit is not
++    counted toward its character class.
++
++    The FIPS_MIN_PIN is defined in the following file:
++    https://dxr.mozilla.org/nss/source/nss/lib/softoken/pkcs11i.h
++
++    #define FIPS_MIN_PIN 7
++    """
++
++    rnd = random.SystemRandom()
++
++    valid_chars = string.digits +\
++        string.ascii_lowercase +\
++        string.ascii_uppercase +\
++        string.punctuation
++
++    chars = []
++
++    # add 1 random char from each char class to meet
++    # the minimum number of char class requirement
++    chars.append(rnd.choice(string.digits))
++    chars.append(rnd.choice(string.ascii_lowercase))
++    chars.append(rnd.choice(string.ascii_uppercase))
++    chars.append(rnd.choice(string.punctuation))
++
++    # add 6 additional random chars
++    chars.extend(rnd.choice(valid_chars) for i in range(6))
++
++    # randomize the char order
++    rnd.shuffle(chars)
++
++    # add 2 random chars at the beginning and the end
++    # to maintain the minimum number of char class
++    chars.insert(0, rnd.choice(valid_chars))
++    chars.append(rnd.choice(valid_chars))
++
++    # final password is 12 chars
++    password = ''.join(chars)
++
++    return password
++
++
+ # pylint: disable=R0903
+ class Attribute(object):
+     """
+diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
+index e05e0be..df04ff8 100644
+--- a/base/server/python/pki/server/deployment/pkiparser.py
++++ b/base/server/python/pki/server/deployment/pkiparser.py
+@@ -583,12 +583,6 @@ class PKIConfigParser:
+ 
+             self.deployer.flatten_master_dict()
+ 
+-            # Generate random 'pin's for use as security database passwords
+-            # and add these to the "sensitive" key value pairs read in from
+-            # the configuration file
+-            pin_low = 100000000000
+-            pin_high = 999999999999
+-
+             instance = pki.server.PKIInstance(self.mdict['pki_instance_name'])
+             instance.load()
+ 
+@@ -604,11 +598,9 @@ class PKIConfigParser:
+ 
+             # otherwise, generate a random password
+             else:
+-                self.mdict['pki_pin'] = \
+-                    random.randint(pin_low, pin_high)
++                self.mdict['pki_pin'] = pki.generate_password()
+ 
+-            self.mdict['pki_client_pin'] = \
+-                random.randint(pin_low, pin_high)
++            self.mdict['pki_client_pin'] = pki.generate_password()
+ 
+             pkilogging.sensitive_parameters = \
+                 self.mdict['sensitive_parameters'].split()
+-- 
+1.8.3.1
+
+
+From d8081073d10065987341a6583a6a7e7351b22438 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Tue, 11 Apr 2017 18:04:41 +0200
+Subject: [PATCH 35/59] Added pki-server <subsystem>-audit-file-find CLI.
+
+A new pki-server <subsystem>-audit-file-find CLI has been added
+to list audit log files on the server.
+
+Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
+---
+ base/server/python/pki/server/__init__.py  |  14 ++++
+ base/server/python/pki/server/cli/audit.py | 109 +++++++++++++++++++++++++++++
+ base/server/python/pki/server/cli/ca.py    |   2 +
+ base/server/python/pki/server/cli/kra.py   |   2 +
+ base/server/python/pki/server/cli/ocsp.py  |   2 +
+ base/server/python/pki/server/cli/tks.py   |   2 +
+ base/server/python/pki/server/cli/tps.py   |   2 +
+ 7 files changed, 133 insertions(+)
+ create mode 100644 base/server/python/pki/server/cli/audit.py
+
+diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
+index 5032274..112dcbf 100644
+--- a/base/server/python/pki/server/__init__.py
++++ b/base/server/python/pki/server/__init__.py
+@@ -389,6 +389,20 @@ class PKISubsystem(object):
+ 
+         pki.util.customize_file(input_file, output_file, params)
+ 
++    def get_audit_log_files(self):
++
++        current_file_path = self.config['log.instance.SignedAudit.fileName']
++        (log_dir, current_file) = os.path.split(current_file_path)
++
++        # sort log files based on timestamp
++        files = [f for f in os.listdir(log_dir) if f != current_file]
++        files.sort()
++
++        # put the current log file at the end
++        files.append(current_file)
++
++        return files
++
+     def __repr__(self):
+         return str(self.instance) + '/' + self.name
+ 
+diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
+new file mode 100644
+index 0000000..3bb9d5f
+--- /dev/null
++++ b/base/server/python/pki/server/cli/audit.py
+@@ -0,0 +1,109 @@
++# Authors:
++#     Endi S. Dewata <edewata@redhat.com>
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; version 2 of the License.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License along
++# with this program; if not, write to the Free Software Foundation, Inc.,
++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Copyright (C) 2017 Red Hat, Inc.
++# All rights reserved.
++#
++
++from __future__ import absolute_import
++from __future__ import print_function
++import getopt
++import sys
++
++import pki.cli
++
++
++class AuditCLI(pki.cli.CLI):
++
++    def __init__(self, parent):
++        super(AuditCLI, self).__init__(
++            'audit', 'Audit management commands')
++
++        self.parent = parent
++        self.add_module(AuditFileFindCLI(self))
++
++
++class AuditFileFindCLI(pki.cli.CLI):
++
++    def __init__(self, parent):
++        super(AuditFileFindCLI, self).__init__(
++            'file-find', 'Find audit log files')
++
++        self.parent = parent
++
++    def print_help(self):
++        print('Usage: pki-server %s-audit-file-find [OPTIONS]' % self.parent.parent.name)
++        print()
++        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
++        print('      --help                         Show help message.')
++        print()
++
++    def execute(self, args):
++
++        try:
++            opts, _ = getopt.gnu_getopt(args, 'i:v', [
++                'instance=',
++                'verbose', 'help'])
++
++        except getopt.GetoptError as e:
++            print('ERROR: ' + str(e))
++            self.print_help()
++            sys.exit(1)
++
++        instance_name = 'pki-tomcat'
++
++        for o, a in opts:
++            if o in ('-i', '--instance'):
++                instance_name = a
++
++            elif o in ('-v', '--verbose'):
++                self.set_verbose(True)
++
++            elif o == '--help':
++                self.print_help()
++                sys.exit()
++
++            else:
++                print('ERROR: unknown option ' + o)
++                self.print_help()
++                sys.exit(1)
++
++        instance = pki.server.PKIInstance(instance_name)
++        if not instance.is_valid():
++            print('ERROR: Invalid instance %s.' % instance_name)
++            sys.exit(1)
++
++        instance.load()
++
++        subsystem_name = self.parent.parent.name
++        subsystem = instance.get_subsystem(subsystem_name)
++        if not subsystem:
++            print('ERROR: No %s subsystem in instance %s.'
++                  % (subsystem_name.upper(), instance_name))
++            sys.exit(1)
++
++        log_files = subsystem.get_audit_log_files()
++
++        self.print_message('%s entries matched' % len(log_files))
++
++        first = True
++        for filename in log_files:
++            if first:
++                first = False
++            else:
++                print()
++
++            print('  File name: %s' % filename)
+diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
+index 1d1c00f..550e511 100644
+--- a/base/server/python/pki/server/cli/ca.py
++++ b/base/server/python/pki/server/cli/ca.py
+@@ -28,6 +28,7 @@ import sys
+ import tempfile
+ 
+ import pki.cli
++import pki.server.cli.audit
+ 
+ 
+ class CACLI(pki.cli.CLI):
+@@ -38,6 +39,7 @@ class CACLI(pki.cli.CLI):
+ 
+         self.add_module(CACertCLI())
+         self.add_module(CACloneCLI())
++        self.add_module(pki.server.cli.audit.AuditCLI(self))
+ 
+ 
+ class CACertCLI(pki.cli.CLI):
+diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
+index 5558d6a..3724014 100644
+--- a/base/server/python/pki/server/cli/kra.py
++++ b/base/server/python/pki/server/cli/kra.py
+@@ -32,6 +32,7 @@ import tempfile
+ import time
+ 
+ import pki.cli
++import pki.server.cli.audit
+ 
+ 
+ KRA_VLVS = ['allKeys', 'kraAll',
+@@ -51,6 +52,7 @@ class KRACLI(pki.cli.CLI):
+ 
+         self.add_module(KRACloneCLI())
+         self.add_module(KRADBCLI())
++        self.add_module(pki.server.cli.audit.AuditCLI(self))
+ 
+ 
+ class KRACloneCLI(pki.cli.CLI):
+diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py
+index 246f593..3e9b6aa 100644
+--- a/base/server/python/pki/server/cli/ocsp.py
++++ b/base/server/python/pki/server/cli/ocsp.py
+@@ -28,6 +28,7 @@ import sys
+ import tempfile
+ 
+ import pki.cli
++import pki.server.cli.audit
+ 
+ 
+ class OCSPCLI(pki.cli.CLI):
+@@ -37,6 +38,7 @@ class OCSPCLI(pki.cli.CLI):
+             'ocsp', 'OCSP management commands')
+ 
+         self.add_module(OCSPCloneCLI())
++        self.add_module(pki.server.cli.audit.AuditCLI(self))
+ 
+ 
+ class OCSPCloneCLI(pki.cli.CLI):
+diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py
+index 2c4157a..0e6a998 100644
+--- a/base/server/python/pki/server/cli/tks.py
++++ b/base/server/python/pki/server/cli/tks.py
+@@ -28,6 +28,7 @@ import sys
+ import tempfile
+ 
+ import pki.cli
++import pki.server.cli.audit
+ 
+ 
+ class TKSCLI(pki.cli.CLI):
+@@ -37,6 +38,7 @@ class TKSCLI(pki.cli.CLI):
+             'tks', 'TKS management commands')
+ 
+         self.add_module(TKSCloneCLI())
++        self.add_module(pki.server.cli.audit.AuditCLI(self))
+ 
+ 
+ class TKSCloneCLI(pki.cli.CLI):
+diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py
+index 1f71b8e..03df8de 100644
+--- a/base/server/python/pki/server/cli/tps.py
++++ b/base/server/python/pki/server/cli/tps.py
+@@ -32,6 +32,7 @@ import tempfile
+ import time
+ 
+ import pki.cli
++import pki.server.cli.audit
+ 
+ 
+ TPS_VLV_PATH = '/usr/share/pki/tps/conf/vlv.ldif'
+@@ -46,6 +47,7 @@ class TPSCLI(pki.cli.CLI):
+ 
+         self.add_module(TPSCloneCLI())
+         self.add_module(TPSDBCLI())
++        self.add_module(pki.server.cli.audit.AuditCLI(self))
+ 
+ 
+ class TPSCloneCLI(pki.cli.CLI):
+-- 
+1.8.3.1
+
+
+From a29888e42c14c9c7e642769b747bb288d39a0809 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Tue, 11 Apr 2017 18:04:41 +0200
+Subject: [PATCH 36/59] Added pki-server <subsystem>-audit-file-verify CLI.
+
+A new pki-server <subsystem>-audit-file-verify CLI has been added
+to verify audit log files on the server.
+
+Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
+---
+ base/server/python/pki/server/__init__.py  |  5 ++
+ base/server/python/pki/server/cli/audit.py | 91 ++++++++++++++++++++++++++++++
+ 2 files changed, 96 insertions(+)
+
+diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
+index 112dcbf..8898654 100644
+--- a/base/server/python/pki/server/__init__.py
++++ b/base/server/python/pki/server/__init__.py
+@@ -389,6 +389,11 @@ class PKISubsystem(object):
+ 
+         pki.util.customize_file(input_file, output_file, params)
+ 
++    def get_audit_log_dir(self):
++
++        current_file_path = self.config['log.instance.SignedAudit.fileName']
++        return os.path.dirname(current_file_path)
++
+     def get_audit_log_files(self):
+ 
+         current_file_path = self.config['log.instance.SignedAudit.fileName']
+diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
+index 3bb9d5f..0833ca8 100644
+--- a/base/server/python/pki/server/cli/audit.py
++++ b/base/server/python/pki/server/cli/audit.py
+@@ -21,7 +21,11 @@
+ from __future__ import absolute_import
+ from __future__ import print_function
+ import getopt
++import os
++import shutil
++import subprocess
+ import sys
++import tempfile
+ 
+ import pki.cli
+ 
+@@ -34,6 +38,7 @@ class AuditCLI(pki.cli.CLI):
+ 
+         self.parent = parent
+         self.add_module(AuditFileFindCLI(self))
++        self.add_module(AuditFileVerifyCLI(self))
+ 
+ 
+ class AuditFileFindCLI(pki.cli.CLI):
+@@ -107,3 +112,89 @@ class AuditFileFindCLI(pki.cli.CLI):
+                 print()
+ 
+             print('  File name: %s' % filename)
++
++
++class AuditFileVerifyCLI(pki.cli.CLI):
++
++    def __init__(self, parent):
++        super(AuditFileVerifyCLI, self).__init__(
++            'file-verify', 'Verify audit log files')
++
++        self.parent = parent
++
++    def print_help(self):
++        print('Usage: pki-server %s-audit-file-verify [OPTIONS]' % self.parent.parent.name)
++        print()
++        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
++        print('      --help                         Show help message.')
++        print()
++
++    def execute(self, args):
++
++        try:
++            opts, _ = getopt.gnu_getopt(args, 'i:v', [
++                'instance=',
++                'verbose', 'help'])
++
++        except getopt.GetoptError as e:
++            print('ERROR: ' + str(e))
++            self.print_help()
++            sys.exit(1)
++
++        instance_name = 'pki-tomcat'
++
++        for o, a in opts:
++            if o in ('-i', '--instance'):
++                instance_name = a
++
++            elif o in ('-v', '--verbose'):
++                self.set_verbose(True)
++
++            elif o == '--help':
++                self.print_help()
++                sys.exit()
++
++            else:
++                print('ERROR: unknown option ' + o)
++                self.print_help()
++                sys.exit(1)
++
++        instance = pki.server.PKIInstance(instance_name)
++        if not instance.is_valid():
++            print('ERROR: Invalid instance %s.' % instance_name)
++            sys.exit(1)
++
++        instance.load()
++
++        subsystem_name = self.parent.parent.name
++        subsystem = instance.get_subsystem(subsystem_name)
++        if not subsystem:
++            print('ERROR: No %s subsystem in instance %s.'
++                  % (subsystem_name.upper(), instance_name))
++            sys.exit(1)
++
++        log_dir = subsystem.get_audit_log_dir()
++        log_files = subsystem.get_audit_log_files()
++        signing_cert = subsystem.get_subsystem_cert('audit_signing')
++
++        tmpdir = tempfile.mkdtemp()
++
++        try:
++            file_list = os.path.join(tmpdir, 'audit.txt')
++
++            with open(file_list, 'w') as f:
++                for filename in log_files:
++                    f.write(os.path.join(log_dir, filename) + '\n')
++
++            cmd = ['AuditVerify',
++                   '-d', instance.nssdb_dir,
++                   '-n', signing_cert['nickname'],
++                   '-a', file_list]
++
++            if self.verbose:
++                print('Command: %s' % ' '.join(cmd))
++
++            subprocess.call(cmd)
++
++        finally:
++            shutil.rmtree(tmpdir)
+-- 
+1.8.3.1
+
+
+From 77d2064858e4623fa25f4986647f318d8bf8a6f7 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Fri, 7 Apr 2017 12:23:47 -0400
+Subject: [PATCH 37/59] Add KRAInfo resource
+
+This resource (which will be accessed at /kra/rest/info)
+will initially return the mechanism for archival or retrieval.
+
+This is needed by clients to know how to package secrets when
+archiving.
+
+Change-Id: I6990ebb9c9dafc4158e51ba61a30e773d1d953ec
+---
+ .../src/com/netscape/certsrv/kra/KRAClient.java    |   3 +
+ base/common/src/org/dogtagpki/common/KRAInfo.java  | 136 +++++++++++++++++++++
+ .../src/org/dogtagpki/common/KRAInfoClient.java    |  48 ++++++++
+ .../src/org/dogtagpki/common/KRAInfoResource.java  |  40 ++++++
+ .../dogtagpki/server/kra/rest/KRAApplication.java  |   4 +
+ .../org/dogtagpki/server/rest/KRAInfoService.java  |  67 ++++++++++
+ 6 files changed, 298 insertions(+)
+ create mode 100644 base/common/src/org/dogtagpki/common/KRAInfo.java
+ create mode 100644 base/common/src/org/dogtagpki/common/KRAInfoClient.java
+ create mode 100644 base/common/src/org/dogtagpki/common/KRAInfoResource.java
+ create mode 100644 base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
+
+diff --git a/base/common/src/com/netscape/certsrv/kra/KRAClient.java b/base/common/src/com/netscape/certsrv/kra/KRAClient.java
+index 1eb102f..9440174 100644
+--- a/base/common/src/com/netscape/certsrv/kra/KRAClient.java
++++ b/base/common/src/com/netscape/certsrv/kra/KRAClient.java
+@@ -1,5 +1,7 @@
+ package com.netscape.certsrv.kra;
+ 
++import org.dogtagpki.common.KRAInfoClient;
++
+ import com.netscape.certsrv.client.PKIClient;
+ import com.netscape.certsrv.client.SubsystemClient;
+ import com.netscape.certsrv.group.GroupClient;
+@@ -22,5 +24,6 @@ public class KRAClient extends SubsystemClient {
+         addClient(new SelfTestClient(client, name));
+         addClient(new SystemCertClient(client, name));
+         addClient(new UserClient(client, name));
++        addClient(new KRAInfoClient(client, name));
+     }
+ }
+diff --git a/base/common/src/org/dogtagpki/common/KRAInfo.java b/base/common/src/org/dogtagpki/common/KRAInfo.java
+new file mode 100644
+index 0000000..e17bd64
+--- /dev/null
++++ b/base/common/src/org/dogtagpki/common/KRAInfo.java
+@@ -0,0 +1,136 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++
++package org.dogtagpki.common;
++
++import java.io.StringReader;
++import java.io.StringWriter;
++
++import javax.xml.bind.JAXBContext;
++import javax.xml.bind.Marshaller;
++import javax.xml.bind.Unmarshaller;
++import javax.xml.bind.annotation.XmlElement;
++import javax.xml.bind.annotation.XmlRootElement;
++
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
++
++import com.netscape.certsrv.base.ResourceMessage;
++
++/**
++ * @author Ade Lee
++ */
++@XmlRootElement(name="KRAInfo")
++public class KRAInfo extends ResourceMessage {
++
++    private static Logger logger = LoggerFactory.getLogger(Info.class);
++
++    public static Marshaller marshaller;
++    public static Unmarshaller unmarshaller;
++
++    static {
++        try {
++            marshaller = JAXBContext.newInstance(KRAInfo.class).createMarshaller();
++            marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
++            unmarshaller = JAXBContext.newInstance(KRAInfo.class).createUnmarshaller();
++        } catch (Exception e) {
++            logger.error(e.getMessage(), e);
++        }
++    }
++
++    String archivalMechanism;
++    String recoveryMechanism;
++
++    @XmlElement(name="ArchivalMechanism")
++    public String getArchivalMechanism() {
++        return archivalMechanism;
++    }
++
++    public void setArchivalMechanism(String archivalMechanism) {
++        this.archivalMechanism = archivalMechanism;
++    }
++
++    @XmlElement(name="RecoveryMechanism")
++    public String getRecoveryMechanism() {
++        return recoveryMechanism;
++    }
++
++    public void setRecoveryMechanism(String recoveryMechanism) {
++        this.recoveryMechanism = recoveryMechanism;
++    }
++
++    @Override
++    public int hashCode() {
++        final int prime = 31;
++        int result = super.hashCode();
++        result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode());
++        result = prime * result + ((recoveryMechanism == null) ? 0 : recoveryMechanism.hashCode());
++        return result;
++    }
++
++    @Override
++    public boolean equals(Object obj) {
++        if (this == obj)
++            return true;
++        if (!super.equals(obj))
++            return false;
++        if (getClass() != obj.getClass())
++            return false;
++        KRAInfo other = (KRAInfo) obj;
++        if (archivalMechanism == null) {
++            if (other.archivalMechanism != null)
++                return false;
++        } else if (!archivalMechanism.equals(other.archivalMechanism))
++            return false;
++        if (recoveryMechanism == null) {
++            if (other.recoveryMechanism != null)
++                return false;
++        } else if (!recoveryMechanism.equals(other.recoveryMechanism))
++            return false;
++        return true;
++    }
++
++    public String toString() {
++        try {
++            StringWriter sw = new StringWriter();
++            marshaller.marshal(this, sw);
++            return sw.toString();
++
++        } catch (Exception e) {
++            throw new RuntimeException(e);
++        }
++    }
++
++    public static KRAInfo valueOf(String string) throws Exception {
++        return (KRAInfo)unmarshaller.unmarshal(new StringReader(string));
++    }
++
++    public static void main(String args[]) throws Exception {
++
++        KRAInfo before = new KRAInfo();
++        before.setArchivalMechanism("encrypt");
++        before.setRecoveryMechanism("keywrap");
++
++        String string = before.toString();
++        System.out.println(string);
++
++        KRAInfo after = KRAInfo.valueOf(string);
++        System.out.println(before.equals(after));
++    }
++}
++
+diff --git a/base/common/src/org/dogtagpki/common/KRAInfoClient.java b/base/common/src/org/dogtagpki/common/KRAInfoClient.java
+new file mode 100644
+index 0000000..c998401
+--- /dev/null
++++ b/base/common/src/org/dogtagpki/common/KRAInfoClient.java
+@@ -0,0 +1,48 @@
++//--- BEGIN COPYRIGHT BLOCK ---
++//This program is free software; you can redistribute it and/or modify
++//it under the terms of the GNU General Public License as published by
++//the Free Software Foundation; version 2 of the License.
++//
++//This program is distributed in the hope that it will be useful,
++//but WITHOUT ANY WARRANTY; without even the implied warranty of
++//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++//GNU General Public License for more details.
++//
++//You should have received a copy of the GNU General Public License along
++//with this program; if not, write to the Free Software Foundation, Inc.,
++//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++//(C) 2017 Red Hat, Inc.
++//All rights reserved.
++//--- END COPYRIGHT BLOCK ---
++
++package org.dogtagpki.common;
++
++import java.net.URISyntaxException;
++
++import javax.ws.rs.core.Response;
++
++import com.netscape.certsrv.client.Client;
++import com.netscape.certsrv.client.PKIClient;
++
++/**
++ * @author Ade Lee
++ */
++public class KRAInfoClient extends Client {
++
++    public KRAInfoResource resource;
++
++    public KRAInfoClient(PKIClient client, String subsystem) throws URISyntaxException {
++        super(client, subsystem, "info");
++        init();
++    }
++
++    public void init() throws URISyntaxException {
++        resource = createProxy(KRAInfoResource.class);
++    }
++
++    public KRAInfo getInfo() throws Exception {
++        Response response = resource.getInfo();
++        return client.getEntity(response, KRAInfo.class);
++    }
++}
+diff --git a/base/common/src/org/dogtagpki/common/KRAInfoResource.java b/base/common/src/org/dogtagpki/common/KRAInfoResource.java
+new file mode 100644
+index 0000000..540e3a6
+--- /dev/null
++++ b/base/common/src/org/dogtagpki/common/KRAInfoResource.java
+@@ -0,0 +1,40 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++
++package org.dogtagpki.common;
++
++import javax.ws.rs.GET;
++import javax.ws.rs.Path;
++import javax.ws.rs.core.Response;
++
++import org.jboss.resteasy.annotations.ClientResponseType;
++
++/**
++ * @author Ade Lee
++ */
++@Path("info")
++public interface KRAInfoResource {
++
++    String ENCRYPT_MECHANISM = "encrypt";
++    String KEYWRAP_MECHANISM = "keywrap";
++
++    @GET
++    @ClientResponseType(entityType=KRAInfo.class)
++    public Response getInfo() throws Exception;
++}
++
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java
+index 6244270..a1f58a8 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java
+@@ -10,6 +10,7 @@ import org.dogtagpki.server.rest.AccountService;
+ import org.dogtagpki.server.rest.AuditService;
+ import org.dogtagpki.server.rest.AuthMethodInterceptor;
+ import org.dogtagpki.server.rest.GroupService;
++import org.dogtagpki.server.rest.KRAInfoService;
+ import org.dogtagpki.server.rest.MessageFormatInterceptor;
+ import org.dogtagpki.server.rest.PKIExceptionMapper;
+ import org.dogtagpki.server.rest.SecurityDomainService;
+@@ -67,6 +68,9 @@ public class KRAApplication extends Application {
+         // exception mapper
+         classes.add(PKIExceptionMapper.class);
+ 
++        // info service
++        classes.add(KRAInfoService.class);
++
+         // interceptors
+         singletons.add(new SessionContextInterceptor());
+         singletons.add(new AuthMethodInterceptor());
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
+new file mode 100644
+index 0000000..c4b3252
+--- /dev/null
++++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
+@@ -0,0 +1,67 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++
++package org.dogtagpki.server.rest;
++
++import javax.servlet.http.HttpSession;
++import javax.ws.rs.core.Response;
++
++import org.dogtagpki.common.KRAInfo;
++import org.dogtagpki.common.KRAInfoResource;
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
++
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.cms.servlet.base.PKIService;
++
++/**
++ * @author Ade Lee
++ */
++public class KRAInfoService extends PKIService implements KRAInfoResource {
++
++    private static Logger logger = LoggerFactory.getLogger(InfoService.class);
++
++    @Override
++    public Response getInfo() throws Exception {
++
++        HttpSession session = servletRequest.getSession();
++        logger.debug("KRAInfoService.getInfo(): session: " + session.getId());
++
++        KRAInfo info = new KRAInfo();
++        info.setArchivalMechanism(getArchivalMechanism());
++        info.setRecoveryMechanism(getRecoveryMechanism());
++
++
++        return createOKResponse(info);
++    }
++
++    String getArchivalMechanism() throws EBaseException {
++        IConfigStore cs = CMS.getConfigStore();
++        boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
++        return encrypt_archival ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM;
++    }
++
++    String getRecoveryMechanism() throws EBaseException {
++        IConfigStore cs = CMS.getConfigStore();
++        boolean encrypt_recovery = cs.getBoolean("kra.allowEncDecrypt.recovery", false);
++        return encrypt_recovery ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM;
++    }
++}
++
+-- 
+1.8.3.1
+
+
+From 24d7e952e4f048fcb58dcd1b33009e92afde365d Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Fri, 7 Apr 2017 16:52:31 -0400
+Subject: [PATCH 38/59] Add CAInfo resource
+
+This resource (which will be accessed at /ca/rest/info)
+will initially return the mechanism for archival.
+
+This is needed by clients to know how to package secrets when
+archiving.  We may add the transport cert later.
+
+Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
+---
+ .../dogtagpki/server/ca/rest/CAApplication.java    |   4 +
+ base/common/src/org/dogtagpki/common/CAInfo.java   | 119 +++++++++++++++++++++
+ .../src/org/dogtagpki/common/CAInfoClient.java     |  49 +++++++++
+ .../src/org/dogtagpki/common/CAInfoResource.java   |  37 +++++++
+ .../org/dogtagpki/server/rest/CAInfoService.java   |  64 +++++++++++
+ 5 files changed, 273 insertions(+)
+ create mode 100644 base/common/src/org/dogtagpki/common/CAInfo.java
+ create mode 100644 base/common/src/org/dogtagpki/common/CAInfoClient.java
+ create mode 100644 base/common/src/org/dogtagpki/common/CAInfoResource.java
+ create mode 100644 base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
+
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
+index ae18e02..45881b9 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
+@@ -9,6 +9,7 @@ import org.dogtagpki.server.rest.ACLInterceptor;
+ import org.dogtagpki.server.rest.AccountService;
+ import org.dogtagpki.server.rest.AuditService;
+ import org.dogtagpki.server.rest.AuthMethodInterceptor;
++import org.dogtagpki.server.rest.CAInfoService;
+ import org.dogtagpki.server.rest.FeatureService;
+ import org.dogtagpki.server.rest.GroupService;
+ import org.dogtagpki.server.rest.MessageFormatInterceptor;
+@@ -65,6 +66,9 @@ public class CAApplication extends Application {
+         // features
+         classes.add(FeatureService.class);
+ 
++        // info service
++        classes.add(CAInfoService.class);
++
+         // security domain
+         IConfigStore cs = CMS.getConfigStore();
+ 
+diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java
+new file mode 100644
+index 0000000..89255ed
+--- /dev/null
++++ b/base/common/src/org/dogtagpki/common/CAInfo.java
+@@ -0,0 +1,119 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++
++package org.dogtagpki.common;
++
++import java.io.StringReader;
++import java.io.StringWriter;
++
++import javax.xml.bind.JAXBContext;
++import javax.xml.bind.Marshaller;
++import javax.xml.bind.Unmarshaller;
++import javax.xml.bind.annotation.XmlElement;
++import javax.xml.bind.annotation.XmlRootElement;
++
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
++
++import com.netscape.certsrv.base.ResourceMessage;
++
++/**
++ * @author Ade Lee
++ */
++@XmlRootElement(name="CAInfo")
++public class CAInfo extends ResourceMessage {
++
++    private static Logger logger = LoggerFactory.getLogger(Info.class);
++
++    public static Marshaller marshaller;
++    public static Unmarshaller unmarshaller;
++
++    static {
++        try {
++            marshaller = JAXBContext.newInstance(CAInfo.class).createMarshaller();
++            marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
++            unmarshaller = JAXBContext.newInstance(CAInfo.class).createUnmarshaller();
++        } catch (Exception e) {
++            logger.error(e.getMessage(), e);
++        }
++    }
++
++    String archivalMechanism;
++
++    @XmlElement(name="ArchivalMechanism")
++    public String getArchivalMechanism() {
++        return archivalMechanism;
++    }
++
++    public void setArchivalMechanism(String archivalMechanism) {
++        this.archivalMechanism = archivalMechanism;
++    }
++
++    @Override
++    public int hashCode() {
++        final int prime = 31;
++        int result = super.hashCode();
++        result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode());
++        return result;
++    }
++
++    @Override
++    public boolean equals(Object obj) {
++        if (this == obj)
++            return true;
++        if (!super.equals(obj))
++            return false;
++        if (getClass() != obj.getClass())
++            return false;
++        CAInfo other = (CAInfo) obj;
++        if (archivalMechanism == null) {
++            if (other.archivalMechanism != null)
++                return false;
++        } else if (!archivalMechanism.equals(other.archivalMechanism))
++            return false;
++        return true;
++    }
++
++    public String toString() {
++        try {
++            StringWriter sw = new StringWriter();
++            marshaller.marshal(this, sw);
++            return sw.toString();
++
++        } catch (Exception e) {
++            throw new RuntimeException(e);
++        }
++    }
++
++    public static CAInfo valueOf(String string) throws Exception {
++        return (CAInfo)unmarshaller.unmarshal(new StringReader(string));
++    }
++
++    public static void main(String args[]) throws Exception {
++
++        CAInfo before = new CAInfo();
++        before.setArchivalMechanism("encrypt");
++
++        String string = before.toString();
++        System.out.println(string);
++
++        CAInfo after = CAInfo.valueOf(string);
++        System.out.println(before.equals(after));
++    }
++}
++
+diff --git a/base/common/src/org/dogtagpki/common/CAInfoClient.java b/base/common/src/org/dogtagpki/common/CAInfoClient.java
+new file mode 100644
+index 0000000..859c829
+--- /dev/null
++++ b/base/common/src/org/dogtagpki/common/CAInfoClient.java
+@@ -0,0 +1,49 @@
++//--- BEGIN COPYRIGHT BLOCK ---
++//This program is free software; you can redistribute it and/or modify
++//it under the terms of the GNU General Public License as published by
++//the Free Software Foundation; version 2 of the License.
++//
++//This program is distributed in the hope that it will be useful,
++//but WITHOUT ANY WARRANTY; without even the implied warranty of
++//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++//GNU General Public License for more details.
++//
++//You should have received a copy of the GNU General Public License along
++//with this program; if not, write to the Free Software Foundation, Inc.,
++//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++//(C) 2017 Red Hat, Inc.
++//All rights reserved.
++//--- END COPYRIGHT BLOCK ---
++
++package org.dogtagpki.common;
++
++import java.net.URISyntaxException;
++
++import javax.ws.rs.core.Response;
++
++import com.netscape.certsrv.client.Client;
++import com.netscape.certsrv.client.PKIClient;
++
++/**
++ * @author Ade Lee
++ */
++public class CAInfoClient extends Client {
++
++    public CAInfoResource resource;
++
++    public CAInfoClient(PKIClient client, String subsystem) throws URISyntaxException {
++        super(client, subsystem, "info");
++        init();
++    }
++
++    public void init() throws URISyntaxException {
++        resource = createProxy(CAInfoResource.class);
++    }
++
++    public CAInfo getInfo() throws Exception {
++        Response response = resource.getInfo();
++        return client.getEntity(response, CAInfo.class);
++    }
++}
++
+diff --git a/base/common/src/org/dogtagpki/common/CAInfoResource.java b/base/common/src/org/dogtagpki/common/CAInfoResource.java
+new file mode 100644
+index 0000000..6c18cd5
+--- /dev/null
++++ b/base/common/src/org/dogtagpki/common/CAInfoResource.java
+@@ -0,0 +1,37 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++
++package org.dogtagpki.common;
++
++import javax.ws.rs.GET;
++import javax.ws.rs.Path;
++import javax.ws.rs.core.Response;
++
++import org.jboss.resteasy.annotations.ClientResponseType;
++
++/**
++ * @author Ade Lee
++ */
++@Path("info")
++public interface CAInfoResource {
++
++    @GET
++    @ClientResponseType(entityType=CAInfo.class)
++    public Response getInfo() throws Exception;
++}
++
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
+new file mode 100644
+index 0000000..975ad61
+--- /dev/null
++++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
+@@ -0,0 +1,64 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++
++package org.dogtagpki.server.rest;
++
++import javax.servlet.http.HttpSession;
++import javax.ws.rs.core.Response;
++
++import org.dogtagpki.common.CAInfo;
++import org.dogtagpki.common.CAInfoResource;
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
++
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.cms.servlet.base.PKIService;
++
++/**
++ * @author Ade Lee
++ */
++public class CAInfoService extends PKIService implements CAInfoResource {
++
++    private static Logger logger = LoggerFactory.getLogger(InfoService.class);
++
++    @Override
++    public Response getInfo() throws Exception {
++
++        HttpSession session = servletRequest.getSession();
++        logger.debug("CAInfoService.getInfo(): session: " + session.getId());
++
++        CAInfo info = new CAInfo();
++        String archivalMechanism = getArchivalMechanism();
++
++        if (archivalMechanism != null)
++            info.setArchivalMechanism(getArchivalMechanism());
++
++        return createOKResponse(info);
++    }
++
++    String getArchivalMechanism() throws EBaseException {
++        IConfigStore cs = CMS.getConfigStore();
++        boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false);
++        if (!kra_present) return null;
++
++        boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
++        return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM;
++    }
++}
+-- 
+1.8.3.1
+
+
+From 2a73c978784d58b11375aa724cbd2c04607eafc1 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 12 Apr 2017 01:51:40 +0200
+Subject: [PATCH 40/59] Added audit event constants for SSL session.
+
+Change-Id: I73b3a69ffc289ad6bf89eebaa2d95237df25551f
+---
+ .../src/com/netscape/certsrv/logging/AuditEvent.java       | 14 ++++++++++----
+ base/server/cms/src/com/netscape/cms/logging/LogFile.java  |  4 +---
+ .../src/org/dogtagpki/server/PKIServerSocketListener.java  |  9 +++++----
+ 3 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 8ae5cd6..b409a12 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,10 +35,17 @@ import com.netscape.certsrv.base.MessageFormatter;
+  */
+ public class AuditEvent implements IBundleLogEvent {
+ 
+-    /**
+-     *
+-     */
++    public final static String ACCESS_SESSION_ESTABLISH_FAILURE =
++            "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE";
++    public final static String ACCESS_SESSION_ESTABLISH_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS";
++    public final static String ACCESS_SESSION_TERMINATED =
++            "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED";
++    public final static String AUDIT_LOG_SIGNING =
++            "LOGGING_SIGNED_AUDIT_SIGNING_3";
++
+     private static final long serialVersionUID = -844306657733902324L;
++    private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6";
+ 
+     protected Object mParams[] = null;
+ 
+@@ -54,7 +61,6 @@ public class AuditEvent implements IBundleLogEvent {
+      * The bundle name for this event.
+      */
+     private String mBundleName = LogResources.class.getName();
+-    private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6";
+ 
+     /**
+      * Constructs a message event
+diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+index 9d19edd..fdf3f83 100644
+--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
++++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+@@ -104,8 +104,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
+ 
+     private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP =
+                                "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2";
+-    private final static String LOGGING_SIGNED_AUDIT_SIGNING =
+-                               "LOGGING_SIGNED_AUDIT_SIGNING_3";
+     private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN =
+                                "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2";
+     private final static String LOG_SIGNED_AUDIT_EXCEPTION =
+@@ -723,7 +721,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
+         // so as to avoid infinite recursiveness of calling
+         // the log() method
+         String auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_SIGNING,
++                AuditEvent.AUDIT_LOG_SIGNING,
+                 ILogger.SYSTEM_UID,
+                 ILogger.SUCCESS,
+                 base64Encode(sigBytes));
+diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+index adba676..7016bc8 100644
+--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
++++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+@@ -33,6 +33,7 @@ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+ 
+ import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.IAuditor;
+ 
+ public class PKIServerSocketListener implements SSLSocketListener {
+@@ -66,7 +67,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
+             IAuditor auditor = CMS.getAuditor();
+ 
+             String auditMessage = CMS.getLogMessage(
+-                    "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
++                    AuditEvent.ACCESS_SESSION_TERMINATED,
+                     clientIP,
+                     serverIP,
+                     subjectID,
+@@ -108,7 +109,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
+             if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) {
+ 
+                 String auditMessage = CMS.getLogMessage(
+-                        "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
++                        AuditEvent.ACCESS_SESSION_TERMINATED,
+                         clientIP,
+                         serverIP,
+                         subjectID,
+@@ -119,7 +120,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
+             } else {
+ 
+                 String auditMessage = CMS.getLogMessage(
+-                        "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE",
++                        AuditEvent.ACCESS_SESSION_ESTABLISH_FAILURE,
+                         clientIP,
+                         serverIP,
+                         subjectID,
+@@ -157,7 +158,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
+             IAuditor auditor = CMS.getAuditor();
+ 
+             String auditMessage = CMS.getLogMessage(
+-                    "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS",
++                    AuditEvent.ACCESS_SESSION_ESTABLISH_SUCCESS,
+                     clientIP,
+                     serverIP,
+                     subjectID);
+-- 
+1.8.3.1
+
+
+From e22d0e99aa33bccc3e4041f5ed501fedf0dcae49 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 12 Apr 2017 02:28:31 +0200
+Subject: [PATCH 41/59] Added audit event constants for TPS.
+
+Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
+---
+ .../dogtagpki/server/ca/rest/AuthorityService.java |  7 +--
+ .../com/netscape/certsrv/logging/AuditEvent.java   | 51 ++++++++++++++++++++++
+ .../cms/servlet/base/SubsystemService.java         |  3 +-
+ .../server/tps/processor/TPSEnrollProcessor.java   | 15 +++++-----
+ .../server/tps/processor/TPSPinResetProcessor.java |  5 ++-
+ .../server/tps/processor/TPSProcessor.java         | 23 ++++++------
+ .../server/tps/rest/AuthenticatorService.java      |  3 +-
+ .../server/tps/rest/ConnectorService.java          |  3 +-
+ .../server/tps/rest/ProfileMappingService.java     |  3 +-
+ .../dogtagpki/server/tps/rest/ProfileService.java  |  3 +-
+ .../dogtagpki/server/tps/rest/TokenService.java    |  5 ++-
+ 11 files changed, 86 insertions(+), 35 deletions(-)
+
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+index 215d0fa..7ba9596 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+@@ -55,6 +55,7 @@ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.ca.IssuerUnavailableException;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.cms.servlet.base.SubsystemService;
+ import com.netscape.cmsutil.util.Utils;
+@@ -70,10 +71,6 @@ public class AuthorityService extends SubsystemService implements AuthorityResou
+         hostCA = (ICertificateAuthority) CMS.getSubsystem("ca");
+     }
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG =
+-            "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3";
+-
+-
+     @Override
+     public Response listCAs() {
+         List<AuthorityData> results = new ArrayList<>();
+@@ -373,7 +370,7 @@ public class AuthorityService extends SubsystemService implements AuthorityResou
+             String status, String op, String id,
+             Map<String, String> params) {
+         String msg = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG,
++                AuditEvent.AUTHORITY_CONFIG,
+                 auditor.getSubjectID(),
+                 status,
+                 auditor.getParamString(ScopeDef.SC_AUTHORITY, op, id, params));
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index b409a12..abe16b6 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,57 @@ import com.netscape.certsrv.base.MessageFormatter;
+  */
+ public class AuditEvent implements IBundleLogEvent {
+ 
++    public final static String TOKEN_CERT_ENROLLMENT =
++            "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
++    public final static String TOKEN_CERT_RENEWAL =
++            "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9";
++    public final static String TOKEN_CERT_RETRIEVAL =
++            "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9";
++    public final static String TOKEN_KEY_RECOVERY =
++            "LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10";
++    public final static String TOKEN_CERT_STATUS_CHANGE_REQUEST =
++            "LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10";
++    public final static String TOKEN_PIN_RESET_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6";
++    public final static String TOKEN_PIN_RESET_FAILURE =
++            "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6";
++    public final static String TOKEN_OP_REQUEST =
++            "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6";
++    public final static String TOKEN_FORMAT_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9";
++    public final static String TOKEN_FORMAT_FAILURE =
++            "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
++    public final static String TOKEN_APPLET_UPGRADE_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9";
++    public final static String TOKEN_APPLET_UPGRADE_FAILURE =
++            "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9";
++    public final static String TOKEN_KEY_CHANGEOVER_REQUIRED =
++            "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
++    public final static String TOKEN_KEY_CHANGEOVER_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10";
++    public final static String TOKEN_KEY_CHANGEOVER_FAILURE =
++            "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10";
++    public final static String TOKEN_AUTH_FAILURE =
++            "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9";
++    public final static String TOKEN_AUTH_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9";
++    public final static String CONFIG_TOKEN_GENERAL =
++            "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5";
++    public final static String CONFIG_TOKEN_PROFILE =
++            "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6";
++    public final static String CONFIG_TOKEN_MAPPING_RESOLVER =
++            "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6";
++    public final static String CONFIG_TOKEN_AUTHENTICATOR =
++            "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6";
++    public final static String CONFIG_TOKEN_CONNECTOR =
++            "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6";
++    public final static String CONFIG_TOKEN_RECORD =
++            "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6";
++    public final static String TOKEN_STATE_CHANGE =
++            "LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8";
++    public final static String AUTHORITY_CONFIG =
++            "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3";
++
+     public final static String ACCESS_SESSION_ESTABLISH_FAILURE =
+             "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE";
+     public final static String ACCESS_SESSION_ESTABLISH_SUCCESS =
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
+index 48c985c..30d6b9c 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
+@@ -28,6 +28,7 @@ import javax.ws.rs.core.HttpHeaders;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.authorization.IAuthzSubsystem;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.IAuditor;
+ import com.netscape.certsrv.logging.ILogger;
+ 
+@@ -94,7 +95,7 @@ public class SubsystemService extends PKIService {
+     public void auditConfigTokenGeneral(String status, String service, Map<String, String> params, String info) {
+ 
+         String msg = CMS.getLogMessage(
+-                "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5",
++                AuditEvent.CONFIG_TOKEN_GENERAL,
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+                 service,
+diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+index 672f53d..118bf50 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+@@ -15,12 +15,6 @@ import java.util.Map;
+ import java.util.Random;
+ import java.util.zip.DataFormatException;
+ 
+-import netscape.security.provider.RSAPublicKey;
+-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+-import netscape.security.util.BigInt;
+-import netscape.security.x509.RevocationReason;
+-import netscape.security.x509.X509CertImpl;
+-
+ import org.dogtagpki.server.tps.TPSSession;
+ import org.dogtagpki.server.tps.TPSSubsystem;
+ import org.dogtagpki.server.tps.TPSTokenPolicy;
+@@ -59,20 +60,21 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
+ import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
+ import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.EPropertyNotFound;
+ import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.tps.token.TokenStatus;
+ import com.netscape.cmsutil.util.Utils;
+ 
+ import netscape.security.provider.RSAPublicKey;
+ //import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+ import netscape.security.util.BigInt;
+ import netscape.security.x509.RevocationReason;
+ import netscape.security.x509.X509CertImpl;
+ import sun.security.pkcs11.wrapper.PKCS11Constants;
+ 
+ public class TPSEnrollProcessor extends TPSProcessor {
+ 
+     public TPSEnrollProcessor(TPSSession session) {
+@@ -3688,13 +3688,13 @@ public class TPSEnrollProcessor extends TPSProcessor {
+         String auditType = "";
+         switch (op) {
+         case "retrieval":
+-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9";
++            auditType = AuditEvent.TOKEN_CERT_RETRIEVAL;
+             break;
+         case "renewal":
+-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9";
++            auditType = AuditEvent.TOKEN_CERT_RENEWAL;
+             break;
+         default:
+-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
++            auditType = AuditEvent.TOKEN_CERT_ENROLLMENT;
+         }
+ 
+         String auditMessage = CMS.getLogMessage(
+@@ -3724,7 +3724,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
+             serialNum = serial.toString();
+ 
+         String auditMessage = CMS.getLogMessage(
+-                "LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10",
++                AuditEvent.TOKEN_KEY_RECOVERY,
+                 (session != null) ? session.getIpAddress() : null,
+                 subjectID,
+                 aInfo.getCUIDhexStringPlain(),
+diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+index fe3f801..b309657 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+@@ -33,6 +33,7 @@ import org.dogtagpki.tps.msg.BeginOpMsg;
+ import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus;
+ 
+ import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.tps.token.TokenStatus;
+ 
+ public class TPSPinResetProcessor extends TPSProcessor {
+@@ -197,10 +198,10 @@ public class TPSPinResetProcessor extends TPSProcessor {
+         String auditType = "";
+         switch (status) {
+         case "success":
+-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6";
++            auditType = AuditEvent.TOKEN_PIN_RESET_SUCCESS;
+             break;
+         default:
+-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6";
++            auditType = AuditEvent.TOKEN_PIN_RESET_FAILURE;
+         }
+ 
+         String auditMessage = CMS.getLogMessage(
+diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+index 7d17f36..910a263 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+@@ -93,14 +93,15 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.EPropertyNotFound;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.common.Constants;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.tps.token.TokenStatus;
+ import com.netscape.cms.servlet.tks.SecureChannelProtocol;
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+ import com.netscape.symkey.SessionKey;
+ 
+ import netscape.security.x509.RevocationReason;
+ 
+ public class TPSProcessor {
+ 
+     public static final int RESULT_NO_ERROR = 0;
+@@ -4054,9 +4055,9 @@ public class TPSProcessor {
+             String status,
+             String authMgrId) {
+ 
+-        String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9";
++        String auditType = AuditEvent.TOKEN_AUTH_FAILURE;
+         if (status.equals("success"))
+-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9";
++            auditType = AuditEvent.TOKEN_AUTH_SUCCESS;
+ 
+         String auditMessage = CMS.getLogMessage(
+                 auditType,
+@@ -4078,7 +4079,7 @@ public class TPSProcessor {
+     protected void auditOpRequest(String op, AppletInfo aInfo,
+             String status,
+             String info) {
+-        String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6";
++        String auditType = AuditEvent.TOKEN_OP_REQUEST;
+ 
+         String auditMessage = CMS.getLogMessage(
+                 auditType,
+@@ -4100,10 +4101,10 @@ public class TPSProcessor {
+         String auditType = "";
+         switch (status) {
+         case "success":
+-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9";
++            auditType = AuditEvent.TOKEN_FORMAT_SUCCESS;
+             break;
+         default:
+-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
++            auditType = AuditEvent.TOKEN_FORMAT_FAILURE;
+         }
+ 
+         String auditMessage = CMS.getLogMessage(
+@@ -4129,10 +4130,10 @@ public class TPSProcessor {
+         String auditType = "";
+         switch (status) {
+         case "success":
+-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9";
++            auditType = AuditEvent.TOKEN_APPLET_UPGRADE_SUCCESS;
+             break;
+         default:
+-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9";
++            auditType = AuditEvent.TOKEN_APPLET_UPGRADE_FAILURE;
+         }
+ 
+         String auditMessage = CMS.getLogMessage(
+@@ -4154,7 +4155,7 @@ public class TPSProcessor {
+             String newKeyVersion,
+             String info) {
+ 
+-        String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
++        String auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_REQUIRED;
+ 
+         String auditMessage = CMS.getLogMessage(
+                 auditType,
+@@ -4180,10 +4181,10 @@ public class TPSProcessor {
+         String auditType = "";
+         switch (status) {
+         case "success":
+-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10";
++            auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_SUCCESS;
+             break;
+         default:
+-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10";
++            auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_FAILURE;
+         }
+ 
+         String auditMessage = CMS.getLogMessage(
+@@ -4212,7 +4213,7 @@ public class TPSProcessor {
+             String caConnId,
+             String info) {
+ 
+-        String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10";
++        String auditType = AuditEvent.TOKEN_CERT_STATUS_CHANGE_REQUEST;
+         /*
+          * requestType is "revoke", "on-hold", or "off-hold"
+          */
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
+index 50453ee..6efe4cb 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
+@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException;
+ import com.netscape.certsrv.base.ForbiddenException;
+ import com.netscape.certsrv.base.PKIException;
+ import com.netscape.certsrv.common.Constants;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.tps.authenticator.AuthenticatorCollection;
+ import com.netscape.certsrv.tps.authenticator.AuthenticatorData;
+@@ -474,7 +475,7 @@ public class AuthenticatorService extends SubsystemService implements Authentica
+             Map<String, String> params, String info) {
+ 
+         String msg = CMS.getLogMessage(
+-                "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6",
++                AuditEvent.CONFIG_TOKEN_AUTHENTICATOR,
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+                 service,
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
+index 01bc132..3e1e5df 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
+@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException;
+ import com.netscape.certsrv.base.ForbiddenException;
+ import com.netscape.certsrv.base.PKIException;
+ import com.netscape.certsrv.common.Constants;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.tps.connector.ConnectorCollection;
+ import com.netscape.certsrv.tps.connector.ConnectorData;
+@@ -471,7 +472,7 @@ public class ConnectorService extends SubsystemService implements ConnectorResou
+             String info) {
+ 
+         String msg = CMS.getLogMessage(
+-                "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6",
++                AuditEvent.CONFIG_TOKEN_CONNECTOR,
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+                 service,
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
+index 2c070c0..9bbb616 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
+@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException;
+ import com.netscape.certsrv.base.ForbiddenException;
+ import com.netscape.certsrv.base.PKIException;
+ import com.netscape.certsrv.common.Constants;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.tps.profile.ProfileMappingCollection;
+ import com.netscape.certsrv.tps.profile.ProfileMappingData;
+@@ -448,7 +449,7 @@ public class ProfileMappingService extends SubsystemService implements ProfileMa
+     public void auditMappingResolverChange(String status, String service, String resolverID, Map<String, String> params,
+             String info) {
+         String msg = CMS.getLogMessage(
+-                "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6",
++                AuditEvent.CONFIG_TOKEN_MAPPING_RESOLVER,
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+                 service,
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
+index 8058caf..43e14be 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
+@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException;
+ import com.netscape.certsrv.base.ForbiddenException;
+ import com.netscape.certsrv.base.PKIException;
+ import com.netscape.certsrv.common.Constants;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.tps.profile.ProfileCollection;
+ import com.netscape.certsrv.tps.profile.ProfileData;
+@@ -470,7 +471,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
+             String info) {
+ 
+         String msg = CMS.getLogMessage(
+-                "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6",
++                AuditEvent.CONFIG_TOKEN_PROFILE,
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+                 service,
+diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+index f3d0d80..73d0a64 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
++++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+@@ -44,6 +44,7 @@ import com.netscape.certsrv.base.PKIException;
+ import com.netscape.certsrv.dbs.EDBException;
+ import com.netscape.certsrv.dbs.IDBVirtualList;
+ import com.netscape.certsrv.ldap.LDAPExceptionConverter;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.tps.token.TokenCollection;
+ import com.netscape.certsrv.tps.token.TokenData;
+@@ -814,7 +815,7 @@ public class TokenService extends SubsystemService implements TokenResource {
+             String info) {
+ 
+         String msg = CMS.getLogMessage(
+-                "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6",
++                AuditEvent.CONFIG_TOKEN_RECORD,
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+                 service,
+@@ -832,7 +833,7 @@ public class TokenService extends SubsystemService implements TokenResource {
+             String newReason, Map<String, String> params, String info) {
+ 
+         String msg = CMS.getLogMessage(
+-                "LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8",
++                AuditEvent.TOKEN_STATE_CHANGE,
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+                 oldState.toString(),
+-- 
+1.8.3.1
+
+
+From d2838897eb2ef43f538a1c57e6195292237aa28c Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 12 Apr 2017 02:46:49 +0200
+Subject: [PATCH 42/59] Reorganized audit event constants for KRA.
+
+Change-Id: Ic4a79b0c73812c7b89daca3c804e6a88c738536a
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   | 28 ++++++++++++++++++++++
+ .../src/com/netscape/kra/AsymKeyGenService.java    |  5 ++--
+ .../com/netscape/kra/SecurityDataProcessor.java    | 12 +++-------
+ .../kra/src/com/netscape/kra/SymKeyGenService.java |  6 ++---
+ .../server/kra/rest/KeyRequestService.java         | 26 +++++---------------
+ .../org/dogtagpki/server/kra/rest/KeyService.java  | 10 +++-----
+ .../servlet/csadmin/SecurityDomainProcessor.java   |  8 +++----
+ .../cms/servlet/csadmin/UpdateDomainXML.java       |  7 +++---
+ .../cms/servlet/csadmin/UpdateNumberRange.java     |  9 ++++---
+ .../com/netscape/cmscore/session/SessionTimer.java |  6 ++---
+ 10 files changed, 56 insertions(+), 61 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index abe16b6..dc632c3 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,34 @@ import com.netscape.certsrv.base.MessageFormatter;
+  */
+ public class AuditEvent implements IBundleLogEvent {
+ 
++    public final static String SECURITY_DOMAIN_UPDATE =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
++    public final static String CONFIG_SERIAL_NUMBER =
++            "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1";
++
++    public final static String SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6";
++    public static final String SECURITY_DATA_ARCHIVAL_REQUEST =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4";
++    public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5";
++    public static final String SECURITY_DATA_RECOVERY_REQUEST =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4";
++    public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4";
++    public final static String SECURITY_DATA_RETRIEVE_KEY =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5";
++    public final static String KEY_STATUS_CHANGE =
++            "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6";
++    public final static String SYMKEY_GENERATION_REQUEST_PROCESSED =
++            "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6";
++    public static final String SYMKEY_GENERATION_REQUEST =
++            "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4";
++    public static final String ASYMKEY_GENERATION_REQUEST =
++            "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4";
++    public final static String ASYMKEY_GENERATION_REQUEST_PROCESSED =
++            "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6";
++
+     public final static String TOKEN_CERT_ENROLLMENT =
+             "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
+     public final static String TOKEN_CERT_RENEWAL =
+diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+index a731fb1..75e340c 100644
+--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+@@ -35,6 +35,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+ import com.netscape.certsrv.key.AsymKeyGenerationRequest;
+ import com.netscape.certsrv.key.KeyRequestResource;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+@@ -63,8 +64,6 @@ public class AsymKeyGenService implements IService {
+     private IKeyRecoveryAuthority kra = null;
+     private IStorageKeyUnit storageUnit = null;
+     private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
+-    private final static String LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6";
+ 
+     public AsymKeyGenService(IKeyRecoveryAuthority kra) {
+         this.kra = kra;
+@@ -233,7 +232,7 @@ public class AsymKeyGenService implements IService {
+             String clientKeyID,
+             String keyID, String reason) {
+         String auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED,
++                AuditEvent.ASYMKEY_GENERATION_REQUEST_PROCESSED,
+                 subjectID,
+                 status,
+                 requestID.toString(),
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index 3475eae..78d64c5 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -38,6 +38,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+ import com.netscape.certsrv.key.KeyRequestResource;
+ import com.netscape.certsrv.kra.EKRAException;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.request.IRequest;
+@@ -65,13 +66,6 @@ public class SecurityDataProcessor {
+     private static boolean allowEncDecrypt_archival = false;
+     private static boolean allowEncDecrypt_recovery = false;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6";
+-
+-    private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5";
+-
+-
+     public SecurityDataProcessor(IKeyRecoveryAuthority kra) {
+         this.kra = kra;
+         transportUnit = kra.getTransportKeyUnit();
+@@ -779,7 +773,7 @@ public class SecurityDataProcessor {
+     private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
+             String keyID, String reason) {
+         String auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,
++                AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,
+                 subjectID,
+                 status,
+                 requestID.toString(),
+@@ -791,7 +785,7 @@ public class SecurityDataProcessor {
+     private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
+             String keyID, String reason) {
+         String auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,
++                AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,
+                 subjectID,
+                 status,
+                 requestID.toString(),
+diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+index 9c50eb3..f700a79 100644
+--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+@@ -34,6 +34,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+ import com.netscape.certsrv.key.KeyRequestResource;
+ import com.netscape.certsrv.key.SymKeyGenerationRequest;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+@@ -60,9 +61,6 @@ public class SymKeyGenService implements IService {
+     private IStorageKeyUnit mStorageUnit = null;
+     private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6";
+-
+     public SymKeyGenService(IKeyRecoveryAuthority kra) {
+         mKRA = kra;
+         mStorageUnit = kra.getStorageKeyUnit();
+@@ -252,7 +250,7 @@ public class SymKeyGenService implements IService {
+     private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
+             String keyID, String reason) {
+         String auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED,
++                AuditEvent.SYMKEY_GENERATION_REQUEST_PROCESSED,
+                 subjectID,
+                 status,
+                 requestID.toString(),
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+index e0c4ca9..38f7e93 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+@@ -48,6 +48,7 @@ import com.netscape.certsrv.key.KeyRequestInfoCollection;
+ import com.netscape.certsrv.key.KeyRequestResource;
+ import com.netscape.certsrv.key.KeyRequestResponse;
+ import com.netscape.certsrv.key.SymKeyGenerationRequest;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.request.RequestNotFoundException;
+@@ -62,21 +63,6 @@ import com.netscape.cmsutil.ldap.LDAPUtil;
+  */
+ public class KeyRequestService extends SubsystemService implements KeyRequestResource {
+ 
+-    private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4";
+-
+-    private static final String LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4";
+-
+-    private static final String LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4";
+-
+-    private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4";
+-
+-    private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4";
+-
+     public static final int DEFAULT_START = 0;
+     public static final int DEFAULT_PAGESIZE = 20;
+     public static final int DEFAULT_MAXRESULTS = 100;
+@@ -349,7 +335,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
+ 
+     public void auditRecoveryRequestChange(RequestId requestId, String status, String operation) {
+         String msg = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,
++                AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,
+                 getRequestor(),
+                 status,
+                 requestId.toString(),
+@@ -359,7 +345,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
+ 
+     public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) {
+         String msg = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST,
++                AuditEvent.SECURITY_DATA_RECOVERY_REQUEST,
+                 getRequestor(),
+                 status,
+                 requestId != null? requestId.toString(): "null",
+@@ -369,7 +355,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
+ 
+     public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) {
+         String msg = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST,
++                AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST,
+                 getRequestor(),
+                 status,
+                 requestId != null? requestId.toString(): "null",
+@@ -379,7 +365,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
+ 
+     public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) {
+         String msg = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST,
++                AuditEvent.SYMKEY_GENERATION_REQUEST,
+                 getRequestor(),
+                 status,
+                 requestId != null ? requestId.toString() : "null",
+@@ -389,7 +375,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
+ 
+     public void auditAsymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) {
+         String msg = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST,
++                AuditEvent.ASYMKEY_GENERATION_REQUEST,
+                 getRequestor(),
+                 status,
+                 requestId != null ? requestId.toString() : "null",
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+index e15b263..7a21971 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+@@ -60,6 +60,7 @@ import com.netscape.certsrv.key.KeyRecoveryRequest;
+ import com.netscape.certsrv.key.KeyResource;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.kra.IKeyService;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+@@ -77,11 +78,6 @@ import com.netscape.cmsutil.util.Utils;
+  */
+ public class KeyService extends SubsystemService implements KeyResource {
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5";
+-    private final static String LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE =
+-            "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6";
+-
+     public static final int DEFAULT_MAXRESULTS = 100;
+     public static final int DEFAULT_MAXTIME = 10;
+     public static final String ATTR_SERIALNO = "serialNumber";
+@@ -606,7 +602,7 @@ public class KeyService extends SubsystemService implements KeyResource {
+ 
+     public void auditRetrieveKey(String status, String reason) {
+         String msg = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY,
++                AuditEvent.SECURITY_DATA_RETRIEVE_KEY,
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+                 requestId != null ? requestId.toString(): "null",
+@@ -628,7 +624,7 @@ public class KeyService extends SubsystemService implements KeyResource {
+     public void auditKeyStatusChange(String status, String keyID, String oldKeyStatus,
+             String newKeyStatus, String info) {
+         String msg = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE,
++                AuditEvent.KEY_STATUS_CHANGE,
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+                 keyID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+index 3a2b694..69e76fc 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+@@ -43,6 +43,7 @@ import com.netscape.certsrv.base.ISecurityDomainSessionTable;
+ import com.netscape.certsrv.base.PKIException;
+ import com.netscape.certsrv.base.UnauthorizedException;
+ import com.netscape.certsrv.ldap.ILdapConnFactory;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.system.DomainInfo;
+ import com.netscape.certsrv.system.InstallToken;
+@@ -64,9 +65,6 @@ import netscape.ldap.LDAPSearchResults;
+  */
+ public class SecurityDomainProcessor extends CAProcessor {
+ 
+-    public final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
+-
+     public final static String[] TYPES = { "CA", "KRA", "OCSP", "TKS", "RA", "TPS" };
+ 
+     Random random = new Random();
+@@ -128,7 +126,7 @@ public class SecurityDomainProcessor extends CAProcessor {
+ 
+         if (status == ISecurityDomainSessionTable.SUCCESS) {
+             message = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
++                               AuditEvent.SECURITY_DOMAIN_UPDATE,
+                                user,
+                                ILogger.SUCCESS,
+                                auditParams);
+@@ -136,7 +134,7 @@ public class SecurityDomainProcessor extends CAProcessor {
+ 
+         } else {
+             message = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
++                               AuditEvent.SECURITY_DOMAIN_UPDATE,
+                                user,
+                                ILogger.FAILURE,
+                                auditParams);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+index 1a23823..bed4357 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+@@ -47,6 +47,7 @@ import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.ldap.ILdapConnFactory;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.base.UserInfo;
+@@ -62,8 +63,6 @@ public class UpdateDomainXML extends CMSServlet {
+     private static final long serialVersionUID = 4059169588555717548L;
+     private final static String SUCCESS = "0";
+     private final static String FAILED = "1";
+-    private final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
+     private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
+             "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
+ 
+@@ -501,14 +500,14 @@ public class UpdateDomainXML extends CMSServlet {
+ 
+         if (status.equals(SUCCESS)) {
+             auditMessage = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
++                               AuditEvent.SECURITY_DOMAIN_UPDATE,
+                                auditSubjectID,
+                                ILogger.SUCCESS,
+                                auditParams);
+         } else {
+             // what if already exists or already deleted
+             auditMessage = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
++                               AuditEvent.SECURITY_DOMAIN_UPDATE,
+                                auditSubjectID,
+                                ILogger.FAILURE,
+                                auditParams);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
+index e068bd4..2586da2 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
+@@ -37,6 +37,7 @@ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.dbs.repository.IRepository;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.base.UserInfo;
+@@ -52,8 +53,6 @@ public class UpdateNumberRange extends CMSServlet {
+     private static final long serialVersionUID = -1584171713024263331L;
+     private final static String SUCCESS = "0";
+     private final static String AUTH_FAILURE = "2";
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1";
+ 
+     public UpdateNumberRange() {
+         super();
+@@ -208,7 +207,7 @@ public class UpdateNumberRange extends CMSServlet {
+                 CMS.debug("UpdateNumberRange::process() - " +
+                            "beginNum is null!");
+                 auditMessage = CMS.getLogMessage(
+-                                   LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
++                                   AuditEvent.CONFIG_SERIAL_NUMBER,
+                                    auditSubjectID,
+                                    ILogger.FAILURE,
+                                    auditParams);
+@@ -240,7 +239,7 @@ public class UpdateNumberRange extends CMSServlet {
+                           "+endNumber;;" + endNum.toString(radix);
+ 
+             auditMessage = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
++                               AuditEvent.CONFIG_SERIAL_NUMBER,
+                                auditSubjectID,
+                                ILogger.SUCCESS,
+                                auditParams);
+@@ -251,7 +250,7 @@ public class UpdateNumberRange extends CMSServlet {
+             CMS.debug(e);
+ 
+             auditMessage = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
++                               AuditEvent.CONFIG_SERIAL_NUMBER,
+                                auditSubjectID,
+                                ILogger.FAILURE,
+                                auditParams);
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java b/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java
+index 0f79fc4..c6db131 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java
+@@ -23,14 +23,12 @@ import java.util.TimerTask;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.ISecurityDomainSessionTable;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ 
+ public class SessionTimer extends TimerTask {
+     private ISecurityDomainSessionTable m_sessiontable = null;
+     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+-    private final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
+-
+     public SessionTimer(ISecurityDomainSessionTable table) {
+         super();
+         m_sessiontable = table;
+@@ -61,7 +59,7 @@ public class SessionTimer extends TimerTask {
+                 // audit message
+                 String auditParams = "operation;;expire_token+token;;" + sessionId;
+                 String auditMessage = CMS.getLogMessage(
+-                                         LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
++                                         AuditEvent.SECURITY_DOMAIN_UPDATE,
+                                          "system",
+                                          ILogger.SUCCESS,
+                                          auditParams);
+-- 
+1.8.3.1
+
+
+From f0eedf609ef2042915556738dafba0fa9d8da6cc Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 12 Apr 2017 03:11:51 +0200
+Subject: [PATCH 43/59] Reorganized audit event constants for TKS.
+
+Change-Id: I7fee37c8369945c6aedae78bd56063bc4488c0f7
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   | 25 ++++++++
+ .../com/netscape/cms/servlet/tks/TokenServlet.java | 73 ++++++----------------
+ 2 files changed, 44 insertions(+), 54 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index dc632c3..8abb9a5 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,31 @@ import com.netscape.certsrv.base.MessageFormatter;
+  */
+ public class AuditEvent implements IBundleLogEvent {
+ 
++    public final static String COMPUTE_RANDOM_DATA_REQUEST =
++            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
++    public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3";
++    public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE =
++            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4";
++    public final static String COMPUTE_SESSION_KEY_REQUEST =
++            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
++    public final static String COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
++    public final static String COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE =
++            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
++    public final static String DIVERSIFY_KEY_REQUEST =
++            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
++    public final static String DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
++    public final static String DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE =
++            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
++    public final static String ENCRYPT_DATA_REQUEST =
++            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
++    public final static String ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_12";
++    public final static String ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE =
++            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_13";
++
+     public final static String SECURITY_DOMAIN_UPDATE =
+             "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
+     public final static String CONFIG_SERIAL_NUMBER =
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
+index 6a17466..3915b73 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
+@@ -47,6 +47,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.IPrettyPrintFormat;
+ import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.common.CMSRequest;
+@@ -75,42 +76,6 @@ public class TokenServlet extends CMSServlet {
+     String mCurrentUID = null;
+     IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":");
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
+-
+-    private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
+-
+-    private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE =
+-            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
+-
+-    private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
+-
+-    private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
+-
+-    private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE =
+-            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
+-
+-    private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
+-
+-    private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_12";
+-
+-    private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE =
+-            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_13";
+-
+-    private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
+-
+-    private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3";
+-
+-    private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE =
+-            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4";
+-
+     // Derivation Constants for SCP02
+     public final static byte[] C_MACDerivationConstant = { (byte) 0x01, (byte) 0x01 };
+     public final static byte[] ENCDerivationConstant = { 0x01, (byte) 0x82 };
+@@ -404,7 +369,7 @@ public class TokenServlet extends CMSServlet {
+         }
+ 
+         auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
++                AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
+                 rCUID,
+                 rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+                 ILogger.SUCCESS,
+@@ -834,7 +799,7 @@ public class TokenServlet extends CMSServlet {
+                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
+             };
+-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
++            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
+                     logParams);
+ 
+         } else {
+@@ -854,7 +819,7 @@ public class TokenServlet extends CMSServlet {
+                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
+                     errorMsg // Error
+             };
+-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
++            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+                     logParams);
+         }
+ 
+@@ -922,7 +887,7 @@ public class TokenServlet extends CMSServlet {
+ 
+         // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID
+         auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
++                AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
+                 rCUID,
+                 rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+                 ILogger.SUCCESS,
+@@ -1492,7 +1457,7 @@ public class TokenServlet extends CMSServlet {
+                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
+             };
+-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
++            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
+                     logParams);
+ 
+         } else {
+@@ -1514,7 +1479,7 @@ public class TokenServlet extends CMSServlet {
+                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
+                     errorMsg // Error
+             };
+-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
++            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+                     logParams);
+ 
+         }
+@@ -1635,7 +1600,7 @@ public class TokenServlet extends CMSServlet {
+ 
+         // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID
+         auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST,
++                AuditEvent.DIVERSIFY_KEY_REQUEST,
+                 rCUID,
+                 rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+                 ILogger.SUCCESS,
+@@ -1924,7 +1889,7 @@ public class TokenServlet extends CMSServlet {
+                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
+             };
+-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams);
++            auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams);
+         } else {
+             // AC: KDF SPEC CHANGE - Log both CUID and KDD
+             //                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+@@ -1946,7 +1911,7 @@ public class TokenServlet extends CMSServlet {
+                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
+                     errorMsg // Error
+             };
+-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams);
++            auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams);
+         }
+ 
+         audit(auditMessage);
+@@ -2011,7 +1976,7 @@ public class TokenServlet extends CMSServlet {
+ 
+         // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID
+         String auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST,
++                AuditEvent.ENCRYPT_DATA_REQUEST,
+                 rCUID,
+                 rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+                 ILogger.SUCCESS,
+@@ -2262,7 +2227,7 @@ public class TokenServlet extends CMSServlet {
+                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
+             };
+-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams);
++            auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams);
+         } else {
+             // AC: KDF SPEC CHANGE - Log both CUID and KDD
+             //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+@@ -2281,7 +2246,7 @@ public class TokenServlet extends CMSServlet {
+                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
+                     errorMsg // Error
+             };
+-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams);
++            auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams);
+         }
+ 
+         audit(auditMessage);
+@@ -2344,7 +2309,7 @@ public class TokenServlet extends CMSServlet {
+         CMS.debug("TokenServlet::processComputeRandomData data size requested: " + dataSize);
+ 
+         String auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST,
++                AuditEvent.COMPUTE_RANDOM_DATA_REQUEST,
+                 ILogger.SUCCESS,
+                 agentId);
+ 
+@@ -2403,13 +2368,13 @@ public class TokenServlet extends CMSServlet {
+ 
+         if (status.equals("0")) {
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,
++                    AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,
+                     ILogger.SUCCESS,
+                     status,
+                     agentId);
+         } else {
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,
++                    AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,
+                     ILogger.FAILURE,
+                     status,
+                     agentId,
+@@ -2533,7 +2498,7 @@ public class TokenServlet extends CMSServlet {
+         }
+ 
+         auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
++                AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
+                 rCUID,
+                 rKDD,
+                 ILogger.SUCCESS,
+@@ -2956,7 +2921,7 @@ public class TokenServlet extends CMSServlet {
+                     keySet, // TKSKeyset
+                     log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
+             };
+-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
++            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
+                     logParams);
+ 
+         } else {
+@@ -2973,7 +2938,7 @@ public class TokenServlet extends CMSServlet {
+                     log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
+                     errorMsg // Error
+             };
+-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
++            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+                     logParams);
+ 
+         }
+-- 
+1.8.3.1
+
+
+From e770f3a4ff34c27bc698d47aedc518a7ae6b31f9 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 12 Apr 2017 03:54:29 +0200
+Subject: [PATCH 44/59] Reorganized audit event constants for OCSP.
+
+Change-Id: I3eb97554a1d0f4b86c981692ab0130b28c9c5288
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   | 17 ++++++++++++
+ .../com/netscape/cms/authentication/CMCAuth.java   | 25 +++++++++---------
+ .../netscape/cms/servlet/ocsp/AddCAServlet.java    | 22 +++++++---------
+ .../netscape/cms/servlet/ocsp/AddCRLServlet.java   | 30 ++++++++++------------
+ .../netscape/cms/servlet/ocsp/RemoveCAServlet.java | 17 ++++--------
+ 5 files changed, 56 insertions(+), 55 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 8abb9a5..bc892a9 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,23 @@ import com.netscape.certsrv.base.MessageFormatter;
+  */
+ public class AuditEvent implements IBundleLogEvent {
+ 
++    public final static String CRL_RETRIEVAL =
++            "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3";
++    public final static String CRL_VALIDATION =
++            "LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2";
++    public final static String OCSP_ADD_CA_REQUEST =
++            "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_3";
++    public final static String OCSP_ADD_CA_REQUEST_PROCESSED =
++            "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_3";
++    public final static String OCSP_REMOVE_CA_REQUEST =
++            "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_3";
++    public final static String OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS_3";
++    public final static String OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE =
++            "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3";
++    public final static String CMC_SIGNED_REQUEST_SIG_VERIFY =
++            "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
++
+     public final static String COMPUTE_RANDOM_DATA_REQUEST =
+             "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
+     public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS =
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+index 8523189..02aceb4 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+@@ -79,6 +79,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.IExtendedPluginInfo;
+ import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.IProfile;
+@@ -181,8 +182,6 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+             "enrollment";
+     private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE =
+             "revocation";
+-    private final static String LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY =
+-            "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
+ 
+     /////////////////////
+     // default methods //
+@@ -266,7 +265,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
++                        AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditReqType,
+@@ -285,7 +284,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
++                        AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditReqType,
+@@ -334,7 +333,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+                         !cmcReq.hasContent()) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
++                            AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditReqType,
+@@ -380,7 +379,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+                         !ci.hasContent()) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
++                            AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditReqType,
+@@ -561,7 +560,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+                             } catch (Exception e) {
+                                 // store a message in the signed audit log file
+                                 auditMessage = CMS.getLogMessage(
+-                                        LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
++                                        AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+                                         auditSubjectID,
+                                         ILogger.FAILURE,
+                                         auditReqType,
+@@ -615,7 +614,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+                             } catch (Exception e) {
+                                 // store a message in the signed audit log file
+                                 auditMessage = CMS.getLogMessage(
+-                                        LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
++                                        AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+                                         auditSubjectID,
+                                         ILogger.FAILURE,
+                                         auditReqType,
+@@ -640,7 +639,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
++                        AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditReqType,
+@@ -656,7 +655,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
++                    AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     auditReqType,
+@@ -669,7 +668,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+         } catch (EMissingCredential eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
++                    AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditReqType,
+@@ -683,7 +682,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+         } catch (EInvalidCredentials eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
++                    AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditReqType,
+@@ -697,7 +696,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+         } catch (EBaseException eAudit3) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
++                    AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditReqType,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java
+index f19a9d6..0088e92 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java
+@@ -35,6 +35,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.ocsp.IDefStore;
+@@ -69,11 +70,6 @@ public class AddCAServlet extends CMSServlet {
+     private String mFormPath = null;
+     private IOCSPAuthority mOCSPAuthority = null;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_3";
+-    private final static String LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_3";
+-
+     public AddCAServlet() {
+         super();
+     }
+@@ -162,7 +158,7 @@ public class AddCAServlet extends CMSServlet {
+ 
+         if (b64 == null) {
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST,
++                    AuditEvent.OCSP_ADD_CA_REQUEST,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     ILogger.SIGNED_AUDIT_EMPTY_VALUE);
+@@ -175,7 +171,7 @@ public class AddCAServlet extends CMSServlet {
+         auditCA = Cert.normalizeCertStr(Cert.stripCertBrackets(b64.trim()));
+         // record the fact that a request to add CA is made
+         auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST,
++                AuditEvent.OCSP_ADD_CA_REQUEST,
+                 auditSubjectID,
+                 ILogger.SUCCESS,
+                 auditCA);
+@@ -184,7 +180,7 @@ public class AddCAServlet extends CMSServlet {
+ 
+         if (b64.indexOf(BEGIN_HEADER) == -1) {
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
++                    AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditCASubjectDN);
+@@ -195,7 +191,7 @@ public class AddCAServlet extends CMSServlet {
+         }
+         if (b64.indexOf(END_HEADER) == -1) {
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
++                    AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditCASubjectDN);
+@@ -216,7 +212,7 @@ public class AddCAServlet extends CMSServlet {
+             if (cert == null) {
+                 CMS.debug("AddCAServlet::process() - cert is null!");
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
++                        AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditCASubjectDN);
+@@ -245,7 +241,7 @@ public class AddCAServlet extends CMSServlet {
+                 auditCASubjectDN = leafCert.getSubjectDN().getName();
+             } catch (Exception e) {
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
++                        AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditCASubjectDN);
+@@ -270,7 +266,7 @@ public class AddCAServlet extends CMSServlet {
+                 rec.set(ICRLIssuingPointRecord.ATTR_CA_CERT, leafCert.getEncoded());
+             } catch (Exception e) {
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
++                        AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditCASubjectDN);
+@@ -282,7 +278,7 @@ public class AddCAServlet extends CMSServlet {
+             defStore.addCRLIssuingPoint(leafCert.getSubjectDN().getName(), rec);
+             log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Added CA certificate " + leafCert.getSubjectDN().getName());
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
++                    AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     auditCASubjectDN);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java
+index 386ce93..5b4f624 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java
+@@ -40,6 +40,7 @@ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
+ import com.netscape.certsrv.dbs.repository.IRepositoryRecord;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.ocsp.IDefStore;
+@@ -77,11 +78,6 @@ public class AddCRLServlet extends CMSServlet {
+     private String mFormPath = null;
+     private IOCSPAuthority mOCSPAuthority = null;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL =
+-            "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3";
+-    private final static String LOGGING_SIGNED_AUDIT_CRL_VALIDATION =
+-            "LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2";
+-
+     public AddCRLServlet() {
+         super();
+     }
+@@ -153,7 +149,7 @@ public class AddCRLServlet extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
++                        AuditEvent.CRL_RETRIEVAL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditCRLNum);
+@@ -181,7 +177,7 @@ public class AddCRLServlet extends CMSServlet {
+             if (b64 == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
++                        AuditEvent.CRL_RETRIEVAL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditCRLNum);
+@@ -216,7 +212,7 @@ public class AddCRLServlet extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
++                        AuditEvent.CRL_RETRIEVAL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditCRLNum);
+@@ -237,7 +233,7 @@ public class AddCRLServlet extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
++                        AuditEvent.CRL_RETRIEVAL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditCRLNum);
+@@ -253,7 +249,7 @@ public class AddCRLServlet extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
++                        AuditEvent.CRL_RETRIEVAL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditCRLNum);
+@@ -290,7 +286,7 @@ public class AddCRLServlet extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
++                        AuditEvent.CRL_RETRIEVAL,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditCRLNum);
+@@ -304,7 +300,7 @@ public class AddCRLServlet extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
++                        AuditEvent.CRL_RETRIEVAL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditCRLNum);
+@@ -329,7 +325,7 @@ public class AddCRLServlet extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CRL_VALIDATION,
++                        AuditEvent.CRL_VALIDATION,
+                         auditSubjectID,
+                         ILogger.FAILURE);
+ 
+@@ -383,7 +379,7 @@ public class AddCRLServlet extends CMSServlet {
+ 
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CRL_VALIDATION,
++                            AuditEvent.CRL_VALIDATION,
+                             auditSubjectID,
+                             ILogger.SUCCESS);
+ 
+@@ -400,7 +396,7 @@ public class AddCRLServlet extends CMSServlet {
+ 
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CRL_VALIDATION,
++                            AuditEvent.CRL_VALIDATION,
+                             auditSubjectID,
+                             ILogger.FAILURE);
+ 
+@@ -547,7 +543,7 @@ public class AddCRLServlet extends CMSServlet {
+             if (!CRLFetched) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
++                        AuditEvent.CRL_RETRIEVAL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditCRLNum);
+@@ -557,7 +553,7 @@ public class AddCRLServlet extends CMSServlet {
+                 if (!CRLValidated) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CRL_VALIDATION,
++                            AuditEvent.CRL_VALIDATION,
+                             auditSubjectID,
+                             ILogger.FAILURE);
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java
+index 55f688a..b6352a1 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java
+@@ -32,6 +32,7 @@ import com.netscape.certsrv.authorization.AuthzToken;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.common.ICMSRequest;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.ocsp.IDefStore;
+ import com.netscape.certsrv.ocsp.IOCSPAuthority;
+@@ -56,14 +57,6 @@ public class RemoveCAServlet extends CMSServlet {
+     private String mFormPath = null;
+     private IOCSPAuthority mOCSPAuthority = null;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_3";
+-    private final static String LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS_3";
+-
+-    private final static String LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE =
+-            "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3";
+-
+     public RemoveCAServlet() {
+         super();
+     }
+@@ -151,7 +144,7 @@ public class RemoveCAServlet extends CMSServlet {
+ 
+         if (caID == null) {
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,
++                    AuditEvent.OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     ILogger.SIGNED_AUDIT_EMPTY_VALUE);
+@@ -160,7 +153,7 @@ public class RemoveCAServlet extends CMSServlet {
+         }
+ 
+         auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST,
++                AuditEvent.OCSP_REMOVE_CA_REQUEST,
+                 auditSubjectID,
+                 ILogger.SUCCESS,
+                 caID);
+@@ -175,7 +168,7 @@ public class RemoveCAServlet extends CMSServlet {
+         } catch (EBaseException e) {
+ 
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,
++                    AuditEvent.OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     caID);
+@@ -188,7 +181,7 @@ public class RemoveCAServlet extends CMSServlet {
+         CMS.debug("RemoveCAServlet::process: CRL IssuingPoint for CA successfully removed: " + caID);
+ 
+         auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,
++                AuditEvent.OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,
+                 auditSubjectID,
+                 ILogger.SUCCESS,
+                 caID);
+-- 
+1.8.3.1
+
+
+From 0afe49b7b758d46f8bc0ca87cf2124e90084ebce Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 12 Apr 2017 04:13:14 +0200
+Subject: [PATCH 45/59] Reorganized audit event constants for authentication.
+
+Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
+---
+ .../dogtagpki/server/ca/rest/ProfileService.java   |  5 +--
+ .../com/netscape/certsrv/logging/AuditEvent.java   | 19 ++++++++++
+ .../netscape/cms/profile/common/EnrollProfile.java |  8 ++--
+ .../netscape/cms/profile/input/EnrollInput.java    |  8 ++--
+ .../cms/src/com/netscape/cms/realm/PKIRealm.java   | 14 +++----
+ .../netscape/cms/servlet/admin/AdminServlet.java   | 43 +++++++++-------------
+ .../com/netscape/cms/servlet/base/CMSServlet.java  | 27 +++++---------
+ .../cms/servlet/connector/ConnectorServlet.java    | 19 +++++-----
+ .../cms/servlet/processors/CAProcessor.java        | 31 ++++++----------
+ .../cms/servlet/processors/CRMFProcessor.java      | 12 +++---
+ .../cms/servlet/profile/ProfileApproveServlet.java | 21 +++++------
+ .../org/dogtagpki/server/rest/ACLInterceptor.java  | 24 +++++-------
+ 12 files changed, 106 insertions(+), 125 deletions(-)
+
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+index 694fb92..eae68ef 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+@@ -51,6 +51,7 @@ import com.netscape.certsrv.base.UnauthorizedException;
+ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.IProfile;
+@@ -89,8 +90,6 @@ public class ProfileService extends SubsystemService implements ProfileResource
+     private IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID);
+     private IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL =
+-            "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4";
+     private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE =
+             "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
+ 
+@@ -1189,7 +1188,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
+ 
+     public void auditProfileChangeState(String profileId, String op, String status) {
+         String msg = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
++                AuditEvent.CERT_PROFILE_APPROVAL,
+                 auditor.getSubjectID(),
+                 status,
+                 profileId,
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index bc892a9..82cb77f 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,25 @@ import com.netscape.certsrv.base.MessageFormatter;
+  */
+ public class AuditEvent implements IBundleLogEvent {
+ 
++    public final static String AUTHZ_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
++    public final static String AUTHZ_SUCCESS_INFO =
++            "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_5";
++    public final static String AUTHZ_FAIL =
++            "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4";
++    public final static String AUTHZ_FAIL_INFO =
++            "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_5";
++    public final static String INTER_BOUNDARY =
++            "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5";
++    public final static String AUTH_FAIL =
++            "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4";
++    public final static String AUTH_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3";
++    public final static String CERT_PROFILE_APPROVAL =
++            "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4";
++    public final static String PROOF_OF_POSSESSION =
++            "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
++
+     public final static String CRL_RETRIEVAL =
+             "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3";
+     public final static String CRL_VALIDATION =
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index f4a59d2..0ec3c94 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -76,6 +76,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.EPropertyNotFound;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EDeferException;
+ import com.netscape.certsrv.profile.EProfileException;
+@@ -121,9 +122,6 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+     private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
+             "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+-    private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION =
+-            "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
+-
+     private PKIData mCMCData;
+ 
+     public EnrollProfile() {
+@@ -2073,7 +2071,7 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
++                    AuditEvent.PROOF_OF_POSSESSION,
+                     auditSubjectID,
+                     ILogger.SUCCESS);
+             audit(auditMessage);
+@@ -2093,7 +2091,7 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
++                    AuditEvent.PROOF_OF_POSSESSION,
+                     auditSubjectID,
+                     ILogger.FAILURE);
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
+index f246951..81e71c4 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
++++ b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
+@@ -30,6 +30,7 @@ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.IProfile;
+@@ -48,9 +49,6 @@ import com.netscape.cmsutil.crypto.CryptoUtil;
+  */
+ public abstract class EnrollInput implements IProfileInput {
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION =
+-            "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
+-
+     protected IConfigStore mConfig = null;
+     protected Vector<String> mValueNames = new Vector<String>();
+     protected Vector<String> mConfigNames = new Vector<String>();
+@@ -219,7 +217,7 @@ public abstract class EnrollInput implements IProfileInput {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
++                    AuditEvent.PROOF_OF_POSSESSION,
+                     auditSubjectID,
+                     ILogger.SUCCESS);
+             audit(auditMessage);
+@@ -230,7 +228,7 @@ public abstract class EnrollInput implements IProfileInput {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
++                    AuditEvent.PROOF_OF_POSSESSION,
+                     auditSubjectID,
+                     ILogger.FAILURE);
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+index 1933601..28fb0b9 100644
+--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
++++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+@@ -16,6 +16,7 @@ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.authentication.ICertUserDBAuthentication;
+ import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication;
+ import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.usrgrp.EUsrGrpException;
+ import com.netscape.certsrv.usrgrp.IGroup;
+@@ -35,11 +36,6 @@ import netscape.security.x509.X509CertImpl;
+ 
+ public class PKIRealm extends RealmBase {
+     protected ILogger signedAuditLogger = CMS.getSignedAuditLogger();
+-    private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL =
+-            "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4";
+-    private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3";
+-
+     @Override
+     protected String getName() {
+         return "PKIRealm";
+@@ -66,7 +62,7 @@ public class PKIRealm extends RealmBase {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
++                        AuditEvent.AUTH_SUCCESS,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
+@@ -77,7 +73,7 @@ public class PKIRealm extends RealmBase {
+         } catch (Throwable e) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                        AuditEvent.AUTH_FAIL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID,
+@@ -126,7 +122,7 @@ public class PKIRealm extends RealmBase {
+             CMS.debug("PKIRealm: User ID: " + username);
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
++                        AuditEvent.AUTH_SUCCESS,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);
+@@ -137,7 +133,7 @@ public class PKIRealm extends RealmBase {
+         } catch (Throwable e) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                        AuditEvent.AUTH_FAIL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         IAuthSubsystem.CERTUSERDB_AUTHMGR_ID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+index ab7af9e..0350e38 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+@@ -51,6 +51,7 @@ import com.netscape.certsrv.base.IExtendedPluginInfo;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.NameValuePairs;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.IAuditor;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.usrgrp.EUsrGrpException;
+@@ -121,14 +122,6 @@ public class AdminServlet extends HttpServlet {
+     public static final String CERT_ATTR =
+             "javax.servlet.request.X509Certificate";
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL =
+-            "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4";
+-    private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3";
+-    private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL =
+-            "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4";
+-    private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
+     private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
+             "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
+     private final static String CERTUSERDB =
+@@ -307,7 +300,7 @@ public class AdminServlet extends HttpServlet {
+                 if (allCerts == null || allCerts.length == 0) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                                AuditEvent.AUTH_FAIL,
+                                 ILogger.UNIDENTIFIED,
+                                 ILogger.FAILURE,
+                                 CERTUSERDB,
+@@ -399,7 +392,7 @@ public class AdminServlet extends HttpServlet {
+                 if (authType.equals("sslclientauth")) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                                AuditEvent.AUTH_FAIL,
+                                 ILogger.UNIDENTIFIED,
+                                 ILogger.FAILURE,
+                                 CERTUSERDB,
+@@ -409,7 +402,7 @@ public class AdminServlet extends HttpServlet {
+                 } else {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                                AuditEvent.AUTH_FAIL,
+                                 ILogger.UNIDENTIFIED,
+                                 ILogger.FAILURE,
+                                 PASSWDUSERDB,
+@@ -433,7 +426,7 @@ public class AdminServlet extends HttpServlet {
+                     if (authType.equals("sslclientauth")) {
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                                    AuditEvent.AUTH_FAIL,
+                                     ILogger.UNIDENTIFIED,
+                                     ILogger.FAILURE,
+                                     CERTUSERDB,
+@@ -443,7 +436,7 @@ public class AdminServlet extends HttpServlet {
+                     } else {
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                                    AuditEvent.AUTH_FAIL,
+                                     ILogger.UNIDENTIFIED,
+                                     ILogger.FAILURE,
+                                     PASSWDUSERDB,
+@@ -469,7 +462,7 @@ public class AdminServlet extends HttpServlet {
+                     if (authType.equals("sslclientauth")) {
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                                    AuditEvent.AUTH_FAIL,
+                                     ILogger.UNIDENTIFIED,
+                                     ILogger.FAILURE,
+                                     CERTUSERDB,
+@@ -479,7 +472,7 @@ public class AdminServlet extends HttpServlet {
+                     } else {
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                                    AuditEvent.AUTH_FAIL,
+                                     ILogger.UNIDENTIFIED,
+                                     ILogger.FAILURE,
+                                     PASSWDUSERDB,
+@@ -505,7 +498,7 @@ public class AdminServlet extends HttpServlet {
+                 if (authType.equals("sslclientauth")) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                                AuditEvent.AUTH_FAIL,
+                                 ILogger.UNIDENTIFIED,
+                                 ILogger.FAILURE,
+                                 CERTUSERDB,
+@@ -515,7 +508,7 @@ public class AdminServlet extends HttpServlet {
+                 } else {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                                AuditEvent.AUTH_FAIL,
+                                 ILogger.UNIDENTIFIED,
+                                 ILogger.FAILURE,
+                                 PASSWDUSERDB,
+@@ -535,7 +528,7 @@ public class AdminServlet extends HttpServlet {
+             if (authType.equals("sslclientauth")) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
++                            AuditEvent.AUTH_SUCCESS,
+                             auditSubjectID(),
+                             ILogger.SUCCESS,
+                             CERTUSERDB);
+@@ -544,7 +537,7 @@ public class AdminServlet extends HttpServlet {
+             } else {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
++                            AuditEvent.AUTH_SUCCESS,
+                             auditSubjectID(),
+                             ILogger.SUCCESS,
+                             PASSWDUSERDB);
+@@ -555,7 +548,7 @@ public class AdminServlet extends HttpServlet {
+             if (authType.equals("sslclientauth")) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                            AuditEvent.AUTH_FAIL,
+                             ILogger.UNIDENTIFIED,
+                             ILogger.FAILURE,
+                             CERTUSERDB,
+@@ -565,7 +558,7 @@ public class AdminServlet extends HttpServlet {
+             } else {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                            AuditEvent.AUTH_FAIL,
+                             ILogger.UNIDENTIFIED,
+                             ILogger.FAILURE,
+                             PASSWDUSERDB,
+@@ -654,7 +647,7 @@ public class AdminServlet extends HttpServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                        AuditEvent.AUTHZ_FAIL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+@@ -677,7 +670,7 @@ public class AdminServlet extends HttpServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                        AuditEvent.AUTHZ_FAIL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+@@ -698,7 +691,7 @@ public class AdminServlet extends HttpServlet {
+         } catch (Exception e) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                        AuditEvent.AUTHZ_FAIL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+@@ -720,7 +713,7 @@ public class AdminServlet extends HttpServlet {
+ 
+         // store a message in the signed audit log file
+         auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
++                    AuditEvent.AUTHZ_SUCCESS,
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     auditACLResource,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+index ab9b936..01f9f07 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+@@ -64,6 +64,7 @@ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.dbs.certdb.ICertRecord;
+ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.ra.IRegistrationAuthority;
+ import com.netscape.certsrv.request.IRequest;
+@@ -244,14 +245,6 @@ public abstract class CMSServlet extends HttpServlet {
+     private IUGSubsystem mUG = (IUGSubsystem)
+             CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL =
+-            "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4";
+-    private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3";
+-    private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL =
+-            "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4";
+-    private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
+     private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
+             "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
+ 
+@@ -1801,7 +1794,7 @@ public abstract class CMSServlet extends HttpServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
++                        AuditEvent.AUTH_SUCCESS,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditAuthMgrID);
+@@ -1812,7 +1805,7 @@ public abstract class CMSServlet extends HttpServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                        AuditEvent.AUTH_FAIL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditAuthMgrID,
+@@ -1837,7 +1830,7 @@ public abstract class CMSServlet extends HttpServlet {
+             authzToken = mAuthz.authorize(authzMgrName, authToken, exp);
+             if (authzToken != null) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
++                            AuditEvent.AUTHZ_SUCCESS,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditACLResource,
+@@ -1855,7 +1848,7 @@ public abstract class CMSServlet extends HttpServlet {
+                 audit(auditMessage);
+             } else {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                            AuditEvent.AUTHZ_FAIL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditACLResource,
+@@ -1874,7 +1867,7 @@ public abstract class CMSServlet extends HttpServlet {
+             return authzToken;
+         } catch (Exception e) {
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                        AuditEvent.AUTHZ_FAIL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+@@ -1971,7 +1964,7 @@ public abstract class CMSServlet extends HttpServlet {
+             if (authzTok != null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
++                            AuditEvent.AUTHZ_SUCCESS,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditACLResource,
+@@ -1990,7 +1983,7 @@ public abstract class CMSServlet extends HttpServlet {
+             } else {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                            AuditEvent.AUTHZ_FAIL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditACLResource,
+@@ -2012,7 +2005,7 @@ public abstract class CMSServlet extends HttpServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                        AuditEvent.AUTHZ_FAIL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+@@ -2033,7 +2026,7 @@ public abstract class CMSServlet extends HttpServlet {
+         } catch (Exception eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                        AuditEvent.AUTHZ_FAIL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+index e6dfbc4..014db79 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+@@ -49,6 +49,7 @@ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.connector.IPKIMessage;
+ import com.netscape.certsrv.connector.IRequestEncoder;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+@@ -97,8 +98,6 @@ public class ConnectorServlet extends CMSServlet {
+ 
+     protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+     private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl";
+-    private final static String LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5";
+     private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
+             "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+     private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
+@@ -479,7 +478,7 @@ public class ConnectorServlet extends CMSServlet {
+ 
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
++                                AuditEvent.INTER_BOUNDARY,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditProtectionMethod,
+@@ -501,7 +500,7 @@ public class ConnectorServlet extends CMSServlet {
+ 
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
++                                AuditEvent.INTER_BOUNDARY,
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditProtectionMethod,
+@@ -699,7 +698,7 @@ public class ConnectorServlet extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
++                            AuditEvent.INTER_BOUNDARY,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditProtectionMethod,
+@@ -921,7 +920,7 @@ public class ConnectorServlet extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
++                            AuditEvent.INTER_BOUNDARY,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditProtectionMethod,
+@@ -934,7 +933,7 @@ public class ConnectorServlet extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
++                            AuditEvent.INTER_BOUNDARY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditProtectionMethod,
+@@ -947,7 +946,7 @@ public class ConnectorServlet extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
++                            AuditEvent.INTER_BOUNDARY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditProtectionMethod,
+@@ -960,7 +959,7 @@ public class ConnectorServlet extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
++                            AuditEvent.INTER_BOUNDARY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditProtectionMethod,
+@@ -980,7 +979,7 @@ public class ConnectorServlet extends CMSServlet {
+         } catch (EBaseException e) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
++                        AuditEvent.INTER_BOUNDARY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditProtectionMethod,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index 62b9a7c..d5a9c4d 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -51,6 +51,7 @@ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.dbs.certdb.ICertRecord;
+ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.profile.IProfile;
+@@ -118,14 +119,6 @@ public class CAProcessor extends Processor {
+ 
+     public final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
+             "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
+-    public final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL =
+-            "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4";
+-    public final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3";
+-    public final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL =
+-            "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4";
+-    public final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
+     public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
+             "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
+     public final static String SIGNED_AUDIT_CERT_REQUEST_REASON =
+@@ -498,7 +491,7 @@ public class CAProcessor extends Processor {
+ 
+                 authSubjectID += " : " + uid_cred;
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                        AuditEvent.AUTH_FAIL,
+                         authSubjectID,
+                         ILogger.FAILURE,
+                         authMgrID,
+@@ -512,7 +505,7 @@ public class CAProcessor extends Processor {
+ 
+                 authSubjectID += " : " + uid_cred;
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                        AuditEvent.AUTH_FAIL,
+                         authSubjectID,
+                         ILogger.FAILURE,
+                         authMgrID,
+@@ -534,7 +527,7 @@ public class CAProcessor extends Processor {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
++                    AuditEvent.AUTH_SUCCESS,
+                     authSubjectID,
+                     ILogger.SUCCESS,
+                     authMgrID);
+@@ -669,7 +662,7 @@ public class CAProcessor extends Processor {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
++                    AuditEvent.AUTH_SUCCESS,
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     auditAuthMgrID);
+@@ -680,7 +673,7 @@ public class CAProcessor extends Processor {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_AUTH_FAIL,
++                    AuditEvent.AUTH_FAIL,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditAuthMgrID,
+@@ -730,7 +723,7 @@ public class CAProcessor extends Processor {
+             authzToken = authz.authorize(authzMgrName, authToken, exp);
+             if (authzToken != null) {
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
++                        AuditEvent.AUTHZ_SUCCESS,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditACLResource,
+@@ -748,7 +741,7 @@ public class CAProcessor extends Processor {
+                 audit(auditMessage);
+             } else {
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                        AuditEvent.AUTHZ_FAIL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+@@ -767,7 +760,7 @@ public class CAProcessor extends Processor {
+             return authzToken;
+         } catch (EBaseException e) {
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                    AuditEvent.AUTHZ_FAIL,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditACLResource,
+@@ -863,7 +856,7 @@ public class CAProcessor extends Processor {
+             if (authzTok != null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
++                        AuditEvent.AUTHZ_SUCCESS,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditACLResource,
+@@ -882,7 +875,7 @@ public class CAProcessor extends Processor {
+             } else {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                        AuditEvent.AUTHZ_FAIL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+@@ -904,7 +897,7 @@ public class CAProcessor extends Processor {
+         } catch (Exception eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                    AuditEvent.AUTHZ_FAIL,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditACLResource,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
+index 1da0cf3..70a4a42 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
+@@ -50,6 +50,7 @@ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.common.ICMSRequest;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.cms.servlet.base.CMSServlet;
+@@ -68,9 +69,6 @@ public class CRMFProcessor extends PKIProcessor {
+ 
+     private boolean enforcePop = false;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION =
+-            "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
+-
+     public CRMFProcessor() {
+         super();
+     }
+@@ -118,7 +116,7 @@ public class CRMFProcessor extends PKIProcessor {
+ 
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
++                                AuditEvent.PROOF_OF_POSSESSION,
+                                 auditSubjectID,
+                                 ILogger.SUCCESS);
+ 
+@@ -131,7 +129,7 @@ public class CRMFProcessor extends PKIProcessor {
+ 
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
++                                AuditEvent.PROOF_OF_POSSESSION,
+                                 auditSubjectID,
+                                 ILogger.FAILURE);
+ 
+@@ -148,7 +146,7 @@ public class CRMFProcessor extends PKIProcessor {
+ 
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
++                            AuditEvent.PROOF_OF_POSSESSION,
+                             auditSubjectID,
+                             ILogger.FAILURE);
+ 
+@@ -161,7 +159,7 @@ public class CRMFProcessor extends PKIProcessor {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
++                    AuditEvent.PROOF_OF_POSSESSION,
+                     auditSubjectID,
+                     ILogger.FAILURE);
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java
+index 89ba1bd..f56c378 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java
+@@ -32,6 +32,7 @@ import com.netscape.certsrv.authority.IAuthority;
+ import com.netscape.certsrv.authorization.AuthzToken;
+ import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+ import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.IPolicyConstraint;
+@@ -60,8 +61,6 @@ public class ProfileApproveServlet extends ProfileServlet {
+     private static final String PROP_AUTHORITY_ID = "authorityId";
+     private String mAuthorityId = null;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL =
+-            "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4";
+     private final static String OP_APPROVE = "approve";
+     private final static String OP_DISAPPROVE = "disapprove";
+ 
+@@ -134,7 +133,7 @@ public class ProfileApproveServlet extends ProfileServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
++                            AuditEvent.CERT_PROFILE_APPROVAL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditProfileID,
+@@ -168,7 +167,7 @@ public class ProfileApproveServlet extends ProfileServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
++                            AuditEvent.CERT_PROFILE_APPROVAL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditProfileID,
+@@ -198,7 +197,7 @@ public class ProfileApproveServlet extends ProfileServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
++                            AuditEvent.CERT_PROFILE_APPROVAL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditProfileID,
+@@ -222,7 +221,7 @@ public class ProfileApproveServlet extends ProfileServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
++                            AuditEvent.CERT_PROFILE_APPROVAL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditProfileID,
+@@ -244,7 +243,7 @@ public class ProfileApproveServlet extends ProfileServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
++                            AuditEvent.CERT_PROFILE_APPROVAL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditProfileID,
+@@ -277,7 +276,7 @@ public class ProfileApproveServlet extends ProfileServlet {
+ 
+                             // store a message in the signed audit log file
+                             auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
++                                    AuditEvent.CERT_PROFILE_APPROVAL,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditProfileID,
+@@ -298,7 +297,7 @@ public class ProfileApproveServlet extends ProfileServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
++                            AuditEvent.CERT_PROFILE_APPROVAL,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditProfileID,
+@@ -316,7 +315,7 @@ public class ProfileApproveServlet extends ProfileServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
++                            AuditEvent.CERT_PROFILE_APPROVAL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditProfileID,
+@@ -329,7 +328,7 @@ public class ProfileApproveServlet extends ProfileServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
++                        AuditEvent.CERT_PROFILE_APPROVAL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditProfileID,
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+index 8e02ec2..86996d5 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+@@ -45,6 +45,7 @@ import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
+ import com.netscape.certsrv.authorization.IAuthzSubsystem;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.ForbiddenException;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.cms.realm.PKIPrincipal;
+ 
+@@ -54,11 +55,6 @@ import com.netscape.cms.realm.PKIPrincipal;
+ @Provider
+ public class ACLInterceptor implements ContainerRequestFilter {
+     protected ILogger signedAuditLogger = CMS.getSignedAuditLogger();
+-    private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL =
+-            "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_5";
+-    private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_5";
+-
+     private final static String LOGGING_ACL_PARSING_ERROR = "internal error: ACL parsing error";
+     private final static String LOGGING_NO_ACL_ACCESS_ALLOWED = "no ACL configured; OK";
+     private final static String LOGGING_MISSING_AUTH_TOKEN = "auth token not found";
+@@ -178,7 +174,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
+             // store a message in the signed audit log file
+             // although if it didn't pass authentication, it should not have gotten here
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                        AuditEvent.AUTHZ_FAIL_INFO,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         null, // resource
+@@ -195,7 +191,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
+             CMS.debug("ACLInterceptor: No ACL mapping; authz not required.");
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
++                        AuditEvent.AUTHZ_SUCCESS_INFO,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         null, //resource
+@@ -219,7 +215,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
+         } catch (IOException e) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                        AuditEvent.AUTHZ_FAIL_INFO,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         null, //resource
+@@ -236,7 +232,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
+             CMS.debug("ACLInterceptor: No ACL configuration.");
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
++                    AuditEvent.AUTHZ_SUCCESS_INFO,
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     null, //resource
+@@ -252,7 +248,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
+             CMS.debug("ACLInterceptor: Invalid ACL mapping.");
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                    AuditEvent.AUTHZ_FAIL_INFO,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     null, //resource
+@@ -279,7 +275,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
+                 CMS.debug("ACLInterceptor: " + info);
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                            AuditEvent.AUTHZ_FAIL_INFO,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             values[0], // resource
+@@ -296,7 +292,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
+             CMS.debug("ACLInterceptor: " + info);
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                        AuditEvent.AUTHZ_FAIL_INFO,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         values[0], // resource
+@@ -309,7 +305,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
+             String info = e.getMessage();
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
++                        AuditEvent.AUTHZ_FAIL_INFO,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         values[0], // resource
+@@ -323,7 +319,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
+         // Allow request.
+         // store a message in the signed audit log file
+         auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
++                    AuditEvent.AUTHZ_SUCCESS_INFO,
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     values[0], // resource
+-- 
+1.8.3.1
+
+
+From 6b9aee2d0a37cb7e8b93614b693cda0e6c410d9b Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 12 Apr 2017 04:33:11 +0200
+Subject: [PATCH 46/59] Reorganized audit event constants for CA.
+
+Change-Id: I407a7a13c4e428e01632536faa27583e7c6d577e
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   | 11 +++
+ .../netscape/cms/profile/common/EnrollProfile.java |  8 +-
+ .../cms/servlet/cert/CMCRevReqServlet.java         | 26 +++----
+ .../netscape/cms/servlet/cert/CertProcessor.java   |  7 +-
+ .../com/netscape/cms/servlet/cert/DoRevokeTPS.java | 23 +++---
+ .../netscape/cms/servlet/cert/DoUnrevokeTPS.java   | 17 ++---
+ .../netscape/cms/servlet/cert/EnrollServlet.java   | 46 ++++++------
+ .../cms/servlet/cert/RequestProcessor.java         |  9 ++-
+ .../cms/servlet/cert/RevocationProcessor.java      | 10 +--
+ .../cms/servlet/cert/scep/CRSEnrollment.java       |  3 +-
+ .../cms/servlet/connector/ConnectorServlet.java    | 15 ++--
+ .../cms/servlet/processors/CAProcessor.java        |  2 -
+ .../servlet/profile/ProfileSubmitCMCServlet.java   | 12 ++-
+ .../cms/servlet/request/ProcessCertReq.java        | 85 +++++++++++-----------
+ 14 files changed, 128 insertions(+), 146 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 82cb77f..39314df 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,17 @@ import com.netscape.certsrv.base.MessageFormatter;
+  */
+ public class AuditEvent implements IBundleLogEvent {
+ 
++    public final static String NON_PROFILE_CERT_REQUEST =
++            "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5";
++    public final static String PROFILE_CERT_REQUEST =
++            "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
++    public final static String CERT_REQUEST_PROCESSED =
++            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
++    public final static String CERT_STATUS_CHANGE_REQUEST =
++            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
++    public final static String CERT_STATUS_CHANGE_REQUEST_PROCESSED =
++            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
++
+     public final static String AUTHZ_SUCCESS =
+             "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
+     public final static String AUTHZ_SUCCESS_INFO =
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 0ec3c94..370cc33 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -120,8 +120,6 @@ import netscape.security.x509.X509Key;
+ public abstract class EnrollProfile extends BasicProfile
+         implements IEnrollProfile {
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+     private PKIData mCMCData;
+ 
+     public EnrollProfile() {
+@@ -1915,7 +1913,7 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
++                        AuditEvent.PROFILE_CERT_REQUEST,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRequesterID,
+@@ -1928,7 +1926,7 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
++                        AuditEvent.PROFILE_CERT_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -1941,7 +1939,7 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
++                        AuditEvent.PROFILE_CERT_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
+index 71c10ea..f4d7f8f 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
+@@ -53,6 +53,7 @@ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.dbs.certdb.ICertRecord;
+ import com.netscape.certsrv.dbs.certdb.ICertRecordList;
+ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+@@ -92,11 +93,6 @@ public class CMCRevReqServlet extends CMSServlet {
+     private final static String REVOKE = "revoke";
+     private final static String ON_HOLD = "on-hold";
+     private final static int ON_HOLD_REASON = 6;
+-    private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
+-    private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
+-
+     // http params
+     public static final String SERIAL_NO = TOKEN_CERT_SERIAL;
+     public static final String REASON_CODE = "reasonCode";
+@@ -546,7 +542,7 @@ public class CMCRevReqServlet extends CMSServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRequesterID,
+@@ -815,7 +811,7 @@ public class CMCRevReqServlet extends CMSServlet {
+                     auditApprovalStatus == RequestStatus.REJECTED ||
+                     auditApprovalStatus == RequestStatus.CANCELED) {
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++                        AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRequesterID,
+@@ -832,7 +828,7 @@ public class CMCRevReqServlet extends CMSServlet {
+                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
+                 // message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -849,7 +845,7 @@ public class CMCRevReqServlet extends CMSServlet {
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -870,7 +866,7 @@ public class CMCRevReqServlet extends CMSServlet {
+                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
+                 // message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -887,7 +883,7 @@ public class CMCRevReqServlet extends CMSServlet {
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -909,7 +905,7 @@ public class CMCRevReqServlet extends CMSServlet {
+                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
+                 // message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -926,7 +922,7 @@ public class CMCRevReqServlet extends CMSServlet {
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -945,7 +941,7 @@ public class CMCRevReqServlet extends CMSServlet {
+                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
+                 // message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -962,7 +958,7 @@ public class CMCRevReqServlet extends CMSServlet {
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+index 47b5222..0534f90 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+@@ -30,6 +30,7 @@ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.EPropertyNotFound;
+ import com.netscape.certsrv.cert.CertEnrollmentRequest;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EDeferException;
+ import com.netscape.certsrv.profile.ERejectException;
+@@ -230,7 +231,7 @@ public class CertProcessor extends CAProcessor {
+                             ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+@@ -266,7 +267,7 @@ public class CertProcessor extends CAProcessor {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                        AuditEvent.CERT_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -284,7 +285,7 @@ public class CertProcessor extends CAProcessor {
+                 req.setExtData(IRequest.ERROR_CODE, errorCode);
+ 
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                        AuditEvent.CERT_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
+index 79eba99..68ac6da 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
+@@ -46,6 +46,7 @@ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.dbs.certdb.ICertRecord;
+ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+@@ -89,10 +90,6 @@ public class DoRevokeTPS extends CMSServlet {
+     private final static String REVOKE = "revoke";
+     private final static String ON_HOLD = "on-hold";
+     private final static int ON_HOLD_REASON = 6;
+-    private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
+-    private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
+ 
+     public DoRevokeTPS() {
+         super();
+@@ -433,7 +430,7 @@ public class DoRevokeTPS extends CMSServlet {
+                     CMS.debug(method + "Only have previously revoked certs in the list.");
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                            AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditRequesterID,
+@@ -450,7 +447,7 @@ public class DoRevokeTPS extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                            AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -475,7 +472,7 @@ public class DoRevokeTPS extends CMSServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRequesterID,
+@@ -561,7 +558,7 @@ public class DoRevokeTPS extends CMSServlet {
+                             auditApprovalStatus == RequestStatus.REJECTED ||
+                             auditApprovalStatus == RequestStatus.CANCELED) {
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++                                    AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -752,7 +749,7 @@ public class DoRevokeTPS extends CMSServlet {
+                     auditApprovalStatus == RequestStatus.REJECTED ||
+                     auditApprovalStatus == RequestStatus.CANCELED) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditRequesterID,
+@@ -770,7 +767,7 @@ public class DoRevokeTPS extends CMSServlet {
+                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
+                 // message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                            AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -787,7 +784,7 @@ public class DoRevokeTPS extends CMSServlet {
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++                                AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -809,7 +806,7 @@ public class DoRevokeTPS extends CMSServlet {
+                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
+                 // message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                            AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -826,7 +823,7 @@ public class DoRevokeTPS extends CMSServlet {
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++                                AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java
+index 39ccb49..30bde76 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java
+@@ -30,7 +30,7 @@ import javax.servlet.ServletException;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+ 
+-import netscape.security.x509.X509CertImpl;
++import org.dogtagpki.server.connector.IRemoteRequest;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.authentication.AuthToken;
+@@ -43,6 +43,7 @@ import com.netscape.certsrv.ca.ICRLIssuingPoint;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+@@ -53,7 +54,7 @@ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.common.CMSRequest;
+ import com.netscape.cms.servlet.common.ECMSGWException;
+ 
+-import org.dogtagpki.server.connector.IRemoteRequest;
++import netscape.security.x509.X509CertImpl;
+ 
+ /**
+  * 'Unrevoke' a certificate. (For certificates that are on-hold only,
+@@ -78,10 +79,6 @@ public class DoUnrevokeTPS extends CMSServlet {
+ 
+     private final static String OFF_HOLD = "off-hold";
+     private final static int OFF_HOLD_REASON = 6;
+-    private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
+-    private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
+ 
+     public DoUnrevokeTPS() {
+         super();
+@@ -268,7 +265,7 @@ public class DoUnrevokeTPS extends CMSServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRequesterID,
+@@ -465,7 +462,7 @@ public class DoUnrevokeTPS extends CMSServlet {
+                     auditApprovalStatus == RequestStatus.REJECTED ||
+                     auditApprovalStatus == RequestStatus.CANCELED) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditRequesterID,
+@@ -482,7 +479,7 @@ public class DoUnrevokeTPS extends CMSServlet {
+                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
+                 // message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                            AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -499,7 +496,7 @@ public class DoUnrevokeTPS extends CMSServlet {
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++                                AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
+index 91caccf..3757967 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
+@@ -58,6 +58,7 @@ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.dbs.certdb.ICertRecord;
+ import com.netscape.certsrv.dbs.certdb.ICertRecordList;
+ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.request.IRequest;
+@@ -153,11 +154,6 @@ public class EnrollServlet extends CMSServlet {
+             + "indeterminate reason for inability to process "
+             + "cert request due to an EBaseException"
+         };
+-    private final static String LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5";
+-    private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
+-
+     private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
+     private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
+ 
+@@ -766,7 +762,7 @@ public class EnrollServlet extends CMSServlet {
+                 //  an "agent" cert request for "bulk enrollment", or
+                 //  an "EE" standard cert request)
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                            AuditEvent.NON_PROFILE_CERT_REQUEST,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -829,7 +825,7 @@ public class EnrollServlet extends CMSServlet {
+                 //  an "agent" cert request for "bulk enrollment", or
+                 //  an "EE" standard cert request)
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                            AuditEvent.NON_PROFILE_CERT_REQUEST,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -872,7 +868,7 @@ public class EnrollServlet extends CMSServlet {
+                     //  an "agent" cert request for "bulk enrollment", or
+                     //  an "EE" standard cert request)
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -912,7 +908,7 @@ public class EnrollServlet extends CMSServlet {
+                     //  an "agent" cert request for "bulk enrollment", or
+                     //  an "EE" standard cert request)
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -969,7 +965,7 @@ public class EnrollServlet extends CMSServlet {
+                     //  an "agent" cert request for "bulk enrollment", or
+                     //  an "EE" standard cert request)
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1072,7 +1068,7 @@ public class EnrollServlet extends CMSServlet {
+                         //  certificate, an "agent" cert request for
+                         //  "bulk enrollment", or an "EE" standard cert request)
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                    AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -1102,7 +1098,7 @@ public class EnrollServlet extends CMSServlet {
+                         //  certificate, an "agent" cert request for
+                         //  "bulk enrollment", or an "EE" standard cert request)
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                    AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -1129,7 +1125,7 @@ public class EnrollServlet extends CMSServlet {
+                         //  certificate, an "agent" cert request for
+                         //  "bulk enrollment", or an "EE" standard cert request)
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                    AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -1177,7 +1173,7 @@ public class EnrollServlet extends CMSServlet {
+                         //  certificate, an "agent" cert request for
+                         //  "bulk enrollment", or an "EE" standard cert request)
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                    AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -1230,7 +1226,7 @@ public class EnrollServlet extends CMSServlet {
+                         //  certificate, an "agent" cert request for
+                         //  "bulk enrollment", or an "EE" standard cert request)
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                    AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -1279,7 +1275,7 @@ public class EnrollServlet extends CMSServlet {
+                 //  an "agent" cert request for "bulk enrollment", or
+                 //  an "EE" standard cert request)
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                            AuditEvent.NON_PROFILE_CERT_REQUEST,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -1322,7 +1318,7 @@ public class EnrollServlet extends CMSServlet {
+             //  an "agent" cert request for "bulk enrollment", or
+             //  an "EE" standard cert request)
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                        AuditEvent.NON_PROFILE_CERT_REQUEST,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRequesterID,
+@@ -1337,7 +1333,7 @@ public class EnrollServlet extends CMSServlet {
+             //  an "agent" cert request for "bulk enrollment", or
+             //  an "EE" standard cert request)
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                        AuditEvent.NON_PROFILE_CERT_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -1374,7 +1370,7 @@ public class EnrollServlet extends CMSServlet {
+                         // (automated "agent" cert request processed
+                         //  - "accepted")
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                    AuditEvent.CERT_REQUEST_PROCESSED,
+                                     auditSubjectID,
+                                     ILogger.SUCCESS,
+                                     auditRequesterID,
+@@ -1388,7 +1384,7 @@ public class EnrollServlet extends CMSServlet {
+ 
+                     // (automated "agent" cert request processed - "rejected")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1408,7 +1404,7 @@ public class EnrollServlet extends CMSServlet {
+             if (completed == false) {
+                 // (automated "agent" cert request processed - "rejected")
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                            AuditEvent.CERT_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -1464,7 +1460,7 @@ public class EnrollServlet extends CMSServlet {
+                 for (int i = 0; i < issuedCerts.length; i++) {
+                     // (automated "agent" cert request processed - "accepted")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+@@ -1487,7 +1483,7 @@ public class EnrollServlet extends CMSServlet {
+                 for (int i = 0; i < issuedCerts.length; i++) {
+                     // (automated "agent" cert request processed - "accepted")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+@@ -1504,7 +1500,7 @@ public class EnrollServlet extends CMSServlet {
+ 
+                 // (automated "agent" cert request processed - "rejected")
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                            AuditEvent.CERT_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -1520,7 +1516,7 @@ public class EnrollServlet extends CMSServlet {
+             // store a message in the signed audit log file
+             // (automated "agent" cert request processed - "rejected")
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                        AuditEvent.CERT_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+index 436e7a9..474a2e5 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+@@ -40,6 +40,7 @@ import com.netscape.certsrv.ca.AuthorityID;
+ import com.netscape.certsrv.ca.CANotFoundException;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.cert.CertReviewResponse;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EDeferException;
+ import com.netscape.certsrv.profile.EProfileException;
+@@ -283,7 +284,7 @@ public class RequestProcessor extends CertProcessor {
+ 
+         // store a message in the signed audit log file
+         auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                AuditEvent.CERT_REQUEST_PROCESSED,
+                 auditSubjectID,
+                 ILogger.SUCCESS,
+                 auditRequesterID,
+@@ -319,7 +320,7 @@ public class RequestProcessor extends CertProcessor {
+ 
+         // store a message in the signed audit log file
+         auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                AuditEvent.CERT_REQUEST_PROCESSED,
+                 auditSubjectID,
+                 ILogger.SUCCESS,
+                 auditRequesterID,
+@@ -399,7 +400,7 @@ public class RequestProcessor extends CertProcessor {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                    AuditEvent.CERT_REQUEST_PROCESSED,
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     auditRequesterID,
+@@ -411,7 +412,7 @@ public class RequestProcessor extends CertProcessor {
+         } catch (EProfileException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                    AuditEvent.CERT_REQUEST_PROCESSED,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditRequesterID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java
+index ffcda63..b90966e 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java
+@@ -36,6 +36,7 @@ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.dbs.certdb.CertId;
+ import com.netscape.certsrv.dbs.certdb.ICertRecord;
+ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+@@ -62,11 +63,6 @@ public class RevocationProcessor extends CertProcessor {
+     public final static String ON_HOLD = "on-hold";
+     public final static String OFF_HOLD = "off-hold";
+ 
+-    public final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
+-    public final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
+-
+     long startTime;
+ 
+     ICertificateAuthority authority;
+@@ -486,7 +482,7 @@ public class RevocationProcessor extends CertProcessor {
+             return;
+ 
+         String auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
++                AuditEvent.CERT_STATUS_CHANGE_REQUEST,
+                 auditor.getSubjectID(),
+                 status,
+                 requestID == null ? ILogger.UNIDENTIFIED : requestID.toString(),
+@@ -510,7 +506,7 @@ public class RevocationProcessor extends CertProcessor {
+                 || requestStatus == RequestStatus.CANCELED)) return;
+ 
+         String auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++                AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                 auditor.getSubjectID(),
+                 status,
+                 requestID == null ? ILogger.UNIDENTIFIED : requestID.toString(),
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
+index c2c6cde..150c36f 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
+@@ -73,6 +73,7 @@ import com.netscape.certsrv.base.ISubsystem;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.ldap.ILdapConnFactory;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+@@ -1495,7 +1496,7 @@ public class CRSEnrollment extends HttpServlet {
+ 
+                 // perform audit log
+                 String auditMessage = CMS.getLogMessage(
+-                            "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5",
++                            AuditEvent.NON_PROFILE_CERT_REQUEST,
+                             httpReq.getRemoteAddr(),
+                             ILogger.FAILURE,
+                             req.getTransactionID(),
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+index 014db79..2299e60 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+@@ -98,11 +98,6 @@ public class ConnectorServlet extends CMSServlet {
+ 
+     protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+     private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl";
+-    private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+-    private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
+-
+     private final static byte EOL[] = { Character.LINE_SEPARATOR };
+ 
+     public ConnectorServlet() {
+@@ -554,7 +549,7 @@ public class ConnectorServlet extends CMSServlet {
+ 
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
++                            AuditEvent.PROFILE_CERT_REQUEST,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditRequesterID,
+@@ -568,7 +563,7 @@ public class ConnectorServlet extends CMSServlet {
+ 
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
++                            AuditEvent.PROFILE_CERT_REQUEST,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -582,7 +577,7 @@ public class ConnectorServlet extends CMSServlet {
+ 
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
++                            AuditEvent.PROFILE_CERT_REQUEST,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -636,7 +631,7 @@ public class ConnectorServlet extends CMSServlet {
+                                    ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+                             // store a message in the signed audit log file
+                             auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                    AuditEvent.CERT_REQUEST_PROCESSED,
+                                     auditSubjectID,
+                                     ILogger.SUCCESS,
+                                     auditRequesterID,
+@@ -657,7 +652,7 @@ public class ConnectorServlet extends CMSServlet {
+                                    ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+                             // store a message in the signed audit log file
+                             auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                    AuditEvent.CERT_REQUEST_PROCESSED,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index d5a9c4d..5669233 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -117,8 +117,6 @@ public class CAProcessor extends Processor {
+     public static final String ACL_INFO = "ACLinfo";
+     public static final String PROFILE_SUB_ID = "profileSubId";
+ 
+-    public final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
+     public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
+             "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
+     public final static String SIGNED_AUDIT_CERT_REQUEST_REASON =
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index c233e41..fd155a6 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -44,6 +44,7 @@ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.authorization.AuthzToken;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EDeferException;
+ import com.netscape.certsrv.profile.EProfileException;
+@@ -83,9 +84,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+     private String mProfileSubId = null;
+     private String requestB64 = null;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
+-
+     public ProfileSubmitCMCServlet() {
+     }
+ 
+@@ -682,7 +680,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                                     ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+                             // store a message in the signed audit log file
+                             auditMessage = CMS.getLogMessage(
+-                                        LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                        AuditEvent.CERT_REQUEST_PROCESSED,
+                                         auditSubjectID,
+                                         ILogger.SUCCESS,
+                                         auditRequesterID,
+@@ -738,7 +736,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                     if (errorCode.equals("1")) {
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                    AuditEvent.CERT_REQUEST_PROCESSED,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -753,7 +751,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                     } else if (errorCode.equals("3")) {
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                    AuditEvent.CERT_REQUEST_PROCESSED,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -787,7 +785,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                                 ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+                             // store a message in the signed audit log file
+                             auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                    AuditEvent.CERT_REQUEST_PROCESSED,
+                                     auditSubjectID,
+                                     ILogger.SUCCESS,
+                                     auditRequesterID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
+index 367c558..d15774e 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
+@@ -35,21 +35,6 @@ import javax.servlet.ServletOutputStream;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+ 
+-import netscape.security.extensions.NSCertTypeExtension;
+-import netscape.security.extensions.PresenceServerExtension;
+-import netscape.security.util.DerValue;
+-import netscape.security.x509.AlgorithmId;
+-import netscape.security.x509.BasicConstraintsExtension;
+-import netscape.security.x509.CertificateAlgorithmId;
+-import netscape.security.x509.CertificateExtensions;
+-import netscape.security.x509.CertificateSubjectName;
+-import netscape.security.x509.CertificateValidity;
+-import netscape.security.x509.CertificateVersion;
+-import netscape.security.x509.Extension;
+-import netscape.security.x509.X500Name;
+-import netscape.security.x509.X509CertImpl;
+-import netscape.security.x509.X509CertInfo;
+-
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.authentication.AuthToken;
+ import com.netscape.certsrv.authentication.IAuthToken;
+@@ -62,6 +47,7 @@ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.ICMSRequest;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+@@ -80,6 +66,21 @@ import com.netscape.cms.servlet.common.CMSTemplateParams;
+ import com.netscape.cms.servlet.common.ECMSGWException;
+ import com.netscape.cmsutil.util.Utils;
+ 
++import netscape.security.extensions.NSCertTypeExtension;
++import netscape.security.extensions.PresenceServerExtension;
++import netscape.security.util.DerValue;
++import netscape.security.x509.AlgorithmId;
++import netscape.security.x509.BasicConstraintsExtension;
++import netscape.security.x509.CertificateAlgorithmId;
++import netscape.security.x509.CertificateExtensions;
++import netscape.security.x509.CertificateSubjectName;
++import netscape.security.x509.CertificateValidity;
++import netscape.security.x509.CertificateVersion;
++import netscape.security.x509.Extension;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertImpl;
++import netscape.security.x509.X509CertInfo;
++
+ /**
+  * Agent operations on Certificate requests. This servlet is used
+  * by an Agent to approve, reject, reassign, or change a certificate
+@@ -170,10 +171,6 @@ public class ProcessCertReq extends CMSServlet {
+             + "indeterminate reason for inability to process "
+             + "cert request due to a NoSuchAlgorithmException"
+         };
+-    private final static String LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5";
+-    private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
+ 
+     /**
+      * Process request.
+@@ -457,7 +454,7 @@ public class ProcessCertReq extends CMSServlet {
+                     if (toDo.equals(SIGNED_AUDIT_CLONING)) {
+                         // ("agent" cert request for "cloning")
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                    AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -468,7 +465,7 @@ public class ProcessCertReq extends CMSServlet {
+                     } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+                         // (manual "agent" cert request processed - "accepted")
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                    AuditEvent.CERT_REQUEST_PROCESSED,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -479,7 +476,7 @@ public class ProcessCertReq extends CMSServlet {
+                     } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+                         // (manual "agent" cert request processed - "cancelled")
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                    AuditEvent.CERT_REQUEST_PROCESSED,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -490,7 +487,7 @@ public class ProcessCertReq extends CMSServlet {
+                     } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+                         // (manual "agent" cert request processed - "rejected")
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                    AuditEvent.CERT_REQUEST_PROCESSED,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -940,7 +937,7 @@ public class ProcessCertReq extends CMSServlet {
+                                 // (one for each manual "agent"
+                                 //  cert request processed - "accepted")
+                                 auditMessage = CMS.getLogMessage(
+-                                            LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                            AuditEvent.CERT_REQUEST_PROCESSED,
+                                             auditSubjectID,
+                                             ILogger.SUCCESS,
+                                             auditRequesterID,
+@@ -984,7 +981,7 @@ public class ProcessCertReq extends CMSServlet {
+                             // (manual "agent" cert request processed
+                             //  - "accepted")
+                             auditMessage = CMS.getLogMessage(
+-                                        LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                        AuditEvent.CERT_REQUEST_PROCESSED,
+                                         auditSubjectID,
+                                         ILogger.SUCCESS,
+                                         auditRequesterID,
+@@ -1109,7 +1106,7 @@ public class ProcessCertReq extends CMSServlet {
+                     // store a message in the signed audit log file
+                     // (manual "agent" cert request processed - "rejected")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+@@ -1171,7 +1168,7 @@ public class ProcessCertReq extends CMSServlet {
+                     // store a message in the signed audit log file
+                     // (manual "agent" cert request processed - "cancelled")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+@@ -1238,7 +1235,7 @@ public class ProcessCertReq extends CMSServlet {
+                     // store a message in the signed audit log file
+                     // ("agent" cert request for "cloning")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+@@ -1271,7 +1268,7 @@ public class ProcessCertReq extends CMSServlet {
+                 if (toDo.equals(SIGNED_AUDIT_CLONING)) {
+                     // ("agent" cert request for "cloning")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1282,7 +1279,7 @@ public class ProcessCertReq extends CMSServlet {
+                 } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+                     // (manual "agent" cert request processed - "accepted")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1293,7 +1290,7 @@ public class ProcessCertReq extends CMSServlet {
+                 } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+                     // (manual "agent" cert request processed - "cancelled")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1304,7 +1301,7 @@ public class ProcessCertReq extends CMSServlet {
+                 } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+                     // (manual "agent" cert request processed - "rejected")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1324,7 +1321,7 @@ public class ProcessCertReq extends CMSServlet {
+                 if (toDo.equals(SIGNED_AUDIT_CLONING)) {
+                     // ("agent" cert request for "cloning")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1335,7 +1332,7 @@ public class ProcessCertReq extends CMSServlet {
+                 } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+                     // (manual "agent" cert request processed - "accepted")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1346,7 +1343,7 @@ public class ProcessCertReq extends CMSServlet {
+                 } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+                     // (manual "agent" cert request processed - "cancelled")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1357,7 +1354,7 @@ public class ProcessCertReq extends CMSServlet {
+                 } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+                     // (manual "agent" cert request processed - "rejected")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1378,7 +1375,7 @@ public class ProcessCertReq extends CMSServlet {
+                 if (toDo.equals(SIGNED_AUDIT_CLONING)) {
+                     // ("agent" cert request for "cloning")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1389,7 +1386,7 @@ public class ProcessCertReq extends CMSServlet {
+                 } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+                     // (manual "agent" cert request processed - "accepted")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1400,7 +1397,7 @@ public class ProcessCertReq extends CMSServlet {
+                 } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+                     // (manual "agent" cert request processed - "cancelled")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1411,7 +1408,7 @@ public class ProcessCertReq extends CMSServlet {
+                 } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+                     // (manual "agent" cert request processed - "rejected")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1432,7 +1429,7 @@ public class ProcessCertReq extends CMSServlet {
+                 if (toDo.equals(SIGNED_AUDIT_CLONING)) {
+                     // ("agent" cert request for "cloning")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
++                                AuditEvent.NON_PROFILE_CERT_REQUEST,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1443,7 +1440,7 @@ public class ProcessCertReq extends CMSServlet {
+                 } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+                     // (manual "agent" cert request processed - "accepted")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1454,7 +1451,7 @@ public class ProcessCertReq extends CMSServlet {
+                 } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+                     // (manual "agent" cert request processed - "cancelled")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -1465,7 +1462,7 @@ public class ProcessCertReq extends CMSServlet {
+                 } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+                     // (manual "agent" cert request processed - "rejected")
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
++                                AuditEvent.CERT_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+-- 
+1.8.3.1
+
+
+From e0b3e36b6737e872e479624780497373765600f4 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 12 Apr 2017 04:58:25 +0200
+Subject: [PATCH 47/59] Reorganized additional audit event constants for KRA.
+
+Change-Id: Ib4586443f7e6f759d227975f9736cdd30b8f32e8
+---
+ base/ca/src/com/netscape/ca/CAService.java         | 67 +++++++++++-----------
+ .../com/netscape/certsrv/logging/AuditEvent.java   | 27 +++++++++
+ .../src/com/netscape/kra/EnrollmentService.java    | 32 +++++------
+ .../src/com/netscape/kra/KeyRecoveryAuthority.java | 42 +++++---------
+ .../src/com/netscape/kra/NetkeyKeygenService.java  | 31 +++-------
+ .../com/netscape/kra/TokenKeyRecoveryService.java  | 36 ++++++------
+ .../cms/profile/common/CAEnrollProfile.java        | 12 ++--
+ .../cms/servlet/admin/CMSAdminServlet.java         | 11 ++--
+ .../com/netscape/cms/servlet/key/GetAsyncPk12.java | 11 +---
+ .../src/com/netscape/cms/servlet/key/GetPk12.java  | 11 +---
+ .../cms/servlet/key/GrantAsyncRecovery.java        | 10 ++--
+ .../netscape/cms/servlet/key/GrantRecovery.java    | 12 ++--
+ 12 files changed, 138 insertions(+), 164 deletions(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
+index 31df153..5b364b8 100644
+--- a/base/ca/src/com/netscape/ca/CAService.java
++++ b/base/ca/src/com/netscape/ca/CAService.java
+@@ -31,33 +31,6 @@ import java.util.Enumeration;
+ import java.util.Hashtable;
+ import java.util.Vector;
+ 
+-import netscape.security.extensions.CertInfo;
+-import netscape.security.util.BigInt;
+-import netscape.security.util.DerValue;
+-import netscape.security.x509.AlgorithmId;
+-import netscape.security.x509.BasicConstraintsExtension;
+-import netscape.security.x509.CRLExtensions;
+-import netscape.security.x509.CRLReasonExtension;
+-import netscape.security.x509.CertificateAlgorithmId;
+-import netscape.security.x509.CertificateChain;
+-import netscape.security.x509.CertificateExtensions;
+-import netscape.security.x509.CertificateIssuerName;
+-import netscape.security.x509.CertificateSerialNumber;
+-import netscape.security.x509.CertificateSubjectName;
+-import netscape.security.x509.CertificateValidity;
+-import netscape.security.x509.Extension;
+-import netscape.security.x509.LdapV3DNStrConverter;
+-import netscape.security.x509.PKIXExtensions;
+-import netscape.security.x509.RevocationReason;
+-import netscape.security.x509.RevokedCertImpl;
+-import netscape.security.x509.SerialNumber;
+-import netscape.security.x509.X500Name;
+-import netscape.security.x509.X500NameAttrMap;
+-import netscape.security.x509.X509CRLImpl;
+-import netscape.security.x509.X509CertImpl;
+-import netscape.security.x509.X509CertInfo;
+-import netscape.security.x509.X509ExtensionException;
+-
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.authority.IAuthority;
+ import com.netscape.certsrv.authority.ICertAuthority;
+@@ -77,6 +50,7 @@ import com.netscape.certsrv.dbs.ModificationSet;
+ import com.netscape.certsrv.dbs.certdb.ICertRecord;
+ import com.netscape.certsrv.dbs.certdb.ICertRecordList;
+ import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.IProfile;
+@@ -95,6 +69,33 @@ import com.netscape.cmscore.dbs.RevocationInfo;
+ import com.netscape.cmscore.util.Debug;
+ import com.netscape.cmsutil.util.Utils;
+ 
++import netscape.security.extensions.CertInfo;
++import netscape.security.util.BigInt;
++import netscape.security.util.DerValue;
++import netscape.security.x509.AlgorithmId;
++import netscape.security.x509.BasicConstraintsExtension;
++import netscape.security.x509.CRLExtensions;
++import netscape.security.x509.CRLReasonExtension;
++import netscape.security.x509.CertificateAlgorithmId;
++import netscape.security.x509.CertificateChain;
++import netscape.security.x509.CertificateExtensions;
++import netscape.security.x509.CertificateIssuerName;
++import netscape.security.x509.CertificateSerialNumber;
++import netscape.security.x509.CertificateSubjectName;
++import netscape.security.x509.CertificateValidity;
++import netscape.security.x509.Extension;
++import netscape.security.x509.LdapV3DNStrConverter;
++import netscape.security.x509.PKIXExtensions;
++import netscape.security.x509.RevocationReason;
++import netscape.security.x509.RevokedCertImpl;
++import netscape.security.x509.SerialNumber;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X500NameAttrMap;
++import netscape.security.x509.X509CRLImpl;
++import netscape.security.x509.X509CertImpl;
++import netscape.security.x509.X509CertInfo;
++import netscape.security.x509.X509ExtensionException;
++
+ /**
+  * Request Service for CertificateAuthority.
+  */
+@@ -115,8 +116,6 @@ public class CAService implements ICAService, IService {
+     private Hashtable<String, ICRLIssuingPoint> mCRLIssuingPoints = new Hashtable<String, ICRLIssuingPoint>();
+ 
+     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+ 
+     public CAService(ICertificateAuthority ca) {
+         mCA = ca;
+@@ -422,7 +421,7 @@ public class CAService implements ICAService, IService {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRequesterID,
+@@ -441,7 +440,7 @@ public class CAService implements ICAService, IService {
+ 
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                                AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -459,7 +458,7 @@ public class CAService implements ICAService, IService {
+                     if (request.getExtDataInString(IRequest.ERROR) != null) {
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                                AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -486,7 +485,7 @@ public class CAService implements ICAService, IService {
+             if (!(type.equals(IRequest.REVOCATION_REQUEST) ||
+                     type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) {
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -506,7 +505,7 @@ public class CAService implements ICAService, IService {
+                 type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                    AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     auditRequesterID,
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 39314df..dc434fa 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,33 @@ import com.netscape.certsrv.base.MessageFormatter;
+  */
+ public class AuditEvent implements IBundleLogEvent {
+ 
++    public final static String PRIVATE_KEY_ARCHIVE_REQUEST =
++            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
++    public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
++            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
++    public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
++    public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
++            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
++    public final static String SERVER_SIDE_KEYGEN_REQUEST =
++            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3";
++    public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4";
++    public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE =
++            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3";
++    public final static String KEY_RECOVERY_REQUEST =
++            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
++    public final static String KEY_RECOVERY_REQUEST_ASYNC =
++            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4";
++    public final static String KEY_RECOVERY_AGENT_LOGIN =
++            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4";
++    public final static String KEY_RECOVERY_REQUEST_PROCESSED =
++            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
++    public final static String KEY_RECOVERY_REQUEST_PROCESSED_ASYNC =
++            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4";
++    public final static String KEY_GEN_ASYMMETRIC =
++            "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3";
++
+     public final static String NON_PROFILE_CERT_REQUEST =
+             "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5";
+     public final static String PROFILE_CERT_REQUEST =
+diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
+index 36a809b..d2748a2 100644
+--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
+@@ -48,6 +48,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+ import com.netscape.certsrv.kra.EKRAException;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.kra.ProofOfArchival;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+@@ -102,11 +103,6 @@ public class EnrollmentService implements IService {
+     private IStorageKeyUnit mStorageUnit = null;
+     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
+-
+     /**
+      * Constructs request processor.
+      * <P>
+@@ -205,7 +201,7 @@ public class EnrollmentService implements IService {
+             } catch (IOException e) {
+ 
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -253,7 +249,7 @@ public class EnrollmentService implements IService {
+                     mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
+ 
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -289,7 +285,7 @@ public class EnrollmentService implements IService {
+                         CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+ 
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -331,7 +327,7 @@ public class EnrollmentService implements IService {
+                     mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
+ 
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+@@ -352,7 +348,7 @@ public class EnrollmentService implements IService {
+                         CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+ 
+                     auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -377,7 +373,7 @@ public class EnrollmentService implements IService {
+                 mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND"));
+ 
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -412,7 +408,7 @@ public class EnrollmentService implements IService {
+                 mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
+ 
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -439,7 +435,7 @@ public class EnrollmentService implements IService {
+                 } catch (InvalidKeyException e) {
+ 
+                     auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -489,7 +485,7 @@ public class EnrollmentService implements IService {
+                                 rec.getSerialNumber().toString()));
+ 
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -511,7 +507,7 @@ public class EnrollmentService implements IService {
+                 mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters");
+                 // TODO(alee) Set correct audit message here
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -529,7 +525,7 @@ public class EnrollmentService implements IService {
+                         CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
+ 
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -586,7 +582,7 @@ public class EnrollmentService implements IService {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRequesterID,
+@@ -597,7 +593,7 @@ public class EnrollmentService implements IService {
+             // store a message in the signed audit log file
+             auditPublicKey = auditPublicKey(rec);
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditPublicKey);
+diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+index 64680ed..b6e4376 100644
+--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+@@ -46,6 +46,7 @@ import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.kra.IKeyService;
+ import com.netscape.certsrv.listeners.EListenersException;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.request.ARequestNotifier;
+ import com.netscape.certsrv.request.IPolicy;
+@@ -137,19 +138,6 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+     private final static byte EOL[] = { Character.LINE_SEPARATOR };
+     private final static String SIGNED_AUDIT_AGENT_DELIMITER = ", ";
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
+-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
+-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC =
+-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4";
+-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
+-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC =
+-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4";
+-
+     /**
+      * Constructs an escrow authority.
+      * <P>
+@@ -777,7 +765,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRequesterID,
+@@ -787,7 +775,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+@@ -808,7 +796,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditPublicKey);
+@@ -817,7 +805,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
++                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditPublicKey);
+@@ -859,7 +847,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC,
++                        AuditEvent.KEY_RECOVERY_REQUEST_ASYNC,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRecoveryID,
+@@ -869,7 +857,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC,
++                        AuditEvent.KEY_RECOVERY_REQUEST_ASYNC,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -1049,7 +1037,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
++                        AuditEvent.KEY_RECOVERY_REQUEST,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRecoveryID,
+@@ -1059,7 +1047,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
++                        AuditEvent.KEY_RECOVERY_REQUEST,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -1083,7 +1071,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditRecoveryID,
+@@ -1097,7 +1085,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+             } else {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRecoveryID,
+@@ -1110,7 +1098,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -1178,7 +1166,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
++                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditRecoveryID,
+@@ -1192,7 +1180,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+             } else {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
++                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRecoveryID,
+@@ -1205,7 +1193,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
++                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index 3f5e32f..665ff19 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -55,6 +55,7 @@ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+@@ -91,22 +92,6 @@ public class NetkeyKeygenService implements IService {
+     public final static String ATTR_PROOF_OF_ARCHIVAL =
+             "proofOfArchival";
+ 
+-    // private
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
+-    // these need to be defined in LogMessages_en.properties later when we do this
+-    private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3";
+-    private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4";
+-    private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE =
+-            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3";
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
+     private IKeyRecoveryAuthority mKRA = null;
+     private ITransportKeyUnit mTransportUnit = null;
+     private IStorageKeyUnit mStorageUnit = null;
+@@ -384,7 +369,7 @@ public class NetkeyKeygenService implements IService {
+         }
+ 
+         auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST,
++                AuditEvent.SERVER_SIDE_KEYGEN_REQUEST,
+                 agentId,
+                 ILogger.SUCCESS,
+                 auditSubjectID);
+@@ -455,7 +440,7 @@ public class NetkeyKeygenService implements IService {
+                 request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ 
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,
++                        AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,
+                         agentId,
+                         ILogger.FAILURE,
+                         auditSubjectID);
+@@ -487,7 +472,7 @@ public class NetkeyKeygenService implements IService {
+                 }
+ 
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,
++                        AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,
+                         agentId,
+                         ILogger.SUCCESS,
+                         auditSubjectID,
+@@ -550,7 +535,7 @@ public class NetkeyKeygenService implements IService {
+                     request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+                     CMS.debug("NetkeyKeygenService: failed generating wrapped private key");
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
++                            AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
+                             agentId,
+                             ILogger.FAILURE,
+                             auditSubjectID,
+@@ -561,7 +546,7 @@ public class NetkeyKeygenService implements IService {
+                 } else {
+                     request.setExtData("wrappedUserPrivate", wrappedPrivKeyString);
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
++                            AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
+                             agentId,
+                             ILogger.SUCCESS,
+                             auditSubjectID,
+@@ -586,7 +571,7 @@ public class NetkeyKeygenService implements IService {
+                     //            mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private");
+ 
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                             agentId,
+                             ILogger.SUCCESS,
+                             auditSubjectID,
+@@ -680,7 +665,7 @@ public class NetkeyKeygenService implements IService {
+                     CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid);
+ 
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
++                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+                             agentId,
+                             ILogger.SUCCESS,
+                             PubKey);
+diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+index b084964..b710291 100644
+--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+@@ -45,6 +45,7 @@ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+ import com.netscape.certsrv.kra.EKRAException;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+@@ -89,11 +90,6 @@ public class TokenKeyRecoveryService implements IService {
+     private IStorageKeyUnit mStorageUnit = null;
+     private ITransportKeyUnit mTransportUnit = null;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
+-
+-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
+     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+ 
+     /**
+@@ -271,7 +267,7 @@ public class TokenKeyRecoveryService implements IService {
+             CMS.debug("TokenKeyRecoveryService: not receive des key");
+             request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -289,7 +285,7 @@ public class TokenKeyRecoveryService implements IService {
+             CMS.debug("TokenKeyRecoveryService: not receive cert or keyid");
+             request.setExtData(IRequest.RESULT, Integer.valueOf(3));
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -310,7 +306,7 @@ public class TokenKeyRecoveryService implements IService {
+                     CMS.debug("cert mapping failed");
+                     request.setExtData(IRequest.RESULT, Integer.valueOf(5));
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRecoveryID,
+@@ -323,7 +319,7 @@ public class TokenKeyRecoveryService implements IService {
+                 CMS.debug("TokenKeyRecoveryService: mapCert failed");
+                 request.setExtData(IRequest.RESULT, Integer.valueOf(6));
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -362,7 +358,7 @@ public class TokenKeyRecoveryService implements IService {
+                     CMS.debug("key record not found");
+                     request.setExtData(IRequest.RESULT, Integer.valueOf(8));
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRecoveryID,
+@@ -375,7 +371,7 @@ public class TokenKeyRecoveryService implements IService {
+                 com.netscape.cmscore.util.Debug.printStackTrace(e);
+                 request.setExtData(IRequest.RESULT, Integer.valueOf(9));
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -409,7 +405,7 @@ public class TokenKeyRecoveryService implements IService {
+                 if (inputPubData.length != pubData.length) {
+                     mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRecoveryID,
+@@ -424,7 +420,7 @@ public class TokenKeyRecoveryService implements IService {
+                     if (pubData[i] != inputPubData[i]) {
+                         mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+                         auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                                AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRecoveryID,
+@@ -447,7 +443,7 @@ public class TokenKeyRecoveryService implements IService {
+                     request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+                     CMS.debug("TokenKeyRecoveryService: failed getting private key");
+                     auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -477,7 +473,7 @@ public class TokenKeyRecoveryService implements IService {
+                     mKRA.log(ILogger.LL_FAILURE,
+                         CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+                     auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -503,7 +499,7 @@ public class TokenKeyRecoveryService implements IService {
+                     request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+                     CMS.debug("TokenKeyRecoveryService: failed getting private key");
+                     auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -533,7 +529,7 @@ public class TokenKeyRecoveryService implements IService {
+                 request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+                 CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key");
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -561,7 +557,7 @@ public class TokenKeyRecoveryService implements IService {
+             }
+ 
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
++                    AuditEvent.KEY_RECOVERY_REQUEST,
+                     auditSubjectID,
+                         ILogger.SUCCESS,
+                     auditRecoveryID,
+@@ -573,7 +569,7 @@ public class TokenKeyRecoveryService implements IService {
+                 request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+                 CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded");
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -588,7 +584,7 @@ public class TokenKeyRecoveryService implements IService {
+             }
+             request.setExtData("public_key", PubKey);
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
++                    AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     auditRecoveryID,
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
+index 44c1245..02aa8c8 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
+@@ -29,6 +29,7 @@ import com.netscape.certsrv.ca.AuthorityID;
+ import com.netscape.certsrv.ca.ICAService;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.connector.IConnector;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+@@ -49,9 +50,6 @@ import netscape.security.x509.X509CertInfo;
+  */
+ public class CAEnrollProfile extends EnrollProfile {
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+-
+     public CAEnrollProfile() {
+     }
+ 
+@@ -120,7 +118,7 @@ public class CAEnrollProfile extends EnrollProfile {
+                                 "not configured");
+ 
+                         auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                                AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+@@ -135,7 +133,7 @@ public class CAEnrollProfile extends EnrollProfile {
+                         // check response
+                         if (!request.isSuccess()) {
+                             auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                                    AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+@@ -153,7 +151,7 @@ public class CAEnrollProfile extends EnrollProfile {
+                         }
+ 
+                         auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                                AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+@@ -170,7 +168,7 @@ public class CAEnrollProfile extends EnrollProfile {
+                     CMS.debug(e);
+ 
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
++                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+index 2c3c6be..3e73dc6 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+@@ -60,6 +60,7 @@ import com.netscape.certsrv.common.ScopeDef;
+ import com.netscape.certsrv.dbs.certdb.ICertRecord;
+ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.ocsp.IOCSPAuthority;
+ import com.netscape.certsrv.ra.IRegistrationAuthority;
+@@ -109,8 +110,6 @@ public final class CMSAdminServlet extends AdminServlet {
+             "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3";
+     private final static String LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY =
+             "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3";
+-    private final static String LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC =
+-            "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3";
+     private final static String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION =
+             "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2";
+     private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION =
+@@ -1142,7 +1141,7 @@ public final class CMSAdminServlet extends AdminServlet {
+                 if (nickname.equals("")) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC,
++                                AuditEvent.KEY_GEN_ASYMMETRIC,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditPublicKey);
+@@ -1205,7 +1204,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC,
++                        AuditEvent.KEY_GEN_ASYMMETRIC,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditPublicKey);
+@@ -1217,7 +1216,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC,
++                        AuditEvent.KEY_GEN_ASYMMETRIC,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditPublicKey);
+@@ -1229,7 +1228,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC,
++                        AuditEvent.KEY_GEN_ASYMMETRIC,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditPublicKey);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java
+index 773b91e..f0065e1 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java
+@@ -35,6 +35,7 @@ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.common.CMSRequest;
+@@ -64,12 +65,6 @@ public class GetAsyncPk12 extends CMSServlet {
+ 
+     private com.netscape.certsrv.kra.IKeyService mService = null;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
+-
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
+-
+     private String mFormPath = null;
+ 
+     /**
+@@ -213,7 +208,7 @@ public class GetAsyncPk12 extends CMSServlet {
+                     mRenderResult = false;
+ 
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
++                            AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
+                             agent,
+                             ILogger.SUCCESS,
+                             reqID,
+@@ -239,7 +234,7 @@ public class GetAsyncPk12 extends CMSServlet {
+ 
+         if ((agent != null) && (reqID != null)) {
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
++                    AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
+                     agent,
+                     ILogger.FAILURE,
+                     reqID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java
+index c79a82f..9bb52cd 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java
+@@ -36,6 +36,7 @@ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.common.CMSRequest;
+@@ -63,12 +64,6 @@ public class GetPk12 extends CMSServlet {
+ 
+     private com.netscape.certsrv.kra.IKeyService mService = null;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
+-
+-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
+-
+     private String mFormPath = null;
+ 
+     /**
+@@ -207,7 +202,7 @@ public class GetPk12 extends CMSServlet {
+                     mRenderResult = false;
+ 
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
++                            AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
+                             agent,
+                             ILogger.SUCCESS,
+                             recoveryID,
+@@ -233,7 +228,7 @@ public class GetPk12 extends CMSServlet {
+ 
+         if ((agent != null) && (recoveryID != null)) {
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
++                    AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
+                     agent,
+                     ILogger.FAILURE,
+                     recoveryID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java
+index 4100391..c410525 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java
+@@ -34,6 +34,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.kra.IKeyService;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.common.CMSRequest;
+@@ -61,9 +62,6 @@ public class GrantAsyncRecovery extends CMSServlet {
+     private IKeyService mService = null;
+     private String mFormPath = null;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN =
+-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4";
+-
+     /**
+      * Constructs EA servlet.
+      */
+@@ -237,7 +235,7 @@ public class GrantAsyncRecovery extends CMSServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
++                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRequestID,
+@@ -250,7 +248,7 @@ public class GrantAsyncRecovery extends CMSServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
++                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequestID,
+@@ -262,7 +260,7 @@ public class GrantAsyncRecovery extends CMSServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
++                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequestID,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java
+index 9d57fbe..47054d9 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java
+@@ -36,6 +36,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.kra.IKeyService;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.common.CMSRequest;
+@@ -64,9 +65,6 @@ public class GrantRecovery extends CMSServlet {
+     private IKeyService mService = null;
+     private String mFormPath = null;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN =
+-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4";
+-
+     /**
+      * Constructs EA servlet.
+      */
+@@ -243,7 +241,7 @@ public class GrantRecovery extends CMSServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
++                            AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRecoveryID,
+@@ -266,7 +264,7 @@ public class GrantRecovery extends CMSServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
++                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRecoveryID,
+@@ -279,7 +277,7 @@ public class GrantRecovery extends CMSServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
++                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+@@ -291,7 +289,7 @@ public class GrantRecovery extends CMSServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
++                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+-- 
+1.8.3.1
+
+
+From 20a307e4683e62b033f7662ed4aa2f18dfad6226 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 12 Apr 2017 05:23:15 +0200
+Subject: [PATCH 48/59] Reorganized audit event constants for configuration.
+
+Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
+---
+ .../dogtagpki/server/ca/rest/ProfileService.java   |   5 +-
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  37 ++++++
+ .../src/com/netscape/certsrv/logging/IAuditor.java |   3 -
+ .../cms/src/com/netscape/cms/logging/LogFile.java  |  10 +-
+ .../com/netscape/cms/logging/RollingLogFile.java   |   8 +-
+ .../cms/profile/updater/SubsystemGroupUpdater.java |  14 +--
+ .../cms/servlet/admin/ACLAdminServlet.java         |  38 +++----
+ .../netscape/cms/servlet/admin/AdminServlet.java   |  10 +-
+ .../cms/servlet/admin/AuthAdminServlet.java        |  96 ++++++++--------
+ .../netscape/cms/servlet/admin/CAAdminServlet.java |  50 ++++-----
+ .../cms/servlet/admin/CMSAdminServlet.java         |  86 +++++++-------
+ .../cms/servlet/admin/GroupMemberProcessor.java    |   4 +-
+ .../cms/servlet/admin/KRAAdminServlet.java         |   8 +-
+ .../cms/servlet/admin/LogAdminServlet.java         | 113 +++++++++----------
+ .../cms/servlet/admin/OCSPAdminServlet.java        |  22 ++--
+ .../cms/servlet/admin/PolicyAdminServlet.java      |  62 +++++------
+ .../cms/servlet/admin/ProfileAdminServlet.java     | 124 ++++++++++-----------
+ .../cms/servlet/admin/UsrGrpAdminServlet.java      | 120 ++++++++++----------
+ .../com/netscape/cms/servlet/base/CMSServlet.java  |  17 ++-
+ .../netscape/cms/servlet/csadmin/RegisterUser.java |  14 +--
+ .../servlet/csadmin/SecurityDomainProcessor.java   |   4 +-
+ .../cms/servlet/csadmin/UpdateDomainXML.java       |  11 +-
+ .../cms/servlet/processors/CAProcessor.java        |  14 +--
+ .../org/dogtagpki/server/rest/AuditService.java    |   3 +-
+ .../org/dogtagpki/server/rest/GroupService.java    |   4 +-
+ .../src/org/dogtagpki/server/rest/UserService.java |   6 +-
+ .../src/com/netscape/cmscore/cert/CertUtils.java   |  18 ++-
+ .../cmscore/selftests/SelfTestSubsystem.java       |   9 +-
+ 28 files changed, 445 insertions(+), 465 deletions(-)
+
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+index eae68ef..be61892 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+@@ -90,9 +90,6 @@ public class ProfileService extends SubsystemService implements ProfileResource
+     private IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID);
+     private IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
+-
+     @Override
+     public Response listProfiles(Integer start, Integer size) {
+ 
+@@ -1198,7 +1195,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
+ 
+     public void auditProfileChange(String scope, String type, String id, String status, Map<String, String> params) {
+         String msg = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                AuditEvent.CONFIG_CERT_PROFILE,
+                 auditor.getSubjectID(),
+                 status,
+                 auditor.getParamString(scope, type, id, params));
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index dc434fa..716e0d4 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -35,6 +35,43 @@ import com.netscape.certsrv.base.MessageFormatter;
+  */
+ public class AuditEvent implements IBundleLogEvent {
+ 
++    public final static String AUDIT_LOG_STARTUP =
++            "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2";
++    public final static String AUDIT_LOG_SHUTDOWN =
++            "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2";
++    public final static String CIMC_CERT_VERIFICATION =
++            "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3";
++    public final static String ROLE_ASSUME =
++            "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
++    public final static String CONFIG_CERT_POLICY =
++            "LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3";
++    public final static String CONFIG_CERT_PROFILE =
++            "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
++    public final static String CONFIG_CRL_PROFILE =
++            "LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3";
++    public final static String CONFIG_OCSP_PROFILE =
++            "LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3";
++    public final static String CONFIG_AUTH =
++            "LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3";
++    public final static String CONFIG_ROLE =
++            "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
++    public final static String CONFIG_ACL =
++            "LOGGING_SIGNED_AUDIT_CONFIG_ACL_3";
++    public final static String CONFIG_SIGNED_AUDIT =
++            "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3";
++    public final static String CONFIG_ENCRYPTION =
++            "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3";
++    public final static String CONFIG_TRUSTED_PUBLIC_KEY =
++            "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3";
++    public final static String CONFIG_DRM =
++            "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3";
++    public final static String SELFTESTS_EXECUTION =
++            "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2";
++    public final static String AUDIT_LOG_DELETE =
++            "LOGGING_SIGNED_AUDIT_LOG_DELETE_3";
++    public final static String LOG_PATH_CHANGE =
++            "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4";
++
+     public final static String PRIVATE_KEY_ARCHIVE_REQUEST =
+             "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+     public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
+diff --git a/base/common/src/com/netscape/certsrv/logging/IAuditor.java b/base/common/src/com/netscape/certsrv/logging/IAuditor.java
+index 1d31a8c..216015f 100644
+--- a/base/common/src/com/netscape/certsrv/logging/IAuditor.java
++++ b/base/common/src/com/netscape/certsrv/logging/IAuditor.java
+@@ -25,9 +25,6 @@ import java.util.Map;
+  */
+ public interface IAuditor {
+ 
+-    public final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
+-
+     public final static String SIGNED_AUDIT_SCOPE = "Scope";
+     public final static String SIGNED_AUDIT_OPERATION = "Operation";
+     public final static String SIGNED_AUDIT_RESOURCE = "Resource";
+diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+index fdf3f83..989fece 100644
+--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
++++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+@@ -102,10 +102,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
+     static final String PROP_BUFFER_SIZE = "bufferSize";
+     static final String PROP_FLUSH_INTERVAL = "flushInterval";
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP =
+-                               "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2";
+-    private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN =
+-                               "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2";
+     private final static String LOG_SIGNED_AUDIT_EXCEPTION =
+                                "LOG_SIGNED_AUDIT_EXCEPTION_1";
+ 
+@@ -647,12 +643,12 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
+             try {
+                 setupSigning();
+                 audit(CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP,
++                        AuditEvent.AUDIT_LOG_STARTUP,
+                         ILogger.SYSTEM_UID,
+                         ILogger.SUCCESS));
+             } catch (EBaseException e) {
+                 audit(CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP,
++                        AuditEvent.AUDIT_LOG_STARTUP,
+                         ILogger.SYSTEM_UID,
+                         ILogger.FAILURE));
+                 throw e;
+@@ -872,7 +868,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
+ 
+         // log signed audit shutdown success
+         auditMessage = CMS.getLogMessage(
+-                           LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN,
++                           AuditEvent.AUDIT_LOG_SHUTDOWN,
+                            ILogger.SYSTEM_UID,
+                            ILogger.SUCCESS);
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+index fb70f46..5d2cdd9 100644
+--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
++++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+@@ -34,6 +34,7 @@ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.IExtendedPluginInfo;
+ import com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.NameValuePairs;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ConsoleError;
+ import com.netscape.certsrv.logging.ELogException;
+ import com.netscape.certsrv.logging.ILogEvent;
+@@ -95,9 +96,6 @@ public class RollingLogFile extends LogFile {
+      */
+     private Object mExpLock = new Object();
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_LOG_DELETE =
+-            "LOGGING_SIGNED_AUDIT_LOG_DELETE_3";
+-
+     /**
+      * Construct a RollingLogFile
+      */
+@@ -351,14 +349,14 @@ public class RollingLogFile extends LogFile {
+                 if (file.exists()) {
+                     // log failure in deleting an expired signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_LOG_DELETE,
++                                AuditEvent.AUDIT_LOG_DELETE,
+                                 ILogger.SYSTEM_UID,
+                                 ILogger.FAILURE,
+                                 fullname);
+                 } else {
+                     // log success in deleting an expired signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_LOG_DELETE,
++                                AuditEvent.AUDIT_LOG_DELETE,
+                                 ILogger.SYSTEM_UID,
+                                 ILogger.SUCCESS,
+                                 fullname);
+diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+index b1da188..2f47efa 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
++++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+@@ -28,6 +28,7 @@ import com.netscape.certsrv.base.ConflictingOperationException;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+@@ -55,9 +56,6 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+     private Vector<String> mConfigNames = new Vector<String>();
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
+-
+     public SubsystemGroupUpdater() {
+     }
+ 
+@@ -166,7 +164,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+             system.addUser(user);
+             CMS.debug("SubsystemGroupUpdater update: successfully add the user");
+             auditMessage = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                               AuditEvent.CONFIG_ROLE,
+                                auditSubjectID,
+                                ILogger.SUCCESS,
+                                auditParams);
+@@ -196,7 +194,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+             system.addUserCert(user);
+             CMS.debug("SubsystemGroupUpdater update: successfully add the user certificate");
+             auditMessage = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                               AuditEvent.CONFIG_ROLE,
+                                auditSubjectID,
+                                ILogger.SUCCESS,
+                                auditParams);
+@@ -209,7 +207,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+         } catch (Exception e) {
+             CMS.debug("UpdateSubsystemGroup: update addUser " + e.toString());
+             auditMessage = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                               AuditEvent.CONFIG_ROLE,
+                                auditSubjectID,
+                                ILogger.FAILURE,
+                                auditParams);
+@@ -240,7 +238,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+                 system.modifyGroup(group);
+ 
+                 auditMessage = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                               AuditEvent.CONFIG_ROLE,
+                                auditSubjectID,
+                                ILogger.SUCCESS,
+                                auditParams);
+@@ -253,7 +251,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+         } catch (Exception e) {
+             CMS.debug("UpdateSubsystemGroup update: modifyGroup " + e.toString());
+             auditMessage = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                               AuditEvent.CONFIG_ROLE,
+                                auditSubjectID,
+                                ILogger.FAILURE,
+                                auditParams);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java
+index 1244da1..8c5da18 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java
+@@ -38,6 +38,7 @@ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
+ import com.netscape.certsrv.evaluators.IAccessEvaluator;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ 
+ /**
+@@ -55,9 +56,6 @@ public class ACLAdminServlet extends AdminServlet {
+     private final static String INFO = "ACLAdminServlet";
+     private IAuthzManager mAuthzMgr = null;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_ACL =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_ACL_3";
+-
+     /**
+      * initialize the servlet.
+      * <ul>
+@@ -338,7 +336,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                            AuditEvent.CONFIG_ACL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -363,7 +361,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                            AuditEvent.CONFIG_ACL,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -377,7 +375,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                            AuditEvent.CONFIG_ACL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -404,7 +402,7 @@ public class ACLAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                        AuditEvent.CONFIG_ACL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -502,7 +500,7 @@ public class ACLAdminServlet extends AdminServlet {
+             if (type == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                            AuditEvent.CONFIG_ACL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -544,7 +542,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                            AuditEvent.CONFIG_ACL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -567,7 +565,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                                AuditEvent.CONFIG_ACL,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -587,7 +585,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                            AuditEvent.CONFIG_ACL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -612,7 +610,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                            AuditEvent.CONFIG_ACL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -635,7 +633,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                            AuditEvent.CONFIG_ACL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -660,7 +658,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                        AuditEvent.CONFIG_ACL,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -683,7 +681,7 @@ public class ACLAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                        AuditEvent.CONFIG_ACL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -741,7 +739,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                            AuditEvent.CONFIG_ACL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -762,7 +760,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                            AuditEvent.CONFIG_ACL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -797,7 +795,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                            AuditEvent.CONFIG_ACL,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -812,7 +810,7 @@ public class ACLAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                        AuditEvent.CONFIG_ACL,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -836,7 +834,7 @@ public class ACLAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ACL,
++                        AuditEvent.CONFIG_ACL,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+index 0350e38..089fcbe 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+@@ -122,8 +122,6 @@ public class AdminServlet extends HttpServlet {
+     public static final String CERT_ATTR =
+             "javax.servlet.request.X509Certificate";
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
+-            "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
+     private final static String CERTUSERDB =
+             IAuthSubsystem.CERTUSERDB_AUTHMGR_ID;
+     private final static String PASSWDUSERDB =
+@@ -657,7 +655,7 @@ public class AdminServlet extends HttpServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                        AuditEvent.ROLE_ASSUME,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditGroups(auditSubjectID));
+@@ -680,7 +678,7 @@ public class AdminServlet extends HttpServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                        AuditEvent.ROLE_ASSUME,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditGroups(auditSubjectID));
+@@ -701,7 +699,7 @@ public class AdminServlet extends HttpServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                        AuditEvent.ROLE_ASSUME,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditGroups(auditSubjectID));
+@@ -723,7 +721,7 @@ public class AdminServlet extends HttpServlet {
+ 
+         // store a message in the signed audit log file
+         auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                    AuditEvent.ROLE_ASSUME,
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     auditGroups(auditSubjectID));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java
+index 71cf8a2..253a9cd 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java
+@@ -43,6 +43,7 @@ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
+ import com.netscape.certsrv.ldap.ILdapAuthInfo;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ 
+ /**
+@@ -66,9 +67,6 @@ public class AuthAdminServlet extends AdminServlet {
+             "PASSWORD_CACHE_ADD";
+     private final static String EDIT = ";" + Constants.EDIT;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_AUTH =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3";
+-
+     public AuthAdminServlet() {
+         super();
+     }
+@@ -382,7 +380,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (id == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -399,7 +397,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (mAuths.getPlugins().containsKey(id)) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -419,7 +417,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (classPath == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -436,7 +434,7 @@ public class AuthAdminServlet extends AdminServlet {
+                     classPath.equals("com.netscape.cmscore.authentication.CertUserDBAuthentication")) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -464,7 +462,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (ClassNotFoundException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -478,7 +476,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (IllegalArgumentException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -496,7 +494,7 @@ public class AuthAdminServlet extends AdminServlet {
+                 if (IAuthManager.class.isAssignableFrom(newImpl) == false) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                                AuditEvent.CONFIG_AUTH,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -511,7 +509,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (NullPointerException e) { // unlikely, only if newImpl null.
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -534,7 +532,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (EBaseException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -559,7 +557,7 @@ public class AuthAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                        AuditEvent.CONFIG_AUTH,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -583,7 +581,7 @@ public class AuthAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                        AuditEvent.CONFIG_AUTH,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -638,7 +636,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (id == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -655,7 +653,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (mAuths.getInstances().containsKey(id)) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -676,7 +674,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (implname == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -703,7 +701,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (plugin == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -756,7 +754,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (ClassNotFoundException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -774,7 +772,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (InstantiationException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -791,7 +789,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (IllegalAccessException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -813,7 +811,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (EBaseException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -832,7 +830,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (EBaseException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -859,7 +857,7 @@ public class AuthAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                        AuditEvent.CONFIG_AUTH,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -871,7 +869,7 @@ public class AuthAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                        AuditEvent.CONFIG_AUTH,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -883,7 +881,7 @@ public class AuthAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                        AuditEvent.CONFIG_AUTH,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -986,7 +984,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (id == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1011,7 +1009,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (mAuths.getPlugins().containsKey(id) == false) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1034,7 +1032,7 @@ public class AuthAdminServlet extends AdminServlet {
+                 if (authMgr.getImplName() == id) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                                AuditEvent.CONFIG_AUTH,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1063,7 +1061,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (EBaseException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1078,7 +1076,7 @@ public class AuthAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                        AuditEvent.CONFIG_AUTH,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1102,7 +1100,7 @@ public class AuthAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                        AuditEvent.CONFIG_AUTH,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1158,7 +1156,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (id == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1183,7 +1181,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (mAuths.getInstances().containsKey(id) == false) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1216,7 +1214,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (EBaseException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1238,7 +1236,7 @@ public class AuthAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                        AuditEvent.CONFIG_AUTH,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1262,7 +1260,7 @@ public class AuthAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                        AuditEvent.CONFIG_AUTH,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1409,7 +1407,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (id == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1434,7 +1432,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (!mAuths.getInstances().containsKey(id)) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1453,7 +1451,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (implname == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1472,7 +1470,7 @@ public class AuthAdminServlet extends AdminServlet {
+             if (plugin == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1548,7 +1546,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (ClassNotFoundException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1566,7 +1564,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (InstantiationException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1583,7 +1581,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (IllegalAccessException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1606,7 +1604,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (EBaseException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1625,7 +1623,7 @@ public class AuthAdminServlet extends AdminServlet {
+             } catch (EBaseException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                            AuditEvent.CONFIG_AUTH,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1652,7 +1650,7 @@ public class AuthAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                        AuditEvent.CONFIG_AUTH,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1664,7 +1662,7 @@ public class AuthAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                        AuditEvent.CONFIG_AUTH,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1676,7 +1674,7 @@ public class AuthAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
++                        AuditEvent.CONFIG_AUTH,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
+index 09c77e5..5ece2c8 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
+@@ -39,6 +39,7 @@ import com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.request.IRequestListener;
+ import com.netscape.cmsutil.util.Utils;
+@@ -62,9 +63,6 @@ public class CAAdminServlet extends AdminServlet {
+ 
+     private final static String INFO = "CAAdminServlet";
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3";
+-
+     private ICertificateAuthority mCA = null;
+     protected static final String PROP_ENABLED = "enabled";
+ 
+@@ -537,7 +535,7 @@ public class CAAdminServlet extends AdminServlet {
+             if (ipId == null || ipId.length() == 0) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                            AuditEvent.CONFIG_CRL_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -554,7 +552,7 @@ public class CAAdminServlet extends AdminServlet {
+             if (desc == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                            AuditEvent.CONFIG_CRL_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -587,7 +585,7 @@ public class CAAdminServlet extends AdminServlet {
+                 if (ipId.equals(name)) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                                AuditEvent.CONFIG_CRL_PROFILE,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -601,7 +599,7 @@ public class CAAdminServlet extends AdminServlet {
+             if (!mCA.addCRLIssuingPoint(crlSubStore, ipId, enable, desc)) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                            AuditEvent.CONFIG_CRL_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -615,7 +613,7 @@ public class CAAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -626,7 +624,7 @@ public class CAAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -638,7 +636,7 @@ public class CAAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -693,7 +691,7 @@ public class CAAdminServlet extends AdminServlet {
+             if (ipId == null || ipId.length() == 0) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                            AuditEvent.CONFIG_CRL_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -710,7 +708,7 @@ public class CAAdminServlet extends AdminServlet {
+             if (desc == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                            AuditEvent.CONFIG_CRL_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -762,7 +760,7 @@ public class CAAdminServlet extends AdminServlet {
+             if (!done) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                            AuditEvent.CONFIG_CRL_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -776,7 +774,7 @@ public class CAAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -787,7 +785,7 @@ public class CAAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -799,7 +797,7 @@ public class CAAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -869,7 +867,7 @@ public class CAAdminServlet extends AdminServlet {
+                 if (!done) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                                AuditEvent.CONFIG_CRL_PROFILE,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -884,7 +882,7 @@ public class CAAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -895,7 +893,7 @@ public class CAAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -907,7 +905,7 @@ public class CAAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1039,7 +1037,7 @@ public class CAAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1050,7 +1048,7 @@ public class CAAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1062,7 +1060,7 @@ public class CAAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1246,7 +1244,7 @@ public class CAAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1260,7 +1258,7 @@ public class CAAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1272,7 +1270,7 @@ public class CAAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
++                        AuditEvent.CONFIG_CRL_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+index 3e73dc6..229c377 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+@@ -106,14 +106,6 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+     private final static byte EOL[] = { Character.LINE_SEPARATOR };
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3";
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3";
+-    private final static String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION =
+-            "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2";
+-    private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION =
+-            "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3";
+ 
+     // CMS must be instantiated before this admin servlet.
+ 
+@@ -574,7 +566,7 @@ public final class CMSAdminServlet extends AdminServlet {
+                         if (tokenizer.countTokens() != 2) {
+                             // store a message in the signed audit log file
+                             auditMessage = CMS.getLogMessage(
+-                                        LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
++                                        AuditEvent.CONFIG_ENCRYPTION,
+                                         auditSubjectID,
+                                         ILogger.FAILURE,
+                                         auditParams(req));
+@@ -599,7 +591,7 @@ public final class CMSAdminServlet extends AdminServlet {
+                         } else
+                             // store a message in the signed audit log file
+                             auditMessage = CMS.getLogMessage(
+-                                        LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
++                                        AuditEvent.CONFIG_ENCRYPTION,
+                                         auditSubjectID,
+                                         ILogger.FAILURE,
+                                         auditParams(req));
+@@ -636,7 +628,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
++                        AuditEvent.CONFIG_ENCRYPTION,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -648,7 +640,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
++                        AuditEvent.CONFIG_ENCRYPTION,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -660,7 +652,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
++                        AuditEvent.CONFIG_ENCRYPTION,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1494,7 +1486,7 @@ public final class CMSAdminServlet extends AdminServlet {
+             } else {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1514,7 +1506,7 @@ public final class CMSAdminServlet extends AdminServlet {
+             } else {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1534,7 +1526,7 @@ public final class CMSAdminServlet extends AdminServlet {
+             if (nickname.equals("")) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1781,7 +1773,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1794,7 +1786,7 @@ public final class CMSAdminServlet extends AdminServlet {
+             CMS.debug("CMSAdminServlet: issueImportCert: EBaseException thrown: " + eAudit1.toString());
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1807,7 +1799,7 @@ public final class CMSAdminServlet extends AdminServlet {
+             CMS.debug("CMSAdminServlet: issueImportCert: IOException thrown: " + eAudit2.toString());
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1900,7 +1892,7 @@ public final class CMSAdminServlet extends AdminServlet {
+                     if (certpath == null || certpath.equals("")) {
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                                AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1934,7 +1926,7 @@ public final class CMSAdminServlet extends AdminServlet {
+             } catch (IOException ee) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1964,7 +1956,7 @@ public final class CMSAdminServlet extends AdminServlet {
+             } else {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2193,7 +2185,7 @@ public final class CMSAdminServlet extends AdminServlet {
+                 verified = true;
+ 
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
++                        AuditEvent.CIMC_CERT_VERIFICATION,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                                 nickname);
+@@ -2203,7 +2195,7 @@ public final class CMSAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 CMS.debug(e);
+                 auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
++                                AuditEvent.CIMC_CERT_VERIFICATION,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 nickname);
+@@ -2213,7 +2205,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -2230,7 +2222,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -2242,7 +2234,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -2319,7 +2311,7 @@ public final class CMSAdminServlet extends AdminServlet {
+                     if (certpath == null || certpath.equals("")) {
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                                AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -2352,7 +2344,7 @@ public final class CMSAdminServlet extends AdminServlet {
+             } catch (IOException ee) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2386,7 +2378,7 @@ public final class CMSAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2405,7 +2397,7 @@ public final class CMSAdminServlet extends AdminServlet {
+             } catch (EBaseException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2426,7 +2418,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -2437,7 +2429,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -2449,7 +2441,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -2952,7 +2944,7 @@ public final class CMSAdminServlet extends AdminServlet {
+             jssSubSystem.setRootCertTrust(nickname, serialno, issuername, trust);
+         } catch (EBaseException e) {
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -2964,7 +2956,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+         // store a message in the signed audit log file
+         auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                    AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     auditParams(req));
+@@ -3020,7 +3012,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -3032,7 +3024,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -3044,7 +3036,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
++                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -3132,7 +3124,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
++                            AuditEvent.SELFTESTS_EXECUTION,
+                             auditSubjectID,
+                             ILogger.FAILURE);
+ 
+@@ -3185,7 +3177,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
++                                    AuditEvent.SELFTESTS_EXECUTION,
+                                     auditSubjectID,
+                                     ILogger.FAILURE);
+ 
+@@ -3215,7 +3207,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
++                                    AuditEvent.SELFTESTS_EXECUTION,
+                                     auditSubjectID,
+                                     ILogger.FAILURE);
+ 
+@@ -3268,7 +3260,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+                             // store a message in the signed audit log file
+                             auditMessage = CMS.getLogMessage(
+-                                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
++                                        AuditEvent.SELFTESTS_EXECUTION,
+                                         auditSubjectID,
+                                         ILogger.FAILURE);
+ 
+@@ -3316,7 +3308,7 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
++                        AuditEvent.SELFTESTS_EXECUTION,
+                         auditSubjectID,
+                         ILogger.SUCCESS);
+ 
+@@ -3336,7 +3328,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (EMissingSelfTestException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
++                        AuditEvent.SELFTESTS_EXECUTION,
+                         auditSubjectID,
+                         ILogger.FAILURE);
+ 
+@@ -3347,7 +3339,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (ESelfTestException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
++                        AuditEvent.SELFTESTS_EXECUTION,
+                         auditSubjectID,
+                         ILogger.FAILURE);
+ 
+@@ -3358,7 +3350,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         } catch (IOException eAudit3) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
++                        AuditEvent.SELFTESTS_EXECUTION,
+                         auditSubjectID,
+                         ILogger.FAILURE);
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java
+index f974db4..00f960e 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java
+@@ -43,8 +43,8 @@ import com.netscape.certsrv.group.GroupMemberCollection;
+ import com.netscape.certsrv.group.GroupMemberData;
+ import com.netscape.certsrv.group.GroupNotFoundException;
+ import com.netscape.certsrv.group.GroupResource;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+-import com.netscape.certsrv.logging.IAuditor;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.usrgrp.IGroup;
+ import com.netscape.certsrv.usrgrp.IUGSubsystem;
+@@ -388,6 +388,6 @@ public class GroupMemberProcessor extends Processor {
+     }
+ 
+     public void audit(String type, String id, Map<String, String> params, String status) {
+-        audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_GROUP_MEMBERS, type, id, params, status);
++        audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUP_MEMBERS, type, id, params, status);
+     }
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java
+index 3f9f558..5583d12 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java
+@@ -32,6 +32,7 @@ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ 
+ /**
+@@ -54,9 +55,6 @@ public class KRAAdminServlet extends AdminServlet {
+ 
+     private IKeyRecoveryAuthority mKRA = null;
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_DRM =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3";
+-
+     /**
+      * Constructs KRA servlet.
+      */
+@@ -204,7 +202,7 @@ public class KRAAdminServlet extends AdminServlet {
+                     mKRA.setNoOfRequiredAgents(number);
+                 } catch (NumberFormatException e) {
+                     auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_DRM,
++                            AuditEvent.CONFIG_DRM,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -218,7 +216,7 @@ public class KRAAdminServlet extends AdminServlet {
+         commit(true);
+ 
+         auditMessage = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_CONFIG_DRM,
++                AuditEvent.CONFIG_DRM,
+                 auditSubjectID,
+                 ILogger.SUCCESS,
+                 auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
+index 13ba52c..c424520 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
+@@ -36,6 +36,7 @@ import com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ELogException;
+ import com.netscape.certsrv.logging.ELogNotFound;
+ import com.netscape.certsrv.logging.ELogPluginNotFound;
+@@ -64,10 +65,6 @@ public class LogAdminServlet extends AdminServlet {
+     private ILogSubsystem mSys = null;
+ 
+     private final static String SIGNED_AUDIT_LOG_TYPE = "SignedAudit";
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3";
+-    private final static String LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE =
+-            "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4";
+ 
+     /**
+      * Constructs Log servlet.
+@@ -439,7 +436,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -458,7 +455,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -479,7 +476,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -508,7 +505,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -524,7 +521,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -544,7 +541,7 @@ public class LogAdminServlet extends AdminServlet {
+                     // store a message in the signed audit log file
+                     if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                    AuditEvent.CONFIG_SIGNED_AUDIT,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditParams(req));
+@@ -561,7 +558,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -588,7 +585,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -612,7 +609,7 @@ public class LogAdminServlet extends AdminServlet {
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                            AuditEvent.CONFIG_SIGNED_AUDIT,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -637,7 +634,7 @@ public class LogAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                        AuditEvent.CONFIG_SIGNED_AUDIT,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -709,7 +706,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -727,7 +724,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -744,7 +741,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -766,7 +763,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -789,7 +786,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -849,7 +846,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -868,7 +865,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -887,7 +884,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -912,7 +909,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -928,7 +925,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -950,7 +947,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -974,7 +971,7 @@ public class LogAdminServlet extends AdminServlet {
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                            AuditEvent.CONFIG_SIGNED_AUDIT,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -999,7 +996,7 @@ public class LogAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                        AuditEvent.CONFIG_SIGNED_AUDIT,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1103,7 +1100,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1122,7 +1119,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1158,7 +1155,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1175,7 +1172,7 @@ public class LogAdminServlet extends AdminServlet {
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                            AuditEvent.CONFIG_SIGNED_AUDIT,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -1200,7 +1197,7 @@ public class LogAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                        AuditEvent.CONFIG_SIGNED_AUDIT,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1265,7 +1262,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1283,7 +1280,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1308,7 +1305,7 @@ public class LogAdminServlet extends AdminServlet {
+                     // store a message in the signed audit log file
+                     if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                    AuditEvent.CONFIG_SIGNED_AUDIT,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditParams(req));
+@@ -1339,7 +1336,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1356,7 +1353,7 @@ public class LogAdminServlet extends AdminServlet {
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                            AuditEvent.CONFIG_SIGNED_AUDIT,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -1381,7 +1378,7 @@ public class LogAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                        AuditEvent.CONFIG_SIGNED_AUDIT,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1472,7 +1469,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1491,7 +1488,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1512,7 +1509,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1534,7 +1531,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1673,7 +1670,7 @@ public class LogAdminServlet extends AdminServlet {
+                                     // file (regardless of logType)
+                                     if (!(newLogPath.equals(origLogPath))) {
+                                         auditMessage = CMS.getLogMessage(
+-                                                    LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
++                                                    AuditEvent.LOG_PATH_CHANGE,
+                                                     auditSubjectID,
+                                                     ILogger.FAILURE,
+                                                     logType,
+@@ -1686,7 +1683,7 @@ public class LogAdminServlet extends AdminServlet {
+                                     // file
+                                     if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                                         auditMessage = CMS.getLogMessage(
+-                                                    LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                                    AuditEvent.CONFIG_SIGNED_AUDIT,
+                                                     auditSubjectID,
+                                                     ILogger.FAILURE,
+                                                     auditParams(req));
+@@ -1775,7 +1772,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // (regardless of logType)
+                 if (!(newLogPath.equals(origLogPath))) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
++                                AuditEvent.LOG_PATH_CHANGE,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 logType,
+@@ -1801,7 +1798,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1827,7 +1824,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // (regardless of logType)
+                 if (!(newLogPath.equals(origLogPath))) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
++                                AuditEvent.LOG_PATH_CHANGE,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 logType,
+@@ -1852,7 +1849,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1878,7 +1875,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // (regardless of logType)
+                 if (!(newLogPath.equals(origLogPath))) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
++                                AuditEvent.LOG_PATH_CHANGE,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 logType,
+@@ -1903,7 +1900,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1937,7 +1934,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // (regardless of logType)
+                 if (!(newLogPath.equals(origLogPath))) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
++                                AuditEvent.LOG_PATH_CHANGE,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 logType,
+@@ -1962,7 +1959,7 @@ public class LogAdminServlet extends AdminServlet {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                                AuditEvent.CONFIG_SIGNED_AUDIT,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1996,7 +1993,7 @@ public class LogAdminServlet extends AdminServlet {
+             // (regardless of logType)
+             if (!(newLogPath.equals(origLogPath))) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
++                            AuditEvent.LOG_PATH_CHANGE,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             logType,
+@@ -2021,7 +2018,7 @@ public class LogAdminServlet extends AdminServlet {
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                            AuditEvent.CONFIG_SIGNED_AUDIT,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -2042,7 +2039,7 @@ public class LogAdminServlet extends AdminServlet {
+             // (regardless of logType)
+             if (!(newLogPath.equals(origLogPath))) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
++                            AuditEvent.LOG_PATH_CHANGE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             logType,
+@@ -2067,7 +2064,7 @@ public class LogAdminServlet extends AdminServlet {
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                            AuditEvent.CONFIG_SIGNED_AUDIT,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2088,7 +2085,7 @@ public class LogAdminServlet extends AdminServlet {
+             // (regardless of logType)
+             if (!(newLogPath.equals(origLogPath))) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
++                            AuditEvent.LOG_PATH_CHANGE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             logType,
+@@ -2113,7 +2110,7 @@ public class LogAdminServlet extends AdminServlet {
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
++                            AuditEvent.CONFIG_SIGNED_AUDIT,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java
+index a7ff922..ee1c3a2 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java
+@@ -34,6 +34,7 @@ import com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.ocsp.IOCSPAuthority;
+ import com.netscape.certsrv.ocsp.IOCSPStore;
+@@ -57,9 +58,6 @@ public class OCSPAdminServlet extends AdminServlet {
+ 
+     private final static String INFO = "OCSPAdminServlet";
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3";
+-
+     private IOCSPAuthority mOCSP = null;
+ 
+     public OCSPAdminServlet() {
+@@ -256,7 +254,7 @@ public class OCSPAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
++                        AuditEvent.CONFIG_OCSP_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -267,7 +265,7 @@ public class OCSPAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
++                        AuditEvent.CONFIG_OCSP_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -279,7 +277,7 @@ public class OCSPAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
++                        AuditEvent.CONFIG_OCSP_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -368,7 +366,7 @@ public class OCSPAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
++                        AuditEvent.CONFIG_OCSP_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -379,7 +377,7 @@ public class OCSPAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
++                        AuditEvent.CONFIG_OCSP_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -391,7 +389,7 @@ public class OCSPAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
++                        AuditEvent.CONFIG_OCSP_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -503,7 +501,7 @@ public class OCSPAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
++                        AuditEvent.CONFIG_OCSP_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -514,7 +512,7 @@ public class OCSPAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
++                        AuditEvent.CONFIG_OCSP_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -526,7 +524,7 @@ public class OCSPAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
++                        AuditEvent.CONFIG_OCSP_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java
+index 1fe9c87..7a09e83 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java
+@@ -41,6 +41,7 @@ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.ra.IRegistrationAuthority;
+ 
+@@ -83,9 +84,6 @@ public class PolicyAdminServlet extends AdminServlet {
+     public static String COMMA = ",";
+     public static String MISSING_POLICY_ORDERING = "Missing policy ordering";
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3";
+-
+     /**
+      * Constructs administration servlet.
+      */
+@@ -506,7 +504,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             if (id == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -522,7 +520,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -535,7 +533,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -547,7 +545,7 @@ public class PolicyAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                        AuditEvent.CONFIG_CERT_POLICY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -628,7 +626,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             if (id == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -644,7 +642,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             if (classPath == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -659,7 +657,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -670,7 +668,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -682,7 +680,7 @@ public class PolicyAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                        AuditEvent.CONFIG_CERT_POLICY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -735,7 +733,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             if (id == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -751,7 +749,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -764,7 +762,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -776,7 +774,7 @@ public class PolicyAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                        AuditEvent.CONFIG_CERT_POLICY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -875,7 +873,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             if (id == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -892,7 +890,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             if (implName == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -925,7 +923,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -956,7 +954,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -967,7 +965,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -979,7 +977,7 @@ public class PolicyAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                        AuditEvent.CONFIG_CERT_POLICY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1032,7 +1030,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             if (policyOrder == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1047,7 +1045,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -1058,7 +1056,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1070,7 +1068,7 @@ public class PolicyAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                        AuditEvent.CONFIG_CERT_POLICY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1123,7 +1121,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             if (id == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1140,7 +1138,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             if (implName == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1172,7 +1170,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1208,7 +1206,7 @@ public class PolicyAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -1219,7 +1217,7 @@ public class PolicyAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                            AuditEvent.CONFIG_CERT_POLICY,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1231,7 +1229,7 @@ public class PolicyAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
++                        AuditEvent.CONFIG_CERT_POLICY,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
+index b418baf..c4b40c0 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
+@@ -34,6 +34,7 @@ import com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.IPolicyConstraint;
+@@ -88,9 +89,6 @@ public class ProfileAdminServlet extends AdminServlet {
+     public static String MISSING_POLICY_ORDERING = "Missing policy ordering";
+     public static String BAD_CONFIGURATION_VAL = "Invalid configuration value.";
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
+-
+     /**
+      * Constructs administration servlet.
+      */
+@@ -425,7 +423,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -475,7 +473,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -492,7 +490,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -503,7 +501,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -566,7 +564,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -599,7 +597,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -617,7 +615,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -628,7 +626,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -691,7 +689,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -725,7 +723,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -743,7 +741,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -754,7 +752,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -826,7 +824,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -848,7 +846,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -863,7 +861,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -874,7 +872,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -948,7 +946,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -965,7 +963,7 @@ public class ProfileAdminServlet extends AdminServlet {
+             } catch (EBaseException e1) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -980,7 +978,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -991,7 +989,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1065,7 +1063,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1082,7 +1080,7 @@ public class ProfileAdminServlet extends AdminServlet {
+             } catch (EBaseException e1) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1097,7 +1095,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1108,7 +1106,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1170,7 +1168,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1219,7 +1217,7 @@ public class ProfileAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1233,7 +1231,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1244,7 +1242,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1306,7 +1304,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1356,7 +1354,7 @@ public class ProfileAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1371,7 +1369,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1382,7 +1380,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1444,7 +1442,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1488,7 +1486,7 @@ public class ProfileAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1502,7 +1500,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1513,7 +1511,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1575,7 +1573,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1607,7 +1605,7 @@ public class ProfileAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1621,7 +1619,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1632,7 +1630,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1694,7 +1692,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1727,7 +1725,7 @@ public class ProfileAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1741,7 +1739,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1752,7 +1750,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1814,7 +1812,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1861,7 +1859,7 @@ public class ProfileAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1876,7 +1874,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1887,7 +1885,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -2278,7 +2276,7 @@ public class ProfileAdminServlet extends AdminServlet {
+             if (id == null) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2294,7 +2292,7 @@ public class ProfileAdminServlet extends AdminServlet {
+             } catch (EProfileException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2307,7 +2305,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -2318,7 +2316,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -2391,7 +2389,7 @@ public class ProfileAdminServlet extends AdminServlet {
+             if (id == null || id.trim().equals("") || !isValidId(id)) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2441,7 +2439,7 @@ public class ProfileAdminServlet extends AdminServlet {
+             } catch (EBaseException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -2480,7 +2478,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2493,7 +2491,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -2504,7 +2502,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -2563,7 +2561,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                            AuditEvent.CONFIG_CERT_PROFILE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2591,7 +2589,7 @@ public class ProfileAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -2607,7 +2605,7 @@ public class ProfileAdminServlet extends AdminServlet {
+         } catch (IOException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
++                        AuditEvent.CONFIG_CERT_PROFILE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
+index cce1ce3..1c38b88 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
+@@ -48,6 +48,7 @@ import com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.password.IPasswordCheck;
+@@ -87,9 +88,6 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+     private final static String BACK_SLASH = "\\";
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
+-
+     private IUGSubsystem mMgr = null;
+ 
+     private static String[] mMultiRoleGroupEnforceList = null;
+@@ -682,7 +680,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -701,7 +699,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -720,7 +718,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -743,7 +741,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -770,7 +768,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 if (!passwdCheck.isGoodPassword(pword)) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                AuditEvent.CONFIG_ROLE,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -823,7 +821,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                    AuditEvent.CONFIG_ROLE,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditParams(req));
+@@ -846,7 +844,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                             // store a message in the signed audit log file
+                             auditMessage = CMS.getLogMessage(
+-                                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                        AuditEvent.CONFIG_ROLE,
+                                         auditSubjectID,
+                                         ILogger.FAILURE,
+                                         auditParams(req));
+@@ -872,7 +870,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -886,7 +884,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -907,7 +905,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -921,7 +919,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -933,7 +931,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -993,7 +991,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1016,7 +1014,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -1056,7 +1054,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                     if (p7certs.length == 0) {
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                    AuditEvent.CONFIG_ROLE,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditParams(req));
+@@ -1091,7 +1089,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                    AuditEvent.CONFIG_ROLE,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditParams(req));
+@@ -1157,7 +1155,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                AuditEvent.CONFIG_ROLE,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -1173,7 +1171,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1195,7 +1193,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -1211,7 +1209,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1227,7 +1225,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1241,7 +1239,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             } catch (ConflictingOperationException e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1257,7 +1255,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1283,7 +1281,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1346,7 +1344,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1368,7 +1366,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -1386,7 +1384,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -1400,7 +1398,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1426,7 +1424,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1497,7 +1495,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1519,7 +1517,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1539,7 +1537,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                     } else {
+                         // store a message in the signed audit log file
+                         auditMessage = CMS.getLogMessage(
+-                                    LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                    AuditEvent.CONFIG_ROLE,
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditParams(req));
+@@ -1561,7 +1559,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -1573,7 +1571,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             } catch (Exception ex) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1587,7 +1585,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1599,7 +1597,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1660,7 +1658,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1698,7 +1696,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -1710,7 +1708,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1725,7 +1723,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1737,7 +1735,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1798,7 +1796,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1817,7 +1815,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditParams(req));
+@@ -1828,7 +1826,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1840,7 +1838,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -1903,7 +1901,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -1956,7 +1954,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                             } else {
+                                 // store a message in the signed audit log file
+                                 auditMessage = CMS.getLogMessage(
+-                                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                            AuditEvent.CONFIG_ROLE,
+                                             auditSubjectID,
+                                             ILogger.FAILURE,
+                                             auditParams(req));
+@@ -1980,7 +1978,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -1993,7 +1991,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2008,7 +2006,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -2020,7 +2018,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -2152,7 +2150,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2176,7 +2174,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2201,7 +2199,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 if (!passwdCheck.isGoodPassword(pword)) {
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                AuditEvent.CONFIG_ROLE,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams(req));
+@@ -2232,7 +2230,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditParams(req));
+@@ -2246,7 +2244,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                            AuditEvent.CONFIG_ROLE,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditParams(req));
+@@ -2260,7 +2258,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+@@ -2272,7 +2270,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
+         } catch (IOException eAudit2) {
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                        AuditEvent.CONFIG_ROLE,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditParams(req));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+index 01f9f07..c7fc03b 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+@@ -245,9 +245,6 @@ public abstract class CMSServlet extends HttpServlet {
+     private IUGSubsystem mUG = (IUGSubsystem)
+             CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+ 
+-    private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
+-            "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
+-
+     public CMSServlet() {
+     }
+ 
+@@ -1840,7 +1837,7 @@ public abstract class CMSServlet extends HttpServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                            AuditEvent.ROLE_ASSUME,
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditGroupID);
+@@ -1857,7 +1854,7 @@ public abstract class CMSServlet extends HttpServlet {
+                 audit(auditMessage);
+ 
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                            AuditEvent.ROLE_ASSUME,
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditGroupID);
+@@ -1876,7 +1873,7 @@ public abstract class CMSServlet extends HttpServlet {
+             audit(auditMessage);
+ 
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                        AuditEvent.ROLE_ASSUME,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditGroupID);
+@@ -1974,7 +1971,7 @@ public abstract class CMSServlet extends HttpServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                            AuditEvent.ROLE_ASSUME,
+                             auditID,
+                             ILogger.SUCCESS,
+                             auditGroups(auditSubjectID));
+@@ -1993,7 +1990,7 @@ public abstract class CMSServlet extends HttpServlet {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                            AuditEvent.ROLE_ASSUME,
+                             auditID,
+                             ILogger.FAILURE,
+                             auditGroups(auditSubjectID));
+@@ -2015,7 +2012,7 @@ public abstract class CMSServlet extends HttpServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                        AuditEvent.ROLE_ASSUME,
+                         auditID,
+                         ILogger.FAILURE,
+                         auditGroups(auditSubjectID));
+@@ -2036,7 +2033,7 @@ public abstract class CMSServlet extends HttpServlet {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                        AuditEvent.ROLE_ASSUME,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditGroups(auditSubjectID));
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
+index 74197a4..f02932e 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
+@@ -36,6 +36,7 @@ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.authorization.AuthzToken;
+ import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+ import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.usrgrp.ICertUserLocator;
+ import com.netscape.certsrv.usrgrp.IGroup;
+@@ -65,9 +66,6 @@ public class RegisterUser extends CMSServlet {
+     private final static String SUCCESS = "0";
+     private final static String AUTH_FAILURE = "2";
+     private String mGroupName = null;
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
+-
+     public RegisterUser() {
+         super();
+     }
+@@ -202,7 +200,7 @@ public class RegisterUser extends CMSServlet {
+                 ugsys.addUser(user);
+                 CMS.debug("RegisterUser created user " + uid);
+                 auditMessage = CMS.getLogMessage(
+-                              LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                              AuditEvent.CONFIG_ROLE,
+                               auditSubjectID,
+                               ILogger.SUCCESS,
+                               auditParams);
+@@ -227,7 +225,7 @@ public class RegisterUser extends CMSServlet {
+                 ugsys.addUserCert(user);
+                 CMS.debug("RegisterUser added user certificate");
+                 auditMessage = CMS.getLogMessage(
+-                              LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                              AuditEvent.CONFIG_ROLE,
+                               auditSubjectID,
+                               ILogger.SUCCESS,
+                               auditParams);
+@@ -237,7 +235,7 @@ public class RegisterUser extends CMSServlet {
+         } catch (Exception eee) {
+             CMS.debug("RegisterUser error " + eee.toString());
+             auditMessage = CMS.getLogMessage(
+-                                LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                AuditEvent.CONFIG_ROLE,
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditParams);
+@@ -270,7 +268,7 @@ public class RegisterUser extends CMSServlet {
+                 CMS.debug("RegisterUser modified group");
+ 
+                 auditMessage = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                               AuditEvent.CONFIG_ROLE,
+                                auditSubjectID,
+                                ILogger.SUCCESS,
+                                auditParams);
+@@ -279,7 +277,7 @@ public class RegisterUser extends CMSServlet {
+             }
+         } catch (Exception e) {
+             auditMessage = CMS.getLogMessage(
+-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                               AuditEvent.CONFIG_ROLE,
+                                auditSubjectID,
+                                ILogger.FAILURE,
+                                auditParams);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+index 69e76fc..cd769db 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+@@ -90,7 +90,7 @@ public class SecurityDomainProcessor extends CAProcessor {
+ 
+         if (!ugSubsystem.isMemberOf(user, group)) {
+             String message = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                    AuditEvent.ROLE_ASSUME,
+                     user,
+                     ILogger.FAILURE,
+                     group);
+@@ -100,7 +100,7 @@ public class SecurityDomainProcessor extends CAProcessor {
+         }
+ 
+         String message = CMS.getLogMessage(
+-                LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                AuditEvent.ROLE_ASSUME,
+                 user,
+                 ILogger.SUCCESS,
+                 group);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+index bed4357..5872ab0 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+@@ -63,9 +63,6 @@ public class UpdateDomainXML extends CMSServlet {
+     private static final long serialVersionUID = 4059169588555717548L;
+     private final static String SUCCESS = "0";
+     private final static String FAILED = "1";
+-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
+-
+     public UpdateDomainXML() {
+         super();
+     }
+@@ -372,7 +369,7 @@ public class UpdateDomainXML extends CMSServlet {
+                     status2 = remove_from_ldap(adminUserDN);
+                     if (status2.equals(SUCCESS)) {
+                         auditMessage = CMS.getLogMessage(
+-                                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                               AuditEvent.CONFIG_ROLE,
+                                                auditSubjectID,
+                                                ILogger.SUCCESS,
+                                                userAuditParams);
+@@ -388,13 +385,13 @@ public class UpdateDomainXML extends CMSServlet {
+                         status2 = modify_ldap(dn, mod);
+                         if (status2.equals(SUCCESS)) {
+                             auditMessage = CMS.getLogMessage(
+-                                                   LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                                   AuditEvent.CONFIG_ROLE,
+                                                    auditSubjectID,
+                                                    ILogger.SUCCESS,
+                                                    userAuditParams);
+                         } else {
+                             auditMessage = CMS.getLogMessage(
+-                                                   LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                                   AuditEvent.CONFIG_ROLE,
+                                                    auditSubjectID,
+                                                    ILogger.FAILURE,
+                                                    userAuditParams);
+@@ -402,7 +399,7 @@ public class UpdateDomainXML extends CMSServlet {
+                         audit(auditMessage);
+                     } else { // error deleting user
+                         auditMessage = CMS.getLogMessage(
+-                                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
++                                               AuditEvent.CONFIG_ROLE,
+                                                auditSubjectID,
+                                                ILogger.FAILURE,
+                                                userAuditParams);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index 5669233..ad79cbb 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -117,8 +117,6 @@ public class CAProcessor extends Processor {
+     public static final String ACL_INFO = "ACLinfo";
+     public static final String PROFILE_SUB_ID = "profileSubId";
+ 
+-    public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
+-            "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
+     public final static String SIGNED_AUDIT_CERT_REQUEST_REASON =
+             "requestNotes";
+ 
+@@ -731,7 +729,7 @@ public class CAProcessor extends Processor {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                        AuditEvent.ROLE_ASSUME,
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditGroupID);
+@@ -748,7 +746,7 @@ public class CAProcessor extends Processor {
+                 audit(auditMessage);
+ 
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                        AuditEvent.ROLE_ASSUME,
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditGroupID);
+@@ -767,7 +765,7 @@ public class CAProcessor extends Processor {
+             audit(auditMessage);
+ 
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                    AuditEvent.ROLE_ASSUME,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditGroupID);
+@@ -864,7 +862,7 @@ public class CAProcessor extends Processor {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                        AuditEvent.ROLE_ASSUME,
+                         auditID,
+                         ILogger.SUCCESS,
+                         auditGroups(auditSubjectID));
+@@ -883,7 +881,7 @@ public class CAProcessor extends Processor {
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                        AuditEvent.ROLE_ASSUME,
+                         auditID,
+                         ILogger.FAILURE,
+                         auditGroups(auditSubjectID));
+@@ -905,7 +903,7 @@ public class CAProcessor extends Processor {
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
++                    AuditEvent.ROLE_ASSUME,
+                     auditID,
+                     ILogger.FAILURE,
+                     auditGroups(auditSubjectID));
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+index 7bb048f..2d5b371 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+@@ -49,6 +49,7 @@ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.PKIException;
+ import com.netscape.certsrv.base.ResourceNotFoundException;
+ import com.netscape.certsrv.logging.AuditConfig;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFile;
+ import com.netscape.certsrv.logging.AuditFileCollection;
+ import com.netscape.certsrv.logging.AuditResource;
+@@ -412,7 +413,7 @@ public class AuditService extends SubsystemService implements AuditResource {
+     public void auditTPSConfigSignedAudit(String status, Map<String, String> params) {
+ 
+         String msg = CMS.getLogMessage(
+-                "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3",
++                AuditEvent.CONFIG_SIGNED_AUDIT,
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+                 auditor.getParamString(null, params));
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
+index 4ee2810..4aa0209 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
+@@ -40,7 +40,7 @@ import com.netscape.certsrv.group.GroupData;
+ import com.netscape.certsrv.group.GroupMemberData;
+ import com.netscape.certsrv.group.GroupNotFoundException;
+ import com.netscape.certsrv.group.GroupResource;
+-import com.netscape.certsrv.logging.IAuditor;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.usrgrp.IGroup;
+ import com.netscape.certsrv.usrgrp.IGroupConstants;
+@@ -432,6 +432,6 @@ public class GroupService extends SubsystemService implements GroupResource {
+     }
+ 
+     public void audit(String type, String id, Map<String, String> params, String status) {
+-        audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_GROUPS, type, id, params, status);
++        audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUPS, type, id, params, status);
+     }
+ }
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
+index eeadba5..e10c4f5 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
+@@ -52,7 +52,7 @@ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
+ import com.netscape.certsrv.dbs.certdb.CertId;
+ import com.netscape.certsrv.group.GroupMemberData;
+-import com.netscape.certsrv.logging.IAuditor;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.password.IPasswordCheck;
+ import com.netscape.certsrv.user.UserCertCollection;
+@@ -1227,10 +1227,10 @@ public class UserService extends SubsystemService implements UserResource {
+     }
+ 
+     public void auditUser(String type, String id, Map<String, String> params, String status) {
+-        audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status);
++        audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status);
+     }
+ 
+     public void auditUserCert(String type, String id, Map<String, String> params, String status) {
+-        audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status);
++        audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status);
+     }
+ }
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
+index 400ad0c..e1c4c76 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
+@@ -41,6 +41,7 @@ import org.mozilla.jss.CryptoManager.CertificateUsage;
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.cmsutil.util.Utils;
+ 
+@@ -84,9 +85,6 @@ public class CertUtils {
+             "-----END CERTIFICATE REVOCATION LIST-----";
+ 
+     protected static ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+-    private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION =
+-            "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3";
+-
+     /**
+      * Remove the header and footer in the PKCS10 request.
+      */
+@@ -911,7 +909,7 @@ public class CertUtils {
+             if (subsysType == null) {
+                 CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done");
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
++                            AuditEvent.CIMC_CERT_VERIFICATION,
+                             ILogger.SYSTEM_UID,
+                             ILogger.FAILURE,
+                             "");
+@@ -936,7 +934,7 @@ public class CertUtils {
+             verifySystemCertByNickname(nickname, certusage);
+ 
+             auditMessage = CMS.getLogMessage(
+-                    LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
++                    AuditEvent.CIMC_CERT_VERIFICATION,
+                     ILogger.SYSTEM_UID,
+                     ILogger.SUCCESS,
+                         nickname);
+@@ -947,7 +945,7 @@ public class CertUtils {
+             CMS.debug("CertUtils: verifySystemCertsByTag() failed: " +
+                     e.toString());
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
++                        AuditEvent.CIMC_CERT_VERIFICATION,
+                         ILogger.SYSTEM_UID,
+                         ILogger.FAILURE,
+                         "");
+@@ -1009,7 +1007,7 @@ public class CertUtils {
+             if (subsysType.equals("")) {
+                 CMS.debug("CertUtils: verifySystemCerts() cs.type not defined in CS.cfg. System certificates verification not done");
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
++                            AuditEvent.CIMC_CERT_VERIFICATION,
+                             ILogger.SYSTEM_UID,
+                             ILogger.FAILURE,
+                             "");
+@@ -1022,7 +1020,7 @@ public class CertUtils {
+             if (subsysType == null) {
+                 CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done");
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
++                            AuditEvent.CIMC_CERT_VERIFICATION,
+                             ILogger.SYSTEM_UID,
+                             ILogger.FAILURE,
+                             "");
+@@ -1036,7 +1034,7 @@ public class CertUtils {
+                 CMS.debug("CertUtils: verifySystemCerts() "
+                         + subsysType + ".cert.list not defined in CS.cfg. System certificates verification not done");
+                 auditMessage = CMS.getLogMessage(
+-                            LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
++                            AuditEvent.CIMC_CERT_VERIFICATION,
+                             ILogger.SYSTEM_UID,
+                             ILogger.FAILURE,
+                             "");
+@@ -1056,7 +1054,7 @@ public class CertUtils {
+         } catch (Exception e) {
+             // audit here
+             auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
++                        AuditEvent.CIMC_CERT_VERIFICATION,
+                         ILogger.SYSTEM_UID,
+                         ILogger.FAILURE,
+                         "");
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+index 4ddb42c..95556b9 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+@@ -96,9 +96,6 @@ public class SelfTestSubsystem
+     private static final String ELEMENT_DELIMITER = ":";
+     private static final String CRITICAL = "critical";
+ 
+-    private static final String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION =
+-            "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2";
+-
+     /////////////////////
+     // default methods //
+     /////////////////////
+@@ -1809,7 +1806,7 @@ public class SelfTestSubsystem
+ 
+             // store a message in the signed audit log file
+             String auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
++                        AuditEvent.SELFTESTS_EXECUTION,
+                         ILogger.SYSTEM_UID,
+                         ILogger.SUCCESS);
+ 
+@@ -1819,7 +1816,7 @@ public class SelfTestSubsystem
+ 
+             // store a message in the signed audit log file
+             String auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
++                        AuditEvent.SELFTESTS_EXECUTION,
+                         ILogger.SYSTEM_UID,
+                         ILogger.FAILURE);
+ 
+@@ -1832,7 +1829,7 @@ public class SelfTestSubsystem
+ 
+             // store a message in the signed audit log file
+             String auditMessage = CMS.getLogMessage(
+-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
++                        AuditEvent.SELFTESTS_EXECUTION,
+                         ILogger.SYSTEM_UID,
+                         ILogger.FAILURE);
+ 
+-- 
+1.8.3.1
+
+
+From eb7c9139c1ab017a8749d87e163e9dcc42037fb2 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Tue, 11 Apr 2017 14:18:32 -0400
+Subject: [PATCH 49/59] Modified CRMFPopClient to use correct wrapping for
+ encrypt case
+
+When the server cannot do key wrapping using the AES KeyWrap,
+probably because the backend HSM cannot do key wrapping, then
+there is a setting to allow it to use encrypt/decrypt instead.
+
+If the key wrap algorithm is something simple like 3DES or AES-CBC,
+then the client can just use key wrapping to wrap the key on its
+token, and the server can use an encryption algorithm to decrypt.
+The client does not need to know that the server cannot handle a
+key wrap, because keywrapping and encryption are pretty much the
+same mechanism - just either in server memory or not.
+
+When we do key wrapping using AES KeyWrap though, there is no
+corresponding encryption algorithm used to decrypt.  So the server
+cannot simply decrypt a message wrapped with AES Keywrap (or at least
+not in any obvious way).  So in this case, the client needs to know
+if the server can handle keywrap.
+
+The patch therefore does the following:
+1. For CRMFPopClient, adds a command line option to specify if key
+   wrapping or encryption is required.
+2. Reads an environment variable if no option is provided.
+3. If encryption is specified, uses key wrapping using AES-CBC
+   which can be decrypted on the server side.
+4. For cert-client, contacts the server to determine from the
+   CAInfoResource if keywrapping is supported.
+
+Change-Id: If66f51c929cfde1c0ff3b9f39cb57b92fcdc150c
+---
+ .../src/com/netscape/certsrv/key/KeyClient.java    |  3 ++
+ .../netscape/certsrv/util/NSSCryptoProvider.java   |  2 +-
+ .../src/com/netscape/cmstools/CRMFPopClient.java   | 43 +++++++++++++++++++---
+ .../cmstools/client/ClientCertRequestCLI.java      | 28 ++++++++++++--
+ .../com/netscape/cmsutil/crypto/CryptoUtil.java    | 16 +-------
+ 5 files changed, 69 insertions(+), 23 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java
+index 750d270..dea44b1 100644
+--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java
++++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java
+@@ -27,6 +27,7 @@ import java.util.List;
+ import javax.ws.rs.core.Response;
+ 
+ import org.dogtagpki.common.Info;
++import org.dogtagpki.common.KRAInfoResource;
+ import org.dogtagpki.common.Version;
+ import org.mozilla.jss.crypto.EncryptionAlgorithm;
+ import org.mozilla.jss.crypto.KeyWrapAlgorithm;
+@@ -49,6 +50,7 @@ public class KeyClient extends Client {
+ 
+     public KeyResource keyClient;
+     public KeyRequestResource keyRequestClient;
++    public KRAInfoResource kraInfoClient;
+ 
+     private CryptoProvider crypto;
+     private String transportCert;
+@@ -92,6 +94,7 @@ public class KeyClient extends Client {
+     public void init() throws URISyntaxException {
+         keyClient = createProxy(KeyResource.class);
+         keyRequestClient = createProxy(KeyRequestResource.class);
++        kraInfoClient = createProxy(KRAInfoResource.class);
+     }
+ 
+     public CryptoProvider getCrypto() {
+diff --git a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java
+index 1d2edbc..be8dd24 100644
+--- a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java
++++ b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java
+@@ -140,7 +140,7 @@ public class NSSCryptoProvider extends CryptoProvider {
+         if (token == null) {
+             throw new NotInitializedException();
+         }
+-        return CryptoUtil.wrapPassphrase(token, passphrase, new IVParameterSpec(iv), key, encryptionAlgorithm);
++        return CryptoUtil.encryptPassphrase(token, passphrase, new IVParameterSpec(iv), key, encryptionAlgorithm);
+     }
+ 
+     @Override
+diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+index 9d81a72..c5da9cf 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+@@ -40,6 +40,7 @@ import org.apache.http.HttpResponse;
+ import org.apache.http.client.methods.HttpGet;
+ import org.apache.http.impl.client.DefaultHttpClient;
+ import org.apache.http.util.EntityUtils;
++import org.dogtagpki.common.KRAInfoResource;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.asn1.ASN1Util;
+ import org.mozilla.jss.asn1.BIT_STRING;
+@@ -182,6 +183,10 @@ public class CRMFPopClient {
+         option.setArgName("extractable");
+         options.addOption(option);
+ 
++        option = new Option("g", true, "KeyWrap");
++        option.setArgName("keyWrap");
++        options.addOption(option);
++
+         options.addOption("v", "verbose", false, "Run in verbose mode.");
+         options.addOption(null, "help", false, "Show help message.");
+ 
+@@ -210,6 +215,9 @@ public class CRMFPopClient {
+         System.out.println("                               - POP_NONE: without POP");
+         System.out.println("                               - POP_SUCCESS: with valid POP");
+         System.out.println("                               - POP_FAIL: with invalid POP (for testing)");
++        System.out.println("  -g <true|false>              Use KeyWrapping to wrap private key (default: true)");
++        System.out.println("                               - true: use a key wrapping algorithm");
++        System.out.println("                               - false: use an encryption algorithm");
+         System.out.println("  -b <transport cert>          PEM transport certificate (default: transport.txt)");
+         System.out.println("  -v, --verbose                Run in verbose mode.");
+         System.out.println("      --help                   Show help message.");
+@@ -302,6 +310,16 @@ public class CRMFPopClient {
+         int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1"));
+         int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1"));
+ 
++        boolean keyWrap = true;
++        if (cmd.hasOption("g")) {
++            keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g"));
++        } else {
++            String useKeyWrap = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING");
++            if (useKeyWrap != null) {
++                keyWrap = Boolean.parseBoolean(useKeyWrap);
++            }
++        }
++
+         String output = cmd.getOptionValue("o");
+ 
+         String hostPort = cmd.getOptionValue("m");
+@@ -440,8 +458,11 @@ public class CRMFPopClient {
+             String kid = CryptoUtil.byte2string(id);
+             System.out.println("Keypair private key id: " + kid);
+ 
++            String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
++                KRAInfoResource.ENCRYPT_MECHANISM;
+             if (verbose) System.out.println("Creating certificate request");
+-            CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject);
++            CertRequest certRequest = client.createCertRequest(
++                    token, transportCert, algorithm, keyPair, subject, archivalMechanism);
+ 
+             ProofOfPossession pop = null;
+ 
+@@ -550,7 +571,8 @@ public class CRMFPopClient {
+             X509Certificate transportCert,
+             String algorithm,
+             KeyPair keyPair,
+-            Name subject) throws Exception {
++            Name subject,
++            String archivalMechanism) throws Exception {
+         EncryptionAlgorithm encryptAlg = null;
+         String keyset = System.getenv("KEY_WRAP_PARAMETER_SET");
+ 
+@@ -563,7 +585,7 @@ public class CRMFPopClient {
+ 
+         byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength());
+         AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv));
+-        WrappingParams params = getWrappingParams(encryptAlg, iv);
++        WrappingParams params = getWrappingParams(encryptAlg, iv, archivalMechanism);
+ 
+         PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
+                 token,
+@@ -583,12 +605,23 @@ public class CRMFPopClient {
+         return new CertRequest(new INTEGER(1), certTemplate, seq);
+     }
+ 
+-    private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV) throws Exception {
++    private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV,
++            String archivalMechanism) throws Exception {
+         if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) {
++            KeyWrapAlgorithm wrapAlg = null;
++            IVParameterSpec wrapIVS = null;
++            if (archivalMechanism.equals(KRAInfoResource.ENCRYPT_MECHANISM)) {
++                // We will use AES_CBC_PAD as the a key wrap mechanism.  This
++                // can be decrypted using the same mechanism on the server.
++                wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD;
++                wrapIVS = new IVParameterSpec(wrapIV);
++            } else {
++                wrapAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
++            }
+             return new WrappingParams(
+                 SymmetricKey.AES, KeyGenAlgorithm.AES, 128,
+                 KeyWrapAlgorithm.RSA, encryptAlg,
+-                KeyWrapAlgorithm.AES_KEY_WRAP_PAD, null, null);
++                wrapAlg, wrapIVS, wrapIVS);
+         } else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) {
+             return new WrappingParams(
+                     SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
+diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+index 6562699..8ca857b 100644
+--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+@@ -29,6 +29,8 @@ import java.util.Vector;
+ import org.apache.commons.cli.CommandLine;
+ import org.apache.commons.cli.Option;
+ import org.apache.commons.io.FileUtils;
++import org.dogtagpki.common.CAInfoClient;
++import org.dogtagpki.common.KRAInfoResource;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.crypto.CryptoToken;
+ import org.mozilla.jss.crypto.Signature;
+@@ -245,8 +247,26 @@ public class ClientCertRequestCLI extends CLI {
+             CryptoManager manager = CryptoManager.getInstance();
+             X509Certificate transportCert = manager.importCACertPackage(transportCertData);
+ 
++            // get archival mechanism
++            CAInfoClient infoClient = new CAInfoClient(client, "ca");
++            String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
++            try {
++                archivalMechanism = infoClient.getInfo().getArchivalMechanism();
++            } catch (Exception e) {
++                // this could be an older server, check for environment variable.
++                String useKeyWrapping = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING");
++                if (useKeyWrapping != null) {
++                    if (Boolean.parseBoolean(useKeyWrapping)) {
++                        archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
++                    } else {
++                        archivalMechanism = KRAInfoResource.ENCRYPT_MECHANISM;
++                    }
++                }
++            }
++
+             csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding,
+-                    algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop);
++                    algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop,
++                    archivalMechanism);
+ 
+         } else {
+             throw new Exception("Unknown request type: " + requestType);
+@@ -387,7 +407,8 @@ public class ClientCertRequestCLI extends CLI {
+             boolean temporary,
+             int sensitive,
+             int extractable,
+-            boolean withPop
++            boolean withPop,
++            String archivalMechanism
+             ) throws Exception {
+ 
+         CryptoManager manager = CryptoManager.getInstance();
+@@ -408,7 +429,8 @@ public class ClientCertRequestCLI extends CLI {
+             throw new Exception("Unknown algorithm: " + algorithm);
+         }
+ 
+-        CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject);
++        CertRequest certRequest = client.createCertRequest(
++                token, transportCert, algorithm, keyPair, subject, archivalMechanism);
+ 
+         ProofOfPossession pop = null;
+         if (withPop) {
+diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+index 3588852..d22856d 100644
+--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+@@ -1962,7 +1962,7 @@ public class CryptoUtil {
+         return decodedData;
+     }
+ 
+-    public static byte[] wrapPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk,
++    public static byte[] encryptPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk,
+             EncryptionAlgorithm alg)
+             throws NoSuchAlgorithmException, TokenException, InvalidKeyException,
+             InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, IOException {
+@@ -2010,17 +2010,6 @@ public class CryptoUtil {
+         return encodePKIArchiveOptions(opts);
+     }
+ 
+-    /* Used to create PKIArchiveOptions for wrapped symmetric key */
+-    public static PKIArchiveOptions createPKIArchiveOptions(
+-            CryptoToken token,
+-            PublicKey wrappingKey,
+-            SymmetricKey data,
+-            WrappingParams params,
+-            AlgorithmIdentifier aid) throws Exception {
+-         return createPKIArchiveOptionsInternal(
+-                 token, wrappingKey, null, null, data, params, aid);
+-    }
+-
+     public static byte[] createEncodedPKIArchiveOptions(
+             CryptoToken token,
+             PublicKey wrappingKey,
+@@ -2068,10 +2057,9 @@ public class CryptoUtil {
+                 params.getSkLength(),
+                 null,
+                 false);
+-
+         byte[] key_data;
+         if (passphraseData != null) {
+-            key_data = wrapPassphrase(
++            key_data = encryptPassphrase(
+                     token,
+                     passphraseData,
+                     params.getPayloadEncryptionIV(),
+-- 
+1.8.3.1
+
+
+From d9d8b19bef7c91c2e3d33618869ea6426ecb4a36 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 12 Apr 2017 21:44:31 +0200
+Subject: [PATCH 50/59] Updated CMS.getLogMessage().
+
+The CMS.getLogMessage() has been generalized to take an array of
+Objects instead of Strings.
+
+Change-Id: Ifcb96d47983a67961efa27325b8ae0a88d9e0231
+---
+ base/common/src/com/netscape/certsrv/apps/CMS.java                  | 2 +-
+ base/common/src/com/netscape/certsrv/apps/ICMSEngine.java           | 2 +-
+ base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java    | 2 +-
+ base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
+index d2210df..8f1d648 100644
+--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
++++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
+@@ -701,7 +701,7 @@ public final class CMS {
+      * @param p an array of parameters
+      * @return localized log message
+      */
+-    public static String getLogMessage(String msgID, String p[]) {
++    public static String getLogMessage(String msgID, Object p[]) {
+         return _engine.getLogMessage(msgID, p);
+     }
+ 
+diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+index 97fc467..3655b03 100644
+--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
++++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+@@ -334,7 +334,7 @@ public interface ICMSEngine extends ISubsystem {
+      * @param p an array of parameters
+      * @return localized log message
+      */
+-    public String getLogMessage(String msgID, String p[]);
++    public String getLogMessage(String msgID, Object p[]);
+ 
+     /**
+      * Retrieves the centralized log message from LogMessages.properties.
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+index 90ee8b9..ef9a6a2 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+@@ -1583,7 +1583,7 @@ public class CMSEngine implements ICMSEngine {
+         return getUserMessage(locale, msgID, params);
+     }
+ 
+-    public String getLogMessage(String msgID, String params[]) {
++    public String getLogMessage(String msgID, Object params[]) {
+         ResourceBundle rb = ResourceBundle.getBundle(
+                 "LogMessages");
+         String msg = rb.getString(msgID);
+diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
+index d6305cb..dd28adb 100644
+--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
++++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
+@@ -211,7 +211,7 @@ public class CMSEngineDefaultStub implements ICMSEngine {
+         return null;
+     }
+ 
+-    public String getLogMessage(String msgID, String p[]) {
++    public String getLogMessage(String msgID, Object p[]) {
+         return null;
+     }
+ 
+-- 
+1.8.3.1
+
+
+From 92b68d7ab3f58ad80a545f550f0598de2c43da2c Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 13 Apr 2017 01:45:37 +0200
+Subject: [PATCH 51/59] Added methods to log AuditEvent object.
+
+New audit(AuditEvent) methods have been added alongside the
+existing audit(String) methods.
+
+Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
+---
+ base/ca/src/com/netscape/ca/CAService.java         | 10 ++++++++++
+ .../src/com/netscape/kra/AsymKeyGenService.java    | 10 ++++++++++
+ .../src/com/netscape/kra/EnrollmentService.java    | 10 ++++++++++
+ .../src/com/netscape/kra/KeyRecoveryAuthority.java | 10 ++++++++++
+ .../src/com/netscape/kra/NetkeyKeygenService.java  | 10 ++++++++++
+ .../com/netscape/kra/SecurityDataProcessor.java    | 10 ++++++++++
+ .../kra/src/com/netscape/kra/SymKeyGenService.java | 10 ++++++++++
+ .../com/netscape/kra/TokenKeyRecoveryService.java  |  9 +++++++++
+ .../com/netscape/cms/authentication/CMCAuth.java   | 10 ++++++++++
+ .../cms/src/com/netscape/cms/logging/LogFile.java  | 10 ++++++++++
+ .../netscape/cms/profile/common/BasicProfile.java  | 11 +++++++++++
+ .../netscape/cms/profile/input/EnrollInput.java    | 10 ++++++++++
+ .../cms/profile/updater/SubsystemGroupUpdater.java | 14 +++++++++++--
+ .../cms/src/com/netscape/cms/realm/PKIRealm.java   | 10 ++++++++++
+ .../com/netscape/cms/servlet/base/CMSServlet.java  | 10 ++++++++++
+ .../cms/servlet/connector/ConnectorServlet.java    | 10 ++++++++++
+ .../cms/servlet/processors/CAProcessor.java        | 10 ++++++++++
+ .../cms/servlet/processors/PKIProcessor.java       | 23 ++++++++++++++++------
+ .../org/dogtagpki/server/rest/ACLInterceptor.java  | 10 ++++++++++
+ .../src/com/netscape/cmscore/cert/CertUtils.java   | 10 ++++++++++
+ .../src/com/netscape/cmscore/logging/Auditor.java  | 11 +++++++++++
+ .../cmscore/selftests/SelfTestSubsystem.java       | 10 ++++++++++
+ .../server/tps/processor/TPSProcessor.java         | 10 ++++++++++
+ 23 files changed, 240 insertions(+), 8 deletions(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
+index 5b364b8..2ad1967 100644
+--- a/base/ca/src/com/netscape/ca/CAService.java
++++ b/base/ca/src/com/netscape/ca/CAService.java
+@@ -1177,6 +1177,16 @@ public class CAService implements ICAService, IService {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     /**
+      * Signed Audit Log Subject ID
+      *
+diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+index 75e340c..bd2be70 100644
+--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+@@ -228,6 +228,16 @@ public class AsymKeyGenService implements IService {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     private void auditAsymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID,
+             String clientKeyID,
+             String keyID, String reason) {
+diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
+index d2748a2..7c179d4 100644
+--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
+@@ -1034,4 +1034,14 @@ public class EnrollmentService implements IService {
+                 ILogger.LL_SECURITY,
+                 msg);
+     }
++
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
+ }
+diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+index b6e4376..1df04db 100644
+--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+@@ -1570,6 +1570,16 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     /**
+      * Signed Audit Log Subject ID
+      *
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index 665ff19..4926873 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -708,4 +708,14 @@ public class NetkeyKeygenService implements IService {
+                 ILogger.LL_SECURITY,
+                 msg);
+     }
++
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
+ }
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index 78d64c5..05dccb9 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -770,6 +770,16 @@ public class SecurityDataProcessor {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
+             String keyID, String reason) {
+         String auditMessage = CMS.getLogMessage(
+diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+index f700a79..0dfd3a2 100644
+--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+@@ -247,6 +247,16 @@ public class SymKeyGenService implements IService {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
+             String keyID, String reason) {
+         String auditMessage = CMS.getLogMessage(
+diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+index b710291..67f4dc6 100644
+--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+@@ -733,4 +733,13 @@ public class TokenKeyRecoveryService implements IService {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+index 02aceb4..b898353 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+@@ -1073,6 +1073,16 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     /**
+      * Signed Audit Log Subject ID
+      *
+diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+index 989fece..772607e 100644
+--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
++++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+@@ -1541,4 +1541,14 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
+                                 ILogger.LL_SECURITY,
+                                 msg);
+     }
++
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
+index ff97bfa..e6fc045 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
+@@ -30,6 +30,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.common.NameValuePairs;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.ERejectException;
+@@ -1173,6 +1174,16 @@ public abstract class BasicProfile implements IProfile {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     /**
+      * Signed Audit Log Subject ID
+      *
+diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
+index 81e71c4..84a6398 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
++++ b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
+@@ -263,6 +263,16 @@ public abstract class EnrollInput implements IProfileInput {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     /**
+      * Signed Audit Log Subject ID
+      *
+diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+index 2f47efa..7daa8e4 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
++++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+@@ -21,8 +21,6 @@ import java.util.Enumeration;
+ import java.util.Locale;
+ import java.util.Vector;
+ 
+-import netscape.security.x509.X509CertImpl;
+-
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.ConflictingOperationException;
+ import com.netscape.certsrv.base.EBaseException;
+@@ -42,6 +40,8 @@ import com.netscape.certsrv.usrgrp.IGroup;
+ import com.netscape.certsrv.usrgrp.IUGSubsystem;
+ import com.netscape.certsrv.usrgrp.IUser;
+ 
++import netscape.security.x509.X509CertImpl;
++
+ /**
+  * This updater class will create the new user to the subsystem group and
+  * then add the subsystem certificate to the user.
+@@ -279,6 +279,16 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     private String auditSubjectID() {
+         if (mSignedAuditLogger == null) {
+             return null;
+diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+index 28fb0b9..bcd3ff8 100644
+--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
++++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+@@ -227,4 +227,14 @@ public class PKIRealm extends RealmBase {
+                 ILogger.LL_SECURITY,
+                 msg);
+     }
++
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+index c7fc03b..a007a00 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+@@ -2068,6 +2068,16 @@ public abstract class CMSServlet extends HttpServlet {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     /**
+      * Signed Audit Log Subject ID
+      *
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+index 2299e60..13c732b 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+@@ -1025,6 +1025,16 @@ public class ConnectorServlet extends CMSServlet {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     /**
+      * Signed Audit Log Profile ID
+      *
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index ad79cbb..8c4fef1 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -945,6 +945,16 @@ public class CAProcessor extends Processor {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     /**
+      * Signed Audit Log Requester ID
+      *
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java
+index bea8993..e6ee2db 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java
+@@ -23,12 +23,6 @@ import java.util.Date;
+ 
+ import javax.servlet.http.HttpServletRequest;
+ 
+-import netscape.security.x509.CertificateExtensions;
+-import netscape.security.x509.CertificateSubjectName;
+-import netscape.security.x509.CertificateValidity;
+-import netscape.security.x509.X500Name;
+-import netscape.security.x509.X509CertInfo;
+-
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.authentication.AuthToken;
+ import com.netscape.certsrv.authentication.IAuthToken;
+@@ -36,11 +30,18 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.common.ICMSRequest;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.common.ECMSGWException;
+ 
++import netscape.security.x509.CertificateExtensions;
++import netscape.security.x509.CertificateSubjectName;
++import netscape.security.x509.CertificateValidity;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertInfo;
++
+ /**
+  * Process Certificate Requests
+  *
+@@ -316,6 +317,16 @@ public class PKIProcessor implements IPKIProcessor {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     /**
+      * Signed Audit Log Subject ID
+      *
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+index 86996d5..331bae1 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+@@ -351,4 +351,14 @@ public class ACLInterceptor implements ContainerRequestFilter {
+                 ILogger.LL_SECURITY,
+                 msg);
+     }
++
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
+ }
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
+index e1c4c76..6691f7a 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
+@@ -1102,4 +1102,14 @@ public class CertUtils {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+ }
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
+index 8c99e67..48dfe3a 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
+@@ -24,6 +24,7 @@ import java.util.Map;
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.common.Constants;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.IAuditor;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.usrgrp.IGroup;
+@@ -218,4 +219,14 @@ public class Auditor implements IAuditor {
+                 ILogger.LL_SECURITY,
+                 message);
+     }
++
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        log(message);
++    }
+ }
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+index 95556b9..6ee3176 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+@@ -127,6 +127,16 @@ public class SelfTestSubsystem
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     /**
+      * This helper method returns the "full" property name (the corresponding
+      * substore name prepended in front of the plugin/parameter name). This
+diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+index 910a263..0cfac59 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+@@ -4264,6 +4264,16 @@ public class TPSProcessor {
+                 msg);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     public static void main(String[] args) {
+     }
+ 
+-- 
+1.8.3.1
+
+
+From 164087b1fc302dd8b125cd52e9e55f54ea97e09d Mon Sep 17 00:00:00 2001
+From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
+Date: Fri, 24 Mar 2017 15:56:17 -0700
+Subject: [PATCH 52/59] SCP03 support for g&d sc 7 card.
+
+This allows the use of the g&d 7 card.
+This will require the following:
+
+1. An out of band method is needed to generate an AES based master key.
+We do not as of yet have support with tkstool for this:
+
+Ex:
+
+/usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16
+
+2. There are some new config params that can be adjusted to support either the 6.0 or 7.0 cards:
+
+Ex:
+
+tks.defKeySet._005=## tks.prot3   , protocol 3 specific settings
+tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one.
+tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset
+tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys.
+tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key.
+tks.defKeySet._010=##
+tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings
+tks.defKeySet._013=## Smart Cafe 6 settings:
+tks.defKeySet._014=##    tks.defKeySet.prot3.divers=emv
+tks.defKeySet._015=##    tks.defKeySet.prot3.diversVer1Keys=emv
+tks.defKeySet._016=##    tks.defKeySet.prot3.devKeyType=DES3
+tks.defKeySet._017=##    tks.defKeySet.prot3.masterKeyType=DES3
+tks.defKeySet._018=##Smart Cafe 7 settings:
+tks.defKeySet._019=##    tks.defKeySet.prot3.divers=none
+tks.defKeySet._020=##    tks.defKeySet.prot3.diversVer1Keys=none
+tks.defKeySet._021=##    tks.defKeySet.prot3.devKeyType=AES
+tks.defKeySet._022=##    tks.defKeySet.prot3.masterKeyType=AES
+tks.defKeySet._023=##
+tks.defKeySet._024=##
+---
+ .../src/com/netscape/cms/servlet/tks/GPParams.java |  21 ++++
+ .../netscape/cms/servlet/tks/NistSP800_108KDF.java | 114 +++++----------------
+ .../cms/servlet/tks/SecureChannelProtocol.java     | 107 ++++++++++++++-----
+ .../com/netscape/cms/servlet/tks/TokenServlet.java |  20 ++++
+ base/tks/shared/conf/CS.cfg                        |  24 +++++
+ base/tps/shared/conf/CS.cfg                        |   2 +-
+ 6 files changed, 174 insertions(+), 114 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java b/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java
+index f16481b..bda4e66 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java
+@@ -30,6 +30,8 @@ public class GPParams {
+     public static String DIVER_NONE = "none";
+     public static String DIVER_VISA2 = "visa2";
+     public static String NIST_SP800 = "nistsp_800";
++    public static String AES = "AES";
++    public static String DES3 ="DES3";
+ 
+     public GPParams() {
+     }
+@@ -39,6 +41,25 @@ public class GPParams {
+     //Diversification scheme for just version one or developer keys
+     private String version1DiversificationScheme;
+ 
++    private String devKeyType;
++    private String masterKeyType;
++
++    public String getDevKeyType() {
++        return devKeyType;
++    }
++
++    public String getMasterKeyType() {
++        return masterKeyType;
++    }
++
++    public void setDevKeyType(String newType) {
++        devKeyType = newType;
++    }
++
++    public void setMasterKeyType(String newType) {
++        masterKeyType = newType;
++    }
++
+     public boolean isDiversEmv() {
+         if (DIVER_EMV.equalsIgnoreCase(diversificationScheme))
+             return true;
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java b/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
+index ad4a370..1f2c1b5 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
+@@ -461,8 +461,8 @@ public class NistSP800_108KDF extends KDF {
+     // Collection of informal invocations of api used to create various session keys
+     // Done with test data.
+     public static void main(String[] args) {
+-/*
+-      Options options = new Options();
++
++  /*   Options options = new Options();
+ 
+         options.addOption("d", true, "Directory for tokendb");
+ 
+@@ -474,15 +474,20 @@ public class NistSP800_108KDF extends KDF {
+                 (byte) 0x4f };
+ 
+         byte test_cuid[] = { (byte) 0x47,(byte) 0x90,(byte)0x50,(byte)0x37,(byte)0x72,(byte)0x71,(byte)0x97,(byte)0x00,(byte)0x74,(byte)0xA9 };
+-        byte test_kdd[] = { (byte)0x00, (byte)0x00, (byte)0x50, (byte)0x24,(byte) 0x97,(byte) 0x00,(byte) 0x74, (byte) 0xA9, (byte)0x72,(byte)0x71 };
++        byte test_kdd[] = { 0x00 ,0x00, 0x04 ,(byte)0x47 ,0x00 ,(byte)0x1F ,0x00 ,(byte)0x46 ,(byte)0xA7 ,0x02 };
++
+ 
++        byte test_host_challenge[]  = { (byte)0x2F ,(byte)0xB7 ,(byte)0x9F ,(byte)0xB7 ,(byte)0x04 ,(byte)0xFA ,(byte)0x60 ,(byte)0xE8 };
++        byte test_card_challenge[]  = { (byte)0xB9,(byte) 0x69 ,(byte)0xB0 ,(byte)0xCA ,(byte)0x37 ,(byte)0x27 ,(byte)0x2F ,(byte)0x89};
+ 
+-        byte test_host_challenge[]  = { 0x06 ,(byte)0xA4 ,0x46 ,0x57 ,(byte) 0x8B ,0x65 ,0x48 ,0x51 };
+-        byte test_card_challenge[]  = { (byte) 0xAD ,(byte) 0x2E ,(byte)0xD0 ,0x1E ,0x7C ,0x2D ,0x0C ,0x6F};
++        byte test_host_challenge_1[] = { (byte)0xD9 ,(byte)0xA0 ,(byte)0x0E ,(byte)0x36 ,(byte)0x69 ,(byte)0x67 ,(byte)0xFA ,(byte)0xFB };
++        byte test_card_challenge_1[] = {(byte)0x08 ,(byte) 0xF3 ,(byte) 0xE2 ,(byte)0xC3 ,0x72 ,(byte)0xF0 ,(byte)0xBE ,0x26 };
+ 
+-        byte test_key_info[] = { (byte) 0x02,(byte) 03,(byte) 00 };
++        byte test_key_info[] = { (byte) 0x01,(byte) 03,(byte) 70 };
+         byte test_old_key_info[] = {0x01,0x03,0x00};
+ 
++        byte test_sequence_counter[] = { 0x00 ,0x00 ,0x06 };
++
+         try {
+             CommandLineParser parser = new DefaultParser();
+             CommandLine cmd = parser.parse(options, args);
+@@ -500,11 +505,6 @@ public class NistSP800_108KDF extends KDF {
+         SymmetricKey macKey = null;
+         SymmetricKey kekKey = null;
+ 
+-        SymmetricKey putEncKey = null;
+-        SymmetricKey putMacKey = null;
+-        SymmetricKey putKekKey = null;
+-
+-        SymmetricKey tempKey = null;
+ 
+         try {
+             CryptoManager.initialize(db_dir);
+@@ -512,113 +512,55 @@ public class NistSP800_108KDF extends KDF {
+ 
+             CryptoToken token = cm.getInternalKeyStorageToken();
+ 
+-           KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.AES);
+-
+-            SymmetricKey.Usage usages[] = new SymmetricKey.Usage[4];
+-            usages[0] = SymmetricKey.Usage.WRAP;
+-            usages[1] = SymmetricKey.Usage.UNWRAP;
+-            usages[2] = SymmetricKey.Usage.ENCRYPT;
+-            usages[3] = SymmetricKey.Usage.DECRYPT;
+-
+-            kg.setKeyUsages(usages);
+-            kg.temporaryKeys(true);
+-            kg.initialize(128);
+-            tempKey = kg.generate();
+-
+-
+-            Cipher encryptor = token.getCipherContext(EncryptionAlgorithm.AES_128_CBC);
+-
+-            int ivLength = EncryptionAlgorithm.AES_128_CBC.getIVLength();
+-            byte[] iv = null;
+-
+-            if (ivLength > 0) {
+-                iv = new byte[ivLength]; // all zeroes
+-            }
+-
+-            encryptor.initEncrypt(tempKey, new IVParameterSpec(iv));
+-            byte[] wrappedKey = encryptor.doFinal(devKey);
+-
+-            KeyWrapper keyWrap = token.getKeyWrapper(KeyWrapAlgorithm.AES_CBC);
+-            keyWrap.initUnwrap(tempKey, new IVParameterSpec(iv));
+-
+-            encKey = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES3, 16);
+-            macKey = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES3, 16);
+-            kekKey = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES3, 16);
+-
+             String transportName = "TPS-dhcp-16-206.sjc.redhat.com-8443 sharedSecret";
+             SecureChannelProtocol prot = new SecureChannelProtocol(SecureChannelProtocol.PROTOCOL_THREE);
+ 
+             SymmetricKey masterKey =  SecureChannelProtocol.getSymKeyByName(token,"new_master");
+ 
+             GPParams params = new GPParams();
+-            params.setVersion1DiversificationScheme("visa2");
+-            params.setDiversificationScheme("visa2");
+-
+-            putEncKey = prot.computeSessionKey_SCP03("internal", "new_master",test_old_key_info,
+-                    SecureChannelProtocol.encType, devKey, "defKeySet", test_cuid, test_kdd, null, null,
+-                    transportName,params);
+-
+-            putMacKey = prot.computeSessionKey_SCP03("internal", "new_master",test_old_key_info,
+-                    SecureChannelProtocol.macType, devKey, "defKeySet", test_cuid, test_kdd, null, null,
+-                    transportName,params);
+-
+-            putKekKey = prot.computeSessionKey_SCP03("internal", "new_master",test_old_key_info,
+-                    SecureChannelProtocol.kekType, devKey, "defKeySet", test_cuid, test_kdd, null, null,
+-                    transportName,params);
++            params.setVersion1DiversificationScheme("emv");
++            params.setDiversificationScheme("emv");
++            params.setDevKeyType(GPParams.AES);
++            params.setMasterKeyType(GPParams.AES);
+ 
+             //create test session keys
+-            encKey = prot.computeSessionKey_SCP03("internal", "new_master",test_key_info,
+-                    SecureChannelProtocol.encType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge, test_card_challenge,
++            encKey = prot.computeSessionKey_SCP03("internal", "#01#03#70",test_key_info,
++                    SecureChannelProtocol.encType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge_1, test_card_challenge_1,
+                     transportName,params);
+ 
+-            macKey = prot.computeSessionKey_SCP03("internal", "new_master",test_key_info,
+-                    SecureChannelProtocol.macType,devKey,"defKeySet", test_cuid, test_kdd, test_host_challenge, test_card_challenge,
++            macKey = prot.computeSessionKey_SCP03("internal", "#01#03#70",test_key_info,
++                    SecureChannelProtocol.macType,devKey,"defKeySet", test_cuid, test_kdd, test_host_challenge_1, test_card_challenge_1,
+                     transportName,params);
+ 
+-            kekKey = prot.computeSessionKey_SCP03("internal", "new_master",test_key_info,
+-                    SecureChannelProtocol.kekType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge, test_card_challenge,
++            kekKey = prot.computeSessionKey_SCP03("internal", "#01#03#70",test_key_info,
++                    SecureChannelProtocol.kekType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge_1, test_card_challenge_1,
+                     transportName,params);
+ 
+             System.out.println("masterKey: " + masterKey);
+ 
+             System.out.println("\n");
+ 
+-            SecureChannelProtocol.debugByteArray(putEncKey.getKeyData(), " derived putEnc session key data: ");
+-            SecureChannelProtocol.debugByteArray(putMacKey.getKeyData(), " derived putMac session key data: ");
+-            SecureChannelProtocol.debugByteArray(putKekKey.getKeyData(), " derived putKek session key data: ");
+-
+-            System.out.println("\n");
+ 
+             SecureChannelProtocol.debugByteArray(encKey.getKeyData(), " derived enc session key data: ");
+             SecureChannelProtocol.debugByteArray(macKey.getKeyData(), " derived mac session key data: ");
+             SecureChannelProtocol.debugByteArray(kekKey.getKeyData(), " derived kek session key data: ");
+ 
+-            ByteArrayOutputStream contextStream = new ByteArrayOutputStream();
+-            try {
+-                contextStream.write(test_host_challenge);
+-                contextStream.write(test_card_challenge);
+-            } catch (IOException e) {
+-            }
+-
+-            StandardKDF standard = new StandardKDF(prot);
+ 
+             ByteArrayOutputStream testContext = new ByteArrayOutputStream();
+ 
+-            testContext.write(test_host_challenge);
+-            testContext.write(test_card_challenge);
++            testContext.write(test_host_challenge_1);
++            testContext.write(test_card_challenge_1);
++
++            SecureChannelProtocol.debugByteArray(testContext.toByteArray(), "Test context bytes: ");
+ 
+-            NistSP800_108KDF  nistKdf = new NistSP800_108KDF(prot);
+ 
+-            byte[] finalEncBytes = nistKdf.kdf_AES_CMAC_SCP03(encKey, testContext.toByteArray(), (byte) 0x04, 16);
+-            byte[] finalMacBytes = nistKdf.kdf_AES_CMAC_SCP03(macKey, testContext.toByteArray(), (byte) 0x06, 16);
++            NistSP800_108KDF  nistKdf = new NistSP800_108KDF(prot);
+ 
+-            SymmetricKey sEnc  = prot.unwrapAESSymKeyOnToken(token, finalEncBytes, false);
+-            SymmetricKey sMac  = macKey = prot.unwrapAESSymKeyOnToken(token, finalMacBytes, false);
+ 
+-            byte[] cardCryptoVerify = nistKdf.kdf_AES_CMAC_SCP03(sMac, testContext.toByteArray(), CARD_CRYPTO_KDF_CONSTANT, 8);
++            byte[] cardCryptoVerify = nistKdf.kdf_AES_CMAC_SCP03(macKey, testContext.toByteArray(), CARD_CRYPTO_KDF_CONSTANT, 8);
+             SecureChannelProtocol.debugByteArray(cardCryptoVerify, " calculated card cryptogram");
+ 
+-            byte[] hostCrypto = nistKdf.kdf_AES_CMAC_SCP03(sMac, testContext.toByteArray(), HOST_CRYPTO_KDF_CONSTANT, 8);
++            byte[] hostCrypto = nistKdf.kdf_AES_CMAC_SCP03(macKey, testContext.toByteArray(), HOST_CRYPTO_KDF_CONSTANT, 8);
+             SecureChannelProtocol.debugByteArray(hostCrypto, " calculated host cryptogram");
+ 
+         } catch (AlreadyInitializedException e) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
+index 371e734..ef0c61b 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
+@@ -36,6 +36,7 @@ public class SecureChannelProtocol {
+     static String sharedSecretKeyName = null;
+     static String masterKeyPrefix = null;
+ 
++    static final int DEF_AES_KEYLENGTH = 16;
+     static final int KEYLENGTH = 16;
+     static final int PREFIXLENGHT = 128;
+     static final int DES2_LENGTH = 16;
+@@ -288,7 +289,9 @@ public class SecureChannelProtocol {
+ 
+         {
+             String finalKeyType = keyType;
+-            SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray);
++            String devKeyType = params.getDevKeyType();
++            CMS.debug(method + " Developer key set case: incoming dev key type: " + devKeyType);
++            SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray,devKeyType);
+ 
+             StandardKDF standard = new StandardKDF(this);
+             SymmetricKey divKey = null;
+@@ -297,22 +300,31 @@ public class SecureChannelProtocol {
+ 
+             //Consult the config to determine with diversification method to use.
+             if (params.isVer1DiversNone()) {
++                CMS.debug(method + " No diversifcation requested. ");
+                 noDivers = true;
+             } else if (params.isVer1DiversEmv()) {
++                CMS.debug(method + " EMV diversification requested. ");
+                 keyDiversified = KDF.getDiversificationData_EMV(xKDD, keyType);
+             } else if (params.isVer1DiversVisa2()) {
++                CMS.debug(method + " Visa2 diversification requested.");
+                 keyDiversified = KDF.getDiversificationData_VISA2(xKDD, keyType);
+             } else {
+                 throw new EBaseException(method + " Invalid diversification method!");
+             }
+ 
+             //Obtain the card key,it may just be the raw developer key
+-            if (noDivers == true) {
+-                divKey = unwrapAESSymKeyOnToken(token, devKeyArray, false);
++            if (noDivers == true || GPParams.AES.equalsIgnoreCase(devKeyType)) {
++                divKey = devSymKey;
+             } else {
+ 
+                 // The g&d calls for computing the aes card key with DES, it will then be treated as aes
+-                divKey = standard.computeCardKey_SCP03_WithDES3(devSymKey, keyDiversified, token);
++                // Right now if the dev key type is AES, we do not support any diversification
++
++                if (GPParams.DES3.equalsIgnoreCase(devKeyType)) {
++                    divKey = standard.computeCardKey_SCP03_WithDES3(devSymKey, keyDiversified, token);
++                } else {
++                    throw new EBaseException(method + " Invalid devolper key type. Does not support diversification: "+ devKeyType);
++                }
+             }
+ 
+             NistSP800_108KDF nistKdf = new NistSP800_108KDF(this);
+@@ -338,22 +350,35 @@ public class SecureChannelProtocol {
+ 
+             masterKey = getSymKeyByName(token, keyNameStr);
+ 
++            String masterKeyType = params.getMasterKeyType();
++
++            CMS.debug(method + " Master key case: requested master key type: " + masterKeyType);
++
+             StandardKDF standard = new StandardKDF(this);
+ 
+             byte[] keyDiversified = null;
+ 
+             if (params.isDiversNone()) {
+-                throw new EBaseException(method + " No diversification requested in master key mode. Aborting...");
++                if (GPParams.AES.equalsIgnoreCase(masterKeyType)) {
++                    CMS.debug(method + " Master key case: no diversification requested: With master key type of AES ");
++                }
++                else {
++                    throw new EBaseException(method + " No diversification requested in master key mode. With master key type of DES3: Aborting...");
++                }
+             } //Allow choice of emv or standard diversification
+             else if (params.isDiversEmv()) {
+                 keyDiversified = KDF.getDiversificationData_EMV(xKDD, keyType);
+             } else if (params.isDiversVisa2()) {
+                 keyDiversified = KDF.getDiversificationData_VISA2(xKDD, keyType);
+             }
+-
+             SymmetricKey divKey = null;
+ 
+-            divKey = standard.computeCardKey_SCP03_WithDES3(masterKey, keyDiversified, token);
++            if(GPParams.AES.equalsIgnoreCase(masterKeyType)) {
++                CMS.debug(method + " master key case with AES type.");
++                divKey = masterKey;
++            } else {
++                divKey = standard.computeCardKey_SCP03_WithDES3(masterKey, keyDiversified, token);
++            }
+ 
+             NistSP800_108KDF nistKdf = new NistSP800_108KDF(this);
+             // The kek session key does not call for derivation
+@@ -488,11 +513,11 @@ public class SecureChannelProtocol {
+ 
+             String finalKeyType = keyType;
+ 
+-            SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray);
++            SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray,"DES3");
+ 
+             // Create the auth with is the same as enc, might need it later.
+             if (keyType.equals(encType)) {
+-                returnDeveloperSymKey(token, authType, keySet, devKeyArray);
++                returnDeveloperSymKey(token, authType, keySet, devKeyArray,"DES3");
+             }
+ 
+             if (noDerive == true) {
+@@ -672,14 +697,25 @@ public class SecureChannelProtocol {
+     From that point it is a simple matter of retrieving  the desired key from the token.
+     No security advantage is implied or desired here.
+     */
+-    public SymmetricKey returnDeveloperSymKey(CryptoToken token, String keyType, String keySet, byte[] inputKeyArray)
++    public SymmetricKey returnDeveloperSymKey(CryptoToken token, String keyType, String keySet, byte[] inputKeyArray, String keyAlg)
+             throws EBaseException {
+ 
+         SymmetricKey devKey = null;
+ 
+         String method = "SecureChannelProtocol.returnDeveloperSymKey:";
+ 
+-        String devKeyName = keySet + "-" + keyType + "Key";
++        boolean isAES = false;
++        String finalAlg = null;
++        if(keyAlg == null) {
++            finalAlg = "DES3";
++        }
++
++        if(keyAlg.equalsIgnoreCase("AES")) {
++            isAES = true;
++            finalAlg = "AES";
++        }
++
++        String devKeyName = keySet + "-" + keyType + "Key"  + "-" + finalAlg;
+         CMS.debug(method + " entering.. searching for key: " + devKeyName);
+ 
+         if (token == null || keyType == null || keySet == null) {
+@@ -706,22 +742,31 @@ public class SecureChannelProtocol {
+ 
+             CMS.debug(method + " inputKeyArray.length: " + inputLen);
+ 
+-            if (inputLen != DES3_LENGTH && inputLen != DES2_LENGTH) {
+-                throw new EBaseException(method + "invalid input key length!");
+-            }
++            if (!isAES) {
++                if (inputLen != DES3_LENGTH && inputLen != DES2_LENGTH) {
++                    throw new EBaseException(method + "invalid input key length!");
++                }
++
++                if (inputLen == DES2_LENGTH) {
++                    des3InputKey = new byte[DES3_LENGTH];
++                    System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES2_LENGTH);
++                    System.arraycopy(inputKeyArray, 0, des3InputKey, DES2_LENGTH, EIGHT_BYTES);
++
++                } else {
++                    System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES3_LENGTH);
++                }
++
++                SecureChannelProtocol.debugByteArray(des3InputKey, "Developer key to import: " + keyType + ": ");
+ 
+-            if (inputLen == DES2_LENGTH) {
+-                des3InputKey = new byte[DES3_LENGTH];
+-                System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES2_LENGTH);
+-                System.arraycopy(inputKeyArray, 0, des3InputKey, DES2_LENGTH, EIGHT_BYTES);
++                devKey = unwrapSymKeyOnToken(token, des3InputKey, true);
+ 
+             } else {
+-                System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES3_LENGTH);
+-            }
+ 
+-            SecureChannelProtocol.debugByteArray(des3InputKey, "Developer key to import: " + keyType + ": ");
++                if(inputLen == DEF_AES_KEYLENGTH) { // support 128 bits for now
++                    devKey = unwrapAESSymKeyOnToken(token, inputKeyArray, true);
++                }
++            }
+ 
+-            devKey = unwrapSymKeyOnToken(token, des3InputKey, true);
+             devKey.setNickName(devKeyName);
+         } else {
+             CMS.debug(method + " Found sym key: " + devKeyName);
+@@ -1823,9 +1868,9 @@ public class SecureChannelProtocol {
+             //This is the case where we revert to the original developer key set or key set 1
+             if (protocol == PROTOCOL_ONE) {
+                 CMS.debug(method + " Special case returning to the dev key set (1) for DiversifyKey, protocol 1!");
+-                encKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.encType, keySet, null);
+-                macKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.macType, keySet, null);
+-                kekKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.kekType, keySet, null);
++                encKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.encType, keySet, null,"DES3");
++                macKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.macType, keySet, null,"DES3");
++                kekKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.kekType, keySet, null,"DES3");
+             } else if (protocol == PROTOCOL_THREE) {
+                 CMS.debug(method + " Special case or returning to the dev key set (or ver 1) for DiversifyKey, protocol 3!");
+                 encKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo,
+@@ -1920,7 +1965,15 @@ public class SecureChannelProtocol {
+ 
+             CMS.debug(method + " old kek sym key is null");
+ 
+-            old_kek_sym_key = returnDeveloperSymKey(token, SecureChannelProtocol.kekType, keySet, kekKeyArray);
++            String devKeyType = null;
++
++            if(protocol == PROTOCOL_THREE) {
++                devKeyType = params.getDevKeyType();
++            } else {
++                devKeyType = "DES3";
++            }
++
++            old_kek_sym_key = returnDeveloperSymKey(token, SecureChannelProtocol.kekType, keySet, kekKeyArray, devKeyType);
+ 
+             output = createKeySetDataWithSymKeys(newKeyVersion, (byte[]) null,
+                     old_kek_sym_key,
+@@ -2070,7 +2123,7 @@ public class SecureChannelProtocol {
+             throw new EBaseException(method + " Can't compose final output byte array!");
+         }
+ 
+-        //SecureChannelProtocol.debugByteArray(output, " Final output to createKeySetData: ");
++        SecureChannelProtocol.debugByteArray(output, " Final output to createKeySetData: ");
+         CMS.debug(method + " returning output");
+ 
+         return output;
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
+index 3915b73..1377055 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
+@@ -3184,6 +3184,26 @@ public class TokenServlet extends CMSServlet {
+         params.setVersion1DiversificationScheme(diversVer1Keys);
+         CMS.debug(method + " Version 1 keys Divers: " + divers);
+ 
++        String keyType = null;
++        try {
++            keyType = CMS.getConfigStore().getString(gp3Settings + ".devKeyType","DES3");
++        } catch (EBaseException e) {
++        }
++
++        CMS.debug(method + " devKeyType: " + keyType);
++
++        params.setDevKeyType(keyType);
++
++        try {
++            keyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType","DES3");
++        } catch (EBaseException e) {
++        }
++
++        params.setMasterKeyType(keyType);
++
++        CMS.debug(method + " masterKeyType: " + keyType);
++
++
+         return params;
+     }
+ 
+diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
+index 0eea3e9..45716d2 100644
+--- a/base/tks/shared/conf/CS.cfg
++++ b/base/tks/shared/conf/CS.cfg
+@@ -340,11 +340,35 @@ tks.defKeySet._001=## Axalto default key set:
+ tks.defKeySet._002=##
+ tks.defKeySet._003=## tks.defKeySet.mk_mappings.#02#01=<tokenname>:<nickname>
+ tks.defKeySet._004=##
++tks.defKeySet._005=## tks.prot3   , protocol 3 specific settings
++tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one.
++tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset
++tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys.
++tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key.
++tks.defKeySet._010=##
++tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings
++tks.defKeySet._013=## Smart Cafe 6 settings:
++tks.defKeySet._014=##    tks.defKeySet.prot3.divers=emv
++tks.defKeySet._015=##    tks.defKeySet.prot3.diversVer1Keys=emv
++tks.defKeySet._016=##    tks.defKeySet.prot3.devKeyType=DES3
++tks.defKeySet._017=##    tks.defKeySet.prot3.masterKeyType=DES3
++tks.defKeySet._018=##Smart Cafe 7 settings:
++tks.defKeySet._019=##    tks.defKeySet.prot3.divers=none
++tks.defKeySet._020=##    tks.defKeySet.prot3.diversVer1Keys=none
++tks.defKeySet._021=##    tks.defKeySet.prot3.devKeyType=AES
++tks.defKeySet._022=##    tks.defKeySet.prot3.masterKeyType=AES
++tks.defKeySet._023=##
++tks.defKeySet._024=##
+ tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
+ tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
+ tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
+ tks.defKeySet.nistSP800-108KdfOnKeyVersion=00
+ tks.defKeySet.nistSP800-108KdfUseCuidAsKdd=false
++tks.defKeySet.prot3.divers=emv
++tks.defKeySet.prot3.diversVer1Keys=emv
++tks.defKeySet.prot3.devKeyType=DES3
++tks.defKeySet.prot3.masterKeyType=DES3
++
+ tks.jForte._000=##
+ tks.jForte._001=## SAFLink's jForte default key set:
+ tks.jForte._002=##
+diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
+index 8d667f5..2d9057a 100644
+--- a/base/tps/shared/conf/CS.cfg
++++ b/base/tps/shared/conf/CS.cfg
+@@ -10,7 +10,7 @@ applet._001=# applet information
+ applet._002=# SAF Key:
+ applet._003=# applet.aid.cardmgr_instance=A0000001510000
+ applet._004=# Stock RSA,KeyRecover applet : 1.4.58768072.ijc 
+-applet._005=# Beta RSA/KeyRecovery/GP211/SCP02 applet : 1.5.558cdcff.ijc
++applet._005=# RSA/KeyRecovery/GP211/SCP02, SCP03 applet : 1.5.558cdcff.ijc
+ applet._006=# Use GP211 applet only with SCP02 card
+ applet._007=#########################################
+ applet.aid.cardmgr_instance=A0000000030000
+-- 
+1.8.3.1
+
+
+From 7672b543f8c62da34f0bb11be17d5e6d336cb2da Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Tue, 11 Apr 2017 23:04:34 -0400
+Subject: [PATCH 53/59] Fix python issues identified in review
+
+subprocess returns bytes in Python 3.  Make sure to
+decode first when returning env variables.
+
+Change-Id: I225044c0463f0a84ac5ffb77b28391fac269598d
+---
+ base/common/python/pki/util.py | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
+index 0de13fd..5832f55 100644
+--- a/base/common/python/pki/util.py
++++ b/base/common/python/pki/util.py
+@@ -258,10 +258,9 @@ def read_environment_files(env_file_list=None):
+     if env_file_list is None:
+         env_file_list = DEFAULT_PKI_ENV_LIST
+ 
+-    file_command = ''
+-    for env_file in env_file_list:
+-        file_command += "source " + env_file + " && "
+-    file_command += "env"
++    file_command = ' && '.join(
++        'source {}'.format(env_file) for env_file in env_file_list)
++    file_command += ' && env'
+ 
+     command = [
+         'bash',
+@@ -269,7 +268,7 @@ def read_environment_files(env_file_list=None):
+         file_command
+     ]
+ 
+-    env_vals = subprocess.check_output(command).split('\n')
++    env_vals = subprocess.check_output(command).decode('utf-8').split('\n')
+ 
+     for env_val in env_vals:
+         (key, _, value) = env_val.partition("=")
+-- 
+1.8.3.1
+
+
+From af1ad849c62fb76915142796ead7677abd5896f3 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 11 Apr 2017 09:28:15 +0200
+Subject: [PATCH 54/59] Add Travis CI to compose core RPM packages
+
+The command "./scripts/compose_pki_core_packages rpms" is tested on
+Fedora 25, 26 and rawhide. On 25 and 26, the COPR @pki/10.4 is enabled
+to provide additional build dependencies.
+
+Travis Ci is configured to use pre-populated Docker images from
+https://github.com/dogtagpki/pki-ci-containers . The images contain
+build dependencies.
+
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ .travis.test | 31 +++++++++++++++++++++++++++++++
+ .travis.yml  | 20 ++++++++++++++++++++
+ 2 files changed, 51 insertions(+)
+ create mode 100755 .travis.test
+ create mode 100644 .travis.yml
+
+diff --git a/.travis.test b/.travis.test
+new file mode 100755
+index 0000000..ca81022
+--- /dev/null
++++ b/.travis.test
+@@ -0,0 +1,31 @@
++#!/bin/bash
++set -ex
++
++WORKDIR="${BUILDDIR:-/tmp/builddir}"
++BUILDUSER=builduser
++BUILDUSER_UID=${UID:-1000}
++BUILDUSER_GID=${GID:-1000}
++
++. /etc/os-release
++
++echo "$NAME $VERSION $1"
++
++## compose_pki_core_packages doesn't run as root, create a build user
++groupadd --non-unique -g $BUILDUSER_GID ${BUILDUSER}
++useradd --non-unique -u $BUILDUSER_UID -g $BUILDUSER_GID ${BUILDUSER}
++
++## chown workdir and enter pki dir
++chown ${BUILDUSER}:${BUILDUSER} ${WORKDIR}
++cd ${WORKDIR}/pki
++
++## prepare additional build dependencies
++dnf copr -y enable @pki/10.4
++dnf builddep -y ./specs/pki-core.spec
++
++# update, container might be outdated
++dnf update -y
++
++## run tox and build
++# run make with --quiet to reduce log verbosity. Travis CI has a log limit
++# of 10,000 lines.
++sudo -u ${BUILDUSER} MAKEFLAGS="-j2 --quiet" -s -- ./scripts/compose_pki_core_packages rpms
+diff --git a/.travis.yml b/.travis.yml
+new file mode 100644
+index 0000000..2e1a69f
+--- /dev/null
++++ b/.travis.yml
+@@ -0,0 +1,20 @@
++sudo: required
++language: python
++
++services:
++  - docker
++
++env:
++  - CONTAINER=dogtagpki/pki-ci-containers:f25_104
++  - CONTAINER=dogtagpki/pki-ci-containers:f26_104
++  - CONTAINER=dogtagpki/pki-ci-containers:rawhide
++
++script:
++  - docker pull $CONTAINER
++  - >
++    docker run
++    -v $(pwd):/tmp/workdir/pki
++    -e UID=$(id -u)
++    -e GID=$(id -g)
++    $CONTAINER
++    /tmp/workdir/pki/.travis.test $CONTAINER
+-- 
+1.8.3.1
+
+
+From c381566ddf1f4f05330063bb012d59e5c1753b13 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 13 Apr 2017 08:13:26 +0200
+Subject: [PATCH 55/59] Fixed ClientIP field in SSL session audit log.
+
+The PKIServerSocketListener has been fixed to obtain the correct
+client IP address from SSL socket.
+
+https://pagure.io/dogtagpki/issue/2602
+
+Change-Id: I7d3b2dc14d6f442830ee5911613a0e9fc360cfba
+---
+ .../cms/src/org/dogtagpki/server/PKIServerSocketListener.java | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+index 7016bc8..093776f 100644
+--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
++++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+@@ -18,8 +18,6 @@
+ package org.dogtagpki.server;
+ 
+ import java.net.InetAddress;
+-import java.net.InetSocketAddress;
+-import java.net.SocketAddress;
+ import java.security.Principal;
+ 
+ import org.mozilla.jss.crypto.X509Certificate;
+@@ -45,8 +43,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
+         try {
+             SSLSocket socket = event.getSocket();
+ 
+-            SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
+-            InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
++            InetAddress clientAddress = socket.getInetAddress();
+             InetAddress serverAddress = socket.getLocalAddress();
+             String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+             String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
+@@ -85,8 +82,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
+         try {
+             SSLSocket socket = event.getSocket();
+ 
+-            SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
+-            InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
++            InetAddress clientAddress = socket.getInetAddress();
+             InetAddress serverAddress = socket.getLocalAddress();
+             String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+             String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
+@@ -139,8 +135,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
+         try {
+             SSLSocket socket = event.getSocket();
+ 
+-            SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
+-            InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
++            InetAddress clientAddress = socket.getInetAddress();
+             InetAddress serverAddress = socket.getLocalAddress();
+             String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+             String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
+-- 
+1.8.3.1
+
+
+From 716dca464943a22eb6588187fba9fad85e1c1345 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Thu, 6 Apr 2017 17:09:39 -0400
+Subject: [PATCH 56/59] Fix symkey retrieval in python client
+
+Keys (like symmetric keys and asymmetric keys) are returned
+from the KRA either encrypted or key wrapped.  Because the
+AES keywrapping algorithm cannot be decrypted using AES CBC,
+we need special logic to unwrap the keys.
+
+The flow here is as follows:
+1. When a key retrieval request is sent to the server,
+   the client sends the encryption and key wrapping
+   algorithms it requires the key to be wrapped along
+   with the wrapping key.
+2. If no encryption algorithm or key wrap algorithm is
+   recieved, the server assumes its talking to an old
+   client and uses DES3.
+3. The key is retrieved and (on server's choice) is wrapped
+   or encrypted.  The return package will have either
+   encryption or key wrap algorithm set (depending on how
+   the key was encrypted/wrapped.)
+4. client uses that to determine how to unwrap key.
+
+This patch:
+1. Makes sure the key wrap algorithm requested by client
+   is passed through and used to wrap the retrieved key.
+2. Adds logic in the python client to unwrap/decrypt.
+3. As python-cryptography does not yet support
+   AES KeyWrap with padding, the python client is configured
+   to request AES-CBC by default.
+
+Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1
+---
+ base/common/python/pki/crypto.py                   | 51 +++++++++++++-
+ base/common/python/pki/key.py                      | 56 ++++++++++++---
+ .../src/com/netscape/certsrv/key/KeyClient.java    |  4 ++
+ .../com/netscape/kra/SecurityDataProcessor.java    | 79 ++++++++++++++++++----
+ .../netscape/cms/servlet/key/KeyRequestDAO.java    |  9 +++
+ 5 files changed, 173 insertions(+), 26 deletions(-)
+
+diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
+index b767abd..0891acd 100644
+--- a/base/common/python/pki/crypto.py
++++ b/base/common/python/pki/crypto.py
+@@ -34,10 +34,21 @@ from cryptography.hazmat.backends import default_backend
+ from cryptography.hazmat.primitives.ciphers import (
+     Cipher, algorithms, modes
+ )
++from cryptography.hazmat.primitives import keywrap
+ from cryptography.hazmat.primitives import padding
+ from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
+ import cryptography.x509
+ 
++# encryption algorithms OIDs
++DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}"
++AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}"
++
++# Wrap Algorithm names as defined by JSS.
++WRAP_AES_CBC_PAD = "AES/CBC/PKCS5Padding"
++WRAP_AES_KEY_WRAP = "AES KeyWrap"
++WRAP_AES_KEY_WRAP_PAD = "AES KeyWrap/Padding"
++WRAP_DES3_CBC_PAD = "DES3/CBC/Pad"
++
+ 
+ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
+     """
+@@ -96,7 +107,11 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
+         DES3 key.
+         """
+ 
+-    # abc.abstractmethod
++    @abc.abstractmethod
++    def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv):
++        """ Unwrap data that has been key wrapped using AES KeyWrap """
++
++    @abc.abstractmethod
+     def get_cert(self, cert_nick):
+         """ Get the certificate for the specified cert_nick. """
+ 
+@@ -302,6 +317,18 @@ class NSSCryptoProvider(CryptoProvider):
+         public_key = wrapping_cert.subject_public_key_info.public_key
+         return nss.pub_wrap_sym_key(mechanism, public_key, data)
+ 
++    def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv):
++        """
++        :param mechanism        Key wrapping mechanism
++        :param data:            Data to be unwrapped
++        :param wrapping_key:    Wrapping Key
++        :param nonce_iv         Nonce data
++        :return:                Unwrapped data
++
++        Return unwrapped data for data wrapped using AES KeyWrap
++        """
++        raise NotImplementedError()
++
+     def get_cert(self, cert_nick):
+         """
+         :param cert_nick       Nickname for the certificate to be returned
+@@ -461,6 +488,28 @@ class CryptographyCryptoProvider(CryptoProvider):
+             PKCS1v15()
+         )
+ 
++    def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv):
++        """
++        :param mechanism        key wrapping mechanism
++        :param data:            data to unwrap
++        :param wrapping_key:    AES key used to wrap data
++        :param nonce_iv         Nonce data
++        :return:                unwrapped data
++
++        Unwrap the encrypted data which has been wrapped using a
++        KeyWrap mechanism.
++        """
++        if mechanism == WRAP_AES_CBC_PAD or mechanism == WRAP_DES3_CBC_PAD:
++            return self.symmetric_unwrap(
++                data,
++                wrapping_key,
++                nonce_iv=nonce_iv)
++
++        if mechanism == WRAP_AES_KEY_WRAP:
++            return keywrap.aes_key_unwrap(wrapping_key, data, self.backend)
++
++        raise ValueError("Unsupported key wrap algorithm: " + mechanism)
++
+     def get_cert(self, cert_nick):
+         """
+         :param cert_nick  Nickname for the certificate to be returned.
+diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py
+index 6c5641a..e782d54 100644
+--- a/base/common/python/pki/key.py
++++ b/base/common/python/pki/key.py
+@@ -33,6 +33,7 @@ from six import iteritems
+ from six.moves.urllib.parse import quote  # pylint: disable=F0401,E0611
+ 
+ import pki
++import pki.crypto
+ import pki.encoder as encoder
+ from pki.info import Version
+ import pki.util
+@@ -459,10 +460,6 @@ class KeyClient(object):
+     RSA_ALGORITHM = "RSA"
+     DSA_ALGORITHM = "DSA"
+ 
+-    # default session key wrapping algorithm
+-    DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}"
+-    AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}"
+-
+     def __init__(self, connection, crypto, transport_cert_nick=None,
+                  info_client=None):
+         """ Constructor """
+@@ -481,6 +478,7 @@ class KeyClient(object):
+ 
+         self.info_client = info_client
+         self.encrypt_alg_oid = None
++        self.wrap_name = None
+         self.set_crypto_algorithms()
+ 
+     def set_transport_cert(self, transport_cert_nick):
+@@ -502,9 +500,14 @@ class KeyClient(object):
+ 
+         # set keyset related constants needed in KeyClient
+         if keyset_id == 0:
+-            self.encrypt_alg_oid = self.DES_EDE3_CBC_OID
++            self.encrypt_alg_oid = pki.crypto.DES_EDE3_CBC_OID
++            self.wrap_name = pki.crypto.WRAP_DES3_CBC_PAD
+         else:
+-            self.encrypt_alg_oid = self.AES_128_CBC_OID
++            self.encrypt_alg_oid = pki.crypto.AES_128_CBC_OID
++            # Note:  AES_KEY_WRAP_PAD is not yet supported by
++            # python cryptography.  Therefore we will default
++            # to AES_CBC_PAD instead
++            self.wrap_name = pki.crypto.WRAP_AES_CBC_PAD
+ 
+     def get_client_keyset(self):
+         # get client keyset
+@@ -847,7 +850,7 @@ class KeyClient(object):
+             raise TypeError('Missing wrapped session key')
+ 
+         if not algorithm_oid:
+-            algorithm_oid = KeyClient.AES_128_CBC_OID
++            algorithm_oid = pki.crypto.AES_128_CBC_OID
+             # algorithm_oid = KeyClient.DES_EDE3_CBC_OID
+ 
+         if not nonce_iv:
+@@ -1015,16 +1018,47 @@ class KeyClient(object):
+             request_id=request_id,
+             trans_wrapped_session_key=base64.b64encode(
+                 trans_wrapped_session_key),
+-            payload_encryption_oid=self.encrypt_alg_oid
++            payload_encryption_oid=self.encrypt_alg_oid,
++            payload_wrapping_name=self.wrap_name
+         )
+ 
+         key = self.retrieve_key_data(request)
+         if not key_provided and key.encrypted_data is not None:
+-            key.data = self.crypto.symmetric_unwrap(
++            self.process_returned_key(key, session_key)
++        return key
++
++    @pki.handle_exceptions()
++    def process_returned_key(self, key, session_key):
++        """
++        Decrypt the returned key and place in key.data
++
++        The data will either by encrypted using an encryption algorithm -
++        in which case, the key data will contain an encryption algorithm OID,
++        or it will be key wrapped - in which case, the key data will contain
++        a key wrap mechanism name.
++
++        Only one of these should be present.  If we are talking to an older
++        server, and none is present, we will assume encryption.
++        """
++        if key.wrap_algorithm is not None:
++            if key.encrypt_algorithm_oid is not None:
++                raise ValueError(
++                    "Both encryptOID and wrapping name have been set " +
++                    "in server response"
++                )
++            # do key unwrapping here
++            key.data = self.crypto.key_unwrap(
++                key.wrap_algorithm,
+                 key.encrypted_data,
+                 session_key,
+-                nonce_iv=key.nonce_data)
+-        return key
++                key.nonce_data)
++            return
++
++        # do decryption
++        key.data = self.crypto.symmetric_unwrap(
++            key.encrypted_data,
++            session_key,
++            nonce_iv=key.nonce_data)
+ 
+     @pki.handle_exceptions()
+     def retrieve_key_by_passphrase(self, key_id=None, request_id=None,
+diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java
+index dea44b1..2c99e1c 100644
+--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java
++++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java
+@@ -465,6 +465,7 @@ public class KeyClient extends Client {
+         recoveryRequest.setRequestId(requestId);
+         recoveryRequest.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey));
+         recoveryRequest.setPayloadEncryptionOID(getEncryptAlgorithmOID());
++        recoveryRequest.setPayloadWrappingName(wrapAlgorithm.toString());
+ 
+         Key data = retrieveKeyData(recoveryRequest);
+         processKeyData(data, sessionKey);
+@@ -503,6 +504,7 @@ public class KeyClient extends Client {
+         recoveryRequest.setKeyId(keyId);
+         recoveryRequest.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey));
+         recoveryRequest.setPayloadEncryptionOID(getEncryptAlgorithmOID());
++        recoveryRequest.setPayloadWrappingName(wrapAlgorithm.toString());
+ 
+         return retrieveKeyData(recoveryRequest);
+     }
+@@ -562,6 +564,7 @@ public class KeyClient extends Client {
+         data.setSessionWrappedPassphrase(Utils.base64encode(sessionWrappedPassphrase));
+         data.setNonceData(Utils.base64encode(nonceData));
+         data.setPayloadEncryptionOID(getEncryptAlgorithmOID());
++        data.setPayloadWrappingName(wrapAlgorithm.toString());
+ 
+         return retrieveKeyData(data);
+     }
+@@ -610,6 +613,7 @@ public class KeyClient extends Client {
+         data.setKeyId(keyId);
+         data.setRequestId(requestId);
+         data.setPayloadEncryptionOID(getEncryptAlgorithmOID());
++        data.setPayloadWrappingName(wrapAlgorithm.toString());
+ 
+         if (transWrappedSessionKey != null) {
+             data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey));
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index 05dccb9..4659901 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -402,26 +402,34 @@ public class SecurityDataProcessor {
+         String transportKeyAlgo = transportUnit.getCertificate().getPublicKey().getAlgorithm();
+ 
+         byte[] iv = null;
++        byte[] iv_wrap = null;
+         try {
+-            iv = generate_iv(payloadEncryptOID, transportUnit.getOldWrappingParams());
++            iv = generate_iv(
++                    payloadEncryptOID,
++                    transportUnit.getOldWrappingParams().getPayloadEncryptionAlgorithm());
++            iv_wrap = generate_wrap_iv(
++                    payloadWrapName,
++                    transportUnit.getOldWrappingParams().getPayloadWrapAlgorithm());
+         } catch (Exception e1) {
+              throw new EBaseException("Failed to generate IV when wrapping secret", e1);
+         }
+-        String ivStr = Utils.base64encode(iv);
++        String ivStr = iv != null? Utils.base64encode(iv): null;
++        String ivStr_wrap = iv_wrap != null ? Utils.base64encode(iv_wrap): null;
+ 
+         WrappingParams wrapParams = null;
+         if (payloadEncryptOID == null) {
++            // talking to an old server, use 3DES
+             wrapParams = transportUnit.getOldWrappingParams();
+             wrapParams.setPayloadEncryptionIV(new IVParameterSpec(iv));
+-            wrapParams.setPayloadWrappingIV(new IVParameterSpec(iv));
++            wrapParams.setPayloadWrappingIV(new IVParameterSpec(iv_wrap));
+         } else {
+             try {
+                 wrapParams = new WrappingParams(
+                     payloadEncryptOID,
+                     payloadWrapName,
+                     transportKeyAlgo,
+-                    new IVParameterSpec(iv),
+-                    null);
++                    iv != null? new IVParameterSpec(iv): null,
++                    iv_wrap != null? new IVParameterSpec(iv_wrap): null);
+             } catch (Exception e) {
+                 auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
+                         "Cannot generate wrapping params");
+@@ -597,7 +605,7 @@ public class SecurityDataProcessor {
+             //secret has wrapped using a key wrapping algorithm
+             params.put(IRequest.SECURITY_DATA_PL_WRAPPED, Boolean.toString(true));
+             if (wrapParams.getPayloadWrappingIV() != null) {
+-                params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr);
++                params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr_wrap);
+             }
+         }
+ 
+@@ -614,17 +622,60 @@ public class SecurityDataProcessor {
+         return false; //return true ? TODO
+     }
+ 
+-    private byte[] generate_iv(String oid, WrappingParams old) throws Exception {
++    /***
++     * This method returns an IV for the Encryption Algorithm referenced in OID.
++     * If the oid is null, we return an IV for the default encryption algorithm.
++     * The method checks to see if the encryption algorithm requires an IV by checking
++     * the parameterClasses() for the encryption algorithm.
++     *
++     * @param oid           -- OID of encryption algorithm (as a string)
++     * @param defaultAlg    -- default encryption algorithm
++     * @return              -- initialization vector or null if none needed
++     * @throws Exception if algorithm is not found, or if default and OID are null.
++     *                   (ie. algorithm is unknown)
++     */
++    private byte[] generate_iv(String oid, EncryptionAlgorithm defaultAlg) throws Exception {
+         int numBytes = 0;
+-        if (oid != null) {
+-            numBytes = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)).getIVLength();
+-        } else {
+-            // old client (OID not provided)
+-            numBytes = old.getPayloadEncryptionAlgorithm().getIVLength();
++        EncryptionAlgorithm alg = oid != null? EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)):
++            defaultAlg;
++
++        if (alg == null) {
++            throw new EBaseException("Cannot determine encryption algorithm to generate IV");
++        };
++
++        if (alg.getParameterClasses() == null)
++            return null;
++
++        numBytes = alg.getIVLength();
++        return (new SecureRandom()).generateSeed(numBytes);
++    }
++
++    /***
++     * This method returns an IV for the KeyWrap algorithm referenced in wrapName.
++     * If the wrapName is null, we return an IV for the default wrap algorithm.
++     * The method checks to see if the key wrap algorithm requires an IV by checking
++     * the parameterClasses() for the key wrap algorithm.
++     *
++     * @param wrapName      -- name of the key wrap algorithm (as defined in JSS)
++     * @param defaultAlg    -- default wrapping parameters
++     * @return              -- initialization vector or null if none needed
++     * @throws Exception if algorithm is not found, or if default and OID are null.
++     *                   (ie. algorithm is unknown)
++     */
++    private byte[] generate_wrap_iv(String wrapName, KeyWrapAlgorithm defaultAlg) throws Exception {
++        int numBytes = 0;
++        KeyWrapAlgorithm alg = wrapName != null ? KeyWrapAlgorithm.fromString(wrapName) :
++            defaultAlg;
++
++        if (alg == null) {
++            throw new EBaseException("Cannot determine keywrap algorithm to generate IV");
+         }
+ 
+-        SecureRandom rnd = new SecureRandom();
+-        return rnd.generateSeed(numBytes);
++        if (alg.getParameterClasses() == null)
++            return null;
++
++        numBytes = alg.getBlockSize();
++        return (new SecureRandom()).generateSeed(numBytes);
+     }
+ 
+     public SymmetricKey recoverSymKey(KeyRecord keyRecord)
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
+index b2008f2..5ffb36b 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
+@@ -283,6 +283,10 @@ public class KeyRequestDAO extends CMSRequestDAO {
+         if (encryptOID != null)
+             request.setExtData(IRequest.SECURITY_DATA_PL_ENCRYPTION_OID, encryptOID);
+ 
++        String wrapName = data.getPayloadWrappingName();
++        if (wrapName != null)
++            request.setExtData(IRequest.SECURITY_DATA_PL_WRAPPING_NAME, wrapName);
++
+         return request;
+     }
+ 
+@@ -294,6 +298,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
+         String wrappedPassPhraseStr = data.getSessionWrappedPassphrase();
+         String nonceDataStr = data.getNonceData();
+         String encryptOID = data.getPaylodEncryptionOID();
++        String wrapName = data.getPayloadWrappingName();
+ 
+         if (wrappedPassPhraseStr != null) {
+             requestParams.put(IRequest.SECURITY_DATA_SESS_PASS_PHRASE, wrappedPassPhraseStr);
+@@ -310,6 +315,10 @@ public class KeyRequestDAO extends CMSRequestDAO {
+         if (encryptOID != null) {
+             requestParams.put(IRequest.SECURITY_DATA_PL_ENCRYPTION_OID, encryptOID);
+         }
++
++        if (wrapName != null) {
++            requestParams.put(IRequest.SECURITY_DATA_PL_WRAPPING_NAME, wrapName);
++        }
+     }
+ 
+     public Hashtable<String, Object> getTransientData(IRequest request) throws EBaseException {
+-- 
+1.8.3.1
+
+
+From 2d7ab34b812eb1cf28c7c53fb43bf595f94a806f Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Thu, 13 Apr 2017 14:54:38 -0400
+Subject: [PATCH 57/59] Add field to indicate if key was encrypted or wrapped
+
+Whether a secret was encrypted or wrapped in the storage unit
+depends on a parameter in CS.cfg.  If that parameter is changed,
+the Storage unit may use the wrong mechanism to try to decrypt
+the stored key.  Thats ok for encrypt/wrap using DES or AES-CBC,
+but not for AES KeyWrap.
+
+In this patch, we add a field in the Key record to specify whether
+the secret was encrypted with stored (or keywrapped if false).
+
+A subsequent patch will change the logic when decrypting to use
+this field.
+
+Change-Id: If535156179bd1259cfaaf5e56fd4d36ffdb0eb0e
+---
+ base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java    | 2 +-
+ base/kra/src/com/netscape/kra/AsymKeyGenService.java              | 8 ++++++--
+ base/kra/src/com/netscape/kra/EnrollmentService.java              | 2 +-
+ base/kra/src/com/netscape/kra/NetkeyKeygenService.java            | 3 ++-
+ base/kra/src/com/netscape/kra/SecurityDataProcessor.java          | 5 ++++-
+ base/kra/src/com/netscape/kra/SymKeyGenService.java               | 3 ++-
+ .../cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java     | 1 +
+ base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java   | 3 ++-
+ 8 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
+index aa4eb30..c947d3c 100644
+--- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
++++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
+@@ -170,7 +170,7 @@ public interface IKeyRecord {
+      */
+     public String getRealm() throws EBaseException;
+ 
+-    public void setWrappingParams(WrappingParams params) throws Exception;
++    public void setWrappingParams(WrappingParams params, boolean encrypted) throws Exception;
+ 
+     public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception;
+ }
+diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+index bd2be70..9528972 100644
+--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+@@ -30,6 +30,7 @@ import org.mozilla.jss.crypto.TokenException;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+ import com.netscape.certsrv.key.AsymKeyGenerationRequest;
+@@ -72,7 +73,7 @@ public class AsymKeyGenService implements IService {
+ 
+     @Override
+     public boolean serviceRequest(IRequest request) throws EBaseException {
+-
++        IConfigStore cs = CMS.getConfigStore();
+         String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID);
+         String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM);
+ 
+@@ -81,6 +82,8 @@ public class AsymKeyGenService implements IService {
+ 
+         String realm = request.getRealm();
+ 
++        boolean allowEncDecrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
++
+         KeyPairGeneratorSpi.Usage[] usageList = null;
+         String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES);
+         if (usageStr != null) {
+@@ -164,6 +167,7 @@ public class AsymKeyGenService implements IService {
+         WrappingParams params = null;
+ 
+         try {
++            // TODO(alee) What happens if key wrap algorithm is not supported?
+             params = storageUnit.getWrappingParams();
+             privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate(), params);
+         } catch (Exception e) {
+@@ -201,7 +205,7 @@ public class AsymKeyGenService implements IService {
+         }
+ 
+         try {
+-            record.setWrappingParams(params);
++            record.setWrappingParams(params, false);
+         } catch (Exception e) {
+             auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+                     clientKeyId, null, "Failed to store wrapping params");
+diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
+index 7c179d4..381fee8 100644
+--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
+@@ -502,7 +502,7 @@ public class EnrollmentService implements IService {
+             }
+ 
+             try {
+-                rec.setWrappingParams(params);
++                rec.setWrappingParams(params, allowEncDecrypt_archival);
+             } catch (Exception e) {
+                 mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters");
+                 // TODO(alee) Set correct audit message here
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index 4926873..e09eb42 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -584,6 +584,7 @@ public class NetkeyKeygenService implements IService {
+                     WrappingParams params = null;
+ 
+                     try {
++                        // TODO(alee)  What happens if key wrap algorithm is not supported?
+                         params = mStorageUnit.getWrappingParams();
+                         privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
+                     } catch (Exception e) {
+@@ -656,7 +657,7 @@ public class NetkeyKeygenService implements IService {
+                         return false;
+                     }
+ 
+-                    rec.setWrappingParams(params);
++                    rec.setWrappingParams(params, false);
+ 
+                     CMS.debug("NetkeyKeygenService: before addKeyRecord");
+                     rec.set(KeyRecord.ATTR_ID, serialNo);
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index 4659901..4261833 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -214,6 +214,7 @@ public class SecurityDataProcessor {
+ 
+         byte[] publicKey = null;
+         byte privateSecurityData[] = null;
++        boolean doEncrypt = false;
+ 
+         try {
+             params = storageUnit.getWrappingParams();
+@@ -222,9 +223,11 @@ public class SecurityDataProcessor {
+             } else if (unwrapped != null && allowEncDecrypt_archival == true) {
+                 privateSecurityData = storageUnit.encryptInternalPrivate(unwrapped, params);
+                 Arrays.fill(unwrapped, (byte)0);
++                doEncrypt = true;
+                 CMS.debug("allowEncDecrypt_archival of symmetric key.");
+             } else if (securityData != null) {
+                 privateSecurityData = storageUnit.encryptInternalPrivate(securityData, params);
++                doEncrypt = true;
+             } else { // We have no data.
+                 auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
+                         clientKeyId, null, "Failed to create security data to archive");
+@@ -282,7 +285,7 @@ public class SecurityDataProcessor {
+         }
+ 
+         try {
+-            rec.setWrappingParams(params);
++            rec.setWrappingParams(params, doEncrypt);
+         } catch (Exception e) {
+             kra.log(ILogger.LL_FAILURE,
+                     "Failed to store wrapping parameters: " + e);
+diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+index 0dfd3a2..c1830ec 100644
+--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+@@ -170,6 +170,7 @@ public class SymKeyGenService implements IService {
+         }
+ 
+         try {
++            // TODO(alee) what happens if key wrap algorithm is not supported?
+             params = mStorageUnit.getWrappingParams();
+             privateSecurityData = mStorageUnit.wrap(sk, params);
+         } catch (Exception e) {
+@@ -215,7 +216,7 @@ public class SymKeyGenService implements IService {
+         }
+ 
+         try {
+-            rec.setWrappingParams(params);
++            rec.setWrappingParams(params, false);
+         } catch (Exception e) {
+             mKRA.log(ILogger.LL_FAILURE,
+                     "Failed to store wrapping parameters: " + e);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java
+index b1e6cd6..f4e54c4 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java
+@@ -60,6 +60,7 @@ public class KeyRecordParser {
+     public final static String OUT_PL_ENCRYPTION_IV = "payloadEncryptionIV";
+     public final static String OUT_PL_ENCRYPTION_IV_LEN = "payloadEncryptionIVLen";
+     public final static String OUT_PL_ENCRYPTION_OID = "payloadEncryptionOID";
++    public static final String OUT_PL_ENCRYPTED = "payloadEncrypted";
+ 
+     /**
+      * Fills key record into argument block.
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
+index 97f4942..b082165 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
+@@ -407,7 +407,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
+         return realm;
+     }
+ 
+-    public void setWrappingParams(WrappingParams params) throws Exception {
++    public void setWrappingParams(WrappingParams params, boolean doEncrypt) throws Exception {
+         if (mMetaInfo == null) {
+             mMetaInfo = new MetaInfo();
+         }
+@@ -456,6 +456,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
+             );
+         }
+ 
++        mMetaInfo.set(KeyRecordParser.OUT_PL_ENCRYPTED, Boolean.toString(doEncrypt));
+     }
+ 
+     public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception {
+-- 
+1.8.3.1
+
+
+From b04739d364e7e220da29ce8d47654377999ad881 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Thu, 13 Apr 2017 16:53:58 -0700
+Subject: [PATCH 58/59] Ticket #2614 CMC: id-cmc-popLinkWitnessV2 feature
+ implementation This patch provides the feature for CMC on handling
+ id-cmc-popLinkWitnessV2
+
+---
+ .../src/com/netscape/cmstools/CMCRequest.java      | 458 +++++++++++++++++++--
+ .../src/com/netscape/cmstools/CRMFPopClient.java   |  10 +-
+ .../src/com/netscape/cmstools/PKCS10Client.java    |  22 +-
+ .../netscape/cms/profile/common/EnrollProfile.java | 421 ++++++++++++++-----
+ .../cms/servlet/common/CMCOutputTemplate.java      |  12 +
+ base/server/cmsbundle/src/UserMessages.properties  |   2 +
+ 6 files changed, 770 insertions(+), 155 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+index a2aca8a..ac523ad 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+@@ -34,6 +34,7 @@ import java.security.NoSuchAlgorithmException;
+ import java.text.SimpleDateFormat;
+ import java.util.Arrays;
+ import java.util.Date;
++import java.util.Random;
+ import java.util.StringTokenizer;
+ 
+ import org.mozilla.jss.CryptoManager;
+@@ -53,10 +54,12 @@ import org.mozilla.jss.crypto.CryptoToken;
+ import org.mozilla.jss.crypto.DigestAlgorithm;
+ import org.mozilla.jss.crypto.ObjectNotFoundException;
+ import org.mozilla.jss.crypto.PrivateKey;
++import org.mozilla.jss.crypto.Signature;
+ import org.mozilla.jss.crypto.SignatureAlgorithm;
+ import org.mozilla.jss.crypto.SymmetricKey;
+ import org.mozilla.jss.crypto.X509Certificate;
+ import org.mozilla.jss.pkcs10.CertificationRequest;
++import org.mozilla.jss.pkcs10.CertificationRequestInfo;
+ import org.mozilla.jss.pkix.cmc.CMCCertId;
+ import org.mozilla.jss.pkix.cmc.CMCStatusInfo;
+ import org.mozilla.jss.pkix.cmc.DecryptedPOP;
+@@ -68,6 +71,7 @@ import org.mozilla.jss.pkix.cmc.OtherInfo;
+ import org.mozilla.jss.pkix.cmc.OtherMsg;
+ import org.mozilla.jss.pkix.cmc.PKIData;
+ import org.mozilla.jss.pkix.cmc.PendInfo;
++import org.mozilla.jss.pkix.cmc.PopLinkWitnessV2;
+ import org.mozilla.jss.pkix.cmc.ResponseBody;
+ import org.mozilla.jss.pkix.cmc.TaggedAttribute;
+ import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
+@@ -85,7 +89,11 @@ import org.mozilla.jss.pkix.cms.SignerInfo;
+ import org.mozilla.jss.pkix.crmf.CertReqMsg;
+ import org.mozilla.jss.pkix.crmf.CertRequest;
+ import org.mozilla.jss.pkix.crmf.CertTemplate;
++import org.mozilla.jss.pkix.crmf.POPOSigningKey;
++import org.mozilla.jss.pkix.crmf.ProofOfPossession;
++import org.mozilla.jss.pkix.primitive.AVA;
+ import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
++import org.mozilla.jss.pkix.primitive.Attribute;
+ import org.mozilla.jss.pkix.primitive.Name;
+ import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+ import org.mozilla.jss.util.Password;
+@@ -148,6 +156,43 @@ public class CMCRequest {
+     }
+ 
+     /**
++     * getSigningAlgFromPrivate
++     *
++     */
++    static SignatureAlgorithm getSigningAlgFromPrivate (java.security.PrivateKey privKey) {
++        String method = "getSigningAlgFromPrivate: ";
++        System.out.println(method + "begins.");
++
++        if (privKey == null) {
++            System.out.println(method + "method param privKey cannot be null");
++            System.exit(1);
++        }
++
++        SignatureAlgorithm signAlg = null;
++        /*
++            org.mozilla.jss.crypto.PrivateKey.Type signingKeyType =
++                    ((org.mozilla.jss.crypto.PrivateKey) privKey)
++                    .getType();
++        */
++        // TODO: allow more options later
++        String signingKeyType = privKey.getAlgorithm();
++        System.out.println(method + "found signingKeyType=" + signingKeyType);
++        if (signingKeyType.equalsIgnoreCase("RSA")) {
++            signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest;
++        } else if (signingKeyType.equalsIgnoreCase("EC")) {
++            signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest;
++        } else {
++            System.out.println(method + "Algorithm not supported:" +
++                    signingKeyType);
++            return null;
++        }
++        System.out.println(method + "using SignatureAlgorithm: " +
++                signAlg.toString());
++
++        return signAlg;
++    }
++
++    /**
+      * signData signs the request PKIData
+      *
+      * @param signerCert the certificate of the authorized signer of the CMC revocation request.
+@@ -190,17 +235,9 @@ public class CMCRequest {
+ 
+             EncapsulatedContentInfo ci = new EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata);
+             DigestAlgorithm digestAlg = null;
+-            SignatureAlgorithm signAlg = null;
+-            org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey)
+-                    .getType();
+-            if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.RSA)) {
+-                signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest;
+-            } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.EC)) {
+-                signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest;
+-            } else {
+-                System.out.println("Algorithm not supported");
++            SignatureAlgorithm signAlg = getSigningAlgFromPrivate(privKey);
++            if (signAlg == null)
+                 return null;
+-            }
+ 
+             MessageDigest SHADigest = null;
+ 
+@@ -292,9 +329,13 @@ public class CMCRequest {
+             String transactionMgtId,
+             String identificationEnable, String identification,
+             String identityProofEnable, String identityProofSharedSecret,
+-            String identityProofV2Enable, String witnessSharedSecret,
++            String witnessSharedSecret,
++            String identityProofV2Enable,
+             String identityProofV2hashAlg, String identityProofV2macAlg,
+-            SEQUENCE controlSeq, SEQUENCE otherMsgSeq, int bpid) {
++            String popLinkWitnessV2Enable,
++            String popLinkWitnessV2keyGenAlg, String popLinkWitnessV2macAlg,
++            SEQUENCE controlSeq, SEQUENCE otherMsgSeq, int bpid,
++            CryptoToken token, PrivateKey privk) {
+ 
+         String method = "createPKIData: ";
+ 
+@@ -305,6 +346,26 @@ public class CMCRequest {
+             TaggedRequest trq = null;
+             PKCS10 pkcs = null;
+             CertReqMsg certReqMsg = null;
++            CertReqMsg new_certReqMsg = null;
++            CertRequest new_certreq = null;
++
++            PopLinkWitnessV2 popLinkWitnessV2Control = null;
++            if (popLinkWitnessV2Enable.equals("true")) {
++                popLinkWitnessV2Control =
++                        createPopLinkWitnessV2Attr(
++                                bpid,
++                                controlSeq,
++                                witnessSharedSecret,
++                                popLinkWitnessV2keyGenAlg,
++                                popLinkWitnessV2macAlg,
++                                (identificationEnable.equals("true")) ?
++                                        identification : null);
++                if (popLinkWitnessV2Control == null) {
++                    System.out.println(method +
++                            "createPopLinkWitnessV2Attr returned null...exit");
++                    System.exit(1);
++                }
++            }
+ 
+             // create CMC req
+             SEQUENCE reqSequence = new SEQUENCE();
+@@ -325,9 +386,63 @@ public class CMCRequest {
+                             System.exit(1);
+                         }
+                         certReqMsg = (CertReqMsg) crmfMsgs.elementAt(0);
+-                        trq = new TaggedRequest(TaggedRequest.CRMF, null,
+-                                certReqMsg);
++
++                        if (popLinkWitnessV2Enable.equals("true")) {
++                            System.out.println(method +
++                                    "popLinkWitnessV2 enabled. reconstructing crmf");
++                            //crmf reconstruction to include PopLinkWitnessV2 control
++                            CertRequest certReq = certReqMsg.getCertReq();
++                            INTEGER certReqId = certReq.getCertReqId();
++                            CertTemplate certTemplate = certReq.getCertTemplate();
++                            SEQUENCE controls = certReq.getControls();
++                            controls.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2,
++                                    popLinkWitnessV2Control));
++                            new_certreq = new CertRequest(certReqId, certTemplate, controls);
++
++                            // recalculate signing POP, if it had one
++                            ProofOfPossession new_pop = null;
++                            if (certReqMsg.hasPop()) {
++                                if (privk == null) {
++                                    System.out.println(method +
++                                            "privateKey not found; can't regenerate new POP");
++                                    System.exit(1);
++                                }
++                                if (token == null) {
++                                    System.out.println(method +
++                                            "token not found; can't regenerate new POP");
++                                    System.exit(1);
++                                }
++                                new_pop = createNewPOP(
++                                        certReqMsg,
++                                        new_certreq,
++                                        token,
++                                        privk);
++                            } else { // !hasPop
++                                System.out.println(method +
++                                        "old certReqMsg has no pop, so will the new certReqMsg");
++                            }
++
++                            new_certReqMsg = new CertReqMsg(new_certreq, new_pop, null);
++                            SEQUENCE seq = new SEQUENCE();
++                            seq.addElement(new_certReqMsg);
++
++                            byte[] encodedNewCrmfMessage = ASN1Util.encode(seq);
++                            String b64String = Utils.base64encode(encodedNewCrmfMessage);
++                            System.out.println(method + "new CRMF b64encode completes.");
++                            System.out.println(CryptoUtil.CERTREQ_BEGIN_HEADING);
++                            System.out.println(b64String);
++                            System.out.println(CryptoUtil.CERTREQ_END_HEADING);
++                            System.out.println("");
++
++                            trq = new TaggedRequest(TaggedRequest.CRMF, null,
++                                    new_certReqMsg);
++
++                        } else { // !popLinkWitnessV2Enable
++                            trq = new TaggedRequest(TaggedRequest.CRMF, null,
++                                    certReqMsg);
++                        }
+                     } else if (format.equals("pkcs10")) {
++                        System.out.println(method + " format: pkcs10");
+                         try {
+                             pkcs = new PKCS10(decodedBytes, true);
+                         } catch (Exception e2) {
+@@ -338,9 +453,82 @@ public class CMCRequest {
+                                 pkcs.toByteArray());
+                         CertificationRequest cr = (CertificationRequest) CertificationRequest.getTemplate()
+                                 .decode(crInputStream);
+-                        TaggedCertificationRequest tcr = new TaggedCertificationRequest(
+-                                new INTEGER(bpid++), cr);
+-                        trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null);
++                        if (popLinkWitnessV2Enable.equals("true")) {
++                            System.out.println(method +
++                                    "popLinkWitnessV2 enabled. reconstructing pkcs#10");
++                            //pkcs#10 reconstruction to include PopLinkWitnessV2 control
++
++                            CertificationRequestInfo certReqInfo = cr.getInfo();
++
++                            INTEGER version = certReqInfo.getVersion();
++                            Name subject = certReqInfo.getSubject();
++                            SubjectPublicKeyInfo spkInfo = certReqInfo.getSubjectPublicKeyInfo();
++                            /*
++                            AlgorithmIdentifier alg = spkInfo.getAlgorithmIdentifier();
++                            SignatureAlgorithm signAlg = SignatureAlgorithm.fromOID(alg.getOID());
++                            if (signAlg == SignatureAlgorithm.RSASignatureWithSHA256Digest) {
++                                System.out.println(method +
++                                        "signAlg == SignatureAlgorithm.RSASignatureWithSHA256Digest");
++                            } else {
++                                System.out.println(method +
++                                        "signAlg == " + signAlg.toString());
++                            }
++                            */
++
++                            Attribute attr = new Attribute(
++                                    OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2,
++                                    popLinkWitnessV2Control);
++                            SET attrs = certReqInfo.getAttributes();
++                            if (attrs == null) {
++                                attrs = new SET();
++                            }
++                            attrs.addElement(attr);
++                            System.out.println(method +
++                                    " new pkcs#10 Attribute created for id_cmc_popLinkWitnessV2.");
++
++                            SignatureAlgorithm signAlg = getSigningAlgFromPrivate(privk);
++                            if (signAlg == null) {
++                                System.out.println(method +
++                                        "signAlg not found");
++                                System.exit(1);
++                            }
++                            CertificationRequestInfo new_certReqInfo = new CertificationRequestInfo(
++                                    version,
++                                    subject,
++                                    spkInfo,
++                                    attrs);
++                            System.out.println(method +
++                                    " new pkcs#10 CertificationRequestInfo created.");
++
++                            CertificationRequest new_certRequest = new CertificationRequest(
++                                    new_certReqInfo,
++                                    privk,
++                                    signAlg);
++                            System.out.println(method +
++                                    "new pkcs#10 CertificationRequest created.");
++
++                            ByteArrayOutputStream bos = new ByteArrayOutputStream();
++                            new_certRequest.encode(bos);
++                            byte[] bb = bos.toByteArray();
++
++                            System.out.println(method + "calling Utils.b64encode.");
++                            String b64String = Utils.base64encode(bb);
++                            System.out.println(method + "new PKCS#10 b64encode completes.");
++                            System.out.println(CryptoUtil.CERTREQ_BEGIN_HEADING);
++                            System.out.println(b64String);
++                            System.out.println(CryptoUtil.CERTREQ_END_HEADING);
++                            System.out.println("");
++
++                            TaggedCertificationRequest tcr = new TaggedCertificationRequest(
++                                    new INTEGER(bpid++), new_certRequest);
++                            trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null);
++
++                        } else { // !popLinkWitnessV2Enable
++
++                            TaggedCertificationRequest tcr = new TaggedCertificationRequest(
++                                    new INTEGER(bpid++), cr);
++                            trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null);
++                        }
+                     } else {
+                         System.out.println(method + " Unrecognized request format: " + format);
+                         System.exit(1);
+@@ -348,7 +536,7 @@ public class CMCRequest {
+                     reqSequence.addElement(trq);
+                 }
+             } catch (Exception e) {
+-                System.out.println(method + " Exception:" + e.toString());
++                System.out.println(method + " Exception:" + e);
+                 System.exit(1);
+             }
+ 
+@@ -380,6 +568,63 @@ public class CMCRequest {
+         return pkidata;
+     }
+ 
++    /**
++     * createNewPOP
++     * called in case of PopLinkwitnessV2 when pop exists, thus
++     * requiring recalculation due to changes in CertRequest controls
++     *
++     * @param old_certReqMsg,
++     * @param new_certReqMsg,
++     * @param token,
++     * @param privKey
++     *
++     * @author cfu
++     */
++    static ProofOfPossession createNewPOP(
++            CertReqMsg old_certReqMsg,
++            CertRequest new_certReq,
++            CryptoToken token,
++            PrivateKey privKey) {
++        String method = "createNewPOP: ";
++
++        System.out.println(method + "begins");
++        if (old_certReqMsg == null ||
++                new_certReq == null ||
++                token == null ||
++                privKey == null) {
++            System.out.println(method + "method params cannot be null.");
++            System.exit(1);
++        }
++        ProofOfPossession old_pop = old_certReqMsg.getPop();
++        if (old_pop == null) {
++            System.out.println(method + "no pop in old_certReqMsg.");
++            System.exit(1);
++        }
++
++        POPOSigningKey PopOfsignKey = old_pop.getSignature();
++        AlgorithmIdentifier algId = PopOfsignKey.getAlgorithmIdentifier();
++
++        byte[] signature = null;
++        try {
++            SignatureAlgorithm signAlg = SignatureAlgorithm.fromOID(algId.getOID());
++            Signature signer = token.getSignatureContext(signAlg);
++            signer.initSign(privKey);
++            ByteArrayOutputStream bo = new ByteArrayOutputStream();
++            new_certReq.encode(bo);
++            signer.update(bo.toByteArray());
++            signature = signer.sign();
++        } catch (Exception e) {
++            System.out.println(method + e);
++            System.exit(1);
++        }
++
++        System.out.println(method + "about to create POPOSigningKey");
++        POPOSigningKey newPopOfSigningKey = new POPOSigningKey(null, algId, new BIT_STRING(signature, 0));
++
++        System.out.println(method + "creating and returning newPopOfSigningKey");
++        return ProofOfPossession.createSignature(newPopOfSigningKey);
++    }
++
+     static void printUsage() {
+         System.out.println("");
+         System.out.println("Usage: CMCRequest <configuration file>");
+@@ -516,13 +761,29 @@ public class CMCRequest {
+         System.out.println("identityProofV2.hashAlg=SHA-256");
+         System.out.println("identityProofV2.macAlg=SHA-256-HMAC");
+         System.out.println("");
++        System.out.println("#witness.sharedSecret works with identityProofV2 and popLinkWitnessV2");
+         System.out.println("#witness.sharedSecret: Shared Secret");
+         System.out.println("witness.sharedSecret=testing");
+         System.out.println("");
+-        System.out.println("#identification works with identityProofV2");
++        System.out.println("#identification works with identityProofV2 and popLinkWitnessV2");
+         System.out.println("identification.enable=false");
+         System.out.println("identification=testuser");
+         System.out.println("");
++        System.out.println("#popLinkWitnessV2.enable:  if true, then the underlying request will contain");
++        System.out.println("#this control or attribute. Otherwise, false.");
++        System.out.println("#Supported keyGenAlg are:");
++        System.out.println("# SHA-256, SHA-384, and SHA-512");
++        System.out.println("#Supported macAlg are:");
++        System.out.println("# SHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC");
++        System.out.println("popLinkWitnessV2.enable=false");
++        System.out.println("popLinkWitnessV2.keyGenAlg=SHA-256");
++        System.out.println("popLinkWitnessV2.macAlg=SHA-256-HMAC");
++        System.out.println("");
++        System.out.println("");
++        System.out.println("###############################");
++        System.out.println("Note: The following controls are outdated and replaced by newer");
++        System.out.println("      controls above.  They remain untouched, but also untested.");
++        System.out.println("###############################");
+         System.out.println("#identityProof.enable: if true, then the request will contain");
+         System.out.println("#this control. Otherwise, false.");
+         System.out.println("#Note that this control is updated by identityProofV2 above");
+@@ -879,7 +1140,7 @@ public class CMCRequest {
+             System.out.println("");
+             seq.addElement(getCertControl);
+         } catch (Exception e) {
+-            System.out.println("Error in creating get certificate control. Check the parameters.");
++            System.out.println("Error in creating get certificate control. Check the parameters." + e);
+             System.exit(1);
+         }
+ 
+@@ -1023,6 +1284,118 @@ public class CMCRequest {
+         return bpid;
+     }
+ 
++    /**
++     * createPopLinkWitnessV2Attr generates witness v2
++     *
++     * @param
++     * @return PopLinkWitnessV2
++     *
++     * @author cfu
++     */
++    private static PopLinkWitnessV2 createPopLinkWitnessV2Attr(
++            int bpid, SEQUENCE controlSeq,
++            String sharedSecret,
++            String keyGenAlgString,
++            String macAlgString,
++            String ident) {
++
++        String method = "createPopLinkWitnessV2Attr: ";
++        System.out.println(method + "begins");
++
++        if (sharedSecret == null) {
++            System.out.println(method + "method param sharedSecret cannot be null");
++            System.exit(1);
++        }
++
++        byte[] key = null;
++        byte[] finalDigest = null;
++
++        // (1) generate a random byte-string R of 512 bits
++        Random random = new Random();
++        byte[] random_R = new byte[64];
++        random.nextBytes(random_R);
++
++        // default to SHA256 if not specified
++        if (keyGenAlgString == null) {
++            keyGenAlgString = "SHA-256";
++        }
++        if (macAlgString == null) {
++            macAlgString = "SHA-256-HMAC";
++        }
++        System.out.println(method + "keyGenAlg=" + keyGenAlgString +
++                "; macAlg=" + macAlgString);
++
++        String toBeDigested = sharedSecret;
++        if (ident != null) {
++            toBeDigested = sharedSecret + ident;
++        }
++
++        // (2) compute key from sharedSecret + identity
++        try {
++            MessageDigest hash = MessageDigest.getInstance(keyGenAlgString);
++            key = hash.digest(toBeDigested.getBytes());
++        } catch (NoSuchAlgorithmException ex) {
++            System.out.println(method + "No such algorithm!");
++            return null;
++        }
++
++        MessageDigest mac;
++        // (3) compute MAC over R from (1) using key from (2)
++        try {
++            mac = MessageDigest.getInstance(
++                    CryptoUtil.getHMACtoMessageDigestName(macAlgString));
++            HMACDigest hmacDigest = new HMACDigest(mac, key);
++            hmacDigest.update(random_R);
++            finalDigest = hmacDigest.digest();
++        } catch (NoSuchAlgorithmException ex) {
++            System.out.println(method + "No such algorithm!");
++            return null;
++        }
++
++        // (4) encode R as the value of a POP Link Random control
++        TaggedAttribute idPOPLinkRandom =
++                new TaggedAttribute(new INTEGER(bpid++),
++                OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom,
++                new OCTET_STRING(random_R));
++        controlSeq.addElement(idPOPLinkRandom);
++        System.out.println(method +
++                "Successfully created id_cmc_idPOPLinkRandom control. bpid = "
++                + (bpid - 1));
++
++        AlgorithmIdentifier keyGenAlg;
++        try {
++            keyGenAlg = new AlgorithmIdentifier(
++                    CryptoUtil.getHashAlgorithmOID(keyGenAlgString));
++        } catch (NoSuchAlgorithmException ex) {
++            System.out.println(method + "No such hashing algorithm:" + keyGenAlgString);
++            return null;
++        }
++        AlgorithmIdentifier macAlg;
++        try {
++            macAlg = new AlgorithmIdentifier(
++                    CryptoUtil.getHMACAlgorithmOID(macAlgString));
++        } catch (NoSuchAlgorithmException ex) {
++            System.out.println(method + "No such HMAC algorithm:" + macAlgString);
++            return null;
++        }
++
++        // (5) put MAC value from (3) in PopLinkWitnessV2
++        PopLinkWitnessV2 popLinkWitnessV2 =
++                new PopLinkWitnessV2(keyGenAlg, macAlg,
++                        new OCTET_STRING(finalDigest));
++        /*
++         * for CRMF, needs to go into CRMF controls field of the CertRequest structure.
++         * for PKCS#10, needs to go into the aributes field of CertificationRequestInfo structure
++         *   - return the PopLinkWitnessV2 for such surgical procedure
++         */
++        System.out.println(method + "Successfully created PopLinkWitnessV2 control.");
++
++        System.out.println(method + "returning...");
++        System.out.println("");
++
++        return popLinkWitnessV2;
++    }
++
+     private static int addPopLinkWitnessAttr(int bpid, SEQUENCE controlSeq) {
+         byte[] seed =
+         { 0x10, 0x53, 0x42, 0x24, 0x1a, 0x2a, 0x35, 0x3c,
+@@ -1309,7 +1682,8 @@ public class CMCRequest {
+         String dbdir = null, nickname = null;
+         String tokenName = null;
+         String ifilename = null, ofilename = null, password = null, format = null;
+-        String decryptedPopEnable = "false", encryptedPopResponseFile=null, privKeyId = null, decryptedPopRequestFile= null;
++        String privKeyId = null;
++        String decryptedPopEnable = "false", encryptedPopResponseFile=null, decryptedPopRequestFile= null;
+         String confirmCertEnable = "false", confirmCertIssuer = null, confirmCertSerial = null;
+         String getCertEnable = "false", getCertIssuer = null, getCertSerial = null;
+         String dataReturnEnable = "false", dataReturnData = null;
+@@ -1321,7 +1695,9 @@ public class CMCRequest {
+         String revRequestInvalidityDatePresent = "false";
+         String identificationEnable = "false", identification = null;
+         String identityProofEnable = "false", identityProofSharedSecret = null;
+-        String identityProofV2Enable = "false", witnessSharedSecret = null, identityProofV2hashAlg = "SHA256", identityProofV2macAlg = "SHA256";
++        String identityProofV2Enable = "false", identityProofV2hashAlg = "SHA256", identityProofV2macAlg = "SHA256";
++        String witnessSharedSecret = null; //shared by identityProofV2 and popLinkWitnessV2
++        String popLinkWitnessV2Enable = "false", popLinkWitnessV2keyGenAlg = "SHA256", popLinkWitnessV2macAlg = "SHA256";
+         String popLinkWitnessEnable = "false";
+         String bodyPartIDs = null, lraPopWitnessEnable = "false";
+ 
+@@ -1378,6 +1754,8 @@ public class CMCRequest {
+                         ofilename = val;
+                     } else if (name.equals("input")) {
+                         ifilename = val;
++                    } else if (name.equals("numRequests")) {
++                        numRequests = val;
+                     } else if (name.equals("decryptedPop.enable")) {
+                         decryptedPopEnable = val;
+                     } else if (name.equals("encryptedPopResponseFile")) {
+@@ -1430,14 +1808,21 @@ public class CMCRequest {
+                         identificationEnable = val;
+                     } else if (name.equals("identification")) {
+                         identification = val;
+-                    } else if (name.equals("identityProofV2.enable")) {
+-                        identityProofV2Enable = val;
+                     } else if (name.equals("witness.sharedSecret")) {
+                         witnessSharedSecret = val;
++                    } else if (name.equals("identityProofV2.enable")) {
++                        identityProofV2Enable = val;
+                     } else if (name.equals("identityProofV2.hashAlg")) {
+                         identityProofV2hashAlg = val;
+                     } else if (name.equals("identityProofV2.macAlg")) {
+                         identityProofV2macAlg = val;
++                    } else if (name.equals("popLinkWitnessV2.enable")) {
++                        popLinkWitnessV2Enable = val;
++                    } else if (name.equals("popLinkWitnessV2.keyGenAlg")) {
++                        popLinkWitnessV2keyGenAlg = val;
++                    } else if (name.equals("popLinkWitnessV2.macAlg")) {
++                        popLinkWitnessV2macAlg = val;
++                    /* the following are outdated */
+                     } else if (name.equals("identityProof.enable")) {
+                         identityProofEnable = val;
+                     } else if (name.equals("identityProof.sharedSecret")) {
+@@ -1448,8 +1833,6 @@ public class CMCRequest {
+                         lraPopWitnessEnable = val;
+                     } else if (name.equals("LraPopWitness.bodyPartIDs")) {
+                         bodyPartIDs = val;
+-                    } else if (name.equals("numRequests")) {
+-                        numRequests = val;
+                     }
+                 }
+             }
+@@ -1518,13 +1901,14 @@ public class CMCRequest {
+             //cfu
+             ContentInfo cmcblob = null;
+             PKIData pkidata = null;
+-            if (decryptedPopEnable.equalsIgnoreCase("true")) {
+-                PrivateKey privk = null;
++            PrivateKey privk = null;
++            if (decryptedPopEnable.equalsIgnoreCase("true") ||
++                    popLinkWitnessV2Enable.equalsIgnoreCase("true")) {
+                 if (privKeyId == null) {
+-                    System.out.println("ecryptedPop.enable = true, but privKeyId not specified.");
++                    System.out.println("ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified.");
+                     printUsage();
+                 } else {
+-                    System.out.println("got privKeyId: " + privKeyId);
++                    System.out.println("got request privKeyId: " + privKeyId);
+ 
+                     byte[] keyIDb = CryptoUtil.string2byte(privKeyId);
+ 
+@@ -1538,7 +1922,9 @@ public class CMCRequest {
+                         System.exit(1);
+                     }
+                 }
++            }
+ 
++            if (decryptedPopEnable.equalsIgnoreCase("true")) {
+                 if (encryptedPopResponseFile == null) {
+                     System.out.println("ecryptedPop.enable = true, but encryptedPopResponseFile is not specified.");
+                     printUsage();
+@@ -1688,7 +2074,9 @@ public class CMCRequest {
+                 if (senderNonceEnable.equalsIgnoreCase("true"))
+                     bpid = addSenderNonceAttr(bpid, controlSeq, senderNonce);
+ 
+-                if (popLinkWitnessEnable.equalsIgnoreCase("true"))
++                //popLinkWitnessV2 takes precedence
++                if (!popLinkWitnessV2Enable.equalsIgnoreCase("true") &
++                        popLinkWitnessEnable.equalsIgnoreCase("true"))
+                     bpid = addPopLinkWitnessAttr(bpid, controlSeq);
+ 
+                 SEQUENCE otherMsgSeq = new SEQUENCE();
+@@ -1711,9 +2099,13 @@ public class CMCRequest {
+                         format, transactionMgtEnable, transactionMgtId,
+                         identificationEnable, identification,
+                         identityProofEnable, identityProofSharedSecret,
+-                        identityProofV2Enable, witnessSharedSecret,
++                        witnessSharedSecret,
++                        identityProofV2Enable,
+                         identityProofV2hashAlg, identityProofV2macAlg,
+-                        controlSeq, otherMsgSeq, bpid);
++                        popLinkWitnessV2Enable,
++                        popLinkWitnessV2keyGenAlg, popLinkWitnessV2macAlg,
++                        controlSeq, otherMsgSeq, bpid,
++                        token, privk);
+ 
+                 if (pkidata == null) {
+                     System.out.println("pkidata null after createPKIData(). Exiting with error");
+diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+index c5da9cf..5d9f7f1 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+@@ -599,8 +599,10 @@ public class CRMFPopClient {
+         SEQUENCE seq = new SEQUENCE();
+         seq.addElement(new AVA(new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.5.1.4"), opts));
+ 
++        /*
+         OCTET_STRING ostr = createIDPOPLinkWitness();
+         seq.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr));
++        */
+ 
+         return new CertRequest(new INTEGER(1), certTemplate, seq);
+     }
+@@ -676,10 +678,10 @@ public class CRMFPopClient {
+ 
+         Signature signer;
+         if (algorithm.equals("rsa")) {
+-            signer =  token.getSignatureContext(SignatureAlgorithm.RSASignatureWithMD5Digest);
++            signer =  token.getSignatureContext(SignatureAlgorithm.RSASignatureWithSHA256Digest);
+ 
+         } else if (algorithm.equals("ec")) {
+-            signer =  token.getSignatureContext(SignatureAlgorithm.ECSignatureWithSHA1Digest);
++            signer =  token.getSignatureContext(SignatureAlgorithm.ECSignatureWithSHA256Digest);
+ 
+         } else {
+             throw new Exception("Unknown algorithm: " + algorithm);
+@@ -694,10 +696,10 @@ public class CRMFPopClient {
+ 
+         AlgorithmIdentifier algorithmID;
+         if (algorithm.equals("rsa")) {
+-            algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.RSASignatureWithMD5Digest.toOID(), null);
++            algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.RSASignatureWithSHA256Digest.toOID(), null);
+ 
+         } else if (algorithm.equals("ec")) {
+-            algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.ECSignatureWithSHA1Digest.toOID(), null);
++            algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.ECSignatureWithSHA256Digest.toOID(), null);
+ 
+         } else {
+             throw new Exception("Unknown algorithm: " + algorithm);
+diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
+index 57f8792..fd1d087 100644
+--- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
++++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
+@@ -22,14 +22,12 @@ import java.io.FileOutputStream;
+ import java.io.IOException;
+ import java.io.PrintStream;
+ import java.security.KeyPair;
+-import java.security.MessageDigest;
+ import java.security.PublicKey;
+ 
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.asn1.BMPString;
+ import org.mozilla.jss.asn1.INTEGER;
+ import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
+-import org.mozilla.jss.asn1.OCTET_STRING;
+ import org.mozilla.jss.asn1.PrintableString;
+ import org.mozilla.jss.asn1.SET;
+ import org.mozilla.jss.asn1.TeletexString;
+@@ -38,17 +36,16 @@ import org.mozilla.jss.asn1.UniversalString;
+ import org.mozilla.jss.crypto.CryptoToken;
+ import org.mozilla.jss.crypto.KeyPairAlgorithm;
+ import org.mozilla.jss.crypto.KeyPairGenerator;
++import org.mozilla.jss.crypto.PrivateKey;
+ import org.mozilla.jss.crypto.SignatureAlgorithm;
+ import org.mozilla.jss.pkcs10.CertificationRequest;
+ import org.mozilla.jss.pkcs10.CertificationRequestInfo;
+ import org.mozilla.jss.pkix.primitive.AVA;
+-import org.mozilla.jss.pkix.primitive.Attribute;
+ import org.mozilla.jss.pkix.primitive.Name;
+ import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+ import org.mozilla.jss.util.Password;
+ 
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+-import com.netscape.cmsutil.util.HMACDigest;
+ import com.netscape.cmsutil.util.Utils;
+ 
+ import netscape.security.pkcs.PKCS10;
+@@ -248,6 +245,8 @@ public class PKCS10Client {
+ 
+             System.out.println("PKCS10Client: key pair generated."); //key pair generated");
+ 
++            /*** leave out this test code; cmc can add popLinkwitnessV2;
++
+             // Add idPOPLinkWitness control
+             String secretValue = "testing";
+             byte[] key1 = null;
+@@ -255,7 +254,7 @@ public class PKCS10Client {
+             MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1");
+             key1 = SHA1Digest.digest(secretValue.getBytes());
+ 
+-            /* seed */
++            // seed
+             byte[] b =
+             { 0x10, 0x53, 0x42, 0x24, 0x1a, 0x2a, 0x35, 0x3c,
+                 0x7a, 0x52, 0x54, 0x56, 0x71, 0x65, 0x66, 0x4c,
+@@ -272,9 +271,10 @@ public class PKCS10Client {
+ 
+             OCTET_STRING ostr = new OCTET_STRING(finalDigest);
+             Attribute attr = new Attribute(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr);
++            ***/
+ 
+             SET attributes = new SET();
+-            attributes.addElement(attr);
++            //attributes.addElement(attr);
+             Name n = getJssName(enable_encoding, subjectName);
+             SubjectPublicKeyInfo subjectPub = new SubjectPublicKeyInfo(pair.getPublic());
+             System.out.println("PKCS10Client: pair.getPublic() called.");
+@@ -286,7 +286,7 @@ public class PKCS10Client {
+             if (alg.equals("rsa")) {
+                 CertificationRequest certRequest = null;
+                 certRequest = new CertificationRequest(certReqInfo,
+-                pair.getPrivate(), SignatureAlgorithm.RSASignatureWithMD5Digest);
++                pair.getPrivate(), SignatureAlgorithm.RSASignatureWithSHA256Digest);
+                 System.out.println("PKCS10Client: CertificationRequest created.");
+ 
+                 ByteArrayOutputStream bos = new ByteArrayOutputStream();
+@@ -323,6 +323,14 @@ public class PKCS10Client {
+                 b64E = CryptoUtil.base64Encode(certReqb);
+             }
+ 
++            // print out keyid to be used in cmc popLinkWitnessV2
++            PrivateKey privateKey = (PrivateKey) pair.getPrivate();
++            @SuppressWarnings("deprecation")
++            byte id[] = privateKey.getUniqueID();
++            String kid = CryptoUtil.byte2string(id);
++            System.out.println("Keypair private key id: " + kid);
++            System.out.println("");
++
+             System.out.println(RFC7468_HEADER);
+             System.out.println(b64E);
+             System.out.println(RFC7468_TRAILER);
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 370cc33..5f7b0ef 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -55,6 +55,7 @@ import org.mozilla.jss.pkix.cmc.IdentityProofV2;
+ import org.mozilla.jss.pkix.cmc.LraPopWitness;
+ import org.mozilla.jss.pkix.cmc.OtherMsg;
+ import org.mozilla.jss.pkix.cmc.PKIData;
++import org.mozilla.jss.pkix.cmc.PopLinkWitnessV2;
+ import org.mozilla.jss.pkix.cmc.TaggedAttribute;
+ import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
+ import org.mozilla.jss.pkix.cmc.TaggedRequest;
+@@ -64,6 +65,7 @@ import org.mozilla.jss.pkix.crmf.CertTemplate;
+ import org.mozilla.jss.pkix.crmf.PKIArchiveOptions;
+ import org.mozilla.jss.pkix.crmf.ProofOfPossession;
+ import org.mozilla.jss.pkix.primitive.AVA;
++import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
+ import org.mozilla.jss.pkix.primitive.Attribute;
+ import org.mozilla.jss.pkix.primitive.Name;
+ import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+@@ -73,7 +75,6 @@ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.authentication.ISharedToken;
+ import com.netscape.certsrv.authority.IAuthority;
+ import com.netscape.certsrv.base.EBaseException;
+-import com.netscape.certsrv.base.EPropertyNotFound;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+@@ -143,6 +144,9 @@ public abstract class EnrollProfile extends BasicProfile
+      */
+     public IRequest[] createRequests(IProfileContext ctx, Locale locale)
+             throws EProfileException {
++        String method = "EnrollProfile: createRequests";
++        CMS.debug(method + "begins");
++
+         // determine how many requests should be created
+         String cert_request_type = ctx.get(CTX_CERT_REQUEST_TYPE);
+         String cert_request = ctx.get(CTX_CERT_REQUEST);
+@@ -151,7 +155,7 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+         /* cert_request_type can be null for the case of CMC */
+         if (cert_request_type == null) {
+-            CMS.debug("EnrollProfile: request type is null");
++            CMS.debug(method + " request type is null");
+         }
+ 
+         int num_requests = 1; // default to 1 request
+@@ -174,10 +178,14 @@ public abstract class EnrollProfile extends BasicProfile
+              */
+             // catch for invalid request
+             cmc_msgs = parseCMC(locale, cert_request);
+-            if (cmc_msgs == null)
++            if (cmc_msgs == null) {
++                CMS.debug(method + "parseCMC returns cmc_msgs null");
+                 return null;
+-            else
++            } else {
+                 num_requests = cmc_msgs.length;
++                CMS.debug(method + "parseCMC returns cmc_msgs num_requests=" +
++                        num_requests);
++            }
+         }
+ 
+         // only 1 request for renewal
+@@ -356,7 +364,6 @@ public abstract class EnrollProfile extends BasicProfile
+             throw new EBaseException(method + msg);
+         }
+         byte[] req_key_data = req.getExtDataInByteArray(IEnrollProfile.REQUEST_KEY);
+-        netscape.security.x509.CertificateX509Key pubKey = null;
+         if (req_key_data != null) {
+             CMS.debug(method + "found user public key in request");
+ 
+@@ -511,6 +518,11 @@ public abstract class EnrollProfile extends BasicProfile
+         }
+     }
+ 
++    /*
++     * parseCMC
++     * @throws EProfileException in case of error
++     *   note: returing "null" doesn't mean failure
++     */
+     public TaggedRequest[] parseCMC(Locale locale, String certreq)
+             throws EProfileException {
+ 
+@@ -553,6 +565,7 @@ public abstract class EnrollProfile extends BasicProfile
+             int numcontrols = controlSeq.size();
+             SEQUENCE reqSeq = pkiData.getReqSequence();
+             byte randomSeed[] = null;
++            UTF8String ident_s = null;
+             SessionContext context = SessionContext.getContext();
+             if (!context.containsKey("numOfControls")) {
+                 if (numcontrols > 0) {
+@@ -588,6 +601,7 @@ public abstract class EnrollProfile extends BasicProfile
+                             id_cmc_identityProof = true;
+                             attr = attributes[i];
+                         } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom)) {
++                            CMS.debug(method + "id_cmc_idPOPLinkRandom true");
+                             id_cmc_idPOPLinkRandom = true;
+                             vals = attributes[i].getValues();
+                         } else {
+@@ -621,23 +635,31 @@ public abstract class EnrollProfile extends BasicProfile
+                         return null;
+                     }
+ 
+-                    UTF8String ident_s = null;
+                     if (id_cmc_identification) {
+                         if (ident == null) {
+                             msg = "id_cmc_identification contains null attribute value";
+                             CMS.debug(method + msg);
+                             SEQUENCE bpids = getRequestBpids(reqSeq);
+                             context.put("identification", bpids);
+-                            return null;
++
++                            msg = " id_cmc_identification attribute value not found in";
++                            CMS.debug(method + msg);
++                            throw new EProfileException(
++                                    CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
++                                            msg);
+                         }
+                         ident_s = (UTF8String) (ASN1Util.decode(UTF8String.getTemplate(),
+                                 ASN1Util.encode(ident.elementAt(0))));
+                         if (ident_s == null) {
+-                            msg = "id_cmc_identification contains invalid content";
++                            msg = " id_cmc_identification contains invalid content";
+                             CMS.debug(method + msg);
+                             SEQUENCE bpids = getRequestBpids(reqSeq);
+                             context.put("identification", bpids);
+-                            return null;
++
++                            CMS.debug(method + msg);
++                            throw new EProfileException(
++                                    CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
++                                            msg);
+                         }
+                     }
+ 
+@@ -646,7 +668,8 @@ public abstract class EnrollProfile extends BasicProfile
+                         if (!id_cmc_identification) {
+                             SEQUENCE bpids = getRequestBpids(reqSeq);
+                             context.put("identification", bpids);
+-                            msg = "id_cmc_identityProofV2 must be accompanied by id_cmc_identification in this server";
++                            context.put("identityProofV2", bpids);
++                            msg = "id_cmc_identityProofV2 missing id_cmc_identification";
+                             CMS.debug(method + msg);
+                             throw new EProfileException(
+                                     CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
+@@ -658,7 +681,11 @@ public abstract class EnrollProfile extends BasicProfile
+                         if (!valid) {
+                             SEQUENCE bpids = getRequestBpids(reqSeq);
+                             context.put("identityProofV2", bpids);
+-                            return null;
++
++                            msg = " in verifyIdentityProofV2";
++                            CMS.debug(method + msg);
++                            throw new EProfileException(CMS.getUserMessage(locale,
++                                    "CMS_POI_VERIFICATION_ERROR")+ msg);
+                         }
+                     } else if (id_cmc_identityProof && (attr != null)) {
+                         boolean valid = verifyIdentityProof(attr,
+@@ -666,14 +693,20 @@ public abstract class EnrollProfile extends BasicProfile
+                         if (!valid) {
+                             SEQUENCE bpids = getRequestBpids(reqSeq);
+                             context.put("identityProof", bpids);
+-                            return null;
++
++                            msg = " in verifyIdentityProof";
++                            CMS.debug(method + msg);
++                            throw new EProfileException(CMS.getUserMessage(locale,
++                                    "CMS_POI_VERIFICATION_ERROR")+ msg);
+                         }
+                     }
+ 
+                     if (id_cmc_idPOPLinkRandom && vals != null) {
+-                        OCTET_STRING ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
++                        OCTET_STRING ostr =
++                                (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
+                                 ASN1Util.encode(vals.elementAt(0))));
+                         randomSeed = ostr.toByteArray();
++                        CMS.debug(method + "got randomSeed");
+                     }
+                 } // numcontrols > 0
+             }
+@@ -691,19 +724,55 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+             int nummsgs = reqSeq.size();
+             if (nummsgs > 0) {
++
+                 msgs = new TaggedRequest[reqSeq.size()];
+                 SEQUENCE bpids = new SEQUENCE();
++
++                /* TODO: add this in CS.cfg later: cmc.popLinkWitnessRequired=true
++                // enforce popLinkWitness (or V2)
++                boolean popLinkWitnessRequired = true;
++                try {
++                    String configName = "cmc.popLinkWitnessRequired";
++                    CMS.debug(method + "getting :" + configName);
++                    popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, true);
++                    CMS.debug(method + "cmc.popLinkWitnessRequired is " + popLinkWitnessRequired);
++                } catch (Exception e) {
++                    // unlikely to get here
++                    msg = method + " Failed to retrieve cmc.popLinkWitnessRequired";
++                    CMS.debug(msg);
++                    throw new EProfileException(method + msg);
++                }
++*/
++
+                 boolean valid = true;
+                 for (int i = 0; i < nummsgs; i++) {
+                     msgs[i] = (TaggedRequest) reqSeq.elementAt(i);
+-                    if (!context.containsKey("POPLinkWitness")) {
++                    if (!context.containsKey("POPLinkWitnessV2") &&
++                            !context.containsKey("POPLinkWitness")) {
+                         if (randomSeed != null) {
+-                            valid = verifyPOPLinkWitness(randomSeed, msgs[i], bpids);
+-                            if (!valid || bpids.size() > 0) {
+-                                context.put("POPLinkWitness", bpids);
+-                                return null;
++                            // verifyPOPLinkWitness() will determine if this is
++                            // POPLinkWitnessV2 or POPLinkWitness
++                            // If failure, context is set in verifyPOPLinkWitness
++                            valid = verifyPOPLinkWitness(ident_s, randomSeed, msgs[i], bpids, context);
++                            if (valid == false) {
++                                if (context.containsKey("POPLinkWitnessV2"))
++                                    msg = " in POPLinkWitnessV2";
++                                else if (context.containsKey("POPLinkWitness"))
++                                    msg = " in POPLinkWitness";
++                                else
++                                    msg = " unspecified failure from verifyPOPLinkWitness";
++
++                                CMS.debug(method + msg);
++                                throw new EProfileException(CMS.getUserMessage(locale,
++                                        "MS_POP_LINK_WITNESS_VERIFICATION_ERROR")+ msg);
+                             }
+-                        }
++                        /* TODO: for next cmc ticket, eliminate the extra trip of parseCMC if possible, or figure a way out to bypass this on 2nd trip
++                        } else if (popLinkWitnessRequired == true) {
++                            //popLinkWitnessRequired == true, must have randomSeed
++                            CMS.debug(method + "popLinkWitness(V2) required; no randomSeed found");
++                            context.put("POPLinkWitnessV2", bpids);
++                            return null;*/
++                        } //randomSeed != null
+                     }
+                 }
+             } else
+@@ -711,8 +780,10 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+             CMS.debug(method + "ends");
+             return msgs;
++        } catch (EProfileException e) {
++            throw new EProfileException(e);
+         } catch (Exception e) {
+-            CMS.debug(method + "Unable to parse CMC request: " + e);
++            CMS.debug(method + e);
+             throw new EProfileException(
+                     CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e);
+         }
+@@ -778,9 +849,9 @@ public abstract class EnrollProfile extends BasicProfile
+         }
+ 
+         byte[] cmc_msg = req.getExtDataInByteArray(IEnrollProfile.CTX_CERT_REQUEST);
+-        if (pop_sysPubEncreyptedSession == null) {
++        if (cmc_msg == null) {
+             msg = method +
+-                    "pop_sysPubEncreyptedSession not found in request:" +
++                    "cmc_msg not found in request:" +
+                     reqId.toString();
+             CMS.debug(msg);
+             return null;
+@@ -857,43 +928,125 @@ public abstract class EnrollProfile extends BasicProfile
+         return reqId;
+     }
+ 
+-    private boolean verifyPOPLinkWitness(byte[] randomSeed, TaggedRequest req,
+-            SEQUENCE bpids) {
+-        ISharedToken tokenClass = null;
+-        boolean sharedSecretFound = true;
+-        String name = null;
++    /**
++     * getPopLinkWitnessV2control
++     *
++     * @author cfu
++     */
++    protected PopLinkWitnessV2 getPopLinkWitnessV2control(ASN1Value value) {
++        String method = "EnrollProfile: getPopLinkWitnessV2control: ";
++
++        ByteArrayInputStream bis = new ByteArrayInputStream(
++                ASN1Util.encode(value));
++        PopLinkWitnessV2 popLinkWitnessV2 = null;
++
+         try {
+-            name = CMS.getConfigStore().getString("cmc.sharedSecret.class");
+-        } catch (EPropertyNotFound e) {
+-            CMS.debug("EnrollProfile: Failed to find the token class in the configuration file.");
+-            sharedSecretFound = false;
+-        } catch (EBaseException e) {
+-            CMS.debug("EnrollProfile: Failed to find the token class in the configuration file.");
+-            sharedSecretFound = false;
++            popLinkWitnessV2 = (PopLinkWitnessV2) (new PopLinkWitnessV2.Template()).decode(bis);
++        } catch (Exception e) {
++            CMS.debug(method + e);
++        }
++        return popLinkWitnessV2;
++    }
++
++    /**
++     * verifyPopLinkWitnessV2
++     *
++     * @author cfu
++     */
++    protected boolean verifyPopLinkWitnessV2(
++            PopLinkWitnessV2 popLinkWitnessV2,
++            byte[] randomSeed,
++            String sharedSecret,
++            String ident_string) {
++        String method = "EnrollProfile: verifyPopLinkWitnessV2: ";
++
++        if ((popLinkWitnessV2 == null) ||
++                (randomSeed == null) ||
++                (sharedSecret == null)) {
++            CMS.debug(method + " method parameters cannot be null");
++            return false;
++        }
++        AlgorithmIdentifier keyGenAlg = popLinkWitnessV2.getKeyGenAlgorithm();
++        AlgorithmIdentifier macAlg = popLinkWitnessV2.getMacAlgorithm();
++        OCTET_STRING witness = popLinkWitnessV2.getWitness();
++        if (keyGenAlg == null) {
++            CMS.debug(method + " keyGenAlg reurned by popLinkWitnessV2.getWitness is null");
++            return false;
++        }
++        if (macAlg == null) {
++            CMS.debug(method + " macAlg reurned by popLinkWitnessV2.getWitness is null");
++            return false;
++        }
++        if (witness == null) {
++            CMS.debug(method + " witness reurned by popLinkWitnessV2.getWitness is null");
++            return false;
+         }
+ 
+         try {
+-            tokenClass = (ISharedToken) Class.forName(name).newInstance();
+-        } catch (ClassNotFoundException e) {
+-            CMS.debug("EnrollProfile: Failed to find class name: " + name);
+-            sharedSecretFound = false;
+-        } catch (InstantiationException e) {
+-            CMS.debug("EnrollProfile: Failed to instantiate class: " + name);
+-            sharedSecretFound = false;
+-        } catch (IllegalAccessException e) {
+-            CMS.debug("EnrollProfile: Illegal access: " + name);
++            DigestAlgorithm keyGenAlgID = DigestAlgorithm.fromOID(keyGenAlg.getOID());
++            MessageDigest keyGenMDAlg = MessageDigest.getInstance(keyGenAlgID.toString());
++
++            HMACAlgorithm macAlgID = HMACAlgorithm.fromOID(macAlg.getOID());
++            MessageDigest macMDAlg = MessageDigest
++                    .getInstance(CryptoUtil.getHMACtoMessageDigestName(macAlgID.toString()));
++
++            byte[] witness_bytes = witness.toByteArray();
++            return verifyDigest(
++                    (ident_string != null) ? (sharedSecret + ident_string).getBytes() : sharedSecret.getBytes(),
++                    randomSeed,
++                    witness_bytes,
++                    keyGenMDAlg, macMDAlg);
++        } catch (NoSuchAlgorithmException e) {
++            CMS.debug(method + e);
++            return false;
++        } catch (Exception e) {
++            CMS.debug(method + e);
++            return false;
++        }
++    }
++
++    /*
++     * verifyPOPLinkWitness now handles POPLinkWitnessV2;
++     */
++    private boolean verifyPOPLinkWitness(
++            UTF8String ident, byte[] randomSeed, TaggedRequest req,
++            SEQUENCE bpids, SessionContext context) {
++        String method = "EnrollProfile: verifyPOPLinkWitness: ";
++        CMS.debug(method + "begins.");
++
++        String ident_string = null;
++        if (ident != null) {
++            ident_string = ident.toString();
++        }
++
++        boolean sharedSecretFound = true;
++        String configName = "cmc.sharedSecret.class";
++        String sharedSecret = null;
++        ISharedToken tokenClass = getSharedTokenClass(configName);
++        if (tokenClass == null) {
++            CMS.debug(method + " Failed to retrieve shared secret plugin class");
+             sharedSecretFound = false;
++        } else {
++            if (ident_string != null) {
++                sharedSecret = tokenClass.getSharedToken(ident_string);
++            } else {
++                sharedSecret = tokenClass.getSharedToken(mCMCData);
++            }
++            if (sharedSecret == null)
++                sharedSecretFound = false;
+         }
+ 
+         INTEGER reqId = null;
+         byte[] bv = null;
+-        String sharedSecret = null;
+-        if (tokenClass != null)
+-            sharedSecret = tokenClass.getSharedToken(mCMCData);
++
+         if (req.getType().equals(TaggedRequest.PKCS10)) {
++            String methodPos = method + "PKCS10: ";
++            CMS.debug(methodPos + "begins");
++
+             TaggedCertificationRequest tcr = req.getTcr();
+             if (!sharedSecretFound) {
+                 bpids.addElement(tcr.getBodyPartID());
++                context.put("POPLinkWitness", bpids);
+                 return false;
+             } else {
+                 CertificationRequest creq = tcr.getCertificationRequest();
+@@ -901,13 +1054,42 @@ public abstract class EnrollProfile extends BasicProfile
+                 SET attrs = cinfo.getAttributes();
+                 for (int j = 0; j < attrs.size(); j++) {
+                     Attribute pkcs10Attr = (Attribute) attrs.elementAt(j);
+-                    if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) {
++                    if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) {
++                        CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2");
++                        if (ident_string == null) {
++                            bpids.addElement(reqId);
++                            context.put("identification", bpids);
++                            context.put("POPLinkWitnessV2", bpids);
++                            String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server";
++                            CMS.debug(methodPos + msg);
++                            return false;
++                        }
++
++                        SET witnessVal = pkcs10Attr.getValues();
++                        if (witnessVal.size() > 0) {
++                            try {
++                                PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(witnessVal.elementAt(0));
++                                boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2,
++                                        randomSeed,
++                                        sharedSecret,
++                                        ident_string);
++                                if (!valid) {
++                                    bpids.addElement(reqId);
++                                    context.put("POPLinkWitnessV2", bpids);
++                                    return valid;
++                                }
++                                return true;
++                            } catch (Exception ex) {
++                                CMS.debug(methodPos + ex);
++                                return false;
++                            }
++                        }
++                    } else if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) {
+                         SET witnessVal = pkcs10Attr.getValues();
+                         if (witnessVal.size() > 0) {
+                             try {
+-                                OCTET_STRING str =
+-                                        (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
+-                                                ASN1Util.encode(witnessVal.elementAt(0))));
++                                OCTET_STRING str = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
++                                        ASN1Util.encode(witnessVal.elementAt(0))));
+                                 bv = str.toByteArray();
+                                 return verifyDigest(sharedSecret.getBytes(),
+                                         randomSeed, bv);
+@@ -921,27 +1103,55 @@ public abstract class EnrollProfile extends BasicProfile
+                 return false;
+             }
+         } else if (req.getType().equals(TaggedRequest.CRMF)) {
++            String methodPos = method + "CRMF: ";
++            CMS.debug(methodPos + "begins");
++
+             CertReqMsg crm = req.getCrm();
+             CertRequest certReq = crm.getCertReq();
+             reqId = certReq.getCertReqId();
+             if (!sharedSecretFound) {
+                 bpids.addElement(reqId);
++                context.put("POPLinkWitness", bpids);
+                 return false;
+             } else {
+                 for (int i = 0; i < certReq.numControls(); i++) {
+                     AVA ava = certReq.controlAt(i);
+ 
+-                    if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) {
++                    if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) {
++                        CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2");
++                        if (ident_string == null) {
++                            bpids.addElement(reqId);
++                            context.put("identification", bpids);
++                            context.put("POPLinkWitnessV2", bpids);
++                            String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server";
++                            CMS.debug(methodPos + msg);
++                            return false;
++                        }
++
++                        ASN1Value value = ava.getValue();
++                        PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(value);
++
++                        boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2,
++                                randomSeed,
++                                sharedSecret,
++                                ident_string);
++                        if (!valid) {
++                            bpids.addElement(reqId);
++                            context.put("POPLinkWitnessV2", bpids);
++                            return valid;
++                        }
++                    } else if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) {
++                        CMS.debug(methodPos + "found id_cmc_idPOPLinkWitness");
+                         ASN1Value value = ava.getValue();
+                         ByteArrayInputStream bis = new ByteArrayInputStream(
+                                 ASN1Util.encode(value));
+                         OCTET_STRING ostr = null;
+                         try {
+-                            ostr = (OCTET_STRING)
+-                                    (new OCTET_STRING.Template()).decode(bis);
++                            ostr = (OCTET_STRING) (new OCTET_STRING.Template()).decode(bis);
+                             bv = ostr.toByteArray();
+                         } catch (Exception e) {
+                             bpids.addElement(reqId);
++                            context.put("POPLinkWitness", bpids);
+                             return false;
+                         }
+ 
+@@ -949,6 +1159,7 @@ public abstract class EnrollProfile extends BasicProfile
+                                 randomSeed, bv);
+                         if (!valid) {
+                             bpids.addElement(reqId);
++                            context.put("POPLinkWitness", bpids);
+                             return valid;
+                         }
+                     }
+@@ -1002,10 +1213,7 @@ public abstract class EnrollProfile extends BasicProfile
+         byte[] finalDigest = null;
+         HMACDigest hmacDigest = new HMACDigest(macAlg, key);
+         hmacDigest.update(text);
+-        if (hmacDigest == null) {
+-            CMS.debug(method + " hmacDigest null after hmacDigest.update");
+-            return false;
+-        }
++
+         finalDigest = hmacDigest.digest();
+ 
+         if (finalDigest.length != bv.length) {
+@@ -1041,6 +1249,40 @@ public abstract class EnrollProfile extends BasicProfile
+         return bpids;
+     }
+ 
++
++    ISharedToken getSharedTokenClass(String configName) {
++        String method = "EnrollProfile: getSharedTokenClass: ";
++        ISharedToken tokenClass = null;
++
++        String name = null;
++        try {
++            CMS.debug(method + "getting :" + configName);
++            name = CMS.getConfigStore().getString(configName);
++            CMS.debug(method + "Shared Secret plugin class name retrieved:" +
++                    name);
++        } catch (Exception e) {
++            CMS.debug(method + " Failed to retrieve shared secret plugin class name");
++            return null;
++        }
++
++        try {
++            tokenClass = (ISharedToken) Class.forName(name).newInstance();
++            CMS.debug(method + "Shared Secret plugin class retrieved");
++        } catch (ClassNotFoundException e) {
++            CMS.debug(method + " Failed to find class name: " + name);
++            return null;
++        } catch (InstantiationException e) {
++            CMS.debug("EnrollProfile: Failed to instantiate class: " + name);
++            return null;
++        } catch (IllegalAccessException e) {
++            CMS.debug(method + " Illegal access: " + name);
++            return null;
++        }
++
++        return tokenClass;
++    }
++
++
+     /**
+      * verifyIdentityProofV2 handles IdentityProofV2 as defined by RFC5272
+      *
+@@ -1070,32 +1312,9 @@ public abstract class EnrollProfile extends BasicProfile
+             return false;
+         }
+ 
+-        String name = null;
+-        try {
+-            String configName = "cmc.sharedSecret.class";
+-            CMS.debug(method + "getting :" + configName);
+-            name = CMS.getConfigStore().getString(configName);
+-            CMS.debug(method + "Shared Secret plugin class name retrieved:" +
+-                    name);
+-        } catch (Exception e) {
+-            CMS.debug(method + " Failed to retrieve shared secret plugin class name");
+-            return false;
+-        }
++        String configName = "cmc.sharedSecret.class";
++        ISharedToken tokenClass = getSharedTokenClass(configName);
+ 
+-        ISharedToken tokenClass = null;
+-        try {
+-            tokenClass = (ISharedToken) Class.forName(name).newInstance();
+-            CMS.debug(method + "Shared Secret plugin class retrieved");
+-        } catch (ClassNotFoundException e) {
+-            CMS.debug(method + " Failed to find class name: " + name);
+-            return false;
+-        } catch (InstantiationException e) {
+-            CMS.debug("EnrollProfile: Failed to instantiate class: " + name);
+-            return false;
+-        } catch (IllegalAccessException e) {
+-            CMS.debug(method + " Illegal access: " + name);
+-            return false;
+-        }
+         if (tokenClass == null) {
+             CMS.debug(method + " Failed to retrieve shared secret plugin class");
+             return false;
+@@ -1116,19 +1335,13 @@ public abstract class EnrollProfile extends BasicProfile
+         try {
+             IdentityProofV2 idV2val = (IdentityProofV2) (ASN1Util.decode(IdentityProofV2.getTemplate(),
+                     ASN1Util.encode(vals.elementAt(0))));
+-            /**
+-             * TODO: cfu:
+-             * phase2: getting configurable allowable hashing and mac algorithms
+-             */
+ 
+             DigestAlgorithm hashAlgID = DigestAlgorithm.fromOID(idV2val.getHashAlgID().getOID());
+             MessageDigest hashAlg = MessageDigest.getInstance(hashAlgID.toString());
+-            // TODO: check against CA allowed algs later
+ 
+             HMACAlgorithm macAlgId = HMACAlgorithm.fromOID(idV2val.getMacAlgId().getOID());
+             MessageDigest macAlg = MessageDigest
+                     .getInstance(CryptoUtil.getHMACtoMessageDigestName(macAlgId.toString()));
+-            // TODO: check against CA allowed algs later
+ 
+             OCTET_STRING witness = idV2val.getWitness();
+             if (witness == null) {
+@@ -1151,32 +1364,18 @@ public abstract class EnrollProfile extends BasicProfile
+     } // verifyIdentityProofV2
+ 
+     private boolean verifyIdentityProof(TaggedAttribute attr, SEQUENCE reqSeq) {
++        String method = "verifyIdentityProof: ";
++
+         SET vals = attr.getValues();
+         if (vals.size() < 1)
+             return false;
+-        String name = null;
+-        try {
+-            name = CMS.getConfigStore().getString("cmc.sharedSecret.class");
+-        } catch (EPropertyNotFound e) {
+-        } catch (EBaseException e) {
+-        }
+ 
+-        if (name == null)
++        String configName = "cmc.sharedSecret.class";
++            ISharedToken tokenClass = getSharedTokenClass(configName);
++        if (tokenClass == null) {
++            CMS.debug(method + " Failed to retrieve shared secret plugin class");
+             return false;
+-        else {
+-            ISharedToken tokenClass = null;
+-            try {
+-                tokenClass = (ISharedToken) Class.forName(name).newInstance();
+-            } catch (ClassNotFoundException e) {
+-                CMS.debug("EnrollProfile: Failed to find class name: " + name);
+-                return false;
+-            } catch (InstantiationException e) {
+-                CMS.debug("EnrollProfile: Failed to instantiate class: " + name);
+-                return false;
+-            } catch (IllegalAccessException e) {
+-                CMS.debug("EnrollProfile: Illegal access: " + name);
+-                return false;
+-            }
++        }
+ 
+             String token = tokenClass.getSharedToken(mCMCData);
+             OCTET_STRING ostr = null;
+@@ -1184,20 +1383,20 @@ public abstract class EnrollProfile extends BasicProfile
+                 ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
+                         ASN1Util.encode(vals.elementAt(0))));
+             } catch (InvalidBERException e) {
+-                CMS.debug("EnrollProfile: Failed to decode the byte value.");
++                CMS.debug(method + "Failed to decode the byte value.");
+                 return false;
+             }
+             byte[] b = ostr.toByteArray();
+             byte[] text = ASN1Util.encode(reqSeq);
+ 
+             return verifyDigest(token.getBytes(), text, b);
+-        }
+     }
+ 
+     public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info,
+             IRequest req)
+             throws EProfileException {
+         String method = "EnrollProfile: fillTaggedRequest: ";
++        CMS.debug(method + "begins");
+         TaggedRequest.Type type = tagreq.getType();
+         if (type == null) {
+             CMS.debug(method + "TaggedRequest type == null");
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+index ac690f2..c130a1e 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+@@ -268,6 +268,18 @@ public class CMCOutputTemplate {
+                 controlSeq.addElement(tagattr);
+             }
+ 
++            SEQUENCE POPLinkWitnessV2Bpids = (SEQUENCE) context.get("POPLinkWitnessV2");
++            if (POPLinkWitnessV2Bpids != null && POPLinkWitnessV2Bpids.size() > 0) {
++                OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
++                        new INTEGER(OtherInfo.BAD_REQUEST), null);
++                cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED,
++                        POPLinkWitnessV2Bpids, (String) null, otherInfo);
++                tagattr = new TaggedAttribute(
++                        new INTEGER(bpid++),
++                        OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
++                controlSeq.addElement(tagattr);
++            }
++
+             SEQUENCE POPLinkWitnessBpids = (SEQUENCE) context.get("POPLinkWitness");
+             if (POPLinkWitnessBpids != null && POPLinkWitnessBpids.size() > 0) {
+                 OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
+diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
+index bc7f8cf..bf96f90 100644
+--- a/base/server/cmsbundle/src/UserMessages.properties
++++ b/base/server/cmsbundle/src/UserMessages.properties
+@@ -306,6 +306,8 @@ CMS_ADMIN_SRVLT_CERT_VALIDATE_FAILED=Imported cert has not been verified to be v
+ # ProfileSubmitServlet
+ #######################################################
+ CMS_POP_VERIFICATION_ERROR=Proof-of-Possession Verification Failed
++CMS_POI_VERIFICATION_ERROR=Proof-of-Identification Verification Failed
++CMS_POP_LINK_WITNESS_VERIFICATION_ERROR=POP Link Witness Verification Failed
+ CMS_AUTHENTICATION_AGENT_NAME=Agent Authentication
+ CMS_AUTHENTICATION_AGENT_TEXT=This plugin authenticates agents using a certificate.
+ CMS_AUTHENTICATION_SSL_CLIENT_NAME=SSL Client Authentication
+-- 
+1.8.3.1
+
+
+From 0bd94db7a4266a7a91e08162c7e5eebf071800f2 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Thu, 13 Apr 2017 20:44:32 -0400
+Subject: [PATCH 59/59] Allow key recovery to use encrypted field in key record
+
+The previous commit added a field in the KeyRecord to
+specify whether or not a key was encrypted or key wrapped
+when archived.  This patch modifies the recovery servlets
+to use this field to determine how to decrypt/unwrap the
+key for transport.
+
+Absence of this field in the key record implies that is
+an old record - and we use the value of the CS.cfg parameter
+as the default.
+
+Change-Id: Ia8ae679e8b3fe8462d42848d614bff863ef68e50
+---
+ .../com/netscape/certsrv/dbs/keydb/IKeyRecord.java  |  2 ++
+ base/kra/src/com/netscape/kra/RecoveryService.java  | 13 ++++++++++---
+ .../src/com/netscape/kra/SecurityDataProcessor.java | 21 ++++++++++++++-------
+ .../com/netscape/kra/TokenKeyRecoveryService.java   | 11 +++++++++--
+ .../src/com/netscape/cmscore/dbs/KeyRecord.java     |  9 +++++++++
+ 5 files changed, 44 insertions(+), 12 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
+index c947d3c..d3aaa63 100644
+--- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
++++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
+@@ -173,4 +173,6 @@ public interface IKeyRecord {
+     public void setWrappingParams(WrappingParams params, boolean encrypted) throws Exception;
+ 
+     public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception;
++
++    public Boolean isEncrypted() throws EBaseException;
+ }
+diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
+index c89e2f3..fda5b80 100644
+--- a/base/kra/src/com/netscape/kra/RecoveryService.java
++++ b/base/kra/src/com/netscape/kra/RecoveryService.java
+@@ -224,8 +224,15 @@ public class RecoveryService implements IService {
+                 statsSub.startTiming("recover_key");
+             }
+ 
++            Boolean encrypted = keyRecord.isEncrypted();
++            if (encrypted == null) {
++                // must be an old key record
++                // assume the value of allowEncDecrypt
++                encrypted = allowEncDecrypt_recovery;
++            }
++
+             PrivateKey privKey = null;
+-            if (allowEncDecrypt_recovery == true) {
++            if (encrypted) {
+                 privateKeyData = recoverKey(params, keyRecord);
+             } else {
+                 privKey = recoverKey(params, keyRecord, isRSA);
+@@ -234,7 +241,7 @@ public class RecoveryService implements IService {
+                 statsSub.endTiming("recover_key");
+             }
+ 
+-            if ((isRSA == true) && (allowEncDecrypt_recovery == true)) {
++            if ((isRSA == true) && encrypted) {
+                 if (statsSub != null) {
+                     statsSub.startTiming("verify_key");
+                 }
+@@ -253,7 +260,7 @@ public class RecoveryService implements IService {
+             if (statsSub != null) {
+                 statsSub.startTiming("create_p12");
+             }
+-            if (allowEncDecrypt_recovery == true) {
++            if (encrypted) {
+                 createPFX(request, params, privateKeyData);
+             } else {
+                 createPFX(request, params, privKey, ct);
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index 4261833..701b611 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -363,8 +363,15 @@ public class SecurityDataProcessor {
+         byte[] unwrappedSecData = null;
+         PrivateKey privateKey = null;
+ 
++        Boolean encrypted = keyRecord.isEncrypted();
++        if (encrypted == null) {
++            // must be an old key record
++            // assume the value of allowEncDecrypt
++            encrypted = allowEncDecrypt_recovery;
++        }
++
+         if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
+-            if (allowEncDecrypt_recovery == true) {
++            if (encrypted) {
+                 CMS.debug("Recover symmetric key by decrypting as per allowEncDecrypt_recovery: true.");
+                 unwrappedSecData = recoverSecurityData(keyRecord);
+             } else {
+@@ -375,7 +382,7 @@ public class SecurityDataProcessor {
+             unwrappedSecData = recoverSecurityData(keyRecord);
+         } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
+             try {
+-                if (allowEncDecrypt_recovery == true) {
++                if (encrypted) {
+                     CMS.debug("Recover asymmetric key by decrypting as per allowEncDecrypt_recovery: true.");
+                     unwrappedSecData = recoverSecurityData(keyRecord);
+                 } else {
+@@ -466,7 +473,7 @@ public class SecurityDataProcessor {
+                 if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
+ 
+                     CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored symmetric key with transport passphrase");
+-                    if (allowEncDecrypt_recovery == true) {
++                    if (encrypted) {
+                         CMS.debug("SecurityDataProcessor.recover(): allowEncDecyypt_recovery: true, symmetric key:  create blob with unwrapped key.");
+                         pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass);
+                     } else {
+@@ -478,7 +485,7 @@ public class SecurityDataProcessor {
+                     CMS.debug("SecurityDataProcessor.recover(): encrypt stored passphrase with transport passphrase");
+                     pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass);
+                 } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
+-                    if (allowEncDecrypt_recovery == true) {
++                    if (encrypted) {
+                         CMS.debug("SecurityDataProcessor.recover(): allowEncDecyypt_recovery: true, asymmetric key:  create blob with unwrapped key.");
+                         pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass);
+                     } else {
+@@ -511,7 +518,7 @@ public class SecurityDataProcessor {
+             if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
+                 CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored symmetric key with session key");
+                 try {
+-                    if (allowEncDecrypt_recovery == true) {
++                    if (encrypted) {
+                         CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key with session key as per allowEncDecrypt_recovery: true.");
+                         unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey,
+                                 SymmetricKey.Usage.ENCRYPT, wrapParams);
+@@ -559,7 +566,7 @@ public class SecurityDataProcessor {
+             } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
+                 CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored private key with session key");
+                 try {
+-                    if (allowEncDecrypt_recovery == true) {
++                    if (encrypted) {
+                         CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key.");
+                         unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey,
+                                 SymmetricKey.Usage.ENCRYPT, wrapParams);
+@@ -599,7 +606,7 @@ public class SecurityDataProcessor {
+         params.put(IRequest.SECURITY_DATA_PL_WRAPPING_NAME,
+                 wrapParams.getPayloadWrapAlgorithm().toString());
+ 
+-        if ((allowEncDecrypt_recovery == true) || (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE))) {
++        if (encrypted || dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
+             params.put(IRequest.SECURITY_DATA_PL_WRAPPED, Boolean.toString(false));
+             if (wrapParams.getPayloadEncryptionIV() != null) {
+                 params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr);
+diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+index 67f4dc6..64f65a0 100644
+--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+@@ -433,9 +433,16 @@ public class TokenKeyRecoveryService implements IService {
+                 }
+             } // else, searched by keyid, can't check
+ 
++            Boolean encrypted = keyRecord.isEncrypted();
++            if (encrypted == null) {
++                // must be an old key record
++                // assume the value of allowEncDecrypt
++                encrypted = allowEncDecrypt_recovery;
++            }
++
+             Type keyType = PrivateKey.RSA;
+             byte wrapped[];
+-            if (allowEncDecrypt_recovery == true) {
++            if (encrypted) {
+                 // Unwrap the archived private key
+                 byte privateKeyData[] = null;
+                 privateKeyData = recoverKey(params, keyRecord);
+@@ -493,7 +500,7 @@ public class TokenKeyRecoveryService implements IService {
+                         privateKeyData,
+                         EncryptionAlgorithm.DES3_CBC_PAD,
+                         algParam);
+-            } else { //allowEncDecrypt_recovery == false
++            } else { //encrypted == false
+                 PrivateKey privKey = recoverKey(params, keyRecord, allowEncDecrypt_recovery);
+                 if (privKey == null) {
+                     request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
+index b082165..556c4a7 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
+@@ -504,4 +504,13 @@ public class KeyRecord implements IDBObj, IKeyRecord {
+ 
+         return params;
+     }
++
++    public Boolean isEncrypted() throws EBaseException {
++        String encrypted = (String) mMetaInfo.get(KeyRecordParser.OUT_PL_ENCRYPTED);
++        if (encrypted == null)
++            return null;
++        return Boolean.valueOf(encrypted);
++    }
++
++
+ }
+-- 
+1.8.3.1
+
diff --git a/SOURCES/pki-core-beta.patch b/SOURCES/pki-core-beta.patch
index a32d10e..6bcf558 100644
--- a/SOURCES/pki-core-beta.patch
+++ b/SOURCES/pki-core-beta.patch
@@ -1,6301 +1,13101 @@
-From ca25d3856c37febe4aa89d19ba143bd1e021f0d1 Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Sat, 2 Jul 2016 11:03:53 +0530
-Subject: [PATCH 36/96] Added instance and subsystem validation for pki-server
- subsystem-* commands.
-
-The pki-server subsystem-* commands have been updated to validate
-the instance and subsystem before proceeding with the operation.
-
-https://fedorahosted.org/pki/ticket/2399
----
- base/server/python/pki/server/cli/subsystem.py | 66 +++++++++++++++++++++-----
- 1 file changed, 53 insertions(+), 13 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
-index 49215cf..a44243a 100644
---- a/base/server/python/pki/server/cli/subsystem.py
-+++ b/base/server/python/pki/server/cli/subsystem.py
-@@ -177,6 +177,10 @@ class SubsystemShowCLI(pki.cli.CLI):
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
-+        if not subsystem:
-+            print('ERROR: No %s subsystem in instance '
-+                  '%s.' % (subsystem_name, instance_name))
-+            sys.exit(1)
- 
-         SubsystemCLI.print_subsystem(subsystem)
- 
-@@ -240,9 +244,17 @@ class SubsystemEnableCLI(pki.cli.CLI):
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
--        subsystem.enable()
-+        if not subsystem:
-+            print('ERROR: No %s subsystem in instance '
-+                  '%s.' % (subsystem_name, instance_name))
-+            sys.exit(1)
- 
--        self.print_message('Enabled "%s" subsystem' % subsystem_name)
-+        if subsystem.is_enabled():
-+            self.print_message('Subsystem "%s" is already '
-+                               'enabled' % subsystem_name)
-+        else:
-+            subsystem.enable()
-+            self.print_message('Enabled "%s" subsystem' % subsystem_name)
- 
-         SubsystemCLI.print_subsystem(subsystem)
- 
-@@ -308,9 +320,17 @@ class SubsystemDisableCLI(pki.cli.CLI):
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
--        subsystem.disable()
-+        if not subsystem:
-+            print('ERROR: No %s subsystem in instance '
-+                  '%s.' % (subsystem_name, instance_name))
-+            sys.exit(1)
- 
--        self.print_message('Disabled "%s" subsystem' % subsystem_name)
-+        if not subsystem.is_enabled():
-+            self.print_message('Subsystem "%s" is already '
-+                               'disabled' % subsystem_name)
-+        else:
-+            subsystem.disable()
-+            self.print_message('Disabled "%s" subsystem' % subsystem_name)
- 
-         SubsystemCLI.print_subsystem(subsystem)
- 
-@@ -403,6 +423,10 @@ class SubsystemCertFindCLI(pki.cli.CLI):
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
-+        if not subsystem:
-+            print('ERROR: No %s subsystem in instance '
-+                  '%s.' % (subsystem_name, instance_name))
-+            sys.exit(1)
-         results = subsystem.find_system_certs()
- 
-         self.print_message('%s entries matched' % len(results))
-@@ -436,7 +460,7 @@ class SubsystemCertShowCLI(pki.cli.CLI):
- 
-         try:
-             opts, args = getopt.gnu_getopt(argv, 'i:v', [
--                'instance=',  'show-all',
-+                'instance=', 'show-all',
-                 'verbose', 'help'])
- 
-         except getopt.GetoptError as e:
-@@ -471,7 +495,6 @@ class SubsystemCertShowCLI(pki.cli.CLI):
-             self.usage()
-             sys.exit(1)
- 
--
-         if len(args) < 2:
-             print('ERROR: missing cert ID')
-             self.usage()
-@@ -489,6 +512,10 @@ class SubsystemCertShowCLI(pki.cli.CLI):
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
-+        if not subsystem:
-+            print('ERROR: No %s subsystem in instance '
-+                  '%s.' % (subsystem_name, instance_name))
-+            sys.exit(1)
-         cert = subsystem.get_subsystem_cert(cert_id)
- 
-         SubsystemCertCLI.print_subsystem_cert(cert, show_all)
-@@ -611,6 +638,10 @@ class SubsystemCertExportCLI(pki.cli.CLI):
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
-+        if not subsystem:
-+            print('ERROR: No %s subsystem in instance '
-+                  '%s.' % (subsystem_name, instance_name))
-+            sys.exit(1)
-         subsystem_cert = None
- 
-         if len(args) >= 2:
-@@ -732,6 +763,10 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
-+        if not subsystem:
-+            print('ERROR: No %s subsystem in instance '
-+                  '%s.' % (subsystem_name, instance_name))
-+            sys.exit(1)
-         subsystem_cert = subsystem.get_subsystem_cert(cert_id)
- 
-         # get cert data from NSS database
-@@ -749,6 +784,9 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
-         # get cert request from local CA
-         # TODO: add support for remote CA
-         ca = instance.get_subsystem('ca')
-+        if not ca:
-+            print('ERROR: No CA subsystem in instance %s.' % instance_name)
-+            sys.exit(1)
-         results = ca.find_cert_requests(cert=data)
-         cert_request = results[-1]
-         request = cert_request['request']
-@@ -820,7 +858,7 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
- 
-         subsystem_name = args[0]
- 
--        if len(args) >=2:
-+        if len(args) >= 2:
-             cert_id = args[1]
-         else:
-             cert_id = None
-@@ -835,7 +873,8 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
- 
-         subsystem = instance.get_subsystem(subsystem_name)
-         if not subsystem:
--            self.print_message('ERROR: missing subsystem ' + subsystem_name)
-+            print('ERROR: No %s subsystem in instance '
-+                  '%s.' % (subsystem_name, instance_name))
-             sys.exit(1)
- 
-         if cert_id is not None:
-@@ -909,16 +948,17 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
-         os.close(pwfile_handle)
- 
-         try:
--            cmd = ['pki', '-d', instance.nssdb_dir,
--                   '-C', pwfile_path ]
-+            cmd = ['pki',
-+                   '-d', instance.nssdb_dir,
-+                   '-C', pwfile_path]
- 
-             if token:
-                 cmd.extend(['--token', token])
- 
-             cmd.extend(['client-cert-validate',
--                nickname,
--                '--certusage', usage]
--            )
-+                        nickname,
-+                        '--certusage', usage
-+                       ])
- 
-             subprocess.check_output(cmd, stderr=subprocess.STDOUT)
-             print('  Status: VALID')
--- 
-1.8.3.1
-
-
-From 03926918b688d6634a46e322565bd1ab8ccdd811 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 6 Jul 2016 17:40:13 +0200
-Subject: [PATCH 37/96] Fixed exception chain in SigningUnit.init().
+From d4e83335d5ac6a6b39bf5abaa26075a9ec86f6b7 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 18 Apr 2017 08:09:00 +0200
+Subject: [PATCH 01/49] Spawn a CA and KRA on Travis
 
-The SigningUnit.init() has been modified to chain the exceptions
-to help troubleshooting.
+Travis CI tests are now using a systemd container to install and run a
+389-DS, CA and KRA instance.
 
-https://fedorahosted.org/pki/ticket/2399
+Change-Id: Ibc7d1a6b1e218492a84e88d4339de34b1eb58c7c
 ---
- base/ca/src/com/netscape/ca/SigningUnit.java       | 45 +++++++++++++---------
- .../certsrv/ca/CAMissingCertException.java         |  3 ++
- .../netscape/certsrv/ca/CAMissingKeyException.java |  3 ++
- 3 files changed, 32 insertions(+), 19 deletions(-)
-
-diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java
-index 60bd84e..f708e55 100644
---- a/base/ca/src/com/netscape/ca/SigningUnit.java
-+++ b/base/ca/src/com/netscape/ca/SigningUnit.java
-@@ -22,10 +22,6 @@ import java.security.NoSuchAlgorithmException;
- import java.security.PublicKey;
- import java.security.SignatureException;
- 
--import netscape.security.x509.AlgorithmId;
--import netscape.security.x509.X509CertImpl;
--import netscape.security.x509.X509Key;
+ .travis.test            | 31 -----------------------------
+ .travis.yml             | 51 +++++++++++++++++++++++++++++++++++++++---------
+ .travis/00-init         | 36 ++++++++++++++++++++++++++++++++++
+ .travis/10-compose-rpms | 31 +++++++++++++++++++++++++++++
+ .travis/20-install-rpms |  6 ++++++
+ .travis/30-setup-389ds  | 12 ++++++++++++
+ .travis/40-spawn-ca     |  9 +++++++++
+ .travis/50-spawn-kra    |  9 +++++++++
+ .travis/pki.cfg         | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 9 files changed, 197 insertions(+), 40 deletions(-)
+ delete mode 100755 .travis.test
+ create mode 100755 .travis/00-init
+ create mode 100755 .travis/10-compose-rpms
+ create mode 100755 .travis/20-install-rpms
+ create mode 100755 .travis/30-setup-389ds
+ create mode 100755 .travis/40-spawn-ca
+ create mode 100755 .travis/50-spawn-kra
+ create mode 100644 .travis/pki.cfg
+
+diff --git a/.travis.test b/.travis.test
+deleted file mode 100755
+index ca81022..0000000
+--- a/.travis.test
++++ /dev/null
+@@ -1,31 +0,0 @@
+-#!/bin/bash
+-set -ex
 -
- import org.mozilla.jss.CryptoManager;
- import org.mozilla.jss.NoSuchTokenException;
- import org.mozilla.jss.crypto.CryptoToken;
-@@ -42,15 +38,19 @@ import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.IConfigStore;
- import com.netscape.certsrv.base.ISubsystem;
--import com.netscape.certsrv.ca.ECAException;
- import com.netscape.certsrv.ca.CAMissingCertException;
- import com.netscape.certsrv.ca.CAMissingKeyException;
-+import com.netscape.certsrv.ca.ECAException;
- import com.netscape.certsrv.common.Constants;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.security.ISigningUnit;
- import com.netscape.cmscore.security.JssSubsystem;
- import com.netscape.cmsutil.util.Cert;
- 
-+import netscape.security.x509.AlgorithmId;
-+import netscape.security.x509.X509CertImpl;
-+import netscape.security.x509.X509Key;
+-WORKDIR="${BUILDDIR:-/tmp/builddir}"
+-BUILDUSER=builduser
+-BUILDUSER_UID=${UID:-1000}
+-BUILDUSER_GID=${GID:-1000}
+-
+-. /etc/os-release
+-
+-echo "$NAME $VERSION $1"
+-
+-## compose_pki_core_packages doesn't run as root, create a build user
+-groupadd --non-unique -g $BUILDUSER_GID ${BUILDUSER}
+-useradd --non-unique -u $BUILDUSER_UID -g $BUILDUSER_GID ${BUILDUSER}
+-
+-## chown workdir and enter pki dir
+-chown ${BUILDUSER}:${BUILDUSER} ${WORKDIR}
+-cd ${WORKDIR}/pki
+-
+-## prepare additional build dependencies
+-dnf copr -y enable @pki/10.4
+-dnf builddep -y ./specs/pki-core.spec
+-
+-# update, container might be outdated
+-dnf update -y
+-
+-## run tox and build
+-# run make with --quiet to reduce log verbosity. Travis CI has a log limit
+-# of 10,000 lines.
+-sudo -u ${BUILDUSER} MAKEFLAGS="-j2 --quiet" -s -- ./scripts/compose_pki_core_packages rpms
+diff --git a/.travis.yml b/.travis.yml
+index 2e1a69f..b443118 100644
+--- a/.travis.yml
++++ b/.travis.yml
+@@ -5,16 +5,49 @@ services:
+   - docker
+ 
+ env:
+-  - CONTAINER=dogtagpki/pki-ci-containers:f25_104
+-  - CONTAINER=dogtagpki/pki-ci-containers:f26_104
+-  - CONTAINER=dogtagpki/pki-ci-containers:rawhide
++  global:
++    - CONTAINER=pkitest
++    - SCRIPTDIR=/tmp/workdir/pki/.travis
++  matrix:
++    - IMAGE=dogtagpki/pki-ci-containers:f25_104
++    # F26 repo is unstable
++    # - IMAGE=dogtagpki/pki-ci-containers:f26_104
++    # rawhide repo is unstable
++    # - IMAGE=dogtagpki/pki-ci-containers:rawhide
+ 
+-script:
+-  - docker pull $CONTAINER
++before_install:
++  - docker pull ${IMAGE}
+   - >
+     docker run
++    --detach
++    --name=${CONTAINER}
++    --hostname='pki.test'
++    --privileged
++    --tmpfs /tmp
++    --tmpfs /run
++    -v /sys/fs/cgroup:/sys/fs/cgroup:ro
+     -v $(pwd):/tmp/workdir/pki
+-    -e UID=$(id -u)
+-    -e GID=$(id -g)
+-    $CONTAINER
+-    /tmp/workdir/pki/.travis.test $CONTAINER
++    -e BUILDUSER_UID=$(id -u)
++    -e BUILDUSER_GID=$(id -g)
++    -e TRAVIS=${TRAVIS}
++    -e TRAVIS_JOB_NUMBER=${TRAVIS_JOB_NUMBER}
++    -ti
++    ${IMAGE}
++  - docker ps -a
++
++install:
++  - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/00-init
++  - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/10-compose-rpms
++  - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/20-install-rpms
++  - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/30-setup-389ds
++
++script:
++  - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/40-spawn-ca
++  - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/50-spawn-kra
++
++after_script:
++  - docker kill ${CONTAINER}
++  - docker rm ${CONTAINER}
++
++after_failure:
++  - journalctl -l
+diff --git a/.travis/00-init b/.travis/00-init
+new file mode 100755
+index 0000000..1b5aa53
+--- /dev/null
++++ b/.travis/00-init
+@@ -0,0 +1,36 @@
++#!/bin/bash
++set -e
 +
- /**
-  * CA signing unit based on JSS.
-  *
-@@ -171,7 +171,7 @@ public final class SigningUnit implements ISigningUnit {
-                 mCert = mManager.findCertByNickname(mNickname);
-                 CMS.debug("Found cert by nickname: '" + mNickname + "' with serial number: " + mCert.getSerialNumber());
-             } catch (ObjectNotFoundException e) {
--                throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
-+                throw new CAMissingCertException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e);
-             }
- 
-             mCertImpl = new X509CertImpl(mCert.getEncoded());
-@@ -181,7 +181,7 @@ public final class SigningUnit implements ISigningUnit {
-                 mPrivk = mManager.findPrivKeyByCert(mCert);
-                 CMS.debug("Got private key from cert");
-             } catch (ObjectNotFoundException e) {
--                throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"));
-+                throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e);
-             }
- 
-             mPubk = mCert.getPublicKey();
-@@ -194,32 +194,39 @@ public final class SigningUnit implements ISigningUnit {
-             CMS.debug(
-                     "got signing algorithm " + mDefSigningAlgorithm);
-             mInited = true;
-+
-         } catch (java.security.cert.CertificateException e) {
--            CMS.debug("SigningUnit init: debug " + e.toString());
-+            CMS.debug("SigningUnit: " + e);
-             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CA_CERT", e.getMessage()));
--            throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()));
-+            throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()), e);
-+
-         } catch (CryptoManager.NotInitializedException e) {
--            CMS.debug("SigningUnit init: debug " + e.toString());
-+            CMS.debug("SigningUnit: " + e);
-             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_INIT", e.toString()));
--            throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED"));
-+            throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED"), e);
-+
-         } catch (IncorrectPasswordException e) {
--            CMS.debug("SigningUnit init: debug " + e.toString());
-+            CMS.debug("SigningUnit: " + e);
-             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_WRONG_PWD", e.toString()));
--            throw new ECAException(CMS.getUserMessage("CMS_CA_INVALID_PASSWORD"));
-+            throw new ECAException(CMS.getUserMessage("CMS_CA_INVALID_PASSWORD"), e);
-+
-         } catch (NoSuchTokenException e) {
--            CMS.debug("SigningUnit init: debug " + e.toString());
-+            CMS.debug("SigningUnit: " + e);
-             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, e.toString()));
--            throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname));
-+            throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname), e);
-+
-         } catch (CAMissingCertException | CAMissingKeyException e) {
--            CMS.debug("SigningUnit init: debug " + e.toString());
-+            CMS.debug("SigningUnit: " + e);
-             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString()));
-             throw e;  // re-throw
-+
-         } catch (TokenException e) {
--            CMS.debug("SigningUnit init: debug " + e.toString());
-+            CMS.debug("SigningUnit: " + e);
-             log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
--            throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_ERROR"));
-+            throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_ERROR"), e);
++. /etc/os-release
 +
-         } catch (Exception e) {
--            CMS.debug("SigningUnit init: debug " + e.toString());
-+            CMS.debug(e);
-         }
-     }
- 
-diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
-index 49c5063..e363647 100644
---- a/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
-+++ b/base/common/src/com/netscape/certsrv/ca/CAMissingCertException.java
-@@ -12,4 +12,7 @@ public class CAMissingCertException extends ECAException {
-         super(msgFormat);
-     }
- 
-+    public CAMissingCertException(String msgFormat, Exception cause) {
-+        super(msgFormat, cause);
-+    }
- }
-diff --git a/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java
-index 8f5e1e7..178857f 100644
---- a/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java
-+++ b/base/common/src/com/netscape/certsrv/ca/CAMissingKeyException.java
-@@ -12,4 +12,7 @@ public class CAMissingKeyException extends ECAException {
-         super(msgFormat);
-     }
- 
-+    public CAMissingKeyException(String msgFormat, Exception cause) {
-+        super(msgFormat, cause);
-+    }
- }
--- 
-1.8.3.1
-
-
-From 4bdb8793eddd8d6c26a08c8f871249aa9a5bde7a Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 6 Jul 2016 21:12:35 +0200
-Subject: [PATCH 38/96] Fixed CLI error message on connection problems
-
-The CLI has been modified to display the actual error message
-instead of generic ProcessingException.
-
-https://fedorahosted.org/pki/ticket/2377
----
- base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
-index 797f3cb..8f3293d 100644
---- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
-@@ -31,6 +31,8 @@ import java.net.UnknownHostException;
- import java.util.Collection;
- import java.util.HashSet;
- 
-+import javax.ws.rs.ProcessingException;
++echo "$NAME $VERSION"
 +
- import org.apache.commons.cli.CommandLine;
- import org.apache.commons.cli.Option;
- import org.apache.commons.lang.StringUtils;
-@@ -571,11 +573,20 @@ public class MainCLI extends CLI {
-             MainCLI cli = new MainCLI();
-             cli.execute(args);
- 
-+        } catch (ProcessingException e) {
-+            Throwable t = e.getCause();
-+            if (verbose) {
-+                t.printStackTrace(System.err);
-+            } else {
-+                System.err.println(t.getClass().getSimpleName() + ": " + t.getMessage());
-+            }
-+            System.exit(-1);
++if test -z "${BUILDDIR}" || ! test -d "${BUILDDIR}"; then
++    echo "BUILDDIR not set or ${BUILDDIR} is not a directory."
++    exit 1
++fi
 +
-         } catch (Throwable t) {
-             if (verbose) {
-                 t.printStackTrace(System.err);
-             } else {
--                System.err.println(t.getClass().getSimpleName()+": "+t.getMessage());
-+                System.err.println(t.getClass().getSimpleName() + ": " + t.getMessage());
-             }
-             System.exit(-1);
-         }
--- 
-1.8.3.1
-
-
-From c595208f58a2c072f9a7a243434411f66f556242 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 6 Jul 2016 22:05:09 +0200
-Subject: [PATCH 39/96] Added validation for pki client-cert-request
- extractable parameter.
-
-The pki client-cert-request CLI has been modified to validate the
-boolean extractable parameter.
-
-https://fedorahosted.org/pki/ticket/2383
----
- .../src/com/netscape/cmstools/client/ClientCertRequestCLI.java         | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
-index 3ec4745..0277774 100644
---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
-@@ -194,6 +194,9 @@ public class ClientCertRequestCLI extends CLI {
-         if (s == null) {
-             extractable = -1;
-         } else {
-+            if (!s.equalsIgnoreCase("true") && !s.equalsIgnoreCase("false")) {
-+                throw new IllegalArgumentException("Invalid extractable parameter: " + s);
-+            }
-             extractable = Boolean.parseBoolean(s) ? 1 : 0;
-         }
- 
++if test -z "${BUILDUSER}" -o -z "${BUILDUSER_UID}" -o -z "${BUILDUSER_GID}"; then
++    echo "BUILDUSER, BUILDUSER_UID, BUILDUSER_GID not set"
++    exit 2
++fi
++
++## compose_pki_core_packages doesn't run as root, create a build user
++groupadd --non-unique -g ${BUILDUSER_GID} ${BUILDUSER}
++useradd --non-unique -u ${BUILDUSER_UID} -g ${BUILDUSER_GID} ${BUILDUSER}
++
++## chown workdir and enter pki dir
++chown ${BUILDUSER}:${BUILDUSER} ${BUILDDIR}
++
++# workaround for
++# [Errno 2] No such file or directory: '/var/cache/dnf/metadata_lock.pid'
++rm -f /var/cache/dnf/metadata_lock.pid
++dnf clean all
++dnf makecache || true
++dnf makecache
++
++# update, container might be outdated
++dnf update -y
++
++## prepare additional build dependencies
++dnf builddep -y ${BUILDDIR}/pki/specs/pki-core.spec
+diff --git a/.travis/10-compose-rpms b/.travis/10-compose-rpms
+new file mode 100755
+index 0000000..1e55548
+--- /dev/null
++++ b/.travis/10-compose-rpms
+@@ -0,0 +1,31 @@
++#!/bin/bash
++set -e
++
++BUILDLOG=/tmp/compose.log
++
++function compose {
++    pushd ${BUILDDIR}/pki
++    # run make with --quiet to reduce log verbosity.
++    sudo -u ${BUILDUSER} MAKEFLAGS="-j2 --quiet" -- \
++        ./scripts/compose_pki_core_packages rpms
++    popd
++}
++
++function upload {
++    if test -f $BUILDLOG; then
++        echo "Uploading build log to transfer"
++        curl --upload-file $BUILDLOG https://transfer.sh/pkitravis.txt
++    fi
++}
++
++if test "${TRAVIS}" != "true"; then
++    compose
++else
++    trap upload EXIT
++    echo "Runing compose_pki_core_packages rpms."
++    echo "Build log will be posted to transfer.sh"
++    echo $(date) > $BUILDLOG
++    echo "Travis job ${TRAVIS_JOB_NUMBER}" >> $BUILDLOG
++    compose >>$BUILDLOG 2>&1
++fi
++
+diff --git a/.travis/20-install-rpms b/.travis/20-install-rpms
+new file mode 100755
+index 0000000..186efb8
+--- /dev/null
++++ b/.travis/20-install-rpms
+@@ -0,0 +1,6 @@
++#!/bin/bash
++set -e
++
++find ${BUILDDIR}/packages/RPMS/ -name '*.rpm' -and -not -name '*debuginfo*' \
++    | xargs dnf install -y --best --allowerasing
++
+diff --git a/.travis/30-setup-389ds b/.travis/30-setup-389ds
+new file mode 100755
+index 0000000..cc16573
+--- /dev/null
++++ b/.travis/30-setup-389ds
+@@ -0,0 +1,12 @@
++#!/bin/bash
++set -e
++
++setup-ds.pl \
++    --silent \
++    slapd.ServerIdentifier="pkitest" \
++    General.SuiteSpotUserID=nobody \
++    General.SuiteSpotGroup=nobody \
++    slapd.ServerPort=389 \
++    slapd.Suffix="dc=pki,dc=test" \
++    slapd.RootDN="cn=Directory Manager" \
++    slapd.RootDNPwd="DMSecret.123"
+diff --git a/.travis/40-spawn-ca b/.travis/40-spawn-ca
+new file mode 100755
+index 0000000..9986698
+--- /dev/null
++++ b/.travis/40-spawn-ca
+@@ -0,0 +1,9 @@
++#!/bin/bash
++set -e
++
++pkispawn -v -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA
++
++echo "Waiting for port 8080"
++for i in {1..20}; do
++    curl http://localhost:8080 && break || sleep 1
++done
+diff --git a/.travis/50-spawn-kra b/.travis/50-spawn-kra
+new file mode 100755
+index 0000000..80cb039
+--- /dev/null
++++ b/.travis/50-spawn-kra
+@@ -0,0 +1,9 @@
++#!/bin/bash
++set -e
++
++pkispawn -v -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA
++
++echo "Waiting for port 8080"
++for i in {1..20}; do
++    curl http://localhost:8080 && break || sleep 1
++done
+diff --git a/.travis/pki.cfg b/.travis/pki.cfg
+new file mode 100644
+index 0000000..a168822
+--- /dev/null
++++ b/.travis/pki.cfg
+@@ -0,0 +1,52 @@
++# based on
++# https://fedorapeople.org/cgit/edewata/public_git/pki-dev.git/tree/scripts/ca.cfg
++# https://fedorapeople.org/cgit/edewata/public_git/pki-dev.git/tree/scripts/kra.cfg
++
++[DEFAULT]
++pki_instance_name=pkitest
++pki_https_port=8443
++pki_http_port=8080
++pki_master_https_port=8443
++pki_security_domain_https_port=8443
++pki_ds_bind_dn=cn=Directory Manager
++pki_ds_ldap_port=389
++pki_ds_password=DMSecret.123
++pki_backup_keys=True
++pki_backup_password=Secret.123
++pki_client_database_password=Secret.123
++pki_client_database_purge=False
++pki_client_pkcs12_password=Secret.123
++pki_clone_pkcs12_password=Secret.123
++pki_security_domain_name=pkitest
++pki_security_domain_user=caadmin
++pki_security_domain_password=Secret.123
++pki_token_password=Secret123
++
++[CA]
++pki_admin_email=caadmin@pki.test
++pki_admin_name=caadmin
++pki_admin_nickname=caadmin
++pki_admin_password=Secret.123
++pki_admin_uid=caadmin
++pki_ds_base_dn=dc=ca,dc=pki,dc=test
++pki_ds_database=ca
++
++[KRA]
++pki_admin_cert_file=/root/.dogtag/pkitest/ca_admin.cert
++pki_admin_email=kraadmin@pki.test
++pki_admin_name=kraadmin
++pki_admin_nickname=kraadmin
++pki_admin_password=Secret.123
++pki_admin_uid=kraadmin
++pki_ds_base_dn=dc=kra,dc=pki,dc=test
++pki_ds_database=kra
++
++[OCSP]
++pki_admin_cert_file=/root/.dogtag/pkitest/ca_admin.cert
++pki_admin_email=ocspadmin@pki.test
++pki_admin_name=ocspadmin
++pki_admin_nickname=ocspadmin
++pki_admin_password=Secret.123
++pki_admin_uid=ocspadmin
++pki_ds_base_dn=dc=ocsp,dc=pki,dc=test
++pki_ds_database=ocsp
 -- 
 1.8.3.1
 
 
-From db75d23cbb90b834b2b515ce6344346522067b7b Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 6 Jul 2016 22:30:52 +0200
-Subject: [PATCH 40/96] Added validation for pki client-cert-request sensitive
- parameter.
-
-The pki client-cert-request CLI has been modified to validate the
-boolean sensitive parameter.
+From 08edc86f8397543f308818458a320fbbef06c90d Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 18 Apr 2017 16:24:53 +0200
+Subject: [PATCH 02/49] Get journald output from test container
 
-https://fedorahosted.org/pki/ticket/2383
+Change-Id: Ibc16a49b4a03524fb62ddb33326a36ffa0b0389f
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
 ---
- .../src/com/netscape/cmstools/client/ClientCertRequestCLI.java         | 3 +++
- 1 file changed, 3 insertions(+)
+ .travis.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
-index 0277774..aff3220 100644
---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
-@@ -186,6 +186,9 @@ public class ClientCertRequestCLI extends CLI {
-         if (s == null) {
-             sensitive = -1;
-         } else {
-+            if (!s.equalsIgnoreCase("true") && !s.equalsIgnoreCase("false")) {
-+                throw new IllegalArgumentException("Invalid sensitive parameter: " + s);
-+            }
-             sensitive = Boolean.parseBoolean(s) ? 1 : 0;
-         }
+diff --git a/.travis.yml b/.travis.yml
+index b443118..2714bbc 100644
+--- a/.travis.yml
++++ b/.travis.yml
+@@ -50,4 +50,4 @@ after_script:
+   - docker rm ${CONTAINER}
  
+ after_failure:
+-  - journalctl -l
++  - docker exec -ti ${CONTAINER} journalctl -l
 -- 
 1.8.3.1
 
 
-From 9bf9f9628420d133010ff994cdac0f01b764b603 Mon Sep 17 00:00:00 2001
+From 749c137b59a9725a4cacdcd191b7e931303981df Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 6 Jul 2016 23:02:18 +0200
-Subject: [PATCH 41/96] Added general exception handling for pki-server CLI.
-
-The pki-server CLI has been modified to catch all exceptions and
-display a simple exception message. In verbose mode it will
-display the stack trace.
-
-https://fedorahosted.org/pki/ticket/2381
----
- base/server/sbin/pki-server | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/base/server/sbin/pki-server b/base/server/sbin/pki-server
-index cea62b7..6df70dc 100644
---- a/base/server/sbin/pki-server
-+++ b/base/server/sbin/pki-server
-@@ -116,3 +116,9 @@ if __name__ == '__main__':
-             traceback.print_exc()
-         print('ERROR: %s' % e)
-         sys.exit(e.returncode)
-+
-+    except Exception as e:  # pylint: disable=broad-except
-+        if cli.verbose:
-+            traceback.print_exc()
-+        print('ERROR: %s' % e)
-+        sys.exit(1)
--- 
-1.8.3.1
-
+Date: Mon, 17 Apr 2017 18:35:56 +0200
+Subject: [PATCH 03/49] Fixed missing IP addresses and subject ID in audit log.
 
-From 59ba26cf9292a578d34d98344e4b1f4d20339508 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 7 Jul 2016 02:42:14 +0200
-Subject: [PATCH 42/96] Fixed problem with pki pkcs12-import --no-trust-flags.
+The PKIServerSocketListener has been modified to use WeakHashMap
+to store socket info that might not be available after the socket
+has been closed.
 
-The pki pkcs12-import CLI has been fixed such that when it calls
-pki pkcs12-cert-find internally it does not add --no-trust-flags
-option.
+https://pagure.io/dogtagpki/issue/2642
 
-https://fedorahosted.org/pki/ticket/2399
+Change-Id: I7e86a9bbc46e7bba4cec36664780c52bf0e88416
 ---
- base/common/python/pki/cli/pkcs12.py | 3 ---
- 1 file changed, 3 deletions(-)
+ .../dogtagpki/server/PKIServerSocketListener.java  | 104 +++++++++++++--------
+ 1 file changed, 66 insertions(+), 38 deletions(-)
 
-diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
-index 3fcea35..145f125 100644
---- a/base/common/python/pki/cli/pkcs12.py
-+++ b/base/common/python/pki/cli/pkcs12.py
-@@ -159,9 +159,6 @@ class PKCS12ImportCLI(pki.cli.CLI):
-                 if password_file:
-                     cmd.extend(['--pkcs12-password-file', password_file])
+diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+index 093776f..d742317 100644
+--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
++++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+@@ -19,6 +19,9 @@ package org.dogtagpki.server;
  
--                if no_trust_flags:
--                    cmd.extend(['--no-trust-flags'])
--
-                 if self.verbose:
-                     cmd.extend(['--verbose'])
+ import java.net.InetAddress;
+ import java.security.Principal;
++import java.util.HashMap;
++import java.util.Map;
++import java.util.WeakHashMap;
  
--- 
-1.8.3.1
-
-
-From 12e24ae0eb3f6fb7e0f71b95e3911f45594c5965 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 7 Jul 2016 03:52:09 +0200
-Subject: [PATCH 43/96] Fixed pki pkcs12-import output.
-
-The pki pkcs12-import has been modified to suppress the output of
-external command execution and display a completion message more
-consistently.
-
-https://fedorahosted.org/pki/ticket/2399
----
- base/common/python/pki/cli/pkcs12.py | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
-index 145f125..ded79c7 100644
---- a/base/common/python/pki/cli/pkcs12.py
-+++ b/base/common/python/pki/cli/pkcs12.py
-@@ -314,4 +314,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
+ import org.mozilla.jss.crypto.X509Certificate;
+ import org.mozilla.jss.ssl.SSLAlertDescription;
+@@ -38,6 +41,15 @@ public class PKIServerSocketListener implements SSLSocketListener {
  
-             cmd.extend(nicknames)
+     private static Logger logger = LoggerFactory.getLogger(PKIServerSocketListener.class);
  
--            main_cli.execute_java(cmd)
-+            with open(os.devnull, 'w') as f:
-+                main_cli.execute_java(cmd, stdout=f)
++    /**
++     * The socketInfos map is a storage for socket information that may not be available
++     * after the socket has been closed such as client IP address and subject ID. The
++     * WeakHashMap is used here to allow the map key (i.e. the socket object) to be
++     * garbage-collected since there is no guarantee that socket will be closed with an
++     * SSL alert for a proper map entry removal.
++     */
++    Map<SSLSocket,Map<String,Object>> socketInfos = new WeakHashMap<>();
 +
-+        self.print_message('Import complete')
--- 
-1.8.3.1
-
-
-From 7164c2064a7f069f0943f64167eaab982068593d Mon Sep 17 00:00:00 2001
-From: Christina Fu <cfu@redhat.com>
-Date: Thu, 7 Jul 2016 14:02:18 -0700
-Subject: [PATCH 44/96] Ticket #978 PPS connector man page: add revocation
- routing info
-
----
- base/tps/man/man5/pki-tps-connector.5 | 23 ++++++++++++++++++++++-
- 1 file changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/base/tps/man/man5/pki-tps-connector.5 b/base/tps/man/man5/pki-tps-connector.5
-index 6ee009a..b3e405e 100644
---- a/base/tps/man/man5/pki-tps-connector.5
-+++ b/base/tps/man/man5/pki-tps-connector.5
-@@ -62,12 +62,26 @@ This property contains the maximum number of HTTP connections.
- .SS tps.connector.ca<n>.uri.<op>
+     @Override
+     public void alertReceived(SSLAlertEvent event) {
+         try {
+@@ -57,9 +69,10 @@ public class PKIServerSocketListener implements SSLSocketListener {
+             String reason = SSLAlertDescription.valueOf(description).toString();
  
- This property contains the URI to contact CA for the operation <op>.
--Example ops: enrollment, renewal, revoke, unrevoke.
-+Example ops: enrollment, renewal, revoke, unrevoke, getcert.
+             logger.debug("SSL alert received:");
+-            logger.debug(" - client: " + clientAddress);
+-            logger.debug(" - server: " + serverAddress);
+             logger.debug(" - reason: " + reason);
++            logger.debug(" - client: " + clientIP);
++            logger.debug(" - server: " + serverIP);
++            logger.debug(" - subject: " + subjectID);
  
- .SS tps.connector.ca<n>.timeout
+             IAuditor auditor = CMS.getAuditor();
  
- This property contains the connection timeout.
+@@ -73,7 +86,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
+             auditor.log(auditMessage);
  
-+.SS tps.connector.connCAList
-+
-+This property is used for \fIRevocation Routing\fP. It contains a list of ordered ca id's separated by ',' that the revocation attempt should be made to.
-+Example:
-+tps.connCAList=ca1,ca2
+         } catch (Exception e) {
+-            e.printStackTrace();
++            logger.error(e.getMessage(), e);
+         }
+     }
+ 
+@@ -82,51 +95,59 @@ public class PKIServerSocketListener implements SSLSocketListener {
+         try {
+             SSLSocket socket = event.getSocket();
+ 
+-            InetAddress clientAddress = socket.getInetAddress();
+-            InetAddress serverAddress = socket.getLocalAddress();
+-            String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+-            String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
+-
+-            SSLSecurityStatus status = socket.getStatus();
+-            X509Certificate peerCertificate = status.getPeerCertificate();
+-            Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
+-            String subjectID = subjectDN == null ? "" : subjectDN.toString();
+-
+             int description = event.getDescription();
+             String reason = SSLAlertDescription.valueOf(description).toString();
+ 
+-            logger.debug("SSL alert sent:");
+-            logger.debug(" - client: " + clientAddress);
+-            logger.debug(" - server: " + serverAddress);
+-            logger.debug(" - reason: " + reason);
+-
+-            IAuditor auditor = CMS.getAuditor();
++            String eventType;
++            String clientIP;
++            String serverIP;
++            String subjectID;
+ 
+             if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) {
+ 
+-                String auditMessage = CMS.getLogMessage(
+-                        AuditEvent.ACCESS_SESSION_TERMINATED,
+-                        clientIP,
+-                        serverIP,
+-                        subjectID,
+-                        reason);
++                eventType = AuditEvent.ACCESS_SESSION_TERMINATED;
+ 
+-                auditor.log(auditMessage);
++                // get socket info from socketInfos map since socket has been closed
++                Map<String,Object> info = socketInfos.get(socket);
++                clientIP = (String)info.get("clientIP");
++                serverIP = (String)info.get("serverIP");
++                subjectID = (String)info.get("subjectID");
+ 
+             } else {
+ 
+-                String auditMessage = CMS.getLogMessage(
+-                        AuditEvent.ACCESS_SESSION_ESTABLISH_FAILURE,
+-                        clientIP,
+-                        serverIP,
+-                        subjectID,
+-                        reason);
++                eventType = AuditEvent.ACCESS_SESSION_ESTABLISH_FAILURE;
+ 
+-                auditor.log(auditMessage);
++                // get socket info from the socket itself
++                InetAddress clientAddress = socket.getInetAddress();
++                InetAddress serverAddress = socket.getLocalAddress();
++                clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
++                serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
++
++                SSLSecurityStatus status = socket.getStatus();
++                X509Certificate peerCertificate = status.getPeerCertificate();
++                Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
++                subjectID = subjectDN == null ? "" : subjectDN.toString();
+             }
+ 
++            logger.debug("SSL alert sent:");
++            logger.debug(" - reason: " + reason);
++            logger.debug(" - client: " + clientIP);
++            logger.debug(" - server: " + serverIP);
++            logger.debug(" - subject: " + subjectID);
 +
-+.SS tps.connector.ca<n>.caNickname
++            IAuditor auditor = CMS.getAuditor();
 +
-+This property is used for \fIRevocation Routing\fP.  It contains the nickname of the CA signing certificate that represents this ca<n>.
++            String auditMessage = CMS.getLogMessage(
++                    eventType,
++                    clientIP,
++                    serverIP,
++                    subjectID,
++                    reason);
 +
-+.SS tps.connector.ca<n>.caSKI
++            auditor.log(auditMessage);
 +
-+This property is used for \fIRevocation Routing\fP . It contains the Subject Key Identifier of the CA signing certificate of this ca<n>. This value is automatically calculated by TPS once and should not need handling by the administrator.
+         } catch (Exception e) {
+-            e.printStackTrace();
++            logger.error(e.getMessage(), e);
+         }
+     }
+ 
+@@ -146,9 +167,16 @@ public class PKIServerSocketListener implements SSLSocketListener {
+             String subjectID = subjectDN == null ? "" : subjectDN.toString();
+ 
+             logger.debug("Handshake completed:");
+-            logger.debug(" - client: " + clientAddress);
+-            logger.debug(" - server: " + serverAddress);
+-            logger.debug(" - subject: " + subjectDN);
++            logger.debug(" - client: " + clientIP);
++            logger.debug(" - server: " + serverIP);
++            logger.debug(" - subject: " + subjectID);
 +
- .SH KRA CONNECTOR
++            // store socket info in socketInfos map
++            Map<String,Object> info = new HashMap<>();
++            info.put("clientIP", clientIP);
++            info.put("serverIP", serverIP);
++            info.put("subjectID", subjectID);
++            socketInfos.put(socket, info);
+ 
+             IAuditor auditor = CMS.getAuditor();
  
- A KRA connector is defined using properties that begin with tps.connector.kra<n> where
-@@ -182,6 +196,13 @@ tps.connector.ca1.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient
- tps.connector.ca1.uri.renewal=/ca/ee/ca/profileSubmitSSLClient
- tps.connector.ca1.uri.revoke=/ca/ee/subsystem/ca/doRevoke
- tps.connector.ca1.uri.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
-+# in case of Revocation Routing
-+# note that caSKI is automatically calculated by TPS
-+tps.connCAList=ca1,ca2
-+tps.connector.ca1.caNickname=caSigningCert cert-pki-tomcat CA
-+tps.connector.ca1.caSKI=hAzNarQMlzit4BymAlbduZMwVCc
-+# ca2 connector in case of Revocation Routing
-+tps.connector.ca2.<etc.>
+@@ -161,7 +189,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
+             auditor.log(auditMessage);
  
- tps.connector.kra1.enable=true
- tps.connector.kra1.host=server.example.com
+         } catch (Exception e) {
+-            e.printStackTrace();
++            logger.error(e.getMessage(), e);
+         }
+     }
+ }
 -- 
 1.8.3.1
 
 
-From ee68baccc5510184ff67b903288410d3ccc6a831 Mon Sep 17 00:00:00 2001
-From: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
-Date: Mon, 11 Jul 2016 17:51:57 -0700
-Subject: [PATCH 46/96] Ticket #2389 fix for regular CA installation This patch
- addresses the issue that with the previous patch, the regular (non-external
- and non-existing) CA installation fails.
+From 786d40f231f3636db381a835ce78904362ea72d0 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Thu, 2 Mar 2017 16:32:21 +1000
+Subject: [PATCH 04/49] CMS.getLogMessage: escape format elements in arguments
+
+CMS.getLogMessage performs message formatting via MessageFormat,
+then the message gets logged via a Logger.  The Logger also performs
+message formatting via MessageFormat.  If the formatted log message
+contains '{' or '}' (e.g. if it contains JSON) the MessageFormat
+implementation interprets these as FormatElement delimiters and
+parsing fails.
+
+Update CMS.getLogMessage() to scan arguments for unsafe characters
+and if found, escape the whole message so that subsequent logging
+will succeed.
 
+Part of: https://pagure.io/dogtagpki/issue/1359
 ---
- .../src/com/netscape/cms/servlet/csadmin/CertUtil.java  | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
-index 495e4c0..ed762de 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
-@@ -535,9 +535,14 @@ public class CertUtil {
-                 CMS.debug("Creating local request exception:" + e.toString());
-             }
- 
--            // installAdjustValidity tells ValidityDefault to adjust the
--            // notAfter value to that of the CA's signing cert if needed
--            req.setExtData("installAdjustValidity", "true");
-+            if (!certTag.equals("signing")) {
-+                /*
-+                 * (applies to non-CA-signing cert only)
-+                 * installAdjustValidity tells ValidityDefault to adjust the
-+                 * notAfter value to that of the CA's signing cert if needed
-+                 */
-+                req.setExtData("installAdjustValidity", "true");
-+            }
-             processor.populate(req, info);
- 
-             PrivateKey caPrik = null;
-@@ -554,11 +559,11 @@ public class CertUtil {
-             }
- 
-             if (caPrik == null) {
--                CMS.debug("CertUtil::createSelfSignedCert() - "
-+                CMS.debug("CertUtil::createLocalCert() - "
-                          + "CA private key is null!");
-                 throw new IOException("CA private key is null");
-             } else {
--                CMS.debug("CertUtil createSelfSignedCert: got CA private key");
-+                CMS.debug("CertUtil createLocalCert: got CA private key");
-             }
- 
-             String keyAlgo = x509key.getAlgorithm();
-@@ -586,7 +591,7 @@ public class CertUtil {
-             }
- 
-             if (cert != null) {
--                CMS.debug("CertUtil createSelfSignedCert: got cert signed");
-+                CMS.debug("CertUtil createLocalCert: got cert signed");
-             }
+ .../src/com/netscape/cmscore/apps/CMSEngine.java     | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+index ef9a6a2..94a0783 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+@@ -1592,7 +1592,25 @@ public class CMSEngine implements ICMSEngine {
+             return msg;
+         MessageFormat mf = new MessageFormat(msg);
+ 
+-        return mf.format(params);
++        Object escapedParams[] = new Object[params.length];
++        for (int i = 0; i < params.length; i++) {
++            if (params[i] instanceof String)
++                escapedParams[i] = escapeLogMessageParam((String) params[i]);
++            else
++                escapedParams[i] = params[i];
++        }
++
++        return mf.format(escapedParams);
++    }
++
++    /** Quote a string for inclusion in a java.text.MessageFormat
++     */
++    private String escapeLogMessageParam(String s) {
++        if (s == null)
++            return null;
++        if (s.contains("{") || s.contains("}"))
++            return "'" + s.replaceAll("'", "''") + "'";
++        return s;
+     }
  
-         } catch (IOException e) {
+     public void debug(byte data[]) {
 -- 
 1.8.3.1
 
 
-From c3ff087bd07cde4cd272defad499fd4d8367e5c1 Mon Sep 17 00:00:00 2001
-From: Geetika Kapoor <gkapoor@redhat.com>
-Date: Wed, 13 Jul 2016 06:57:08 -0400
-Subject: [PATCH 47/96] Added fix for pki-server for db-update
+From a35c6cde1047e305142bec839b8953d90008c127 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Tue, 7 Feb 2017 10:36:20 +1000
+Subject: [PATCH 05/49] Allow arbitrary user data in cert request
+
+If a certificate request comes with additional data in the
+'cert-request' query param, add that to the request.  Profile
+components can then use this data.
 
-fixes: https://fedorahosted.org/pki/ticket/1667
+This is needed to convey the subject principal name to the
+ExternalProcessConstraint, when validating FreeIPA certificate
+requests after we switch to GSS-API authentication.
 
-Signed-off-by: Geetika Kapoor <gkapoor@redhat.com>
-Reviewed-by: Fraser Tweedale <ftweedal@redhat.com>
+Part of: https://pagure.io/dogtagpki/issue/1359
 ---
- base/server/python/pki/server/cli/db.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py
-index cc768da..17b1a2f 100644
---- a/base/server/python/pki/server/cli/db.py
-+++ b/base/server/python/pki/server/cli/db.py
-@@ -202,7 +202,7 @@ class DBUpgrade(pki.cli.CLI):
-             entries = conn.ldap.search_s(
-                 repo_dn,
-                 ldap.SCOPE_ONELEVEL,
--                '(&(objectclass=certificateRecord)(!(issuerName=*)))',
-+                '(&(objectclass=certificaterecord)(|(!(issuername=*))(issuername=)))',
-                 None)
- 
-             for entry in entries:
-@@ -227,7 +227,7 @@ class DBUpgrade(pki.cli.CLI):
-         issuer_name = str(cert.issuer)
- 
-         try:
--            conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
-+            conn.ldap.modify_s(dn, [(ldap.MOD_REPLACE, 'issuerName', issuer_name)])
-         except ldap.LDAPError as e:
-             print(
-                 'Failed to add issuerName to certificate {}: {}'
+ base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java     | 5 +++++
+ base/common/src/com/netscape/certsrv/request/IRequest.java           | 5 +++++
+ .../cms/src/com/netscape/cms/profile/common/EnrollProfile.java       | 3 +++
+ .../cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java   | 5 +++++
+ 4 files changed, 18 insertions(+)
+
+diff --git a/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java b/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java
+index 1266712..34543cb 100644
+--- a/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java
++++ b/base/common/src/com/netscape/certsrv/profile/IEnrollProfile.java
+@@ -180,6 +180,11 @@ public interface IEnrollProfile extends IProfile {
+     public static final String REQUEST_AUTHORITY_ID = "req_authority_id";
+ 
+     /**
++     * Arbitrary user-supplied data.
++     */
++    public static final String REQUEST_USER_DATA = "req_user_data";
++
++    /**
+      * Set Default X509CertInfo in the request.
+      *
+      * @param request profile-based certificate request.
+diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java
+index a57f08e..cfc4ca0 100644
+--- a/base/common/src/com/netscape/certsrv/request/IRequest.java
++++ b/base/common/src/com/netscape/certsrv/request/IRequest.java
+@@ -96,6 +96,11 @@ public interface IRequest extends Serializable {
+      */
+     public static final String AUTHORITY_ID = "req_authority_id";
+ 
++    /**
++     * Arbitrary user-supplied data that will be saved in request.
++     */
++    public static final String USER_DATA = "user_data";
++
+     public static final String RESULT = "Result"; // service result.
+     public static final Integer RES_SUCCESS = Integer.valueOf(1); // result value
+     public static final Integer RES_ERROR = Integer.valueOf(2); // result value
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 5f7b0ef..1c44e2c 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -221,6 +221,9 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+             // set requested CA
+             result[i].setExtData(IRequest.AUTHORITY_ID, ctx.get(REQUEST_AUTHORITY_ID));
++
++            // set user data
++            result[i].setExtData(IRequest.USER_DATA, ctx.get(REQUEST_USER_DATA));
+         }
+         return result;
+     }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+index d394fd3..908cbe4 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+@@ -147,6 +147,11 @@ public class EnrollmentProcessor extends CertProcessor {
+ 
+             IProfileContext ctx = profile.createContext();
+ 
++            // set arbitrary user data into request, if any
++            String userData = request.getParameter("user-data");
++            if (userData != null)
++                ctx.set(IEnrollProfile.REQUEST_USER_DATA, userData);
++
+             if (aid != null)
+                 ctx.set(IEnrollProfile.REQUEST_AUTHORITY_ID, aid.toString());
+ 
 -- 
 1.8.3.1
 
 
-From 8c36ab242c99187a0356b85467e43f5b024718a2 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 13 Jul 2016 04:11:56 +0200
-Subject: [PATCH 48/96] Fixed certificate validation error message.
-
-The pkihelper.py has been modified to display the correct external
-command name on system certificate validation error.
-
-https://fedorahosted.org/pki/ticket/2399
+From f67071910c6b74790f7ad75329f05e599076dee4 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Wed, 8 Feb 2017 11:55:13 +1000
+Subject: [PATCH 06/49] CertProcessor: set external principal attributes into
+ request
+
+When processing a certificate request, if the authenticated
+principal is an ExternalPrincipal, add its whole attribute map to
+the IRequest.  This provides a way for AJP request attributes to be
+propagated through the profile system to profile components like
+ExternalProcessConstraint.  One such attribute that is needed for
+GSS-API support is "KRB5CCNAME".
+
+Part of: https://pagure.io/dogtagpki/issue/1359
 ---
- base/server/python/pki/server/deployment/pkihelper.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
-index 0145b49..54ffe27 100644
---- a/base/server/python/pki/server/deployment/pkihelper.py
-+++ b/base/server/python/pki/server/deployment/pkihelper.py
-@@ -4663,7 +4663,7 @@ class SystemCertificateVerifier:
-                 stderr=subprocess.STDOUT)
-         except subprocess.CalledProcessError as e:
-             config.pki_log.error(
--                "pki subsystem-cert-validate return code: " + str(e.returncode),
-+                "pki-server subsystem-cert-validate return code: " + str(e.returncode),
-                 extra=config.PKI_INDENTATION_LEVEL_2
-             )
-             config.pki_log.error(
+ .../netscape/cms/servlet/cert/CertProcessor.java    | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+index 0534f90..156060a 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+@@ -18,6 +18,7 @@
+ package com.netscape.cms.servlet.cert;
+ 
+ import java.math.BigInteger;
++import java.security.Principal;
+ import java.util.Date;
+ import java.util.Enumeration;
+ import java.util.HashMap;
+@@ -26,6 +27,7 @@ import java.util.Locale;
+ import javax.servlet.http.HttpServletRequest;
+ 
+ import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.ExternalAuthToken;
+ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.EPropertyNotFound;
+@@ -46,6 +48,7 @@ import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.request.RequestStatus;
+ import com.netscape.cms.servlet.common.AuthCredentials;
+ import com.netscape.cms.servlet.processors.CAProcessor;
++import com.netscape.cms.tomcat.ExternalPrincipal;
+ import com.netscape.cmsutil.ldap.LDAPUtil;
+ 
+ public class CertProcessor extends CAProcessor {
+@@ -139,6 +142,24 @@ public class CertProcessor extends CAProcessor {
+                 }
+             }
+         }
++
++        // special processing of ExternalAuthToken / ExternalPrincipal
++        if (authToken instanceof ExternalAuthToken) {
++            Principal principal =
++                ((ExternalAuthToken) authToken).getPrincipal();
++            if (principal instanceof ExternalPrincipal) {
++                HashMap<String, Object> m =
++                    ((ExternalPrincipal) principal).getAttributes();
++                for (String k : m.keySet()) {
++                    req.setExtData(
++                        IRequest.AUTH_TOKEN_PREFIX
++                            + "." + "PRINCIPAL"
++                            + "." + k
++                        , m.get(k).toString()
++                    );
++                }
++            }
++        }
+     }
+ 
+     /*
 -- 
 1.8.3.1
 
 
-From 96ebbeadc61e5a4c9df5d5adbd062a58ac3dee3c Mon Sep 17 00:00:00 2001
-From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
-Date: Wed, 13 Jul 2016 17:15:14 -0700
-Subject: [PATCH 50/96] [MAN] Apply 'generateCRMFRequest() removed from
- Firefox' workarounds to appropriate 'pki' man page
+From dcc42ad4ed7fcbc566b7cf7ce1cbfae93b24a9a9 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Wed, 7 Dec 2016 15:24:07 +1000
+Subject: [PATCH 07/49] Add ExternalProcessConstraint for request validation
 
-This fix will involve the following changes to the source tree.
+Add the ExternalProcessConstraint profile policy constraint class.
+It can be configured to execute an arbitrary program that performs
+additional request validation, rejecting the request if it
+terminates with a nonzero exit status.  Information about the
+request is conveyed in the subprocess' environment.
 
-1. Fixes to the CS.cfg to add two new cert profiles.
-2. Make the caDualCert.cfg profile invisible since it has little chance of
-working any more in Firefox.
-3. Create caSigningUserCert.cfg and caSigningECUserCert.cfg to allow the CLI
-to have convenient profiles from which to enroll signing ONLY certificates.
+Part of: https://pagure.io/dogtagpki/issue/1359
 ---
- base/ca/shared/conf/CS.cfg                         |  6 +-
- base/ca/shared/profiles/ca/caDualCert.cfg          |  2 +-
- base/ca/shared/profiles/ca/caSigningECUserCert.cfg | 86 ++++++++++++++++++++++
- base/ca/shared/profiles/ca/caSigningUserCert.cfg   | 86 ++++++++++++++++++++++
- 4 files changed, 178 insertions(+), 2 deletions(-)
- create mode 100644 base/ca/shared/profiles/ca/caSigningECUserCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caSigningUserCert.cfg
-
-diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
-index 288f0d5..68e79a4 100644
---- a/base/ca/shared/conf/CS.cfg
-+++ b/base/ca/shared/conf/CS.cfg
-@@ -966,7 +966,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
- oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
- oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
- os.userid=nobody
--profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
-+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
- profile.caUUIDdeviceCert.class_id=caEnrollImpl
- profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
- profile.caManualRenewal.class_id=caEnrollImpl
-@@ -1037,6 +1037,10 @@ profile.caServerCert.class_id=caEnrollImpl
- profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerCert.cfg
- profile.caSignedLogCert.class_id=caEnrollImpl
- profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSignedLogCert.cfg
-+profile.caSigningECUserCert.class_id=caEnrollImpl
-+profile.caSigningECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningECUserCert.cfg
-+profile.caSigningUserCert.class_id=caEnrollImpl
-+profile.caSigningUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningUserCert.cfg
- profile.caSimpleCMCUserCert.class_id=caEnrollImpl
- profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSimpleCMCUserCert.cfg
- profile.caSubsystemCert.class_id=caEnrollImpl
-diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg
-index f90f78f..87036d1 100644
---- a/base/ca/shared/profiles/ca/caDualCert.cfg
-+++ b/base/ca/shared/profiles/ca/caDualCert.cfg
+ base/ca/shared/conf/registry.cfg                   |   5 +-
+ .../constraint/ExternalProcessConstraint.java      | 178 +++++++++++++++++++++
+ .../04-AddExternalProcessConstraintToRegistry      |  67 ++++++++
+ 3 files changed, 249 insertions(+), 1 deletion(-)
+ create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java
+ create mode 100755 base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry
+
+diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
+index 280c713..2855b7a 100644
+--- a/base/ca/shared/conf/registry.cfg
++++ b/base/ca/shared/conf/registry.cfg
 @@ -1,5 +1,5 @@
- desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later.
--visible=true
-+visible=false
- enable=true
- enableBy=admin
- name=Manual User Signing & Encryption Certificates Enrollment
-diff --git a/base/ca/shared/profiles/ca/caSigningECUserCert.cfg b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
+ types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
+-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl
++constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
+ constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
+ constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
+ constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
+@@ -45,6 +45,9 @@ constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constr
+ constraintPolicy.uniqueKeyConstraintImpl.class=com.netscape.cms.profile.constraint.UniqueKeyConstraint
+ constraintPolicy.uniqueKeyConstraintImpl.desc=Unique Public Key Constraint
+ constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
++constraintPolicy.externalProcessConstraintImpl.class=com.netscape.cms.profile.constraint.ExternalProcessConstraint
++constraintPolicy.externalProcessConstraintImpl.desc=External Process Constraint
++constraintPolicy.externalProcessConstraintImpl.name=External Process Constraint
+ defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl,commonNameToSANDefaultImpl
+ defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault
+ defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default
+diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java
 new file mode 100644
-index 0000000..b410504
+index 0000000..8fb91ab
 --- /dev/null
-+++ b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
-@@ -0,0 +1,86 @@
-+desc=This certificate profile is for enrolling user ECC signing certificates. It works only with the latest Firefox.
-+visible=false
-+enable=true
-+enableBy=admin
-+name=Manual User Signing ECC Certificate Enrollment
-+auth.class_id=
-+input.list=i1,i2,i3
-+input.i1.class_id=certReqInputImpl
-+input.i2.class_id=subjectNameInputImpl
-+input.i3.class_id=submitterInfoInputImpl
-+output.list=o1
-+output.o1.class_id=certOutputImpl
-+policyset.list=signingCertSet
-+policyset.signingCertSet.list=1,2,3,4,5,6,7,8,9
-+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
-+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
-+policyset.signingCertSet.1.constraint.params.pattern=CN=.*
-+policyset.signingCertSet.1.constraint.params.accept=true
-+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
-+policyset.signingCertSet.1.default.name=Subject Name Default
-+policyset.signingCertSet.1.default.params.name=
-+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
-+policyset.signingCertSet.2.constraint.name=Validity Constraint
-+policyset.signingCertSet.2.constraint.params.range=365
-+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
-+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
-+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
-+policyset.signingCertSet.2.default.name=Validity Default
-+policyset.signingCertSet.2.default.params.range=180
-+policyset.signingCertSet.2.default.params.startTime=0
-+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
-+policyset.signingCertSet.3.constraint.name=Key Constraint
-+policyset.signingCertSet.3.constraint.params.keyType=EC
-+policyset.signingCertSet.3.constraint.params.keyParameters=nistp256,nistp521
-+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
-+policyset.signingCertSet.3.default.name=Key Default
-+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
-+policyset.signingCertSet.4.constraint.name=No Constraint
-+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
-+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
-+policyset.signingCertSet.5.constraint.class_id=noConstraintImpl
-+policyset.signingCertSet.5.constraint.name=No Constraint
-+policyset.signingCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
-+policyset.signingCertSet.5.default.name=AIA Extension Default
-+policyset.signingCertSet.5.default.params.authInfoAccessADEnable_0=true
-+policyset.signingCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
-+policyset.signingCertSet.5.default.params.authInfoAccessADLocation_0=
-+policyset.signingCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+policyset.signingCertSet.5.default.params.authInfoAccessCritical=false
-+policyset.signingCertSet.5.default.params.authInfoAccessNumADs=1
-+policyset.signingCertSet.6.constraint.class_id=noConstraintImpl
-+policyset.signingCertSet.6.constraint.name=No Constraint
-+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
-+policyset.signingCertSet.6.default.name=Key Usage Default
-+policyset.signingCertSet.6.default.params.keyUsageCritical=true
-+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
-+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
-+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
-+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
-+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
-+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
-+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
-+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
-+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
-+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
-+policyset.signingCertSet.7.constraint.name=No Constraint
-+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
-+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
-+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
-+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
-+policyset.signingCertSet.8.constraint.name=No Constraint
-+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
-+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
-+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
-+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
-+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
-+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
-+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
-+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
-+policyset.signingCertSet.9.constraint.name=No Constraint
-+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
-+policyset.signingCertSet.9.default.name=Signing Alg
-+policyset.signingCertSet.9.default.params.signingAlg=-
-+
-diff --git a/base/ca/shared/profiles/ca/caSigningUserCert.cfg b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
-new file mode 100644
-index 0000000..f197ffa
---- /dev/null
-+++ b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
-@@ -0,0 +1,86 @@
-+desc=This certificate profile is for enrolling user signing certificates.
-+visible=false
-+enable=true
-+enableBy=admin
-+name=Manual User Signing Certificate Enrollment
-+auth.class_id=
-+input.list=i1,i2,i3
-+input.i1.class_id=certReqInputImpl
-+input.i2.class_id=subjectNameInputImpl
-+input.i3.class_id=submitterInfoInputImpl
-+output.list=o1
-+output.o1.class_id=certOutputImpl
-+policyset.list=signingCertSet
-+policyset.signingCertSet.list=1,2,3,4,5,6,7,8,9
-+policyset.signingCertSet.1.constraint.class_id=subjectNameConstraintImpl
-+policyset.signingCertSet.1.constraint.name=Subject Name Constraint
-+policyset.signingCertSet.1.constraint.params.pattern=CN=.*
-+policyset.signingCertSet.1.constraint.params.accept=true
-+policyset.signingCertSet.1.default.class_id=userSubjectNameDefaultImpl
-+policyset.signingCertSet.1.default.name=Subject Name Default
-+policyset.signingCertSet.1.default.params.name=
-+policyset.signingCertSet.2.constraint.class_id=validityConstraintImpl
-+policyset.signingCertSet.2.constraint.name=Validity Constraint
-+policyset.signingCertSet.2.constraint.params.range=365
-+policyset.signingCertSet.2.constraint.params.notBeforeCheck=false
-+policyset.signingCertSet.2.constraint.params.notAfterCheck=false
-+policyset.signingCertSet.2.default.class_id=validityDefaultImpl
-+policyset.signingCertSet.2.default.name=Validity Default
-+policyset.signingCertSet.2.default.params.range=180
-+policyset.signingCertSet.2.default.params.startTime=0
-+policyset.signingCertSet.3.constraint.class_id=keyConstraintImpl
-+policyset.signingCertSet.3.constraint.name=Key Constraint
-+policyset.signingCertSet.3.constraint.params.keyType=RSA
-+policyset.signingCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
-+policyset.signingCertSet.3.default.class_id=userKeyDefaultImpl
-+policyset.signingCertSet.3.default.name=Key Default
-+policyset.signingCertSet.4.constraint.class_id=noConstraintImpl
-+policyset.signingCertSet.4.constraint.name=No Constraint
-+policyset.signingCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
-+policyset.signingCertSet.4.default.name=Authority Key Identifier Default
-+policyset.signingCertSet.5.constraint.class_id=noConstraintImpl
-+policyset.signingCertSet.5.constraint.name=No Constraint
-+policyset.signingCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
-+policyset.signingCertSet.5.default.name=AIA Extension Default
-+policyset.signingCertSet.5.default.params.authInfoAccessADEnable_0=true
-+policyset.signingCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
-+policyset.signingCertSet.5.default.params.authInfoAccessADLocation_0=
-+policyset.signingCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+policyset.signingCertSet.5.default.params.authInfoAccessCritical=false
-+policyset.signingCertSet.5.default.params.authInfoAccessNumADs=1
-+policyset.signingCertSet.6.constraint.class_id=noConstraintImpl
-+policyset.signingCertSet.6.constraint.name=No Constraint
-+policyset.signingCertSet.6.default.class_id=keyUsageExtDefaultImpl
-+policyset.signingCertSet.6.default.name=Key Usage Default
-+policyset.signingCertSet.6.default.params.keyUsageCritical=true
-+policyset.signingCertSet.6.default.params.keyUsageDigitalSignature=true
-+policyset.signingCertSet.6.default.params.keyUsageNonRepudiation=true
-+policyset.signingCertSet.6.default.params.keyUsageDataEncipherment=false
-+policyset.signingCertSet.6.default.params.keyUsageKeyEncipherment=false
-+policyset.signingCertSet.6.default.params.keyUsageKeyAgreement=false
-+policyset.signingCertSet.6.default.params.keyUsageKeyCertSign=false
-+policyset.signingCertSet.6.default.params.keyUsageCrlSign=false
-+policyset.signingCertSet.6.default.params.keyUsageEncipherOnly=false
-+policyset.signingCertSet.6.default.params.keyUsageDecipherOnly=false
-+policyset.signingCertSet.7.constraint.class_id=noConstraintImpl
-+policyset.signingCertSet.7.constraint.name=No Constraint
-+policyset.signingCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-+policyset.signingCertSet.7.default.name=Extended Key Usage Extension Default
-+policyset.signingCertSet.7.default.params.exKeyUsageCritical=false
-+policyset.signingCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
-+policyset.signingCertSet.8.constraint.class_id=noConstraintImpl
-+policyset.signingCertSet.8.constraint.name=No Constraint
-+policyset.signingCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
-+policyset.signingCertSet.8.default.name=Subject Alt Name Constraint
-+policyset.signingCertSet.8.default.params.subjAltNameExtCritical=false
-+policyset.signingCertSet.8.default.params.subjAltExtType_0=RFC822Name
-+policyset.signingCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
-+policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
-+policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
-+policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
-+policyset.signingCertSet.9.constraint.name=No Constraint
-+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
-+policyset.signingCertSet.9.default.name=Signing Alg
-+policyset.signingCertSet.9.default.params.signingAlg=-
++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/ExternalProcessConstraint.java
+@@ -0,0 +1,178 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2016, 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++
++package com.netscape.cms.profile.constraint;
++
++import java.io.IOException;
++import java.io.InputStream;
++import java.util.Enumeration;
++import java.util.Locale;
++import java.util.Map;
++import java.util.TreeMap;
++import java.util.concurrent.TimeUnit;
 +
--- 
-1.8.3.1
-
++import org.apache.commons.io.IOUtils;
++
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.IAuthToken;
++import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.profile.EProfileException;
++import com.netscape.certsrv.profile.ERejectException;
++import com.netscape.certsrv.profile.IProfile;
++import com.netscape.certsrv.property.Descriptor;
++import com.netscape.certsrv.property.IDescriptor;
++import com.netscape.certsrv.request.IRequest;
++import com.netscape.cms.profile.input.CertReqInput;
++
++import netscape.security.x509.X509CertInfo;
++
++
++public class ExternalProcessConstraint extends EnrollConstraint {
++
++    public static final String CONFIG_EXECUTABLE = "executable";
++    public static final String CONFIG_TIMEOUT = "timeout";
++
++    public static final long DEFAULT_TIMEOUT = 10;
++
++    /* Map of envvars to include, and the corresponding IRequest keys
++     *
++     * All keys will be prefixed with "DOGTAG_" when added to environment.
++     */
++    protected static final Map<String, String> envVars = new TreeMap<>();
++
++    protected Map<String, String> extraEnvVars = new TreeMap<>();
++
++    static {
++        envVars.put("DOGTAG_CERT_REQUEST", CertReqInput.VAL_CERT_REQUEST);
++        envVars.put("DOGTAG_USER",
++            IRequest.AUTH_TOKEN_PREFIX + "." + IAuthToken.USER_ID);
++        envVars.put("DOGTAG_PROFILE_ID", IRequest.PROFILE_ID);
++        envVars.put("DOGTAG_AUTHORITY_ID", IRequest.AUTHORITY_ID);
++        envVars.put("DOGTAG_USER_DATA", IRequest.USER_DATA);
++    }
++
++    protected String executable;
++    protected long timeout;
++
++    public ExternalProcessConstraint() {
++        addConfigName(CONFIG_EXECUTABLE);
++        addConfigName(CONFIG_TIMEOUT);
++    }
++
++    public void init(IProfile profile, IConfigStore config)
++            throws EProfileException {
++        super.init(profile, config);
++
++        this.executable = getConfig(CONFIG_EXECUTABLE);
++        if (this.executable == null || this.executable.isEmpty()) {
++            throw new EProfileException(
++                "Missing required config param 'executable'");
++        }
++
++        timeout = DEFAULT_TIMEOUT;
++        String timeoutConfig = getConfig(CONFIG_TIMEOUT);
++        if (this.executable != null && !this.executable.isEmpty()) {
++            try {
++                timeout = (new Integer(timeoutConfig)).longValue();
++            } catch (NumberFormatException e) {
++                throw new EProfileException("Invalid timeout value", e);
++            }
++            if (timeout < 1) {
++                throw new EProfileException(
++                    "Invalid timeout value: must be positive");
++            }
++        }
++
++        IConfigStore envConfig = config.getSubStore("params.env");
++        Enumeration<String> names = envConfig.getPropertyNames();
++        while (names.hasMoreElements()) {
++            String name = names.nextElement();
++            try {
++                extraEnvVars.put(name, envConfig.getString(name));
++            } catch (EBaseException e) {
++                // shouldn't happen; log and move on
++                CMS.debug(
++                    "ExternalProcessConstraint: caught exception processing "
++                    + "'params.env' config: " + e
++                );
++
++            }
++        }
++    }
++
++    public IDescriptor getConfigDescriptor(Locale locale, String name) {
++        if (name.equals(CONFIG_EXECUTABLE)) {
++            return new Descriptor(
++                IDescriptor.STRING, null, null, "Executable path");
++        } else if (name.equals(CONFIG_TIMEOUT)) {
++            return new Descriptor(
++                IDescriptor.INTEGER, null, null, "Timeout in seconds");
++        } else {
++            return null;
++        }
++    }
++
++    public void validate(IRequest request, X509CertInfo info)
++            throws ERejectException {
++        CMS.debug("About to execute command: " + this.executable);
++        ProcessBuilder pb = new ProcessBuilder(this.executable);
++
++        // set up process environment
++        Map<String, String> env = pb.environment();
++        for (String k : envVars.keySet()) {
++            String v = request.getExtDataInString(envVars.get(k));
++            if (v != null)
++                env.put(k, v);
++        }
++        for (String k : extraEnvVars.keySet()) {
++            String v = request.getExtDataInString(extraEnvVars.get(k));
++            if (v != null)
++                env.put(k, v);
++        }
++
++        Process p;
++        String stdout = "";
++        String stderr = "";
++        boolean timedOut;
++        try {
++            p = pb.start();
++            timedOut = !p.waitFor(timeout, TimeUnit.SECONDS);
++            if (timedOut)
++                p.destroyForcibly();
++            else
++                stdout = IOUtils.toString(p.getInputStream());
++                stderr = IOUtils.toString(p.getErrorStream());
++        } catch (Throwable e) {
++            String msg =
++                "Caught exception while executing command: " + this.executable;
++            CMS.debug(msg);
++            CMS.debug(e);
++            throw new ERejectException(msg, e);
++        }
++        if (timedOut)
++            throw new ERejectException("Request validation timed out");
++        int exitValue = p.exitValue();
++        CMS.debug("ExternalProcessConstraint: exit value: " + exitValue);
++        CMS.debug("ExternalProcessConstraint: stdout: " + stdout);
++        CMS.debug("ExternalProcessConstraint: stderr: " + stderr);
++        if (exitValue != 0)
++            throw new ERejectException(stdout);
++    }
++
++}
+diff --git a/base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry b/base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry
+new file mode 100755
+index 0000000..a9ee00a
+--- /dev/null
++++ b/base/server/upgrade/10.4.0/04-AddExternalProcessConstraintToRegistry
+@@ -0,0 +1,67 @@
++#!/usr/bin/python
++# Authors:
++#     Fraser Tweedale <ftweedal@redhat.com>
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; version 2 of the License.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License along
++# with this program; if not, write to the Free Software Foundation, Inc.,
++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Copyright (C) 2017 Red Hat, Inc.
++# All rights reserved.
++
++from __future__ import absolute_import
++import os.path
++
++import pki
++from pki.server.upgrade import PKIServerUpgradeScriptlet
++
++
++class AddExternalProcessConstraintToRegistry(PKIServerUpgradeScriptlet):
++
++    new_config = {
++        'constraintPolicy.externalProcessConstraintImpl.class':
++            'com.netscape.cms.profile.constraint.ExternalProcessConstraint',
++        'constraintPolicy.externalProcessConstraintImpl.desc':
++            'External Process Constraint',
++        'constraintPolicy.externalProcessConstraintImpl.name':
++            'External Process Constraint',
++    }
++
++    constraint_name = 'externalProcessConstraintImpl'
++
++    def __init__(self):
++        super(AddExternalProcessConstraintToRegistry, self).__init__()
++        self.message = 'Add ExternalProcessConstraint to registry'
++
++    def upgrade_subsystem(self, instance, subsystem):
++        if subsystem.name == 'ca':
++            self.add_new_entries(instance, subsystem)
++
++    def add_new_entries(self, instance, subsystem):  # pylint: disable=W0613
++        filename = os.path.join(subsystem.conf_dir, 'registry.cfg')
++        self.backup(filename)
++
++        properties = pki.PropertyFile(filename)
++        properties.read()
++
++        # add constraint to constraint list
++        constraints = properties.get('constraintPolicy.ids').split(',')
++        if self.constraint_name in constraints:
++            return  # update not required
++
++        constraints.append(self.constraint_name)
++        properties.set('constraintPolicy.ids', ','.join(constraints))
++
++        for k, v in self.new_config.items():
++            properties.set(k, v)
++
++        properties.write()
+-- 
+1.8.3.1
 
-From 6bda601d3b4dea93e1a218662ae0814e3a2708a7 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 14 Jul 2016 23:11:46 +0200
-Subject: [PATCH 51/96] Fixed cert usage list in pki client-cert-validate.
 
-The pki client-cert-validate has been modified to add the missing
-EmailRecipient and to list the supported cert usages.
+From b099b631bb49e17e0aa4cd8c7a818ba1c923ec92 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Wed, 8 Feb 2017 12:18:03 +1000
+Subject: [PATCH 08/49] Add authn manager that reuses auth token from session
 
-https://fedorahosted.org/pki/ticket/2376
-https://fedorahosted.org/pki/ticket/2399
----
- .../src/com/netscape/cmstools/client/ClientCertValidateCLI.java    | 7 ++++++-
- base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java   | 2 ++
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
-index 3988c71..50cd96f 100644
---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
-@@ -45,7 +45,10 @@ public class ClientCertValidateCLI extends CLI {
-     }
- 
-     public void createOptions() {
--        Option option = new Option(null, "certusage", true, "Certificate usage.");
-+        Option option = new Option(null, "certusage", true, "Certificate usage: " +
-+                "CheckAllUsages, SSLServer, SSLServerWithStepUp, SSLClient, SSLCA, AnyCA, " +
-+                "StatusResponder, ObjectSigner, UserCertImport, ProtectedObjectSigner, " +
-+                "VerifyCA, EmailSigner, EmailRecipient.");
-         option.setArgName("certusage");
-         options.addOption(option);
-     }
-@@ -188,6 +191,8 @@ public class ClientCertValidateCLI extends CLI {
-             cu = CryptoManager.CertificateUsage.VerifyCA;
-         else if (certusage.equalsIgnoreCase("EmailSigner"))
-             cu = CryptoManager.CertificateUsage.EmailSigner;
-+        else if (certusage.equalsIgnoreCase("EmailRecipient"))
-+            cu = CryptoManager.CertificateUsage.EmailRecipient;
- 
-         return cu;
-     }
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
-index 5b6382e..400ad0c 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
-@@ -988,6 +988,8 @@ public class CertUtils {
-             cu = CryptoManager.CertificateUsage.VerifyCA;
-         else if (certusage.equalsIgnoreCase("EmailSigner"))
-             cu = CryptoManager.CertificateUsage.EmailSigner;
-+        else if (certusage.equalsIgnoreCase("EmailRecipient"))
-+            cu = CryptoManager.CertificateUsage.EmailRecipient;
- 
-         return cu;
-     }
--- 
-1.8.3.1
+To process a cert request immediately (rather than having it queued
+as pending), the user must be authenticated *by the profile*; auth
+tokens from the main authentication system are not used.
 
+For external authentication support it is possible that the external
+authentication is sufficient to authenticate use of a problem;
+especially when the profile uses componenets like
+ExternalProcessConstraint to perform validation of the cert request
+against external sources of information.
 
-From 078dfc1f01dea30800f19eed6df4ed547edffee3 Mon Sep 17 00:00:00 2001
-From: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
-Date: Tue, 12 Jul 2016 18:18:39 -0700
-Subject: [PATCH 52/96] Ticket #2246 [MAN] Man Page: AuditVerify This patch
- contains the man page for AuditVerify.
+To support this use case, add the SessionAuthentication profile
+authenticator, which merely reuses the IAuthToken from the session
+context, if present.
 
+Part of: https://pagure.io/dogtagpki/issue/1359
 ---
- base/java-tools/man/man1/AuditVerify.1 | 110 +++++++++++++++++++++++++++++++++
- 1 file changed, 110 insertions(+)
- create mode 100644 base/java-tools/man/man1/AuditVerify.1
+ base/ca/shared/conf/CS.cfg                         |   2 +
+ .../cms/authentication/SessionAuthentication.java  | 167 +++++++++++++++++++++
+ base/server/upgrade/10.4.1/.gitignore              |   4 +
+ .../10.4.2/01-AddSessionAuthenticationPlugin       |  51 +++++++
+ 4 files changed, 224 insertions(+)
+ create mode 100644 base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java
+ create mode 100644 base/server/upgrade/10.4.1/.gitignore
+ create mode 100755 base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin
 
-diff --git a/base/java-tools/man/man1/AuditVerify.1 b/base/java-tools/man/man1/AuditVerify.1
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index e800360..3923319 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -175,6 +175,7 @@ auths.impl.UidPwdGroupDirAuth.class=com.netscape.cms.authentication.UidPwdGroupD
+ auths.impl.UserPwdDirAuth.class=com.netscape.cms.authentication.UserPwdDirAuthentication
+ auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
+ auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth
++auths.impl.SessionAuthentication.class=com.netscape.cms.authentication.SessionAuthentication
+ auths.instance.TokenAuth.pluginName=TokenAuth
+ auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
+ auths.instance.AgentCertAuth.pluginName=AgentCertAuth
+@@ -183,6 +184,7 @@ auths.instance.raCertAuth.pluginName=AgentCertAuth
+ auths.instance.flatFileAuth.pluginName=FlatFileAuth
+ auths.instance.flatFileAuth.fileName=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/flatfile.txt
+ auths.instance.SSLclientCertAuth.pluginName=SSLclientCertAuth
++auths.instance.SessionAuthentication.pluginName=SessionAuthentication
+ auths.revocationChecking.bufferSize=50
+ auths.revocationChecking.ca=ca
+ auths.revocationChecking.enabled=true
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java
 new file mode 100644
-index 0000000..c0bd5ba
+index 0000000..27f08cd
 --- /dev/null
-+++ b/base/java-tools/man/man1/AuditVerify.1
-@@ -0,0 +1,110 @@
-+.\" First parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH AuditVerify 1 "July 7, 2016" "version 10.3" "PKI Signed Audit Log Verification Command" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh        disable hyphenation
-+.\" .hy        enable hyphenation
-+.\" .ad l      left justify
-+.\" .ad b      justify to both left and right margins
-+.\" .nf        disable filling
-+.\" .fi        enable filling
-+.\" .br        insert line break
-+.\" .sp <n>    insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+AuditVerify \- Command-Line utility for verifying Certificate System signed audit logs.
++++ b/base/server/cms/src/com/netscape/cms/authentication/SessionAuthentication.java
+@@ -0,0 +1,167 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++
++package com.netscape.cms.authentication;
++
++import java.util.Collections;
++import java.util.Enumeration;
++import java.util.Locale;
++
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.AuthToken;
++import com.netscape.certsrv.authentication.EMissingCredential;
++import com.netscape.certsrv.authentication.IAuthCredentials;
++import com.netscape.certsrv.authentication.IAuthToken;
++import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.profile.IProfile;
++import com.netscape.certsrv.profile.IProfileAuthenticator;
++import com.netscape.certsrv.property.IDescriptor;
++import com.netscape.certsrv.request.IRequest;
++
++/**
++ * Pull any existing auth token from the session context.
++ *
++ * Use with caution as a profile authenticator; if there is a
++ * session it will unconditionally approve the request
++ * (subject to constraints, etc).
++ */
++public class SessionAuthentication
++        implements IProfileAuthenticator {
++
++    private String instName = null;
++    private String implName = null;
++    private IConfigStore config = null;
++
++    public SessionAuthentication() {
++    }
++
++    public void init(String instName, String implName, IConfigStore config)
++            throws EBaseException {
++        this.instName = instName;
++        this.implName = implName;
++        this.config = config;
++    }
 +
-+.SH SYNOPSIS
-+.nf
-+\fBAuditVerify\fR -d <dbdir> -n <signing_certificate_nickname> -a <logListFile> [-P cert/key_db_prefix] [-v]
-+.fi
++    /**
++     * Gets the name of this authentication manager.
++     */
++    public String getName() {
++        return instName;
++    }
 +
-+.SH DESCRIPTION
-+.PP
-+The \fBAuditVerify\fR command provides command-line utility to verify that signed audit logs were signed with the appropriate CS audit private signing key and that the audit logs have not been compromised.  Auditors can verify the authenticity and integrity of signed audit logs using the \fBAuditVerify\fR tool. This tool uses the public key of the signed audit log signing certificate to verify the digital signatures embedded in a signed audit log file. The tool result indicates either that the signed audit log was successfully verified or that the signed audit log was not successfully verified. An unsuccessful verification warns the auditor that the signature failed to verify, indicating the log file may have been tampered with (compromised).
-+.PP
-+.B Note: An auditor can be any user that has the privilege to peruse the pki audit logs.
++    /**
++     * Gets the plugin name of authentication manager.
++     */
++    public String getImplName() {
++        return implName;
++    }
 +
-+.SH OPTIONS
-+.TP
-+.B -d <dbdir>
-+Specifies the directory containing the security databases with the imported audit log signing certificate. This directory is almost always the auditor's own personal certificate databases in a personal directory, such as ~jsmith/auditVerifyDir/.
++    public boolean isSSLClientRequired() {
++        return false;
++    }
 +
-+.TP
-+.B -n <signing_certificate_nickname>
-+Gives the nickname of the certificate used to sign the log files. The nickname is whatever was used when the log signing certificate was imported into that database.
++    /**
++     * Authenticate user.
++     *
++     * @return the auth token from existing session context, if any.
++     * @throws EMissingCredential if no auth token or no session
++     */
++    public IAuthToken authenticate(IAuthCredentials authCred)
++            throws EMissingCredential {
++        SessionContext context = SessionContext.getExistingContext();
 +
-+.TP
-+.B [-P cert/key_db_prefix]
-+Optional. The prefix to prepend to the certificate and key database filenames. If used, a value of empty quotation marks (“”) should be specified for this argument, since the auditor is using separate certificate and key databases from the Certificate System instance and it is unlikely that the prefix should be prepended to the new audit security database files. 
++        if (context == null)
++            throw new EMissingCredential("SessionAuthentication: no session");
 +
-+.TP
-+.B -a <logListFile>
-+Specifies the file which contains the comma-separate list of file paths (in chronological order) of the signed audit logs to be verified. 
-+This file should be created in a directory which is writeable by the auditor, such as a special auditing directory like ~jsmith/auditDir.
-+The contents of the logListFile are the full paths to the audit logs. For example:
-+.PP
-+.nf
-+        /var/log/pki/pki-ca/ca/signedAudit/ca_audit,/var/log/pki/pki-ca/ca/signedAudit/ca_audit.20030227102711,/var/log/pki/pki-ca/ca/signedAudit/ca_audit.20030226094015
-+.fi
++        IAuthToken authToken = (IAuthToken)
++            context.get(SessionContext.AUTH_TOKEN);
 +
-+.TP
-+.B [-v]
-+Optional. Specifies verbose output. 
++        if (authToken == null)
++            throw new EMissingCredential("SessionAuthentication: no auth token");
 +
-+.SH Setting up the Auditor's Database
++        return authToken;
++    }
 +
-+\fBAuditVerify\fP needs access to a set of security databases (usually the auditor's personal security databases) containing the signed audit log signing certificate and its chain of issuing certificates. One of the CA certificates in the issuance chain must be marked as trusted in the database. 
-+.PP
-+Auditors should import the audit signing certificate into their personal certificate database before running \fBAuditVerify\fP. The auditor should not use the security databases of the Certificate System instance that generated the signed audit log files. If there are no readily accessible certificate and key database, the auditor must create a set of certificate and key databases and import the signed audit log signing certificate chain.
-+.PP
-+To create the security databases and import the certificate chain: 
++    public String[] getRequiredCreds() {
++        String[] requiredCreds = { };
++        return requiredCreds;
++    }
 +
-+.SS Create a special directory in the auditor's home directory to use to perform the verification. For example:
++    public String[] getConfigParams() {
++        return null;
++    }
 +
-+mkdir ~jsmith/auditVerifyDir
++    /**
++     * prepare this authentication manager for shutdown.
++     */
++    public void shutdown() {
++    }
 +
-+.SS Use the certutil tool to create an empty set of certificate databases in the auditor's home directory.
++    /**
++     * gets the configuretion substore used by this authentication
++     * manager
++     *
++     * @return configuration store
++     */
++    public IConfigStore getConfigStore() {
++        return config;
++    }
 +
-+certutil -d ~jsmith/auditVerifyDir -N
++    // Profile-related methods
 +
-+.SS Download the CA certificate from the CA's Retrieval page. The certificates can be obtained from the CA in ASCII format.
++    public void init(IProfile profile, IConfigStore config) {
++    }
 +
-+https://server.example.com:ca_https_port/ca/ee/ca/
++    /**
++     * Retrieves the localizable name of this policy.
++     */
++    public String getName(Locale locale) {
++        return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_NAME");
++    }
 +
-+.SS Import the CA certificate and log signing certificate into the databases and set trust of the certificates
++    /**
++     * Retrieves the localizable description of this policy.
++     */
++    public String getText(Locale locale) {
++        return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_AGENT_TEXT");
++    }
 +
-+If the CA certificate is in a file called cacert.txt and the log signing certificate is in a file called logsigncert.txt, then the certutil can be used to set the trust for the new audit security database directory pointing to those files, as follows: 
++    /**
++     * Retrieves a list of names of the value parameter.
++     */
++    public Enumeration<String> getValueNames() {
++        return Collections.emptyEnumeration();
++    }
 +
-+certutil -d ~jsmith/auditVerifyDir/ -A -n "CA Certificate" -t "CT,CT,CT" -a -i cacert.txt
++    public boolean isValueWriteable(String name) {
++        return false;
++    }
 +
-+certutil -d ~jsmith/auditVerifyDir -A -n "Log Signing Certificate" -t ",,P" -a -i logsigncert.txt
++    /**
++     * Retrieves the descriptor of the given value
++     * parameter by name.
++     */
++    public IDescriptor getValueDescriptor(Locale locale, String name) {
++        return null;
++    }
 +
-+.B Note: The signedAudit directory kept by the subsystem is not writeable by any user, including auditors. 
++    public void populate(IAuthToken token, IRequest request) {
++    }
++}
+diff --git a/base/server/upgrade/10.4.1/.gitignore b/base/server/upgrade/10.4.1/.gitignore
+new file mode 100644
+index 0000000..5e7d273
+--- /dev/null
++++ b/base/server/upgrade/10.4.1/.gitignore
+@@ -0,0 +1,4 @@
++# Ignore everything in this directory
++*
++# Except this file
++!.gitignore
+diff --git a/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin b/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin
+new file mode 100755
+index 0000000..62d508e
+--- /dev/null
++++ b/base/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin
+@@ -0,0 +1,51 @@
++#!/usr/bin/python
++# Authors:
++#     Fraser Tweedale <ftweedal@redhat.com>
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; version 2 of the License.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License along
++# with this program; if not, write to the Free Software Foundation, Inc.,
++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Copyright (C) 2017 Red Hat, Inc.
++# All rights reserved.
 +
-+.SH Operation
-+After a separate audit database directory has been configured, do the following: 
-+.SS Create a text file containing a comma-separated list of the log files to be verified. The name of this file is referenced in the AuditVerify command. 
++from __future__ import absolute_import
++import os.path
 +
-+For example, this file could be logListFile in the ~jsmith/auditVerifyDir/ directory. The contents are the comma-separated list of audit logs to be verified, such as "auditlog.1213, auditlog.1214, auditlog.1215." 
++import pki
++from pki.server.upgrade import PKIServerUpgradeScriptlet
 +
-+.SS If the audit databases do not contain prefixes and are located in the user home directory, such as ~jsmith/.mozilla, and the signing certificate nickname is "Log Signing Certificate", the AuditVerify command is run as follows: 
 +
-+AuditVerify -d ~jsmith/auditVerifyDir -n Log Signing Certificate -a ~jsmith/auditVerifyDir/logListFile -P "" -v
++class AddSessionAuthenticationPlugin(PKIServerUpgradeScriptlet):
++    def __init__(self):
++        super(AddSessionAuthenticationPlugin, self).__init__()
++        self.message = 'Add SessionAuthentication to CS.cfg'
 +
-+.I Note: It has been observed that if audit signing is enabled after system is first started, the first audit signature would not be verified.  What happens is that the signature starts calculating from it's in-memory audit log message when it signs, and since log signing is turned on mid-way (not from a fresh new log file), the previous content were not signed along for calculating the first signature (and rightfully so). When AuditVerify is run, it does not know where the log signing begins, so it assumes it starts from the beginning of the file till the first signature. This is why the first signature (if signing is turned on mid-way) will always appear to be incorrect.
++    def upgrade_subsystem(self, instance, subsystem):
++        if subsystem.name == 'ca':
++            self.add_plugin(instance, subsystem)
 +
++    def add_plugin(self, instance, subsystem):  # pylint: disable=W0613
++        filename = os.path.join(subsystem.conf_dir, 'CS.cfg')
++        self.backup(filename)
 +
-+.SH AUTHORS
-+Christina Fu <cfu@redhat.com>.
++        properties = pki.PropertyFile(filename)
++        properties.read()
 +
-+.SH COPYRIGHT
-+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
-+License, version 2 (GPLv2). A copy of this license is available at
-+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
++        properties.set(
++            'auths.impl.SessionAuthentication.class',
++            'com.netscape.cms.authentication.SessionAuthentication')
++        properties.set(
++            'auths.instance.SessionAuthentication.pluginName',
++            'SessionAuthentication')
 +
-+.SH SEE ALSO
-+.BR pki(1)
++        properties.write()
 -- 
 1.8.3.1
 
 
-From d20638e2916fb99da5cf09d869a1fbc89cd6f17b Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Sat, 16 Jul 2016 07:01:23 +0200
-Subject: [PATCH 53/96] Removed redundant question in interactive pkispawn.
+From b9dc595806abb17f34a679976122e526bdc29de8 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Tue, 18 Apr 2017 16:46:12 -0400
+Subject: [PATCH 09/49] Modify cert clients to check server for wrapping params
+
+CRMFPopClient and the pki cert client both can send a CRMF request
+to a CA directly.  Logic is added to check the CA for the required
+KRA wrapping params and use those in place of any that have been
+provided by the environment or command line.
 
-The pkispawn has been modified such that if the admin selects to
-import the admin certificate the admin will not be asked where to
-export the certificate.
+Also, additional data for the supported KRA keyset has been added to
+the CAInfoService.  This will need to be managed by the admin.  The
+default is "1" which corresponds to AES.
 
-https://fedorahosted.org/pki/ticket/2399
+Change-Id: I186f9c610005ec300bccf1b07470493ce7cdfeb4
 ---
- base/server/sbin/pkispawn | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
-index d3a111f..11745b4 100755
---- a/base/server/sbin/pkispawn
-+++ b/base/server/sbin/pkispawn
-@@ -226,9 +226,9 @@ def main(argv):
-                                     'pki_import_admin_cert',
-                                     'False')
- 
--            parser.read_text('Export certificate to',
--                             config.pki_subsystem,
--                             'pki_client_admin_cert')
-+                parser.read_text('Export certificate to',
-+                                 config.pki_subsystem,
-+                                 'pki_client_admin_cert')
- 
-             # if parser.mdict['pki_hsm_enable'] == 'True':
-             #     use_hsm = 'Y'
-@@ -261,7 +261,7 @@ def main(argv):
-             # parser.set_property(config.pki_subsystem,
-             #                     'pki_hsm_libfile',
-             #                     libfile)
--            # print
-+            print()
- 
-             print("Directory Server:")
-             while True:
+ base/common/src/org/dogtagpki/common/CAInfo.java   | 16 +++++
+ .../src/com/netscape/cmstools/CRMFPopClient.java   | 71 ++++++++++++++++++++--
+ .../cmstools/client/ClientCertRequestCLI.java      | 32 ++++++----
+ .../org/dogtagpki/server/rest/CAInfoService.java   | 10 +++
+ 4 files changed, 110 insertions(+), 19 deletions(-)
+
+diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java
+index 89255ed..f21dcd0 100644
+--- a/base/common/src/org/dogtagpki/common/CAInfo.java
++++ b/base/common/src/org/dogtagpki/common/CAInfo.java
+@@ -54,6 +54,7 @@ public class CAInfo extends ResourceMessage {
+     }
+ 
+     String archivalMechanism;
++    String wrappingKeySet;
+ 
+     @XmlElement(name="ArchivalMechanism")
+     public String getArchivalMechanism() {
+@@ -64,11 +65,21 @@ public class CAInfo extends ResourceMessage {
+         this.archivalMechanism = archivalMechanism;
+     }
+ 
++    @XmlElement(name="WrappingKeySet")
++    public String getWrappingKeySet() {
++        return wrappingKeySet;
++    }
++
++    public void setWrappingKeySet(String wrappingKeySet) {
++        this.wrappingKeySet = wrappingKeySet;
++    }
++
+     @Override
+     public int hashCode() {
+         final int prime = 31;
+         int result = super.hashCode();
+         result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode());
++        result = prime * result + ((wrappingKeySet == null) ? 0 : wrappingKeySet.hashCode());
+         return result;
+     }
+ 
+@@ -86,6 +97,11 @@ public class CAInfo extends ResourceMessage {
+                 return false;
+         } else if (!archivalMechanism.equals(other.archivalMechanism))
+             return false;
++        if (wrappingKeySet == null) {
++            if (other.wrappingKeySet != null)
++                return false;
++        } else if (!wrappingKeySet.equals(other.wrappingKeySet))
++            return false;
+         return true;
+     }
+ 
+diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+index 5d9f7f1..0168503 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+@@ -40,6 +40,8 @@ import org.apache.http.HttpResponse;
+ import org.apache.http.client.methods.HttpGet;
+ import org.apache.http.impl.client.DefaultHttpClient;
+ import org.apache.http.util.EntityUtils;
++import org.dogtagpki.common.CAInfo;
++import org.dogtagpki.common.CAInfoClient;
+ import org.dogtagpki.common.KRAInfoResource;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.asn1.ASN1Util;
+@@ -75,6 +77,9 @@ import org.mozilla.jss.pkix.primitive.Name;
+ import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+ import org.mozilla.jss.util.Password;
+ 
++import com.netscape.certsrv.base.PKIException;
++import com.netscape.certsrv.client.ClientConfig;
++import com.netscape.certsrv.client.PKIClient;
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+ import com.netscape.cmsutil.util.Cert;
+ import com.netscape.cmsutil.util.HMACDigest;
+@@ -187,6 +192,10 @@ public class CRMFPopClient {
+         option.setArgName("keyWrap");
+         options.addOption(option);
+ 
++        option = new Option("w", true, "Wrapping Keyset");
++        option.setArgName("keySet");
++        options.addOption(option);
++
+         options.addOption("v", "verbose", false, "Run in verbose mode.");
+         options.addOption(null, "help", false, "Show help message.");
+ 
+@@ -218,6 +227,7 @@ public class CRMFPopClient {
+         System.out.println("  -g <true|false>              Use KeyWrapping to wrap private key (default: true)");
+         System.out.println("                               - true: use a key wrapping algorithm");
+         System.out.println("                               - false: use an encryption algorithm");
++        System.out.println("  -w <keyset_id>               Key set ID to use when wrapping the private key");
+         System.out.println("  -b <transport cert>          PEM transport certificate (default: transport.txt)");
+         System.out.println("  -v, --verbose                Run in verbose mode.");
+         System.out.println("      --help                   Show help message.");
+@@ -310,6 +320,7 @@ public class CRMFPopClient {
+         int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1"));
+         int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1"));
+ 
++        // get the key wrapping mechanism
+         boolean keyWrap = true;
+         if (cmd.hasOption("g")) {
+             keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g"));
+@@ -319,6 +330,10 @@ public class CRMFPopClient {
+                 keyWrap = Boolean.parseBoolean(useKeyWrap);
+             }
+         }
++        String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
++            KRAInfoResource.ENCRYPT_MECHANISM;
++
++        String wrappingKeySet = cmd.getOptionValue("w");
+ 
+         String output = cmd.getOptionValue("o");
+ 
+@@ -326,6 +341,16 @@ public class CRMFPopClient {
+         String username = cmd.getOptionValue("u");
+         String requestor = cmd.getOptionValue("r");
+ 
++        if (hostPort != null) {
++            if (cmd.hasOption("g") || cmd.hasOption("w")) {
++                printError("Wrapping Key Set (-g) and keywrap (-w) options should " +
++                        "not be specified when hostport is specified.  " +
++                        "CRMFPopClient will contact the server to " +
++                        "determine the correct values for these parameters");
++                System.exit(1);
++            }
++        }
++
+         if (subjectDN == null) {
+             printError("Missing subject DN");
+             System.exit(1);
+@@ -458,11 +483,41 @@ public class CRMFPopClient {
+             String kid = CryptoUtil.byte2string(id);
+             System.out.println("Keypair private key id: " + kid);
+ 
+-            String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
+-                KRAInfoResource.ENCRYPT_MECHANISM;
++            if (hostPort != null) {
++                // check the CA for the required keyset and archival mechanism
++                // if found, override whatever has been set by the command line
++                // options or environment for archivalMechanism and wrappingKeySet
++
++                ClientConfig config = new ClientConfig();
++                String host = hostPort.substring(0, hostPort.indexOf(':'));
++                int port = Integer.parseInt(hostPort.substring(hostPort.indexOf(':')+1));
++                config.setServerURL("http", host, port);
++
++                PKIClient pkiclient = new PKIClient(config);
++
++                // get archival mechanism
++                CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca");
++                try {
++                    CAInfo info = infoClient.getInfo();
++                    archivalMechanism = info.getArchivalMechanism();
++                    wrappingKeySet = info.getWrappingKeySet();
++                } catch (PKIException e) {
++                    if (e.getCode() == 404) {
++                        // assume this is an older server,
++                        archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
++                        wrappingKeySet = "0";
++                    } else {
++                        throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
++                    }
++                } catch (Exception e) {
++                    throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
++                }
++            }
++
+             if (verbose) System.out.println("Creating certificate request");
+             CertRequest certRequest = client.createCertRequest(
+-                    token, transportCert, algorithm, keyPair, subject, archivalMechanism);
++                    token, transportCert, algorithm, keyPair,
++                    subject, archivalMechanism, wrappingKeySet);
+ 
+             ProofOfPossession pop = null;
+ 
+@@ -572,11 +627,15 @@ public class CRMFPopClient {
+             String algorithm,
+             KeyPair keyPair,
+             Name subject,
+-            String archivalMechanism) throws Exception {
++            String archivalMechanism,
++            String wrappingKeySet) throws Exception {
+         EncryptionAlgorithm encryptAlg = null;
+-        String keyset = System.getenv("KEY_WRAP_PARAMETER_SET");
+ 
+-        if (keyset != null && keyset.equalsIgnoreCase("0")) {
++        if (wrappingKeySet == null) {
++            wrappingKeySet = System.getenv("KEY_WRAP_PARAMETER_SET");
++        }
++
++        if (wrappingKeySet != null && wrappingKeySet.equalsIgnoreCase("0")) {
+             // talking to an old server?
+             encryptAlg = EncryptionAlgorithm.DES3_CBC;
+         } else {
+diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+index 8ca857b..696ab8b 100644
+--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+@@ -29,6 +29,7 @@ import java.util.Vector;
+ import org.apache.commons.cli.CommandLine;
+ import org.apache.commons.cli.Option;
+ import org.apache.commons.io.FileUtils;
++import org.dogtagpki.common.CAInfo;
+ import org.dogtagpki.common.CAInfoClient;
+ import org.dogtagpki.common.KRAInfoResource;
+ import org.mozilla.jss.CryptoManager;
+@@ -39,6 +40,7 @@ import org.mozilla.jss.pkix.crmf.CertRequest;
+ import org.mozilla.jss.pkix.crmf.ProofOfPossession;
+ import org.mozilla.jss.pkix.primitive.Name;
+ 
++import com.netscape.certsrv.base.PKIException;
+ import com.netscape.certsrv.cert.CertClient;
+ import com.netscape.certsrv.cert.CertEnrollmentRequest;
+ import com.netscape.certsrv.cert.CertRequestInfos;
+@@ -250,23 +252,26 @@ public class ClientCertRequestCLI extends CLI {
+             // get archival mechanism
+             CAInfoClient infoClient = new CAInfoClient(client, "ca");
+             String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
++            String wrappingKeySet = "1";
+             try {
+-                archivalMechanism = infoClient.getInfo().getArchivalMechanism();
+-            } catch (Exception e) {
+-                // this could be an older server, check for environment variable.
+-                String useKeyWrapping = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING");
+-                if (useKeyWrapping != null) {
+-                    if (Boolean.parseBoolean(useKeyWrapping)) {
+-                        archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+-                    } else {
+-                        archivalMechanism = KRAInfoResource.ENCRYPT_MECHANISM;
+-                    }
++                CAInfo info = infoClient.getInfo();
++                archivalMechanism = info.getArchivalMechanism();
++                wrappingKeySet = info.getWrappingKeySet();
++            } catch (PKIException e) {
++                if (e.getCode() == 404) {
++                    // assume this is an older server,
++                    archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
++                    wrappingKeySet = "0";
++                } else {
++                    throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+                 }
++            } catch (Exception e) {
++                throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+             }
+ 
+             csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding,
+                     algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop,
+-                    archivalMechanism);
++                    archivalMechanism, wrappingKeySet);
+ 
+         } else {
+             throw new Exception("Unknown request type: " + requestType);
+@@ -408,7 +413,8 @@ public class ClientCertRequestCLI extends CLI {
+             int sensitive,
+             int extractable,
+             boolean withPop,
+-            String archivalMechanism
++            String archivalMechanism,
++            String wrappingKeySet
+             ) throws Exception {
+ 
+         CryptoManager manager = CryptoManager.getInstance();
+@@ -430,7 +436,7 @@ public class ClientCertRequestCLI extends CLI {
+         }
+ 
+         CertRequest certRequest = client.createCertRequest(
+-                token, transportCert, algorithm, keyPair, subject, archivalMechanism);
++                token, transportCert, algorithm, keyPair, subject, archivalMechanism, wrappingKeySet);
+ 
+         ProofOfPossession pop = null;
+         if (withPop) {
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
+index 975ad61..f4724a6 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
+@@ -50,6 +50,8 @@ public class CAInfoService extends PKIService implements CAInfoResource {
+         if (archivalMechanism != null)
+             info.setArchivalMechanism(getArchivalMechanism());
+ 
++        info.setWrappingKeySet(getWrappingKeySet());
++
+         return createOKResponse(info);
+     }
+ 
+@@ -61,4 +63,12 @@ public class CAInfoService extends PKIService implements CAInfoResource {
+         boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
+         return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM;
+     }
++
++    String getWrappingKeySet() throws EBaseException {
++        IConfigStore cs = CMS.getConfigStore();
++        boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false);
++        if (!kra_present) return null;
++
++        return cs.getString("kra.wrappingKeySet", "1");
++    }
+ }
 -- 
 1.8.3.1
 
 
-From 28176087a94f74b451c2dbf3c59b4d13a20014c6 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Sat, 16 Jul 2016 09:22:27 +0200
-Subject: [PATCH 54/96] Fixed pkispawn installation summary.
+From 316e20d2e39542bcb2d2043f36633dc7b779c61b Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Wed, 19 Apr 2017 14:19:37 -0400
+Subject: [PATCH 10/49] Make sure connection is always closed
 
-The pkispawn installation summary has been modified not to
-show the admin certificate nickname and NSS database if
-pki_client_database_purge or pki_clone is set to true since
-the NSS database will not be created in those cases.
+When an exception is thrown, the connection is currently
+not closed, leading to Invalid State exceptions when the
+next connection is attempted.  This resolves this issue.
 
-https://fedorahosted.org/pki/ticket/2399
+Change-Id: I531881434a73affb1c6536dfbb05bce151c854fb
 ---
- base/server/sbin/pkispawn | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
-index 11745b4..13139fa 100755
---- a/base/server/sbin/pkispawn
-+++ b/base/server/sbin/pkispawn
-@@ -754,16 +754,15 @@ def print_final_install_information(mdict):
-         print("      Administrator's PKCS #12 file:\n            %s" %
-               mdict['pki_client_admin_cert_p12'])
- 
--    if not config.str2bool(mdict['pki_client_database_purge']):
-+    if not config.str2bool(mdict['pki_client_database_purge']) and \
-+            not config.str2bool(mdict['pki_clone']):
-         print()
-         print("      Administrator's certificate nickname:\n            %s"
-               % mdict['pki_admin_nickname'])
--
--    if not config.str2bool(mdict['pki_clone']):
-         print("      Administrator's certificate database:\n            %s"
-               % mdict['pki_client_database_dir'])
- 
--    else:
-+    if config.str2bool(mdict['pki_clone']):
-         print()
-         print("      This %s subsystem of the '%s' instance\n"
-               "      is a clone." %
+ .../com/netscape/certsrv/client/PKIConnection.java | 30 ++++++++++++++--------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+index d5e4c00..d655023 100644
+--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
++++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+@@ -429,23 +429,33 @@ public class PKIConnection {
+     }
+ 
+     public <T> T getEntity(Response response, Class<T> clazz) {
+-        Family family = response.getStatusInfo().getFamily();
+-        if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) {
+-            if (response.hasEntity()) return response.readEntity(clazz);
++        try {
++            Family family = response.getStatusInfo().getFamily();
++            if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) {
++                if (response.hasEntity())
++                    return response.readEntity(clazz);
++                return null;
++            }
++            handleErrorResponse(response);
+             return null;
++        } finally {
++            response.close();
+         }
+-        handleErrorResponse(response);
+-        return null;
+     }
+ 
+     public <T> T getEntity(Response response, GenericType<T> clazz) {
+-        Family family = response.getStatusInfo().getFamily();
+-        if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) {
+-            if (response.hasEntity()) return response.readEntity(clazz);
++        try {
++            Family family = response.getStatusInfo().getFamily();
++            if (!family.equals(Family.CLIENT_ERROR) && !family.equals(Family.SERVER_ERROR)) {
++                if (response.hasEntity())
++                    return response.readEntity(clazz);
++                return null;
++            }
++            handleErrorResponse(response);
+             return null;
++        } finally {
++            response.close();
+         }
+-        handleErrorResponse(response);
+-        return null;
+     }
+ 
+     private void handleErrorResponse(Response response) {
 -- 
 1.8.3.1
 
 
-From eddbcedba312258cd4105f0353313c1423084593 Mon Sep 17 00:00:00 2001
+From 7033c5208fd315e9fd1c76d1755d1f7fd2bbf17a Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 20 Jul 2016 00:38:41 +0200
-Subject: [PATCH 55/96] Fixed error handling in SystemConfigService.
+Date: Wed, 19 Apr 2017 23:40:43 +0200
+Subject: [PATCH 12/49] Added AuditEvent.setParameters().
 
-To help troubleshooting the SystemConfigService has been modified
-to chain the original exception and to log stack trace into the
-debug log.
+A new method has been added to set AuditEvent's parameters.
 
-https://fedorahosted.org/pki/ticket/2399
+Change-Id: I1b1e23030a819160b035ed67e908b6fbadedd714
 ---
- .../src/org/dogtagpki/server/rest/SystemConfigService.java   | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-index 6fc37b5..95afa4c 100644
---- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-@@ -782,7 +782,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
-                 ConfigurationUtils.populateVLVIndexes();
-             }
-         } catch (Exception e) {
--            e.printStackTrace();
-+            CMS.debug(e);
-             throw new PKIException("Error in populating database: " + e, e);
-         }
-     }
-@@ -1029,14 +1029,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
-                 String tokenpwd = data.getTokenPassword();
-                 ConfigurationUtils.loginToken(ctoken, tokenpwd);
-             } catch (NotInitializedException e) {
--                throw new PKIException("Token is not initialized");
-+                throw new PKIException("Token is not initialized", e);
-             } catch (NoSuchTokenException e) {
--                throw new BadRequestException("Invalid Token provided. No such token.");
-+                throw new BadRequestException("Invalid Token provided. No such token.", e);
-             } catch (TokenException e) {
--                e.printStackTrace();
--                throw new PKIException("Token Exception" + e);
-+                CMS.debug(e);
-+                throw new PKIException("Token Exception: " + e, e);
-             } catch (IncorrectPasswordException e) {
--                throw new BadRequestException("Incorrect Password provided for token.");
-+                throw new BadRequestException("Incorrect Password provided for token.", e);
-             }
-         }
+ base/common/src/com/netscape/certsrv/logging/AuditEvent.java | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 716e0d4..72c93f8 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -387,6 +387,13 @@ public class AuditEvent implements IBundleLogEvent {
      }
+ 
+     /**
++     * Sets audit event's parameters.
++     */
++    public void setParameters(Object[] params) {
++        mParams = params;
++    }
++
++    /**
+      * Returns localized message string. This method should
+      * only be called if a localized string is necessary.
+      * <P>
 -- 
 1.8.3.1
 
 
-From 3998429da6e4a96b1ec667436f1da6b96d0ca33c Mon Sep 17 00:00:00 2001
+From 6817c67bc93e99f36c79838fffc08145e6599580 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Fri, 22 Jul 2016 13:35:54 +0200
-Subject: [PATCH 56/96] Fixed param substitution problem.
+Date: Wed, 19 Apr 2017 21:35:09 +0200
+Subject: [PATCH 14/49] Updated default SSL connection timeout.
+
+The default SSL connection timeout has been changed to 5 minutes
+to improve PKI console usability.
 
-The string splice operation in substitute_deployment_params() has
-been fixed to include the rest of the string.
+https://pagure.io/dogtagpki/issue/2643
 
-https://fedorahosted.org/pki/ticket/2399
+Change-Id: I905ca855285ddd655d965488b175c2d11fe407fd
 ---
- base/server/python/pki/server/deployment/pkihelper.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
-index 54ffe27..6ac68b1 100644
---- a/base/server/python/pki/server/deployment/pkihelper.py
-+++ b/base/server/python/pki/server/deployment/pkihelper.py
-@@ -1810,8 +1810,8 @@ class File:
-                     line[begin:end + 1], value,
-                     extra=config.PKI_INDENTATION_LEVEL_3)
- 
--                # replace parameter with value
--                line = line[0:begin] + value + line[end + 1]
-+                # replace parameter with value, keep the rest of the line
-+                line = line[0:begin] + value + line[end + 1:]
- 
-                 # calculate the new end position
-                 end = begin + len(value) + 1
+ base/server/tomcat7/conf/server.xml | 2 +-
+ base/server/tomcat8/conf/server.xml | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml
+index cc3160d..35bd7a4 100644
+--- a/base/server/tomcat7/conf/server.xml
++++ b/base/server/tomcat7/conf/server.xml
+@@ -187,7 +187,7 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
+     -->
+     <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+            maxHttpHeaderSize="8192"
+-           connectionTimeout="80000"
++           connectionTimeout="300000"
+            acceptCount="100" maxThreads="150" minSpareThreads="25"
+            enableLookups="false" disableUploadTimeout="true"
+            sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
+diff --git a/base/server/tomcat8/conf/server.xml b/base/server/tomcat8/conf/server.xml
+index af463f5..4daf85e 100644
+--- a/base/server/tomcat8/conf/server.xml
++++ b/base/server/tomcat8/conf/server.xml
+@@ -212,7 +212,7 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
+            sslProtocol="SSL"
+            scheme="https"
+            secure="true"
+-           connectionTimeout="80000"
++           connectionTimeout="300000"
+            maxHttpHeaderSize="8192"
+            acceptCount="100" maxThreads="150" minSpareThreads="25"
+            enableLookups="false" disableUploadTimeout="true"
 -- 
 1.8.3.1
 
 
-From 215d07d0754a5397e5008e98fe42626e8de9e399 Mon Sep 17 00:00:00 2001
-From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
-Date: Fri, 22 Jul 2016 14:43:21 -0700
-Subject: [PATCH 57/96] Stop using a java8 only constant. Will allow
- compilation with java7. Trivial fix.
+From 470e6c6724fe59d9db9066971a9f24758d5fe0aa Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 20 Apr 2017 01:06:18 +0200
+Subject: [PATCH 15/49] Fixed SSL connection timeouts.
 
----
- .../cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java   | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
+The connectionTimeout parameter has been restored to 80 seconds.
+The keepAliveTimeout parameter has been set to 5 minutes.
 
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
-index 9593816..db42cab 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
-@@ -56,6 +56,8 @@ public class SecureChannelProtocol {
-     static final int PROTOCOL_THREE = 3;
-     static final int HOST_CRYPTOGRAM = 0;
-     static final int CARD_CRYPTOGRAM = 1;
-+    //Size of long type in bytes, since java7 has no define for this
-+    static final int LONG_SIZE = 8;
- 
-     private SymmetricKey transportKey = null;
-     CryptoManager cryptoManager = null;
-@@ -762,7 +764,7 @@ public class SecureChannelProtocol {
-     }
- 
-     public static byte[] longToBytes(long x) {
--        ByteBuffer buffer = ByteBuffer.allocate(Long.BYTES);
-+        ByteBuffer buffer = ByteBuffer.allocate(LONG_SIZE);
-         buffer.putLong(x);
-         return buffer.array();
-     }
+https://pagure.io/dogtagpki/issue/2643
+
+Change-Id: I05bca0284ad946d833ed144e2f93a4ef4b9b6f0f
+---
+ base/server/tomcat7/conf/server.xml | 3 ++-
+ base/server/tomcat8/conf/server.xml | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml
+index 35bd7a4..2db8bca 100644
+--- a/base/server/tomcat7/conf/server.xml
++++ b/base/server/tomcat7/conf/server.xml
+@@ -187,7 +187,8 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
+     -->
+     <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true"
+            maxHttpHeaderSize="8192"
+-           connectionTimeout="300000"
++           connectionTimeout="80000"
++           keepAliveTimeout="300000"
+            acceptCount="100" maxThreads="150" minSpareThreads="25"
+            enableLookups="false" disableUploadTimeout="true"
+            sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
+diff --git a/base/server/tomcat8/conf/server.xml b/base/server/tomcat8/conf/server.xml
+index 4daf85e..64b1b00 100644
+--- a/base/server/tomcat8/conf/server.xml
++++ b/base/server/tomcat8/conf/server.xml
+@@ -212,7 +212,8 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
+            sslProtocol="SSL"
+            scheme="https"
+            secure="true"
+-           connectionTimeout="300000"
++           connectionTimeout="80000"
++           keepAliveTimeout="300000"
+            maxHttpHeaderSize="8192"
+            acceptCount="100" maxThreads="150" minSpareThreads="25"
+            enableLookups="false" disableUploadTimeout="true"
 -- 
 1.8.3.1
 
 
-From a307cf68e91327ddbef4b9d7e2bbd3991354831f Mon Sep 17 00:00:00 2001
-From: Matthew Harmsen <mharmsen@redhat.com>
-Date: Fri, 22 Jul 2016 18:38:19 -0600
-Subject: [PATCH 58/96] Allow PrettyPrintCert to process HEADERs and TRAILERs.
+From 46cc674dcb6ff09167c69391054b36bdcfb36cbb Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 20 Apr 2017 01:03:29 +0200
+Subject: [PATCH 16/49] Refactored line concatenation.
+
+The code that concatenates lines has been simplified using
+String.replace().
 
-* PKI TRAC Ticket #2399 - Dogtag 10.3.5: Miscellaneous Enhancements
-  Checked-in under one-liner/trivial rule.
+Change-Id: Ib8532b12594604e3b013b5ac0ef30ce45f1351ea
 ---
- base/java-tools/templates/pretty_print_cert_command_wrapper.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/base/java-tools/templates/pretty_print_cert_command_wrapper.in b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
-index 63451d0..882e7a1 100644
---- a/base/java-tools/templates/pretty_print_cert_command_wrapper.in
-+++ b/base/java-tools/templates/pretty_print_cert_command_wrapper.in
-@@ -137,7 +137,7 @@ if [ $# -eq 1 ] ||
- then
-     if [ "$1" = "-simpleinfo" ]
-     then
--        file $2 | grep 'ASCII text' > /dev/null
-+        file $2 | grep -E 'ASCII text|PEM certificate' > /dev/null
-         if [ $? -ne 0 ] ; then
-             ${JAVA} ${JAVA_OPTIONS} -cp ${CP} com.netscape.cmstools.${COMMAND}
-             printf "\n"
-@@ -147,7 +147,7 @@ then
-             exit 255
-         fi
-     else
--        file $1 | grep 'ASCII text' > /dev/null
-+        file $1 | grep -E 'ASCII text|PEM certificate' > /dev/null
-         if [ $? -ne 0 ] ; then
-             ${JAVA} ${JAVA_OPTIONS} -cp ${CP} com.netscape.cmstools.${COMMAND}
-             printf "\n"
+ .../cms/profile/updater/SubsystemGroupUpdater.java  | 11 +++--------
+ .../netscape/cms/servlet/csadmin/RegisterUser.java  | 14 ++++----------
+ .../cms/servlet/processors/CAProcessor.java         | 21 ++++-----------------
+ .../servlet/profile/ProfileSubmitCMCServlet.java    | 10 ++--------
+ 4 files changed, 13 insertions(+), 43 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+index 7daa8e4..4ecc255 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
++++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+@@ -175,14 +175,9 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+                 byte[] certEncoded = cert.getEncoded();
+                 b64 = CMS.BtoA(certEncoded).trim();
+ 
+-                // extract all line separators
+-                StringBuffer sb = new StringBuffer();
+-                for (int i = 0; i < b64.length(); i++) {
+-                    if (!Character.isWhitespace(b64.charAt(i))) {
+-                        sb.append(b64.charAt(i));
+-                    }
+-                }
+-                b64 = sb.toString();
++                // concatenate lines
++                b64 = b64.replace("\r", "").replace("\n", "");
++
+             } catch (Exception ence) {
+                 CMS.debug("SubsystemGroupUpdater update: user cert encoding failed: " + ence);
+             }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
+index f02932e..77ef4d8 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
+@@ -27,8 +27,6 @@ import javax.servlet.ServletException;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+ 
+-import netscape.security.x509.X509CertImpl;
+-
+ import org.w3c.dom.Node;
+ 
+ import com.netscape.certsrv.apps.CMS;
+@@ -49,6 +47,8 @@ import com.netscape.cms.servlet.common.ICMSTemplateFiller;
+ import com.netscape.cmsutil.util.Utils;
+ import com.netscape.cmsutil.xml.XMLObject;
+ 
++import netscape.security.x509.X509CertImpl;
++
+ /**
+  * This servlet creates a TPS user in the CA,
+  * and it associates TPS's server certificate to
+@@ -207,14 +207,8 @@ public class RegisterUser extends CMSServlet {
+                 audit(auditMessage);
+             }
+ 
+-            // extract all line separators
+-            StringBuffer sb = new StringBuffer();
+-            for (int i = 0; i < certsString.length(); i++) {
+-                if (!Character.isWhitespace(certsString.charAt(i))) {
+-                    sb.append(certsString.charAt(i));
+-                }
+-            }
+-            certsString = sb.toString();
++            // concatenate lines
++            certsString = certsString.replace("\r", "").replace("\n", "");
+ 
+             auditParams = "Scope;;certs+Operation;;OP_ADD+source;;RegisterUser" +
+                         "+Resource;;" + uid +
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index 8c4fef1..4bc738c 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -1024,15 +1024,8 @@ public class CAProcessor extends Processor {
+ 
+             base64Data = Utils.base64encode(rawData).trim();
+ 
+-            // extract all line separators from the "base64Data"
+-            StringBuffer sb = new StringBuffer();
+-            for (int i = 0; i < base64Data.length(); i++) {
+-                if (!Character.isWhitespace(base64Data.charAt(i))) {
+-                    sb.append(base64Data.charAt(i));
+-
+-                }
+-            }
+-            cert = sb.toString();
++            // concatenate lines
++            cert = base64Data.replace("\r", "").replace("\n", "");
+         }
+ 
+         if (cert != null) {
+@@ -1180,14 +1173,8 @@ public class CAProcessor extends Processor {
+ 
+             base64Data = Utils.base64encode(rawData).trim();
+ 
+-            // extract all line separators from the "base64Data"
+-            StringBuffer sb = new StringBuffer();
+-            for (int i = 0; i < base64Data.length(); i++) {
+-                if (!Character.isWhitespace(base64Data.charAt(i))) {
+-                    sb.append(base64Data.charAt(i));
+-                }
+-            }
+-            cert = sb.toString();
++            // concatenate lines
++            cert = base64Data.replace("\r", "").replace("\n", "");
+         }
+ 
+         if (cert != null) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index fd155a6..83bab5b 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -928,14 +928,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+ 
+             base64Data = Utils.base64encode(rawData).trim();
+ 
+-            // extract all line separators from the "base64Data"
+-            StringBuffer sb = new StringBuffer();
+-            for (int i = 0; i < base64Data.length(); i++) {
+-                if (!Character.isWhitespace(base64Data.charAt(i))) {
+-                    sb.append(base64Data.charAt(i));
+-                }
+-            }
+-            cert = sb.toString();
++            // concatenate lines
++            cert = base64Data.replace("\r", "").replace("\n", "");
+         }
+ 
+         if (cert != null) {
 -- 
 1.8.3.1
 
 
-From 3f4c9e4e7946f3f330b71cfe36a00ae933de2575 Mon Sep 17 00:00:00 2001
+From 6bb1757a035d3439a65aa604a19dcdf48b7b2dbc Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 21 Jul 2016 02:26:24 +0200
-Subject: [PATCH 59/96] Added CMake target dependencies.
+Date: Thu, 20 Apr 2017 05:01:57 +0200
+Subject: [PATCH 17/49] Refactored additional line concatenation.
 
-To help troubleshooting build issues, some CMake dependencies have
-been added to some targets even though the actual codes do not
-require those dependencies. This will ensure the targets are built
-sequentially so build failures can be found more easily at the end
-of the build log.
+The code that concatenates lines has been simplified using
+String.replace().
 
-https://fedorahosted.org/pki/ticket/2403
+Change-Id: Id376f089cb9b8a78cfd9b3fb922e9cd9055c0e74
 ---
- base/native-tools/src/tkstool/CMakeLists.txt       | 2 +-
- base/server/tomcat/src/CMakeLists.txt              | 2 ++
- base/tps-client/src/CMakeLists.txt                 | 1 +
- base/tps-client/src/authentication/CMakeLists.txt  | 1 +
- base/tps-client/src/modules/tokendb/CMakeLists.txt | 1 +
- base/tps-client/src/modules/tps/CMakeLists.txt     | 1 +
- base/tps-client/src/tus/CMakeLists.txt             | 1 +
- 7 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/base/native-tools/src/tkstool/CMakeLists.txt b/base/native-tools/src/tkstool/CMakeLists.txt
-index 8b07950..8c65717 100644
---- a/base/native-tools/src/tkstool/CMakeLists.txt
-+++ b/base/native-tools/src/tkstool/CMakeLists.txt
-@@ -34,7 +34,7 @@ set(tkstool_SRCS
- include_directories(${TKSTOOL_PRIVATE_INCLUDE_DIRS})
- 
- add_executable(tkstool ${tkstool_SRCS})
--
-+add_dependencies(tkstool pki-certsrv-jar)
- target_link_libraries(tkstool ${TKSTOOL_LINK_LIBRARIES})
- 
- install(
-diff --git a/base/server/tomcat/src/CMakeLists.txt b/base/server/tomcat/src/CMakeLists.txt
-index 4cb40ad..c589758 100644
---- a/base/server/tomcat/src/CMakeLists.txt
-+++ b/base/server/tomcat/src/CMakeLists.txt
-@@ -135,4 +135,6 @@ javac(pki-tomcat-classes
- 		${NUXWDOG_JAR} ${APACHE_COMMONS_LANG_JAR} ${TOMCATJSS_JAR}
-     OUTPUT_DIR
-         ${CMAKE_BINARY_DIR}/../../tomcat
-+    DEPENDS
-+        pki-certsrv-jar
- )
-diff --git a/base/tps-client/src/CMakeLists.txt b/base/tps-client/src/CMakeLists.txt
-index b0276f8..28ca2e4 100644
---- a/base/tps-client/src/CMakeLists.txt
-+++ b/base/tps-client/src/CMakeLists.txt
-@@ -129,6 +129,7 @@ set(tps_library_SRCS
- include_directories(${TPS_PRIVATE_INCLUDE_DIRS})
- 
- add_library(${TPS_SHARED_LIBRARY} SHARED ${tps_library_SRCS})
-+add_dependencies(${TPS_SHARED_LIBRARY} pki-tps-jar)
- target_link_libraries(${TPS_SHARED_LIBRARY} ${TPS_LINK_LIBRARIES})
- 
- set_target_properties(
-diff --git a/base/tps-client/src/authentication/CMakeLists.txt b/base/tps-client/src/authentication/CMakeLists.txt
-index ba8ca07..b0ca83a 100644
---- a/base/tps-client/src/authentication/CMakeLists.txt
-+++ b/base/tps-client/src/authentication/CMakeLists.txt
-@@ -37,6 +37,7 @@ set(ldapauth_library_SRCS
- include_directories(${LDAPAUTH_PRIVATE_INCLUDE_DIRS})
- 
- add_library(${LDAPAUTH_SHARED_LIBRARY} SHARED ${ldapauth_library_SRCS})
-+add_dependencies(${LDAPAUTH_SHARED_LIBRARY} pki-tps-jar)
- target_link_libraries(${LDAPAUTH_SHARED_LIBRARY} ${LDAPAUTH_LINK_LIBRARIES})
- 
- set_target_properties(${LDAPAUTH_SHARED_LIBRARY}
-diff --git a/base/tps-client/src/modules/tokendb/CMakeLists.txt b/base/tps-client/src/modules/tokendb/CMakeLists.txt
-index 7b6edae..94db88e 100644
---- a/base/tps-client/src/modules/tokendb/CMakeLists.txt
-+++ b/base/tps-client/src/modules/tokendb/CMakeLists.txt
-@@ -31,6 +31,7 @@ set(tokendb_module_SRCS
- include_directories(${TOKENDB_PRIVATE_INCLUDE_DIRS})
- 
- add_library(${TOKENDB_MODULE} MODULE ${tokendb_module_SRCS})
-+add_dependencies(${TOKENDB_MODULE} pki-tps-jar)
- target_link_libraries(${TOKENDB_MODULE} ${TOKENDB_LINK_LIBRARIES})
- 
- set_target_properties(${TOKENDB_MODULE}
-diff --git a/base/tps-client/src/modules/tps/CMakeLists.txt b/base/tps-client/src/modules/tps/CMakeLists.txt
-index 275d8b3..ac990e5 100644
---- a/base/tps-client/src/modules/tps/CMakeLists.txt
-+++ b/base/tps-client/src/modules/tps/CMakeLists.txt
-@@ -35,6 +35,7 @@ set(tps_module_SRCS
- include_directories(${TPS_PRIVATE_INCLUDE_DIRS})
- 
- add_library(${TPS_MODULE} MODULE ${tps_module_SRCS})
-+add_dependencies(${TPS_MODULE} pki-tps-jar)
- target_link_libraries(${TPS_MODULE} ${TPS_LINK_LIBRARIES})
- 
- set_target_properties(${TPS_MODULE}
-diff --git a/base/tps-client/src/tus/CMakeLists.txt b/base/tps-client/src/tus/CMakeLists.txt
-index 3148d9e..912075f 100644
---- a/base/tps-client/src/tus/CMakeLists.txt
-+++ b/base/tps-client/src/tus/CMakeLists.txt
-@@ -35,6 +35,7 @@ set(tokendb_library_SRCS
- include_directories(${TOKENDB_PRIVATE_INCLUDE_DIRS})
- 
- add_library(${TOKENDB_SHARED_LIBRARY} SHARED ${tokendb_library_SRCS})
-+add_dependencies(${TOKENDB_SHARED_LIBRARY} pki-tps-jar)
- target_link_libraries(${TOKENDB_SHARED_LIBRARY} ${TOKENDB_LINK_LIBRARIES})
- 
- set_target_properties(${TOKENDB_SHARED_LIBRARY}
+ .../src/com/netscape/kra/EnrollmentService.java    | 12 ++++------
+ .../src/com/netscape/kra/KeyRecoveryAuthority.java | 26 ++++-----------------
+ .../cms/servlet/admin/CMSAdminServlet.java         | 11 ++-------
+ .../netscape/cms/servlet/cert/EnrollServlet.java   | 27 ++++++++--------------
+ .../cms/servlet/connector/ConnectorServlet.java    | 11 ++-------
+ .../cms/servlet/request/ProcessCertReq.java        | 11 ++-------
+ 6 files changed, 25 insertions(+), 73 deletions(-)
+
+diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
+index 381fee8..a200c34 100644
+--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
+@@ -24,7 +24,6 @@ import java.security.InvalidKeyException;
+ import java.security.PublicKey;
+ import java.security.cert.CertificateException;
+ import java.util.Arrays;
+-import java.util.StringTokenizer;
+ import java.util.Vector;
+ 
+ import org.mozilla.jss.asn1.ASN1Util;
+@@ -917,7 +916,7 @@ public class EnrollmentService implements IService {
+             return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+         }
+ 
+-        StringBuffer key = new StringBuffer();
++        String key = "";
+ 
+         // convert "rawData" into "base64Data"
+         if (rawData != null) {
+@@ -925,13 +924,10 @@ public class EnrollmentService implements IService {
+ 
+             base64Data = CMS.BtoA(rawData).trim();
+ 
+-            // extract all line separators from the "base64Data"
+-            StringTokenizer st = new StringTokenizer(base64Data, "\r\n");
+-            while (st.hasMoreTokens()) {
+-                key.append(st.nextToken());
+-            }
++            // concatenate lines
++            key = base64Data.replace("\r", "").replace("\n", "");
+         }
+-        String checkKey = key.toString().trim();
++        String checkKey = key.trim();
+         if (checkKey.equals("")) {
+             return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+         } else {
+diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+index 1df04db..ec920e6 100644
+--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+@@ -136,7 +136,6 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+     public IRequestListener mReqInQListener = null;
+ 
+     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+-    private final static byte EOL[] = { Character.LINE_SEPARATOR };
+     private final static String SIGNED_AUDIT_AGENT_DELIMITER = ", ";
+     /**
+      * Constructs an escrow authority.
+@@ -1713,16 +1712,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+         // convert "rawData" into "base64Data"
+         if (rawData != null) {
+             String base64Data = CMS.BtoA(rawData).trim();
+-            StringBuffer key = new StringBuffer();
+ 
+-            // extract all line separators from the "base64Data"
+-            for (int i = 0; i < base64Data.length(); i++) {
+-                if (base64Data.substring(i, i).getBytes() != EOL) {
+-                    key.append(base64Data.substring(i, i));
+-                }
+-            }
+-
+-            return key.toString();
++            // concatenate lines
++            return base64Data.replace("\r", "").replace("\n", "");
+         }
+ 
+         return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+@@ -1757,23 +1749,15 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+         }
+ 
+         String key = null;
+-        StringBuffer tempBuffer = new StringBuffer();
++
+         // convert "rawData" into "base64Data"
+         if (rawData != null) {
+             String base64Data = null;
+ 
+             base64Data = CMS.BtoA(rawData).trim();
+ 
+-            // extract all line separators from the "base64Data"
+-            for (int i = 0; i < base64Data.length(); i++) {
+-                if (base64Data.substring(i, i).getBytes() != EOL) {
+-                    tempBuffer.append(base64Data.substring(i, i));
+-                }
+-            }
+-        }
+-
+-        if (tempBuffer.length() > 0) {
+-            key = tempBuffer.toString();
++            // concatenate lines
++            key = base64Data.replace("\r", "").replace("\n", "");
+         }
+ 
+         if (key != null) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+index 229c377..e5a1474 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+@@ -105,7 +105,6 @@ public final class CMSAdminServlet extends AdminServlet {
+     private final static String PROP_INTERNAL_DB = "internaldb";
+ 
+     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+-    private final static byte EOL[] = { Character.LINE_SEPARATOR };
+ 
+     // CMS must be instantiated before this admin servlet.
+ 
+@@ -3390,7 +3389,6 @@ public final class CMSAdminServlet extends AdminServlet {
+         rawData = object.getPublic().getEncoded();
+ 
+         String key = null;
+-        StringBuffer sb = new StringBuffer();
+ 
+         // convert "rawData" into "base64Data"
+         if (rawData != null) {
+@@ -3398,14 +3396,9 @@ public final class CMSAdminServlet extends AdminServlet {
+ 
+             base64Data = Utils.base64encode(rawData).trim();
+ 
+-            // extract all line separators from the "base64Data"
+-            for (int i = 0; i < base64Data.length(); i++) {
+-                if (base64Data.substring(i, i).getBytes() != EOL) {
+-                    sb.append(base64Data.substring(i, i));
+-                }
+-            }
++            // concatenate lines
++            key = base64Data.replace("\r", "").replace("\n", "");
+         }
+-        key = sb.toString();
+ 
+         if (key != null) {
+             key = key.trim();
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
+index 3757967..6f01d2a 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
+@@ -35,14 +35,6 @@ import javax.servlet.http.HttpServletResponse;
+ 
+ import org.dogtagpki.legacy.policy.IPolicyProcessor;
+ 
+-import netscape.security.pkcs.PKCS10;
+-import netscape.security.x509.AlgorithmId;
+-import netscape.security.x509.CertificateAlgorithmId;
+-import netscape.security.x509.CertificateX509Key;
+-import netscape.security.x509.X509CertImpl;
+-import netscape.security.x509.X509CertInfo;
+-import netscape.security.x509.X509Key;
+-
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.authentication.AuthToken;
+ import com.netscape.certsrv.authentication.IAuthSubsystem;
+@@ -78,6 +70,14 @@ import com.netscape.cms.servlet.processors.PKCS10Processor;
+ import com.netscape.cms.servlet.processors.PKIProcessor;
+ import com.netscape.cmsutil.util.Utils;
+ 
++import netscape.security.pkcs.PKCS10;
++import netscape.security.x509.AlgorithmId;
++import netscape.security.x509.CertificateAlgorithmId;
++import netscape.security.x509.CertificateX509Key;
++import netscape.security.x509.X509CertImpl;
++import netscape.security.x509.X509CertInfo;
++import netscape.security.x509.X509Key;
++
+ /**
+  * Submit a Certificate Enrollment request
+  *
+@@ -138,7 +138,6 @@ public class EnrollServlet extends CMSServlet {
+             "racertbasedenrollment";
+     private final static String EE_RA_ENROLLMENT_SERVLET =
+             "raenrollment";
+-    private final static byte EOL[] = { Character.LINE_SEPARATOR };
+     private final static String[] SIGNED_AUDIT_AUTOMATED_REJECTION_REASON = new String[] {
+ 
+     /* 0 */"automated non-profile cert request rejection:  "
+@@ -1732,14 +1731,8 @@ public class EnrollServlet extends CMSServlet {
+ 
+             base64Data = Utils.base64encode(rawData).trim();
+ 
+-            StringBuffer sb = new StringBuffer();
+-            // extract all line separators from the "base64Data"
+-            for (int i = 0; i < base64Data.length(); i++) {
+-                if (base64Data.substring(i, i).getBytes() != EOL) {
+-                    sb.append(base64Data.substring(i, i));
+-                }
+-            }
+-            cert = sb.toString();
++            // concatenate lines
++            cert = base64Data.replace("\r", "").replace("\n", "");
+         }
+ 
+         if (cert != null) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+index 13c732b..9c75cc1 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+@@ -98,7 +98,6 @@ public class ConnectorServlet extends CMSServlet {
+ 
+     protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+     private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl";
+-    private final static byte EOL[] = { Character.LINE_SEPARATOR };
+ 
+     public ConnectorServlet() {
+     }
+@@ -1101,14 +1100,8 @@ public class ConnectorServlet extends CMSServlet {
+ 
+             base64Data = Utils.base64encode(rawData).trim();
+ 
+-            StringBuffer sb = new StringBuffer();
+-            // extract all line separators from the "base64Data"
+-            for (int i = 0; i < base64Data.length(); i++) {
+-                if (base64Data.substring(i, i).getBytes() != EOL) {
+-                    sb.append(base64Data.substring(i, i));
+-                }
+-            }
+-            cert = sb.toString();
++            // concatenate lines
++            cert = base64Data.replace("\r", "").replace("\n", "");
+         }
+ 
+         if (cert != null) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
+index d15774e..9d0da48 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
+@@ -118,7 +118,6 @@ public class ProcessCertReq extends CMSServlet {
+     private final static String SIGNED_AUDIT_CANCELLATION = "cancel";
+     private final static String SIGNED_AUDIT_CLONING = "clone";
+     private final static String SIGNED_AUDIT_REJECTION = "reject";
+-    private final static byte EOL[] = { Character.LINE_SEPARATOR };
+     private final static String[] SIGNED_AUDIT_MANUAL_CANCELLATION_REASON = new String[] {
+ 
+     /* 0 */"manual non-profile cert request cancellation:  "
+@@ -1840,14 +1839,8 @@ public class ProcessCertReq extends CMSServlet {
+ 
+             base64Data = Utils.base64encode(rawData).trim();
+ 
+-            // extract all line separators from the "base64Data"
+-            StringBuffer sb = new StringBuffer();
+-            for (int i = 0; i < base64Data.length(); i++) {
+-                if (base64Data.substring(i, i).getBytes() != EOL) {
+-                    sb.append(base64Data.substring(i, i));
+-                }
+-            }
+-            cert = sb.toString();
++            // concatenate lines
++            cert = base64Data.replace("\r", "").replace("\n", "");
+         }
+ 
+         if (cert != null) {
 -- 
 1.8.3.1
 
 
-From 9e77b42d88da07e91a42966bc2d1ea9237e62f47 Mon Sep 17 00:00:00 2001
+From 17e71d3ec1f52cc2e13590499dd70c5932885b20 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Fri, 22 Jul 2016 17:31:20 +0200
-Subject: [PATCH 60/96] Removed hard-coded paths in pki.policy.
+Date: Thu, 20 Apr 2017 09:56:16 +0200
+Subject: [PATCH 18/49] Added AdminServlet.audit(AuditEvent).
 
-The operations script has been modified to generate pki.policy
-dynamically from links in the <instance>/common/lib directory.
-This allows the pki.policy to match the actual paths in different
-platforms.
+A new audit() methods have been added to log AuditEvents in
+AdminServlet.
 
-https://fedorahosted.org/pki/ticket/2403
+Change-Id: I92a259363bdda553621491e46122365c7097946a
 ---
- base/server/scripts/operations    |  16 ++++-
- base/server/share/conf/pki.policy | 132 +-------------------------------------
- 2 files changed, 17 insertions(+), 131 deletions(-)
-
-diff --git a/base/server/scripts/operations b/base/server/scripts/operations
-index 14443c4..5991670 100644
---- a/base/server/scripts/operations
-+++ b/base/server/scripts/operations
-@@ -1352,10 +1352,24 @@ start_instance()
-         return $rv
-     fi
- 
-+    # Copy pki.policy template
-+    /bin/cp /usr/share/pki/server/conf/pki.policy /var/lib/pki/$PKI_INSTANCE_NAME/conf
-+
-+    # Add permissions for all JAR files in /var/lib/pki/$PKI_INSTANCE_NAME/common/lib
-+    for path in /var/lib/pki/$PKI_INSTANCE_NAME/common/lib/*; do
-+
-+        cat >> /var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy << EOF
-+
-+grant codeBase "file:$(realpath $path)" {
-+    permission java.security.AllPermission;
-+};
-+EOF
-+    done
-+
-     # Generate catalina.policy dynamically.
-     cat /usr/share/pki/server/conf/catalina.policy \
-         /usr/share/tomcat/conf/catalina.policy \
--        /usr/share/pki/server/conf/pki.policy \
-+        /var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy \
-         /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \
-         /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy
- 
-diff --git a/base/server/share/conf/pki.policy b/base/server/share/conf/pki.policy
-index e281e01..7d8cfec 100644
---- a/base/server/share/conf/pki.policy
-+++ b/base/server/share/conf/pki.policy
-@@ -4,10 +4,10 @@
- // --- END COPYRIGHT BLOCK ---
+ .../cms/src/com/netscape/cms/servlet/admin/AdminServlet.java   | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+index 089fcbe..16a2e39 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+@@ -1024,6 +1024,16 @@ public class AdminServlet extends HttpServlet {
+         auditor.log(msg);
+     }
  
- // ============================================================================
--// pki.policy - Default Security Policy Permissions for PKI on Tomcat 7
-+// pki.policy - Default Security Policy Permissions for PKI on Tomcat
- //
- // This file contains a default set of security policies for PKI running inside
--// Tomcat 7.
-+// Tomcat.
- // ============================================================================
- 
- grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
-@@ -22,42 +22,6 @@ grant codeBase "file:${catalina.base}/lib/-" {
-         permission java.security.AllPermission;
- };
- 
--grant codeBase "file:/usr/lib/java/jss4.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/lib/java/symkey.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/lib64/java/jss4.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/lib64/java/symkey.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/commons-codec.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/apache-commons-collections.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/apache-commons-io.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/apache-commons-lang.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/apache-commons-logging.jar" {
--        permission java.security.AllPermission;
--};
--
- grant codeBase "file:/usr/share/java/ecj.jar" {
-         permission java.security.AllPermission;
- };
-@@ -70,18 +34,6 @@ grant codeBase "file:/usr/share/java/glassfish-jsp.jar" {
-         permission java.security.AllPermission;
- };
- 
--grant codeBase "file:/usr/share/java/httpcomponents/httpclient.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/httpcomponents/httpcore.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/javassist.jar" {
--        permission java.security.AllPermission;
--};
--
- grant codeBase "file:/usr/share/java/jaxb-api.jar" {
-         permission java.security.AllPermission;
- };
-@@ -98,66 +50,10 @@ grant codeBase "file:/usr/share/java/jboss-web.jar" {
-         permission java.security.AllPermission;
- };
- 
--grant codeBase "file:/usr/share/java/jackson/jackson-core-asl.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/jackson/jackson-jaxrs.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/jackson/jackson-mapper-asl.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/jackson/jackson-mrbean.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/jackson/jackson-smile.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/jackson/jackson-xc.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/ldapjdk.jar" {
--        permission java.security.AllPermission;
--};
--
- grant codeBase "file:/usr/share/java/log4j.jar" {
-         permission java.security.AllPermission;
- };
- 
--grant codeBase "file:${RESTEASY_LIB}/jaxrs-api.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:${RESTEASY_LIB}/resteasy-atom-provider.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:${RESTEASY_LIB}/resteasy-client.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:${RESTEASY_LIB}/resteasy-jaxb-provider.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:${RESTEASY_LIB}/resteasy-jaxrs.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:${RESTEASY_LIB}/resteasy-jackson-provider.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/scannotation.jar" {
--        permission java.security.AllPermission;
--};
--
- grant codeBase "file:/usr/share/java/servlet.jar" {
-         permission java.security.AllPermission;
- };
-@@ -166,10 +62,6 @@ grant codeBase "file:/usr/share/java/tomcat/-" {
-         permission java.security.AllPermission;
- };
- 
--grant codeBase "file:/usr/share/java/tomcatjss.jar" {
--        permission java.security.AllPermission;
--};
--
- grant codeBase "file:/usr/share/java/tomcat-el-api.jar" {
-         permission java.security.AllPermission;
- };
-@@ -178,22 +70,6 @@ grant codeBase "file:/usr/share/java/tomcat-servlet-api.jar" {
-         permission java.security.AllPermission;
- };
- 
--grant codeBase "file:/usr/share/java/velocity.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/xerces-j2.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/xml-commons-apis.jar" {
--        permission java.security.AllPermission;
--};
--
--grant codeBase "file:/usr/share/java/xml-commons-resolver.jar" {
--        permission java.security.AllPermission;
--};
--
- grant codeBase "file:/usr/share/java/pki/-" {
-         permission java.security.AllPermission;
- };
-@@ -221,7 +97,3 @@ grant codeBase "file:${catalina.base}/webapps/tks/-" {
- grant codeBase "file:${catalina.base}/webapps/ROOT/-" {
-         permission java.security.AllPermission;
- };
--
--grant codeBase "file:/usr/lib/java/nuxwdog.jar" {
--        permission java.security.AllPermission;
--};
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
+     /**
+      * Signed Audit Log Subject ID
+      *
 -- 
 1.8.3.1
 
 
-From ecbf1cded60cec973316584baf272ae4c7bae1dd Mon Sep 17 00:00:00 2001
+From 4a28ac15f5552d6594b6f6bb58af8f076ab5c46f Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 21 Jul 2016 05:08:25 +0200
-Subject: [PATCH 61/96] Removed hard-coded paths in pki CLI.
+Date: Thu, 20 Apr 2017 03:43:06 +0200
+Subject: [PATCH 19/49] Refactored CAProcessor.auditInfoCertValue().
 
-The pki CLI has been modified to use java.ext.dirs property to
-load the dependencies instead of listing them individually. The
-dependencies are stored as links in /usr/share/pki/lib folder.
-This allows the RPM spec to customize the links for different
-platforms.
+The auditInfoCertValue(IRequest) in CAProcessor has been merged
+into auditInfoCertValue(X509CertImpl) since they are identical.
 
-https://fedorahosted.org/pki/ticket/2403
+Change-Id: Iccdad7a3c1ff3bc05f1f0ac1830eada21337dfca
 ---
- base/common/CMakeLists.txt     | 45 ++++++++++++++++++++++++++++++++++++++++++
- base/common/share/etc/pki.conf |  3 +++
- base/java-tools/bin/pki        | 43 ++++------------------------------------
- 3 files changed, 52 insertions(+), 39 deletions(-)
-
-diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
-index 1213925..dc5cecf 100644
---- a/base/common/CMakeLists.txt
-+++ b/base/common/CMakeLists.txt
-@@ -11,6 +11,51 @@ configure_file(
-     ${CMAKE_CURRENT_BINARY_DIR}/etc/pki.conf
- )
- 
-+# Create /usr/share/pki/lib. This can be customized for different platforms in RPM spec.
-+
-+add_custom_target(pki-lib ALL)
-+
-+add_custom_command(
-+    TARGET pki-lib
-+    COMMAND ${CMAKE_COMMAND} -E make_directory lib
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-cli.jar lib/commons-cli.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-codec.jar lib/commons-codec.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-httpclient.jar lib/commons-httpclient.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-io.jar lib/commons-io.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-lang.jar lib/commons-lang.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-logging.jar lib/commons-logging.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/httpcomponents/httpclient.jar lib/httpclient.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/httpcomponents/httpcore.jar lib/httpcore.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-core-asl.jar lib/jackson-core-asl.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-jaxrs.jar lib/jackson-jaxrs.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-mapper-asl.jar lib/jackson-mapper-asl.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-mrbean.jar lib/jackson-mrbean.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-smile.jar lib/jackson-smile.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-xc.jar lib/jackson-xc.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jaxb-api.jar lib/jaxb-api.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/jss4.jar lib/jss4.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/ldapjdk.jar lib/ldapjdk.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-certsrv.jar lib/pki-certsrv.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-cmsutil.jar lib/pki-cmsutil.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-nsutil.jar lib/pki-nsutil.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-tools.jar lib/pki-tools.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-atom-provider.jar lib/resteasy-atom-provider.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-client.jar lib/resteasy-client.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jackson-provider.jar lib/resteasy-jackson-provider.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxb-provider.jar lib/resteasy-jaxb-provider.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/jaxrs-api.jar lib/resteasy-jaxrs-api.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxrs-jandex.jar lib/resteasy-jaxrs-jandex.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxrs.jar lib/resteasy-jaxrs.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/servlet.jar lib/servlet.jar
-+)
-+
-+install(
-+    DIRECTORY
-+        ${CMAKE_CURRENT_BINARY_DIR}/lib/
-+    DESTINATION
-+        ${DATA_INSTALL_DIR}/lib
-+)
-+
- install(
-     FILES
-         ${CMAKE_CURRENT_SOURCE_DIR}/share/etc/logging.properties
-diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
-index f43d914..97f3777 100644
---- a/base/common/share/etc/pki.conf
-+++ b/base/common/share/etc/pki.conf
-@@ -4,5 +4,8 @@ JAVA_HOME=${JAVA_HOME}
- # JNI jar file location
- JNI_JAR_DIR=/usr/lib/java
- 
-+# PKI library
-+PKI_LIB=/usr/share/pki/lib
-+
- # logging configuration location
- LOGGING_CONFIG=/usr/share/pki/etc/logging.properties
-diff --git a/base/java-tools/bin/pki b/base/java-tools/bin/pki
-index c1ba34e..ba321be 100644
---- a/base/java-tools/bin/pki
-+++ b/base/java-tools/bin/pki
-@@ -76,11 +76,11 @@ class PKICLI(pki.cli.CLI):
-             shell=True)
-         java_home = value.decode(sys.getfilesystemencoding()).strip()
- 
--        # read RESTEasy library path
-+        # read PKI library
-         value = subprocess.check_output(
--            '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $RESTEASY_LIB',
-+            '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $PKI_LIB',
-             shell=True)
--        resteasy_lib = value.decode(sys.getfilesystemencoding()).strip()
-+        pki_lib = value.decode(sys.getfilesystemencoding()).strip()
- 
-         # read logging configuration path
-         value = subprocess.check_output(
-@@ -88,44 +88,9 @@ class PKICLI(pki.cli.CLI):
-             shell=True)
-         logging_config = value.decode(sys.getfilesystemencoding()).strip()
- 
--        # construct classpath
--        classpath = [
--            '/usr/share/java/commons-cli.jar',
--            '/usr/share/java/commons-codec.jar',
--            '/usr/share/java/commons-httpclient.jar',
--            '/usr/share/java/commons-io.jar',
--            '/usr/share/java/commons-lang.jar',
--            '/usr/share/java/commons-logging.jar',
--            '/usr/share/java/httpcomponents/httpclient.jar',
--            '/usr/share/java/httpcomponents/httpcore.jar',
--            '/usr/share/java/jackson/jackson-core-asl.jar',
--            '/usr/share/java/jackson/jackson-jaxrs.jar',
--            '/usr/share/java/jackson/jackson-mapper-asl.jar',
--            '/usr/share/java/jackson/jackson-mrbean.jar',
--            '/usr/share/java/jackson/jackson-smile.jar',
--            '/usr/share/java/jackson/jackson-xc.jar',
--            '/usr/share/java/jaxb-api.jar',
--            '/usr/share/java/ldapjdk.jar',
--            '/usr/share/java/servlet.jar',
--            resteasy_lib + '/jaxrs-api.jar',
--            resteasy_lib + '/resteasy-atom-provider.jar',
--            resteasy_lib + '/resteasy-client.jar',
--            resteasy_lib + '/resteasy-jaxb-provider.jar',
--            resteasy_lib + '/resteasy-jaxrs.jar',
--            resteasy_lib + '/resteasy-jaxrs-jandex.jar',
--            resteasy_lib + '/resteasy-jackson-provider.jar',
--            '/usr/share/java/pki/pki-nsutil.jar',
--            '/usr/share/java/pki/pki-cmsutil.jar',
--            '/usr/share/java/pki/pki-certsrv.jar',
--            '/usr/share/java/pki/pki-tools.jar',
--            '/usr/lib64/java/jss4.jar',
--            '/usr/lib/java/jss4.jar'
--        ]
--
-         cmd = [
-             java_home + '/bin/java',
--            '-cp',
--            ':'.join(classpath),
-+            '-Djava.ext.dirs=' + pki_lib,
-             '-Djava.util.logging.config.file=' + logging_config,
-             'com.netscape.cmstools.cli.MainCLI'
-         ]
+ .../netscape/cms/servlet/cert/CertProcessor.java   |  8 +--
+ .../cms/servlet/processors/CAProcessor.java        | 57 ----------------------
+ 2 files changed, 5 insertions(+), 60 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+index 156060a..c16d8e0 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+@@ -36,6 +36,7 @@ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.profile.EDeferException;
+ import com.netscape.certsrv.profile.ERejectException;
++import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.profile.IProfile;
+ import com.netscape.certsrv.profile.IProfileAuthenticator;
+ import com.netscape.certsrv.profile.IProfileContext;
+@@ -51,6 +52,8 @@ import com.netscape.cms.servlet.processors.CAProcessor;
+ import com.netscape.cms.tomcat.ExternalPrincipal;
+ import com.netscape.cmsutil.ldap.LDAPUtil;
+ 
++import netscape.security.x509.X509CertImpl;
++
+ public class CertProcessor extends CAProcessor {
+ 
+     public CertProcessor(String id, Locale locale) throws EPropertyNotFound, EBaseException {
+@@ -217,7 +220,6 @@ public class CertProcessor extends CAProcessor {
+         String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = ILogger.UNIDENTIFIED;
+-        String auditInfoCertValue = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+         String errorCode = null;
+         String errorReason = null;
+ 
+@@ -244,8 +246,8 @@ public class CertProcessor extends CAProcessor {
+                 profile.submit(authToken, req);
+                 req.setRequestStatus(RequestStatus.COMPLETE);
+ 
+-                // reset the "auditInfoCertValue"
+-                auditInfoCertValue = auditInfoCertValue(req);
++                X509CertImpl x509cert = req.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
++                String auditInfoCertValue = auditInfoCertValue(x509cert);
+ 
+                 if (auditInfoCertValue != null) {
+                     if (!(auditInfoCertValue.equals(
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index 4bc738c..a98d555 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -53,7 +53,6 @@ import com.netscape.certsrv.dbs.certdb.ICertRecord;
+ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+-import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.profile.IProfile;
+ import com.netscape.certsrv.profile.IProfileAuthenticator;
+ import com.netscape.certsrv.profile.IProfileSubsystem;
+@@ -985,62 +984,6 @@ public class CAProcessor extends Processor {
+         return requesterID;
+     }
+ 
+-    /**
+-     * Signed Audit Log Info Certificate Value
+-     *
+-     * This method is called to obtain the certificate from the passed in
+-     * "X509CertImpl" for a signed audit log message.
+-     * <P>
+-     *
+-     * @param request request containing an X509CertImpl
+-     * @return cert string containing the certificate
+-     */
+-    protected String auditInfoCertValue(IRequest request) {
+-        // if no signed audit object exists, bail
+-        if (signedAuditLogger == null) {
+-            return null;
+-        }
+-
+-        X509CertImpl x509cert = request.getExtDataInCert(
+-                IEnrollProfile.REQUEST_ISSUED_CERT);
+-
+-        if (x509cert == null) {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-
+-        byte rawData[] = null;
+-
+-        try {
+-            rawData = x509cert.getEncoded();
+-        } catch (CertificateEncodingException e) {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-
+-        String cert = null;
+-
+-        // convert "rawData" into "base64Data"
+-        if (rawData != null) {
+-            String base64Data = null;
+-
+-            base64Data = Utils.base64encode(rawData).trim();
+-
+-            // concatenate lines
+-            cert = base64Data.replace("\r", "").replace("\n", "");
+-        }
+-
+-        if (cert != null) {
+-            cert = cert.trim();
+-
+-            if (cert.equals("")) {
+-                return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-            } else {
+-                return cert;
+-            }
+-        } else {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-    }
+-
+     protected String auditSubjectID() {
+         // if no signed audit object exists, bail
+         if (signedAuditLogger == null) {
 -- 
 1.8.3.1
 
 
-From 4926aace5cf0be65ddddf51c031e6cac6646a1dd Mon Sep 17 00:00:00 2001
+From 41fcfc470c6462bc069774c74ecfe2fe09cf6ac3 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 21 Jul 2016 05:08:25 +0200
-Subject: [PATCH 63/96] Removed hard-coded paths in deployment tool.
+Date: Thu, 20 Apr 2017 04:24:18 +0200
+Subject: [PATCH 20/49] Refactored ConnectorServlet.auditInfoCertValue().
 
-The deployment tool has been modified to link <instance>/common
-to /usr/share/pki/server/common instead of creating separate links
-for each dependency. This allows the RPM spec to customize the
-links for different platforms.
+The ConnectorServlet.auditInfoCertValue() has been refactored to
+accept X509CertImpl like CAProcessor.auditInfoCertValue().
 
-https://fedorahosted.org/pki/ticket/2403
+Change-Id: I42f4a17a20f43a8c9dd2b329b07de3a23da7ca33
 ---
- base/server/CMakeLists.txt                         |  47 +++++++
- base/server/etc/default.cfg                        |  82 ------------
- .../deployment/scriptlets/instance_layout.py       | 143 +--------------------
- base/server/scripts/operations                     |  79 ------------
- 4 files changed, 54 insertions(+), 297 deletions(-)
-
-diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
-index 5a6aea9..27470f3 100644
---- a/base/server/CMakeLists.txt
-+++ b/base/server/CMakeLists.txt
-@@ -21,6 +21,53 @@ set(APACHE_SUBSYSTEMS
-     tps
- )
- 
-+# Create /usr/share/pki/server/common/lib. This can be customized for different platforms in RPM spec.
-+
-+add_custom_target(pki-server-common-lib ALL)
-+
-+add_custom_command(
-+    TARGET pki-server-common-lib
-+    COMMAND ${CMAKE_COMMAND} -E make_directory common/lib
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-codec.jar common/lib/commons-codec.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-collections.jar common/lib/commons-collections.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-io.jar common/lib/commons-io.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-lang.jar common/lib/commons-lang.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/commons-logging.jar common/lib/commons-logging.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/httpcomponents/httpclient.jar common/lib/httpclient.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/httpcomponents/httpcore.jar common/lib/httpcore.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-core-asl.jar common/lib/jackson-core-asl.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-jaxrs.jar common/lib/jackson-jaxrs.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-mapper-asl.jar common/lib/jackson-mapper-asl.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-mrbean.jar common/lib/jackson-mrbean.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-smile.jar common/lib/jackson-smile.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jackson/jackson-xc.jar common/lib/jackson-xc.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/javassist.jar common/lib/javassist.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/jss4.jar common/lib/jss4.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/ldapjdk.jar common/lib/ldapjdk.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/nuxwdog.jar common/lib/nuxwdog.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-tomcat.jar common/lib/pki-tomcat.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-atom-provider.jar common/lib/resteasy-atom-provider.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-client.jar common/lib/resteasy-client.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jackson-provider.jar common/lib/resteasy-jackson-provider.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxb-provider.jar common/lib/resteasy-jaxb-provider.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/jaxrs-api.jar common/lib/resteasy-jaxrs-api.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxrs.jar common/lib/resteasy-jaxrs.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/scannotation.jar common/lib/scannotation.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/symkey.jar common/lib/symkey.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/tomcatjss.jar common/lib/tomcatjss.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/velocity.jar common/lib/velocity.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xerces-j2.jar common/lib/xerces-j2.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xml-commons-apis.jar common/lib/xml-commons-apis.jar
-+    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xml-commons-resolver.jar common/lib/xml-commons-resolver.jar
-+)
-+
-+install(
-+    DIRECTORY
-+        ${CMAKE_CURRENT_BINARY_DIR}/common/lib/
-+    DESTINATION
-+        ${DATA_INSTALL_DIR}/server/common/lib
-+)
-+
- install(
-     DIRECTORY
-         man/
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index edd2632..4919cb4 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -268,88 +268,6 @@ pki_tomcat_subsystem_webapps_path=%(pki_subsystem_path)s/webapps
- pki_tomcat_webapps_subsystem_path=%(pki_tomcat_subsystem_webapps_path)s/%(pki_subsystem_type)s
- pki_tomcat_webapps_subsystem_webinf_classes_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/classes
- pki_tomcat_webapps_subsystem_webinf_lib_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/lib
--pki_certsrv_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-certsrv.jar
--pki_cmsbundle_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsbundle.jar
--pki_cmscore_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmscore.jar
--pki_cms_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cms.jar
--pki_cmsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsutil.jar
--pki_nsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-nsutil.jar
--
--
--# JAR paths
--# These are used in the processing of pkispawn and are not supposed
--# to be overwritten by user configuration files
--pki_jss_jar=%(jni_jar_dir)s/jss4.jar
--pki_symkey_jar=%(jni_jar_dir)s/symkey.jar
--pki_apache_commons_collections_jar=/usr/share/java/apache-commons-collections.jar
--pki_apache_commons_io_jar=/usr/share/java/apache-commons-io.jar
--pki_apache_commons_lang_jar=/usr/share/java/apache-commons-lang.jar
--pki_apache_commons_logging_jar=/usr/share/java/apache-commons-logging.jar
--pki_commons_codec_jar=/usr/share/java/commons-codec.jar
--pki_httpclient_jar=/usr/share/java/httpcomponents/httpclient.jar
--pki_httpcore_jar=/usr/share/java/httpcomponents/httpcore.jar
--pki_javassist_jar=/usr/share/java/javassist.jar
--pki_ldapjdk_jar=/usr/share/java/ldapjdk.jar
--pki_certsrv_jar=/usr/share/java/pki/pki-certsrv.jar
--pki_cmsbundle=/usr/share/java/pki/pki-cmsbundle.jar
--pki_cmscore=/usr/share/java/pki/pki-cmscore.jar
--pki_cms=/usr/share/java/pki/pki-cms.jar
--pki_cmsutil=/usr/share/java/pki/pki-cmsutil.jar
--pki_nsutil=/usr/share/java/pki/pki-nsutil.jar
--pki_tomcat_jar=/usr/share/java/pki/pki-tomcat.jar
--pki_scannotation_jar=/usr/share/java/scannotation.jar
--pki_tomcatjss_jar=/usr/share/java/tomcatjss.jar
--pki_velocity_jar=/usr/share/java/velocity.jar
--pki_xerces_j2_jar=/usr/share/java/xerces-j2.jar
--pki_xml_commons_apis_jar=/usr/share/java/xml-commons-apis.jar
--pki_xml_commons_resolver_jar=/usr/share/java/xml-commons-resolver.jar
--pki_jss_jar_link=%(pki_tomcat_common_lib_path)s/jss4.jar
--pki_symkey_jar_link=%(pki_tomcat_common_lib_path)s/symkey.jar
--pki_apache_commons_collections_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-collections.jar
--pki_apache_commons_io_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-io.jar
--pki_apache_commons_lang_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-lang.jar
--pki_apache_commons_logging_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-logging.jar
--pki_commons_codec_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-codec.jar
--pki_httpclient_jar_link=%(pki_tomcat_common_lib_path)s/httpclient.jar
--pki_httpcore_jar_link=%(pki_tomcat_common_lib_path)s/httpcore.jar
--pki_javassist_jar_link=%(pki_tomcat_common_lib_path)s/javassist.jar
--pki_ldapjdk_jar_link=%(pki_tomcat_common_lib_path)s/ldapjdk.jar
--pki_tomcat_jar_link=%(pki_tomcat_common_lib_path)s/pki-tomcat.jar
--pki_scannotation_jar_link=%(pki_tomcat_common_lib_path)s/scannotation.jar
--pki_tomcatjss_jar_link=%(pki_tomcat_common_lib_path)s/tomcatjss.jar
--pki_velocity_jar_link=%(pki_tomcat_common_lib_path)s/velocity.jar
--pki_xerces_j2_jar_link=%(pki_tomcat_common_lib_path)s/xerces-j2.jar
--pki_xml_commons_apis_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-apis.jar
--pki_xml_commons_resolver_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-resolver.jar
--pki_ca_jar=/usr/share/java/pki/pki-ca.jar
--pki_ca_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ca.jar
--pki_kra_jar=/usr/share/java/pki/pki-kra.jar
--pki_kra_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-kra.jar
--pki_ocsp_jar=/usr/share/java/pki/pki-ocsp.jar
--pki_ocsp_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ocsp.jar
--pki_tks_jar=/usr/share/java/pki/pki-tks.jar
--pki_tks_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-tks.jar
--pki_tps_jar=/usr/share/java/pki/pki-tps.jar
--pki_tps_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-tps.jar
--
--# Jackson
--pki_jackson_core_asl_jar=/usr/share/java/jackson/jackson-core-asl.jar
--pki_jackson_jaxrs_jar=/usr/share/java/jackson/jackson-jaxrs.jar
--pki_jackson_mapper_asl_jar=/usr/share/java/jackson/jackson-mapper-asl.jar
--pki_jackson_mrbean_jar=/usr/share/java/jackson/jackson-mrbean.jar
--pki_jackson_smile_jar=/usr/share/java/jackson/jackson-smile.jar
--pki_jackson_xc_jar=/usr/share/java/jackson/jackson-xc.jar
--
--# RESTEasy
--pki_resteasy_atom_provider_jar=%(resteasy_lib)s/resteasy-atom-provider.jar
--pki_resteasy_client_jar=%(resteasy_lib)s/resteasy-client.jar
--pki_resteasy_jaxb_provider_jar=%(resteasy_lib)s/resteasy-jaxb-provider.jar
--pki_resteasy_jaxrs_api_jar=%(resteasy_lib)s/jaxrs-api.jar
--pki_resteasy_jaxrs_jar=%(resteasy_lib)s/resteasy-jaxrs.jar
--pki_resteasy_jackson_provider_jar=%(resteasy_lib)s/resteasy-jackson-provider.jar
--
--# nuxwdog
--pki_nuxwdog_client_jar=/usr/lib/java/nuxwdog.jar
- 
- 
- ###############################################################################
-diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
-index 57f8537..c470c7f 100644
---- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
-+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
-@@ -122,11 +122,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                     "localhost",
-                     "pki#js.xml"))
- 
--            # establish Tomcat instance base
--            deployer.directory.create(deployer.mdict['pki_tomcat_common_path'])
--            deployer.directory.create(
--                deployer.mdict['pki_tomcat_common_lib_path'])
--            # establish Tomcat instance library
-+            # Create Tomcat instance library
-             deployer.directory.create(deployer.mdict['pki_instance_lib'])
-             for name in os.listdir(deployer.mdict['pki_tomcat_lib_path']):
-                 deployer.symlink.create(
-@@ -139,6 +135,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-             deployer.symlink.create(
-                 deployer.mdict['pki_instance_conf_log4j_properties'],
-                 deployer.mdict['pki_instance_lib_log4j_properties'])
-+
-+            # Link /var/lib/pki/<instance>/common to /usr/share/pki/server/common
-+            deployer.symlink.create(
-+                '/usr/share/pki/server/common',
-+                deployer.mdict['pki_tomcat_common_path'])
-+
-             deployer.directory.create(deployer.mdict['pki_tomcat_tmpdir_path'])
- 
-             deployer.directory.create(deployer.mdict['pki_tomcat_work_path'])
-@@ -160,129 +162,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                 deployer.mdict['pki_tomcat_systemd'],
-                 deployer.mdict['pki_instance_systemd_link'],
-                 uid=0, gid=0)
--            # establish Tomcat instance common lib jar symbolic links
--            deployer.symlink.create(
--                deployer.mdict['pki_apache_commons_collections_jar'],
--                deployer.mdict['pki_apache_commons_collections_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_apache_commons_io_jar'],
--                deployer.mdict['pki_apache_commons_io_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_apache_commons_lang_jar'],
--                deployer.mdict['pki_apache_commons_lang_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_apache_commons_logging_jar'],
--                deployer.mdict['pki_apache_commons_logging_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_commons_codec_jar'],
--                deployer.mdict['pki_commons_codec_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_httpclient_jar'],
--                deployer.mdict['pki_httpclient_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_httpcore_jar'],
--                deployer.mdict['pki_httpcore_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_javassist_jar'],
--                deployer.mdict['pki_javassist_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_jss_jar'],
--                deployer.mdict['pki_jss_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_ldapjdk_jar'],
--                deployer.mdict['pki_ldapjdk_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_tomcat_jar'],
--                deployer.mdict['pki_tomcat_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_scannotation_jar'],
--                deployer.mdict['pki_scannotation_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_tomcatjss_jar'],
--                deployer.mdict['pki_tomcatjss_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_velocity_jar'],
--                deployer.mdict['pki_velocity_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_xerces_j2_jar'],
--                deployer.mdict['pki_xerces_j2_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_xml_commons_apis_jar'],
--                deployer.mdict['pki_xml_commons_apis_jar_link'])
--            deployer.symlink.create(
--                deployer.mdict['pki_xml_commons_resolver_jar'],
--                deployer.mdict['pki_xml_commons_resolver_jar_link'])
--
--            # Jackson
--            deployer.symlink.create(
--                deployer.mdict['pki_jackson_core_asl_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'jackson-core-asl.jar'))
--            deployer.symlink.create(
--                deployer.mdict['pki_jackson_jaxrs_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'jackson-jaxrs.jar'))
--            deployer.symlink.create(
--                deployer.mdict['pki_jackson_mapper_asl_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'jackson-mapper-asl.jar'))
--            deployer.symlink.create(
--                deployer.mdict['pki_jackson_mrbean_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'jackson-mrbean.jar'))
--            deployer.symlink.create(
--                deployer.mdict['pki_jackson_smile_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'jackson-smile.jar'))
--            deployer.symlink.create(
--                deployer.mdict['pki_jackson_xc_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'jackson-xc.jar'))
--
--            # RESTEasy
--            deployer.symlink.create(
--                deployer.mdict['pki_resteasy_atom_provider_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'resteasy-atom-provider.jar'))
--            deployer.symlink.create(
--                deployer.mdict['pki_resteasy_client_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'resteasy-client.jar'))
--            deployer.symlink.create(
--                deployer.mdict['pki_resteasy_jaxb_provider_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'resteasy-jaxb-provider.jar'))
--            deployer.symlink.create(
--                deployer.mdict['pki_resteasy_jaxrs_api_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'jaxrs-api.jar'))
--            deployer.symlink.create(
--                deployer.mdict['pki_resteasy_jaxrs_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'resteasy-jaxrs.jar'))
--            deployer.symlink.create(
--                deployer.mdict['pki_resteasy_jackson_provider_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'resteasy-jackson-provider.jar'))
--
--            # nuxwdog
--            deployer.symlink.create(
--                deployer.mdict['pki_nuxwdog_client_jar'],
--                os.path.join(
--                    deployer.mdict['pki_tomcat_common_lib_path'],
--                    'nuxwdog.jar'))
- 
-             # establish shared NSS security databases for this instance
-             deployer.directory.create(deployer.mdict['pki_database_path'])
-@@ -297,14 +176,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                 deployer.mdict['pki_instance_log_path'],
-                 deployer.mdict['pki_instance_logs_link'])
- 
--            # create the sym link to symkey regardless of subsystem
--            # as long as pki-symkey is installed on the system
--            if os.path.exists(deployer.mdict['pki_symkey_jar']):
--                if not os.path.exists(deployer.mdict['pki_symkey_jar_link']):
--                    deployer.symlink.create(
--                        deployer.mdict['pki_symkey_jar'],
--                        deployer.mdict['pki_symkey_jar_link'])
--
-             # create Tomcat instance systemd service link
-             deployer.symlink.create(deployer.mdict['pki_systemd_service'],
-                                     deployer.mdict['pki_systemd_service_link'])
-diff --git a/base/server/scripts/operations b/base/server/scripts/operations
-index 5991670..5b50178 100644
---- a/base/server/scripts/operations
-+++ b/base/server/scripts/operations
-@@ -909,7 +909,6 @@ verify_symlinks()
-     declare -A ocsp_symlinks
-     declare -A tks_symlinks
-     declare -A tps_symlinks
--    declare -A common_jar_symlinks
-     declare -A ca_jar_symlinks
-     declare -A kra_jar_symlinks
-     declare -A ocsp_jar_symlinks
-@@ -985,75 +984,6 @@ verify_symlinks()
-         [logs]=/var/log/pki/${PKI_INSTANCE_NAME}/tps
-         [registry]=${pki_registry_dir})
- 
--    # '${pki_common_jar_dir}' symlinks
--    if ! $debian; then
--        common_jar_symlinks=(
--            [apache-commons-codec.jar]=${java_dir}/commons-codec.jar
--            [apache-commons-collections.jar]=${java_dir}/apache-commons-collections.jar
--            [apache-commons-io.jar]=${java_dir}/apache-commons-io.jar
--            [apache-commons-lang.jar]=${java_dir}/apache-commons-lang.jar
--            [apache-commons-logging.jar]=${java_dir}/apache-commons-logging.jar
--            [httpclient.jar]=${java_dir}/httpcomponents/httpclient.jar
--            [httpcore.jar]=${java_dir}/httpcomponents/httpcore.jar
--            [javassist.jar]=${java_dir}/javassist.jar
--            [jaxrs-api.jar]=${RESTEASY_LIB}/jaxrs-api.jar
--            [jackson-core-asl.jar]=${java_dir}/jackson/jackson-core-asl.jar
--            [jackson-jaxrs.jar]=${java_dir}/jackson/jackson-jaxrs.jar
--            [jackson-mapper-asl.jar]=${java_dir}/jackson/jackson-mapper-asl.jar
--            [jackson-mrbean.jar]=${java_dir}/jackson/jackson-mrbean.jar
--            [jackson-smile.jar]=${java_dir}/jackson/jackson-smile.jar
--            [jackson-xc.jar]=${java_dir}/jackson/jackson-xc.jar
--            [jss4.jar]=${jni_jar_dir}/jss4.jar
--            [ldapjdk.jar]=${java_dir}/ldapjdk.jar
--            [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar
--            [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar
--            [resteasy-client.jar]=${RESTEASY_LIB}/resteasy-client.jar
--            [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar
--            [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar
--            [resteasy-jackson-provider.jar]=${RESTEASY_LIB}/resteasy-jackson-provider.jar
--            [scannotation.jar]=${java_dir}/scannotation.jar
--            [tomcatjss.jar]=${java_dir}/tomcatjss.jar
--            [velocity.jar]=${java_dir}/velocity.jar
--            [xerces-j2.jar]=${java_dir}/xerces-j2.jar
--            [xml-commons-apis.jar]=${java_dir}/xml-commons-apis.jar
--            [xml-commons-resolver.jar]=${java_dir}/xml-commons-resolver.jar)
--    else
--        common_jar_symlinks=(
--            [apache-commons-codec.jar]=${java_dir}/commons-codec.jar
--            [apache-commons-collections.jar]=${java_dir}/commons-collections3.jar
--            [apache-commons-io.jar]=${java_dir}/commons-io.jar
--            [apache-commons-lang.jar]=${java_dir}/commons-lang.jar
--            [apache-commons-logging.jar]=${java_dir}/commons-logging.jar
--            [httpclient.jar]=${java_dir}/httpclient.jar
--            [httpcore.jar]=${java_dir}/httpcore.jar
--            [javassist.jar]=${java_dir}/javassist.jar
--            [jaxrs-api.jar]=${RESTEASY_LIB}/jaxrs-api.jar
--            [jackson-core-asl.jar]=${java_dir}/jackson-core-asl.jar
--            [jackson-jaxrs.jar]=${java_dir}/jackson-jaxrs.jar
--            [jackson-mapper-asl.jar]=${java_dir}/jackson-mapper-asl.jar
--            [jackson-mrbean.jar]=${java_dir}/jackson-mrbean.jar
--            [jackson-smile.jar]=${java_dir}/jackson-smile.jar
--            [jackson-xc.jar]=${java_dir}/jackson-xc.jar
--            [jss4.jar]=${jni_jar_dir}/jss4.jar
--            [ldapjdk.jar]=${java_dir}/ldapjdk.jar
--            [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar
--            [resteasy-atom-provider.jar]=${RESTEASY_LIB}/resteasy-atom-provider.jar
--            [resteasy-client.jar]=${RESTEASY_LIB}/resteasy-client.jar
--            [resteasy-jaxb-provider.jar]=${RESTEASY_LIB}/resteasy-jaxb-provider.jar
--            [resteasy-jaxrs.jar]=${RESTEASY_LIB}/resteasy-jaxrs.jar
--            [resteasy-jackson-provider.jar]=${RESTEASY_LIB}/resteasy-jackson-provider.jar
--            [scannotation.jar]=${java_dir}/scannotation.jar
--            [tomcatjss.jar]=${java_dir}/tomcatjss.jar
--            [velocity.jar]=${java_dir}/velocity.jar
--            [xerces-j2.jar]=${java_dir}/xercesImpl.jar
--            [xml-commons-apis.jar]=${java_dir}/xml-apis.jar
--            [xml-commons-resolver.jar]=${java_dir}/xml-resolver.jar)
--    fi
--
--    if [ -e ${PKI_INSTANCE_PATH}/tks ]; then
--        common_jar_symlinks[symkey.jar]=${jni_jar_dir}/symkey.jar
--    fi
--
-     # '${pki_systemd_dir}' symlinks
-     systemd_symlinks[${pki_systemd_link}]=${systemd_dir}/${pki_systemd_service}
- 
-@@ -1132,15 +1062,6 @@ verify_symlinks()
-             fi
-         fi
- 
--        # Detect and correct 'common_jar_symlinks'
--        common_jar_symlinks_string=$(declare -p common_jar_symlinks)
--        eval "declare -A symlinks=${common_jar_symlinks_string#*=}"
--        check_symlinks ${pki_common_jar_dir} ${PKI_USER} ${PKI_GROUP}
--        rv=$?
--        if [ $rv -ne 0 ]; then
--            return $rv
--        fi
--
-         # Detect and correct 'systemd_symlinks'
-         systemd_symlinks_string=$(declare -p systemd_symlinks)
-         eval "declare -A symlinks=${systemd_symlinks_string#*=}"
+ .../cms/servlet/connector/ConnectorServlet.java      | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+index 9c75cc1..6732e92 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+@@ -424,9 +424,6 @@ public class ConnectorServlet extends CMSServlet {
+         String auditCertificateSubjectName = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+         String subject = null;
+ 
+-        // additional parms for LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED
+-        String auditInfoCertValue = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-
+         // "normalize" the "auditSubjectID"
+         if (auditSubjectID != null) {
+             auditSubjectID = auditSubjectID.trim();
+@@ -622,8 +619,9 @@ public class ConnectorServlet extends CMSServlet {
+                 queue.processRequest(thisreq);
+ 
+                 if (isProfileRequest(thisreq)) {
+-                    // reset the "auditInfoCertValue"
+-                    auditInfoCertValue = auditInfoCertValue(thisreq);
++
++                    X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
++                    String auditInfoCertValue = auditInfoCertValue(x509cert);
+ 
+                     if (auditInfoCertValue != null) {
+                         if (!(auditInfoCertValue.equals(
+@@ -643,8 +641,9 @@ public class ConnectorServlet extends CMSServlet {
+                 }
+             } catch (EBaseException eAudit1) {
+                 if (isProfileRequest(thisreq)) {
+-                    // reset the "auditInfoCertValue"
+-                    auditInfoCertValue = auditInfoCertValue(thisreq);
++
++                    X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
++                    String auditInfoCertValue = auditInfoCertValue(x509cert);
+ 
+                     if (auditInfoCertValue != null) {
+                         if (!(auditInfoCertValue.equals(
+@@ -1068,18 +1067,15 @@ public class ConnectorServlet extends CMSServlet {
+      * "X509CertImpl" for a signed audit log message.
+      * <P>
+      *
+-     * @param request a Request containing an X509CertImpl
++     * @param x509cert an X509CertImpl
+      * @return cert string containing the certificate
+      */
+-    private String auditInfoCertValue(IRequest request) {
++    private String auditInfoCertValue(X509CertImpl x509cert) {
+         // if no signed audit object exists, bail
+         if (mSignedAuditLogger == null) {
+             return null;
+         }
+ 
+-        X509CertImpl x509cert = request.getExtDataInCert(
+-                IEnrollProfile.REQUEST_ISSUED_CERT);
+-
+         if (x509cert == null) {
+             return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+         }
 -- 
 1.8.3.1
 
 
-From 0c502a387c90d2e2d8ebe9e3edf3dfeaf1d6eba4 Mon Sep 17 00:00:00 2001
-From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
-Date: Wed, 27 Jul 2016 11:43:33 -0700
-Subject: [PATCH 66/96] Make starting CRL Number configurable.
+From e74fca2ced2416d656a09613e6e56657f4f88d20 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 20 Apr 2017 04:29:40 +0200
+Subject: [PATCH 21/49] Refactored
+ ProfileSubmitCMCServlet.auditInfoCertValue().
+
+The ProfileSubmitCMCServlet.auditInfoCertValue() has been modified
+to accept X509CertImpl like CAProcessor.auditInfoCertValue().
+
+Change-Id: Ib3b4c4c19250df73a769590488cb5716a50a065b
+---
+ .../cms/servlet/profile/ProfileSubmitCMCServlet.java     | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index 83bab5b..c3ada9a 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -642,7 +642,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+         String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = ILogger.UNIDENTIFIED;
+-        String auditInfoCertValue = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ 
+         try {
+             ///////////////////////////////////////////////
+@@ -672,8 +671,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                     profile.submit(authToken, reqs[k]);
+                     reqs[k].setRequestStatus(RequestStatus.COMPLETE);
+ 
+-                    // reset the "auditInfoCertValue"
+-                    auditInfoCertValue = auditInfoCertValue(reqs[k]);
++                    X509CertImpl x509cert = reqs[k].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
++                    String auditInfoCertValue = auditInfoCertValue(x509cert);
+ 
+                     if (auditInfoCertValue != null) {
+                         if (!(auditInfoCertValue.equals(
+@@ -777,8 +776,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                     profile.getRequestQueue().markAsServiced(provedReq);
+                     CMS.debug("ProfileSubmitCMCServlet: provedReq set to complete");
+ 
+-                    // reset the "auditInfoCertValue"
+-                    auditInfoCertValue = auditInfoCertValue(reqs[0]);
++                    X509CertImpl x509cert = reqs[0].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
++                    String auditInfoCertValue = auditInfoCertValue(x509cert);
+ 
+                     if (auditInfoCertValue != null) {
+                         if (!(auditInfoCertValue.equals(
+@@ -896,18 +895,15 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+      * "X509CertImpl" for a signed audit log message.
+      * <P>
+      *
+-     * @param request request containing an X509CertImpl
++     * @param x509cert an X509CertImpl
+      * @return cert string containing the certificate
+      */
+-    private String auditInfoCertValue(IRequest request) {
++    private String auditInfoCertValue(X509CertImpl x509cert) {
+         // if no signed audit object exists, bail
+         if (mSignedAuditLogger == null) {
+             return null;
+         }
+ 
+-        X509CertImpl x509cert = request.getExtDataInCert(
+-                IEnrollProfile.REQUEST_ISSUED_CERT);
+-
+         if (x509cert == null) {
+             return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+         }
+-- 
+1.8.3.1
 
-Ticket #2406 Make starting CRL Number configurable
 
-This simple patch provides a pkispawn config param that passes
-some starting crl number value to the config process.
+From ba32351d7c362e6b0e313cde0929c56f3f55ec5f Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 21 Apr 2017 05:04:05 +0200
+Subject: [PATCH 22/49] Fixed missing IAuditor.log(AuditEvent).
 
-Here is a sample:
+The IAuditor has been modified to define a log() method for
+AuditEvent object.
 
-[CA]
-pki_ca_starting_crl_number=4000
+Change-Id: Ie1ad720bd6d3bcd71a4567eed477f0e34a8274c9
+---
+ base/common/src/com/netscape/certsrv/logging/IAuditor.java        | 2 ++
+ base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java | 3 ++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/IAuditor.java b/base/common/src/com/netscape/certsrv/logging/IAuditor.java
+index 216015f..9521228 100644
+--- a/base/common/src/com/netscape/certsrv/logging/IAuditor.java
++++ b/base/common/src/com/netscape/certsrv/logging/IAuditor.java
+@@ -73,4 +73,6 @@ public interface IAuditor {
+      * Log audit message.
+      */
+     public void log(String message);
++
++    public void log(AuditEvent event);
+ }
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
+index 48dfe3a..8962561 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
+@@ -220,7 +220,8 @@ public class Auditor implements IAuditor {
+                 message);
+     }
+ 
+-    protected void audit(AuditEvent event) {
++    @Override
++    public void log(AuditEvent event) {
+ 
+         String template = event.getMessage();
+         Object[] params = event.getParameters();
+-- 
+1.8.3.1
 
-After the CA comes up the value of "crlNumber" in the db will
-reflect that value of 4000.
 
-Currently no other values are changed. We can talk about if we
-need more values reset in the given case.
+From fcbabc0ce929d91f63098bba4867d102ac04ead0 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Wed, 19 Apr 2017 08:50:06 +0200
+Subject: [PATCH 23/49] Python 3 support and Travis testing
 
-Also, this creates a setting in the CS.cfg
+Fix Python 3 support for pkispawn: Config values are text values. Therefore
+the config file has to be written as text file.
 
-ca.crl.MasterCrl.startingCrlNumber=4000
+Test Python 3 support in Travis CI. The little script py3rewrite copies
+pki.server Python files and rewrites pkispawn and pkidestroy to use
+Python 3.
 
-This setting is only consulted when the crl Issuing Point record is created
-for the first time.
+Change-Id: Ia516f80df94cacc2acfa70929ad16bb5b9c39ddf
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
 ---
- base/ca/src/com/netscape/ca/CRLIssuingPoint.java   | 65 +++++++++++++++-------
- .../server/ca/rest/CAInstallerService.java         |  7 +++
- .../certsrv/system/ConfigurationRequest.java       | 12 ++++
- base/server/etc/default.cfg                        |  1 +
- .../python/pki/server/deployment/pkihelper.py      |  4 ++
- 5 files changed, 69 insertions(+), 20 deletions(-)
-
-diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
-index fc9e6a3..a593eb8 100644
---- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
-+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
-@@ -31,6 +31,23 @@ import java.util.StringTokenizer;
- import java.util.TimeZone;
- import java.util.Vector;
- 
-+import netscape.security.util.BitArray;
-+import netscape.security.x509.AlgorithmId;
-+import netscape.security.x509.CRLExtensions;
-+import netscape.security.x509.CRLNumberExtension;
-+import netscape.security.x509.CRLReasonExtension;
-+import netscape.security.x509.DeltaCRLIndicatorExtension;
-+import netscape.security.x509.Extension;
-+import netscape.security.x509.FreshestCRLExtension;
-+import netscape.security.x509.IssuingDistributionPoint;
-+import netscape.security.x509.IssuingDistributionPointExtension;
-+import netscape.security.x509.RevocationReason;
-+import netscape.security.x509.RevokedCertImpl;
-+import netscape.security.x509.RevokedCertificate;
-+import netscape.security.x509.X509CRLImpl;
-+import netscape.security.x509.X509CertImpl;
-+import netscape.security.x509.X509ExtensionException;
-+
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.IConfigStore;
-@@ -66,23 +83,6 @@ import com.netscape.cmscore.dbs.CertRecord;
- import com.netscape.cmscore.dbs.CertificateRepository;
- import com.netscape.cmscore.util.Debug;
- 
--import netscape.security.util.BitArray;
--import netscape.security.x509.AlgorithmId;
--import netscape.security.x509.CRLExtensions;
--import netscape.security.x509.CRLNumberExtension;
--import netscape.security.x509.CRLReasonExtension;
--import netscape.security.x509.DeltaCRLIndicatorExtension;
--import netscape.security.x509.Extension;
--import netscape.security.x509.FreshestCRLExtension;
--import netscape.security.x509.IssuingDistributionPoint;
--import netscape.security.x509.IssuingDistributionPointExtension;
--import netscape.security.x509.RevocationReason;
--import netscape.security.x509.RevokedCertImpl;
--import netscape.security.x509.RevokedCertificate;
--import netscape.security.x509.X509CRLImpl;
--import netscape.security.x509.X509CertImpl;
--import netscape.security.x509.X509ExtensionException;
--
- /**
-  * This class encapsulates CRL issuing mechanism. CertificateAuthority
-  * contains a map of CRLIssuingPoint indexed by string ids. Each issuing
-@@ -112,6 +112,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
- 
-     private static final int CRL_PAGE_SIZE = 10000;
- 
-+    private static final String PROP_CRL_STARTING_NUMBER = "startingCrlNumber";
-+
-     /* configuration file property names */
- 
-     public IPublisherProcessor mPublisherProcessor = null;
-@@ -923,13 +925,36 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
-         if (crlRecord == null) {
-             // no crl was ever created, or crl in db is corrupted.
-             // create new one.
-+
-+            IConfigStore ipStore = mCA.getConfigStore().getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE).getSubStore(mId);
-             try {
--                crlRecord = new CRLIssuingPointRecord(mId, BigInteger.ZERO, Long.valueOf(-1),
-+
-+                BigInteger startingCrlNumberBig = ipStore.getBigInteger(PROP_CRL_STARTING_NUMBER, BigInteger.ZERO);
-+                CMS.debug("startingCrlNumber: " + startingCrlNumberBig);
-+
-+                // Check for bogus negative value
+ .travis.yml                               |  7 +++++
+ .travis/40-spawn-ca                       |  2 +-
+ .travis/50-spawn-kra                      |  2 +-
+ .travis/99-destroy                        | 11 ++++++++
+ .travis/py3rewrite                        | 46 +++++++++++++++++++++++++++++++
+ base/server/python/pki/server/__init__.py |  4 +--
+ 6 files changed, 68 insertions(+), 4 deletions(-)
+ create mode 100755 .travis/99-destroy
+ create mode 100755 .travis/py3rewrite
+
+diff --git a/.travis.yml b/.travis.yml
+index 2714bbc..54ae884 100644
+--- a/.travis.yml
++++ b/.travis.yml
+@@ -44,6 +44,13 @@ install:
+ script:
+   - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/40-spawn-ca
+   - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/50-spawn-kra
++  - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/99-destroy
++  # copy pki.server for Python 3 and rewrite pkispawn/pkidestroy shebang
++  - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/py3rewrite
++  - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/30-setup-389ds
++  - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/40-spawn-ca
++  - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/50-spawn-kra
++  - docker exec -ti ${CONTAINER} ${SCRIPTDIR}/99-destroy
+ 
+ after_script:
+   - docker kill ${CONTAINER}
+diff --git a/.travis/40-spawn-ca b/.travis/40-spawn-ca
+index 9986698..d6771db 100755
+--- a/.travis/40-spawn-ca
++++ b/.travis/40-spawn-ca
+@@ -1,7 +1,7 @@
+ #!/bin/bash
+ set -e
+ 
+-pkispawn -v -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA
++pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA
+ 
+ echo "Waiting for port 8080"
+ for i in {1..20}; do
+diff --git a/.travis/50-spawn-kra b/.travis/50-spawn-kra
+index 80cb039..93f2f4c 100755
+--- a/.travis/50-spawn-kra
++++ b/.travis/50-spawn-kra
+@@ -1,7 +1,7 @@
+ #!/bin/bash
+ set -e
+ 
+-pkispawn -v -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA
++pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA
+ 
+ echo "Waiting for port 8080"
+ for i in {1..20}; do
+diff --git a/.travis/99-destroy b/.travis/99-destroy
+new file mode 100755
+index 0000000..d2fb1ad
+--- /dev/null
++++ b/.travis/99-destroy
+@@ -0,0 +1,11 @@
++#!/bin/bash
++set -e
 +
-+                if(startingCrlNumberBig.compareTo(BigInteger.ZERO) < 0) {
-+                    //Make it the default of ZERO
-+                    startingCrlNumberBig = BigInteger.ZERO;
-+                }
++if [ -d /etc/pki/pkitest/kra ]; then
++    pkidestroy -v -i pkitest -s KRA
++fi
 +
-+                crlRecord = new CRLIssuingPointRecord(mId, startingCrlNumberBig, Long.valueOf(-1),
-                                                null, null, BigInteger.ZERO, Long.valueOf(-1),
-                                           mRevokedCerts, mUnrevokedCerts, mExpiredCerts);
-                 mCRLRepository.addCRLIssuingPointRecord(crlRecord);
--                mCRLNumber = BigInteger.ZERO; //BIG_ZERO;
--                mNextCRLNumber = BigInteger.ONE; //BIG_ONE;
-+                mCRLNumber = startingCrlNumberBig;
-+
-+                // The default case calls for ZERO being the starting point where
-+                // it is then incremented by one to ONE
-+                // If we specificy an explicit starting point,
-+                // We want that exact number to be the next CRL Number.
-+                if(mCRLNumber.compareTo(BigInteger.ZERO) == 0) {
-+                    mNextCRLNumber = BigInteger.ONE;
-+                } else {
-+                    mNextCRLNumber = mCRLNumber;
-+                }
++pkidestroy -v -i pkitest -s CA
 +
-                 mLastCRLNumber = mCRLNumber;
-                 mDeltaCRLNumber = mCRLNumber;
-                 mNextDeltaCRLNumber = mNextCRLNumber;
-diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
-index e1b7160..3c7e483 100644
---- a/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
-+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAInstallerService.java
-@@ -80,6 +80,8 @@ public class CAInstallerService extends SystemConfigService {
-                 disableCRLCachingAndGenerationForClone(request);
-             }
- 
-+            configureStartingCRLNumber(request);
++remove-ds.pl -f -i slapd-pkitest
 +
-         } catch (Exception e) {
-             CMS.debug(e);
-             throw new PKIException("Errors in determining if security domain host is a master CA");
-@@ -187,6 +189,11 @@ public class CAInstallerService extends SystemConfigService {
-         configStore.commit(false /* no backup */);
-     }
- 
-+    private void configureStartingCRLNumber(ConfigurationRequest data) {
-+        CMS.debug("CAInstallerService:configureStartingCRLNumber entering.");
-+        cs.putString("ca.crl.MasterCRL.startingCrlNumber",data.getStartingCRLNumber() );
+diff --git a/.travis/py3rewrite b/.travis/py3rewrite
+new file mode 100755
+index 0000000..f8a208d
+--- /dev/null
++++ b/.travis/py3rewrite
+@@ -0,0 +1,46 @@
++#!/usr/bin/python3
++import os
++import shutil
 +
++from distutils.sysconfig import get_python_lib
++
++
++BUILDDIR = os.environ['BUILDDIR']
++PKIBASE = os.path.join(BUILDDIR, 'pki', 'base')
++PKICLIENT = os.path.join(PKIBASE, 'common', 'python', 'pki')
++PKISERVER = os.path.join(PKIBASE, 'server', 'python', 'pki', 'server')
++PKISBIN = os.path.join(PKIBASE, 'server', 'sbin')
++
++SITEPACKAGES = get_python_lib()
++
++
++def copyscript(src, dst):
++    with open(src) as f:
++        lines = f.readlines()
++    lines[0] = '#!/usr/bin/python3\n'
++    with open(dst, 'w') as f:
++        os.fchmod(f.fileno(), 0o755)
++        f.writelines(lines)
++
++
++def copyfiles():
++    shutil.rmtree(os.path.join(SITEPACKAGES, 'pki'))
++    shutil.copytree(
++        PKICLIENT,
++        os.path.join(SITEPACKAGES, 'pki')
++    )
++    shutil.copytree(
++        PKISERVER,
++        os.path.join(SITEPACKAGES, 'pki', 'server')
++    )
++    copyscript(
++        os.path.join(PKISBIN, 'pkispawn'),
++        '/usr/sbin/pkispawn'
++    )
++    copyscript(
++        os.path.join(PKISBIN, 'pkidestroy'),
++        '/usr/sbin/pkidestroy'
++    )
++
++if __name__ == '__main__':
++    copyfiles()
+diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
+index 8898654..46c6711 100644
+--- a/base/server/python/pki/server/__init__.py
++++ b/base/server/python/pki/server/__init__.py
+@@ -296,9 +296,9 @@ class PKISubsystem(object):
+ 
+     def save(self):
+         sorted_config = sorted(self.config.items(), key=operator.itemgetter(0))
+-        with io.open(self.cs_conf, 'wb') as f:
++        with io.open(self.cs_conf, 'w') as f:
+             for (key, value) in sorted_config:
+-                f.write('%s=%s\n' % (key, value))
++                f.write(u'%s=%s\n' % (key, value))
+ 
+     def is_valid(self):
+         return os.path.exists(self.conf_dir)
+-- 
+1.8.3.1
+
+
+From ce3304834dbb3e4d001ecbbfc1af61044ae7a74c Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 20 Apr 2017 09:52:32 +0200
+Subject: [PATCH 24/49] Added AuthSuccessEvent.
+
+A new AuthSuccessEvent class of has been added to encapsulate the
+AUTH_SUCCESS events.
+
+https://pagure.io/dogtagpki/issue/2641
+
+Change-Id: Ie7cc751728ac079e30ece354ca44c5266474bcd3
+---
+ .../certsrv/logging/event/AuthSuccessEvent.java    | 39 ++++++++++++++++++++++
+ .../cms/src/com/netscape/cms/realm/PKIRealm.java   | 16 ++++-----
+ .../netscape/cms/servlet/admin/AdminServlet.java   | 21 +++++-------
+ .../com/netscape/cms/servlet/base/CMSServlet.java  |  9 ++---
+ .../cms/servlet/processors/CAProcessor.java        | 17 +++-------
+ 5 files changed, 61 insertions(+), 41 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AuthSuccessEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthSuccessEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthSuccessEvent.java
+new file mode 100644
+index 0000000..5d4f973
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/AuthSuccessEvent.java
+@@ -0,0 +1,39 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class AuthSuccessEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public AuthSuccessEvent(
++            String subjectID,
++            String outcome,
++            String authManagerID) {
++
++        super(AUTH_SUCCESS);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                authManagerID
++        });
 +    }
-     private void disableCRLCachingAndGenerationForClone(ConfigurationRequest data) throws MalformedURLException {
- 
-         CMS.debug("CAInstallerService:disableCRLCachingAndGenerationForClone entering.");
-diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
-index 890f7d0..cd9d3c8 100644
---- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
-+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
-@@ -234,6 +234,9 @@ public class ConfigurationRequest {
-     @XmlElement
-     protected String sharedDBUserDN;
- 
-+    @XmlElement
-+    protected String startingCRLNumber;
-+
-     public ConfigurationRequest() {
-         // required for JAXB
-     }
-@@ -932,6 +935,14 @@ public class ConfigurationRequest {
-         this.subordinateSecurityDomainName = subordinateSecurityDomainName;
-     }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+index bcd3ff8..81de9fb 100644
+--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
++++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+@@ -18,6 +18,7 @@ import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AuthSuccessEvent;
+ import com.netscape.certsrv.usrgrp.EUsrGrpException;
+ import com.netscape.certsrv.usrgrp.IGroup;
+ import com.netscape.certsrv.usrgrp.IUGSubsystem;
+@@ -60,14 +61,11 @@ public class PKIRealm extends RealmBase {
+             authToken.set(SessionContext.AUTH_MANAGER_ID, IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
+             auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTH_SUCCESS,
++            audit(new AuthSuccessEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
++                        IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID));
+ 
+-            audit(auditMessage);
+             return getPrincipal(username, authToken);
+ 
+         } catch (Throwable e) {
+@@ -120,14 +118,12 @@ public class PKIRealm extends RealmBase {
+             auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
+ 
+             CMS.debug("PKIRealm: User ID: " + username);
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTH_SUCCESS,
++
++            audit(new AuthSuccessEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);
++                        IAuthSubsystem.CERTUSERDB_AUTHMGR_ID));
+ 
+-            audit(auditMessage);
+             return getPrincipal(username, authToken);
+ 
+         } catch (Throwable e) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+index 16a2e39..d530f6a 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+@@ -35,8 +35,6 @@ import javax.servlet.http.HttpServlet;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
  
-+    public String getStartingCRLNumber() {
-+        return startingCRLNumber;
-+    }
-+
-+    public void setStartingCRLNumber(String startingCRLNumber) {
-+        this.startingCRLNumber = startingCRLNumber;
-+    }
+-import netscape.security.x509.X509CertImpl;
+-
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.authentication.IAuthCredentials;
+ import com.netscape.certsrv.authentication.IAuthManager;
+@@ -54,12 +52,15 @@ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.IAuditor;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AuthSuccessEvent;
+ import com.netscape.certsrv.usrgrp.EUsrGrpException;
+ import com.netscape.certsrv.usrgrp.IUGSubsystem;
+ import com.netscape.certsrv.usrgrp.IUser;
+ import com.netscape.cms.servlet.base.UserInfo;
+ import com.netscape.cmsutil.util.Utils;
+ 
++import netscape.security.x509.X509CertImpl;
 +
-     @Override
-     public String toString() {
-         return "ConfigurationRequest [pin=XXXX" +
-@@ -995,6 +1006,7 @@ public class ConfigurationRequest {
-                ", setupReplication=" + setupReplication +
-                ", subordinateSecurityDomainName=" + subordinateSecurityDomainName +
-                ", reindexData=" + reindexData +
-+               ", startingCrlNumber=" + startingCRLNumber +
-                "]";
-     }
+ /**
+  * A class represents an administration servlet that
+  * is responsible to serve administrative
+@@ -524,23 +525,17 @@ public class AdminServlet extends HttpServlet {
+             sc.put(SessionContext.LOCALE, locale);
+ 
+             if (authType.equals("sslclientauth")) {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.AUTH_SUCCESS,
++
++                audit(new AuthSuccessEvent(
+                             auditSubjectID(),
+                             ILogger.SUCCESS,
+-                            CERTUSERDB);
++                            CERTUSERDB));
+ 
+-                audit(auditMessage);
+             } else {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.AUTH_SUCCESS,
++                audit(new AuthSuccessEvent(
+                             auditSubjectID(),
+                             ILogger.SUCCESS,
+-                            PASSWDUSERDB);
+-
+-                audit(auditMessage);
++                            PASSWDUSERDB));
+             }
+         } catch (IOException eAudit1) {
+             if (authType.equals("sslclientauth")) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+index a007a00..9168870 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+@@ -66,6 +66,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AuthSuccessEvent;
+ import com.netscape.certsrv.ra.IRegistrationAuthority;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+@@ -1789,14 +1790,10 @@ public abstract class CMSServlet extends HttpServlet {
+             // reset the "auditSubjectID"
+             auditSubjectID = auditSubjectID();
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTH_SUCCESS,
++            audit(new AuthSuccessEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditAuthMgrID);
+-
+-            audit(auditMessage);
++                        auditAuthMgrID));
+ 
+             return authToken;
+         } catch (EBaseException eAudit1) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index a98d555..93d6a9a 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -53,6 +53,7 @@ import com.netscape.certsrv.dbs.certdb.ICertRecord;
+ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AuthSuccessEvent;
+ import com.netscape.certsrv.profile.IProfile;
+ import com.netscape.certsrv.profile.IProfileAuthenticator;
+ import com.netscape.certsrv.profile.IProfileSubsystem;
+@@ -520,14 +521,10 @@ public class CAProcessor extends Processor {
+ 
+             authSubjectID = authSubjectID + " : " + uid_cred;
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.AUTH_SUCCESS,
++            audit(new AuthSuccessEvent(
+                     authSubjectID,
+                     ILogger.SUCCESS,
+-                    authMgrID);
+-
+-            audit(auditMessage);
++                    authMgrID));
+         }
+         endTiming("profile_authentication");
+         return authToken;
+@@ -655,14 +652,10 @@ public class CAProcessor extends Processor {
+             // reset the "auditSubjectID"
+             auditSubjectID = auditSubjectID();
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.AUTH_SUCCESS,
++            audit(new AuthSuccessEvent(
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+-                    auditAuthMgrID);
+-
+-            audit(auditMessage);
++                    auditAuthMgrID));
  
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index 4919cb4..3a7e005 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -296,6 +296,7 @@ pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name
- pki_ca_signing_token=Internal Key Storage Token
- pki_ca_signing_csr_path=
- pki_ca_signing_cert_path=
-+pki_ca_starting_crl_number=0
- pki_external=False
- pki_req_ext_add=False
- # MS subca request ext data
-diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
-index 6ac68b1..8a1dbdd 100644
---- a/base/server/python/pki/server/deployment/pkihelper.py
-+++ b/base/server/python/pki/server/deployment/pkihelper.py
-@@ -4113,6 +4113,10 @@ class ConfigClient:
-         if self.subsystem == "TPS":
-             self.set_tps_parameters(data)
- 
-+        # Misc CA parameters
-+        if self.subsystem == "CA":
-+            data.startingCRLNumber = self.mdict['pki_ca_starting_crl_number']
-+
-         return data
- 
-     def save_admin_csr(self):
+             return authToken;
+         } catch (EBaseException eAudit1) {
 -- 
 1.8.3.1
 
 
-From f990cb0dee46df211c2c7212ca0165465b5f3531 Mon Sep 17 00:00:00 2001
+From 0de8be3084c4ccf23c2850331f86fc067e7c8383 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Sun, 24 Jul 2016 07:36:36 +0200
-Subject: [PATCH 67/96] Added upgrade scripts to fix server library.
+Date: Thu, 20 Apr 2017 10:07:44 +0200
+Subject: [PATCH 25/49] Added AuthFailEvent.
 
-An upgrade script has been added to replace the <instance>/common
-in existing instances with a link to /usr/share/pki/server/common
-which contains links to server dependencies.
+A new AuthFailEvent class of has been added to encapsulate the
+AUTH_FAIL events.
 
-https://fedorahosted.org/pki/ticket/2403
+https://pagure.io/dogtagpki/issue/2641
+
+Change-Id: I870398f6a56df007c9520e50947a7b3c85baf79b
 ---
- base/common/upgrade/10.3.4/.gitignore          |  4 +++
- base/common/upgrade/10.3.5/.gitignore          |  4 +++
- base/server/upgrade/10.3.4/.gitignore          |  4 +++
- base/server/upgrade/10.3.5/01-FixServerLibrary | 46 ++++++++++++++++++++++++++
- 4 files changed, 58 insertions(+)
- create mode 100644 base/common/upgrade/10.3.4/.gitignore
- create mode 100644 base/common/upgrade/10.3.5/.gitignore
- create mode 100644 base/server/upgrade/10.3.4/.gitignore
- create mode 100644 base/server/upgrade/10.3.5/01-FixServerLibrary
-
-diff --git a/base/common/upgrade/10.3.4/.gitignore b/base/common/upgrade/10.3.4/.gitignore
-new file mode 100644
-index 0000000..5e7d273
---- /dev/null
-+++ b/base/common/upgrade/10.3.4/.gitignore
-@@ -0,0 +1,4 @@
-+# Ignore everything in this directory
-+*
-+# Except this file
-+!.gitignore
-diff --git a/base/common/upgrade/10.3.5/.gitignore b/base/common/upgrade/10.3.5/.gitignore
+ .../certsrv/logging/event/AuthFailEvent.java       | 41 +++++++++
+ .../cms/src/com/netscape/cms/realm/PKIRealm.java   | 22 +++--
+ .../netscape/cms/servlet/admin/AdminServlet.java   | 96 ++++++++--------------
+ .../com/netscape/cms/servlet/base/CMSServlet.java  | 11 ++-
+ .../cms/servlet/processors/CAProcessor.java        | 27 +++---
+ 5 files changed, 102 insertions(+), 95 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AuthFailEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthFailEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthFailEvent.java
 new file mode 100644
-index 0000000..5e7d273
+index 0000000..a2c7d8d
 --- /dev/null
-+++ b/base/common/upgrade/10.3.5/.gitignore
-@@ -0,0 +1,4 @@
-+# Ignore everything in this directory
-+*
-+# Except this file
-+!.gitignore
-diff --git a/base/server/upgrade/10.3.4/.gitignore b/base/server/upgrade/10.3.4/.gitignore
++++ b/base/common/src/com/netscape/certsrv/logging/event/AuthFailEvent.java
+@@ -0,0 +1,41 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class AuthFailEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public AuthFailEvent(
++            String subjectID,
++            String outcome,
++            String authManagerID,
++            String attemptedUID) {
++
++        super(AUTH_FAIL);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                authManagerID,
++                attemptedUID
++        });
++    }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+index 81de9fb..8306193 100644
+--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
++++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+@@ -18,6 +18,7 @@ import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
+ import com.netscape.certsrv.usrgrp.EUsrGrpException;
+ import com.netscape.certsrv.usrgrp.IGroup;
+@@ -45,7 +46,7 @@ public class PKIRealm extends RealmBase {
+     @Override
+     public Principal authenticate(String username, String password) {
+         CMS.debug("PKIRealm: Authenticating user " + username + " with password.");
+-        String auditMessage = null;
++
+         String auditSubjectID = ILogger.UNIDENTIFIED;
+         String attemptedAuditUID = username;
+ 
+@@ -69,14 +70,13 @@ public class PKIRealm extends RealmBase {
+             return getPrincipal(username, authToken);
+ 
+         } catch (Throwable e) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTH_FAIL,
++
++            audit(new AuthFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID,
+-                        attemptedAuditUID);
+-            audit(auditMessage);
++                        attemptedAuditUID));
++
+             e.printStackTrace();
+         }
+ 
+@@ -87,7 +87,6 @@ public class PKIRealm extends RealmBase {
+     public Principal authenticate(final X509Certificate certs[]) {
+         CMS.debug("PKIRealm: Authenticating certificate chain:");
+ 
+-        String auditMessage = null;
+         // get the cert from the ssl client auth
+         // in cert based auth, subject id from cert has already passed SSL authentication
+         // what remains is to see if the user exists in the internal user db
+@@ -127,14 +126,13 @@ public class PKIRealm extends RealmBase {
+             return getPrincipal(username, authToken);
+ 
+         } catch (Throwable e) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTH_FAIL,
++
++            audit(new AuthFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         IAuthSubsystem.CERTUSERDB_AUTHMGR_ID,
+-                        attemptedAuditUID);
+-            audit(auditMessage);
++                        attemptedAuditUID));
++
+             e.printStackTrace();
+         }
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+index d530f6a..a715c73 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+@@ -52,6 +52,7 @@ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.IAuditor;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
+ import com.netscape.certsrv.usrgrp.EUsrGrpException;
+ import com.netscape.certsrv.usrgrp.IUGSubsystem;
+@@ -274,7 +275,6 @@ public class AdminServlet extends HttpServlet {
+     protected void authenticate(HttpServletRequest req) throws
+             IOException {
+ 
+-        String auditMessage = null;
+         String auditUID = ILogger.UNIDENTIFIED;
+         String authType = "";
+ 
+@@ -297,15 +297,12 @@ public class AdminServlet extends HttpServlet {
+                         (X509Certificate[]) req.getAttribute(CERT_ATTR);
+ 
+                 if (allCerts == null || allCerts.length == 0) {
+-                    // store a message in the signed audit log file
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.AUTH_FAIL,
++
++                    audit(new AuthFailEvent(
+                                 ILogger.UNIDENTIFIED,
+                                 ILogger.FAILURE,
+                                 CERTUSERDB,
+-                                auditUID);
+-
+-                    audit(auditMessage);
++                                auditUID));
+ 
+                     throw new IOException("No certificate");
+                 }
+@@ -389,25 +386,20 @@ public class AdminServlet extends HttpServlet {
+                  */
+ 
+                 if (authType.equals("sslclientauth")) {
+-                    // store a message in the signed audit log file
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.AUTH_FAIL,
++
++                    audit(new AuthFailEvent(
+                                 ILogger.UNIDENTIFIED,
+                                 ILogger.FAILURE,
+                                 CERTUSERDB,
+-                                auditUID);
++                                auditUID));
+ 
+-                    audit(auditMessage);
+                 } else {
+-                    // store a message in the signed audit log file
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.AUTH_FAIL,
++
++                    audit(new AuthFailEvent(
+                                 ILogger.UNIDENTIFIED,
+                                 ILogger.FAILURE,
+                                 PASSWDUSERDB,
+-                                auditUID);
+-
+-                    audit(auditMessage);
++                                auditUID));
+                 }
+ 
+                 throw new IOException("authentication failed");
+@@ -423,25 +415,20 @@ public class AdminServlet extends HttpServlet {
+                                     tuserid));
+ 
+                     if (authType.equals("sslclientauth")) {
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.AUTH_FAIL,
++
++                        audit(new AuthFailEvent(
+                                     ILogger.UNIDENTIFIED,
+                                     ILogger.FAILURE,
+                                     CERTUSERDB,
+-                                    auditUID);
++                                    auditUID));
+ 
+-                        audit(auditMessage);
+                     } else {
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.AUTH_FAIL,
++
++                        audit(new AuthFailEvent(
+                                     ILogger.UNIDENTIFIED,
+                                     ILogger.FAILURE,
+                                     PASSWDUSERDB,
+-                                    auditUID);
+-
+-                        audit(auditMessage);
++                                    auditUID));
+                     }
+ 
+                     throw new IOException("authentication failed");
+@@ -459,25 +446,20 @@ public class AdminServlet extends HttpServlet {
+                                     tuserid));
+ 
+                     if (authType.equals("sslclientauth")) {
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.AUTH_FAIL,
++
++                        audit(new AuthFailEvent(
+                                     ILogger.UNIDENTIFIED,
+                                     ILogger.FAILURE,
+                                     CERTUSERDB,
+-                                    auditUID);
++                                    auditUID));
+ 
+-                        audit(auditMessage);
+                     } else {
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.AUTH_FAIL,
++
++                        audit(new AuthFailEvent(
+                                     ILogger.UNIDENTIFIED,
+                                     ILogger.FAILURE,
+                                     PASSWDUSERDB,
+-                                    auditUID);
+-
+-                        audit(auditMessage);
++                                    auditUID));
+                     }
+ 
+                     throw new IOException("authentication failed");
+@@ -495,25 +477,20 @@ public class AdminServlet extends HttpServlet {
+                         CMS.getLogMessage("ADMIN_SRVLT_USR_GRP_ERR", e.toString()));
+ 
+                 if (authType.equals("sslclientauth")) {
+-                    // store a message in the signed audit log file
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.AUTH_FAIL,
++
++                    audit(new AuthFailEvent(
+                                 ILogger.UNIDENTIFIED,
+                                 ILogger.FAILURE,
+                                 CERTUSERDB,
+-                                auditUID);
++                                auditUID));
+ 
+-                    audit(auditMessage);
+                 } else {
+-                    // store a message in the signed audit log file
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.AUTH_FAIL,
++
++                    audit(new AuthFailEvent(
+                                 ILogger.UNIDENTIFIED,
+                                 ILogger.FAILURE,
+                                 PASSWDUSERDB,
+-                                auditUID);
+-
+-                    audit(auditMessage);
++                                auditUID));
+                 }
+ 
+                 throw new IOException("authentication failed");
+@@ -539,25 +516,20 @@ public class AdminServlet extends HttpServlet {
+             }
+         } catch (IOException eAudit1) {
+             if (authType.equals("sslclientauth")) {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.AUTH_FAIL,
++
++                audit(new AuthFailEvent(
+                             ILogger.UNIDENTIFIED,
+                             ILogger.FAILURE,
+                             CERTUSERDB,
+-                            auditUID);
++                            auditUID));
+ 
+-                audit(auditMessage);
+             } else {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.AUTH_FAIL,
++
++                audit(new AuthFailEvent(
+                             ILogger.UNIDENTIFIED,
+                             ILogger.FAILURE,
+                             PASSWDUSERDB,
+-                            auditUID);
+-
+-                audit(auditMessage);
++                            auditUID));
+             }
+ 
+             // rethrow the specific exception to be handled later
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+index 9168870..c23b9d1 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+@@ -66,6 +66,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
+ import com.netscape.certsrv.ra.IRegistrationAuthority;
+ import com.netscape.certsrv.request.IRequest;
+@@ -1701,7 +1702,7 @@ public abstract class CMSServlet extends HttpServlet {
+      */
+     public IAuthToken authenticate(HttpServletRequest httpReq, String authMgrName)
+             throws EBaseException {
+-        String auditMessage = null;
++
+         String auditSubjectID = ILogger.UNIDENTIFIED;
+         String auditAuthMgrID = ILogger.UNIDENTIFIED;
+         String auditUID = ILogger.UNIDENTIFIED;
+@@ -1797,14 +1798,12 @@ public abstract class CMSServlet extends HttpServlet {
+ 
+             return authToken;
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTH_FAIL,
++
++            audit(new AuthFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditAuthMgrID,
+-                        auditUID);
+-            audit(auditMessage);
++                        auditUID));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index 93d6a9a..a28bee1 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -53,6 +53,7 @@ import com.netscape.certsrv.dbs.certdb.ICertRecord;
+ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
+ import com.netscape.certsrv.profile.IProfile;
+ import com.netscape.certsrv.profile.IProfileAuthenticator;
+@@ -474,7 +475,7 @@ public class CAProcessor extends Processor {
+ 
+             String authSubjectID = auditSubjectID();
+             String authMgrID = authenticator.getName();
+-            String auditMessage = null;
++
+             try {
+                 if (isRenewal) {
+                     authToken = authenticate(authenticator, request, origReq, context, credentials);
+@@ -486,13 +487,12 @@ public class CAProcessor extends Processor {
+                 CMS.debug("CAProcessor: authentication error: " + e);
+ 
+                 authSubjectID += " : " + uid_cred;
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTH_FAIL,
++
++                audit(new AuthFailEvent(
+                         authSubjectID,
+                         ILogger.FAILURE,
+                         authMgrID,
+-                        uid_attempted_cred);
+-                audit(auditMessage);
++                        uid_attempted_cred));
+ 
+                 throw e;
+ 
+@@ -500,13 +500,12 @@ public class CAProcessor extends Processor {
+                 CMS.debug(e);
+ 
+                 authSubjectID += " : " + uid_cred;
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTH_FAIL,
++
++                audit(new AuthFailEvent(
+                         authSubjectID,
+                         ILogger.FAILURE,
+                         authMgrID,
+-                        uid_attempted_cred);
+-                audit(auditMessage);
++                        uid_attempted_cred));
+ 
+                 throw e;
+             }
+@@ -565,7 +564,7 @@ public class CAProcessor extends Processor {
+ 
+     public IAuthToken authenticate(HttpServletRequest httpReq, String authMgrName)
+             throws EBaseException {
+-        String auditMessage = null;
++
+         String auditSubjectID = ILogger.UNIDENTIFIED;
+         String auditAuthMgrID = ILogger.UNIDENTIFIED;
+         String auditUID = ILogger.UNIDENTIFIED;
+@@ -659,14 +658,12 @@ public class CAProcessor extends Processor {
+ 
+             return authToken;
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.AUTH_FAIL,
++
++            audit(new AuthFailEvent(
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditAuthMgrID,
+-                    auditUID);
+-            audit(auditMessage);
++                    auditUID));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+-- 
+1.8.3.1
+
+
+From fdcb514b0711f10eab47c81837138192207e44b4 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 20 Apr 2017 16:30:18 +0200
+Subject: [PATCH 26/49] Added AuthzSuccessEvent.
+
+A new AuthzSuccessEvent class of has been added to encapsulate the
+AUTHZ_SUCCESS events.
+
+https://pagure.io/dogtagpki/issue/2641
+
+Change-Id: I2f45fb2c3ba8acdc82777644cf4ad0ec2eff35a5
+---
+ .../certsrv/logging/event/AuthzSuccessEvent.java   | 59 ++++++++++++++++++++++
+ .../netscape/cms/servlet/admin/AdminServlet.java   |  9 ++--
+ .../com/netscape/cms/servlet/base/CMSServlet.java  | 18 +++----
+ .../cms/servlet/processors/CAProcessor.java        | 18 +++----
+ .../org/dogtagpki/server/rest/ACLInterceptor.java  | 27 +++++-----
+ 5 files changed, 89 insertions(+), 42 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AuthzSuccessEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthzSuccessEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthzSuccessEvent.java
+new file mode 100644
+index 0000000..05e505c
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/AuthzSuccessEvent.java
+@@ -0,0 +1,59 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class AuthzSuccessEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public AuthzSuccessEvent(
++            String subjectID,
++            String outcome,
++            String aclResource,
++            String operation) {
++
++        super(AUTHZ_SUCCESS);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                aclResource,
++                operation
++        });
++    }
++
++    public AuthzSuccessEvent(
++            String subjectID,
++            String outcome,
++            String aclResource,
++            String operation,
++            String info) {
++
++        super(AUTHZ_SUCCESS_INFO);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                aclResource,
++                operation,
++                info
++        });
++    }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+index a715c73..adf9424 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+@@ -54,6 +54,7 @@ import com.netscape.certsrv.logging.IAuditor;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
++import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
+ import com.netscape.certsrv.usrgrp.EUsrGrpException;
+ import com.netscape.certsrv.usrgrp.IUGSubsystem;
+ import com.netscape.certsrv.usrgrp.IUser;
+@@ -676,15 +677,11 @@ public class AdminServlet extends HttpServlet {
+             return null;
+         }
+ 
+-        // store a message in the signed audit log file
+-        auditMessage = CMS.getLogMessage(
+-                    AuditEvent.AUTHZ_SUCCESS,
++        audit(new AuthzSuccessEvent(
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     auditACLResource,
+-                    auditOperation);
+-
+-        audit(auditMessage);
++                    auditOperation));
+ 
+         // store a message in the signed audit log file
+         auditMessage = CMS.getLogMessage(
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+index c23b9d1..c70f55a 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+@@ -68,6 +68,7 @@ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
++import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
+ import com.netscape.certsrv.ra.IRegistrationAuthority;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+@@ -1822,14 +1823,12 @@ public abstract class CMSServlet extends HttpServlet {
+         try {
+             authzToken = mAuthz.authorize(authzMgrName, authToken, exp);
+             if (authzToken != null) {
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.AUTHZ_SUCCESS,
++
++                audit(new AuthzSuccessEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditACLResource,
+-                            auditOperation);
+-
+-                audit(auditMessage);
++                            auditOperation));
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+@@ -1955,15 +1954,12 @@ public abstract class CMSServlet extends HttpServlet {
+                     operation);
+ 
+             if (authzTok != null) {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.AUTHZ_SUCCESS,
++
++                audit(new AuthzSuccessEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditACLResource,
+-                            auditOperation);
+-
+-                audit(auditMessage);
++                            auditOperation));
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index a28bee1..8760caf 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
++import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
+ import com.netscape.certsrv.profile.IProfile;
+ import com.netscape.certsrv.profile.IProfileAuthenticator;
+ import com.netscape.certsrv.profile.IProfileSubsystem;
+@@ -707,14 +708,12 @@ public class CAProcessor extends Processor {
+         try {
+             authzToken = authz.authorize(authzMgrName, authToken, exp);
+             if (authzToken != null) {
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_SUCCESS,
++
++                audit(new AuthzSuccessEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditACLResource,
+-                        auditOperation);
+-
+-                audit(auditMessage);
++                        auditOperation));
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+@@ -839,15 +838,12 @@ public class CAProcessor extends Processor {
+                     operation);
+ 
+             if (authzTok != null) {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_SUCCESS,
++
++                audit(new AuthzSuccessEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditACLResource,
+-                        auditOperation);
+-
+-                audit(auditMessage);
++                        auditOperation));
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+index 331bae1..490eaed 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+@@ -47,6 +47,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.ForbiddenException;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
+ import com.netscape.cms.realm.PKIPrincipal;
+ 
+ /**
+@@ -189,15 +190,14 @@ public class ACLInterceptor implements ContainerRequestFilter {
+         // If still not available, it's unprotected, allow request.
+         if (!authzRequired) {
+             CMS.debug("ACLInterceptor: No ACL mapping; authz not required.");
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_SUCCESS_INFO,
++
++            audit(new AuthzSuccessEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         null, //resource
+                         null, //operation
+-                        LOGGING_MISSING_ACL_MAPPING + ":" + auditInfo); //info
+-            audit(auditMessage);
++                        LOGGING_MISSING_ACL_MAPPING + ":" + auditInfo)); //info
++
+             return;
+         }
+ 
+@@ -230,14 +230,14 @@ public class ACLInterceptor implements ContainerRequestFilter {
+         // If no property defined, allow request.
+         if (value == null) {
+             CMS.debug("ACLInterceptor: No ACL configuration.");
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.AUTHZ_SUCCESS_INFO,
++
++            audit(new AuthzSuccessEvent(
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     null, //resource
+                     null, //operation
+-                    LOGGING_NO_ACL_ACCESS_ALLOWED + ":" + auditInfo);
++                    LOGGING_NO_ACL_ACCESS_ALLOWED + ":" + auditInfo));
++
+             return;
+         }
+ 
+@@ -317,15 +317,14 @@ public class ACLInterceptor implements ContainerRequestFilter {
+         }
+ 
+         // Allow request.
+-        // store a message in the signed audit log file
+-        auditMessage = CMS.getLogMessage(
+-                    AuditEvent.AUTHZ_SUCCESS_INFO,
++
++        audit(new AuthzSuccessEvent(
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     values[0], // resource
+                     values[1], // operation
+-                    auditInfo);
+-        audit(auditMessage);
++                    auditInfo));
++
+         return;
+     }
+ 
+-- 
+1.8.3.1
+
+
+From 30d1575046065dbd79f537e5f819c405e45af0bc Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 20 Apr 2017 16:49:28 +0200
+Subject: [PATCH 27/49] Added AuthzFailEvent.
+
+A new AuthzFailEvent class of has been added to encapsulate the
+AUTHZ_FAIL events.
+
+https://pagure.io/dogtagpki/issue/2641
+
+Change-Id: Id4ab9bd889a1a9314264c0ef2ff7b2389aed8f9c
+---
+ .../certsrv/logging/event/AuthzFailEvent.java      | 59 ++++++++++++++++++++++
+ .../netscape/cms/servlet/admin/AdminServlet.java   | 26 +++-------
+ .../com/netscape/cms/servlet/base/CMSServlet.java  | 44 ++++++----------
+ .../cms/servlet/processors/CAProcessor.java        | 35 +++++--------
+ .../org/dogtagpki/server/rest/ACLInterceptor.java  | 52 ++++++++-----------
+ 5 files changed, 118 insertions(+), 98 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java
+new file mode 100644
+index 0000000..1e44919
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/AuthzFailEvent.java
+@@ -0,0 +1,59 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class AuthzFailEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public AuthzFailEvent(
++            String subjectID,
++            String outcome,
++            String aclResource,
++            String operation) {
++
++        super(AUTHZ_FAIL);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                aclResource,
++                operation
++        });
++    }
++
++    public AuthzFailEvent(
++            String subjectID,
++            String outcome,
++            String aclResource,
++            String operation,
++            String info) {
++
++        super(AUTHZ_FAIL_INFO);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                aclResource,
++                operation,
++                info
++        });
++    }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+index adf9424..ecc6a7d 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+@@ -54,6 +54,7 @@ import com.netscape.certsrv.logging.IAuditor;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
++import com.netscape.certsrv.logging.event.AuthzFailEvent;
+ import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
+ import com.netscape.certsrv.usrgrp.EUsrGrpException;
+ import com.netscape.certsrv.usrgrp.IUGSubsystem;
+@@ -611,15 +612,11 @@ public class AdminServlet extends HttpServlet {
+         } catch (EAuthzAccessDenied e) {
+             log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_FAIL,
++            audit(new AuthzFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+-                        auditOperation);
+-
+-            audit(auditMessage);
++                        auditOperation));
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+@@ -634,15 +631,11 @@ public class AdminServlet extends HttpServlet {
+         } catch (EBaseException e) {
+             log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_FAIL,
++            audit(new AuthzFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+-                        auditOperation);
+-
+-            audit(auditMessage);
++                        auditOperation));
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+@@ -655,15 +648,12 @@ public class AdminServlet extends HttpServlet {
+ 
+             return null;
+         } catch (Exception e) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_FAIL,
++
++            audit(new AuthzFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+-                        auditOperation);
+-
+-            audit(auditMessage);
++                        auditOperation));
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+index c70f55a..afb109a 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+@@ -68,6 +68,7 @@ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
++import com.netscape.certsrv.logging.event.AuthzFailEvent;
+ import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
+ import com.netscape.certsrv.ra.IRegistrationAuthority;
+ import com.netscape.certsrv.request.IRequest;
+@@ -1839,14 +1840,12 @@ public abstract class CMSServlet extends HttpServlet {
+ 
+                 audit(auditMessage);
+             } else {
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.AUTHZ_FAIL,
++
++                audit(new AuthzFailEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditACLResource,
+-                            auditOperation);
+-
+-                audit(auditMessage);
++                            auditOperation));
+ 
+                 auditMessage = CMS.getLogMessage(
+                             AuditEvent.ROLE_ASSUME,
+@@ -1858,14 +1857,12 @@ public abstract class CMSServlet extends HttpServlet {
+             }
+             return authzToken;
+         } catch (Exception e) {
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_FAIL,
++
++            audit(new AuthzFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+-                        auditOperation);
+-
+-            audit(auditMessage);
++                        auditOperation));
+ 
+             auditMessage = CMS.getLogMessage(
+                         AuditEvent.ROLE_ASSUME,
+@@ -1970,15 +1967,12 @@ public abstract class CMSServlet extends HttpServlet {
+ 
+                 audit(auditMessage);
+             } else {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.AUTHZ_FAIL,
++
++                audit(new AuthzFailEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditACLResource,
+-                            auditOperation);
+-
+-                audit(auditMessage);
++                            auditOperation));
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+@@ -1992,15 +1986,12 @@ public abstract class CMSServlet extends HttpServlet {
+ 
+             return authzTok;
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_FAIL,
++
++            audit(new AuthzFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+-                        auditOperation);
+-
+-            audit(auditMessage);
++                        auditOperation));
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+@@ -2013,15 +2004,12 @@ public abstract class CMSServlet extends HttpServlet {
+ 
+             return null;
+         } catch (Exception eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_FAIL,
++
++            audit(new AuthzFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+-                        auditOperation);
+-
+-            audit(auditMessage);
++                        auditOperation));
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index 8760caf..1d04f3a 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
++import com.netscape.certsrv.logging.event.AuthzFailEvent;
+ import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
+ import com.netscape.certsrv.profile.IProfile;
+ import com.netscape.certsrv.profile.IProfileAuthenticator;
+@@ -724,14 +725,12 @@ public class CAProcessor extends Processor {
+ 
+                 audit(auditMessage);
+             } else {
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_FAIL,
++
++                audit(new AuthzFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+-                        auditOperation);
+-
+-                audit(auditMessage);
++                        auditOperation));
+ 
+                 auditMessage = CMS.getLogMessage(
+                         AuditEvent.ROLE_ASSUME,
+@@ -743,14 +742,12 @@ public class CAProcessor extends Processor {
+             }
+             return authzToken;
+         } catch (EBaseException e) {
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.AUTHZ_FAIL,
++
++            audit(new AuthzFailEvent(
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditACLResource,
+-                    auditOperation);
+-
+-            audit(auditMessage);
++                    auditOperation));
+ 
+             auditMessage = CMS.getLogMessage(
+                     AuditEvent.ROLE_ASSUME,
+@@ -854,15 +851,12 @@ public class CAProcessor extends Processor {
+ 
+                 audit(auditMessage);
+             } else {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_FAIL,
++
++                audit(new AuthzFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditACLResource,
+-                        auditOperation);
+-
+-                audit(auditMessage);
++                        auditOperation));
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+@@ -876,15 +870,12 @@ public class CAProcessor extends Processor {
+ 
+             return authzTok;
+         } catch (Exception eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.AUTHZ_FAIL,
++
++            audit(new AuthzFailEvent(
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditACLResource,
+-                    auditOperation);
+-
+-            audit(auditMessage);
++                    auditOperation));
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+index 490eaed..b4f75f1 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+@@ -47,6 +47,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.ForbiddenException;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AuthzFailEvent;
+ import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
+ import com.netscape.cms.realm.PKIPrincipal;
+ 
+@@ -108,7 +109,6 @@ public class ACLInterceptor implements ContainerRequestFilter {
+         String auditInfo =  clazz.getSimpleName() + "." + method.getName();
+ 
+         CMS.debug("ACLInterceptor: " + auditInfo + "()");
+-        String auditMessage = null;
+         String auditSubjectID = ILogger.UNIDENTIFIED;
+ 
+         /*
+@@ -174,14 +174,13 @@ public class ACLInterceptor implements ContainerRequestFilter {
+             CMS.debug("ACLInterceptor: No authentication token present.");
+             // store a message in the signed audit log file
+             // although if it didn't pass authentication, it should not have gotten here
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_FAIL_INFO,
++            audit(new AuthzFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         null, // resource
+                         null, // operation
+-                        LOGGING_MISSING_AUTH_TOKEN + ":" + auditInfo);
+-            audit(auditMessage);
++                        LOGGING_MISSING_AUTH_TOKEN + ":" + auditInfo));
++
+             throw new ForbiddenException("No authorization token present.");
+         }
+         if (authToken != null)
+@@ -213,16 +212,14 @@ public class ACLInterceptor implements ContainerRequestFilter {
+             value = properties.getProperty(name);
+ 
+         } catch (IOException e) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_FAIL_INFO,
++
++            audit(new AuthzFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         null, //resource
+                         null, //operation
+-                        LOGGING_ACL_PARSING_ERROR + ":" + auditInfo);
++                        LOGGING_ACL_PARSING_ERROR + ":" + auditInfo));
+ 
+-            audit(auditMessage);
+             e.printStackTrace();
+             throw new Failure(e);
+         }
+@@ -246,16 +243,14 @@ public class ACLInterceptor implements ContainerRequestFilter {
+         // If invalid mapping, reject request.
+         if (values.length != 2) {
+             CMS.debug("ACLInterceptor: Invalid ACL mapping.");
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.AUTHZ_FAIL_INFO,
++
++            audit(new AuthzFailEvent(
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     null, //resource
+                     null, //operation
+-                    LOGGING_INVALID_ACL_MAPPING + ":" + auditInfo);
++                    LOGGING_INVALID_ACL_MAPPING + ":" + auditInfo));
+ 
+-            audit(auditMessage);
+             throw new ForbiddenException("Invalid ACL mapping.");
+         }
+ 
+@@ -273,15 +268,14 @@ public class ACLInterceptor implements ContainerRequestFilter {
+             if (authzToken == null) {
+                 String info = "No authorization token present.";
+                 CMS.debug("ACLInterceptor: " + info);
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.AUTHZ_FAIL_INFO,
++
++                audit(new AuthzFailEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             values[0], // resource
+                             values[1], // operation
+-                            info);
+-                audit(auditMessage);
++                            info));
++
+                 throw new ForbiddenException("No authorization token present.");
+             }
+ 
+@@ -290,28 +284,26 @@ public class ACLInterceptor implements ContainerRequestFilter {
+         } catch (EAuthzAccessDenied e) {
+             String info = e.getMessage();
+             CMS.debug("ACLInterceptor: " + info);
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_FAIL_INFO,
++
++            audit(new AuthzFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         values[0], // resource
+                         values[1], // operation
+-                        info);
+-            audit(auditMessage);
++                        info));
++
+             throw new ForbiddenException(e.toString());
+ 
+         } catch (EBaseException e) {
+             String info = e.getMessage();
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.AUTHZ_FAIL_INFO,
++
++            audit(new AuthzFailEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         values[0], // resource
+                         values[1], // operation
+-                        info);
+-            audit(auditMessage);
++                        info));
++
+             e.printStackTrace();
+             throw new Failure(e);
+         }
+-- 
+1.8.3.1
+
+
+From aad80e8775eac61ed9eac2f3f94d2ec90207e827 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 20 Apr 2017 10:20:06 +0200
+Subject: [PATCH 28/49] Added RoleAssumeEvent.
+
+A new RoleAssumeEvent class of has been added to encapsulate the
+ROLE_ASSUME events.
+
+https://pagure.io/dogtagpki/issue/2641
+
+Change-Id: I12e47ea13198b6532b1fdfee2e20765c0cab15e9
+---
+ .../certsrv/logging/event/RoleAssumeEvent.java     | 39 +++++++++++++++
+ .../netscape/cms/servlet/admin/AdminServlet.java   | 35 ++++----------
+ .../com/netscape/cms/servlet/base/CMSServlet.java  | 56 +++++++---------------
+ .../servlet/csadmin/SecurityDomainProcessor.java   | 15 +++---
+ .../cms/servlet/processors/CAProcessor.java        | 48 ++++++-------------
+ 5 files changed, 88 insertions(+), 105 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java
+new file mode 100644
+index 0000000..2715893
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/RoleAssumeEvent.java
+@@ -0,0 +1,39 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class RoleAssumeEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public RoleAssumeEvent(
++            String subjectID,
++            String outcome,
++            String groups) {
++
++        super(ROLE_ASSUME);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                groups
++        });
++    }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+index ecc6a7d..662a3e9 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+@@ -56,6 +56,7 @@ import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
+ import com.netscape.certsrv.logging.event.AuthzFailEvent;
+ import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
++import com.netscape.certsrv.logging.event.RoleAssumeEvent;
+ import com.netscape.certsrv.usrgrp.EUsrGrpException;
+ import com.netscape.certsrv.usrgrp.IUGSubsystem;
+ import com.netscape.certsrv.usrgrp.IUser;
+@@ -573,7 +574,7 @@ public class AdminServlet extends HttpServlet {
+      * @return the authorization token
+      */
+     protected AuthzToken authorize(HttpServletRequest req) {
+-        String auditMessage = null;
++
+         String auditSubjectID = auditSubjectID();
+         String auditACLResource = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+         String auditOperation = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+@@ -618,14 +619,10 @@ public class AdminServlet extends HttpServlet {
+                         auditACLResource,
+                         auditOperation));
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.ROLE_ASSUME,
++            audit(new RoleAssumeEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditGroups(auditSubjectID));
+-
+-            audit(auditMessage);
++                        auditGroups(auditSubjectID)));
+ 
+             return null;
+         } catch (EBaseException e) {
+@@ -637,14 +634,10 @@ public class AdminServlet extends HttpServlet {
+                         auditACLResource,
+                         auditOperation));
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.ROLE_ASSUME,
++            audit(new RoleAssumeEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditGroups(auditSubjectID));
+-
+-            audit(auditMessage);
++                        auditGroups(auditSubjectID)));
+ 
+             return null;
+         } catch (Exception e) {
+@@ -655,14 +648,10 @@ public class AdminServlet extends HttpServlet {
+                         auditACLResource,
+                         auditOperation));
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.ROLE_ASSUME,
++            audit(new RoleAssumeEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditGroups(auditSubjectID));
+-
+-            audit(auditMessage);
++                        auditGroups(auditSubjectID)));
+ 
+             return null;
+         }
+@@ -673,14 +662,10 @@ public class AdminServlet extends HttpServlet {
+                     auditACLResource,
+                     auditOperation));
+ 
+-        // store a message in the signed audit log file
+-        auditMessage = CMS.getLogMessage(
+-                    AuditEvent.ROLE_ASSUME,
++        audit(new RoleAssumeEvent(
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+-                    auditGroups(auditSubjectID));
+-
+-        audit(auditMessage);
++                    auditGroups(auditSubjectID)));
+ 
+         return authzTok;
+     }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+index afb109a..9dc7470 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+@@ -70,6 +70,7 @@ import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
+ import com.netscape.certsrv.logging.event.AuthzFailEvent;
+ import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
++import com.netscape.certsrv.logging.event.RoleAssumeEvent;
+ import com.netscape.certsrv.ra.IRegistrationAuthority;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+@@ -1815,7 +1816,7 @@ public abstract class CMSServlet extends HttpServlet {
+     public AuthzToken authorize(String authzMgrName, String resource, IAuthToken authToken,
+             String exp) throws EBaseException {
+         AuthzToken authzToken = null;
+-        String auditMessage = null;
++
+         String auditSubjectID = auditSubjectID();
+         String auditGroupID = auditGroupID();
+         String auditACLResource = resource;
+@@ -1831,14 +1832,11 @@ public abstract class CMSServlet extends HttpServlet {
+                             auditACLResource,
+                             auditOperation));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.ROLE_ASSUME,
++                audit(new RoleAssumeEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditGroupID);
++                            auditGroupID));
+ 
+-                audit(auditMessage);
+             } else {
+ 
+                 audit(new AuthzFailEvent(
+@@ -1847,13 +1845,10 @@ public abstract class CMSServlet extends HttpServlet {
+                             auditACLResource,
+                             auditOperation));
+ 
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.ROLE_ASSUME,
++                audit(new RoleAssumeEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditGroupID);
+-
+-                audit(auditMessage);
++                            auditGroupID));
+             }
+             return authzToken;
+         } catch (Exception e) {
+@@ -1864,13 +1859,11 @@ public abstract class CMSServlet extends HttpServlet {
+                         auditACLResource,
+                         auditOperation));
+ 
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.ROLE_ASSUME,
++            audit(new RoleAssumeEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditGroupID);
++                        auditGroupID));
+ 
+-            audit(auditMessage);
+             throw new EBaseException(e.toString());
+         }
+     }
+@@ -1900,7 +1893,7 @@ public abstract class CMSServlet extends HttpServlet {
+     public AuthzToken authorize(String authzMgrName, IAuthToken authToken,
+             String resource, String operation)
+             throws EBaseException {
+-        String auditMessage = null;
++
+         String auditSubjectID = auditSubjectID();
+         String auditGroupID = auditGroupID();
+         String auditID = auditSubjectID;
+@@ -1958,14 +1951,11 @@ public abstract class CMSServlet extends HttpServlet {
+                             auditACLResource,
+                             auditOperation));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.ROLE_ASSUME,
++                audit(new RoleAssumeEvent(
+                             auditID,
+                             ILogger.SUCCESS,
+-                            auditGroups(auditSubjectID));
++                            auditGroups(auditSubjectID)));
+ 
+-                audit(auditMessage);
+             } else {
+ 
+                 audit(new AuthzFailEvent(
+@@ -1974,14 +1964,10 @@ public abstract class CMSServlet extends HttpServlet {
+                             auditACLResource,
+                             auditOperation));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.ROLE_ASSUME,
++                audit(new RoleAssumeEvent(
+                             auditID,
+                             ILogger.FAILURE,
+-                            auditGroups(auditSubjectID));
+-
+-                audit(auditMessage);
++                            auditGroups(auditSubjectID)));
+             }
+ 
+             return authzTok;
+@@ -1993,14 +1979,10 @@ public abstract class CMSServlet extends HttpServlet {
+                         auditACLResource,
+                         auditOperation));
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.ROLE_ASSUME,
++            audit(new RoleAssumeEvent(
+                         auditID,
+                         ILogger.FAILURE,
+-                        auditGroups(auditSubjectID));
+-
+-            audit(auditMessage);
++                        auditGroups(auditSubjectID)));
+ 
+             return null;
+         } catch (Exception eAudit1) {
+@@ -2011,14 +1993,10 @@ public abstract class CMSServlet extends HttpServlet {
+                         auditACLResource,
+                         auditOperation));
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.ROLE_ASSUME,
++            audit(new RoleAssumeEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditGroups(auditSubjectID));
+-
+-            audit(auditMessage);
++                        auditGroups(auditSubjectID)));
+ 
+             return null;
+         }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+index cd769db..dc28a7c 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+@@ -45,6 +45,7 @@ import com.netscape.certsrv.base.UnauthorizedException;
+ import com.netscape.certsrv.ldap.ILdapConnFactory;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.RoleAssumeEvent;
+ import com.netscape.certsrv.system.DomainInfo;
+ import com.netscape.certsrv.system.InstallToken;
+ import com.netscape.certsrv.system.SecurityDomainHost;
+@@ -89,22 +90,19 @@ public class SecurityDomainProcessor extends CAProcessor {
+         CMS.debug("SecurityDomainProcessor: group: " + group);
+ 
+         if (!ugSubsystem.isMemberOf(user, group)) {
+-            String message = CMS.getLogMessage(
+-                    AuditEvent.ROLE_ASSUME,
++
++            audit(new RoleAssumeEvent(
+                     user,
+                     ILogger.FAILURE,
+-                    group);
+-            audit(message);
++                    group));
+ 
+             throw new UnauthorizedException("User " + user + " is not a member of " + group + " group.");
+         }
+ 
+-        String message = CMS.getLogMessage(
+-                AuditEvent.ROLE_ASSUME,
++        audit(new RoleAssumeEvent(
+                 user,
+                 ILogger.SUCCESS,
+-                group);
+-        audit(message);
++                group));
+ 
+         String ip = "";
+         try {
+@@ -123,6 +121,7 @@ public class SecurityDomainProcessor extends CAProcessor {
+ 
+         ISecurityDomainSessionTable ctable = CMS.getSecurityDomainSessionTable();
+         int status = ctable.addEntry(sessionID, ip, user, group);
++        String message;
+ 
+         if (status == ISecurityDomainSessionTable.SUCCESS) {
+             message = CMS.getLogMessage(
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index 1d04f3a..74f501f 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -57,6 +57,7 @@ import com.netscape.certsrv.logging.event.AuthFailEvent;
+ import com.netscape.certsrv.logging.event.AuthSuccessEvent;
+ import com.netscape.certsrv.logging.event.AuthzFailEvent;
+ import com.netscape.certsrv.logging.event.AuthzSuccessEvent;
++import com.netscape.certsrv.logging.event.RoleAssumeEvent;
+ import com.netscape.certsrv.profile.IProfile;
+ import com.netscape.certsrv.profile.IProfileAuthenticator;
+ import com.netscape.certsrv.profile.IProfileSubsystem;
+@@ -700,7 +701,7 @@ public class CAProcessor extends Processor {
+     public AuthzToken authorize(String authzMgrName, String resource, IAuthToken authToken,
+             String exp) throws EBaseException {
+         AuthzToken authzToken = null;
+-        String auditMessage = null;
++
+         String auditSubjectID = auditSubjectID();
+         String auditGroupID = auditGroupID();
+         String auditACLResource = resource;
+@@ -716,14 +717,11 @@ public class CAProcessor extends Processor {
+                         auditACLResource,
+                         auditOperation));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.ROLE_ASSUME,
++                audit(new RoleAssumeEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditGroupID);
++                        auditGroupID));
+ 
+-                audit(auditMessage);
+             } else {
+ 
+                 audit(new AuthzFailEvent(
+@@ -732,13 +730,10 @@ public class CAProcessor extends Processor {
+                         auditACLResource,
+                         auditOperation));
+ 
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.ROLE_ASSUME,
++                audit(new RoleAssumeEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditGroupID);
+-
+-                audit(auditMessage);
++                        auditGroupID));
+             }
+             return authzToken;
+         } catch (EBaseException e) {
+@@ -749,13 +744,11 @@ public class CAProcessor extends Processor {
+                     auditACLResource,
+                     auditOperation));
+ 
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.ROLE_ASSUME,
++            audit(new RoleAssumeEvent(
+                     auditSubjectID,
+                     ILogger.FAILURE,
+-                    auditGroupID);
++                    auditGroupID));
+ 
+-            audit(auditMessage);
+             throw e;
+         }
+     }
+@@ -784,7 +777,7 @@ public class CAProcessor extends Processor {
+      */
+     public AuthzToken authorize(String authzMgrName, IAuthToken authToken,
+             String resource, String operation) {
+-        String auditMessage = null;
++
+         String auditSubjectID = auditSubjectID();
+         String auditGroupID = auditGroupID();
+         String auditID = auditSubjectID;
+@@ -842,14 +835,11 @@ public class CAProcessor extends Processor {
+                         auditACLResource,
+                         auditOperation));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.ROLE_ASSUME,
++                audit(new RoleAssumeEvent(
+                         auditID,
+                         ILogger.SUCCESS,
+-                        auditGroups(auditSubjectID));
++                        auditGroups(auditSubjectID)));
+ 
+-                audit(auditMessage);
+             } else {
+ 
+                 audit(new AuthzFailEvent(
+@@ -858,14 +848,10 @@ public class CAProcessor extends Processor {
+                         auditACLResource,
+                         auditOperation));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.ROLE_ASSUME,
++                audit(new RoleAssumeEvent(
+                         auditID,
+                         ILogger.FAILURE,
+-                        auditGroups(auditSubjectID));
+-
+-                audit(auditMessage);
++                        auditGroups(auditSubjectID)));
+             }
+ 
+             return authzTok;
+@@ -877,14 +863,10 @@ public class CAProcessor extends Processor {
+                     auditACLResource,
+                     auditOperation));
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.ROLE_ASSUME,
++            audit(new RoleAssumeEvent(
+                     auditID,
+                     ILogger.FAILURE,
+-                    auditGroups(auditSubjectID));
+-
+-            audit(auditMessage);
++                    auditGroups(auditSubjectID)));
+ 
+             return null;
+         }
+-- 
+1.8.3.1
+
+
+From 3d9ef95a913af023958b79ef383853cf958757e0 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 21 Apr 2017 04:55:00 +0200
+Subject: [PATCH 29/49] Added ConfigRoleEvent.
+
+A new ConfigRoleEvent class of has been added to encapsulate the
+CONFIG_ROLE events.
+
+https://pagure.io/dogtagpki/issue/2641
+
+Change-Id: Ie0932131d75897f58afdd8217454c6cf6970d738
+---
+ .../certsrv/logging/event/ConfigRoleEvent.java     |  39 ++
+ .../cms/profile/updater/SubsystemGroupUpdater.java |  37 +-
+ .../cms/servlet/admin/GroupMemberProcessor.java    |  10 +-
+ .../cms/servlet/admin/UsrGrpAdminServlet.java      | 500 ++++++---------------
+ .../netscape/cms/servlet/csadmin/RegisterUser.java |  40 +-
+ .../cms/servlet/csadmin/UpdateDomainXML.java       |  44 +-
+ .../netscape/cms/servlet/processors/Processor.java |  13 -
+ .../org/dogtagpki/server/rest/GroupService.java    |  10 +-
+ .../src/org/dogtagpki/server/rest/UserService.java |  18 +-
+ 9 files changed, 264 insertions(+), 447 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java
+new file mode 100644
+index 0000000..695712b
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java
+@@ -0,0 +1,39 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class ConfigRoleEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public ConfigRoleEvent(
++            String subjectID,
++            String outcome,
++            String params) {
++
++        super(CONFIG_ROLE);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                params
++        });
++    }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+index 4ecc255..276c5b5 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
++++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+@@ -28,6 +28,7 @@ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.ConfigRoleEvent;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.profile.IProfile;
+@@ -102,7 +103,6 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+     public void update(IRequest req, RequestStatus status)
+             throws EProfileException {
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+ 
+         CMS.debug("SubsystemGroupUpdater update starts");
+@@ -163,12 +163,11 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+ 
+             system.addUser(user);
+             CMS.debug("SubsystemGroupUpdater update: successfully add the user");
+-            auditMessage = CMS.getLogMessage(
+-                               AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                                auditSubjectID,
+                                ILogger.SUCCESS,
+-                               auditParams);
+-            audit(auditMessage);
++                               auditParams));
+ 
+             String b64 = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+             try {
+@@ -188,12 +187,11 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+ 
+             system.addUserCert(user);
+             CMS.debug("SubsystemGroupUpdater update: successfully add the user certificate");
+-            auditMessage = CMS.getLogMessage(
+-                               AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                                auditSubjectID,
+                                ILogger.SUCCESS,
+-                               auditParams);
+-            audit(auditMessage);
++                               auditParams));
+ 
+         } catch (ConflictingOperationException e) {
+             CMS.debug("UpdateSubsystemGroup: update " + e.toString());
+@@ -201,12 +199,12 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+ 
+         } catch (Exception e) {
+             CMS.debug("UpdateSubsystemGroup: update addUser " + e.toString());
+-            auditMessage = CMS.getLogMessage(
+-                               AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                                auditSubjectID,
+                                ILogger.FAILURE,
+-                               auditParams);
+-            audit(auditMessage);
++                               auditParams));
++
+             throw new EProfileException(e.toString());
+         }
+ 
+@@ -232,12 +230,10 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+                 group.addMemberName(id);
+                 system.modifyGroup(group);
+ 
+-                auditMessage = CMS.getLogMessage(
+-                               AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                                auditSubjectID,
+                                ILogger.SUCCESS,
+-                               auditParams);
+-                audit(auditMessage);
++                               auditParams));
+ 
+                 CMS.debug("UpdateSubsystemGroup: update: successfully added the user to the group.");
+             } else {
+@@ -245,12 +241,11 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
+             }
+         } catch (Exception e) {
+             CMS.debug("UpdateSubsystemGroup update: modifyGroup " + e.toString());
+-            auditMessage = CMS.getLogMessage(
+-                               AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                                auditSubjectID,
+                                ILogger.FAILURE,
+-                               auditParams);
+-            audit(auditMessage);
++                               auditParams));
+         }
+     }
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java
+index 00f960e..c6ae5b1 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java
+@@ -43,9 +43,9 @@ import com.netscape.certsrv.group.GroupMemberCollection;
+ import com.netscape.certsrv.group.GroupMemberData;
+ import com.netscape.certsrv.group.GroupNotFoundException;
+ import com.netscape.certsrv.group.GroupResource;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.ConfigRoleEvent;
+ import com.netscape.certsrv.usrgrp.IGroup;
+ import com.netscape.certsrv.usrgrp.IUGSubsystem;
+ import com.netscape.cms.servlet.processors.Processor;
+@@ -388,6 +388,12 @@ public class GroupMemberProcessor extends Processor {
+     }
+ 
+     public void audit(String type, String id, Map<String, String> params, String status) {
+-        audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUP_MEMBERS, type, id, params, status);
++
++        if (auditor == null) return;
++
++        auditor.log(new ConfigRoleEvent(
++                auditor.getSubjectID(),
++                status,
++                auditor.getParamString(ScopeDef.SC_GROUP_MEMBERS, type, id, params)));
+     }
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
+index 1c38b88..183fbea 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
+@@ -31,9 +31,6 @@ import javax.servlet.ServletException;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+ 
+-import netscape.security.pkcs.PKCS7;
+-import netscape.security.x509.X509CertImpl;
+-
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.crypto.InternalCertificate;
+ 
+@@ -48,9 +45,9 @@ import com.netscape.certsrv.common.Constants;
+ import com.netscape.certsrv.common.NameValuePairs;
+ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.ConfigRoleEvent;
+ import com.netscape.certsrv.password.IPasswordCheck;
+ import com.netscape.certsrv.usrgrp.EUsrGrpException;
+ import com.netscape.certsrv.usrgrp.IGroup;
+@@ -60,6 +57,9 @@ import com.netscape.certsrv.usrgrp.IUser;
+ import com.netscape.cmsutil.util.Cert;
+ import com.netscape.cmsutil.util.Utils;
+ 
++import netscape.security.pkcs.PKCS7;
++import netscape.security.x509.X509CertImpl;
++
+ /**
+  * A class representing an administration servlet for
+  * User/Group Manager. It communicates with client
+@@ -667,7 +667,6 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             HttpServletResponse resp) throws ServletException,
+             IOException, EBaseException {
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -678,14 +677,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             if (id == null) {
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+@@ -697,14 +692,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 // backslashes (BS) are not allowed
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_RS_ID_BS"));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_RS_ID_BS"),
+@@ -716,14 +707,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 // backslashes (BS) are not allowed
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_SPECIAL_ID", id));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_SPECIAL_ID", id),
+@@ -739,14 +726,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 log(ILogger.LL_FAILURE, msg);
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR, msg, null, resp);
+                 return;
+@@ -766,14 +749,11 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 IPasswordCheck passwdCheck = CMS.getPasswordChecker();
+ 
+                 if (!passwdCheck.isGoodPassword(pword)) {
+-                    // store a message in the signed audit log file
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_ROLE,
++
++                    audit(new ConfigRoleEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+ 
+                     throw new EUsrGrpException(passwdCheck.getReason(pword));
+ 
+@@ -819,14 +799,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                     } catch (Exception ex) {
+                         ex.printStackTrace();
+ 
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CONFIG_ROLE,
++                        audit(new ConfigRoleEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+-                                    auditParams(req));
+-
+-                        audit(auditMessage);
++                                    auditParams(req)));
+ 
+                         sendResponse(ERROR,
+                                 CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp);
+@@ -842,14 +818,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                         } catch (Exception ex) {
+                             log(ILogger.LL_FAILURE, ex.toString());
+ 
+-                            // store a message in the signed audit log file
+-                            auditMessage = CMS.getLogMessage(
+-                                        AuditEvent.CONFIG_ROLE,
++                            audit(new ConfigRoleEvent(
+                                         auditSubjectID,
+                                         ILogger.FAILURE,
+-                                        auditParams(req));
+-
+-                            audit(auditMessage);
++                                        auditParams(req)));
+ 
+                             sendResponse(ERROR,
+                                     CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp);
+@@ -868,28 +840,20 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 NameValuePairs params = new NameValuePairs();
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(SUCCESS, null, params, resp);
+                 return;
+             } catch (EUsrGrpException e) {
+                 log(ILogger.LL_FAILURE, e.toString());
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 if (user.getUserID() == null) {
+                     sendResponse(ERROR,
+@@ -903,40 +867,30 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 log(ILogger.LL_FAILURE, e.toString());
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_ADD_FAILED"), null, resp);
+                 return;
+             }
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -978,7 +932,6 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             HttpServletResponse resp) throws ServletException,
+             IOException, EBaseException {
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -989,14 +942,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             if (id == null) {
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+@@ -1012,14 +961,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             if (certsString == null) {
+                 NameValuePairs params = new NameValuePairs();
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(SUCCESS, null, params, resp);
+                 return;
+@@ -1052,14 +997,11 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                     X509Certificate p7certs[] = pkcs7.getCertificates();
+ 
+                     if (p7certs.length == 0) {
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CONFIG_ROLE,
++
++                        audit(new ConfigRoleEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+-                                    auditParams(req));
+-
+-                        audit(auditMessage);
++                                    auditParams(req)));
+ 
+                         sendResponse(ERROR,
+                                 CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp);
+@@ -1087,14 +1029,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                         // not a chain, or in random order
+                         CMS.debug("UsrGrpAdminServlet: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_BAD_CHAIN"));
+ 
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CONFIG_ROLE,
++                        audit(new ConfigRoleEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+-                                    auditParams(req));
+-
+-                        audit(auditMessage);
++                                    auditParams(req)));
+ 
+                         sendResponse(ERROR,
+                                 CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp);
+@@ -1153,14 +1091,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                     //-----
+                     log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_ERROR", ex.toString()));
+ 
+-                    // store a message in the signed audit log file
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_ROLE,
++                    audit(new ConfigRoleEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+ 
+                     sendResponse(ERROR,
+                             CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_ERROR"), null, resp);
+@@ -1169,14 +1103,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_O_ERROR", e.toString()));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_O_ERROR"), null, resp);
+@@ -1191,14 +1121,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 mMgr.addUserCert(user);
+                 NameValuePairs params = new NameValuePairs();
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(SUCCESS, null, params, resp);
+                 return;
+@@ -1207,14 +1133,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_CERT_EXPIRED",
+                         String.valueOf(certs[0].getSubjectDN())));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_EXPIRED"), null, resp);
+@@ -1223,28 +1145,21 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_NOT_YET_VALID",
+                         String.valueOf(certs[0].getSubjectDN())));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_CERT_NOT_YET_VALID"), null, resp);
+                 return;
+ 
+             } catch (ConflictingOperationException e) {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_USER_CERT_EXISTS"), null, resp);
+@@ -1253,14 +1168,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             } catch (Exception e) {
+                 log(ILogger.LL_FAILURE, e.toString());
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp);
+@@ -1279,14 +1190,11 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             //     // rethrow the specific exception to be handled later
+             //     throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -1331,7 +1239,6 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             HttpServletResponse resp) throws ServletException,
+             IOException, EBaseException {
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -1342,14 +1249,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             if (id == null) {
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+@@ -1364,14 +1267,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             if (certDN == null) {
+                 NameValuePairs params = new NameValuePairs();
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(SUCCESS, null, params, resp);
+                 return;
+@@ -1382,28 +1281,20 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 mMgr.removeUserCert(user);
+                 NameValuePairs params = new NameValuePairs();
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(SUCCESS, null, params, resp);
+                 return;
+             } catch (Exception e) {
+                 log(ILogger.LL_FAILURE, e.toString());
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp);
+@@ -1422,14 +1313,11 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             //     // rethrow the specific exception to be handled later
+             //     throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -1474,7 +1362,6 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             HttpServletResponse resp) throws ServletException,
+             IOException, EBaseException {
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -1493,14 +1380,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             if (id == null) {
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+@@ -1515,14 +1398,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             } catch (Exception ex) {
+                 ex.printStackTrace();
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR, CMS.getUserMessage(getLocale(req), "CMS_INTERNAL_ERROR"), null, resp);
+                 return;
+@@ -1535,14 +1414,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                     if (mustDelete) {
+                         mMgr.removeUserFromGroup(group, id);
+                     } else {
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CONFIG_ROLE,
++                        audit(new ConfigRoleEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+-                                    auditParams(req));
+-
+-                        audit(auditMessage);
++                                    auditParams(req)));
+ 
+                         sendResponse(ERROR,
+                                 CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_FAIL_USER_RMV_G"),
+@@ -1557,52 +1432,39 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 mMgr.removeUser(id);
+                 NameValuePairs params = new NameValuePairs();
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(SUCCESS, null, params, resp);
+                 return;
+             } catch (Exception ex) {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_USRGRP_SRVLT_FAIL_USER_RMV"), null, resp);
+                 return;
+             }
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -1644,7 +1506,6 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             HttpServletResponse resp) throws ServletException,
+             IOException, EBaseException {
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -1656,14 +1517,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             if (id == null) {
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+@@ -1694,26 +1551,19 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 mMgr.addGroup(group);
+                 NameValuePairs params = new NameValuePairs();
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(SUCCESS, null, params, resp);
+                 return;
+             } catch (Exception e) {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_USRGRP_GROUP_ADD_FAILED"),
+@@ -1721,26 +1571,20 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 return;
+             }
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -1782,7 +1626,6 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             HttpServletResponse resp) throws ServletException,
+             IOException, EBaseException {
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -1794,14 +1637,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             if (id == null) {
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+@@ -1813,37 +1652,27 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             mMgr.removeGroup(id);
+             NameValuePairs params = new NameValuePairs();
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             sendResponse(SUCCESS, null, params, resp);
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -1887,7 +1716,6 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             HttpServletResponse resp) throws ServletException,
+             IOException, EBaseException {
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -1899,14 +1727,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             if (id == null) {
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+@@ -1952,14 +1776,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                             if (!isDuplicate(groupName, memberName)) {
+                                 group.addMemberName(memberName);
+                             } else {
+-                                // store a message in the signed audit log file
+-                                auditMessage = CMS.getLogMessage(
+-                                            AuditEvent.CONFIG_ROLE,
++                                audit(new ConfigRoleEvent(
+                                             auditSubjectID,
+                                             ILogger.FAILURE,
+-                                            auditParams(req));
+-
+-                                audit(auditMessage);
++                                            auditParams(req)));
+ 
+                                 throw new EBaseException(CMS.getUserMessage("CMS_BASE_DUPLICATE_ROLES", memberName));
+                             }
+@@ -1976,27 +1796,19 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 mMgr.modifyGroup(group);
+                 NameValuePairs params = new NameValuePairs();
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(SUCCESS, null, params, resp);
+             } catch (Exception e) {
+                 log(ILogger.LL_FAILURE, e.toString());
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_USRGRP_GROUP_MODIFY_FAILED"),
+@@ -2004,26 +1816,20 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 return;
+             }
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -2136,7 +1942,6 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             HttpServletResponse resp) throws ServletException,
+             IOException, EBaseException {
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -2148,14 +1953,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+             if (id == null) {
+                 log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_ADMIN_SRVLT_NULL_RS_ID"),
+@@ -2172,14 +1973,10 @@ public class UsrGrpAdminServlet extends AdminServlet {
+ 
+                 log(ILogger.LL_FAILURE, msg);
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR, msg, null, resp);
+                 return;
+@@ -2197,14 +1994,11 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 IPasswordCheck passwdCheck = CMS.getPasswordChecker();
+ 
+                 if (!passwdCheck.isGoodPassword(pword)) {
+-                    // store a message in the signed audit log file
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_ROLE,
++
++                    audit(new ConfigRoleEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+ 
+                     throw new EUsrGrpException(passwdCheck.getReason(pword));
+ 
+@@ -2228,54 +2022,40 @@ public class UsrGrpAdminServlet extends AdminServlet {
+                 mMgr.modifyUser(user);
+                 NameValuePairs params = new NameValuePairs();
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(SUCCESS, null, params, resp);
+                 return;
+             } catch (Exception e) {
+                 log(ILogger.LL_FAILURE, e.toString());
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(ERROR,
+                         CMS.getUserMessage(getLocale(req), "CMS_USRGRP_USER_MOD_FAILED"), null, resp);
+                 return;
+             }
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
+index 77ef4d8..f3a0164 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
+@@ -34,8 +34,8 @@ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.authorization.AuthzToken;
+ import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+ import com.netscape.certsrv.base.EBaseException;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.ConfigRoleEvent;
+ import com.netscape.certsrv.usrgrp.ICertUserLocator;
+ import com.netscape.certsrv.usrgrp.IGroup;
+ import com.netscape.certsrv.usrgrp.IUGSubsystem;
+@@ -144,7 +144,6 @@ public class RegisterUser extends CMSServlet {
+         CMS.debug("RegisterUser got name=" + name);
+         CMS.debug("RegisterUser got certsString=" + certsString);
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditParams = "Scope;;users+Operation;;OP_ADD+source;;RegisterUser" +
+                              "+Resource;;" + uid +
+@@ -199,12 +198,11 @@ public class RegisterUser extends CMSServlet {
+ 
+                 ugsys.addUser(user);
+                 CMS.debug("RegisterUser created user " + uid);
+-                auditMessage = CMS.getLogMessage(
+-                              AuditEvent.CONFIG_ROLE,
++
++                audit(new ConfigRoleEvent(
+                               auditSubjectID,
+                               ILogger.SUCCESS,
+-                              auditParams);
+-                audit(auditMessage);
++                              auditParams));
+             }
+ 
+             // concatenate lines
+@@ -218,23 +216,22 @@ public class RegisterUser extends CMSServlet {
+             if (!foundByCert) {
+                 ugsys.addUserCert(user);
+                 CMS.debug("RegisterUser added user certificate");
+-                auditMessage = CMS.getLogMessage(
+-                              AuditEvent.CONFIG_ROLE,
++
++                audit(new ConfigRoleEvent(
+                               auditSubjectID,
+                               ILogger.SUCCESS,
+-                              auditParams);
+-                audit(auditMessage);
++                              auditParams));
++
+             } else
+                 CMS.debug("RegisterUser no need to add user certificate");
+         } catch (Exception eee) {
+             CMS.debug("RegisterUser error " + eee.toString());
+-            auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams);
++                                auditParams));
+ 
+-            audit(auditMessage);
+             outputError(httpResp, "Error: Certificate malformed");
+             return;
+         }
+@@ -261,22 +258,17 @@ public class RegisterUser extends CMSServlet {
+                 ugsys.modifyGroup(group);
+                 CMS.debug("RegisterUser modified group");
+ 
+-                auditMessage = CMS.getLogMessage(
+-                               AuditEvent.CONFIG_ROLE,
++                audit(new ConfigRoleEvent(
+                                auditSubjectID,
+                                ILogger.SUCCESS,
+-                               auditParams);
+-
+-                audit(auditMessage);
++                               auditParams));
+             }
+         } catch (Exception e) {
+-            auditMessage = CMS.getLogMessage(
+-                               AuditEvent.CONFIG_ROLE,
++
++            audit(new ConfigRoleEvent(
+                                auditSubjectID,
+                                ILogger.FAILURE,
+-                               auditParams);
+-
+-            audit(auditMessage);
++                               auditParams));
+         }
+ 
+         // send success status back to the requestor
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+index 5872ab0..91d8983 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+@@ -28,13 +28,6 @@ import javax.servlet.ServletException;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+ 
+-import netscape.ldap.LDAPAttribute;
+-import netscape.ldap.LDAPAttributeSet;
+-import netscape.ldap.LDAPConnection;
+-import netscape.ldap.LDAPEntry;
+-import netscape.ldap.LDAPException;
+-import netscape.ldap.LDAPModification;
+-
+ import org.w3c.dom.Document;
+ import org.w3c.dom.Element;
+ import org.w3c.dom.Node;
+@@ -49,12 +42,20 @@ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.ldap.ILdapConnFactory;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.ConfigRoleEvent;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.base.UserInfo;
+ import com.netscape.cms.servlet.common.CMSRequest;
+ import com.netscape.cms.servlet.common.ICMSTemplateFiller;
+ import com.netscape.cmsutil.xml.XMLObject;
+ 
++import netscape.ldap.LDAPAttribute;
++import netscape.ldap.LDAPAttributeSet;
++import netscape.ldap.LDAPConnection;
++import netscape.ldap.LDAPEntry;
++import netscape.ldap.LDAPException;
++import netscape.ldap.LDAPModification;
++
+ public class UpdateDomainXML extends CMSServlet {
+ 
+     /**
+@@ -368,12 +369,11 @@ public class UpdateDomainXML extends CMSServlet {
+                     // remove the user for this subsystem's admin
+                     status2 = remove_from_ldap(adminUserDN);
+                     if (status2.equals(SUCCESS)) {
+-                        auditMessage = CMS.getLogMessage(
+-                                               AuditEvent.CONFIG_ROLE,
++
++                        audit(new ConfigRoleEvent(
+                                                auditSubjectID,
+                                                ILogger.SUCCESS,
+-                                               userAuditParams);
+-                        audit(auditMessage);
++                                               userAuditParams));
+ 
+                         // remove this user from the subsystem group
+                         userAuditParams = "Scope;;groups+Operation;;OP_DELETE_USER" +
+@@ -384,26 +384,26 @@ public class UpdateDomainXML extends CMSServlet {
+                                 new LDAPAttribute("uniqueMember", adminUserDN));
+                         status2 = modify_ldap(dn, mod);
+                         if (status2.equals(SUCCESS)) {
+-                            auditMessage = CMS.getLogMessage(
+-                                                   AuditEvent.CONFIG_ROLE,
++
++                            audit(new ConfigRoleEvent(
+                                                    auditSubjectID,
+                                                    ILogger.SUCCESS,
+-                                                   userAuditParams);
++                                                   userAuditParams));
++
+                         } else {
+-                            auditMessage = CMS.getLogMessage(
+-                                                   AuditEvent.CONFIG_ROLE,
++
++                            audit(new ConfigRoleEvent(
+                                                    auditSubjectID,
+                                                    ILogger.FAILURE,
+-                                                   userAuditParams);
++                                                   userAuditParams));
+                         }
+-                        audit(auditMessage);
++
+                     } else { // error deleting user
+-                        auditMessage = CMS.getLogMessage(
+-                                               AuditEvent.CONFIG_ROLE,
++
++                        audit(new ConfigRoleEvent(
+                                                auditSubjectID,
+                                                ILogger.FAILURE,
+-                                               userAuditParams);
+-                        audit(auditMessage);
++                                               userAuditParams));
+                     }
+                 }
+             } else {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/Processor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/Processor.java
+index 64344d2..ffe707c 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/Processor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/Processor.java
+@@ -60,19 +60,6 @@ public class Processor {
+         return map;
+     }
+ 
+-    public void audit(String message, String scope, String type, String id, Map<String, String> params, String status) {
+-
+-        if (auditor == null) return;
+-
+-        String auditMessage = CMS.getLogMessage(
+-                message,
+-                auditor.getSubjectID(),
+-                status,
+-                auditor.getParamString(scope, type, id, params));
+-
+-        auditor.log(auditMessage);
+-    }
+-
+     public void log(int source, int level, String message) {
+ 
+         if (logger == null) return;
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
+index 4aa0209..6292cf8 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
+@@ -40,8 +40,8 @@ import com.netscape.certsrv.group.GroupData;
+ import com.netscape.certsrv.group.GroupMemberData;
+ import com.netscape.certsrv.group.GroupNotFoundException;
+ import com.netscape.certsrv.group.GroupResource;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.ConfigRoleEvent;
+ import com.netscape.certsrv.usrgrp.IGroup;
+ import com.netscape.certsrv.usrgrp.IGroupConstants;
+ import com.netscape.certsrv.usrgrp.IUGSubsystem;
+@@ -432,6 +432,12 @@ public class GroupService extends SubsystemService implements GroupResource {
+     }
+ 
+     public void audit(String type, String id, Map<String, String> params, String status) {
+-        audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUPS, type, id, params, status);
++
++        if (auditor == null) return;
++
++        auditor.log(new ConfigRoleEvent(
++                auditor.getSubjectID(),
++                status,
++                auditor.getParamString(ScopeDef.SC_GROUPS, type, id, params)));
+     }
+ }
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
+index e10c4f5..ec690d6 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
+@@ -52,8 +52,8 @@ import com.netscape.certsrv.common.OpDef;
+ import com.netscape.certsrv.common.ScopeDef;
+ import com.netscape.certsrv.dbs.certdb.CertId;
+ import com.netscape.certsrv.group.GroupMemberData;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.ConfigRoleEvent;
+ import com.netscape.certsrv.password.IPasswordCheck;
+ import com.netscape.certsrv.user.UserCertCollection;
+ import com.netscape.certsrv.user.UserCertData;
+@@ -1227,10 +1227,22 @@ public class UserService extends SubsystemService implements UserResource {
+     }
+ 
+     public void auditUser(String type, String id, Map<String, String> params, String status) {
+-        audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status);
++
++        if (auditor == null) return;
++
++        auditor.log(new ConfigRoleEvent(
++                auditor.getSubjectID(),
++                status,
++                auditor.getParamString(ScopeDef.SC_USERS, type, id, params)));
+     }
+ 
+     public void auditUserCert(String type, String id, Map<String, String> params, String status) {
+-        audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status);
++
++        if (auditor == null) return;
++
++        auditor.log(new ConfigRoleEvent(
++                auditor.getSubjectID(),
++                status,
++                auditor.getParamString(ScopeDef.SC_USER_CERTS, type, id, params)));
+     }
+ }
+-- 
+1.8.3.1
+
+
+From 692b2d776397b8fd2e4dfbab3a5d2ac407c440de Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 12 Apr 2017 21:45:12 +0200
+Subject: [PATCH 30/49] Added CertRequestProcessedEvent.
+
+A new CertRequestProcessedEvent class of has been added to
+encapsulate the CERT_REQUEST_PROCESSED events.
+
+https://pagure.io/dogtagpki/issue/2636
+
+Change-Id: Ia79e6ae13d09a3ec6509c60435fc24d5a2fee38f
+---
+ .../logging/event/CertRequestProcessedEvent.java   |  43 +++++++
+ .../netscape/cms/servlet/cert/CertProcessor.java   |  26 ++---
+ .../netscape/cms/servlet/cert/EnrollServlet.java   |  50 +++------
+ .../cms/servlet/cert/RequestProcessor.java         |  42 ++-----
+ .../cms/servlet/connector/ConnectorServlet.java    |  19 ++--
+ .../servlet/profile/ProfileSubmitCMCServlet.java   |  38 +++----
+ .../cms/servlet/request/ProcessCertReq.java        | 125 +++++++--------------
+ 7 files changed, 138 insertions(+), 205 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
 new file mode 100644
-index 0000000..5e7d273
+index 0000000..1703f65
 --- /dev/null
-+++ b/base/server/upgrade/10.3.4/.gitignore
-@@ -0,0 +1,4 @@
-+# Ignore everything in this directory
-+*
-+# Except this file
-+!.gitignore
-diff --git a/base/server/upgrade/10.3.5/01-FixServerLibrary b/base/server/upgrade/10.3.5/01-FixServerLibrary
++++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
+@@ -0,0 +1,43 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class CertRequestProcessedEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public CertRequestProcessedEvent(
++            String subjectID,
++            String outcome,
++            String requesterID,
++            String infoName,
++            String infoValue) {
++
++        super(CERT_REQUEST_PROCESSED);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                requesterID,
++                infoName,
++                infoValue
++        });
++    }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+index c16d8e0..2a60cb0 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+@@ -32,8 +32,8 @@ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.EPropertyNotFound;
+ import com.netscape.certsrv.cert.CertEnrollmentRequest;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.CertRequestProcessedEvent;
+ import com.netscape.certsrv.profile.EDeferException;
+ import com.netscape.certsrv.profile.ERejectException;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+@@ -217,7 +217,6 @@ public class CertProcessor extends CAProcessor {
+     }
+ 
+     protected String submitRequests(Locale locale, IProfile profile, IAuthToken authToken, IRequest[] reqs) {
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = ILogger.UNIDENTIFIED;
+         String errorCode = null;
+@@ -252,16 +251,13 @@ public class CertProcessor extends CAProcessor {
+                 if (auditInfoCertValue != null) {
+                     if (!(auditInfoCertValue.equals(
+                             ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++
++                        audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+                                 ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                auditInfoCertValue);
+-
+-                        audit(auditMessage);
++                                auditInfoCertValue));
+                     }
+                 }
+             } catch (EDeferException e) {
+@@ -288,16 +284,13 @@ public class CertProcessor extends CAProcessor {
+                 req.setExtData(IRequest.ERROR, e.toString());
+                 req.setExtData(IRequest.ERROR_CODE, errorCode);
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CERT_REQUEST_PROCESSED,
++                audit(new CertRequestProcessedEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+                         ILogger.SIGNED_AUDIT_REJECTION,
+-                        codeToReason(locale, errorCode, e.toString(), req.getRequestId()));
++                        codeToReason(locale, errorCode, e.toString(), req.getRequestId())));
+ 
+-                audit(auditMessage);
+             } catch (Throwable e) {
+                 // return error to the user
+                 CMS.debug(e);
+@@ -307,15 +300,12 @@ public class CertProcessor extends CAProcessor {
+                 req.setExtData(IRequest.ERROR, errorReason);
+                 req.setExtData(IRequest.ERROR_CODE, errorCode);
+ 
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CERT_REQUEST_PROCESSED,
++                audit(new CertRequestProcessedEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+                         ILogger.SIGNED_AUDIT_REJECTION,
+-                        errorReason);
+-
+-                audit(auditMessage);
++                        errorReason));
+             }
+ 
+             try {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
+index 6f01d2a..cb2b76f 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
+@@ -53,6 +53,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.CertRequestProcessedEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.RequestStatus;
+ import com.netscape.certsrv.usrgrp.IGroup;
+@@ -1368,29 +1369,23 @@ public class EnrollServlet extends CMSServlet {
+                     for (int i = 0; i < issuedCerts.length; i++) {
+                         // (automated "agent" cert request processed
+                         //  - "accepted")
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CERT_REQUEST_PROCESSED,
++                        audit(new CertRequestProcessedEvent(
+                                     auditSubjectID,
+                                     ILogger.SUCCESS,
+                                     auditRequesterID,
+                                     ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                    auditInfoCertValue(issuedCerts[i]));
+-
+-                        audit(auditMessage);
++                                    auditInfoCertValue(issuedCerts[i])));
+                     }
+                 } catch (IOException ex) {
+                     cmsReq.setStatus(ICMSRequest.ERROR);
+ 
+                     // (automated "agent" cert request processed - "rejected")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 ILogger.SIGNED_AUDIT_REJECTION,
+-                                SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[0]);
+-
+-                    audit(auditMessage);
++                                SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[0]));
+                 }
+ 
+                 return;
+@@ -1402,15 +1397,12 @@ public class EnrollServlet extends CMSServlet {
+ 
+             if (completed == false) {
+                 // (automated "agent" cert request processed - "rejected")
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CERT_REQUEST_PROCESSED,
++                audit(new CertRequestProcessedEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+                             ILogger.SIGNED_AUDIT_REJECTION,
+-                            SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[1]);
+-
+-                audit(auditMessage);
++                            SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[1]));
+ 
+                 return;
+             }
+@@ -1458,15 +1450,12 @@ public class EnrollServlet extends CMSServlet {
+ 
+                 for (int i = 0; i < issuedCerts.length; i++) {
+                     // (automated "agent" cert request processed - "accepted")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+                                 ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                auditInfoCertValue(issuedCerts[i]));
+-
+-                    audit(auditMessage);
++                                auditInfoCertValue(issuedCerts[i])));
+                 }
+ 
+                 return;
+@@ -1481,15 +1470,12 @@ public class EnrollServlet extends CMSServlet {
+ 
+                 for (int i = 0; i < issuedCerts.length; i++) {
+                     // (automated "agent" cert request processed - "accepted")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+                                 ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                auditInfoCertValue(issuedCerts[i]));
+-
+-                    audit(auditMessage);
++                                auditInfoCertValue(issuedCerts[i])));
+                 }
+             } catch (IOException e) {
+                 log(ILogger.LL_FAILURE,
+@@ -1498,15 +1484,12 @@ public class EnrollServlet extends CMSServlet {
+                                 e.toString()));
+ 
+                 // (automated "agent" cert request processed - "rejected")
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CERT_REQUEST_PROCESSED,
++                audit(new CertRequestProcessedEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+                             ILogger.SIGNED_AUDIT_REJECTION,
+-                            SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[2]);
+-
+-                audit(auditMessage);
++                            SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[2]));
+ 
+                 throw new ECMSGWException(
+                         CMS.getUserMessage("CMS_GW_RETURNING_RESULT_ERROR"));
+@@ -1514,15 +1497,12 @@ public class EnrollServlet extends CMSServlet {
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             // (automated "agent" cert request processed - "rejected")
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CERT_REQUEST_PROCESSED,
++            audit(new CertRequestProcessedEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRequesterID,
+                         ILogger.SIGNED_AUDIT_REJECTION,
+-                        SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[3]);
+-
+-            audit(auditMessage);
++                        SIGNED_AUDIT_AUTOMATED_REJECTION_REASON[3]));
+ 
+             throw eAudit1;
+         }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+index 474a2e5..66fe58c 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+@@ -25,8 +25,6 @@ import java.util.Locale;
+ 
+ import javax.servlet.http.HttpServletRequest;
+ 
+-import netscape.security.x509.X509CertImpl;
+-
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.authorization.AuthzToken;
+@@ -40,8 +38,8 @@ import com.netscape.certsrv.ca.AuthorityID;
+ import com.netscape.certsrv.ca.CANotFoundException;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.cert.CertReviewResponse;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.CertRequestProcessedEvent;
+ import com.netscape.certsrv.profile.EDeferException;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.ERejectException;
+@@ -62,6 +60,8 @@ import com.netscape.certsrv.request.RequestStatus;
+ import com.netscape.cms.servlet.common.CMSRequest;
+ import com.netscape.cms.servlet.profile.ProfileOutputFactory;
+ 
++import netscape.security.x509.X509CertImpl;
++
+ public class RequestProcessor extends CertProcessor {
+ 
+     public RequestProcessor(String id, Locale locale) throws EPropertyNotFound, EBaseException {
+@@ -275,23 +275,18 @@ public class RequestProcessor extends CertProcessor {
+      *                occurred
+      */
+     private void cancelRequest(IRequest req) throws EProfileException {
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID(req);
+         String auditInfoValue = auditInfoValue(req);
+ 
+         req.setRequestStatus(RequestStatus.CANCELED);
+ 
+-        // store a message in the signed audit log file
+-        auditMessage = CMS.getLogMessage(
+-                AuditEvent.CERT_REQUEST_PROCESSED,
++        audit(new CertRequestProcessedEvent(
+                 auditSubjectID,
+                 ILogger.SUCCESS,
+                 auditRequesterID,
+                 ILogger.SIGNED_AUDIT_CANCELLATION,
+-                auditInfoValue);
+-
+-        audit(auditMessage);
++                auditInfoValue));
+     }
+ 
+     /**
+@@ -311,23 +306,18 @@ public class RequestProcessor extends CertProcessor {
+      *                occurred
+      */
+     private void rejectRequest(IRequest req) throws EProfileException {
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID(req);
+         String auditInfoValue = auditInfoValue(req);
+ 
+         req.setRequestStatus(RequestStatus.REJECTED);
+ 
+-        // store a message in the signed audit log file
+-        auditMessage = CMS.getLogMessage(
+-                AuditEvent.CERT_REQUEST_PROCESSED,
++        audit(new CertRequestProcessedEvent(
+                 auditSubjectID,
+                 ILogger.SUCCESS,
+                 auditRequesterID,
+                 ILogger.SIGNED_AUDIT_REJECTION,
+-                auditInfoValue);
+-
+-        audit(auditMessage);
++                auditInfoValue));
+     }
+ 
+     /**
+@@ -374,7 +364,6 @@ public class RequestProcessor extends CertProcessor {
+      */
+     private void approveRequest(IRequest req, CertReviewResponse data, IProfile profile, Locale locale)
+             throws EBaseException {
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID(req);
+ 
+@@ -398,28 +387,21 @@ public class RequestProcessor extends CertProcessor {
+             X509CertImpl theCert = req.getExtDataInCert(
+                     IEnrollProfile.REQUEST_ISSUED_CERT);
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.CERT_REQUEST_PROCESSED,
++            audit(new CertRequestProcessedEvent(
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     auditRequesterID,
+                     ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                    auditInfoCertValue(theCert));
+-
+-            audit(auditMessage);
++                    auditInfoCertValue(theCert)));
+ 
+         } catch (EProfileException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.CERT_REQUEST_PROCESSED,
++
++            audit(new CertRequestProcessedEvent(
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditRequesterID,
+                     ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                    ILogger.SIGNED_AUDIT_EMPTY_VALUE);
+-
+-            audit(auditMessage);
++                    ILogger.SIGNED_AUDIT_EMPTY_VALUE));
+ 
+             CMS.debug("CertRequestExecutor: about to throw EProfileException because of bad profile execute.");
+             throw eAudit1;
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+index 6732e92..ee60187 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+@@ -52,6 +52,7 @@ import com.netscape.certsrv.connector.IRequestEncoder;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.CertRequestProcessedEvent;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.profile.IProfileSubsystem;
+@@ -626,16 +627,13 @@ public class ConnectorServlet extends CMSServlet {
+                     if (auditInfoCertValue != null) {
+                         if (!(auditInfoCertValue.equals(
+                                    ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+-                            // store a message in the signed audit log file
+-                            auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CERT_REQUEST_PROCESSED,
++
++                            audit(new CertRequestProcessedEvent(
+                                     auditSubjectID,
+                                     ILogger.SUCCESS,
+                                     auditRequesterID,
+                                     ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                    auditInfoCertValue);
+-
+-                            audit(auditMessage);
++                                    auditInfoCertValue));
+                         }
+                     }
+                 }
+@@ -648,16 +646,13 @@ public class ConnectorServlet extends CMSServlet {
+                     if (auditInfoCertValue != null) {
+                         if (!(auditInfoCertValue.equals(
+                                    ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+-                            // store a message in the signed audit log file
+-                            auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CERT_REQUEST_PROCESSED,
++
++                            audit(new CertRequestProcessedEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+                                     ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                    auditInfoCertValue);
+-
+-                            audit(auditMessage);
++                                    auditInfoCertValue));
+                         }
+                     }
+                 }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index c3ada9a..28f777b 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -44,8 +44,8 @@ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.authorization.AuthzToken;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.SessionContext;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.CertRequestProcessedEvent;
+ import com.netscape.certsrv.profile.EDeferException;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.ERejectException;
+@@ -639,7 +639,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+             }
+         } //for
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = ILogger.UNIDENTIFIED;
+ 
+@@ -677,16 +676,13 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                     if (auditInfoCertValue != null) {
+                         if (!(auditInfoCertValue.equals(
+                                     ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+-                            // store a message in the signed audit log file
+-                            auditMessage = CMS.getLogMessage(
+-                                        AuditEvent.CERT_REQUEST_PROCESSED,
++
++                            audit(new CertRequestProcessedEvent(
+                                         auditSubjectID,
+                                         ILogger.SUCCESS,
+                                         auditRequesterID,
+                                         ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                        auditInfoCertValue);
+-
+-                            audit(auditMessage);
++                                        auditInfoCertValue));
+                         }
+                     }
+                 } catch (EDeferException e) {
+@@ -733,31 +729,26 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+ 
+                 if (errorCode != null) {
+                     if (errorCode.equals("1")) {
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CERT_REQUEST_PROCESSED,
++
++                        audit(new CertRequestProcessedEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+                                     ILogger.SIGNED_AUDIT_REJECTION,
+-                                    errorReason);
++                                    errorReason));
+ 
+-                        audit(auditMessage);
+                     } else if (errorCode.equals("2")) {
+                         // do NOT store a message in the signed audit log file
+                         // as this errorCode indicates that a process has been
+                         // deferred for manual acceptance/cancellation/rejection
+                     } else if (errorCode.equals("3")) {
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CERT_REQUEST_PROCESSED,
++
++                        audit(new CertRequestProcessedEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+                                     ILogger.SIGNED_AUDIT_REJECTION,
+-                                    errorReason);
+-
+-                        audit(auditMessage);
++                                    errorReason));
+                     }
+                     error_codes[k] = Integer.parseInt(errorCode);
+                 } else
+@@ -782,16 +773,13 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                     if (auditInfoCertValue != null) {
+                         if (!(auditInfoCertValue.equals(
+                                 ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+-                            // store a message in the signed audit log file
+-                            auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CERT_REQUEST_PROCESSED,
++
++                            audit(new CertRequestProcessedEvent(
+                                     auditSubjectID,
+                                     ILogger.SUCCESS,
+                                     auditRequesterID,
+                                     ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                    auditInfoCertValue);
+-
+-                            audit(auditMessage);
++                                    auditInfoCertValue));
+                         }
+                     }
+                 } catch (ERejectException e) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
+index 9d0da48..2bcc8ad 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
+@@ -50,6 +50,7 @@ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.CertRequestProcessedEvent;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+@@ -463,37 +464,31 @@ public class ProcessCertReq extends CMSServlet {
+                         audit(auditMessage);
+                     } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+                         // (manual "agent" cert request processed - "accepted")
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CERT_REQUEST_PROCESSED,
++
++                        audit(new CertRequestProcessedEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+                                     auditInfoName,
+-                                    ILogger.SIGNED_AUDIT_EMPTY_VALUE);
++                                    ILogger.SIGNED_AUDIT_EMPTY_VALUE));
+ 
+-                        audit(auditMessage);
+                     } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+                         // (manual "agent" cert request processed - "cancelled")
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CERT_REQUEST_PROCESSED,
++                        audit(new CertRequestProcessedEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+                                     auditInfoName,
+-                                    SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[0]);
++                                    SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[0]));
+ 
+-                        audit(auditMessage);
+                     } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+                         // (manual "agent" cert request processed - "rejected")
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CERT_REQUEST_PROCESSED,
++                        audit(new CertRequestProcessedEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+                                     auditInfoName,
+-                                    SIGNED_AUDIT_MANUAL_REJECTION_REASON[0]);
+-
+-                        audit(auditMessage);
++                                    SIGNED_AUDIT_MANUAL_REJECTION_REASON[0]));
+                     }
+ 
+                     return;
+@@ -935,15 +930,12 @@ public class ProcessCertReq extends CMSServlet {
+                                 // store a message in the signed audit log file
+                                 // (one for each manual "agent"
+                                 //  cert request processed - "accepted")
+-                                auditMessage = CMS.getLogMessage(
+-                                            AuditEvent.CERT_REQUEST_PROCESSED,
++                                audit(new CertRequestProcessedEvent(
+                                             auditSubjectID,
+                                             ILogger.SUCCESS,
+                                             auditRequesterID,
+                                             auditInfoName,
+-                                            auditInfoCertValue(issuedCerts[i]));
+-
+-                                audit(auditMessage);
++                                            auditInfoCertValue(issuedCerts[i])));
+                             }
+                             header.addStringValue(
+                                     "serialNumber", sbuf.toString());
+@@ -979,15 +971,12 @@ public class ProcessCertReq extends CMSServlet {
+                             // store a message in the signed audit log file
+                             // (manual "agent" cert request processed
+                             //  - "accepted")
+-                            auditMessage = CMS.getLogMessage(
+-                                        AuditEvent.CERT_REQUEST_PROCESSED,
++                            audit(new CertRequestProcessedEvent(
+                                         auditSubjectID,
+                                         ILogger.SUCCESS,
+                                         auditRequesterID,
+                                         auditInfoName,
+-                                        ILogger.SIGNED_AUDIT_EMPTY_VALUE);
+-
+-                            audit(auditMessage);
++                                        ILogger.SIGNED_AUDIT_EMPTY_VALUE));
+                         }
+ 
+                         // grant trusted manager or agent privileges
+@@ -1104,15 +1093,12 @@ public class ProcessCertReq extends CMSServlet {
+ 
+                     // store a message in the signed audit log file
+                     // (manual "agent" cert request processed - "rejected")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                SIGNED_AUDIT_MANUAL_REJECTION_REASON[1]);
+-
+-                    audit(auditMessage);
++                                SIGNED_AUDIT_MANUAL_REJECTION_REASON[1]));
+ 
+                 } else if (toDo.equals("cancel")) {
+                     mQueue.cancelRequest(r);
+@@ -1166,15 +1152,12 @@ public class ProcessCertReq extends CMSServlet {
+ 
+                     // store a message in the signed audit log file
+                     // (manual "agent" cert request processed - "cancelled")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[1]);
+-
+-                    audit(auditMessage);
++                                SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[1]));
+ 
+                 } else if (toDo.equals("clone")) {
+                     IRequest clonedRequest = mQueue.cloneAndMarkPending(r);
+@@ -1277,37 +1260,30 @@ public class ProcessCertReq extends CMSServlet {
+                     audit(auditMessage);
+                 } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+                     // (manual "agent" cert request processed - "accepted")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                ILogger.SIGNED_AUDIT_EMPTY_VALUE);
++                                ILogger.SIGNED_AUDIT_EMPTY_VALUE));
+ 
+-                    audit(auditMessage);
+                 } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+                     // (manual "agent" cert request processed - "cancelled")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[2]);
++                                SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[2]));
+ 
+-                    audit(auditMessage);
+                 } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+                     // (manual "agent" cert request processed - "rejected")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                SIGNED_AUDIT_MANUAL_REJECTION_REASON[2]);
+-
+-                    audit(auditMessage);
++                                SIGNED_AUDIT_MANUAL_REJECTION_REASON[2]));
+                 }
+             }
+ 
+@@ -1330,37 +1306,30 @@ public class ProcessCertReq extends CMSServlet {
+                     audit(auditMessage);
+                 } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+                     // (manual "agent" cert request processed - "accepted")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                ILogger.SIGNED_AUDIT_EMPTY_VALUE);
++                                ILogger.SIGNED_AUDIT_EMPTY_VALUE));
+ 
+-                    audit(auditMessage);
+                 } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+                     // (manual "agent" cert request processed - "cancelled")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[3]);
++                                SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[3]));
+ 
+-                    audit(auditMessage);
+                 } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+                     // (manual "agent" cert request processed - "rejected")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                SIGNED_AUDIT_MANUAL_REJECTION_REASON[3]);
+-
+-                    audit(auditMessage);
++                                SIGNED_AUDIT_MANUAL_REJECTION_REASON[3]));
+                 }
+             }
+ 
+@@ -1384,37 +1353,30 @@ public class ProcessCertReq extends CMSServlet {
+                     audit(auditMessage);
+                 } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+                     // (manual "agent" cert request processed - "accepted")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                ILogger.SIGNED_AUDIT_EMPTY_VALUE);
++                                ILogger.SIGNED_AUDIT_EMPTY_VALUE));
+ 
+-                    audit(auditMessage);
+                 } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+                     // (manual "agent" cert request processed - "cancelled")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[4]);
++                                SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[4]));
+ 
+-                    audit(auditMessage);
+                 } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+                     // (manual "agent" cert request processed - "rejected")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                SIGNED_AUDIT_MANUAL_REJECTION_REASON[4]);
+-
+-                    audit(auditMessage);
++                                SIGNED_AUDIT_MANUAL_REJECTION_REASON[4]));
+                 }
+             }
+ 
+@@ -1438,37 +1400,30 @@ public class ProcessCertReq extends CMSServlet {
+                     audit(auditMessage);
+                 } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
+                     // (manual "agent" cert request processed - "accepted")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                ILogger.SIGNED_AUDIT_EMPTY_VALUE);
++                                ILogger.SIGNED_AUDIT_EMPTY_VALUE));
+ 
+-                    audit(auditMessage);
+                 } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
+                     // (manual "agent" cert request processed - "cancelled")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[5]);
++                                SIGNED_AUDIT_MANUAL_CANCELLATION_REASON[5]));
+ 
+-                    audit(auditMessage);
+                 } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
+                     // (manual "agent" cert request processed - "rejected")
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_REQUEST_PROCESSED,
++                    audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditInfoName,
+-                                SIGNED_AUDIT_MANUAL_REJECTION_REASON[5]);
+-
+-                    audit(auditMessage);
++                                SIGNED_AUDIT_MANUAL_REJECTION_REASON[5]));
+                 }
+             }
+ 
+-- 
+1.8.3.1
+
+
+From f902b0365f2cf92f14f0a814394cd025669b3ea8 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Mon, 24 Apr 2017 20:35:50 +0200
+Subject: [PATCH 31/49] Updated debug logs in SystemConfigService.
+
+Change-Id: Id73bd6d3c0874c327bc27260318a2c671f0f0177
+---
+ .../src/org/dogtagpki/server/rest/SystemConfigService.java    | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+index 27a6817..afbb24a 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+@@ -1008,18 +1008,25 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
+ 
+         if (!CryptoUtil.isInternalToken(token)) {
+             try {
++                CMS.debug("Logging into token " + token);
+                 CryptoToken ctoken = CryptoUtil.getKeyStorageToken(token);
+                 String tokenpwd = data.getTokenPassword();
+                 ConfigurationUtils.loginToken(ctoken, tokenpwd);
++
+             } catch (NotInitializedException e) {
++                CMS.debug(e);
+                 throw new PKIException("Token is not initialized", e);
++
+             } catch (NoSuchTokenException e) {
+-                throw new BadRequestException("Invalid Token provided. No such token.", e);
++                CMS.debug(e);
++                throw new BadRequestException("No such key storage token: " + token, e);
++
+             } catch (TokenException e) {
+                 CMS.debug(e);
+                 throw new PKIException("Token Exception: " + e, e);
++
+             } catch (IncorrectPasswordException e) {
+-                throw new BadRequestException("Incorrect Password provided for token.", e);
++                throw new BadRequestException("Incorrect password for token " + token, e);
+             }
+         }
+     }
+-- 
+1.8.3.1
+
+
+From 993a55fb4c883b3ca7ea0e64e24f4501909a571c Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 21 Apr 2017 05:37:05 +0200
+Subject: [PATCH 32/49] Added ConfigSignedAuditEvent.
+
+A new SignedAuditConfigRoleEvent class of has been added to
+encapsulate the CONFIG_SIGNED_AUDIT events.
+
+https://pagure.io/dogtagpki/issue/2641
+
+Change-Id: I95b897fa0bb73007a7cec009c43ade4cc860f0cd
+---
+ .../logging/event/ConfigSignedAuditEvent.java      |  39 +++
+ .../cms/servlet/admin/LogAdminServlet.java         | 381 ++++++++-------------
+ .../org/dogtagpki/server/rest/AuditService.java    |   9 +-
+ 3 files changed, 185 insertions(+), 244 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ConfigSignedAuditEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigSignedAuditEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigSignedAuditEvent.java
 new file mode 100644
-index 0000000..79d4965
+index 0000000..32de443
 --- /dev/null
-+++ b/base/server/upgrade/10.3.5/01-FixServerLibrary
-@@ -0,0 +1,46 @@
-+#!/usr/bin/python
-+# Authors:
-+#     Endi S. Dewata <edewata@redhat.com>
-+#
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation; version 2 of the License.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License along
-+# with this program; if not, write to the Free Software Foundation, Inc.,
-+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Copyright (C) 2016 Red Hat, Inc.
-+# All rights reserved.
++++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigSignedAuditEvent.java
+@@ -0,0 +1,39 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class ConfigSignedAuditEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public ConfigSignedAuditEvent(
++            String subjectID,
++            String outcome,
++            String params) {
++
++        super(CONFIG_SIGNED_AUDIT);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                params
++        });
++    }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
+index c424520..1641f27 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
+@@ -44,6 +44,7 @@ import com.netscape.certsrv.logging.ILogEventListener;
+ import com.netscape.certsrv.logging.ILogSubsystem;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.LogPlugin;
++import com.netscape.certsrv.logging.event.ConfigSignedAuditEvent;
+ 
+ /**
+  * A class representings an administration servlet for logging
+@@ -414,7 +415,7 @@ public class LogAdminServlet extends AdminServlet {
+     private synchronized void addLogPlugin(HttpServletRequest req,
+             HttpServletResponse resp, String scope)
+             throws ServletException, IOException, EBaseException {
+-        String auditMessage = null;
++
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -435,13 +436,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -454,13 +453,11 @@ public class LogAdminServlet extends AdminServlet {
+             if (mSys.getLogPlugins().containsKey(id)) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -475,13 +472,11 @@ public class LogAdminServlet extends AdminServlet {
+             if (classPath == null) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -504,13 +499,11 @@ public class LogAdminServlet extends AdminServlet {
+             } catch (ClassNotFoundException e) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -520,13 +513,11 @@ public class LogAdminServlet extends AdminServlet {
+             } catch (IllegalArgumentException e) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -540,13 +531,11 @@ public class LogAdminServlet extends AdminServlet {
+                 if (ILogEventListener.class.isAssignableFrom(newImpl) == false) {
+                     // store a message in the signed audit log file
+                     if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                        audit(new ConfigSignedAuditEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+-                                    auditParams(req));
+-
+-                        audit(auditMessage);
++                                    auditParams(req)));
+                     }
+ 
+                     sendResponse(ERROR,
+@@ -557,13 +546,11 @@ public class LogAdminServlet extends AdminServlet {
+             } catch (NullPointerException e) { // unlikely, only if newImpl null.
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -584,13 +571,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
 +
-+from __future__ import absolute_import
-+import os.path
-+import shutil
-+import pki.server.upgrade
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -608,13 +593,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                audit(new ConfigSignedAuditEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+             }
+ 
+             sendResponse(SUCCESS, null, params, resp);
+@@ -632,14 +615,11 @@ public class LogAdminServlet extends AdminServlet {
+             //     // rethrow the specific exception to be handled later
+             //     throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_SIGNED_AUDIT,
++
++            audit(new ConfigSignedAuditEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -686,7 +666,7 @@ public class LogAdminServlet extends AdminServlet {
+     private synchronized void addLogInst(HttpServletRequest req,
+             HttpServletResponse resp, String scope)
+             throws ServletException, IOException, EBaseException {
+-        String auditMessage = null;
++
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -705,13 +685,11 @@ public class LogAdminServlet extends AdminServlet {
+             if (id == null) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -723,13 +701,11 @@ public class LogAdminServlet extends AdminServlet {
+             if (!isValidID(id)) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR, "Invalid ID '" + id + "'",
+@@ -740,13 +716,11 @@ public class LogAdminServlet extends AdminServlet {
+             if (mSys.getLogInsts().containsKey(id)) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -762,13 +736,11 @@ public class LogAdminServlet extends AdminServlet {
+             if (implname == null) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -785,13 +757,11 @@ public class LogAdminServlet extends AdminServlet {
+             if (plugin == null) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(
+@@ -845,13 +815,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
 +
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -864,13 +832,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
 +
-+class FixServerLibrary(pki.server.upgrade.PKIServerUpgradeScriptlet):
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -883,13 +849,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
 +
-+    def __init__(self):
-+        super(FixServerLibrary, self).__init__()
-+        self.message = 'Fix server library'
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -908,13 +872,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR, e.toString(getLocale(req)), null, resp);
+@@ -924,13 +886,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR, e.toString(), null, resp);
+@@ -946,13 +906,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -970,13 +928,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                audit(new ConfigSignedAuditEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+             }
+ 
+             sendResponse(SUCCESS, null, params, resp);
+@@ -994,14 +950,11 @@ public class LogAdminServlet extends AdminServlet {
+             //     // rethrow the specific exception to be handled later
+             //     throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_SIGNED_AUDIT,
++
++            audit(new ConfigSignedAuditEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -1077,7 +1030,7 @@ public class LogAdminServlet extends AdminServlet {
+     private synchronized void delLogInst(HttpServletRequest req,
+             HttpServletResponse resp, String scope)
+             throws ServletException, IOException, EBaseException {
+-        String auditMessage = null;
++
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -1099,13 +1052,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -1118,13 +1069,11 @@ public class LogAdminServlet extends AdminServlet {
+             if (mSys.getLogInsts().containsKey(id) == false) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -1154,13 +1103,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -1171,13 +1118,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                audit(new ConfigSignedAuditEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+             }
+ 
+             sendResponse(SUCCESS, null, params, resp);
+@@ -1195,14 +1140,11 @@ public class LogAdminServlet extends AdminServlet {
+             //     // rethrow the specific exception to be handled later
+             //     throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_SIGNED_AUDIT,
++
++            audit(new ConfigSignedAuditEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -1239,7 +1181,7 @@ public class LogAdminServlet extends AdminServlet {
+     private synchronized void delLogPlugin(HttpServletRequest req,
+             HttpServletResponse resp, String scope)
+             throws ServletException, IOException, EBaseException {
+-        String auditMessage = null;
++
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -1261,13 +1203,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -1279,13 +1219,11 @@ public class LogAdminServlet extends AdminServlet {
+             if (mSys.getLogPlugins().containsKey(id) == false) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -1304,13 +1242,11 @@ public class LogAdminServlet extends AdminServlet {
+                 if (getLogPluginName(log) == id) {
+                     // store a message in the signed audit log file
+                     if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                        audit(new ConfigSignedAuditEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+-                                    auditParams(req));
+-
+-                        audit(auditMessage);
++                                    auditParams(req)));
+                     }
+ 
+                     sendResponse(ERROR,
+@@ -1335,13 +1271,11 @@ public class LogAdminServlet extends AdminServlet {
+             } catch (EBaseException e) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -1352,13 +1286,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                audit(new ConfigSignedAuditEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+             }
+ 
+             sendResponse(SUCCESS, null, params, resp);
+@@ -1376,14 +1308,11 @@ public class LogAdminServlet extends AdminServlet {
+             //     // rethrow the specific exception to be handled later
+             //     throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_SIGNED_AUDIT,
++
++            audit(new ConfigSignedAuditEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -1468,13 +1397,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -1487,13 +1414,11 @@ public class LogAdminServlet extends AdminServlet {
+             if (!mSys.getLogInsts().containsKey(id)) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -1508,13 +1433,11 @@ public class LogAdminServlet extends AdminServlet {
+             if (implname == null) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -1530,13 +1453,11 @@ public class LogAdminServlet extends AdminServlet {
+             if (plugin == null) {
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(
+@@ -1682,13 +1603,11 @@ public class LogAdminServlet extends AdminServlet {
+                                     // store a message in the signed audit log
+                                     // file
+                                     if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                                        auditMessage = CMS.getLogMessage(
+-                                                    AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                                        audit(new ConfigSignedAuditEvent(
+                                                     auditSubjectID,
+                                                     ILogger.FAILURE,
+-                                                    auditParams(req));
+-
+-                                        audit(auditMessage);
++                                                    auditParams(req)));
+                                     }
+ 
+                                     sendResponse(ERROR,
+@@ -1797,13 +1716,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -1848,13 +1765,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -1899,13 +1814,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -1958,13 +1871,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+                 // store a message in the signed audit log file
+                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                    audit(new ConfigSignedAuditEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                    audit(auditMessage);
++                                auditParams(req)));
+                 }
+ 
+                 sendResponse(ERROR,
+@@ -2017,13 +1928,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                audit(new ConfigSignedAuditEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+             }
+ 
+             sendResponse(RESTART, null, params, resp);
+@@ -2063,13 +1972,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                audit(new ConfigSignedAuditEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+             }
+ 
+             // rethrow the specific exception to be handled later
+@@ -2109,13 +2016,11 @@ public class LogAdminServlet extends AdminServlet {
+ 
+             // store a message in the signed audit log file
+             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_SIGNED_AUDIT,
++
++                audit(new ConfigSignedAuditEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+             }
+ 
+             // rethrow the specific exception to be handled later
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+index 2d5b371..7c29651 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+@@ -49,11 +49,11 @@ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.PKIException;
+ import com.netscape.certsrv.base.ResourceNotFoundException;
+ import com.netscape.certsrv.logging.AuditConfig;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFile;
+ import com.netscape.certsrv.logging.AuditFileCollection;
+ import com.netscape.certsrv.logging.AuditResource;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.ConfigSignedAuditEvent;
+ import com.netscape.cms.servlet.base.SubsystemService;
+ 
+ /**
+@@ -412,12 +412,9 @@ public class AuditService extends SubsystemService implements AuditResource {
+      */
+     public void auditTPSConfigSignedAudit(String status, Map<String, String> params) {
+ 
+-        String msg = CMS.getLogMessage(
+-                AuditEvent.CONFIG_SIGNED_AUDIT,
++        auditor.log(new ConfigSignedAuditEvent(
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+-                auditor.getParamString(null, params));
+-        auditor.log(msg);
+-
++                auditor.getParamString(null, params)));
+     }
+ }
+-- 
+1.8.3.1
+
+
+From 36a606e4b51de17c56da0f9ee4daab062ec4acf3 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 19 Apr 2017 23:23:39 +0200
+Subject: [PATCH 33/49] Added CertRequestProcessedEvent constructor for
+ X509CertImpl.
+
+A new CertRequestProcessedEvent constructor has been added to
+encapsulate CERT_REQUEST_PROCESSED events that take an X509CertImpl
+object.
+
+Copies of auditInfoCertValue() method in various classes have been
+combined and moved into CertRequestProcessedEvent.
+
+https://pagure.io/dogtagpki/issue/2636
+
+Change-Id: Ie234bdb9f1b52399dad4bd1e20f57dcb99d86091
+---
+ .../logging/event/CertRequestProcessedEvent.java   | 71 ++++++++++++++++++++++
+ .../netscape/cms/servlet/cert/CertProcessor.java   |  5 +-
+ .../netscape/cms/servlet/cert/EnrollServlet.java   | 61 +------------------
+ .../cms/servlet/cert/RequestProcessor.java         |  2 +-
+ .../cms/servlet/connector/ConnectorServlet.java    | 65 ++------------------
+ .../cms/servlet/processors/CAProcessor.java        | 54 ----------------
+ .../servlet/profile/ProfileSubmitCMCServlet.java   | 64 ++-----------------
+ .../cms/servlet/request/ProcessCertReq.java        | 56 +----------------
+ 8 files changed, 91 insertions(+), 287 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
+index 1703f65..3e5041d 100644
+--- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
+@@ -17,7 +17,13 @@
+ // --- END COPYRIGHT BLOCK ---
+ package com.netscape.certsrv.logging.event;
+ 
++import java.security.cert.CertificateEncodingException;
++
+ import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++import com.netscape.cmsutil.util.Utils;
++
++import netscape.security.x509.X509CertImpl;
+ 
+ public class CertRequestProcessedEvent extends AuditEvent {
+ 
+@@ -40,4 +46,69 @@ public class CertRequestProcessedEvent extends AuditEvent {
+                 infoValue
+         });
+     }
++
++    public CertRequestProcessedEvent(
++            String subjectID,
++            String outcome,
++            String requesterID,
++            String infoName,
++            X509CertImpl x509cert) {
++
++        super(CERT_REQUEST_PROCESSED);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                requesterID,
++                infoName,
++                auditInfoCertValue(x509cert)
++        });
++    }
++
++    /**
++     * Signed Audit Log Info Certificate Value
++     *
++     * This method is called to obtain the certificate from the passed in
++     * "X509CertImpl" for a signed audit log message.
++     * <P>
++     *
++     * @param x509cert an X509CertImpl
++     * @return cert string containing the certificate
++     */
++    public static String auditInfoCertValue(X509CertImpl x509cert) {
++
++        if (x509cert == null) {
++            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
++        }
++
++        byte rawData[] = null;
++
++        try {
++            rawData = x509cert.getEncoded();
++        } catch (CertificateEncodingException e) {
++            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
++        }
 +
-+    def upgrade_instance(self, instance):
++        String cert = null;
 +
-+        common_dir = os.path.join(instance.base_dir, 'common')
++        // convert "rawData" into "base64Data"
++        if (rawData != null) {
++            String base64Data = Utils.base64encode(rawData).trim();
 +
-+        # if <instance>/common is already a link, skip
-+        if os.path.islink(common_dir):
-+            return
++            // concatenate lines
++            cert = base64Data.replace("\r", "").replace("\n", "");
++        }
 +
-+        # remove old <instance>/common
-+        shutil.rmtree(common_dir)
++        if (cert != null) {
++            cert = cert.trim();
 +
-+        # link <instance>/common to /usr/share/pki/server/common
-+        os.symlink('/usr/share/pki/server/common', common_dir)
-+        os.lchown(common_dir, instance.uid, instance.gid)
++            if (cert.equals("")) {
++                return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
++            } else {
++                return cert;
++            }
++        } else {
++            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
++        }
++    }
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+index 2a60cb0..d25d817 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+@@ -246,8 +246,9 @@ public class CertProcessor extends CAProcessor {
+                 req.setRequestStatus(RequestStatus.COMPLETE);
+ 
+                 X509CertImpl x509cert = req.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+-                String auditInfoCertValue = auditInfoCertValue(x509cert);
++                String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert);
+ 
++                // TODO: simplify this condition
+                 if (auditInfoCertValue != null) {
+                     if (!(auditInfoCertValue.equals(
+                             ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+@@ -257,7 +258,7 @@ public class CertProcessor extends CAProcessor {
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+                                 ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                auditInfoCertValue));
++                                x509cert));
+                     }
+                 }
+             } catch (EDeferException e) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
+index cb2b76f..43df5b6 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
+@@ -19,7 +19,6 @@ package com.netscape.cms.servlet.cert;
+ 
+ import java.io.IOException;
+ import java.math.BigInteger;
+-import java.security.cert.CertificateEncodingException;
+ import java.security.cert.CertificateException;
+ import java.security.cert.CertificateParsingException;
+ import java.security.cert.X509Certificate;
+@@ -69,7 +68,6 @@ import com.netscape.cms.servlet.processors.CRMFProcessor;
+ import com.netscape.cms.servlet.processors.KeyGenProcessor;
+ import com.netscape.cms.servlet.processors.PKCS10Processor;
+ import com.netscape.cms.servlet.processors.PKIProcessor;
+-import com.netscape.cmsutil.util.Utils;
+ 
+ import netscape.security.pkcs.PKCS10;
+ import netscape.security.x509.AlgorithmId;
+@@ -1374,7 +1372,7 @@ public class EnrollServlet extends CMSServlet {
+                                     ILogger.SUCCESS,
+                                     auditRequesterID,
+                                     ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                    auditInfoCertValue(issuedCerts[i])));
++                                    issuedCerts[i]));
+                     }
+                 } catch (IOException ex) {
+                     cmsReq.setStatus(ICMSRequest.ERROR);
+@@ -1455,7 +1453,7 @@ public class EnrollServlet extends CMSServlet {
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+                                 ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                auditInfoCertValue(issuedCerts[i])));
++                                issuedCerts[i]));
+                 }
+ 
+                 return;
+@@ -1475,7 +1473,7 @@ public class EnrollServlet extends CMSServlet {
+                                 ILogger.SUCCESS,
+                                 auditRequesterID,
+                                 ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                auditInfoCertValue(issuedCerts[i])));
++                                issuedCerts[i]));
+                 }
+             } catch (IOException e) {
+                 log(ILogger.LL_FAILURE,
+@@ -1674,57 +1672,4 @@ public class EnrollServlet extends CMSServlet {
+             throws EBaseException {
+         mIsTestBed = config.getBoolean("isTestBed", true);
+     }
+-
+-    /**
+-     * Signed Audit Log Info Certificate Value
+-     *
+-     * This method is called to obtain the certificate from the passed in
+-     * "X509CertImpl" for a signed audit log message.
+-     * <P>
+-     *
+-     * @param x509cert an X509CertImpl
+-     * @return cert string containing the certificate
+-     */
+-    private String auditInfoCertValue(X509CertImpl x509cert) {
+-        // if no signed audit object exists, bail
+-        if (mSignedAuditLogger == null) {
+-            return null;
+-        }
+-
+-        if (x509cert == null) {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-
+-        byte rawData[] = null;
+-
+-        try {
+-            rawData = x509cert.getEncoded();
+-        } catch (CertificateEncodingException e) {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-
+-        String cert = null;
+-
+-        // convert "rawData" into "base64Data"
+-        if (rawData != null) {
+-            String base64Data = null;
+-
+-            base64Data = Utils.base64encode(rawData).trim();
+-
+-            // concatenate lines
+-            cert = base64Data.replace("\r", "").replace("\n", "");
+-        }
+-
+-        if (cert != null) {
+-            cert = cert.trim();
+-
+-            if (cert.equals("")) {
+-                return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-            } else {
+-                return cert;
+-            }
+-        } else {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-    }
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+index 66fe58c..b66aec2 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+@@ -392,7 +392,7 @@ public class RequestProcessor extends CertProcessor {
+                     ILogger.SUCCESS,
+                     auditRequesterID,
+                     ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                    auditInfoCertValue(theCert)));
++                    theCert));
+ 
+         } catch (EProfileException eAudit1) {
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+index ee60187..b5ccdd2 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+@@ -25,7 +25,6 @@ import java.io.InputStreamReader;
+ import java.io.OutputStream;
+ import java.io.OutputStreamWriter;
+ import java.security.cert.Certificate;
+-import java.security.cert.CertificateEncodingException;
+ import java.security.cert.CertificateException;
+ import java.security.cert.X509Certificate;
+ import java.util.Enumeration;
+@@ -62,7 +61,6 @@ import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.request.RequestStatus;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.common.CMSRequest;
+-import com.netscape.cmsutil.util.Utils;
+ 
+ import netscape.security.x509.CRLExtensions;
+ import netscape.security.x509.CRLReasonExtension;
+@@ -622,8 +620,9 @@ public class ConnectorServlet extends CMSServlet {
+                 if (isProfileRequest(thisreq)) {
+ 
+                     X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+-                    String auditInfoCertValue = auditInfoCertValue(x509cert);
++                    String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert);
+ 
++                    // TODO: simplify this condition
+                     if (auditInfoCertValue != null) {
+                         if (!(auditInfoCertValue.equals(
+                                    ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+@@ -633,7 +632,7 @@ public class ConnectorServlet extends CMSServlet {
+                                     ILogger.SUCCESS,
+                                     auditRequesterID,
+                                     ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                    auditInfoCertValue));
++                                    x509cert));
+                         }
+                     }
+                 }
+@@ -641,8 +640,9 @@ public class ConnectorServlet extends CMSServlet {
+                 if (isProfileRequest(thisreq)) {
+ 
+                     X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+-                    String auditInfoCertValue = auditInfoCertValue(x509cert);
++                    String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert);
+ 
++                    // TODO: simplify this condition
+                     if (auditInfoCertValue != null) {
+                         if (!(auditInfoCertValue.equals(
+                                    ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+@@ -652,7 +652,7 @@ public class ConnectorServlet extends CMSServlet {
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+                                     ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                    auditInfoCertValue));
++                                    x509cert));
+                         }
+                     }
+                 }
+@@ -1054,57 +1054,4 @@ public class ConnectorServlet extends CMSServlet {
+ 
+         return profileID;
+     }
+-
+-    /**
+-     * Signed Audit Log Info Certificate Value
+-     *
+-     * This method is called to obtain the certificate from the passed in
+-     * "X509CertImpl" for a signed audit log message.
+-     * <P>
+-     *
+-     * @param x509cert an X509CertImpl
+-     * @return cert string containing the certificate
+-     */
+-    private String auditInfoCertValue(X509CertImpl x509cert) {
+-        // if no signed audit object exists, bail
+-        if (mSignedAuditLogger == null) {
+-            return null;
+-        }
+-
+-        if (x509cert == null) {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-
+-        byte rawData[] = null;
+-
+-        try {
+-            rawData = x509cert.getEncoded();
+-        } catch (CertificateEncodingException e) {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-
+-        String cert = null;
+-
+-        // convert "rawData" into "base64Data"
+-        if (rawData != null) {
+-            String base64Data = null;
+-
+-            base64Data = Utils.base64encode(rawData).trim();
+-
+-            // concatenate lines
+-            cert = base64Data.replace("\r", "").replace("\n", "");
+-        }
+-
+-        if (cert != null) {
+-            cert = cert.trim();
+-
+-            if (cert.equals("")) {
+-                return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-            } else {
+-                return cert;
+-            }
+-        } else {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-    }
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index 74f501f..25f7bb3 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -71,7 +71,6 @@ import com.netscape.certsrv.util.IStatsSubsystem;
+ import com.netscape.cms.servlet.common.AuthCredentials;
+ import com.netscape.cms.servlet.common.CMSGateway;
+ import com.netscape.cms.servlet.common.ServletUtils;
+-import com.netscape.cmsutil.util.Utils;
+ 
+ import netscape.security.x509.X509CertImpl;
+ 
+@@ -1040,59 +1039,6 @@ public class CAProcessor extends Processor {
+     }
+ 
+     /**
+-     * Signed Audit Log Info Certificate Value
+-     *
+-     * This method is called to obtain the certificate from the passed in
+-     * "X509CertImpl" for a signed audit log message.
+-     * <P>
+-     *
+-     * @param x509cert an X509CertImpl
+-     * @return cert string containing the certificate
+-     */
+-    protected String auditInfoCertValue(X509CertImpl x509cert) {
+-        // if no signed audit object exists, bail
+-        if (signedAuditLogger == null) {
+-            return null;
+-        }
+-
+-        if (x509cert == null) {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-
+-        byte rawData[] = null;
+-
+-        try {
+-            rawData = x509cert.getEncoded();
+-        } catch (CertificateEncodingException e) {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-
+-        String cert = null;
+-
+-        // convert "rawData" into "base64Data"
+-        if (rawData != null) {
+-            String base64Data = null;
+-
+-            base64Data = Utils.base64encode(rawData).trim();
+-
+-            // concatenate lines
+-            cert = base64Data.replace("\r", "").replace("\n", "");
+-        }
+-
+-        if (cert != null) {
+-            cert = cert.trim();
+-
+-            if (cert.equals("")) {
+-                return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-            } else {
+-                return cert;
+-            }
+-        } else {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-    }
+-
+-    /**
+      * Signed Audit Groups
+      *
+      * This method is called to extract all "groups" associated
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index 28f777b..26ca2a4 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -19,7 +19,6 @@ package com.netscape.cms.servlet.profile;
+ 
+ import java.io.InputStream;
+ import java.io.OutputStream;
+-import java.security.cert.CertificateEncodingException;
+ import java.util.Enumeration;
+ import java.util.Locale;
+ 
+@@ -671,8 +670,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                     reqs[k].setRequestStatus(RequestStatus.COMPLETE);
+ 
+                     X509CertImpl x509cert = reqs[k].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+-                    String auditInfoCertValue = auditInfoCertValue(x509cert);
++                    String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert);
+ 
++                    // TODO: simplify this condition
+                     if (auditInfoCertValue != null) {
+                         if (!(auditInfoCertValue.equals(
+                                     ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+@@ -682,7 +682,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                                         ILogger.SUCCESS,
+                                         auditRequesterID,
+                                         ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                        auditInfoCertValue));
++                                        x509cert));
+                         }
+                     }
+                 } catch (EDeferException e) {
+@@ -768,8 +768,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                     CMS.debug("ProfileSubmitCMCServlet: provedReq set to complete");
+ 
+                     X509CertImpl x509cert = reqs[0].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+-                    String auditInfoCertValue = auditInfoCertValue(x509cert);
++                    String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert);
+ 
++                    // TODO: simplify this condition
+                     if (auditInfoCertValue != null) {
+                         if (!(auditInfoCertValue.equals(
+                                 ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+@@ -779,7 +780,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                                     ILogger.SUCCESS,
+                                     auditRequesterID,
+                                     ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                    auditInfoCertValue));
++                                    x509cert));
+                         }
+                     }
+                 } catch (ERejectException e) {
+@@ -875,57 +876,4 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+ 
+         return requesterID;
+     }
+-
+-    /**
+-     * Signed Audit Log Info Certificate Value
+-     *
+-     * This method is called to obtain the certificate from the passed in
+-     * "X509CertImpl" for a signed audit log message.
+-     * <P>
+-     *
+-     * @param x509cert an X509CertImpl
+-     * @return cert string containing the certificate
+-     */
+-    private String auditInfoCertValue(X509CertImpl x509cert) {
+-        // if no signed audit object exists, bail
+-        if (mSignedAuditLogger == null) {
+-            return null;
+-        }
+-
+-        if (x509cert == null) {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-
+-        byte rawData[] = null;
+-
+-        try {
+-            rawData = x509cert.getEncoded();
+-        } catch (CertificateEncodingException e) {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-
+-        String cert = null;
+-
+-        // convert "rawData" into "base64Data"
+-        if (rawData != null) {
+-            String base64Data = null;
+-
+-            base64Data = Utils.base64encode(rawData).trim();
+-
+-            // concatenate lines
+-            cert = base64Data.replace("\r", "").replace("\n", "");
+-        }
+-
+-        if (cert != null) {
+-            cert = cert.trim();
+-
+-            if (cert.equals("")) {
+-                return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-            } else {
+-                return cert;
+-            }
+-        } else {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-    }
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
+index 2bcc8ad..c229263 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
+@@ -21,7 +21,6 @@ import java.io.IOException;
+ import java.math.BigInteger;
+ import java.security.NoSuchAlgorithmException;
+ import java.security.cert.Certificate;
+-import java.security.cert.CertificateEncodingException;
+ import java.security.cert.CertificateException;
+ import java.util.Date;
+ import java.util.Enumeration;
+@@ -935,7 +934,7 @@ public class ProcessCertReq extends CMSServlet {
+                                             ILogger.SUCCESS,
+                                             auditRequesterID,
+                                             auditInfoName,
+-                                            auditInfoCertValue(issuedCerts[i])));
++                                            issuedCerts[i]));
+                             }
+                             header.addStringValue(
+                                     "serialNumber", sbuf.toString());
+@@ -1757,59 +1756,6 @@ public class ProcessCertReq extends CMSServlet {
+ 
+         return infoName;
+     }
+-
+-    /**
+-     * Signed Audit Log Info Certificate Value
+-     *
+-     * This method is called to obtain the certificate from the passed in
+-     * "X509CertImpl" for a signed audit log message.
+-     * <P>
+-     *
+-     * @param x509cert an X509CertImpl
+-     * @return cert string containing the certificate
+-     */
+-    private String auditInfoCertValue(X509CertImpl x509cert) {
+-        // if no signed audit object exists, bail
+-        if (mSignedAuditLogger == null) {
+-            return null;
+-        }
+-
+-        if (x509cert == null) {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-
+-        byte rawData[] = null;
+-
+-        try {
+-            rawData = x509cert.getEncoded();
+-        } catch (CertificateEncodingException e) {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-
+-        String cert = null;
+-
+-        // convert "rawData" into "base64Data"
+-        if (rawData != null) {
+-            String base64Data = null;
+-
+-            base64Data = Utils.base64encode(rawData).trim();
+-
+-            // concatenate lines
+-            cert = base64Data.replace("\r", "").replace("\n", "");
+-        }
+-
+-        if (cert != null) {
+-            cert = cert.trim();
+-
+-            if (cert.equals("")) {
+-                return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-            } else {
+-                return cert;
+-            }
+-        } else {
+-            return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-        }
+-    }
+ }
+ 
+ class RAReqCompletedFiller extends ImportCertsTemplateFiller {
 -- 
 1.8.3.1
 
 
-From ba1e18ba4c9c47930efa0cdfc46fe326f71d3cd4 Mon Sep 17 00:00:00 2001
+From 6f457f2c5e0df576f067b46a78b481eb5dc197e8 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 27 Jul 2016 19:51:37 +0200
-Subject: [PATCH 68/96] Fixed SELinux contexts.
+Date: Fri, 14 Apr 2017 01:46:36 +0200
+Subject: [PATCH 34/49] Added CertRequestProcessedEvent constructor for
+ IRequest.
+
+A new CertRequestProcessedEvent constructor has been added to
+encapsulate CERT_REQUEST_PROCESSED events that takes an IRequest
+object.
 
-The deployment tool has been modified to set up SELinux contexts
-after all instance files have been created to ensure they have the
-correct contexts.
+The auditInfoValue() method in CAProcessor has been moved into
+CertRequestProcessedEvent.
 
-An upgrade script has been added to fix existing instances.
+https://pagure.io/dogtagpki/issue/2636
 
-https://fedorahosted.org/pki/ticket/2421
+Change-Id: I892f1476835b45910fdc3e64bd9f6fc9e2f016fb
 ---
- base/server/etc/default.cfg                      |  2 +-
- base/server/python/pki/server/__init__.py        |  7 ++++-
- base/server/upgrade/10.3.5/02-FixSELinuxContexts | 36 ++++++++++++++++++++++++
- 3 files changed, 43 insertions(+), 2 deletions(-)
- create mode 100644 base/server/upgrade/10.3.5/02-FixSELinuxContexts
-
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index 3a7e005..24e4a43 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -39,10 +39,10 @@ spawn_scriplets=
-     infrastructure_layout
-     instance_layout
-     subsystem_layout
--    selinux_setup
-     webapp_deployment
-     slot_substitution
-     security_databases
-+    selinux_setup
-     configuration
-     finalization
+ .../logging/event/CertRequestProcessedEvent.java   | 53 ++++++++++++++++++++++
+ .../cms/servlet/cert/RequestProcessor.java         |  7 +--
+ .../cms/servlet/processors/CAProcessor.java        | 39 ----------------
+ 3 files changed, 55 insertions(+), 44 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
+index 3e5041d..777434b 100644
+--- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
+@@ -21,6 +21,7 @@ import java.security.cert.CertificateEncodingException;
+ 
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.request.IRequest;
+ import com.netscape.cmsutil.util.Utils;
  
-diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
-index 03bb225..13b3258 100644
---- a/base/server/python/pki/server/__init__.py
-+++ b/base/server/python/pki/server/__init__.py
-@@ -39,7 +39,10 @@ import pki.nssdb
- import pki.util
+ import netscape.security.x509.X509CertImpl;
+@@ -29,6 +30,8 @@ public class CertRequestProcessedEvent extends AuditEvent {
  
- INSTANCE_BASE_DIR = '/var/lib/pki'
-+CONFIG_BASE_DIR = '/etc/pki'
-+LOG_BASE_DIR = '/var/log/pki'
- REGISTRY_DIR = '/etc/sysconfig/pki'
-+
- SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps']
- SUBSYSTEM_CLASSES = {}
+     private static final long serialVersionUID = 1L;
  
-@@ -476,7 +479,9 @@ class PKIInstance(object):
-         else:
-             self.base_dir = os.path.join(pki.BASE_DIR, name)
++    public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = "requestNotes";
++
+     public CertRequestProcessedEvent(
+             String subjectID,
+             String outcome,
+@@ -65,6 +68,24 @@ public class CertRequestProcessedEvent extends AuditEvent {
+         });
+     }
  
--        self.conf_dir = os.path.join(self.base_dir, 'conf')
-+        self.conf_dir = os.path.join(CONFIG_BASE_DIR, name)
-+        self.log_dir = os.path.join(LOG_BASE_DIR, name)
++    public CertRequestProcessedEvent(
++            String subjectID,
++            String outcome,
++            String requesterID,
++            String infoName,
++            IRequest request) {
++
++        super(CERT_REQUEST_PROCESSED);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                requesterID,
++                infoName,
++                auditInfoValue(request)
++        });
++    }
 +
-         self.password_conf = os.path.join(self.conf_dir, 'password.conf')
-         self.external_certs_conf = os.path.join(
-             self.conf_dir, 'external_certs.conf')
-diff --git a/base/server/upgrade/10.3.5/02-FixSELinuxContexts b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
-new file mode 100644
-index 0000000..f3d981e
---- /dev/null
-+++ b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
-@@ -0,0 +1,36 @@
-+#!/usr/bin/python
-+# Authors:
-+#     Endi S. Dewata <edewata@redhat.com>
-+#
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation; version 2 of the License.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License along
-+# with this program; if not, write to the Free Software Foundation, Inc.,
-+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Copyright (C) 2016 Red Hat, Inc.
-+# All rights reserved.
+     /**
+      * Signed Audit Log Info Certificate Value
+      *
+@@ -111,4 +132,36 @@ public class CertRequestProcessedEvent extends AuditEvent {
+             return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+         }
+     }
 +
-+from __future__ import absolute_import
-+import selinux
-+import pki.server.upgrade
++    /**
++     * Signed Audit Log Info Value
++     *
++     * This method is called to obtain the "reason" for
++     * a signed audit log message.
++     * <P>
++     *
++     * @param request the actual request
++     * @return reason string containing the signed audit log message reason
++     */
++    String auditInfoValue(IRequest request) {
 +
++        String reason = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
 +
-+class FixSELinuxContexts(pki.server.upgrade.PKIServerUpgradeScriptlet):
++        if (request != null) {
++            // overwrite "reason" if and only if "info" != null
++            String info =
++                    request.getExtDataInString(SIGNED_AUDIT_CERT_REQUEST_REASON);
 +
-+    def __init__(self):
-+        super(FixSELinuxContexts, self).__init__()
-+        self.message = 'Fix SELinux contexts'
++            if (info != null) {
++                reason = info.trim();
 +
-+    def upgrade_instance(self, instance):
++                // overwrite "reason" if and only if "reason" is empty
++                if (reason.equals("")) {
++                    reason = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
++                }
++            }
++        }
 +
-+        selinux.restorecon(instance.base_dir, True)
-+        selinux.restorecon(instance.conf_dir, True)
-+        selinux.restorecon(instance.log_dir, True)
++        return reason;
++    }
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+index b66aec2..4494d2c 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+@@ -277,8 +277,6 @@ public class RequestProcessor extends CertProcessor {
+     private void cancelRequest(IRequest req) throws EProfileException {
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID(req);
+-        String auditInfoValue = auditInfoValue(req);
+-
+         req.setRequestStatus(RequestStatus.CANCELED);
+ 
+         audit(new CertRequestProcessedEvent(
+@@ -286,7 +284,7 @@ public class RequestProcessor extends CertProcessor {
+                 ILogger.SUCCESS,
+                 auditRequesterID,
+                 ILogger.SIGNED_AUDIT_CANCELLATION,
+-                auditInfoValue));
++                req));
+     }
+ 
+     /**
+@@ -308,7 +306,6 @@ public class RequestProcessor extends CertProcessor {
+     private void rejectRequest(IRequest req) throws EProfileException {
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID(req);
+-        String auditInfoValue = auditInfoValue(req);
+ 
+         req.setRequestStatus(RequestStatus.REJECTED);
+ 
+@@ -317,7 +314,7 @@ public class RequestProcessor extends CertProcessor {
+                 ILogger.SUCCESS,
+                 auditRequesterID,
+                 ILogger.SIGNED_AUDIT_REJECTION,
+-                auditInfoValue));
++                req));
+     }
+ 
+     /**
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index 25f7bb3..bc5b9b5 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -120,9 +120,6 @@ public class CAProcessor extends Processor {
+     public static final String ACL_INFO = "ACLinfo";
+     public static final String PROFILE_SUB_ID = "profileSubId";
+ 
+-    public final static String SIGNED_AUDIT_CERT_REQUEST_REASON =
+-            "requestNotes";
+-
+     protected String profileID;
+     protected String profileSubId;
+     protected String aclMethod;
+@@ -1003,42 +1000,6 @@ public class CAProcessor extends Processor {
+     }
+ 
+     /**
+-     * Signed Audit Log Info Value
+-     *
+-     * This method is called to obtain the "reason" for
+-     * a signed audit log message.
+-     * <P>
+-     *
+-     * @param request the actual request
+-     * @return reason string containing the signed audit log message reason
+-     */
+-    protected String auditInfoValue(IRequest request) {
+-        // if no signed audit object exists, bail
+-        if (signedAuditLogger == null) {
+-            return null;
+-        }
+-
+-        String reason = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-
+-        if (request != null) {
+-            // overwrite "reason" if and only if "info" != null
+-            String info =
+-                    request.getExtDataInString(SIGNED_AUDIT_CERT_REQUEST_REASON);
+-
+-            if (info != null) {
+-                reason = info.trim();
+-
+-                // overwrite "reason" if and only if "reason" is empty
+-                if (reason.equals("")) {
+-                    reason = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-                }
+-            }
+-        }
+-
+-        return reason;
+-    }
+-
+-    /**
+      * Signed Audit Groups
+      *
+      * This method is called to extract all "groups" associated
 -- 
 1.8.3.1
 
 
-From 0f6ddc442d2ac2c166126295dbce32f0c682e0fe Mon Sep 17 00:00:00 2001
-From: Ade Lee <alee@redhat.com>
-Date: Thu, 28 Jul 2016 10:36:50 +0100
-Subject: [PATCH 70/96] Re-license the python client files to LGPLv3
+From 8caedd6723f4885d4aff2348aa3d9fc850627aa1 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Tue, 7 Feb 2017 17:27:06 +1000
+Subject: [PATCH 35/49] LDAPProfileSubsystem: avoid duplicating logic in
+ superclass
 
+Part of: https://fedorahosted.org/pki/ticket/2588
+
+Change-Id: I1ac9a3d89c93832ef6b6b48b89138495ef4892fb
 ---
- base/common/LICENSE.LESSER             | 170 +++++++++++++++++++++++++++++++++
- base/common/python/pki/__init__.py     |  13 +--
- base/common/python/pki/account.py      |  13 +--
- base/common/python/pki/authority.py    |  13 +--
- base/common/python/pki/cert.py         |  13 +--
- base/common/python/pki/cli/__init__.py |  13 +--
- base/common/python/pki/cli/pkcs12.py   |  13 +--
- base/common/python/pki/client.py       |  13 +--
- base/common/python/pki/crypto.py       |  13 +--
- base/common/python/pki/encoder.py      |  17 ++++
- base/common/python/pki/feature.py      |  13 +--
- base/common/python/pki/key.py          |  13 +--
- base/common/python/pki/kra.py          |  13 +--
- base/common/python/pki/nssdb.py        |  13 +--
- base/common/python/pki/profile.py      |  13 +--
- base/common/python/pki/system.py       |  13 +--
- base/common/python/pki/systemcert.py   |  13 +--
- base/common/python/pki/upgrade.py      |  13 +--
- base/common/python/pki/util.py         |  13 +--
- base/common/python/setup.py            |  16 ++--
- 20 files changed, 314 insertions(+), 110 deletions(-)
- create mode 100644 base/common/LICENSE.LESSER
-
-diff --git a/base/common/LICENSE.LESSER b/base/common/LICENSE.LESSER
-new file mode 100644
-index 0000000..ca70b83
---- /dev/null
-+++ b/base/common/LICENSE.LESSER
-@@ -0,0 +1,170 @@
-+The Python client code is released under LGPLv3+.
-+This license is provided below:
-+******************************************************************************
-+
-+                   GNU LESSER GENERAL PUBLIC LICENSE
-+                       Version 3, 29 June 2007
-+
-+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
-+ Everyone is permitted to copy and distribute verbatim copies
-+ of this license document, but changing it is not allowed.
-+
-+
-+  This version of the GNU Lesser General Public License incorporates
-+the terms and conditions of version 3 of the GNU General Public
-+License, supplemented by the additional permissions listed below.
+ .../cmscore/profile/AbstractProfileSubsystem.java  |  7 +++-
+ .../cmscore/profile/LDAPProfileSubsystem.java      | 43 ++++------------------
+ 2 files changed, 13 insertions(+), 37 deletions(-)
+
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
+index 116b8e2..2a209ad 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
+@@ -121,7 +121,7 @@ public abstract class AbstractProfileSubsystem implements IProfileSubsystem {
+     /**
+      * Commits a profile.
+      */
+-    public void commitProfile(String id)
++    public synchronized void commitProfile(String id)
+             throws EProfileException {
+         IConfigStore cs = mProfiles.get(id).getConfigStore();
+ 
+@@ -157,6 +157,11 @@ public abstract class AbstractProfileSubsystem implements IProfileSubsystem {
+ 
+         // finally commit the configStore
+         //
++        commitConfigStore(id, cs);
++    }
 +
-+  0. Additional Definitions.
-+
-+  As used herein, "this License" refers to version 3 of the GNU Lesser
-+General Public License, and the "GNU GPL" refers to version 3 of the GNU
-+General Public License.
-+
-+  "The Library" refers to a covered work governed by this License,
-+other than an Application or a Combined Work as defined below.
-+
-+  An "Application" is any work that makes use of an interface provided
-+by the Library, but which is not otherwise based on the Library.
-+Defining a subclass of a class defined by the Library is deemed a mode
-+of using an interface provided by the Library.
-+
-+  A "Combined Work" is a work produced by combining or linking an
-+Application with the Library.  The particular version of the Library
-+with which the Combined Work was made is also called the "Linked
-+Version".
-+
-+  The "Minimal Corresponding Source" for a Combined Work means the
-+Corresponding Source for the Combined Work, excluding any source code
-+for portions of the Combined Work that, considered in isolation, are
-+based on the Application, and not on the Linked Version.
-+
-+  The "Corresponding Application Code" for a Combined Work means the
-+object code and/or source code for the Application, including any data
-+and utility programs needed for reproducing the Combined Work from the
-+Application, but excluding the System Libraries of the Combined Work.
-+
-+  1. Exception to Section 3 of the GNU GPL.
-+
-+  You may convey a covered work under sections 3 and 4 of this License
-+without being bound by section 3 of the GNU GPL.
-+
-+  2. Conveying Modified Versions.
-+
-+  If you modify a copy of the Library, and, in your modifications, a
-+facility refers to a function or data to be supplied by an Application
-+that uses the facility (other than as an argument passed when the
-+facility is invoked), then you may convey a copy of the modified
-+version:
-+
-+   a) under this License, provided that you make a good faith effort to
-+   ensure that, in the event an Application does not supply the
-+   function or data, the facility still operates, and performs
-+   whatever part of its purpose remains meaningful, or
-+
-+   b) under the GNU GPL, with none of the additional permissions of
-+   this License applicable to that copy.
-+
-+  3. Object Code Incorporating Material from Library Header Files.
-+
-+  The object code form of an Application may incorporate material from
-+a header file that is part of the Library.  You may convey such object
-+code under terms of your choice, provided that, if the incorporated
-+material is not limited to numerical parameters, data structure
-+layouts and accessors, or small macros, inline functions and templates
-+(ten or fewer lines in length), you do both of the following:
-+
-+   a) Give prominent notice with each copy of the object code that the
-+   Library is used in it and that the Library and its use are
-+   covered by this License.
-+
-+   b) Accompany the object code with a copy of the GNU GPL and this license
-+   document.
-+
-+  4. Combined Works.
-+
-+  You may convey a Combined Work under terms of your choice that,
-+taken together, effectively do not restrict modification of the
-+portions of the Library contained in the Combined Work and reverse
-+engineering for debugging such modifications, if you also do each of
-+the following:
-+
-+   a) Give prominent notice with each copy of the Combined Work that
-+   the Library is used in it and that the Library and its use are
-+   covered by this License.
-+
-+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
-+   document.
-+
-+   c) For a Combined Work that displays copyright notices during
-+   execution, include the copyright notice for the Library among
-+   these notices, as well as a reference directing the user to the
-+   copies of the GNU GPL and this license document.
-+
-+   d) Do one of the following:
-+
-+       0) Convey the Minimal Corresponding Source under the terms of this
-+       License, and the Corresponding Application Code in a form
-+       suitable for, and under terms that permit, the user to
-+       recombine or relink the Application with a modified version of
-+       the Linked Version to produce a modified Combined Work, in the
-+       manner specified by section 6 of the GNU GPL for conveying
-+       Corresponding Source.
-+
-+       1) Use a suitable shared library mechanism for linking with the
-+       Library.  A suitable mechanism is one that (a) uses at run time
-+       a copy of the Library already present on the user's computer
-+       system, and (b) will operate properly with a modified version
-+       of the Library that is interface-compatible with the Linked
-+       Version.
-+
-+   e) Provide Installation Information, but only if you would otherwise
-+   be required to provide such information under section 6 of the
-+   GNU GPL, and only to the extent that such information is
-+   necessary to install and execute a modified version of the
-+   Combined Work produced by recombining or relinking the
-+   Application with a modified version of the Linked Version. (If
-+   you use option 4d0, the Installation Information must accompany
-+   the Minimal Corresponding Source and Corresponding Application
-+   Code. If you use option 4d1, you must provide the Installation
-+   Information in the manner specified by section 6 of the GNU GPL
-+   for conveying Corresponding Source.)
-+
-+  5. Combined Libraries.
-+
-+  You may place library facilities that are a work based on the
-+Library side by side in a single library together with other library
-+facilities that are not Applications and are not covered by this
-+License, and convey such a combined library under terms of your
-+choice, if you do both of the following:
-+
-+   a) Accompany the combined library with a copy of the same work based
-+   on the Library, uncombined with any other library facilities,
-+   conveyed under the terms of this License.
-+
-+   b) Give prominent notice with the combined library that part of it
-+   is a work based on the Library, and explaining where to find the
-+   accompanying uncombined form of the same work.
-+
-+  6. Revised Versions of the GNU Lesser General Public License.
-+
-+  The Free Software Foundation may publish revised and/or new versions
-+of the GNU Lesser General Public License from time to time. Such new
-+versions will be similar in spirit to the present version, but may
-+differ in detail to address new problems or concerns.
-+
-+  Each version is given a distinguishing version number. If the
-+Library as you received it specifies that a certain numbered version
-+of the GNU Lesser General Public License "or any later version"
-+applies to it, you have the option of following the terms and
-+conditions either of that published version or of any later version
-+published by the Free Software Foundation. If the Library as you
-+received it does not specify a version number of the GNU Lesser
-+General Public License, you may choose any version of the GNU Lesser
-+General Public License ever published by the Free Software Foundation.
-+
-+  If the Library as you received it specifies that a proxy can decide
-+whether future versions of the GNU Lesser General Public License shall
-+apply, that proxy's public statement of acceptance of any version is
-+permanent authorization for you to choose that version for the
-+Library.
-+
-diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
-index 4c4b88a..5d2a143 100644
---- a/base/common/python/pki/__init__.py
-+++ b/base/common/python/pki/__init__.py
-@@ -2,17 +2,18 @@
- #     Endi S. Dewata <edewata@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2013 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/account.py b/base/common/python/pki/account.py
-index ee7507b..62d22fc 100644
---- a/base/common/python/pki/account.py
-+++ b/base/common/python/pki/account.py
-@@ -2,17 +2,18 @@
- #     Endi S. Dewata <edewata@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2013 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py
-index 8827db8..00c6fd9 100644
---- a/base/common/python/pki/authority.py
-+++ b/base/common/python/pki/authority.py
-@@ -1,15 +1,16 @@
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2014 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/cert.py b/base/common/python/pki/cert.py
-index 05db87c..c53d757 100644
---- a/base/common/python/pki/cert.py
-+++ b/base/common/python/pki/cert.py
-@@ -1,15 +1,16 @@
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2014 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/cli/__init__.py b/base/common/python/pki/cli/__init__.py
-index 3be9cce..2bed317 100644
---- a/base/common/python/pki/cli/__init__.py
-+++ b/base/common/python/pki/cli/__init__.py
-@@ -2,17 +2,18 @@
- #     Endi S. Dewata <edewata@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2015 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
-index ded79c7..8934d33 100644
---- a/base/common/python/pki/cli/pkcs12.py
-+++ b/base/common/python/pki/cli/pkcs12.py
-@@ -2,17 +2,18 @@
- #     Endi S. Dewata <edewata@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2016 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py
-index 230c236..7e91046 100644
---- a/base/common/python/pki/client.py
-+++ b/base/common/python/pki/client.py
-@@ -2,17 +2,18 @@
- #     Endi S. Dewata <edewata@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2013 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
-index 60e83c9..86fa16e 100644
---- a/base/common/python/pki/crypto.py
-+++ b/base/common/python/pki/crypto.py
-@@ -2,17 +2,18 @@
- #     Ade Lee <alee@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2013 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/encoder.py b/base/common/python/pki/encoder.py
-index f830601..8485ab8 100644
---- a/base/common/python/pki/encoder.py
-+++ b/base/common/python/pki/encoder.py
-@@ -1,3 +1,20 @@
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU Lesser General Public License for more details.
-+#
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Copyright (C) 2016 Red Hat, Inc.
-+# All rights reserved.
-+#
- from __future__ import absolute_import
++    protected void commitConfigStore(String id, IConfigStore cs)
++            throws EProfileException {
+         try {
+             cs.commit(false);
+         } catch (EBaseException e) {
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
+index fff8ead..bce675e 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
+@@ -303,43 +303,14 @@ public class LDAPProfileSubsystem
+             readProfile(entry);
+     }
  
- import base64
-diff --git a/base/common/python/pki/feature.py b/base/common/python/pki/feature.py
-index 45af63c..0e5171d 100644
---- a/base/common/python/pki/feature.py
-+++ b/base/common/python/pki/feature.py
-@@ -1,15 +1,16 @@
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2014 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py
-index 28c0e96..14e0b14 100644
---- a/base/common/python/pki/key.py
-+++ b/base/common/python/pki/key.py
-@@ -1,15 +1,16 @@
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2013 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/kra.py b/base/common/python/pki/kra.py
-index 522773b..b98f856 100644
---- a/base/common/python/pki/kra.py
-+++ b/base/common/python/pki/kra.py
-@@ -3,17 +3,18 @@
- #     Ade Lee <alee@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2013 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
-index f563fd8..a0b0302 100644
---- a/base/common/python/pki/nssdb.py
-+++ b/base/common/python/pki/nssdb.py
-@@ -2,17 +2,18 @@
- #     Endi S. Dewata <edewata@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2015 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/profile.py b/base/common/python/pki/profile.py
-index c463a6b..a2e7621 100644
---- a/base/common/python/pki/profile.py
-+++ b/base/common/python/pki/profile.py
-@@ -1,15 +1,16 @@
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2014 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/system.py b/base/common/python/pki/system.py
-index 45aa0d6..cbb908f 100644
---- a/base/common/python/pki/system.py
-+++ b/base/common/python/pki/system.py
-@@ -2,17 +2,18 @@
- #     Endi S. Dewata <edewata@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2013 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/systemcert.py b/base/common/python/pki/systemcert.py
-index ed41be9..9bf4678 100644
---- a/base/common/python/pki/systemcert.py
-+++ b/base/common/python/pki/systemcert.py
-@@ -2,17 +2,18 @@
- #     Ade Lee <alee@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2013 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/upgrade.py b/base/common/python/pki/upgrade.py
-index 2261ba8..3106c70 100644
---- a/base/common/python/pki/upgrade.py
-+++ b/base/common/python/pki/upgrade.py
-@@ -2,17 +2,18 @@
- #     Endi S. Dewata <edewata@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2013 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
-index 2cac1d8..95a3670 100644
---- a/base/common/python/pki/util.py
-+++ b/base/common/python/pki/util.py
-@@ -2,17 +2,18 @@
- #     Endi S. Dewata <edewata@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2013 Red Hat, Inc.
- # All rights reserved.
-diff --git a/base/common/python/setup.py b/base/common/python/setup.py
-index 2ab0337..86e0704 100644
---- a/base/common/python/setup.py
-+++ b/base/common/python/setup.py
-@@ -2,17 +2,17 @@
- #     Christian Heimes <cheimes@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; version 3 of the License.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
-+# GNU Lesser General Public License for more details.
- #
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
- # Copyright (C) 2015 Red Hat, Inc.
- # All rights reserved.
-@@ -81,7 +81,7 @@ hardened by real-world deployments. It supports all aspects of certificate
- lifecycle management, including key archival, OCSP and smartcard management,
- and much more. The Dogtag Certificate System can be downloaded for free
- and set up in less than an hour.""",
--    license='GPL',
-+    license='LGPLv3+',
-     keywords='pki x509 cert certificate',
-     url='http://pki.fedoraproject.org/',
-     packages=['pki', 'pki.cli'],
-@@ -93,7 +93,7 @@ and set up in less than an hour.""",
-         'Operating System :: OS Independent',
-         'Programming Language :: Python :: 2.7',
-         'Programming Language :: Python :: 3.4',
--        'License :: OSI Approved :: GNU General Public License v2 (GPLv2)',
-+        'License :: OSI Approved :: GNU Lesser General Public License v3+ (LGPLv3+)',
-         'Topic :: Security :: Cryptography',
-     ],
- )
++    /**
++     * Commit the configStore and track the resulting
++     * entryUSN and (in case of add) the nsUniqueId
++     */
+     @Override
+-    public synchronized void commitProfile(String id) throws EProfileException {
+-        LDAPConfigStore cs = (LDAPConfigStore) mProfiles.get(id).getConfigStore();
+-
+-        // first create a *new* profile object from the configStore
+-        // and initialise it with the updated configStore
+-        //
+-        IPluginRegistry registry = (IPluginRegistry)
+-            CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
+-        String classId = mProfileClassIds.get(id);
+-        IPluginInfo info = registry.getPluginInfo("profile", classId);
+-        String className = info.getClassName();
+-        IProfile newProfile = null;
+-        try {
+-            newProfile = (IProfile) Class.forName(className).newInstance();
+-        } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e) {
+-            throw new EProfileException("Could not instantiate class '"
+-                    + classId + "' for profile '" + id + "': " + e);
+-        }
+-        newProfile.setId(id);
+-        try {
+-            newProfile.init(this, cs);
+-        } catch (EBaseException e) {
+-            throw new EProfileException(
+-                    "Failed to initialise profile '" + id + "': " + e);
+-        }
+-
+-        // next replace the existing profile with the new profile;
+-        // this is to avoid any intermediate state where the profile
+-        // is not fully initialised with its inputs, outputs and
+-        // policy objects.
+-        //
+-        mProfiles.put(id, newProfile);
+-
+-        // finally commit the configStore and track the resulting
+-        // entryUSN and (in case of add) the nsUniqueId
+-        //
++    protected void commitConfigStore(String id, IConfigStore configStore)
++            throws EProfileException {
++        LDAPConfigStore cs = (LDAPConfigStore) configStore;
+         try {
+             String[] attrs = {"entryUSN", "nsUniqueId"};
+             LDAPEntry entry = cs.commitReturn(false, attrs);
 -- 
 1.8.3.1
 
 
-From d85080be85eb54756d9db69302a6117cef063017 Mon Sep 17 00:00:00 2001
-From: Ade Lee <alee@redhat.com>
-Date: Fri, 29 Jul 2016 12:23:39 +0100
-Subject: [PATCH 71/96] Do slot substitution for SERVER_KEYGEN
+From 6562b05a73090c0f7882a9684a8ceac2666e4401 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Tue, 7 Feb 2017 17:39:33 +1000
+Subject: [PATCH 36/49] ISourceConfigStore: add clear() method to interface
 
-Ticket 2418
----
- base/server/config/pkislots.cfg                       | 1 +
- base/server/python/pki/server/deployment/pkiparser.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
-index 473b0da..3873b83 100644
---- a/base/server/config/pkislots.cfg
-+++ b/base/server/config/pkislots.cfg
-@@ -64,6 +64,7 @@ PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT]
- PKI_USER_SLOT=[PKI_USER]
- PKI_WEB_SERVER_TYPE_SLOT=[PKI_WEB_SERVER_TYPE]
- PKI_WEBAPPS_NAME_SLOT=[PKI_WEBAPPS_NAME]
-+SERVER_KEYGEN_SLOT=[SERVER_KEYGEN]
- TOKENDB_HOST_SLOT=[TOKENDB_HOST]
- TOKENDB_PORT_SLOT={TOKENDB_PORT]
- TOKENDB_ROOT_SLOT=[TOKENDB_ROOT]
-diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
-index d940e2c..622f87e 100644
---- a/base/server/python/pki/server/deployment/pkiparser.py
-+++ b/base/server/python/pki/server/deployment/pkiparser.py
-@@ -941,6 +941,8 @@ class PKIConfigParser:
-                 "tomcat"
-             self.mdict['PKI_WEBAPPS_NAME_SLOT'] = \
-                 "webapps"
-+            self.mdict['SERVER_KEYGEN_SLOT'] = \
-+                self.mdict['pki_enable_server_side_keygen']
-             self.mdict['TOMCAT_CFG_SLOT'] = \
-                 self.mdict['pki_target_tomcat_conf']
-             self.mdict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] = \
--- 
-1.8.3.1
+The SourceConfigStore load() method does not clear the config store,
+but this might be necessary to avoid stale data if wanting to
+perform a complete replacement of the data (e.g. reload from file).
 
+We should not change the behaviour of load() in case some code is
+relying on the current behaviour, so add the clear() method to the
+interface.
 
-From 7cfff9fb0c08d08f57d6229cb8a67d7c94f785aa Mon Sep 17 00:00:00 2001
-From: Ade Lee <alee@redhat.com>
-Date: Fri, 29 Jul 2016 14:42:35 +0100
-Subject: [PATCH 72/96] Fix client-cert-import to set provided trust bits
+Part of: https://fedorahosted.org/pki/ticket/2588
 
-Ticket 2412
+Change-Id: Ia139a49f1a23c4f9410d7b94c9a4c8f14f29fe93
 ---
- .../netscape/cmstools/client/ClientCertImportCLI.java    | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
-index 9625440..a920079 100644
---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
-@@ -83,7 +83,7 @@ public class ClientCertImportCLI extends CLI {
-         option.setArgName("serial number");
-         options.addOption(option);
- 
--        option = new Option(null, "trust", true, "Trust attributes. Default: u,u,u.");
-+        option = new Option(null, "trust", true, "Trust attributes.");
-         option.setArgName("trust attributes");
-         options.addOption(option);
-     }
-@@ -140,13 +140,16 @@ public class ClientCertImportCLI extends CLI {
-         String pkcs12PasswordPath = cmd.getOptionValue("pkcs12-password-file");
-         boolean importFromCAServer = cmd.hasOption("ca-server");
-         String serialNumber = cmd.getOptionValue("serial");
--        String trustAttributes = cmd.getOptionValue("trust", "u,u,u");
-+        String trustAttributes = cmd.getOptionValue("trust");
- 
-         // load the certificate
-         if (certPath != null) {
- 
-             if (verbose) System.out.println("Importing certificate from " + certPath + ".");
+ base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java    | 5 +++++
+ .../cmscore/src/com/netscape/cmscore/base/PropConfigStore.java       | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java b/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java
+index 42637c2..8eb86c2 100644
+--- a/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java
++++ b/base/common/src/com/netscape/certsrv/base/ISourceConfigStore.java
+@@ -63,6 +63,11 @@ public interface ISourceConfigStore extends Serializable {
+     public Enumeration<String> keys();
  
-+            if (trustAttributes == null)
-+                trustAttributes = "u,u,u";
+     /**
++     * Clear the config store.
++     */
++    public void clear();
 +
-             importCert(
-                     mainCLI.certDatabase.getAbsolutePath(),
-                     certPath,
-@@ -157,7 +160,8 @@ public class ClientCertImportCLI extends CLI {
- 
-             if (verbose) System.out.println("Importing CA certificate from " + caCertPath + ".");
- 
--            trustAttributes = "CT,c,";
-+            if (trustAttributes == null)
-+                trustAttributes = "CT,c,";
- 
-             importCert(
-                     mainCLI.certDatabase.getAbsolutePath(),
-@@ -218,7 +222,8 @@ public class ClientCertImportCLI extends CLI {
-                 out.write(bytes);
-             }
- 
--            trustAttributes = "CT,c,";
-+            if (trustAttributes == null)
-+                trustAttributes = "CT,c,";
- 
-             importCert(
-                     mainCLI.certDatabase.getAbsolutePath(),
-@@ -250,6 +255,9 @@ public class ClientCertImportCLI extends CLI {
-                 out.write(encoded);
-             }
++    /**
+      * Reads a config store from an input stream.
+      *
+      * @param in input stream where the properties are located
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java b/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java
+index cc16e24..acf2844 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/base/PropConfigStore.java
+@@ -223,6 +223,10 @@ public class PropConfigStore implements IConfigStore, Cloneable {
+         }
+     }
  
-+            if (trustAttributes == null)
-+                trustAttributes = "u,u,u";
++    public synchronized void clear() {
++        mSource.clear();
++    }
 +
-             importCert(
-                     mainCLI.certDatabase.getAbsolutePath(),
-                     certFile.getAbsolutePath(),
+     /**
+      * Reads a config store from an input stream.
+      *
 -- 
 1.8.3.1
 
 
-From e46fdb07d014368bb506b02d4ca9fafda672800a Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Sat, 30 Jul 2016 00:23:48 +0200
-Subject: [PATCH 73/96] Added log message in PKIClient.
+From 62419afd831039e7487ba184c6bf8f876f4d21da Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Tue, 7 Feb 2017 21:12:08 +1000
+Subject: [PATCH 37/49] ProfileService: clear profile attributes when modifying
 
-To help troubleshooting the PKIClient class has been modified to
-log the certificate chain retrieved from the CA.
+When modifying a profile, attributes are not cleared.  Attributes
+that were removed in the updated profile configuration are not
+actually removed.
 
-https://fedorahosted.org/pki/ticket/2399
+When updating a profile via PUT /ca/rest/profiles/{id}/raw, clear
+the config store before loading the new configuration.
+
+Fixes: https://fedorahosted.org/pki/ticket/2588
+Change-Id: I4988315c57bb5d5a44deb04d41603adb39780f19
 ---
- base/common/src/com/netscape/certsrv/client/PKIClient.java | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/client/PKIClient.java b/base/common/src/com/netscape/certsrv/client/PKIClient.java
-index 5c13554..8cad382 100644
---- a/base/common/src/com/netscape/certsrv/client/PKIClient.java
-+++ b/base/common/src/com/netscape/certsrv/client/PKIClient.java
-@@ -32,6 +32,7 @@ import javax.xml.parsers.DocumentBuilder;
- import javax.xml.parsers.DocumentBuilderFactory;
- import javax.xml.parsers.ParserConfigurationException;
- 
-+import org.apache.commons.codec.binary.Base64;
- import org.mozilla.jss.CryptoManager;
- import org.mozilla.jss.CryptoManager.NicknameConflictException;
- import org.mozilla.jss.CryptoManager.NotInitializedException;
-@@ -177,7 +178,15 @@ public class PKIClient {
-         Element element = (Element)list.item(0);
- 
-         String encodedChain = element.getTextContent();
--        return Utils.base64decode(encodedChain);
-+        byte[] bytes = Utils.base64decode(encodedChain);
-+
-+        if (verbose) {
-+            System.out.println("-----BEGIN PKCS7-----");
-+            System.out.print(new Base64(64).encodeToString(bytes));
-+            System.out.println("-----END PKCS7-----");
-+        }
-+
-+        return bytes;
-     }
+ base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+index be61892..8666b9c 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+@@ -718,6 +718,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
+             }
  
-     public X509Certificate importCertPackage(byte[] bytes, String nickname)
+             // no error thrown, so commit updated profile config
++            profile.getConfigStore().clear();
+             profile.getConfigStore().load(new ByteArrayInputStream(data));
+             ps.disableProfile(profileId);
+             ps.commitProfile(profileId);
 -- 
 1.8.3.1
 
 
-From 1b246d46671472d0b395957d3e550e54c3068758 Mon Sep 17 00:00:00 2001
-From: Matthew Harmsen <mharmsen@redhat.com>
-Date: Mon, 1 Aug 2016 16:36:00 -0600
-Subject: [PATCH 74/96] pki-tools man pages
+From da624993c302a81a11f37f984d75c37a467dc5e5 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Thu, 6 Apr 2017 16:07:07 +1000
+Subject: [PATCH 38/49] KRA: do not accumulate recovered keys in token
+
+When using token-based unwrapping of archived keys, the key is being
+stored in the token.  We do not want to accumulate the keys here;
+make them temporary.
+
+Part of: https://pagure.io/dogtagpki/issue/2610
 
-* PKI TRAC Ticket #690 - [MAN] pki-tools man pages
-  - AtoB,
-  - BtoA,
-  - KRATool,
-  - PrettyPrintCert, and
-  - PrettyPrintCrl
+Change-Id: Ic12a4db7238512b4fec5d6fdb023b20195c2d438
 ---
- base/java-tools/man/man1/AtoB.1            |  56 ++++
- base/java-tools/man/man1/BtoA.1            |  56 ++++
- base/java-tools/man/man1/KRATool.1         | 459 +++++++++++++++++++++++++++++
- base/java-tools/man/man1/PrettyPrintCert.1 | 204 +++++++++++++
- base/java-tools/man/man1/PrettyPrintCrl.1  | 141 +++++++++
- 5 files changed, 916 insertions(+)
- create mode 100644 base/java-tools/man/man1/AtoB.1
- create mode 100644 base/java-tools/man/man1/BtoA.1
- create mode 100644 base/java-tools/man/man1/KRATool.1
- create mode 100644 base/java-tools/man/man1/PrettyPrintCert.1
- create mode 100644 base/java-tools/man/man1/PrettyPrintCrl.1
-
-diff --git a/base/java-tools/man/man1/AtoB.1 b/base/java-tools/man/man1/AtoB.1
-new file mode 100644
-index 0000000..228e3e0
---- /dev/null
-+++ b/base/java-tools/man/man1/AtoB.1
-@@ -0,0 +1,56 @@
-+.\" First parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH AtoB 1 "July 20, 2016" "version 10.3" "PKI ASCII to Binary Conversion Tool" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh        disable hyphenation
-+.\" .hy        enable hyphenation
-+.\" .ad l      left justify
-+.\" .ad b      justify to both left and right margins
-+.\" .nf        disable filling
-+.\" .fi        enable filling
-+.\" .br        insert line break
-+.\" .sp <n>    insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+AtoB  \- Convert ASCII base-64 encoded data to binary base-64 encoded data.
-+
-+.SH SYNOPSIS
-+.PP
-+\fBAtoB <input_file> <output_file>\fP
-+
-+.SH DESCRIPTION
-+.PP
-+The \fBAtoB\fP command provides a command-line utility used to convert ASCII base-64 encoded data to binary base-64 encoded data.
-+
-+.SH OPTIONS
-+.PP
-+The following parameters are mandatory:
-+.TP
-+.B <input_file>
-+Specifies the path to the file containing the base-64 encoded ASCII data.
-+
-+.TP
-+.B <output_file>
-+Specifies the path to the file where the utility should write the binary output.
-+
-+.SH EXAMPLES
-+.PP
-+This example command takes the base-64 ASCII data in the \fBascii_data.pem\fP file and writes the binary equivalent of the data to the \fBbinary_data.der\fP file:
-+.IP
-+.nf
-+AtoB ascii_data.pem binary_data.der
-+.if
-+
-+.SH AUTHORS
-+Matthew Harmsen <mharmsen@redhat.com>.
-+
-+.SH COPYRIGHT
-+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
-+License, version 2 (GPLv2). A copy of this license is available at
-+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-+
-+.SH SEE ALSO
-+.BR BtoA(1), pki(1)
-diff --git a/base/java-tools/man/man1/BtoA.1 b/base/java-tools/man/man1/BtoA.1
-new file mode 100644
-index 0000000..95c742d
---- /dev/null
-+++ b/base/java-tools/man/man1/BtoA.1
-@@ -0,0 +1,56 @@
-+.\" First parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH BtoA 1 "July 20, 2016" "version 10.3" "PKI Binary to ASCII Conversion Tool" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh        disable hyphenation
-+.\" .hy        enable hyphenation
-+.\" .ad l      left justify
-+.\" .ad b      justify to both left and right margins
-+.\" .nf        disable filling
-+.\" .fi        enable filling
-+.\" .br        insert line break
-+.\" .sp <n>    insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+BtoA  \- Convert binary base-64 encoded data to ASCII base-64 encoded data.
-+
-+.SH SYNOPSIS
-+.PP
-+\fBBtoA <input_file> <output_file>\fP
-+
-+.SH DESCRIPTION
-+.PP
-+The \fBBtoA\fP command provides a command-line utility used to convert binary base-64 encoded data to ASCII base-64 encoded data.
-+
-+.SH OPTIONS
-+.PP
-+The following parameters are mandatory:
-+.TP
-+.B <input_file>
-+Specifies the path to the file which contains the base-64 encoded binary data.
-+
-+.TP
-+.B <output_file>
-+Specifies the path to the file where the utility should write the ASCII output.
-+
-+.SH EXAMPLES
-+.PP
-+This example command takes the base-64 binary data in the \fBbinary_data.der\fP file and writes the ASCII equivalent of the data to the \fBascii_data.pem\fP file:
-+.IP
-+.nf
-+BtoA binary_data.der ascii_data.pem
-+.if
-+
-+.SH AUTHORS
-+Matthew Harmsen <mharmsen@redhat.com>.
-+
-+.SH COPYRIGHT
-+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
-+License, version 2 (GPLv2). A copy of this license is available at
-+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-+
-+.SH SEE ALSO
-+.BR AtoB(1), pki(1)
-diff --git a/base/java-tools/man/man1/KRATool.1 b/base/java-tools/man/man1/KRATool.1
-new file mode 100644
-index 0000000..b04cd2b
---- /dev/null
-+++ b/base/java-tools/man/man1/KRATool.1
-@@ -0,0 +1,459 @@
-+.\" First parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH KRATool 1 "July 18, 2016" "version 10.3" "PKI Key Recovery Authority (KRA) Tool" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh        disable hyphenation
-+.\" .hy        enable hyphenation
-+.\" .ad l      left justify
-+.\" .ad b      justify to both left and right margins
-+.\" .nf        disable filling
-+.\" .fi        enable filling
-+.\" .br        insert line break
-+.\" .sp <n>    insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+KRATool  \- Command-Line utility used to export private keys from one or more KRA instances (generally legacy) into a KRA instance (generally modern); during the process of moving the keys, the KRATool can rewrap keys, renumber keys, or both.
-+
-+.SH SYNOPSIS
-+.PP
-+The syntax for rewrapping keys:
-+.IP
-+.nf
-+\fBKRATool\fR -kratool_config_file </path/to/tool_config_file>
-+	-source_ldif_file </path/to/original_ldif_file>
-+	-target_ldif_file </path/to/newinstance_ldif_file>
-+	-log_file </path/to/tool_log_file>
-+	[-source_pki_security_database_path </path/to/nss_databases>
-+	-source_storage_token_name </path/to/token>
-+	-source_storage_certificate_nickname <storage_certificate_nickname>
-+	-target_storage_certificate_file </path/to/new_ASCII_storage_cert>
-+	[-source_pki_security_database_pwdfile </path/to/password_file>]]
-+	[-source_kra_naming_context <name> -target_kra_naming_context <name>]
-+	[-process_requests_and_key_records_only]
-+.fi
-+.PP
-+The syntax for renumbering keys:
-+.IP
-+.nf
-+\fBKRATool\fR -kratool_config_file </path/to/tool_config_file>
-+	-source_ldif_file </path/to/original_ldif_file>
-+	-target_ldif_file </path/to/newinstance_ldif_file>
-+	-log_file </path/to/tool_log_file>
-+	[-append_id_offset <prefix_to_add> | -remove_id_offset <prefix_to_remove>]
-+	[-source_kra_naming_context <name> -target_kra_naming_context <name>]
-+	[-process_requests_and_key_records_only]
-+.fi
-+
-+.SH DESCRIPTION
-+.PP
-+The \fBKRATool\fR command provides a command-line utility used to rewrap keys, renumber keys, or both.  For example, some private keys (mainly in older deployments) were wrapped in SHA-1, 1024-bit storage keys when they were archived in the Key Recovery Authority (KRA). These algorithms have become less secure as processor speeds improve and algorithms have been broken. As a security measure, it is possible to rewrap the private keys in a new, stronger storage key (SHA-256, 2048-bit keys).
-+.TP
-+\fBNote:\fP
-+Because the KRATool utility can export private keys from one KRA, rewrap them with a new storage key, and then import them into a new KRA, this tool can be used as part of a process of combining multiple KRA instances into a single KRA.
-+
-+.SH OPTIONS
-+.PP
-+The following parameters are mandatory for both rewrapping and renumbering keys:
-+.TP
-+.B -kratool_config_file </path/to/tool_config_file>
-+Gives the complete path and filename of the configuration file used by the tool. This configuration process tells the tool how to process certain parameters in the existing key records, whether to apply any formatting changes (like changing the naming context or adding an offset) or even whether to update the modify date. The configuration file is required and a default file is included with the tool. The file format is described in the section entitled
-+.B Configuration File (.cfg).
-+
-+.TP
-+.B -source_ldif_file </path/to/original_ldif_file>
-+Gives the complete path and filename of the Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) file which contains all of the key data from the old KRA.
-+
-+.TP
-+.B -target_ldif_file </path/to/newinstance_ldif_file>
-+Gives the complete path and filename of the LDIF file to which the tool will write all of the key data from the new KRA. This file is created by the tool as it runs.
-+
-+.TP
-+.B -log_file </path/to/tool_log_file>
-+Gives the path and filename of the log file to use to log the tool progress and messages. This file is created by the tool as it runs.
-+
-+.PP
-+The following parameters are optional for both rewrapping and renumbering keys:
-+
-+.TP
-+.B -source_kra_naming_context <name>
-+Gives the naming context of the original KRA instance, the Distinguished Name (DN) element that refers to the original KRA. Key-related LDIF entries have a DN with the KRA instance name in it, such as \fIcn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra\fP. The naming context for that entry is the DN value, \fIalpha.example.com-pki-kra\fP. These entries can be renamed, automatically, from the old KRA instance naming context to the new KRA instance naming context.
-+
-+While this argument is optional, it is recommended because it means that the LDIF file does not have to be edited before it is imported into the target KRA.
-+If this argument is used, then the \fB-target_kra_naming_context\fP argument must also be used.
-+
-+.TP
-+.B -target_kra_naming_context <name>
-+Gives the naming context of the new KRA instance, the name that the original key entries should be changed too. Key-related LDIF entries have a DN with the KRA instance name in it, such as \fIcn=1,ou=kra,ou=requests,dc=omega.example.com-pki-kra\fP. The naming context for that entry is the DN value, \fIomega.example.com-pki-kra\fP.These entries can be renamed, automatically, from the old KRA instance to the new KRA instance naming context.
-+
-+While this argument is optional, it is recommended because it means that the LDIF file does not have to be edited before it is imported into the target KRA.
-+If this argument is used, then the \fB-source_kra_naming_context\fP argument must also be used.
-+
-+.TP
-+.B -process_requests_and_key_records_only
-+Removes configuration entries from the source LDIF file, leaving only the key and request entries.
-+
-+While this argument is optional, it is recommended because it means that the LDIF file does not have to be edited before it is imported into the target KRA.
-+
-+.PP
-+The following parameters are optional for rewrapping keys:
-+
-+.TP
-+.B -source_pki_security_database_path </path/to/nss_databases>
-+Gives the full path to the directory which contains the Network Security Services (NSS) security databases used by the old KRA instance.
-+
-+This option is required if any other rewrap parameters are used.
-+
-+.TP
-+.B -source_storage_token_name </path/to/token>
-+Gives the name of the token which stores the KRA data, like \fIInternal Key Storage Token\fP for internal tokens or a name like \fINHSM6000-OCS\fP for the hardware token name.
-+
-+This option is required if any other rewrap parameters are used.
-+
-+.TP
-+.B -source_storage_certificate_nickname <storage_certificate_nickname>
-+Gives the nickname of the KRA storage certificate for the old KRA instance. Either this certificate will be located in the security database for the old KRA instance or the security database will contain a pointer to the certificate in the hardware token.
-+
-+This option is required if any other rewrap parameters are used.
-+
-+.TP
-+.B -target_storage_certificate_file </path/to/new_ASCII_storage_cert>
-+Gives the path and filename of an ASCII-formatted file of the storage certificate for the new KRA instance. The storage certificate should be exported from the new KRA's databases and stored in an accessible location before running KRATool.
-+
-+This option is required if any other rewrap parameters are used.
-+
-+.TP
-+.B -source_pki_security_database_pwdfile </path/to/password_file>
-+Gives the path and filename to a password file that contains only the password for the storage token given in the \fB-source_storage_token_name\fP option.
-+
-+This argument is optional when other rewrap parameters are used. If this argument is not used, then the script prompts for the password.
-+
-+.PP
-+The following parameters are optional for renumbering keys:
-+
-+.TP
-+.B -append_id_offset <prefix_to_add>
-+Gives an ID number which will be preprended to every imported key, to prevent possible collisions. A unique ID offset should be used for every KRA instance which has keys exported using KRATool.
-+
-+If \fB-append_id_offset\fP is used, then do not use the \fB-remove_id_offset\fP option.
-+
-+.TP
-+.B -remove_id_offset <prefix_to_remove>
-+Gives an ID number to remove from the beginning of every imported key.
-+
-+If \fB-remove_id_offset\fP is used, then do not use the \fB-append_id_offset\fP option.
-+
-+.SH Configuration File (.cfg)
-+.PP
-+The required configuration file instructs the KRATool how to process attributes in the key archival and key request entries in the LDIF file. There are six types of entries:
-+.IP
-+* CA enrollment requests
-+* TPS enrollment requests
-+* CA key records
-+* TPS key records
-+* CA and TPS recovery requests (which are treated the same in the KRA)
-+.PP
-+Each key and key request has an LDAP entry with attributes that are specific to that kind of record. For example, for a recovery request:
-+.IP
-+.nf
-+dn: cn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra
-+objectClass: top
-+objectClass: request
-+objectClass: extensibleObject
-+requestId: 011
-+requestState: complete
-+dateOfCreate: 20110121181006Z
-+dateOfModify: 20110524094652Z
-+extdata-kra--005ftrans--005fdeskey: 3#C7#82#0F#5D#97GqY#0Aib#966#E5B#F56#F24n#
-+ F#9E#98#B3
-+extdata-public--005fkey: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDu6E3uG+Ep27bF1
-+ yTWvwIDAQAB
-+extdata-archive: true
-+extdata-requesttype: netkeyKeygen
-+extdata-iv--005fs: %F2%67%45%96%41%D7%FF%10
-+extdata-requestversion: 8.1.0
-+extdata-requestortype: NETKEY_RA
-+extdata-keyrecord: 1
-+extdata-wrappeduserprivate: %94%C1%36%D3%EA%4E%36%B5%42%91%AB%47%34%C0%35%A3%6
-+ F%E8%10%A9%B1%25%F4%BE%9C%11%D1%B3%3D%90%AB%79
-+extdata-userid: jmagne
-+extdata-keysize: 1024
-+extdata-updatedby: TPS-alpha.example.com-7889
-+extdata-dbstatus: UPDATED
-+extdata-cuid: 40906145C76224192D2B
-+extdata-requeststatus: complete
-+extdata-requestid: 1
-+extdata-result: 1
-+requestType: netkeyKeygen
-+cn: 1
-+creatorsName: cn=directory manager
-+modifiersName: cn=directory manager
-+createTimestamp: 20110122021010Z
-+modifyTimestamp: 20110122021010Z
-+nsUniqueId: b2891805-1dd111b2-a6d7e85f-2c2f0000
-+.if
-+
-+.PP
-+Much of that information passes through the script processing unchanged, so it is entered into the new, target KRA just the same. However, some of those attributes can and should be edited, like the Common Name (CN) and DN being changed to match the new KRA instance. The fields which can safely be changed are listed in the configuration file for each type of key entry. (Any attribute not listed is not touched by the tool under any circumstances.)
-+.PP
-+If a field /fIshould/fP be edited — meaning, the tool can update the record ID number or rename the entry — then the value is set to true in the configuration file. For example, this configuration updates the CN, DN, ID number, last modified date, and associated entry notes for all CA enrollment requests:
-+.IP
-+.nf
-+kratool.ldif.caEnrollmentRequest.cn=true
-+kratool.ldif.caEnrollmentRequest.dateOfModify=true
-+kratool.ldif.caEnrollmentRequest.dn=true
-+kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
-+kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
-+kratool.ldif.caEnrollmentRequest.requestId=true
-+.if
-+
-+.PP
-+If a line is set to true, then the attribute is processed in the LDIF file. By default, all possible attributes are processed. Setting a line to false means that the KRATool skips that attribute and passes the value unchanged. For example, this leaves the last modified time unchanged so that it doesn't update for when the KRATool runs:
-+.IP
-+.nf
-+kratool.ldif.caEnrollmentRequest.dateOfModify=false
-+.if
-+
-+.TP
-+\fBNOTE:\fP
-+Key enrollments, records, and requests all have an optional notes attribute where administrators can enter notes about the process. When the KRATool runs, it appends a note to that attribute or adds the attribute with information about the tool running, what operations were performed, and a timestamp:
-+.IP
-+.nf
-+extdata-requestnotes: [20110701150056Z]: REWRAPPED the 'existing DES3 symmetric session key' with the '2048-bit RSA public key' obtained from the target storage certificate + APPENDED ID offset '100000000000' + RENAMED source KRA naming context 'alpha.example.com-pki-kra' to target KRA naming context 'omega.example.com-pki-kra' + PROCESSED requests and key records ONLY!
-+.if
-+
-+.TP
-+\fB\fP
-+This information is very useful for both audit and maintenance of the KRA, so it is beneficial to keep the extdata.requestNotes parameter for all of the key record types set to true.
-+
-+.TP
-+\fBIMPORTANT:\fP
-+Every parameter line in the default \fBkratool.cfg\fP must be present in the \fI.cfg\fP file used when the tool is invoked. No line can be omitted and every line must have a valid value (true or false). If the file is not properly formatted, the KRATool will fail.
-+
-+.PP
-+The formatting of the \fI.cfg\fP file is the same as the formatting used in the instance \fBCS.cfg\fP files.
-+
-+.PP
-+A default \fI.cfg\fP file is included with the KRATool script. This file (shown in the example entitled \fBDefault kratool.cfg File\fP) can be copied and edited into a custom file or edited directly and used with the tool.
-+
-+.SS Default kratool.cfg File
-+.BR
-+.IP
-+.nf
-+kratool.ldif.caEnrollmentRequest._000=########################################
-+kratool.ldif.caEnrollmentRequest._001=##     KRA CA Enrollment Request      ##
-+kratool.ldif.caEnrollmentRequest._002=########################################
-+kratool.ldif.caEnrollmentRequest._003=##                                    ##
-+kratool.ldif.caEnrollmentRequest._004=##  NEVER allow 'KRATOOL' the ability ##
-+kratool.ldif.caEnrollmentRequest._005=##  to change the CA 'naming context' ##
-+kratool.ldif.caEnrollmentRequest._006=##  data in the following fields:     ##
-+kratool.ldif.caEnrollmentRequest._007=##                                    ##
-+kratool.ldif.caEnrollmentRequest._008=##    extdata-auth--005ftoken;uid     ##
-+kratool.ldif.caEnrollmentRequest._009=##    extdata-auth--005ftoken;userid  ##
-+kratool.ldif.caEnrollmentRequest._010=##    extdata-updatedby               ##
-+kratool.ldif.caEnrollmentRequest._011=##                                    ##
-+kratool.ldif.caEnrollmentRequest._012=##  NEVER allow 'KRATOOL' the ability ##
-+kratool.ldif.caEnrollmentRequest._013=##  to change CA 'numeric' data in    ##
-+kratool.ldif.caEnrollmentRequest._014=##  the following fields:             ##
-+kratool.ldif.caEnrollmentRequest._015=##                                    ##
-+kratool.ldif.caEnrollmentRequest._016=##    extdata-requestId               ##
-+kratool.ldif.caEnrollmentRequest._017=##                                    ##
-+kratool.ldif.caEnrollmentRequest._018=########################################
-+kratool.ldif.caEnrollmentRequest.cn=true
-+kratool.ldif.caEnrollmentRequest.dateOfModify=true
-+kratool.ldif.caEnrollmentRequest.dn=true
-+kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
-+kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
-+kratool.ldif.caEnrollmentRequest.requestId=true
-+kratool.ldif.caKeyRecord._000=#########################################
-+kratool.ldif.caKeyRecord._001=##          KRA CA Key Record          ##
-+kratool.ldif.caKeyRecord._002=#########################################
-+kratool.ldif.caKeyRecord._003=##                                     ##
-+kratool.ldif.caKeyRecord._004=##  NEVER allow 'KRATOOL' the ability  ##
-+kratool.ldif.caKeyRecord._005=##  to change the CA 'naming context'  ##
-+kratool.ldif.caKeyRecord._006=##  data in the following fields:      ##
-+kratool.ldif.caKeyRecord._007=##                                     ##
-+kratool.ldif.caKeyRecord._008=##    archivedBy                       ##
-+kratool.ldif.caKeyRecord._009=##                                     ##
-+kratool.ldif.caKeyRecord._010=#########################################
-+kratool.ldif.caKeyRecord.cn=true
-+kratool.ldif.caKeyRecord.dateOfModify=true
-+kratool.ldif.caKeyRecord.dn=true
-+kratool.ldif.caKeyRecord.privateKeyData=true
-+kratool.ldif.caKeyRecord.serialno=true
-+kratool.ldif.namingContext._000=############################################
-+kratool.ldif.namingContext._001=##       KRA Naming Context Fields        ##
-+kratool.ldif.namingContext._002=############################################
-+kratool.ldif.namingContext._003=##                                        ##
-+kratool.ldif.namingContext._004=##  NEVER allow 'KRATOOL' the ability to  ##
-+kratool.ldif.namingContext._005=##  change the CA 'naming context' data   ##
-+kratool.ldif.namingContext._006=##  in the following 'non-KeyRecord /     ##
-+kratool.ldif.namingContext._007=##  non-Request' fields (as these records ##
-+kratool.ldif.namingContext._008=##  should be removed via the option to   ##
-+kratool.ldif.namingContext._009=##  process requests and key records only ##
-+kratool.ldif.namingContext._010=##  if this is a KRA migration):          ##
-+kratool.ldif.namingContext._011=##                                        ##
-+kratool.ldif.namingContext._012=##    cn                                  ##
-+kratool.ldif.namingContext._013=##    sn                                  ##
-+kratool.ldif.namingContext._014=##    uid                                 ##
-+kratool.ldif.namingContext._015=##    uniqueMember                        ##
-+kratool.ldif.namingContext._016=##                                        ##
-+kratool.ldif.namingContext._017=##  NEVER allow 'KRATOOL' the ability to  ##
-+kratool.ldif.namingContext._018=##  change the KRA 'naming context' data  ##
-+kratool.ldif.namingContext._019=##  in the following 'non-KeyRecord /     ##
-+kratool.ldif.namingContext._020=##  non-Request' fields (as these records ##
-+kratool.ldif.namingContext._021=##  should be removed via the option to   ##
-+kratool.ldif.namingContext._022=##  process requests and key records only ##
-+kratool.ldif.namingContext._023=##  if this is a KRA migration):          ##
-+kratool.ldif.namingContext._024=##                                        ##
-+kratool.ldif.namingContext._025=##      dc                                ##
-+kratool.ldif.namingContext._026=##      dn                                ##
-+kratool.ldif.namingContext._027=##      uniqueMember                      ##
-+kratool.ldif.namingContext._028=##                                        ##
-+kratool.ldif.namingContext._029=##  NEVER allow 'KRATOOL' the ability to  ##
-+kratool.ldif.namingContext._030=##  change the TPS 'naming context' data  ##
-+kratool.ldif.namingContext._031=##  in the following 'non-KeyRecord /     ##
-+kratool.ldif.namingContext._032=##  non-Request' fields (as these records ##
-+kratool.ldif.namingContext._033=##  should be removed via the option to   ##
-+kratool.ldif.namingContext._034=##  process requests and key records only ##
-+kratool.ldif.namingContext._035=##  if this is a KRA migration):          ##
-+kratool.ldif.namingContext._036=##                                        ##
-+kratool.ldif.namingContext._037=##    uid                                 ##
-+kratool.ldif.namingContext._038=##    uniqueMember                        ##
-+kratool.ldif.namingContext._039=##                                        ##
-+kratool.ldif.namingContext._040=##  If '-source_naming_context            ##
-+kratool.ldif.namingContext._041=##  original source KRA naming context'   ##
-+kratool.ldif.namingContext._042=##  and '-target_naming_context           ##
-+kratool.ldif.namingContext._043=##  renamed target KRA naming context'    ##
-+kratool.ldif.namingContext._044=##  options are specified, ALWAYS         ##
-+kratool.ldif.namingContext._045=##  require 'KRATOOL' to change the       ##
-+kratool.ldif.namingContext._046=##  KRA 'naming context' data in ALL of   ##
-+kratool.ldif.namingContext._047=##  the following fields in EACH of the   ##
-+kratool.ldif.namingContext._048=##  following types of records:           ##
-+kratool.ldif.namingContext._049=##                                        ##
-+kratool.ldif.namingContext._050=##    caEnrollmentRequest:                ##
-+kratool.ldif.namingContext._051=##                                        ##
-+kratool.ldif.namingContext._052=##      dn                                ##
-+kratool.ldif.namingContext._053=##      extdata-auth--005ftoken;user      ##
-+kratool.ldif.namingContext._054=##      extdata-auth--005ftoken;userdn    ##
-+kratool.ldif.namingContext._055=##                                        ##
-+kratool.ldif.namingContext._056=##    caKeyRecord:                        ##
-+kratool.ldif.namingContext._057=##                                        ##
-+kratool.ldif.namingContext._058=##      dn                                ##
-+kratool.ldif.namingContext._059=##                                        ##
-+kratool.ldif.namingContext._060=##    recoveryRequest:                    ##
-+kratool.ldif.namingContext._061=##                                        ##
-+kratool.ldif.namingContext._062=##      dn                                ##
-+kratool.ldif.namingContext._063=##                                        ##
-+kratool.ldif.namingContext._064=##    tpsKeyRecord:                       ##
-+kratool.ldif.namingContext._065=##                                        ##
-+kratool.ldif.namingContext._066=##      dn                                ##
-+kratool.ldif.namingContext._067=##                                        ##
-+kratool.ldif.namingContext._068=##    tpsNetkeyKeygenRequest:             ##
-+kratool.ldif.namingContext._069=##                                        ##
-+kratool.ldif.namingContext._070=##      dn                                ##
-+kratool.ldif.namingContext._071=##                                        ##
-+kratool.ldif.namingContext._072=############################################
-+kratool.ldif.recoveryRequest._000=#####################################
-+kratool.ldif.recoveryRequest._001=##  KRA CA / TPS Recovery Request  ##
-+kratool.ldif.recoveryRequest._002=#####################################
-+kratool.ldif.recoveryRequest.cn=true
-+kratool.ldif.recoveryRequest.dateOfModify=true
-+kratool.ldif.recoveryRequest.dn=true
-+kratool.ldif.recoveryRequest.extdata.requestId=true
-+kratool.ldif.recoveryRequest.extdata.requestNotes=true
-+kratool.ldif.recoveryRequest.extdata.serialnumber=true
-+kratool.ldif.recoveryRequest.requestId=true
-+kratool.ldif.tpsKeyRecord._000=#########################################
-+kratool.ldif.tpsKeyRecord._001=##         KRA TPS Key Record          ##
-+kratool.ldif.tpsKeyRecord._002=#########################################
-+kratool.ldif.tpsKeyRecord._003=##                                     ##
-+kratool.ldif.tpsKeyRecord._004=##  NEVER allow 'KRATOOL' the ability  ##
-+kratool.ldif.tpsKeyRecord._005=##  to change the TPS 'naming context' ##
-+kratool.ldif.tpsKeyRecord._006=##  data in the following fields:      ##
-+kratool.ldif.tpsKeyRecord._007=##                                     ##
-+kratool.ldif.tpsKeyRecord._008=##    archivedBy                       ##
-+kratool.ldif.tpsKeyRecord._009=##                                     ##
-+kratool.ldif.tpsKeyRecord._010=#########################################
-+kratool.ldif.tpsKeyRecord.cn=true
-+kratool.ldif.tpsKeyRecord.dateOfModify=true
-+kratool.ldif.tpsKeyRecord.dn=true
-+kratool.ldif.tpsKeyRecord.privateKeyData=true
-+kratool.ldif.tpsKeyRecord.serialno=true
-+kratool.ldif.tpsNetkeyKeygenRequest._000=#####################################
-+kratool.ldif.tpsNetkeyKeygenRequest._001=##  KRA TPS Netkey Keygen Request  ##
-+kratool.ldif.tpsNetkeyKeygenRequest._002=#####################################
-+kratool.ldif.tpsNetkeyKeygenRequest._003=##                                 ##
-+kratool.ldif.tpsNetkeyKeygenRequest._004=##  NEVER allow 'KRATOOL' the      ##
-+kratool.ldif.tpsNetkeyKeygenRequest._005=##  ability to change the          ##
-+kratool.ldif.tpsNetkeyKeygenRequest._006=##  TPS 'naming context' data in   ##
-+kratool.ldif.tpsNetkeyKeygenRequest._007=##  the following fields:          ##
-+kratool.ldif.tpsNetkeyKeygenRequest._008=##                                 ##
-+kratool.ldif.tpsNetkeyKeygenRequest._009=##    extdata-updatedby            ##
-+kratool.ldif.tpsNetkeyKeygenRequest._010=##                                 ##
-+kratool.ldif.tpsNetkeyKeygenRequest._011=#####################################
-+kratool.ldif.tpsNetkeyKeygenRequest.cn=true
-+kratool.ldif.tpsNetkeyKeygenRequest.dateOfModify=true
-+kratool.ldif.tpsNetkeyKeygenRequest.dn=true
-+kratool.ldif.tpsNetkeyKeygenRequest.extdata.keyRecord=true
-+kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestId=true
-+kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestNotes=true
-+kratool.ldif.tpsNetkeyKeygenRequest.requestId=true
-+.if
-+
-+.SH EXAMPLES
-+.PP
-+The KRATool performs two operations: it can rewrap keys with a new private key, and it can renumber attributes in the LDIF file entries for key records, including enrollments and recovery requests. At least one operation (rewrap or renumber) must be performed and both can be performed in a single invocation.
-+
-+.SS Rewrapping Keys
-+.BR
-+.PP
-+When rewrapping keys, the tool needs to be able to access the original NSS databases for the source KRA and its storage certificate to unwrap the keys, as well as the storage certificate for the new KRA, which is used to rewrap the keys.
-+.IP
-+.nf
-+KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -source_pki_security_database_path "/tmp/files/" -source_storage_token_name "Internal Key Storage Token"  -source_storage_certificate_nickname "storageCert cert-pki-kra"  -target_storage_certificate_file "/tmp/files/omega.cert"
-+.if
-+
-+.SS Renumbering Keys
-+.BR
-+.PP
-+When multiple KRA instances are being merged into a single instance, it is important to make sure that no key or request records have conflicting CNs, DNs, serial numbers, or request ID numbers. These values can be processed to append a new, larger number to the existing values.
-+.PP
-+For the CN, the new number is the addition of the original CN plus the appended number. For example, if the CN is 4 and the append number is 1000000, the new CN is 1000004.
-+.PP
-+For serial numbers and request IDs, the value is always a digit count plus the value. So a CN of 4 has a serial number of 014, or one digit and the CN value. If the append number is 1000000, the new serial number is 071000004, for seven digits and then the sum of the append number (1000000) and the original value (4).
-+.IP
-+.nf
-+KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -append_id_offset 100000000000
-+.if
-+
-+.SS Restoring the Original Numbering
-+.BR
-+.PP
-+If a number has been appended to key entries, as in the example entitled \fBRenumbering Keys\fP, that number can also be removed. Along with updating the CN, it also reconstructs any associated numbers, like serial numbers and request ID numbers. Undoing a renumbering action may be necessary if the original number wasn't large enough to prevent conflicts or as part of testing a migration or KRA consolidation process.
-+.IP
-+.nf
-+KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -remove_id_offset 100000000000
-+.if
-+
-+.SS Renumbering and Rewrapping in a Single Command
-+.BR
-+.PP
-+Rewrapping and renumbering operations can be performed in the same invocation.
-+.IP
-+.nf
-+KRATool -kratool_config_file "/usr/share/pki/java-tools/KRATool.cfg" -source_ldif_file "/tmp/files/originalKRA.ldif" -target_ldif_file "/tmp/files/newKRA.ldif" -log_file "/tmp/kratool.log" -source_pki_security_database_path "/tmp/files/" -source_storage_token_name "Internal Key Storage Token" -source_storage_certificate_nickname "storageCert cert-pki-kra" -target_storage_certificate_file "/tmp/files/omega.cert" -append_id_offset 100000000000
-+.if
-+
-+.SH AUTHORS
-+Matthew Harmsen <mharmsen@redhat.com>.
-+
-+.SH COPYRIGHT
-+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
-+License, version 2 (GPLv2). A copy of this license is available at
-+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-+
-+.SH SEE ALSO
-+.BR pki(1)
-diff --git a/base/java-tools/man/man1/PrettyPrintCert.1 b/base/java-tools/man/man1/PrettyPrintCert.1
-new file mode 100644
-index 0000000..3cfb2f9
---- /dev/null
-+++ b/base/java-tools/man/man1/PrettyPrintCert.1
-@@ -0,0 +1,204 @@
-+.\" First parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH PrettyPrintCert 1 "July 20, 2016" "version 10.3" "PKI Certificate Print Tool" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh        disable hyphenation
-+.\" .hy        enable hyphenation
-+.\" .ad l      left justify
-+.\" .ad b      justify to both left and right margins
-+.\" .nf        disable filling
-+.\" .fi        enable filling
-+.\" .br        insert line break
-+.\" .sp <n>    insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+PrettyPrintCert  \- print the contents of a certificate stored as ASCII base-64 encoded data to a readable format.
-+
-+.SH SYNOPSIS
-+.PP
-+\fBPrettyPrintCert [-simpleinfo] <input_file> [output_file]\fP
-+
-+.SH DESCRIPTION
-+.PP
-+The \fBPrettyPrintCert\fP command provides a command-line utility used to print the contents of a certificate stored as ASCII base-64 encoded data to a readable format.  The output of this command is displayed to standard output, but can be optionally saved into a specified file.  An additional non-mandatory option is available which limits the certificate information output of this command for easier parsing.
-+
-+.SH OPTIONS
-+.TP
-+.B [-simpleinfo]
-+\fBOptional\fP. Prints limited certificate information in an easy to parse format; if this option is not specified, the entire contents of the certificate will be printed.
-+
-+.TP
-+.B <input_file>
-+\fBMandatory\fP. Specifies the path to the file containing the ASCII base-64 encoded certificate.
-+
-+.TP
-+.B [output_file]
-+\fBOptional\fP. Specifies the path to the file in which the tool should write the certificate. If this option is not specified, the certificate information is written to the standard output.
-+
-+.SH EXAMPLES
-+.PP
-+The following example converts the ASCII base-64 encoded certificate in the \fBascii_data.cert\fP file and writes the certificate in the pretty-print form to the output file \fBcert.out\fP:
-+.IP
-+.nf
-+PrettyPrintCert ascii_data.cert cert.out
-+.if
-+
-+.PP
-+For this example, the base-64 encoded certificate data in the \fBascii_data.cert\fP looks like the following:
-+.IP
-+.nf
-+-----BEGIN CERTIFICATE-----
-+MIIECjCCAvKgAwIBAgIBCTANBgkqhkiG9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vy
-+c3lzLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWdu
-+aW5nIENlcnRpZmljYXRlMB4XDTE2MDcyMjIwMzEzOFoXDTE3MDExODIxMzEzOFow
-+gZwxCzAJBgNVBAYTAlVTMRwwGgYDVQQKDBNFeGFtcGxlIENvcnBvcmF0aW9uMQsw
-+CQYDVQQLDAJJUzEpMCcGA1UEAwwgUHJldHR5UHJpbnRDZXJ0IFRlc3QgQ2VydGlm
-+aWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUuY29tMRUwEwYKCZIm
-+iZPyLGQBAQwFYWRtaW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDn
-+Jv8ADWpC7C3Bzb13n9zQwaDW8YfyshZd7lXI0cghJOSfRLT6C10LOi1yhI+7W3NN
-+MgYeLDCiRmKfHnqq6lpPg9aZmrxBwrn+30OdP+m1K6Crf6X9wqAWSR/r2hG4NuYi
-+ovcJg7ani5h4BL+V0hbUvfEs4o7QfOWjQZcoo2KbOKmRrodAA21XVjWGB1ELQLNN
-+hGwmZ6l1rtnN04Ruoclu8LaKMAAzFSH8cHEBtdCgxeDNy+bNnXbjO1wdruFNrars
-+W6wdc230AvHRcEUWEvQVq86vHfS4UZ5q0N1ychibrHZXB0/+TUtyKDQGx0K7ELSB
-+xgwt9QxEjKlXHiStcGupAgMBAAGjgaMwgaAwHwYDVR0jBBgwFoAUuzaYXWXLiOCH
-+IzdvW/evi4rrurUwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUFBzABhjJodHRwOi8v
-+cGtpLWRlc2t0b3AudXNlcnN5cy5yZWRoYXQuY29tOjgwODAvY2Evb2NzcDAOBgNV
-+HQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqG
-+SIb3DQEBCwUAA4IBAQCgQ/vTCyQ+lHKNDNCtvbul2l6V3Sjzvj0il9t4HtorxoBF
-+3FIE6VNpUYFq0AkNS/LjV7ek7LRl8kuuiKaNpqF6RvAIPrABPDh7hE1Gi3Vm+Xw/
-+ndodT1AVII3x6xUbRsHu2iUVdZM5xO9ZFwA18nJUznL9q8lEGjj8vVCyFZuplUL+
-+pdKqL3SgBNUdyfiV6vywevI9jFoZBlsQbn4EjBs2nNeaFSZhZ1NG6tktSt85fJ51
-+IAiZv9Ipq0deHxFgpEywPq9lSrMZnm178PFlzRQUySHSm1pA+ngTydUKqZqAU0vr
-+XIDTmj4lE93VPZspnPS94p/0OT4Pe3NKAe+IbIv/
-+-----END CERTIFICATE-----
-+.if
-+
-+.PP
-+The certificate in pretty-print format in the \fBcert.out\fP file looks like the following:
-+.IP
-+.nf
-+    Certificate:
-+        Data:
-+            Version:  v3
-+            Serial Number: 0x9
-+            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
-+            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
-+            Validity:
-+                Not Before: Friday, July 22, 2016 2:31:38 PM MDT America/Denver
-+                Not  After: Wednesday, January 18, 2017 2:31:38 PM MST America/Denver
-+            Subject: UID=admin,E=admin@example.com,CN=PrettyPrintCert Test Certificate,OU=IS,O=Example Corporation,C=US
-+            Subject Public Key Info:
-+                Algorithm: RSA - 1.2.840.113549.1.1.1
-+                Public Key:
-+                    Exponent: 65537
-+                    Public Key Modulus: (2048 bits) :
-+                        E7:26:FF:00:0D:6A:42:EC:2D:C1:CD:BD:77:9F:DC:D0:
-+                        C1:A0:D6:F1:87:F2:B2:16:5D:EE:55:C8:D1:C8:21:24:
-+                        E4:9F:44:B4:FA:0B:5D:0B:3A:2D:72:84:8F:BB:5B:73:
-+                        4D:32:06:1E:2C:30:A2:46:62:9F:1E:7A:AA:EA:5A:4F:
-+                        83:D6:99:9A:BC:41:C2:B9:FE:DF:43:9D:3F:E9:B5:2B:
-+                        A0:AB:7F:A5:FD:C2:A0:16:49:1F:EB:DA:11:B8:36:E6:
-+                        22:A2:F7:09:83:B6:A7:8B:98:78:04:BF:95:D2:16:D4:
-+                        BD:F1:2C:E2:8E:D0:7C:E5:A3:41:97:28:A3:62:9B:38:
-+                        A9:91:AE:87:40:03:6D:57:56:35:86:07:51:0B:40:B3:
-+                        4D:84:6C:26:67:A9:75:AE:D9:CD:D3:84:6E:A1:C9:6E:
-+                        F0:B6:8A:30:00:33:15:21:FC:70:71:01:B5:D0:A0:C5:
-+                        E0:CD:CB:E6:CD:9D:76:E3:3B:5C:1D:AE:E1:4D:AD:AA:
-+                        EC:5B:AC:1D:73:6D:F4:02:F1:D1:70:45:16:12:F4:15:
-+                        AB:CE:AF:1D:F4:B8:51:9E:6A:D0:DD:72:72:18:9B:AC:
-+                        76:57:07:4F:FE:4D:4B:72:28:34:06:C7:42:BB:10:B4:
-+                        81:C6:0C:2D:F5:0C:44:8C:A9:57:1E:24:AD:70:6B:A9
-+            Extensions:
-+                Identifier: Authority Key Identifier - 2.5.29.35
-+                    Critical: no
-+                    Key Identifier:
-+                        BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
-+                        8A:EB:BA:B5
-+                Identifier: 1.3.6.1.5.5.7.1.1
-+                    Critical: no
-+                    Value:
-+                        30:40:30:3E:06:08:2B:06:01:05:05:07:30:01:86:32:
-+                        68:74:74:70:3A:2F:2F:70:6B:69:2D:64:65:73:6B:74:
-+                        6F:70:2E:75:73:65:72:73:79:73:2E:72:65:64:68:61:
-+                        74:2E:63:6F:6D:3A:38:30:38:30:2F:63:61:2F:6F:63:
-+                        73:70
-+                Identifier: Key Usage: - 2.5.29.15
-+                    Critical: yes
-+                    Key Usage:
-+                        Digital Signature
-+                        Non Repudiation
-+                        Key Encipherment
-+                Identifier: Extended Key Usage: - 2.5.29.37
-+                    Critical: no
-+                    Extended Key Usage:
-+                        1.3.6.1.5.5.7.3.2
-+                        1.3.6.1.5.5.7.3.4
-+        Signature:
-+            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
-+            Signature:
-+                A0:43:FB:D3:0B:24:3E:94:72:8D:0C:D0:AD:BD:BB:A5:
-+                DA:5E:95:DD:28:F3:BE:3D:22:97:DB:78:1E:DA:2B:C6:
-+                80:45:DC:52:04:E9:53:69:51:81:6A:D0:09:0D:4B:F2:
-+                E3:57:B7:A4:EC:B4:65:F2:4B:AE:88:A6:8D:A6:A1:7A:
-+                46:F0:08:3E:B0:01:3C:38:7B:84:4D:46:8B:75:66:F9:
-+                7C:3F:9D:DA:1D:4F:50:15:20:8D:F1:EB:15:1B:46:C1:
-+                EE:DA:25:15:75:93:39:C4:EF:59:17:00:35:F2:72:54:
-+                CE:72:FD:AB:C9:44:1A:38:FC:BD:50:B2:15:9B:A9:95:
-+                42:FE:A5:D2:AA:2F:74:A0:04:D5:1D:C9:F8:95:EA:FC:
-+                B0:7A:F2:3D:8C:5A:19:06:5B:10:6E:7E:04:8C:1B:36:
-+                9C:D7:9A:15:26:61:67:53:46:EA:D9:2D:4A:DF:39:7C:
-+                9E:75:20:08:99:BF:D2:29:AB:47:5E:1F:11:60:A4:4C:
-+                B0:3E:AF:65:4A:B3:19:9E:6D:7B:F0:F1:65:CD:14:14:
-+                C9:21:D2:9B:5A:40:FA:78:13:C9:D5:0A:A9:9A:80:53:
-+                4B:EB:5C:80:D3:9A:3E:25:13:DD:D5:3D:9B:29:9C:F4:
-+                BD:E2:9F:F4:39:3E:0F:7B:73:4A:01:EF:88:6C:8B:FF
-+        FingerPrint
-+            MD2:
-+                EC:AE:A5:A3:E5:FA:30:3B:34:0E:FD:9D:ED:46:56:03
-+            MD5:
-+                CB:E1:80:0C:B3:66:DF:CF:3A:2B:A9:C1:F4:88:88:23
-+            SHA-1:
-+                B6:BA:84:0D:AE:4E:B0:CD:84:71:D8:A4:61:60:A7:2D:
-+                3A:7C:55:46
-+            SHA-256:
-+                B2:95:9C:8C:B9:3C:7B:9F:FF:8E:BD:92:90:BC:75:F5:
-+                BB:0D:96:2C:93:05:20:1B:4C:9D:B9:59:6F:54:25:5B
-+            SHA-512:
-+                B9:7A:1E:2E:59:8C:6F:76:F5:52:36:AD:A6:62:E9:DD:
-+                00:6E:82:7A:BA:38:1E:29:FC:F8:80:F1:DD:7C:81:92:
-+                F1:C2:E3:34:27:1A:7A:EB:95:36:DB:65:41:A2:46:19:
-+                FB:14:89:00:B5:8B:DB:AA:33:41:8C:6C:C4:75:CF:17
-+.if
-+
-+.PP
-+The following example command takes the same ASCII base-64 encoded certificate in the \fBascii_data.cert\fP file and writes the information contained within the certificate to the simple format output file \fBcert.simple\fP:
-+.IP
-+.nf
-+PrettyPrintCert -simpleinfo ascii_data.cert cert.simple
-+.if
-+
-+.PP
-+The simple certificate information in the \fBcert.simple\fP output file looks like the following:
-+.IP
-+.nf
-+UID=admin
-+E=admin@example.com
-+CN=PrettyPrintCert Test Certificate
-+OU=IS
-+O=Example Corporation
-+C=US
-+.if
-+
-+.SH AUTHORS
-+Matthew Harmsen <mharmsen@redhat.com>.
-+
-+.SH COPYRIGHT
-+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
-+License, version 2 (GPLv2). A copy of this license is available at
-+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-+
-+.SH SEE ALSO
-+.BR PrettyPrintCrl(1), pki(1)
-diff --git a/base/java-tools/man/man1/PrettyPrintCrl.1 b/base/java-tools/man/man1/PrettyPrintCrl.1
-new file mode 100644
-index 0000000..31a73a0
---- /dev/null
-+++ b/base/java-tools/man/man1/PrettyPrintCrl.1
-@@ -0,0 +1,141 @@
-+.\" First parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH PrettyPrintCrl 1 "July 20, 2016" "version 10.3" "PKI CRL Print Tool" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh        disable hyphenation
-+.\" .hy        enable hyphenation
-+.\" .ad l      left justify
-+.\" .ad b      justify to both left and right margins
-+.\" .nf        disable filling
-+.\" .fi        enable filling
-+.\" .br        insert line break
-+.\" .sp <n>    insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+PrettyPrintCrl  \- reads a certificate revocation list (CRL) stored in an ASCII base-64 encoded file and outputs it in a readable format.
-+
-+.SH SYNOPSIS
-+.PP
-+\fBPrettyPrintCrl <input_file> [output_file]\fP
-+
-+.SH DESCRIPTION
-+.PP
-+The \fBPrettyPrintCrl\fP command provides a command-line utility used to print the contents of a CRL stored as ASCII base-64 encoded data in a file to a readable format.  The output of this command is displayed to standard output, but can be optionally saved into a specified file.
-+
-+.SH OPTIONS
-+.TP
-+.B <input_file>
-+\fBMandatory\fP. Specifies the path to the file that contains the ASCII base-64 encoded CRL.
-+
-+.TP
-+.B [output_file]
-+\fBOptional\fP. Specifies the path to the file to write the CRL. If the output file is not specified, the CRL information is written to the standard output.
-+
-+.SH EXAMPLES
-+.PP
-+The following example \fBPrettyPrintCrl\fP command takes the ASCII base-64 encoded CRL in the \fBascii_data.crl\fP file and writes the CRL in the pretty-print format to the output file \fBcrl.out\fP:
-+.IP
-+.nf
-+PrettyPrintCrl ascii_data.crl crl.out
-+.if
-+
-+.PP
-+For this example, the base-64 encoded CRL data in the \fBascii_data.crl\fP looks like the following:
-+.IP
-+.nf
-+-----BEGIN X509 CRL-----
-+MIICVDCCATwCAQEwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UECgwidXNlcnN5cy5y
-+ZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBD
-+ZXJ0aWZpY2F0ZRcNMTYwNzIyMjExMjUwWhcNMTYwNzIyMjMwMDAwWjCBiDAgAgEK
-+Fw0xNjA3MjIyMDU1MTZaMAwwCgYDVR0VBAMKAQYwIAIBCRcNMTYwNzIyMjEwMTU2
-+WjAMMAoGA1UdFQQDCgEGMCACAQgXDTE2MDcyMjIxMTIyNVowDDAKBgNVHRUEAwoB
-+ATAgAgEHFw0xNjA3MjIyMTAxNTZaMAwwCgYDVR0VBAMKAQagLzAtMB8GA1UdIwQY
-+MBaAFLs2mF1ly4jghyM3b1v3r4uK67q1MAoGA1UdFAQDAgEKMA0GCSqGSIb3DQEB
-+CwUAA4IBAQCjnwpdLVU4sg3GnOFQiHpBuWspevzj0poHQs9b4Uv17o0MC4irftkR
-+zRBVgwLvdSd5WFEUSbhWVjhS4o4w84BXdmti/+UBS+mOVNxiKqs3Z7Fxcg+mCsiH
-+SDWT3iiqZVqlPMOKDzIQGj4XeArSBK13qjNdwKzVJZlXYfwzdDtyVKBJcoETXGZ3
-+irU8RTXo7OhO6xKDAaHjzVVynjfGdIDaavl1fjwXFufwZBeiXm1zyyFSvDUdny4G
-+29NTmM2945jCESeR7DV2q1LHG/v2rzCOKTWdPdXTPCics05KzUA4S6X+mp051wkh
-+yJM2LYpV6lKV6JiczHLrgf5QcqfwSkTX
-+-----END X509 CRL-----
-+.if
-+
-+.PP
-+The CRL in pretty-print format in the \fBcrl.out\fP file looks like the following:
-+.IP
-+.nf
-+    Certificate Revocation List:
-+        Data:
-+            Version:  v2
-+            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
-+            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
-+            This Update: Friday, July 22, 2016 3:12:50 PM MDT America/Denver
-+            Next Update: Friday, July 22, 2016 5:00:00 PM MDT America/Denver
-+            Revoked Certificates:
-+                Serial Number: 0xA
-+                Revocation Date: Friday, July 22, 2016 2:55:16 PM MDT America/Denver
-+                Extensions:
-+                    Identifier: Revocation Reason - 2.5.29.21
-+                        Critical: no
-+                        Reason: CA_Compromise
-+                Serial Number: 0x9
-+                Revocation Date: Friday, July 22, 2016 3:01:56 PM MDT America/Denver
-+                Extensions:
-+                    Identifier: Revocation Reason - 2.5.29.21
-+                        Critical: no
-+                        Reason: Affiliation_Changed
-+                Serial Number: 0x8
-+                Revocation Date: Friday, July 22, 2016 3:12:25 PM MDT America/Denver
-+                Extensions:
-+                    Identifier: Revocation Reason - 2.5.29.21
-+                        Critical: no
-+                        Reason: Key_Compromise
-+                Serial Number: 0x7
-+                Revocation Date: Friday, July 22, 2016 3:01:56 PM MDT America/Denver
-+                Extensions:
-+                    Identifier: Revocation Reason - 2.5.29.21
-+                        Critical: no
-+                        Reason: Certificate_Hold
-+        Extensions:
-+            Identifier: Authority Key Identifier - 2.5.29.35
-+                Critical: no
-+                Key Identifier:
-+                    BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
-+                    8A:EB:BA:B5
-+            Identifier: CRL Number - 2.5.29.20
-+                Critical: no
-+                Number: 10
-+        Signature:
-+            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
-+            Signature:
-+                A3:9F:0A:5D:2D:55:38:B2:0D:C6:9C:E1:50:88:7A:41:
-+                B9:6B:29:7A:FC:E3:D2:9A:07:42:CF:5B:E1:4B:F5:EE:
-+                8D:0C:0B:88:AB:7E:D9:11:CD:10:55:83:02:EF:75:27:
-+                79:58:51:14:49:B8:56:56:38:52:E2:8E:30:F3:80:57:
-+                76:6B:62:FF:E5:01:4B:E9:8E:54:DC:62:2A:AB:37:67:
-+                B1:71:72:0F:A6:0A:C8:87:48:35:93:DE:28:AA:65:5A:
-+                A5:3C:C3:8A:0F:32:10:1A:3E:17:78:0A:D2:04:AD:77:
-+                AA:33:5D:C0:AC:D5:25:99:57:61:FC:33:74:3B:72:54:
-+                A0:49:72:81:13:5C:66:77:8A:B5:3C:45:35:E8:EC:E8:
-+                4E:EB:12:83:01:A1:E3:CD:55:72:9E:37:C6:74:80:DA:
-+                6A:F9:75:7E:3C:17:16:E7:F0:64:17:A2:5E:6D:73:CB:
-+                21:52:BC:35:1D:9F:2E:06:DB:D3:53:98:CD:BD:E3:98:
-+                C2:11:27:91:EC:35:76:AB:52:C7:1B:FB:F6:AF:30:8E:
-+                29:35:9D:3D:D5:D3:3C:28:9C:B3:4E:4A:CD:40:38:4B:
-+                A5:FE:9A:9D:39:D7:09:21:C8:93:36:2D:8A:55:EA:52:
-+                95:E8:98:9C:CC:72:EB:81:FE:50:72:A7:F0:4A:44:D7
-+.if
-+
-+.SH AUTHORS
-+Matthew Harmsen <mharmsen@redhat.com>.
-+
-+.SH COPYRIGHT
-+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
-+License, version 2 (GPLv2). A copy of this license is available at
-+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-+
-+.SH SEE ALSO
-+.BR PrettyPrintCert(1), pki(1)
+ base/kra/src/com/netscape/kra/RecoveryService.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
+index fda5b80..5609b19 100644
+--- a/base/kra/src/com/netscape/kra/RecoveryService.java
++++ b/base/kra/src/com/netscape/kra/RecoveryService.java
+@@ -416,7 +416,7 @@ public class RecoveryService implements IService {
+                 privKey = mStorageUnit.unwrap(
+                         keyRecord.getPrivateKeyData(),
+                         pubkey,
+-                        false,
++                        true /* temporary */,
+                         keyRecord.getWrappingParams(mKRA.getStorageKeyUnit().getOldWrappingParams()));
+             } catch (Exception e) {
+                 mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
 -- 
 1.8.3.1
 
 
-From ad454dedb6ba7b5161f962fe65f78fb236c1a7fe Mon Sep 17 00:00:00 2001
+From 3cc50b49e2a18344937702bd1b170b9faf738845 Mon Sep 17 00:00:00 2001
 From: Ade Lee <alee@redhat.com>
-Date: Tue, 2 Aug 2016 11:18:31 -0400
-Subject: [PATCH 76/96] Fix deployment issue
+Date: Thu, 27 Apr 2017 11:10:36 -0400
+Subject: [PATCH 39/49] Modify the key client to default to 3DES
 
-Need to put pki_server_side_keygen in a conditional to avoid
-breaking other subsystem deployments.
+When no algorithm OID is provided, we used to default to 3DES.
+We need to continue to do this to not break IPA.
 
-Ticket 2418
+Change-Id: I620c3d7cec71be1a529056acc6bf3940e25f2f9d
 ---
- base/server/python/pki/server/deployment/pkiparser.py | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
-index 622f87e..3e5d355 100644
---- a/base/server/python/pki/server/deployment/pkiparser.py
-+++ b/base/server/python/pki/server/deployment/pkiparser.py
-@@ -941,8 +941,11 @@ class PKIConfigParser:
-                 "tomcat"
-             self.mdict['PKI_WEBAPPS_NAME_SLOT'] = \
-                 "webapps"
--            self.mdict['SERVER_KEYGEN_SLOT'] = \
--                self.mdict['pki_enable_server_side_keygen']
-+
-+            if self.mdict['pki_subsystem'] == "TPS":
-+                self.mdict['SERVER_KEYGEN_SLOT'] = \
-+                    self.mdict['pki_enable_server_side_keygen']
-+
-             self.mdict['TOMCAT_CFG_SLOT'] = \
-                 self.mdict['pki_target_tomcat_conf']
-             self.mdict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] = \
+ base/common/python/pki/key.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py
+index e782d54..9313b0e 100644
+--- a/base/common/python/pki/key.py
++++ b/base/common/python/pki/key.py
+@@ -514,7 +514,7 @@ class KeyClient(object):
+         pki.util.read_environment_files()
+         client_keyset = os.getenv('KEY_WRAP_PARAMETER_SET')
+         if client_keyset is not None:
+-            return client_keyset
++            return int(client_keyset)
+         return 0
+ 
+     def get_server_keyset(self):
+@@ -795,7 +795,7 @@ class KeyClient(object):
+             data_type,
+             encrypted_data,
+             wrapped_session_key,
+-            algorithm_oid=None,
++            algorithm_oid=self.encrypt_alg_oid,
+             nonce_iv=nonce_iv,
+             key_algorithm=key_algorithm,
+             key_size=key_size,
+@@ -850,8 +850,10 @@ class KeyClient(object):
+             raise TypeError('Missing wrapped session key')
+ 
+         if not algorithm_oid:
+-            algorithm_oid = pki.crypto.AES_128_CBC_OID
+-            # algorithm_oid = KeyClient.DES_EDE3_CBC_OID
++            # legacy apps like IPA call this directly without
++            # setting the algorithm_oid.  We need to keep DES
++            # for backward compatibility
++            algorithm_oid = pki.crypto.DES_EDE3_CBC_OID
+ 
+         if not nonce_iv:
+             raise TypeError('Missing nonce IV')
 -- 
 1.8.3.1
 
 
-From e6c426eb69e294207a657897fdce0a7b07e4c41d Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Tue, 2 Aug 2016 05:15:17 +0200
-Subject: [PATCH 77/96] Fixed problem creating links to PKI JAR files.
+From b93cec621203c6fb970b57ef042636ba2f9efa3d Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Thu, 27 Apr 2017 16:01:39 +1000
+Subject: [PATCH 41/49] Add upgrade script that adds KRA wrapping params
 
-The CMake create_symlink command fails if the link target does not
-exist already. Since PKI JAR files may not exist at build time, the
-commands to create the links to those files have been replaced with
-the ln -sf command which will create the links regardless of the
-targets' existence.
+Part of: https://pagure.io/dogtagpki/issue/1408
 
-https://fedorahosted.org/pki/ticket/2403
+Change-Id: Iaa1c2c3b6f7de178bd38c2b5b8df57a2a99f64b1
 ---
- base/common/CMakeLists.txt | 8 ++++----
- base/server/CMakeLists.txt | 4 ++--
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
-index dc5cecf..d4b0d7f 100644
---- a/base/common/CMakeLists.txt
-+++ b/base/common/CMakeLists.txt
-@@ -35,10 +35,10 @@ add_custom_command(
-     COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/jaxb-api.jar lib/jaxb-api.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/jss4.jar lib/jss4.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/ldapjdk.jar lib/ldapjdk.jar
--    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-certsrv.jar lib/pki-certsrv.jar
--    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-cmsutil.jar lib/pki-cmsutil.jar
--    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-nsutil.jar lib/pki-nsutil.jar
--    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-tools.jar lib/pki-tools.jar
-+    COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-certsrv.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-certsrv.jar
-+    COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-cmsutil.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-cmsutil.jar
-+    COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-nsutil.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-nsutil.jar
-+    COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-tools.jar ${CMAKE_CURRENT_BINARY_DIR}/lib/pki-tools.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-atom-provider.jar lib/resteasy-atom-provider.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-client.jar lib/resteasy-client.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jackson-provider.jar lib/resteasy-jackson-provider.jar
-diff --git a/base/server/CMakeLists.txt b/base/server/CMakeLists.txt
-index 27470f3..be58c05 100644
---- a/base/server/CMakeLists.txt
-+++ b/base/server/CMakeLists.txt
-@@ -45,7 +45,7 @@ add_custom_command(
-     COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/jss4.jar common/lib/jss4.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/ldapjdk.jar common/lib/ldapjdk.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/nuxwdog.jar common/lib/nuxwdog.jar
--    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/pki/pki-tomcat.jar common/lib/pki-tomcat.jar
-+    COMMAND /usr/bin/ln -sf /usr/share/java/pki/pki-tomcat.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/pki-tomcat.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-atom-provider.jar common/lib/resteasy-atom-provider.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-client.jar common/lib/resteasy-client.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jackson-provider.jar common/lib/resteasy-jackson-provider.jar
-@@ -53,7 +53,7 @@ add_custom_command(
-     COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/jaxrs-api.jar common/lib/resteasy-jaxrs-api.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink ${RESTEASY_LIB}/resteasy-jaxrs.jar common/lib/resteasy-jaxrs.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/scannotation.jar common/lib/scannotation.jar
--    COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/lib/java/symkey.jar common/lib/symkey.jar
-+    COMMAND /usr/bin/ln -sf /usr/lib/java/symkey.jar ${CMAKE_CURRENT_BINARY_DIR}/common/lib/symkey.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/tomcatjss.jar common/lib/tomcatjss.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/velocity.jar common/lib/velocity.jar
-     COMMAND ${CMAKE_COMMAND} -E create_symlink /usr/share/java/xerces-j2.jar common/lib/xerces-j2.jar
+ base/server/upgrade/10.4.2/02-AddKRAWrappingParams | 78 ++++++++++++++++++++++
+ 1 file changed, 78 insertions(+)
+ create mode 100755 base/server/upgrade/10.4.2/02-AddKRAWrappingParams
+
+diff --git a/base/server/upgrade/10.4.2/02-AddKRAWrappingParams b/base/server/upgrade/10.4.2/02-AddKRAWrappingParams
+new file mode 100755
+index 0000000..c95b844
+--- /dev/null
++++ b/base/server/upgrade/10.4.2/02-AddKRAWrappingParams
+@@ -0,0 +1,78 @@
++#!/usr/bin/python
++# Authors:
++#     Fraser Tweedale <ftweedal@redhat.com>
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; version 2 of the License.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License along
++# with this program; if not, write to the Free Software Foundation, Inc.,
++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Copyright (C) 2017 Red Hat, Inc.
++# All rights reserved.
++
++from __future__ import absolute_import
++import os.path
++
++import pki
++from pki.server.upgrade import PKIServerUpgradeScriptlet
++
++proplist = [
++    ('kra.storageUnit.wrapping.0.sessionKeyLength', '168'),
++    ('kra.storageUnit.wrapping.0.sessionKeyWrapAlgorithm', 'RSA'),
++    ('kra.storageUnit.wrapping.0.payloadEncryptionPadding', 'PKCS5Padding'),
++    ('kra.storageUnit.wrapping.0.sessionKeyKeyGenAlgorithm', 'DESede'),
++    ('kra.storageUnit.wrapping.0.payloadEncryptionAlgorithm', 'DESede'),
++    ('kra.storageUnit.wrapping.0.payloadEncryptionMode', 'CBC'),
++    ('kra.storageUnit.wrapping.0.payloadEncryptionIV', 'AQEBAQEBAQE='),
++    ('kra.storageUnit.wrapping.0.payloadWrapAlgorithm', 'DES3/CBC/Pad'),
++    ('kra.storageUnit.wrapping.0.payloadWrapIV', 'AQEBAQEBAQE='),
++    ('kra.storageUnit.wrapping.0.sessionKeyType', 'DESede'),
++    ('kra.storageUnit.wrapping.1.sessionKeyLength', '128'),
++    ('kra.storageUnit.wrapping.1.sessionKeyWrapAlgorithm', 'RSA'),
++    ('kra.storageUnit.wrapping.1.payloadEncryptionPadding', 'PKCS5Padding'),
++    ('kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm', 'AES'),
++    ('kra.storageUnit.wrapping.1.payloadEncryptionAlgorithm', 'AES'),
++    ('kra.storageUnit.wrapping.1.payloadEncryptionMode', 'CBC'),
++    ('kra.storageUnit.wrapping.1.payloadEncryptionIVLen', '16'),
++    ('kra.storageUnit.wrapping.1.payloadWrapAlgorithm', 'AES KeyWrap/Padding'),
++    ('kra.storageUnit.wrapping.1.sessionKeyType', 'AES'),
++
++    # this upgrade script adds the config, but uses the legacy
++    # configuration so that behaviour of deployed instance does
++    # not change
++    ('kra.storageUnit.wrapping.choice', '0'),
++]
++
++
++class AddKRAWrappingParams(PKIServerUpgradeScriptlet):
++    def __init__(self):
++        super(AddKRAWrappingParams, self).__init__()
++        self.message = 'Add wrapping params to KRA CS.cfg'
++
++    def upgrade_subsystem(self, instance, subsystem):
++        if subsystem.name == 'kra':
++            self.upgrade_config(instance, subsystem)
++
++    def upgrade_config(self, instance, subsystem):  # pylint: disable=W0613
++        filename = os.path.join(subsystem.conf_dir, 'CS.cfg')
++        self.backup(filename)
++
++        properties = pki.PropertyFile(filename)
++        properties.read()
++
++        # if the property exists, leave it alone, otherwise set
++        # it to the value defined above
++        for k, v in proplist:
++            cur = properties.get(k)
++            if cur is None:
++                properties.set(k, v)
++
++        properties.write()
 -- 
 1.8.3.1
 
 
-From c73f98926d6c3b5bd1fe5e6d7d1f48d5f4e77220 Mon Sep 17 00:00:00 2001
+From 853220445eb0ce54b6ce241547891605329b7e3e Mon Sep 17 00:00:00 2001
 From: Ade Lee <alee@redhat.com>
-Date: Wed, 3 Aug 2016 23:55:53 -0400
-Subject: [PATCH 78/96] Add pkispawn option to disable Master CRL
+Date: Fri, 28 Apr 2017 00:29:45 -0400
+Subject: [PATCH 42/49] Fix DES3 using python-cryptography provider
+
+Incorrect key size lead to errors when the client side
+was set to use 3DES. Also deprecate not providing an
+encryption algorithm OID explcitly in
+archive_encrypted_data()
 
+Change-Id: I51e8ee2aed1d0cddd9d37d91a93c920be901fdb9
 ---
- base/ca/shared/conf/CS.cfg                            | 2 +-
- base/server/config/pkislots.cfg                       | 1 +
- base/server/etc/default.cfg                           | 1 +
- base/server/python/pki/server/deployment/pkiparser.py | 4 ++++
- 4 files changed, 7 insertions(+), 1 deletion(-)
+ base/common/python/pki/crypto.py | 7 ++++++-
+ base/common/python/pki/key.py    | 3 +++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
 
-diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
-index 68e79a4..3beb45c 100644
---- a/base/ca/shared/conf/CS.cfg
-+++ b/base/ca/shared/conf/CS.cfg
-@@ -578,7 +578,7 @@ ca.crl.MasterCRL.unexpectedExceptionLoopMax=10
- ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
- ca.crl.MasterCRL.dailyUpdates=1:00
- ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
--ca.crl.MasterCRL.enable=true
-+ca.crl.MasterCRL.enable=[MASTER_CRL_ENABLE]
- ca.crl.MasterCRL.enableCRLCache=true
- ca.crl.MasterCRL.enableCRLUpdates=true
- ca.crl.MasterCRL.enableCacheTesting=false
-diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg
-index 3873b83..d806c1f 100644
---- a/base/server/config/pkislots.cfg
-+++ b/base/server/config/pkislots.cfg
-@@ -1,6 +1,7 @@
- [Tomcat]
- application_version=[APPLICATION_VERSION]
- INSTALL_TIME_SLOT=[INSTALL_TIME]
-+MASTER_CRL_ENABLE_SLOT=[MASTER_CRL_ENABLE]
- NUXWDOG_JNI_PATH_SLOT=[NUXWDOG_JNI_PATH]
- PKI_ADMIN_SECURE_PORT_SLOT=[PKI_ADMIN_SECURE_PORT]
- PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME]
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index 24e4a43..cfbd289 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -335,6 +335,7 @@ pki_ds_database=%(pki_instance_name)s-CA
- pki_ds_hostname=%(pki_hostname)s
- pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
- pki_share_db=False
-+pki_master_crl_enable=True
- 
- # Default OCSP URI added by AuthInfoAccessExtDefault if the profile
- # config is blank.  If both are blank, the value is constructed
-diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
-index 3e5d355..115f3ca 100644
---- a/base/server/python/pki/server/deployment/pkiparser.py
-+++ b/base/server/python/pki/server/deployment/pkiparser.py
-@@ -946,6 +946,10 @@ class PKIConfigParser:
-                 self.mdict['SERVER_KEYGEN_SLOT'] = \
-                     self.mdict['pki_enable_server_side_keygen']
- 
-+            if self.mdict['pki_subsystem'] == "CA":
-+                self.mdict['MASTER_CRL_ENABLE_SLOT'] = \
-+                    self.mdict['pki_master_crl_enable']
-+
-             self.mdict['TOMCAT_CFG_SLOT'] = \
-                 self.mdict['pki_target_tomcat_conf']
-             self.mdict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] = \
+diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
+index 0891acd..7f03846 100644
+--- a/base/common/python/pki/crypto.py
++++ b/base/common/python/pki/crypto.py
+@@ -389,9 +389,14 @@ class CryptographyCryptoProvider(CryptoProvider):
+             self.encrypt_mode = modes.CBC
+             self.encrypt_size = 128
+         elif level == 0:
++            # note that 3DES keys are actually 192 bits long, even
++            # though only 168 bits are used internally.  See
++            # https://tools.ietf.org/html/rfc4949
++            # Using 168 here will cause python-cryptography key verification
++            # checks to fail.
+             self.encrypt_alg = algorithms.TripleDES
+             self.encrypt_mode = modes.CBC
+-            self.encrypt_size = 168
++            self.encrypt_size = 192
+ 
+     def generate_nonce_iv(self, mechanism='AES'):
+         """ Create a random initialization vector """
+diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py
+index 9313b0e..d2b8297 100644
+--- a/base/common/python/pki/key.py
++++ b/base/common/python/pki/key.py
+@@ -28,6 +28,7 @@ from __future__ import print_function
+ import base64
+ import json
+ import os
++import warnings
+ 
+ from six import iteritems
+ from six.moves.urllib.parse import quote  # pylint: disable=F0401,E0611
+@@ -853,6 +854,8 @@ class KeyClient(object):
+             # legacy apps like IPA call this directly without
+             # setting the algorithm_oid.  We need to keep DES
+             # for backward compatibility
++            warnings.warn("algorithm_oid=None is deprecated",
++                          DeprecationWarning)
+             algorithm_oid = pki.crypto.DES_EDE3_CBC_OID
+ 
+         if not nonce_iv:
 -- 
 1.8.3.1
 
 
-From d2e8c9c5fb54e39884ecf304a234f8cb52c5a40e Mon Sep 17 00:00:00 2001
-From: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
-Date: Thu, 4 Aug 2016 16:40:06 -0700
-Subject: [PATCH 79/96] Ticket#2428 broken request links for CA's system certs
- in agent request viewing This patch fixes the issue that when an agent visit
- one of the CA's system cert request records, exception is thrown.
+From d98f20d33378a37898d4d6ffec80b09261504823 Mon Sep 17 00:00:00 2001
+From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
+Date: Wed, 26 Apr 2017 15:21:39 -0700
+Subject: [PATCH 43/49] CA in the certificate profiles the startTime parameter
+ is not working as expected.
 
+This simple fix addresses an overflow in the "startTime" paramenter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than ValidityDefault.java, there were possibly some values that could be changed from int to long. Due to the complexity of some of the calculations involved in some of those cases, it is best to fix the exact issue at hand instead of introducing some other possible side effects.
 ---
- .../cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java  | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
-index 3cbf0f9..caf2cf1 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
-@@ -431,7 +431,7 @@ public class ProfileReviewServlet extends ProfileServlet {
-                 defset.set(ARG_DEF_SYNTAX, defSyntax);
-                 defset.set(ARG_DEF_CONSTRAINT, defConstraint);
-                 defset.set(ARG_DEF_NAME, defValueName);
--                defset.set(ARG_DEF_VAL, defValue);
-+                defset.set(ARG_DEF_VAL, (defValue!=null)? defValue:"");
-                 deflist.add(defset);
+ .../src/com/netscape/cms/profile/def/CAValidityDefault.java  | 12 ++++++------
+ .../cms/profile/def/PrivateKeyUsagePeriodExtDefault.java     |  4 ++--
+ .../netscape/cms/profile/def/RandomizedValidityDefault.java  |  2 +-
+ .../src/com/netscape/cms/profile/def/ValidityDefault.java    | 10 +++++-----
+ 4 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
+index 2df256e..2ecd484 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/CAValidityDefault.java
+@@ -24,6 +24,11 @@ import java.util.Calendar;
+ import java.util.Date;
+ import java.util.Locale;
+ 
++import netscape.security.x509.BasicConstraintsExtension;
++import netscape.security.x509.CertificateValidity;
++import netscape.security.x509.PKIXExtensions;
++import netscape.security.x509.X509CertInfo;
++
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+@@ -34,11 +39,6 @@ import com.netscape.certsrv.property.EPropertyException;
+ import com.netscape.certsrv.property.IDescriptor;
+ import com.netscape.certsrv.request.IRequest;
+ 
+-import netscape.security.x509.BasicConstraintsExtension;
+-import netscape.security.x509.CertificateValidity;
+-import netscape.security.x509.PKIXExtensions;
+-import netscape.security.x509.X509CertInfo;
+-
+ /**
+  * This class implements a CA signing cert enrollment default policy
+  * that populates a server-side configurable validity
+@@ -348,7 +348,7 @@ public class CAValidityDefault extends EnrollDefault {
+         if (startTimeStr == null || startTimeStr.equals("")) {
+             startTimeStr = "60";
+         }
+-        int startTime = Integer.parseInt(startTimeStr);
++        long startTime = Long.parseLong(startTimeStr);
+ 
+         Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime));
+         CMS.debug("CAValidityDefault: not before: " + notBefore);
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
+index 6532a13..2f05f32 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/PrivateKeyUsagePeriodExtDefault.java
+@@ -296,13 +296,13 @@ public class PrivateKeyUsagePeriodExtDefault extends EnrollExtDefault {
+             if (startTimeStr == null || startTimeStr.equals("")) {
+                 startTimeStr = "60";
              }
+-            int startTime = Integer.parseInt(startTimeStr);
++            long startTime = Long.parseLong(startTimeStr);
+             Date notBefore = new Date(CMS.getCurrentDate().getTime() +
+                     (1000 * startTime));
+             long notAfterVal = 0;
+ 
+             notAfterVal = notBefore.getTime() +
+-                    (mDefault * Integer.parseInt(getConfig(CONFIG_DURATION)));
++                    (mDefault * Long.parseLong(getConfig(CONFIG_DURATION)));
+             Date notAfter = new Date(notAfterVal);
+ 
+             ext = new PrivateKeyUsageExtension(notBefore, notAfter);
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java
+index 6308715..ce69c15 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/RandomizedValidityDefault.java
+@@ -290,7 +290,7 @@ public class RandomizedValidityDefault extends EnrollDefault {
+         if (startTimeStr == null || startTimeStr.equals("")) {
+             startTimeStr = "60";
          }
--- 
-1.8.3.1
-
-
-From 7702dae72b59a39b31b52640a9d1a4b5b6ca62ca Mon Sep 17 00:00:00 2001
-From: Geetika Kapoor <gkapoor@redhat.com>
-Date: Thu, 28 Jul 2016 02:59:40 -0400
-Subject: [PATCH 80/96] Fixed NumberFormatException in tps-cert-find
-
-Signed-off-by: Geetika Kapoor <gkapoor@redhat.com>
----
- .../netscape/cmstools/tps/cert/TPSCertFindCLI.java   | 20 ++++++++++++++++----
- 1 file changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java
-index 9cbdad6..83c977b 100644
---- a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java
-@@ -84,12 +84,24 @@ public class TPSCertFindCLI extends CLI {
-         String filter = cmdArgs.length > 0 ? cmdArgs[0] : null;
- 
-         String tokenID = cmd.getOptionValue("token");
-+        String string3 = cmd.getOptionValue("start");
-+        String string4 = cmd.getOptionValue("size");
-+        Integer start = null;
-+        Integer size = null;
- 
--        String s = cmd.getOptionValue("start");
--        Integer start = s == null ? null : Integer.valueOf(s);
-+        try {
-+            start = string3 == null ? null : Integer.valueOf(string3);
-+        } catch (NumberFormatException e) {
-+            System.err.println("Error: Invalid value for --start parameter: " + string3);
-+            System.exit(-1);
-+        }
+-        int startTime = Integer.parseInt(startTimeStr);
++        long startTime = Long.parseLong(startTimeStr);
+ 
+         String notBeforeRandomBitsStr = getConfig(CONFIG_NOT_BEFORE_RANDOM_BITS);
+         if (notBeforeRandomBitsStr == null || notBeforeRandomBitsStr.length() == 0) {
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
+index 21ec8ea..a74ccdf 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
+@@ -24,6 +24,10 @@ import java.util.Calendar;
+ import java.util.Date;
+ import java.util.Locale;
  
--        s = cmd.getOptionValue("size");
--        Integer size = s == null ? null : Integer.valueOf(s);
-+        try {
-+            size = string4 == null ? null : Integer.valueOf(string4);
-+        } catch (NumberFormatException e) {
-+            System.err.println("Error: Invalid value for --size parameter: " + string4);
-+            System.exit(-1);
-+        }
++import netscape.security.x509.CertificateValidity;
++import netscape.security.x509.X509CertImpl;
++import netscape.security.x509.X509CertInfo;
++
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+@@ -34,10 +38,6 @@ import com.netscape.certsrv.property.EPropertyException;
+ import com.netscape.certsrv.property.IDescriptor;
+ import com.netscape.certsrv.request.IRequest;
  
-         TPSCertCollection result = certCLI.certClient.findCerts(filter, tokenID, start, size);
+-import netscape.security.x509.CertificateValidity;
+-import netscape.security.x509.X509CertImpl;
+-import netscape.security.x509.X509CertInfo;
+-
+ /**
+  * This class implements an enrollment default policy
+  * that populates a server-side configurable validity
+@@ -265,7 +265,7 @@ public class ValidityDefault extends EnrollDefault {
+         if (startTimeStr == null || startTimeStr.equals("")) {
+             startTimeStr = "60";
+         }
+-        int startTime = Integer.parseInt(startTimeStr);
++        long startTime = Long.parseLong(startTimeStr);
  
+         Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime));
+         CMS.debug("ValidityDefault: not before: " + notBefore);
 -- 
 1.8.3.1
 
 
-From 5178567bf5c65d23d3903b0956a47813bdc1fe23 Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Tue, 2 Aug 2016 16:46:29 +0530
-Subject: [PATCH 81/96] Added check for Subsystem data and request in
- 'pki-server subsystem-cert-export'
+From 9590944d5726ff32d94c6a2b2909175eae946466 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Fri, 28 Apr 2017 17:44:19 -0400
+Subject: [PATCH 44/49] Fix symkey retrieval using NSS python client
 
-Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
+This is tested using Barbican as a client.  We are simply
+reverting to the same behavior we had before for the
+NSS Crypto provider case.
 
-Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
+Change-Id: I11300b3bea5670c783e1b4736d98f35f30ecf2ce
 ---
- base/server/python/pki/server/cli/subsystem.py | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
-index a44243a..4651d74 100644
---- a/base/server/python/pki/server/cli/subsystem.py
-+++ b/base/server/python/pki/server/cli/subsystem.py
-@@ -1,5 +1,6 @@
- # Authors:
- #     Endi S. Dewata <edewata@redhat.com>
-+#     Abhijeet Kasurde <akasurde@redhat.com>
- #
- # This program is free software; you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
-@@ -14,7 +15,7 @@
- # with this program; if not, write to the Free Software Foundation, Inc.,
- # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- #
--# Copyright (C) 2015 Red Hat, Inc.
-+# Copyright (C) 2015-2016 Red Hat, Inc.
- # All rights reserved.
- #
- 
-@@ -654,14 +655,22 @@ class SubsystemCertExportCLI(pki.cli.CLI):
-             sys.exit(1)
- 
-         if cert_file:
-+            cert_data = subsystem_cert.get('data', None)
-+            if cert_data is None:
-+                print("ERROR: Unable to find certificate data for %s" % cert_id)
-+                sys.exit(1)
- 
--            cert_data = pki.nssdb.convert_cert(subsystem_cert['data'], 'base64', 'pem')
-+            cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem')
-             with open(cert_file, 'w') as f:
-                 f.write(cert_data)
- 
-         if csr_file:
-+            cert_request = subsystem_cert.get('request', None)
-+            if cert_request is None:
-+                print("ERROR: Unable to find certificate request for %s" % cert_id)
-+                sys.exit(1)
- 
--            csr_data = pki.nssdb.convert_csr(subsystem_cert['request'], 'base64', 'pem')
-+            csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem')
-             with open(csr_file, 'w') as f:
-                 f.write(csr_data)
- 
+ base/common/python/pki/crypto.py | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
+index 7f03846..edb32c0 100644
+--- a/base/common/python/pki/crypto.py
++++ b/base/common/python/pki/crypto.py
+@@ -325,9 +325,17 @@ class NSSCryptoProvider(CryptoProvider):
+         :param nonce_iv         Nonce data
+         :return:                Unwrapped data
+ 
+-        Return unwrapped data for data wrapped using AES KeyWrap
++        Return unwrapped data for data that has been keywrapped.
++        For NSS, we only support 3DES - so something that has been
++        keywrapped can be decrypted.  This is precisely what we used
++        to do before.
+         """
+-        raise NotImplementedError()
++        return self.symmetric_unwrap(
++            data,
++            wrapping_key,
++            mechanism=nss.CKM_DES3_CBC_PAD,
++            nonce_iv=nonce_iv
++        )
+ 
+     def get_cert(self, cert_nick):
+         """
 -- 
 1.8.3.1
 
 
-From f0b1854a8f5cfe97d2d267ea16e4556d94666bb6 Mon Sep 17 00:00:00 2001
-From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
-Date: Wed, 3 Aug 2016 18:01:23 -0700
-Subject: [PATCH 82/96] Fix to sort the output of a cert search by serialno.
+From 3ff9de6a517d7fdcdee6c4a8c884eff052f8f824 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Fri, 28 Apr 2017 17:55:17 -0700
+Subject: [PATCH 45/49] Ticket #2717 CMC user-signed enrollment request This
+ patch provides implementation that allows user-signed CMC requests to be
+ processed; The resulting certificate will bear the same subjectDN as that of
+ the signing cert; The new uri to access is
+ /ca/ee/ca/profileSubmitUserSignedCMCFull where the new profile is to be used:
+ caFullCMCUserSignedCert.cfg which utilizes the new authentication plugin:
+ CMCUserSignedAuth and new profile default plugin:
+ CMCUserSignedSubjectNameDefault and new profile constraint plugin:
+ CMCUserSignedSubjectNameConstraint
 
 ---
- .../src/com/netscape/certsrv/dbs/IDBSSession.java  | 35 +++++++-
- .../certsrv/dbs/certdb/ICertificateRepository.java | 27 ++++++
- .../com/netscape/cms/servlet/cert/SrchCerts.java   |  4 +-
- .../cmscore/dbs/CertificateRepository.java         | 37 ++++++++-
- .../src/com/netscape/cmscore/dbs/DBSSession.java   | 97 +++++++++++++++++++---
- .../cmscore/dbs/DBSSessionDefaultStub.java         | 15 +++-
- 6 files changed, 197 insertions(+), 18 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java b/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java
-index 6569505..9ab2fde 100644
---- a/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java
-+++ b/base/common/src/com/netscape/certsrv/dbs/IDBSSession.java
-@@ -17,11 +17,11 @@
- // --- END COPYRIGHT BLOCK ---
- package com.netscape.certsrv.dbs;
- 
-+import netscape.ldap.LDAPSearchResults;
+ base/ca/shared/conf/CS.cfg                         |    6 +-
+ base/ca/shared/conf/registry.cfg                   |   10 +-
+ .../shared/profiles/ca/caFullCMCUserSignedCert.cfg |   83 ++
+ base/ca/shared/webapps/ca/WEB-INF/web.xml          |   28 +
+ .../certsrv/authentication/IAuthManager.java       |    3 +
+ .../com/netscape/certsrv/logging/AuditEvent.java   |    2 +
+ .../src/com/netscape/cmstools/CRMFPopClient.java   |    2 +-
+ .../cms/authentication/CMCUserSignedAuth.java      | 1140 ++++++++++++++++++++
+ .../netscape/cms/profile/common/BasicProfile.java  |   28 +-
+ .../netscape/cms/profile/common/EnrollProfile.java |  426 +++++---
+ .../CMCUserSignedSubjectNameConstraint.java        |  141 +++
+ .../def/CMCUserSignedSubjectNameDefault.java       |  159 +++
+ .../netscape/cms/profile/def/EnrollDefault.java    |    5 +-
+ .../cms/profile/input/CMCCertReqInput.java         |   21 +-
+ .../netscape/cms/profile/input/CertReqInput.java   |   36 +-
+ .../servlet/profile/ProfileSubmitCMCServlet.java   |   28 +-
+ base/server/cmsbundle/src/LogMessages.properties   |    1 +
+ base/server/cmsbundle/src/UserMessages.properties  |    2 +
+ 18 files changed, 1964 insertions(+), 157 deletions(-)
+ create mode 100644 base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+ create mode 100644 base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+ create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCUserSignedSubjectNameConstraint.java
+ create mode 100644 base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 3923319..b29802c 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -168,6 +168,7 @@ auths.impl._001=## authentication manager implementations
+ auths.impl._002=##
+ auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
+ auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
++auths.impl.CMCUserSignedAuth.class=com.netscape.cms.authentication.CMCUserSignedAuth
+ auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication
+ auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
+ auths.impl.UidPwdPinDirAuth.class=com.netscape.cms.authentication.UidPwdPinDirAuthentication
+@@ -734,6 +735,7 @@ ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
+ ca.publish.rule.instance.LdapXCertRule.type=xcert
+ cmc.cert.confirmRequired=false
+ cmc.lraPopWitness.verify.allow=false
++cmc.popLinkWitnessRequired=false
+ cmc.revokeCert.verify=true
+ cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+ cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+@@ -905,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
+index 2855b7a..519d854 100644
+--- a/base/ca/shared/conf/registry.cfg
++++ b/base/ca/shared/conf/registry.cfg
+@@ -1,5 +1,5 @@
+ types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
+-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
++constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
+ constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
+ constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
+ constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
+@@ -36,6 +36,9 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
+ constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint
+ constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint
+ constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint
++constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint
++constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint
++constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint
+ constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint
+ constraintPolicy.validityConstraintImpl.desc=Validity Constraint
+ constraintPolicy.validityConstraintImpl.name=Validity Constraint
+@@ -48,7 +51,7 @@ constraintPolicy.uniqueKeyConstraintImpl.name=Unique Public Key Constraint
+ constraintPolicy.externalProcessConstraintImpl.class=com.netscape.cms.profile.constraint.ExternalProcessConstraint
+ constraintPolicy.externalProcessConstraintImpl.desc=External Process Constraint
+ constraintPolicy.externalProcessConstraintImpl.name=External Process Constraint
+-defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl,commonNameToSANDefaultImpl
++defaultPolicy.ids=noDefaultImpl,genericExtDefaultImpl,autoAssignDefaultImpl,subjectNameDefaultImpl,validityDefaultImpl,randomizedValidityDefaultImpl,caValidityDefaultImpl,subjectKeyIdentifierExtDefaultImpl,authorityKeyIdentifierExtDefaultImpl,basicConstraintsExtDefaultImpl,keyUsageExtDefaultImpl,nsCertTypeExtDefaultImpl,extendedKeyUsageExtDefaultImpl,ocspNoCheckExtDefaultImpl,issuerAltNameExtDefaultImpl,subjectAltNameExtDefaultImpl,userSubjectNameDefaultImpl,cmcUserSignedSubjectNameDefaultImpl,signingAlgDefaultImpl,userKeyDefaultImpl,userValidityDefaultImpl,userExtensionDefaultImpl,userSigningAlgDefaultImpl,authTokenSubjectNameDefaultImpl,subjectInfoAccessExtDefaultImpl,authInfoAccessExtDefaultImpl,nscCommentExtDefaultImpl,freshestCRLExtDefaultImpl,crlDistributionPointsExtDefaultImpl,policyConstraintsExtDefaultImpl,policyMappingsExtDefaultImpl,nameConstraintsExtDefaultImpl,certificateVersionDefaultImpl,certificatePoliciesExtDefaultImpl,subjectDirAttributesExtDefaultImpl,privateKeyPeriodExtDefaultImpl,inhibitAnyPolicyExtDefaultImpl,imageDefaultImpl,nsTokenDeviceKeySubjectNameDefaultImpl,nsTokenUserKeySubjectNameDefaultImpl,authzRealmDefaultImpl,commonNameToSANDefaultImpl
+ defaultPolicy.autoAssignDefaultImpl.class=com.netscape.cms.profile.def.AutoAssignDefault
+ defaultPolicy.autoAssignDefaultImpl.desc=Auto Request Assignment Default
+ defaultPolicy.autoAssignDefaultImpl.name=Auto Request Assignment Default
+@@ -67,6 +70,9 @@ defaultPolicy.authTokenSubjectNameDefaultImpl.name=Token Supplied Subject Name D
+ defaultPolicy.userSubjectNameDefaultImpl.class=com.netscape.cms.profile.def.UserSubjectNameDefault
+ defaultPolicy.userSubjectNameDefaultImpl.desc=User Supplied Subject Name Default
+ defaultPolicy.userSubjectNameDefaultImpl.name=User Supplied Subject Name Default
++defaultPolicy.cmcUserSignedSubjectNameDefaultImpl.class=com.netscape.cms.profile.def.CMCUserSignedSubjectNameDefault
++defaultPolicy.cmcUserSignedSubjectNameDefaultImpl.desc=CMC User Signed Subject Name Default
++defaultPolicy.cmcUserSignedSubjectNameDefaultImpl.name=CMC User Signed Subject Name Default
+ defaultPolicy.userKeyDefaultImpl.class=com.netscape.cms.profile.def.UserKeyDefault
+ defaultPolicy.userKeyDefaultImpl.desc=User Supplied Key Default
+ defaultPolicy.userKeyDefaultImpl.name=User Supplied Key Default
+diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+new file mode 100644
+index 0000000..229a3cd
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+@@ -0,0 +1,83 @@
++desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with user CMC Signature authentication.
++enable=true
++enableBy=admin
++name=User-Signed CMC-Authenticated User Certificate Enrollment
++visible=false
++auth.instance_id=CMCUserSignedAuth
++input.list=i1,i2
++input.i1.class_id=cmcCertReqInputImpl
++input.i2.class_id=submitterInfoInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++policyset.list=cmcUserCertSet
++policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
++policyset.cmcUserCertSet.1.constraint.class_id=cmcUserSignedSubjectNameConstraintImpl
++policyset.cmcUserCertSet.1.constraint.name=CMC User Signed Subject Name Constraint
++policyset.cmcUserCertSet.1.default.class_id=cmcUserSignedSubjectNameDefaultImpl
++policyset.cmcUserCertSet.1.default.name=User Signed Subject Name Default
++policyset.cmcUserCertSet.1.default.params.name=
++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
++policyset.cmcUserCertSet.2.constraint.params.range=365
++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
++policyset.cmcUserCertSet.2.default.name=Validity Default
++policyset.cmcUserCertSet.2.default.params.range=180
++policyset.cmcUserCertSet.2.default.params.startTime=0
++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.cmcUserCertSet.3.constraint.name=Key Constraint
++policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
++policyset.cmcUserCertSet.3.constraint.params.keyType=-
++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.cmcUserCertSet.3.default.name=Key Default
++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.4.constraint.name=No Constraint
++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.5.constraint.name=No Constraint
++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.cmcUserCertSet.5.default.name=AIA Extension Default
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.cmcUserCertSet.6.default.name=Key Usage Default
++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.7.constraint.name=No Constraint
++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.cmcUserCertSet.8.constraint.name=No Constraint
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.cmcUserCertSet.8.default.name=Signing Alg
++policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
+index bf8aed4..dc61ab3 100644
+--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
++++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
+@@ -1553,6 +1553,29 @@
+    </servlet>
+ 
+    <servlet>
++      <servlet-name>  caProfileSubmitUserSignedCMCFull  </servlet-name>
++      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
++             <init-param><param-name>  GetClientCert  </param-name>
++                         <param-value> false       </param-value> </init-param>
++             <init-param><param-name>  cert_request_type  </param-name>
++                         <param-value> cmc         </param-value> </init-param>
++             <init-param><param-name>  profileId   </param-name>
++                         <param-value> caFullCMCUserSignedCert </param-value> </init-param>
++             <init-param><param-name>  AuthzMgr    </param-name>
++                         <param-value> BasicAclAuthz </param-value> </init-param>
++             <init-param><param-name>  authorityId  </param-name>
++                         <param-value> ca          </param-value> </init-param>
++             <init-param><param-name>  ID          </param-name>
++                         <param-value> caProfileSubmitUserSignedCMCFull </param-value> </init-param>
++             <init-param><param-name>  templatePath  </param-name>
++                         <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
++             <init-param><param-name>  resourceID  </param-name>
++                         <param-value> certServer.ee.profile </param-value> </init-param>
++             <init-param><param-name>  interface   </param-name>
++                         <param-value> ee          </param-value> </init-param>
++   </servlet>
++
++   <servlet>
+       <servlet-name>  caProfileList  </servlet-name>
+       <servlet-class> com.netscape.cms.servlet.profile.ProfileListServlet  </servlet-class>
+              <init-param><param-name>  GetClientCert  </param-name>
+@@ -2257,6 +2280,11 @@
+    </servlet-mapping>
+ 
+    <servlet-mapping>  
++      <servlet-name>  caProfileSubmitUserSignedCMCFull  </servlet-name>
++      <url-pattern>   /ee/ca/profileSubmitUserSignedCMCFull  </url-pattern>
++   </servlet-mapping>
++
++   <servlet-mapping>  
+       <servlet-name>  caProfileList  </servlet-name>
+       <url-pattern>   /ee/ca/profileList  </url-pattern>
+    </servlet-mapping>
+diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
+index f9eddbc..21639e2 100644
+--- a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
++++ b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
+@@ -31,6 +31,9 @@ public interface IAuthManager {
+     /* standard credential for client cert from ssl client auth */
+     public static final String CRED_SSL_CLIENT_CERT = "sslClientCert";
+ 
++    /* standard credential for CMC request signing cert */
++    public static final String CRED_CMC_SIGNING_CERT = "cmcSigningCert";
 +
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.ISubsystem;
+     /**
+      * Standard credential for client cert's serial number from revocation.
+      */
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 72c93f8..7a4aa9b 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -145,6 +145,8 @@ public class AuditEvent implements IBundleLogEvent {
+             "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3";
+     public final static String CMC_SIGNED_REQUEST_SIG_VERIFY =
+             "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
++    public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY =
++            "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5";
+ 
+     public final static String COMPUTE_RANDOM_DATA_REQUEST =
+             "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
+diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+index 0168503..d0e5c27 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+@@ -545,7 +545,7 @@ public class CRMFPopClient {
+                 pop = client.createPop(algorithm, signature);
+             }
  
--import netscape.ldap.LDAPSearchResults;
--
- /**
-  * An interface represents the database session. Operations
-  * can be performed with a session.
-@@ -132,6 +132,21 @@ public interface IDBSSession extends AutoCloseable {
-      * @param base starting point of the search
-      * @param filter search filter
-      * @param maxSize max number of entries
-+     * @param sortAttribute Field to sort the records on
-+     * @return search results
-+     * @exception EBaseException failed to search
+-            if (verbose) System.out.println("Creating CRMF requrest");
++            if (verbose) System.out.println("Creating CRMF request");
+             String request = client.createCRMFRequest(certRequest, pop);
+ 
+             StringWriter sw = new StringWriter();
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+new file mode 100644
+index 0000000..a72ce58
+--- /dev/null
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+@@ -0,0 +1,1140 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2007 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++// package statement //
++///////////////////////
++
++package com.netscape.cms.authentication;
++
++///////////////////////
++// import statements //
++///////////////////////
++
++/* cert server imports */
++import java.io.ByteArrayInputStream;
++import java.io.ByteArrayOutputStream;
++import java.io.IOException;
++import java.math.BigInteger;
++import java.security.MessageDigest;
++import java.security.PublicKey;
++import java.util.Enumeration;
++import java.util.Hashtable;
++import java.util.Locale;
++import java.util.Vector;
++
++import org.mozilla.jss.CryptoManager;
++import org.mozilla.jss.CryptoManager.NotInitializedException;
++import org.mozilla.jss.asn1.ASN1Util;
++import org.mozilla.jss.asn1.INTEGER;
++import org.mozilla.jss.asn1.InvalidBERException;
++import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
++import org.mozilla.jss.asn1.OCTET_STRING;
++import org.mozilla.jss.asn1.SEQUENCE;
++import org.mozilla.jss.asn1.SET;
++import org.mozilla.jss.crypto.CryptoToken;
++import org.mozilla.jss.crypto.DigestAlgorithm;
++import org.mozilla.jss.crypto.PrivateKey;
++import org.mozilla.jss.pkcs10.CertificationRequest;
++import org.mozilla.jss.pkcs11.PK11ECPublicKey;
++import org.mozilla.jss.pkcs11.PK11PubKey;
++import org.mozilla.jss.pkix.cert.Certificate;
++import org.mozilla.jss.pkix.cert.CertificateInfo;
++import org.mozilla.jss.pkix.cmc.PKIData;
++import org.mozilla.jss.pkix.cmc.TaggedAttribute;
++import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
++import org.mozilla.jss.pkix.cmc.TaggedRequest;
++import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo;
++import org.mozilla.jss.pkix.cms.IssuerAndSerialNumber;
++import org.mozilla.jss.pkix.cms.SignedData;
++import org.mozilla.jss.pkix.cms.SignerIdentifier;
++import org.mozilla.jss.pkix.crmf.CertReqMsg;
++import org.mozilla.jss.pkix.crmf.CertRequest;
++import org.mozilla.jss.pkix.crmf.CertTemplate;
++import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
++import org.mozilla.jss.pkix.primitive.Name;
++
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.AuthToken;
++import com.netscape.certsrv.authentication.EInvalidCredentials;
++import com.netscape.certsrv.authentication.EMissingCredential;
++import com.netscape.certsrv.authentication.IAuthCredentials;
++import com.netscape.certsrv.authentication.IAuthManager;
++import com.netscape.certsrv.authentication.IAuthToken;
++import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.base.IExtendedPluginInfo;
++import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.profile.EProfileException;
++import com.netscape.certsrv.profile.IProfile;
++import com.netscape.certsrv.profile.IProfileAuthenticator;
++import com.netscape.certsrv.property.Descriptor;
++import com.netscape.certsrv.property.IDescriptor;
++import com.netscape.certsrv.request.IRequest;
++import com.netscape.cmsutil.crypto.CryptoUtil;
++import com.netscape.cmsutil.util.Utils;
++
++import netscape.security.pkcs.PKCS10;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertImpl;
++import netscape.security.x509.X509CertInfo;
++import netscape.security.x509.X509Key;
++
++//import com.netscape.cmscore.util.*;
++//////////////////////
++// class definition //
++//////////////////////
++
++/**
++ * User Signed CMC authentication plug-in
++ * note:
++ *  - this version differs from CMCAuth in that it allows non-agent users
++ *  to sign own cmc requests;  It is expected to be used with
++ *  CMCUserSignedSubjectNameDefault and CMCUserSignedSubjectNameConstraint
++ *  so that the resulting cert will bear the same subjectDN of that of the CMC
++ *  signing cert
++ *  - it originates from CMCAuth with modification for user-signed cmc
++ * @author cfu - user signed cmc authentication
++ * <P>
++ *
++ * @version $Revision$, $Date$
++ */
++public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
++        IProfileAuthenticator {
++
++    ////////////////////////
++    // default parameters //
++    ////////////////////////
++
++    /////////////////////////////
++    // IAuthManager parameters //
++    /////////////////////////////
++
++    /* authentication plug-in configuration store */
++    private IConfigStore mConfig;
++    private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
++    private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
++    public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke";
++    public static final String REASON_CODE = "reasonCode";
++    /* authentication plug-in name */
++    private String mImplName = null;
++
++    /* authentication plug-in instance name */
++    private String mName = null;
++
++    /* authentication plug-in fields */
++
++    /* Holds authentication plug-in fields accepted by this implementation.
++     * This list is passed to the configuration console so configuration
++     * for instances of this implementation can be configured through the
++     * console.
++     */
++    protected static String[] mConfigParams =
++            new String[] {};
++
++    /* authentication plug-in values */
++
++    /* authentication plug-in properties */
++
++    /* required credentials to authenticate. UID and CMC are strings. */
++    public static final String CRED_CMC = "cmcRequest";
++
++    protected static String[] mRequiredCreds = {};
++
++    ////////////////////////////////////
++    // IExtendedPluginInfo parameters //
++    ////////////////////////////////////
++
++    /* Vector of extendedPluginInfo strings */
++    protected static Vector<String> mExtendedPluginInfo = null;
++    //public static final String AGENT_AUTHMGR_ID = "agentAuthMgr";
++    //public static final String AGENT_PLUGIN_ID = "agentAuthPlugin";
++
++    /* actual help messages */
++    static {
++        mExtendedPluginInfo = new Vector<String>();
++
++        mExtendedPluginInfo
++                .add(IExtendedPluginInfo.HELP_TEXT +
++                    ";Authenticate the CMC request. The \"Authentication Instance ID\" must be named \"CMCUserSignedAuth\"");
++        mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN +
++                ";configuration-authentication");
++    }
++
++    ///////////////////////
++    // Logger parameters //
++    ///////////////////////
++
++    /* the system's logger */
++    private ILogger mLogger = CMS.getLogger();
++
++    /* signed audit parameters */
++    private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
++    private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE =
++            "enrollment";
++    private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE =
++            "revocation";
++
++    /////////////////////
++    // default methods //
++    /////////////////////
++
++    /**
++     * Default constructor, initialization must follow.
 +     */
-+    public IDBSearchResults search(String base, String filter, int maxSize,String sortAttribute)
-+            throws EBaseException;
++    public CMCUserSignedAuth() {
++    }
 +
++    //////////////////////////
++    // IAuthManager methods //
++    //////////////////////////
 +
 +    /**
-+     * Searchs for a list of objects that match the
-+     * filter.
++     * Initializes the CMCUserSignedAuth authentication plug-in.
++     * <p>
 +     *
-+     * @param base starting point of the search
-+     * @param filter search filter
-+     * @param maxSize max number of entries
-      * @param timeLimit timeout limit
-      * @return search results
-      * @exception EBaseException failed to search
-@@ -140,6 +155,22 @@ public interface IDBSSession extends AutoCloseable {
-             int timeLimit) throws EBaseException;
- 
-     /**
-+     * Searchs for a list of objects that match the
-+     * filter.
++     * @param name The name for this authentication plug-in instance.
++     * @param implName The name of the authentication plug-in.
++     * @param config - The configuration store for this instance.
++     * @exception EBaseException If an error occurs during initialization.
++     */
++    public void init(String name, String implName, IConfigStore config)
++            throws EBaseException {
++        mName = name;
++        mImplName = implName;
++        mConfig = config;
++
++        log(ILogger.LL_INFO, "Initialization complete!");
++    }
++
++    /**
++     * Authenticates user by their CMC;
++     * resulting AuthToken sets a TOKEN_SUBJECT for the subject name.
++     * <P>
++     *
++     * <ul>
++     * <li>signed.audit LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY used when CMC (user-pre-signed) cert
++     * requests or revocation requests are submitted and signature is verified
++     * </ul>
 +     *
-+     * @param base starting point of the search
-+     * @param filter search filter
-+     * @param maxSize max number of entries
-+     * @param timeLimit timeout limit
-+     * @param sortAttribute Field to sort the records on
-+     * @return search results
-+     * @exception EBaseException failed to search
++     * @param authCred Authentication credentials, CRED_UID and CRED_CMC.
++     * @return an AuthToken
++     * @exception com.netscape.certsrv.authentication.EMissingCredential
++     *                If a required authentication credential is missing.
++     * @exception com.netscape.certsrv.authentication.EInvalidCredentials
++     *                If credentials failed authentication.
++     * @exception com.netscape.certsrv.base.EBaseException
++     *                If an internal error occurred.
++     * @see com.netscape.certsrv.authentication.AuthToken
 +     */
-+    public IDBSearchResults search(String base, String filter, int maxSize,
-+            int timeLimit, String sortAttribute) throws EBaseException;
++    public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials,
++            EBaseException {
++        String method = "CMCUserSignedAuth: authenticate: ";
++        CMS.debug(method + "begins");
++
++        String auditMessage = null;
++        String auditSubjectID = auditSubjectID();
++        String auditReqType = ILogger.UNIDENTIFIED;
++        String auditCertSubject = ILogger.UNIDENTIFIED;
++        String auditSignerInfo = ILogger.UNIDENTIFIED;
++
++        // ensure that any low-level exceptions are reported
++        // to the signed audit log and stored as failures
++        try {
++            // get the CMC.
++
++            Object argblock = authCred.getArgBlock();
++            Object returnVal = null;
++            if (argblock == null) {
++                returnVal = authCred.get("cert_request");
++                if (returnVal == null)
++                    returnVal = authCred.get(CRED_CMC);
++            } else {
++                returnVal = authCred.get("cert_request");
++                if (returnVal == null)
++                    returnVal = authCred.getArgBlock().get(CRED_CMC);
++            }
++            String cmc = (String) returnVal;
++            if (cmc == null) {
++                CMS.debug(method + " Authentication failed. Missing CMC.");
++
++                // store a message in the signed audit log file
++                auditMessage = CMS.getLogMessage(
++                        AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                        auditSubjectID,
++                        ILogger.FAILURE,
++                        auditReqType,
++                        auditCertSubject,
++                        auditSignerInfo);
++
++                audit(auditMessage);
++
++                throw new EMissingCredential(CMS.getUserMessage(
++                        "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC));
++            }
++
++            if (cmc.equals("")) {
++                log(ILogger.LL_FAILURE,
++                        "cmc : attempted login with empty CMC.");
++
++                // store a message in the signed audit log file
++                auditMessage = CMS.getLogMessage(
++                        AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                        auditSubjectID,
++                        ILogger.FAILURE,
++                        auditReqType,
++                        auditCertSubject,
++                        auditSignerInfo);
++
++                audit(auditMessage);
++
++                throw new EInvalidCredentials(CMS.getUserMessage(
++                        "CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++            }
++
++            // authenticate by checking CMC.
++
++            // everything OK.
++            // now formulate the certificate info.
++            // set the subject name at a minimum.
++            // set anything else like version, extensions, etc.
++            // if nothing except subject name is set the rest of
++            // cert info will be filled in by policies and CA defaults.
++
++            AuthToken authToken = new AuthToken(this);
++
++            try {
++                String asciiBASE64Blob;
++
++                int startIndex = cmc.indexOf(HEADER);
++                int endIndex = cmc.indexOf(TRAILER);
++                if (startIndex != -1 && endIndex != -1) {
++                    startIndex = startIndex + HEADER.length();
++                    asciiBASE64Blob = cmc.substring(startIndex, endIndex);
++                } else
++                    asciiBASE64Blob = cmc;
++
++                byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob);
++                ByteArrayInputStream cmcBlobIn = new
++                                                 ByteArrayInputStream(cmcBlob);
++
++                org.mozilla.jss.pkix.cms.ContentInfo cmcReq =
++                        (org.mozilla.jss.pkix.cms.ContentInfo)
++                        org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode(
++                                cmcBlobIn);
++
++                if (!cmcReq.getContentType().equals(
++                        org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) ||
++                        !cmcReq.hasContent()) {
++                    // store a message in the signed audit log file
++                    auditMessage = CMS.getLogMessage(
++                            AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                            auditSubjectID,
++                            ILogger.FAILURE,
++                            auditReqType,
++                            auditCertSubject,
++                            auditSignerInfo);
++
++                    audit(auditMessage);
++
++                    // throw new ECMSGWException(CMSGWResources.NO_CMC_CONTENT);
++
++                    throw new EBaseException("NO_CMC_CONTENT");
++                }
++
++                SignedData cmcFullReq = (SignedData)
++                                        cmcReq.getInterpretedContent();
++
++                IConfigStore cmc_config = CMS.getConfigStore();
++                boolean checkSignerInfo =
++                        cmc_config.getBoolean("cmc.signerInfo.verify", true);
++                String userid = "defUser";
++                String uid = "defUser";
++                if (checkSignerInfo) {
++                    IAuthToken userToken = verifySignerInfo(authToken, cmcFullReq);
++                    if (userToken == null) {
++                        CMS.debug(method + " authenticate() userToken null");
++                        throw new EBaseException(method + " verifySignerInfo failure");
++                    }
++                    userid = userToken.getInString("userid");
++                    uid = userToken.getInString("cn");
++                } else {
++                    CMS.debug(method + " authenticate() signerInfo verification bypassed");
++                }
++                // reset value of auditSignerInfo
++                if (uid != null) {
++                    auditSignerInfo = uid.trim();
++                }
++
++                EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
++
++                OBJECT_IDENTIFIER id = ci.getContentType();
++
++                if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) ||
++                        !ci.hasContent()) {
++                    // store a message in the signed audit log file
++                    auditMessage = CMS.getLogMessage(
++                            AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                            auditSubjectID,
++                            ILogger.FAILURE,
++                            auditReqType,
++                            auditCertSubject,
++                            auditSignerInfo);
++
++                    audit(auditMessage);
++
++                    //  throw new ECMSGWException(
++                    // CMSGWResources.NO_PKIDATA);
++
++                    throw new EBaseException("NO_PKIDATA");
++                }
++
++                OCTET_STRING content = ci.getContent();
++
++                ByteArrayInputStream s = new
++                        ByteArrayInputStream(content.toByteArray());
++                PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s);
++
++                SEQUENCE reqSequence = pkiData.getReqSequence();
++
++                int numReqs = reqSequence.size();
++
++                if (numReqs == 0) {
++                    CMS.debug(method + "numReqs 0, assume revocation request");
++                    // revocation request
++
++                    // reset value of auditReqType
++                    auditReqType = SIGNED_AUDIT_REVOCATION_REQUEST_TYPE;
++
++                    SEQUENCE controlSequence = pkiData.getControlSequence();
++                    int controlSize = controlSequence.size();
++
++                    if (controlSize > 0) {
++                        for (int i = 0; i < controlSize; i++) {
++                            TaggedAttribute taggedAttribute =
++                                    (TaggedAttribute) controlSequence.elementAt(i);
++                            OBJECT_IDENTIFIER type = taggedAttribute.getType();
++
++                            if (type.equals(
++                                    OBJECT_IDENTIFIER.id_cmc_revokeRequest)) {
++/* TODO: user-signed revocation to be handled in next ticket
++                                // if( i ==1 ) {
++                                //     taggedAttribute.getType() ==
++                                //       OBJECT_IDENTIFIER.id_cmc_revokeRequest
++                                // }
++
++                                SET values = taggedAttribute.getValues();
++                                int numVals = values.size();
++                                BigInteger[] bigIntArray = null;
++
++                                bigIntArray = new BigInteger[numVals];
++                                for (int j = 0; j < numVals; j++) {
++                                    // serialNumber    INTEGER
++
++                                    // SEQUENCE RevRequest = (SEQUENCE)
++                                    //     values.elementAt(j);
++                                    byte[] encoded = ASN1Util.encode(
++                                            values.elementAt(j));
++                                    org.mozilla.jss.asn1.ASN1Template template = new
++                                            org.mozilla.jss.pkix.cmmf.RevRequest.Template();
++                                    org.mozilla.jss.pkix.cmmf.RevRequest revRequest =
++                                            (org.mozilla.jss.pkix.cmmf.RevRequest)
++                                            ASN1Util.decode(template, encoded);
++
++                                    // SEQUENCE RevRequest = (SEQUENCE)
++                                    //     ASN1Util.decode(
++                                    //         SEQUENCE.getTemplate(),
++                                    //         ASN1Util.encode(
++                                    //         values.elementAt(j)));
++
++                                    // SEQUENCE RevRequest =
++                                    //     values.elementAt(j);
++                                    // int revReqSize = RevRequest.size();
++                                    // if( revReqSize > 3 ) {
++                                    //     INTEGER serialNumber =
++                                    //         new INTEGER((long)0);
++                                    // }
++
++                                    INTEGER temp = revRequest.getSerialNumber();
++
++                                    bigIntArray[j] = temp;
++                                    authToken.set(TOKEN_CERT_SERIAL, bigIntArray);
++
++                                    long reasonCode = revRequest.getReason().getValue();
++                                    Integer IntObject = Integer.valueOf((int) reasonCode);
++                                    authToken.set(REASON_CODE, IntObject);
++
++                                    authToken.set("uid", uid);
++                                    authToken.set("userid", userid);
++                                }
++*/
++                            }
++                        }
 +
++                    }
++                } else {
++                    CMS.debug(method + "numReqs not 0, assume enrollment request");
++                    // enrollment request
++
++                    // reset value of auditReqType
++                    auditReqType = SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE;
++
++                    X509CertInfo[] certInfoArray = new X509CertInfo[numReqs];
++                    String[] reqIdArray = new String[numReqs];
++
++                    for (int i = 0; i < numReqs; i++) {
++                        // decode message.
++                        TaggedRequest taggedRequest =
++                                (TaggedRequest) reqSequence.elementAt(i);
++
++                        TaggedRequest.Type type = taggedRequest.getType();
++
++                        if (type.equals(TaggedRequest.PKCS10)) {
++                            CMS.debug(method + " type is PKCS10");
++                            authToken.set("cert_request_type", "cmc-pkcs10");
++
++                            TaggedCertificationRequest tcr =
++                                    taggedRequest.getTcr();
++                            int p10Id = tcr.getBodyPartID().intValue();
++
++                            reqIdArray[i] = String.valueOf(p10Id);
++
++                            CertificationRequest p10 =
++                                    tcr.getCertificationRequest();
++
++                            // transfer to sun class
++                            ByteArrayOutputStream ostream =
++                                    new ByteArrayOutputStream();
++
++                            p10.encode(ostream);
++                            boolean sigver = true;
++                            boolean tokenSwitched = false;
++                            CryptoManager cm = null;
++                            CryptoToken signToken = null;
++                            CryptoToken savedToken = null;
++
++                            // for PKCS10, "sigver" would offer the POP
++                            sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true);
++                            try {
++                                cm = CryptoManager.getInstance();
++                                if (sigver == true) {
++                                    String tokenName =
++                                        CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
++                                    savedToken = cm.getThreadToken();
++                                    signToken = CryptoUtil.getCryptoToken(tokenName);
++                                    if (!savedToken.getName().equals(signToken.getName())) {
++                                        cm.setThreadToken(signToken);
++                                        tokenSwitched = true;
++                                    }
++                                }
++
++                                PKCS10 pkcs10 =
++                                        new PKCS10(ostream.toByteArray(), sigver);
++
++                                // xxx do we need to do anything else?
++                                X509CertInfo certInfo =
++                                        CMS.getDefaultX509CertInfo();
++
++                                // fillPKCS10(certInfo,pkcs10,authToken,null);
++
++                                // authToken.set(
++                                //     pkcs10.getSubjectPublicKeyInfo());
++
++                                X500Name tempName = pkcs10.getSubjectName();
++
++                                // reset value of auditCertSubject
++                                if (tempName != null) {
++                                    auditCertSubject =
++                                            tempName.toString().trim();
++                                    if (auditCertSubject.equals("")) {
++                                        auditCertSubject =
++                                                ILogger.SIGNED_AUDIT_EMPTY_VALUE;
++                                    }
++                                    authToken.set(AuthToken.TOKEN_CERT_SUBJECT,
++                                              tempName.toString());
++                                }
++
++                                authToken.set("uid", uid);
++                                authToken.set("userid", userid);
++
++                                certInfoArray[i] = certInfo;
++                            } catch (Exception e) {
++                                // store a message in the signed audit log file
++                                auditMessage = CMS.getLogMessage(
++                                        AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                                        auditSubjectID,
++                                        ILogger.FAILURE,
++                                        auditReqType,
++                                        auditCertSubject,
++                                        auditSignerInfo);
++
++                                audit(auditMessage);
++
++                                //throw new ECMSGWException(
++                                //CMSGWResources.ERROR_PKCS101, e.toString());
++
++                                e.printStackTrace();
++                                throw new EBaseException(e.toString());
++                            } finally {
++                                if ((sigver == true) && (tokenSwitched == true)){
++                                    cm.setThreadToken(savedToken);
++                                }
++                             }
++                        } else if (type.equals(TaggedRequest.CRMF)) {
++
++                            CMS.debug(method + " type is CRMF");
++                            authToken.set("cert_request_type", "cmc-crmf");
++                            try {
++                                CertReqMsg crm =
++                                        taggedRequest.getCrm();
++                                CertRequest certReq = crm.getCertReq();
++                                INTEGER reqID = certReq.getCertReqId();
++                                reqIdArray[i] = reqID.toString();
++                                CertTemplate template = certReq.getCertTemplate();
++                                Name name = template.getSubject();
++
++                                // xxx do we need to do anything else?
++                                X509CertInfo certInfo =
++                                        CMS.getDefaultX509CertInfo();
++
++                                // reset value of auditCertSubject
++                                if (name != null) {
++                                    String ss = name.getRFC1485();
++
++                                    auditCertSubject = ss;
++                                    if (auditCertSubject.equals("")) {
++                                        auditCertSubject =
++                                                ILogger.SIGNED_AUDIT_EMPTY_VALUE;
++                                    }
++
++                                    authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss);
++                                    authToken.set("uid", uid);
++                                    authToken.set("userid", userid);
++                                }
++                                certInfoArray[i] = certInfo;
++                            } catch (Exception e) {
++                                // store a message in the signed audit log file
++                                auditMessage = CMS.getLogMessage(
++                                        AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                                        auditSubjectID,
++                                        ILogger.FAILURE,
++                                        auditReqType,
++                                        auditCertSubject,
++                                        auditSignerInfo);
++
++                                audit(auditMessage);
++
++                                //throw new ECMSGWException(
++                                //CMSGWResources.ERROR_PKCS101, e.toString());
++
++                                e.printStackTrace();
++                                throw new EBaseException(e.toString());
++                            }
++                        }
++
++                        // authToken.set(AgentAuthentication.CRED_CERT, new
++                        //     com.netscape.certsrv.usrgrp.Certificates(
++                        //     x509Certs));
++                    }
++                }
++            } catch (Exception e) {
++                CMS.debug(method + e);
++                // store a message in the signed audit log file
++                auditMessage = CMS.getLogMessage(
++                        AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                        auditSubjectID,
++                        ILogger.FAILURE,
++                        auditReqType,
++                        auditCertSubject,
++                        auditSignerInfo);
++
++                audit(auditMessage);
++
++                //Debug.printStackTrace(e);
++                throw new EInvalidCredentials(CMS.getUserMessage(
++                        "CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++            }
++
++            // store a message in the signed audit log file
++            auditMessage = CMS.getLogMessage(
++                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                    auditSubjectID,
++                    ILogger.SUCCESS,
++                    auditReqType,
++                    auditCertSubject,
++                    auditSignerInfo);
++
++            audit(auditMessage);
++
++            CMS.debug(method + "ends successfully; returning authToken");
++            return authToken;
++        } catch (EMissingCredential eAudit1) {
++            CMS.debug(method + eAudit1);
++            // store a message in the signed audit log file
++            auditMessage = CMS.getLogMessage(
++                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    auditReqType,
++                    auditCertSubject,
++                    auditSignerInfo);
++
++            audit(auditMessage);
++
++            // rethrow the specific exception to be handled later
++            throw eAudit1;
++        } catch (EInvalidCredentials eAudit2) {
++            CMS.debug(method + eAudit2);
++            // store a message in the signed audit log file
++            auditMessage = CMS.getLogMessage(
++                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    auditReqType,
++                    auditCertSubject,
++                    auditSignerInfo);
++
++            audit(auditMessage);
++
++            // rethrow the specific exception to be handled later
++            throw eAudit2;
++        } catch (EBaseException eAudit3) {
++            CMS.debug(method + eAudit3);
++            // store a message in the signed audit log file
++            auditMessage = CMS.getLogMessage(
++                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    auditReqType,
++                    auditCertSubject,
++                    auditSignerInfo);
++
++            audit(auditMessage);
++
++            // rethrow the specific exception to be handled later
++            throw eAudit3;
++        }
++    }
 +
 +    /**
-      * Retrieves a list of object that satifies the given
-      * filter.
-      *
-diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java
-index f113ea0..2efb023 100644
---- a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java
-+++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java
-@@ -239,6 +239,33 @@ public interface ICertificateRepository extends IRepository {
-      * the filter.
-      *
-      * @param filter search filter
-+     * @param maxSize max size to return
-+     * @param timeLimit timeout value
-+     * @param sortAttribute Attribute of ICertRecord to sort the results
-+     * @return a list of certificates
-+     * @exception EBaseException failed to search
++     * Returns a list of configuration parameter names.
++     * The list is passed to the configuration console so instances of
++     * this implementation can be configured through the console.
++     * <p>
++     *
++     * @return String array of configuration parameter names.
 +     */
-+    public Enumeration<ICertRecord> searchCertificates(String filter, int maxSize,
-+            int timeLimit,String sortAttribute) throws EBaseException;
++    public String[] getConfigParams() {
++        return (mConfigParams);
++    }
 +
 +    /**
-+     * Finds a list of certificate records that satisifies
-+     * the filter.
++     * gets the configuration substore used by this authentication
++     * plug-in
++     * <p>
 +     *
-+     * @param filter search filter
-+     * @param maxSize max size to return
-+     * @param sortAttribute Attribute of ICertRecord to sort the results
-+     * @return a list of certificates
-+     * @exception EBaseException failed to search
++     * @return configuration store
++     */
++    public IConfigStore getConfigStore() {
++        return mConfig;
++    }
++
++    /**
++     * gets the plug-in name of this authentication plug-in.
 +     */
-+    public Enumeration<Object> searchCertificates(String filter, int maxSize,
-+            String sortAttribute) throws EBaseException;
++    public String getImplName() {
++        return mImplName;
++    }
++
++    /**
++     * gets the name of this authentication plug-in instance
++     */
++    public String getName() {
++        return mName;
++    }
 +
 +    /**
-+     * Finds a list of certificate records that satisifies
-+     * the filter.
++     * get the list of required credentials.
++     * <p>
 +     *
-+     * @param filter search filter
-      * @param attrs selected attribute
-      * @param pageSize page size
-      * @return a list of certificates
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/SrchCerts.java b/base/server/cms/src/com/netscape/cms/servlet/cert/SrchCerts.java
-index 508a8df..c55dfea 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/cert/SrchCerts.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/SrchCerts.java
-@@ -608,7 +608,9 @@ public class SrchCerts extends CMSServlet {
-             }
-             CMS.debug("Start searching ... "
-                     + "filter=" + filter + " maxreturns=" + maxResults + " timelimit=" + timeLimit);
--            Enumeration<ICertRecord> e = mCertDB.searchCertificates(filter, maxResults, timeLimit);
-+
-+            // Do the search with the optional sortAtribute field, giving an assured list of certs sorted by serialno
-+            Enumeration<ICertRecord> e = mCertDB.searchCertificates(filter, maxResults, timeLimit, "serialno");
- 
-             int count = 0;
- 
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
-index d0a604e..8406f36 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
-@@ -1124,7 +1124,7 @@ public class CertificateRepository extends Repository
-         ModificationSet mods = new ModificationSet();
-         if (isAlreadyOnHold) {
-             mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_REPLACE, info);
--        } else { 
-+        } else {
-             mods.add(CertRecord.ATTR_REVO_INFO, Modification.MOD_ADD, info);
-         }
-         SessionContext ctx = SessionContext.getContext();
-@@ -1190,6 +1190,21 @@ public class CertificateRepository extends Repository
-         modifyCertificateRecord(id, mods);
-     }
- 
-+    public Enumeration<Object> searchCertificates(String filter, int maxSize,String sortAttribute)
-+            throws EBaseException {
-+        IDBSSession s = mDBService.createSession();
-+        Enumeration<Object> e = null;
++     * @return list of required credentials as strings.
++     */
++    public String[] getRequiredCreds() {
++        return (mRequiredCreds);
++    }
 +
-+        CMS.debug("searchCertificates filter " + filter + " maxSize " + maxSize);
-+        try {
-+            e = s.search(getDN(), filter, maxSize,sortAttribute);
-+        } finally {
-+            if (s != null)
-+                s.close();
++    /**
++     * prepares for shutdown.
++     */
++    public void shutdown() {
++    }
++
++    /////////////////////////////////
++    // IExtendedPluginInfo methods //
++    /////////////////////////////////
++
++    /**
++     * Activate the help system.
++     * <p>
++     *
++     * @return help messages
++     */
++    public String[] getExtendedPluginInfo() {
++        String method = "CMCUserSignedAuth: getExtendedPluginInfo: ";
++        CMS.debug(method + " begins");
++        String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo);
++
++        CMS.debug(method + " s.length = " + s.length);
++        for (int i = 0; i < s.length; i++) {
++            CMS.debug("" + i + " " + s[i]);
 +        }
-+        return e;
++        return s;
 +    }
 +
-     public Enumeration<Object> searchCertificates(String filter, int maxSize)
-             throws EBaseException {
-         IDBSSession s = mDBService.createSession();
-@@ -1223,6 +1238,26 @@ public class CertificateRepository extends Repository
-         return v.elements();
-     }
- 
-+    public Enumeration<ICertRecord> searchCertificates(String filter, int maxSize,
-+            int timeLimit,String sortAttribute) throws EBaseException {
-+        IDBSSession s = mDBService.createSession();
-+        Vector<ICertRecord> v = new Vector<ICertRecord>();
++    ////////////////////
++    // Logger methods //
++    ////////////////////
++
++    /**
++     * Logs a message for this class in the system log file.
++     * <p>
++     *
++     * @param level The log level.
++     * @param msg The message to log.
++     * @see com.netscape.certsrv.logging.ILogger
++     */
++    protected void log(int level, String msg) {
++        if (mLogger == null)
++            return;
++        mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHENTICATION,
++                level, "CMC User Signed Authentication: " + msg);
++    }
++
++    protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException {
++        String method = "CMCUserSignedAuth: verifySignerInfo: ";
++        CMS.debug(method + "begins");
 +
-+        CMS.debug("searchCertificateswith time limit filter " + filter);
++        EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
++        OBJECT_IDENTIFIER id = ci.getContentType();
++        OCTET_STRING content = ci.getContent();
++
++        boolean tokenSwitched = false;
++        CryptoToken signToken = null;
++        CryptoToken savedToken = null;
++        CryptoManager cm = null;
 +        try {
-+            IDBSearchResults sr = s.search(getDN(), filter, maxSize, timeLimit,sortAttribute);
-+            while (sr.hasMoreElements()) {
-+                v.add((ICertRecord) sr.nextElement());
++            cm = CryptoManager.getInstance();
++            ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
++            PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s);
++
++            SET dais = cmcFullReq.getDigestAlgorithmIdentifiers();
++            int numDig = dais.size();
++            Hashtable<String, byte[]> digs = new Hashtable<String, byte[]>();
++
++            //if request key is used for signing, there MUST be only one signerInfo
++            //object in the signedData object.
++            for (int i = 0; i < numDig; i++) {
++                AlgorithmIdentifier dai =
++                        (AlgorithmIdentifier) dais.elementAt(i);
++                String name =
++                        DigestAlgorithm.fromOID(dai.getOID()).toString();
++
++                MessageDigest md =
++                        MessageDigest.getInstance(name);
++
++                byte[] digest = md.digest(content.toByteArray());
++
++                digs.put(name, digest);
++            }
++
++            SET sis = cmcFullReq.getSignerInfos();
++            int numSis = sis.size();
++
++            for (int i = 0; i < numSis; i++) {
++                org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i);
++
++                String name = si.getDigestAlgorithm().toString();
++                byte[] digest = digs.get(name);
++
++                if (digest == null) {
++                    MessageDigest md = MessageDigest.getInstance(name);
++                    ByteArrayOutputStream ostream = new ByteArrayOutputStream();
++
++                    pkiData.encode(ostream);
++                    digest = md.digest(ostream.toByteArray());
++
++                }
++                // signed  by  previously certified signature key
++                SignerIdentifier sid = si.getSignerIdentifier();
++                // TODO: need to handle signing key being the matching key from
++                // the request
++                if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) {
++                    IssuerAndSerialNumber issuerAndSerialNumber = sid.getIssuerAndSerialNumber();
++                    // find from the certs in the signedData
++                    java.security.cert.X509Certificate cert = null;
++
++                    if (cmcFullReq.hasCertificates()) {
++                        SET certs = cmcFullReq.getCertificates();
++                        int numCerts = certs.size();
++                        java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1];
++                        byte[] certByteArray = new byte[0];
++                        for (int j = 0; j < numCerts; j++) {
++                            Certificate certJss = (Certificate) certs.elementAt(j);
++                            CertificateInfo certI = certJss.getInfo();
++                            Name issuer = certI.getIssuer();
++
++                            byte[] issuerB = ASN1Util.encode(issuer);
++CMS.debug(method + "issuer = " + new String(issuerB));
++                            INTEGER sn = certI.getSerialNumber();
++                            // if this cert is the signer cert, not a cert in the chain
++                            if (new String(issuerB).equals(new String(
++                                    ASN1Util.encode(issuerAndSerialNumber.getIssuer())))
++                                    && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString())) {
++                                ByteArrayOutputStream os = new
++                                        ByteArrayOutputStream();
++
++                                certJss.encode(os);
++                                certByteArray = os.toByteArray();
++
++                                X509CertImpl tempcert = new X509CertImpl(os.toByteArray());
++
++                                cert = tempcert;
++                                x509Certs[0] = cert;
++                                // xxx validate the cert length
++
++                            }
++                        }
++                        CMS.debug(method + "start checking signature");
++                        if (cert == null) {
++                            // find from certDB
++                            CMS.debug(method + "verifying signature");
++                            si.verify(digest, id);
++                        } else {
++                            CMS.debug(method + "found signing cert... verifying");
++                            PublicKey signKey = cert.getPublicKey();
++                            PrivateKey.Type keyType = null;
++                            String alg = signKey.getAlgorithm();
++
++                            PK11PubKey pubK = null;
++                            if (alg.equals("RSA")) {
++                                CMS.debug(method + "signing key alg=RSA");
++                                keyType = PrivateKey.RSA;
++                                pubK = PK11PubKey.fromRaw(keyType, ((X509Key) signKey).getKey());
++                            } else if (alg.equals("EC")) {
++                                CMS.debug(method + "signing key alg=EC");
++                                keyType = PrivateKey.EC;
++                                byte publicKeyData[] = ((X509Key) signKey).getEncoded();
++                                pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData);
++                            } else {
++                                CMS.debug(method + "unsupported signature algorithm: " + alg);
++                                throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                            }
++
++                            String tokenName =
++                                CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
++                            // by default JSS will use internal crypto token
++                            if (!CryptoUtil.isInternalToken(tokenName)) {
++                                savedToken = cm.getThreadToken();
++                                signToken = CryptoUtil.getCryptoToken(tokenName);
++                                if(signToken != null) {
++                                    cm.setThreadToken(signToken);
++                                    tokenSwitched = true;
++                                    CMS.debug(method + "verifySignerInfo token switched:"+ tokenName);
++                                } else {
++                                    CMS.debug(method + "verifySignerInfo token not found:"+ tokenName+ ", trying internal");
++                                }
++                            }
++
++                            CMS.debug(method + "verifying signature with public key");
++                            si.verify(digest, id, pubK);
++                        }
++                        CMS.debug(method + "finished checking signature");
++                        // verify signer's certificate using the revocator
++                        if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) {
++                            CMS.debug(method + "CMC signature failed to be verified");
++                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                        } else {
++                            CMS.debug(method + "CMC signature verified; but signer not yet;");
++                        }
++                        // At this point, the signature has been verified;
++
++                        IAuthToken tempToken = new AuthToken(null);
++                        netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
++                        String CN = tempPrincipal.getCommonName(); //tempToken.get("userid");
++                        CMS.debug(method + " Principal name = " + CN);
++
++                        BigInteger certSerial = x509Certs[0].getSerialNumber();
++                        CMS.debug(method + " verified cert serial=" + certSerial.toString());
++                        authToken.set(IAuthManager.CRED_CMC_SIGNING_CERT, certSerial.toString());
++                        tempToken.set("cn", CN);
++
++                        return tempToken;
++
++                    }
++
++                } else {
++                    CMS.debug(method + "unsupported SignerIdentifier type");
++                }
 +            }
++        } catch (InvalidBERException e) {
++            CMS.debug(method + e.toString());
++        } catch (IOException e) {
++            CMS.debug(method + e.toString());
++        } catch (NotInitializedException e) {
++            CMS.debug(method + e.toString());
++        } catch (Exception e) {
++            CMS.debug(method + e.toString());
++            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
 +        } finally {
-+            if (s != null)
-+                s.close();
++            if ((tokenSwitched == true) && (savedToken != null)){
++                cm.setThreadToken(savedToken);
++                CMS.debug(method + "verifySignerInfo token restored");
++            }
++        }
++        return null;
++
++    }
++
++    public String[] getExtendedPluginInfo(Locale locale) {
++        return null;
++    }
++
++    // Profile-related methods
++
++    public void init(IProfile profile, IConfigStore config)
++            throws EProfileException {
++    }
++
++    /**
++     * Retrieves the localizable name of this policy.
++     */
++    public String getName(Locale locale) {
++        return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_NAME");
++    }
++
++    /**
++     * Retrieves the localizable description of this policy.
++     */
++    public String getText(Locale locale) {
++        return CMS.getUserMessage(locale, "CMS_AUTHENTICATION_CMS_SIGN_TEXT");
++    }
++
++    /**
++     * Retrieves a list of names of the value parameter.
++     */
++    public Enumeration<String> getValueNames() {
++        Vector<String> v = new Vector<String>();
++        v.addElement("cert_request");
++        return v.elements();
++    }
++
++    public boolean isValueWriteable(String name) {
++        return false;
++    }
++
++    /**
++     * Retrieves the descriptor of the given value
++     * parameter by name.
++     */
++    public IDescriptor getValueDescriptor(Locale locale, String name) {
++        if (name.equals(CRED_CMC)) {
++            return new Descriptor(IDescriptor.STRING_LIST, null, null,
++                    "CMC request");
 +        }
-+        return v.elements();
++        return null;
++    }
 +
++    public void populate(IAuthToken token, IRequest request)
++            throws EProfileException {
++        request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
++                token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
 +    }
 +
++    public boolean isSSLClientRequired() {
++        return false;
++    }
 +
-     /**
-      * Returns a list of X509CertImp that satisfies the filter.
-      *
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSSession.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSSession.java
-index 2bfd5f2..853dfe4 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSSession.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSSession.java
-@@ -19,6 +19,20 @@ package com.netscape.cmscore.dbs;
- 
- import java.util.Enumeration;
- 
-+import netscape.ldap.LDAPAttribute;
-+import netscape.ldap.LDAPAttributeSet;
-+import netscape.ldap.LDAPConnection;
-+import netscape.ldap.LDAPEntry;
-+import netscape.ldap.LDAPException;
-+import netscape.ldap.LDAPModification;
-+import netscape.ldap.LDAPModificationSet;
-+import netscape.ldap.LDAPSearchConstraints;
-+import netscape.ldap.LDAPSearchResults;
-+import netscape.ldap.LDAPSortKey;
-+import netscape.ldap.LDAPv2;
-+import netscape.ldap.controls.LDAPPersistSearchControl;
-+import netscape.ldap.controls.LDAPSortControl;
++    /**
++     * Signed Audit Log
++     *
++     * This method is called to store messages to the signed audit log.
++     * <P>
++     *
++     * @param msg signed audit log message
++     */
++    private void audit(String msg) {
++        // in this case, do NOT strip preceding/trailing whitespace
++        // from passed-in String parameters
 +
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.ISubsystem;
-@@ -34,18 +48,6 @@ import com.netscape.certsrv.dbs.Modification;
- import com.netscape.certsrv.dbs.ModificationSet;
- import com.netscape.certsrv.logging.ILogger;
- 
--import netscape.ldap.LDAPAttribute;
--import netscape.ldap.LDAPAttributeSet;
--import netscape.ldap.LDAPConnection;
--import netscape.ldap.LDAPEntry;
--import netscape.ldap.LDAPException;
--import netscape.ldap.LDAPModification;
--import netscape.ldap.LDAPModificationSet;
--import netscape.ldap.LDAPSearchConstraints;
--import netscape.ldap.LDAPSearchResults;
--import netscape.ldap.LDAPv2;
--import netscape.ldap.controls.LDAPPersistSearchControl;
--
- /**
-  * A class represents the database session. Operations
-  * can be performed with a session.
-@@ -295,6 +297,40 @@ public class DBSSession implements IDBSSession {
-     }
- 
-     @SuppressWarnings("unchecked")
-+    public IDBSearchResults search(String base, String filter, int maxSize,String sortAttribute)
-+            throws EBaseException {
-+        try {
-+            String ldapattrs[] = null;
-+            String ldapfilter =
-+                    mDBSystem.getRegistry().getFilter(filter);
++        if (mSignedAuditLogger == null) {
++            return;
++        }
 +
-+            LDAPSearchConstraints cons = new LDAPSearchConstraints();
++        mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
++                null,
++                ILogger.S_SIGNED_AUDIT,
++                ILogger.LL_SECURITY,
++                msg);
++    }
 +
-+            cons.setMaxResults(maxSize);
++    protected void audit(AuditEvent event) {
 +
-+            if(sortAttribute != null) {
-+                LDAPSortKey sortOrder = new LDAPSortKey( sortAttribute );
-+                LDAPSortControl sortCtrl = new LDAPSortControl(sortOrder,true);
-+                cons.setServerControls( sortCtrl );
-+            }
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
 +
-+            LDAPSearchResults res = mConn.search(base,
-+                    LDAPv2.SCOPE_ONE, ldapfilter, ldapattrs, false, cons);
-+
-+            return new DBSearchResults(mDBSystem.getRegistry(),
-+                    res);
-+        } catch (LDAPException e) {
-+            if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE)
-+                throw new EDBNotAvailException(
-+                        CMS.getUserMessage("CMS_DBS_INTERNAL_DIR_UNAVAILABLE"));
-+            // XXX error handling, should not raise exception if
-+            // entry not found
-+            throw new EDBException(CMS.getUserMessage("CMS_DBS_LDAP_OP_FAILURE",
-+                        e.toString()));
-+        }
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
 +    }
 +
-+    @SuppressWarnings("unchecked")
-     public IDBSearchResults search(String base, String filter, int maxSize, int timeLimit)
-             throws EBaseException {
-         try {
-@@ -323,6 +359,43 @@ public class DBSSession implements IDBSSession {
-         }
-     }
- 
-+    @SuppressWarnings("unchecked")
-+    public IDBSearchResults search(String base, String filter, int maxSize,
-+            int timeLimit, String sortAttribute) throws EBaseException {
++    /**
++     * Signed Audit Log Subject ID
++     *
++     * This method is called to obtain the "SubjectID" for
++     * a signed audit log message.
++     * <P>
++     *
++     * @return id string containing the signed audit log message SubjectID
++     */
++    private String auditSubjectID() {
++        // if no signed audit object exists, bail
++        if (mSignedAuditLogger == null) {
++            return null;
++        }
 +
-+        try {
-+            String ldapattrs[] = null;
-+            String ldapfilter =
-+                    mDBSystem.getRegistry().getFilter(filter);
++        String subjectID = null;
 +
-+            LDAPSearchConstraints cons = new LDAPSearchConstraints();
++        // Initialize subjectID
++        SessionContext auditContext = SessionContext.getExistingContext();
 +
-+            cons.setMaxResults(maxSize);
-+            cons.setServerTimeLimit(timeLimit);
++        if (auditContext != null) {
++            subjectID = (String)
++                    auditContext.get(SessionContext.USER_ID);
 +
-+            if(sortAttribute != null) {
-+                LDAPSortKey sortOrder = new LDAPSortKey( sortAttribute );
-+                LDAPSortControl sortCtrl = new LDAPSortControl(sortOrder,true);
-+                cons.setServerControls( sortCtrl );
++            if (subjectID != null) {
++                subjectID = subjectID.trim();
++            } else {
++                subjectID = ILogger.NONROLEUSER;
 +            }
-+
-+            LDAPSearchResults res = mConn.search(base,
-+                    LDAPv2.SCOPE_ONE, ldapfilter, ldapattrs, false, cons);
-+
-+            return new DBSearchResults(mDBSystem.getRegistry(),
-+                    res);
-+        } catch (LDAPException e) {
-+            if (e.getLDAPResultCode() == LDAPException.UNAVAILABLE)
-+                throw new EDBNotAvailException(
-+                        CMS.getUserMessage("CMS_DBS_INTERNAL_DIR_UNAVAILABLE"));
-+            // XXX error handling, should not raise exception if
-+            // entry not found
-+            throw new EDBException(CMS.getUserMessage("CMS_DBS_LDAP_OP_FAILURE",
-+                        e.toString()));
++        } else {
++            subjectID = ILogger.UNIDENTIFIED;
 +        }
 +
++        return subjectID;
 +    }
-+
-     /**
-      * Retrieves a list of object that satifies the given
-      * filter.
-diff --git a/base/server/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java b/base/server/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java
-index e4e7157..8d7bbc0 100644
---- a/base/server/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java
-+++ b/base/server/test/com/netscape/cmscore/dbs/DBSSessionDefaultStub.java
-@@ -1,5 +1,7 @@
- package com.netscape.cmscore.dbs;
++}
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
+index e6fc045..e47c722 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
+@@ -783,6 +783,8 @@ public abstract class BasicProfile implements IProfile {
+             boolean createConfig)
+             throws EProfileException {
+ 
++        String method = "BasicProfile: createProfilePolicy: ";
++        CMS.debug(method + "begins");
+         // String setId ex: policyset.set1
+         // String id    Id of policy : examples: p1,p2,p3
+         // String defaultClassId : id of the default plugin ex: validityDefaultImpl
+@@ -911,19 +913,18 @@ public abstract class BasicProfile implements IProfile {
+                 }
+             }
+         }
+-
+         String defaultRoot = id + "." + PROP_DEFAULT;
+         String constraintRoot = id + "." + PROP_CONSTRAINT;
+         IPluginInfo defInfo = mRegistry.getPluginInfo("defaultPolicy",
+                 defaultClassId);
+ 
+         if (defInfo == null) {
+-            CMS.debug("BasicProfile: Cannot find " + defaultClassId);
++            CMS.debug(method + " Cannot find " + defaultClassId);
+             throw new EProfileException("Cannot find " + defaultClassId);
+         }
+         String defaultClass = defInfo.getClassName();
  
-+import netscape.ldap.LDAPSearchResults;
-+
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.ISubsystem;
- import com.netscape.certsrv.dbs.EDBException;
-@@ -9,8 +11,6 @@ import com.netscape.certsrv.dbs.IDBSearchResults;
- import com.netscape.certsrv.dbs.IDBVirtualList;
- import com.netscape.certsrv.dbs.ModificationSet;
+-        CMS.debug("BasicProfile: loading default class " + defaultClass);
++        CMS.debug(method + " loading default class " + defaultClass);
+         IPolicyDefault def = null;
  
--import netscape.ldap.LDAPSearchResults;
--
- /**
-  * A default stub ojbect for tests to extend.
-  */
-@@ -81,4 +81,15 @@ public class DBSSessionDefaultStub implements IDBSSession {
-             String sortKey, int pageSize) throws EBaseException {
-         return null;
+         try {
+@@ -931,7 +932,7 @@ public abstract class BasicProfile implements IProfile {
+                     Class.forName(defaultClass).newInstance();
+         } catch (Exception e) {
+             // throw Exception
+-            CMS.debug("BasicProfile: default policy " +
++            CMS.debug(method + " default policy " +
+                     defaultClass + " " + e.toString());
+         }
+         if (def == null) {
+@@ -941,24 +942,30 @@ public abstract class BasicProfile implements IProfile {
+ 
+             defStore = policyStore.getSubStore(defaultRoot);
+             def.init(this, defStore);
++            CMS.debug(method + " default class initialized.");
+         }
+ 
+         IPluginInfo conInfo = mRegistry.getPluginInfo("constraintPolicy",
+                 constraintClassId);
++        if (conInfo == null) {
++            CMS.debug(method + " Cannot find " + constraintClassId);
++            throw new EProfileException("Cannot find " + constraintClassId);
++        }
+         String constraintClass = conInfo.getClassName();
+-        IPolicyConstraint constraint = null;
+ 
++        CMS.debug(method + " loading constraint class " + constraintClass);
++        IPolicyConstraint constraint = null;
+         try {
+             constraint = (IPolicyConstraint)
+                     Class.forName(constraintClass).newInstance();
+         } catch (Exception e) {
+             // throw Exception
+-            CMS.debug("BasicProfile: constraint policy " +
++            CMS.debug(method + " constraint policy " +
+                     constraintClass + " " + e.toString());
+         }
+         ProfilePolicy policy = null;
+         if (constraint == null) {
+-            CMS.debug("BasicProfile: failed to create " + constraintClass);
++            CMS.debug(method + " failed to create " + constraintClass);
+         } else {
+             IConfigStore conStore = null;
+ 
+@@ -966,9 +973,11 @@ public abstract class BasicProfile implements IProfile {
+             constraint.init(this, conStore);
+             policy = new ProfilePolicy(id, def, constraint);
+             policies.addElement(policy);
++            CMS.debug(method + " constraint class initialized.");
+         }
+ 
+         if (createConfig) {
++            CMS.debug(method + " createConfig true; creating...");
+             String list = null;
+ 
+             try {
+@@ -996,8 +1005,10 @@ public abstract class BasicProfile implements IProfile {
+                 CMS.debug("BasicProfile: commiting config store " +
+                         e.toString());
+             }
++            CMS.debug(method + " config created.");
+         }
+ 
++        CMS.debug(method + "ends");
+         return policy;
      }
-+
-+    @Override
-+    public IDBSearchResults search(String base, String filter, int maxSize, int timeLimit, String sortAttribute)
-+            throws EBaseException {
-+        return null;
-+    }
-+
-+    @Override
-+    public IDBSearchResults search(String base, String filter, int maxSize, String sortAttribute) throws EBaseException {
-+        return null;
-+    }
- }
--- 
-1.8.3.1
-
-
-From f726f9a668b523c4e5a9438d8ea301f4b556efd4 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Mon, 1 Aug 2016 22:35:32 +0200
-Subject: [PATCH 83/96] Added log messages for certificate validation.
-
-The ConfigCertApprovalCallback has been modified such that it
-logs the server certificate being validated and can be configured
-to ignore certain validation errors.
-
-The ConfigurationUtils has been modified to use the
-ConfigCertApprovalCallback to show and validate the server
-certificate in all GET and POST operations except for the
-importCertChain() in which the code needs to ignore untrusted
-issuer in order to get the certificate chain via SSL.
-
-https://fedorahosted.org/pki/ticket/2424
----
- .../csadmin/ConfigCertApprovalCallback.java        | 63 +++++++++++++++++++++-
- .../cms/servlet/csadmin/ConfigurationUtils.java    | 63 ++++++++++++----------
- 2 files changed, 97 insertions(+), 29 deletions(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java
-index 956c285..9b741af 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigCertApprovalCallback.java
-@@ -17,17 +17,78 @@
- // --- END COPYRIGHT BLOCK ---
- package com.netscape.cms.servlet.csadmin;
  
-+import java.lang.reflect.Field;
-+import java.lang.reflect.Modifier;
-+import java.util.Enumeration;
-+import java.util.HashSet;
-+import java.util.Set;
-+
- import org.mozilla.jss.crypto.X509Certificate;
- import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
+@@ -1091,9 +1102,10 @@ public abstract class BasicProfile implements IProfile {
+      */
+     public void populate(IRequest request)
+             throws EProfileException {
++        String method = "BasicProfile: populate: ";
+         String setId = getPolicySetId(request);
+         Vector<IProfilePolicy> policies = getPolicies(setId);
+-        CMS.debug("BasicProfile: populate() policy setid =" + setId);
++        CMS.debug(method + "policy setid =" + setId);
+ 
+         for (int i = 0; i < policies.size(); i++) {
+             IProfilePolicy policy = policies.elementAt(i);
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 1c44e2c..57f07d1 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -71,6 +71,7 @@ import org.mozilla.jss.pkix.primitive.Name;
+ import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
  
-+import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.IAuthManager;
+ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.authentication.ISharedToken;
+ import com.netscape.certsrv.authority.IAuthority;
+@@ -110,6 +111,7 @@ import netscape.security.x509.CertificateX509Key;
+ import netscape.security.x509.Extension;
+ import netscape.security.x509.Extensions;
+ import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertImpl;
+ import netscape.security.x509.X509CertInfo;
+ import netscape.security.x509.X509Key;
+ 
+@@ -144,7 +146,8 @@ public abstract class EnrollProfile extends BasicProfile
+      */
+     public IRequest[] createRequests(IProfileContext ctx, Locale locale)
+             throws EProfileException {
+-        String method = "EnrollProfile: createRequests";
 +
- public class ConfigCertApprovalCallback
-         implements SSLCertificateApprovalCallback {
++        String method = "EnrollProfile: createRequests: ";
+         CMS.debug(method + "begins");
  
-+    public Set<Integer> ignoredErrors = new HashSet<Integer>();
+         // determine how many requests should be created
+@@ -171,13 +174,20 @@ public abstract class EnrollProfile extends BasicProfile
+         }
+         TaggedRequest[] cmc_msgs = null;
+         if (cert_request_type != null && cert_request_type.startsWith("cmc")) {
+-            /*
+-             * TODO: cfu: Phase 2: check if CMCAuth pre-signed request passed.
+-             *     if not, identityProofV2 and/or identification controls
+-             *     are required;
+-             */
++
++            // donePOI true means Proof-Of-Identity is already done.
++            // if the auth manager is the CMCUserSignedAuth, then
++            // the new cert will eventually have the same subject as the
++            // user signing cert
++            // if the auth manager is the CMCAuth (agent pre-approved),
++            // then no changes
++            boolean donePOI = false;
++            String signingUserSerial = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT);
++            if (signingUserSerial != null) {
++                donePOI = true;
++            }
+             // catch for invalid request
+-            cmc_msgs = parseCMC(locale, cert_request);
++            cmc_msgs = parseCMC(locale, cert_request, donePOI);
+             if (cmc_msgs == null) {
+                 CMS.debug(method + "parseCMC returns cmc_msgs null");
+                 return null;
+@@ -209,7 +219,7 @@ public abstract class EnrollProfile extends BasicProfile
+             } else {
+                 result[i].setExtData(REQUEST_SEQ_NUM, Integer.valueOf(i));
+                 if ((cmc_msgs != null) && (cmc_msgs[i] != null)) {
+-                    CMS.debug("EnrollProfile: createRequests: setting cmc TaggedRequest in request");
++                    CMS.debug(method + "setting cmc TaggedRequest in request");
+                     result[i].setExtData(
+                             CTX_CERT_REQUEST,
+                             ASN1Util.encode(cmc_msgs[i]));
+@@ -221,9 +231,6 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+             // set requested CA
+             result[i].setExtData(IRequest.AUTHORITY_ID, ctx.get(REQUEST_AUTHORITY_ID));
+-
+-            // set user data
+-            result[i].setExtData(IRequest.USER_DATA, ctx.get(REQUEST_USER_DATA));
+         }
+         return result;
+     }
+@@ -300,7 +307,7 @@ public abstract class EnrollProfile extends BasicProfile
+             req.setExtData(REQUEST_EXTENSIONS,
+                     new CertificateExtensions());
+ 
+-            CMS.debug("EnrollProfile: createRequest " +
++            CMS.debug("EnrollProfile: createEnrollmentRequest " +
+                     req.getRequestId());
+         } catch (EBaseException e) {
+             // raise exception?
+@@ -469,6 +476,7 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+         IRequestQueue queue = getRequestQueue();
+         String msg = "";
++        CMS.debug(method + "begins");
+ 
+         boolean popChallengeRequired =
+                 request.getExtDataInBoolean("cmc_POPchallengeRequired", false);
+@@ -485,7 +493,7 @@ public abstract class EnrollProfile extends BasicProfile
+         }
+ 
+         if (token == null){
+-            CMS.debug(method + " auth token is null");
++            CMS.debug(method + " auth token is null; agent manual approval required;");
+             CMS.debug(method + " validating request");
+             validate(request);
+             try {
+@@ -500,6 +508,7 @@ public abstract class EnrollProfile extends BasicProfile
+             // this is encryptedPOP case; defer to require decryptedPOP
+             CMS.debug(method + " popChallengeRequired, defer to enforce decryptedPOP");
+             validate(request);
 +
-     public ConfigCertApprovalCallback() {
+             CMS.debug(method + " about to call setPOPchallenge");
+             try {
+                 setPOPchallenge(request);
+@@ -521,40 +530,38 @@ public abstract class EnrollProfile extends BasicProfile
+         }
      }
  
-+    public void ignoreError(int error) {
-+        ignoredErrors.add(error);
+-    /*
+-     * parseCMC
+-     * @throws EProfileException in case of error
+-     *   note: returing "null" doesn't mean failure
++    /**
++     * getPKIDataFromCMCblob
++     *
++     * @param certReqBlob cmc b64 encoded blob
++     * @return PKIData
+      */
+-    public TaggedRequest[] parseCMC(Locale locale, String certreq)
++    public PKIData getPKIDataFromCMCblob(Locale locale, String certReqBlob)
+             throws EProfileException {
+ 
+-        String method = "EnrollProfile: parseCMC: ";
++        String method = "EnrollProfile: getPKIDataFromCMCblob: ";
+         String msg = ""; // for capturing debug and throw info
+ 
+         /* cert request must not be null */
+-        if (certreq == null) {
+-            msg = method + "certreq null";
++        if (certReqBlob == null) {
++            msg = method + "certReqBlob null";
+             CMS.debug(msg);
+             throw new EProfileException(
+                     CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
+                             msg);
+         }
+-        //CMS.debug(method + " Start parseCMC(): " + certreq);
++        //CMS.debug(method + " Start: " + certReqBlob);
+         CMS.debug(method + "starts");
+ 
+-        TaggedRequest msgs[] = null;
+-
+-        String creq = normalizeCertReq(certreq);
++        String creq = normalizeCertReq(certReqBlob);
+         try {
+             byte data[] = CMS.AtoB(creq);
+-            ByteArrayInputStream cmcBlobIn =
+-                    new ByteArrayInputStream(data);
++            ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(data);
+ 
+-            org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo)
+-                    org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode(cmcBlobIn);
+-            org.mozilla.jss.pkix.cms.SignedData cmcFullReq =
+-                (org.mozilla.jss.pkix.cms.SignedData) cmcReq.getInterpretedContent();
++            org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo
++                    .getTemplate().decode(cmcBlobIn);
++            org.mozilla.jss.pkix.cms.SignedData cmcFullReq = (org.mozilla.jss.pkix.cms.SignedData) cmcReq
++                    .getInterpretedContent();
+             org.mozilla.jss.pkix.cms.EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
+             OCTET_STRING content = ci.getContent();
+ 
+@@ -564,6 +571,104 @@ public abstract class EnrollProfile extends BasicProfile
+             mCMCData = pkiData;
+             //PKIData pkiData = (PKIData)
+             //    (new PKIData.Template()).decode(cmcBlobIn);
++
++            return pkiData;
++        } catch (Exception e) {
++            CMS.debug(method + e);
++            throw new EProfileException(
++                    CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e);
++        }
 +    }
 +
-+    public String getErrorDescription(int reason) {
++    public static CertificateSubjectName getCMCSigningCertSNfromCertSerial(
++            String certSerial) throws Exception {
++        X509CertImpl userCert = getCMCSigningCertFromCertSerial(certSerial);
 +
-+        // iterate through all constants in ValidityStatus
-+        for (Field f : ValidityStatus.class.getDeclaredFields()) {
-+            int mod = f.getModifiers();
-+            if (Modifier.isPublic(mod) &&
-+                Modifier.isFinal(mod) &&
-+                Modifier.isStatic(mod)) {
++        if (userCert != null) {
++            return userCert.getSubjectObj();
++        } else {
++            return null;
++        }
++    }
 +
-+                try {
-+                    int value = f.getInt(null);
++    /**
++     * getCMCSigningCertFromCertSerial is to be used when authentication
++     * was done with CMCUserSignedAuth where the resulting
++     * authToken contains
++     * IAuthManager.CRED_CMC_SIGNING_CERT, serial number
++     * This method takes the serial number
++     * and finds the cert from the CA's certdb
++     */
++    public static X509CertImpl getCMCSigningCertFromCertSerial(
++            String certSerial) throws Exception {
++        String method = "EnrollProfile: getCMCSigningCertFromCertSerial: ";
++        String msg = "";
 +
-+                    // if value matches the reason, return the name
-+                    if (value == reason) {
-+                        return f.getName();
-+                    }
++        X509CertImpl userCert = null;
 +
-+                } catch (IllegalAccessException e) {
-+                    return "ERROR #" + reason;
-+                }
-+            }
++        if (certSerial == null || certSerial.equals("")) {
++            msg = method + "certSerial empty";
++            CMS.debug(msg);
++            throw new Exception(msg);
 +        }
 +
-+        return "UNKNOWN_ERROR";
-+    }
++        // for CMCUserSignedAuth, the signing user is the subject of
++        // the new cert
++        ICertificateAuthority authority = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA);
++        try {
++            BigInteger serialNo = new BigInteger(certSerial);
++            userCert = authority.getCertificateRepository().getX509Certificate(serialNo);
++        } catch (NumberFormatException e) {
++            msg = method + e;
++            CMS.debug(msg);
++            throw new Exception(msg);
++        } catch (EBaseException e) {
++            msg = method + e + "; signing user cert not found: serial=" + certSerial;
++            CMS.debug(msg);
++            throw new Exception(msg);
++        }
 +
-     public boolean approve(X509Certificate cert,
-             SSLCertificateApprovalCallback.ValidityStatus status) {
--        return true;
++        if (userCert != null) {
++            msg = method + "signing user cert found; serial=" + certSerial;
++            CMS.debug(msg);
++        } else {
++            msg = method + "signing user cert not found: serial=" + certSerial;
++            CMS.debug(msg);
++            throw new Exception(msg);
++        }
 +
-+        CMS.debug("Server certificate:");
-+        CMS.debug(" - subject: " + cert.getSubjectDN());
-+        CMS.debug(" - issuer: " + cert.getIssuerDN());
++        return userCert;
++    }
 +
-+        Enumeration<?> errors = status.getReasons();
-+        boolean result = true;
++    /*
++     * parseCMC
++     * @throws EProfileException in case of error
++     *   note: returing "null" doesn't mean failure
++     */
++    public TaggedRequest[] parseCMC(Locale locale, String certreq)
++            throws EProfileException {
++        return parseCMC(locale, certreq, false);
++    }
++    public TaggedRequest[] parseCMC(Locale locale, String certreq, boolean donePOI)
++            throws EProfileException {
++
++        String method = "EnrollProfile: parseCMC: ";
++        String msg = ""; // for capturing debug and throw info
++        //CMS.debug(method + " Start parseCMC(): " + certreq);
++        CMS.debug(method + "starts");
++
++        /* cert request must not be null */
++        if (certreq == null) {
++            msg = method + "certreq null";
++            CMS.debug(msg);
++            throw new EProfileException(
++                    CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
++                            msg);
++        }
 +
-+        while (errors.hasMoreElements()) {
-+            SSLCertificateApprovalCallback.ValidityItem item = (SSLCertificateApprovalCallback.ValidityItem) errors.nextElement();
-+            int reason = item.getReason();
-+            String description = getErrorDescription(reason);
++        TaggedRequest msgs[] = null;
++        try {
++            PKIData pkiData = getPKIDataFromCMCblob(locale, certreq);
+             SEQUENCE controlSeq = pkiData.getControlSequence();
+             int numcontrols = controlSeq.size();
+             SEQUENCE reqSeq = pkiData.getReqSequence();
+@@ -571,6 +676,7 @@ public abstract class EnrollProfile extends BasicProfile
+             UTF8String ident_s = null;
+             SessionContext context = SessionContext.getContext();
+             if (!context.containsKey("numOfControls")) {
++                CMS.debug(method + "numcontrols="+ numcontrols);
+                 if (numcontrols > 0) {
+                     context.put("numOfControls", Integer.valueOf(numcontrols));
+                     TaggedAttribute[] attributes = new TaggedAttribute[numcontrols];
+@@ -587,56 +693,45 @@ public abstract class EnrollProfile extends BasicProfile
+                     boolean id_cmc_idPOPLinkRandom = false;
+                     SET vals = null;
+ 
++                    /**
++                     * pre-process all controls --
++                     * the postponed processing is so that we can capture
++                     * the identification, if included
++                     */
++                    CMS.debug(method + "about to pre-process controls");
+                     for (int i = 0; i < numcontrols; i++) {
+                         attributes[i] = (TaggedAttribute) controlSeq.elementAt(i);
+                         OBJECT_IDENTIFIER oid = attributes[i].getType();
+                         if (oid.equals(OBJECT_IDENTIFIER.id_cmc_decryptedPOP)) {
+-                            CMS.debug(method + " decryptedPOP found");
++                            CMS.debug(method + " id_cmc_decryptedPOP found");
+                             id_cmc_decryptedPOP = true;
+                             decPopVals = attributes[i].getValues();
+                         } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identification)) {
++                            CMS.debug(method + " id_cmc_identification found");
+                             id_cmc_identification = true;
+                             ident = attributes[i].getValues();
+                         } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identityProofV2)) {
++                            CMS.debug(method + " id_cmc_identityProofV2 found");
+                             id_cmc_identityProofV2 = true;
+                             attr = attributes[i];
+                         } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_identityProof)) {
++                            CMS.debug(method + " id_cmc_identityProof found");
+                             id_cmc_identityProof = true;
+                             attr = attributes[i];
+                         } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom)) {
+-                            CMS.debug(method + "id_cmc_idPOPLinkRandom true");
++                            CMS.debug(method + "id_cmc_idPOPLinkRandom found");
+                             id_cmc_idPOPLinkRandom = true;
+                             vals = attributes[i].getValues();
+                         } else {
++                            CMS.debug(method + "unknown control found");
+                             context.put(attributes[i].getType(), attributes[i]);
+                         }
+                     } //for
+ 
+                     /**
+                      * now do the actual control processing
+-                     * (the postponed processing is so that we can capture
+-                     * the identification, if included)
+                      */
+-
+-                    if (id_cmc_decryptedPOP) {
+-                        if (decPopVals != null) {
+-
+-                            DecryptedPOP decPop = (DecryptedPOP) (ASN1Util.decode(DecryptedPOP.getTemplate(),
+-                                    ASN1Util.encode(decPopVals.elementAt(0))));
+-                            CMS.debug(method + "DecryptedPOP encoded");
+-
+-                            Integer reqId = verifyDecryptedPOP(locale, decPop);
+-                            if (reqId != null) {
+-                                context.put("decryptedPopReqId", reqId);
+-                            }
+-                        } else { //decPopVals == null
+-                            msg = "id_cmc_decryptedPOP contains invalid DecryptedPOP";
+-                            CMS.debug(method + msg);
+-                            SEQUENCE bpids = getRequestBpids(reqSeq);
+-                            context.put("decryptedPOP", bpids);
+-                        }
+-                        return null;
+-                    }
++                    CMS.debug(method + "processing controls...");
+ 
+                     if (id_cmc_identification) {
+                         if (ident == null) {
+@@ -666,8 +761,22 @@ public abstract class EnrollProfile extends BasicProfile
+                         }
+                     }
+ 
+-                    // either V2 or not V2; can't be both
+-                    if (id_cmc_identityProofV2 && (attr != null)) {
++                    // checking Proof Of Identity, if not pre-signed
++
++                    if (donePOI) {
++                        // for logging purposes
++                        if (id_cmc_identityProofV2) {
++                            CMS.debug(method
++                                    + "pre-signed CMC request, but id_cmc_identityProofV2 found...ignore; no further proof of identification check");
++                        } else if (id_cmc_identityProof) {
++                            CMS.debug(method
++                                    + "pre-signed CMC request, but id_cmc_identityProof found...ignore; no further proof of identification check");
++                        } else {
++                            CMS.debug(method + "pre-signed CMC request; no further proof of identification check");
++                        }
++                    } else if (id_cmc_identityProofV2 && (attr != null)) {
++                        // either V2 or not V2; can't be both
++                        CMS.debug(method + "not pre-signed CMC request; calling verifyIdentityProofV2;");
+                         if (!id_cmc_identification) {
+                             SEQUENCE bpids = getRequestBpids(reqSeq);
+                             context.put("identification", bpids);
+@@ -685,23 +794,57 @@ public abstract class EnrollProfile extends BasicProfile
+                             SEQUENCE bpids = getRequestBpids(reqSeq);
+                             context.put("identityProofV2", bpids);
+ 
+-                            msg = " in verifyIdentityProofV2";
++                            msg = " after verifyIdentityProofV2";
+                             CMS.debug(method + msg);
+                             throw new EProfileException(CMS.getUserMessage(locale,
+-                                    "CMS_POI_VERIFICATION_ERROR")+ msg);
++                                    "CMS_POI_VERIFICATION_ERROR") + msg);
++                        } else {
++                            CMS.debug(method + "passed verifyIdentityProofV2; Proof of Identity successful;");
+                         }
+                     } else if (id_cmc_identityProof && (attr != null)) {
++                        CMS.debug(method + "not pre-signed CMC request; calling verifyIdentityProof;");
+                         boolean valid = verifyIdentityProof(attr,
+                                 reqSeq);
+                         if (!valid) {
+                             SEQUENCE bpids = getRequestBpids(reqSeq);
+                             context.put("identityProof", bpids);
+ 
+-                            msg = " in verifyIdentityProof";
++                            msg = " after verifyIdentityProof";
+                             CMS.debug(method + msg);
+                             throw new EProfileException(CMS.getUserMessage(locale,
+-                                    "CMS_POI_VERIFICATION_ERROR")+ msg);
++                                    "CMS_POI_VERIFICATION_ERROR") + msg);
++                        } else {
++                            CMS.debug(method + "passed verifyIdentityProof; Proof of Identity successful;");
+                         }
++                    } else {
++                        msg = "not pre-signed CMC request; missing Proof of Identification control";
++                        CMS.debug(method + msg);
++                        throw new EProfileException(CMS.getUserMessage(locale,
++                                "CMS_POI_VERIFICATION_ERROR") + ":" + method + msg);
++                    }
 +
-+            if (ignoredErrors.contains(reason)) {
-+                CMS.debug("WARNING: " + description);
-+            } else {
-+                CMS.debug("ERROR: " + description);
-+                result = false;
++                    if (id_cmc_decryptedPOP) {
++                        if (decPopVals != null) {
++
++                            DecryptedPOP decPop = (DecryptedPOP) (ASN1Util.decode(DecryptedPOP.getTemplate(),
++                                    ASN1Util.encode(decPopVals.elementAt(0))));
++                            CMS.debug(method + "DecryptedPOP encoded");
++
++                            Integer reqId = verifyDecryptedPOP(locale, decPop);
++                            if (reqId != null) {
++                                context.put("cmcDecryptedPopReqId", reqId);
++                            }
++                        } else { //decPopVals == null
++                            msg = "id_cmc_decryptedPOP contains invalid DecryptedPOP";
++                            CMS.debug(method + msg);
++                            SEQUENCE bpids = getRequestBpids(reqSeq);
++                            context.put("decryptedPOP", bpids);
++                        }
++
++                        // decryptedPOP is expected to return null;
++                        // POPLinkWitnessV2 would have to be checked in
++                        // round one, if required
++                        return null;
+                     }
+ 
+                     if (id_cmc_idPOPLinkRandom && vals != null) {
+@@ -725,61 +868,65 @@ public abstract class EnrollProfile extends BasicProfile
+                 }
+             }
+ 
+-            int nummsgs = reqSeq.size();
+-            if (nummsgs > 0) {
++            /**
++             * in CS.cfg, cmc.popLinkWitnessRequired=true
++             * will enforce popLinkWitness (or V2);
++             */
++            boolean popLinkWitnessRequired = false;
++            try {
++                String configName = "cmc.popLinkWitnessRequired";
++                CMS.debug(method + "getting :" + configName);
++                popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, false);
++            } catch (Exception e) {
++                // unlikely to get here
++                msg = method + " Failed to retrieve cmc.popLinkWitnessRequired";
++                CMS.debug(msg);
++                throw new EProfileException(method + msg);
 +            }
-+        }
-+
-+        return result;
-     }
- }
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-index ab5e4d6..fe65bb8 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-@@ -58,34 +58,6 @@ import javax.ws.rs.core.MultivaluedMap;
- import javax.ws.rs.core.Response;
- import javax.xml.parsers.ParserConfigurationException;
  
--import netscape.ldap.LDAPAttribute;
--import netscape.ldap.LDAPAttributeSet;
--import netscape.ldap.LDAPConnection;
--import netscape.ldap.LDAPDN;
--import netscape.ldap.LDAPEntry;
--import netscape.ldap.LDAPException;
--import netscape.ldap.LDAPModification;
--import netscape.ldap.LDAPSearchConstraints;
--import netscape.ldap.LDAPSearchResults;
--import netscape.ldap.LDAPv3;
--import netscape.security.pkcs.ContentInfo;
--import netscape.security.pkcs.PKCS10;
--import netscape.security.pkcs.PKCS12;
--import netscape.security.pkcs.PKCS12Util;
--import netscape.security.pkcs.PKCS7;
--import netscape.security.pkcs.SignerInfo;
--import netscape.security.util.DerOutputStream;
--import netscape.security.util.ObjectIdentifier;
--import netscape.security.x509.AlgorithmId;
--import netscape.security.x509.BasicConstraintsExtension;
--import netscape.security.x509.CertificateChain;
--import netscape.security.x509.Extension;
--import netscape.security.x509.Extensions;
--import netscape.security.x509.KeyUsageExtension;
--import netscape.security.x509.X500Name;
--import netscape.security.x509.X509CertImpl;
--import netscape.security.x509.X509Key;
++            int nummsgs = reqSeq.size();
++            if (!popLinkWitnessRequired) {
++                CMS.debug(method + "popLinkWitnessRequired false, skip check");
++            } else if (nummsgs > 0) {
++                CMS.debug(method + "cmc.popLinkWitnessRequired is true");
++                CMS.debug(method + "nummsgs =" + nummsgs);
+                 msgs = new TaggedRequest[reqSeq.size()];
+                 SEQUENCE bpids = new SEQUENCE();
+ 
+-                /* TODO: add this in CS.cfg later: cmc.popLinkWitnessRequired=true
+-                // enforce popLinkWitness (or V2)
+-                boolean popLinkWitnessRequired = true;
+-                try {
+-                    String configName = "cmc.popLinkWitnessRequired";
+-                    CMS.debug(method + "getting :" + configName);
+-                    popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, true);
+-                    CMS.debug(method + "cmc.popLinkWitnessRequired is " + popLinkWitnessRequired);
+-                } catch (Exception e) {
+-                    // unlikely to get here
+-                    msg = method + " Failed to retrieve cmc.popLinkWitnessRequired";
+-                    CMS.debug(msg);
+-                    throw new EProfileException(method + msg);
+-                }
+-*/
 -
- import org.apache.commons.lang.StringUtils;
- import org.apache.velocity.context.Context;
- import org.mozilla.jss.CryptoManager;
-@@ -131,6 +103,7 @@ import org.mozilla.jss.pkix.primitive.Attribute;
- import org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo;
- import org.mozilla.jss.pkix.primitive.PrivateKeyInfo;
- import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
-+import org.mozilla.jss.ssl.SSLCertificateApprovalCallback.ValidityStatus;
- import org.mozilla.jss.util.IncorrectPasswordException;
- import org.mozilla.jss.util.Password;
- import org.w3c.dom.Document;
-@@ -180,6 +153,34 @@ import com.netscape.cmsutil.ldap.LDAPUtil;
- import com.netscape.cmsutil.util.Utils;
- import com.netscape.cmsutil.xml.XMLObject;
+                 boolean valid = true;
+                 for (int i = 0; i < nummsgs; i++) {
+                     msgs[i] = (TaggedRequest) reqSeq.elementAt(i);
+                     if (!context.containsKey("POPLinkWitnessV2") &&
+                             !context.containsKey("POPLinkWitness")) {
+-                        if (randomSeed != null) {
+-                            // verifyPOPLinkWitness() will determine if this is
+-                            // POPLinkWitnessV2 or POPLinkWitness
+-                            // If failure, context is set in verifyPOPLinkWitness
+-                            valid = verifyPOPLinkWitness(ident_s, randomSeed, msgs[i], bpids, context);
+-                            if (valid == false) {
+-                                if (context.containsKey("POPLinkWitnessV2"))
+-                                    msg = " in POPLinkWitnessV2";
+-                                else if (context.containsKey("POPLinkWitness"))
+-                                    msg = " in POPLinkWitness";
+-                                else
+-                                    msg = " unspecified failure from verifyPOPLinkWitness";
+-
+-                                CMS.debug(method + msg);
+-                                throw new EProfileException(CMS.getUserMessage(locale,
+-                                        "MS_POP_LINK_WITNESS_VERIFICATION_ERROR")+ msg);
+-                            }
+-                        /* TODO: for next cmc ticket, eliminate the extra trip of parseCMC if possible, or figure a way out to bypass this on 2nd trip
+-                        } else if (popLinkWitnessRequired == true) {
+-                            //popLinkWitnessRequired == true, must have randomSeed
+-                            CMS.debug(method + "popLinkWitness(V2) required; no randomSeed found");
++                        CMS.debug(method + "popLinkWitness(V2) required");
++                        if (randomSeed == null) {
++                            CMS.debug(method + "no randomSeed found");
+                             context.put("POPLinkWitnessV2", bpids);
+-                            return null;*/
+-                        } //randomSeed != null
++                            return null;
++                        }
++
++                        // verifyPOPLinkWitness() will determine if this is
++                        // POPLinkWitnessV2 or POPLinkWitness
++                        // If failure, context is set in verifyPOPLinkWitness
++                        valid = verifyPOPLinkWitness(ident_s, randomSeed, msgs[i], bpids, context);
++                        if (valid == false) {
++                            if (context.containsKey("POPLinkWitnessV2"))
++                                msg = " in POPLinkWitnessV2";
++                            else if (context.containsKey("POPLinkWitness"))
++                                msg = " in POPLinkWitness";
++                            else
++                                msg = " unspecified failure from verifyPOPLinkWitness";
++
++                            CMS.debug(method + msg);
++                            throw new EProfileException(CMS.getUserMessage(locale,
++                                    "CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + msg);
++                        }
+                     }
+-                }
+-            } else
++                } //for
++            } else {
++                CMS.debug(method + "nummsgs 0; returning...");
+                 return null;
++            }
  
-+import netscape.ldap.LDAPAttribute;
-+import netscape.ldap.LDAPAttributeSet;
-+import netscape.ldap.LDAPConnection;
-+import netscape.ldap.LDAPDN;
-+import netscape.ldap.LDAPEntry;
-+import netscape.ldap.LDAPException;
-+import netscape.ldap.LDAPModification;
-+import netscape.ldap.LDAPSearchConstraints;
-+import netscape.ldap.LDAPSearchResults;
-+import netscape.ldap.LDAPv3;
-+import netscape.security.pkcs.ContentInfo;
-+import netscape.security.pkcs.PKCS10;
-+import netscape.security.pkcs.PKCS12;
-+import netscape.security.pkcs.PKCS12Util;
-+import netscape.security.pkcs.PKCS7;
-+import netscape.security.pkcs.SignerInfo;
-+import netscape.security.util.DerOutputStream;
-+import netscape.security.util.ObjectIdentifier;
-+import netscape.security.x509.AlgorithmId;
-+import netscape.security.x509.BasicConstraintsExtension;
-+import netscape.security.x509.CertificateChain;
-+import netscape.security.x509.Extension;
-+import netscape.security.x509.Extensions;
-+import netscape.security.x509.KeyUsageExtension;
-+import netscape.security.x509.X500Name;
-+import netscape.security.x509.X509CertImpl;
-+import netscape.security.x509.X509Key;
+             CMS.debug(method + "ends");
+             return msgs;
+@@ -1398,6 +1545,9 @@ public abstract class EnrollProfile extends BasicProfile
+     public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info,
+             IRequest req)
+             throws EProfileException {
++        String auditMessage = null;
++        String auditSubjectID = auditSubjectID();
++
+         String method = "EnrollProfile: fillTaggedRequest: ";
+         CMS.debug(method + "begins");
+         TaggedRequest.Type type = tagreq.getType();
+@@ -1409,16 +1559,19 @@ public abstract class EnrollProfile extends BasicProfile
+         }
+ 
+         if (type.equals(TaggedRequest.PKCS10)) {
+-            CMS.debug(method + " TaggedRequest type == pkcs10");
++            String methodPos = method + "PKCS10: ";
++            CMS.debug(methodPos + " TaggedRequest type == pkcs10");
+             boolean sigver = true;
+             boolean tokenSwitched = false;
+             CryptoManager cm = null;
+             CryptoToken signToken = null;
+             CryptoToken savedToken = null;
+             try {
++                // for PKCS10, "sigver" would provide the POP
+                 sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true);
+                 cm = CryptoManager.getInstance();
+                 if (sigver == true) {
++                    CMS.debug(methodPos + "sigver true, POP is to be verified");
+                     String tokenName =
+                         CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
+                     savedToken = cm.getThreadToken();
+@@ -1427,6 +1580,12 @@ public abstract class EnrollProfile extends BasicProfile
+                         cm.setThreadToken(signToken);
+                         tokenSwitched = true;
+                     }
++                } else {
++                    // normally, you would not get here, as you almost always
++                    // would want to verify the PKCS10 signature when it's
++                    // already there instead of taking a 2nd trip
++                    CMS.debug(methodPos + "sigver false, POP is not to be verified now, but instead will be challenged");
++                    req.setExtData("cmc_POPchallengeRequired", "true");
+                 }
+ 
+                 TaggedCertificationRequest tcr = tagreq.getTcr();
+@@ -1440,13 +1599,17 @@ public abstract class EnrollProfile extends BasicProfile
+                 fillPKCS10(locale, pkcs10, info, req);
+             } catch (Exception e) {
+                 CMS.debug(method + e);
++                // this will throw
++                popFailed(locale, auditSubjectID, auditMessage, e);
+             }  finally {
+                 if ((sigver == true) && (tokenSwitched == true)){
+                     cm.setThreadToken(savedToken);
+                 }
+             }
++            CMS.debug(methodPos + "done");
+         } else if (type.equals(TaggedRequest.CRMF)) {
+-            CMS.debug(method + " TaggedRequest type == crmf");
++            String methodPos = method + "CRMF: ";
++            CMS.debug(methodPos + " TaggedRequest type == crmf");
+             CertReqMsg crm = tagreq.getCrm();
+             SessionContext context = SessionContext.getContext();
+             Integer nums = (Integer) (context.get("numOfControls"));
+@@ -1454,12 +1617,12 @@ public abstract class EnrollProfile extends BasicProfile
+             boolean verifyAllow = false; //disable RA by default
+             try {
+                 String configName = "cmc.lraPopWitness.verify.allow";
+-                CMS.debug(method + "getting :" + configName);
++                CMS.debug(methodPos + "getting :" + configName);
+                 verifyAllow = CMS.getConfigStore().getBoolean(configName, false);
+-                CMS.debug(method + "cmc.lraPopWitness.verify.allow is " + verifyAllow);
++                CMS.debug(methodPos + "cmc.lraPopWitness.verify.allow is " + verifyAllow);
+             } catch (Exception e) {
+                 // unlikely to get here
+-                String msg = method + " Failed to retrieve cmc.lraPopWitness.verify.allow";
++                String msg = methodPos + " Failed to retrieve cmc.lraPopWitness.verify.allow";
+                 CMS.debug(msg);
+                 throw new EProfileException(method + msg);
+             }
+@@ -1471,23 +1634,23 @@ public abstract class EnrollProfile extends BasicProfile
+                         parseLRAPopWitness(locale, crm, attr);
+                     } else {
+                         CMS.debug(
+-                                method + " verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request.");
++                                methodPos + " verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request.");
+                         if (crm.hasPop()) {
+-                            CMS.debug(method + " hasPop true");
++                            CMS.debug(methodPos + " hasPop true");
+                             verifyPOP(locale, crm);
+                         } else { // no signing POP, then do it the hard way
+-                            CMS.debug(method + "hasPop false, need to challenge");
++                            CMS.debug(methodPos + "hasPop false, need to challenge");
+                             req.setExtData("cmc_POPchallengeRequired", "true");
+                         }
+                     }
+                 } else {
+                     CMS.debug(
+-                            method + " verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request.");
++                            methodPos + " verify POP in CMC because LRA POP Witness control attribute doesnt exist in the CMC request.");
+                     if (crm.hasPop()) {
+-                        CMS.debug(method + " hasPop true");
++                        CMS.debug(methodPos + " hasPop true");
+                         verifyPOP(locale, crm);
+                     } else { // no signing POP, then do it the hard way
+-                        CMS.debug(method + "hasPop false, need to challenge");
++                        CMS.debug(methodPos + "hasPop false, need to challenge");
+                         req.setExtData("cmc_POPchallengeRequired", "true");
+                     }
+                 }
+@@ -1495,10 +1658,10 @@ public abstract class EnrollProfile extends BasicProfile
+             } else { //!verifyAllow
+ 
+                 if (crm.hasPop()) {
+-                    CMS.debug(method + " hasPop true");
++                    CMS.debug(methodPos + " hasPop true");
+                     verifyPOP(locale, crm);
+                 } else { // no signing POP, then do it the hard way
+-                    CMS.debug(method + "hasPop false, need to challenge");
++                    CMS.debug(methodPos + "hasPop false, need to challenge");
+                     req.setExtData("cmc_POPchallengeRequired", "true");
+                 }
+             }
+@@ -1835,6 +1998,8 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+     public void fillPKCS10(Locale locale, PKCS10 pkcs10, X509CertInfo info, IRequest req)
+             throws EProfileException {
++        String method = "EnrollProfile: fillPKCS10: ";
++        CMS.debug(method + "begins");
+         X509Key key = pkcs10.getSubjectPublicKeyInfo();
+ 
+         try {
+@@ -1869,7 +2034,7 @@ public abstract class EnrollProfile extends BasicProfile
+                 PKCS10Attribute p10Attr = p10Attrs.getAttribute(CertificateExtensions.NAME);
+                 if (p10Attr != null && p10Attr.getAttributeId().equals(
+                         PKCS9Attribute.EXTENSION_REQUEST_OID)) {
+-                    CMS.debug("Found PKCS10 extension");
++                    CMS.debug(method + "Found PKCS10 extension");
+                     Extensions exts0 = (Extensions)
+                             (p10Attr.getAttributeValue());
+                     DerOutputStream extOut = new DerOutputStream();
+@@ -1879,24 +2044,22 @@ public abstract class EnrollProfile extends BasicProfile
+                     DerInputStream extIn = new DerInputStream(extB);
+                     CertificateExtensions exts = new CertificateExtensions(extIn);
+                     if (exts != null) {
+-                        CMS.debug("Set extensions " + exts);
++                        CMS.debug(method + "Set extensions " + exts);
+                         // info.set(X509CertInfo.EXTENSIONS, exts);
+                         req.setExtData(REQUEST_EXTENSIONS, exts);
+                     }
+                 } else {
+-                    CMS.debug("PKCS10 extension Not Found");
++                    CMS.debug(method + "PKCS10 extension Not Found");
+                 }
+             }
+ 
+-            CMS.debug("Finish parsePKCS10 - " + pkcs10.getSubjectName());
++            CMS.debug(method + "Finish parsePKCS10 - " + pkcs10.getSubjectName());
+         } catch (IOException e) {
+-            CMS.debug("EnrollProfile: Unable to fill PKCS #10: " + e);
+-            CMS.debug(e);
++            CMS.debug(method + "Unable to fill PKCS #10: " + e);
+             throw new EProfileException(
+                     CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e);
+         } catch (CertificateException e) {
+-            CMS.debug("EnrollProfile: Unable to fill PKCS #10: " + e);
+-            CMS.debug(e);
++            CMS.debug(method + "Unable to fill PKCS #10: " + e);
+             throw new EProfileException(
+                     CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e);
+         }
+@@ -2074,8 +2237,11 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+     public void populate(IRequest request)
+             throws EProfileException {
+-        super.populate(request);
+ 
++        String method = "EnrollProfile: populate: ";
++        CMS.debug(method + "begins");
 +
- /**
-  * Utility class for functions to be used by the RESTful installer.
-  *
-@@ -196,6 +197,8 @@ public class ConfigurationUtils {
-     public static final Long MINUS_ONE = Long.valueOf(-1);
-     public static final String DBUSER = "pkidbuser";
- 
-+    public static ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
-+
-     public static boolean loginToken(CryptoToken token, String tokPwd) throws TokenException,
-             IncorrectPasswordException {
-         boolean rv = true;
-@@ -229,6 +232,7 @@ public class ConfigurationUtils {
- 
-         CMS.debug("ConfigurationUtils: GET " + config.getServerURI() + path);
-         PKIConnection connection = new PKIConnection(config);
-+        if (certApprovalCallback == null) certApprovalCallback = ConfigurationUtils.certApprovalCallback;
-         connection.setCallback(certApprovalCallback);
-         return connection.get(path);
++        super.populate(request);
      }
-@@ -245,6 +249,7 @@ public class ConfigurationUtils {
  
-         CMS.debug("ConfigurationUtils: POST " + config.getServerURI() + path);
-         PKIConnection connection = new PKIConnection(config);
-+        if (certApprovalCallback == null) certApprovalCallback = ConfigurationUtils.certApprovalCallback;
-         connection.setCallback(certApprovalCallback);
-         return connection.post(path, content);
+     /**
+@@ -2240,7 +2406,7 @@ public abstract class EnrollProfile extends BasicProfile
+     public void verifyPOP(Locale locale, CertReqMsg certReqMsg)
+             throws EProfileException {
+         String method = "EnrollProfile: verifyPOP: ";
+-        CMS.debug(method + "for signing keys");
++        CMS.debug(method + "for signing keys begins.");
+ 
+         String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+@@ -2261,10 +2427,10 @@ public abstract class EnrollProfile extends BasicProfile
+             CryptoToken verifyToken = null;
+             String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
+             if (CryptoUtil.isInternalToken(tokenName)) {
+-                CMS.debug("POP verification using internal token");
++                CMS.debug(method + "POP verification using internal token");
+                 certReqMsg.verify();
+             } else {
+-                CMS.debug("POP verification using token:" + tokenName);
++                CMS.debug(method + "POP verification using token:" + tokenName);
+                 verifyToken = CryptoUtil.getCryptoToken(tokenName);
+                 certReqMsg.verify(verifyToken);
+             }
+@@ -2279,7 +2445,7 @@ public abstract class EnrollProfile extends BasicProfile
+             CMS.debug(method + "Unable to verify POP: " + e);
+             popFailed(locale, auditSubjectID, auditMessage, e);
+         }
+-        CMS.debug(method + "ends.");
++        CMS.debug(method + "done.");
      }
-@@ -256,6 +261,8 @@ public class ConfigurationUtils {
- 
-         IConfigStore cs = CMS.getConfigStore();
-         ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
-+        // Ignore untrusted issuer to get cert chain.
-+        certApprovalCallback.ignoreError(ValidityStatus.UNTRUSTED_ISSUER);
-         String c = get(host, port, true, serverPath, null, certApprovalCallback);
  
-         if (c != null) {
--- 
-1.8.3.1
-
-
-From da66600e8ae07fa4169d24909c7d04ed69d2906c Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Mon, 1 Aug 2016 22:35:32 +0200
-Subject: [PATCH 84/96] Added log messages for certificate import during
- cloning.
-
-To help troubleshooting cloning issues the security_databases.py
-has been modified to log the content of the PKCS #12 file before
-import and the NSS database after import.
-
-https://fedorahosted.org/pki/ticket/2424
----
- base/common/python/pki/nssdb.py                    | 10 +++
- base/common/python/pki/pkcs12.py                   | 73 ++++++++++++++++++++++
- .../deployment/scriptlets/security_databases.py    | 42 ++++++++++---
- 3 files changed, 118 insertions(+), 7 deletions(-)
- create mode 100644 base/common/python/pki/pkcs12.py
-
-diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
-index a0b0302..ed45654 100644
---- a/base/common/python/pki/nssdb.py
-+++ b/base/common/python/pki/nssdb.py
-@@ -398,6 +398,16 @@ class NSSDatabase(object):
-         if rc:
-             raise Exception('Failed to generate self-signed CA certificate. RC: %d' % rc)
- 
-+    def show_certs(self):
-+
-+        cmd = [
-+            'certutil',
-+            '-L',
-+            '-d', self.directory
-+        ]
-+
-+        subprocess.check_call(cmd)
-+
-     def get_cert(self, nickname, output_format='pem'):
- 
-         if output_format == 'pem':
-diff --git a/base/common/python/pki/pkcs12.py b/base/common/python/pki/pkcs12.py
+     private void popFailed(Locale locale, String auditSubjectID, String auditMessage)
+diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCUserSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCUserSignedSubjectNameConstraint.java
 new file mode 100644
-index 0000000..a62ca09
+index 0000000..c71b670
 --- /dev/null
-+++ b/base/common/python/pki/pkcs12.py
-@@ -0,0 +1,73 @@
-+# Authors:
-+#     Endi S. Dewata <edewata@redhat.com>
-+#
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the Lesser GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU Lesser General Public License for more details.
-+#
-+# You should have received a copy of the GNU Lesser General Public License
-+#  along with this program; if not, write to the Free Software Foundation,
-+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Copyright (C) 2016 Red Hat, Inc.
-+# All rights reserved.
-+#
++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCUserSignedSubjectNameConstraint.java
+@@ -0,0 +1,141 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2013 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.cms.profile.constraint;
++
++import java.util.Locale;
++
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.IAuthManager;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.profile.EProfileException;
++import com.netscape.certsrv.profile.ERejectException;
++import com.netscape.certsrv.profile.IPolicyDefault;
++import com.netscape.certsrv.profile.IProfile;
++import com.netscape.certsrv.property.IDescriptor;
++import com.netscape.certsrv.request.IRequest;
++import com.netscape.cms.profile.common.EnrollProfile;
++import com.netscape.cms.profile.def.CMCUserSignedSubjectNameDefault;
++
++import netscape.security.x509.CertificateSubjectName;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertInfo;
++
++/**
++ * This class implements the user subject name constraint for user-signed cmc requests.
++ * It makes sure the signing cert's subjectDN and the rsulting cert match
++ *
++ * @author cfu
++ * @version $Revision$, $Date$
++ */
++public class CMCUserSignedSubjectNameConstraint extends EnrollConstraint {
++
++    public CMCUserSignedSubjectNameConstraint() {
++    }
++
++    public void init(IProfile profile, IConfigStore config)
++            throws EProfileException {
++        super.init(profile, config);
++    }
 +
-+from __future__ import absolute_import
-+import os
-+import shutil
-+import subprocess
-+import tempfile
++    public IDescriptor getConfigDescriptor(Locale locale, String name) {
++        return null;
++    }
++
++    public String getDefaultConfig(String name) {
++        return null;
++    }
++
++    /**
++     * Validates the request. The request is not modified
++     * during the validation. User encoded subject name
++     * is copied into the certificate template.
++     */
++    public void validate(IRequest request, X509CertInfo info)
++            throws ERejectException {
++        String method = "CMCUserSignedSubjectNameConstraint: ";
++        String msg = "";
 +
++        CMS.debug(method + "validate start");
++        CertificateSubjectName infoCertSN = null;
++            CertificateSubjectName authTokenCertSN = null;
 +
-+class PKCS12(object):
 +
-+    def __init__(self, path, password=None, password_file=None, nssdb=None):
++        try {
++            infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
++            if (infoCertSN == null) {
++                msg = method + "infoCertSN null";
++                CMS.debug(msg);
++                throw new Exception(msg);
++            }
++            CMS.debug(method + "validate user subject ="+
++                      infoCertSN.toString());
++            String certSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
++            if (certSerial == null) {
++                msg = method + "certSerial null";
++                CMS.debug(msg);
++                throw new Exception(msg);
++            }
++            authTokenCertSN =
++                          EnrollProfile.getCMCSigningCertSNfromCertSerial(certSerial);
++            if (authTokenCertSN == null) {
++                msg = method + "authTokenCertSN null";
++                CMS.debug(msg);
++                throw new Exception(msg);
++            }
++            X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME);
++            if (infoCertName == null) {
++                msg = method + "infoCertName null";
++                CMS.debug(msg);
++                throw new Exception(msg);
++            }
++            X500Name authTokenCertName = (X500Name) authTokenCertSN.get(CertificateSubjectName.DN_NAME);
++            if (authTokenCertName == null) {
++                msg = method + "authTokenCertName null";
++                CMS.debug(msg);
++                throw new Exception(msg);
++            }
++            if (infoCertName.equals(authTokenCertName)) {
++                CMS.debug(method + "names match");
++            } else {
++                msg = method + "names do not match";
++                CMS.debug(msg);
++                throw new Exception(msg);
++            }
++
++        } catch (Exception e) {
++            throw new ERejectException(
++                    CMS.getUserMessage(getLocale(request),
++                        "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e);
++        }
++    }
 +
-+        # The pki CLI needs an NSS database to run PKCS #12 operations
-+        # as required by JSS. If the nssdb parameter is provided, the CLI
-+        # will use the specified NSS database object. Otherwise, it will use
-+        # the default NSS database in ~/.dogtag/nssdb.
++    public String getText(Locale locale) {
++        return CMS.getUserMessage(locale,
++                   "CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT");
++    }
 +
-+        self.path = path
-+        self.nssdb = nssdb
++    public boolean isApplicable(IPolicyDefault def) {
++        String method = "CMCUserSignedSubjectNameConstraint: isApplicable: ";
++        if (def instanceof CMCUserSignedSubjectNameDefault) {
++            CMS.debug(method + "true");
++            return true;
++        }
++        CMS.debug(method + "false");
++        return false;
++    }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java
+new file mode 100644
+index 0000000..a0816ea
+--- /dev/null
++++ b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java
+@@ -0,0 +1,159 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2007 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.cms.profile.def;
++
++import java.io.IOException;
++import java.util.Locale;
 +
-+        self.tmpdir = tempfile.mkdtemp()
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.IAuthManager;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.profile.EProfileException;
++import com.netscape.certsrv.profile.IEnrollProfile;
++import com.netscape.certsrv.profile.IProfile;
++import com.netscape.certsrv.property.Descriptor;
++import com.netscape.certsrv.property.EPropertyException;
++import com.netscape.certsrv.property.IDescriptor;
++import com.netscape.certsrv.request.IRequest;
++import com.netscape.cms.profile.common.EnrollProfile;
 +
-+        if password:
-+            self.password_file = os.path.join(self.tmpdir, 'password.txt')
-+            with open(self.password_file, 'w') as f:
-+                f.write(password)
++import netscape.security.x509.CertificateSubjectName;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertInfo;
 +
-+        elif password_file:
-+            self.password_file = password_file
++/**
++ * This class implements an enrollment default policy
++ * that populates a CMC signing user's subject name
++ * into the certificate template.
++ *
++ * @author cfu
++ * @version $Revision$, $Date$
++ */
++public class CMCUserSignedSubjectNameDefault extends EnrollDefault {
++
++    public static final String VAL_NAME = "name";
++
++    public CMCUserSignedSubjectNameDefault() {
++        super();
++        addValueName(VAL_NAME);
++    }
 +
-+        else:
-+            raise Exception('Missing PKCS #12 password')
++    public void init(IProfile profile, IConfigStore config)
++            throws EProfileException {
++        super.init(profile, config);
++    }
 +
-+    def close(self):
-+        shutil.rmtree(self.tmpdir)
++    public IDescriptor getValueDescriptor(Locale locale, String name) {
++        if (name.equals(VAL_NAME)) {
++            return new Descriptor(IDescriptor.STRING, null, null,
++                    CMS.getUserMessage(locale, "CMS_PROFILE_SUBJECT_NAME"));
++        } else {
++            return null;
++        }
++    }
 +
-+    def show_certs(self):
++    public void setValue(String name, Locale locale,
++            X509CertInfo info, String value)
++            throws EPropertyException {
++        if (name == null) {
++            throw new EPropertyException(CMS.getUserMessage(
++                        locale, "CMS_INVALID_PROPERTY", name));
++        }
++        if (name.equals(VAL_NAME)) {
++            X500Name x500name = null;
++
++            try {
++                x500name = new X500Name(value);
++            } catch (IOException e) {
++                CMS.debug(e.toString());
++                // failed to build x500 name
++            }
++            CMS.debug("SubjectNameDefault: setValue name=" + x500name);
++            try {
++                info.set(X509CertInfo.SUBJECT,
++                        new CertificateSubjectName(x500name));
++            } catch (Exception e) {
++                // failed to insert subject name
++                CMS.debug("CMCUserSignedSubjectNameDefault: setValue " + e.toString());
++                throw new EPropertyException(CMS.getUserMessage(
++                            locale, "CMS_INVALID_PROPERTY", name));
++            }
++        } else {
++            throw new EPropertyException(CMS.getUserMessage(
++                        locale, "CMS_INVALID_PROPERTY", name));
++        }
++    }
 +
-+        cmd = ['pki']
++    public String getValue(String name, Locale locale,
++            X509CertInfo info)
++            throws EPropertyException {
++        if (name == null) {
++            throw new EPropertyException(CMS.getUserMessage(
++                        locale, "CMS_INVALID_PROPERTY", name));
++        }
++        if (name.equals(VAL_NAME)) {
++            CertificateSubjectName sn = null;
++
++            try {
++                sn = (CertificateSubjectName)
++                        info.get(X509CertInfo.SUBJECT);
++                return sn.toString();
++            } catch (Exception e) {
++                // nothing
++            }
++            throw new EPropertyException(CMS.getUserMessage(
++                        locale, "CMS_INVALID_PROPERTY", name));
++        } else {
++            throw new EPropertyException(CMS.getUserMessage(
++                        locale, "CMS_INVALID_PROPERTY", name));
++        }
++    }
 +
-+        if self.nssdb:
-+            cmd.extend([
-+                '-d', self.nssdb.directory,
-+                '-C', self.nssdb.password_file
-+            ])
++    public String getText(Locale locale) {
++        return CMS.getUserMessage(locale, "CMS_PROFILE_DEF_CMC_USER_SIGNED_SUBJECT_NAME");
++    }
 +
-+        cmd.extend([
-+            'pkcs12-cert-find',
-+            '--pkcs12-file', self.path,
-+            '--pkcs12-password-file', self.password_file
-+        ])
++    /**
++     * Populates the request with this policy default.
++     */
++    public void populate(IRequest request, X509CertInfo info)
++            throws EProfileException {
++        String method = "CMCUserSignedSubjectNameDefault: populate: ";
++        String msg = "";
++        CMS.debug(method + "begins");
++
++        String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
++        if (info == null) {
++            msg = method + "info null";
++            CMS.debug(msg);
++            throw new EProfileException(msg);
++        }
 +
-+        subprocess.check_call(cmd)
-diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
-index 18fc3e1..99daf15 100644
---- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
-+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
-@@ -19,9 +19,11 @@
- #
++        CertificateSubjectName certSN = null;
++        try {
++            certSN = EnrollProfile.getCMCSigningCertSNfromCertSerial(signingUserSerial);
++            info.set(X509CertInfo.SUBJECT, certSN);
++            CMS.debug(method + "subjectDN set in X509CertInfo");
++        } catch (Exception e) {
++            msg = method + "exception thrown:" + e;
++            throw new EProfileException(e.toString());
++        }
++        request.setExtData(IEnrollProfile.REQUEST_CERTINFO, info);
++        CMS.debug(method + "ends");
++    }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
+index 00d669e..1d5bfc4 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
+@@ -214,17 +214,18 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe
+      */
+     public void populate(IRequest request)
+             throws EProfileException {
++        String method = "EnrollDefault: populate: ";
+         String name = getClass().getName();
+ 
+         name = name.substring(name.lastIndexOf('.') + 1);
+-        CMS.debug(name + ": populate start");
++        CMS.debug(method + name + ": start");
+         X509CertInfo info =
+                 request.getExtDataInCertInfo(IEnrollProfile.REQUEST_CERTINFO);
+ 
+         populate(request, info);
+ 
+         request.setExtData(IEnrollProfile.REQUEST_CERTINFO, info);
+-        CMS.debug(name + ": populate end");
++        CMS.debug(method + name + ": end");
+     }
  
- from __future__ import absolute_import
-+from __future__ import print_function
+     public void addValueName(String name) {
+diff --git a/base/server/cms/src/com/netscape/cms/profile/input/CMCCertReqInput.java b/base/server/cms/src/com/netscape/cms/profile/input/CMCCertReqInput.java
+index a62d6e9..0a9cae1 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/input/CMCCertReqInput.java
++++ b/base/server/cms/src/com/netscape/cms/profile/input/CMCCertReqInput.java
+@@ -21,6 +21,8 @@ import java.util.Locale;
  
- import os
- import pki.nssdb
-+import pki.pkcs12
- import pki.server
- 
- # PKI Deployment Imports
-@@ -104,9 +106,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                 directory=deployer.mdict['pki_database_path'],
-                 password_file=deployer.mdict['pki_shared_pfile'])
- 
--            nssdb.import_pkcs12(
--                pkcs12_file=pki_server_pkcs12_path,
--                pkcs12_password=pki_server_pkcs12_password)
-+            try:
-+                nssdb.import_pkcs12(
-+                    pkcs12_file=pki_server_pkcs12_path,
-+                    pkcs12_password=pki_server_pkcs12_password)
-+            finally:
-+                nssdb.close()
- 
-             # update external CA file (if needed)
-             external_certs_path = deployer.mdict['pki_server_external_certs_path']
-@@ -127,10 +132,33 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                 directory=deployer.mdict['pki_database_path'],
-                 password_file=deployer.mdict['pki_shared_pfile'])
- 
--            nssdb.import_pkcs12(
--                pkcs12_file=pki_clone_pkcs12_path,
--                pkcs12_password=pki_clone_pkcs12_password,
--                no_user_certs=True)
-+            try:
-+                print('Importing certificates from %s:' % pki_clone_pkcs12_path)
-+
-+                # The PKCS12 class requires an NSS database to run. For simplicity
-+                # it uses the NSS database that has just been created.
-+                pkcs12 = pki.pkcs12.PKCS12(
-+                    path=pki_clone_pkcs12_path,
-+                    password=pki_clone_pkcs12_password,
-+                    nssdb=nssdb)
-+
-+                try:
-+                    pkcs12.show_certs()
-+                finally:
-+                    pkcs12.close()
-+
-+                # Import certificates
-+                nssdb.import_pkcs12(
-+                    pkcs12_file=pki_clone_pkcs12_path,
-+                    pkcs12_password=pki_clone_pkcs12_password,
-+                    no_user_certs=True)
-+
-+                print('Imported certificates in %s:' % deployer.mdict['pki_database_path'])
-+
-+                nssdb.show_certs()
-+
-+            finally:
-+                nssdb.close()
- 
-         if len(deployer.instance.tomcat_instance_subsystems()) < 2:
+ import netscape.security.x509.X509CertInfo;
  
--- 
-1.8.3.1
-
-
-From b7d4f6e9efd8b2e7d26a001f6c18a10b82df6b56 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Mon, 1 Aug 2016 22:35:32 +0200
-Subject: [PATCH 85/96] Fixed PKCS #12 import for cloning.
-
-To fix cloning issue in IPA the security_database.py has been
-modified to import all certificates and keys in the PKCS #12 file
-before the PKI server is started. Since the PKCS #12 generated by
-IPA may not contain the certificate trust flags, the script will
-also reset the trust flags on the imported certificates (i.e.
-CT,C,C for CA certificate and u,u,Pu for audit certificate).
-
-The ConfigurationUtils.restoreCertsFromP12() is now redundant and
-it should be removed in the future, but for now it has been
-modified to set the same trust flags on imported certificates.
-
-The CryptoUtil.importCertificateChain() has also been modified to
-set the same trust flags on imported certificates.
-
-https://fedorahosted.org/pki/ticket/2424
----
- .../cms/servlet/csadmin/ConfigurationUtils.java    |  9 +++-
- .../deployment/scriptlets/security_databases.py    | 13 ++++-
- .../com/netscape/cmsutil/crypto/CryptoUtil.java    | 60 ++++++++++++----------
- 3 files changed, 51 insertions(+), 31 deletions(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-index fe65bb8..3494882 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-@@ -834,7 +834,8 @@ public class ConfigurationUtils {
-             BadPaddingException, NotInitializedException, NicknameConflictException, UserCertConflictException,
-             NoSuchItemOnTokenException, InvalidBERException, IOException {
- 
--        // TODO: refactor into a PKCS #12 utility class
-+        // TODO: The PKCS #12 file is already imported in security_database.py.
-+        // This method should be removed.
- 
-         byte b[] = new byte[1000000];
-         FileInputStream fis = new FileInputStream(p12File);
-@@ -1109,10 +1110,14 @@ public class ConfigurationUtils {
-                 InternalCertificate icert = (InternalCertificate) xcert;
- 
-                 if (isCASigningCert) {
--                    // we need to change the trust attribute to CT
-+                    // set trust flags to CT,C,C
-                     icert.setSSLTrust(InternalCertificate.TRUSTED_CA
-                             | InternalCertificate.TRUSTED_CLIENT_CA
-                             | InternalCertificate.VALID_CA);
-+                    icert.setEmailTrust(InternalCertificate.TRUSTED_CA
-+                            | InternalCertificate.VALID_CA);
-+                    icert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA
-+                            | InternalCertificate.VALID_CA);
- 
-                 } else if (isAuditSigningCert(name)) {
-                     icert.setObjectSigningTrust(InternalCertificate.USER
-diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
-index 99daf15..e80a1d0 100644
---- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
-+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
-@@ -150,8 +150,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                 # Import certificates
-                 nssdb.import_pkcs12(
-                     pkcs12_file=pki_clone_pkcs12_path,
--                    pkcs12_password=pki_clone_pkcs12_password,
--                    no_user_certs=True)
-+                    pkcs12_password=pki_clone_pkcs12_password)
-+
-+                # Set certificate trust flags
-+                if subsystem.type == 'CA':
-+                    nssdb.modify_cert(
-+                        nickname=deployer.mdict['pki_ca_signing_nickname'],
-+                        trust_attributes='CTu,Cu,Cu')
-+
-+                nssdb.modify_cert(
-+                    nickname=deployer.mdict['pki_audit_signing_nickname'],
-+                    trust_attributes='u,u,Pu')
- 
-                 print('Imported certificates in %s:' % deployer.mdict['pki_database_path'])
- 
-diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-index 9cabdc5..b02c363 100644
---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-@@ -47,33 +47,6 @@ import java.util.Random;
- import java.util.StringTokenizer;
- import java.util.Vector;
++import org.mozilla.jss.asn1.SEQUENCE;
++import org.mozilla.jss.pkix.cmc.PKIData;
+ import org.mozilla.jss.pkix.cmc.TaggedRequest;
+ 
+ import com.netscape.certsrv.apps.CMS;
+@@ -85,19 +87,32 @@ public class CMCCertReqInput extends EnrollInput implements IProfileInput {
+      */
+     public void populate(IProfileContext ctx, IRequest request)
+             throws EProfileException {
++        String method = "CMCCertReqInput: populate: ";
++        CMS.debug(method + "begins");
++
+         String cert_request = ctx.get(VAL_CERT_REQUEST);
+         X509CertInfo info =
+                 request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO);
+ 
+         if (cert_request == null) {
+-            CMS.debug("CMCCertReqInput: populate - invalid certificate request");
++            CMS.debug(method + "invalid certificate request");
+             throw new EProfileException(CMS.getUserMessage(
+                         getLocale(request), "CMS_PROFILE_NO_CERT_REQ"));
+         }
+-        TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request);
++        // cfu: getPKIDataFromCMCblob() is extracted from parseCMC
++        // so it's less confusing
++        //TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request);
++        PKIData pkiData = mEnrollProfile.getPKIDataFromCMCblob(getLocale(request), cert_request);
++        SEQUENCE reqSeq = pkiData.getReqSequence();
++        int nummsgs = reqSeq.size(); // for now we only handle one anyways
++        CMS.debug(method + "pkiData.getReqSequence() called; nummsgs =" + nummsgs);
++        TaggedRequest[] msgs = new TaggedRequest[reqSeq.size()];
++        for (int i = 0; i < nummsgs; i++) {
++            msgs[i] = (TaggedRequest) reqSeq.elementAt(i);
++        }
+ 
+         if (msgs == null) {
+-            CMS.debug("CMCCertReqInput: populate - parseCMC returns null TaggedRequest msgs");
++            CMS.debug(method + "TaggedRequest msgs null after getPKIDataFromCMCblob");
+             return;
+         }
+         // This profile only handle the first request in CRMF
+diff --git a/base/server/cms/src/com/netscape/cms/profile/input/CertReqInput.java b/base/server/cms/src/com/netscape/cms/profile/input/CertReqInput.java
+index e67f5b5..fabd2aa 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/input/CertReqInput.java
++++ b/base/server/cms/src/com/netscape/cms/profile/input/CertReqInput.java
+@@ -19,10 +19,8 @@ package com.netscape.cms.profile.input;
+ 
+ import java.util.Locale;
  
 -import netscape.security.pkcs.PKCS10;
--import netscape.security.pkcs.PKCS10Attribute;
--import netscape.security.pkcs.PKCS10Attributes;
--import netscape.security.pkcs.PKCS7;
--import netscape.security.pkcs.PKCS9Attribute;
--import netscape.security.util.BigInt;
 -import netscape.security.util.DerInputStream;
--import netscape.security.util.DerOutputStream;
--import netscape.security.util.DerValue;
--import netscape.security.util.ObjectIdentifier;
--import netscape.security.x509.AlgorithmId;
--import netscape.security.x509.CertificateAlgorithmId;
--import netscape.security.x509.CertificateChain;
--import netscape.security.x509.CertificateExtensions;
--import netscape.security.x509.CertificateIssuerName;
--import netscape.security.x509.CertificateSerialNumber;
--import netscape.security.x509.CertificateSubjectName;
--import netscape.security.x509.CertificateValidity;
--import netscape.security.x509.CertificateVersion;
--import netscape.security.x509.CertificateX509Key;
--import netscape.security.x509.Extensions;
--import netscape.security.x509.X500Name;
--import netscape.security.x509.X500Signer;
--import netscape.security.x509.X509CertImpl;
 -import netscape.security.x509.X509CertInfo;
--import netscape.security.x509.X509Key;
 -
- import org.mozilla.jss.CryptoManager;
- import org.mozilla.jss.CryptoManager.NotInitializedException;
- import org.mozilla.jss.NoSuchTokenException;
-@@ -132,6 +105,33 @@ import org.mozilla.jss.util.Password;
- import com.netscape.cmsutil.util.Cert;
- import com.netscape.cmsutil.util.Utils;
++import org.mozilla.jss.asn1.SEQUENCE;
++import org.mozilla.jss.pkix.cmc.PKIData;
+ import org.mozilla.jss.pkix.cmc.TaggedRequest;
+ import org.mozilla.jss.pkix.crmf.CertReqMsg;
+ 
+@@ -37,6 +35,10 @@ import com.netscape.certsrv.property.IDescriptor;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.cms.profile.common.EnrollProfile;
  
 +import netscape.security.pkcs.PKCS10;
-+import netscape.security.pkcs.PKCS10Attribute;
-+import netscape.security.pkcs.PKCS10Attributes;
-+import netscape.security.pkcs.PKCS7;
-+import netscape.security.pkcs.PKCS9Attribute;
-+import netscape.security.util.BigInt;
 +import netscape.security.util.DerInputStream;
-+import netscape.security.util.DerOutputStream;
-+import netscape.security.util.DerValue;
-+import netscape.security.util.ObjectIdentifier;
-+import netscape.security.x509.AlgorithmId;
-+import netscape.security.x509.CertificateAlgorithmId;
-+import netscape.security.x509.CertificateChain;
-+import netscape.security.x509.CertificateExtensions;
-+import netscape.security.x509.CertificateIssuerName;
-+import netscape.security.x509.CertificateSerialNumber;
-+import netscape.security.x509.CertificateSubjectName;
-+import netscape.security.x509.CertificateValidity;
-+import netscape.security.x509.CertificateVersion;
-+import netscape.security.x509.CertificateX509Key;
-+import netscape.security.x509.Extensions;
-+import netscape.security.x509.X500Name;
-+import netscape.security.x509.X500Signer;
-+import netscape.security.x509.X509CertImpl;
 +import netscape.security.x509.X509CertInfo;
-+import netscape.security.x509.X509Key;
 +
- @SuppressWarnings("serial")
- public class CryptoUtil {
- 
-@@ -1164,10 +1164,16 @@ public class CryptoUtil {
-         if (certchains != null) {
-             cert = certchains[certchains.length - 1];
+ /**
+  * This class implements the certificate request input.
+  * This input populates 2 main fields to the enrollment page:
+@@ -89,13 +91,16 @@ public class CertReqInput extends EnrollInput implements IProfileInput {
+      */
+     public void populate(IProfileContext ctx, IRequest request)
+             throws EProfileException {
++        String method = "CertReqInput: populate: ";
++        CMS.debug(method + "begins");
++
+         String cert_request_type = ctx.get(VAL_CERT_REQUEST_TYPE);
+         String cert_request = ctx.get(VAL_CERT_REQUEST);
+         X509CertInfo info =
+                 request.getExtDataInCertInfo(EnrollProfile.REQUEST_CERTINFO);
+ 
+         if (cert_request_type == null) {
+-            CMS.debug("CertReqInput: populate - invalid cert request type " +
++            CMS.debug(method + "invalid cert request type " +
+                     "");
+             throw new EProfileException(
+                     CMS.getUserMessage(getLocale(request),
+@@ -103,12 +108,14 @@ public class CertReqInput extends EnrollInput implements IProfileInput {
+                             ""));
          }
+         if (cert_request == null) {
+-            CMS.debug("CertReqInput: populate - invalid certificate request");
++            CMS.debug(method + "invalid certificate request");
+             throw new EProfileException(CMS.getUserMessage(
+                         getLocale(request), "CMS_PROFILE_NO_CERT_REQ"));
+         }
+ 
+         if (cert_request_type.equals(EnrollProfile.REQ_TYPE_PKCS10)) {
++            CMS.debug(method + "cert_request_type= REQ_TYPE_PKCS10");
++
+             PKCS10 pkcs10 = mEnrollProfile.parsePKCS10(getLocale(request), cert_request);
+ 
+             if (pkcs10 == null) {
+@@ -118,6 +125,7 @@ public class CertReqInput extends EnrollInput implements IProfileInput {
+ 
+             mEnrollProfile.fillPKCS10(getLocale(request), pkcs10, info, request);
+         } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_KEYGEN)) {
++            CMS.debug(method + "cert_request_type= REQ_TYPE_KEYGEN");
+             DerInputStream keygen = mEnrollProfile.parseKeyGen(getLocale(request), cert_request);
+ 
+             if (keygen == null) {
+@@ -127,6 +135,7 @@ public class CertReqInput extends EnrollInput implements IProfileInput {
+ 
+             mEnrollProfile.fillKeyGen(getLocale(request), keygen, info, request);
+         } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_CRMF)) {
++            CMS.debug(method + "cert_request_type= REQ_TYPE_CRMF");
+             CertReqMsg msgs[] = mEnrollProfile.parseCRMF(getLocale(request), cert_request);
+ 
+             if (msgs == null) {
+@@ -142,7 +151,18 @@ public class CertReqInput extends EnrollInput implements IProfileInput {
+             mEnrollProfile.fillCertReqMsg(getLocale(request), msgs[seqNum.intValue()], info, request
+                     );
+         } else if (cert_request_type.startsWith(EnrollProfile.REQ_TYPE_CMC)) {
+-            TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request);
++            CMS.debug(method + "cert_request_type= REQ_TYPE_CMC");
++            // cfu: getPKIDataFromCMCblob() is extracted from parseCMC
++            // so it's less confusing
++            //TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request);
++            PKIData pkiData = mEnrollProfile.getPKIDataFromCMCblob(getLocale(request), cert_request);
++            SEQUENCE reqSeq = pkiData.getReqSequence();
++            int nummsgs = reqSeq.size(); // for now we only handle one anyways
++            CMS.debug(method + "pkiData.getReqSequence() called; nummsgs =" + nummsgs);
++            TaggedRequest[] msgs = new TaggedRequest[reqSeq.size()];
++            for (int i = 0; i < nummsgs; i++) {
++                msgs[i] = (TaggedRequest) reqSeq.elementAt(i);
++            }
+ 
+             if (msgs == null) {
+                 throw new EProfileException(CMS.getUserMessage(
+@@ -159,7 +179,7 @@ public class CertReqInput extends EnrollInput implements IProfileInput {
+             mEnrollProfile.fillTaggedRequest(getLocale(request), msgs[seqNum.intValue()], info, request);
+         } else {
+             // error
+-            CMS.debug("CertReqInput: populate - invalid cert request type " +
++            CMS.debug(method + "invalid cert request type " +
+                     cert_request_type);
+             throw new EProfileException(
+                     CMS.getUserMessage(getLocale(request),
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index 26ca2a4..1e128d0 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -39,6 +39,7 @@ import org.mozilla.jss.pkix.cmc.OtherInfo;
+ import org.mozilla.jss.pkix.cmc.TaggedAttribute;
+ 
+ import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.IAuthManager;
+ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.authorization.AuthzToken;
+ import com.netscape.certsrv.base.EBaseException;
+@@ -443,6 +444,18 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+         ///////////////////////////////////////////////
+         // create request
+         ///////////////////////////////////////////////
++        String tmpCertSerialS = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT);
++        if (tmpCertSerialS != null) {
++            // unlikely to happenm, but do this just in case
++            CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth:" + tmpCertSerialS);
++            CMS.debug("ProfileSubmitCMCServlet: null it out");
++            ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "");
++        }
++        String signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT);
++        if (signingCertSerialS != null) {
++            CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth");
++            ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
++        }
+         try {
+             reqs = profile.createRequests(ctx, locale);
+         } catch (EProfileException e) {
+@@ -512,7 +525,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+         IRequest provedReq = null;
+         if (reqs == null) {
+             // handling DecryptedPOP request here
+-            Integer reqID = (Integer) context.get("decryptedPopReqId");
++            Integer reqID = (Integer) context.get("cmcDecryptedPopReqId");
+             provedReq = profile.getRequestQueue().findRequest(new RequestId(reqID.toString()));
+             if (provedReq == null) {
+ 
+@@ -568,6 +581,19 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                         }
+                     }
+                 }
 +
-+        // set trust flags to CT,C,C
-         InternalCertificate icert = (InternalCertificate) cert;
-         icert.setSSLTrust(InternalCertificate.TRUSTED_CA
-                                     | InternalCertificate.TRUSTED_CLIENT_CA
-                                     | InternalCertificate.VALID_CA);
-+        icert.setEmailTrust(InternalCertificate.TRUSTED_CA
-+                | InternalCertificate.VALID_CA);
-+        icert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA
-+                | InternalCertificate.VALID_CA);
-     }
++                tmpCertSerialS = reqs[k].getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
++                if (tmpCertSerialS != null) {
++                    // unlikely to happenm, but do this just in case
++                    CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth:" + tmpCertSerialS);
++                    CMS.debug("ProfileSubmitCMCServlet: null it out");
++                    reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, "");
++                }
++                // put CMCUserSignedAuth authToken in request
++                if (signingCertSerialS != null) {
++                    CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth");
++                    reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
++                }
+             }
  
-     public static SEQUENCE parseCRMFMsgs(byte cert_request[])
+             // put profile framework parameters into the request
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 7572db4..d3ac06a 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2235,6 +2235,7 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3=<type=OCSP_REMOV
+ # SignerInfo must be a unique String representation for the signer
+ #
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] agent pre-approved CMC request signature verification
++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification
+ 
+ # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST 
+ # - used for TPS to TKS to get random challenge data
+diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
+index bf96f90..ff56465 100644
+--- a/base/server/cmsbundle/src/UserMessages.properties
++++ b/base/server/cmsbundle/src/UserMessages.properties
+@@ -951,6 +951,7 @@ CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing
+ CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0}
+ CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only
+ CMS_PROFILE_CONSTRAINT_USER_SUBJECT_NAME_TEXT=This constraint accepts user subject name only
++CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the CMC request siging cert only
+ CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days.
+ CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0}
+ CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate.
+@@ -994,6 +995,7 @@ CMS_PROFILE_DEF_USER_KEY=This default populates a User-Supplied Certificate Key
+ CMS_PROFILE_DEF_USER_SIGNING_ALGORITHM=This default populates a User-Supplied Certificate Signing Algorithm to the request.
+ CMS_PROFILE_DEF_AUTHZ_REALM=This default populates an authorization realm.
+ CMS_PROFILE_DEF_USER_SUBJECT_NAME=This default populates a User-Supplied Certificate Subject Name to the request.
++CMS_PROFILE_DEF_CMC_USER_SIGNED_SUBJECT_NAME=This default populates a User-Supplied Certificate Subject Name to the request.
+ CMS_PROFILE_DEF_USER_VALIDITY=This default populates a User-Supplied Certificate Validity to the request.
+ CMS_PROFILE_DEF_VALIDITY=This default populates a Certificate Validity to the request. The default values are Range={0} in days
+ CMS_PROFILE_CERTIFICATE_POLICIES_ID=Certificate Policies ID
 -- 
 1.8.3.1
 
 
-From 018b5c1f3295fadd263d256d00866dd7b9d31163 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Tue, 26 Jul 2016 14:07:10 +1000
-Subject: [PATCH 90/96] Fix CA OCSP responder when LWCAs are not in use
-
-The CA subsystem OCSP responder was updated to handle dispatching
-OCSP requests to the relevant CertificateAuthority instance,
-according to the issuer of the certificates identified in the
-request.  Unfortunately, the updated routine assumes that the
-database updates that enable lightweight CAs have occurred.  If they
-have not, the OCSP responder always fails.
-
-Fix the issue by inferring that if 'caMap' is empty, lightweight CAs
-are not in use, the current instance is the one and only CA, and
-proceed straight to validation.
+From f31ad87440332845e7e5a1d6ea1f092fefd9eef1 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Fri, 28 Apr 2017 20:05:44 -0700
+Subject: [PATCH 46/49] Ticket #2617 added the new caFullCMCUserSignedCert
+ profile in CS.cfg
 
-Fixes: https://fedorahosted.org/pki/ticket/2420
 ---
- base/ca/src/com/netscape/ca/CertificateAuthority.java | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-index 502ab18..a5397da 100644
---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
-+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-@@ -2240,6 +2240,10 @@ public class CertificateAuthority
-          * employ some heuristic to deal with this case. Our
-          * heuristic is:
-          *
-+         * 0. If caMap contains no CAs, then lightweight CAs are not
-+         *    enabled.  There is only one CA, and 'this' is it.  Go
-+         *    straight to validation.
-+         *
-          * 1. Find the issuer of the cert identified by the first
-          *    CertID in the request.
-          *
-@@ -2254,7 +2258,7 @@ public class CertificateAuthority
-          *    aggregate OCSP response.
-          */
-         ICertificateAuthority ocspCA = this;
--        if (tbsReq.getRequestCount() > 0) {
-+        if (caMap.size() > 0 && tbsReq.getRequestCount() > 0) {
-             com.netscape.cmsutil.ocsp.Request req = tbsReq.getRequestAt(0);
-             BigInteger serialNo = req.getCertID().getSerialNumber();
-             X509CertImpl cert = mCertRepot.getX509Certificate(serialNo);
+ base/ca/shared/conf/CS.cfg | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index b29802c..078abee 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -970,7 +970,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
+ oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
+ oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
+ os.userid=nobody
+-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
++profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+ profile.caUUIDdeviceCert.class_id=caEnrollImpl
+ profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
+ profile.caManualRenewal.class_id=caEnrollImpl
+@@ -1015,6 +1015,8 @@ profile.caRAagentCert.class_id=caEnrollImpl
+ profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAagentCert.cfg
+ profile.caFullCMCUserCert.class_id=caEnrollImpl
+ profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserCert.cfg
++profile.caFullCMCUserSignedCert.class_id=caEnrollImpl
++profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg
+ profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
+ profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg
+ profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
 -- 
 1.8.3.1
 
 
-From 7bed80ef6b1529f948da260a6b43f2052c6ffb21 Mon Sep 17 00:00:00 2001
+From 633c7c6519c925af7e3700adff29961d72435c7f Mon Sep 17 00:00:00 2001
 From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Mon, 8 Aug 2016 14:39:01 +1000
-Subject: [PATCH 91/96] Fix lightweight CA PEM-encoded PKCS #7 cert chain
- retrieval
-
-The method to retrieve a lightweight CA's PEM-encoded PKCS #7 cert
-chain incorrectly returns X.509 data wrapped in PKCS7 PEM header.
-Return proper PKCS #7 data.
-
-Fixes: https://fedorahosted.org/pki/ticket/2433
+Date: Thu, 23 Mar 2017 14:34:31 +1100
+Subject: [PATCH 47/49] PKCS12Util: use AES to encrypt private keys
+
+Update PKCS12Util to use AES-256-CBC to encrypt private keys.
+Use JSS CryptoStore methods to ensure that all key wrapping and
+unwrapping is done on the token.
+
+Specifically, CryptoStore.getEncryptedPrivateKeyInfo replaces the
+previous process where a symmetric key was generated, the private
+key wrapped to the symmetric key, then decryted into Dogtag's
+memory, then re-encrypted under the supplied passphrase.  Now the
+key gets wrapped directly to the supplied passphrase.
+
+Similarly, for import, the EncryptedPrivateKeyInfo was decrypted
+using the supplied passphrase, then encrypted to a freshly generated
+symmetric key, which was then used to unwrap the key into the token.
+Now, the new JSS method CryptoStore.importEncryptedPrivateKeyInfo is
+used to unwrap the EncryptedPrivateKeyInfo directly into the token,
+using the supplied passphrase.
+
+As a result, the PKCS12KeyInfo class, which previously stored
+unencrypted key material (a PrivateKeyInfo object), it now only
+deals with PrivateKey (an opaque handle to an PKCS #11 object)
+on export and encoded (byte[]) EncryptedPrivateKeyInfo data on
+import.  This split suggests that PKCS12KeyInfo should be decomposed
+into two classes - one containing a PrivateKey and the other
+containing a byte[] encryptedPrivateKeyInfo - but this refactoring
+is left for another day.
+
+Part of: https://pagure.io/dogtagpki/issue/2610
+
+Change-Id: I75d48de4d7040c9fb3a9a6d1e920c191aa757b70
+(cherry picked from commit 2e198ddbe9ec5000ee7e14df0aa364b600d3aa92)
 ---
- base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
-index 7bca10f..246a3f0 100644
---- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
-+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
-@@ -173,7 +173,7 @@ public class AuthorityService extends PKIService implements AuthorityResource {
+ .../netscape/cmstools/pkcs12/PKCS12ImportCLI.java  |   4 +-
+ .../com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java |   1 -
+ .../src/netscape/security/pkcs/PKCS12KeyInfo.java  |  29 +++--
+ .../src/netscape/security/pkcs/PKCS12Util.java     | 122 ++++++++-------------
+ 4 files changed, 65 insertions(+), 91 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java
+index da5478c..de43284 100644
+--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java
+@@ -124,12 +124,12 @@ public class PKCS12ImportCLI extends CLI {
+ 
+             if (nicknames.length == 0) {
+                 // store all certificates
+-                util.storeIntoNSS(pkcs12, overwrite);
++                util.storeIntoNSS(pkcs12, password, overwrite);
  
-     @Override
-     public Response getChainPEM(String aidString) {
--        byte[] der = (byte[]) getCert(aidString).getEntity();
-+        byte[] der = (byte[]) getChain(aidString).getEntity();
-         return Response.ok(toPem("PKCS7", der)).build();
+             } else {
+                 // load specified certificates
+                 for (String nickname : nicknames) {
+-                    util.storeCertIntoNSS(pkcs12, nickname, overwrite);
++                    util.storeCertIntoNSS(pkcs12, password, nickname, overwrite);
+                 }
+             }
+ 
+diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java
+index fbebdda..e74b63a 100644
+--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java
+@@ -38,6 +38,5 @@ public class PKCS12KeyCLI extends CLI {
+ 
+         System.out.println("  Key ID: " + keyInfo.getID().toString(16));
+         System.out.println("  Subject DN: " + keyInfo.getSubjectDN());
+-        System.out.println("  Algorithm: " + keyInfo.getPrivateKeyInfo().getAlgorithm());
+     }
+ }
+diff --git a/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java b/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java
+index c7e84f0..f180cf2 100644
+--- a/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java
++++ b/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java
+@@ -19,31 +19,40 @@ package netscape.security.pkcs;
+ 
+ import java.math.BigInteger;
+ 
+-import org.mozilla.jss.pkix.primitive.PrivateKeyInfo;
++import org.mozilla.jss.crypto.PrivateKey;
+ 
+ public class PKCS12KeyInfo {
+ 
++    private PrivateKey privateKey;
++    private byte[] epkiBytes;
+     BigInteger id;
+-    PrivateKeyInfo privateKeyInfo;
+     String subjectDN;
+ 
+     public PKCS12KeyInfo() {
+     }
+ 
+-    public BigInteger getID() {
+-        return id;
++    public PKCS12KeyInfo(PrivateKey k) {
++        this.privateKey = k;
+     }
+ 
+-    public void setID(BigInteger id) {
+-        this.id = id;
++    public PKCS12KeyInfo(byte[] epkiBytes) {
++        this.epkiBytes = epkiBytes;
++    }
++
++    public PrivateKey getPrivateKey() {
++        return this.privateKey;
+     }
+ 
+-    public PrivateKeyInfo getPrivateKeyInfo() {
+-        return privateKeyInfo;
++    public byte[] getEncryptedPrivateKeyInfoBytes() {
++        return epkiBytes;
+     }
+ 
+-    public void setPrivateKeyInfo(PrivateKeyInfo privateKeyInfo) {
+-        this.privateKeyInfo = privateKeyInfo;
++    public BigInteger getID() {
++        return id;
++    }
++
++    public void setID(BigInteger id) {
++        this.id = id;
+     }
+ 
+     public String getSubjectDN() {
+diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
+index 0b164aa..9f9a35e 100644
+--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
++++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
+@@ -33,27 +33,19 @@ import java.util.Collection;
+ import org.apache.commons.lang.StringUtils;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.asn1.ANY;
+-import org.mozilla.jss.asn1.ASN1Util;
+ import org.mozilla.jss.asn1.ASN1Value;
+ import org.mozilla.jss.asn1.BMPString;
+ import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
+ import org.mozilla.jss.asn1.OCTET_STRING;
+ import org.mozilla.jss.asn1.SEQUENCE;
+ import org.mozilla.jss.asn1.SET;
+-import org.mozilla.jss.crypto.Cipher;
+ import org.mozilla.jss.crypto.CryptoStore;
+ import org.mozilla.jss.crypto.CryptoToken;
+ import org.mozilla.jss.crypto.EncryptionAlgorithm;
+-import org.mozilla.jss.crypto.IVParameterSpec;
+ import org.mozilla.jss.crypto.InternalCertificate;
+-import org.mozilla.jss.crypto.KeyGenAlgorithm;
+-import org.mozilla.jss.crypto.KeyWrapAlgorithm;
+-import org.mozilla.jss.crypto.KeyWrapper;
+ import org.mozilla.jss.crypto.NoSuchItemOnTokenException;
+ import org.mozilla.jss.crypto.ObjectNotFoundException;
+-import org.mozilla.jss.crypto.PBEAlgorithm;
+ import org.mozilla.jss.crypto.PrivateKey;
+-import org.mozilla.jss.crypto.SymmetricKey;
+ import org.mozilla.jss.crypto.X509Certificate;
+ import org.mozilla.jss.pkcs12.AuthenticatedSafes;
+ import org.mozilla.jss.pkcs12.CertBag;
+@@ -61,14 +53,10 @@ import org.mozilla.jss.pkcs12.PFX;
+ import org.mozilla.jss.pkcs12.PasswordConverter;
+ import org.mozilla.jss.pkcs12.SafeBag;
+ import org.mozilla.jss.pkix.primitive.Attribute;
+-import org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo;
+-import org.mozilla.jss.pkix.primitive.PrivateKeyInfo;
+ import org.mozilla.jss.util.Password;
+ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+ 
+-import com.netscape.cmsutil.crypto.CryptoUtil;
+-
+ import netscape.ldap.LDAPDN;
+ import netscape.ldap.util.DN;
+ import netscape.security.x509.X509CertImpl;
+@@ -114,41 +102,30 @@ public class PKCS12Util {
+         icert.setObjectSigningTrust(PKCS12.decodeFlags(flags[2]));
+     }
+ 
+-    byte[] getEncodedKey(PrivateKey privateKey) throws Exception {
+-        CryptoManager cm = CryptoManager.getInstance();
+-        CryptoToken token = cm.getInternalKeyStorageToken();
+-
+-        byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+-        IVParameterSpec param = new IVParameterSpec(iv);
+-
+-        SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true);
+-        byte[] enckey = CryptoUtil.wrapUsingSymmetricKey(
+-                token,
+-                sk,
+-                privateKey,
+-                param,
+-                KeyWrapAlgorithm.DES3_CBC_PAD);
+-
+-        Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
+-        c.initDecrypt(sk, param);
+-        return c.doFinal(enckey);
+-    }
+-
+     public void addKeyBag(PKCS12KeyInfo keyInfo, Password password,
+             SEQUENCE encSafeContents) throws Exception {
++        PrivateKey k = keyInfo.getPrivateKey();
++        if (k == null) {
++            logger.debug("NO PRIVATE KEY for " + keyInfo.subjectDN);
++            return;
++        }
+ 
+         logger.debug("Creating key bag for " + keyInfo.subjectDN);
+ 
+         PasswordConverter passConverter = new PasswordConverter();
+-        byte salt[] = { 0x01, 0x01, 0x01, 0x01 };
+-
+-        EncryptedPrivateKeyInfo encPrivateKeyInfo = EncryptedPrivateKeyInfo.createPBE(
+-                PBEAlgorithm.PBE_SHA1_DES3_CBC,
+-                password, salt, 1, passConverter, keyInfo.privateKeyInfo);
++        byte[] epkiBytes = CryptoManager.getInstance()
++            .getInternalKeyStorageToken()
++            .getCryptoStore()
++            .getEncryptedPrivateKeyInfo(
++                /* NSS has a bug that causes any AES CBC encryption
++                 * to use AES-256, but AlgorithmID contains chosen
++                 * alg.  To avoid mismatch, use AES_256_CBC. */
++                passConverter, password, EncryptionAlgorithm.AES_256_CBC, 0, k);
+ 
+         SET keyAttrs = createKeyBagAttrs(keyInfo);
+ 
+-        SafeBag safeBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG, encPrivateKeyInfo, keyAttrs);
++        SafeBag safeBag = new SafeBag(
++            SafeBag.PKCS8_SHROUDED_KEY_BAG, new ANY(epkiBytes), keyAttrs);
+         encSafeContents.addElement(safeBag);
+     }
+ 
+@@ -318,14 +295,10 @@ public class PKCS12Util {
+             PrivateKey privateKey = cm.findPrivKeyByCert(cert);
+             logger.debug("Certificate \"" + nickname + "\" has private key");
+ 
+-            PKCS12KeyInfo keyInfo = new PKCS12KeyInfo();
++            PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(privateKey);
+             keyInfo.id = id;
+             keyInfo.subjectDN = cert.getSubjectDN().toString();
+ 
+-            byte[] privateData = getEncodedKey(privateKey);
+-            keyInfo.privateKeyInfo = (PrivateKeyInfo)
+-                    ASN1Util.decode(PrivateKeyInfo.getTemplate(), privateData);
+-
+             pkcs12.addKeyInfo(keyInfo);
+ 
+         } catch (ObjectNotFoundException e) {
+@@ -375,11 +348,7 @@ public class PKCS12Util {
+ 
+     public PKCS12KeyInfo getKeyInfo(SafeBag bag, Password password) throws Exception {
+ 
+-        PKCS12KeyInfo keyInfo = new PKCS12KeyInfo();
+-
+-        // get private key info
+-        EncryptedPrivateKeyInfo encPrivateKeyInfo = (EncryptedPrivateKeyInfo) bag.getInterpretedBagContent();
+-        keyInfo.privateKeyInfo = encPrivateKeyInfo.decrypt(password, new PasswordConverter());
++        PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(bag.getBagContent().getEncoded());
+ 
+         // get key attributes
+         SET bagAttrs = bag.getBagAttributes();
+@@ -491,7 +460,7 @@ public class PKCS12Util {
+ 
+     public void getKeyInfos(PKCS12 pkcs12, PFX pfx, Password password) throws Exception {
+ 
+-        logger.debug("Load private keys:");
++        logger.debug("Load encrypted private keys:");
+ 
+         AuthenticatedSafes safes = pfx.getAuthSafes();
+ 
+@@ -590,20 +559,12 @@ public class PKCS12Util {
+ 
+     public void importKey(
+             PKCS12 pkcs12,
++            Password password,
++            String nickname,
+             PKCS12KeyInfo keyInfo) throws Exception {
+ 
+         logger.debug("Importing private key " + keyInfo.subjectDN);
+ 
+-        byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+-        IVParameterSpec param = new IVParameterSpec(iv);
+-
+-        PrivateKeyInfo privateKeyInfo = keyInfo.privateKeyInfo;
+-
+-        // encode private key
+-        ByteArrayOutputStream bos = new ByteArrayOutputStream();
+-        privateKeyInfo.encode(bos);
+-        byte[] privateKey = bos.toByteArray();
+-
+         PKCS12CertInfo certInfo = pkcs12.getCertInfoByID(keyInfo.getID());
+         if (certInfo == null) {
+             logger.debug("Private key has no certificate, ignore");
+@@ -619,26 +580,29 @@ public class PKCS12Util {
+         // get public key
+         PublicKey publicKey = cert.getPublicKey();
+ 
+-        // delete the cert again
++        byte[] epkiBytes = keyInfo.getEncryptedPrivateKeyInfoBytes();
++        if (epkiBytes == null) {
++            logger.debug(
++                "No EncryptedPrivateKeyInfo for key '"
++                + keyInfo.subjectDN + "'; skipping key");
++        }
++        store.importEncryptedPrivateKeyInfo(
++            new PasswordConverter(), password, nickname, publicKey, epkiBytes);
++
++        // delete the cert again (it will be imported again later
++        // with the correct nickname)
+         try {
+             store.deleteCert(cert);
+         } catch (NoSuchItemOnTokenException e) {
+             // this is OK
+         }
+-
+-        // encrypt private key
+-        SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true);
+-        byte[] encpkey = CryptoUtil.encryptUsingSymmetricKey(
+-                token, sk, privateKey, EncryptionAlgorithm.DES3_CBC_PAD, param);
+-
+-        // unwrap private key to load into database
+-        KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
+-        wrapper.initUnwrap(sk, param);
+-        wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publicKey), publicKey);
+     }
+ 
+-    public void storeCertIntoNSS(PKCS12 pkcs12, PKCS12CertInfo certInfo, boolean overwrite) throws Exception {
+-
++    public void storeCertIntoNSS(
++            PKCS12 pkcs12, Password password,
++            PKCS12CertInfo certInfo, boolean overwrite)
++        throws Exception
++    {
+         CryptoManager cm = CryptoManager.getInstance();
+         CryptoToken ct = cm.getInternalKeyStorageToken();
+         CryptoStore store = ct.getCryptoStore();
+@@ -656,7 +620,7 @@ public class PKCS12Util {
+         X509Certificate cert;
+         if (keyInfo != null) { // cert has key
+             logger.debug("Importing user key for " + certInfo.nickname);
+-            importKey(pkcs12, keyInfo);
++            importKey(pkcs12, password, certInfo.nickname, keyInfo);
+ 
+             logger.debug("Importing user certificate " + certInfo.nickname);
+             cert = cm.importUserCACertPackage(certInfo.cert.getEncoded(), certInfo.nickname);
+@@ -671,19 +635,21 @@ public class PKCS12Util {
+             setTrustFlags(cert, certInfo.trustFlags);
+     }
+ 
+-    public void storeCertIntoNSS(PKCS12 pkcs12, String nickname, boolean overwrite) throws Exception {
++    public void storeCertIntoNSS(PKCS12 pkcs12, Password password, String nickname, boolean overwrite) throws Exception {
+         Collection<PKCS12CertInfo> certInfos = pkcs12.getCertInfosByNickname(nickname);
+         for (PKCS12CertInfo certInfo : certInfos) {
+-            storeCertIntoNSS(pkcs12, certInfo, overwrite);
++            storeCertIntoNSS(pkcs12, password, certInfo, overwrite);
+         }
      }
  
+-    public void storeIntoNSS(PKCS12 pkcs12, boolean overwrite) throws Exception {
+-
++    public void storeIntoNSS(
++            PKCS12 pkcs12, Password password, boolean overwrite)
++        throws Exception
++    {
+         logger.info("Storing data into NSS database");
+ 
+         for (PKCS12CertInfo certInfo : pkcs12.getCertInfos()) {
+-            storeCertIntoNSS(pkcs12, certInfo, overwrite);
++            storeCertIntoNSS(pkcs12, password, certInfo, overwrite);
+         }
+     }
+ }
 -- 
 1.8.3.1
 
 
-From e948a42f8bf7823b18ad4551a8fe8a5db991e966 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Mon, 8 Aug 2016 13:08:17 +0200
-Subject: [PATCH 92/96] Improve setup.py for standalone Dogtag client releases
-
-PyPI requires a different spelling of LGPLv3+ classifier.
+From 118f648961e502f55d6997f59f6cf8f355218da5 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Fri, 28 Apr 2017 19:45:53 +1000
+Subject: [PATCH 48/49] PKCS12Util: add some much-needed comments
 
-The correct name for installation requirements is 'install_requires',
-not 'requirements'.
+Part of: https://pagure.io/dogtagpki/issue/2610
 
-Add a new version_info command that rewrites setup.py in place to
-include the current version. This fixes a problem with source
-distributions of the client package.
+Change-Id: Ic35a81c4c4dd49622bfdeb677d588641594b7ec6
+(cherry picked from commit 507908d1aac8f9db6c380f5cae634521608043e8)
 ---
- base/common/python/setup.cfg |  2 +-
- base/common/python/setup.py  | 83 +++++++++++++++++++++++++++++++++-----------
- 2 files changed, 63 insertions(+), 22 deletions(-)
-
-diff --git a/base/common/python/setup.cfg b/base/common/python/setup.cfg
-index ad43486..32f2126 100644
---- a/base/common/python/setup.cfg
-+++ b/base/common/python/setup.cfg
-@@ -2,5 +2,5 @@
- universal = 1
- 
- [aliases]
--packages = clean --all egg_info bdist_wheel sdist --format=zip
-+packages = clean --all version_info egg_info bdist_wheel sdist --format=zip
- release = packages register upload
-diff --git a/base/common/python/setup.py b/base/common/python/setup.py
-index 86e0704..e0920c1 100644
---- a/base/common/python/setup.py
-+++ b/base/common/python/setup.py
-@@ -43,28 +43,67 @@ try:
- except ImportError:
-     from distutils.core import setup
- 
-+from distutils.cmd import Command
-+
-+
-+class VersionInfo(Command):
-+    user_options = []
- 
--def get_version(specfile='../../../specs/pki-core.spec'):
-     version_re = re.compile('^Version:\s*(\d+\.\d+\.\d+)')
-     release_re = re.compile('^Release:.*?([\d\.]+)')
--    version = release = None
--    with open(specfile) as f:
--        for line in f:
--            if version is None:
--                match = version_re.match(line)
--                if match is not None:
--                    version = match.group(1)
--            if release is None:
--                match = release_re.match(line)
--                if match is not None:
--                    release = match.group(1)
--            if version is not None and release is not None:
--                break
--    if version is None or release is None:
--        raise ValueError(version, release)
--    return "%s.%s" % (version, release)
--
--VERSION = get_version()
-+    specfile = '../../../specs/pki-core.spec'
-+
-+    def initialize_options(self):
-+        self.rpm_version = None
-+
-+    def finalize_options(self):
-+        try:
-+            version, release = self.get_version()
-+        except IOError:
-+            pass
-+        else:
-+            self.rpm_version = "%s.%s" % (version, release)
-+
-+    def run(self):
-+        if self.rpm_version is not None:
-+            self.distribution.metadata.version = self.rpm_version
-+            self.rewrite_setup_py()
-+        else:
-+            raise ValueError(
-+                'Cannot load version from {}'.format(self.specfile)
-+            )
-+
-+    def get_version(self):
-+        version = release = None
-+        with open(self.specfile) as f:
-+            for line in f:
-+                if version is None:
-+                    match = self.version_re.match(line)
-+                    if match is not None:
-+                        version = match.group(1)
-+                if release is None:
-+                    match = self.release_re.match(line)
-+                    if match is not None:
-+                        release = match.group(1)
-+                if version is not None and release is not None:
-+                    break
-+        if version is None or release is None:
-+            raise ValueError(version, release)
-+        return version, release
-+
-+    def rewrite_setup_py(self):
-+        with open(__file__) as f:
-+            lines = list(f)
-+        for i, line in enumerate(lines):
-+            if line.startswith('VERSION ='):
-+                lines[i] = "VERSION = '{}'\n".format(self.rpm_version)
-+        with open(__file__, 'w') as f:
-+            f.write(''.join(lines))
-+
-+
-+# auto-generated by version_info
-+VERSION = None
-+
- 
- setup(
-     author='Dogtag Certificate System Team',
-@@ -85,7 +124,8 @@ and set up in less than an hour.""",
-     keywords='pki x509 cert certificate',
-     url='http://pki.fedoraproject.org/',
-     packages=['pki', 'pki.cli'],
--    requirements=['python-nss', 'requests', 'six'],
-+    install_requires=['python-nss', 'requests', 'six'],
-+    cmdclass={'version_info': VersionInfo},
-     classifiers=[
-         'Development Status :: 5 - Production/Stable',
-         'Environment :: Web Environment',
-@@ -93,7 +133,8 @@ and set up in less than an hour.""",
-         'Operating System :: OS Independent',
-         'Programming Language :: Python :: 2.7',
-         'Programming Language :: Python :: 3.4',
--        'License :: OSI Approved :: GNU Lesser General Public License v3+ (LGPLv3+)',
-+        'License :: OSI Approved :: GNU Lesser General Public License ' +
-+            'v3 or later (LGPLv3+)',
-         'Topic :: Security :: Cryptography',
-     ],
- )
+ .../src/netscape/security/pkcs/PKCS12KeyInfo.java     | 19 +++++++++++++++++++
+ base/util/src/netscape/security/pkcs/PKCS12Util.java  | 17 +++++++++++++++++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java b/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java
+index f180cf2..ddcc3db 100644
+--- a/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java
++++ b/base/util/src/netscape/security/pkcs/PKCS12KeyInfo.java
+@@ -21,6 +21,17 @@ import java.math.BigInteger;
+ 
+ import org.mozilla.jss.crypto.PrivateKey;
+ 
++/**
++ * This object is used for carrying key info around.
++ *
++ * It does not handle raw key material (but it used to).
++ *
++ * FIXME: A clear refactoring opportunity exists.  The 'privateKey'
++ * field (and associated constructor) is only used during export,
++ * and the 'epkiBytes' field (and associated constructor) is only
++ * used during import.  Therefore this should be two different
++ * types.
++ */
+ public class PKCS12KeyInfo {
+ 
+     private PrivateKey privateKey;
+@@ -31,10 +42,18 @@ public class PKCS12KeyInfo {
+     public PKCS12KeyInfo() {
+     }
+ 
++    /**
++     * Construct with a PrivateKey.  This constructor is used
++     * for moving the PrivateKey handle around during export.
++     */
+     public PKCS12KeyInfo(PrivateKey k) {
+         this.privateKey = k;
+     }
+ 
++    /** Construct with a (serialised) EncrypedPrivateKeyInfo.  This
++     * constructor is used for moving the EPKI data around during
++     * import.
++     */
+     public PKCS12KeyInfo(byte[] epkiBytes) {
+         this.epkiBytes = epkiBytes;
+     }
+diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
+index 9f9a35e..31c7126 100644
+--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
++++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
+@@ -102,6 +102,14 @@ public class PKCS12Util {
+         icert.setObjectSigningTrust(PKCS12.decodeFlags(flags[2]));
+     }
+ 
++    /**
++     * Used during EXPORT to add a private key to the PKCS12.
++     *
++     * The private key is exported directly from the token, into
++     * an EncryptedPrivateKeyInfo value, then added as a
++     * "Shrouded Key Bag" to the PKCS #12 object.  Unencrypted
++     * key material is never seen.
++     */
+     public void addKeyBag(PKCS12KeyInfo keyInfo, Password password,
+             SEQUENCE encSafeContents) throws Exception {
+         PrivateKey k = keyInfo.getPrivateKey();
+@@ -346,6 +354,12 @@ public class PKCS12Util {
+         }
+     }
+ 
++    /**
++     * Loads key bags (for IMPORT and other operations on existing
++     * PKCS #12 files).  Does not decrypt EncryptedPrivateKeyInfo
++     * values, but stores them in PKCS12KeyInfo objects for possible
++     * later use.
++     */
+     public PKCS12KeyInfo getKeyInfo(SafeBag bag, Password password) throws Exception {
+ 
+         PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(bag.getBagContent().getEncoded());
+@@ -598,6 +612,9 @@ public class PKCS12Util {
+         }
+     }
+ 
++    /**
++     * Store a certificate (and key, if present) in NSSDB.
++     */
+     public void storeCertIntoNSS(
+             PKCS12 pkcs12, Password password,
+             PKCS12CertInfo certInfo, boolean overwrite)
 -- 
 1.8.3.1
 
 
-From a38b8b875e40d0d8551752af7aa2567d2891384a Mon Sep 17 00:00:00 2001
-From: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
-Date: Mon, 8 Aug 2016 11:34:52 -0700
-Subject: [PATCH 93/96] Ticket #2428 - part2 handle NullPointerException
-
----
- .../src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java    | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
-index caf2cf1..0073bd2 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
-@@ -423,8 +423,8 @@ public class ProfileReviewServlet extends ProfileServlet {
- 
-                 try {
-                     defValue = def.getValue(defName, locale, req);
--                } catch (EPropertyException ee) {
--                    CMS.debug("ProfileReviewServlet: " + ee.toString());
-+                } catch (Exception exp) {
-+                    CMS.debug("ProfileReviewServlet: " + exp.toString());
-                 }
- 
-                 defset.set(ARG_DEF_ID, defName);
--- 
-1.8.3.1
+From 012718d24aff8c37713f42f2ca69c5bd7aec97df Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Thu, 6 Apr 2017 13:27:56 +1000
+Subject: [PATCH 49/49] KRA: use AES in PKCS #12 recovery for wrapped keys
 
+The KRA has two private key recovery code paths: one dealing with
+keys wrapped to the storage key, and one dealing with symmetrically
+encrypted keys.  Each has a separate function for constructing a
+PKCS #12 file for the recovered key.
 
-From a808013629d4b4de886ec1563daebf6ea5138f0c Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Mon, 8 Aug 2016 19:19:16 +0200
-Subject: [PATCH 94/96] Improved SystemConfigService.configure() error message.
+This commit updates the PKCS #12 generation for wrapped keys to use
+AES encryption.  The JSS PBE facility is not expressive enough to
+handle PBES2 encryption, which is necessary for many algorithms
+including AES, so we now use CryptoStore.getEncryptedPrivateKeyInfo.
 
-The pkispawn has been modified to improve the way it displays the
-error message returned by SystemConfigService.configure(). If the
-method throws a PKIException, the response is returned as a JSON
-message, so pkispawn will parse it and display the actual error
-message. For other exceptions pkispawn will display the entire
-HTML message returned by Tomcat.
+Part of: https://pagure.io/dogtagpki/issue/2610
 
-https://fedorahosted.org/pki/ticket/2399
+Change-Id: Iba67f15642338316e4a6d09f78504327e8853b85
+(cherry picked from commit 8e663b6270d9a9409a04bfcb445318a6d5622b52)
 ---
- .../python/pki/server/deployment/pkihelper.py      | 23 +---------------------
- base/server/sbin/pkispawn                          | 20 +++++++++++++++++--
- 2 files changed, 19 insertions(+), 24 deletions(-)
-
-diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
-index 8a1dbdd..b6eacf1 100644
---- a/base/server/python/pki/server/deployment/pkihelper.py
-+++ b/base/server/python/pki/server/deployment/pkihelper.py
-@@ -3959,28 +3959,7 @@ class ConfigClient:
-                     admin_cert = response['adminCert']['cert']
-                     self.process_admin_cert(admin_cert)
- 
--        except Exception as e:
--            config.pki_log.error(
--                log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " + str(e),
--                extra=config.PKI_INDENTATION_LEVEL_2)
--
--            if hasattr(e, 'response'):
--                text = e.response.text  # pylint: disable=E1101
--                try:
--                    root = ET.fromstring(text)
--                except ET.ParseError as pe:
--                    config.pki_log.error(
--                        "ParseError: %s: %s " % (pe, text),
--                        extra=config.PKI_INDENTATION_LEVEL_2)
--                    raise
--
--                if root.tag == 'PKIException':
--                    message = root.findall('.//Message')[0].text
--                    if message is not None:
--                        config.pki_log.error(
--                            log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " +
--                            message,
--                            extra=config.PKI_INDENTATION_LEVEL_2)
-+        except:
- 
-             raise
- 
-diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
-index 13139fa..c87c49a 100755
---- a/base/server/sbin/pkispawn
-+++ b/base/server/sbin/pkispawn
-@@ -527,8 +527,24 @@ def main(argv):
- 
-             scriptlet.spawn(deployer)
- 
--    # pylint: disable=W0703
--    except Exception as e:
-+    except requests.HTTPError as e:
-+        r = e.response
-+        print()
-+
-+        print('Installation failed:')
-+        if r.headers['content-type'] == 'application/json':
-+            data = r.json()
-+            print('%s: %s' % (data['ClassName'], data['Message']))
-+        else:
-+            print(r.text)
-+
-+        print()
-+        print('Please check the %s logs in %s.' %
-+              (config.pki_subsystem, deployer.mdict['pki_subsystem_log_path']))
-+
-+        sys.exit(1)
-+
-+    except Exception as e:  # pylint: disable=broad-except
-         log_error_details()
-         print()
-         print("Installation failed: %s" % e)
+ base/kra/src/com/netscape/kra/RecoveryService.java | 24 ++++++++++++----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
+index 5609b19..eee800a 100644
+--- a/base/kra/src/com/netscape/kra/RecoveryService.java
++++ b/base/kra/src/com/netscape/kra/RecoveryService.java
+@@ -31,6 +31,7 @@ import java.util.Random;
+ 
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.asn1.ASN1Util;
++import org.mozilla.jss.asn1.ANY;
+ import org.mozilla.jss.asn1.ASN1Value;
+ import org.mozilla.jss.asn1.BMPString;
+ import org.mozilla.jss.asn1.OCTET_STRING;
+@@ -38,6 +39,7 @@ import org.mozilla.jss.asn1.SEQUENCE;
+ import org.mozilla.jss.asn1.SET;
+ import org.mozilla.jss.crypto.CryptoToken;
+ import org.mozilla.jss.crypto.PBEAlgorithm;
++import org.mozilla.jss.crypto.EncryptionAlgorithm;
+ import org.mozilla.jss.crypto.PrivateKey;
+ import org.mozilla.jss.pkcs12.AuthenticatedSafes;
+ import org.mozilla.jss.pkcs12.CertBag;
+@@ -484,20 +486,20 @@ public class RecoveryService implements IService {
+             SEQUENCE safeContents = new SEQUENCE();
+             PasswordConverter passConverter = new
+                     PasswordConverter();
+-            Random ran = new SecureRandom();
+-            byte[] salt = new byte[20];
+-            ran.nextBytes(salt);
+ 
+-            ASN1Value key = EncryptedPrivateKeyInfo.createPBE(
+-                    PBEAlgorithm.PBE_SHA1_DES3_CBC,
+-                    pass, salt, 1, passConverter, priKey, ct);
+-            CMS.debug("RecoverService: createPFX() EncryptedPrivateKeyInfo.createPBE() returned");
+-            if (key == null) {
+-                CMS.debug("RecoverService: createPFX() key null");
+-                throw new EBaseException("EncryptedPrivateKeyInfo.createPBE() failed");
++            byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo(
++                /* NSS has a bug that causes any AES CBC encryption
++                 * to use AES-256, but AlgorithmID contains chosen
++                 * alg.  To avoid mismatch, use AES_256_CBC. */
++                passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey);
++            CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned");
++            if (epkiBytes == null) {
++                CMS.debug("RecoverService: createPFX() epkiBytes null");
++                throw new EBaseException("getEncryptedPrivateKeyInfo returned null");
+             } else {
+-                CMS.debug("RecoverService: createPFX() key not null");
++                CMS.debug("RecoverService: createPFX() epkiBytes not null");
+             }
++            ASN1Value key = new ANY(epkiBytes);
+ 
+             SET keyAttrs = createBagAttrs(
+                     x509cert.getSubjectDN().toString(),
 -- 
 1.8.3.1
 
diff --git a/SOURCES/pki-core-ca-cert-request-submit-missing-authentication.patch b/SOURCES/pki-core-ca-cert-request-submit-missing-authentication.patch
deleted file mode 100644
index be93088..0000000
--- a/SOURCES/pki-core-ca-cert-request-submit-missing-authentication.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 5332079797f763e9997685eaf188206c4631daa8 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Tue, 22 Nov 2016 19:29:58 +0100
-Subject: [PATCH] Updated pki-cert man page.
-
-The pki-cert man page has been updated to clarify that certain
-profiles may require authentication and the CLI supports certain
-authentication types.
-
-https://fedorahosted.org/pki/ticket/2289
-(cherry picked from commit 52694cd6acf81446623b6d24947d8d3afdc8536c)
-(cherry picked from commit b99469a9805df722a58fe20ca7160de706b69e7c)
----
- base/java-tools/man/man1/pki-cert.1 | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/base/java-tools/man/man1/pki-cert.1 b/base/java-tools/man/man1/pki-cert.1
-index 7ece1ad..146c82b 100644
---- a/base/java-tools/man/man1/pki-cert.1
-+++ b/base/java-tools/man/man1/pki-cert.1
-@@ -215,7 +215,10 @@ profile, and submit the request using the following command:
- 
- .B pki ca-cert-request-submit <request file>
- 
--Depending on the profile, an agent may need to review the request by running
-+Depending on the profile, the command may require authentication (see the profile configuration file).
-+The CLI currently supports client certificate authentication and directory-based authentication.
-+
-+Also depending on the profile, an agent may need to review and approve the request by running
- the following command:
- 
- .B pki <agent authentication> ca-cert-request-review <request ID> --file <file to store the certificate request>
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-cmc-plugin-default-change.patch b/SOURCES/pki-core-cmc-plugin-default-change.patch
new file mode 100644
index 0000000..2a9b5aa
--- /dev/null
+++ b/SOURCES/pki-core-cmc-plugin-default-change.patch
@@ -0,0 +1,28 @@
+From 7c075ba00c81dd01ebdb3ee455a07a2fe1256f13 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Thu, 29 Jun 2017 15:44:13 -0700
+Subject: [PATCH] Ticket #2779 cmc plugin default change
+
+(cherry picked from commit 876d13c6d20e7e1235b9efbd601b47315debb492)
+---
+ base/ca/shared/conf/CS.cfg | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 4da7429..5a244d7 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -735,8 +735,8 @@ ca.publish.rule.instance.LdapXCertRule.predicate=
+ ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
+ ca.publish.rule.instance.LdapXCertRule.type=xcert
+ cmc.popLinkWitnessRequired=false
+-cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+-cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
++#cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
++#cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+ cmc.token=internal
+ cms.passwordlist=internaldb,replicationdb
+ cms.password.ignore.publishing.failure=true
+-- 
+1.8.3.1
+
diff --git a/SOURCES/pki-core-compare-serial-DNs-host-authz-check.patch b/SOURCES/pki-core-compare-serial-DNs-host-authz-check.patch
deleted file mode 100644
index 9686063..0000000
--- a/SOURCES/pki-core-compare-serial-DNs-host-authz-check.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From bd7606fc9f2f7349ab33c0d9629667533a4fa7cd Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Thu, 22 Sep 2016 12:00:35 +1000
-Subject: [PATCH] Compare serialised DNs in host authority check
-
-CA startup creates an LWCA entry for the host authority if it
-determines that one has not already been created.  It determines if
-an LWCA entry corresponds to the host CA by comparing the DN from
-LDAP with the DN from the host authority's certificate.
-
-If the DN from the host authority's certificate contains values
-encoded as PrintableString, it will compare unequal to the DN from
-LDAP, which parses to UTF8String AVA values.  This causes the
-addition of a spurious host authority entry every time the server
-starts.
-
-Serialise DNs before comparing, to avoid these false negatives.
-
-Fixes: https://fedorahosted.org/pki/ticket/2475
-(cherry picked from commit 84606cc69390187b7f0f11fff41a372fd96f8f93)
----
- base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-index a4f1024..ae90d3a 100644
---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
-+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-@@ -3256,7 +3256,12 @@ public class CertificateAuthority
-         if (descAttr != null)
-             desc = (String) descAttr.getStringValues().nextElement();
- 
--        if (dn.equals(mName)) {
-+        /* Determine if it is the host authority's entry, by
-+         * comparing DNs.  DNs must be serialised in case different
-+         * encodings are used for AVA values, e.g. PrintableString
-+         * from LDAP vs UTF8String in certificate.
-+         */
-+        if (dn.toString().equals(mName.toString())) {
-             CMS.debug("Found host authority");
-             foundHostAuthority = true;
-             this.authorityID = aid;
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-eliminate-duplicate-classes-in-jars.patch b/SOURCES/pki-core-eliminate-duplicate-classes-in-jars.patch
deleted file mode 100644
index a39457a..0000000
--- a/SOURCES/pki-core-eliminate-duplicate-classes-in-jars.patch
+++ /dev/null
@@ -1,245 +0,0 @@
-From 3c6aa16ac1e1350a9700d7a3f9e836a44c9a134e Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 5 Oct 2016 22:58:16 +0200
-Subject: [PATCH] Removed duplicate classes.
-
-The CMake scripts have been modified to store compiled Java classes
-in separate folders for each JAR files to avoid duplicates.
-
-https://fedorahosted.org/pki/ticket/2505
-(cherry picked from commit 0f9212ee0fee093be5e47afc15629d281984ec09)
-(cherry picked from commit 9bfe6101e82319d9f14edc0b0c1c16ca02a0f9a4)
----
- CMakeLists.txt                                     | 1 -
- base/ca/src/CMakeLists.txt                         | 4 ++--
- base/common/src/CMakeLists.txt                     | 4 ++--
- base/java-tools/src/CMakeLists.txt                 | 4 ++--
- base/kra/src/CMakeLists.txt                        | 4 ++--
- base/server/cms/src/CMakeLists.txt                 | 4 ++--
- base/server/cmscore/src/CMakeLists.txt             | 4 ++--
- base/symkey/src/CMakeLists.txt                     | 4 ++--
- base/symkey/src/com/netscape/symkey/CMakeLists.txt | 2 +-
- base/util/src/CMakeLists.txt                       | 8 ++++----
- 10 files changed, 19 insertions(+), 20 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index c746056..457e144 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -54,7 +54,6 @@ macro_ensure_out_of_source_build("${PROJECT_NAME} requires an out of source buil
- include(MacroCopyFile)
- include(Java)
- 
--file(MAKE_DIRECTORY ${CMAKE_BINARY_DIR}/classes)
- file(MAKE_DIRECTORY ${CMAKE_BINARY_DIR}/dist)
- 
- # required for all PKI components
-diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt
-index 854ce28..e612d72 100644
---- a/base/ca/src/CMakeLists.txt
-+++ b/base/ca/src/CMakeLists.txt
-@@ -96,7 +96,7 @@ javac(pki-ca-classes
-         ${PKI_CMSUTIL_JAR} ${PKI_NSUTIL_JAR}
-         ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSCORE_JAR}
-     OUTPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     DEPENDS
-         symkey-jar pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-cmscore-jar
- )
-@@ -114,7 +114,7 @@ jar(pki-ca-jar
-     PARAMS
-         ${CMAKE_CURRENT_BINARY_DIR}/pki-ca.mf
-     INPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     FILES
-         com/netscape/ca/*.class
-         org/dogtagpki/server/ca/*.class
-diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
-index ee41b2f..7ce833c 100644
---- a/base/common/src/CMakeLists.txt
-+++ b/base/common/src/CMakeLists.txt
-@@ -131,7 +131,7 @@ javac(pki-certsrv-classes
-         ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} ${RESTEASY_CLIENT_JAR}
-         ${HTTPCLIENT_JAR} ${HTTPCORE_JAR}
-     OUTPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     DEPENDS
-         pki-nsutil-jar pki-cmsutil-jar
- )
-@@ -149,7 +149,7 @@ jar(pki-certsrv-jar
-     PARAMS
-         ${CMAKE_CURRENT_BINARY_DIR}/pki-certsrv.mf
-     INPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     FILES
-         com/netscape/certsrv/*.class
-         org/dogtagpki/tps/*.class
-diff --git a/base/java-tools/src/CMakeLists.txt b/base/java-tools/src/CMakeLists.txt
-index e7ca5db..6753102 100644
---- a/base/java-tools/src/CMakeLists.txt
-+++ b/base/java-tools/src/CMakeLists.txt
-@@ -100,7 +100,7 @@ javac(pki-tools-classes
-         ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR}
-         ${HTTPCLIENT_JAR} ${HTTPCORE_JAR}
-     OUTPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     DEPENDS
-         pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar
- )
-@@ -118,7 +118,7 @@ jar(pki-tools-jar
-     PARAMS
-         ${CMAKE_CURRENT_BINARY_DIR}/pki-tools.mf
-     INPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     FILES
-         com/netscape/cmstools/*.class
-     DEPENDS
-diff --git a/base/kra/src/CMakeLists.txt b/base/kra/src/CMakeLists.txt
-index 400ec01..c04d7fe 100644
---- a/base/kra/src/CMakeLists.txt
-+++ b/base/kra/src/CMakeLists.txt
-@@ -118,7 +118,7 @@ javac(pki-kra-classes
-         ${PKI_CMSUTIL_JAR} ${PKI_NSUTIL_JAR}
-         ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSCORE_JAR} ${TOMCAT_CATALINA_JAR}
-     OUTPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     DEPENDS
-         symkey-jar pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-cmscore-jar
- )
-@@ -136,7 +136,7 @@ jar(pki-kra-jar
-     PARAMS
-         ${CMAKE_CURRENT_BINARY_DIR}/pki-kra.mf
-     INPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     FILES
-         com/netscape/kra/*.class
-         org/dogtagpki/server/kra/*.class
-diff --git a/base/server/cms/src/CMakeLists.txt b/base/server/cms/src/CMakeLists.txt
-index 93f4a8a..447dcb1 100644
---- a/base/server/cms/src/CMakeLists.txt
-+++ b/base/server/cms/src/CMakeLists.txt
-@@ -133,7 +133,7 @@ javac(pki-cms-classes
-         ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR}
-         ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR} ${PKI_CERTSRV_JAR} ${PKI_TOMCAT_JAR}
-     OUTPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     DEPENDS
-         pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-tomcat-jar
- )
-@@ -151,7 +151,7 @@ jar(pki-cms-jar
-     PARAMS
-         ${CMAKE_CURRENT_BINARY_DIR}/pki-cms.mf
-     INPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     FILES
-         com/netscape/cms/*.class
-         org/dogtagpki/server/*.class
-diff --git a/base/server/cmscore/src/CMakeLists.txt b/base/server/cmscore/src/CMakeLists.txt
-index 32e4351..fe8dba2 100644
---- a/base/server/cmscore/src/CMakeLists.txt
-+++ b/base/server/cmscore/src/CMakeLists.txt
-@@ -133,7 +133,7 @@ javac(pki-cmscore-classes
-         ${HTTPCLIENT_JAR} ${HTTPCORE_JAR}
-         ${NUXWDOG_JAR}
-     OUTPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     DEPENDS
-         pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-tomcat-jar
- )
-@@ -151,7 +151,7 @@ jar(pki-cmscore-jar
-     PARAMS
-         ${CMAKE_CURRENT_BINARY_DIR}/pki-cmscore.mf
-     INPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     FILES
-         com/netscape/cmscore/*.class
-     DEPENDS
-diff --git a/base/symkey/src/CMakeLists.txt b/base/symkey/src/CMakeLists.txt
-index 9a4e10f..8455d59 100644
---- a/base/symkey/src/CMakeLists.txt
-+++ b/base/symkey/src/CMakeLists.txt
-@@ -15,14 +15,14 @@ javac(symkey-classes
-     CLASSPATH
-         ${JSS_JAR}
-     OUTPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
- )
- 
- jar(symkey-jar
-     CREATE
-         ${CMAKE_BINARY_DIR}/dist/symkey.jar
-     INPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     FILES
-         com/netscape/symkey/*.class
-     DEPENDS
-diff --git a/base/symkey/src/com/netscape/symkey/CMakeLists.txt b/base/symkey/src/com/netscape/symkey/CMakeLists.txt
-index 590a7d8..6915ee9 100644
---- a/base/symkey/src/com/netscape/symkey/CMakeLists.txt
-+++ b/base/symkey/src/com/netscape/symkey/CMakeLists.txt
-@@ -42,7 +42,7 @@ add_custom_command(
-         ${symkey_library_HDRS}
-     COMMAND
-         ${Java_JAVAH_EXECUTABLE}
--            -classpath ${CMAKE_BINARY_DIR}/classes:${JAVA_LIB_INSTALL_DIR}/jss4.jar
-+            -classpath ${CMAKE_CURRENT_BINARY_DIR}/../../../classes:${JAVA_LIB_INSTALL_DIR}/jss4.jar
-             -jni -d ${CMAKE_CURRENT_BINARY_DIR}
-             com.netscape.symkey.SessionKey
- )
-diff --git a/base/util/src/CMakeLists.txt b/base/util/src/CMakeLists.txt
-index f374c01..bf531d4 100644
---- a/base/util/src/CMakeLists.txt
-+++ b/base/util/src/CMakeLists.txt
-@@ -76,7 +76,7 @@ javac(pki-nsutil-classes
-         ${APACHE_COMMONS_LANG_JAR} ${LDAPJDK_JAR} ${XALAN_JAR} ${XERCES_JAR}
-         ${JSS_JAR} ${COMMONS_CODEC_JAR}
-     OUTPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
- )
- 
- configure_file(
-@@ -92,7 +92,7 @@ jar(pki-nsutil-jar
-     PARAMS
-         ${CMAKE_CURRENT_BINARY_DIR}/pki-nsutil.mf
-     INPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     FILES
-         netscape/*.class
-     DEPENDS
-@@ -118,7 +118,7 @@ javac(pki-cmsutil-classes
-         ${LDAPJDK_JAR} ${XALAN_JAR} ${XERCES_JAR}
-         ${JSS_JAR} ${COMMONS_CODEC_JAR} ${NUXWDOG_JAR}
-     OUTPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     DEPENDS
-         pki-nsutil-jar
- )
-@@ -136,7 +136,7 @@ jar(pki-cmsutil-jar
-     PARAMS
-         ${CMAKE_CURRENT_BINARY_DIR}/pki-cmsutil.mf
-     INPUT_DIR
--        ${CMAKE_BINARY_DIR}/classes
-+        ${CMAKE_CURRENT_BINARY_DIR}/classes
-     FILES
-         com/netscape/cmsutil/*.class
-     DEPENDS
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-fixed-problem-searching-for-latest-cert-req.patch b/SOURCES/pki-core-fixed-problem-searching-for-latest-cert-req.patch
deleted file mode 100644
index e546a5f..0000000
--- a/SOURCES/pki-core-fixed-problem-searching-for-latest-cert-req.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-commit e1ae89e9f110cf4af75f6ea82a38a9ce085617ac
-Author: Endi S. Dewata <edewata@redhat.com>
-Date:   Thu Jan 26 23:38:53 2017 +0100
-
-    Fixed problem searching the latest certificate request.
-    
-    Previously if a certificate request page only has one entry the
-    entry itself will be removed from the page, resulting in a blank
-    page.
-    
-    The QueryReq.trim() has been modified not to remove the marker
-    entry if it's the only entry in the page.
-    
-    https://fedorahosted.org/pki/ticket/2450
-    
-    (cherry picked from commit 755fb2834d22131628ad1929c1bd4b1cd7592203)
-    (cherry picked from commit 196ae21e55a3210ef9db1ad6b8c84d64d4d1959e)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
-index d05da10..376349b 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
-@@ -503,6 +503,12 @@ public class QueryReq extends CMSServlet {
-      */
-     private void trim(Vector<IRequest> v, RequestId marker) {
-         int i = v.size() - 1;
-+
-+        if (i == 0) {
-+            // do not remove the only element in the list
-+            return;
-+        }
-+
-         if (v.elementAt(i).getRequestId().toString().equals(
-                 marker.toString())) {
-             v.remove(i);
diff --git a/SOURCES/pki-core-javadoc-special-characters.patch b/SOURCES/pki-core-javadoc-special-characters.patch
deleted file mode 100644
index 0e43e3e..0000000
--- a/SOURCES/pki-core-javadoc-special-characters.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-commit ef0710a1b4f1e49aba7877eb90c8274a25240afd
-Author: Endi S. Dewata <edewata@redhat.com>
-Date:   Tue Jan 24 22:00:12 2017 +0100
-
-    Fixed Javadoc failure caused by HTML special characters.
-    
-    The CMSTemplate has been fixed to escape HTML special characters
-    in method documentation.
-    
-    Fixes: https://fedorahosted.org/pki/ticket/2579
-    (cherry picked from commit 8c6707f1117e56c68d147e0b37c018efa3c81fb2)
-    (cherry picked from commit 423c986c57a0baacf1dc8d817dc8b356b9cf0d06)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
-index ba4e840..fe5a14b 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMSTemplate.java
-@@ -343,7 +343,7 @@ public class CMSTemplate extends CMSFile {
- 
-     /**
-      * Escape the contents of src string in preparation to be enclosed in
--     * double quotes as a JavaScript String Literal within an <script>
-+     * double quotes as a JavaScript String Literal within an &lt;script&gt;
-      * portion of an HTML document.
-      * stevep - performance improvements - about 4 times faster than before.
-      */
diff --git a/SOURCES/pki-core-log-properties-and-man-pages.patch b/SOURCES/pki-core-log-properties-and-man-pages.patch
deleted file mode 100644
index 15a2473..0000000
--- a/SOURCES/pki-core-log-properties-and-man-pages.patch
+++ /dev/null
@@ -1,1087 +0,0 @@
-From c5b7d9c16449f63bcf570772badcb5485cead3f7 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 17 Nov 2016 00:10:55 +0100
-Subject: [PATCH 1/8] Removed unused CA and KRA logging.properties.
-
-The logging.properties files in CA and KRA folders are never
-deployed so they have been removed.
-
-https://fedorahosted.org/pki/ticket/1897
-(cherry picked from commit f6ee4065c0bdb59e22fa92c5f56d49851f4ec6e1)
-(cherry picked from commit 038f18ae08e760f96524a73c02f452711601bdb0)
----
- base/ca/shared/conf/logging.properties  | 70 ---------------------------------
- base/kra/shared/conf/logging.properties | 70 ---------------------------------
- 2 files changed, 140 deletions(-)
- delete mode 100644 base/ca/shared/conf/logging.properties
- delete mode 100644 base/kra/shared/conf/logging.properties
-
-diff --git a/base/ca/shared/conf/logging.properties b/base/ca/shared/conf/logging.properties
-deleted file mode 100644
-index 796cfc0..0000000
---- a/base/ca/shared/conf/logging.properties
-+++ /dev/null
-@@ -1,70 +0,0 @@
--# --- BEGIN COPYRIGHT BLOCK ---
--# Copyright (C) 2006-2010 Red Hat, Inc.
--# All rights reserved.
--# Modifications: configuration parameters
--# --- END COPYRIGHT BLOCK ---
--
--# Licensed to the Apache Software Foundation (ASF) under one or more
--# contributor license agreements.  See the NOTICE file distributed with
--# this work for additional information regarding copyright ownership.
--# The ASF licenses this file to You under the Apache License, Version 2.0
--# (the "License"); you may not use this file except in compliance with
--# the License.  You may obtain a copy of the License at
--#
--#     http://www.apache.org/licenses/LICENSE-2.0
--#
--# Unless required by applicable law or agreed to in writing, software
--# distributed under the License is distributed on an "AS IS" BASIS,
--# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--# See the License for the specific language governing permissions and
--# limitations under the License.
--
--handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
--
--.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
--
--############################################################
--# Handler specific properties.
--# Describes specific configuration info for Handlers.
--############################################################
--
--1catalina.org.apache.juli.FileHandler.level = FINE
--1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
--1catalina.org.apache.juli.FileHandler.prefix = catalina.
--
--2localhost.org.apache.juli.FileHandler.level = FINE
--2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
--2localhost.org.apache.juli.FileHandler.prefix = localhost.
--
--3manager.org.apache.juli.FileHandler.level = FINE
--3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
--3manager.org.apache.juli.FileHandler.prefix = manager.
--
--4host-manager.org.apache.juli.FileHandler.level = FINE
--4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
--4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
--
--java.util.logging.ConsoleHandler.level = FINE
--java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
--
--
--############################################################
--# Facility specific properties.
--# Provides extra control for each logger.
--############################################################
--
--org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
--org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
--
--org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
--org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
--
--org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
--org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
--
--# For example, set the com.xyz.foo logger to only log SEVERE
--# messages:
--#org.apache.catalina.startup.ContextConfig.level = FINE
--#org.apache.catalina.startup.HostConfig.level = FINE
--#org.apache.catalina.session.ManagerBase.level = FINE
--#org.apache.catalina.core.AprLifecycleListener.level=FINE
-diff --git a/base/kra/shared/conf/logging.properties b/base/kra/shared/conf/logging.properties
-deleted file mode 100644
-index 796cfc0..0000000
---- a/base/kra/shared/conf/logging.properties
-+++ /dev/null
-@@ -1,70 +0,0 @@
--# --- BEGIN COPYRIGHT BLOCK ---
--# Copyright (C) 2006-2010 Red Hat, Inc.
--# All rights reserved.
--# Modifications: configuration parameters
--# --- END COPYRIGHT BLOCK ---
--
--# Licensed to the Apache Software Foundation (ASF) under one or more
--# contributor license agreements.  See the NOTICE file distributed with
--# this work for additional information regarding copyright ownership.
--# The ASF licenses this file to You under the Apache License, Version 2.0
--# (the "License"); you may not use this file except in compliance with
--# the License.  You may obtain a copy of the License at
--#
--#     http://www.apache.org/licenses/LICENSE-2.0
--#
--# Unless required by applicable law or agreed to in writing, software
--# distributed under the License is distributed on an "AS IS" BASIS,
--# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--# See the License for the specific language governing permissions and
--# limitations under the License.
--
--handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
--
--.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
--
--############################################################
--# Handler specific properties.
--# Describes specific configuration info for Handlers.
--############################################################
--
--1catalina.org.apache.juli.FileHandler.level = FINE
--1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
--1catalina.org.apache.juli.FileHandler.prefix = catalina.
--
--2localhost.org.apache.juli.FileHandler.level = FINE
--2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
--2localhost.org.apache.juli.FileHandler.prefix = localhost.
--
--3manager.org.apache.juli.FileHandler.level = FINE
--3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
--3manager.org.apache.juli.FileHandler.prefix = manager.
--
--4host-manager.org.apache.juli.FileHandler.level = FINE
--4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
--4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
--
--java.util.logging.ConsoleHandler.level = FINE
--java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
--
--
--############################################################
--# Facility specific properties.
--# Provides extra control for each logger.
--############################################################
--
--org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
--org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
--
--org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
--org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
--
--org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
--org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
--
--# For example, set the com.xyz.foo logger to only log SEVERE
--# messages:
--#org.apache.catalina.startup.ContextConfig.level = FINE
--#org.apache.catalina.startup.HostConfig.level = FINE
--#org.apache.catalina.session.ManagerBase.level = FINE
--#org.apache.catalina.core.AprLifecycleListener.level=FINE
--- 
-1.8.3.1
-
-
-From b64fa73078df0e750a54fd8ee4fb1581f5be0e97 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 17 Nov 2016 00:27:58 +0100
-Subject: [PATCH 3/8] Updated logging.properties.
-
-To reduce maintenance the logging.properties is no longer copied
-into the instance folder during deployment. Instead, a link will
-be created in /etc/pki/<instance> pointing to the default file
-in /usr/share/pki/server/conf.
-
-The default logging.properties has been updated to only log
-messages with level WARNING or higher on the console.
-
-https://fedorahosted.org/pki/ticket/1897
-(cherry picked from commit e674bc51b4d23bc362a1312addd0b09625cf5747)
-(cherry picked from commit 882ad281c235cbe3a3074d1da00acb8c1b486d6f)
----
- base/common/share/etc/logging.properties           |  1 +
- .../deployment/scriptlets/instance_layout.py       | 16 +++++++++++++--
- base/server/share/conf/logging.properties          | 24 +++++-----------------
- 3 files changed, 20 insertions(+), 21 deletions(-)
-
-diff --git a/base/common/share/etc/logging.properties b/base/common/share/etc/logging.properties
-index bd5b5b6..fe879c4 100644
---- a/base/common/share/etc/logging.properties
-+++ b/base/common/share/etc/logging.properties
-@@ -26,3 +26,4 @@ java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
- java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n
- 
- .level = WARNING
-+.handlers = java.util.logging.ConsoleHandler
-diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
-index c470c7f..07eecbd 100644
---- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
-+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
-@@ -55,6 +55,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                 deployer.mdict['pki_instance_configuration_path'],
-                 ignore_cb=file_ignore_callback_src_server)
- 
-+            # Link /etc/pki/<instance>/logging.properties
-+            # to /usr/share/pki/server/conf/logging.properties.
-+            deployer.symlink.create(
-+                os.path.join(deployer.mdict['pki_source_server_path'], "logging.properties"),
-+                os.path.join(deployer.mdict['pki_instance_configuration_path'],
-+                             "logging.properties"))
-+
-             # create /etc/sysconfig/<instance>
-             deployer.file.copy_with_slot_substitution(
-                 deployer.mdict['pki_source_tomcat_conf'],
-@@ -219,5 +226,10 @@ def file_ignore_callback_src_server(src, names):
-     config.pki_log.info(log.FILE_EXCLUDE_CALLBACK_2, src, names,
-                         extra=config.PKI_INDENTATION_LEVEL_1)
- 
--    excludes = {'schema.ldif', 'database.ldif', 'manager.ldif', 'pki.xml'}
--    return excludes
-+    return {
-+        'schema.ldif',
-+        'database.ldif',
-+        'manager.ldif',
-+        'pki.xml',
-+        'logging.properties'
-+    }
-diff --git a/base/server/share/conf/logging.properties b/base/server/share/conf/logging.properties
-index dfdc0a4..7c1ac37 100644
---- a/base/server/share/conf/logging.properties
-+++ b/base/server/share/conf/logging.properties
-@@ -21,28 +21,11 @@
- 
- handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
- 
--.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
--
- ############################################################
- # Handler specific properties.
- # Describes specific configuration info for Handlers.
- ############################################################
- 
--# Change the following settings to allow for more granular debugging:
--#
--#     * 1catalina.org.apache.juli.FileHandler.level = ALL
--#     * 2localhost.org.apache.juli.FileHandler.level = ALL
--#
--# and add the following lines to the end of this file:
--#
--#     * org.apache.catalina.loader.level = FINEST
--#     * org.apache.catalina.loader.WebappClassLoader.level = FINEST
--#     * org.apache.catalina.loader.StandardClassLoader.level = FINEST
--#     * com.netscape.cms.servlet.base.level = FINEST
--#     * com.netscape.cms.servlet.base.CMSStartServlet.level = FINEST
--#     * java.net.URLClassLoader.level = FINEST
--#
--
- 1catalina.org.apache.juli.FileHandler.level = FINE
- 1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
- 1catalina.org.apache.juli.FileHandler.prefix = catalina.
-@@ -59,15 +42,18 @@ handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.Fil
- 4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
- 4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
- 
--java.util.logging.ConsoleHandler.level = FINE
-+java.util.logging.ConsoleHandler.level = ALL
- java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
--
-+java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n
- 
- ############################################################
- # Facility specific properties.
- # Provides extra control for each logger.
- ############################################################
- 
-+.level = WARNING
-+.handlers = java.util.logging.ConsoleHandler
-+
- org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
- org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
- 
--- 
-1.8.3.1
-
-
-From c7f0585680dbfdd0019da6d2713dc9b1ded42761 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 17 Nov 2016 03:41:25 +0100
-Subject: [PATCH 4/8] Updated log4j.properties.
-
-To reduce maintenance the log4j.properties is no longer copied
-into the instance folder during deployment. Instead, a link will
-be created in the /var/lib/pki/<instance>/lib folder pointing to
-the default file in /usr/share/pki/server/conf.
-
-The default log4j.properties has been updated to remove redundant
-lines. By default only log messages with level WARN or higher will
-be logged on the console.
-
-https://fedorahosted.org/pki/ticket/1897
-(cherry picked from commit bfd7fc1c9ec665b4affda5bf48c9aca20f8f5775)
-(cherry picked from commit 4f381a0832ec069370f9461aabbbd1033371d6b0)
----
- .../deployment/scriptlets/instance_layout.py       |  7 +++-
- base/server/share/conf/log4j.properties            | 45 ++++++++++------------
- 2 files changed, 27 insertions(+), 25 deletions(-)
-
-diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
-index 07eecbd..330aa46 100644
---- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
-+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
-@@ -139,8 +139,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                     os.path.join(
-                         deployer.mdict['pki_instance_lib'],
-                         name))
-+
-+            # Link /var/lib/pki/<instance>/lib/log4j.properties
-+            # to /usr/share/pki/server/conf/log4j.properties.
-             deployer.symlink.create(
--                deployer.mdict['pki_instance_conf_log4j_properties'],
-+                os.path.join(deployer.mdict['pki_source_server_path'],
-+                             "log4j.properties"),
-                 deployer.mdict['pki_instance_lib_log4j_properties'])
- 
-             # Link /var/lib/pki/<instance>/common to /usr/share/pki/server/common
-@@ -231,5 +235,6 @@ def file_ignore_callback_src_server(src, names):
-         'database.ldif',
-         'manager.ldif',
-         'pki.xml',
-+        'log4j.properties',
-         'logging.properties'
-     }
-diff --git a/base/server/share/conf/log4j.properties b/base/server/share/conf/log4j.properties
-index dd4bd93..43b6009 100644
---- a/base/server/share/conf/log4j.properties
-+++ b/base/server/share/conf/log4j.properties
-@@ -1,30 +1,27 @@
- # --- BEGIN COPYRIGHT BLOCK ---
--# Copyright (C) 2012 Red Hat, Inc.
-+# Copyright (C) 2016 Red Hat, Inc.
- # All rights reserved.
- # Modifications: configuration parameters
- # --- END COPYRIGHT BLOCK ---
- 
--log4j.rootLogger=debug, R
--log4j.appender.R=org.apache.log4j.RollingFileAppender
--log4j.appender.R.File=${catalina.base}/logs/catalina.out
--log4j.appender.R.MaxFileSize=10MB
--log4j.appender.R.MaxBackupIndex=10
--log4j.appender.R.layout=org.apache.log4j.PatternLayout
--log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
--log4j.logger.org.apache.catalina=DEBUG, R
--log4j.logger.org.apache.catalina.core.ContainerBase.[Catalina].[localhost]=DEBUG, R
--log4j.logger.org.apache.catalina.core=DEBUG, R
--log4j.logger.org.apache.catalina.session=DEBUG, R
-+# Licensed to the Apache Software Foundation (ASF) under one or more
-+# contributor license agreements.  See the NOTICE file distributed with
-+# this work for additional information regarding copyright ownership.
-+# The ASF licenses this file to You under the Apache License, Version 2.0
-+# (the "License"); you may not use this file except in compliance with
-+# the License.  You may obtain a copy of the License at
-+#
-+#     http://www.apache.org/licenses/LICENSE-2.0
-+#
-+# Unless required by applicable law or agreed to in writing, software
-+# distributed under the License is distributed on an "AS IS" BASIS,
-+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+# See the License for the specific language governing permissions and
-+# limitations under the License.
- 
--#resteasy
--log4j.appender.stdout=org.apache.log4j.ConsoleAppender
--log4j.appender.stdout.Target=System.out
--log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
--log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p (%c:%L) - %m%n
--log4j.rootLogger=warn, stdout
--log4j.rootCategory=debug, stdout
--log4j.category.org.jboss.resteasy.core=debug
--log4j.category.org.jboss.resteasy.plugins.providers=debug
--log4j.category.org.jboss.resteasy.specimpl=debug
--log4j.category.org.jboss.resteasy.plugins.server=debug
--log4j.logger.org.jboss.resteasy.mock=debug
-+log4j.appender.console = org.apache.log4j.ConsoleAppender
-+log4j.appender.console.Target = System.err
-+log4j.appender.console.layout = org.apache.log4j.PatternLayout
-+log4j.appender.console.layout.ConversionPattern = %p: %m%n
-+
-+log4j.rootLogger = WARN, console
--- 
-1.8.3.1
-
-
-From 730880bbd32aca11d5dd075c25aca68a8840b883 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Tue, 8 Nov 2016 16:42:01 +0100
-Subject: [PATCH 5/8] Added man pages for logging configuration.
-
-New man pages have been added for the common and server logging
-configurations.
-
-https://fedorahosted.org/pki/ticket/1897
-(cherry picked from commit dbff34d56615e888823c89a4a4f6d476bb1ccf17)
-(cherry picked from commit 751df721c158f98320d6abc37ef4380acf29a42a)
----
- base/common/man/man5/pki-logging.5        |  94 +++++++++++++++
- base/common/share/etc/logging.properties  |   2 -
- base/server/man/man5/pki-server-logging.5 | 191 ++++++++++++++++++++++++++++++
- 3 files changed, 285 insertions(+), 2 deletions(-)
- create mode 100644 base/common/man/man5/pki-logging.5
- create mode 100644 base/server/man/man5/pki-server-logging.5
-
-diff --git a/base/common/man/man5/pki-logging.5 b/base/common/man/man5/pki-logging.5
-new file mode 100644
-index 0000000..ab37402
---- /dev/null
-+++ b/base/common/man/man5/pki-logging.5
-@@ -0,0 +1,94 @@
-+.\" First parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH pki-logging 5 "November 3, 2016" "version 10.3" "PKI Common Logging Configuration" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh        disable hyphenation
-+.\" .hy        enable hyphenation
-+.\" .ad l      left justify
-+.\" .ad b      justify to both left and right margins
-+.\" .nf        disable filling
-+.\" .fi        enable filling
-+.\" .br        insert line break
-+.\" .sp <n>    insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+pki-logging \- PKI Common Logging Configuration
-+
-+.SH LOCATION
-+/usr/share/pki/etc/logging.properties, /etc/pki/logging.properties
-+
-+.SH DESCRIPTION
-+
-+PKI clients and tools use java.util.logging (JUL) as the logging framework
-+(see https://docs.oracle.com/javase/8/docs/api/java/util/logging/package-summary.html).
-+
-+The default logging configuration is located at /usr/share/pki/etc/logging.properties.
-+
-+By default only log messages with level WARNING or higher will be logged on the console.
-+
-+.IP
-+.nf
-+java.util.logging.ConsoleHandler.level = ALL
-+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
-+java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n
-+
-+\[char46]level = WARNING
-+\[char46]handlers = java.util.logging.ConsoleHandler
-+.fi
-+.PP
-+
-+For more information see the following documents:
-+
-+.nf
-+- https://docs.oracle.com/javase/8/docs/api/java/util/logging/ConsoleHandler.html
-+- https://docs.oracle.com/javase/8/docs/api/java/util/logging/Level.html
-+- https://docs.oracle.com/javase/8/docs/api/java/util/logging/SimpleFormatter.html
-+- https://docs.oracle.com/javase/8/docs/api/java/util/Formatter.html
-+.fi
-+
-+.SH CUSTOMIZATION
-+
-+To customize the logging configuration, copy the default logging configuration into a new location:
-+
-+$ cp /usr/share/pki/etc/logging.properties /etc/pki/logging.properties
-+
-+Then edit the file as needed.
-+For example, to troubleshoot issues with PKI library add the following lines:
-+
-+.IP
-+.nf
-+netscape.level = ALL
-+com.netscape.level = ALL
-+org.dogtagpki.level = ALL
-+.fi
-+.PP
-+
-+To troubleshoot issues with RESTEasy add the following line:
-+
-+.IP
-+.nf
-+org.jboss.resteasy.level = ALL
-+.fi
-+.PP
-+
-+Then specify the location of the custom logging configuration in the following parameter in /etc/pki/pki.conf:
-+
-+.IP
-+.nf
-+LOGGING_CONFIG=/etc/pki/logging.properties
-+.fi
-+.PP
-+
-+Then restart the application.
-+
-+.SH AUTHORS
-+Dogtag Team <pki-devel@redhat.com>.
-+
-+.SH COPYRIGHT
-+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-+
-+.SH SEE ALSO
-+.BR pki-server-logging(5)
-diff --git a/base/common/share/etc/logging.properties b/base/common/share/etc/logging.properties
-index fe879c4..2a14c4e 100644
---- a/base/common/share/etc/logging.properties
-+++ b/base/common/share/etc/logging.properties
-@@ -19,8 +19,6 @@
- # See the License for the specific language governing permissions and
- # limitations under the License.
- 
--handlers = java.util.logging.ConsoleHandler
--
- java.util.logging.ConsoleHandler.level = ALL
- java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
- java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n
-diff --git a/base/server/man/man5/pki-server-logging.5 b/base/server/man/man5/pki-server-logging.5
-new file mode 100644
-index 0000000..9aed7d8
---- /dev/null
-+++ b/base/server/man/man5/pki-server-logging.5
-@@ -0,0 +1,191 @@
-+.\" First parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH pki-server-logging 5 "November 3, 2016" "version 10.3" "PKI Server Logging Configuration" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh        disable hyphenation
-+.\" .hy        enable hyphenation
-+.\" .ad l      left justify
-+.\" .ad b      justify to both left and right margins
-+.\" .nf        disable filling
-+.\" .fi        enable filling
-+.\" .br        insert line break
-+.\" .sp <n>    insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+pki-server-logging \- PKI Server Logging Configuration
-+
-+.SH LOCATION
-+/etc/pki/<instance>/logging.properties, /var/lib/pki/<instance>/lib/log4j.properties, /etc/pki/<instance>/<subsystem>/CS.cfg
-+
-+.SH DESCRIPTION
-+
-+PKI server logging can be configured using the following logging frameworks:
-+
-+.nf
-+- java.util.logging (JUL) (https://docs.oracle.com/javase/8/docs/api/java/util/logging/package-summary.html)
-+- Log4j (http://logging.apache.org/log4j/1.2/)
-+- Internal Logging
-+.fi
-+
-+.SS  java.util.logging (JUL)
-+
-+Tomcat uses JUL as the default logging framework.
-+The configuration is described in http://tomcat.apache.org/tomcat-7.0-doc/logging.html and http://tomcat.apache.org/tomcat-8.0-doc/logging.html.
-+
-+The default configuration is located at /usr/share/pki/server/conf/logging.properties.
-+During server deployment a link will be created at /etc/pki/<instance>/logging.properties.
-+
-+By default only log messages with level WARNING or higher will be logged on the console (i.e. systemd journal).
-+
-+.IP
-+.nf
-+java.util.logging.ConsoleHandler.level = ALL
-+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
-+java.util.logging.SimpleFormatter.format = %4$s: %5$s%6$s%n
-+
-+\[char46]level = WARNING
-+\[char46]handlers = java.util.logging.ConsoleHandler
-+.fi
-+.PP
-+
-+The systemd journal can be viewed with the following command:
-+
-+.nf
-+$ journalctl -u pki-tomcatd@<instance>.service
-+.fi
-+
-+For more information see the following documents:
-+
-+.nf
-+- https://docs.oracle.com/javase/8/docs/api/java/util/logging/ConsoleHandler.html
-+- https://docs.oracle.com/javase/8/docs/api/java/util/logging/Level.html
-+- https://docs.oracle.com/javase/8/docs/api/java/util/logging/SimpleFormatter.html
-+- https://docs.oracle.com/javase/8/docs/api/java/util/Formatter.html
-+.fi
-+
-+.SS Log4j
-+
-+The default Tomcat 7 classpath does include Log4j, but the server itself is not configured to use Log4j for logging by default.
-+However, since the Log4j is in the classpath the RESTEasy will use Log4j for logging automatically (see https://docs.jboss.org/resteasy/docs/3.0.6.Final/userguide/html/Installation_Configuration.html#RESTEasyLogging).
-+
-+The default Log4j configuration is located at /usr/share/pki/server/conf/log4j.properties.
-+During server deployment a link will be created at /var/lib/pki/<instance>/lib/log4j.properties.
-+
-+By default only log messages with level WARN or higher will be logged on the console (i.e. systemd journal).
-+
-+.IP
-+.nf
-+log4j.appender.console = org.apache.log4j.ConsoleAppender
-+log4j.appender.console.Target = System.err
-+log4j.appender.console.layout = org.apache.log4j.PatternLayout
-+log4j.appender.console.layout.ConversionPattern = %p: %m%n
-+
-+log4j.rootLogger = WARN, console
-+.fi
-+.PP
-+
-+The default Tomcat 8 classpath does not include Log4j, so RESTEasy will use JUL instead.
-+
-+For more information see the following documents:
-+
-+.nf
-+- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/ConsoleAppender.html
-+- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/Level.html
-+- http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/PatternLayout.html
-+.fi
-+
-+.SS Internal  Logging
-+
-+Each PKI subsystem uses an internal logging framework for debugging purposes.
-+
-+The logging configuration is stored in /etc/pki/<instance>/<subsystem>/CS.cfg.
-+
-+.IP
-+.nf
-+debug.enabled=true
-+debug.level=0
-+debug.filename=/var/lib/pki/<instance>/logs/<subsystem>/debug
-+debug.hashkeytypes=
-+debug.showcaller=false
-+.fi
-+.PP
-+
-+The \fBdebug.enabled\fP determines whether the debug log is enabled. By default it is enabled.
-+
-+The \fBdebug.level\fP determines the amount of details to be logged. The value ranges from 0 (most details) to 10 (least details). The default is 0.
-+
-+The \fBdebug.filename\fP determines the debug log file location. By default it is located at /var/lib/pki/<instance>/logs/<subsystem>/debug.
-+
-+The \fBdebug.hashkeytypes\fP is a comma-separated list of additional components to log. By default it's empty.
-+
-+The \fBdebug.showcaller\fP determines whether to include the caller information in the log message. By default it's disabled.
-+
-+.SH CUSTOMIZATION
-+
-+.SS  java.util.logging (JUL)
-+
-+To customize JUL configuration, replace the link with a copy of the default configuration:
-+
-+.nf
-+$ rm -f /etc/pki/<instance>/logging.properties
-+$ cp /usr/share/pki/server/conf/logging.properties /etc/pki/<instance>
-+$ chown pkiuser.pkiuser /etc/pki/<instance>/logging.properties
-+.fi
-+
-+Then edit the file as needed.
-+For example, to troubleshoot issues with PKI library add the following lines:
-+
-+.IP
-+.nf
-+netscape.level = ALL
-+com.netscape.level = ALL
-+org.dogtagpki.level = ALL
-+.fi
-+.PP
-+
-+To troubleshoot issues with RESTEasy add the following line (unless Log4j is installed in Tomcat classpath):
-+
-+.IP
-+.nf
-+org.jboss.resteasy.level = ALL
-+.fi
-+.PP
-+
-+Then restart the server.
-+
-+.SS Log4j
-+
-+To customize Log4j configuration, replace the link with a copy of the default configuration:
-+
-+.nf
-+$ rm -f /var/lib/pki/<instance>/lib/log4j.properties
-+$ cp /usr/share/pki/server/conf/log4j.properties /var/lib/pki/<instance>/lib
-+$ chown pkiuser.pkiuser /var/lib/pki/<instance>/lib/log4j.properties
-+.fi
-+
-+Then edit the file as needed.
-+For example, to troubleshoot issues with RESTEasy add the following line (unless Log4j is not installed in Tomcat classpath):
-+
-+.IP
-+.nf
-+log4j.logger.org.jboss.resteasy = ALL
-+.fi
-+.PP
-+
-+Then restart the server.
-+
-+.SS Internal  Logging
-+
-+To customize the internal logging configuration, edit the CS.cfg as needed, then restart the server.
-+
-+.SH AUTHORS
-+Dogtag Team <pki-devel@redhat.com>.
-+
-+.SH COPYRIGHT
-+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-+
-+.SH SEE ALSO
-+.BR pki-logging(5)
--- 
-1.8.3.1
-
-
-From f76d73502c7b013f0fe7eb3b5665553a8005ad02 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Sat, 29 Oct 2016 07:53:02 +0200
-Subject: [PATCH 7/8] Added man pages for PKCS #12 utilities.
-
-New man pages have been added: pki-pkcs12, pki-pkcs12-cert, and
-pki-pkcs12-key.
-
-https://fedorahosted.org/pki/ticket/1920
-(cherry picked from commit e8b2aa675f617efd2d40984651e0b501dc334690)
-(cherry picked from commit 580410f5b2a90a46b0a456c2a6c8523e56e55f77)
----
- base/java-tools/man/man1/pki-pkcs12-cert.1 | 122 +++++++++++++++++++++++++++++
- base/java-tools/man/man1/pki-pkcs12-key.1  |  76 ++++++++++++++++++
- base/java-tools/man/man1/pki-pkcs12.1      | 114 +++++++++++++++++++++++++++
- 3 files changed, 312 insertions(+)
- create mode 100644 base/java-tools/man/man1/pki-pkcs12-cert.1
- create mode 100644 base/java-tools/man/man1/pki-pkcs12-key.1
- create mode 100644 base/java-tools/man/man1/pki-pkcs12.1
-
-diff --git a/base/java-tools/man/man1/pki-pkcs12-cert.1 b/base/java-tools/man/man1/pki-pkcs12-cert.1
-new file mode 100644
-index 0000000..8a94de7
---- /dev/null
-+++ b/base/java-tools/man/man1/pki-pkcs12-cert.1
-@@ -0,0 +1,122 @@
-+.\" First parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH pki-pkcs12-cert 1 "Oct 28, 2016" "version 10.3" "PKI PKCS #12 Certificate Management Commands" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh        disable hyphenation
-+.\" .hy        enable hyphenation
-+.\" .ad l      left justify
-+.\" .ad b      justify to both left and right margins
-+.\" .nf        disable filling
-+.\" .fi        enable filling
-+.\" .br        insert line break
-+.\" .sp <n>    insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+pki-pkcs12-cert \- Command-Line Interface for managing individual certificates in PKCS #12 file.
-+
-+.SH SYNOPSIS
-+.nf
-+\fBpki\fR [CLI options] \fBpkcs12-cert\fR
-+\fBpki\fR [CLI options] \fBpkcs12-cert-find\fR [command options]
-+\fBpki\fR [CLI options] \fBpkcs12-cert-export <nickname>\fR [command options]
-+\fBpki\fR [CLI options] \fBpkcs12-cert-add <nickanme>\fR [command options]
-+\fBpki\fR [CLI options] \fBpkcs12-cert-mod <nickname>\fR [command options]
-+\fBpki\fR [CLI options] \fBpkcs12-cert-del <nickname>\fR [command options]
-+.fi
-+
-+.SH DESCRIPTION
-+.PP
-+The \fBpki pkcs12-cert\fR commands provide command-line interfaces to manage certificates in a PKCS #12 file.
-+
-+.PP
-+\fBpki\fR [CLI options] \fBpkcs12-cert-find\fR [command options]
-+.RS 4
-+This command is to list certificates in a PKCS #12 file.
-+.RE
-+.PP
-+\fBpki\fR [CLI options] \fBpkcs12-cert-export <nickname>\fR [command options]
-+.RS 4
-+This command is to export a certificate from a PKCS #12 file.
-+.RE
-+.PP
-+\fBpki\fR [CLI options] \fBpkcs12-cert-add <nickname>\fR [command options]
-+.RS 4
-+This command is to add a certificate into a PKCS #12 file.
-+.RE
-+.PP
-+\fBpki\fR [CLI options] \fBpkcs12-cert-mod <nickname>\fR [command options]
-+.RS 4
-+This command is to modify a certificate in a PKCS #12 file.
-+.RE
-+.PP
-+\fBpki\fR [CLI options] \fBpkcs12-cert-del <nickname>\fR [command options]
-+.RS 4
-+This command is to delete a certificate from a PKCS #12 file.
-+.RE
-+
-+.SH OPTIONS
-+The CLI options are described in \fBpki\fR(1).
-+
-+.SH OPERATIONS
-+
-+To view available profile commands, type \fBpki pkcs12-cert\fP. To view each command's usage, type \fB pki pkcs12-cert-<command> \-\-help\fP.
-+
-+All \fBpkcs12-cert\fP commands require a PKCS #12 file and its password.
-+The PKCS #12 file can be specified with the \fB--pkcs12-file\fP parameter.
-+The password can be specified either directly with the \fB--pkcs12-password\fP parameter, or in a file with the \fB--pkcs12-password-file\fP parameter.
-+
-+Some \fBpki pkcs12-cert\fP commands require an NSS database and its password.
-+The NSS database location can be specified with the \fB-d\fP parameter (default: ~/.dogtag/nssdb).
-+The NSS database password can be specified with the \fB-c\fP or the \fB-C\fP parameter.
-+
-+.SS Viewing certificates in a PKCS #12 file
-+
-+To list the certificates in a PKCS #12 file:
-+
-+.B pki pkcs12-cert-find <PKCS #12 file> <PKCS #12 password>
-+
-+.SS Exporting a certificate from a PKCS #12 file
-+
-+To export a certificate from a PKCS #12 file into a file in PEM format:
-+
-+.B pki pkcs12-cert-export <nickname> <PKCS #12 file> <PKCS #12 password> <cert file>
-+
-+The certificate file can be specified with the \fB--cert-file\fP parameter.
-+
-+.SS Adding a certificate from an NSS database into a PKCS #12 file
-+
-+To add a certificate including its key and trust flags from an NSS database into a PKCS #12 file:
-+
-+.B pki <NSS database location> <NSS database password> pkcs12-cert-add <nickname> <PKCS #12 file> <PKCS #12 password>
-+
-+If the PKCS #12 file does not exist, it will be created automatically.
-+If the PKCS #12 file already exists, the certificate will be added into the file.
-+
-+The trust flags can be overwritten with the \fB--trust-flags\fP parameter.
-+If the key is not needed, specify the \fB--no-key\fP parameter.
-+
-+.SS Modifying a certificate in a PKCS #12 file
-+
-+To modify the trust flags of a certificate in a PKCS #12 file:
-+
-+.B pki pkcs12-cert-mod <nickname> <PKCS #12 file> <PKCS #12 password> <trust flags>
-+
-+The trust flags can be specified with the \fB--trust-flags\fP parameter.
-+
-+.SS Deleting a certificate from a PKCS #12 file
-+
-+To delete a certificate and its key from a PKCS #12 file:
-+
-+.B pki pkcs12-cert-del <nickname> <PKCS #12 file> <PKCS #12 password>
-+
-+.SH AUTHORS
-+Endi S. Dewata <edewata@redhat.com>.
-+
-+.SH COPYRIGHT
-+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-+
-+.SH SEE ALSO
-+.BR pki-pkcs12(1)
-diff --git a/base/java-tools/man/man1/pki-pkcs12-key.1 b/base/java-tools/man/man1/pki-pkcs12-key.1
-new file mode 100644
-index 0000000..884278d
---- /dev/null
-+++ b/base/java-tools/man/man1/pki-pkcs12-key.1
-@@ -0,0 +1,76 @@
-+.\" First parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH pki-pkcs12-key 1 "Oct 28, 2016" "version 10.3" "PKI PKCS #12 Key Management Commands" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh        disable hyphenation
-+.\" .hy        enable hyphenation
-+.\" .ad l      left justify
-+.\" .ad b      justify to both left and right margins
-+.\" .nf        disable filling
-+.\" .fi        enable filling
-+.\" .br        insert line break
-+.\" .sp <n>    insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+pki-pkcs12-key \- Command-Line Interface for managing individual keys in PKCS #12 file.
-+
-+.SH SYNOPSIS
-+.nf
-+\fBpki\fR [CLI options] \fBpkcs12-key\fR
-+\fBpki\fR [CLI options] \fBpkcs12-key-find\fR [command options]
-+\fBpki\fR [CLI options] \fBpkcs12-key-del <key ID>\fR [command options]
-+.fi
-+
-+.SH DESCRIPTION
-+.PP
-+The \fBpki pkcs12-key\fR commands provide command-line interfaces to manage keys in a PKCS #12 file.
-+
-+.PP
-+\fBpki\fR [CLI options] \fBpkcs12-key-find\fR [command options]
-+.RS 4
-+This command is to list keys in a PKCS #12 file.
-+.RE
-+.PP
-+\fBpki\fR [CLI options] \fBpkcs12-key-del <key ID>\fR [command options]
-+.RS 4
-+This command is to delete a key from a PKCS #12 file.
-+.RE
-+
-+.SH OPTIONS
-+The CLI options are described in \fBpki\fR(1).
-+
-+.SH OPERATIONS
-+
-+To view available profile commands, type \fBpki pkcs12-key\fP. To view each command's usage, type \fB pki pkcs12-key-<command> \-\-help\fP.
-+
-+All \fBpkcs12-key\fP commands require a PKCS #12 file and its password.
-+The PKCS #12 file can be specified with the \fB--pkcs12-file\fP parameter.
-+The password can be specified either directly with the \fB--pkcs12-password\fP parameter, or in a file with the \fB--pkcs12-password-file\fP parameter.
-+
-+All \fBpkcs12-key\fP commands also require an NSS database and its password.
-+The NSS database location can be specified with the \fB-d\fP parameter (default: ~/.dogtag/nssdb).
-+The NSS database password can be specified with the \fB-c\fP or the \fB-C\fP parameter.
-+
-+.SS Viewing keys in a PKCS #12 file
-+
-+To list the keys in a PKCS #12 file:
-+
-+.B pki <NSS database location> <NSS database password> pkcs12-key-find <PKCS #12 file> <PKCS #12 password>
-+
-+.SS Deleting a key from a PKCS #12 file
-+
-+To delete a key from a PKCS #12 file:
-+
-+.B pki <NSS database location> <NSS database password> pkcs12-key-del <key ID> <PKCS #12 file> <PKCS #12 password>
-+
-+.SH AUTHORS
-+Endi S. Dewata <edewata@redhat.com>.
-+
-+.SH COPYRIGHT
-+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-+
-+.SH SEE ALSO
-+.BR pki-pkcs12(1)
-diff --git a/base/java-tools/man/man1/pki-pkcs12.1 b/base/java-tools/man/man1/pki-pkcs12.1
-new file mode 100644
-index 0000000..5056930
---- /dev/null
-+++ b/base/java-tools/man/man1/pki-pkcs12.1
-@@ -0,0 +1,114 @@
-+.\" First parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH pki-pkcs12 1 "Oct 28, 2016" "version 10.3" "PKI PKCS #12 Management Commands" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh        disable hyphenation
-+.\" .hy        enable hyphenation
-+.\" .ad l      left justify
-+.\" .ad b      justify to both left and right margins
-+.\" .nf        disable filling
-+.\" .fi        enable filling
-+.\" .br        insert line break
-+.\" .sp <n>    insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+pki-pkcs12 \- Command-Line Interface for managing certificates and keys in PKCS #12 file.
-+
-+.SH SYNOPSIS
-+.nf
-+\fBpki\fR [CLI options] \fBpkcs12\fR
-+\fBpki\fR [CLI options] \fBpkcs12-export\fR [command options]
-+\fBpki\fR [CLI options] \fBpkcs12-import\fR [command options]
-+\fBpki\fR [CLI options] \fBpkcs12-cert\fR [command options]
-+\fBpki\fR [CLI options] \fBpkcs12-key\fR [command options]
-+.fi
-+
-+.SH DESCRIPTION
-+.PP
-+The \fBpki pkcs12\fR commands provide command-line interfaces to manage certificate and keys in a PKCS #12 file.
-+
-+.PP
-+\fBpki\fR [CLI options] \fBpkcs12-export\fR [command options]
-+.RS 4
-+This command is to export all certificates and keys from an NSS database into a PKCS #12 file.
-+.RE
-+.PP
-+\fBpki\fR [CLI options] \fBpkcs12-import\fR [command options]
-+.RS 4
-+This command is to import all certificates and keys from a PKCS #12 file into an NSS database.
-+.RE
-+.PP
-+\fBpki\fR [CLI options] \fBpkcs12-cert\fR [command options]
-+.RS 4
-+This command is to manage individual certificates in a PKCS #12 file. See \fBpki-pkcs12-cert\fR(1).
-+.RE
-+.PP
-+\fBpki\fR [CLI options] \fBpkcs12-key\fR [command options]
-+.RS 4
-+This command is to import individual keys in a PKCS #12 file. See \fBpki-pkcs12-key\fR(1).
-+.RE
-+
-+.SH OPTIONS
-+The CLI options are described in \fBpki\fR(1).
-+
-+.SH OPERATIONS
-+
-+To view available PKCS #12 commands, type \fBpki pkcs12\fP. To view each command's usage, type \fB pki pkcs12-<command> \-\-help\fP.
-+
-+All \fBpki pkcs12\fP commands require a PKCS #12 file and its password.
-+The PKCS #12 file can be specified with the \fB--pkcs12-file\fP parameter.
-+The password can be specified either directly with the \fB--pkcs12-password\fP parameter, or in a file with the \fB--pkcs12-password-file\fP parameter.
-+
-+Some \fBpki pkcs12\fP commands require an NSS database and its password.
-+The NSS database location can be specified with the \fB-d\fP parameter (default: ~/.dogtag/nssdb).
-+The NSS database password can be specified with the \fB-c\fP or the \fB-C\fP parameter.
-+
-+.SS Exporting all certificates and keys into a PKCS #12 file
-+
-+To export all certificates and keys from an NSS database into a PKCS #12 file:
-+
-+.B pki <NSS database location> <NSS database password> pkcs12-export <PKCS #12 file> <PKCS #12 password> [nicknames...]
-+
-+By default the command will export all certificates in the NSS database.
-+To export certain certificates only, specify the certificate nicknames as separate arguments.
-+
-+By default the command will always create a new PKCS #12 file.
-+To export into an existing PKCS #12 file, specify the \fB--append\fP parameter.
-+
-+By default the command will include the certificate chain.
-+To export without certificate chain, specify the \fB--no-chain\fP parameter.
-+
-+By default the command will include the key of each certificate.
-+To export without the key, specify the \fB--no-key\fP parameter.
-+
-+By default the command will include the trust flags of each certificate.
-+To export without the trust flags, specify the \fB--no-trust-flags\fP parameter.
-+
-+.SS Importing certificates and keys from a PKCS #12 file
-+
-+To import certificates and keys from a PKCS #12 file into an NSS database:
-+
-+.B pki <NSS database location> <NSS database password> pkcs12-import <PKCS #12 file> <PKCS #12 password>
-+
-+By default the command will include all certificates in the PKCS #12 file.
-+To import without the CA certificates (certificates without keys), specify the \fB--no-ca-certs\fP parameter.
-+To import without the user certificates (certificates with keys), specify the \fB--no-user-certs\fP parameter.
-+
-+By default the command will skip a certificate if it already exists in the NSS database.
-+To overwrite the nickname, the key, and the trust flags of existing certificates, specify the \fB--overwrite\fP parameter.
-+
-+By default the command will include the trust flags of each certificate.
-+To import without the trust flags, specify the \fB--no-trust-flags\fP parameter.
-+
-+.SH AUTHORS
-+Endi S. Dewata <edewata@redhat.com>.
-+
-+.SH COPYRIGHT
-+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-+
-+.SH SEE ALSO
-+.BR pki-pkcs12-cert(1),
-+.BR pki-pkcs12-key(1)
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-omit-parameter-field-from-ECDSA-certs-Alg-IDs.patch b/SOURCES/pki-core-omit-parameter-field-from-ECDSA-certs-Alg-IDs.patch
deleted file mode 100644
index 59e0b1e..0000000
--- a/SOURCES/pki-core-omit-parameter-field-from-ECDSA-certs-Alg-IDs.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-commit ee6b7ede62f62c6ea4da7fbb88176762a0c1cbc2
-Author: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
-Date:   Fri Jan 20 16:01:17 2017 -0800
-
-    Ticket #1741 ECDSA certs Alg IDs contian parameter field
-    Per rfc5758, When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or ecdsa-with-SHA512 algorithm identifier appears in the algorithm field as an AlgorithmIdentifier, the encoding MUST omit the parameters field.
-    Note: Since we do not support DSA, this patch does not attempt to address them.
-    Also, while we do not claim to support sha224, the patch adds enough code to process the OID just for completeness.  However, it does not attempt to offer it as part of the signing algorithms.
-    
-    (cherry picked from commit 76ca6d1691e56274945b6f03760273208fafd791)
-    (cherry picked from commit 1e567854e643f50a7ca1f24daac0e92359eafe81)
-
-diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java
-index 08c9c4f..a89843e 100644
---- a/base/util/src/netscape/security/x509/AlgorithmId.java
-+++ b/base/util/src/netscape/security/x509/AlgorithmId.java
-@@ -230,10 +230,18 @@ public class AlgorithmId implements Serializable, DerEncoder {
-         try (DerOutputStream tmp = new DerOutputStream()) {
-             DerOutputStream bytes = new DerOutputStream();
-             bytes.putOID(algid);
--            if (params == null)
--                bytes.putNull();
--            else
--                bytes.putDerValue(params);
-+
-+            // omit parameter field for ECDSA
-+            if (!algid.equals(sha224WithEC_oid) &&
-+                    !algid.equals(sha256WithEC_oid) &&
-+                    !algid.equals(sha384WithEC_oid) &&
-+                    !algid.equals(sha512WithEC_oid)) {
-+                if (params == null) {
-+                    bytes.putNull();
-+                } else
-+                    bytes.putDerValue(params);
-+            }
-+
-             tmp.write(DerValue.tag_Sequence, bytes);
-             out.write(tmp.toByteArray());
-         }
-@@ -246,12 +254,19 @@ public class AlgorithmId implements Serializable, DerEncoder {
-     public final byte[] encode() throws IOException {
-         try (DerOutputStream out = new DerOutputStream()) {
-             DerOutputStream bytes = new DerOutputStream();
--
-             bytes.putOID(algid);
--            if (params == null)
--                bytes.putNull();
--            else
--                bytes.putDerValue(params);
-+
-+            // omit parameter field for ECDSA
-+            if (!algid.equals(sha224WithEC_oid) &&
-+                    !algid.equals(sha256WithEC_oid) &&
-+                    !algid.equals(sha384WithEC_oid) &&
-+                    !algid.equals(sha512WithEC_oid)) {
-+                if (params == null) {
-+                    bytes.putNull();
-+                } else
-+                    bytes.putDerValue(params);
-+            }
-+
-             out.write(DerValue.tag_Sequence, bytes);
-             return out.toByteArray();
-         }
-@@ -314,6 +329,9 @@ public class AlgorithmId implements Serializable, DerEncoder {
-         if (name.equals("SHA1withEC") || name.equals("SHA1/EC")
-                 || name.equals("1.2.840.10045.4.1"))
-             return AlgorithmId.sha1WithEC_oid;
-+        if (name.equals("SHA224withEC") || name.equals("SHA224/EC")
-+                || name.equals("1.2.840.10045.4.3.1"))
-+            return AlgorithmId.sha224WithEC_oid;
-         if (name.equals("SHA256withEC") || name.equals("SHA256/EC")
-                 || name.equals("1.2.840.10045.4.3.2"))
-             return AlgorithmId.sha256WithEC_oid;
-@@ -646,6 +664,8 @@ public class AlgorithmId implements Serializable, DerEncoder {
-      */
-     private static final int sha1WithEC_data[] =
-                                    { 1, 2, 840, 10045, 4, 1 };
-+    private static final int sha224WithEC_data[] =
-+                                   { 1, 2, 840, 10045, 4, 3, 1 };
-     private static final int sha256WithEC_data[] =
-                                    { 1, 2, 840, 10045, 4, 3, 2 };
-     private static final int sha384WithEC_data[] =
-@@ -676,6 +696,9 @@ public class AlgorithmId implements Serializable, DerEncoder {
-     public static final ObjectIdentifier sha1WithEC_oid = new
-             ObjectIdentifier(sha1WithEC_data);
- 
-+    public static final ObjectIdentifier sha224WithEC_oid = new
-+            ObjectIdentifier(sha224WithEC_data);
-+
-     public static final ObjectIdentifier sha256WithEC_oid = new
-             ObjectIdentifier(sha256WithEC_data);
- 
diff --git a/SOURCES/pki-core-pkispawn-ecc-key-size-change.patch b/SOURCES/pki-core-pkispawn-ecc-key-size-change.patch
deleted file mode 100644
index 356c7e5..0000000
--- a/SOURCES/pki-core-pkispawn-ecc-key-size-change.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 74b69a5c718b21958cf17287f2fe49d3490dd80e Mon Sep 17 00:00:00 2001
-From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
-Date: Thu, 8 Dec 2016 16:35:20 -0800
-Subject: [PATCH] Resolve: pkispawn does not change default ecc key size from
- nistp256 when nistp384 is specified in spawn config
-
-Ticket #2552.
-
-This fix turned out simple. The client was correctly setting the required data, but it was putting the curveName in the
-"keySize" field of the SystemCertData object sent to the back end. The configuration routine was trying to find the name in the "curveName" field when its really in the "keySize" field. This issue is restricted to the ECC case. It is fine to simply fix this in the server, since the "keySize" is a string anyway and it makes decent sense.
-
-(cherry picked from commit ae350a3d4e0ae9b82fa44ebdfa37654f0083b4c1)
-(cherry picked from commit ad986509b8446d8fbe02d68f4ff62cb3d39c3fdd)
----
- .../cms/src/org/dogtagpki/server/rest/SystemConfigService.java    | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-index 9d7c176..26c97fe 100644
---- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-@@ -34,6 +34,8 @@ import javax.ws.rs.core.HttpHeaders;
- import javax.ws.rs.core.Request;
- import javax.ws.rs.core.UriInfo;
- 
-+import netscape.security.x509.X509CertImpl;
-+
- import org.apache.commons.lang.StringUtils;
- import org.apache.commons.lang.mutable.MutableBoolean;
- import org.mozilla.jss.CryptoManager;
-@@ -66,8 +68,6 @@ import com.netscape.cms.servlet.csadmin.SystemCertDataFactory;
- import com.netscape.cmsutil.crypto.CryptoUtil;
- import com.netscape.cmsutil.util.Utils;
- 
--import netscape.security.x509.X509CertImpl;
--
- /**
-  * @author alee
-  *
-@@ -457,8 +457,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
- 
-         } else if (!request.getStepTwo()) {
-             if (keytype.equals("ecc")) {
--                String curvename = certData.getKeyCurveName() != null ?
--                        certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
-+                String curvename = certData.getKeySize() != null ?
-+                        certData.getKeySize() : cs.getString("keys.ecc.curve.default");
-                 cs.putString("preop.cert." + tag + ".curvename.name", curvename);
-                 ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
- 
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-post-beta.patch b/SOURCES/pki-core-post-beta.patch
new file mode 100644
index 0000000..49bb244
--- /dev/null
+++ b/SOURCES/pki-core-post-beta.patch
@@ -0,0 +1,1733 @@
+From c95cff5899e2975b16db61b811b626742e5e7114 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Mon, 1 May 2017 17:48:33 -0700
+Subject: [PATCH 01/10] Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false
+ would cause error This patch would fix the issue.  It also adds the
+ CMCUserSignedAuth authentication instance that was missed in the CS.cfg
+
+---
+ base/ca/shared/conf/CS.cfg                                        | 1 +
+ .../cms/src/com/netscape/cms/profile/common/EnrollProfile.java    | 8 +++-----
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 078abee..3eb5b1b 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -180,6 +180,7 @@ auths.impl.SessionAuthentication.class=com.netscape.cms.authentication.SessionAu
+ auths.instance.TokenAuth.pluginName=TokenAuth
+ auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
+ auths.instance.AgentCertAuth.pluginName=AgentCertAuth
++auths.instance.CMCUserSignedAuth.pluginName=CMCUserSignedAuth
+ auths.instance.raCertAuth.agentGroup=Registration Manager Agents
+ auths.instance.raCertAuth.pluginName=AgentCertAuth
+ auths.instance.flatFileAuth.pluginName=FlatFileAuth
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 57f07d1..7d52fc8 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -885,10 +885,7 @@ public abstract class EnrollProfile extends BasicProfile
+             }
+ 
+             int nummsgs = reqSeq.size();
+-            if (!popLinkWitnessRequired) {
+-                CMS.debug(method + "popLinkWitnessRequired false, skip check");
+-            } else if (nummsgs > 0) {
+-                CMS.debug(method + "cmc.popLinkWitnessRequired is true");
++            if (nummsgs > 0) {
+                 CMS.debug(method + "nummsgs =" + nummsgs);
+                 msgs = new TaggedRequest[reqSeq.size()];
+                 SEQUENCE bpids = new SEQUENCE();
+@@ -896,7 +893,8 @@ public abstract class EnrollProfile extends BasicProfile
+                 boolean valid = true;
+                 for (int i = 0; i < nummsgs; i++) {
+                     msgs[i] = (TaggedRequest) reqSeq.elementAt(i);
+-                    if (!context.containsKey("POPLinkWitnessV2") &&
++                    if (popLinkWitnessRequired &&
++                            !context.containsKey("POPLinkWitnessV2") &&
+                             !context.containsKey("POPLinkWitness")) {
+                         CMS.debug(method + "popLinkWitness(V2) required");
+                         if (randomSeed == null) {
+-- 
+1.8.3.1
+
+
+From 220e35d2b5610cb051831b990451b3b3ff53604e Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Tue, 2 May 2017 21:44:36 +1000
+Subject: [PATCH 02/10] CAInfoService: retrieve info from KRA
+
+The CAInfoService returns CA configuration info, including
+KRA-related values the CA clients may need to know (e.g. for
+generating a CRMF cert request that will cause keys to be archived
+in KRA).  Currently that information is statically configured and
+does not respect the actual configuration of the KRA.
+
+Update the service to retrieve info from the KRA, which is queried
+according to the KRA Connector configuration.  After the KRA has
+been successfully contacted, the recorded KRA-related settings are
+regarded as authoritative.
+
+The KRA is contacted ONLY if the current info is NOT authoritative,
+otherwise the currently recorded values are used.  This means that
+any change to relevant KRA configuration (which should occur seldom
+if ever) necessitates restart of the CA subsystem.
+
+If this is unsuccessful (e.g. if the KRA is down or the connector is
+misconfigured) we use the default values, which may be incorrect.
+
+Fixes: https://pagure.io/dogtagpki/issue/2665
+Change-Id: I30a37c42ef9327471e8cce8a171f79f388fec746
+---
+ .../org/dogtagpki/server/rest/CAInfoService.java   | 143 ++++++++++++++++++---
+ 1 file changed, 126 insertions(+), 17 deletions(-)
+
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
+index f4724a6..398f499 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
+@@ -18,26 +18,63 @@
+ 
+ package org.dogtagpki.server.rest;
+ 
++import java.net.MalformedURLException;
++import java.net.URISyntaxException;
++
+ import javax.servlet.http.HttpSession;
+ import javax.ws.rs.core.Response;
+ 
+ import org.dogtagpki.common.CAInfo;
+ import org.dogtagpki.common.CAInfoResource;
++import org.dogtagpki.common.KRAInfo;
++import org.dogtagpki.common.KRAInfoClient;
+ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.base.PKIException;
++import com.netscape.certsrv.client.ClientConfig;
++import com.netscape.certsrv.client.PKIClient;
++import com.netscape.certsrv.system.KRAConnectorInfo;
++import com.netscape.cms.servlet.admin.KRAConnectorProcessor;
+ import com.netscape.cms.servlet.base.PKIService;
+ 
+ /**
+  * @author Ade Lee
++ *
++ * This class returns CA info, including KRA-related values the CA
++ * clients may need to know (e.g. for generating a CRMF cert request
++ * that will cause keys to be archived in KRA).
++ *
++ * The KRA-related info is read from the KRAInfoService, which is
++ * queried according to the KRA Connector configuration.  After
++ * the KRAInfoService has been successfully contacted, the recorded
++ * KRA-related settings are regarded as authoritative.
++ *
++ * The KRA is contacted ONLY if the current info is NOT
++ * authoritative, otherwise the currently recorded values are used.
++ * This means that any change to relevant KRA configuration (which
++ * should occur seldom if ever) necessitates restart of the CA
++ * subsystem.
++ *
++ * If this is unsuccessful (e.g. if the KRA is down or the
++ * connector is misconfigured) we use the default values, which
++ * may be incorrect.
+  */
+ public class CAInfoService extends PKIService implements CAInfoResource {
+ 
+     private static Logger logger = LoggerFactory.getLogger(InfoService.class);
+ 
++    // is the current KRA-related info authoritative?
++    private static boolean kraInfoAuthoritative = false;
++
++    // KRA-related fields (the initial values are only used if we
++    // did not yet receive authoritative info from KRA)
++    private static String archivalMechanism = KRAInfoService.KEYWRAP_MECHANISM;
++    private static String wrappingKeySet = "0";
++
+     @Override
+     public Response getInfo() throws Exception {
+ 
+@@ -45,30 +82,102 @@ public class CAInfoService extends PKIService implements CAInfoResource {
+         logger.debug("CAInfoService.getInfo(): session: " + session.getId());
+ 
+         CAInfo info = new CAInfo();
+-        String archivalMechanism = getArchivalMechanism();
+-
+-        if (archivalMechanism != null)
+-            info.setArchivalMechanism(getArchivalMechanism());
+ 
+-        info.setWrappingKeySet(getWrappingKeySet());
++        addKRAInfo(info);
+ 
+         return createOKResponse(info);
+     }
+ 
+-    String getArchivalMechanism() throws EBaseException {
+-        IConfigStore cs = CMS.getConfigStore();
+-        boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false);
+-        if (!kra_present) return null;
+-
+-        boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
+-        return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM;
++    /**
++     * Add KRA fields if KRA is configured, querying the KRA
++     * if necessary.
++     *
++     * Apart from reading 'headers', this method doesn't access
++     * any instance data.
++     */
++    private void addKRAInfo(CAInfo info) {
++        KRAConnectorInfo connInfo = null;
++        try {
++            KRAConnectorProcessor processor =
++                new KRAConnectorProcessor(getLocale(headers));
++            connInfo = processor.getConnectorInfo();
++        } catch (Throwable e) {
++            // connInfo remains as null
++        }
++        boolean kraEnabled =
++            connInfo != null
++            && "true".equalsIgnoreCase(connInfo.getEnable());
++
++        if (kraEnabled) {
++            if (!kraInfoAuthoritative) {
++                // KRA is enabled but we are yet to successfully
++                // query the KRA-related info.  Do it now.
++                queryKRAInfo(connInfo);
++            }
++
++            info.setArchivalMechanism(archivalMechanism);
++            info.setWrappingKeySet(wrappingKeySet);
++        }
+     }
+ 
+-    String getWrappingKeySet() throws EBaseException {
+-        IConfigStore cs = CMS.getConfigStore();
+-        boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false);
+-        if (!kra_present) return null;
++    private static void queryKRAInfo(KRAConnectorInfo connInfo) {
++        try {
++            KRAInfo kraInfo = getKRAInfoClient(connInfo).getInfo();
++
++            archivalMechanism = kraInfo.getArchivalMechanism();
++
++            // request succeeded; the KRA is 10.4 or higher,
++            // therefore supports key set v1
++            wrappingKeySet = "1";
++
++            // mark info as authoritative
++            kraInfoAuthoritative = true;
++        } catch (PKIException e) {
++            if (e.getCode() == 404) {
++                // The KRAInfoResource was added in 10.4,
++                // so we are talking to a pre-10.4 KRA
++
++                // pre-10.4 only supports key set v0
++                wrappingKeySet = "0";
++
++                // pre-10.4 KRA does not advertise the archival
++                // mechanism; look for the old knob in CA's config
++                // or fall back to the default
++                IConfigStore cs = CMS.getConfigStore();
++                boolean encrypt_archival;
++                try {
++                    encrypt_archival = cs.getBoolean(
++                        "kra.allowEncDecrypt.archival", false);
++                } catch (EBaseException e1) {
++                    encrypt_archival = false;
++                }
++                archivalMechanism = encrypt_archival
++                    ? KRAInfoService.ENCRYPT_MECHANISM
++                    : KRAInfoService.KEYWRAP_MECHANISM;
++
++                // mark info as authoritative
++                kraInfoAuthoritative = true;
++            } else {
++                CMS.debug("Failed to retrieve archive wrapping information from the CA: " + e);
++                CMS.debug(e);
++            }
++        } catch (Throwable e) {
++            CMS.debug("Failed to retrieve archive wrapping information from the CA: " + e);
++            CMS.debug(e);
++        }
++    }
+ 
+-        return cs.getString("kra.wrappingKeySet", "1");
++    /**
++     * Construct KRAInfoClient given KRAConnectorInfo
++     */
++    private static KRAInfoClient getKRAInfoClient(KRAConnectorInfo connInfo)
++            throws MalformedURLException, URISyntaxException, EBaseException {
++        ClientConfig config = new ClientConfig();
++        int port = Integer.parseInt(connInfo.getPort());
++        config.setServerURL("https", connInfo.getHost(), port);
++        config.setCertDatabase(
++            CMS.getConfigStore().getString("instanceRoot") + "/alias");
++        return new KRAInfoClient(new PKIClient(config), "kra");
+     }
++
+ }
+-- 
+1.8.3.1
+
+
+From c64d6331d52dcf07108226c5dff26bd8b6c41e70 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Thu, 4 May 2017 10:36:49 +0200
+Subject: [PATCH 03/10] pki.authority: Don't send header as POST body
+
+pki.authority was mistakenly sending headers as POST body instead of
+sending an empty POST body with right headers.
+
+Change-Id: I6a5089e55233cf72f4d8e79832150e7c45f0fdae
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ base/common/python/pki/authority.py | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py
+index 9fa459c..0d83a4b 100644
+--- a/base/common/python/pki/authority.py
++++ b/base/common/python/pki/authority.py
+@@ -140,7 +140,7 @@ class AuthorityClient(object):
+         url = self.ca_url + '/' + str(aid)
+         headers = {'Content-type': 'application/json',
+                    'Accept': 'application/json'}
+-        r = self.connection.get(url, headers)
++        r = self.connection.get(url, headers=headers)
+         return AuthorityData.from_json(r.json())
+ 
+     @pki.handle_exceptions()
+@@ -167,7 +167,7 @@ class AuthorityClient(object):
+             raise ValueError(
+                 "Invalid format passed in - PEM or DER expected.")
+ 
+-        r = self.connection.get(url, headers)
++        r = self.connection.get(url, headers=headers)
+         return r.text
+ 
+     @pki.handle_exceptions()
+@@ -189,7 +189,7 @@ class AuthorityClient(object):
+         elif output_format == "PKCS7":
+             headers['Accept'] = "application/pkcs7-mime"
+ 
+-        r = self.connection.get(url, headers)
++        r = self.connection.get(url, headers=headers)
+         return r.text
+ 
+     @pki.handle_exceptions()
+@@ -238,7 +238,7 @@ class AuthorityClient(object):
+         response = self.connection.post(
+             self.ca_url,
+             create_request,
+-            headers)
++            headers=headers)
+ 
+         new_ca = AuthorityData.from_json(response.json())
+         return new_ca
+@@ -257,7 +257,7 @@ class AuthorityClient(object):
+         headers = {'Content-type': 'application/json',
+                    'Accept': 'application/json'}
+ 
+-        self.connection.post(url, headers)
++        self.connection.post(url, None, headers=headers)
+ 
+     @pki.handle_exceptions()
+     def disable_ca(self, aid):
+@@ -272,7 +272,7 @@ class AuthorityClient(object):
+         headers = {'Content-type': 'application/json',
+                    'Accept': 'application/json'}
+ 
+-        self.connection.post(url, headers)
++        self.connection.post(url, None, headers=headers)
+ 
+     @pki.handle_exceptions()
+     def delete_ca(self, aid):
+@@ -287,7 +287,7 @@ class AuthorityClient(object):
+         headers = {'Content-type': 'application/json',
+                    'Accept': 'application/json'}
+ 
+-        self.connection.delete(url, headers)
++        self.connection.delete(url, headers=headers)
+ 
+ 
+ encoder.NOTYPES['AuthorityData'] = AuthorityData
+-- 
+1.8.3.1
+
+
+From 62a78bfa227b5e75a7cb931d7e65e824f5fe01ec Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Fri, 5 May 2017 19:54:15 +1000
+Subject: [PATCH 04/10] Fix PKCS #12 import during clone installation
+
+PKCS #12 export was updated to use AES / PBES2 encryption for the
+key bags, but an import code path used when spawning a clone was
+missed, and now fails (because it doesn't grok PBES2).
+
+Update it to use CryptoStore.importEncryptedPrivateKeyInfo()
+instead, fixing the problem.
+
+Fixes: https://pagure.io/dogtagpki/issue/2677
+Change-Id: I11f26ae8a4811f27690541f2c70b3a2adb6264e9
+---
+ .../cms/servlet/csadmin/ConfigurationUtils.java    | 32 +++++++---------------
+ 1 file changed, 10 insertions(+), 22 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index ee1984b..07c64af 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -886,9 +886,7 @@ public class ConfigurationUtils {
+                 if (oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) {
+ 
+                     CMS.debug("  - Bag #" + j + ": key");
+-                    EncryptedPrivateKeyInfo privkeyinfo =
+-                            (EncryptedPrivateKeyInfo) bag.getInterpretedBagContent();
+-                    PrivateKeyInfo pkeyinfo = privkeyinfo.decrypt(password, new PasswordConverter());
++                    byte[] epki = bag.getBagContent().getEncoded();
+ 
+                     SET bagAttrs = bag.getBagAttributes();
+                     String subjectDN = null;
+@@ -910,9 +908,10 @@ public class ConfigurationUtils {
+                         }
+                     }
+ 
+-                    // pkeyinfo_v stores private key (PrivateKeyInfo) and subject DN (String)
++                    // pkeyinfo_v stores EncryptedPrivateKeyInfo
++                    // (byte[]) and subject DN (String)
+                     Vector<Object> pkeyinfo_v = new Vector<Object>();
+-                    pkeyinfo_v.addElement(pkeyinfo);
++                    pkeyinfo_v.addElement(epki);
+                     if (subjectDN != null)
+                         pkeyinfo_v.addElement(subjectDN);
+ 
+@@ -971,7 +970,7 @@ public class ConfigurationUtils {
+             }
+         }
+ 
+-        importKeyCert(pkeyinfo_collection, cert_collection);
++        importKeyCert(password, pkeyinfo_collection, cert_collection);
+     }
+ 
+     public static void verifySystemCertificates() throws Exception {
+@@ -1012,6 +1011,7 @@ public class ConfigurationUtils {
+     }
+ 
+     public static void importKeyCert(
++            Password password,
+             Vector<Vector<Object>> pkeyinfo_collection,
+             Vector<Vector<Object>> cert_collection
+             ) throws Exception {
+@@ -1028,7 +1028,7 @@ public class ConfigurationUtils {
+         CMS.debug("Importing new keys:");
+         for (int i = 0; i < pkeyinfo_collection.size(); i++) {
+             Vector<Object> pkeyinfo_v = pkeyinfo_collection.elementAt(i);
+-            PrivateKeyInfo pkeyinfo = (PrivateKeyInfo) pkeyinfo_v.elementAt(0);
++            byte[] epki = (byte[]) pkeyinfo_v.elementAt(0);
+             String nickname = (String) pkeyinfo_v.elementAt(1);
+             CMS.debug("- Key: " + nickname);
+ 
+@@ -1037,11 +1037,6 @@ public class ConfigurationUtils {
+                 continue;
+             }
+ 
+-            // encode private key
+-            ByteArrayOutputStream bos = new ByteArrayOutputStream();
+-            pkeyinfo.encode(bos);
+-            byte[] pkey = bos.toByteArray();
+-
+             CMS.debug("  Find cert with subject DN " + nickname);
+             // TODO: use better mechanism to find the cert
+             byte[] x509cert = getX509Cert(nickname, cert_collection);
+@@ -1063,16 +1058,9 @@ public class ConfigurationUtils {
+                 // this is OK
+             }
+ 
+-            // encrypt private key
+-            SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true);
+-            byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+-            IVParameterSpec param = new IVParameterSpec(iv);
+-            byte[] encpkey = CryptoUtil.encryptUsingSymmetricKey(token, sk, pkey, EncryptionAlgorithm.DES3_CBC_PAD, param);
+-
+-            // unwrap private key to load into database
+-            KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
+-            wrapper.initUnwrap(sk, param);
+-            wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publicKey), publicKey);
++            // import private key into database
++            store.importEncryptedPrivateKeyInfo(
++                new PasswordConverter(), password, nickname, publicKey, epki);
+         }
+ 
+         CMS.debug("Importing new certificates:");
+-- 
+1.8.3.1
+
+
+From 3fb95590cdf0e45418fa0be7a020691567ef152a Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Fri, 5 May 2017 20:13:07 +1000
+Subject: [PATCH 05/10] Delete unused methods
+
+Change-Id: I81d3aa98a05208b2f5b1be3700c2e0759b387203
+---
+ .../cms/servlet/csadmin/ConfigurationUtils.java    | 103 ---------------------
+ 1 file changed, 103 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index 07c64af..c9a375f 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -1203,13 +1203,6 @@ public class ConfigurationUtils {
+         return null;
+     }
+ 
+-    public static org.mozilla.jss.crypto.PrivateKey.Type getPrivateKeyType(PublicKey pubkey) {
+-        if (pubkey.getAlgorithm().equals("EC")) {
+-            return org.mozilla.jss.crypto.PrivateKey.Type.EC;
+-        }
+-        return org.mozilla.jss.crypto.PrivateKey.Type.RSA;
+-    }
+-
+     public static boolean isCASigningCert(String name) throws EBaseException {
+         IConfigStore cs = CMS.getConfigStore();
+         try {
+@@ -3495,102 +3488,6 @@ public class ConfigurationUtils {
+         }
+     }
+ 
+-    public static void addKeyBag(PrivateKey pkey, X509Certificate x509cert,
+-            Password pass, byte[] localKeyId, SEQUENCE safeContents)
+-            throws NoSuchAlgorithmException, InvalidBERException, InvalidKeyException,
+-            InvalidAlgorithmParameterException, NotInitializedException, TokenException, IllegalStateException,
+-            IllegalBlockSizeException, BadPaddingException, CharConversionException {
+-
+-        PasswordConverter passConverter = new PasswordConverter();
+-
+-        SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
+-        byte salt[] = random.generateSeed(4); // 4 bytes salt
+-        byte[] priData = getEncodedKey(pkey);
+-
+-        PrivateKeyInfo pki = (PrivateKeyInfo)
+-                ASN1Util.decode(PrivateKeyInfo.getTemplate(), priData);
+-        ASN1Value key = EncryptedPrivateKeyInfo.createPBE(
+-                PBEAlgorithm.PBE_SHA1_DES3_CBC,
+-                pass, salt, 1, passConverter, pki);
+-        SET keyAttrs = createBagAttrs(
+-                x509cert.getSubjectDN().toString(), localKeyId);
+-        SafeBag keyBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG,
+-                key, keyAttrs);
+-        safeContents.addElement(keyBag);
+-
+-    }
+-
+-    public static byte[] addCertBag(X509Certificate x509cert, String nickname,
+-            SEQUENCE safeContents) throws CertificateEncodingException, NoSuchAlgorithmException,
+-            CharConversionException {
+-        byte[] localKeyId = null;
+-
+-        ASN1Value cert = new OCTET_STRING(x509cert.getEncoded());
+-        localKeyId = createLocalKeyId(x509cert);
+-        SET certAttrs = null;
+-        if (nickname != null)
+-            certAttrs = createBagAttrs(nickname, localKeyId);
+-        SafeBag certBag = new SafeBag(SafeBag.CERT_BAG,
+-                new CertBag(CertBag.X509_CERT_TYPE, cert), certAttrs);
+-        safeContents.addElement(certBag);
+-
+-        return localKeyId;
+-    }
+-
+-    public static byte[] getEncodedKey(PrivateKey pkey) throws NotInitializedException, NoSuchAlgorithmException,
+-            TokenException, IllegalStateException, CharConversionException, InvalidKeyException,
+-            InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
+-        CryptoManager cm = CryptoManager.getInstance();
+-        CryptoToken token = cm.getInternalKeyStorageToken();
+-        KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3);
+-        SymmetricKey sk = kg.generate();
+-        KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
+-        byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+-        IVParameterSpec param = new IVParameterSpec(iv);
+-        wrapper.initWrap(sk, param);
+-        byte[] enckey = wrapper.wrap(pkey);
+-        Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
+-        c.initDecrypt(sk, param);
+-        byte[] recovered = c.doFinal(enckey);
+-        return recovered;
+-    }
+-
+-    public static byte[] createLocalKeyId(X509Certificate cert)
+-            throws NoSuchAlgorithmException, CertificateEncodingException {
+-
+-        // SHA1 hash of the X509Cert der encoding
+-        byte certDer[] = cert.getEncoded();
+-
+-        MessageDigest md = MessageDigest.getInstance("SHA");
+-
+-        md.update(certDer);
+-        return md.digest();
+-
+-    }
+-
+-    public static SET createBagAttrs(String nickName, byte localKeyId[]) throws CharConversionException {
+-
+-        SET attrs = new SET();
+-        SEQUENCE nickNameAttr = new SEQUENCE();
+-
+-        nickNameAttr.addElement(SafeBag.FRIENDLY_NAME);
+-        SET nickNameSet = new SET();
+-
+-        nickNameSet.addElement(new BMPString(nickName));
+-        nickNameAttr.addElement(nickNameSet);
+-        attrs.addElement(nickNameAttr);
+-        SEQUENCE localKeyAttr = new SEQUENCE();
+-
+-        localKeyAttr.addElement(SafeBag.LOCAL_KEY_ID);
+-        SET localKeySet = new SET();
+-
+-        localKeySet.addElement(new OCTET_STRING(localKeyId));
+-        localKeyAttr.addElement(localKeySet);
+-        attrs.addElement(localKeyAttr);
+-        return attrs;
+-
+-    }
+-
+     public static void createAdminCertificate(String certRequest, String certRequestType, String subject)
+             throws Exception {
+         IConfigStore cs = CMS.getConfigStore();
+-- 
+1.8.3.1
+
+
+From f26b3aaee1cf36941f387b464b937ffee1403048 Mon Sep 17 00:00:00 2001
+From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
+Date: Fri, 5 May 2017 11:44:17 -0700
+Subject: [PATCH 06/10] Non server keygen issue in SCP03.
+
+Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663
+
+We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. For instance , we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue.
+---
+ .../server/tps/channel/SecureChannel.java          |  4 +-
+ .../server/tps/processor/TPSProcessor.java         | 51 +++++++++++++++-------
+ 2 files changed, 37 insertions(+), 18 deletions(-)
+
+diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
+index fc5472c..5e5646b 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
++++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
+@@ -148,8 +148,8 @@ public class SecureChannel {
+ 
+         CMS.debug("SecureChannel.SecureChannel: For SCP03. :  ");
+ 
+-        CMS.debug("kekDesKey: " + kekDesKey.toHexString());
+-        CMS.debug("keyCheck: " + keyCheck.toHexString());
++        if (keyCheck != null)
++            CMS.debug("keyCheck: " + keyCheck.toHexString());
+ 
+         this.platProtInfo = platformInfo;
+         this.processor = processor;
+diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+index 0cfac59..0f96915 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+@@ -33,6 +33,8 @@ import java.util.List;
+ import java.util.Map;
+ import java.util.Set;
+ 
++import netscape.security.x509.RevocationReason;
++
+ import org.dogtagpki.server.tps.TPSSession;
+ import org.dogtagpki.server.tps.TPSSubsystem;
+ import org.dogtagpki.server.tps.authentication.AuthUIParameter;
+@@ -100,8 +102,6 @@ import com.netscape.cms.servlet.tks.SecureChannelProtocol;
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+ import com.netscape.symkey.SessionKey;
+ 
+-import netscape.security.x509.RevocationReason;
+-
+ public class TPSProcessor {
+ 
+     public static final int RESULT_NO_ERROR = 0;
+@@ -923,20 +923,39 @@ public class TPSProcessor {
+             TPSBuffer drmDesKeyBuff = resp.getDRM_Trans_DesKey();
+             TPSBuffer kekDesKeyBuff = resp.getKekWrappedDesKey();
+ 
+-            CMS.debug(method + " encSessionKeyBuff: " + encSessionKeyBuff.toHexString());
+-            CMS.debug(method + " kekSessionKeyBuff: " + kekSessionKeyBuff.toHexString());
+-            CMS.debug(method + " macSessionKeyBuff: " + macSessionKeyBuff.toHexString());
+-            CMS.debug(method + " hostCryptogramBuff: " + hostCryptogramBuff.toHexString());
+-            CMS.debug(method + " keyCheckBuff: " + keyCheckBuff.toHexString());
+-            CMS.debug(method + " drmDessKeyBuff: " + drmDesKeyBuff.toHexString());
+-            CMS.debug(method + " kekDesKeyBuff: " + kekDesKeyBuff.toHexString());
+-
+-            encSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
+-                    encSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
+-            macSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
+-                    macSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
+-            kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
+-                    kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
++            if (encSessionKeyBuff != null)
++                CMS.debug(method + " encSessionKeyBuff: " + encSessionKeyBuff.toHexString());
++
++            if (kekSessionKeyBuff != null)
++                CMS.debug(method + " kekSessionKeyBuff: " + kekSessionKeyBuff.toHexString());
++
++            if (macSessionKeyBuff != null)
++                CMS.debug(method + " macSessionKeyBuff: " + macSessionKeyBuff.toHexString());
++
++            if (hostCryptogramBuff != null)
++                CMS.debug(method + " hostCryptogramBuff: " + hostCryptogramBuff.toHexString());
++
++            if (keyCheckBuff != null)
++                CMS.debug(method + " keyCheckBuff: " + keyCheckBuff.toHexString());
++
++            if (drmDesKeyBuff != null)
++                CMS.debug(method + " drmDessKeyBuff: " + drmDesKeyBuff.toHexString());
++
++            if (kekDesKeyBuff != null)
++                CMS.debug(method + " kekDesKeyBuff: " + kekDesKeyBuff.toHexString());
++
++
++            if (encSessionKeyBuff != null)
++                encSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
++                        encSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
++
++            if (macSessionKeyBuff != null)
++                macSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
++                        macSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
++
++            if (kekSessionKeyBuff != null)
++                kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
++                        kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
+ 
+             channel = new SecureChannel(this, encSessionKeySCP03, macSessionKeySCP03, kekSessionKeySCP03,
+                     drmDesKeyBuff, kekDesKeyBuff,
+-- 
+1.8.3.1
+
+
+From f84bfab30647ae1492fcdca0a026bfa4d91350c9 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Mon, 1 May 2017 15:56:58 -0400
+Subject: [PATCH 07/10] Make sure generated asym keys are extractable
+
+In HSMs, we were not able to retrieve asym keys that were
+generated from the AsymKeyGenService, because the right
+flags were not set (ie. set like in the server side
+keygen case).
+
+To do this, I extracted the key generation function from
+NetKeygenService to KeyRecoveryAuthority, so that it could
+be used by both services.
+
+Bugzilla BZ# 1386303
+
+Change-Id: I13b5f4b602217a685acada94091e91df75e25eff
+---
+ .../certsrv/kra/IKeyRecoveryAuthority.java         |  17 ++
+ .../src/com/netscape/kra/AsymKeyGenService.java    |  23 +--
+ .../src/com/netscape/kra/KeyRecoveryAuthority.java | 184 ++++++++++++++++++++
+ .../src/com/netscape/kra/NetkeyKeygenService.java  | 185 +--------------------
+ 4 files changed, 213 insertions(+), 196 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
+index a12d773..4f709e9 100644
+--- a/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
++++ b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
+@@ -17,12 +17,15 @@
+ // --- END COPYRIGHT BLOCK ---
+ package com.netscape.certsrv.kra;
+ 
++import java.security.KeyPair;
+ import java.util.Enumeration;
+ import java.util.Hashtable;
+ import java.util.Vector;
+ 
+ import org.dogtagpki.legacy.policy.IPolicyProcessor;
+ import org.mozilla.jss.crypto.CryptoToken;
++import org.mozilla.jss.crypto.KeyPairGeneratorSpi;
++import org.mozilla.jss.crypto.PQGParams;
+ 
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.ISubsystem;
+@@ -337,4 +340,18 @@ public interface IKeyRecoveryAuthority extends ISubsystem {
+      * @return
+      */
+     public boolean isRetrievalSynchronous(String realm);
++
++    /**
++     * Generate an asymmetric key pair.
++     *
++     * @param alg
++     * @param keySize
++     * @param keyCurve
++     * @param pqg
++     * @param usageList - RSA only for now
++     * @return key pair
++     * @throws EBaseException
++     */
++    public KeyPair generateKeyPair(String alg, int keySize, String keyCurve,
++            PQGParams pqg, KeyPairGeneratorSpi.Usage[] usageList) throws EBaseException;
+ }
+diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+index 9528972..7351d50 100644
+--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+@@ -19,14 +19,10 @@ package com.netscape.kra;
+ 
+ import java.math.BigInteger;
+ import java.security.KeyPair;
+-import java.security.NoSuchAlgorithmException;
+ 
+ import org.mozilla.jss.crypto.CryptoToken;
+-import org.mozilla.jss.crypto.KeyPairAlgorithm;
+-import org.mozilla.jss.crypto.KeyPairGenerator;
+ import org.mozilla.jss.crypto.KeyPairGeneratorSpi;
+ import org.mozilla.jss.crypto.PrivateKey;
+-import org.mozilla.jss.crypto.TokenException;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+@@ -42,7 +38,6 @@ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+ import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.security.IStorageKeyUnit;
+-import com.netscape.cms.servlet.key.KeyRequestDAO;
+ import com.netscape.cmscore.dbs.KeyRecord;
+ 
+ import netscape.security.util.WrappingParams;
+@@ -132,8 +127,6 @@ public class AsymKeyGenService implements IService {
+         CMS.debug("AsymKeyGenService.serviceRequest. Request id: " + request.getRequestId());
+         CMS.debug("AsymKeyGenService.serviceRequest algorithm: " + algorithm);
+ 
+-        KeyPairAlgorithm keyPairAlgorithm = KeyRequestDAO.ASYMKEY_GEN_ALGORITHMS.get(algorithm.toUpperCase());
+-
+         String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+         String auditSubjectID = owner;
+ 
+@@ -141,16 +134,18 @@ public class AsymKeyGenService implements IService {
+         CryptoToken token = kra.getKeygenToken();
+ 
+         // Generating the asymmetric keys
+-        KeyPairGenerator keyPairGen = null;
+         KeyPair kp = null;
+ 
+         try {
+-            keyPairGen = token.getKeyPairGenerator(keyPairAlgorithm);
+-            keyPairGen.initialize(keySize);
+-            if (usageList != null)
+-                keyPairGen.setKeyPairUsages(usageList, usageList);
+-            kp = keyPairGen.genKeyPair();
+-        } catch (NoSuchAlgorithmException | TokenException e) {
++            kp = kra.generateKeyPair(
++                    algorithm.toUpperCase(),
++                    keySize,
++                    null, // keyCurve for ECC, not yet supported
++                    null, // PQG not yet supported
++                    usageList
++                 );
++
++        } catch (EBaseException e) {
+             CMS.debugStackTrace();
+             auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+                     clientKeyId, null, "Failed to generate Asymmetric key");
+diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+index ec920e6..54953d1 100644
+--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+@@ -20,6 +20,10 @@ package com.netscape.kra;
+ import java.io.ByteArrayOutputStream;
+ import java.io.IOException;
+ import java.math.BigInteger;
++import java.security.InvalidAlgorithmParameterException;
++import java.security.InvalidParameterException;
++import java.security.KeyPair;
++import java.security.NoSuchAlgorithmException;
+ import java.security.cert.CertificateEncodingException;
+ import java.security.cert.CertificateException;
+ import java.security.cert.X509Certificate;
+@@ -32,6 +36,12 @@ import org.dogtagpki.legacy.kra.KRAPolicy;
+ import org.dogtagpki.legacy.policy.IPolicyProcessor;
+ import org.mozilla.jss.NoSuchTokenException;
+ import org.mozilla.jss.crypto.CryptoToken;
++import org.mozilla.jss.crypto.KeyPairAlgorithm;
++import org.mozilla.jss.crypto.KeyPairGenerator;
++import org.mozilla.jss.crypto.KeyPairGeneratorSpi;
++import org.mozilla.jss.crypto.PQGParamGenException;
++import org.mozilla.jss.crypto.PQGParams;
++import org.mozilla.jss.crypto.TokenException;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.authority.IAuthority;
+@@ -1816,4 +1826,178 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ 
+         return agents;
+     }
++
++    public KeyPair generateKeyPair(String alg, int keySize, String keyCurve,
++            PQGParams pqg, KeyPairGeneratorSpi.Usage[] usageList) throws EBaseException {
++        KeyPairAlgorithm kpAlg = null;
++
++        if (alg.equals("RSA"))
++            kpAlg = KeyPairAlgorithm.RSA;
++        else if (alg.equals("EC"))
++            kpAlg = KeyPairAlgorithm.EC;
++        else
++            kpAlg = KeyPairAlgorithm.DSA;
++
++        try {
++            KeyPair kp = generateKeyPair(kpAlg, keySize, keyCurve, pqg, usageList);
++
++            return kp;
++        } catch (InvalidParameterException e) {
++            throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEYSIZE_PARAMS",
++                        "" + keySize));
++        } catch (PQGParamGenException e) {
++            throw new EBaseException(CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED"));
++        } catch (NoSuchAlgorithmException e) {
++            throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED",
++                        kpAlg.toString()));
++        } catch (TokenException e) {
++            throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR_1", e.toString()));
++        } catch (InvalidAlgorithmParameterException e) {
++            throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", "DSA"));
++        }
++    }
++
++    public KeyPair generateKeyPair(
++            KeyPairAlgorithm kpAlg, int keySize, String keyCurve, PQGParams pqg,
++            KeyPairGeneratorSpi.Usage[] usageList )
++            throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException,
++            InvalidParameterException, PQGParamGenException {
++
++        CryptoToken token = getKeygenToken();
++
++        CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: " + token.getName());
++
++        /*
++           make it temporary so can work with HSM
++           netHSM works with
++              temporary == true
++              sensitive == <do not specify>
++              extractable == <do not specify>
++           LunaSA2 works with
++              temporary == true
++              sensitive == true
++              extractable == true
++        */
++        KeyPairGenerator kpGen = token.getKeyPairGenerator(kpAlg);
++        IConfigStore config = CMS.getConfigStore();
++        IConfigStore kgConfig = config.getSubStore("kra.keygen");
++        boolean tp = false;
++        boolean sp = false;
++        boolean ep = false;
++        if ((kgConfig != null) && (!kgConfig.equals(""))) {
++            try {
++                tp = kgConfig.getBoolean("temporaryPairs", false);
++                sp = kgConfig.getBoolean("sensitivePairs", false);
++                ep = kgConfig.getBoolean("extractablePairs", false);
++                CMS.debug("NetkeyKeygenService: found config store: kra.keygen");
++                // by default, let nethsm work
++                if ((tp == false) && (sp == false) && (ep == false)) {
++                    if (kpAlg == KeyPairAlgorithm.EC) {
++                        // set to what works for nethsm
++                        tp = true;
++                        sp = false;
++                        ep = true;
++                    } else
++                        tp = true;
++                    }
++            } catch (Exception e) {
++                CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed");
++                // by default, let nethsm work
++                tp = true;
++            }
++        } else {
++            // by default, let nethsm work
++            CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true");
++            if (kpAlg == KeyPairAlgorithm.EC) {
++                // set to what works for nethsm
++                tp = true;
++                sp = false;
++                ep = true;
++            } else {
++                tp = true;
++            }
++        }
++
++        if (kpAlg == KeyPairAlgorithm.EC) {
++
++            boolean isECDHE = false;
++            KeyPair pair = null;
++
++            // used with isECDHE == true
++            org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDSA[] = {
++                org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE
++            };
++
++            // used with isECDHE == false
++            org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDH[] = {
++                org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN,
++                org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER
++            };
++
++            try {
++                pair = CryptoUtil.generateECCKeyPair(token.getName(),
++                    keyCurve /*ECC_curve default*/,
++                    null,
++                    (isECDHE==true) ? usages_mask_ECDSA: usages_mask_ECDH,
++                    tp /*temporary*/, sp? 1:0 /*sensitive*/, ep? 1:0 /*extractable*/);
++                CMS.debug("NetkeyKeygenService: after key pair generation" );
++            } catch (Exception e) {
++                CMS.debug("NetkeyKeygenService: key pair generation with exception:"+e.toString());
++            }
++            return pair;
++
++        } else { // !EC
++            //only specified to "true" will it be set
++            if (tp == true) {
++                CMS.debug("NetkeyKeygenService: setting temporaryPairs to true");
++                kpGen.temporaryPairs(true);
++            }
++
++            if (sp == true) {
++                CMS.debug("NetkeyKeygenService: setting sensitivePairs to true");
++                kpGen.sensitivePairs(true);
++            }
++
++            if (ep == true) {
++                CMS.debug("NetkeyKeygenService: setting extractablePairs to true");
++                kpGen.extractablePairs(true);
++            }
++
++            if (kpAlg == KeyPairAlgorithm.DSA) {
++                if (pqg == null) {
++                    kpGen.initialize(keySize);
++                } else {
++                    kpGen.initialize(pqg);
++                }
++            } else {
++                kpGen.initialize(keySize);
++            }
++
++            if (usageList != null)
++                kpGen.setKeyPairUsages(usageList, usageList);
++
++            if (pqg == null) {
++                KeyPair kp = null;
++                synchronized (new Object()) {
++                    CMS.debug("NetkeyKeygenService: key pair generation begins");
++                    kp = kpGen.genKeyPair();
++                    CMS.debug("NetkeyKeygenService: key pair generation done");
++                    addEntropy(true);
++                }
++                return kp;
++            } else {
++                // DSA
++                KeyPair kp = null;
++
++                /* no DSA for now... netkey prototype
++                do {
++                    // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair
++                    kp = kpGen.genKeyPair();
++                }
++                while (isBadDSAKeyPair(kp));
++                */
++                return kp;
++            }
++        }
++    }
+ }
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index e09eb42..f068a4a 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -23,11 +23,8 @@ import java.io.FilterOutputStream;
+ import java.io.IOException;
+ import java.io.PrintStream;
+ import java.math.BigInteger;
+-import java.security.InvalidAlgorithmParameterException;
+ import java.security.InvalidKeyException;
+-import java.security.InvalidParameterException;
+ import java.security.KeyPair;
+-import java.security.NoSuchAlgorithmException;
+ import java.security.SecureRandom;
+ 
+ import org.mozilla.jss.asn1.ASN1Util;
+@@ -35,21 +32,15 @@ import org.mozilla.jss.crypto.CryptoToken;
+ import org.mozilla.jss.crypto.EncryptionAlgorithm;
+ import org.mozilla.jss.crypto.IVParameterSpec;
+ import org.mozilla.jss.crypto.KeyGenAlgorithm;
+-import org.mozilla.jss.crypto.KeyPairAlgorithm;
+-import org.mozilla.jss.crypto.KeyPairGenerator;
+ import org.mozilla.jss.crypto.KeyWrapAlgorithm;
+-import org.mozilla.jss.crypto.PQGParamGenException;
+-import org.mozilla.jss.crypto.PQGParams;
+ import org.mozilla.jss.crypto.PrivateKey;
+ import org.mozilla.jss.crypto.SymmetricKey;
+-import org.mozilla.jss.crypto.TokenException;
+ import org.mozilla.jss.pkcs11.PK11SymKey;
+ import org.mozilla.jss.pkix.crmf.PKIArchiveOptions;
+ import org.mozilla.jss.util.Base64OutputStream;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+-import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.MetaInfo;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+@@ -122,177 +113,6 @@ public class NetkeyKeygenService implements IService {
+         return archOpts;
+     }
+ 
+-    public KeyPair generateKeyPair(
+-            KeyPairAlgorithm kpAlg, int keySize, String keyCurve, PQGParams pqg)
+-            throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException,
+-            InvalidParameterException, PQGParamGenException {
+-
+-        CryptoToken token = mKRA.getKeygenToken();
+-
+-        CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: " + token.getName());
+-
+-        /*
+-           make it temporary so can work with HSM
+-           netHSM works with
+-              temporary == true
+-              sensitive == <do not specify>
+-              extractable == <do not specify>
+-           LunaSA2 works with
+-              temporary == true
+-              sensitive == true
+-              extractable == true
+-        */
+-        KeyPairGenerator kpGen = token.getKeyPairGenerator(kpAlg);
+-        IConfigStore config = CMS.getConfigStore();
+-        IConfigStore kgConfig = config.getSubStore("kra.keygen");
+-        boolean tp = false;
+-        boolean sp = false;
+-        boolean ep = false;
+-        if ((kgConfig != null) && (!kgConfig.equals(""))) {
+-            try {
+-                tp = kgConfig.getBoolean("temporaryPairs", false);
+-                sp = kgConfig.getBoolean("sensitivePairs", false);
+-                ep = kgConfig.getBoolean("extractablePairs", false);
+-                CMS.debug("NetkeyKeygenService: found config store: kra.keygen");
+-                // by default, let nethsm work
+-                if ((tp == false) && (sp == false) && (ep == false)) {
+-                    if (kpAlg == KeyPairAlgorithm.EC) {
+-                        // set to what works for nethsm
+-                        tp = true;
+-                        sp = false;
+-                        ep = true;
+-                    } else
+-                        tp = true;
+-                    }
+-            } catch (Exception e) {
+-                CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed");
+-                // by default, let nethsm work
+-                tp = true;
+-            }
+-        } else {
+-            // by default, let nethsm work
+-            CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true");
+-            if (kpAlg == KeyPairAlgorithm.EC) {
+-                // set to what works for nethsm
+-                tp = true;
+-                sp = false;
+-                ep = true;
+-            } else {
+-                tp = true;
+-            }
+-        }
+-
+-        if (kpAlg == KeyPairAlgorithm.EC) {
+-
+-            boolean isECDHE = false;
+-            KeyPair pair = null;
+-
+-            // used with isECDHE == true
+-            org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDSA[] = {
+-                org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE
+-            };
+-
+-            // used with isECDHE == false
+-            org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDH[] = {
+-                org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN,
+-                org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER
+-            };
+-
+-            try {
+-                pair = CryptoUtil.generateECCKeyPair(token.getName(),
+-                    keyCurve /*ECC_curve default*/,
+-                    null,
+-                    (isECDHE==true) ? usages_mask_ECDSA: usages_mask_ECDH,
+-                    tp /*temporary*/, sp? 1:0 /*sensitive*/, ep? 1:0 /*extractable*/);
+-                CMS.debug("NetkeyKeygenService: after key pair generation" );
+-            } catch (Exception e) {
+-                CMS.debug("NetkeyKeygenService: key pair generation with exception:"+e.toString());
+-            }
+-            return pair;
+-
+-        } else { // !EC
+-            //only specified to "true" will it be set
+-            if (tp == true) {
+-                CMS.debug("NetkeyKeygenService: setting temporaryPairs to true");
+-                kpGen.temporaryPairs(true);
+-            }
+-
+-            if (sp == true) {
+-                CMS.debug("NetkeyKeygenService: setting sensitivePairs to true");
+-                kpGen.sensitivePairs(true);
+-            }
+-
+-            if (ep == true) {
+-                CMS.debug("NetkeyKeygenService: setting extractablePairs to true");
+-                kpGen.extractablePairs(true);
+-            }
+-
+-            if (kpAlg == KeyPairAlgorithm.DSA) {
+-                if (pqg == null) {
+-                    kpGen.initialize(keySize);
+-                } else {
+-                    kpGen.initialize(pqg);
+-                }
+-            } else {
+-                kpGen.initialize(keySize);
+-            }
+-
+-            if (pqg == null) {
+-                KeyPair kp = null;
+-                synchronized (new Object()) {
+-                    CMS.debug("NetkeyKeygenService: key pair generation begins");
+-                    kp = kpGen.genKeyPair();
+-                    CMS.debug("NetkeyKeygenService: key pair generation done");
+-                    mKRA.addEntropy(true);
+-                }
+-                return kp;
+-            } else {
+-                // DSA
+-                KeyPair kp = null;
+-
+-                /* no DSA for now... netkey prototype
+-                do {
+-                    // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair
+-                    kp = kpGen.genKeyPair();
+-                }
+-                while (isBadDSAKeyPair(kp));
+-                */
+-                return kp;
+-            }
+-        }
+-    }
+-
+-    public KeyPair generateKeyPair(String alg,
+-            int keySize, String keyCurve,  PQGParams pqg) throws EBaseException {
+-
+-        KeyPairAlgorithm kpAlg = null;
+-
+-        if (alg.equals("RSA"))
+-            kpAlg = KeyPairAlgorithm.RSA;
+-        else if (alg.equals("EC"))
+-            kpAlg = KeyPairAlgorithm.EC;
+-        else
+-            kpAlg = KeyPairAlgorithm.DSA;
+-
+-        try {
+-            KeyPair kp = generateKeyPair(kpAlg, keySize, keyCurve, pqg);
+-
+-            return kp;
+-        } catch (InvalidParameterException e) {
+-            throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEYSIZE_PARAMS",
+-                        "" + keySize));
+-        } catch (PQGParamGenException e) {
+-            throw new EBaseException(CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED"));
+-        } catch (NoSuchAlgorithmException e) {
+-            throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED",
+-                        kpAlg.toString()));
+-        } catch (TokenException e) {
+-            throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR_1", e.toString()));
+-        } catch (InvalidAlgorithmParameterException e) {
+-            throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", "DSA"));
+-        }
+-    }
+-
+     private static String base64Encode(byte[] bytes) throws IOException {
+         // All this streaming is lame, but Base64OutputStream needs a
+         // PrintStream
+@@ -430,10 +250,11 @@ public class NetkeyKeygenService implements IService {
+ 
+             CMS.debug("NetkeyKeygenService: about to generate key pair");
+ 
+-            keypair = generateKeyPair(rKeytype /* rKeytype: "RSA" or "EC" */,
++            keypair = mKRA.generateKeyPair(rKeytype /* rKeytype: "RSA" or "EC" */,
+                 keysize /*Integer.parseInt(len)*/,
+                 rKeycurve /* for "EC" only */,
+-                null /*pqgParams*/);
++                null /*pqgParams*/,
++                null /* usageList*/);
+ 
+             if (keypair == null) {
+                 CMS.debug("NetkeyKeygenService: failed generating key pair for " + rCUID + ":" + rUserid);
+-- 
+1.8.3.1
+
+
+From bea446868e282955d9c70028be657530eaccbe29 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Mon, 1 May 2017 18:25:59 -0400
+Subject: [PATCH 08/10] Use AES-CBC in storage unit for archival in key
+ wrapping
+
+When AES-KW or AES-KWP is not available, we need to be sure to use
+a key wrap algorithm that is available for keywrap.  This would
+be AES-CBC.  Removes some TODOs.
+
+Refactor so that getWrappingParams is only defined on the StorageUnit,
+which is where it makes sense in any case.
+
+Part of Bugzilla BZ# 1386303
+
+Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51
+---
+ .../src/com/netscape/certsrv/security/IEncryptionUnit.java   |  2 --
+ .../src/com/netscape/certsrv/security/IStorageKeyUnit.java   |  6 ++++++
+ base/kra/src/com/netscape/kra/AsymKeyGenService.java         | 11 +++--------
+ base/kra/src/com/netscape/kra/EncryptionUnit.java            |  2 --
+ base/kra/src/com/netscape/kra/EnrollmentService.java         |  2 +-
+ base/kra/src/com/netscape/kra/NetkeyKeygenService.java       |  7 +++++--
+ base/kra/src/com/netscape/kra/SecurityDataProcessor.java     |  2 +-
+ base/kra/src/com/netscape/kra/StorageKeyUnit.java            | 12 +++++++++++-
+ base/kra/src/com/netscape/kra/SymKeyGenService.java          |  7 +++++--
+ base/kra/src/com/netscape/kra/TransportKeyUnit.java          |  4 ----
+ 10 files changed, 32 insertions(+), 23 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
+index add15cb..e55713d 100644
+--- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
++++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
+@@ -63,7 +63,5 @@ public interface IEncryptionUnit extends IToken {
+             SymmetricKey.Usage usage, WrappingParams params) throws Exception;
+ 
+ 
+-    public WrappingParams getWrappingParams() throws Exception;
+-
+     public WrappingParams getOldWrappingParams();
+ }
+diff --git a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java
+index cd94143..bfc6012 100644
+--- a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java
++++ b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java
+@@ -174,4 +174,10 @@ public interface IStorageKeyUnit extends IEncryptionUnit {
+     public PrivateKey unwrap(byte privateKey[], PublicKey pubKey, boolean temporary,
+             WrappingParams params) throws Exception;
+ 
++    /**
++     * Get the wrapping parameters for this storage unit
++     *
++     */
++    public WrappingParams getWrappingParams(boolean encrypt) throws Exception;
++
+ }
+diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+index 7351d50..cfee504 100644
+--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+@@ -20,7 +20,6 @@ package com.netscape.kra;
+ import java.math.BigInteger;
+ import java.security.KeyPair;
+ 
+-import org.mozilla.jss.crypto.CryptoToken;
+ import org.mozilla.jss.crypto.KeyPairGeneratorSpi;
+ import org.mozilla.jss.crypto.PrivateKey;
+ 
+@@ -68,7 +67,7 @@ public class AsymKeyGenService implements IService {
+ 
+     @Override
+     public boolean serviceRequest(IRequest request) throws EBaseException {
+-        IConfigStore cs = CMS.getConfigStore();
++        IConfigStore configStore = CMS.getConfigStore();
+         String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID);
+         String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM);
+ 
+@@ -77,7 +76,7 @@ public class AsymKeyGenService implements IService {
+ 
+         String realm = request.getRealm();
+ 
+-        boolean allowEncDecrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
++        boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false);
+ 
+         KeyPairGeneratorSpi.Usage[] usageList = null;
+         String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES);
+@@ -130,9 +129,6 @@ public class AsymKeyGenService implements IService {
+         String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+         String auditSubjectID = owner;
+ 
+-        // Get the token
+-        CryptoToken token = kra.getKeygenToken();
+-
+         // Generating the asymmetric keys
+         KeyPair kp = null;
+ 
+@@ -162,8 +158,7 @@ public class AsymKeyGenService implements IService {
+         WrappingParams params = null;
+ 
+         try {
+-            // TODO(alee) What happens if key wrap algorithm is not supported?
+-            params = storageUnit.getWrappingParams();
++            params = storageUnit.getWrappingParams(allowEncDecrypt_archival);
+             privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate(), params);
+         } catch (Exception e) {
+             CMS.debug("Failed to generate security data to archive: " + e);
+diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
+index 02a4ca1..b460c9e 100644
+--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
++++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
+@@ -67,8 +67,6 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
+ 
+     public abstract PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert);
+ 
+-    public abstract WrappingParams getWrappingParams() throws Exception;
+-
+     public WrappingParams getOldWrappingParams() {
+         return new WrappingParams(
+                 SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
+diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
+index a200c34..e413a06 100644
+--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
+@@ -396,7 +396,7 @@ public class EnrollmentService implements IService {
+             WrappingParams params =  null;
+ 
+             try {
+-                params = mStorageUnit.getWrappingParams();
++                params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
+                 if (allowEncDecrypt_archival == true) {
+                     privateKeyData = mStorageUnit.encryptInternalPrivate(unwrapped, params);
+                 } else {
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index f068a4a..636e93e 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -41,6 +41,7 @@ import org.mozilla.jss.util.Base64OutputStream;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.MetaInfo;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+@@ -155,6 +156,9 @@ public class NetkeyKeygenService implements IService {
+ 
+         IVParameterSpec algParam = new IVParameterSpec(iv);
+ 
++        IConfigStore configStore = CMS.getConfigStore();
++        boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false);
++
+         wrapped_des_key = null;
+         boolean archive = true;
+         byte[] publicKeyData = null;
+@@ -405,8 +409,7 @@ public class NetkeyKeygenService implements IService {
+                     WrappingParams params = null;
+ 
+                     try {
+-                        // TODO(alee)  What happens if key wrap algorithm is not supported?
+-                        params = mStorageUnit.getWrappingParams();
++                        params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
+                         privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
+                     } catch (Exception e) {
+                         request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index 701b611..95d07c4 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -217,7 +217,7 @@ public class SecurityDataProcessor {
+         boolean doEncrypt = false;
+ 
+         try {
+-            params = storageUnit.getWrappingParams();
++            params = storageUnit.getWrappingParams(allowEncDecrypt_archival);
+             if (securitySymKey != null && unwrapped == null) {
+                 privateSecurityData = storageUnit.wrap(securitySymKey, params);
+             } else if (unwrapped != null && allowEncDecrypt_archival == true) {
+diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java
+index 3e7f1de..1df30f6 100644
+--- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java
++++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java
+@@ -133,7 +133,7 @@ public class StorageKeyUnit extends EncryptionUnit implements
+         throw new EBaseException(CMS.getUserMessage("CMS_INVALID_OPERATION"));
+     }
+ 
+-    public WrappingParams getWrappingParams() throws Exception {
++    public WrappingParams getWrappingParams(boolean encrypt) throws Exception {
+         String choice = null;
+         try {
+             choice = mConfig.getString(PROP_WRAPPING_CHOICE);
+@@ -177,6 +177,16 @@ public class StorageKeyUnit extends EncryptionUnit implements
+                 KeyRecordParser.OUT_PL_WRAP_IV_LEN);
+         if (iv != null) params.setPayloadWrappingIV(new IVParameterSpec(iv));
+ 
++        if (encrypt) {
++            // Some HSMs have not yet implemented AES-KW.  Use AES-CBC-PAD instead
++            if (params.getPayloadWrapAlgorithm().equals(KeyWrapAlgorithm.AES_KEY_WRAP) ||
++                params.getPayloadWrapAlgorithm().equals(KeyWrapAlgorithm.AES_KEY_WRAP_PAD)) {
++                params.setPayloadWrapAlgorithm(KeyWrapAlgorithm.AES_CBC_PAD);
++                iv = CryptoUtil.getNonceData(16);
++                params.setPayloadWrappingIV(new IVParameterSpec(iv));
++            }
++        }
++
+         return params;
+     }
+ 
+diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+index c1830ec..bf350d5 100644
+--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+@@ -29,6 +29,7 @@ import org.mozilla.jss.crypto.SymmetricKey;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+ import com.netscape.certsrv.key.KeyRequestResource;
+@@ -107,6 +108,9 @@ public class SymKeyGenService implements IService {
+             throw new EBaseException("Bad data in SymKeyGenService.serviceRequest");
+         }
+ 
++        IConfigStore configStore = CMS.getConfigStore();
++        boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false);
++
+         CryptoToken token = mStorageUnit.getToken();
+         KeyGenAlgorithm kgAlg = KeyRequestDAO.SYMKEY_GEN_ALGORITHMS.get(algorithm);
+         if (kgAlg == null) {
+@@ -170,8 +174,7 @@ public class SymKeyGenService implements IService {
+         }
+ 
+         try {
+-            // TODO(alee) what happens if key wrap algorithm is not supported?
+-            params = mStorageUnit.getWrappingParams();
++            params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
+             privateSecurityData = mStorageUnit.wrap(sk, params);
+         } catch (Exception e) {
+             CMS.debug("Failed to generate security data to archive: " + e);
+diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
+index 513c0b2..fc66e66 100644
+--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java
++++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
+@@ -115,10 +115,6 @@ public class TransportKeyUnit extends EncryptionUnit implements
+         }
+     }
+ 
+-    public WrappingParams getWrappingParams() {
+-        return getOldWrappingParams();
+-    }
+-
+     public CryptoToken getInternalToken() {
+         try {
+             return CryptoManager.getInstance().getInternalKeyStorageToken();
+-- 
+1.8.3.1
+
+
+From 00c17b3e2f81c9df12e1a89fc85dc2e3d4c3a2b1 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Fri, 5 May 2017 21:30:15 -0400
+Subject: [PATCH 09/10] Fix symmetic key retrieval in HSM
+
+When using an HSM, AES KeyWrapping is not available and so
+some different code paths were exercised.  Fixing bugs in those
+paths uncovered a case where we were calling unwrapSymmetric()
+with bits and not bytes for the key length.
+
+This does not matter for 3DES, where JSS expects a length of 0,
+but very much matters for AES.  Fixing this - and the KeyClient
+to actually use the returned wrapping algorithm to unwrap, allows
+us now to return generated symmetric keys correctly.
+
+Bugzilla BZ#1448521
+Pagure: 2690
+
+Change-Id: I2c5c87e28f6f36798b16de238bbaa21da90e7890
+---
+ base/common/src/com/netscape/certsrv/key/KeyClient.java   |  4 ++--
+ base/kra/src/com/netscape/kra/EncryptionUnit.java         |  2 +-
+ base/kra/src/com/netscape/kra/SecurityDataProcessor.java  | 12 ++++++++++++
+ base/kra/src/com/netscape/kra/TransportKeyUnit.java       |  4 ++--
+ base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java |  4 ++--
+ 5 files changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java
+index 2c99e1c..9a69372 100644
+--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java
++++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java
+@@ -429,7 +429,7 @@ public class KeyClient extends Client {
+             bytes = crypto.unwrapSymmetricKeyWithSessionKey(
+                     data.getEncryptedData(),
+                     sessionKey,
+-                    wrapAlgorithm,
++                    KeyWrapAlgorithm.fromString(data.getWrapAlgorithm()),
+                     data.getNonceData(),
+                     data.getAlgorithm(),
+                     data.getSize());
+@@ -446,7 +446,7 @@ public class KeyClient extends Client {
+             bytes = crypto.unwrapAsymmetricKeyWithSessionKey(
+                     data.getEncryptedData(),
+                     sessionKey,
+-                    wrapAlgorithm,
++                    KeyWrapAlgorithm.fromString(data.getWrapAlgorithm()),
+                     data.getNonceData(),
+                     pubKey);
+         }
+diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
+index b460c9e..eb8a2f8 100644
+--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
++++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
+@@ -84,7 +84,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
+         return CryptoUtil.unwrap(
+                 token,
+                 params.getSkType(),
+-                0,
++                params.getSkType().equals(SymmetricKey.DES3)? 0: params.getSkLength(),
+                 usage, wrappingKey,
+                 encSymmKey,
+                 params.getSkWrapAlgorithm());
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index 95d07c4..344f376 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -411,6 +411,18 @@ public class SecurityDataProcessor {
+         String payloadWrapName = (String) params.get(IRequest.SECURITY_DATA_PL_WRAPPING_NAME);
+         String transportKeyAlgo = transportUnit.getCertificate().getPublicKey().getAlgorithm();
+ 
++        if (allowEncDecrypt_recovery) {
++            if (payloadWrapName == null) {
++                // assume old client
++                payloadWrapName = "DES3/CBC/Pad";
++            } else if (payloadWrapName.equals("AES KeyWrap/Padding") ||
++                    payloadWrapName.equals("AES KeyWrap")) {
++                // Some HSMs have not implemented AES-KW yet
++                // Make sure we select an algorithm that is supported.
++                payloadWrapName = "AES/CBC/PKCS5Padding";
++            }
++        }
++
+         byte[] iv = null;
+         byte[] iv_wrap = null;
+         try {
+diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
+index fc66e66..d0ad8b3 100644
+--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java
++++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
+@@ -289,7 +289,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
+         SymmetricKey sk = CryptoUtil.unwrap(
+                 token,
+                 params.getSkType(),
+-                0,
++                params.getSkType().equals(SymmetricKey.DES3)? 0: params.getSkLength(),
+                 SymmetricKey.Usage.DECRYPT,
+                 wrappingKey,
+                 encSymmKey,
+@@ -360,7 +360,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
+         SymmetricKey sk = CryptoUtil.unwrap(
+                 token,
+                 params.getSkType(),
+-                0,
++                params.getSkType().equals(SymmetricKey.DES3)? 0: params.getSkLength(),
+                 SymmetricKey.Usage.UNWRAP,
+                 wrappingKey,
+                 encSymmKey,
+diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+index d22856d..e529a0f 100644
+--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+@@ -2346,7 +2346,7 @@ public class CryptoUtil {
+             KeyWrapAlgorithm wrapAlgorithm, IVParameterSpec wrappingIV) throws Exception {
+         KeyWrapper wrapper = token.getKeyWrapper(wrapAlgorithm);
+         wrapper.initUnwrap(wrappingKey, wrappingIV);
+-        return wrapper.unwrapSymmetric(wrappedData, keyType, usage, strength);
++        return wrapper.unwrapSymmetric(wrappedData, keyType, usage, strength/8);
+     }
+ 
+     public static SymmetricKey unwrap(CryptoToken token, SymmetricKey.Type keyType,
+@@ -2355,7 +2355,7 @@ public class CryptoUtil {
+         KeyWrapper keyWrapper = token.getKeyWrapper(wrapAlgorithm);
+         keyWrapper.initUnwrap(wrappingKey, null);
+ 
+-        return keyWrapper.unwrapSymmetric(wrappedData, keyType, usage, strength);
++        return keyWrapper.unwrapSymmetric(wrappedData, keyType, usage, strength/8);
+     }
+ 
+     public static PrivateKey unwrap(CryptoToken token, PublicKey pubKey, boolean temporary,
+-- 
+1.8.3.1
+
+
+From c0bb0ee8e36a85673e30352a7205414b215196a5 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Mon, 8 May 2017 18:53:26 +0200
+Subject: [PATCH 10/10] pkispawn: wait after final restart
+
+The finalization scriptlet now waits after service has been restarted.
+
+Change-Id: Id462728386b9d7e6b3364e1651ef6676115dd1de
+Bugzilla: BZ#1446364
+Pagure: 2644
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ .travis/40-spawn-ca                                                | 5 -----
+ .travis/50-spawn-kra                                               | 5 -----
+ .../server/python/pki/server/deployment/scriptlets/finalization.py | 7 +++++++
+ 3 files changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/.travis/40-spawn-ca b/.travis/40-spawn-ca
+index d6771db..d57e6b7 100755
+--- a/.travis/40-spawn-ca
++++ b/.travis/40-spawn-ca
+@@ -2,8 +2,3 @@
+ set -e
+ 
+ pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA
+-
+-echo "Waiting for port 8080"
+-for i in {1..20}; do
+-    curl http://localhost:8080 && break || sleep 1
+-done
+diff --git a/.travis/50-spawn-kra b/.travis/50-spawn-kra
+index 93f2f4c..f7e8fc1 100755
+--- a/.travis/50-spawn-kra
++++ b/.travis/50-spawn-kra
+@@ -2,8 +2,3 @@
+ set -e
+ 
+ pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA
+-
+-echo "Waiting for port 8080"
+-for i in {1..20}; do
+-    curl http://localhost:8080 && break || sleep 1
+-done
+diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py
+index 3dc7f66..941691c 100644
+--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py
++++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py
+@@ -57,6 +57,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+         # Optionally, programmatically 'restart' the configured PKI instance
+         if config.str2bool(deployer.mdict['pki_restart_configured_instance']):
+             deployer.systemd.restart()
++            # wait for startup
++            status = deployer.instance.wait_for_startup(60)
++            if status is None:
++                config.pki_log.error(
++                    "server failed to restart",
++                    extra=config.PKI_INDENTATION_LEVEL_1)
++                raise RuntimeError("server failed to restart")
+ 
+         # Optionally, 'purge' the entire temporary client infrastructure
+         # including the client NSS security databases and password files
+-- 
+1.8.3.1
+
diff --git a/SOURCES/pki-core-post-re-base.patch b/SOURCES/pki-core-post-re-base.patch
deleted file mode 100644
index b2cded9..0000000
--- a/SOURCES/pki-core-post-re-base.patch
+++ /dev/null
@@ -1,5567 +0,0 @@
-From e897fbd1b37d16d60858717f74e09952a45693d2 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Sat, 25 Jun 2016 00:14:11 +0200
-Subject: Fixed problem reading HSM password from password file.
-
-A new method get_token_password() has been added into PKIInstance
-Python class in order to read the token password correctly from
-password.conf. If the token is an internal token, it will read the
-'internal' password. If it is an HSM it will read the password for
-'hardware-<token>'.
-
-The codes that call the get_password() to get token password have
-been modified to use get_token_password() instead.
-
-https://fedorahosted.org/pki/ticket/2384
----
- base/server/python/pki/server/__init__.py      | 59 +++++++++++++++++++-------
- base/server/python/pki/server/cli/instance.py  |  4 +-
- base/server/python/pki/server/cli/subsystem.py | 11 ++---
- 3 files changed, 50 insertions(+), 24 deletions(-)
-
-diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
-index bf705fd..454408f 100644
---- a/base/server/python/pki/server/__init__.py
-+++ b/base/server/python/pki/server/__init__.py
-@@ -186,9 +186,11 @@ class PKISubsystem(object):
-         cert = self.get_subsystem_cert(cert_id)
-         nickname = cert['nickname']
-         token = cert['token']
--        if token == 'Internal Key Storage Token':
--            token = 'internal'
--        nssdb_password = self.instance.get_password(token)
-+
-+        if token and token.lower() in ['internal', 'internal key storage token']:
-+            token = None
-+
-+        nssdb_password = self.instance.get_token_password(token)
- 
-         tmpdir = tempfile.mkdtemp()
- 
-@@ -204,7 +206,7 @@ class PKISubsystem(object):
-                 '-C', nssdb_password_file
-             ]
- 
--            if token and token != 'internal':
-+            if token:
-                 cmd.extend(['--token', token])
- 
-             cmd.extend([
-@@ -234,9 +236,11 @@ class PKISubsystem(object):
-         cert = self.get_subsystem_cert('subsystem')
-         nickname = cert['nickname']
-         token = cert['token']
--        if token == 'Internal Key Storage Token':
--            token = 'internal'
--        nssdb_password = self.instance.get_password(token)
-+
-+        if token and token.lower() in ['internal', 'internal key storage token']:
-+            token = None
-+
-+        nssdb_password = self.instance.get_token_password(token)
- 
-         tmpdir = tempfile.mkdtemp()
- 
-@@ -252,7 +256,7 @@ class PKISubsystem(object):
-                 '-C', nssdb_password_file
-             ]
- 
--            if token and token != 'internal':
-+            if token:
-                 cmd.extend(['--token', token])
- 
-             cmd.extend([
-@@ -271,7 +275,7 @@ class PKISubsystem(object):
-                 '-C', nssdb_password_file
-             ]
- 
--            if token and token != 'internal':
-+            if token:
-                 cmd.extend(['--token', token])
- 
-             cmd.extend([
-@@ -359,7 +363,8 @@ class PKISubsystem(object):
-             connection.set_credentials(
-                 client_cert_nickname=self.config[
-                     '%s.ldapauth.clientCertNickname' % name],
--                nssdb_password=self.instance.get_password('internal')
-+                # TODO: remove hard-coded token name
-+                nssdb_password=self.instance.get_token_password('internal')
-             )
- 
-         else:
-@@ -543,19 +548,41 @@ class PKIInstance(object):
-         return external_certs
- 
-     def get_password(self, name):
-+
-+        # find password (e.g. internaldb, replicationdb) in password.conf
-         if name in self.passwords:
-             return self.passwords[name]
- 
-+        # prompt for password if not found
-         password = getpass.getpass(prompt='Enter password for %s: ' % name)
-         self.passwords[name] = password
- 
-         return password
- 
-+    def get_token_password(self, token='internal'):
-+
-+        # determine the password name for the token
-+        if token.lower() in ['internal', 'internal key storage token']:
-+            name = 'internal'
-+
-+        else:
-+            name = 'hardware-%s' % token
-+
-+        # find password in password.conf
-+        if name in self.passwords:
-+            return self.passwords[name]
-+
-+        # prompt for password if not found
-+        password = getpass.getpass(prompt='Enter password for %s: ' % token)
-+        self.passwords[name] = password
-+
-+        return password
-+
-     def open_nssdb(self, token='internal'):
-         return pki.nssdb.NSSDatabase(
-             directory=self.nssdb_dir,
-             token=token,
--            password=self.get_password(token))
-+            password=self.get_token_password(token))
- 
-     def external_cert_exists(self, nickname, token):
-         for cert in self.external_certs:
-@@ -588,9 +615,11 @@ class PKIInstance(object):
-         for cert in self.external_certs:
-             nickname = cert.nickname
-             token = cert.token
--            if token == 'Internal Key Storage Token':
--                token = 'internal'
--            nssdb_password = self.get_password(token)
-+
-+            if token and token.lower() in ['internal', 'internal key storage token']:
-+                token = None
-+
-+            nssdb_password = self.get_token_password(token)
- 
-             tmpdir = tempfile.mkdtemp()
- 
-@@ -606,7 +635,7 @@ class PKIInstance(object):
-                     '-C', nssdb_password_file
-                 ]
- 
--                if token and token != 'internal':
-+                if token:
-                     cmd.extend(['--token', token])
- 
-                 cmd.extend([
-diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
-index 6e336e1..4a5a3b3 100644
---- a/base/server/python/pki/server/cli/instance.py
-+++ b/base/server/python/pki/server/cli/instance.py
-@@ -679,7 +679,7 @@ class InstanceExternalCertAddCLI(pki.cli.CLI):
-                            instance_name)
- 
-     def import_certs(self, instance, cert_file, nickname, token, trust_args):
--        password = instance.get_password(token)
-+        password = instance.get_token_password(token)
-         certdb = pki.nssdb.NSSDatabase(
-             directory=instance.nssdb_dir,
-             password=password,
-@@ -762,7 +762,7 @@ class InstanceExternalCertDeleteCLI(pki.cli.CLI):
-                            instance_name)
- 
-     def remove_cert(self, instance, nickname, token):
--        password = instance.get_password(token)
-+        password = instance.get_token_password(token)
-         certdb = pki.nssdb.NSSDatabase(
-             directory=instance.nssdb_dir,
-             password=password,
-diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
-index c92ed16..615b55e 100644
---- a/base/server/python/pki/server/cli/subsystem.py
-+++ b/base/server/python/pki/server/cli/subsystem.py
-@@ -843,14 +843,11 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
- 
-         print('  Token: %s' % token)
- 
--        if token == 'Internal Key Storage Token':
--            token = 'internal'
-+        if token and token.lower() in ['internal', 'internal key storage token']:
-+            token = None
- 
-         # get token password and store in temporary file
--        if token == 'internal':
--            passwd = instance.get_password('internal')
--        else:
--            passwd = instance.get_password("hardware-%s" % token)
-+        passwd = instance.get_token_password(token)
- 
-         pwfile_handle, pwfile_path = mkstemp()
-         os.write(pwfile_handle, passwd)
-@@ -860,7 +857,7 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
-             cmd = ['pki', '-d', instance.nssdb_dir,
-                    '-C', pwfile_path ]
- 
--            if token != 'internal':
-+            if token:
-                 cmd.extend(['--token', token])
- 
-             cmd.extend(['client-cert-validate',
--- 
-2.5.5
-
-
-From f0ab1c3d8bcd084ffe611e954b2d4f548f64cfd2 Mon Sep 17 00:00:00 2001
-From: Amol Kahat <akahat@redhat.com>
-Date: Tue, 21 Jun 2016 12:47:23 +0530
-Subject: Fixes pki-server subsystem-* --help options.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1340718
----
- base/server/python/pki/server/cli/subsystem.py | 155 +++++++++++++------------
- 1 file changed, 81 insertions(+), 74 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
-index 615b55e..45f5be9 100644
---- a/base/server/python/pki/server/cli/subsystem.py
-+++ b/base/server/python/pki/server/cli/subsystem.py
-@@ -90,7 +90,7 @@ class SubsystemFindCLI(pki.cli.CLI):
-                 self.set_verbose(True)
- 
-             elif o == '--help':
--                self.print_help()
-+                self.usage()
-                 sys.exit()
- 
-             else:
-@@ -138,12 +138,6 @@ class SubsystemShowCLI(pki.cli.CLI):
-             self.usage()
-             sys.exit(1)
- 
--        if len(args) != 1:
--            print('ERROR: missing subsystem ID')
--            self.usage()
--            sys.exit(1)
--
--        subsystem_name = args[0]
-         instance_name = 'pki-tomcat'
- 
-         for o, a in opts:
-@@ -154,7 +148,7 @@ class SubsystemShowCLI(pki.cli.CLI):
-                 self.set_verbose(True)
- 
-             elif o == '--help':
--                self.print_help()
-+                self.usage()
-                 sys.exit()
- 
-             else:
-@@ -162,6 +156,13 @@ class SubsystemShowCLI(pki.cli.CLI):
-                 self.usage()
-                 sys.exit(1)
- 
-+        if len(args) != 1:
-+            print('ERROR: missing subsystem ID')
-+            self.usage()
-+            sys.exit(1)
-+
-+        subsystem_name = args[0]
-+
-         instance = pki.server.PKIInstance(instance_name)
-         instance.load()
- 
-@@ -195,12 +196,6 @@ class SubsystemEnableCLI(pki.cli.CLI):
-             self.usage()
-             sys.exit(1)
- 
--        if len(args) != 1:
--            print('ERROR: missing subsystem ID')
--            self.usage()
--            sys.exit(1)
--
--        subsystem_name = args[0]
-         instance_name = 'pki-tomcat'
- 
-         for o, a in opts:
-@@ -211,7 +206,7 @@ class SubsystemEnableCLI(pki.cli.CLI):
-                 self.set_verbose(True)
- 
-             elif o == '--help':
--                self.print_help()
-+                self.usage()
-                 sys.exit()
- 
-             else:
-@@ -219,6 +214,13 @@ class SubsystemEnableCLI(pki.cli.CLI):
-                 self.usage()
-                 sys.exit(1)
- 
-+        if len(args) != 1:
-+            print('ERROR: missing subsystem ID')
-+            self.usage()
-+            sys.exit(1)
-+
-+        subsystem_name = args[0]
-+
-         instance = pki.server.PKIInstance(instance_name)
-         instance.load()
- 
-@@ -257,12 +259,6 @@ class SubsystemDisableCLI(pki.cli.CLI):
-             self.usage()
-             sys.exit(1)
- 
--        if len(args) != 1:
--            print('ERROR: missing subsystem ID')
--            self.usage()
--            sys.exit(1)
--
--        subsystem_name = args[0]
-         instance_name = 'pki-tomcat'
- 
-         for o, a in opts:
-@@ -273,7 +269,7 @@ class SubsystemDisableCLI(pki.cli.CLI):
-                 self.set_verbose(True)
- 
-             elif o == '--help':
--                self.print_help()
-+                self.usage()
-                 sys.exit()
- 
-             else:
-@@ -281,6 +277,13 @@ class SubsystemDisableCLI(pki.cli.CLI):
-                 self.usage()
-                 sys.exit(1)
- 
-+        if len(args) != 1:
-+            print('ERROR: missing subsystem ID')
-+            self.usage()
-+            sys.exit(1)
-+
-+        subsystem_name = args[0]
-+
-         instance = pki.server.PKIInstance(instance_name)
-         instance.load()
- 
-@@ -342,12 +345,6 @@ class SubsystemCertFindCLI(pki.cli.CLI):
-             self.print_help()
-             sys.exit(1)
- 
--        if len(args) != 1:
--            print('ERROR: missing subsystem ID')
--            self.print_help()
--            sys.exit(1)
--
--        subsystem_name = args[0]
-         instance_name = 'pki-tomcat'
-         show_all = False
- 
-@@ -370,6 +367,13 @@ class SubsystemCertFindCLI(pki.cli.CLI):
-                 self.print_help()
-                 sys.exit(1)
- 
-+        if len(args) != 1:
-+            print('ERROR: missing subsystem ID')
-+            self.print_help()
-+            sys.exit(1)
-+
-+        subsystem_name = args[0]
-+
-         instance = pki.server.PKIInstance(instance_name)
-         instance.load()
- 
-@@ -414,18 +418,6 @@ class SubsystemCertShowCLI(pki.cli.CLI):
-             self.usage()
-             sys.exit(1)
- 
--        if len(args) < 1:
--            print('ERROR: missing subsystem ID')
--            self.usage()
--            sys.exit(1)
--
--        if len(args) < 2:
--            print('ERROR: missing cert ID')
--            self.usage()
--            sys.exit(1)
--
--        subsystem_name = args[0]
--        cert_id = args[1]
-         instance_name = 'pki-tomcat'
- 
-         for o, a in opts:
-@@ -436,7 +428,7 @@ class SubsystemCertShowCLI(pki.cli.CLI):
-                 self.set_verbose(True)
- 
-             elif o == '--help':
--                self.print_help()
-+                self.usage()
-                 sys.exit()
- 
-             else:
-@@ -444,6 +436,20 @@ class SubsystemCertShowCLI(pki.cli.CLI):
-                 self.usage()
-                 sys.exit(1)
- 
-+        if len(args) < 1:
-+            print('ERROR: missing subsystem ID')
-+            self.usage()
-+            sys.exit(1)
-+
-+
-+        if len(args) < 2:
-+            print('ERROR: missing cert ID')
-+            self.usage()
-+            sys.exit(1)
-+
-+        subsystem_name = args[0]
-+        cert_id = args[1]
-+
-         instance = pki.server.PKIInstance(instance_name)
-         instance.load()
- 
-@@ -491,13 +497,6 @@ class SubsystemCertExportCLI(pki.cli.CLI):
-             self.print_help()
-             sys.exit(1)
- 
--        if len(args) < 1:
--            print('ERROR: missing subsystem ID')
--            self.print_help()
--            sys.exit(1)
--
--        subsystem_name = args[0]
--
-         instance_name = 'pki-tomcat'
-         cert_file = None
-         csr_file = None
-@@ -556,6 +555,13 @@ class SubsystemCertExportCLI(pki.cli.CLI):
-                 self.print_help()
-                 sys.exit(1)
- 
-+        if len(args) < 1:
-+            print('ERROR: missing subsystem ID')
-+            self.print_help()
-+            sys.exit(1)
-+
-+        subsystem_name = args[0]
-+
-         if not (cert_file or csr_file or pkcs12_file):
-             print('ERROR: missing output file')
-             self.print_help()
-@@ -646,18 +652,6 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
-             self.usage()
-             sys.exit(1)
- 
--        if len(args) < 1:
--            print('ERROR: missing subsystem ID')
--            self.usage()
--            sys.exit(1)
--
--        if len(args) < 2:
--            print('ERROR: missing cert ID')
--            self.usage()
--            sys.exit(1)
--
--        subsystem_name = args[0]
--        cert_id = args[1]
-         instance_name = 'pki-tomcat'
- 
-         for o, a in opts:
-@@ -668,7 +662,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
-                 self.set_verbose(True)
- 
-             elif o == '--help':
--                self.print_help()
-+                self.usage()
-                 sys.exit()
- 
-             else:
-@@ -676,6 +670,19 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
-                 self.usage()
-                 sys.exit(1)
- 
-+        if len(args) < 1:
-+            print('ERROR: missing subsystem ID')
-+            self.usage()
-+            sys.exit(1)
-+
-+        if len(args) < 2:
-+            print('ERROR: missing cert ID')
-+            self.usage()
-+            sys.exit(1)
-+
-+        subsystem_name = args[0]
-+        cert_id = args[1]
-+
-         instance = pki.server.PKIInstance(instance_name)
-         instance.load()
- 
-@@ -745,18 +752,6 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
-             self.usage()
-             sys.exit(1)
- 
--        if len(args) < 1:
--            print('ERROR: missing subsystem ID')
--            self.usage()
--            sys.exit(1)
--
--        subsystem_name = args[0]
--
--        if len(args) >=2:
--            cert_id = args[1]
--        else:
--            cert_id = None
--
-         instance_name = 'pki-tomcat'
- 
-         for o, a in opts:
-@@ -767,7 +762,7 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
-                 self.set_verbose(True)
- 
-             elif o == '--help':
--                self.print_help()
-+                self.usage()
-                 sys.exit()
- 
-             else:
-@@ -775,6 +770,18 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
-                 self.usage()
-                 sys.exit(1)
- 
-+        if len(args) < 1:
-+            print('ERROR: missing subsystem ID')
-+            self.usage()
-+            sys.exit(1)
-+
-+        subsystem_name = args[0]
-+
-+        if len(args) >=2:
-+            cert_id = args[1]
-+        else:
-+            cert_id = None
-+
-         instance = pki.server.PKIInstance(instance_name)
-         instance.load()
- 
--- 
-2.5.5
-
-
-From 7e1ffced6b91b28a0fcbb65df5087220be0b6c68 Mon Sep 17 00:00:00 2001
-From: Amol Kahat <akahat@redhat.com>
-Date: Tue, 21 Jun 2016 13:20:59 +0530
-Subject: Fixes: Invalid instance exception issue.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1348433
----
- base/server/python/pki/server/cli/instance.py | 40 +++++++++++++++++++++++++--
- 1 file changed, 37 insertions(+), 3 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
-index 4a5a3b3..b69519d 100644
---- a/base/server/python/pki/server/cli/instance.py
-+++ b/base/server/python/pki/server/cli/instance.py
-@@ -157,6 +157,11 @@ class InstanceCertExportCLI(pki.cli.CLI):
-             sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         if not pkcs12_password and not pkcs12_password_file:
-@@ -282,6 +287,11 @@ class InstanceShowCLI(pki.cli.CLI):
-         instance_name = args[0]
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         InstanceCLI.print_instance(instance)
-@@ -333,7 +343,7 @@ class InstanceStartCLI(pki.cli.CLI):
-         instance = pki.server.PKIInstance(instance_name)
- 
-         if not instance.is_valid():
--            self.print_message('%s instance not found' % instance_name)
-+            print('ERROR: Invalid instance %s.' % instance_name)
-             sys.exit(1)
- 
-         if instance.is_active():
-@@ -392,7 +402,7 @@ class InstanceStopCLI(pki.cli.CLI):
-         instance = pki.server.PKIInstance(instance_name)
- 
-         if not instance.is_valid():
--            self.print_message('%s instance not found' % instance_name)
-+            print('ERROR: Invalid instance %s.' % instance_name)
-             sys.exit(1)
- 
-         if not instance.is_active():
-@@ -470,6 +480,11 @@ class InstanceMigrateCLI(pki.cli.CLI):
-         module.set_debug(self.debug)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         module.migrate(  # pylint: disable=no-member,maybe-no-member
-@@ -526,8 +541,12 @@ class InstanceNuxwdogEnableCLI(pki.cli.CLI):
-         module.set_verbose(self.verbose)
- 
-         instance = pki.server.PKIInstance(instance_name)
--        instance.load()
- 
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-+        instance.load()
-         module.enable_nuxwdog(  # pylint: disable=no-member,maybe-no-member
-             instance)
- 
-@@ -580,6 +599,11 @@ class InstanceNuxwdogDisableCLI(pki.cli.CLI):
-         module.set_verbose(self.verbose)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         module.disable_nuxwdog(
-@@ -664,6 +688,11 @@ class InstanceExternalCertAddCLI(pki.cli.CLI):
-             sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         if instance.external_cert_exists(nickname, token):
-@@ -753,6 +782,11 @@ class InstanceExternalCertDeleteCLI(pki.cli.CLI):
-             sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         self.remove_cert(instance, nickname, token)
--- 
-2.5.5
-
-
-From 66223629c5d8e74be9f5a59734ab091b081435bc Mon Sep 17 00:00:00 2001
-From: Christina Fu <cfu@redhat.com>
-Date: Tue, 28 Jun 2016 11:28:42 -0700
-Subject: Ticket #1308 [RFE] Provide ability to perform off-card key generation
- for non-encryption token keys This is the patch to add missing serverKeygen
- params for non-encryption certs. By default it is disabled.
-
----
- base/tps/shared/conf/CS.cfg | 43 +++++++++++++++++++++++++++++++++++--------
- 1 file changed, 35 insertions(+), 8 deletions(-)
-
-diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
-index f552a54..258d5a7 100644
---- a/base/tps/shared/conf/CS.cfg
-+++ b/base/tps/shared/conf/CS.cfg
-@@ -332,6 +332,9 @@ op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.scheme=Ge
- op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert=false
- op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason=6
- op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.archive=false
-+op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.drm.conn=kra1
-+op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.enable=false
- op.enroll.delegateIEtoken.keyGen.encryption.ca.conn=ca1
- op.enroll.delegateIEtoken.keyGen.encryption.private.keyCapabilities.decrypt=true
- op.enroll.delegateIEtoken.keyGen.encryption.private.keyCapabilities.derive=false
-@@ -359,7 +362,7 @@ op.enroll.delegateIEtoken.keyGen.encryption.public.keyCapabilities.verifyRecover
- op.enroll.delegateIEtoken.keyGen.encryption.public.keyCapabilities.wrap=true
- op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.archive=true
- op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.drm.conn=kra1
--op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.enable=true
-+op.enroll.delegateIEtoken.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
- op.enroll.delegateIEtoken.keyGen.keyType.num=1
- op.enroll.delegateIEtoken.keyGen.keyType.value.0=authentication
- op.enroll.delegateIEtoken.keyGen.recovery.destroyed.keyType.num=1
-@@ -501,6 +504,9 @@ op.enroll.delegateISEtoken.keyGen.authentication.recovery.keyCompromise.scheme=G
- op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.revokeCert=false
- op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason=6
- op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.authentication.serverKeygen.archive=false
-+op.enroll.delegateISEtoken.keyGen.authentication.serverKeygen.drm.conn=kra1
-+op.enroll.delegateISEtoken.keyGen.authentication.serverKeygen.enable=false
- op.enroll.delegateISEtoken.keyGen.encryption.SANpattern=$auth.mail$,$auth.exec-edipi$.$auth.exec-pcc$@EXAMPLE.com
- op.enroll.delegateISEtoken.keyGen.encryption._000=#########################################
- op.enroll.delegateISEtoken.keyGen.encryption._001=# encryption cert/keys are "recovered" for this profile
-@@ -556,7 +562,7 @@ op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.revokeCert.reason=6
- op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
- op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.archive=true
- op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.drm.conn=kra1
--op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.enable=true
-+op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
- op.enroll.delegateISEtoken.keyGen.keyType.num=2
- op.enroll.delegateISEtoken.keyGen.keyType.value.0=signing
- op.enroll.delegateISEtoken.keyGen.keyType.value.1=authentication
-@@ -618,6 +624,9 @@ op.enroll.delegateISEtoken.keyGen.signing.recovery.keyCompromise.scheme=Generate
- op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.revokeCert=false
- op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.revokeCert.reason=6
- op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.signing.serverKeygen.archive=false
-+op.enroll.delegateISEtoken.keyGen.signing.serverKeygen.drm.conn=kra1
-+op.enroll.delegateISEtoken.keyGen.signing.serverKeygen.enable=false
- op.enroll.delegateISEtoken.keyGen.tokenName=$auth.cn$
- op.enroll.delegateISEtoken.loginRequest.enable=true
- op.enroll.delegateISEtoken.pinReset.enable=true
-@@ -736,12 +745,12 @@ op.enroll.externalRegAddToToken.keyGen.encryption.public.keyCapabilities.wrap=tr
- op.enroll.externalRegAddToToken.keyGen.encryption.recovery.destroyed.revokeCert=false
- op.enroll.externalRegAddToToken.keyGen.encryption.recovery.keyCompromise.revokeCert=false
- op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.revokeCert=false
--op.enroll.externalRegAddToToken.keyGen.signing.recovery.destroyed.revokeCert=false
--op.enroll.externalRegAddToToken.keyGen.signing.recovery.keyCompromise.revokeCert=false
--op.enroll.externalRegAddToToken.keyGen.signing.recovery.onHold.revokeCert=false
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.destroyed.revokeCert=false
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.keyCompromise.revokeCert=false
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.revokeCert=false
- op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.archive=true
- op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.drm.conn=kra1
--op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.enable=true
-+op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
- op.enroll.externalRegAddToToken.keyGen.tokenName=$auth.cn$
- op.enroll.externalRegAddToToken.loginRequest.enable=true
- op.enroll.externalRegAddToToken.pkcs11obj.compress.enable=true
-@@ -894,6 +903,9 @@ op.enroll.soKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
- op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
- op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert=true
- op.enroll.soKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.soKey.keyGen.signing.serverKeygen.archive=false
-+op.enroll.soKey.keyGen.signing.serverKeygen.drm.conn=kra1
-+op.enroll.soKey.keyGen.signing.serverKeygen.enable=false
- op.enroll.soKey.keyGen.tokenName=$auth.cn$
- op.enroll.soKey.loginRequest.enable=true
- op.enroll.soKey.pinReset.enable=true
-@@ -948,6 +960,9 @@ op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.unwrap=false
- op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
- op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
- op.enroll.soKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
-+op.enroll.soKeyTemporary.keyGen.auth.serverKeygen.archive=false
-+op.enroll.soKeyTemporary.keyGen.auth.serverKeygen.drm.conn=kra1
-+op.enroll.soKeyTemporary.keyGen.auth.serverKeygen.enable=false
- op.enroll.soKeyTemporary.keyGen.auth.publicKeyNumber=1
- op.enroll.soKeyTemporary.keyGen.encryption.ca.conn=ca1
- op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
-@@ -992,7 +1007,7 @@ op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
- op.enroll.soKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
- op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.archive=true
- op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=kra1
--op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=true
-+op.enroll.soKeyTemporary.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
- op.enroll.soKeyTemporary.keyGen.keyType.num=3
- op.enroll.soKeyTemporary.keyGen.keyType.value.0=auth
- op.enroll.soKeyTemporary.keyGen.keyType.value.1=signing
-@@ -1041,6 +1056,9 @@ op.enroll.soKeyTemporary.keyGen.signing.publicKeyNumber=3
- op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
- op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
- op.enroll.soKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.soKeyTemporary.keyGen.signing.serverKeygen.archive=false
-+op.enroll.soKeyTemporary.keyGen.signing.serverKeygen.drm.conn=kra1
-+op.enroll.soKeyTemporary.keyGen.signing.serverKeygen.enable=false
- op.enroll.soKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
- op.enroll.soKeyTemporary.loginRequest.enable=true
- op.enroll.soKeyTemporary.pinReset.enable=true
-@@ -1187,6 +1205,9 @@ op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
- op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
- op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true
- op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.userKey.keyGen.signing.serverKeygen.archive=false
-+op.enroll.userKey.keyGen.signing.serverKeygen.drm.conn=kra1
-+op.enroll.userKey.keyGen.signing.serverKeygen.enable=false
- op.enroll.userKey.keyGen.tokenName=$auth.cn$
- op.enroll.userKey.loginRequest.enable=true
- op.enroll.userKey.pinReset.enable=true
-@@ -1255,6 +1276,9 @@ op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verifyRecover=true
- op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.verify=true
- op.enroll.userKeyTemporary.keyGen.auth.public.keyCapabilities.wrap=false
- op.enroll.userKeyTemporary.keyGen.auth.publicKeyNumber=1
-+op.enroll.userKeyTemporary.keyGen.auth.serverKeygen.archive=false
-+op.enroll.userKeyTemporary.keyGen.auth.serverKeygen.drm.conn=kra1
-+op.enroll.userKeyTemporary.keyGen.auth.serverKeygen.enable=false
- op.enroll.userKeyTemporary.keyGen.encryption.ca.conn=ca1
- op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptionKeyEnrollment
- op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
-@@ -1298,7 +1322,7 @@ op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.revokeCert=true
- op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=RecoverLast
- op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.archive=true
- op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.drm.conn=kra1
--op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=true
-+op.enroll.userKeyTemporary.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
- op.enroll.userKeyTemporary.keyGen.keyType.num=3
- op.enroll.userKeyTemporary.keyGen.keyType.value.0=auth
- op.enroll.userKeyTemporary.keyGen.keyType.value.1=signing
-@@ -1347,6 +1371,9 @@ op.enroll.userKeyTemporary.keyGen.signing.publicKeyNumber=3
- op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert.reason=0
- op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.revokeCert=true
- op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.userKeyTemporary.keyGen.signing.serverKeygen.archive=false
-+op.enroll.userKeyTemporary.keyGen.signing.serverKeygen.drm.conn=kra1
-+op.enroll.userKeyTemporary.keyGen.signing.serverKeygen.enable=false
- op.enroll.userKeyTemporary.keyGen.tokenName=$auth.cn$ (Temporary)
- op.enroll.userKeyTemporary.loginRequest.enable=true
- op.enroll.userKeyTemporary.pinReset.enable=true
--- 
-2.5.5
-
-
-From 8598a68ac954d1020f4e0063e257a20512961567 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Tue, 21 Jun 2016 18:39:25 +0200
-Subject: Fixed KRA cloning issue.
-
-The pki pkcs12-import CLI has been modified not to import
-certificates that already exist in the NSS database unless
-specifically requested with the --overwrite parameter. This
-will avoid changing the trust flags of the CA signing
-certificate during KRA cloning.
-
-The some other classes have been modified to provide better
-debugging information.
-
-https://fedorahosted.org/pki/ticket/2374
----
- base/common/python/pki/cli/pkcs12.py               | 19 +++++++++++++-
- base/common/python/pki/nssdb.py                    | 22 ++++++++++++----
- .../netscape/cmstools/pkcs12/PKCS12ImportCLI.java  |  6 +++--
- .../cms/servlet/csadmin/ConfigurationUtils.java    | 29 ++++++++++++++++++++--
- .../cmscore/ldapconn/LdapJssSSLSocketFactory.java  | 18 ++++++++------
- .../src/netscape/security/pkcs/PKCS12Util.java     | 21 +++++++++++-----
- 6 files changed, 91 insertions(+), 24 deletions(-)
-
-diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
-index a7c32cc..3fcea35 100644
---- a/base/common/python/pki/cli/pkcs12.py
-+++ b/base/common/python/pki/cli/pkcs12.py
-@@ -55,6 +55,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
-         print('      --no-trust-flags               Do not include trust flags')
-         print('      --no-user-certs                Do not import user certificates')
-         print('      --no-ca-certs                  Do not import CA certificates')
-+        print('      --overwrite                    Overwrite existing certificates')
-         print('  -v, --verbose                      Run in verbose mode.')
-         print('      --debug                        Run in debug mode.')
-         print('      --help                         Show help message.')
-@@ -65,7 +66,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
-         try:
-             opts, _ = getopt.gnu_getopt(args, 'v', [
-                 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
--                'no-trust-flags', 'no-user-certs', 'no-ca-certs',
-+                'no-trust-flags', 'no-user-certs', 'no-ca-certs', 'overwrite',
-                 'verbose', 'debug', 'help'])
- 
-         except getopt.GetoptError as e:
-@@ -79,6 +80,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
-         no_trust_flags = False
-         import_user_certs = True
-         import_ca_certs = True
-+        overwrite = False
-         debug = False
- 
-         for o, a in opts:
-@@ -100,6 +102,9 @@ class PKCS12ImportCLI(pki.cli.CLI):
-             elif o == '--no-ca-certs':
-                 import_ca_certs = False
- 
-+            elif o == '--overwrite':
-+                overwrite = True
-+
-             elif o in ('-v', '--verbose'):
-                 self.set_verbose(True)
- 
-@@ -221,6 +226,15 @@ class PKCS12ImportCLI(pki.cli.CLI):
-                     cert_id = cert_info['id']
-                     nickname = cert_info['nickname']
- 
-+                    cert = nssdb.get_cert(nickname)
-+
-+                    if cert:
-+                        if not overwrite:
-+                            print('WARNING: cert %s already exists' % nickname)
-+                            continue
-+
-+                        nssdb.remove_cert(nickname)
-+
-                     if 'trust_flags' in cert_info:
-                         trust_flags = cert_info['trust_flags']
-                     else:
-@@ -292,6 +306,9 @@ class PKCS12ImportCLI(pki.cli.CLI):
-             if no_trust_flags:
-                 cmd.extend(['--no-trust-flags'])
- 
-+            if overwrite:
-+                cmd.extend(['--overwrite'])
-+
-             if self.verbose:
-                 cmd.extend(['--verbose'])
- 
-diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
-index 0c27c3f..f563fd8 100644
---- a/base/common/python/pki/nssdb.py
-+++ b/base/common/python/pki/nssdb.py
-@@ -423,12 +423,20 @@ class NSSDatabase(object):
-             output_format_option
-         ])
- 
--        cert_data = subprocess.check_output(cmd)
-+        try:
-+            cert_data = subprocess.check_output(cmd)
-+
-+            if output_format == 'base64':
-+                cert_data = base64.b64encode(cert_data)
- 
--        if output_format == 'base64':
--            cert_data = base64.b64encode(cert_data)
-+            return cert_data
- 
--        return cert_data
-+        except subprocess.CalledProcessError:
-+            # All certutil errors return the same code (i.e. 255).
-+            # For now assume it was caused by missing certificate.
-+            # TODO: Check error message. If it's caused by other
-+            # issue, throw exception.
-+            return None
- 
-     def remove_cert(self, nickname):
- 
-@@ -576,7 +584,8 @@ class NSSDatabase(object):
-                       pkcs12_password=None,
-                       pkcs12_password_file=None,
-                       no_user_certs=False,
--                      no_ca_certs=False):
-+                      no_ca_certs=False,
-+                      overwrite=False):
- 
-         tmpdir = tempfile.mkdtemp()
- 
-@@ -613,6 +622,9 @@ class NSSDatabase(object):
-             if no_ca_certs:
-                 cmd.extend(['--no-ca-certs'])
- 
-+            if overwrite:
-+                cmd.extend(['--overwrite'])
-+
-             subprocess.check_call(cmd)
- 
-         finally:
-diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java
-index ae574d3..862fffb 100644
---- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java
-+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java
-@@ -61,6 +61,7 @@ public class PKCS12ImportCLI extends CLI {
-         options.addOption(option);
- 
-         options.addOption(null, "no-trust-flags", false, "Do not include trust flags");
-+        options.addOption(null, "overwrite", false, "Overwrite existing certificates");
- 
-         options.addOption("v", "verbose", false, "Run in verbose mode.");
-         options.addOption(null, "debug", false, "Run in debug mode.");
-@@ -125,6 +126,7 @@ public class PKCS12ImportCLI extends CLI {
-         Password password = new Password(passwordString.toCharArray());
- 
-         boolean trustFlagsEnabled = !cmd.hasOption("no-trust-flags");
-+        boolean overwrite = cmd.hasOption("overwrite");
- 
-         try {
-             PKCS12Util util = new PKCS12Util();
-@@ -134,12 +136,12 @@ public class PKCS12ImportCLI extends CLI {
- 
-             if (nicknames.length == 0) {
-                 // store all certificates
--                util.storeIntoNSS(pkcs12);
-+                util.storeIntoNSS(pkcs12, overwrite);
- 
-             } else {
-                 // load specified certificates
-                 for (String nickname : nicknames) {
--                    util.storeCertIntoNSS(pkcs12, nickname);
-+                    util.storeCertIntoNSS(pkcs12, nickname, overwrite);
-                 }
-             }
- 
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-index 2da4e48..308f3e7 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-@@ -686,6 +686,7 @@ public class ConfigurationUtils {
-     public static boolean updateConfigEntries(String hostname, int port, boolean https,
-             String servlet, MultivaluedMap<String, String> content, IConfigStore config)
-                     throws Exception {
-+
-         CMS.debug("updateConfigEntries start");
-         String c = post(hostname, port, https, servlet, content, null, null);
- 
-@@ -704,6 +705,7 @@ public class ConfigurationUtils {
- 
-                 cstype = config.getString("cs.type", "");
- 
-+                CMS.debug("Master's configuration:");
-                 Document doc = parser.getDocument();
-                 NodeList list = doc.getElementsByTagName("name");
-                 int len = list.getLength();
-@@ -711,9 +713,12 @@ public class ConfigurationUtils {
-                     Node n = list.item(i);
-                     NodeList nn = n.getChildNodes();
-                     String name = nn.item(0).getNodeValue();
-+                    CMS.debug(" - " + name);
-+
-                     Node parent = n.getParentNode();
-                     nn = parent.getChildNodes();
-                     int len1 = nn.getLength();
-+
-                     String v = "";
-                     for (int j = 0; j < len1; j++) {
-                         Node nv = nn.item(j);
-@@ -729,33 +734,43 @@ public class ConfigurationUtils {
-                     if (name.equals("internaldb.basedn")) {
-                         config.putString(name, v);
-                         config.putString("preop.internaldb.master.basedn", v);
-+
-                     } else if (name.startsWith("internaldb")) {
-                         config.putString(name.replaceFirst("internaldb", "preop.internaldb.master"), v);
-+
-                     } else if (name.equals("instanceId")) {
-                         config.putString("preop.master.instanceId", v);
-+
-                     } else if (name.equals("cloning.signing.nickname")) {
-                         config.putString("preop.master.signing.nickname", v);
-                         config.putString("preop.cert.signing.nickname", v);
-+
-                     } else if (name.equals("cloning.ocsp_signing.nickname")) {
-                         config.putString("preop.master.ocsp_signing.nickname", v);
-                         config.putString("preop.cert.ocsp_signing.nickname", v);
-+
-                     } else if (name.equals("cloning.subsystem.nickname")) {
-                         config.putString("preop.master.subsystem.nickname", v);
-                         config.putString("preop.cert.subsystem.nickname", v);
-+
-                     } else if (name.equals("cloning.transport.nickname")) {
-                         config.putString("preop.master.transport.nickname", v);
-                         config.putString("kra.transportUnit.nickName", v);
-                         config.putString("preop.cert.transport.nickname", v);
-+
-                     } else if (name.equals("cloning.storage.nickname")) {
-                         config.putString("preop.master.storage.nickname", v);
-                         config.putString("kra.storageUnit.nickName", v);
-                         config.putString("preop.cert.storage.nickname", v);
-+
-                     } else if (name.equals("cloning.audit_signing.nickname")) {
-                         config.putString("preop.master.audit_signing.nickname", v);
-                         config.putString("preop.cert.audit_signing.nickname", v);
-                         config.putString(name, v);
-+
-                     } else if (name.startsWith("cloning.ca")) {
-                         config.putString(name.replaceFirst("cloning", "preop"), v);
-+
-                     } else if (name.equals("cloning.signing.keyalgorithm")) {
-                         config.putString(name.replaceFirst("cloning", "preop.cert"), v);
-                         if (cstype.equals("CA")) {
-@@ -767,13 +782,16 @@ public class ConfigurationUtils {
-                     } else if (name.equals("cloning.transport.keyalgorithm")) {
-                         config.putString(name.replaceFirst("cloning", "preop.cert"), v);
-                         config.putString("kra.transportUnit.signingAlgorithm", v);
-+
-                     } else if (name.equals("cloning.ocsp_signing.keyalgorithm")) {
-                         config.putString(name.replaceFirst("cloning", "preop.cert"), v);
-                         if (cstype.equals("CA")) {
-                             config.putString("ca.ocsp_signing.defaultSigningAlgorithm", v);
-                         }
-+
-                     } else if (name.startsWith("cloning")) {
-                         config.putString(name.replaceFirst("cloning", "preop.cert"), v);
-+
-                     } else {
-                         config.putString(name, v);
-                     }
-@@ -1183,12 +1201,15 @@ public class ConfigurationUtils {
-         return org.mozilla.jss.crypto.PrivateKey.Type.RSA;
-     }
- 
--    public static boolean isCASigningCert(String name) {
-+    public static boolean isCASigningCert(String name) throws EBaseException {
-         IConfigStore cs = CMS.getConfigStore();
-         try {
-             String nickname = cs.getString("preop.master.signing.nickname");
-+            CMS.debug("Property preop.master.signing.nickname: " + nickname);
-             if (nickname.equals(name)) return true;
--        } catch(Exception e) {
-+
-+        } catch (EPropertyNotFound e) {
-+            CMS.debug("Property preop.master.signing.nickname not found -> cert " + name + " is not CA signing cert");
-             // nickname may not exist if this is not cloning a CA
-         };
- 
-@@ -1245,6 +1266,8 @@ public class ConfigurationUtils {
-         IConfigStore cs = CMS.getConfigStore();
-         String certList = cs.getString("preop.cert.list", "");
-         StringTokenizer st = new StringTokenizer(certList, ",");
-+
-+        CMS.debug("Master certs:");
-         while (st.hasMoreTokens()) {
-             String s = st.nextToken();
-             if (s.equals("sslserver"))
-@@ -1256,7 +1279,9 @@ public class ConfigurationUtils {
-             name = "preop.cert." + s + ".dn";
-             String dn = cs.getString(name);
-             list.add(dn);
-+            CMS.debug(" - " + name + ": " + dn);
-         }
-+
-         return list;
-     }
- 
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
-index 720882a..182812c 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
-@@ -21,9 +21,6 @@ import java.io.IOException;
- import java.net.Socket;
- import java.net.UnknownHostException;
- 
--import netscape.ldap.LDAPException;
--import netscape.ldap.LDAPSSLSocketFactoryExt;
--
- import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
- import org.mozilla.jss.ssl.SSLHandshakeCompletedListener;
- import org.mozilla.jss.ssl.SSLSocket;
-@@ -31,6 +28,9 @@ import org.mozilla.jss.ssl.SSLSocket;
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.logging.ILogger;
- 
-+import netscape.ldap.LDAPException;
-+import netscape.ldap.LDAPSSLSocketFactoryExt;
-+
- /**
-  * Uses HCL ssl socket.
-  *
-@@ -65,17 +65,18 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
- 
-             if (mClientAuthCertNickname != null) {
-                 mClientAuth = true;
--                CMS.debug(
--                        "LdapJssSSLSocket set client auth cert nickname" +
--                                mClientAuthCertNickname);
-+                CMS.debug("LdapJssSSLSocket: set client auth cert nickname " +
-+                        mClientAuthCertNickname);
-                 s.setClientCertNickname(mClientAuthCertNickname);
-             }
-             s.forceHandshake();
-+
-         } catch (UnknownHostException e) {
-             log(ILogger.LL_FAILURE,
-                     CMS.getLogMessage("CMSCORE_LDAPCONN_UNKNOWN_HOST"));
-             throw new LDAPException(
--                    "Cannot Create JSS SSL Socket - Unknown host");
-+                    "Cannot Create JSS SSL Socket - Unknown host: " + e);
-+
-         } catch (IOException e) {
-             if (s != null) {
-                 try {
-@@ -85,8 +86,9 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
-                 }
-             }
-             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_LDAPCONN_IO_ERROR", e.toString()));
--            throw new LDAPException("IO Error creating JSS SSL Socket");
-+            throw new LDAPException("IO Error creating JSS SSL Socket: " + e);
-         }
-+
-         return s;
-     }
- 
-diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
-index b1b0f07..178a861 100644
---- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
-+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
-@@ -635,14 +635,23 @@ public class PKCS12Util {
-         wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publicKey), publicKey);
-     }
- 
--    public void storeCertIntoNSS(PKCS12 pkcs12, PKCS12CertInfo certInfo) throws Exception {
-+    public void storeCertIntoNSS(PKCS12 pkcs12, PKCS12CertInfo certInfo, boolean overwrite) throws Exception {
- 
-         CryptoManager cm = CryptoManager.getInstance();
-+        CryptoToken ct = cm.getInternalKeyStorageToken();
-+        CryptoStore store = ct.getCryptoStore();
- 
--        X509Certificate cert;
-         BigInteger id = certInfo.getID();
-         PKCS12KeyInfo keyInfo = pkcs12.getKeyInfoByID(id);
- 
-+        for (X509Certificate cert : cm.findCertsByNickname(certInfo.nickname)) {
-+            if (!overwrite) {
-+                return;
-+            }
-+            store.deleteCert(cert);
-+        }
-+
-+        X509Certificate cert;
-         if (keyInfo != null) { // cert has key
-             logger.fine("Importing user key for " + certInfo.nickname);
-             importKey(pkcs12, keyInfo);
-@@ -660,19 +669,19 @@ public class PKCS12Util {
-             setTrustFlags(cert, certInfo.trustFlags);
-     }
- 
--    public void storeCertIntoNSS(PKCS12 pkcs12, String nickname) throws Exception {
-+    public void storeCertIntoNSS(PKCS12 pkcs12, String nickname, boolean overwrite) throws Exception {
-         Collection<PKCS12CertInfo> certInfos = pkcs12.getCertInfosByNickname(nickname);
-         for (PKCS12CertInfo certInfo : certInfos) {
--            storeCertIntoNSS(pkcs12, certInfo);
-+            storeCertIntoNSS(pkcs12, certInfo, overwrite);
-         }
-     }
- 
--    public void storeIntoNSS(PKCS12 pkcs12) throws Exception {
-+    public void storeIntoNSS(PKCS12 pkcs12, boolean overwrite) throws Exception {
- 
-         logger.info("Storing data into NSS database");
- 
-         for (PKCS12CertInfo certInfo : pkcs12.getCertInfos()) {
--            storeCertIntoNSS(pkcs12, certInfo);
-+            storeCertIntoNSS(pkcs12, certInfo, overwrite);
-         }
-     }
- }
--- 
-2.5.5
-
-
-From 00ac032c8995756f5bfdaab5a7f6ae441ac7dda3 Mon Sep 17 00:00:00 2001
-From: Matthew Harmsen <mharmsen@pki.usersys.redhat.com>
-Date: Fri, 24 Jun 2016 14:39:59 -0600
-Subject: Normalize default softokn name
-
-- PKI TRAC Ticket #2311 - When pki_token_name=Internal,
-  consider normalizing it to "internal"
----
- base/server/python/pki/server/deployment/pkiparser.py | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
-index b1fc213..dc5d7f6 100644
---- a/base/server/python/pki/server/deployment/pkiparser.py
-+++ b/base/server/python/pki/server/deployment/pkiparser.py
-@@ -1181,6 +1181,11 @@ class PKIConfigParser:
-             #         self.mdict['pki_clone_pkcs12_path']
-             #         self.mdict['pki_clone_uri']
-             #         self.mdict['pki_security_domain_https_port']
-+            #
-+            #     The following variables are established via the specified PKI
-+            #     deployment configuration file and potentially "normalized"
-+            #     below:
-+            #
-             #         self.mdict['pki_token_name']
-             #
-             #     The following variables are established via the specified PKI
-@@ -1191,6 +1196,11 @@ class PKIConfigParser:
-             #         self.mdict['pki_issuing_ca']
-             #
- 
-+            # if the case insensitive softokn name is the 'default' value
-+            if (self.mdict['pki_token_name'].lower() == "internal"):
-+                # always normalize 'default' softokn name
-+                self.mdict['pki_token_name'] = "internal"
-+
-             # if security domain user is not defined
-             if not len(self.mdict['pki_security_domain_user']):
- 
--- 
-2.5.5
-
-
-From 659c90869a27871eda27fd730d00b0499873dae2 Mon Sep 17 00:00:00 2001
-From: Christina Fu <cfu@redhat.com>
-Date: Tue, 28 Jun 2016 18:00:03 -0700
-Subject: Ticket 2389 Installation: subsystem certs could have notAfter beyond
- CA signing cert in case of external or existing CA
-
-This patch implements validity check on the notAfter value of the certInfo
-and adjusts it to that of the CA's notAfter if exceeding
----
- .../netscape/cms/profile/def/ValidityDefault.java  | 23 ++++++++++++++++++++++
- .../com/netscape/cms/servlet/csadmin/CertUtil.java |  3 +++
- 2 files changed, 26 insertions(+)
-
-diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
-index 634d070..21ec8ea 100644
---- a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
-@@ -26,6 +26,7 @@ import java.util.Locale;
- 
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.IConfigStore;
-+import com.netscape.certsrv.ca.ICertificateAuthority;
- import com.netscape.certsrv.profile.EProfileException;
- import com.netscape.certsrv.profile.IProfile;
- import com.netscape.certsrv.property.Descriptor;
-@@ -34,6 +35,7 @@ import com.netscape.certsrv.property.IDescriptor;
- import com.netscape.certsrv.request.IRequest;
- 
- import netscape.security.x509.CertificateValidity;
-+import netscape.security.x509.X509CertImpl;
- import netscape.security.x509.X509CertInfo;
- 
- /**
-@@ -301,6 +303,27 @@ public class ValidityDefault extends EnrollDefault {
-         Date notAfter = date.getTime();
-         CMS.debug("ValidityDefault: not after: " + notAfter);
- 
-+        // check and fix notAfter if needed
-+        // installAdjustValidity is set during installation if needed
-+        boolean adjustValidity =
-+                request.getExtDataInBoolean("installAdjustValidity", false);
-+        if (adjustValidity) {
-+            CMS.debug("ValidityDefault: populate: adjustValidity is true");
-+            ICertificateAuthority ca = (ICertificateAuthority)
-+                    CMS.getSubsystem(CMS.SUBSYSTEM_CA);
-+            try {
-+                X509CertImpl caCert = ca.getCACert();
-+                Date caNotAfter = caCert.getNotAfter();
-+                if (notAfter.after(caNotAfter)) {
-+                    notAfter = caNotAfter;
-+                    CMS.debug("ValidityDefault: populate: resetting notAfter to caNotAfter");
-+                }
-+            } catch (Exception e) {
-+                throw new EProfileException(
-+                        "Unable to get ca certificate: " + e.getMessage(), e);
-+            }
-+        }
-+
-         CertificateValidity validity =
-                 new CertificateValidity(notBefore, notAfter);
- 
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
-index 774ff94..495e4c0 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
-@@ -535,6 +535,9 @@ public class CertUtil {
-                 CMS.debug("Creating local request exception:" + e.toString());
-             }
- 
-+            // installAdjustValidity tells ValidityDefault to adjust the
-+            // notAfter value to that of the CA's signing cert if needed
-+            req.setExtData("installAdjustValidity", "true");
-             processor.populate(req, info);
- 
-             PrivateKey caPrik = null;
--- 
-2.5.5
-
-
-From 63a58cf51ef2982e8a35eff1f98dd42453e5681e Mon Sep 17 00:00:00 2001
-From: Christina Fu <cfu@redhat.com>
-Date: Thu, 30 Jun 2016 14:03:24 -0700
-Subject: Ticket #1306 config params: Add granularity to token termination in
- TPS
-
-This patch adds the missing configuration parameters that go with the
-original bug.  The code would take on defaults when these parameters are
-missing, but putting them in the CS.cfg would make it easier for the
-administrators.
----
- base/tps/shared/conf/CS.cfg | 123 ++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 119 insertions(+), 4 deletions(-)
-
-diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
-index 258d5a7..4f2b391 100644
---- a/base/tps/shared/conf/CS.cfg
-+++ b/base/tps/shared/conf/CS.cfg
-@@ -265,7 +265,20 @@ op.enroll._000=#########################################
- op.enroll._001=# TPS Profiles
- op.enroll._002=#  - Operations
- op.enroll._003=#   <op> - operation; enroll,pinReset,format
--op.enroll._004=#########################################
-+op.enroll._004=#
-+op.enroll._005=# Revocation Reasons (revokeCert.reason) according to RFC 5280
-+op.enroll._006=#     unspecified (0)
-+op.enroll._007=#     keyCompromise (1)
-+op.enroll._008=#     CACompromise (2)
-+op.enroll._009=#     affiliationChanged (3)
-+op.enroll._010=#     superseded (4)
-+op.enroll._011=#     cessationOfOperation (5)
-+op.enroll._012=#     certificateHold (6)
-+op.enroll._013=#     removeFromCRL (8)
-+op.enroll._014=#     privilegeWithdrawn (9)
-+op.enroll._015=#     AACompromise (10)
-+op.enroll._016=#
-+op.enroll._017=#########################################
- op.enroll.delegateIEtoken._000=#########################################
- op.enroll.delegateIEtoken._001=# Enrollment for externalReg 
- op.enroll.delegateIEtoken._002=#     ID, Encryption
-@@ -326,12 +339,23 @@ op.enroll.delegateIEtoken.keyGen.authentication.publicKeyNumber=7
- op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.revokeCert=false
- op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.revokeCert.reason=0
- op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.scheme=GenerateNewKey
-+op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.holdRevocationUntilLastCredential=false
-+op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.revokeExpiredCerts=false
- op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert=false
- op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert.reason=1
- op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.scheme=GenerateNewKey
-+op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.holdRevocationUntilLastCredential=false
-+op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.revokeExpiredCerts=false
-+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.revokeCert=true
-+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.revokeCert.reason=1
-+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.scheme=GenerateNewKey
-+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.holdRevocationUntilLastCredential=false
-+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.revokeExpiredCerts=false
- op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert=false
- op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason=6
- op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.holdRevocationUntilLastCredential=false
-+op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeExpiredCerts=false
- op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.archive=false
- op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.drm.conn=kra1
- op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.enable=false
-@@ -498,12 +522,23 @@ op.enroll.delegateISEtoken.keyGen.authentication.publicKeyNumber=7
- op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.revokeCert=false
- op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.revokeCert.reason=0
- op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.holdRevocationUntilLastCredential=false
-+op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.revokeExpiredCerts=false
- op.enroll.delegateISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert=false
- op.enroll.delegateISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert.reason=1
- op.enroll.delegateISEtoken.keyGen.authentication.recovery.keyCompromise.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.authentication.recovery.keyCompromise.holdRevocationUntilLastCredential=false
-+op.enroll.delegateISEtoken.keyGen.authentication.recovery.keyCompromise.revokeExpiredCerts=false
-+op.enroll.delegateISEtoken.keyGen.authentication.recovery.terminated.revokeCert=true
-+op.enroll.delegateISEtoken.keyGen.authentication.recovery.terminated.revokeCert.reason=1
-+op.enroll.delegateISEtoken.keyGen.authentication.recovery.terminated.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.authentication.recovery.terminated.holdRevocationUntilLastCredential=false
-+op.enroll.delegateISEtoken.keyGen.authentication.recovery.terminated.revokeExpiredCerts=false
- op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.revokeCert=false
- op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason=6
- op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.holdRevocationUntilLastCredential=false
-+op.enroll.delegateISEtoken.keyGen.authentication.recovery.onHold.revokeExpiredCerts=false
- op.enroll.delegateISEtoken.keyGen.authentication.serverKeygen.archive=false
- op.enroll.delegateISEtoken.keyGen.authentication.serverKeygen.drm.conn=kra1
- op.enroll.delegateISEtoken.keyGen.authentication.serverKeygen.enable=false
-@@ -554,12 +589,23 @@ op.enroll.delegateISEtoken.keyGen.encryption.publicKeyNumber=5
- op.enroll.delegateISEtoken.keyGen.encryption.recovery.destroyed.revokeCert=false
- op.enroll.delegateISEtoken.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
- op.enroll.delegateISEtoken.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
-+op.enroll.delegateISEtoken.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential=false
-+op.enroll.delegateISEtoken.keyGen.encryption.recovery.destroyed.revokeExpiredCerts=false
- op.enroll.delegateISEtoken.keyGen.encryption.recovery.keyCompromise.revokeCert=false
- op.enroll.delegateISEtoken.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
- op.enroll.delegateISEtoken.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.encryption.recovery.keyCompromise.holdRevocationUntilLastCredential=false
-+op.enroll.delegateISEtoken.keyGen.encryption.recovery.keyCompromise.revokeExpiredCerts=false
-+op.enroll.delegateISEtoken.keyGen.encryption.recovery.terminated.revokeCert=true
-+op.enroll.delegateISEtoken.keyGen.encryption.recovery.terminated.revokeCert.reason=1
-+op.enroll.delegateISEtoken.keyGen.encryption.recovery.terminated.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.encryption.recovery.terminated.holdRevocationUntilLastCredential=false
-+op.enroll.delegateISEtoken.keyGen.encryption.recovery.terminated.revokeExpiredCerts=false
- op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.revokeCert=false
- op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.revokeCert.reason=6
- op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.holdRevocationUntilLastCredential=false
-+op.enroll.delegateISEtoken.keyGen.encryption.recovery.onHold.revokeExpiredCerts=false
- op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.archive=true
- op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.drm.conn=kra1
- op.enroll.delegateISEtoken.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
-@@ -618,12 +664,23 @@ op.enroll.delegateISEtoken.keyGen.signing.publicKeyNumber=3
- op.enroll.delegateISEtoken.keyGen.signing.recovery.destroyed.revokeCert=false
- op.enroll.delegateISEtoken.keyGen.signing.recovery.destroyed.revokeCert.reason=0
- op.enroll.delegateISEtoken.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.signing.recovery.destroyed.holdRevocationUntilLastCredential=false
-+op.enroll.delegateISEtoken.keyGen.signing.recovery.destroyed.revokeExpiredCerts=false
- op.enroll.delegateISEtoken.keyGen.signing.recovery.keyCompromise.revokeCert=false
- op.enroll.delegateISEtoken.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
- op.enroll.delegateISEtoken.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.signing.recovery.keyCompromise.holdRevocationUntilLastCredential=false
-+op.enroll.delegateISEtoken.keyGen.signing.recovery.keyCompromise.revokeExpiredCerts=false
-+op.enroll.delegateISEtoken.keyGen.signing.recovery.terminated.revokeCert=true
-+op.enroll.delegateISEtoken.keyGen.signing.recovery.terminated.revokeCert.reason=1
-+op.enroll.delegateISEtoken.keyGen.signing.recovery.terminated.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.signing.recovery.terminated.holdRevocationUntilLastCredential=false
-+op.enroll.delegateISEtoken.keyGen.signing.recovery.terminated.revokeExpiredCerts=false
- op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.revokeCert=false
- op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.revokeCert.reason=6
- op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.holdRevocationUntilLastCredential=false
-+op.enroll.delegateISEtoken.keyGen.signing.recovery.onHold.revokeExpiredCerts=false
- op.enroll.delegateISEtoken.keyGen.signing.serverKeygen.archive=false
- op.enroll.delegateISEtoken.keyGen.signing.serverKeygen.drm.conn=kra1
- op.enroll.delegateISEtoken.keyGen.signing.serverKeygen.enable=false
-@@ -743,11 +800,25 @@ op.enroll.externalRegAddToToken.keyGen.encryption.public.keyCapabilities.verify=
- op.enroll.externalRegAddToToken.keyGen.encryption.public.keyCapabilities.verifyRecover=false
- op.enroll.externalRegAddToToken.keyGen.encryption.public.keyCapabilities.wrap=true
- op.enroll.externalRegAddToToken.keyGen.encryption.recovery.destroyed.revokeCert=false
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.destroyed.scheme=GenerateNewKey
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential=false
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.destroyed.revokeExpiredCerts=false
- op.enroll.externalRegAddToToken.keyGen.encryption.recovery.keyCompromise.revokeCert=false
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.keyCompromise.holdRevocationUntilLastCredential=false
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.keyCompromise.revokeExpiredCerts=false
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.terminated.revokeCert=true
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.terminated.revokeCert.reason=1
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.terminated.scheme=GenerateNewKey
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.terminated.holdRevocationUntilLastCredential=false
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.terminated.revokeExpiredCerts=false
- op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.revokeCert=false
--op.enroll.externalRegAddToToken.keyGen.encryption.recovery.destroyed.revokeCert=false
--op.enroll.externalRegAddToToken.keyGen.encryption.recovery.keyCompromise.revokeCert=false
--op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.revokeCert=false
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.revokeCert.reason=6
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.holdRevocationUntilLastCredential=false
-+op.enroll.externalRegAddToToken.keyGen.encryption.recovery.onHold.revokeExpiredCerts=false
- op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.archive=true
- op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.drm.conn=kra1
- op.enroll.externalRegAddToToken.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
-@@ -835,12 +906,23 @@ op.enroll.soKey.keyGen.encryption.publicKeyNumber=5
- op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert=false
- op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
- op.enroll.soKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
-+op.enroll.soKey.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential=false
-+op.enroll.soKey.keyGen.encryption.recovery.destroyed.revokeExpiredCerts=false
- op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
- op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
- op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
-+op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.holdRevocationUntilLastCredential=false
-+op.enroll.soKey.keyGen.encryption.recovery.keyCompromise.revokeExpiredCerts=false
-+op.enroll.soKey.keyGen.encryption.recovery.terminated.revokeCert.reason=1
-+op.enroll.soKey.keyGen.encryption.recovery.terminated.revokeCert=true
-+op.enroll.soKey.keyGen.encryption.recovery.terminated.scheme=GenerateNewKey
-+op.enroll.soKey.keyGen.encryption.recovery.terminated.holdRevocationUntilLastCredential=false
-+op.enroll.soKey.keyGen.encryption.recovery.terminated.revokeExpiredCerts=false
- op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
- op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeCert=true
- op.enroll.soKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.soKey.keyGen.encryption.recovery.onHold.holdRevocationUntilLastCredential=false
-+op.enroll.soKey.keyGen.encryption.recovery.onHold.revokeExpiredCerts=false
- op.enroll.soKey.keyGen.encryption.serverKeygen.archive=true
- op.enroll.soKey.keyGen.encryption.serverKeygen.drm.conn=kra1
- op.enroll.soKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
-@@ -897,12 +979,23 @@ op.enroll.soKey.keyGen.signing.publicKeyNumber=3
- op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
- op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeCert=true
- op.enroll.soKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
-+op.enroll.soKey.keyGen.signing.recovery.destroyed.holdRevocationUntilLastCredential=false
-+op.enroll.soKey.keyGen.signing.recovery.destroyed.revokeExpiredCerts=false
- op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
- op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
- op.enroll.soKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
-+op.enroll.soKey.keyGen.signing.recovery.keyCompromise.holdRevocationUntilLastCredential=false
-+op.enroll.soKey.keyGen.signing.recovery.keyCompromise.revokeExpiredCerts=false
-+op.enroll.soKey.keyGen.signing.recovery.terminated.revokeCert.reason=1
-+op.enroll.soKey.keyGen.signing.recovery.terminated.revokeCert=true
-+op.enroll.soKey.keyGen.signing.recovery.terminated.scheme=GenerateNewKey
-+op.enroll.soKey.keyGen.signing.recovery.terminated.holdRevocationUntilLastCredential=false
-+op.enroll.soKey.keyGen.signing.recovery.terminated.revokeExpiredCerts=false
- op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
- op.enroll.soKey.keyGen.signing.recovery.onHold.revokeCert=true
- op.enroll.soKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.soKey.keyGen.signing.recovery.onHold.holdRevocationUntilLastCredential=false
-+op.enroll.soKey.keyGen.signing.recovery.onHold.revokeExpiredCerts=false
- op.enroll.soKey.keyGen.signing.serverKeygen.archive=false
- op.enroll.soKey.keyGen.signing.serverKeygen.drm.conn=kra1
- op.enroll.soKey.keyGen.signing.serverKeygen.enable=false
-@@ -1137,12 +1230,23 @@ op.enroll.userKey.keyGen.encryption.publicKeyNumber=5
- op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert=false
- op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeCert.reason=0
- op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast
-+op.enroll.userKey.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential=false
-+op.enroll.userKey.keyGen.encryption.recovery.destroyed.revokeExpiredCerts=false
- op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert.reason=1
- op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeCert=true
- op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey
-+op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.holdRevocationUntilLastCredential=false
-+op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.revokeExpiredCerts=false
-+op.enroll.userKey.keyGen.encryption.recovery.terminated.revokeCert.reason=1
-+op.enroll.userKey.keyGen.encryption.recovery.terminated.revokeCert=true
-+op.enroll.userKey.keyGen.encryption.recovery.terminated.scheme=GenerateNewKey
-+op.enroll.userKey.keyGen.encryption.recovery.terminated.holdRevocationUntilLastCredential=false
-+op.enroll.userKey.keyGen.encryption.recovery.terminated.revokeExpiredCerts=false
- op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert.reason=6
- op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeCert=true
- op.enroll.userKey.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.userKey.keyGen.encryption.recovery.onHold.holdRevocationUntilLastCredential=false
-+op.enroll.userKey.keyGen.encryption.recovery.onHold.revokeExpiredCerts=false
- op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
- op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=kra1
- op.enroll.userKey.keyGen.encryption.serverKeygen.enable=[SERVER_KEYGEN]
-@@ -1199,12 +1303,23 @@ op.enroll.userKey.keyGen.signing.publicKeyNumber=3
- op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
- op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
- op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
-+op.enroll.userKey.keyGen.signing.recovery.destroyed.holdRevocationUntilLastCredential=false
-+op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeExpiredCerts=false
- op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert.reason=1
- op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeCert=true
- op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
-+op.enroll.userKey.keyGen.signing.recovery.keyCompromise.holdRevocationUntilLastCredential=false
-+op.enroll.userKey.keyGen.signing.recovery.keyCompromise.revokeExpiredCerts=false
-+op.enroll.userKey.keyGen.signing.recovery.terminated.revokeCert.reason=1
-+op.enroll.userKey.keyGen.signing.recovery.terminated.revokeCert=true
-+op.enroll.userKey.keyGen.signing.recovery.terminated.scheme=GenerateNewKey
-+op.enroll.userKey.keyGen.signing.recovery.terminated.holdRevocationUntilLastCredential=false
-+op.enroll.userKey.keyGen.signing.recovery.terminated.revokeExpiredCerts=false
- op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert.reason=6
- op.enroll.userKey.keyGen.signing.recovery.onHold.revokeCert=true
- op.enroll.userKey.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
-+op.enroll.userKey.keyGen.signing.recovery.onHold.holdRevocationUntilLastCredential=false
-+op.enroll.userKey.keyGen.signing.recovery.onHold.revokeExpiredCerts=false
- op.enroll.userKey.keyGen.signing.serverKeygen.archive=false
- op.enroll.userKey.keyGen.signing.serverKeygen.drm.conn=kra1
- op.enroll.userKey.keyGen.signing.serverKeygen.enable=false
--- 
-2.5.5
-
-
-From e326cd2f06bd651cdd87646eea94622e18cec28d Mon Sep 17 00:00:00 2001
-From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
-Date: Fri, 24 Jun 2016 11:02:35 -0700
-Subject: Add ability to disallow TPS to enroll a single user on multiple
- tokens.
-
-This patch will install a check during the early portion of the enrollment
-process check a configurable policy whether or not a user should be allowed
-to have more that one active token.
-
-This check will take place only for brand new tokens not seen before.
-The check will prevent the enrollment to proceed and will exit before the system
-has a chance to add this new token to the TPS tokendb.
-
-The behavior will be configurable for the the external reg and not external reg scenarios
-as follows:
-
-tokendb.nonExternalReg.allowMultiActiveTokensUser=false
-tokendb.enroll.externalReg.allowMultiActiveTokensUser=false
----
- base/tps/shared/conf/CS.cfg                        |   3 +
- .../org/dogtagpki/server/tps/engine/TPSEngine.java |   3 +
- .../server/tps/processor/TPSEnrollProcessor.java   | 100 +++++++++++++++------
- 3 files changed, 80 insertions(+), 26 deletions(-)
-
-diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
-index 4f2b391..a8499a2 100644
---- a/base/tps/shared/conf/CS.cfg
-+++ b/base/tps/shared/conf/CS.cfg
-@@ -2169,6 +2169,9 @@ tokendb.ssl=false
- tokendb.templateDir=[PKI_INSTANCE_PATH]/docroot/tus
- tokendb.userBaseDN=[TOKENDB_ROOT]
- tokendb.userDeleteTemplate=userDelete.template
-+tokendb.nonExternalReg.allowMultiActiveTokensUser=false
-+tokendb.externalReg.allowMultiActiveTokensUser=false
-+
- tps._000=########################################
- tps._001=# For verifying system certificates
- tps._002=# tps.cert.list=sslserver,subsystem,audit_signing
-diff --git a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
-index a5fbc3b..93edfde 100644
---- a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java
-@@ -91,6 +91,7 @@ public class TPSEngine {
-     public static final String CFG_ERROR_PREFIX = "logging.error";
-     public static final String CFG_DEBUG_PREFIX = "logging.debug";
-     public static final String CFG_SELFTEST_PREFIX = "selftests.container.logger";
-+    public static final String CFG_TOKENDB = "tokendb";
-     public static final String CFG_TOKENDB_ALLOWED_TRANSITIONS = "tokendb.allowedTransitions";
-     public static final String CFG_OPERATIONS_ALLOWED_TRANSITIONS = "tps.operations.allowedTransitions";
- 
-@@ -153,6 +154,7 @@ public class TPSEngine {
- 
-     public static final String CFG_EXTERNAL_REG = "externalReg";
-     public static final String CFG_ER_DELEGATION = "delegation";
-+    public static final String CFG_NON_EXTERNAL_REG = "nonExternalReg";
- 
-     /* misc values */
- 
-@@ -192,6 +194,7 @@ public class TPSEngine {
-     public static final String ENROLL_MODE_ENROLLMENT = ENROLL_OP;
-     public static final String ENROLL_MODE_RECOVERY = RECOVERY_OP;
-     public static final String ERNOLL_MODE_RENEWAL = RENEWAL_OP;
-+    public static final String CFG_ALLOW_MULTI_TOKENS_USER = "allowMultiActiveTokensUser";
- 
-     public void init() {
-         //ToDo
-diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
-index 6240ea6..9d42546 100644
---- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
-@@ -14,6 +14,11 @@ import java.util.Map;
- import java.util.Random;
- import java.util.zip.DataFormatException;
- 
-+import netscape.security.provider.RSAPublicKey;
-+//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-+import netscape.security.util.BigInt;
-+import netscape.security.x509.X509CertImpl;
-+
- import org.dogtagpki.server.tps.TPSSession;
- import org.dogtagpki.server.tps.TPSSubsystem;
- import org.dogtagpki.server.tps.TPSTokenPolicy;
-@@ -53,6 +58,8 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
- import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
- import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
- 
-+import sun.security.pkcs11.wrapper.PKCS11Constants;
-+
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.EPropertyNotFound;
-@@ -60,12 +67,6 @@ import com.netscape.certsrv.base.IConfigStore;
- import com.netscape.certsrv.tps.token.TokenStatus;
- import com.netscape.cmsutil.util.Utils;
- 
--import netscape.security.provider.RSAPublicKey;
--//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
--import netscape.security.util.BigInt;
--import netscape.security.x509.X509CertImpl;
--import sun.security.pkcs11.wrapper.PKCS11Constants;
--
- public class TPSEnrollProcessor extends TPSProcessor {
- 
-     public TPSEnrollProcessor(TPSSession session) {
-@@ -329,6 +330,24 @@ public class TPSEnrollProcessor extends TPSProcessor {
-         if (!isExternalReg)
-             checkAndAuthenticateUser(appletInfo, getSelectedTokenType());
- 
-+        //Do this here after all authentication has taken place, so we have a (userid)
-+
-+        boolean allowMultiTokens = checkAllowMultiActiveTokensUser(isExternalReg);
-+
-+        if (isTokenPresent == false && allowMultiTokens == false) {
-+            boolean alreadyHasActiveToken = checkUserAlreadyHasActiveToken(userid);
-+
-+            if (alreadyHasActiveToken == true) {
-+                //We don't allow the user to have more than one active token, nip it in the bud right now
-+                //If this token is brand new and not known to the system
-+
-+                throw new TPSException(method
-+                        + " User already has an active token when trying to enroll this new token!",
-+                        TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN);
-+            }
-+
-+        }
-+
-         if (do_force_format) {
-             //We will skip the auth step inside of format
-             format(true);
-@@ -1030,22 +1049,9 @@ public class TPSEnrollProcessor extends TPSProcessor {
-                     } else {
-                         CMS.debug(method + ": There are multiple token entries for user "
-                                 + userid);
--                        try {
--                            // this is assuming that the user can only have one single active token
--                            // TODO: for future, maybe should allow multiple active tokens
--                            tps.tdb.tdbHasActiveToken(userid);
- 
--                        } catch (Exception e1) {
--                            /*
--                             * user has no active token, need to find a token to recover from
--                             * there are no other active tokens for this user
--                             */
-                             isRecover = true;
-                             continue; // TODO: or break?
--                        }
--                        logMsg = method + ": user already has an active token";
--                        CMS.debug(logMsg);
--                        throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN);
-                     }
- 
-                 } else if (tokenRecord.getTokenStatus() == TokenStatus.ACTIVE) {
-@@ -1070,17 +1076,10 @@ public class TPSEnrollProcessor extends TPSProcessor {
-                     throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_UNUSABLE_TOKEN_KEYCOMPROMISE);
- 
-                 } else if (tokenRecord.getTokenStatus() == TokenStatus.SUSPENDED) {
--                    try {
--                        tps.tdb.tdbHasActiveToken(userid);
--                        logMsg = "user already has an active token";
--                        CMS.debug(method + ": " + logMsg);
--                        throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_HAS_AT_LEAST_ONE_ACTIVE_TOKEN);
- 
--                    } catch (Exception e2) {
-                         logMsg = "User needs to contact administrator to report lost token (it should be put on Hold).";
-                         CMS.debug(method + ": " + logMsg);
-                         break;
--                    }
- 
-                 } else if (tokenRecord.getTokenStatus() == TokenStatus.DAMAGED) {
-                     logMsg = "This destroyed lost case should not be executed because the token is so damaged. It should not get here";
-@@ -3559,6 +3558,55 @@ public class TPSEnrollProcessor extends TPSProcessor {
-         audit(auditMessage);
-     }
- 
-+    private boolean checkUserAlreadyHasActiveToken(String userid) {
-+
-+        String method = "TPSEnrollProcessor.checkUserAlreadyHasActiveToken: ";
-+        boolean result = false;
-+
-+        TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
-+        try {
-+            tps.tdb.tdbHasActiveToken(userid);
-+            result = true;
-+
-+        } catch (Exception e) {
-+            result = false;
-+        }
-+
-+        CMS.debug(method + " user: " + userid + " has a token already: " + result);
-+
-+        return result;
-+    }
-+
-+    private boolean checkAllowMultiActiveTokensUser(boolean isExternalReg) {
-+        boolean allow = true;
-+
-+        String method = "TPSEnrollProcessor.checkAllowMultiActiveTokensUser: ";
-+        IConfigStore configStore = CMS.getConfigStore();
-+
-+        String scheme = null;
-+
-+        if (isExternalReg == true) {
-+            scheme = TPSEngine.CFG_EXTERNAL_REG;
-+        } else {
-+            scheme = TPSEngine.CFG_NON_EXTERNAL_REG;
-+        }
-+
-+        String allowMultiConfig =  TPSEngine.CFG_TOKENDB + "." + scheme + "."
-+                + TPSEngine.CFG_ALLOW_MULTI_TOKENS_USER;
-+
-+        CMS.debug(method + " trying config: " + allowMultiConfig);
-+
-+        try {
-+            allow = configStore.getBoolean(allowMultiConfig, false);
-+        } catch (EBaseException e) {
-+            allow = false;
-+        }
-+
-+        CMS.debug(method + "returning allow: " + allow);
-+
-+        return allow;
-+    }
-+
-     public static void main(String[] args) {
-     }
- 
--- 
-2.5.5
-
-
-From d86a514800483edf3310c4bde6c8b5bd56b074bc Mon Sep 17 00:00:00 2001
-From: Matthew Harmsen <mharmsen@redhat.com>
-Date: Wed, 29 Jun 2016 20:51:03 -0600
-Subject: Separate PKI Instances versus Shared PKI Instances
-
-- PKI TRAC Ticket #1607 - [MAN] man pkispawn has inadequate description for
-  shared vs non shared tomcat instance installation
----
- base/server/man/man8/pkispawn.8 | 360 +++++++++++++++++++++++++++++++++++-----
- 1 file changed, 318 insertions(+), 42 deletions(-)
-
-diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
-index fa601fc..3ad6fdb 100644
---- a/base/server/man/man8/pkispawn.8
-+++ b/base/server/man/man8/pkispawn.8
-@@ -92,6 +92,37 @@ Displays verbose information about the installation.  This flag can be provided
- .B pkispawn -h 
- for details.
- 
-+.SH SEPARATE VERSUS SHARED INSTANCES
-+.IP
-+.SS Separate PKI instances:
-+.BR
-+.PP
-+As described above, this version of Certificate System continues to support separate PKI instances for all subsystems.
-+.PP
-+Separate PKI instances run as a single Java-based Apache Tomcat instance, contain a single PKI subsystem (CA, KRA, OCSP, TKS, or TPS), and must utilize unique ports if co-located on the same physical machine or virtual machine (VM).
-+.PP
-+.SS Shared PKI instances:
-+.BR
-+.PP
-+Additionally, this version of Certificate System introduces the notion of a shared PKI instance.
-+.PP
-+Shared PKI instances also run as a single Java-based Apache Tomcat instance, but may contain any combination of up to one of each type of PKI subsystem:
-+.IP
-+.nf
-+CA
-+TKS
-+CA, KRA
-+CA, OCSP
-+TKS, TPS
-+CA, KRA, TKS, TPS
-+CA, KRA, OCSP, TKS, TPS
-+etc.
-+.fi
-+.PP
-+Shared PKI instances allow all of their subsystems contained within that instance to share the same ports, and must utilize unique ports if more than one shared PKI instance is co-located on the same physical machine or VM.
-+.PP
-+Semantically, a shared PKI instance that contains a single PKI subsystem is identical to a separate PKI instance.
-+
- .SH INTERACTIVE MODE
- .PP
- If no options are specified, pkispawn will provide an interactive menu to
-@@ -319,17 +350,46 @@ For all PKI subsystems including the CA, ECC is not supported for the correspond
- .SS Installing a KRA, OCSP, TKS, or TPS in a shared instance
- .BR
- .PP
--To install a KRA, OCSP, TKS, or TPS in the same instance used by the CA execute
-+For this example, assume that a new CA instance has been installed by
-+executing the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+# Optionally keep client databases
-+pki_client_database_purge=False
-+.if
- 
-+.PP
-+To install a shared KRA in the same instance used by the CA execute
- the following command:
--
- .IP
--\x'-1'\fBpkispawn \-s <subsystem> \-f myconfig.txt\fR
--
-+\x'-1'\fBpkispawn \-s KRA \-f myconfig.txt\fR
- .PP
--where subsystem is KRA, OCSP, TKS, or TPS, and \fImyconfig.txt\fP contains the
--following text:
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_database_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+pki_security_domain_password=\fISecret123\fP
-+.if
- 
-+.PP
-+To install a shared OCSP in the same instance used by the CA execute
-+the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s OCSP \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
- .IP
- .nf
- [DEFAULT]
-@@ -338,21 +398,74 @@ pki_client_database_password=\fISecret123\fP
- pki_client_pkcs12_password=\fISecret123\fP
- pki_ds_password=\fISecret123\fP
- pki_security_domain_password=\fISecret123\fP
--.fi
-+.if
- 
- .PP
--The \fBpki_security_domain_password\fP is the admin password of the CA
--installed in the same instance. This command should be run after a CA is
--installed. This installs another subsystem within the same instance using the
--certificate generated for the CA administrator for the subsystem's
--administrator. This allows a user to access both subsystems on the browser
--with a single administrator certificate. To access the new subsystem's
--functionality, simply point the browser to https://<hostname>:8443 and click
--the relevant top-level links.
-+To install a shared TKS in the same instance used by the CA execute
-+the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s TKS \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_database_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+pki_security_domain_password=\fISecret123\fP
-+.if
- 
- .PP
--To install TPS in a shared instance the following section must be added to
--\fImyconfig.txt\fP:
-+To install a shared TPS in the same instance used by the CA execute
-+the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s TPS \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_database_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+pki_security_domain_password=\fISecret123\fP
-+[TPS]
-+# Shared TPS instances optionally utilize their shared KRA
-+# for server-side keygen
-+pki_enable_server_side_keygen=True
-+pki_authdb_basedn=\fIdc=example,dc=com\fP
-+.if
-+
-+.TP
-+\fBNote:\fP
-+For this particular example, the computed default values for a
-+PKI instance name including its ports, URLs, machine names, etc.
-+were utilized as defined in \fI/etc/pki/default.cfg\fP.  Each
-+subsystem in this example will reside under the
-+\fI/var/lib/pki/pki-tomcat\fP instance housed within their own
-+\fIca\fP, \fIkra\fP, \fIocsp\fP, \fItks\fP, and \fItps\fP
-+subdirectories, utilizing the same default port values of
-+8080 (http), 8443 (https), 8009 (ajp), 8005 (tomcat), using the
-+same computed hostname and URL information, and sharing a single
-+common PKI Administrator Certificate.
-+
-+.PP
-+The \fBpki_security_domain_password\fP is the admin password of the
-+CA installed in the same instance. This command should be run after
-+a CA is installed. This installs another subsystem within the same
-+instance using the certificate generated for the CA administrator
-+for the subsystem's administrator. This allows a user to access
-+both subsystems on the browser with a single administrator
-+certificate. To access the new subsystem's functionality, simply
-+point the browser to https://<hostname>:8443 and click the
-+relevant top-level links.
-+
-+.PP
-+To install TPS in a shared instance the following section must be
-+added to \fImyconfig.txt\fP:
- 
- .IP
- .nf
-@@ -385,16 +498,110 @@ installed in the same instance.
- .SS Installing a KRA, OCSP, TKS, or TPS in a separate instance
- .BR
- .PP
--To install a KRA, OCSP, TKS, or TPS with a remote a CA execute the following
--command:
-+For this example, assume that a new CA instance has been installed by executing the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+# Optionally keep client databases
-+pki_client_database_purge=False
-+# Separated CA instance name and ports
-+pki_instance_name=\fIpki-ca\fP
-+pki_http_port=\fI18080\fP
-+pki_https_port=\fI18443\fP
-+# This Separated CA instance will be its own security domain
-+pki_security_domain_https_port=\fI18443\fP
-+[Tomcat]
-+# Separated CA Tomcat ports
-+pki_ajp_port=\fI18009\fP
-+pki_tomcat_server_port=\fI18005\fP
-+.if
- 
-+.PP
-+To install a separate KRA which connects to this remote CA execute
-+the following command:
- .IP
--\x'-1'\fBpkispawn \-s <subsystem> \-f myconfig.txt\fR
-+\x'-1'\fBpkispawn \-s KRA \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_database_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+pki_security_domain_password=\fISecret123\fP
-+# Optionally keep client databases
-+pki_client_database_purge=False
-+# Separated KRA instance name and ports
-+pki_instance_name=\fIpki-kra\fP
-+pki_http_port=\fI28080\fP
-+pki_https_port=\fI28443\fP
-+# Separated KRA instance security domain references
-+pki_issuing_ca=\fIhttps://pki.example.com:18443\fP
-+pki_security_domain_hostname=\fIpki.example.com\fP
-+pki_security_domain_https_port=\fI18443\fP
-+pki_security_domain_user=caadmin
-+[Tomcat]
-+# Separated KRA Tomcat ports
-+pki_ajp_port=\fI28009\fP
-+pki_tomcat_server_port=\fI28005\fP
-+[KRA]
-+# A Separated KRA instance requires its own
-+# PKI Administrator Certificate
-+pki_import_admin_cert=False
-+.if
- 
- .PP
--where subsystem is KRA, OCSP, TKS, or TPS, and \fImyconfig.txt\fP contains the
--following text:
-+To install a separate OCSP which connects to this remote CA execute
-+the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s OCSP \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_database_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+pki_security_domain_password=\fISecret123\fP
-+# Optionally keep client databases
-+pki_client_database_purge=False
-+# Separated OCSP instance name and ports
-+pki_instance_name=\fIpki-ocsp\fP
-+pki_http_port=\fI29080\fP
-+pki_https_port=\fI29443\fP
-+# Separated OCSP instance security domain references
-+pki_issuing_ca=\fIhttps://pki.example.com:18443\fP
-+pki_security_domain_hostname=\fIpki.example.com\fP
-+pki_security_domain_https_port=\fI18443\fP
-+pki_security_domain_user=caadmin
-+[Tomcat]
-+# Separated OCSP Tomcat ports
-+pki_ajp_port=\fI29009\fP
-+pki_tomcat_server_port=\fI29005\fP
-+[OCSP]
-+# A Separated OCSP instance requires its own
-+# PKI Administrator Certificate
-+pki_import_admin_cert=False
-+.if
- 
-+.PP
-+To install a separate TKS which connects to this remote CA execute
-+the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s TKS \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
- .IP
- .nf
- [DEFAULT]
-@@ -403,37 +610,106 @@ pki_client_database_password=\fISecret123\fP
- pki_client_pkcs12_password=\fISecret123\fP
- pki_ds_password=\fISecret123\fP
- pki_security_domain_password=\fISecret123\fP
--pki_security_domain_hostname=<ca_hostname>
--pki_security_domain_https_port=<ca_https_port>
-+# Optionally keep client databases
-+pki_client_database_purge=False
-+# Separated TKS instance name and ports
-+pki_instance_name=\fIpki-tks\fP
-+pki_http_port=\fI30080\fP
-+pki_https_port=\fI30443\fP
-+# Separated TKS instance security domain references
-+pki_issuing_ca=\fIhttps://pki.example.com:18443\fP
-+pki_security_domain_hostname=\fIpki.example.com\fP
-+pki_security_domain_https_port=\fI18443\fP
- pki_security_domain_user=caadmin
--pki_issuing_ca=https://<ca_hostname>:<ca_https_port>
-+[Tomcat]
-+# Separated TKS Tomcat ports
-+pki_ajp_port=\fI30009\fP
-+pki_tomcat_server_port=\fI30005\fP
-+[TKS]
-+# A Separated TKS instance requires its own
-+# PKI Administrator Certificate
-+pki_import_admin_cert=False
-+.if
- 
--[KRA/OCSP/TKS/TPS]
-+.PP
-+To install a separate TPS which connects to this remote CA execute
-+the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s TPS \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_database_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+pki_security_domain_password=\fISecret123\fP
-+# Optionally keep client databases
-+pki_client_database_purge=False
-+# Separated TPS instance name and ports
-+pki_instance_name=\fIpki-tps\fP
-+pki_http_port=\fI31080\fP
-+pki_https_port=\fI31443\fP
-+# Separated TPS instance security domain references
-+pki_issuing_ca=\fIhttps://pki.example.com:18443\fP
-+pki_security_domain_hostname=\fIpki.example.com\fP
-+pki_security_domain_https_port=\fI18443\fP
-+pki_security_domain_user=caadmin
-+[Tomcat]
-+# Separated TPS Tomcat ports
-+pki_ajp_port=\fI31009\fP
-+pki_tomcat_server_port=\fI31005\fP
-+[TPS]
-+# Separated TPS instances require specifying a remote CA
-+pki_ca_uri=\fIhttps://pki.example.com:18443\fP
-+# Separated TPS instances optionally utilize a remote KRA
-+# for server-side keygen
-+pki_kra_uri=\fIhttps://pki.example.com:28443\fP
-+pki_enable_server_side_keygen=True
-+pki_authdb_basedn=\fIdc=example,dc=com\fP
-+# Separated TPS instances require specifying a remote TKS
-+pki_tks_uri=\fIhttps://pki.example.com:30443\fP
-+pki_import_shared_secret=True
-+# A Separated TPS instance requires its own
-+# PKI Administrator Certificate
- pki_import_admin_cert=False
--.fi
-+.if
-+
-+.TP
-+\fBNote:\fP
-+For this particular example, besides passwords, sample
-+values were also utilized for PKI instance names, ports,
-+URLs, machine names, etc.  Under no circumstances should
-+these demonstrative values be construed to be required
-+literal values.
- 
- .PP
--A remote CA is one where the CA resides in another Certificate Server instance,
--either on the local machine or a remote machine.  In this case,
--\fImyconfig.txt\fP must specify the connection information for the remote CA
--and the information about the security domain (the trusted collection of
--subsystems within an instance).
-+A remote CA is one where the CA resides in another
-+Certificate Server instance, either on the local machine
-+or a remote machine.  In this case, \fImyconfig.txt\fP must
-+specify the connection information for the remote CA and the
-+information about the security domain (the trusted collection
-+of subsystems within an instance).
- 
- .PP
--The subsystem section is [KRA], [OCSP], [TKS], or [TPS].  This example assumes
--that the specified CA hosts the security domain.  The CA must be running and
--accessible.
-+The subsystem section is [KRA], [OCSP], [TKS], or [TPS].
-+This example assumes that the specified CA hosts the security
-+domain.  The CA must be running and accessible.
- 
- .PP 
--A new administrator certificate is generated for the new subsystem and stored
--in a PKCS #12 file in \fI$HOME/.dogtag/pki-tomcat\fP.
-+A new administrator certificate is generated for the new
-+subsystem and stored in a PKCS #12 file
-+in \fI$HOME/.dogtag/<pki_instance_name>\fP.
- 
- .PP
--As in a shared instance, to install TPS in a separate instance the
--authentication database must be specified in the [TPS] section, and optionally
--the server-side key generation can be enabled. If the CA, KRA, or TKS
--subsystems required by TPS are running on a remote instance the following
--parameters must be added into the [TPS] section to specify their locations:
-+As in a shared instance, to install TPS in a separate instance
-+the authentication database must be specified in the [TPS] section,
-+and optionally the server-side key generation can be enabled.
-+If the CA, KRA, or TKS subsystems required by TPS are running
-+on a remote instance the following parameters must be added into
-+the [TPS] section to specify their locations:
- 
- .IP
- .nf
--- 
-2.5.5
-
-
-From f0ad71e8a4fbae665a6b4875cce5b82895ad74f0 Mon Sep 17 00:00:00 2001
-From: Christina Fu <cfu@redhat.com>
-Date: Thu, 30 Jun 2016 15:01:42 -0700
-Subject: Bugzilla #1203407 tomcatjss: missing ciphers
-
-This patch removes references to the ciphers currently unsupported by NSS:
-    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
-    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
----
- base/server/python/pki/server/deployment/pkiparser.py     | 3 ---
- base/server/share/conf/ciphers.info                       | 4 ++--
- base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 4 ----
- 3 files changed, 2 insertions(+), 9 deletions(-)
-
-diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
-index dc5d7f6..d940e2c 100644
---- a/base/server/python/pki/server/deployment/pkiparser.py
-+++ b/base/server/python/pki/server/deployment/pkiparser.py
-@@ -971,7 +971,6 @@ class PKIConfigParser:
-                     "-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
-                     "-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
-                     "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
--                    "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," + \
-                     "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
-                     "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
-                     "-TLS_RSA_WITH_AES_128_CBC_SHA," + \
-@@ -1006,8 +1005,6 @@ class PKIConfigParser:
-                     "-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \
-                     "-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \
-                     "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \
--                    "-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," + \
--                    "-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," +\
-                     "-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
-                     "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
-                     "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
-diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info
-index 69aaeaa..71face5 100644
---- a/base/server/share/conf/ciphers.info
-+++ b/base/server/share/conf/ciphers.info
-@@ -67,8 +67,8 @@
- #
- ##
- # For RSA servers:
--           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
-+           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
- #
- #
- # For ECC servers:
--           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
-+           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
-diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-index 979b047..4a2558b 100644
---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-@@ -879,12 +879,8 @@ public class CryptoUtil {
-                 SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256);
-         cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-                 SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
--        cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
--                SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
-         cipherMap.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-                 SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
--        cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
--                SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256);
- 
-     }
- 
--- 
-2.5.5
-
-
-From 097e116c8557e7bee170bc2764c2e000bd49d4c9 Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Wed, 29 Jun 2016 14:44:45 +0530
-Subject: Added condition to verify instance id in db-schema-upgrade
-
-Fixes : https://bugzilla.redhat.com/show_bug.cgi?id=1351096
----
- base/server/python/pki/server/cli/db.py | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py
-index c643182..5915417 100644
---- a/base/server/python/pki/server/cli/db.py
-+++ b/base/server/python/pki/server/cli/db.py
-@@ -95,7 +95,11 @@ class DBSchemaUpgrade(pki.cli.CLI):
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print("ERROR: Instance name '%s' not found" % instance)
-+            sys.exit(1)
-         instance.load()
-+
-         self.update_schema(instance, bind_dn, bind_password)
- 
-         self.print_message('Upgrade complete')
--- 
-2.5.5
-
-
-From 1913ff38f04dd27641f23cb76b13cb4806720946 Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Wed, 29 Jun 2016 18:06:12 +0530
-Subject: Added fix for checking ldapmodify return code in db-schema-upgrade
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1349769
----
- base/server/python/pki/server/cli/db.py | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py
-index 5915417..6555e40 100644
---- a/base/server/python/pki/server/cli/db.py
-+++ b/base/server/python/pki/server/cli/db.py
-@@ -100,7 +100,12 @@ class DBSchemaUpgrade(pki.cli.CLI):
-             sys.exit(1)
-         instance.load()
- 
--        self.update_schema(instance, bind_dn, bind_password)
-+        try:
-+            self.update_schema(instance, bind_dn, bind_password)
-+
-+        except subprocess.CalledProcessError as e:
-+            print("ERROR: " + e.output)
-+            sys.exit(e.returncode)
- 
-         self.print_message('Upgrade complete')
- 
-@@ -122,10 +127,7 @@ class DBSchemaUpgrade(pki.cli.CLI):
-         if secure.lower() == "true":
-             cmd.append('-Z')
- 
--        try:
--            subprocess.check_output(cmd)
--        except subprocess.CalledProcessError as e:
--            print('ldapmodify returns {}: {}'.format(e.returncode, e.output))
-+        subprocess.check_output(cmd, stderr=subprocess.STDOUT)
- 
- 
- class DBUpgrade(pki.cli.CLI):
--- 
-2.5.5
-
-
-From 99a93af1ca5cce26d625ce7cee07dab4a890f1be Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Thu, 30 Jun 2016 15:18:24 +0530
-Subject: Added condition for checking instance id in kra commands
-
-Partially Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
----
- base/java-tools/bin/pki                   |  5 ++---
- base/server/python/pki/server/__init__.py |  2 +-
- base/server/python/pki/server/cli/kra.py  | 23 +++++++++++++++++++++--
- base/server/sbin/pki-server               | 13 ++++++++++++-
- 4 files changed, 36 insertions(+), 7 deletions(-)
-
-diff --git a/base/java-tools/bin/pki b/base/java-tools/bin/pki
-index c917083..6104a5f 100644
---- a/base/java-tools/bin/pki
-+++ b/base/java-tools/bin/pki
-@@ -261,7 +261,6 @@ if __name__ == '__main__':
- 
-     except subprocess.CalledProcessError as e:
-         if cli.verbose:
--            print('ERROR: %s' % e)
--        elif cli.debug:
-             traceback.print_exc()
--        exit(e.returncode)
-+        print('ERROR: %s' % e)
-+        sys.exit(e.returncode)
-diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
-index 454408f..87303cd 100644
---- a/base/server/python/pki/server/__init__.py
-+++ b/base/server/python/pki/server/__init__.py
-@@ -562,7 +562,7 @@ class PKIInstance(object):
-     def get_token_password(self, token='internal'):
- 
-         # determine the password name for the token
--        if token.lower() in ['internal', 'internal key storage token']:
-+        if not token or token.lower() in ['internal', 'internal key storage token']:
-             name = 'internal'
- 
-         else:
-diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
-index b4f0df4..676d1f5 100644
---- a/base/server/python/pki/server/cli/kra.py
-+++ b/base/server/python/pki/server/cli/kra.py
-@@ -132,9 +132,15 @@ class KRAClonePrepareCLI(pki.cli.CLI):
-             sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-         instance.load()
- 
-         subsystem = instance.get_subsystem('kra')
-+        if not subsystem:
-+            print('ERROR: No KRA subsystem in instance %s.' % instance_name)
-+            sys.exit(1)
- 
-         tmpdir = tempfile.mkdtemp()
- 
-@@ -151,6 +157,7 @@ class KRAClonePrepareCLI(pki.cli.CLI):
-                 'storage', pkcs12_file, pkcs12_password_file)
-             subsystem.export_system_cert(
-                 'audit_signing', pkcs12_file, pkcs12_password_file)
-+
-             instance.export_external_certs(pkcs12_file, pkcs12_password_file)
- 
-         finally:
-@@ -235,12 +242,15 @@ class KRADBVLVFindCLI(pki.cli.CLI):
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-         instance.load()
- 
-         subsystem = instance.get_subsystem('kra')
--
-         if not subsystem:
--            raise Exception('Subsystem not found')
-+            print('ERROR: No KRA subsystem in instance %s.' % instance_name)
-+            sys.exit(1)
- 
-         self.find_vlv(subsystem, bind_dn, bind_password)
- 
-@@ -347,6 +357,9 @@ class KRADBVLVAddCLI(pki.cli.CLI):
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-         instance.load()
-         self.add_vlv(instance, bind_dn, bind_password)
- 
-@@ -442,6 +455,9 @@ class KRADBVLVDeleteCLI(pki.cli.CLI):
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-         instance.load()
-         self.delete_vlv(instance, bind_dn, bind_password)
- 
-@@ -557,6 +573,9 @@ class KRADBVLVReindexCLI(pki.cli.CLI):
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-         instance.load()
-         self.reindex_vlv(instance, bind_dn, bind_password)
- 
-diff --git a/base/server/sbin/pki-server b/base/server/sbin/pki-server
-index cd00de0..cea62b7 100644
---- a/base/server/sbin/pki-server
-+++ b/base/server/sbin/pki-server
-@@ -22,7 +22,9 @@
- from __future__ import absolute_import
- from __future__ import print_function
- import getopt
-+import subprocess
- import sys
-+import traceback
- 
- import pki.cli
- import pki.server.cli.ca
-@@ -103,5 +105,14 @@ class PKIServerCLI(pki.cli.CLI):
- 
- 
- if __name__ == '__main__':
-+
-     cli = PKIServerCLI()
--    cli.execute(sys.argv)
-+
-+    try:
-+        cli.execute(sys.argv)
-+
-+    except subprocess.CalledProcessError as e:
-+        if cli.verbose:
-+            traceback.print_exc()
-+        print('ERROR: %s' % e)
-+        sys.exit(e.returncode)
--- 
-2.5.5
-
-
-From 8e40b74dc5d314912c65722b4284cab0ffbffbcc Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Thu, 30 Jun 2016 16:53:36 +0530
-Subject: Updated notification message for kra-db-vlv-del command
-
-Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
----
- base/server/python/pki/server/cli/kra.py | 28 ++++++++++++++++------------
- 1 file changed, 16 insertions(+), 12 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
-index 676d1f5..17611a8 100644
---- a/base/server/python/pki/server/cli/kra.py
-+++ b/base/server/python/pki/server/cli/kra.py
-@@ -455,28 +455,34 @@ class KRADBVLVDeleteCLI(pki.cli.CLI):
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-         if not instance.is_valid():
-             print('ERROR: Invalid instance %s.' % instance_name)
-             sys.exit(1)
-+
-         instance.load()
--        self.delete_vlv(instance, bind_dn, bind_password)
- 
--    def delete_vlv(self, instance, bind_dn, bind_password):
-         subsystem = instance.get_subsystem('kra')
-+
-         if not subsystem:
--            if self.verbose:
--                print('modify_kra_vlv: No KRA subsystem available.  '
--                      'Skipping ...')
--                return
-+            print('ERROR: No KRA subsystem in instance %s.' % instance_name)
-+            sys.exit(1)
-+
-+        self.delete_vlv(subsystem, bind_dn, bind_password)
-+
-+        print('KRA VLVs deleted from the database for ' + instance_name)
-+
-+    def delete_vlv(self, subsystem, bind_dn, bind_password):
-+
-         database = subsystem.config['internaldb.database']
- 
-         if self.out_file:
-             with open(self.out_file, "w") as f:
-                 for vlv in KRA_VLVS:
--                    dn = ("cn=" + vlv + '-' + instance.name +
-+                    dn = ("cn=" + vlv + '-' + subsystem.instance.name +
-                           ',cn=' + database +
-                           ',cn=ldbm database, cn=plugins, cn=config')
--                    index_dn = ("cn=" + vlv + '-' + instance.name +
-+                    index_dn = ("cn=" + vlv + '-' + subsystem.instance.name +
-                                 "Index," + dn)
-                     f.write('dn: ' + index_dn + '\n')
-                     f.write('changetype: delete' + '\n')
-@@ -491,9 +497,9 @@ class KRADBVLVDeleteCLI(pki.cli.CLI):
-                                        bind_password=bind_password)
-         try:
-             for vlv in KRA_VLVS:
--                dn = ("cn=" + vlv + '-' + instance.name + ',cn=' + database +
-+                dn = ("cn=" + vlv + '-' + subsystem.instance.name + ',cn=' + database +
-                       ',cn=ldbm database, cn=plugins, cn=config')
--                index_dn = "cn=" + vlv + '-' + instance.name + "Index," + dn
-+                index_dn = "cn=" + vlv + '-' + subsystem.instance.name + "Index," + dn
- 
-                 try:
-                     conn.ldap.delete_s(index_dn)
-@@ -508,8 +514,6 @@ class KRADBVLVDeleteCLI(pki.cli.CLI):
-         finally:
-             conn.close()
- 
--        print('KRA VLVs deleted from the database for ' + instance.name)
--
- 
- class KRADBVLVReindexCLI(pki.cli.CLI):
- 
--- 
-2.5.5
-
-
-From c7f9e6c4e0711dfafc81d201dcfadee3e0efa335 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Fri, 1 Jul 2016 10:25:15 +1000
-Subject: Respond 400 if lightweight CA cert issuance fails
-
-If certificate issuance fails during lightweight CA creation (e.g.
-due to a profile constraint violation such as Subject DN not
-matching pattern) the API responds with status 500.
-
-Raise BadRequestDataException if cert issuance fails in a way that
-indicates bad or invalid CSR data, and catch it to respond with
-status 400.
-
-Also do some drive-by exception chaining.
-
-Fixes: https://fedorahosted.org/pki/ticket/2388
----
- base/ca/src/com/netscape/ca/CertificateAuthority.java  | 18 +++++++++++++++---
- .../org/dogtagpki/server/ca/rest/AuthorityService.java |  3 ++-
- 2 files changed, 17 insertions(+), 4 deletions(-)
-
-diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-index e501380..502ab18 100644
---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
-+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-@@ -74,6 +74,7 @@ import org.mozilla.jss.pkix.primitive.Name;
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.authentication.IAuthToken;
- import com.netscape.certsrv.authority.ICertAuthority;
-+import com.netscape.certsrv.base.BadRequestDataException;
- import com.netscape.certsrv.base.EBaseException;
- import com.netscape.certsrv.base.EPropertyNotFound;
- import com.netscape.certsrv.base.IConfigStore;
-@@ -2680,8 +2681,16 @@ public class CertificateAuthority
-             if (result != null && !result.equals(IRequest.RES_SUCCESS))
-                 throw new EBaseException("createSubCA: certificate request submission resulted in error: " + result);
-             RequestStatus requestStatus = request.getRequestStatus();
--            if (requestStatus != RequestStatus.COMPLETE)
--                throw new EBaseException("createSubCA: certificate request did not complete; status: " + requestStatus);
-+            if (requestStatus != RequestStatus.COMPLETE) {
-+                // The request did not complete.  Inference: something
-+                // incorrect in the request (e.g. profile constraint
-+                // violated).
-+                String msg = "Failed to issue CA certificate. Final status: " + requestStatus + ".";
-+                String errorMsg = request.getExtDataInString(IRequest.ERROR);
-+                if (errorMsg != null)
-+                    msg += " Additional info: " + errorMsg;
-+                throw new BadRequestDataException(msg);
-+            }
- 
-             // Add certificate to nssdb
-             cert = request.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
-@@ -2697,7 +2706,10 @@ public class CertificateAuthority
-                 // log this error.
-                 CMS.debug("Error deleting new authority entry after failure during certificate generation: " + e2);
-             }
--            throw new ECAException("Error creating lightweight CA certificate: " + e);
-+            if (e instanceof BadRequestDataException)
-+                throw (BadRequestDataException) e;  // re-throw
-+            else
-+                throw new ECAException("Error creating lightweight CA certificate: " + e, e);
-         }
- 
-         CertificateAuthority ca = new CertificateAuthority(
-diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
-index 5ecabac..7bca10f 100644
---- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
-+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
-@@ -38,6 +38,7 @@ import javax.ws.rs.core.UriInfo;
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.authority.AuthorityData;
- import com.netscape.certsrv.authority.AuthorityResource;
-+import com.netscape.certsrv.base.BadRequestDataException;
- import com.netscape.certsrv.base.BadRequestException;
- import com.netscape.certsrv.base.ConflictingOperationException;
- import com.netscape.certsrv.base.EBaseException;
-@@ -207,7 +208,7 @@ public class AuthorityService extends PKIService implements AuthorityResource {
-             audit(ILogger.SUCCESS, OpDef.OP_ADD,
-                     subCA.getAuthorityID().toString(), auditParams);
-             return createOKResponse(readAuthorityData(subCA));
--        } catch (IllegalArgumentException e) {
-+        } catch (IllegalArgumentException | BadRequestDataException e) {
-             throw new BadRequestException(e.toString());
-         } catch (CANotFoundException e) {
-             throw new ResourceNotFoundException(e.toString());
--- 
-2.5.5
-
-
-From ca8edcd504ab81dbc30547c3c59a51fe98ff21cf Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Mon, 27 Jun 2016 15:04:44 +1000
-Subject: AuthInfoAccess: use default OCSP URI if configured
-
-The AuthInfoAccessExtDefault profile component constructs an OCSP
-URI based on the current host and port, if no URI is explicitly
-configured in the profile.
-
-Update the component to look in CS.cfg for the "ca.defaultOcspUri"
-config, and use its value if present.  If not present, the old
-behaviour prevails.
-
-Also add the 'pki_default_ocsp_uri' pkispawn config to add the
-config during instance creation, so that the value will be used for
-the CA and system certificates.
-
-Fixes: https://fedorahosted.org/pki/ticket/2387
----
- .../src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java   | 5 +++--
- base/server/etc/default.cfg                                          | 5 +++++
- base/server/python/pki/server/deployment/scriptlets/configuration.py | 5 +++++
- 3 files changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java
-index 36818a9..1190f28 100644
---- a/base/server/cms/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthInfoAccessExtDefault.java
-@@ -430,9 +430,10 @@ public class AuthInfoAccessExtDefault extends EnrollExtDefault {
-                         if (method.equals("1.3.6.1.5.5.7.48.1")) {
-                             String hostname = CMS.getEENonSSLHost();
-                             String port = CMS.getEENonSSLPort();
-+                            String uri = "";
-                             if (hostname != null && port != null)
--                                // location = "http://"+hostname+":"+port+"/ocsp/ee/ocsp";
--                                location = "http://" + hostname + ":" + port + "/ca/ocsp";
-+                                uri = "http://" + hostname + ":" + port + "/ca/ocsp";
-+                            location = CMS.getConfigStore().getString("ca.defaultOcspUri", uri);
-                         }
-                     }
- 
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index aa97e1f..edd2632 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -417,6 +417,11 @@ pki_ds_hostname=%(pki_hostname)s
- pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
- pki_share_db=False
- 
-+# Default OCSP URI added by AuthInfoAccessExtDefault if the profile
-+# config is blank.  If both are blank, the value is constructed
-+# based on the CMS hostname and port.
-+pki_default_ocsp_uri=
-+
- # Paths
- # These are used in the processing of pkispawn and are not supposed
- # to be overwritten by user configuration files.
-diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
-index b8505dd..64ee4e5 100644
---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
-+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
-@@ -87,6 +87,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-         subsystem = instance.get_subsystem(
-             deployer.mdict['pki_subsystem'].lower())
- 
-+        ocsp_uri = deployer.mdict.get('pki_default_ocsp_uri')
-+        if ocsp_uri:
-+            subsystem.config['ca.defaultOcspUri'] = ocsp_uri
-+            subsystem.save()
-+
-         token = deployer.mdict['pki_token_name']
-         nssdb = instance.open_nssdb(token)
- 
--- 
-2.5.5
-
-
-From 2dea243d51765e3a8f01f7680592143c842921ce Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Wed, 22 Jun 2016 13:34:01 +1000
-Subject: Add profiles container to LDAP if missing
-
-CMS startup was changed a while back to wait for
-LDAPProfileSubsystem initialisation, while LDAPProfileSubsystem
-initialisation waits for all known profiles to be loaded by the LDAP
-persistent search thread.  If the ou=certificateProfiles container
-object does not exist, startup hangs.
-
-This can cause a race condition in FreeIPA upgrade.  FreeIPA
-switches the Dogtag instance to the LDAPProfileSubsystem and
-restarts it.  The restart fails because the container object does
-not get added until after the restart.
-
-Update LDAPProfileSubsystem to add the container object itself, if
-it is missing, before commencing the persistent search.
-
-Fixes: https://fedorahosted.org/pki/ticket/2285
----
- .../cmscore/profile/LDAPProfileSubsystem.java         | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
-index 28b34cd..6dea1a0 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
-@@ -27,6 +27,7 @@ import java.util.TreeSet;
- import java.util.concurrent.CountDownLatch;
- 
- import netscape.ldap.LDAPAttribute;
-+import netscape.ldap.LDAPAttributeSet;
- import netscape.ldap.LDAPConnection;
- import netscape.ldap.LDAPDN;
- import netscape.ldap.LDAPEntry;
-@@ -400,6 +401,23 @@ public class LDAPProfileSubsystem
-             initialLoadDone.countDown();
-     }
- 
-+    private void ensureProfilesOU(LDAPConnection conn) throws LDAPException {
-+        try {
-+            conn.search(dn, LDAPConnection.SCOPE_BASE, "(objectclass=*)", null, false);
-+        } catch (LDAPException e) {
-+            if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) {
-+                CMS.debug("Adding LDAP certificate profiles container");
-+                LDAPAttribute[] attrs = {
-+                    new LDAPAttribute("objectClass", "organizationalUnit"),
-+                    new LDAPAttribute("ou", "certificateProfiles")
-+                };
-+                LDAPAttributeSet attrSet = new LDAPAttributeSet(attrs);
-+                LDAPEntry entry = new LDAPEntry(dn, attrSet);
-+                conn.add(entry);
-+            }
-+        }
-+    }
-+
-     public void run() {
-         int op = LDAPPersistSearchControl.ADD
-             | LDAPPersistSearchControl.MODIFY
-@@ -416,6 +434,7 @@ public class LDAPProfileSubsystem
-             forgetAllProfiles();
-             try {
-                 conn = dbFactory.getConn();
-+                ensureProfilesOU(conn);
-                 LDAPSearchConstraints cons = conn.getSearchConstraints();
-                 cons.setServerControls(persistCtrl);
-                 cons.setBatchSize(1);
--- 
-2.5.5
-
-
-From 943e8231fc77ed0ccb6ed34b71817a6d3927d3e5 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Fri, 1 Jul 2016 03:54:58 +0200
-Subject: Removed excessive error message in pki CLI.
-
-A recent change in the pki CLI caused excessive error message in
-normal usage. The change has been reverted.
-
-https://fedorahosted.org/pki/ticket/2390
----
- base/java-tools/bin/pki | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/base/java-tools/bin/pki b/base/java-tools/bin/pki
-index 6104a5f..c1ba34e 100644
---- a/base/java-tools/bin/pki
-+++ b/base/java-tools/bin/pki
-@@ -261,6 +261,7 @@ if __name__ == '__main__':
- 
-     except subprocess.CalledProcessError as e:
-         if cli.verbose:
-+            print('ERROR: %s' % e)
-+        elif cli.debug:
-             traceback.print_exc()
--        print('ERROR: %s' % e)
-         sys.exit(e.returncode)
--- 
-2.5.5
-
-
-From 67bbdc5edd1404f89e638037599b4231f50490f8 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 29 Jun 2016 17:13:20 +0200
-Subject: Fixed pki-server subsystem-cert-update.
-
-The pki-server subsystem-cert-update is supposed to restore the
-system certificate data and requests into CS.cfg. The command was
-broken since the CASubsystem class that contains the code to find
-the certificate requests from database was not loaded correctly.
-To fix the problem the CASubsystem class has been moved into the
-pki/server/__init__.py.
-
-All pki-server subsystem-* commands have been modified to check
-the validity of the instance.
-
-An option has been added to the pki-server subsystem-cert-show
-command to display the data and request of a particular system
-certificate.
-
-The redundant output of the pki-server subsystem-cert-update has
-been removed. The updated certificate data and request can be
-obtained using the pki-server subsystem-cert-show command.
-
-https://fedorahosted.org/pki/ticket/2385
----
- base/server/python/pki/server/__init__.py      | 67 +++++++++++++++++++
- base/server/python/pki/server/ca.py            | 91 --------------------------
- base/server/python/pki/server/cli/subsystem.py | 58 ++++++++++++++--
- 3 files changed, 120 insertions(+), 96 deletions(-)
- delete mode 100644 base/server/python/pki/server/ca.py
-
-diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
-index 87303cd..03bb225 100644
---- a/base/server/python/pki/server/__init__.py
-+++ b/base/server/python/pki/server/__init__.py
-@@ -25,6 +25,7 @@ import getpass
- import grp
- import io
- import ldap
-+import ldap.filter
- import operator
- import os
- import pwd
-@@ -389,6 +390,72 @@ class PKISubsystem(object):
-         return str(self.instance) + '/' + self.name
- 
- 
-+class CASubsystem(PKISubsystem):
-+
-+    def __init__(self, instance):
-+        super(CASubsystem, self).__init__(instance, 'ca')
-+
-+    def find_cert_requests(self, cert=None):
-+
-+        base_dn = self.config['internaldb.basedn']
-+
-+        if cert:
-+            escaped_value = ldap.filter.escape_filter_chars(cert)
-+            search_filter = '(extdata-req--005fissued--005fcert=%s)' % escaped_value
-+
-+        else:
-+            search_filter = '(objectClass=*)'
-+
-+        con = self.open_database()
-+
-+        entries = con.ldap.search_s(
-+            'ou=ca,ou=requests,%s' % base_dn,
-+            ldap.SCOPE_ONELEVEL,
-+            search_filter,
-+            None)
-+
-+        con.close()
-+
-+        requests = []
-+        for entry in entries:
-+            requests.append(self.create_request_object(entry))
-+
-+        return requests
-+
-+    def get_cert_requests(self, request_id):
-+
-+        base_dn = self.config['internaldb.basedn']
-+
-+        con = self.open_database()
-+
-+        entries = con.ldap.search_s(
-+            'cn=%s,ou=ca,ou=requests,%s' % (request_id, base_dn),
-+            ldap.SCOPE_BASE,
-+            '(objectClass=*)',
-+            None)
-+
-+        con.close()
-+
-+        entry = entries[0]
-+        return self.create_request_object(entry)
-+
-+    def create_request_object(self, entry):
-+
-+        attrs = entry[1]
-+
-+        request = {}
-+        request['id'] = attrs['cn'][0]
-+        request['type'] = attrs['requestType'][0]
-+        request['status'] = attrs['requestState'][0]
-+        request['request'] = attrs['extdata-cert--005frequest'][0]
-+
-+        return request
-+
-+
-+# register CASubsystem
-+SUBSYSTEM_CLASSES['ca'] = CASubsystem
-+
-+
- class ExternalCert(object):
- 
-     def __init__(self, nickname=None, token=None):
-diff --git a/base/server/python/pki/server/ca.py b/base/server/python/pki/server/ca.py
-deleted file mode 100644
-index afb281c..0000000
---- a/base/server/python/pki/server/ca.py
-+++ /dev/null
-@@ -1,91 +0,0 @@
--# Authors:
--#     Endi S. Dewata <edewata@redhat.com>
--#
--# This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
--#
--# This program is distributed in the hope that it will be useful,
--# but WITHOUT ANY WARRANTY; without even the implied warranty of
--# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
--#
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
--#
--# Copyright (C) 2015 Red Hat, Inc.
--# All rights reserved.
--#
--
--from __future__ import absolute_import
--import ldap
--import ldap.filter
--
--import pki
--import pki.server
--
--
--class CASubsystem(pki.server.PKISubsystem):
--
--    def __init__(self, instance):
--        super(CASubsystem, self).__init__(instance, 'ca')
--
--    def find_cert_requests(self, cert=None):
--
--        base_dn = self.config['internaldb.basedn']
--
--        if cert:
--            escaped_value = ldap.filter.escape_filter_chars(cert)
--            search_filter = '(extdata-req--005fissued--005fcert=%s)' % escaped_value
--
--        else:
--            search_filter = '(objectClass=*)'
--
--        con = self.open_database()
--
--        entries = con.ldap.search_s(
--            'ou=ca,ou=requests,%s' % base_dn,
--            ldap.SCOPE_ONELEVEL,
--            search_filter,
--            None)
--
--        con.close()
--
--        requests = []
--        for entry in entries:
--            requests.append(self.create_request_object(entry))
--
--        return requests
--
--    def get_cert_requests(self, request_id):
--
--        base_dn = self.config['internaldb.basedn']
--
--        con = self.open_database()
--
--        entries = con.ldap.search_s(
--            'cn=%s,ou=ca,ou=requests,%s' % (request_id, base_dn),
--            ldap.SCOPE_BASE,
--            '(objectClass=*)',
--            None)
--
--        con.close()
--
--        entry = entries[0]
--        return self.create_request_object(entry)
--
--    def create_request_object(self, entry):
--
--        attrs = entry[1]
--
--        request = {}
--        request['id'] = attrs['cn'][0]
--        request['type'] = attrs['requestType'][0]
--        request['status'] = attrs['requestState'][0]
--        request['request'] = attrs['extdata-cert--005frequest'][0]
--
--        return request
--
--
--pki.server.SUBSYSTEM_CLASSES['ca'] = CASubsystem
-diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
-index 45f5be9..49215cf 100644
---- a/base/server/python/pki/server/cli/subsystem.py
-+++ b/base/server/python/pki/server/cli/subsystem.py
-@@ -99,6 +99,11 @@ class SubsystemFindCLI(pki.cli.CLI):
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         self.print_message('%s entries matched' % len(instance.subsystems))
-@@ -164,6 +169,11 @@ class SubsystemShowCLI(pki.cli.CLI):
-         subsystem_name = args[0]
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
-@@ -222,6 +232,11 @@ class SubsystemEnableCLI(pki.cli.CLI):
-         subsystem_name = args[0]
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
-@@ -285,6 +300,11 @@ class SubsystemDisableCLI(pki.cli.CLI):
-         subsystem_name = args[0]
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
-@@ -375,6 +395,11 @@ class SubsystemCertFindCLI(pki.cli.CLI):
-         subsystem_name = args[0]
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
-@@ -402,6 +427,7 @@ class SubsystemCertShowCLI(pki.cli.CLI):
-         print('Usage: pki-server subsystem-cert-show [OPTIONS] <subsystem ID> <cert ID>')
-         print()
-         print('  -i, --instance <instance ID>    Instance ID (default: pki-tomcat).')
-+        print('      --show-all                  Show all attributes.')
-         print('  -v, --verbose                   Run in verbose mode.')
-         print('      --help                      Show help message.')
-         print()
-@@ -410,7 +436,7 @@ class SubsystemCertShowCLI(pki.cli.CLI):
- 
-         try:
-             opts, args = getopt.gnu_getopt(argv, 'i:v', [
--                'instance=',
-+                'instance=',  'show-all',
-                 'verbose', 'help'])
- 
-         except getopt.GetoptError as e:
-@@ -419,11 +445,15 @@ class SubsystemCertShowCLI(pki.cli.CLI):
-             sys.exit(1)
- 
-         instance_name = 'pki-tomcat'
-+        show_all = False
- 
-         for o, a in opts:
-             if o in ('-i', '--instance'):
-                 instance_name = a
- 
-+            elif o == '--show-all':
-+                show_all = True
-+
-             elif o in ('-v', '--verbose'):
-                 self.set_verbose(True)
- 
-@@ -451,12 +481,17 @@ class SubsystemCertShowCLI(pki.cli.CLI):
-         cert_id = args[1]
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
--        subsystem_cert = subsystem.get_subsystem_cert(cert_id)
-+        cert = subsystem.get_subsystem_cert(cert_id)
- 
--        SubsystemCertCLI.print_subsystem_cert(subsystem_cert)
-+        SubsystemCertCLI.print_subsystem_cert(cert, show_all)
- 
- 
- class SubsystemCertExportCLI(pki.cli.CLI):
-@@ -568,6 +603,11 @@ class SubsystemCertExportCLI(pki.cli.CLI):
-             sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
-@@ -684,6 +724,11 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
-         cert_id = args[1]
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
-@@ -723,8 +768,6 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
- 
-         self.print_message('Updated "%s" subsystem certificate' % cert_id)
- 
--        SubsystemCertCLI.print_subsystem_cert(subsystem_cert)
--
- 
- class SubsystemCertValidateCLI(pki.cli.CLI):
- 
-@@ -783,6 +826,11 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
-             cert_id = None
- 
-         instance = pki.server.PKIInstance(instance_name)
-+
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem(subsystem_name)
--- 
-2.5.5
-
-
-From f8310a4ff306d28cf25ec71693a2e89c5323564d Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Fri, 1 Jul 2016 03:26:23 +0200
-Subject: Added instance and subsystem validation for pki-server ca-* commands.
-
-The pki-server ca-* commands have been modified to validate
-the instance and the CA subsystem before proceeding with the
-operation.
-
-The usage() methods and invocations have been renamed into
-print_help() for consistency.
-
-https://fedorahosted.org/pki/ticket/2364
----
- base/server/python/pki/server/cli/ca.py | 44 +++++++++++++++++++++++++++------
- 1 file changed, 37 insertions(+), 7 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
-index dbf8239..1d1c00f 100644
---- a/base/server/python/pki/server/cli/ca.py
-+++ b/base/server/python/pki/server/cli/ca.py
-@@ -129,9 +129,16 @@ class CACertChainExportCLI(pki.cli.CLI):
-             sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem('ca')
-+        if not subsystem:
-+            print('ERROR: No CA subsystem in instance %s.' % instance_name)
-+            sys.exit(1)
- 
-         tmpdir = tempfile.mkdtemp()
- 
-@@ -171,7 +178,7 @@ class CACertRequestFindCLI(pki.cli.CLI):
-         super(CACertRequestFindCLI, self).__init__(
-             'find', 'Find CA certificate requests')
- 
--    def usage(self):
-+    def print_help(self):
-         print('Usage: pki-server ca-cert-request-find [OPTIONS]')
-         print()
-         print('  -i, --instance <instance ID>    Instance ID (default: pki-tomcat).')
-@@ -190,7 +197,7 @@ class CACertRequestFindCLI(pki.cli.CLI):
- 
-         except getopt.GetoptError as e:
-             print('ERROR: ' + str(e))
--            self.usage()
-+            self.print_help()
-             sys.exit(1)
- 
-         instance_name = 'pki-tomcat'
-@@ -216,13 +223,21 @@ class CACertRequestFindCLI(pki.cli.CLI):
- 
-             else:
-                 print('ERROR: unknown option ' + o)
--                self.usage()
-+                self.print_help()
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem('ca')
-+        if not subsystem:
-+            print('ERROR: No CA subsystem in instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         results = subsystem.find_cert_requests(cert=cert)
- 
-         self.print_message('%s entries matched' % len(results))
-@@ -243,7 +258,7 @@ class CACertRequestShowCLI(pki.cli.CLI):
-         super(CACertRequestShowCLI, self).__init__(
-             'show', 'Show CA certificate request')
- 
--    def usage(self):
-+    def print_help(self):
-         print('Usage: pki-server ca-cert-request-show <request ID> [OPTIONS]')
-         print()
-         print('  -i, --instance <instance ID>    Instance ID (default: pki-tomcat).')
-@@ -260,12 +275,12 @@ class CACertRequestShowCLI(pki.cli.CLI):
- 
-         except getopt.GetoptError as e:
-             print('ERROR: ' + str(e))
--            self.usage()
-+            self.print_help()
-             sys.exit(1)
- 
-         if len(args) != 1:
-             print('ERROR: missing request ID')
--            self.usage()
-+            self.print_help()
-             sys.exit(1)
- 
-         request_id = args[0]
-@@ -288,13 +303,21 @@ class CACertRequestShowCLI(pki.cli.CLI):
- 
-             else:
-                 print('ERROR: unknown option ' + o)
--                self.usage()
-+                self.print_help()
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem('ca')
-+        if not subsystem:
-+            print('ERROR: No CA subsystem in instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         request = subsystem.get_cert_requests(request_id)
- 
-         if output_file:
-@@ -384,9 +407,16 @@ class CAClonePrepareCLI(pki.cli.CLI):
-             sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem('ca')
-+        if not subsystem:
-+            print('ERROR: No CA subsystem in instance %s.' % instance_name)
-+            sys.exit(1)
- 
-         tmpdir = tempfile.mkdtemp()
- 
--- 
-2.5.5
-
-
-From e81cf4e11ca86562b27548d469fa606a072da23b Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Fri, 1 Jul 2016 10:05:05 +0530
-Subject: Updated notification message for kra-db-vlv* command
-
-Partially Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
----
- base/server/python/pki/server/cli/kra.py | 38 +++++++++++++++++++-------------
- 1 file changed, 23 insertions(+), 15 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
-index 17611a8..5c9111d 100644
---- a/base/server/python/pki/server/cli/kra.py
-+++ b/base/server/python/pki/server/cli/kra.py
-@@ -361,19 +361,28 @@ class KRADBVLVAddCLI(pki.cli.CLI):
-             print('ERROR: Invalid instance %s.' % instance_name)
-             sys.exit(1)
-         instance.load()
--        self.add_vlv(instance, bind_dn, bind_password)
- 
--    def add_vlv(self, instance, bind_dn, bind_password):
-         subsystem = instance.get_subsystem('kra')
-         if not subsystem:
--            print('No KRA subsystem available.')
--            return
-+            print('ERROR: No KRA subsystem in instance %s.' % instance_name)
-+            sys.exit(1)
- 
-         if self.out_file:
-             subsystem.customize_file(KRA_VLV_PATH, self.out_file)
-             print('KRA VLVs written to ' + self.out_file)
-             return
- 
-+        try:
-+            self.add_vlv(subsystem, bind_dn, bind_password)
-+
-+            print('KRA VLVs added to the database for ' + instance_name)
-+
-+        except ldap.LDAPError as e:
-+            print("ERROR: " + e.message['desc'])
-+            sys.exit(1)
-+
-+    def add_vlv(self, subsystem, bind_dn, bind_password):
-+
-         ldif_file = tempfile.NamedTemporaryFile(delete=False)
-         subsystem.customize_file(KRA_VLV_PATH, ldif_file.name)
- 
-@@ -386,12 +395,11 @@ class KRADBVLVAddCLI(pki.cli.CLI):
-             for dn, entry in parser.all_records:
-                 add_modlist = ldap.modlist.addModlist(entry)
-                 conn.ldap.add_s(dn, add_modlist)
-+
-         finally:
-             os.unlink(ldif_file.name)
-             conn.close()
- 
--        print('KRA VLVs added to the database for ' + instance.name)
--
- 
- class KRADBVLVDeleteCLI(pki.cli.CLI):
- 
-@@ -581,28 +589,30 @@ class KRADBVLVReindexCLI(pki.cli.CLI):
-             print('ERROR: Invalid instance %s.' % instance_name)
-             sys.exit(1)
-         instance.load()
--        self.reindex_vlv(instance, bind_dn, bind_password)
- 
--    def reindex_vlv(self, instance, bind_dn, bind_password):
-         subsystem = instance.get_subsystem('kra')
-         if not subsystem:
--            if self.verbose:
--                print('reindex_vlv: No KRA subsystem available.  '
--                      'Skipping ...')
--                return
-+            print('ERROR: No KRA subsystem in instance %s.' % instance_name)
-+            sys.exit(1)
- 
-         if self.out_file:
-             subsystem.customize_file(KRA_VLV_TASKS_PATH, self.out_file)
-             print('KRA VLV reindex task written to ' + self.out_file)
-             return
- 
-+        self.reindex_vlv(subsystem, bind_dn, bind_password)
-+
-+        print('KRA VLV reindex completed for ' + instance_name)
-+
-+    def reindex_vlv(self, subsystem, bind_dn, bind_password):
-+
-         ldif_file = tempfile.NamedTemporaryFile(delete=False)
-         subsystem.customize_file(KRA_VLV_TASKS_PATH, ldif_file.name)
- 
-         conn = subsystem.open_database(bind_dn=bind_dn,
-                                        bind_password=bind_password)
- 
--        print('Initiating KRA VLV reindex for ' + instance.name)
-+        print('Initiating KRA VLV reindex for ' + subsystem.instance.name)
- 
-         try:
-             parser = ldif.LDIFRecordList(open(ldif_file.name, "rb"))
-@@ -630,5 +640,3 @@ class KRADBVLVReindexCLI(pki.cli.CLI):
-         finally:
-             os.unlink(ldif_file.name)
-             conn.close()
--
--        print('KRA VLV reindex completed for ' + instance.name)
--- 
-2.5.5
-
-
-From a646c1b6e67a5c4d105208254fa3288cdbd86c6e Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Fri, 1 Jul 2016 10:23:53 +0530
-Subject: Updated notification message for OCSP subsystem command
-
-Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
----
- base/server/python/pki/server/cli/ocsp.py | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py
-index c32e8de..246f593 100644
---- a/base/server/python/pki/server/cli/ocsp.py
-+++ b/base/server/python/pki/server/cli/ocsp.py
-@@ -118,9 +118,15 @@ class OCSPClonePrepareCLI(pki.cli.CLI):
-             sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-         instance.load()
- 
-         subsystem = instance.get_subsystem('ocsp')
-+        if not subsystem:
-+            print("ERROR: No OCSP subsystem in instance %s." % instance_name)
-+            sys.exit(1)
- 
-         tmpdir = tempfile.mkdtemp()
- 
--- 
-2.5.5
-
-
-From ab8655ca693ddf5afc0579db42cfbea61e8fee89 Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Fri, 1 Jul 2016 10:31:32 +0530
-Subject: Updated notification message for TKS subsystem command
-
-Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
----
- base/server/python/pki/server/cli/tks.py | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py
-index 0bcf748..2c4157a 100644
---- a/base/server/python/pki/server/cli/tks.py
-+++ b/base/server/python/pki/server/cli/tks.py
-@@ -118,9 +118,16 @@ class TKSClonePrepareCLI(pki.cli.CLI):
-             sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-+
-         instance.load()
- 
-         subsystem = instance.get_subsystem('tks')
-+        if not subsystem:
-+            print("ERROR: No TKS subsystem in instance %s." % instance_name)
-+            sys.exit(1)
- 
-         tmpdir = tempfile.mkdtemp()
- 
--- 
-2.5.5
-
-
-From eb0f8d0f1e9d396efb071c6432aa22ff0a39d613 Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Fri, 1 Jul 2016 10:35:21 +0530
-Subject: Updated notification message for TPS subsystem command
-
-Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
----
- base/server/python/pki/server/cli/tps.py | 34 ++++++++++++++++++++++++--------
- 1 file changed, 26 insertions(+), 8 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py
-index 63da341..1f71b8e 100644
---- a/base/server/python/pki/server/cli/tps.py
-+++ b/base/server/python/pki/server/cli/tps.py
-@@ -127,9 +127,15 @@ class TPSClonePrepareCLI(pki.cli.CLI):
-             sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-         instance.load()
- 
-         subsystem = instance.get_subsystem('tps')
-+        if not subsystem:
-+            print("ERROR: No TPS subsystem in instance %s." % instance_name)
-+            sys.exit(1)
- 
-         tmpdir = tempfile.mkdtemp()
- 
-@@ -228,12 +234,15 @@ class TPSDBVLVFindCLI(pki.cli.CLI):
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-         instance.load()
- 
-         subsystem = instance.get_subsystem('tps')
--
-         if not subsystem:
--            raise Exception('Subsystem not found')
-+            print("ERROR: No TPS subsystem in instance %s." % instance_name)
-+            sys.exit(1)
- 
-         self.find_vlv(subsystem, bind_dn, bind_password)
- 
-@@ -340,12 +349,15 @@ class TPSDBVLVAddCLI(pki.cli.CLI):
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-         instance.load()
- 
-         subsystem = instance.get_subsystem('tps')
--
-         if not subsystem:
--            raise Exception('Subsystem not found')
-+            print("ERROR: No TPS subsystem in instance %s." % instance_name)
-+            sys.exit(1)
- 
-         if out_file:
-             self.generate_ldif(subsystem, out_file)
-@@ -450,12 +462,15 @@ class TPSDBVLVDeleteCLI(pki.cli.CLI):
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-         instance.load()
- 
-         subsystem = instance.get_subsystem('tps')
--
-         if not subsystem:
--            raise Exception('Subsystem not found')
-+            print("ERROR: No TPS subsystem in instance %s." % instance_name)
-+            sys.exit(1)
- 
-         if out_file:
-             self.generate_ldif(subsystem, out_file)
-@@ -582,12 +597,15 @@ class TPSDBVLVReindexCLI(pki.cli.CLI):
-                 sys.exit(1)
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print('ERROR: Invalid instance %s.' % instance_name)
-+            sys.exit(1)
-         instance.load()
- 
-         subsystem = instance.get_subsystem('tps')
--
-         if not subsystem:
--            raise Exception('Subsystem not found')
-+            print("ERROR: No TPS subsystem in instance %s." % instance_name)
-+            sys.exit(1)
- 
-         if out_file:
-             self.generate_ldif(subsystem, out_file)
--- 
-2.5.5
-
-
-From aef84ae829bf2645937363ee3e61f002c2682869 Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Fri, 1 Jul 2016 15:08:09 +0530
-Subject: Updated notification message for DB subsystem command
-
-Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
----
- base/server/python/pki/server/cli/db.py | 20 +++++++++++++++-----
- 1 file changed, 15 insertions(+), 5 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py
-index 6555e40..cc768da 100644
---- a/base/server/python/pki/server/cli/db.py
-+++ b/base/server/python/pki/server/cli/db.py
-@@ -25,6 +25,7 @@ import ldap
- import nss.nss as nss
- import subprocess
- import sys
-+import getpass
- 
- import pki.cli
- 
-@@ -96,12 +97,19 @@ class DBSchemaUpgrade(pki.cli.CLI):
- 
-         instance = pki.server.PKIInstance(instance_name)
-         if not instance.is_valid():
--            print("ERROR: Instance name '%s' not found" % instance)
-+            print("ERROR: Invalid instance %s." % instance_name)
-             sys.exit(1)
-         instance.load()
- 
-+        if not instance.subsystems:
-+            print("ERROR: No subsystem in instance %s." % instance_name)
-+            sys.exit(1)
-+
-+        if not bind_password:
-+            bind_password = getpass.getpass(prompt='Enter password: ')
-+
-         try:
--            self.update_schema(instance, bind_dn, bind_password)
-+            self.update_schema(instance.subsystems[0], bind_dn, bind_password)
- 
-         except subprocess.CalledProcessError as e:
-             print("ERROR: " + e.output)
-@@ -109,9 +117,8 @@ class DBSchemaUpgrade(pki.cli.CLI):
- 
-         self.print_message('Upgrade complete')
- 
--    def update_schema(self, instance, bind_dn, bind_password):
-+    def update_schema(self, subsystem, bind_dn, bind_password):
-         # TODO(alee) re-implement this using open_database
--        subsystem = instance.subsystems[0]
-         host = subsystem.config['internaldb.ldapconn.host']
-         port = subsystem.config['internaldb.ldapconn.port']
-         secure = subsystem.config['internaldb.ldapconn.secureConn']
-@@ -174,11 +181,14 @@ class DBUpgrade(pki.cli.CLI):
-         nss.nss_init_nodb()
- 
-         instance = pki.server.PKIInstance(instance_name)
-+        if not instance.is_valid():
-+            print("ERROR: Invalid instance %s." % instance_name)
-+            sys.exit(1)
-         instance.load()
- 
-         subsystem = instance.get_subsystem('ca')
-         if not subsystem:
--            print('ERROR: missing subsystem ca')
-+            print('ERROR: No CA subsystem in instance %s.' + instance_name)
-             sys.exit(1)
- 
-         base_dn = subsystem.config['internaldb.basedn']
--- 
-2.5.5
-
-
-From 17e86cc2c5dde2f45f4ceef5bedb6e05062866e1 Mon Sep 17 00:00:00 2001
-From: Matthew Harmsen <mharmsen@redhat.com>
-Date: Fri, 1 Jul 2016 14:45:57 -0600
-Subject: Add HSM information
-
-- PKI TRAC Ticket #1405 - Add additional HSM details to 'pki_default.cfg' &
-  'pkispawn' man pages
----
- base/server/man/man5/pki_default.cfg.5 |   8 +-
- base/server/man/man8/pkispawn.8        | 173 +++++++++++++++++++++++++++++++++
- 2 files changed, 180 insertions(+), 1 deletion(-)
-
-diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
-index 550e2aa..aaf7b53 100644
---- a/base/server/man/man5/pki_default.cfg.5
-+++ b/base/server/man/man5/pki_default.cfg.5
-@@ -184,7 +184,10 @@ Location for the PKCS #12 file containing the administrative user's certificate
- .B pki_backup_keys, pki_backup_password
- .IP
- Set to True to back up the subsystem certificates and keys to a PKCS #12 file.  This file will be located in \fI/var/lib/pki/<instance_name>/alias\fP.  pki_backup_password is the password of the PKCS#12 file.
--  
-+.TP
-+\fBImportant:\fP
-+Since HSM keys are stored in the HSM (hardware), they cannot be backed up to a PKCS #12 file (software).  Therefore, if \fBpki_hsm_enable\fP is set to True, \fBpki_backup_keys\fP should be set to False and \fBpki_backup_password\fP should be left unset (the default values in \fB/etc/pki/default.cfg\fP).  Failure to do so will result in \fBpkispawn\fP reporting this error and exiting.
-+
- .SS CLIENT DIRECTORY PARAMETERS
- .TP
- .B pki_client_dir
-@@ -295,6 +298,9 @@ Installs a clone, rather than original, subsystem.
- .IP
- Location and password of the PKCS #12 file containing the system certificates for the master subsystem being cloned.  This file should be readable by the user that the Certificate Server is running as (default of pkiuser), and have the correct selinux context (pki_tomcat_cert_t).  This can be achieved by placing the file in \fI/var/lib/pki/<instance_name>/alias\fP.
- .TP
-+\fBImportant:\fP
-+Since HSM keys are stored in the HSM (hardware), they cannot be copied to a PKCS #12 file (software).  For the case of clones using an HSM, this means that the HSM keys must be shared between the master and its clones.  Therefore, if \fBpki_hsm_enable\fP is set to True, both \fBpki_clone_pkcs12_path\fP and \fBpki_clone_pkcs12_password\fP should be left unset (the default values in \fB/etc/pki/default.cfg\fP).  Failure to do so will result in \fBpkispawn\fP reporting this error and exiting.
-+.TP
- .B pki_clone_setup_replication
- .IP
- Defaults to True.  If set to False, the installer does not set up replication agreements from the master to the clone as part of the subsystem configuration.  In this case, it is expected that the top level suffix already exists, and that the data has already been replicated.  This option is useful if you want to use other tools to create and manage your replication topology, or if the baseDN is already replicated as part of a top-level suffix.
-diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
-index 3ad6fdb..3678cff 100644
---- a/base/server/man/man8/pkispawn.8
-+++ b/base/server/man/man8/pkispawn.8
-@@ -756,6 +756,179 @@ conn.tks1.tksSharedSymKeyName=sharedSecret
- .PP
- Finally, restart the TPS instance.
- 
-+.SS Installing a CA, KRA, OCSP, TKS, or TPS using a Hardware Security Module (HSM)
-+.BR
-+.PP
-+This section provides sample \fBmyconfig.txt\fP files when an HSM is being utilized in a shared PKI instance.
-+
-+.PP
-+For this example, assume that a new CA instance has been installed by
-+executing the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+# Optionally keep client databases
-+pki_client_database_purge=False
-+# Provide HSM parameters
-+pki_hsm_enable=True
-+pki_hsm_libfile=<hsm_libfile>
-+pki_hsm_modulename=<hsm_modulename>
-+pki_token_name=<hsm_token_name>
-+pki_token_password=<pki_token_password>
-+# Provide PKI-specific HSM token names
-+pki_audit_signing_token=<hsm_token_name>
-+pki_ssl_server_token=<hsm_token_name>
-+pki_subsystem_token=<hsm_token_name>
-+[CA]
-+# Provide CA-specific HSM token names
-+pki_ca_signing_token=<hsm_token_name>
-+pki_ocsp_signing_token=<hsm_token_name>
-+.if
-+
-+.PP
-+To install a shared KRA in the same instance used by the CA execute
-+the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s KRA \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_database_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+pki_security_domain_password=\fISecret123\fP
-+# Provide HSM parameters
-+pki_hsm_enable=True
-+pki_hsm_libfile=<hsm_libfile>
-+pki_hsm_modulename=<hsm_modulename>
-+pki_token_name=<hsm_token_name>
-+pki_token_password=<pki_token_password>
-+# Provide PKI-specific HSM token names
-+pki_audit_signing_token=<hsm_token_name>
-+pki_ssl_server_token=<hsm_token_name>
-+pki_subsystem_token=<hsm_token_name>
-+[KRA]
-+# Provide KRA-specific HSM token names
-+pki_storage_token=<hsm_token_name>
-+pki_transport_token=<hsm_token_name>
-+.if
-+
-+.PP
-+To install a shared OCSP in the same instance used by the CA execute
-+the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s OCSP \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_database_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+pki_security_domain_password=\fISecret123\fP
-+# Provide HSM parameters
-+pki_hsm_enable=True
-+pki_hsm_libfile=<hsm_libfile>
-+pki_hsm_modulename=<hsm_modulename>
-+pki_token_name=<hsm_token_name>
-+pki_token_password=<pki_token_password>
-+# Provide PKI-specific HSM token names
-+pki_audit_signing_token=<hsm_token_name>
-+pki_ssl_server_token=<hsm_token_name>
-+pki_subsystem_token=<hsm_token_name>
-+[OCSP]
-+# Provide OCSP-specific HSM token names
-+pki_ocsp_signing_token=<hsm_token_name>
-+.if
-+
-+.PP
-+To install a shared TKS in the same instance used by the CA execute
-+the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s TKS \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_database_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+pki_security_domain_password=\fISecret123\fP
-+# Provide HSM parameters
-+pki_hsm_enable=True
-+pki_hsm_libfile=<hsm_libfile>
-+pki_hsm_modulename=<hsm_modulename>
-+pki_token_name=<hsm_token_name>
-+pki_token_password=<pki_token_password>
-+# Provide PKI-specific HSM token names
-+pki_audit_signing_token=<hsm_token_name>
-+pki_ssl_server_token=<hsm_token_name>
-+pki_subsystem_token=<hsm_token_name>
-+.if
-+
-+.PP
-+To install a shared TPS in the same instance used by the CA execute
-+the following command:
-+.IP
-+\x'-1'\fBpkispawn \-s TPS \-f myconfig.txt\fR
-+.PP
-+where \fImyconfig.txt\fP contains the following text:
-+.IP
-+.nf
-+[DEFAULT]
-+pki_admin_password=\fISecret123\fP
-+pki_client_database_password=\fISecret123\fP
-+pki_client_pkcs12_password=\fISecret123\fP
-+pki_ds_password=\fISecret123\fP
-+pki_security_domain_password=\fISecret123\fP
-+# Provide HSM parameters
-+pki_hsm_enable=True
-+pki_hsm_libfile=<hsm_libfile>
-+pki_hsm_modulename=<hsm_modulename>
-+pki_token_name=<hsm_token_name>
-+pki_token_password=<pki_token_password>
-+# Provide PKI-specific HSM token names
-+pki_audit_signing_token=<hsm_token_name>
-+pki_ssl_server_token=<hsm_token_name>
-+pki_subsystem_token=<hsm_token_name>
-+[TPS]
-+# Shared TPS instances optionally utilize their shared KRA
-+# for server-side keygen
-+pki_enable_server_side_keygen=True
-+pki_authdb_basedn=\fIdc=example,dc=com\fP
-+.if
-+
-+.TP
-+\fBImportant:\fP
-+Since HSM keys are stored in the HSM (hardware), they cannot be
-+backed up, moved, or copied to a PKCS #12 file (software).
-+For example, if \fBpki_hsm_enable\fP is set to True,
-+\fBpki_backup_keys\fP should be set to False and
-+\fBpki_backup_password\fP should be left unset (the default
-+values in \fB/etc/pki/default.cfg\fP).  Similarly, for the case
-+of clones using an HSM, this means that the HSM keys must be
-+shared between the master and its clones.  Therefore, if
-+\fBpki_hsm_enable\fP is set to True, both
-+\fBpki_clone_pkcs12_path\fP and \fBpki_clone_pkcs12_password\fP
-+should be left unset (the default values in
-+\fB/etc/pki/default.cfg\fP).  Failure to comply with these rules
-+will result in \fBpkispawn\fP reporting an appropriate error and
-+exiting.
-+
- .SS Installing a CA clone
- .BR
- .PP
--- 
-2.5.5
-
-
-From cfab57d057c7ada71ea9c360c278249d14e018d9 Mon Sep 17 00:00:00 2001
-From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
-Date: Fri, 24 Jun 2016 17:04:15 -0700
-Subject: Generting Symmetric key fails with key-generate when --usages verify
- is passed
-
-Ticket #1114
-
-Minor adjustment to the man page for the key management commands to say
-which usages are appropriate for sym keys and those appropriate for asym keys.
-
-t
----
- base/java-tools/man/man1/pki-key.1 | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/base/java-tools/man/man1/pki-key.1 b/base/java-tools/man/man1/pki-key.1
-index 30ac909..669ab86 100644
---- a/base/java-tools/man/man1/pki-key.1
-+++ b/base/java-tools/man/man1/pki-key.1
-@@ -329,7 +329,9 @@ Following is the description of the various parameters in the key retrieval temp
-     -- clientKeyID - Client specified unique key identifier
-     -- keyAlgorithm - Algorithm to be used to generate key (AES/DES/DES3/DESede/RC2/RC4)
-     -- keySize - Value for the size of the key to be generated.
--    -- keyUsage - usages of the generated key(wrap,unwrap,sign,verify,encrypt,decrypt)
-+    -- keyUsage - usages of the generated key
-+        useful for Symmetric Keys (DES3,AES,etc) (wrap,unwrap,encrypt,decrypt)
-+        useful for Asymmetric Keys (RSA, EC,etc) (wrap,unwrap,encrypt,decrypt,sign,verify,sign_recover,verify_recover)
- 
- To create a key generation request using the template file:
- 
--- 
-2.5.5
-
-
-From 0f056221d096a30307834265ecd1c527087bb0f7 Mon Sep 17 00:00:00 2001
-From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
-Date: Mon, 13 Jun 2016 11:27:59 -0700
-Subject: Separated TPS does not automatically receive shared secret from
- remote TKS.
-
-Support to allow the TPS to do the following:
-
-1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
-2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
-3. The TPS then imports the wrapped shared secret into it's own internal NSS db permanenty and.
-4. Given a name that is mapped to the TPS's id string.
-
-Additional fixes:
-
-1. The TKS was modified to actually be able to use multiple shared secrets registered by
-multiple TPS instances.
-
-Caveat:
-
-At this point if the same remote TPS instance is created over and over again, the TPS's user
-in the TKS will accumulate "userCert" attributes, making the exportation of teh shared secret
-not functional. At this point we need to assume that the TPS user has ONE "userCert" registered
-at this time.
----
- .../src/com/netscape/certsrv/key/KeyData.java      |  21 +-
- .../cms/servlet/csadmin/ConfigurationUtils.java    | 247 ++++++++++++---------
- .../cms/servlet/tks/SecureChannelProtocol.java     |   3 +-
- .../com/netscape/cms/servlet/tks/TokenServlet.java |  26 ++-
- base/server/man/man8/pkispawn.8                    |  11 +-
- .../server/tks/rest/TPSConnectorService.java       | 147 +++++++++---
- .../server/tps/processor/TPSProcessor.java         |   8 +-
- .../server/tps/rest/TPSInstallerService.java       |  12 +-
- .../com/netscape/cmsutil/crypto/CryptoUtil.java    | 157 +++++++++----
- 9 files changed, 435 insertions(+), 197 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/key/KeyData.java b/base/common/src/com/netscape/certsrv/key/KeyData.java
-index 6da4d38..e31cfb3 100644
---- a/base/common/src/com/netscape/certsrv/key/KeyData.java
-+++ b/base/common/src/com/netscape/certsrv/key/KeyData.java
-@@ -48,7 +48,11 @@ public class KeyData {
-     @XmlElement
-     Integer size;
- 
--    String privateData;
-+    @XmlElement
-+    String additionalWrappedPrivateData;
-+    // Optionally used for importing a shared secret from TKS to TPS
-+    // Will contain wrapped shared secret data.
-+    // Can be used for anything in other scenarios
- 
-     public KeyData() {
-         // required for JAXB (defaults)
-@@ -68,6 +72,15 @@ public class KeyData {
-         this.wrappedPrivateData = wrappedPrivateData;
-     }
- 
-+    public String getAdditionalWrappedPrivateData() {
-+        return additionalWrappedPrivateData;
-+    }
-+
-+
-+    public void setAdditionalWrappedPrivateData(String additionalWrappedPrivateData) {
-+        this.additionalWrappedPrivateData = additionalWrappedPrivateData;
-+    }
-+
-     /**
-      * @return the nonceData
-      */
-@@ -126,11 +139,5 @@ public class KeyData {
-         this.size = size;
-     }
- 
--    public String getPrivateData() {
--        return privateData;
--    }
- 
--    public void setPrivateData(String privateData) {
--        this.privateData = privateData;
--    }
- }
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-index 308f3e7..ab5e4d6 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-@@ -15,7 +15,7 @@
- // (C) 2012 Red Hat, Inc.
- // All rights reserved.
- // --- END COPYRIGHT BLOCK ---
-- package com.netscape.cms.servlet.csadmin;
-+package com.netscape.cms.servlet.csadmin;
- 
- import java.io.BufferedReader;
- import java.io.ByteArrayInputStream;
-@@ -58,6 +58,34 @@ import javax.ws.rs.core.MultivaluedMap;
- import javax.ws.rs.core.Response;
- import javax.xml.parsers.ParserConfigurationException;
- 
-+import netscape.ldap.LDAPAttribute;
-+import netscape.ldap.LDAPAttributeSet;
-+import netscape.ldap.LDAPConnection;
-+import netscape.ldap.LDAPDN;
-+import netscape.ldap.LDAPEntry;
-+import netscape.ldap.LDAPException;
-+import netscape.ldap.LDAPModification;
-+import netscape.ldap.LDAPSearchConstraints;
-+import netscape.ldap.LDAPSearchResults;
-+import netscape.ldap.LDAPv3;
-+import netscape.security.pkcs.ContentInfo;
-+import netscape.security.pkcs.PKCS10;
-+import netscape.security.pkcs.PKCS12;
-+import netscape.security.pkcs.PKCS12Util;
-+import netscape.security.pkcs.PKCS7;
-+import netscape.security.pkcs.SignerInfo;
-+import netscape.security.util.DerOutputStream;
-+import netscape.security.util.ObjectIdentifier;
-+import netscape.security.x509.AlgorithmId;
-+import netscape.security.x509.BasicConstraintsExtension;
-+import netscape.security.x509.CertificateChain;
-+import netscape.security.x509.Extension;
-+import netscape.security.x509.Extensions;
-+import netscape.security.x509.KeyUsageExtension;
-+import netscape.security.x509.X500Name;
-+import netscape.security.x509.X509CertImpl;
-+import netscape.security.x509.X509Key;
-+
- import org.apache.commons.lang.StringUtils;
- import org.apache.velocity.context.Context;
- import org.mozilla.jss.CryptoManager;
-@@ -149,36 +177,9 @@ import com.netscape.certsrv.usrgrp.IUGSubsystem;
- import com.netscape.certsrv.usrgrp.IUser;
- import com.netscape.cmsutil.crypto.CryptoUtil;
- import com.netscape.cmsutil.ldap.LDAPUtil;
-+import com.netscape.cmsutil.util.Utils;
- import com.netscape.cmsutil.xml.XMLObject;
- 
--import netscape.ldap.LDAPAttribute;
--import netscape.ldap.LDAPAttributeSet;
--import netscape.ldap.LDAPConnection;
--import netscape.ldap.LDAPDN;
--import netscape.ldap.LDAPEntry;
--import netscape.ldap.LDAPException;
--import netscape.ldap.LDAPModification;
--import netscape.ldap.LDAPSearchConstraints;
--import netscape.ldap.LDAPSearchResults;
--import netscape.ldap.LDAPv3;
--import netscape.security.pkcs.ContentInfo;
--import netscape.security.pkcs.PKCS10;
--import netscape.security.pkcs.PKCS12;
--import netscape.security.pkcs.PKCS12Util;
--import netscape.security.pkcs.PKCS7;
--import netscape.security.pkcs.SignerInfo;
--import netscape.security.util.DerOutputStream;
--import netscape.security.util.ObjectIdentifier;
--import netscape.security.x509.AlgorithmId;
--import netscape.security.x509.BasicConstraintsExtension;
--import netscape.security.x509.CertificateChain;
--import netscape.security.x509.Extension;
--import netscape.security.x509.Extensions;
--import netscape.security.x509.KeyUsageExtension;
--import netscape.security.x509.X500Name;
--import netscape.security.x509.X509CertImpl;
--import netscape.security.x509.X509Key;
--
- /**
-  * Utility class for functions to be used by the RESTful installer.
-  *
-@@ -377,7 +378,7 @@ public class ConfigurationUtils {
-             if (eqPos != -1) {
-                 String name = line.substring(0, eqPos).trim();
-                 String tempval = line.substring(eqPos + 1).trim();
--                String value = tempval.replaceAll("(^\")|(\";$)","");
-+                String value = tempval.replaceAll("(^\")|(\";$)", "");
- 
-                 if (name.equals(header)) {
-                     return value;
-@@ -634,7 +635,7 @@ public class ConfigurationUtils {
-                 throw new IOException("The server you want to contact is not available");
-             }
- 
--            CMS.debug("content from admin interface ="+ c);
-+            CMS.debug("content from admin interface =" + c);
-             // when the admin servlet is unavailable, we return a badly formatted error page
-             // in that case, this will throw an exception and be passed into the catch block.
-             parser = new XMLObject(new ByteArrayInputStream(c.getBytes()));
-@@ -685,8 +686,7 @@ public class ConfigurationUtils {
- 
-     public static boolean updateConfigEntries(String hostname, int port, boolean https,
-             String servlet, MultivaluedMap<String, String> content, IConfigStore config)
--                    throws Exception {
--
-+            throws Exception {
-         CMS.debug("updateConfigEntries start");
-         String c = post(hostname, port, https, servlet, content, null, null);
- 
-@@ -892,7 +892,8 @@ public class ConfigurationUtils {
-                     // pkeyinfo_v stores private key (PrivateKeyInfo) and subject DN (String)
-                     Vector<Object> pkeyinfo_v = new Vector<Object>();
-                     pkeyinfo_v.addElement(pkeyinfo);
--                    if (subjectDN != null) pkeyinfo_v.addElement(subjectDN);
-+                    if (subjectDN != null)
-+                        pkeyinfo_v.addElement(subjectDN);
- 
-                     pkeyinfo_collection.addElement(pkeyinfo_v);
- 
-@@ -941,7 +942,8 @@ public class ConfigurationUtils {
-                     // cert_v stores certificate (byte[]) and nickname (String)
-                     Vector<Object> cert_v = new Vector<Object>();
-                     cert_v.addElement(x509cert);
--                    if (nickname != null) cert_v.addElement(nickname);
-+                    if (nickname != null)
-+                        cert_v.addElement(nickname);
- 
-                     cert_collection.addElement(cert_v);
-                 }
-@@ -992,10 +994,11 @@ public class ConfigurationUtils {
-     public static void importKeyCert(
-             Vector<Vector<Object>> pkeyinfo_collection,
-             Vector<Vector<Object>> cert_collection
--        ) throws IOException, CertificateException, TokenException,
--            NoSuchAlgorithmException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalStateException,
--            IllegalBlockSizeException, BadPaddingException, NotInitializedException, NicknameConflictException,
--            UserCertConflictException, NoSuchItemOnTokenException, EPropertyNotFound, EBaseException {
-+            ) throws IOException, CertificateException, TokenException,
-+                    NoSuchAlgorithmException, InvalidKeyException, InvalidAlgorithmParameterException,
-+                    IllegalStateException,
-+                    IllegalBlockSizeException, BadPaddingException, NotInitializedException, NicknameConflictException,
-+                    UserCertConflictException, NoSuchItemOnTokenException, EPropertyNotFound, EBaseException {
- 
-         CMS.debug("ConfigurationUtils.importKeyCert()");
-         CryptoManager cm = CryptoManager.getInstance();
-@@ -1069,7 +1072,7 @@ public class ConfigurationUtils {
-                 String name = (String) cert_v.elementAt(1);
-                 CMS.debug("- Certificate: " + name);
- 
--                if (! masterList.contains(name)) {
-+                if (!masterList.contains(name)) {
-                     CMS.debug("  Certificate not in master list, ignore certificate");
-                     continue;
-                 }
-@@ -1160,10 +1163,11 @@ public class ConfigurationUtils {
-             return true;
-         try {
-             X500Name xname = new X500Name(nickname);
--            for (String key: masterList) {
-+            for (String key : masterList) {
-                 try {
-                     X500Name xkey = new X500Name(key);
--                    if (xkey.equals(xname)) return true;
-+                    if (xkey.equals(xname))
-+                        return true;
-                 } catch (IOException e) {
-                     // xkey not an X500Name
-                 }
-@@ -1216,10 +1220,12 @@ public class ConfigurationUtils {
-         return false;
-     }
- 
-+
-     public static boolean isAuditSigningCert(String name) throws EPropertyNotFound, EBaseException {
-         IConfigStore cs = CMS.getConfigStore();
-         String nickname = cs.getString("preop.master.audit_signing.nickname");
--        if (nickname.equals(name)) return true;
-+        if (nickname.equals(name))
-+            return true;
-         return false;
-     }
- 
-@@ -1271,7 +1277,7 @@ public class ConfigurationUtils {
-         while (st.hasMoreTokens()) {
-             String s = st.nextToken();
-             if (s.equals("sslserver"))
--                    continue;
-+                continue;
-             String name = "preop.master." + s + ".nickname";
-             String nickname = cs.getString(name);
-             list.add(nickname);
-@@ -1293,14 +1299,16 @@ public class ConfigurationUtils {
-             X509CertImpl impl = null;
-             impl = new X509CertImpl(b);
-             Principal subjectdn = impl.getSubjectDN();
--            if (LDAPDN.equals(subjectdn.toString(), nickname)) return b;
-+            if (LDAPDN.equals(subjectdn.toString(), nickname))
-+                return b;
-         }
-         return null;
-     }
- 
-     public static void releaseConnection(LDAPConnection conn) {
-         try {
--            if (conn != null) conn.disconnect();
-+            if (conn != null)
-+                conn.disconnect();
-         } catch (LDAPException e) {
-             CMS.debug(e);
-             CMS.debug("releaseConnection: " + e);
-@@ -1551,14 +1559,15 @@ public class ConfigurationUtils {
-             LDAPSearchResults res = conn.search(
-                     "cn=mapping tree, cn=config", LDAPConnection.SCOPE_ONE,
-                     "nsslapd-backend=" + LDAPUtil.escapeFilter(database),
--                    null, false, (LDAPSearchConstraints)null);
-+                    null, false, (LDAPSearchConstraints) null);
- 
-             while (res.hasMoreElements()) {
-                 LDAPEntry entry = res.next();
- 
-                 LDAPAttribute cn = entry.getAttribute("cn");
-                 String dn = cn.getStringValueArray()[0];
--                if (LDAPDN.equals(baseDN, dn)) continue;
-+                if (LDAPDN.equals(baseDN, dn))
-+                    continue;
- 
-                 CMS.debug("confirmMappings: Database " + database + " is used by " + dn + ".");
-                 throw new EBaseException("The database (" + database + ") is used by another base DN. " +
-@@ -1646,12 +1655,12 @@ public class ConfigurationUtils {
- 
-     private static void checkParentExists(String baseDN, LDAPConnection conn) throws EBaseException {
-         String[] dns = LDAPDN.explodeDN(baseDN, false);
--        if (dns.length == 1 ) {
-+        if (dns.length == 1) {
-             CMS.debug("checkParentExists: no parent in baseDN: " + baseDN);
-             throw new EBaseException("Invalid BaseDN. No parent DN in " + baseDN);
-         }
-         String parentDN = Arrays.toString(Arrays.copyOfRange(dns, 1, dns.length));
--        parentDN = parentDN.substring(1,parentDN.length() -1);
-+        parentDN = parentDN.substring(1, parentDN.length() - 1);
-         try {
-             CMS.debug("checkParentExists: Checking parent " + parentDN + ".");
-             conn.read(parentDN);
-@@ -1666,11 +1675,13 @@ public class ConfigurationUtils {
-         }
-     }
- 
--    public static void importLDIFS(String param, LDAPConnection conn) throws EPropertyNotFound, IOException, EBaseException {
-+    public static void importLDIFS(String param, LDAPConnection conn) throws EPropertyNotFound, IOException,
-+            EBaseException {
-         importLDIFS(param, conn, true);
-     }
- 
--    public static void importLDIFS(String param, LDAPConnection conn, boolean suppressErrors) throws IOException, EPropertyNotFound,
-+    public static void importLDIFS(String param, LDAPConnection conn, boolean suppressErrors) throws IOException,
-+            EPropertyNotFound,
-             EBaseException {
-         IConfigStore cs = CMS.getConfigStore();
- 
-@@ -1764,7 +1775,7 @@ public class ConfigurationUtils {
-         try {
-             LDAPSearchResults res = conn.search(
-                     dn, LDAPConnection.SCOPE_BASE, "objectclass=*",
--                    null, true, (LDAPSearchConstraints)null);
-+                    null, true, (LDAPSearchConstraints) null);
-             deleteEntries(res, conn, excludedDNs);
- 
-         } catch (LDAPException e) {
-@@ -1777,14 +1788,15 @@ public class ConfigurationUtils {
-         }
-     }
- 
--    public static void deleteEntries(LDAPSearchResults res, LDAPConnection conn, String[] excludedDNs) throws LDAPException {
-+    public static void deleteEntries(LDAPSearchResults res, LDAPConnection conn, String[] excludedDNs)
-+            throws LDAPException {
-         while (res.hasMoreElements()) {
-             LDAPEntry entry = res.next();
-             String dn = entry.getDN();
- 
-             LDAPSearchResults res1 = conn.search(
-                     dn, 1, "objectclass=*",
--                    null, true, (LDAPSearchConstraints)null);
-+                    null, true, (LDAPSearchConstraints) null);
-             deleteEntries(res1, conn, excludedDNs);
-             deleteEntry(conn, dn, excludedDNs);
-         }
-@@ -1792,7 +1804,8 @@ public class ConfigurationUtils {
- 
-     public static void deleteEntry(LDAPConnection conn, String dn, String[] excludedDNs) throws LDAPException {
-         for (String excludedDN : excludedDNs) {
--            if (!LDAPDN.equals(dn, excludedDN)) continue;
-+            if (!LDAPDN.equals(dn, excludedDN))
-+                continue;
- 
-             CMS.debug("deleteEntry: entry with this dn " + dn + " is not deleted.");
-             return;
-@@ -1997,7 +2010,7 @@ public class ConfigurationUtils {
- 
-             String status = replicationStatus(replicadn, masterConn, masterAgreementName);
-             if (!status.startsWith("0 ")) {
--                CMS.debug("setupReplication: consumer initialization failed. " +status);
-+                CMS.debug("setupReplication: consumer initialization failed. " + status);
-                 throw new IOException("consumer initialization failed. " + status);
-             }
- 
-@@ -2015,7 +2028,7 @@ public class ConfigurationUtils {
-             releaseConnection(masterConn);
-             releaseConnection(replicaConn);
-         }
--}
-+    }
- 
-     public static void createReplicationManager(LDAPConnection conn, String bindUser, String pwd)
-             throws LDAPException {
-@@ -2277,7 +2290,8 @@ public class ConfigurationUtils {
-         CMS.reinit(IUGSubsystem.ID);
-     }
- 
--    public static void setExternalCACert(String certStr, String subsystem, IConfigStore config, Cert certObj) throws Exception {
-+    public static void setExternalCACert(String certStr, String subsystem, IConfigStore config, Cert certObj)
-+            throws Exception {
-         certStr = CryptoUtil.stripCertBrackets(certStr.trim());
-         certStr = CryptoUtil.normalizeCertStr(certStr);
-         config.putString(subsystem + ".external_ca.cert", certStr);
-@@ -2365,7 +2379,8 @@ public class ConfigurationUtils {
-         String sslType = "ECDHE";
-         try {
-             sslType = config.getString(PCERT_PREFIX + ct + "ec.type", "ECDHE");
--        } catch (Exception e) {}
-+        } catch (Exception e) {
-+        }
- 
-         // ECDHE needs "SIGN" but no "DERIVE"
-         org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask[] = {
-@@ -2380,13 +2395,15 @@ public class ConfigurationUtils {
- 
-         do {
-             if (ct.equals("sslserver") && sslType.equalsIgnoreCase("ECDH")) {
--                CMS.debug("ConfigurationUtils: createECCKeypair: sslserver cert for ECDH. Make sure server.xml is set " +
--                          "properly with -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA");
-+                CMS.debug("ConfigurationUtils: createECCKeypair: sslserver cert for ECDH. Make sure server.xml is set "
-+                        +
-+                        "properly with -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA");
-                 pair = CryptoUtil.generateECCKeyPair(token, curveName, null, ECDH_usages_mask);
-             } else {
-                 if (ct.equals("sslserver")) {
--                    CMS.debug("ConfigurationUtils: createECCKeypair: sslserver cert for ECDHE. Make sure server.xml is set " +
--                              "properly with +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA");
-+                    CMS.debug("ConfigurationUtils: createECCKeypair: sslserver cert for ECDHE. Make sure server.xml is set "
-+                            +
-+                            "properly with +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA");
-                 }
-                 pair = CryptoUtil.generateECCKeyPair(token, curveName, null, usages_mask);
-             }
-@@ -2443,7 +2460,8 @@ public class ConfigurationUtils {
-         setSigningAlgorithm(ct, keyAlgo, config);
-     }
- 
--    public static void setSigningAlgorithm(String ct, String keyAlgo, IConfigStore config) throws EPropertyNotFound, EBaseException {
-+    public static void setSigningAlgorithm(String ct, String keyAlgo, IConfigStore config) throws EPropertyNotFound,
-+            EBaseException {
-         String systemType = config.getString("cs.type");
-         if (systemType.equalsIgnoreCase("CA")) {
-             if (ct.equals("signing")) {
-@@ -2523,16 +2541,16 @@ public class ConfigurationUtils {
-                 // retrieve and store original 'CS.cfg' entries
-                 preop_ca_type = config.getString("preop.ca.type", "");
-                 preop_cert_signing_type = config.getString("preop.cert.signing.type", "");
--                preop_cert_signing_profile = config.getString("preop.cert.signing.profile","");
-+                preop_cert_signing_profile = config.getString("preop.cert.signing.profile", "");
-                 preop_cert_sslserver_type = config.getString("preop.cert.sslserver.type", "");
--                preop_cert_sslserver_profile = config.getString("preop.cert.sslserver.profile","");
-+                preop_cert_sslserver_profile = config.getString("preop.cert.sslserver.profile", "");
- 
-                 // add/modify 'CS.cfg' entries
-                 config.putString("preop.ca.type", "sdca");
-                 config.putString("preop.cert.signing.type", "remote");
--                config.putString("preop.cert.signing.profile","caInstallCACert");
-+                config.putString("preop.cert.signing.profile", "caInstallCACert");
-                 config.putString("preop.cert.sslserver.type", "remote");
--                config.putString("preop.cert.sslserver.profile","caInternalAuthServerCert");
-+                config.putString("preop.cert.sslserver.profile", "caInternalAuthServerCert");
- 
-                 // store original caType
-                 original_caType = caType;
-@@ -2568,7 +2586,7 @@ public class ConfigurationUtils {
-                     if (standalone) {
-                         // Treat standalone subsystem the same as "otherca"
-                         config.putString(subsystem + "." + certTag + ".cert",
--                                         "...paste certificate here...");
-+                                "...paste certificate here...");
- 
-                     } else {
-                         String sd_hostname = config.getString("securitydomain.host", "");
-@@ -2594,8 +2612,8 @@ public class ConfigurationUtils {
-                     try {
-                         if (sign_clone_sslserver_cert_using_master) {
-                             CMS.debug("ConfigurationUtils: For this Cloned CA, always use its Master CA to generate " +
--                                      "the 'sslserver' certificate to avoid any changes which may have been " +
--                                      "made to the X500Name directory string encoding order.");
-+                                    "the 'sslserver' certificate to avoid any changes which may have been " +
-+                                    "made to the X500Name directory string encoding order.");
-                             ca_hostname = config.getString("preop.master.hostname", "");
-                             ca_port = config.getInteger("preop.master.httpsport", -1);
-                         } else {
-@@ -2607,12 +2625,12 @@ public class ConfigurationUtils {
- 
-                     String sslserver_extension = "";
-                     Boolean injectSAN = config.getBoolean(
--                                      "service.injectSAN", false);
--                    CMS.debug("ConfigurationUtils: injectSAN="+injectSAN);
-+                            "service.injectSAN", false);
-+                    CMS.debug("ConfigurationUtils: injectSAN=" + injectSAN);
-                     if (certTag.equals("sslserver") &&
--                        injectSAN == true) {
-+                            injectSAN == true) {
-                         sslserver_extension =
--                            CertUtil.buildSANSSLserverURLExtension(config);
-+                                CertUtil.buildSANSSLserverURLExtension(config);
-                     }
- 
-                     MultivaluedMap<String, String> content = new MultivaluedHashMap<String, String>();
-@@ -3115,7 +3133,8 @@ public class ConfigurationUtils {
-         IConfigStore config = CMS.getConfigStore();
- 
-         boolean enable = config.getBoolean(PCERT_PREFIX + certTag + ".enable", true);
--        if (!enable) return 0;
-+        if (!enable)
-+            return 0;
- 
-         CMS.debug("handleCerts(): for cert tag '" + cert.getCertTag() + "' using cert type '" + cert.getType() + "'");
-         String b64 = cert.getCert();
-@@ -3131,7 +3150,8 @@ public class ConfigurationUtils {
-             }
- 
-             if (findCertificate(tokenname, nickname)) {
--                if (!certTag.equals("sslserver")) return 0;
-+                if (!certTag.equals("sslserver"))
-+                    return 0;
-             }
-             X509CertImpl impl = CertUtil.createLocalCert(config, x509key,
-                     PCERT_PREFIX, certTag, cert.getType(), null);
-@@ -3156,7 +3176,8 @@ public class ConfigurationUtils {
-                     CMS.debug("handleCerts(): cert imported for certTag '" + certTag + "'");
-                 } catch (Exception ee) {
-                     CMS.debug(ee);
--                    CMS.debug("handleCerts(): import certificate for certTag=" + certTag + " Exception: " + ee.toString());
-+                    CMS.debug("handleCerts(): import certificate for certTag=" + certTag + " Exception: "
-+                            + ee.toString());
-                 }
-             }
-         } else if (cert.getType().equals("remote")) {
-@@ -3216,7 +3237,7 @@ public class ConfigurationUtils {
-                     CMS.debug("handleCerts(): import certificate successfully, certTag=" + certTag);
-                 } catch (Exception ee) {
-                     ee.printStackTrace();
--                    CMS.debug("handleCerts: import certificate for certTag=" + certTag + " Exception: "+ ee.toString());
-+                    CMS.debug("handleCerts: import certificate for certTag=" + certTag + " Exception: " + ee.toString());
-                 }
- 
-             } else {
-@@ -3268,7 +3289,8 @@ public class ConfigurationUtils {
- 
-     public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException,
-             ObjectNotFoundException, TokenException {
--        if (tag.equals("signing") || tag.equals("external_signing")) return;
-+        if (tag.equals("signing") || tag.equals("external_signing"))
-+            return;
- 
-         IConfigStore cs = CMS.getConfigStore();
-         String nickname = cs.getString("preop.cert." + tag + ".nickname", "");
-@@ -3327,7 +3349,6 @@ public class ConfigurationUtils {
-         return true;
-     }
- 
--
-     public static boolean findBootstrapServerCert() throws EBaseException, NotInitializedException, TokenException {
-         IConfigStore cs = CMS.getConfigStore();
- 
-@@ -3342,7 +3363,8 @@ public class ConfigurationUtils {
-         }
-         Principal issuerDN = cert.getIssuerDN();
-         Principal subjectDN = cert.getSubjectDN();
--        if (issuerDN.equals(subjectDN)) return true;
-+        if (issuerDN.equals(subjectDN))
-+            return true;
- 
-         return false;
-     }
-@@ -3473,7 +3495,8 @@ public class ConfigurationUtils {
-     }
- 
-     public static byte[] addCertBag(X509Certificate x509cert, String nickname,
--            SEQUENCE safeContents) throws CertificateEncodingException, NoSuchAlgorithmException, CharConversionException {
-+            SEQUENCE safeContents) throws CertificateEncodingException, NoSuchAlgorithmException,
-+            CharConversionException {
-         byte[] localKeyId = null;
- 
-         ASN1Value cert = new OCTET_STRING(x509cert.getEncoded());
-@@ -3636,49 +3659,56 @@ public class ConfigurationUtils {
-         if (select.equals("new")) {
-             group = system.getGroupFromName("Security Domain Administrators");
-             if (group != null && !group.isMember(uid)) {
--                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid + "' to group 'Security Domain Administrators'");
-+                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid
-+                        + "' to group 'Security Domain Administrators'");
-                 group.addMemberName(uid);
-                 system.modifyGroup(group);
-             }
- 
-             group = system.getGroupFromName("Enterprise CA Administrators");
-             if (group != null && !group.isMember(uid)) {
--                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid + "' to group 'Enterprise CA Administrators'");
-+                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid
-+                        + "' to group 'Enterprise CA Administrators'");
-                 group.addMemberName(uid);
-                 system.modifyGroup(group);
-             }
- 
-             group = system.getGroupFromName("Enterprise KRA Administrators");
-             if (group != null && !group.isMember(uid)) {
--                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid + "' to group 'Enterprise KRA Administrators'");
-+                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid
-+                        + "' to group 'Enterprise KRA Administrators'");
-                 group.addMemberName(uid);
-                 system.modifyGroup(group);
-             }
- 
-             group = system.getGroupFromName("Enterprise RA Administrators");
-             if (group != null && !group.isMember(uid)) {
--                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid + "' to group 'Enterprise RA Administrators'");
-+                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid
-+                        + "' to group 'Enterprise RA Administrators'");
-                 group.addMemberName(uid);
-                 system.modifyGroup(group);
-             }
- 
-             group = system.getGroupFromName("Enterprise TKS Administrators");
-             if (group != null && !group.isMember(uid)) {
--                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid + "' to group 'Enterprise TKS Administrators'");
-+                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid
-+                        + "' to group 'Enterprise TKS Administrators'");
-                 group.addMemberName(uid);
-                 system.modifyGroup(group);
-             }
- 
-             group = system.getGroupFromName("Enterprise OCSP Administrators");
-             if (group != null && !group.isMember(uid)) {
--                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid + "' to group 'Enterprise OCSP Administrators'");
-+                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid
-+                        + "' to group 'Enterprise OCSP Administrators'");
-                 group.addMemberName(uid);
-                 system.modifyGroup(group);
-             }
- 
-             group = system.getGroupFromName("Enterprise TPS Administrators");
-             if (group != null && !group.isMember(uid)) {
--                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid + "' to group 'Enterprise TPS Administrators'");
-+                CMS.debug("ConfigurationUtils: createAdmin:  add user '" + uid
-+                        + "' to group 'Enterprise TPS Administrators'");
-                 group.addMemberName(uid);
-                 system.modifyGroup(group);
-             }
-@@ -3833,7 +3863,7 @@ public class ConfigurationUtils {
-             CMS.debug("Cloning a domain master");
-         }
- 
--        String url =  "/ca/admin/ca/updateDomainXML";
-+        String url = "/ca/admin/ca/updateDomainXML";
- 
-         MultivaluedMap<String, String> content = new MultivaluedHashMap<String, String>();
-         content.putSingle("list", type + "List");
-@@ -3862,7 +3892,7 @@ public class ConfigurationUtils {
-             CMS.debug("Unable to access admin interface: " + e);
- 
-             CMS.debug("Update security domain using agent interface");
--            url =  "/ca/agent/ca/updateDomainXML";
-+            url = "/ca/agent/ca/updateDomainXML";
-             updateDomainXML(sd_host, sd_agent_port, true, url, content, true);
-         }
- 
-@@ -3903,7 +3933,7 @@ public class ConfigurationUtils {
- 
-     public static void updateDomainXML(String hostname, int port, boolean https,
-             String servlet, MultivaluedMap<String, String> content, boolean useClientAuth)
--                    throws Exception {
-+            throws Exception {
- 
-         CMS.debug("ConfigurationUtils: updateDomainXML start hostname=" + hostname + " port=" + port);
- 
-@@ -4047,7 +4077,7 @@ public class ConfigurationUtils {
-             try {
-                 CMS.debug("setupClientAuthUser: Adding cert to user: " + id);
-                 system.addUserCert(user);
--            } catch(ConflictingOperationException e) {
-+            } catch (ConflictingOperationException e) {
-                 // ignore exception
-                 CMS.debug("setupClientAuthUser: Cert already added: " + e);
-             }
-@@ -4121,7 +4151,9 @@ public class ConfigurationUtils {
-     }
- 
-     public static void getSharedSecret(String tksHost, int tksPort, boolean importKey) throws EPropertyNotFound,
--            EBaseException, URISyntaxException {
-+            EBaseException, URISyntaxException, InvalidKeyException, NoSuchAlgorithmException,
-+            InvalidAlgorithmParameterException, NotInitializedException, TokenException, ObjectNotFoundException,
-+            IOException {
-         IConfigStore cs = CMS.getConfigStore();
-         String host = cs.getString("service.machineName");
-         String port = cs.getString("service.securePort");
-@@ -4140,6 +4172,8 @@ public class ConfigurationUtils {
- 
-         PKIClient client = new PKIClient(config, null);
- 
-+        CMS.debug("In ConfigurationUtils.getSharedSecret! importKey: " + importKey);
-+
-         // Ignore the "UNTRUSTED_ISSUER" and "CA_CERT_INVALID" validity status
-         // during PKI instance creation since we are using an untrusted temporary CA cert.
-         client.addIgnoredCertStatus(SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER);
-@@ -4156,6 +4190,9 @@ public class ConfigurationUtils {
-             // no connector exists
-             data = null;
-         }
-+
-+
-+        // The connId or data.getID will be the id of the shared secret
-         KeyData keyData = null;
-         if (data == null) {
-             data = tpsConnectorClient.createConnector(host, port);
-@@ -4171,14 +4208,24 @@ public class ConfigurationUtils {
-         }
-         accountClient.logout();
- 
-+        String nick = "TPS-" + host + "-" + port + " sharedSecret";
-+
-         if (importKey) {
--            // TODO - we need code here to import the key into the tps certdb
-+            CMS.debug("getSharedSecret: About to attempt to import shared secret key.");
-+            byte[] sessionKeyData = Utils.base64decode(keyData.getWrappedPrivateData());
-+            byte[] sharedSecretData = Utils.base64decode(keyData.getAdditionalWrappedPrivateData());
-+
-+            try {
-+                CryptoUtil.importSharedSecret(sessionKeyData, sharedSecretData, dbNick, nick);
-+            } catch (Exception e) {
-+                CMS.debug("getSharedSecret()): WARNING, Failed to automatically import shared secret. Please follow the manual procedure." + e.toString());
-+            }
-             // this is not needed if we are using a shared database with
-             // the tks.
-         }
- 
-         // store the new nick in CS.cfg
--        String nick = "TPS-" + host + "-" + port + " sharedSecret";
-+
-         cs.putString("conn.tks1.tksSharedSymKeyName", nick);
-         cs.commit(false);
-     }
-@@ -4388,7 +4435,7 @@ public class ConfigurationUtils {
- 
-             if (status.equals(SUCCESS)) {
-                 CMS.debug("registerUser: Successfully added user " + uid + " to " + targetURI +
--                          " using " + targetURL);
-+                        " using " + targetURL);
- 
-             } else if (status.equals(AUTH_FAILURE)) {
-                 throw new EAuthException(AUTH_FAILURE);
-@@ -4500,7 +4547,6 @@ public class ConfigurationUtils {
-         cs.putString("auths.instance.ldap1.ldap.ldapconn.secureConn", secureConn);
-     }
- 
--
-     public static void updateNextRanges() throws EBaseException, LDAPException {
-         IConfigStore cs = CMS.getConfigStore();
- 
-@@ -4541,6 +4587,7 @@ public class ConfigurationUtils {
- 
-     /**
-      * save variables needed for cloning and remove preops
-+     *
-      * @throws EBaseException
-      */
-     public static void removePreopConfigEntries() throws EBaseException {
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
-index 7dab140..9593816 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
-@@ -418,7 +418,8 @@ public class SecureChannelProtocol {
-         String method = "SecureChannelProtocol.getSharedSecretKeyName:";
-         CMS.debug(method + " Entering...");
- 
--        if (name != null && SecureChannelProtocol.sharedSecretKeyName == null) {
-+        // No longer cache the secret name, there could be a different one for each incoming TPS connection.
-+        if (name != null) {
-             SecureChannelProtocol.sharedSecretKeyName = name;
-         }
- 
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
-index ab2ade9..9c143fd 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
-@@ -70,6 +70,7 @@ public class TokenServlet extends CMSServlet {
-     public static int ERROR = 1;
-     String mKeyNickName = null;
-     String mNewKeyNickName = null;
-+    String mCurrentUID = null;
-     IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":");
- 
-     private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST =
-@@ -951,8 +952,6 @@ public class TokenServlet extends CMSServlet {
- 
-         transportKeyName = getSharedSecretName(sconfig);
- 
--        CMS.debug("TokenServlet: ComputeSessionKey(): tksSharedSymKeyName: " + transportKeyName);
--
-         String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE);
-         String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE);
-         String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
-@@ -1537,13 +1536,32 @@ public class TokenServlet extends CMSServlet {
- 
-         if (useNewNames) {
-             String tpsList = cs.getString("tps.list", "");
-+            String firstSharedSecretName = null;
-             if (!tpsList.isEmpty()) {
-                 for (String tpsID : tpsList.split(",")) {
-                     String sharedSecretName = cs.getString("tps." + tpsID + ".nickname", "");
-+
-+                    // This one will be a fall back in case we can't get a specific one
-+                    if (firstSharedSecretName == null) {
-+                        firstSharedSecretName = sharedSecretName;
-+                    }
-+
-                     if (!sharedSecretName.isEmpty()) {
--                        return sharedSecretName;
-+                        if (mCurrentUID != null) {
-+                            String csUid = cs.getString("tps." + tpsID + ".userid", "");
-+
-+                            if (mCurrentUID.equalsIgnoreCase(csUid)) {
-+                                CMS.debug("TokenServlet.getSharedSecretName: found a match of the user id! " + csUid);
-+                                return sharedSecretName;
-+                            }
-+                        }
-                     }
-                 }
-+
-+                if (firstSharedSecretName != null) {
-+                    //Return the first in the list if we couldn't isolate one
-+                    return firstSharedSecretName;
-+                }
-             }
-             CMS.debug("getSharedSecretName: no shared secret has been configured");
-             throw new EBaseException("No shared secret has been configured");
-@@ -2351,6 +2369,8 @@ public class TokenServlet extends CMSServlet {
-         IAuthToken authToken = authenticate(cmsReq);
-         AuthzToken authzToken = null;
- 
-+        mCurrentUID = (String) authToken.get(IAuthToken.UID) ;
-+
-         try {
-             authzToken = authorize(mAclMethod, authToken,
-                     mAuthzResourceName, "execute");
-diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
-index 3678cff..40ec7f0 100644
---- a/base/server/man/man8/pkispawn.8
-+++ b/base/server/man/man8/pkispawn.8
-@@ -719,10 +719,15 @@ pki_tks_uri=\fIhttps://<tks_hostname>:<tks_https_port>\fP
- .fi
- 
- .PP
--If TPS and TKS are installed on separate instances the shared secret key needs
--to be generated manually in TKS, then manually imported into TPS.
-+If TPS and TKS are installed on separate instances the shared secret key
-+should be imported over the wire between the TKS and TPS automatically.
- 
--Generate the shared secret key in TKS with the following command:
-+If the automated procedure fails for any unlikely reason the following
-+manual procedure will serve as a fallback. The key needs to be created
-+on the TKS side and imported into the TPS side in this case.
-+
-+
-+Generate the shared secret key (if needed) in TKS with the following command:
- 
- .IP
- tkstool -T -d /var/lib/pki/pki-tomcat/alias -n sharedSecret
-diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
-index bc655d6..a2d18f1 100644
---- a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
-+++ b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
-@@ -1,5 +1,6 @@
- package org.dogtagpki.server.tks.rest;
- 
-+import java.io.CharConversionException;
- import java.io.IOException;
- import java.net.URI;
- import java.security.InvalidAlgorithmParameterException;
-@@ -10,6 +11,7 @@ import java.security.cert.X509Certificate;
- import java.util.Arrays;
- import java.util.Collection;
- import java.util.Iterator;
-+import java.util.List;
- import java.util.TreeSet;
- 
- import javax.servlet.http.HttpServletRequest;
-@@ -20,8 +22,13 @@ import javax.ws.rs.core.UriInfo;
- import org.apache.commons.lang.ArrayUtils;
- import org.apache.commons.lang.StringUtils;
- import org.jboss.resteasy.plugins.providers.atom.Link;
-+import org.mozilla.jss.CryptoManager;
- import org.mozilla.jss.CryptoManager.NotInitializedException;
-+import org.mozilla.jss.crypto.CryptoToken;
- import org.mozilla.jss.crypto.InvalidKeyFormatException;
-+import org.mozilla.jss.crypto.KeyGenAlgorithm;
-+import org.mozilla.jss.crypto.KeyGenerator;
-+import org.mozilla.jss.crypto.SymmetricKey;
- import org.mozilla.jss.crypto.TokenException;
- 
- import com.netscape.certsrv.apps.CMS;
-@@ -60,30 +67,32 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
-     public Response findConnectors(Integer start, Integer size) {
-         try {
-             String tpsList = cs.getString(TPS_LIST, "");
--            Iterator<String> entries = Arrays.asList(StringUtils.split(tpsList,",")).iterator();
-+            Iterator<String> entries = Arrays.asList(StringUtils.split(tpsList, ",")).iterator();
- 
-             TPSConnectorCollection response = new TPSConnectorCollection();
-             int i = 0;
- 
-             // skip to the start of the page
--            for ( ; i<start && entries.hasNext(); i++) entries.next();
-+            for (; i < start && entries.hasNext(); i++)
-+                entries.next();
- 
-             // return entries up to the page size
--            for ( ; i<start+size && entries.hasNext(); i++) {
-+            for (; i < start + size && entries.hasNext(); i++) {
-                 response.addEntry(createTPSConnectorData(entries.next()));
-             }
- 
-             // count the total entries
--            for ( ; entries.hasNext(); i++) entries.next();
-+            for (; entries.hasNext(); i++)
-+                entries.next();
-             response.setTotal(i);
- 
-             if (start > 0) {
--                URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", Math.max(start-size, 0)).build();
-+                URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", Math.max(start - size, 0)).build();
-                 response.addLink(new Link("prev", uri));
-             }
- 
--            if (start+size < i) {
--                URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", start+size).build();
-+            if (start + size < i) {
-+                URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", start + size).build();
-                 response.addLink(new Link("next", uri));
-             }
- 
-@@ -114,7 +123,8 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
- 
-     public TPSConnectorData getConnectorData(String id) {
- 
--        if (id == null) throw new BadRequestException("TPS connector ID is null.");
-+        if (id == null)
-+            throw new BadRequestException("TPS connector ID is null.");
- 
-         try {
-             if (!connectorExists(id))
-@@ -131,8 +141,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
-     @Override
-     public Response getConnector(String host, String port) {
- 
--        if (host == null) throw new BadRequestException("TPS connector host is null.");
--        if (port == null) throw new BadRequestException("TPS connector port is null.");
-+        if (host == null)
-+            throw new BadRequestException("TPS connector host is null.");
-+        if (port == null)
-+            throw new BadRequestException("TPS connector port is null.");
- 
-         try {
-             String id = getConnectorID(host, port);
-@@ -151,8 +163,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
-     @Override
-     public Response createConnector(String tpsHost, String tpsPort) {
- 
--        if (tpsHost == null) throw new BadRequestException("TPS connector host is null.");
--        if (tpsPort == null) throw new BadRequestException("TPS connector port is null.");
-+        if (tpsHost == null)
-+            throw new BadRequestException("TPS connector host is null.");
-+        if (tpsPort == null)
-+            throw new BadRequestException("TPS connector port is null.");
- 
-         try {
-             String id = getConnectorID(tpsHost, tpsPort);
-@@ -245,7 +259,8 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
-             if (StringUtils.isEmpty(id))
-                 throw new BadRequestException("Attempt to delete TPS connection with null or empty id");
- 
--            if (!connectorExists(id)) return createNoContentResponse();
-+            if (!connectorExists(id))
-+                return createNoContentResponse();
- 
-             deleteSharedSecret(id);
-             cs.removeSubStore("tps." + id);
-@@ -263,8 +278,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
-     @Override
-     public Response deleteConnector(String host, String port) {
- 
--        if (host == null) throw new BadRequestException("TPS connector host is null.");
--        if (port == null) throw new BadRequestException("TPS connector port is null.");
-+        if (host == null)
-+            throw new BadRequestException("TPS connector host is null.");
-+        if (port == null)
-+            throw new BadRequestException("TPS connector port is null.");
- 
-         String id;
-         try {
-@@ -281,7 +298,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
-     @Override
-     public Response createSharedSecret(String id) {
- 
--        if (id == null) throw new BadRequestException("TPS connector ID is null.");
-+        CMS.debug("TPSConnectorService.createSharedSecret.id: " + id);
-+
-+        if (id == null)
-+            throw new BadRequestException("TPS connector ID is null.");
- 
-         try {
-             if (!connectorExists(id)) {
-@@ -293,9 +313,13 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
- 
-             // get user cert
-             IUser user = userGroupManager.getUser(userid);
-+
-+            CMS.debug("TPSConnectorService.createSharedSecret.userid: " + userid);
-             X509Certificate[] certs = user.getX509Certificates();
- 
-             String nickname = userid + " sharedSecret";
-+
-+            CMS.debug("TPSConnectorService.createSharedSecret. nickname: " + nickname);
-             if (CryptoUtil.sharedSecretExists(nickname)) {
-                 throw new BadRequestException("Shared secret already exists");
-             }
-@@ -305,9 +329,21 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
-             cs.putString("tps." + id + ".nickname", nickname);
-             cs.commit(true);
- 
--            byte[] wrappedKey = CryptoUtil.exportSharedSecret(nickname, certs[0]);
-+            //Create des3 session sym key to wrap the shared secret.
-+            SymmetricKey tempKey = createDes3SessionKeyOnInternal();
-+
-+            if (tempKey == null) {
-+                return createNoContentResponse();
-+            }
-+
-+            List<byte[]> listWrappedKeys = CryptoUtil.exportSharedSecret(nickname, certs[0], tempKey);
-+
-+            byte[] wrappedSessionKey = listWrappedKeys.get(0);
-+            byte[] wrappedSharedSecret = listWrappedKeys.get(1);
-+
-             KeyData keyData = new KeyData();
--            keyData.setWrappedPrivateData(Utils.base64encode(wrappedKey));
-+            keyData.setWrappedPrivateData(Utils.base64encode(wrappedSessionKey));
-+            keyData.setAdditionalWrappedPrivateData(Utils.base64encode(wrappedSharedSecret));
- 
-             return createOKResponse(keyData);
- 
-@@ -341,7 +377,8 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
-     @Override
-     public Response replaceSharedSecret(String id) {
- 
--        if (id == null) throw new BadRequestException("TPS connector ID is null.");
-+        if (id == null)
-+            throw new BadRequestException("TPS connector ID is null.");
- 
-         try {
-             if (!connectorExists(id)) {
-@@ -362,9 +399,22 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
- 
-             CryptoUtil.deleteSharedSecret(nickname);
-             CryptoUtil.createSharedSecret(nickname);
--            byte[] wrappedKey = CryptoUtil.exportSharedSecret(nickname, certs[0]);
-+
-+            //Create des3 session sym key to wrap the shared secret.
-+            SymmetricKey tempKey = createDes3SessionKeyOnInternal();
-+
-+            if (tempKey == null) {
-+                return createNoContentResponse();
-+            }
-+
-+            List<byte[]> listWrappedKeys = CryptoUtil.exportSharedSecret(nickname,certs[0], tempKey);
-+
-+            byte[] wrappedSessionKey = listWrappedKeys.get(0);
-+            byte[] wrappedSharedSecret = listWrappedKeys.get(1);
-+
-             KeyData keyData = new KeyData();
--            keyData.setWrappedPrivateData(Utils.base64encode(wrappedKey));
-+            keyData.setWrappedPrivateData(Utils.base64encode(wrappedSessionKey));
-+            keyData.setAdditionalWrappedPrivateData(Utils.base64encode(wrappedSharedSecret));
- 
-             return createOKResponse(keyData);
- 
-@@ -380,7 +430,8 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
-     @Override
-     public Response deleteSharedSecret(String id) {
- 
--        if (id == null) throw new BadRequestException("TPS connector ID is null.");
-+        if (id == null)
-+            throw new BadRequestException("TPS connector ID is null.");
- 
-         try {
-             if (!connectorExists(id)) {
-@@ -415,8 +466,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
-     @Override
-     public Response getSharedSecret(String id) {
- 
--        if (id == null) throw new BadRequestException("TPS connector ID is null.");
-+        if (id == null)
-+            throw new BadRequestException("TPS connector ID is null.");
- 
-+        CMS.debug("TPSConnectorServlet.getSharedSecret: id : " + id);
-         try {
-             if (!connectorExists(id)) {
-                 throw new ResourceNotFoundException("TPS connection does not exist");
-@@ -434,9 +487,20 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
-             IUser user = userGroupManager.getUser(userid);
-             X509Certificate[] certs = user.getX509Certificates();
- 
--            byte[] wrappedKey = CryptoUtil.exportSharedSecret(nickname, certs[0]);
-+            //Create des3 session sym key to wrap the shared secrt.
-+            SymmetricKey tempKey = createDes3SessionKeyOnInternal();
-+
-+            if (tempKey == null) {
-+                return createNoContentResponse();
-+            }
-+
-+            List<byte[]> listWrappedKeys = CryptoUtil.exportSharedSecret(nickname, certs[0], tempKey);
-+            byte[] wrappedSessionKey = listWrappedKeys.get(0);
-+            byte[] wrappedSharedSecret = listWrappedKeys.get(1);
-+
-             KeyData keyData = new KeyData();
--            keyData.setWrappedPrivateData(Utils.base64encode(wrappedKey));
-+            keyData.setWrappedPrivateData(Utils.base64encode(wrappedSessionKey));
-+            keyData.setAdditionalWrappedPrivateData(Utils.base64encode(wrappedSharedSecret));
- 
-             return createOKResponse(keyData);
- 
-@@ -456,7 +520,7 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
- 
-     private String getConnectorID(String host, String port) throws EBaseException {
-         String tpsList = cs.getString(TPS_LIST, "");
--        for (String tpsID : StringUtils.split(tpsList,",")) {
-+        for (String tpsID : StringUtils.split(tpsList, ",")) {
-             TPSConnectorData data = createTPSConnectorData(tpsID);
-             if (data.getHost().equals(host) && data.getPort().equals(port))
-                 return tpsID;
-@@ -486,7 +550,36 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
-         sorted.addAll(Arrays.asList(StringUtils.split(tpsList, ",")));
- 
-         int index = 0;
--        while (sorted.contains(Integer.toString(index))) index++;
-+        while (sorted.contains(Integer.toString(index)))
-+            index++;
-         return Integer.toString(index);
-     }
-+
-+    private SymmetricKey createDes3SessionKeyOnInternal() throws EBaseException {
-+
-+        SymmetricKey tempKey = null;
-+        try {
-+            CryptoManager cm = CryptoManager.getInstance();
-+            CryptoToken token = cm.getInternalKeyStorageToken();
-+            KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3);
-+
-+            SymmetricKey.Usage usages[] = new SymmetricKey.Usage[4];
-+            usages[0] = SymmetricKey.Usage.WRAP;
-+            usages[1] = SymmetricKey.Usage.UNWRAP;
-+            usages[2] = SymmetricKey.Usage.ENCRYPT;
-+            usages[3] = SymmetricKey.Usage.DECRYPT;
-+
-+            kg.setKeyUsages(usages);
-+            kg.temporaryKeys(true);
-+            tempKey = kg.generate();
-+        } catch (NoSuchAlgorithmException | TokenException | IllegalStateException | CharConversionException
-+                | NotInitializedException e) {
-+            CMS.debug("TPSConnectorService.createDes3SesisonKeyOnInternal: Can't generate temporary session key.");
-+
-+            throw new EBaseException(e);
-+        }
-+
-+        return tempKey;
-+    }
-+
- }
-diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-index ff64208..94e6497 100644
---- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-@@ -33,6 +33,8 @@ import java.util.List;
- import java.util.Map;
- import java.util.Set;
- 
-+import netscape.security.x509.RevocationReason;
-+
- import org.dogtagpki.server.tps.TPSSession;
- import org.dogtagpki.server.tps.TPSSubsystem;
- import org.dogtagpki.server.tps.authentication.AuthUIParameter;
-@@ -96,8 +98,6 @@ import com.netscape.certsrv.tps.token.TokenStatus;
- import com.netscape.cms.servlet.tks.SecureChannelProtocol;
- import com.netscape.symkey.SessionKey;
- 
--import netscape.security.x509.RevocationReason;
--
- public class TPSProcessor {
- 
-     public static final int RESULT_NO_ERROR = 0;
-@@ -686,9 +686,6 @@ public class TPSProcessor {
-                sessionKey =  (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret, sessionKeyWrapped.toBytesArray(), false);
- 
- 
--
--
--
-                 if (sessionKey == null) {
-                     CMS.debug("TPSProcessor.generateSecureChannel: Can't extract session key!");
-                     throw new TPSException("TPSProcessor.generateSecureChannel: Can't extract session key!",
-@@ -708,7 +705,6 @@ public class TPSProcessor {
-                             TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
-                 }
- 
--                //CMS.debug("TPSProcessor.generateSecureChannel: retrieved enc session key: " + encSessionKey);
-                 CMS.debug("TPSProcessor.generateSecureChannel: retrieved enc session key");
- 
-                 TPSBuffer drmDesKey = null;
-diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
-index dab80e4..068293e 100644
---- a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
-@@ -142,11 +142,21 @@ public class TPSInstallerService extends SystemConfigService  {
-                 ConfigurationUtils.exportTransportCert(secdomainURI, tksURI, transportCert);
-             }
- 
-+            String doImportStr = request.getImportSharedSecret();
-+            CMS.debug("finalizeConfiguration: importSharedSecret:" + doImportStr);
-             // generate shared secret from the tks
-+
-+            boolean doImport = false;
-+
-+            if("true".equalsIgnoreCase(doImportStr)) {
-+                CMS.debug("finalizeConfiguration: importSharedSecret: importSharedSecret is true.");
-+                doImport = true;
-+            }
-+
-             ConfigurationUtils.getSharedSecret(
-                     tksURI.getHost(),
-                     tksURI.getPort(),
--                    Boolean.getBoolean(request.getImportSharedSecret()));
-+                    doImport);
- 
-         } catch (URISyntaxException e) {
-             throw new BadRequestException("Invalid URI for CA, TKS or KRA");
-diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-index 4a2558b..9cabdc5 100644
---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-@@ -47,7 +47,32 @@ import java.util.Random;
- import java.util.StringTokenizer;
- import java.util.Vector;
- 
--import javax.crypto.SecretKey;
-+import netscape.security.pkcs.PKCS10;
-+import netscape.security.pkcs.PKCS10Attribute;
-+import netscape.security.pkcs.PKCS10Attributes;
-+import netscape.security.pkcs.PKCS7;
-+import netscape.security.pkcs.PKCS9Attribute;
-+import netscape.security.util.BigInt;
-+import netscape.security.util.DerInputStream;
-+import netscape.security.util.DerOutputStream;
-+import netscape.security.util.DerValue;
-+import netscape.security.util.ObjectIdentifier;
-+import netscape.security.x509.AlgorithmId;
-+import netscape.security.x509.CertificateAlgorithmId;
-+import netscape.security.x509.CertificateChain;
-+import netscape.security.x509.CertificateExtensions;
-+import netscape.security.x509.CertificateIssuerName;
-+import netscape.security.x509.CertificateSerialNumber;
-+import netscape.security.x509.CertificateSubjectName;
-+import netscape.security.x509.CertificateValidity;
-+import netscape.security.x509.CertificateVersion;
-+import netscape.security.x509.CertificateX509Key;
-+import netscape.security.x509.Extensions;
-+import netscape.security.x509.X500Name;
-+import netscape.security.x509.X500Signer;
-+import netscape.security.x509.X509CertImpl;
-+import netscape.security.x509.X509CertInfo;
-+import netscape.security.x509.X509Key;
- 
- import org.mozilla.jss.CryptoManager;
- import org.mozilla.jss.CryptoManager.NotInitializedException;
-@@ -82,7 +107,6 @@ import org.mozilla.jss.crypto.NoSuchItemOnTokenException;
- import org.mozilla.jss.crypto.ObjectNotFoundException;
- import org.mozilla.jss.crypto.PBEAlgorithm;
- import org.mozilla.jss.crypto.PrivateKey;
--import org.mozilla.jss.crypto.SecretKeyFacade;
- import org.mozilla.jss.crypto.Signature;
- import org.mozilla.jss.crypto.SignatureAlgorithm;
- import org.mozilla.jss.crypto.SymmetricKey;
-@@ -108,33 +132,6 @@ import org.mozilla.jss.util.Password;
- import com.netscape.cmsutil.util.Cert;
- import com.netscape.cmsutil.util.Utils;
- 
--import netscape.security.pkcs.PKCS10;
--import netscape.security.pkcs.PKCS10Attribute;
--import netscape.security.pkcs.PKCS10Attributes;
--import netscape.security.pkcs.PKCS7;
--import netscape.security.pkcs.PKCS9Attribute;
--import netscape.security.util.BigInt;
--import netscape.security.util.DerInputStream;
--import netscape.security.util.DerOutputStream;
--import netscape.security.util.DerValue;
--import netscape.security.util.ObjectIdentifier;
--import netscape.security.x509.AlgorithmId;
--import netscape.security.x509.CertificateAlgorithmId;
--import netscape.security.x509.CertificateChain;
--import netscape.security.x509.CertificateExtensions;
--import netscape.security.x509.CertificateIssuerName;
--import netscape.security.x509.CertificateSerialNumber;
--import netscape.security.x509.CertificateSubjectName;
--import netscape.security.x509.CertificateValidity;
--import netscape.security.x509.CertificateVersion;
--import netscape.security.x509.CertificateX509Key;
--import netscape.security.x509.Extensions;
--import netscape.security.x509.X500Name;
--import netscape.security.x509.X500Signer;
--import netscape.security.x509.X509CertImpl;
--import netscape.security.x509.X509CertInfo;
--import netscape.security.x509.X509Key;
--
- @SuppressWarnings("serial")
- public class CryptoUtil {
- 
-@@ -2072,55 +2069,117 @@ public class CryptoUtil {
-         km.deleteUniqueNamedKey(nickname);
-     }
- 
--    public static byte[] exportSharedSecret(String nickname, java.security.cert.X509Certificate wrappingCert)
-+    // Return a list of two wrapped keys: first element: temp DES3 key wrapped by cert , second element: shared secret wrapped by temp DES3 key
-+    public static List<byte[]> exportSharedSecret(String nickname, java.security.cert.X509Certificate wrappingCert,SymmetricKey wrappingKey)
-             throws NotInitializedException, TokenException, IOException, NoSuchAlgorithmException, InvalidKeyException,
-             InvalidAlgorithmParameterException, InvalidKeyFormatException {
-         CryptoManager cm = CryptoManager.getInstance();
-         CryptoToken token = cm.getInternalKeyStorageToken();
-+
-+        List<byte[]> listWrappedKeys = new ArrayList<byte[]>();
-+
-+
-         KeyManager km = new KeyManager(token);
-         if (!km.uniqueNamedKeyExists(nickname)) {
-             throw new IOException("Shared secret " + nickname + " does not exist");
-         }
--        SecretKey skey = km.lookupUniqueNamedKey(EncryptionAlgorithm.DES3_ECB, nickname);
-+
-+        SymmetricKey sharedSecretKey =  null;
-+
-+        try {
-+            sharedSecretKey = getSymKeyByName(token, nickname);
-+        } catch (Exception e) {
-+            sharedSecretKey = null;
-+        }
-+
-+        if (sharedSecretKey == null) {
-+            throw new IOException("Shared secret " + nickname + " does not exist");
-+        }
- 
-         KeyWrapper keyWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
-         PublicKey pub = wrappingCert.getPublicKey();
-         PK11PubKey pubK = PK11PubKey.fromSPKI(pub.getEncoded());
-         keyWrap.initWrap(pubK, null);
--        byte[] wrappedKey = keyWrap.wrap(((SecretKeyFacade) skey).key);
--        return wrappedKey;
-+
-+        //Wrap the temp DES3 key with the cert
-+        byte[] wrappedKey = keyWrap.wrap(wrappingKey);
-+
-+        listWrappedKeys.add(wrappedKey);
-+        //Use the DES3 key to wrap the shared secret
-+
-+        KeyWrapper keyWrapSharedSecret = token.getKeyWrapper(KeyWrapAlgorithm.DES3_ECB);
-+        keyWrapSharedSecret.initWrap(wrappingKey,null);
-+
-+        byte[] wrappedSharedSecret = keyWrapSharedSecret.wrap(sharedSecretKey);
-+
-+        listWrappedKeys.add(wrappedSharedSecret);
-+
-+        if(listWrappedKeys.size() != 2) {
-+            throw new IOException("Can't write out shared secret data to export for nickname: " + nickname);
-+        }
-+
-+        return listWrappedKeys;
-     }
- 
--    /*
--    public static void importSharedSecret(KeyData data) throws EBaseException, NotInitializedException, TokenException,
-+
-+    public static void importSharedSecret(byte[] wrappedSessionKey,byte[] wrappedSharedSecret,String subsystemCertNickname,String sharedSecretNickname) throws Exception, NotInitializedException, TokenException,
-             NoSuchAlgorithmException, ObjectNotFoundException, InvalidKeyException, InvalidAlgorithmParameterException,
-             IOException {
--        byte[] wrappedKey = Utils.base64decode(data.getWrappedPrivateData());
--
--        IConfigStore cs = CMS.getConfigStore();
--        String subsystemNick = cs.getString("tps.cert.subsystem.nickname");
--        String keyNick = cs.getString("conn.tks1.tksSharedSymKeyName", "sharedSecret");
- 
-         CryptoManager cm = CryptoManager.getInstance();
-         CryptoToken token = cm.getInternalKeyStorageToken();
-+
-         KeyManager km = new KeyManager(token);
- 
--        if (km.uniqueNamedKeyExists(keyNick)) {
--            throw new IOException("Shared secret " + keyNick + " already exists");
-+        if (km.uniqueNamedKeyExists(sharedSecretNickname)) {
-+            throw new IOException("Shared secret " + sharedSecretNickname + " already exists");
-         }
- 
-+        //Unwrap session key
-+
-         KeyWrapper keyWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
--        X509Certificate cert = cm.findCertByNickname(subsystemNick);
-+        X509Certificate cert = cm.findCertByNickname(subsystemCertNickname);
-         PrivateKey subsystemPrivateKey = cm.findPrivKeyByCert(cert);
-         keyWrap.initUnwrap(subsystemPrivateKey, null);
- 
--        @SuppressWarnings("unused")
--        SymmetricKey unwrapped = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES,
--                SymmetricKey.Usage.DECRYPT, 0);
-+        SymmetricKey unwrappedSessionKey = keyWrap.unwrapSymmetric(wrappedSessionKey, SymmetricKey.DES3,
-+                0);
-+
-+        SymmetricKey unwrappedSharedSecret = null;
-+
-+        //Unwrap shared secret permanently with session key
-+
-+        KeyWrapper sharedSecretWrap = token.getKeyWrapper(KeyWrapAlgorithm.DES3_ECB);
-+        sharedSecretWrap.initUnwrap(unwrappedSessionKey,null);
-+        unwrappedSharedSecret = sharedSecretWrap.unwrapSymmetricPerm(wrappedSharedSecret,SymmetricKey.DES3,0 );
-+        unwrappedSharedSecret.setNickName(sharedSecretNickname);
-+    }
- 
--        // TODO - I have a key - now what to do with it?
--        // need to somehow import/label the symkey
--    }*/
-+    public static SymmetricKey getSymKeyByName(CryptoToken token, String name) throws Exception {
-+
-+        String method = "CryptoUtil.getSymKeyByName:";
-+        if (token == null || name == null) {
-+            throw new Exception(method + "Invalid input data!");
-+        }
-+        SymmetricKey[] keys;
-+
-+        try {
-+            keys = token.getCryptoStore().getSymmetricKeys();
-+        } catch (TokenException e) {
-+            throw new Exception(method + "Can't get the list of symmetric keys!");
-+        }
-+        int len = keys.length;
-+        for (int i = 0; i < len; i++) {
-+            SymmetricKey cur = keys[i];
-+            if (cur != null) {
-+                if (name.equals(cur.getNickName())) {
-+                    return cur;
-+                }
-+            }
-+        }
-+
-+        return null;
-+    }
- 
-     public static String[] getECcurves() {
-         return ecCurves;
--- 
-2.5.5
-
diff --git a/SOURCES/pki-core-problems-with-FIPS-mode.patch b/SOURCES/pki-core-problems-with-FIPS-mode.patch
deleted file mode 100644
index 390c0e5..0000000
--- a/SOURCES/pki-core-problems-with-FIPS-mode.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 78fa2f5955225cd38f3c5b996396453899017b31 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 12 Oct 2016 03:26:41 +0200
-Subject: [PATCH] Fixed CryptoUtil.getTokenName().
-
-The CryptoUtil.getTokenName() has been modified to check both the
-short name and full name of the internal token.
-
-The ConfigurationUtils.deleteCert() has also been modified to call
-CryptoUtil.getTokenName().
-
-https://fedorahosted.org/pki/ticket/2500
-(cherry picked from commit 5be68e38fd77f171331d27ca52a291f06f7c686c)
-(cherry picked from commit 42c52b18467212dde0cdebedca55ab22c4629cb5)
----
- .../cms/servlet/csadmin/ConfigurationUtils.java    |  2 +-
- .../com/netscape/cmsutil/crypto/CryptoUtil.java    | 23 +++++++++++++---------
- 2 files changed, 15 insertions(+), 10 deletions(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-index ecf8157..afd8d28 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-@@ -3419,7 +3419,7 @@ public class ConfigurationUtils {
-             NoSuchTokenException, TokenException {
- 
-         CryptoManager cm = CryptoManager.getInstance();
--        CryptoToken tok = cm.getTokenByName(tokenname);
-+        CryptoToken tok = CryptoUtil.getTokenByName(tokenname);
-         CryptoStore store = tok.getCryptoStore();
-         String fullnickname = nickname;
-         if (!tokenname.equals("") &&
-diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-index b02c363..b6b5e6a 100644
---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-@@ -135,6 +135,9 @@ import netscape.security.x509.X509Key;
- @SuppressWarnings("serial")
- public class CryptoUtil {
- 
-+    public final static String INTERNAL_TOKEN_NAME = "internal";
-+    public final static String INTERNAL_TOKEN_FULL_NAME = "Internal Key Storage Token";
-+
-     public static final String CERTREQ_BEGIN_HEADING = "-----BEGIN CERTIFICATE REQUEST-----";
-     public static final String CERTREQ_END_HEADING = "-----END CERTIFICATE REQUEST-----";
-     public static final int LINE_COUNT = 76;
-@@ -472,21 +475,23 @@ public class CryptoUtil {
-         return true;
-     }
- 
-+    public static boolean isInternalToken(String name) {
-+        return name.equalsIgnoreCase(INTERNAL_TOKEN_NAME) || name.equalsIgnoreCase(INTERNAL_TOKEN_FULL_NAME);
-+    }
-+
-     /**
-      * Retrieves handle to a JSS token.
-      */
--    public static CryptoToken getTokenByName(String token)
--            throws CryptoManager.NotInitializedException,
--                NoSuchTokenException {
-+    public static CryptoToken getTokenByName(String name)
-+            throws NotInitializedException, NoSuchTokenException {
-+
-         CryptoManager cm = CryptoManager.getInstance();
--        CryptoToken t = null;
- 
--        if (token.equals("internal")) {
--            t = cm.getInternalKeyStorageToken();
--        } else {
--            t = cm.getTokenByName(token);
-+        if (isInternalToken(name)) {
-+            return cm.getInternalKeyStorageToken();
-         }
--        return t;
-+
-+        return cm.getTokenByName(name);
-     }
- 
-     /**
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-replace-default-AJP-hostname-with-localhost.patch b/SOURCES/pki-core-replace-default-AJP-hostname-with-localhost.patch
deleted file mode 100644
index 081e57b..0000000
--- a/SOURCES/pki-core-replace-default-AJP-hostname-with-localhost.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-commit 6dabd74991f54aa827bd38b7e1b50925620535ae
-Author: Endi S. Dewata <edewata@redhat.com>
-Date:   Thu Jan 5 07:28:51 2017 +0100
-
-    Replaced default AJP hostname with generic loopback address.
-    
-    Previously the default AJP hostname was an IPv4 loopback address.
-    To avoid problems in IPv6 environments the default has been
-    changed to a generic "localhost" address. The man page has been
-    updated accordingly.
-    
-    https://fedorahosted.org/pki/ticket/2570
-    
-    (cherry picked from commit 5ec9701229b4945cadcf60d84863521ad8485ca5)
-    (cherry picked from commit 3a49b9b3738befc03914b0a96aad61f9650fb935)
-
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index 6e9b074..e79ff06 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -198,7 +198,7 @@ pki_subsystem_registry_link=%(pki_subsystem_path)s/registry
- ##               are MUTUALLY EXCLUSIVE entities!!!                          ##
- ###############################################################################
- [Tomcat]
--pki_ajp_host=127.0.0.1
-+pki_ajp_host=localhost
- pki_ajp_port=8009
- pki_server_pkcs12_path=
- pki_server_pkcs12_password=
-diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
-index aaf7b53..1eb4ab9 100644
---- a/base/server/man/man5/pki_default.cfg.5
-+++ b/base/server/man/man5/pki_default.cfg.5
-@@ -86,7 +86,7 @@ Ports for Tomcat subsystems.  Defaults to standard Tomcat ports of 8009 and 8005
- .TP
- .B pki_ajp_host
- .IP
--Host on which to listen for AJP requests.  Defaults to 127.0.0.1 to listen to local traffic only.
-+Host on which to listen for AJP requests.  Defaults to localhost to listen to local traffic only.
- .TP
- .B pki_proxy_http_port, pki_proxy_https_port, pki_enable_proxy
- .IP
diff --git a/SOURCES/pki-core-slf4j-api.patch b/SOURCES/pki-core-slf4j-api.patch
deleted file mode 100644
index 5f24d50..0000000
--- a/SOURCES/pki-core-slf4j-api.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-commit 6b5c4705cee2ef4ab1ee150ac751f047a408e0cb
-Author: Endi S. Dewata <edewata@redhat.com>
-Date:   Tue Jan 24 21:42:58 2017 +0100
-
-    Fixed missing SLF4J in Javadoc classpath.
-    
-    The CMake script for Javadoc has been fixed to include the missing
-    SLF4J library in the class path.
-    
-    Fixes: https://fedorahosted.org/pki/ticket/2579
-    (cherry picked from commit 69cfd4328504ee78646bb34a551ef5d711ea3f18)
-    (cherry picked from commit eab6f76739e575f8d7a7fb9da7c1e6de3c8e3bfa)
-
-diff --git a/base/javadoc/CMakeLists.txt b/base/javadoc/CMakeLists.txt
-index 1341935..a71270c 100644
---- a/base/javadoc/CMakeLists.txt
-+++ b/base/javadoc/CMakeLists.txt
-@@ -88,6 +88,7 @@ javadoc(pki-javadoc
-         com.netscape.cmsutil
-         org.dogtagpki
-     CLASSPATH
-+        ${SLF4J_API_JAR}
-         ${XALAN_JAR} ${XERCES_JAR}
-         ${APACHE_COMMONS_CLI_JAR} ${APACHE_COMMONS_LANG_JAR}
-         ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${COMMONS_IO_JAR}
diff --git a/SOURCES/pki-core-snapshot-1.patch b/SOURCES/pki-core-snapshot-1.patch
index f23cbcd..ca2391a 100644
--- a/SOURCES/pki-core-snapshot-1.patch
+++ b/SOURCES/pki-core-snapshot-1.patch
@@ -1,1332 +1,6661 @@
-From 53eec401f222178ff2ac34fd6223b121f485969d Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Fri, 12 Aug 2016 02:23:18 +0200
-Subject: [PATCH 01/10] Removed PKCS #7 from add user cert dialog in TPS UI.
-
-The dialog box for adding user certificate in TPS UI has been
-modified to no longer mention PKCS #7. The REST service itself
-still accepts PKCS #7, but it should be cleaned up in the future.
+From ee5af05036e87a9dad821c9dd8bc0198dac9bd65 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen <mharmsen@redhat.com>
+Date: Fri, 12 May 2017 13:00:54 -0600
+Subject: [PATCH 01/27] Fix CA installation with HSM in FIPS mode
 
-https://fedorahosted.org/pki/ticket/2437
-(cherry picked from commit d27d4600784acb49c42764d02835dedf3ee87227)
-(cherry picked from commit 2dae5f18fa5c68f7923b6b6691395790fb14791f)
+Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
+dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
 ---
- base/server/cms/src/org/dogtagpki/server/rest/UserService.java | 2 ++
- base/tps/shared/webapps/tps/ui/user-certs.html                 | 2 +-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
-index 0893c4b..1f8e9fa 100644
---- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
-@@ -863,6 +863,8 @@ public class UserService extends PKIService implements UserResource {
-             }
+ base/server/python/pki/server/deployment/pkihelper.py | 19 ++++++++++++++-----
+ .../pki/server/deployment/scriptlets/finalization.py  |  3 ++-
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
+index 051778d..a1345de 100644
+--- a/base/server/python/pki/server/deployment/pkihelper.py
++++ b/base/server/python/pki/server/deployment/pkihelper.py
+@@ -1017,11 +1017,20 @@ class Instance:
+                                  extra=config.PKI_INDENTATION_LEVEL_2)
+             raise
+ 
+-    def get_instance_status(self):
++    def get_instance_status(self, secure_connection=True):
++        pki_protocol = None
++        pki_port = None
++        if secure_connection:
++            pki_protocol = "https"
++            pki_port = self.mdict['pki_https_port']
++        else:
++            pki_protocol = "http"
++            pki_port = self.mdict['pki_http_port']
++
+         connection = pki.client.PKIConnection(
+-            protocol='https',
++            protocol=pki_protocol,
+             hostname=self.mdict['pki_hostname'],
+-            port=self.mdict['pki_https_port'],
++            port=pki_port,
+             subsystem=self.mdict['pki_subsystem_type'],
+             accept='application/xml',
+             trust_env=False)
+@@ -1049,11 +1058,11 @@ class Instance:
+                 extra=config.PKI_INDENTATION_LEVEL_3)
+             return None
  
-             if (cert == null) {
-+                // TODO: Remove this code. Importing PKCS #7 is not supported.
-+
-                 // cert chain direction
-                 boolean assending = true;
- 
-diff --git a/base/tps/shared/webapps/tps/ui/user-certs.html b/base/tps/shared/webapps/tps/ui/user-certs.html
-index 049583e..04593f3 100644
---- a/base/tps/shared/webapps/tps/ui/user-certs.html
-+++ b/base/tps/shared/webapps/tps/ui/user-certs.html
-@@ -93,7 +93,7 @@
-                     <input name="userID" readonly="readonly"><br>
-                     <label>Certificate</label>
-                     <textarea name="encoded" rows="20" cols="80"></textarea><br>
--                    Enter a PEM certificate or PKCS #7 data.
-+                    Enter a PEM certificate.
-                 </fieldset>
-             </div>
-             <div class="modal-footer">
+-    def wait_for_startup(self, timeout):
++    def wait_for_startup(self, timeout, secure_connection=True):
+         start_time = datetime.today()
+         status = None
+         while status != "running":
+-            status = self.get_instance_status()
++            status = self.get_instance_status(secure_connection)
+             time.sleep(1)
+             stop_time = datetime.today()
+             if (stop_time - start_time).total_seconds() >= timeout:
+diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py
+index 941691c..75bb80e 100644
+--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py
++++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py
+@@ -58,7 +58,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+         if config.str2bool(deployer.mdict['pki_restart_configured_instance']):
+             deployer.systemd.restart()
+             # wait for startup
+-            status = deployer.instance.wait_for_startup(60)
++            # (must use 'http' protocol due to potential FIPS configuration)
++            status = deployer.instance.wait_for_startup(60, False)
+             if status is None:
+                 config.pki_log.error(
+                     "server failed to restart",
 -- 
 1.8.3.1
 
 
-From 3bfd5acb075751e429eeb8b46f17c624a5178a41 Mon Sep 17 00:00:00 2001
+From 4557cd497ecc3c753461617dd8f10067a3815042 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Fri, 12 Aug 2016 04:42:25 +0200
-Subject: [PATCH 02/10] Added cert validation error message in selftest log.
+Date: Tue, 16 May 2017 01:43:33 +0200
+Subject: [PATCH 02/27] Added log messages for server shutdown.
 
-To help troubleshooting the selftest log has been modified to
-include the cert validation error message returned by JSS.
+Some log messages have been added to help troubleshoot the cause
+of server shutdown.
 
-https://fedorahosted.org/pki/ticket/2436
-(cherry picked from commit 0fd31368d871c513c9833ca02bc08d15a48d6aa5)
-(cherry picked from commit 488303542161103cbbac6814dffd8818fccf455d)
+Change-Id: Ie2a91647a0986fdb11cafed2aec48cce208ef1a2
 ---
- .../src/com/netscape/cms/selftests/common/SystemCertsVerification.java  | 2 +-
- base/server/cmsbundle/src/LogMessages.properties                        | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java b/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java
-index e4fc1cb..cc52f83 100644
---- a/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java
-+++ b/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java
-@@ -200,7 +200,7 @@ public class SystemCertsVerification
-         } catch (Exception e) {
-             String logMessage = CMS.getLogMessage(
-                     "SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE",
--                    getSelfTestName());
-+                    getSelfTestName(), e.getMessage());
-             mSelfTestSubsystem.log(logger, logMessage);
+ base/common/src/com/netscape/certsrv/apps/CMS.java                    | 4 ++++
+ .../cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java       | 3 +++
+ .../server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java | 1 +
+ .../cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java | 4 ++++
+ 4 files changed, 12 insertions(+)
+
+diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
+index 8f1d648..cc634cc 100644
+--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
++++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
+@@ -1627,6 +1627,8 @@ public final class CMS {
+             // Raidzilla Bug #57592:  Always print error message to stdout.
+             System.out.println(e);
+ 
++            CMS.debug("CMS.start(): shutdown server");
++
+             shutdown();
              throw e;
+ 
+@@ -1722,6 +1724,8 @@ public final class CMS {
+                         ILogger.LL_INFO,
+                         "CMSEngine: Received shutdown signal");
+ 
++                CMS.debug("CMS.main(): shutdown server");
++
+                 CMS.shutdown();
+             };
+         });
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+index e5a1474..f8bc34a 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+@@ -750,6 +750,7 @@ public final class CMSAdminServlet extends AdminServlet {
+         if (stop != null) {
+             //XXX Send response first then shutdown
+             sendResponse(SUCCESS, null, params, resp);
++            CMS.debug("CMSAdminServlet.performTasks(): shutdown server");
+             CMS.shutdown();
+             return;
          }
-diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
-index 12c580a..0bcbcc5 100644
---- a/base/server/cmsbundle/src/LogMessages.properties
-+++ b/base/server/cmsbundle/src/LogMessages.properties
-@@ -2766,7 +2766,7 @@ SELFTESTS_PARAMETER_WAS_NULL={0}:  a self test parameter was null
- SELFTESTS_MISSING_NAME={0}:  the self test property name {1} does not exist
- SELFTESTS_MISSING_VALUES={0}:  the self test property name {1} contained no value(s)
- SELFTESTS_INVALID_VALUES={0}:  the self test property name {1} contained invalid value(s)
--SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE={0}: system certs verification failure
-+SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_FAILURE={0}: system certs verification failure: {1}
- SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_SUCCESS={0}: system certs verification success
- SELFTESTS_CA_IS_NOT_PRESENT={0}:  CA is NOT present
- SELFTESTS_CA_IS_NOT_INITIALIZED={0}:  CA is NOT yet initialized
+@@ -3271,6 +3272,8 @@ public final class CMSAdminServlet extends AdminServlet {
+                                     + "\n";
+                             sendResponse(ERROR, content, null, resp);
+ 
++                            CMS.debug("CMSAdminServlet.runSelfTestsOnDemand(): shutdown server");
++
+                             // shutdown the system gracefully
+                             CMS.shutdown();
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java
+index cfbf724..9609b06 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java
+@@ -148,6 +148,7 @@ public class CMSStartServlet extends HttpServlet {
+      * This method will be called when Tomcat is shutdown.
+      */
+     public void destroy() {
++        CMS.debug("CMSStartServlet.destroy(): shutdown server");
+         CMS.shutdown();
+     }
+ }
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+index 6ee3176..e1d6e15 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+@@ -547,6 +547,8 @@ public class SelfTestSubsystem
+                                     "CMSCORE_SELFTESTS_RUN_ON_DEMAND_FAILED",
+                                     instanceFullName));
+ 
++                    CMS.debug("SelfTestSubsystem.runSelfTestsOnDemand(): shutdown server");
++
+                     // shutdown the system gracefully
+                     CMS.shutdown();
+ 
+@@ -1845,6 +1847,8 @@ public class SelfTestSubsystem
+ 
+             audit(auditMessage);
+ 
++            CMS.debug("SelfTestSubsystem.startup(): shutdown server");
++
+             // shutdown the system gracefully
+             CMS.shutdown();
+ 
 -- 
 1.8.3.1
 
 
-From 6431cac7c8f6a4874249bf1ea8b287e1a9a9f0c3 Mon Sep 17 00:00:00 2001
+From 587cfa90b3b065f4c9c5bd0292202d5d9a4c2f54 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Fri, 12 Aug 2016 23:06:24 +0200
-Subject: [PATCH 03/10] Added exception wrapper for invalid LDAP attribute
- syntax.
+Date: Tue, 25 Apr 2017 22:12:20 +0200
+Subject: [PATCH 03/27] Simplified conditions to log CERT_REQUEST_PROCESSED.
 
-The LDAPExceptionConverter has been modified to wrap LDAPException
-for invalid attribute syntax with BadRequestException.
+The conditions to log CERT_REQUEST_PROCESSED have been simplified
+since the auditInfoCertValue() will return SIGNED_AUDIT_EMPTY_VALUE
+if the certificate object is not available in the request object.
 
-https://fedorahosted.org/pki/ticket/833
-(cherry picked from commit 71acaed02642c618a729fbebbf7a7025684967a3)
-(cherry picked from commit 26aa8bd616148b5318b87817aafae926d1c375d2)
+https://pagure.io/dogtagpki/issue/2636
+
+Change-Id: I946481c17729d2c349c949def113fc5563ec90ad
 ---
- .../src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java       | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
+ .../logging/event/CertRequestProcessedEvent.java   |  2 +-
+ .../netscape/cms/servlet/cert/CertProcessor.java   | 24 +++++------
+ .../cms/servlet/connector/ConnectorServlet.java    | 47 +++++++++-------------
+ .../servlet/profile/ProfileSubmitCMCServlet.java   | 44 +++++++++-----------
+ 4 files changed, 48 insertions(+), 69 deletions(-)
 
-diff --git a/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java b/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
-index 88b1263..51a1109 100644
---- a/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
-+++ b/base/common/src/com/netscape/certsrv/ldap/LDAPExceptionConverter.java
-@@ -17,13 +17,13 @@
- // --- END COPYRIGHT BLOCK ---
- package com.netscape.certsrv.ldap;
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
+index 777434b..a17f7d5 100644
+--- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
+@@ -96,7 +96,7 @@ public class CertRequestProcessedEvent extends AuditEvent {
+      * @param x509cert an X509CertImpl
+      * @return cert string containing the certificate
+      */
+-    public static String auditInfoCertValue(X509CertImpl x509cert) {
++    String auditInfoCertValue(X509CertImpl x509cert) {
+ 
+         if (x509cert == null) {
+             return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+index d25d817..1becd1b 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+@@ -246,21 +246,17 @@ public class CertProcessor extends CAProcessor {
+                 req.setRequestStatus(RequestStatus.COMPLETE);
  
--import netscape.ldap.LDAPException;
+                 X509CertImpl x509cert = req.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+-                String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert);
 -
- import com.netscape.certsrv.base.BadRequestException;
- import com.netscape.certsrv.base.ConflictingOperationException;
- import com.netscape.certsrv.base.PKIException;
- import com.netscape.certsrv.base.ResourceNotFoundException;
+-                // TODO: simplify this condition
+-                if (auditInfoCertValue != null) {
+-                    if (!(auditInfoCertValue.equals(
+-                            ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+-
+-                        audit(new CertRequestProcessedEvent(
+-                                auditSubjectID,
+-                                ILogger.SUCCESS,
+-                                auditRequesterID,
+-                                ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                x509cert));
+-                    }
++
++                if (x509cert != null) {
++
++                    audit(new CertRequestProcessedEvent(
++                            auditSubjectID,
++                            ILogger.SUCCESS,
++                            auditRequesterID,
++                            ILogger.SIGNED_AUDIT_ACCEPTANCE,
++                            x509cert));
+                 }
++
+             } catch (EDeferException e) {
+                 // return defer message to the user
+                 req.setRequestStatus(RequestStatus.PENDING);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+index b5ccdd2..eeb640e 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+@@ -620,40 +620,31 @@ public class ConnectorServlet extends CMSServlet {
+                 if (isProfileRequest(thisreq)) {
  
-+import netscape.ldap.LDAPException;
+                     X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+-                    String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert);
+-
+-                    // TODO: simplify this condition
+-                    if (auditInfoCertValue != null) {
+-                        if (!(auditInfoCertValue.equals(
+-                                   ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+-
+-                            audit(new CertRequestProcessedEvent(
+-                                    auditSubjectID,
+-                                    ILogger.SUCCESS,
+-                                    auditRequesterID,
+-                                    ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                    x509cert));
+-                        }
 +
- /**
-  * @author Endi S. Dewata
-  */
-@@ -39,6 +39,8 @@ public class LDAPExceptionConverter {
-             return new ResourceNotFoundException("No such attribute.", e);
-         case LDAPException.INVALID_DN_SYNTAX:
-             return new BadRequestException("Invalid DN syntax.", e);
-+        case LDAPException.INVALID_ATTRIBUTE_SYNTAX:
-+            return new BadRequestException("Invalid attribute syntax.", e);
-         case LDAPException.ENTRY_ALREADY_EXISTS:
-             return new ConflictingOperationException("Entry already exists.", e);
-         default:
--- 
-1.8.3.1
-
-
-From 90c6537038caa9a241d1c4123e1a642860a0aa5a Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Tue, 16 Aug 2016 00:15:15 +0200
-Subject: [PATCH 04/10] Removed misleading log in SelfTestSubsystem.
-
-To avoid confusion, the isSelfTestCriticalAtStartup() and
-isSelfTestCriticalOnDemand() in SelfTestSubsystem have been
-modified to no longer log an error message if the selftest
-being checked does not exist in the corresponding property
-in CS.cfg.
-
-https://fedorahosted.org/pki/ticket/2432
-(cherry picked from commit 6bfee0e46aee93e1255ecb5652d46348557664d5)
-(cherry picked from commit 422fc92597d80aa115efa59a592fbaf8851b243e)
----
- .../com/netscape/cmscore/selftests/SelfTestSubsystem.java  | 14 ++------------
- 1 file changed, 2 insertions(+), 12 deletions(-)
-
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
-index ff938dd..8dc95cc 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
-@@ -473,12 +473,7 @@ public class SelfTestSubsystem
-             }
-         }
++                    if (x509cert != null) {
++
++                        audit(new CertRequestProcessedEvent(
++                                auditSubjectID,
++                                ILogger.SUCCESS,
++                                auditRequesterID,
++                                ILogger.SIGNED_AUDIT_ACCEPTANCE,
++                                x509cert));
+                     }
+                 }
++
+             } catch (EBaseException eAudit1) {
+                 if (isProfileRequest(thisreq)) {
  
--        // self test plugin instance property name is not present
--        log(mLogger,
--                CMS.getLogMessage(
--                        "CMSCORE_SELFTESTS_PROPERTY_MISSING_NAME",
--                        instanceFullName));
+                     X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+-                    String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert);
 -
-+        // self test undefined in selftests.container.order.onDemand
-         throw new EMissingSelfTestException(instanceFullName);
-     }
+-                    // TODO: simplify this condition
+-                    if (auditInfoCertValue != null) {
+-                        if (!(auditInfoCertValue.equals(
+-                                   ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+-
+-                            audit(new CertRequestProcessedEvent(
+-                                    auditSubjectID,
+-                                    ILogger.FAILURE,
+-                                    auditRequesterID,
+-                                    ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                    x509cert));
+-                        }
++
++                    if (x509cert != null) {
++
++                        audit(new CertRequestProcessedEvent(
++                                auditSubjectID,
++                                ILogger.FAILURE,
++                                auditRequesterID,
++                                ILogger.SIGNED_AUDIT_ACCEPTANCE,
++                                x509cert));
+                     }
+                 }
  
-@@ -799,12 +794,7 @@ public class SelfTestSubsystem
-             }
-         }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index 1e128d0..0e101ed 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -696,21 +696,17 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                     reqs[k].setRequestStatus(RequestStatus.COMPLETE);
  
--        // self test plugin instance property name is not present
--        log(mLogger,
--                CMS.getLogMessage(
--                        "CMSCORE_SELFTESTS_PROPERTY_MISSING_NAME",
--                        instanceFullName));
+                     X509CertImpl x509cert = reqs[k].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+-                    String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert);
 -
-+        // self test undefined in selftests.container.order.startup
-         throw new EMissingSelfTestException(instanceFullName);
-     }
+-                    // TODO: simplify this condition
+-                    if (auditInfoCertValue != null) {
+-                        if (!(auditInfoCertValue.equals(
+-                                    ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
+-
+-                            audit(new CertRequestProcessedEvent(
+-                                        auditSubjectID,
+-                                        ILogger.SUCCESS,
+-                                        auditRequesterID,
+-                                        ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                        x509cert));
+-                        }
++
++                    if (x509cert != null) {
++
++                        audit(new CertRequestProcessedEvent(
++                                    auditSubjectID,
++                                    ILogger.SUCCESS,
++                                    auditRequesterID,
++                                    ILogger.SIGNED_AUDIT_ACCEPTANCE,
++                                    x509cert));
+                     }
++
+                 } catch (EDeferException e) {
+                     // return defer message to the user
+                     CMS.debug("ProfileSubmitCMCServlet: set request to PENDING");
+@@ -794,21 +790,17 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                     CMS.debug("ProfileSubmitCMCServlet: provedReq set to complete");
+ 
+                     X509CertImpl x509cert = reqs[0].getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+-                    String auditInfoCertValue = CertRequestProcessedEvent.auditInfoCertValue(x509cert);
+ 
+-                    // TODO: simplify this condition
+-                    if (auditInfoCertValue != null) {
+-                        if (!(auditInfoCertValue.equals(
+-                                ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
++                    if (x509cert != null) {
  
+-                            audit(new CertRequestProcessedEvent(
+-                                    auditSubjectID,
+-                                    ILogger.SUCCESS,
+-                                    auditRequesterID,
+-                                    ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                    x509cert));
+-                        }
++                        audit(new CertRequestProcessedEvent(
++                                auditSubjectID,
++                                ILogger.SUCCESS,
++                                auditRequesterID,
++                                ILogger.SIGNED_AUDIT_ACCEPTANCE,
++                                x509cert));
+                     }
++
+                 } catch (ERejectException e) {
+                     // return error to the user
+                     provedReq.setRequestStatus(RequestStatus.REJECTED);
 -- 
 1.8.3.1
 
 
-From 561191eacd168ed3b75de0c502ee82a6517f4348 Mon Sep 17 00:00:00 2001
+From 3abf731d9e6f02ac8d315978d31c28c2f9c85db9 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Tue, 16 Aug 2016 01:43:36 +0200
-Subject: [PATCH 05/10] Fixed SelfTestService.findSelfTests().
+Date: Wed, 26 Apr 2017 01:27:17 +0200
+Subject: [PATCH 04/27] Added AuditEvent attributes.
+
+The AuditEvent class has been modified to support variable number
+of event attributes which can be used to generate more flexible
+audit log entries.
 
-The SelfTestService.findSelfTests() has been modified to return
-all selftests defined in the CS.cfg.
+https://pagure.io/dogtagpki/issue/2655
 
-https://fedorahosted.org/pki/ticket/2432
-(cherry picked from commit 4001335ed5105112c64c433a26272286ecf66196)
-(cherry picked from commit e860276fc5889aae40beda33ea523358fbe76911)
+Change-Id: I565062bd7d635c0cbff0e6a7e71477648c9d3212
 ---
- .../common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java | 4 ++++
- base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java    | 2 +-
- .../cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java | 4 ++++
- 3 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
-index c07b96a..a55c651 100644
---- a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
-+++ b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
-@@ -20,6 +20,8 @@
- 
- package com.netscape.certsrv.selftests;
- 
-+import java.util.Collection;
-+
- ///////////////////////
- // import statements //
- ///////////////////////
-@@ -68,6 +70,8 @@ public interface ISelfTestSubsystem
-     // ISelfTestSubsystem methods //
-     ////////////////////////////////
- 
-+    public Collection<String> getSelfTestNames();
-+
-     //
-     // methods associated with the list of on demand self tests
-     //
-diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
-index e662ba9..9108a45 100644
---- a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
-@@ -113,7 +113,7 @@ public class SelfTestService extends PKIService implements SelfTestResource {
- 
-             // filter self tests
-             Collection<String> results = new ArrayList<String>();
--            for (String name : subsystem.listSelfTestsEnabledOnDemand()) {
-+            for (String name : subsystem.getSelfTestNames()) {
-                 if (filter != null && !name.contains(filter)) continue;
-                 results.add(name);
-             }
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
-index 8dc95cc..d7d7a3a 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
-@@ -243,6 +243,10 @@ public class SelfTestSubsystem
-     // SelfTestSubsystem methods //
-     ///////////////////////////////
+ .../com/netscape/certsrv/logging/AuditEvent.java   | 24 ++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 7a4aa9b..9ba9271 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -18,7 +18,9 @@
+ package com.netscape.certsrv.logging;
  
-+    public Collection<String> getSelfTestNames() {
-+        return mSelfTestInstances.keySet();
+ import java.text.MessageFormat;
++import java.util.LinkedHashMap;
+ import java.util.Locale;
++import java.util.Map;
+ 
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.MessageFormatter;
+@@ -265,6 +267,7 @@ public class AuditEvent implements IBundleLogEvent {
+     private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6";
+ 
+     protected Object mParams[] = null;
++    protected Map<String, Object> attributes = new LinkedHashMap<>();
+ 
+     private String mEventType = null;
+     private String mMessage = null;
+@@ -574,4 +577,25 @@ public class AuditEvent implements IBundleLogEvent {
+         } else
+             return toContent();
+     }
++
++    public void setAttribute(String name, Object value) {
++        attributes.put(name, value);
 +    }
 +
-     //
-     // methods associated with the list of on demand self tests
-     //
++    public String getAttributeList() {
++
++        StringBuilder sb = new StringBuilder();
++
++        for (String name : attributes.keySet()) {
++            Object value = attributes.get(name);
++
++            sb.append("[");
++            sb.append(name);
++            sb.append("=");
++            sb.append(value);
++            sb.append("]");
++        }
++
++        return sb.toString();
++    }
+ }
 -- 
 1.8.3.1
 
 
-From 15a6f83a651949af7ba7bfe8fc1b3626d064fa87 Mon Sep 17 00:00:00 2001
+From cec9efefe027ed4e7592827889eb3b487e7e485a Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 18 Aug 2016 05:40:25 +0200
-Subject: [PATCH 06/10] Added debug messages for
- ConfigurationUtils.handleCerts().
+Date: Wed, 26 Apr 2017 20:04:46 +0200
+Subject: [PATCH 05/27] Added ConfigTrustedPublicKeyEvent.
+
+A new ConfigTrustedPublicKeyEvent class of has been added to
+encapsulate the CONFIG_TRUSTED_PUBLIC_KEY events.
 
-To help troubleshooting some debug messages have been added into
-ConfigurationUtils.handleCerts().
+https://pagure.io/dogtagpki/issue/2641
 
-https://fedorahosted.org/pki/ticket/2436
-(cherry picked from commit 9aa6640e7e94a591343478ee806a6e6d4c9f81e8)
-(cherry picked from commit 4e5c8e53345d500bfa620267a8ae35df0e2973b6)
+Change-Id: I2fb4b46dfd63daf3c0c08dc08b3dbac9108ec908
 ---
- .../cms/servlet/csadmin/ConfigurationUtils.java     | 21 ++++++++++++++++++++-
- 1 file changed, 20 insertions(+), 1 deletion(-)
+ .../com/netscape/certsrv/logging/AuditEvent.java   |   2 -
+ .../logging/event/ConfigTrustedPublicKeyEvent.java |  42 ++++
+ .../cms/servlet/admin/CMSAdminServlet.java         | 218 +++++++--------------
+ 3 files changed, 114 insertions(+), 148 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ConfigTrustedPublicKeyEvent.java
 
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-index 7723665..3bd6d87 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-@@ -3153,6 +3153,9 @@ public class ConfigurationUtils {
-         String tokenname = config.getString("preop.module.token", "");
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 9ba9271..ff5d344 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -63,8 +63,6 @@ public class AuditEvent implements IBundleLogEvent {
+             "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3";
+     public final static String CONFIG_ENCRYPTION =
+             "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3";
+-    public final static String CONFIG_TRUSTED_PUBLIC_KEY =
+-            "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3";
+     public final static String CONFIG_DRM =
+             "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3";
+     public final static String SELFTESTS_EXECUTION =
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigTrustedPublicKeyEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigTrustedPublicKeyEvent.java
+new file mode 100644
+index 0000000..b0dd781
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigTrustedPublicKeyEvent.java
+@@ -0,0 +1,42 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class ConfigTrustedPublicKeyEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public final static String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3";
++
++    public ConfigTrustedPublicKeyEvent(
++            String subjectID,
++            String outcome,
++            String params) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                params
++        });
++    }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+index f8bc34a..8d28408 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+@@ -62,6 +62,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.ConfigTrustedPublicKeyEvent;
+ import com.netscape.certsrv.ocsp.IOCSPAuthority;
+ import com.netscape.certsrv.ra.IRegistrationAuthority;
+ import com.netscape.certsrv.security.ICryptoSubsystem;
+@@ -1434,7 +1435,7 @@ public final class CMSAdminServlet extends AdminServlet {
+     private void issueImportCert(HttpServletRequest req,
+             HttpServletResponse resp) throws ServletException,
+             IOException, EBaseException {
+-        String auditMessage = null;
++
+         String auditSubjectID = auditSubjectID();
  
-         if (cert.getType().equals("local") && b64.equals("...certificate be generated internally...")) {
+         // ensure that any low-level exceptions are reported
+@@ -1484,14 +1485,11 @@ public final class CMSAdminServlet extends AdminServlet {
+                 nicknameWithoutTokenName = nickname.substring(index + 1);
+                 oldtokenname = nickname.substring(0, index);
+             } else {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
 +
-+            CMS.debug("handleCerts(): processing local cert");
++                audit(new ConfigTrustedPublicKeyEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 throw new EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND"));
+             }
+@@ -1504,14 +1502,11 @@ public final class CMSAdminServlet extends AdminServlet {
+             } else if (index > 0 && (index < (canickname.length() - 1))) {
+                 canicknameWithoutTokenName = canickname.substring(index + 1);
+             } else {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
 +
-             String pubKeyType = config.getString(PCERT_PREFIX + certTag + ".keytype");
-             X509Key x509key = null;
-             if (pubKeyType.equals("rsa")) {
-@@ -3177,24 +3180,33 @@ public class ConfigurationUtils {
-                 CMS.debug("handleCerts(): nickname=" + nickname);
++                audit(new ConfigTrustedPublicKeyEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
  
-                 try {
-+                    CMS.debug("handleCerts(): deleting existing cert");
-                     if (certTag.equals("sslserver") && findBootstrapServerCert())
-                         deleteBootstrapServerCert();
-                     if (findCertificate(tokenname, nickname))
-                         deleteCert(tokenname, nickname);
-+
-+                    CMS.debug("handleCerts(): importing new cert");
-                     if (certTag.equals("signing") && subsystem.equals("ca"))
-                         CryptoUtil.importUserCertificate(impl, nickname);
-                     else
-                         CryptoUtil.importUserCertificate(impl, nickname, false);
-                     CMS.debug("handleCerts(): cert imported for certTag '" + certTag + "'");
-+
-                 } catch (Exception ee) {
-                     CMS.debug(ee);
-                     CMS.debug("handleCerts(): import certificate for certTag=" + certTag + " Exception: "
-                             + ee.toString());
-                 }
+                 throw new EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND"));
              }
+@@ -1524,14 +1519,11 @@ public final class CMSAdminServlet extends AdminServlet {
+             KeyPair pair = null;
+ 
+             if (nickname.equals("")) {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
 +
-         } else if (cert.getType().equals("remote")) {
++                audit(new ConfigTrustedPublicKeyEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 throw new EBaseException(CMS.getLogMessage("BASE_CERT_NOT_FOUND"));
+             }
+@@ -1771,40 +1763,30 @@ public final class CMSAdminServlet extends AdminServlet {
+             properties.clear();
+             properties = null;
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             mConfig.commit(true);
+             sendResponse(SUCCESS, null, null, resp);
+         } catch (EBaseException eAudit1) {
+             CMS.debug("CMSAdminServlet: issueImportCert: EBaseException thrown: " + eAudit1.toString());
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
 +
-+            CMS.debug("handleCerts(): processing remote cert");
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+         } catch (IOException eAudit2) {
+             CMS.debug("CMSAdminServlet: issueImportCert: IOException thrown: " + eAudit2.toString());
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
 +
-             if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) {
--                CMS.debug("handleCerts(): process remote...import cert");
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -1890,14 +1872,11 @@ public final class CMSAdminServlet extends AdminServlet {
+             try {
+                 if (pkcs == null || pkcs.equals("")) {
+                     if (certpath == null || certpath.equals("")) {
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
 +
-+                CMS.debug("handleCerts(): deleting existing cert");
-                 String b64chain = cert.getCertChain();
++                        audit(new ConfigTrustedPublicKeyEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                        audit(auditMessage);
++                                auditParams(req)));
  
-                 try {
-@@ -3207,6 +3219,7 @@ public class ConfigurationUtils {
-                     CMS.debug("ConfigurationUtils: update (remote): deleteCert Exception=" + e.toString());
+                         EBaseException ex = new EBaseException(
+                                 CMS.getLogMessage("BASE_INVALID_FILE_PATH"));
+@@ -1924,14 +1903,11 @@ public final class CMSAdminServlet extends AdminServlet {
+                     }
                  }
+             } catch (IOException ee) {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++
++                audit(new ConfigTrustedPublicKeyEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 throw new EBaseException(
+                         CMS.getLogMessage("BASE_OPEN_FILE_FAILED"));
+@@ -1954,14 +1930,11 @@ public final class CMSAdminServlet extends AdminServlet {
+                 tokenName = nickname.substring(0, index);
+                 nicknameWithoutTokenName = nickname.substring(index + 1);
+             } else {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++
++                audit(new ConfigTrustedPublicKeyEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 throw new EBaseException(
+                         CMS.getLogMessage("BASE_CERT_NOT_FOUND"));
+@@ -2203,14 +2176,10 @@ public final class CMSAdminServlet extends AdminServlet {
+                 audit(auditMessage);
+             }
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
  
-+                CMS.debug("handleCerts(): importing new cert");
-                 b64 = CryptoUtil.stripCertBrackets(b64.trim());
-                 String certs = CryptoUtil.normalizeCertStr(b64);
-                 byte[] certb = CryptoUtil.base64Decode(certs);
-@@ -3256,11 +3269,16 @@ public class ConfigurationUtils {
-                 CMS.debug("handleCerts(): b64 not set");
-                 return 1;
+             mConfig.commit(true);
+             if (verified == true) {
+@@ -2220,26 +2189,20 @@ public final class CMSAdminServlet extends AdminServlet {
+                         null, resp);
              }
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
 +
-         } else {
-+            CMS.debug("handleCerts(): processing " + cert.getType() + " cert");
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
 +
-             b64 = CryptoUtil.stripCertBrackets(b64.trim());
-             String certs = CryptoUtil.normalizeCertStr(b64);
-             byte[] certb = CryptoUtil.base64Decode(certs);
-             X509CertImpl impl = new X509CertImpl(certb);
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -2275,7 +2238,7 @@ public final class CMSAdminServlet extends AdminServlet {
+     private void importXCert(HttpServletRequest req,
+             HttpServletResponse resp) throws ServletException,
+             IOException, EBaseException {
+-        String auditMessage = null;
 +
-+            CMS.debug("handleCerts(): deleting existing cert");
+         String auditSubjectID = auditSubjectID();
+ 
+         // ensure that any low-level exceptions are reported
+@@ -2309,14 +2272,11 @@ public final class CMSAdminServlet extends AdminServlet {
              try {
-                 if (certTag.equals("sslserver") && findBootstrapServerCert())
-                     deleteBootstrapServerCert();
-@@ -3271,6 +3289,7 @@ public class ConfigurationUtils {
-                 CMS.debug("handleCerts(): deleteCert Exception=" + ee.toString());
+                 if (b64Cert == null || b64Cert.equals("")) {
+                     if (certpath == null || certpath.equals("")) {
+-                        // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++
++                        audit(new ConfigTrustedPublicKeyEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditParams(req));
+-
+-                        audit(auditMessage);
++                                auditParams(req)));
+ 
+                         EBaseException ex = new EBaseException(
+                                 CMS.getLogMessage("BASE_INVALID_FILE_PATH"));
+@@ -2342,14 +2302,11 @@ public final class CMSAdminServlet extends AdminServlet {
+                     }
+                 }
+             } catch (IOException ee) {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++
++                audit(new ConfigTrustedPublicKeyEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 throw new EBaseException(
+                         CMS.getLogMessage("BASE_OPEN_FILE_FAILED"));
+@@ -2376,14 +2333,11 @@ public final class CMSAdminServlet extends AdminServlet {
+                 //this will import into internal ldap crossCerts entry
+                 ccps.importCert(bCert);
+             } catch (Exception e) {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++
++                audit(new ConfigTrustedPublicKeyEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(1, "xcert importing failure:" + e.toString(),
+                              null, resp);
+@@ -2395,14 +2349,11 @@ public final class CMSAdminServlet extends AdminServlet {
+                 // db to publishing directory, if turned on
+                 ccps.publishCertPairs();
+             } catch (EBaseException e) {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++
++                audit(new ConfigTrustedPublicKeyEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditParams(req));
+-
+-                audit(auditMessage);
++                            auditParams(req)));
+ 
+                 sendResponse(1, "xcerts publishing failure:" + e.toString(), null, resp);
+                 return;
+@@ -2416,37 +2367,27 @@ public final class CMSAdminServlet extends AdminServlet {
+             results.put(Constants.PR_NICKNAME, "FBCA cross-signed cert");
+             results.put(Constants.PR_CERT_CONTENT, content);
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             sendResponse(SUCCESS, null, results, resp);
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
+@@ -2929,7 +2870,7 @@ public final class CMSAdminServlet extends AdminServlet {
+     public void setRootCertTrust(HttpServletRequest req,
+             HttpServletResponse resp) throws ServletException,
+             IOException, EBaseException {
+-        String auditMessage = null;
++
+         String auditSubjectID = auditSubjectID();
+         String nickname = req.getParameter(Constants.PR_NICK_NAME);
+         String serialno = req.getParameter(Constants.PR_SERIAL_NUMBER);
+@@ -2943,25 +2884,20 @@ public final class CMSAdminServlet extends AdminServlet {
+         try {
+             jssSubSystem.setRootCertTrust(nickname, serialno, issuername, trust);
+         } catch (EBaseException e) {
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
++                        auditParams(req)));
+ 
+-            audit(auditMessage);
+             // rethrow the specific exception to be handled later
+             throw e;
+         }
+ 
+-        // store a message in the signed audit log file
+-        auditMessage = CMS.getLogMessage(
+-                    AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++        audit(new ConfigTrustedPublicKeyEvent(
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+-                    auditParams(req));
+-
+-        audit(auditMessage);
++                    auditParams(req)));
+ 
+         sendResponse(SUCCESS, null, null, resp);
+     }
+@@ -2982,7 +2918,7 @@ public final class CMSAdminServlet extends AdminServlet {
+     private void trustCACert(HttpServletRequest req,
+             HttpServletResponse resp) throws ServletException,
+             IOException, EBaseException {
+-        String auditMessage = null;
++
+         String auditSubjectID = auditSubjectID();
+ 
+         CMS.debug("CMSAdminServlet: trustCACert()");
+@@ -3010,38 +2946,28 @@ public final class CMSAdminServlet extends AdminServlet {
+                 }
              }
  
-+            CMS.debug("handleCerts(): importing new cert");
-             try {
-                 if (certTag.equals("signing") && subsystem.equals("ca"))
-                     CryptoUtil.importUserCertificate(impl, nickname);
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             //sendResponse(SUCCESS, null, null, resp);
+             sendResponse(RESTART, null, null, resp);
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit1;
+         } catch (IOException eAudit2) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
++
++            audit(new ConfigTrustedPublicKeyEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditParams(req));
+-
+-            audit(auditMessage);
++                        auditParams(req)));
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit2;
 -- 
 1.8.3.1
 
 
-From 361eb16c8558f5be6cdb65ab412ab4f703a10bdc Mon Sep 17 00:00:00 2001
-From: Matthew Harmsen <mharmsen@redhat.com>
-Date: Fri, 19 Aug 2016 15:58:12 -0600
-Subject: [PATCH 07/10] pki-tools HEADER/FOOTER changes
+From 439ee21719064e60fb691c48aafdbc7fa722c8b7 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 26 Apr 2017 01:32:12 +0200
+Subject: [PATCH 06/27] Refactored CertRequestProcessedEvent to use AuditEvent
+ attributes.
 
-* PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
+The CertRequestProcessedEvent constructors have been modified to
+log the info attributes using the new AuditEvent attributes.
 
-(cherry picked from commit 534633885ae28db230786c25374fba66120ed933)
-(cherry picked from commit 94e009a03036194f4ee09a9a159acd906179ec9d)
+The logging property for CERT_REQUEST_PROCESSED event has been
+modified to accept a list of attributes as a single string instead
+of individual info attributes.
+
+The CERT_REQUEST_PROCESSED constant in AuditEvent has been replaced
+with a constant in CertRequestProcessedEvent class which points to
+the new logging property.
+
+https://pagure.io/dogtagpki/issue/2655
+
+Change-Id: I981212af7fca58916c73ccdeba9919a4d051af3c
 ---
- base/java-tools/src/com/netscape/cmstools/CMCEnroll.java    | 13 ++++++++-----
- base/java-tools/src/com/netscape/cmstools/CMCRequest.java   |  4 ++--
- base/java-tools/src/com/netscape/cmstools/CMCRevoke.java    | 11 ++++++-----
- .../java-tools/src/com/netscape/cmstools/CRMFPopClient.java |  8 ++++++--
- base/java-tools/src/com/netscape/cmstools/PKCS10Client.java | 11 +++++++----
- 5 files changed, 29 insertions(+), 18 deletions(-)
-
-diff --git a/base/java-tools/src/com/netscape/cmstools/CMCEnroll.java b/base/java-tools/src/com/netscape/cmstools/CMCEnroll.java
-index d13ed13..dc4b191 100644
---- a/base/java-tools/src/com/netscape/cmstools/CMCEnroll.java
-+++ b/base/java-tools/src/com/netscape/cmstools/CMCEnroll.java
-@@ -79,8 +79,11 @@ public class CMCEnroll {
-     public static final String PR_REQUEST_PKCS10 = "PKCS10";
- 
-     public static final int ARGC = 4;
--    public static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
--    public static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
-+    public static final String HEADER = "-----BEGIN";
-+    public static final String TRAILER = "-----END";
-+    // From https://www.rfc-editor.org/rfc/rfc7468.txt
-+    public static final String RFC7468_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
-+    public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
- 
-     void cleanArgs(String[] s) {
- 
-@@ -434,10 +437,10 @@ public class CMCEnroll {
-                     return;
-                 }
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  2 --
+ .../logging/event/CertRequestProcessedEvent.java   | 27 ++++++++++++++--------
+ base/server/cmsbundle/src/LogMessages.properties   |  2 +-
+ 3 files changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index ff5d344..523b204 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -103,8 +103,6 @@ public class AuditEvent implements IBundleLogEvent {
+             "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5";
+     public final static String PROFILE_CERT_REQUEST =
+             "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+-    public final static String CERT_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
+     public final static String CERT_STATUS_CHANGE_REQUEST =
+             "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
+     public final static String CERT_STATUS_CHANGE_REQUEST_PROCESSED =
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
+index a17f7d5..5155672 100644
+--- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
+@@ -30,6 +30,9 @@ public class CertRequestProcessedEvent extends AuditEvent {
  
--                System.out.println(HEADER);
--                System.out.println(asciiBASE64Blob.toString() + TRAILER);
-+                System.out.println(RFC7468_HEADER);
-+                System.out.println(asciiBASE64Blob.toString() + RFC7468_TRAILER);
-                 try {
--                    asciiBASE64Blob_str = HEADER + "\n" + asciiBASE64Blob_str.toString() + TRAILER;
-+                    asciiBASE64Blob_str = RFC7468_HEADER + "\n" + asciiBASE64Blob_str.toString() + RFC7468_TRAILER;
-                     outputBlob.write(asciiBASE64Blob_str.getBytes());
-                 } catch (IOException e) {
-                     System.out.println("CMCEnroll:  I/O error " +
-diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
-index 167c461..1f508c3 100644
---- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
-+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
-@@ -97,8 +97,8 @@ public class CMCRequest {
-     public static final String PR_INTERNAL_TOKEN_NAME = "internal";
+     private static final long serialVersionUID = 1L;
  
-     public static final int ARGC = 1;
--    public static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
--    public static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
-+    public static final String HEADER = "-----BEGIN";
-+    public static final String TRAILER = "-----END";
++    private final static String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED";
++
+     public final static String SIGNED_AUDIT_CERT_REQUEST_REASON = "requestNotes";
  
-     void cleanArgs(String[] s) {
+     public CertRequestProcessedEvent(
+@@ -39,14 +42,16 @@ public class CertRequestProcessedEvent extends AuditEvent {
+             String infoName,
+             String infoValue) {
  
-diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
-index 3f9d811..45c3f07 100644
---- a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
-+++ b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
-@@ -69,8 +69,9 @@ import com.netscape.cmsutil.util.Utils;
-  */
- public class CMCRevoke {
-     public static final int ARGC = 8;
--    public static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
--    public static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
-+    // From https://www.rfc-editor.org/rfc/rfc7468.txt
-+    public static final String RFC7468_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
-+    public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
-     static String dValue = null, nValue = null, iValue = null, sValue = null, mValue = null, hValue = null,
-             pValue = null, cValue = null;
- 
-@@ -224,10 +225,10 @@ public class CMCRevoke {
-             return;
-         }
+-        super(CERT_REQUEST_PROCESSED);
++        super(LOGGING_PROPERTY);
++
++        setAttribute("InfoName", infoName);
++        setAttribute("InfoValue", infoValue);
  
--        System.out.println(HEADER);
--        System.out.println(asciiBASE64Blob + TRAILER);
-+        System.out.println(RFC7468_HEADER);
-+        System.out.println(asciiBASE64Blob + RFC7468_TRAILER);
-         try {
--            asciiBASE64Blob = HEADER + "\n" + asciiBASE64Blob + TRAILER;
-+            asciiBASE64Blob = RFC7468_HEADER + "\n" + asciiBASE64Blob + RFC7468_TRAILER;
-             outputBlob.write(asciiBASE64Blob.getBytes());
-         } catch (IOException e) {
-             System.out.println("CMCSigning:  I/O error " +
-diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
-index 76d8f51..450f950 100644
---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
-+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
-@@ -101,6 +101,10 @@ public class CRMFPopClient {
+         setParameters(new Object[] {
+                 subjectID,
+                 outcome,
+                 requesterID,
+-                infoName,
+-                infoValue
++                getAttributeList()
+         });
+     }
  
-     public boolean verbose;
+@@ -57,14 +62,16 @@ public class CertRequestProcessedEvent extends AuditEvent {
+             String infoName,
+             X509CertImpl x509cert) {
  
-+    // From https://www.rfc-editor.org/rfc/rfc7468.txt
-+    public static final String RFC7468_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
-+    public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
+-        super(CERT_REQUEST_PROCESSED);
++        super(LOGGING_PROPERTY);
 +
-     public static Options createOptions() {
++        setAttribute("InfoName", infoName);
++        setAttribute("InfoValue", auditInfoCertValue(x509cert));
  
-         Options options = new Options();
-@@ -472,9 +476,9 @@ public class CRMFPopClient {
+         setParameters(new Object[] {
+                 subjectID,
+                 outcome,
+                 requesterID,
+-                infoName,
+-                auditInfoCertValue(x509cert)
++                getAttributeList()
+         });
+     }
  
-             StringWriter sw = new StringWriter();
-             try (PrintWriter out = new PrintWriter(sw)) {
--                out.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
-+                out.println(RFC7468_HEADER);
-                 out.println(request);
--                out.println("-----END NEW CERTIFICATE REQUEST-----");
-+                out.println(RFC7468_TRAILER);
-             }
-             String csr = sw.toString();
+@@ -75,14 +82,16 @@ public class CertRequestProcessedEvent extends AuditEvent {
+             String infoName,
+             IRequest request) {
  
-diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
-index d1c787e..0a35827 100644
---- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
-+++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
-@@ -71,6 +71,9 @@ import com.netscape.cmsutil.util.Utils;
-  * @version $Revision$, $Date$
-  */
- public class PKCS10Client {
-+    // From https://www.rfc-editor.org/rfc/rfc7468.txt
-+    public static final String RFC7468_HEADER = "-----BEGIN CERTIFICATE REQUEST-----";
-+    public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
+-        super(CERT_REQUEST_PROCESSED);
++        super(LOGGING_PROPERTY);
++
++        setAttribute("InfoName", infoName);
++        setAttribute("InfoValue", auditInfoValue(request));
  
-     private static void printUsage() {
-         System.out.println(
-@@ -323,15 +326,15 @@ public class PKCS10Client {
-                 b64E = CryptoUtil.base64Encode(certReqb);
-             }
+         setParameters(new Object[] {
+                 subjectID,
+                 outcome,
+                 requesterID,
+-                infoName,
+-                auditInfoValue(request)
++                getAttributeList()
+         });
+     }
  
--            System.out.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
-+            System.out.println(RFC7468_HEADER);
-             System.out.println(b64E);
--            System.out.println("-----END NEW CERTIFICATE REQUEST-----");
-+            System.out.println(RFC7468_TRAILER);
- 
-             PrintStream ps = null;
-             ps = new PrintStream(new FileOutputStream(ofilename));
--            ps.println("-----BEGIN NEW CERTIFICATE REQUEST-----");
-+            ps.println(RFC7468_HEADER);
-             ps.println(b64E);
--            ps.println("-----END NEW CERTIFICATE REQUEST-----");
-+            ps.println(RFC7468_TRAILER);
-             ps.flush();
-             ps.close();
-             System.out.println("PKCS10Client: done. Request written to file: "+ ofilename);
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index d3ac06a..1a5b37a 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2088,7 +2088,7 @@ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEv
+ # InfoValue must contain the certificate (in case of success), a reject reason in
+ #        text, or a cancel reason in text
+ #
+-LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5=<type=CERT_REQUEST_PROCESSED>:[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ReqID={2}][InfoName={3}][InfoValue={4}] certificate request processed
++LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ReqID={2}]{3} certificate request processed
+ #
+ # LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST
+ # - used when a certificate status change request (e.g. revocation)
 -- 
 1.8.3.1
 
 
-From f11b2d72f710e4a8a25e3779b2e57eb6b66742b7 Mon Sep 17 00:00:00 2001
-From: Matthew Harmsen <mharmsen@redhat.com>
-Date: Fri, 19 Aug 2016 16:08:56 -0600
-Subject: [PATCH 08/10] pki-tools CMCEnroll man page
+From 3edee861f0f31910020825a4bdc18f36017b6a26 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 26 Apr 2017 02:02:34 +0200
+Subject: [PATCH 07/27] Added certificate serial number for
+ CERT_REQUEST_PROCESSED.
 
-* PKI TRAC Ticket #690 - [MAN] pki-tools man pages
-      - CMCEnroll
+The CertRequestProcessedEvent constructor that takes a certificate
+object was modified to log the certificate serial number instead of
+the base64-encoded certificate data.
 
-(cherry picked from commit fb8cff8cef10580ff5c14c5d5df535613779f9c5)
-(cherry picked from commit 44046589bc9ed15d591d863056698232c25514bd)
+https://pagure.io/dogtagpki/issue/2655
+
+Change-Id: I67f33a7d435d0e5accdb646bdd20bae99d123472
 ---
- base/java-tools/man/man1/CMCEnroll.1 | 570 +++++++++++++++++++++++++++++++++++
- 1 file changed, 570 insertions(+)
- create mode 100644 base/java-tools/man/man1/CMCEnroll.1
+ .../com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java  | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
 
-diff --git a/base/java-tools/man/man1/CMCEnroll.1 b/base/java-tools/man/man1/CMCEnroll.1
-new file mode 100644
-index 0000000..4cc861f
---- /dev/null
-+++ b/base/java-tools/man/man1/CMCEnroll.1
-@@ -0,0 +1,570 @@
-+.\" First parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH CMCEnroll 1 "July 20, 2016" "version 10.3" "PKI CMC Enrollment Tool" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh        disable hyphenation
-+.\" .hy        enable hyphenation
-+.\" .ad l      left justify
-+.\" .ad b      justify to both left and right margins
-+.\" .nf        disable filling
-+.\" .fi        enable filling
-+.\" .br        insert line break
-+.\" .sp <n>    insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+CMCEnroll \- Used to sign a certificate request with an agent's certificate.
-+
-+.SH SYNOPSIS
-+.PP
-+\fBCMCEnroll -d <directory_of_NSS_security_database_containing_agent_cert> -n <certificate_nickname> -r <certificate_request_file> -p <certificate_DB_passwd>\fP
-+
-+.SH DESCRIPTION
-+.PP
-+The Certificate Management over Cryptographic Message Syntax (CMC) Enrollment utility, \fBCMCEnroll\fP, provides a command-line utility used to sign a certificate request with an agent's certificate. This can be used in conjunction with the CA end-entity CMC Enrollment form to sign and enroll certificates for users.
-+.PP
-+\fBCMCEnroll\fP takes a standard PKCS #10 certificate request and signs it with an agent certificate. The output is also a certificate request which can be submitted through the appropriate profile.
-+
-+.SH OPTIONS
-+.PP
-+The following parameters are mandatory:
-+.PP
-+\fBNote:\fP
-+Surround values that include spaces with quotation marks.
-+.TP
-+.B -d <directory_of_NSS_security_database_containing_agent_cert>
-+The directory containing the \fBcert8.db\fP, \fBkey3.db\fP, and \fBsecmod.db\fP files associated with the agent certificate. This is usually the agent's personal directory, such as their browser certificate database in the home directory.
-+
-+.TP
-+.B -n <certificate_nickname>
-+The nickname of the agent certificate that is used to sign the request.
-+
-+.TP
-+.B -r <certificate_request_file>
-+The filename of the certificate request.
-+
-+.TP
-+.B -p <certificate_DB_passwd>
-+The password to the NSS certificate database which contains the agent certificate, given in \fB-d <directory_of_NSS_security_database_containing_agent_cert>\fP.
-+
-+.SH EXAMPLES
-+.PP
-+Signed requests must be submitted to the CA to be processed.
-+.PP
-+\fBNote:\fP For this example to work automatically, the \fBCMCAuth\fP plug-in must be enabled on the CA server (which it is by default).
-+.TP
-+(1) Create a PKCS #10 certificate request using a tool like \fBcertutil\fP:
-+.IP
-+.nf
-+# cd ~/.mozilla/firefox/<browser profile>
-+
-+# certutil -d . -L
-+Certificate Nickname                                         Trust Attributes
-+                                                             SSL,S/MIME,JAR/XPI
-+
-+Google Internet Authority G2                                 ,,
-+COMODO RSA Domain Validation Secure Server CA                ,,
-+pki.example.com                                              ,,
-+DigiCert SHA2 Secure Server CA                               ,,
-+DigiCert SHA2 Extended Validation Server CA                  ,,
-+COMODO RSA Extended Validation Secure Server CA 2            ,,
-+Symantec Class 3 Secure Server CA - G4                       ,,
-+Go Daddy Secure Certificate Authority - G2                   ,,
-+Oracle SSL CA - G2                                           ,,
-+GeoTrust EV SSL CA - G4                                      ,,
-+Symantec Class 3 Secure Server SHA256 SSL CA                 ,,
-+GeoTrust SSL CA - G3                                         ,,
-+PKI Administrator for example.com                            u,u,u
-+DigiCert SHA2 High Assurance Server CA                       ,,
-+COMODO RSA Organization Validation Secure Server CA          ,,
-+CA Signing Certificate - example.com Security Domain         CT,C,C
-+
-+# certutil -d . -R -s "CN=CMCEnroll Test Certificate" -a
-+
-+A random seed must be generated that will be used in the
-+creation of your key.  One of the easiest ways to create a
-+random seed is to use the timing of keystrokes on a keyboard.
-+
-+To begin, type keys on the keyboard until this progress meter
-+is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
-+
-+
-+Continue typing until the progress meter is full:
-+
-+|************************************************************|
-+
-+Finished.  Press enter to continue:
-+
-+
-+Generating key.  This may take a few moments...
-+
-+
-+Certificate request generated by Netscape certutil
-+Phone: (not specified)
-+
-+Common Name: CMCEnroll Test Certificate
-+Email: (not specified)
-+Organization: (not specified)
-+State: (not specified)
-+Country: (not specified)
-+
-+-----BEGIN CERTIFICATE REQUEST-----
-+MIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNh
-+dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAt
-+IyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK7
-+6NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGM
-+QduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2R
-+WOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrF
-+rGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH
-+68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAQ9aHQvPDcDuOJOL62pQeoDJp
-+YtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2fpfdrHB5901TdehlghQVOkN6
-+sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9wXz5ZY/QwSx6C97SodF0cuDHL
-+FsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ+FGfQvmAqc9xHu5jvnBXX+Ub
-+ucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SBSa/Zxjy2iVMrQBeOiLcu8bTL
-+TAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9DRJd1FJoocw0eGhw31I5rJA==
-+-----END CERTIFICATE REQUEST-----
-+.if
-+
-+.TP
-+(2) Copy the PKCS #10 ASCII output to a text file.
-+.IP
-+.nf
-+# vi cert.req
-+-----BEGIN CERTIFICATE REQUEST-----
-+MIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNh
-+dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAt
-+IyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK7
-+6NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGM
-+QduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2R
-+WOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrF
-+rGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH
-+68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAQ9aHQvPDcDuOJOL62pQeoDJp
-+YtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2fpfdrHB5901TdehlghQVOkN6
-+sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9wXz5ZY/QwSx6C97SodF0cuDHL
-+FsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ+FGfQvmAqc9xHu5jvnBXX+Ub
-+ucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SBSa/Zxjy2iVMrQBeOiLcu8bTL
-+TAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9DRJd1FJoocw0eGhw31I5rJA==
-+-----END CERTIFICATE REQUEST-----
-+.if
-+
-+.TP
-+(3) Run the \fBCMCEnroll\fP command to sign the certificate request. If the input file is "\fB~/.mozilla/firefox/<profile>/cert.req\fP", the agent's certificate is stored in the "\fB~/.mozilla/firefox\<profile>fP" directory, the certificate common name for this CA is "\fBPKI Administrator for example.com\fP", and the password for the certificate database is "\fBSecret123\fP", the command is as follows:
-+.IP
-+.nf
-+# CMCEnroll -d "~/.mozilla/firefox/<profile>/" -n "PKI Administrator for example.com" -r "~/.mozilla/firefox/<profile>/cert.req" -p "Secret123"
-+cert/key prefix =
-+path = ~/.mozilla/firefox/<profile>/
-+-----BEGIN CERTIFICATE REQUEST-----
-+MIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAQ9aHQvPDcDuOJOL62pQeoDJpYtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2fpfdrHB5901TdehlghQVOkN6sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9wXz5ZY/QwSx6C97SodF0cuDHLFsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ+FGfQvmAqc9xHu5jvnBXX+UbucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SBSa/Zxjy2iVMrQBeOiLcu8bTLTAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9DRJd1FJoocw0eGhw31I5rJA==-----END CERTIFICATE REQUEST-----
-+.if
-+The output of this command is stored in a file with the same filename as the request with a \fB.out\fP appended to the filename (e. g. - cert.req.out):
-+.IP
-+.nf
-+# cat cert.req.out
-+-----BEGIN CERTIFICATE REQUEST-----
-+MIIMhwYJKoZIhvcNAQcCoIIMeDCCDHQCAQMxCzAJBgUrDgMCGgUAMIIC6QYIKwYB
-+BQUHDAKgggLbBIIC1zCCAtMwVDAvAgECBggrBgEFBQcHBjEgBB5Da2UvQ1V6VEZF
-+Rzgwa1Ryb1dsNjVuTUZhMEU9DQowIQIBAwYIKwYBBQUHBwUxEgIQU05oqk+q+FdR
-+go/eIzsjGTCCAnWgggJxAgEBMIICajCCAVICAQAwJTEjMCEGA1UEAxMaQ01DRW5y
-+b2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-+AoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJSrR/C7W05tPvrlp5vUKxpmcA
-++Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad7ay9IBBY4QqqBmRnfT3Mm6U5
-+tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+srGSe0fM7bqK+AU6aJh4r0jc1
-+A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8sUzKgNhkuhjPU5U5YGt9+0jiu
-+qv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x/Hgw/aZoSDFYXON9jFTFyMUy
-+UkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA
-+Q9aHQvPDcDuOJOL62pQeoDJpYtFmsDaksdhedG27usjPuX06XmzSIV3/D2zfPib2
-+fpfdrHB5901TdehlghQVOkN6sSoih60GSD9zCkFD1eESywJJeZssRfDG4gk2Ls9w
-+Xz5ZY/QwSx6C97SodF0cuDHLFsymesuxhePL7sYkkmazjgQTkA/JXLe6FYX213xQ
-++FGfQvmAqc9xHu5jvnBXX+UbucixaLKUiRIVHfTmuUb/qenEBQM2vzWDZawHL5SB
-+Sa/Zxjy2iVMrQBeOiLcu8bTLTAmSCbonRTilFrKFVG0H+Y9+5bulOdJc64XOvj9D
-+RJd1FJoocw0eGhw31I5rJDAAMACggge1MIIDzDCCArSgAwIBAgIBATANBgkqhkiG
-+9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vyc3lzLnJlZGhhdC5jb20gU2VjdXJpdHkg
-+RG9tYWluMR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE2MDcy
-+MTIzNDAyNVoXDTM2MDcyMTIzNDAyNVowTjErMCkGA1UECgwidXNlcnN5cy5yZWRo
-+YXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0
-+aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKmWoikqOPpH
-+0JLW3SZ1SPojvndjdILqDuGuRmqtcLuzZtmNuY7ZVwrXt61G1SCCBoEiy/OcUCKM
-+GVpw0M15Dn3sjJmd9F2R5lrGT2eMWWfVTr15RyEwK9Pn0mxTDN+0eZ4WDY9U4Zg4
-+2qZYIhkfGSTR5jhA4rs3uNOFm0ElLqDumGw3EXjJOy+RURvNbY4Pjlz89+Q2o6M0
-+/XMmMYzxVtXusKu1bvTKIiWoWCXR5ge78GoT/8reer+zxuSXiKSeVV2myvCQhmMH
-+AD2rik/7hazuY2ztC8h9HF09PMSeK2ev6PlzSV/PEqj9u5bgOcbqeiQkzR6IOcSi
-+JCn9o7B+AUMCAwEAAaOBtDCBsTAfBgNVHSMEGDAWgBS7NphdZcuI4IcjN29b96+L
-+iuu6tTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQU
-+uzaYXWXLiOCHIzdvW/evi4rrurUwTgYIKwYBBQUHAQEEQjBAMD4GCCsGAQUFBzAB
-+hjJodHRwOi8vcGtpLWRlc2t0b3AudXNlcnN5cy5yZWRoYXQuY29tOjgwODAvY2Ev
-+b2NzcDANBgkqhkiG9w0BAQsFAAOCAQEANUYLK65kV0na9zmtNGFje4akz4FBRAOh
-+f/RYvtH4/0z38vW/E6fZkfb6CHrC4pNPfL6c0q/8H0mIrAft4kkQlTyJB9tdF5qY
-+vCfUMmZ+zM664U/97nf7NSUu9PIFcNfh+/O9IoVUd7gEerRISJzbsmHAcCcfIiKX
-+FsM+6HbEt+lH47flb/eSA2cUS84bC+XlZmKpse1R8PL/rKzngReZmMhNx73pYlEN
-+0qOpJILEMC1FVUExp6XnnP/m1+gY3T2FrIcUU7Jm1mCnln3VcLxkRU2c9tGj4xYr
-+H8teMoQHLZTiqe/54h+3/pUEDgSATAHnex/uG33TXNDbpeNeq720eDCCA+EwggLJ
-+oAMCAQICAQYwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UECgwidXNlcnN5cy5yZWRo
-+YXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0
-+aWZpY2F0ZTAeFw0xNjA3MjEyMzQwMzBaFw0xODA3MTEyMzQwMzBaMHQxKzApBgNV
-+BAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xKTAnBgkqhkiG
-+9w0BCQEWGmNhYWRtaW5AdXNlcnN5cy5yZWRoYXQuY29tMRowGAYDVQQDDBFQS0kg
-+QWRtaW5pc3RyYXRvcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKPQ
-+fOUyTIkdDnPzBrFRBknHqjYMrRpUDBR+JlarT/Sr6PqNQPMcM7JvgBNmXG32H+5w
-+QH/sfVjOmKEJOMsh71vKiTM0wb5rIo08B34i9E5Cf2Wzx2/ht4qfWvSmb5ZBxy22
-+YpasKLdv7SwSDQr0U7h+Q/96Hgq85ONxWWN6XubgZxSfbs7QVcA0jVq+2inhT67B
-+0u4DO6MTxFJNCfDcWiA/M6xzKbjEqDUEh46Rk19krGPYsbfW2BMuOi7pyfTDJVJ5
-+CAUbo4bpR3eeo5KMbUvgF3WUxA1whOF2Oc6t0hdINW6Xeq3vpnwn3RyX2TRQ0zqi
-+n3K3uPdahteQNcRb/Q8CAwEAAaOBozCBoDAfBgNVHSMEGDAWgBS7NphdZcuI4Icj
-+N29b96+Liuu6tTBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAGGMmh0dHA6Ly9w
-+a2ktZGVza3RvcC51c2Vyc3lzLnJlZGhhdC5jb206ODA4MC9jYS9vY3NwMA4GA1Ud
-+DwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZI
-+hvcNAQELBQADggEBAADJNrg4qAZ1LxSz2Nn1k1SEmbugxrh8o1jpBAaSvLlv+blL
-++6wNq0D7c1GPzRO5TObyXgpbtHgofpKLSxw8cB3y8ugZMp7qJeCYxgzxQKEVMANW
-+6eZgAxvEe1J5Vyk/ELNiCtQmY7Mi+BtwvCF0xkCwYtOGlgeLV5t6GjBdG+jpZSIb
-+B0En0+t/JOwvqUAhzVStz/j9LgBza0P8ACd/s2Z/zjpot2JTXDofF0mbiGwMz4Em
-+/dOT3QhUr3QqFY/Q6T7c/wW7KbUXpNjwvLAV86A9Oojq32Z3ppJPnnDoLxLWvn8f
-+4rBdhhKrFhRZBYd91r3OExUIAEkFH9cmgPusjMsxggG6MIIBtgIBAzBTME4xKzAp
-+BgNVBAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xHzAdBgNV
-+BAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUCAQYwCQYFKw4DAhoFAKA+MBcGCSqG
-+SIb3DQEJAzEKBggrBgEFBQcMAjAjBgkqhkiG9w0BCQQxFgQUeIRBuSA10uyZK8LB
-+yc5Abz4f74AwDQYJKoZIhvcNAQEBBQAEggEAC1DFoKDcAzJUdIIucV61TqQtbBJT
-+H8hhnln3+TwAO+u3X55o74xZMgawy/3Hkt3CjYxYmWIYY9MZILb2UeD0VZz63yzq
-+F9tEZu2IhlvaOgP6NLcu8SxDImQ/GuvPIvGkGg0m/X3cwCHKymH7ZXAUfxQXgqbw
-+CAMc+DH99xx0yotaAr5HE9tauNJejo4CDVYwUn/5syTcw3molt2Ely2FIFEyI3HD
-+yPmP2OHw/xqlBhFvnoecbtpTq2DiWGPWJHSnzcdInuXudHHaIsribXK8HGw2MnCD
-+8Sq7UsrvBe50v0YebYzQdXYrsnluNc+Cwm2PdDQDfPT39e7iwGSLGi4KrQ==
-+-----END CERTIFICATE REQUEST-----
-+.if
-+
-+.TP
-+(4) Submit the signed certificate request through the CA end-entities page:
-+.IP
-+.nf
-+(a) Open the end-entities page.
-+
-+(b) Select the "Signed CMC-Authenticated User Certificate Enrollment" profile.
-+
-+(c) Paste the content of the output file into the first text area of this form.
-+
-+(d) Remove the "-----BEGIN CERTIFICATE REQUEST-----" header and the "-----END CERTIFICATE REQUEST-----" footer from the pasted content.
-+
-+(e) Fill in the contact information, and submit the form.
-+.if
-+
-+.TP
-+(5) The certificate is immediately processed and returned since a signed request was sent and the CMCAuth plug-in was enabled:
-+.IP
-+.nf
-+Congratulations, your request has been processed successfully
-+
-+Your request ID is \fB7\fP.
-+
-+\fBOutputs\fP
-+
-+* Certificate Pretty Print
-+
-+    Certificate:
-+        Data:
-+            Version:  v3
-+            Serial Number: 0x7
-+            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
-+            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
-+            Validity:
-+                Not Before: Thursday, July 21, 2016 6:28:20 PM MDT America/Denver
-+                Not  After: Tuesday, January 17, 2017 6:28:20 PM MST America/Denver
-+            Subject: CN=CMCEnroll Test Certificate
-+            Subject Public Key Info:
-+                Algorithm: RSA - 1.2.840.113549.1.1.1
-+                Public Key:
-+                    Exponent: 65537
-+                    Public Key Modulus: (2048 bits) :
-+                        DA:99:00:3A:A6:C2:BB:4E:78:9C:DC:30:2D:23:20:0C:
-+                        0A:4E:C5:2B:73:EE:4A:C7:89:4A:B4:7F:0B:B5:B4:E6:
-+                        D3:EF:AE:5A:79:BD:42:B1:A6:67:00:F8:F8:37:00:03:
-+                        69:E6:05:4C:40:EA:6C:EA:B8:80:BE:82:BB:E8:D2:93:
-+                        93:0E:0C:7B:4F:42:A3:06:9D:ED:AC:BD:20:10:58:E1:
-+                        0A:AA:06:64:67:7D:3D:CC:9B:A5:39:B4:95:9E:AA:FA:
-+                        B5:70:89:30:A3:1C:C7:96:58:2C:18:11:8C:41:DB:88:
-+                        ED:44:63:85:06:31:DE:9F:AC:AC:64:9E:D1:F3:3B:6E:
-+                        A2:BE:01:4E:9A:26:1E:2B:D2:37:35:03:AA:42:BF:FD:
-+                        97:30:E6:35:21:4C:E6:8C:81:27:36:AD:91:58:EA:67:
-+                        B1:64:38:50:39:9A:D6:BF:2C:53:32:A0:36:19:2E:86:
-+                        33:D4:E5:4E:58:1A:DF:7E:D2:38:AE:AA:FD:78:75:B2:
-+                        A2:ED:42:4D:DC:33:ED:90:45:D9:34:EA:C5:AC:68:2A:
-+                        2A:17:54:A8:B8:6B:76:6F:B1:FC:78:30:FD:A6:68:48:
-+                        31:58:5C:E3:7D:8C:54:C5:C8:C5:32:52:45:97:66:AE:
-+                        6C:7F:08:21:59:40:B6:AB:80:EC:6D:FB:C7:EB:C8:75
-+            Extensions:
-+                Identifier: Authority Key Identifier - 2.5.29.35
-+                    Critical: no
-+                    Key Identifier:
-+                        BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
-+                        8A:EB:BA:B5
-+                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
-+                    Critical: no
-+                    Access Description:
-+                        Method #0: ocsp
-+                        Location #0: URIName: http://pki.example.com:8080/ca/ocsp
-+                Identifier: Key Usage: - 2.5.29.15
-+                    Critical: yes
-+                    Key Usage:
-+                        Digital Signature
-+                        Non Repudiation
-+                        Key Encipherment
-+                Identifier: Extended Key Usage: - 2.5.29.37
-+                    Critical: no
-+                    Extended Key Usage:
-+                        1.3.6.1.5.5.7.3.2
-+                        1.3.6.1.5.5.7.3.4
-+        Signature:
-+            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
-+            Signature:
-+                6D:8B:99:D2:E9:D3:4E:7F:55:20:A6:7F:80:0C:72:B4:
-+                30:C5:4F:CB:D4:AC:57:85:D7:D2:CA:75:90:F7:2F:57:
-+                11:CB:67:16:08:0C:4C:23:D2:A5:A7:2E:4E:21:39:F5:
-+                D5:C7:6D:0B:DC:AD:48:E2:92:FF:99:C5:FC:CF:0E:89:
-+                69:B9:09:BA:9F:0E:84:AB:81:32:A7:8B:99:30:DF:75:
-+                2F:6C:61:5A:9C:87:77:DA:2C:EA:40:85:20:F2:DE:95:
-+                76:6B:D7:0B:8C:88:25:62:00:2D:04:30:F0:24:4B:64:
-+                2A:4A:E7:37:04:A2:BC:AD:B7:7F:BA:AA:74:41:2C:55:
-+                E9:E5:4B:92:18:BC:18:DC:FC:4B:EA:15:18:CE:B0:7A:
-+                3A:84:64:E2:31:1C:64:0A:79:3E:80:6E:43:12:30:8A:
-+                2A:67:6F:56:4B:56:55:C7:56:86:87:27:E4:C3:28:CA:
-+                05:D2:BD:0B:5D:10:A2:4E:96:9D:5B:2A:A0:0B:9B:B6:
-+                BB:8F:15:1F:D3:AF:79:E0:38:D3:F1:ED:D5:F1:F0:EB:
-+                F8:66:56:3F:2F:4F:4A:93:0E:2E:11:F3:F7:1B:37:61:
-+                08:E4:4A:92:4C:60:E3:1E:0A:0D:61:F2:AF:B2:E3:48:
-+                39:74:AA:5E:32:5B:AB:F3:55:3B:6B:1B:33:48:CB:21
-+        FingerPrint
-+            MD2:
-+                C2:58:80:9F:03:7D:5A:C2:3A:C2:42:D9:B8:CF:2D:17
-+            MD5:
-+                5F:D3:7C:1D:1F:59:3D:11:5E:B4:BE:75:D7:61:47:C6
-+            SHA-1:
-+                F4:29:98:68:76:3F:41:FD:5E:E9:C3:F6:8A:3A:25:F3:
-+                5C:A9:71:27
-+            SHA-256:
-+                66:8F:00:98:D4:FF:F1:E4:35:F2:8E:54:26:AD:98:02:
-+                8F:6C:98:02:49:0B:A7:E5:98:41:1D:FE:92:E1:6A:57
-+            SHA-512:
-+                E3:DB:3E:FB:9F:5F:CF:6D:79:1A:15:68:1A:42:5E:73:
-+                9A:ED:15:98:1D:D9:31:AF:00:45:37:1E:8A:98:C1:EA:
-+                F0:DF:57:E9:A7:F7:19:01:5B:79:2B:79:07:CE:66:D6:
-+                D6:C3:42:C9:D5:EE:50:71:7D:A5:94:DF:25:E6:CC:49
-+
-+* Certificate Base-64 Encoded
-+
-+-----BEGIN CERTIFICATE-----
-+MIIDkjCCAnqgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vy
-+c3lzLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWdu
-+aW5nIENlcnRpZmljYXRlMB4XDTE2MDcyMjAwMjgyMFoXDTE3MDExODAxMjgyMFow
-+JTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqG
-+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJ
-+SrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad
-+7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+s
-+rGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8s
-+UzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x
-+/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGjgaMw
-+gaAwHwYDVR0jBBgwFoAUuzaYXWXLiOCHIzdvW/evi4rrurUwTgYIKwYBBQUHAQEE
-+QjBAMD4GCCsGAQUFBzABhjJodHRwOi8vcGtpLWRlc2t0b3AudXNlcnN5cy5yZWRo
-+YXQuY29tOjgwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYI
-+KwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQBti5nS6dNOf1Ug
-+pn+ADHK0MMVPy9SsV4XX0sp1kPcvVxHLZxYIDEwj0qWnLk4hOfXVx20L3K1I4pL/
-+mcX8zw6JabkJup8OhKuBMqeLmTDfdS9sYVqch3faLOpAhSDy3pV2a9cLjIglYgAt
-+BDDwJEtkKkrnNwSivK23f7qqdEEsVenlS5IYvBjc/EvqFRjOsHo6hGTiMRxkCnk+
-+gG5DEjCKKmdvVktWVcdWhocn5MMoygXSvQtdEKJOlp1bKqALm7a7jxUf06954DjT
-+8e3V8fDr+GZWPy9PSpMOLhHz9xs3YQjkSpJMYOMeCg1h8q+y40g5dKpeMlur81U7
-+axszSMsh
-+-----END CERTIFICATE-----
-+
-+* Certificate Imports
-+----------------------
-+| Import Certificate |
-+----------------------
-+.if
-+
-+.TP
-+(6) Use the agent page to search for the new certificate:
-+.IP
-+.nf
-+Certificate   0x07
-+
-+Certificate contents
-+
-+    Certificate:
-+        Data:
-+            Version:  v3
-+            Serial Number: 0x7
-+            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
-+            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
-+            Validity:
-+                Not Before: Thursday, July 21, 2016 6:28:20 PM MDT America/Denver
-+                Not  After: Tuesday, January 17, 2017 6:28:20 PM MST America/Denver
-+            Subject: CN=CMCEnroll Test Certificate
-+            Subject Public Key Info:
-+                Algorithm: RSA - 1.2.840.113549.1.1.1
-+                Public Key:
-+                    Exponent: 65537
-+                    Public Key Modulus: (2048 bits) :
-+                        DA:99:00:3A:A6:C2:BB:4E:78:9C:DC:30:2D:23:20:0C:
-+                        0A:4E:C5:2B:73:EE:4A:C7:89:4A:B4:7F:0B:B5:B4:E6:
-+                        D3:EF:AE:5A:79:BD:42:B1:A6:67:00:F8:F8:37:00:03:
-+                        69:E6:05:4C:40:EA:6C:EA:B8:80:BE:82:BB:E8:D2:93:
-+                        93:0E:0C:7B:4F:42:A3:06:9D:ED:AC:BD:20:10:58:E1:
-+                        0A:AA:06:64:67:7D:3D:CC:9B:A5:39:B4:95:9E:AA:FA:
-+                        B5:70:89:30:A3:1C:C7:96:58:2C:18:11:8C:41:DB:88:
-+                        ED:44:63:85:06:31:DE:9F:AC:AC:64:9E:D1:F3:3B:6E:
-+                        A2:BE:01:4E:9A:26:1E:2B:D2:37:35:03:AA:42:BF:FD:
-+                        97:30:E6:35:21:4C:E6:8C:81:27:36:AD:91:58:EA:67:
-+                        B1:64:38:50:39:9A:D6:BF:2C:53:32:A0:36:19:2E:86:
-+                        33:D4:E5:4E:58:1A:DF:7E:D2:38:AE:AA:FD:78:75:B2:
-+                        A2:ED:42:4D:DC:33:ED:90:45:D9:34:EA:C5:AC:68:2A:
-+                        2A:17:54:A8:B8:6B:76:6F:B1:FC:78:30:FD:A6:68:48:
-+                        31:58:5C:E3:7D:8C:54:C5:C8:C5:32:52:45:97:66:AE:
-+                        6C:7F:08:21:59:40:B6:AB:80:EC:6D:FB:C7:EB:C8:75
-+            Extensions:
-+                Identifier: Authority Key Identifier - 2.5.29.35
-+                    Critical: no
-+                    Key Identifier:
-+                        BB:36:98:5D:65:CB:88:E0:87:23:37:6F:5B:F7:AF:8B:
-+                        8A:EB:BA:B5
-+                Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
-+                    Critical: no
-+                    Access Description:
-+                        Method #0: ocsp
-+                        Location #0: URIName: http://pki.example.com:8080/ca/ocsp
-+                Identifier: Key Usage: - 2.5.29.15
-+                    Critical: yes
-+                    Key Usage:
-+                        Digital Signature
-+                        Non Repudiation
-+                        Key Encipherment
-+                Identifier: Extended Key Usage: - 2.5.29.37
-+                    Critical: no
-+                    Extended Key Usage:
-+                        1.3.6.1.5.5.7.3.2
-+                        1.3.6.1.5.5.7.3.4
-+        Signature:
-+            Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
-+            Signature:
-+                6D:8B:99:D2:E9:D3:4E:7F:55:20:A6:7F:80:0C:72:B4:
-+                30:C5:4F:CB:D4:AC:57:85:D7:D2:CA:75:90:F7:2F:57:
-+                11:CB:67:16:08:0C:4C:23:D2:A5:A7:2E:4E:21:39:F5:
-+                D5:C7:6D:0B:DC:AD:48:E2:92:FF:99:C5:FC:CF:0E:89:
-+                69:B9:09:BA:9F:0E:84:AB:81:32:A7:8B:99:30:DF:75:
-+                2F:6C:61:5A:9C:87:77:DA:2C:EA:40:85:20:F2:DE:95:
-+                76:6B:D7:0B:8C:88:25:62:00:2D:04:30:F0:24:4B:64:
-+                2A:4A:E7:37:04:A2:BC:AD:B7:7F:BA:AA:74:41:2C:55:
-+                E9:E5:4B:92:18:BC:18:DC:FC:4B:EA:15:18:CE:B0:7A:
-+                3A:84:64:E2:31:1C:64:0A:79:3E:80:6E:43:12:30:8A:
-+                2A:67:6F:56:4B:56:55:C7:56:86:87:27:E4:C3:28:CA:
-+                05:D2:BD:0B:5D:10:A2:4E:96:9D:5B:2A:A0:0B:9B:B6:
-+                BB:8F:15:1F:D3:AF:79:E0:38:D3:F1:ED:D5:F1:F0:EB:
-+                F8:66:56:3F:2F:4F:4A:93:0E:2E:11:F3:F7:1B:37:61:
-+                08:E4:4A:92:4C:60:E3:1E:0A:0D:61:F2:AF:B2:E3:48:
-+                39:74:AA:5E:32:5B:AB:F3:55:3B:6B:1B:33:48:CB:21
-+        FingerPrint
-+            MD2:
-+                C2:58:80:9F:03:7D:5A:C2:3A:C2:42:D9:B8:CF:2D:17
-+            MD5:
-+                5F:D3:7C:1D:1F:59:3D:11:5E:B4:BE:75:D7:61:47:C6
-+            SHA-1:
-+                F4:29:98:68:76:3F:41:FD:5E:E9:C3:F6:8A:3A:25:F3:
-+                5C:A9:71:27
-+            SHA-256:
-+                66:8F:00:98:D4:FF:F1:E4:35:F2:8E:54:26:AD:98:02:
-+                8F:6C:98:02:49:0B:A7:E5:98:41:1D:FE:92:E1:6A:57
-+            SHA-512:
-+                E3:DB:3E:FB:9F:5F:CF:6D:79:1A:15:68:1A:42:5E:73:
-+                9A:ED:15:98:1D:D9:31:AF:00:45:37:1E:8A:98:C1:EA:
-+                F0:DF:57:E9:A7:F7:19:01:5B:79:2B:79:07:CE:66:D6:
-+                D6:C3:42:C9:D5:EE:50:71:7D:A5:94:DF:25:E6:CC:49
-+
-+Certificate request info
-+
-+Request ID: 7
-+
-+Installing this certificate in a server
-+
-+The following format can be used to install this certificate into a server.
-+
-+Base 64 encoded certificate
-+
-+-----BEGIN CERTIFICATE-----
-+MIIDkjCCAnqgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vy
-+c3lzLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWdu
-+aW5nIENlcnRpZmljYXRlMB4XDTE2MDcyMjAwMjgyMFoXDTE3MDExODAxMjgyMFow
-+JTEjMCEGA1UEAxMaQ01DRW5yb2xsIFRlc3QgQ2VydGlmaWNhdGUwggEiMA0GCSqG
-+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDamQA6psK7Tnic3DAtIyAMCk7FK3PuSseJ
-+SrR/C7W05tPvrlp5vUKxpmcA+Pg3AANp5gVMQOps6riAvoK76NKTkw4Me09Cowad
-+7ay9IBBY4QqqBmRnfT3Mm6U5tJWeqvq1cIkwoxzHllgsGBGMQduI7URjhQYx3p+s
-+rGSe0fM7bqK+AU6aJh4r0jc1A6pCv/2XMOY1IUzmjIEnNq2RWOpnsWQ4UDma1r8s
-+UzKgNhkuhjPU5U5YGt9+0jiuqv14dbKi7UJN3DPtkEXZNOrFrGgqKhdUqLhrdm+x
-+/Hgw/aZoSDFYXON9jFTFyMUyUkWXZq5sfwghWUC2q4DsbfvH68h1AgMBAAGjgaMw
-+gaAwHwYDVR0jBBgwFoAUuzaYXWXLiOCHIzdvW/evi4rrurUwTgYIKwYBBQUHAQEE
-+QjBAMD4GCCsGAQUFBzABhjJodHRwOi8vcGtpLWRlc2t0b3AudXNlcnN5cy5yZWRo
-+YXQuY29tOjgwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYI
-+KwYBBQUHAwIGCCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQBti5nS6dNOf1Ug
-+pn+ADHK0MMVPy9SsV4XX0sp1kPcvVxHLZxYIDEwj0qWnLk4hOfXVx20L3K1I4pL/
-+mcX8zw6JabkJup8OhKuBMqeLmTDfdS9sYVqch3faLOpAhSDy3pV2a9cLjIglYgAt
-+BDDwJEtkKkrnNwSivK23f7qqdEEsVenlS5IYvBjc/EvqFRjOsHo6hGTiMRxkCnk+
-+gG5DEjCKKmdvVktWVcdWhocn5MMoygXSvQtdEKJOlp1bKqALm7a7jxUf06954DjT
-+8e3V8fDr+GZWPy9PSpMOLhHz9xs3YQjkSpJMYOMeCg1h8q+y40g5dKpeMlur81U7
-+axszSMsh
-+-----END CERTIFICATE-----
-+
-+Base 64 encoded certificate with CA certificate chain in pkcs7 format
-+
-+-----BEGIN PKCS7-----
-+MIIHlQYJKoZIhvcNAQcCoIIHhjCCB4ICAQExADAPBgkqhkiG9w0BBwGgAgQAoIIH
-+ZjCCA5IwggJ6oAMCAQICAQcwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UECgwidXNl
-+cnN5cy5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwWQ0EgU2ln
-+bmluZyBDZXJ0aWZpY2F0ZTAeFw0xNjA3MjIwMDI4MjBaFw0xNzAxMTgwMTI4MjBa
-+MCUxIzAhBgNVBAMTGkNNQ0Vucm9sbCBUZXN0IENlcnRpZmljYXRlMIIBIjANBgkq
-+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2pkAOqbCu054nNwwLSMgDApOxStz7krH
-+iUq0fwu1tObT765aeb1CsaZnAPj4NwADaeYFTEDqbOq4gL6Cu+jSk5MODHtPQqMG
-+ne2svSAQWOEKqgZkZ309zJulObSVnqr6tXCJMKMcx5ZYLBgRjEHbiO1EY4UGMd6f
-+rKxkntHzO26ivgFOmiYeK9I3NQOqQr/9lzDmNSFM5oyBJzatkVjqZ7FkOFA5mta/
-+LFMyoDYZLoYz1OVOWBrfftI4rqr9eHWyou1CTdwz7ZBF2TTqxaxoKioXVKi4a3Zv
-+sfx4MP2maEgxWFzjfYxUxcjFMlJFl2aubH8IIVlAtquA7G37x+vIdQIDAQABo4Gj
-+MIGgMB8GA1UdIwQYMBaAFLs2mF1ly4jghyM3b1v3r4uK67q1ME4GCCsGAQUFBwEB
-+BEIwQDA+BggrBgEFBQcwAYYyaHR0cDovL3BraS1kZXNrdG9wLnVzZXJzeXMucmVk
-+aGF0LmNvbTo4MDgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQG
-+CCsGAQUFBwMCBggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAQEAbYuZ0unTTn9V
-+IKZ/gAxytDDFT8vUrFeF19LKdZD3L1cRy2cWCAxMI9Klpy5OITn11cdtC9ytSOKS
-+/5nF/M8OiWm5CbqfDoSrgTKni5kw33UvbGFanId32izqQIUg8t6VdmvXC4yIJWIA
-+LQQw8CRLZCpK5zcEorytt3+6qnRBLFXp5UuSGLwY3PxL6hUYzrB6OoRk4jEcZAp5
-+PoBuQxIwiipnb1ZLVlXHVoaHJ+TDKMoF0r0LXRCiTpadWyqgC5u2u48VH9OveeA4
-+0/Ht1fHw6/hmVj8vT0qTDi4R8/cbN2EI5EqSTGDjHgoNYfKvsuNIOXSqXjJbq/NV
-+O2sbM0jLITCCA8wwggK0oAMCAQICAQEwDQYJKoZIhvcNAQELBQAwTjErMCkGA1UE
-+CgwidXNlcnN5cy5yZWRoYXQuY29tIFNlY3VyaXR5IERvbWFpbjEfMB0GA1UEAwwW
-+Q0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0xNjA3MjEyMzQwMjVaFw0zNjA3MjEy
-+MzQwMjVaME4xKzApBgNVBAoMInVzZXJzeXMucmVkaGF0LmNvbSBTZWN1cml0eSBE
-+b21haW4xHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqG
-+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCplqIpKjj6R9CS1t0mdUj6I753Y3SC6g7h
-+rkZqrXC7s2bZjbmO2VcK17etRtUgggaBIsvznFAijBlacNDNeQ597IyZnfRdkeZa
-+xk9njFln1U69eUchMCvT59JsUwzftHmeFg2PVOGYONqmWCIZHxkk0eY4QOK7N7jT
-+hZtBJS6g7phsNxF4yTsvkVEbzW2OD45c/PfkNqOjNP1zJjGM8VbV7rCrtW70yiIl
-+qFgl0eYHu/BqE//K3nq/s8bkl4iknlVdpsrwkIZjBwA9q4pP+4Ws7mNs7QvIfRxd
-+PTzEnitnr+j5c0lfzxKo/buW4DnG6nokJM0eiDnEoiQp/aOwfgFDAgMBAAGjgbQw
-+gbEwHwYDVR0jBBgwFoAUuzaYXWXLiOCHIzdvW/evi4rrurUwDwYDVR0TAQH/BAUw
-+AwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFLs2mF1ly4jghyM3b1v3r4uK
-+67q1ME4GCCsGAQUFBwEBBEIwQDA+BggrBgEFBQcwAYYyaHR0cDovL3BraS1kZXNr
-+dG9wLnVzZXJzeXMucmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwDQYJKoZIhvcNAQEL
-+BQADggEBADVGCyuuZFdJ2vc5rTRhY3uGpM+BQUQDoX/0WL7R+P9M9/L1vxOn2ZH2
-++gh6wuKTT3y+nNKv/B9JiKwH7eJJEJU8iQfbXReamLwn1DJmfszOuuFP/e53+zUl
-+LvTyBXDX4fvzvSKFVHe4BHq0SEic27JhwHAnHyIilxbDPuh2xLfpR+O35W/3kgNn
-+FEvOGwvl5WZiqbHtUfDy/6ys54EXmZjITce96WJRDdKjqSSCxDAtRVVBMael55z/
-+5tfoGN09hayHFFOyZtZgp5Z91XC8ZEVNnPbRo+MWKx/LXjKEBy2U4qnv+eIft/6V
-+BA4EgEwB53sf7ht901zQ26XjXqu9tHgxAA==
-+-----END PKCS7-----
-+.if
-+
-+.SH AUTHORS
-+Matthew Harmsen <mharmsen@redhat.com>.
-+
-+.SH COPYRIGHT
-+Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU General Public
-+License, version 2 (GPLv2). A copy of this license is available at
-+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-+
-+.SH SEE ALSO
-+.BR CMCRequest(1), CMCResponse(1), CMCRevoke(1), pki(1)
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
+index 5155672..d095ab6 100644
+--- a/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/event/CertRequestProcessedEvent.java
+@@ -64,8 +64,7 @@ public class CertRequestProcessedEvent extends AuditEvent {
+ 
+         super(LOGGING_PROPERTY);
+ 
+-        setAttribute("InfoName", infoName);
+-        setAttribute("InfoValue", auditInfoCertValue(x509cert));
++        setAttribute("CertSerialNum", x509cert.getSerialNumber());
+ 
+         setParameters(new Object[] {
+                 subjectID,
 -- 
 1.8.3.1
 
 
-From eeaf6c2ec45415b2e32c46a0949539bef5e770a7 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 17 Aug 2016 16:44:48 +0200
-Subject: [PATCH 09/10] Allowing optional CA signing CSR.
-
-The CA signing CSR is already stored in request record which will
-be imported as part of migration process, so it's not necessary to
-export and reimport the CSR file again for migration.
-
-To allow optional CSR, the pki-server subsystem-cert-validate
-CLI has been modified to no longer check the CSR in CS.cfg. The
-ConfigurationUtils.loadCertRequest() has been modified to ignore
-the missing CSR in CS.cfg.
+From 641180a465d7fdf12a978c9c458e39bf6829cac2 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen <mharmsen@redhat.com>
+Date: Tue, 16 May 2017 12:58:17 -0600
+Subject: [PATCH 08/27] Added FIPS class to pkispawn
 
-https://fedorahosted.org/pki/ticket/2440
-(cherry picked from commit bde2cd1d3e65850c82a6ea7a6cebcae46a4408f2)
-(cherry picked from commit f422b219ec989bc7a5be9569643d4cb598b2887c)
+Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
+dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
 ---
- .../netscape/cms/servlet/csadmin/ConfigurationUtils.java    | 13 ++++++++++---
- base/server/python/pki/server/cli/subsystem.py              |  4 ----
- 2 files changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-index 3bd6d87..34500d0 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-@@ -2947,10 +2947,17 @@ public class ConfigurationUtils {
-         cert.setDN(subjectDN);
- 
-         String subsystem = config.getString(PCERT_PREFIX + tag + ".subsystem");
--        String certreq = config.getString(subsystem + "." + tag + ".certreq");
--        String formattedCertreq = CryptoUtil.reqFormat(certreq);
- 
--        cert.setRequest(formattedCertreq);
-+        try {
-+            String certreq = config.getString(subsystem + "." + tag + ".certreq");
-+            String formattedCertreq = CryptoUtil.reqFormat(certreq);
+ .../python/pki/server/deployment/__init__.py       |  2 ++
+ .../python/pki/server/deployment/pkihelper.py      | 41 ++++++++++++++++++++++
+ .../python/pki/server/deployment/pkimessages.py    |  4 +++
+ .../server/deployment/scriptlets/finalization.py   | 10 ++++--
+ base/server/sbin/pkispawn                          | 10 ++++++
+ 5 files changed, 65 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
+index 3d719de..709fe70 100644
+--- a/base/server/python/pki/server/deployment/__init__.py
++++ b/base/server/python/pki/server/deployment/__init__.py
+@@ -55,6 +55,7 @@ class PKIDeployer:
+         self.symlink = None
+         self.war = None
+         self.password = None
++        self.fips = None
+         self.hsm = None
+         self.certutil = None
+         self.modutil = None
+@@ -99,6 +100,7 @@ class PKIDeployer:
+         self.symlink = util.Symlink(self)
+         self.war = util.War(self)
+         self.password = util.Password(self)
++        self.fips = util.FIPS(self)
+         self.hsm = util.HSM(self)
+         self.certutil = util.Certutil(self)
+         self.modutil = util.Modutil(self)
+diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
+index a1345de..cf2a748 100644
+--- a/base/server/python/pki/server/deployment/pkihelper.py
++++ b/base/server/python/pki/server/deployment/pkihelper.py
+@@ -2172,6 +2172,47 @@ class Password:
+         return token_pwd
+ 
+ 
++class FIPS:
++    """PKI Deployment FIPS class"""
 +
-+            cert.setRequest(formattedCertreq);
++    def __init__(self, deployer):
++        self.mdict = deployer.mdict
 +
-+        } catch (EPropertyNotFound e) {
-+            // The CSR is optional for existing CA case.
-+            CMS.debug("ConfigurationUtils.loadCertRequest: " + tag + " cert has no CSR");
-+        }
-     }
++    def is_fips_enabled(self, critical_failure=False):
++        try:
++            # Always initialize FIPS mode as NOT enabled
++            self.mdict['pki_fips_mode_enabled'] = False
++
++            # Check to see if FIPS is enabled on this system
++            command = ["sysctl", "crypto.fips_enabled", "-bn"]
++
++            # Execute this "sysctl" command.
++            with open(os.devnull, "w") as fnull:
++                output = subprocess.check_output(command, stderr=fnull,
++                                                 close_fds=True)
++                if (output != "0"):
++                    # Set FIPS mode as enabled
++                    self.mdict['pki_fips_mode_enabled'] = True
++                    config.pki_log.info(log.PKIHELPER_FIPS_MODE_IS_ENABLED,
++                                        extra=config.PKI_INDENTATION_LEVEL_3)
++                    return True
++                else:
++                    config.pki_log.info(log.PKIHELPER_FIPS_MODE_IS_NOT_ENABLED,
++                                        extra=config.PKI_INDENTATION_LEVEL_3)
++                    return False
++        except subprocess.CalledProcessError as exc:
++            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
++                                 extra=config.PKI_INDENTATION_LEVEL_2)
++            if critical_failure:
++                raise
++        except OSError as exc:
++            config.pki_log.error(log.PKI_OSERROR_1, exc,
++                                 extra=config.PKI_INDENTATION_LEVEL_2)
++            if critical_failure:
++                raise
++        return False
++
++
+ class HSM:
+     """PKI Deployment HSM class"""
  
-     public static void generateCertRequest(IConfigStore config, String certTag, Cert cert) throws Exception {
-diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
-index 4651d74..c173ea2 100644
---- a/base/server/python/pki/server/cli/subsystem.py
-+++ b/base/server/python/pki/server/cli/subsystem.py
-@@ -917,10 +917,6 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
+diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
+index c8821bb..52c8e62 100644
+--- a/base/server/python/pki/server/deployment/pkimessages.py
++++ b/base/server/python/pki/server/deployment/pkimessages.py
+@@ -222,6 +222,10 @@ PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ."
+ PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ."
+ PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError:  pki_gid %s"
+ PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError:  pki_group %s"
++PKIHELPER_FIPS_MODE_IS_ENABLED = "FIPS mode is enabled on this operating "\
++    "system."
++PKIHELPER_FIPS_MODE_IS_NOT_ENABLED = "FIPS mode is NOT enabled on this "\
++    "operating system."
+ PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS = \
+     "Since clones using Hardware Security Modules (HSMs) must share their "\
+     "master's private keys, the 'pki_clone_pkcs12_path' and "\
+diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py
+index 75bb80e..ef750b9 100644
+--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py
++++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py
+@@ -58,8 +58,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+         if config.str2bool(deployer.mdict['pki_restart_configured_instance']):
+             deployer.systemd.restart()
+             # wait for startup
+-            # (must use 'http' protocol due to potential FIPS configuration)
+-            status = deployer.instance.wait_for_startup(60, False)
++            status = None
++            if deployer.fips.is_fips_enabled():
++                # must use 'http' protocol when FIPS mode is enabled
++                status = deployer.instance.wait_for_startup(
++                    60, secure_connection=False)
++            else:
++                status = deployer.instance.wait_for_startup(
++                    60, secure_connection=True)
+             if status is None:
+                 config.pki_log.error(
+                     "server failed to restart",
+diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
+index e6e337b..9394b8e 100755
+--- a/base/server/sbin/pkispawn
++++ b/base/server/sbin/pkispawn
+@@ -756,6 +756,16 @@ def print_final_install_information(mdict):
+               "      is a clone." %
+               (deployer.subsystem_name, mdict['pki_instance_name']))
  
-         print('  Cert ID: %s' % cert['id'])
++    if mdict['pki_fips_mode_enabled']:
++        print()
++        print("      This %s subsystem of the '%s' instance\n"
++              "      has FIPS mode enabled on this operating system." %
++              (deployer.subsystem_name, mdict['pki_instance_name']))
++        print()
++        print("      REMINDER:  Don't forget to update the appropriate FIPS\n"
++              "                 algorithms in server.xml in the '%s' instance."
++              % mdict['pki_instance_name'])
++
+     print(log.PKI_CHECK_STATUS_MESSAGE % mdict['pki_instance_name'])
+     print(log.PKI_INSTANCE_RESTART_MESSAGE % mdict['pki_instance_name'])
  
--        if not cert['request']:
--            print('  Status: ERROR: missing certificate request')
--            return False
--
-         if not cert['data']:
-             print('  Status: ERROR: missing certificate data')
-             return False
 -- 
 1.8.3.1
 
 
-From 5117e59121048db4c172caf322d803e26c3644fb Mon Sep 17 00:00:00 2001
+From dcbe7ce08fcf9512a6cf1ecf22ed080c0085e28a Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Sat, 20 Aug 2016 10:47:15 +0200
-Subject: [PATCH 10/10] Updated pki-server subsystem-cert-update CLI.
+Date: Wed, 17 May 2017 02:53:59 +0200
+Subject: [PATCH 10/27] Fixed audit event outcome for agent-rejected cert
+ request.
 
-The pki-server subsystem-cert-update CLI has been updated to
-use certutil to retrieve the certificate data from the proper
-token. It will also show a warning if the certificate request
-cannot be found.
+The outcome of CERT_REQUEST_PROCESSED event has been changed to
+Failure when the certificate request is rejected by an agent.
 
-The NSSDatabase constructor has been modified to normalize the
-name of internal NSS token to None. If the token name is None,
-the certutil will be executed without the -h option.
+https://pagure.io/dogtagpki/issue/2693
 
-The NSSDatabase.get_cert() has been modified to prepend the token
-name to the certificate nickname.
-
-https://fedorahosted.org/pki/ticket/2440
-(cherry picked from commit eb28cf05cfad246383dbda054c8cd477bc7acc73)
-(cherry picked from commit e0db19f831159689e9fd63b988799ee16b618dc6)
+Change-Id: I530de4fe08ba97a8676d56a6aaf6c11ab7c36e40
 ---
- base/common/python/pki/nssdb.py                | 11 ++++--
- base/server/python/pki/server/cli/subsystem.py | 49 +++++++++++++++-----------
- 2 files changed, 38 insertions(+), 22 deletions(-)
-
-diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
-index ed45654..736efca 100644
---- a/base/common/python/pki/nssdb.py
-+++ b/base/common/python/pki/nssdb.py
-@@ -105,7 +105,11 @@ class NSSDatabase(object):
-             directory = os.path.join(os.path.expanduser("~"), '.dogtag', 'nssdb')
- 
-         self.directory = directory
--        self.token = token
-+
-+        if token == 'internal' or token == 'Internal Key Storage Token':
-+            self.token = None
-+        else:
-+            self.token = token
- 
-         self.tmpdir = tempfile.mkdtemp()
- 
-@@ -425,12 +429,15 @@ class NSSDatabase(object):
-             '-d', self.directory
-         ]
- 
-+        fullname = nickname
-+
-         if self.token:
-             cmd.extend(['-h', self.token])
-+            fullname = self.token + ':' + fullname
- 
-         cmd.extend([
-             '-f', self.password_file,
--            '-n', nickname,
-+            '-n', fullname,
-             output_format_option
-         ])
- 
-diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
-index c173ea2..42da26e 100644
---- a/base/server/python/pki/server/cli/subsystem.py
-+++ b/base/server/python/pki/server/cli/subsystem.py
-@@ -21,10 +21,8 @@
- 
- from __future__ import absolute_import
- from __future__ import print_function
--import base64
- import getopt
- import getpass
--import nss.nss as nss
- import os
- import string
- import subprocess
-@@ -778,36 +776,47 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
-             sys.exit(1)
-         subsystem_cert = subsystem.get_subsystem_cert(cert_id)
- 
--        # get cert data from NSS database
--        nss.nss_init(instance.nssdb_dir)
--        nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname'])
--        data = base64.b64encode(nss_cert.der_data)
--        del nss_cert
--        nss.nss_shutdown()
-+        if self.verbose:
-+            print('Retrieving certificate %s from %s' %
-+                  (subsystem_cert['nickname'], subsystem_cert['token']))
-+
-+        token = subsystem_cert['token']
-+        nssdb = instance.open_nssdb(token)
-+        data = nssdb.get_cert(
-+            nickname=subsystem_cert['nickname'],
-+            output_format='base64')
-         subsystem_cert['data'] = data
- 
-         # format cert data for LDAP database
-         lines = [data[i:i + 64] for i in range(0, len(data), 64)]
-         data = string.join(lines, '\r\n') + '\r\n'
- 
--        # get cert request from local CA
-+        if self.verbose:
-+            print('Retrieving certificate request from CA database')
-+
-         # TODO: add support for remote CA
-         ca = instance.get_subsystem('ca')
-         if not ca:
-             print('ERROR: No CA subsystem in instance %s.' % instance_name)
-             sys.exit(1)
-+
-         results = ca.find_cert_requests(cert=data)
--        cert_request = results[-1]
--        request = cert_request['request']
--
--        # format cert request for CS.cfg
--        lines = request.splitlines()
--        if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
--            lines = lines[1:]
--        if lines[-1] == '-----END CERTIFICATE REQUEST-----':
--            lines = lines[:-1]
--        request = string.join(lines, '')
--        subsystem_cert['request'] = request
-+
-+        if results:
-+            cert_request = results[-1]
-+            request = cert_request['request']
-+
-+            # format cert request for CS.cfg
-+            lines = request.splitlines()
-+            if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
-+                lines = lines[1:]
-+            if lines[-1] == '-----END CERTIFICATE REQUEST-----':
-+                lines = lines[:-1]
-+            request = string.join(lines, '')
-+            subsystem_cert['request'] = request
-+
-+        else:
-+            print('WARNING: Certificate request not found')
+ base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+index 4494d2c..d8d8803 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+@@ -311,7 +311,7 @@ public class RequestProcessor extends CertProcessor {
+ 
+         audit(new CertRequestProcessedEvent(
+                 auditSubjectID,
+-                ILogger.SUCCESS,
++                ILogger.FAILURE,
+                 auditRequesterID,
+                 ILogger.SIGNED_AUDIT_REJECTION,
+                 req));
+-- 
+1.8.3.1
+
+
+From e54873d6dbb95e82632f888b90dc6d0d7836ad4d Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 17 May 2017 17:43:00 +0200
+Subject: [PATCH 11/27] Fixed audit event outcome for agent-canceled cert
+ request.
+
+The outcome of CERT_REQUEST_PROCESSED event has been changed to
+Failure when the certificate request is canceled by an agent.
+
+https://pagure.io/dogtagpki/issue/2694
+
+Change-Id: Iad25a135851188cc97106d81800e3b8443a2970a
+---
+ base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+index d8d8803..df5aae0 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+@@ -281,7 +281,7 @@ public class RequestProcessor extends CertProcessor {
+ 
+         audit(new CertRequestProcessedEvent(
+                 auditSubjectID,
+-                ILogger.SUCCESS,
++                ILogger.FAILURE,
+                 auditRequesterID,
+                 ILogger.SIGNED_AUDIT_CANCELLATION,
+                 req));
+-- 
+1.8.3.1
+
+
+From c6ed9679acba5d0072a16878ecf98e0843ab6a3a Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 17 May 2017 19:25:20 +0200
+Subject: [PATCH 12/27] Refactored UpdateCRL.process() (part 1).
+
+The UpdateCRL.process() has been refactored to reduce deeply
+nested if-statements with early return.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: I507bf72e28c3ba0ab98f24466bac2a40f1e6b198
+---
+ base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+index d873b1a..1182922 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+@@ -331,7 +331,11 @@ public class UpdateCRL extends CMSServlet {
+         header.addStringValue("crlIssuingPoint", crlIssuingPointId);
+         IPublisherProcessor lpm = mCA.getPublisherProcessor();
+ 
+-        if (crlIssuingPoint != null) {
++        if (crlIssuingPoint == null) {
++            CMS.debug("UpdateCRL: no CRL issuing point");
++            return;
++        }
++
+             if (clearCache != null && clearCache.equals("true") &&
+                     crlIssuingPoint.isCRLGenerationEnabled() &&
+                     crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE &&
+@@ -523,7 +527,5 @@ public class UpdateCRL extends CMSServlet {
+                     header.addStringValue("crlUpdate", "Scheduled");
+                 }
+             }
+-        }
+-        return;
+     }
+ }
+-- 
+1.8.3.1
+
+
+From 69d5dc82f8664d1eb5dfcdcec615088127c0ad97 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 17 May 2017 19:40:51 +0200
+Subject: [PATCH 13/27] Refactored UpdateCRL.process() (part 2).
+
+The UpdateCRL.process() has been refactored to reduce deeply
+nested if-statements with early return.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: I5591bf08e617614ca7def5ce5fff61e0925e4fc5
+---
+ .../com/netscape/cms/servlet/cert/UpdateCRL.java   | 32 +++++++++++-----------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+index 1182922..8669361 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+@@ -343,11 +343,25 @@ public class UpdateCRL extends CMSServlet {
+                                 == ICRLIssuingPoint.CRL_IP_INITIALIZED) {
+                 crlIssuingPoint.clearCRLCache();
+             }
+-            if (waitForUpdate != null && waitForUpdate.equals("true") &&
++            if (!(waitForUpdate != null && waitForUpdate.equals("true") &&
+                     crlIssuingPoint.isCRLGenerationEnabled() &&
+                     crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE &&
+                     crlIssuingPoint.isCRLIssuingPointInitialized()
+-                                == ICRLIssuingPoint.CRL_IP_INITIALIZED) {
++                                == ICRLIssuingPoint.CRL_IP_INITIALIZED)) {
++                if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) {
++                    header.addStringValue("crlUpdate", "notInitialized");
++                } else if (crlIssuingPoint.isCRLUpdateInProgress()
++                           != ICRLIssuingPoint.CRL_UPDATE_DONE ||
++                           crlIssuingPoint.isManualUpdateSet()) {
++                    header.addStringValue("crlUpdate", "inProgress");
++                } else if (!crlIssuingPoint.isCRLGenerationEnabled()) {
++                    header.addStringValue("crlUpdate", "Disabled");
++                } else {
++                    crlIssuingPoint.setManualUpdate(signatureAlgorithm);
++                    header.addStringValue("crlUpdate", "Scheduled");
++                }
++                return;
++            }
+                 if (test != null && test.equals("true") &&
+                         crlIssuingPoint.isCRLCacheTestingEnabled() &&
+                         (!mTesting.contains(crlIssuingPointId))) {
+@@ -513,19 +527,5 @@ public class UpdateCRL extends CMSServlet {
+                         }
+                     }
+                 }
+-            } else {
+-                if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) {
+-                    header.addStringValue("crlUpdate", "notInitialized");
+-                } else if (crlIssuingPoint.isCRLUpdateInProgress()
+-                           != ICRLIssuingPoint.CRL_UPDATE_DONE ||
+-                           crlIssuingPoint.isManualUpdateSet()) {
+-                    header.addStringValue("crlUpdate", "inProgress");
+-                } else if (!crlIssuingPoint.isCRLGenerationEnabled()) {
+-                    header.addStringValue("crlUpdate", "Disabled");
+-                } else {
+-                    crlIssuingPoint.setManualUpdate(signatureAlgorithm);
+-                    header.addStringValue("crlUpdate", "Scheduled");
+-                }
+-            }
+     }
+ }
+-- 
+1.8.3.1
+
+
+From ce9e6f1704d6c821429faafc778358202e1a233e Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 17 May 2017 19:43:06 +0200
+Subject: [PATCH 14/27] Refactored UpdateCRL.process() (part 3).
+
+The UpdateCRL.process() has been refactored to reduce deeply
+nested if-statements with early return.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: Ie3aa5f9154eec78e994cf89cc33616d2c5cbaf47
+---
+ base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+index 8669361..ca4a5bf 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+@@ -436,14 +436,17 @@ public class UpdateCRL extends CMSServlet {
+ 
+                     mTesting.remove(crlIssuingPointId);
+                     CMS.debug("CRL test finished.");
++                    return;
+                 } else if (test != null && test.equals("true") &&
+                            crlIssuingPoint.isCRLCacheTestingEnabled() &&
+                            mTesting.contains(crlIssuingPointId)) {
+                     header.addStringValue("crlUpdate", "testingInProgress");
++                    return;
+                 } else if (test != null && test.equals("true") &&
+                            (!crlIssuingPoint.isCRLCacheTestingEnabled())) {
+                     header.addStringValue("crlUpdate", "testingNotEnabled");
+-                } else {
++                    return;
++                }
+                     try {
+                         EBaseException publishError = null;
+ 
+@@ -526,6 +529,5 @@ public class UpdateCRL extends CMSServlet {
+                             throw e;
+                         }
+                     }
+-                }
+     }
+ }
+-- 
+1.8.3.1
+
+
+From 75f588c291c1ab27e1e2b4edaa4c254a8bbc21a2 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 17 May 2017 19:45:39 +0200
+Subject: [PATCH 15/27] Reformatted UpdateCRL.process().
+
+The UpdateCRL.process() has been reformatted to adjust the
+indentations after refactoring.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: Ic67376678d442b9e2a79f9375aef61eab99d1b5c
+---
+ .../com/netscape/cms/servlet/cert/UpdateCRL.java   | 348 ++++++++++-----------
+ 1 file changed, 174 insertions(+), 174 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+index ca4a5bf..7faecf1 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+@@ -336,198 +336,198 @@ public class UpdateCRL extends CMSServlet {
+             return;
+         }
+ 
+-            if (clearCache != null && clearCache.equals("true") &&
+-                    crlIssuingPoint.isCRLGenerationEnabled() &&
+-                    crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE &&
+-                    crlIssuingPoint.isCRLIssuingPointInitialized()
+-                                == ICRLIssuingPoint.CRL_IP_INITIALIZED) {
+-                crlIssuingPoint.clearCRLCache();
++        if (clearCache != null && clearCache.equals("true") &&
++                crlIssuingPoint.isCRLGenerationEnabled() &&
++                crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE &&
++                crlIssuingPoint.isCRLIssuingPointInitialized()
++                            == ICRLIssuingPoint.CRL_IP_INITIALIZED) {
++            crlIssuingPoint.clearCRLCache();
++        }
++        if (!(waitForUpdate != null && waitForUpdate.equals("true") &&
++                crlIssuingPoint.isCRLGenerationEnabled() &&
++                crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE &&
++                crlIssuingPoint.isCRLIssuingPointInitialized()
++                            == ICRLIssuingPoint.CRL_IP_INITIALIZED)) {
++            if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) {
++                header.addStringValue("crlUpdate", "notInitialized");
++            } else if (crlIssuingPoint.isCRLUpdateInProgress()
++                       != ICRLIssuingPoint.CRL_UPDATE_DONE ||
++                       crlIssuingPoint.isManualUpdateSet()) {
++                header.addStringValue("crlUpdate", "inProgress");
++            } else if (!crlIssuingPoint.isCRLGenerationEnabled()) {
++                header.addStringValue("crlUpdate", "Disabled");
++            } else {
++                crlIssuingPoint.setManualUpdate(signatureAlgorithm);
++                header.addStringValue("crlUpdate", "Scheduled");
+             }
+-            if (!(waitForUpdate != null && waitForUpdate.equals("true") &&
+-                    crlIssuingPoint.isCRLGenerationEnabled() &&
+-                    crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE &&
+-                    crlIssuingPoint.isCRLIssuingPointInitialized()
+-                                == ICRLIssuingPoint.CRL_IP_INITIALIZED)) {
+-                if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) {
+-                    header.addStringValue("crlUpdate", "notInitialized");
+-                } else if (crlIssuingPoint.isCRLUpdateInProgress()
+-                           != ICRLIssuingPoint.CRL_UPDATE_DONE ||
+-                           crlIssuingPoint.isManualUpdateSet()) {
+-                    header.addStringValue("crlUpdate", "inProgress");
+-                } else if (!crlIssuingPoint.isCRLGenerationEnabled()) {
+-                    header.addStringValue("crlUpdate", "Disabled");
+-                } else {
+-                    crlIssuingPoint.setManualUpdate(signatureAlgorithm);
+-                    header.addStringValue("crlUpdate", "Scheduled");
++            return;
++        }
++        if (test != null && test.equals("true") &&
++                crlIssuingPoint.isCRLCacheTestingEnabled() &&
++                (!mTesting.contains(crlIssuingPointId))) {
++            CMS.debug("CRL test started.");
++            mTesting.add(crlIssuingPointId);
++            BigInteger addLen = null;
++            BigInteger startFrom = null;
++            if (add != null && add.length() > 0 &&
++                    from != null && from.length() > 0) {
++                try {
++                    addLen = new BigInteger(add);
++                    startFrom = new BigInteger(from);
++                } catch (Exception e) {
+                 }
+-                return;
+             }
+-                if (test != null && test.equals("true") &&
+-                        crlIssuingPoint.isCRLCacheTestingEnabled() &&
+-                        (!mTesting.contains(crlIssuingPointId))) {
+-                    CMS.debug("CRL test started.");
+-                    mTesting.add(crlIssuingPointId);
+-                    BigInteger addLen = null;
+-                    BigInteger startFrom = null;
+-                    if (add != null && add.length() > 0 &&
+-                            from != null && from.length() > 0) {
+-                        try {
+-                            addLen = new BigInteger(add);
+-                            startFrom = new BigInteger(from);
+-                        } catch (Exception e) {
+-                        }
+-                    }
+-                    if (addLen != null && startFrom != null) {
+-                        Date revocationDate = CMS.getCurrentDate();
+-                        String err = null;
+-
+-                        CRLExtensions entryExts = crlEntryExtensions(reason, invalidity);
+-
+-                        BigInteger serialNumber = startFrom;
+-                        BigInteger counter = addLen;
+-                        BigInteger stepBy = null;
+-                        if (by != null && by.length() > 0) {
+-                            try {
+-                                stepBy = new BigInteger(by);
+-                            } catch (Exception e) {
+-                            }
+-                        }
++            if (addLen != null && startFrom != null) {
++                Date revocationDate = CMS.getCurrentDate();
++                String err = null;
+ 
+-                        long t1 = System.currentTimeMillis();
+-                        long t2 = 0;
+-
+-                        while (counter.compareTo(BigInteger.ZERO) > 0) {
+-                            RevokedCertImpl revokedCert =
+-                                    new RevokedCertImpl(serialNumber, revocationDate, entryExts);
+-                            crlIssuingPoint.addRevokedCert(serialNumber, revokedCert);
+-                            serialNumber = serialNumber.add(BigInteger.ONE);
+-                            counter = counter.subtract(BigInteger.ONE);
+-
+-                            if ((counter.compareTo(BigInteger.ZERO) == 0) ||
+-                                    (stepBy != null && ((counter.mod(stepBy)).compareTo(BigInteger.ZERO) == 0))) {
+-                                t2 = System.currentTimeMillis();
+-                                long t0 = t2 - t1;
+-                                t1 = t2;
+-                                try {
+-                                    if (signatureAlgorithm != null) {
+-                                        crlIssuingPoint.updateCRLNow(signatureAlgorithm);
+-                                    } else {
+-                                        crlIssuingPoint.updateCRLNow();
+-                                    }
+-                                } catch (Throwable e) {
+-                                    counter = BigInteger.ZERO;
+-                                    err = e.toString();
+-                                }
+-                                if (results != null && results.equals("1")) {
+-                                    addInfo(argSet, crlIssuingPoint, t0);
+-                                }
+-                            }
+-                        }
+-                        if (err != null) {
+-                            header.addStringValue("crlUpdate", "Failure");
+-                            header.addStringValue("error", err);
+-                        } else {
+-                            header.addStringValue("crlUpdate", "Success");
+-                        }
+-                    } else {
+-                        CMS.debug("CRL test error: missing parameters.");
+-                        header.addStringValue("crlUpdate", "missingParameters");
+-                    }
++                CRLExtensions entryExts = crlEntryExtensions(reason, invalidity);
+ 
+-                    mTesting.remove(crlIssuingPointId);
+-                    CMS.debug("CRL test finished.");
+-                    return;
+-                } else if (test != null && test.equals("true") &&
+-                           crlIssuingPoint.isCRLCacheTestingEnabled() &&
+-                           mTesting.contains(crlIssuingPointId)) {
+-                    header.addStringValue("crlUpdate", "testingInProgress");
+-                    return;
+-                } else if (test != null && test.equals("true") &&
+-                           (!crlIssuingPoint.isCRLCacheTestingEnabled())) {
+-                    header.addStringValue("crlUpdate", "testingNotEnabled");
+-                    return;
+-                }
++                BigInteger serialNumber = startFrom;
++                BigInteger counter = addLen;
++                BigInteger stepBy = null;
++                if (by != null && by.length() > 0) {
+                     try {
+-                        EBaseException publishError = null;
++                        stepBy = new BigInteger(by);
++                    } catch (Exception e) {
++                    }
++                }
+ 
++                long t1 = System.currentTimeMillis();
++                long t2 = 0;
++
++                while (counter.compareTo(BigInteger.ZERO) > 0) {
++                    RevokedCertImpl revokedCert =
++                            new RevokedCertImpl(serialNumber, revocationDate, entryExts);
++                    crlIssuingPoint.addRevokedCert(serialNumber, revokedCert);
++                    serialNumber = serialNumber.add(BigInteger.ONE);
++                    counter = counter.subtract(BigInteger.ONE);
++
++                    if ((counter.compareTo(BigInteger.ZERO) == 0) ||
++                            (stepBy != null && ((counter.mod(stepBy)).compareTo(BigInteger.ZERO) == 0))) {
++                        t2 = System.currentTimeMillis();
++                        long t0 = t2 - t1;
++                        t1 = t2;
+                         try {
+-                            long now1 = System.currentTimeMillis();
+-
+                             if (signatureAlgorithm != null) {
+                                 crlIssuingPoint.updateCRLNow(signatureAlgorithm);
+                             } else {
+                                 crlIssuingPoint.updateCRLNow();
+                             }
++                        } catch (Throwable e) {
++                            counter = BigInteger.ZERO;
++                            err = e.toString();
++                        }
++                        if (results != null && results.equals("1")) {
++                            addInfo(argSet, crlIssuingPoint, t0);
++                        }
++                    }
++                }
++                if (err != null) {
++                    header.addStringValue("crlUpdate", "Failure");
++                    header.addStringValue("error", err);
++                } else {
++                    header.addStringValue("crlUpdate", "Success");
++                }
++            } else {
++                CMS.debug("CRL test error: missing parameters.");
++                header.addStringValue("crlUpdate", "missingParameters");
++            }
+ 
+-                            long now2 = System.currentTimeMillis();
++            mTesting.remove(crlIssuingPointId);
++            CMS.debug("CRL test finished.");
++            return;
++        } else if (test != null && test.equals("true") &&
++                   crlIssuingPoint.isCRLCacheTestingEnabled() &&
++                   mTesting.contains(crlIssuingPointId)) {
++            header.addStringValue("crlUpdate", "testingInProgress");
++            return;
++        } else if (test != null && test.equals("true") &&
++                   (!crlIssuingPoint.isCRLCacheTestingEnabled())) {
++            header.addStringValue("crlUpdate", "testingNotEnabled");
++            return;
++        }
++        try {
++            EBaseException publishError = null;
+ 
+-                            header.addStringValue("time", "" + (now2 - now1));
+-                        } catch (EErrorPublishCRL e) {
+-                            publishError = e;
+-                        }
++            try {
++                long now1 = System.currentTimeMillis();
+ 
+-                        if (lpm != null && lpm.isCRLPublishingEnabled()) {
+-                            Enumeration<ILdapRule> rules = lpm.getRules(IPublisherProcessor.PROP_LOCAL_CRL);
+-                            if (rules != null && rules.hasMoreElements()) {
+-                                if (publishError != null) {
+-                                    header.addStringValue("crlPublished", "Failure");
+-                                    header.addStringValue("error", publishError.toString(locale));
+-                                } else {
+-                                    header.addStringValue("crlPublished", "Success");
+-                                }
+-                            }
+-                        }
++                if (signatureAlgorithm != null) {
++                    crlIssuingPoint.updateCRLNow(signatureAlgorithm);
++                } else {
++                    crlIssuingPoint.updateCRLNow();
++                }
+ 
+-                        // for audit log
+-                        SessionContext sContext = SessionContext.getContext();
+-                        String agentId = (String) sContext.get(SessionContext.USER_ID);
+-                        IAuthToken authToken = (IAuthToken) sContext.get(SessionContext.AUTH_TOKEN);
+-                        String authMgr = AuditFormat.NOAUTH;
++                long now2 = System.currentTimeMillis();
+ 
+-                        if (authToken != null) {
+-                            authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+-                        }
+-                        long endTime = CMS.getCurrentDate().getTime();
+-
+-                        if (crlIssuingPoint.getNextUpdate() != null) {
+-                            mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
+-                                    AuditFormat.LEVEL,
+-                                    AuditFormat.CRLUPDATEFORMAT,
+-                                    new Object[] {
+-                                            AuditFormat.FROMAGENT + " agentID: " + agentId,
+-                                            authMgr,
+-                                            "completed",
+-                                            crlIssuingPoint.getId(),
+-                                            crlIssuingPoint.getCRLNumber(),
+-                                            crlIssuingPoint.getLastUpdate(),
+-                                            crlIssuingPoint.getNextUpdate(),
+-                                            Long.toString(crlIssuingPoint.getCRLSize())
+-                                                    + " time: " + (endTime - startTime) }
+-                                    );
+-                        } else {
+-                            mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
+-                                    AuditFormat.LEVEL,
+-                                    AuditFormat.CRLUPDATEFORMAT,
+-                                    new Object[] {
+-                                            AuditFormat.FROMAGENT + " agentID: " + agentId,
+-                                            authMgr,
+-                                            "completed",
+-                                            crlIssuingPoint.getId(),
+-                                            crlIssuingPoint.getCRLNumber(),
+-                                            crlIssuingPoint.getLastUpdate(),
+-                                            "not set",
+-                                            Long.toString(crlIssuingPoint.getCRLSize())
+-                                                    + " time: " + (endTime - startTime) }
+-                                    );
+-                        }
+-                    } catch (EBaseException e) {
+-                        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", e.toString()));
+-                        if ((lpm != null) && lpm.isCRLPublishingEnabled() && (e instanceof ELdapException)) {
+-                            header.addStringValue("crlPublished", "Failure");
+-                            header.addStringValue("error", e.toString(locale));
+-                        } else {
+-                            throw e;
+-                        }
++                header.addStringValue("time", "" + (now2 - now1));
++            } catch (EErrorPublishCRL e) {
++                publishError = e;
++            }
++
++            if (lpm != null && lpm.isCRLPublishingEnabled()) {
++                Enumeration<ILdapRule> rules = lpm.getRules(IPublisherProcessor.PROP_LOCAL_CRL);
++                if (rules != null && rules.hasMoreElements()) {
++                    if (publishError != null) {
++                        header.addStringValue("crlPublished", "Failure");
++                        header.addStringValue("error", publishError.toString(locale));
++                    } else {
++                        header.addStringValue("crlPublished", "Success");
+                     }
++                }
++            }
++
++            // for audit log
++            SessionContext sContext = SessionContext.getContext();
++            String agentId = (String) sContext.get(SessionContext.USER_ID);
++            IAuthToken authToken = (IAuthToken) sContext.get(SessionContext.AUTH_TOKEN);
++            String authMgr = AuditFormat.NOAUTH;
++
++            if (authToken != null) {
++                authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
++            }
++            long endTime = CMS.getCurrentDate().getTime();
++
++            if (crlIssuingPoint.getNextUpdate() != null) {
++                mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
++                        AuditFormat.LEVEL,
++                        AuditFormat.CRLUPDATEFORMAT,
++                        new Object[] {
++                                AuditFormat.FROMAGENT + " agentID: " + agentId,
++                                authMgr,
++                                "completed",
++                                crlIssuingPoint.getId(),
++                                crlIssuingPoint.getCRLNumber(),
++                                crlIssuingPoint.getLastUpdate(),
++                                crlIssuingPoint.getNextUpdate(),
++                                Long.toString(crlIssuingPoint.getCRLSize())
++                                        + " time: " + (endTime - startTime) }
++                        );
++            } else {
++                mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
++                        AuditFormat.LEVEL,
++                        AuditFormat.CRLUPDATEFORMAT,
++                        new Object[] {
++                                AuditFormat.FROMAGENT + " agentID: " + agentId,
++                                authMgr,
++                                "completed",
++                                crlIssuingPoint.getId(),
++                                crlIssuingPoint.getCRLNumber(),
++                                crlIssuingPoint.getLastUpdate(),
++                                "not set",
++                                Long.toString(crlIssuingPoint.getCRLSize())
++                                        + " time: " + (endTime - startTime) }
++                        );
++            }
++        } catch (EBaseException e) {
++            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", e.toString()));
++            if ((lpm != null) && lpm.isCRLPublishingEnabled() && (e instanceof ELdapException)) {
++                header.addStringValue("crlPublished", "Failure");
++                header.addStringValue("error", e.toString(locale));
++            } else {
++                throw e;
++            }
++        }
+     }
+ }
+-- 
+1.8.3.1
+
+
+From 3c43b1119ca978c296a38a9fe404e1c0cdcdab63 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Mon, 15 May 2017 18:15:36 -0700
+Subject: [PATCH 16/27] Tocket2673- CMC: allow enrollment key signed
+ (self-signed) CMC with identity proof
+
+This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
+---
+ base/ca/shared/conf/CS.cfg                         |   9 +-
+ .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg |  85 ++++
+ base/ca/shared/webapps/ca/WEB-INF/web.xml          |  28 ++
+ .../certsrv/authentication/IAuthManager.java       |   1 +
+ .../certsrv/authentication/IAuthSubsystem.java     |   5 +
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  12 +-
+ .../src/com/netscape/cmstools/CMCRequest.java      | 166 ++++++-
+ .../src/com/netscape/cmstools/CRMFPopClient.java   |  32 ++
+ .../src/com/netscape/cmstools/PKCS10Client.java    |  87 ++--
+ .../cms/authentication/CMCUserSignedAuth.java      | 543 +++++++++++++--------
+ .../netscape/cms/profile/common/EnrollProfile.java | 223 +++++++--
+ .../netscape/cms/profile/def/CAEnrollDefault.java  |  37 +-
+ .../def/SubjectKeyIdentifierExtDefault.java        |  21 +-
+ .../netscape/cms/profile/input/EnrollInput.java    |  19 +-
+ .../cms/servlet/processors/CRMFProcessor.java      |  35 +-
+ .../servlet/profile/ProfileSubmitCMCServlet.java   |  49 +-
+ base/server/cmsbundle/src/LogMessages.properties   |  24 +-
+ .../com/netscape/cmscore/security/KeyCertUtil.java |  12 +-
+ .../com/netscape/cmsutil/crypto/CryptoUtil.java    | 181 ++++++-
+ base/util/src/netscape/security/pkcs/PKCS10.java   |  31 +-
+ .../netscape/security/pkcs/PKCS10Attributes.java   |   2 +
+ 21 files changed, 1204 insertions(+), 398 deletions(-)
+ create mode 100644 base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 3eb5b1b..f6297a3 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -735,7 +735,6 @@ ca.publish.rule.instance.LdapXCertRule.predicate=
+ ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
+ ca.publish.rule.instance.LdapXCertRule.type=xcert
+ cmc.cert.confirmRequired=false
+-cmc.lraPopWitness.verify.allow=false
+ cmc.popLinkWitnessRequired=false
+ cmc.revokeCert.verify=true
+ cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+@@ -908,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
+ log.instance.SignedAudit.flushInterval=5
+@@ -971,7 +970,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
+ oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
+ oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
+ os.userid=nobody
+-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
++profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+ profile.caUUIDdeviceCert.class_id=caEnrollImpl
+ profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
+ profile.caManualRenewal.class_id=caEnrollImpl
+@@ -1018,6 +1017,8 @@ profile.caFullCMCUserCert.class_id=caEnrollImpl
+ profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserCert.cfg
+ profile.caFullCMCUserSignedCert.class_id=caEnrollImpl
+ profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg
++profile.caFullCMCSelfSignedCert.class_id=caEnrollImpl
++profile.caFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSelfSignedCert.cfg
+ profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
+ profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg
+ profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
+diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+new file mode 100644
+index 0000000..db3fbd6
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+@@ -0,0 +1,85 @@
++desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request
++enable=true
++enableBy=admin
++name=Self-Signed CMC User Certificate Enrollment
++visible=false
++auth.instance_id=CMCUserSignedAuth
++input.list=i1,i2
++input.i1.class_id=cmcCertReqInputImpl
++input.i2.class_id=submitterInfoInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++policyset.list=cmcUserCertSet
++policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
++policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
++policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
++policyset.cmcUserCertSet.1.constraint.params.accept=true
++policyset.cmcUserCertSet.1.constraint.params.pattern=.*
++policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
++policyset.cmcUserCertSet.1.default.name=Subject Name Default
++policyset.cmcUserCertSet.1.default.params.name=
++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
++policyset.cmcUserCertSet.2.constraint.params.range=365
++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
++policyset.cmcUserCertSet.2.default.name=Validity Default
++policyset.cmcUserCertSet.2.default.params.range=180
++policyset.cmcUserCertSet.2.default.params.startTime=0
++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.cmcUserCertSet.3.constraint.name=Key Constraint
++policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
++policyset.cmcUserCertSet.3.constraint.params.keyType=-
++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.cmcUserCertSet.3.default.name=Key Default
++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.4.constraint.name=No Constraint
++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.5.constraint.name=No Constraint
++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.cmcUserCertSet.5.default.name=AIA Extension Default
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.cmcUserCertSet.6.default.name=Key Usage Default
++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.7.constraint.name=No Constraint
++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.cmcUserCertSet.8.constraint.name=No Constraint
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.cmcUserCertSet.8.default.name=Signing Alg
++policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
+index dc61ab3..a550142 100644
+--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
++++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
+@@ -1576,6 +1576,29 @@
+    </servlet>
+ 
+    <servlet>
++      <servlet-name>  caProfileSubmitSelfSignedCMCFull  </servlet-name>
++      <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet  </servlet-class>
++             <init-param><param-name>  GetClientCert  </param-name>
++                         <param-value> false       </param-value> </init-param>
++             <init-param><param-name>  cert_request_type  </param-name>
++                         <param-value> cmc         </param-value> </init-param>
++             <init-param><param-name>  profileId   </param-name>
++                         <param-value> caFullCMCSelfSignedCert </param-value> </init-param>
++             <init-param><param-name>  AuthzMgr    </param-name>
++                         <param-value> BasicAclAuthz </param-value> </init-param>
++             <init-param><param-name>  authorityId  </param-name>
++                         <param-value> ca          </param-value> </init-param>
++             <init-param><param-name>  ID          </param-name>
++                         <param-value> caProfileSubmitSelfSignedCMCFull </param-value> </init-param>
++             <init-param><param-name>  templatePath  </param-name>
++                         <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param>
++             <init-param><param-name>  resourceID  </param-name>
++                         <param-value> certServer.ee.profile </param-value> </init-param>
++             <init-param><param-name>  interface   </param-name>
++                         <param-value> ee          </param-value> </init-param>
++   </servlet>
++
++   <servlet>
+       <servlet-name>  caProfileList  </servlet-name>
+       <servlet-class> com.netscape.cms.servlet.profile.ProfileListServlet  </servlet-class>
+              <init-param><param-name>  GetClientCert  </param-name>
+@@ -2284,6 +2307,11 @@
+       <url-pattern>   /ee/ca/profileSubmitUserSignedCMCFull  </url-pattern>
+    </servlet-mapping>
+ 
++   <servlet-mapping>
++      <servlet-name>  caProfileSubmitSelfSignedCMCFull  </servlet-name>
++      <url-pattern>   /ee/ca/profileSubmitSelfSignedCMCFull  </url-pattern>
++   </servlet-mapping>
++
+    <servlet-mapping>  
+       <servlet-name>  caProfileList  </servlet-name>
+       <url-pattern>   /ee/ca/profileList  </url-pattern>
+diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
+index 21639e2..7d30d2e 100644
+--- a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
++++ b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
+@@ -33,6 +33,7 @@ public interface IAuthManager {
+ 
+     /* standard credential for CMC request signing cert */
+     public static final String CRED_CMC_SIGNING_CERT = "cmcSigningCert";
++    public static final String CRED_CMC_SELF_SIGNED = "cmcSelfSigned";
+ 
+     /**
+      * Standard credential for client cert's serial number from revocation.
+diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java b/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java
+index e1ccc2d..9089527 100644
+--- a/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java
++++ b/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java
+@@ -119,6 +119,11 @@ public interface IAuthSubsystem extends ISubsystem {
+     public static final String CMCAUTH_AUTHMGR_ID = "CMCAuth";
+ 
+     /**
++     * Constant for CMC user-signed authentication manager ID.
++     */
++    public static final String CMC_USER_SIGNED_AUTH_AUTHMGR_ID = "CMCUserSignedAuth";
++
++    /**
+      * Authenticate the given credentials using the given manager name.
+      *
+      * @param authCred The authentication credentials
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 523b204..059363e 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -125,7 +125,11 @@ public class AuditEvent implements IBundleLogEvent {
+     public final static String CERT_PROFILE_APPROVAL =
+             "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4";
+     public final static String PROOF_OF_POSSESSION =
+-            "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
++            "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3";
++    public final static String CMC_PROOF_OF_IDENTIFICATION =
++            "LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3";
++    public final static String CMC_ID_POP_LINK_WITNESS =
++            "LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3";
+ 
+     public final static String CRL_RETRIEVAL =
+             "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3";
+@@ -143,8 +147,10 @@ public class AuditEvent implements IBundleLogEvent {
+             "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3";
+     public final static String CMC_SIGNED_REQUEST_SIG_VERIFY =
+             "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
+-    public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY =
+-            "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5";
++    public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS =
++            "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS_5";
++    public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE =
++            "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6";
+ 
+     public final static String COMPUTE_RANDOM_DATA_REQUEST =
+             "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
+diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+index ac523ad..6e27cb1 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+@@ -103,6 +103,9 @@ import com.netscape.cmsutil.util.HMACDigest;
+ import com.netscape.cmsutil.util.Utils;
+ 
+ import netscape.security.pkcs.PKCS10;
++import netscape.security.x509.KeyIdentifier;
++import netscape.security.x509.PKIXExtensions;
++import netscape.security.x509.SubjectKeyIdentifierExtension;
+ import netscape.security.x509.X500Name;
+ import netscape.security.x509.X509CertImpl;
+ 
+@@ -121,6 +124,7 @@ public class CMCRequest {
+     public static final int ARGC = 1;
+     public static final String HEADER = "-----BEGIN";
+     public static final String TRAILER = "-----END";
++    public static SubjectKeyIdentifierExtension skiExtn = null;
+ 
+     void cleanArgs(String[] s) {
+ 
+@@ -193,7 +197,7 @@ public class CMCRequest {
+     }
+ 
+     /**
+-     * signData signs the request PKIData
++     * signData signs the request PKIData using existing cert
+      *
+      * @param signerCert the certificate of the authorized signer of the CMC revocation request.
+      * @param nickname the nickname of the certificate inside the token.
+@@ -212,6 +216,15 @@ public class CMCRequest {
+         SignedData req = null;
+         System.out.println(method + "begins: ");
+ 
++        if (signerCert == null ||
++                tokenName == null ||
++                nickname == null ||
++                manager == null ||
++                pkidata == null) {
++            System.out.println(method + "method parameters cannot be null");
++            System.exit(1);
++        }
++
+         try {
+             java.security.PrivateKey privKey = null;
+             SignerIdentifier si = null;
+@@ -232,7 +245,72 @@ public class CMCRequest {
+             privKey = getPrivateKey(tokenName, nickname);
+             if (privKey != null)
+                 System.out.println(method + " got signer privKey");
++            else {
++                System.out.println(method + " signer privKey not foudn on token");
++                System.exit(1);
++            }
++
++            org.mozilla.jss.crypto.X509Certificate[] certChain = manager.buildCertificateChain(signerCert);
++            req = createSignedData(privKey, si, certChain, pkidata);
++
++            System.out.println(method + "signed request generated.");
++        } catch (Exception e) {
++            e.printStackTrace();
++            System.exit(1);
++        }
++
++        return req;
++    }
++
++    /*
++     * signData self-signs the PKIData using the private key that matches
++     * the public key in the request
++     */
++    static SignedData signData(
++            java.security.PrivateKey privKey,
++            PKIData pkidata) {
++        String method = "signData for selfSign: ";
++        System.out.println(method + "begins: ");
++        SignedData req = null;
++
++        if (privKey == null ||
++                pkidata == null) {
++            System.out.println(method + "method parameters cannot be null");
++            System.exit(1);
++        }
++
++        KeyIdentifier keyIdObj = null;
++        try {
++            keyIdObj = (KeyIdentifier) skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID);
++            SignerIdentifier si = new SignerIdentifier(
++                    SignerIdentifier.SUBJECT_KEY_IDENTIFIER,
++                    null, new OCTET_STRING(keyIdObj.getIdentifier()));
++            req = createSignedData(privKey, si, null /*certChain*/, pkidata);
++        } catch (Exception e) {
++            e.printStackTrace();
++            System.exit(1);
++        }
++        return req;
++    }
+ 
++    static SignedData createSignedData(
++            java.security.PrivateKey privKey,
++            SignerIdentifier signerId,
++            org.mozilla.jss.crypto.X509Certificate[] certChain,
++            PKIData pkidata) {
++
++        String method = "createSignedData: ";
++        System.out.println(method + "begins");
++        if (privKey == null ||
++                signerId == null ||
++                pkidata == null) {
++            // certChain could be null
++            System.out.println(method + "method parameters cannot be null");
++            System.exit(1);
++        }
++
++        SignedData req = null;
++        try {
+             EncapsulatedContentInfo ci = new EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata);
+             DigestAlgorithm digestAlg = null;
+             SignatureAlgorithm signAlg = getSigningAlgFromPrivate(privKey);
+@@ -251,11 +329,18 @@ public class CMCRequest {
+                 pkidata.encode(ostream);
+                 digest = SHADigest.digest(ostream.toByteArray());
+             } catch (NoSuchAlgorithmException e) {
+-                System.out.println(e); System.exit(1);}
++                System.out.println(e);
++                System.exit(1);
++            }
+             System.out.println(method + "digest created for pkidata");
+ 
+-            SignerInfo signInfo = new SignerInfo(si, null, null, OBJECT_IDENTIFIER.id_cct_PKIData, digest, signAlg,
++            SignerInfo signInfo = new SignerInfo(signerId, null, null,
++                    OBJECT_IDENTIFIER.id_cct_PKIData, digest, signAlg,
+                     (org.mozilla.jss.crypto.PrivateKey) privKey);
++
++            String digestAlgName = signInfo.getDigestEncryptionAlgorithm().toString();
++            System.out.println(method + "digest algorithm =" + digestAlgName);
++
+             SET signInfos = new SET();
+             signInfos.addElement(signInfo);
+ 
+@@ -266,21 +351,20 @@ public class CMCRequest {
+                 digestAlgs.addElement(ai);
+             }
+ 
+-            org.mozilla.jss.crypto.X509Certificate[] agentChain = manager.buildCertificateChain(signerCert);
+             SET certs = new SET();
+-
+-            for (int i = 0; i < agentChain.length; i++) {
+-                ANY cert = new ANY(agentChain[i].getEncoded());
+-                certs.addElement(cert);
++            if (certChain != null) {
++                System.out.println(method + "building cert chain");
++                for (int i = 0; i < certChain.length; i++) {
++                    ANY cert = new ANY(certChain[i].getEncoded());
++                    certs.addElement(cert);
++                }
+             }
+ 
+             req = new SignedData(digestAlgs, ci, certs, null, signInfos);
+-            System.out.println(method + "signed request generated.");
+         } catch (Exception e) {
+             e.printStackTrace();
+             System.exit(1);
+         }
+-
+         return req;
+     }
+ 
+@@ -325,6 +409,7 @@ public class CMCRequest {
+      * @return request in PKIData
+      */
+     static PKIData createPKIData(
++            String selfSign,
+             String[] rValue, String format, String transactionMgtEnable,
+             String transactionMgtId,
+             String identificationEnable, String identification,
+@@ -387,13 +472,26 @@ public class CMCRequest {
+                         }
+                         certReqMsg = (CertReqMsg) crmfMsgs.elementAt(0);
+ 
++                        CertRequest certReq = certReqMsg.getCertReq();
++                        CertTemplate certTemplate = certReq.getCertTemplate();
++                        if (selfSign.equals("true")) {
++                            skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil.getExtensionFromCertTemplate(
++                                    certTemplate,
++                                    PKIXExtensions.SubjectKey_Id);
++                            if (skiExtn != null) {
++                                System.out.println(method +
++                                        " SubjectKeyIdentifier extension found in self-signed request");
++                            } else {
++                                System.out.println(method +
++                                        " SubjectKeyIdentifier extension missing in self-signed request");
++                                System.exit(1);
++                            }
++                        }
+                         if (popLinkWitnessV2Enable.equals("true")) {
+                             System.out.println(method +
+                                     "popLinkWitnessV2 enabled. reconstructing crmf");
+                             //crmf reconstruction to include PopLinkWitnessV2 control
+-                            CertRequest certReq = certReqMsg.getCertReq();
+                             INTEGER certReqId = certReq.getCertReqId();
+-                            CertTemplate certTemplate = certReq.getCertTemplate();
+                             SEQUENCE controls = certReq.getControls();
+                             controls.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2,
+                                     popLinkWitnessV2Control));
+@@ -449,6 +547,22 @@ public class CMCRequest {
+                             System.out.println(method + " Excception:" + e2.toString());
+                             System.exit(1);
+                         }
++
++                        if (selfSign.equals("true")) {
++                            try {
++                                skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil.getExtensionFromPKCS10(
++                                        pkcs, "SubjectKeyIdentifier");
++                            } catch (IOException e) {
++                                System.out.println(method + "getting SubjectKeyIdentifiere..." + e);
++                            }
++
++                            if (skiExtn != null) {
++                                System.out.println(method + " SubjectKeyIdentifier extension found");
++                            } else {
++                                System.out.println(method + " SubjectKeyIdentifier extension missing");
++                                System.exit(1);
++                            }
++                        }
+                         ByteArrayInputStream crInputStream = new ByteArrayInputStream(
+                                 pkcs.toByteArray());
+                         CertificationRequest cr = (CertificationRequest) CertificationRequest.getTemplate()
+@@ -661,8 +775,13 @@ public class CMCRequest {
+         System.out.println("");
+         System.out.println("#nickname: nickname for agent certificate which will be used");
+         System.out.println("#to sign the CMC full request.");
++        System.out.println("#selfSign: if selfSign is true, the CMC request will be");
++        System.out.println("#signed with the pairing private key of the request;");
++        System.out.println("#and in which case the nickname will be ignored");
+         System.out.println("nickname=CMS Agent Certificate");
+         System.out.println("");
++        System.out.println("selfSign=false");
++        System.out.println("");
+         System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db");
+         System.out.println("dbdir=./");
+         System.out.println("");
+@@ -1700,6 +1819,7 @@ public class CMCRequest {
+         String popLinkWitnessV2Enable = "false", popLinkWitnessV2keyGenAlg = "SHA256", popLinkWitnessV2macAlg = "SHA256";
+         String popLinkWitnessEnable = "false";
+         String bodyPartIDs = null, lraPopWitnessEnable = "false";
++        String selfSign = "false";
+ 
+         System.out.println("");
+ 
+@@ -1760,6 +1880,8 @@ public class CMCRequest {
+                         decryptedPopEnable = val;
+                     } else if (name.equals("encryptedPopResponseFile")) {
+                         encryptedPopResponseFile = val;
++                    } else if (name.equals("request.selfSign")) {
++                        selfSign = val;
+                     } else if (name.equals("request.privKeyId")) {
+                         privKeyId = val;
+                     } else if (name.equals("decryptedPopRequestFile")) {
+@@ -1846,7 +1968,7 @@ public class CMCRequest {
+             printUsage();
+         }
+ 
+-        if (nickname == null) {
++        if (!selfSign.equals("true") && nickname == null) {
+             System.out.println("Missing nickname.");
+             printUsage();
+         }
+@@ -1898,14 +2020,14 @@ public class CMCRequest {
+                 System.out.println("got signerCert: "+ certname.toString());
+             }
+ 
+-            //cfu
+             ContentInfo cmcblob = null;
+             PKIData pkidata = null;
+             PrivateKey privk = null;
+-            if (decryptedPopEnable.equalsIgnoreCase("true") ||
++            if (selfSign.equalsIgnoreCase("true") ||
++                    decryptedPopEnable.equalsIgnoreCase("true") ||
+                     popLinkWitnessV2Enable.equalsIgnoreCase("true")) {
+                 if (privKeyId == null) {
+-                    System.out.println("ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified.");
++                    System.out.println("selfSign or ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified.");
+                     printUsage();
+                 } else {
+                     System.out.println("got request privKeyId: " + privKeyId);
+@@ -2095,6 +2217,7 @@ public class CMCRequest {
+ 
+                 // create the request PKIData
+                 pkidata = createPKIData(
++                        selfSign,
+                         requests,
+                         format, transactionMgtEnable, transactionMgtId,
+                         identificationEnable, identification,
+@@ -2114,7 +2237,16 @@ public class CMCRequest {
+             }
+ 
+             // sign the request
+-            SignedData signedData = signData(signerCert, tokenName, nickname, cm, pkidata);
++            SignedData signedData = null;
++            if (selfSign.equalsIgnoreCase("true")) {
++                // selfSign signes with private key
++                System.out.println("selfSign is true...");
++                signedData = signData(privk, pkidata);
++            } else {
++                // none selfSign signes with  existing cert
++                System.out.println("selfSign is false...");
++                signedData = signData(signerCert, tokenName, nickname, cm, pkidata);
++            }
+             if (signedData == null) {
+                 System.out.println("signData() returns null. Exiting with error");
+                 System.exit(1);
+diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+index d0e5c27..0057a1d 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+@@ -86,6 +86,8 @@ import com.netscape.cmsutil.util.HMACDigest;
+ import com.netscape.cmsutil.util.Utils;
+ 
+ import netscape.security.util.WrappingParams;
++import netscape.security.x509.KeyIdentifier;
++import netscape.security.x509.PKIXExtensions;
+ import netscape.security.x509.X500Name;
+ 
+ /**
+@@ -196,6 +198,8 @@ public class CRMFPopClient {
+         option.setArgName("keySet");
+         options.addOption(option);
+ 
++        options.addOption("y", false, "for Self-signed cmc.");
++
+         options.addOption("v", "verbose", false, "Run in verbose mode.");
+         options.addOption(null, "help", false, "Show help message.");
+ 
+@@ -214,6 +218,9 @@ public class CRMFPopClient {
+         System.out.println("  -k <true|false>              Attribute value encoding in subject DN (default: false)");
+         System.out.println("                               - true: enabled");
+         System.out.println("                               - false: disabled");
++        System.out.println("  -y <true|false>              Add SubjectKeyIdentifier extension in case of self-signed CMC requests (default: false)");
++        System.out.println("                               - true: enabled");
++        System.out.println("                               - false: disabled");
+         System.out.println("  -a <rsa|ec>                  Key algorithm (default: rsa)");
+         System.out.println("                               - rsa: RSA");
+         System.out.println("                               - ec: ECC");
+@@ -320,6 +327,8 @@ public class CRMFPopClient {
+         int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1"));
+         int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1"));
+ 
++        boolean self_sign = cmd.hasOption("y");
++
+         // get the key wrapping mechanism
+         boolean keyWrap = true;
+         if (cmd.hasOption("g")) {
+@@ -516,6 +525,7 @@ public class CRMFPopClient {
+ 
+             if (verbose) System.out.println("Creating certificate request");
+             CertRequest certRequest = client.createCertRequest(
++                    self_sign,
+                     token, transportCert, algorithm, keyPair,
+                     subject, archivalMechanism, wrappingKeySet);
+ 
+@@ -629,6 +639,19 @@ public class CRMFPopClient {
+             Name subject,
+             String archivalMechanism,
+             String wrappingKeySet) throws Exception {
++        return createCertRequest(false, token, transportCert, algorithm, keyPair,
++            subject, archivalMechanism, wrappingKeySet);
++    }
++
++    public CertRequest createCertRequest(
++            boolean self_sign,
++            CryptoToken token,
++            X509Certificate transportCert,
++            String algorithm,
++            KeyPair keyPair,
++            Name subject,
++            String archivalMechanism,
++            String wrappingKeySet) throws Exception {
+         EncryptionAlgorithm encryptAlg = null;
+ 
+         if (wrappingKeySet == null) {
+@@ -663,6 +686,15 @@ public class CRMFPopClient {
+         seq.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr));
+         */
+ 
++        if (self_sign) { // per rfc 5272
++            System.out.println("CRMFPopClient: self_sign true. Generating SubjectKeyIdentifier extension.");
++            KeyIdentifier subjKeyId = CryptoUtil.createKeyIdentifier(keyPair);
++            OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString());
++            SEQUENCE extns = new SEQUENCE();
++            extns.addElement(new AVA(oid, new OCTET_STRING(subjKeyId.getIdentifier())));
++            certTemplate.setExtensions(extns);
++        }
++
+         return new CertRequest(new INTEGER(1), certTemplate, seq);
+     }
+ 
+diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
+index fd1d087..795c24b 100644
+--- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
++++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
+@@ -17,19 +17,15 @@
+ // --- END COPYRIGHT BLOCK ---
+ package com.netscape.cmstools;
+ 
+-import java.io.ByteArrayOutputStream;
+ import java.io.FileOutputStream;
+ import java.io.IOException;
+ import java.io.PrintStream;
+ import java.security.KeyPair;
+-import java.security.PublicKey;
+ 
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.asn1.BMPString;
+-import org.mozilla.jss.asn1.INTEGER;
+ import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
+ import org.mozilla.jss.asn1.PrintableString;
+-import org.mozilla.jss.asn1.SET;
+ import org.mozilla.jss.asn1.TeletexString;
+ import org.mozilla.jss.asn1.UTF8String;
+ import org.mozilla.jss.asn1.UniversalString;
+@@ -37,20 +33,17 @@ import org.mozilla.jss.crypto.CryptoToken;
+ import org.mozilla.jss.crypto.KeyPairAlgorithm;
+ import org.mozilla.jss.crypto.KeyPairGenerator;
+ import org.mozilla.jss.crypto.PrivateKey;
+-import org.mozilla.jss.crypto.SignatureAlgorithm;
+-import org.mozilla.jss.pkcs10.CertificationRequest;
+-import org.mozilla.jss.pkcs10.CertificationRequestInfo;
+ import org.mozilla.jss.pkix.primitive.AVA;
+ import org.mozilla.jss.pkix.primitive.Name;
+-import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+ import org.mozilla.jss.util.Password;
+ 
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+-import com.netscape.cmsutil.util.Utils;
+ 
+ import netscape.security.pkcs.PKCS10;
++import netscape.security.x509.Extensions;
++import netscape.security.x509.KeyIdentifier;
++import netscape.security.x509.SubjectKeyIdentifierExtension;
+ import netscape.security.x509.X500Name;
+-import netscape.security.x509.X509Key;
+ 
+ /**
+  * Generates an ECC or RSA key pair in the security database, constructs a
+@@ -91,6 +84,8 @@ public class PKCS10Client {
+                 "    -x <true for SSL cert that does ECDH ECDSA; false otherwise; default false>\n");
+         System.out.println(
+                 "   available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2\n");
++        System.out.println(
++                "In addition: -y <true for adding SubjectKeyIdentifier extensionfor self-signed cmc requests; false otherwise; default false>\n");
+     }
+ 
+     public static void main(String args[]) throws Exception {
+@@ -105,6 +100,8 @@ public class PKCS10Client {
+         boolean ec_ssl_ecdh = false;
+         int rsa_keylen = 2048;
+ 
++        boolean self_sign = false;
++
+         if (args.length < 4) {
+             printUsage();
+             System.exit(1);
+@@ -171,6 +168,12 @@ public class PKCS10Client {
+                 subjectName = args[i+1];
+             } else if (name.equals("-h")) {
+                 tokenName = args[i+1];
++            } else if (name.equals("-y")) {
++                String temp = args[i+1];
++                if (temp.equals("true"))
++                    self_sign = true;
++                else
++                    self_sign = false;
+             } else {
+                 System.out.println("Unrecognized argument(" + i + "): "
+                     + name);
+@@ -273,55 +276,29 @@ public class PKCS10Client {
+             Attribute attr = new Attribute(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr);
+             ***/
+ 
+-            SET attributes = new SET();
+-            //attributes.addElement(attr);
+-            Name n = getJssName(enable_encoding, subjectName);
+-            SubjectPublicKeyInfo subjectPub = new SubjectPublicKeyInfo(pair.getPublic());
+-            System.out.println("PKCS10Client: pair.getPublic() called.");
+-            CertificationRequestInfo certReqInfo =
+-                new CertificationRequestInfo(new INTEGER(0), n, subjectPub, attributes);
+-            System.out.println("PKCS10Client: CertificationRequestInfo() created.");
+ 
+-            String b64E = "";
+-            if (alg.equals("rsa")) {
+-                CertificationRequest certRequest = null;
+-                certRequest = new CertificationRequest(certReqInfo,
+-                pair.getPrivate(), SignatureAlgorithm.RSASignatureWithSHA256Digest);
+-                System.out.println("PKCS10Client: CertificationRequest created.");
++            Extensions extns = new Extensions();
++            if (self_sign) { // per rfc 5272
++                System.out.println("PKCS10Client: self_sign true. Generating SubjectKeyIdentifier extension.");
++                KeyIdentifier subjKeyId = CryptoUtil.createKeyIdentifier(pair);
++                SubjectKeyIdentifierExtension extn = new SubjectKeyIdentifierExtension(false,
++                        subjKeyId.getIdentifier());
++                extns.add(extn);
++            }
+ 
+-                ByteArrayOutputStream bos = new ByteArrayOutputStream();
+-                certRequest.encode(bos);
+-                byte[] bb = bos.toByteArray();
++            String b64E = "";
++            PKCS10 certReq = CryptoUtil.createCertificationRequest(
++                    subjectName, pair, extns);
+ 
+-                System.out.println("PKCS10Client: calling Utils.b64encode.");
+-                b64E = Utils.base64encode(bb);
+-                System.out.println("PKCS10Client: b64encode completes.");
+-            } else { // "ec"
++            if (certReq == null) {
++                System.out.println("PKCS10Client: cert request null");
++                System.exit(1);
++            } else
++                System.out.println("PKCS10Client: CertificationRequest created.");
++            byte[] certReqb = certReq.toByteArray();
++            b64E = CryptoUtil.base64Encode(certReqb);
+ 
+-                CryptoToken t = cm.getThreadToken();
+-                System.out.println("PKCS10Client: token is: "+ t.getName());
+-                PublicKey pubk =  pair.getPublic();
+-                if (pubk == null) {
+-                    System.out.println("PKCS10Client: pubk null.");
+-                    System.exit(1);
+-                }
+-                X509Key xKey = null;
+-                byte pubk_encoded[] =  pubk.getEncoded();
+-                xKey = CryptoUtil.getPublicX509ECCKey(pubk_encoded);
+-                System.out.println("PKCS10Client: calling CryptoUtil.createCertificationRequest");
+-                PKCS10 certReq = CryptoUtil.createCertificationRequest(
+-                    subjectName, xKey, (org.mozilla.jss.crypto.PrivateKey) pair.getPrivate(),
+-                    "SHA256withEC");
+-
+-                System.out.println("PKCS10Client: created cert request");
+-                if (certReq == null) {
+-                    System.out.println("PKCS10Client: cert request null");
+-                    System.exit(1);
+-                } else
+-                    System.out.println("PKCS10Client: cert request not null");
+-                byte[] certReqb = certReq.toByteArray();
+-                b64E = CryptoUtil.base64Encode(certReqb);
+-            }
++            System.out.println("PKCS10Client: b64encode completes.");
+ 
+             // print out keyid to be used in cmc popLinkWitnessV2
+             PrivateKey privateKey = (PrivateKey) pair.getPrivate();
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+index a72ce58..2128c1e 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+@@ -39,6 +39,7 @@ import java.util.Vector;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.CryptoManager.NotInitializedException;
+ import org.mozilla.jss.asn1.ASN1Util;
++import org.mozilla.jss.asn1.BIT_STRING;
+ import org.mozilla.jss.asn1.INTEGER;
+ import org.mozilla.jss.asn1.InvalidBERException;
+ import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
+@@ -66,6 +67,7 @@ import org.mozilla.jss.pkix.crmf.CertRequest;
+ import org.mozilla.jss.pkix.crmf.CertTemplate;
+ import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
+ import org.mozilla.jss.pkix.primitive.Name;
++import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.authentication.AuthToken;
+@@ -90,6 +92,9 @@ import com.netscape.cmsutil.crypto.CryptoUtil;
+ import com.netscape.cmsutil.util.Utils;
+ 
+ import netscape.security.pkcs.PKCS10;
++import netscape.security.x509.KeyIdentifier;
++import netscape.security.x509.PKIXExtensions;
++import netscape.security.x509.SubjectKeyIdentifierExtension;
+ import netscape.security.x509.X500Name;
+ import netscape.security.x509.X509CertImpl;
+ import netscape.security.x509.X509CertInfo;
+@@ -103,14 +108,15 @@ import netscape.security.x509.X509Key;
+ /**
+  * User Signed CMC authentication plug-in
+  * note:
+- *  - this version differs from CMCAuth in that it allows non-agent users
+- *  to sign own cmc requests;  It is expected to be used with
+- *  CMCUserSignedSubjectNameDefault and CMCUserSignedSubjectNameConstraint
+- *  so that the resulting cert will bear the same subjectDN of that of the CMC
+- *  signing cert
+- *  - it originates from CMCAuth with modification for user-signed cmc
++ * - this version differs from CMCAuth in that it allows non-agent users
++ * to sign own cmc requests; It is expected to be used with
++ * CMCUserSignedSubjectNameDefault and CMCUserSignedSubjectNameConstraint
++ * so that the resulting cert will bear the same subjectDN of that of the CMC
++ * signing cert
++ * - it originates from CMCAuth with modification for user-signed cmc
++ *
+  * @author cfu - user signed cmc authentication
+- * <P>
++ *         <P>
+  *
+  * @version $Revision$, $Date$
+  */
+@@ -121,6 +127,12 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+     // default parameters //
+     ////////////////////////
+ 
++    // only one request for self-signed
++    boolean selfSigned = false;
++    SubjectKeyIdentifierExtension selfsign_skiExtn = null;
++    PK11PubKey selfsign_pubK = null;
++    byte[] selfsign_digest = null;
++
+     /////////////////////////////
+     // IAuthManager parameters //
+     /////////////////////////////
+@@ -144,8 +156,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+      * for instances of this implementation can be configured through the
+      * console.
+      */
+-    protected static String[] mConfigParams =
+-            new String[] {};
++    protected static String[] mConfigParams = new String[] {};
+ 
+     /* authentication plug-in values */
+ 
+@@ -171,7 +182,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+         mExtendedPluginInfo
+                 .add(IExtendedPluginInfo.HELP_TEXT +
+-                    ";Authenticate the CMC request. The \"Authentication Instance ID\" must be named \"CMCUserSignedAuth\"");
++                        ";Authenticate the CMC request. The \"Authentication Instance ID\" must be named \"CMCUserSignedAuth\"");
+         mExtendedPluginInfo.add(IExtendedPluginInfo.HELP_TOKEN +
+                 ";configuration-authentication");
+     }
+@@ -185,10 +196,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+     /* signed audit parameters */
+     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+-    private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE =
+-            "enrollment";
+-    private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE =
+-            "revocation";
++    private final static String SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE = "enrollment";
++    private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE = "revocation";
+ 
+     /////////////////////
+     // default methods //
+@@ -228,7 +237,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+      * <P>
+      *
+      * <ul>
+-     * <li>signed.audit LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY used when CMC (user-pre-signed) cert
++     * <li>signed.audit LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY used when CMC
++     *  (user-pre-signed or self-signed) cert
+      * requests or revocation requests are submitted and signature is verified
+      * </ul>
+      *
+@@ -245,6 +255,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+     public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials,
+             EBaseException {
+         String method = "CMCUserSignedAuth: authenticate: ";
++        String msg = "";
+         CMS.debug(method + "begins");
+ 
+         String auditMessage = null;
+@@ -273,40 +284,19 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+             if (cmc == null) {
+                 CMS.debug(method + " Authentication failed. Missing CMC.");
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
+-                        auditSubjectID,
+-                        ILogger.FAILURE,
+-                        auditReqType,
+-                        auditCertSubject,
+-                        auditSignerInfo);
+-
+-                audit(auditMessage);
+-
+                 throw new EMissingCredential(CMS.getUserMessage(
+                         "CMS_AUTHENTICATION_NULL_CREDENTIAL", CRED_CMC));
+             }
+ 
+             if (cmc.equals("")) {
+-                log(ILogger.LL_FAILURE,
+-                        "cmc : attempted login with empty CMC.");
+-
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
+-                        auditSubjectID,
+-                        ILogger.FAILURE,
+-                        auditReqType,
+-                        auditCertSubject,
+-                        auditSignerInfo);
+-
+-                audit(auditMessage);
+-
+-                throw new EInvalidCredentials(CMS.getUserMessage(
+-                        "CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                msg = "attempted login with empty cert_request in authCred.";
++                CMS.debug(method + msg);
++
++                throw new EInvalidCredentials(msg);
+             }
+ 
++            SessionContext auditContext = SessionContext.getExistingContext();
++
+             // authenticate by checking CMC.
+ 
+             // everything OK.
+@@ -330,84 +320,88 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                     asciiBASE64Blob = cmc;
+ 
+                 byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob);
+-                ByteArrayInputStream cmcBlobIn = new
+-                                                 ByteArrayInputStream(cmcBlob);
++                ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(cmcBlob);
+ 
+                 org.mozilla.jss.pkix.cms.ContentInfo cmcReq =
+-                        (org.mozilla.jss.pkix.cms.ContentInfo)
+-                        org.mozilla.jss.pkix.cms.ContentInfo.getTemplate().decode(
++                        (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo
++                        .getTemplate().decode(
+                                 cmcBlobIn);
+ 
+                 if (!cmcReq.getContentType().equals(
+                         org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) ||
+                         !cmcReq.hasContent()) {
+-                    // store a message in the signed audit log file
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
+-                            auditSubjectID,
+-                            ILogger.FAILURE,
+-                            auditReqType,
+-                            auditCertSubject,
+-                            auditSignerInfo);
+ 
+-                    audit(auditMessage);
+-
+-                    // throw new ECMSGWException(CMSGWResources.NO_CMC_CONTENT);
+-
+-                    throw new EBaseException("NO_CMC_CONTENT");
++                    cmcBlobIn.close();
++                    msg = "cmc rquest content type is not ContentInfo.SIGNED_DATA";
++                    CMS.debug(msg);
++                    throw new EBaseException(msg);
+                 }
+ 
+-                SignedData cmcFullReq = (SignedData)
+-                                        cmcReq.getInterpretedContent();
++                SignedData cmcFullReq = (SignedData) cmcReq.getInterpretedContent();
++
++                String userid = ILogger.UNIDENTIFIED;
++                String uid = ILogger.UNIDENTIFIED;
+ 
+                 IConfigStore cmc_config = CMS.getConfigStore();
+-                boolean checkSignerInfo =
+-                        cmc_config.getBoolean("cmc.signerInfo.verify", true);
+-                String userid = "defUser";
+-                String uid = "defUser";
++                boolean checkSignerInfo = cmc_config.getBoolean("cmc.signerInfo.verify", true);
+                 if (checkSignerInfo) {
+-                    IAuthToken userToken = verifySignerInfo(authToken, cmcFullReq);
++                    // selfSigned will be set in verifySignerInfo if applicable
++                    IAuthToken userToken = verifySignerInfo(auditContext, authToken, cmcFullReq);
+                     if (userToken == null) {
+-                        CMS.debug(method + " authenticate() userToken null");
+-                        throw new EBaseException(method + " verifySignerInfo failure");
++                        msg = "userToken null; verifySignerInfo failure";
++                        CMS.debug(method + msg);
++                        throw new EBaseException(msg);
++                    } else {
++                        if (selfSigned) {
++                            CMS.debug(method
++                                    + " self-signed cmc request will not have user identification info at this point.");
++                            auditSignerInfo = "selfSigned";
++                        } else {
++                            CMS.debug(method + "signed with user cert");
++                            userid = userToken.getInString("userid");
++                            uid = userToken.getInString("cn");
++                            if (userid == null && uid == null) {
++                                msg = " verifySignerInfo failure... missing userid and cn";
++                                CMS.debug(method + msg);
++                                throw new EBaseException(msg);
++                            }
++                            // reset value of auditSignerInfo
++                            if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) {
++                                CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim());
++                                auditSignerInfo = uid.trim();
++                                auditSubjectID = uid.trim();
++                                authToken.set(IAuthToken.USER_ID, auditSubjectID);
++                            } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) {
++                                CMS.debug(method + "setting auditSignerInfo to userid:" + userid);
++                                auditSignerInfo = userid.trim();
++                                auditSubjectID = userid.trim();
++                                authToken.set(IAuthToken.USER_ID, auditSubjectID);
++                            }
++                        }
+                     }
+-                    userid = userToken.getInString("userid");
+-                    uid = userToken.getInString("cn");
+                 } else {
+-                    CMS.debug(method + " authenticate() signerInfo verification bypassed");
+-                }
+-                // reset value of auditSignerInfo
+-                if (uid != null) {
+-                    auditSignerInfo = uid.trim();
++                    CMS.debug(method + " signerInfo verification bypassed");
+                 }
+ 
+                 EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
++                SET sis = cmcFullReq.getSignerInfos();
++                // only one SignerInfo for selfSigned
++                org.mozilla.jss.pkix.cms.SignerInfo selfsign_signerInfo =
++                        (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(0);
+ 
+                 OBJECT_IDENTIFIER id = ci.getContentType();
+ 
+                 if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) ||
+                         !ci.hasContent()) {
+-                    // store a message in the signed audit log file
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
+-                            auditSubjectID,
+-                            ILogger.FAILURE,
+-                            auditReqType,
+-                            auditCertSubject,
+-                            auditSignerInfo);
+-
+-                    audit(auditMessage);
++                    msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData";
++                    CMS.debug(method + msg);
+ 
+-                    //  throw new ECMSGWException(
+-                    // CMSGWResources.NO_PKIDATA);
+-
+-                    throw new EBaseException("NO_PKIDATA");
++                    throw new EBaseException(msg);
+                 }
+ 
+                 OCTET_STRING content = ci.getContent();
+ 
+-                ByteArrayInputStream s = new
+-                        ByteArrayInputStream(content.toByteArray());
++                ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
+                 PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s);
+ 
+                 SEQUENCE reqSequence = pkiData.getReqSequence();
+@@ -426,13 +420,12 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+                     if (controlSize > 0) {
+                         for (int i = 0; i < controlSize; i++) {
+-                            TaggedAttribute taggedAttribute =
+-                                    (TaggedAttribute) controlSequence.elementAt(i);
++                            TaggedAttribute taggedAttribute = (TaggedAttribute) controlSequence.elementAt(i);
+                             OBJECT_IDENTIFIER type = taggedAttribute.getType();
+ 
+                             if (type.equals(
+                                     OBJECT_IDENTIFIER.id_cmc_revokeRequest)) {
+-/* TODO: user-signed revocation to be handled in next ticket
++                                /* TODO: user-signed revocation to be handled in next ticket
+                                 // if( i ==1 ) {
+                                 //     taggedAttribute.getType() ==
+                                 //       OBJECT_IDENTIFIER.id_cmc_revokeRequest
+@@ -479,10 +472,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                                     Integer IntObject = Integer.valueOf((int) reasonCode);
+                                     authToken.set(REASON_CODE, IntObject);
+ 
+-                                    authToken.set("uid", uid);
+-                                    authToken.set("userid", userid);
++
++                                    //authToken.set("uid", uid);
++                                    //authToken.set("userid", userid);
++
+                                 }
+-*/
++                                */
++
+                             }
+                         }
+ 
+@@ -499,8 +495,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+                     for (int i = 0; i < numReqs; i++) {
+                         // decode message.
+-                        TaggedRequest taggedRequest =
+-                                (TaggedRequest) reqSequence.elementAt(i);
++                        TaggedRequest taggedRequest = (TaggedRequest) reqSequence.elementAt(i);
+ 
+                         TaggedRequest.Type type = taggedRequest.getType();
+ 
+@@ -508,18 +503,15 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                             CMS.debug(method + " type is PKCS10");
+                             authToken.set("cert_request_type", "cmc-pkcs10");
+ 
+-                            TaggedCertificationRequest tcr =
+-                                    taggedRequest.getTcr();
++                            TaggedCertificationRequest tcr = taggedRequest.getTcr();
+                             int p10Id = tcr.getBodyPartID().intValue();
+ 
+                             reqIdArray[i] = String.valueOf(p10Id);
+ 
+-                            CertificationRequest p10 =
+-                                    tcr.getCertificationRequest();
++                            CertificationRequest p10 = tcr.getCertificationRequest();
+ 
+                             // transfer to sun class
+-                            ByteArrayOutputStream ostream =
+-                                    new ByteArrayOutputStream();
++                            ByteArrayOutputStream ostream = new ByteArrayOutputStream();
+ 
+                             p10.encode(ostream);
+                             boolean sigver = true;
+@@ -533,8 +525,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                             try {
+                                 cm = CryptoManager.getInstance();
+                                 if (sigver == true) {
+-                                    String tokenName =
+-                                        CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
++                                    String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
++                                            CryptoUtil.INTERNAL_TOKEN_NAME);
+                                     savedToken = cm.getThreadToken();
+                                     signToken = CryptoUtil.getCryptoToken(tokenName);
+                                     if (!savedToken.getName().equals(signToken.getName())) {
+@@ -543,65 +535,92 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                                     }
+                                 }
+ 
+-                                PKCS10 pkcs10 =
+-                                        new PKCS10(ostream.toByteArray(), sigver);
++                                PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver);
++                                // reset value of auditCertSubject
++                                X500Name tempName = pkcs10.getSubjectName();
++                                CMS.debug(method + "request subject name=" + tempName.toString());
++                                if (tempName != null) {
++                                    auditCertSubject = tempName.toString().trim();
++                                    if (auditCertSubject.equals("")) {
++                                        auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
++                                    }
++                                    authToken.set(AuthToken.TOKEN_CERT_SUBJECT,
++                                            auditCertSubject/*tempName.toString()*/);
++                                }
++
++                                if (selfSigned) {
++                                    // prepare for checking SKI extension
++                                    try {
++                                        selfsign_skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil
++                                                .getExtensionFromPKCS10(pkcs10, "SubjectKeyIdentifier");
++                                        if (selfsign_skiExtn != null)
++                                            CMS.debug(method + "SubjectKeyIdentifierExtension found:");
++                                        else {
++                                            msg = "missing SubjectKeyIdentifierExtension in request";
++                                            CMS.debug(method + msg);
++                                            throw new EBaseException(msg);
++                                        }
++                                    } catch (IOException e) {
++                                        msg = method + "SubjectKeyIdentifierExtension not found:" + e;
++                                        CMS.debug(msg);
++                                        throw new EBaseException(msg);
++                                    } catch (Exception e) {
++                                        msg = method + "SubjectKeyIdentifierExtension not found:" + e;
++                                        CMS.debug(msg);
++                                        throw new EBaseException(msg);
++                                    }
++
++                                    X509Key pubKey = pkcs10.getSubjectPublicKeyInfo();
++                                    PrivateKey.Type keyType = null;
++                                    String alg = pubKey.getAlgorithm();
++
++                                    if (alg.equals("RSA")) {
++                                        CMS.debug(method + "signing key alg=RSA");
++                                        keyType = PrivateKey.RSA;
++                                        selfsign_pubK = PK11PubKey.fromRaw(keyType, pubKey.getKey());
++                                    } else if (alg.equals("EC")) {
++                                        CMS.debug(method + "signing key alg=EC");
++                                        keyType = PrivateKey.EC;
++                                        byte publicKeyData[] = (pubKey).getEncoded();
++                                        selfsign_pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData);
++                                    } else {
++                                        msg = "unsupported signature algorithm: " + alg;
++                                        CMS.debug(method + msg);
++                                        throw new EInvalidCredentials(msg);
++                                    }
++                                    CMS.debug(method + "public key retrieved");
++                                    verifySelfSignedCMC(selfsign_signerInfo, id);
++
++                                } //selfSigned
+ 
+                                 // xxx do we need to do anything else?
+-                                X509CertInfo certInfo =
+-                                        CMS.getDefaultX509CertInfo();
++                                X509CertInfo certInfo = CMS.getDefaultX509CertInfo();
+ 
+                                 // fillPKCS10(certInfo,pkcs10,authToken,null);
+ 
+                                 // authToken.set(
+                                 //     pkcs10.getSubjectPublicKeyInfo());
+ 
+-                                X500Name tempName = pkcs10.getSubjectName();
+-
+-                                // reset value of auditCertSubject
+-                                if (tempName != null) {
+-                                    auditCertSubject =
+-                                            tempName.toString().trim();
+-                                    if (auditCertSubject.equals("")) {
+-                                        auditCertSubject =
+-                                                ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+-                                    }
+-                                    authToken.set(AuthToken.TOKEN_CERT_SUBJECT,
+-                                              tempName.toString());
+-                                }
+-
++                                /*
+                                 authToken.set("uid", uid);
+                                 authToken.set("userid", userid);
++                                */
+ 
+                                 certInfoArray[i] = certInfo;
+                             } catch (Exception e) {
+-                                // store a message in the signed audit log file
+-                                auditMessage = CMS.getLogMessage(
+-                                        AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
+-                                        auditSubjectID,
+-                                        ILogger.FAILURE,
+-                                        auditReqType,
+-                                        auditCertSubject,
+-                                        auditSignerInfo);
+-
+-                                audit(auditMessage);
+-
+-                                //throw new ECMSGWException(
+-                                //CMSGWResources.ERROR_PKCS101, e.toString());
+-
+                                 e.printStackTrace();
+                                 throw new EBaseException(e.toString());
+                             } finally {
+-                                if ((sigver == true) && (tokenSwitched == true)){
++                                if ((sigver == true) && (tokenSwitched == true)) {
+                                     cm.setThreadToken(savedToken);
+                                 }
+-                             }
++                            }
+                         } else if (type.equals(TaggedRequest.CRMF)) {
+ 
+                             CMS.debug(method + " type is CRMF");
+                             authToken.set("cert_request_type", "cmc-crmf");
+                             try {
+-                                CertReqMsg crm =
+-                                        taggedRequest.getCrm();
++                                CertReqMsg crm = taggedRequest.getCrm();
+                                 CertRequest certReq = crm.getCertReq();
+                                 INTEGER reqID = certReq.getCertReqId();
+                                 reqIdArray[i] = reqID.toString();
+@@ -609,70 +628,82 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                                 Name name = template.getSubject();
+ 
+                                 // xxx do we need to do anything else?
+-                                X509CertInfo certInfo =
+-                                        CMS.getDefaultX509CertInfo();
++                                X509CertInfo certInfo = CMS.getDefaultX509CertInfo();
+ 
+                                 // reset value of auditCertSubject
+                                 if (name != null) {
+                                     String ss = name.getRFC1485();
+ 
++                                    CMS.debug(method + "setting auditCertSubject to: " + ss);
+                                     auditCertSubject = ss;
+                                     if (auditCertSubject.equals("")) {
+-                                        auditCertSubject =
+-                                                ILogger.SIGNED_AUDIT_EMPTY_VALUE;
++                                        auditCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+                                     }
+ 
+                                     authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss);
+-                                    authToken.set("uid", uid);
+-                                    authToken.set("userid", userid);
++                                    //authToken.set("uid", uid);
++                                    //authToken.set("userid", userid);
+                                 }
+                                 certInfoArray[i] = certInfo;
+-                            } catch (Exception e) {
+-                                // store a message in the signed audit log file
+-                                auditMessage = CMS.getLogMessage(
+-                                        AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
+-                                        auditSubjectID,
+-                                        ILogger.FAILURE,
+-                                        auditReqType,
+-                                        auditCertSubject,
+-                                        auditSignerInfo);
+ 
+-                                audit(auditMessage);
++                                if (selfSigned) {
++                                    selfsign_skiExtn =
++                                            (SubjectKeyIdentifierExtension) CryptoUtil
++                                            .getExtensionFromCertTemplate(template, PKIXExtensions.SubjectKey_Id);
++                                    if (selfsign_skiExtn != null) {
++                                        CMS.debug(method +
++                                                "SubjectKeyIdentifierExtension found");
++                                    } else {
++                                        CMS.debug(method +
++                                                "SubjectKeyIdentifierExtension not found");
++                                    }
++
++                                    // get public key for verifying signature later
++                                    SubjectPublicKeyInfo pkinfo = template.getPublicKey();
++                                    PrivateKey.Type keyType = null;
++                                    String alg = pkinfo.getAlgorithm();
++                                    BIT_STRING bitString = pkinfo.getSubjectPublicKey();
++                                    byte[] publicKeyData = bitString.getBits();
++                                    if (alg.equals("RSA")) {
++                                        CMS.debug(method + "signing key alg=RSA");
++                                        keyType = PrivateKey.RSA;
++                                        selfsign_pubK = PK11PubKey.fromRaw(keyType, publicKeyData);
++                                    } else if (alg.equals("EC")) {
++                                        CMS.debug(method + "signing key alg=EC");
++                                        keyType = PrivateKey.EC;
++                                        selfsign_pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData);
++                                    } else {
++                                        msg = "unsupported signature algorithm: " + alg;
++                                        CMS.debug(method + msg);
++                                        throw new EInvalidCredentials(msg);
++                                    }
++                                    CMS.debug(method + "public key retrieved");
+ 
+-                                //throw new ECMSGWException(
+-                                //CMSGWResources.ERROR_PKCS101, e.toString());
++                                    verifySelfSignedCMC(selfsign_signerInfo, id);
++                                } //selfSigned
+ 
++                            } catch (Exception e) {
+                                 e.printStackTrace();
++                                cmcBlobIn.close();
++                                s.close();
+                                 throw new EBaseException(e.toString());
+                             }
+                         }
+ 
+-                        // authToken.set(AgentAuthentication.CRED_CERT, new
+-                        //     com.netscape.certsrv.usrgrp.Certificates(
+-                        //     x509Certs));
+                     }
+                 }
++
++                authToken.set("uid", uid);
++                authToken.set("userid", userid);
+             } catch (Exception e) {
+                 CMS.debug(method + e);
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
+-                        auditSubjectID,
+-                        ILogger.FAILURE,
+-                        auditReqType,
+-                        auditCertSubject,
+-                        auditSignerInfo);
+-
+-                audit(auditMessage);
+-
+                 //Debug.printStackTrace(e);
+-                throw new EInvalidCredentials(CMS.getUserMessage(
+-                        "CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                throw new EInvalidCredentials(e.toString());
+             }
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+                     auditReqType,
+@@ -687,12 +718,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+             CMS.debug(method + eAudit1);
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditReqType,
+                     auditCertSubject,
+-                    auditSignerInfo);
++                    auditSignerInfo,
++                    eAudit1.toString());
+ 
+             audit(auditMessage);
+ 
+@@ -702,12 +734,13 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+             CMS.debug(method + eAudit2);
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditReqType,
+                     auditCertSubject,
+-                    auditSignerInfo);
++                    auditSignerInfo,
++                    eAudit2.toString());
+ 
+             audit(auditMessage);
+ 
+@@ -717,17 +750,70 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+             CMS.debug(method + eAudit3);
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+-                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY,
++                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
+                     auditSubjectID,
+                     ILogger.FAILURE,
+                     auditReqType,
+                     auditCertSubject,
+-                    auditSignerInfo);
++                    auditSignerInfo,
++                    eAudit3.toString());
+ 
+             audit(auditMessage);
+ 
+             // rethrow the specific exception to be handled later
+             throw eAudit3;
++        } catch (Exception eAudit4) {
++            CMS.debug(method + eAudit4);
++            // store a message in the signed audit log file
++            auditMessage = CMS.getLogMessage(
++                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    auditReqType,
++                    auditCertSubject,
++                    auditSignerInfo,
++                    eAudit4.toString());
++
++            audit(auditMessage);
++
++            // rethrow the specific exception to be handled later
++            throw eAudit4;
++        }
++    }
++
++    /*
++    * verifySelfSignedCMC() verifies the following
++    * a. the required (per RFC 5272) SKI extension in the request matches that in the
++    *    SignerIdentifier
++    * b. the signature in the request
++    */
++    protected void verifySelfSignedCMC(
++            org.mozilla.jss.pkix.cms.SignerInfo signerInfo,
++            OBJECT_IDENTIFIER id)
++            throws EBaseException {
++        String method = "CMCUserSignedAuth: verifySelfSignedCMC: ";
++        CMS.debug(method + "begins");
++        try {
++            SignerIdentifier sid = signerInfo.getSignerIdentifier();
++            OCTET_STRING subjKeyId = sid.getSubjectKeyIdentifier();
++            KeyIdentifier keyIdObj =
++                    (KeyIdentifier) selfsign_skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID);
++            boolean match = CryptoUtil.compare(subjKeyId.toByteArray(), keyIdObj.getIdentifier());
++            if (match) {
++                CMS.debug(method +
++                        " SignerIdentifier SUBJECT_KEY_IDENTIFIER matches SKI of request");
++            } else {
++                CMS.debug(method +
++                        " SignerIdentifier SUBJECT_KEY_IDENTIFIER failed to match");
++                throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++            }
++            // verify sig using public key in request
++            CMS.debug(method + "verifying request signature with public key");
++            signerInfo.verify(selfsign_digest, id, selfsign_pubK);
++            CMS.debug(method + " signature verified");
++        } catch (Exception e) {
++            CMS.debug(method + e.toString());
++            throw new EBaseException(method + e.toString());
+         }
+     }
+ 
+@@ -825,10 +911,24 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                 level, "CMC User Signed Authentication: " + msg);
+     }
+ 
+-    protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException {
++    /**
++     * User-signed CMC requests can be signed in two ways:
++     * a. signed with previously issued user signing cert
++     * b. self-signed with the private key paired with the public key in
++     * the request
++     *
++     * In case "a", the resulting authToke would contain
++     * (IAuthManager.CRED_CMC_SIGNING_CERT, signing cert serial number)
++     * In case "b", the resulting authToke would not contain the attribute
++     * IAuthManager.CRED_CMC_SIGNING_CERT
++     */
++    protected IAuthToken verifySignerInfo(
++            SessionContext auditContext, // to capture info in case of failure
++            AuthToken authToken,
++            SignedData cmcFullReq)
++            throws EBaseException {
+         String method = "CMCUserSignedAuth: verifySignerInfo: ";
+         CMS.debug(method + "begins");
+-
+         EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
+         OBJECT_IDENTIFIER id = ci.getContentType();
+         OCTET_STRING content = ci.getContent();
+@@ -849,13 +949,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+             //if request key is used for signing, there MUST be only one signerInfo
+             //object in the signedData object.
+             for (int i = 0; i < numDig; i++) {
+-                AlgorithmIdentifier dai =
+-                        (AlgorithmIdentifier) dais.elementAt(i);
+-                String name =
+-                        DigestAlgorithm.fromOID(dai.getOID()).toString();
++                AlgorithmIdentifier dai = (AlgorithmIdentifier) dais.elementAt(i);
++                String name = DigestAlgorithm.fromOID(dai.getOID()).toString();
+ 
+-                MessageDigest md =
+-                        MessageDigest.getInstance(name);
++                MessageDigest md = MessageDigest.getInstance(name);
+ 
+                 byte[] digest = md.digest(content.toByteArray());
+ 
+@@ -867,6 +964,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+             for (int i = 0; i < numSis; i++) {
+                 org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i);
++                //selfsign_SignerInfo = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i);
+ 
+                 String name = si.getDigestAlgorithm().toString();
+                 byte[] digest = digs.get(name);
+@@ -879,11 +977,14 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                     digest = md.digest(ostream.toByteArray());
+ 
+                 }
++
+                 // signed  by  previously certified signature key
+                 SignerIdentifier sid = si.getSignerIdentifier();
+-                // TODO: need to handle signing key being the matching key from
+-                // the request
+                 if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) {
++                    CMS.debug(method + "SignerIdentifier type: ISSUER_AND_SERIALNUMBER");
++                    selfSigned = false;
++                    CMS.debug(method + "selfSigned is false");
++
+                     IssuerAndSerialNumber issuerAndSerialNumber = sid.getIssuerAndSerialNumber();
+                     // find from the certs in the signedData
+                     java.security.cert.X509Certificate cert = null;
+@@ -899,14 +1000,12 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                             Name issuer = certI.getIssuer();
+ 
+                             byte[] issuerB = ASN1Util.encode(issuer);
+-CMS.debug(method + "issuer = " + new String(issuerB));
+                             INTEGER sn = certI.getSerialNumber();
+                             // if this cert is the signer cert, not a cert in the chain
+                             if (new String(issuerB).equals(new String(
+                                     ASN1Util.encode(issuerAndSerialNumber.getIssuer())))
+                                     && sn.toString().equals(issuerAndSerialNumber.getSerialNumber().toString())) {
+-                                ByteArrayOutputStream os = new
+-                                        ByteArrayOutputStream();
++                                ByteArrayOutputStream os = new ByteArrayOutputStream();
+ 
+                                 certJss.encode(os);
+                                 certByteArray = os.toByteArray();
+@@ -919,13 +1018,23 @@ CMS.debug(method + "issuer = " + new String(issuerB));
+ 
+                             }
+                         }
++
+                         CMS.debug(method + "start checking signature");
++                        String CN = null;
+                         if (cert == null) {
+                             // find from certDB
+                             CMS.debug(method + "verifying signature");
+                             si.verify(digest, id);
+                         } else {
+                             CMS.debug(method + "found signing cert... verifying");
++
++                            //capture auditSubjectID first in case of failure
++                            netscape.security.x509.X500Name tempPrincipal =
++                                    (X500Name) x509Certs[0].getSubjectDN();
++                            CN = tempPrincipal.getCommonName(); //tempToken.get("userid");
++                            CMS.debug(method + " Principal name = " + CN);
++                            auditContext.put(SessionContext.USER_ID, CN);
++
+                             PublicKey signKey = cert.getPublicKey();
+                             PrivateKey.Type keyType = null;
+                             String alg = signKey.getAlgorithm();
+@@ -942,21 +1051,24 @@ CMS.debug(method + "issuer = " + new String(issuerB));
+                                 pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData);
+                             } else {
+                                 CMS.debug(method + "unsupported signature algorithm: " + alg);
+-                                throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                                s.close();
++                                throw new EInvalidCredentials(
++                                        CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+                             }
+ 
+-                            String tokenName =
+-                                CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
++                            String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token",
++                                    CryptoUtil.INTERNAL_TOKEN_NAME);
+                             // by default JSS will use internal crypto token
+                             if (!CryptoUtil.isInternalToken(tokenName)) {
+                                 savedToken = cm.getThreadToken();
+                                 signToken = CryptoUtil.getCryptoToken(tokenName);
+-                                if(signToken != null) {
++                                if (signToken != null) {
+                                     cm.setThreadToken(signToken);
+                                     tokenSwitched = true;
+-                                    CMS.debug(method + "verifySignerInfo token switched:"+ tokenName);
++                                    CMS.debug(method + "verifySignerInfo token switched:" + tokenName);
+                                 } else {
+-                                    CMS.debug(method + "verifySignerInfo token not found:"+ tokenName+ ", trying internal");
++                                    CMS.debug(method + "verifySignerInfo token not found:" + tokenName
++                                            + ", trying internal");
+                                 }
+                             }
+ 
+@@ -967,6 +1079,7 @@ CMS.debug(method + "issuer = " + new String(issuerB));
+                         // verify signer's certificate using the revocator
+                         if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) {
+                             CMS.debug(method + "CMC signature failed to be verified");
++                            s.close();
+                             throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+                         } else {
+                             CMS.debug(method + "CMC signature verified; but signer not yet;");
+@@ -974,23 +1087,38 @@ CMS.debug(method + "issuer = " + new String(issuerB));
+                         // At this point, the signature has been verified;
+ 
+                         IAuthToken tempToken = new AuthToken(null);
++/*
+                         netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
+                         String CN = tempPrincipal.getCommonName(); //tempToken.get("userid");
+                         CMS.debug(method + " Principal name = " + CN);
++*/
+ 
+                         BigInteger certSerial = x509Certs[0].getSerialNumber();
+                         CMS.debug(method + " verified cert serial=" + certSerial.toString());
+                         authToken.set(IAuthManager.CRED_CMC_SIGNING_CERT, certSerial.toString());
+                         tempToken.set("cn", CN);
+ 
++                        s.close();
+                         return tempToken;
+ 
++                    } else {
++                        CMS.debug(method + "no certificate found in cmcFullReq");
+                     }
+-
++                } else if (sid.getType().equals(SignerIdentifier.SUBJECT_KEY_IDENTIFIER)) {
++                    CMS.debug(method + "SignerIdentifier type: SUBJECT_KEY_IDENTIFIER");
++                    CMS.debug(method + "selfSigned is true");
++                    selfSigned = true;
++                    selfsign_digest = digest;
++
++                    IAuthToken tempToken = new AuthToken(null);
++                    authToken.set(IAuthManager.CRED_CMC_SELF_SIGNED, "true");
++                    s.close();
++                    return tempToken;
+                 } else {
+                     CMS.debug(method + "unsupported SignerIdentifier type");
+                 }
+-            }
++            } //for
++
+         } catch (InvalidBERException e) {
+             CMS.debug(method + e.toString());
+         } catch (IOException e) {
+@@ -1001,7 +1129,7 @@ CMS.debug(method + "issuer = " + new String(issuerB));
+             CMS.debug(method + e.toString());
+             throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+         } finally {
+-            if ((tokenSwitched == true) && (savedToken != null)){
++            if ((tokenSwitched == true) && (savedToken != null)) {
+                 cm.setThreadToken(savedToken);
+                 CMS.debug(method + "verifySignerInfo token restored");
+             }
+@@ -1123,8 +1251,7 @@ CMS.debug(method + "issuer = " + new String(issuerB));
+         SessionContext auditContext = SessionContext.getExistingContext();
+ 
+         if (auditContext != null) {
+-            subjectID = (String)
+-                    auditContext.get(SessionContext.USER_ID);
++            subjectID = (String) auditContext.get(SessionContext.USER_ID);
+ 
+             if (subjectID != null) {
+                 subjectID = subjectID.trim();
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 7d52fc8..1443a0a 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -110,6 +110,8 @@ import netscape.security.x509.CertificateVersion;
+ import netscape.security.x509.CertificateX509Key;
+ import netscape.security.x509.Extension;
+ import netscape.security.x509.Extensions;
++import netscape.security.x509.PKIXExtensions;
++import netscape.security.x509.SubjectKeyIdentifierExtension;
+ import netscape.security.x509.X500Name;
+ import netscape.security.x509.X509CertImpl;
+ import netscape.security.x509.X509CertInfo;
+@@ -656,6 +658,8 @@ public abstract class EnrollProfile extends BasicProfile
+         String msg = ""; // for capturing debug and throw info
+         //CMS.debug(method + " Start parseCMC(): " + certreq);
+         CMS.debug(method + "starts");
++        String auditMessage = "";
++        String auditSubjectID = auditSubjectID();
+ 
+         /* cert request must not be null */
+         if (certreq == null) {
+@@ -742,22 +746,27 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+                             msg = " id_cmc_identification attribute value not found in";
+                             CMS.debug(method + msg);
++/*
+                             throw new EProfileException(
+                                     CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
+                                             msg);
++*/
++                        } else {
++                            ident_s = (UTF8String) (ASN1Util.decode(UTF8String.getTemplate(),
++                                    ASN1Util.encode(ident.elementAt(0))));
+                         }
+-                        ident_s = (UTF8String) (ASN1Util.decode(UTF8String.getTemplate(),
+-                                ASN1Util.encode(ident.elementAt(0))));
+-                        if (ident_s == null) {
++                        if (ident == null && ident_s == null) {
+                             msg = " id_cmc_identification contains invalid content";
+                             CMS.debug(method + msg);
+                             SEQUENCE bpids = getRequestBpids(reqSeq);
+                             context.put("identification", bpids);
+ 
+                             CMS.debug(method + msg);
++/*
+                             throw new EProfileException(
+                                     CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
+                                             msg);
++*/
+                         }
+                     }
+ 
+@@ -776,19 +785,27 @@ public abstract class EnrollProfile extends BasicProfile
+                         }
+                     } else if (id_cmc_identityProofV2 && (attr != null)) {
+                         // either V2 or not V2; can't be both
+-                        CMS.debug(method + "not pre-signed CMC request; calling verifyIdentityProofV2;");
+-                        if (!id_cmc_identification) {
++                        CMS.debug(method +
++                                "not pre-signed CMC request; calling verifyIdentityProofV2;");
++                        if (!id_cmc_identification || ident_s == null) {
+                             SEQUENCE bpids = getRequestBpids(reqSeq);
+                             context.put("identification", bpids);
+                             context.put("identityProofV2", bpids);
+                             msg = "id_cmc_identityProofV2 missing id_cmc_identification";
+                             CMS.debug(method + msg);
++                            auditMessage = CMS.getLogMessage(
++                                    AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
++                                    auditSubjectID,
++                                    ILogger.FAILURE,
++                                    method + msg);
++                            audit(auditMessage);
++
+                             throw new EProfileException(
+                                     CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
+                                             msg);
+                         }
+ 
+-                        boolean valid = verifyIdentityProofV2(attr, ident_s,
++                        boolean valid = verifyIdentityProofV2(context, attr, ident_s,
+                                 reqSeq);
+                         if (!valid) {
+                             SEQUENCE bpids = getRequestBpids(reqSeq);
+@@ -815,10 +832,18 @@ public abstract class EnrollProfile extends BasicProfile
+                                     "CMS_POI_VERIFICATION_ERROR") + msg);
+                         } else {
+                             CMS.debug(method + "passed verifyIdentityProof; Proof of Identity successful;");
++                            // in case it was set
++                            auditSubjectID = auditSubjectID();
+                         }
+                     } else {
+                         msg = "not pre-signed CMC request; missing Proof of Identification control";
+                         CMS.debug(method + msg);
++                        auditMessage = CMS.getLogMessage(
++                                AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
++                                auditSubjectID,
++                                ILogger.FAILURE,
++                                method + msg);
++                        audit(auditMessage);
+                         throw new EProfileException(CMS.getUserMessage(locale,
+                                 "CMS_POI_VERIFICATION_ERROR") + ":" + method + msg);
+                     }
+@@ -837,6 +862,13 @@ public abstract class EnrollProfile extends BasicProfile
+                         } else { //decPopVals == null
+                             msg = "id_cmc_decryptedPOP contains invalid DecryptedPOP";
+                             CMS.debug(method + msg);
++                            auditMessage = CMS.getLogMessage(
++                                    AuditEvent.PROOF_OF_POSSESSION,
++                                    auditSubjectID,
++                                    ILogger.SUCCESS,
++                                    method + msg);
++                            audit(auditMessage);
++
+                             SEQUENCE bpids = getRequestBpids(reqSeq);
+                             context.put("decryptedPOP", bpids);
+                         }
+@@ -877,6 +909,11 @@ public abstract class EnrollProfile extends BasicProfile
+                 String configName = "cmc.popLinkWitnessRequired";
+                 CMS.debug(method + "getting :" + configName);
+                 popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, false);
++                if (popLinkWitnessRequired) {
++                    CMS.debug(method + "popLinkWitness(V2) required");
++                } else {
++                    CMS.debug(method + "popLinkWitness(V2) not required");
++                }
+             } catch (Exception e) {
+                 // unlikely to get here
+                 msg = method + " Failed to retrieve cmc.popLinkWitnessRequired";
+@@ -897,8 +934,16 @@ public abstract class EnrollProfile extends BasicProfile
+                             !context.containsKey("POPLinkWitnessV2") &&
+                             !context.containsKey("POPLinkWitness")) {
+                         CMS.debug(method + "popLinkWitness(V2) required");
+-                        if (randomSeed == null) {
+-                            CMS.debug(method + "no randomSeed found");
++                        if (randomSeed == null || ident_s == null) {
++                            msg = "no randomSeed or identification found needed for popLinkWitness(V2)";
++                            CMS.debug(method + msg);
++                            auditMessage = CMS.getLogMessage(
++                                    AuditEvent.CMC_ID_POP_LINK_WITNESS,
++                                    auditSubjectID,
++                                    ILogger.FAILURE,
++                                    method + msg);
++                            audit(auditMessage);
++
+                             context.put("POPLinkWitnessV2", bpids);
+                             return null;
+                         }
+@@ -913,11 +958,26 @@ public abstract class EnrollProfile extends BasicProfile
+                             else if (context.containsKey("POPLinkWitness"))
+                                 msg = " in POPLinkWitness";
+                             else
+-                                msg = " unspecified failure from verifyPOPLinkWitness";
++                                msg = " failure from verifyPOPLinkWitness";
+ 
++                            msg = msg + ": ident_s=" + ident_s;
+                             CMS.debug(method + msg);
++                            auditMessage = CMS.getLogMessage(
++                                    AuditEvent.CMC_ID_POP_LINK_WITNESS,
++                                    auditSubjectID,
++                                    ILogger.FAILURE,
++                                    method + msg);
++                            audit(auditMessage);
+                             throw new EProfileException(CMS.getUserMessage(locale,
+                                     "CMS_POP_LINK_WITNESS_VERIFICATION_ERROR") + msg);
++                        } else {
++                            msg = ": ident_s=" + ident_s;
++                            auditMessage = CMS.getLogMessage(
++                                    AuditEvent.CMC_ID_POP_LINK_WITNESS,
++                                    auditSubjectID,
++                                    ILogger.SUCCESS,
++                                    method + msg);
++                            audit(auditMessage);
+                         }
+                     }
+                 } //for
+@@ -1441,22 +1501,37 @@ public abstract class EnrollProfile extends BasicProfile
+      * @author cfu
+      */
+     private boolean verifyIdentityProofV2(
++            SessionContext sessionContext,
+             TaggedAttribute attr,
+             UTF8String ident,
+             SEQUENCE reqSeq) {
+         String method = "EnrollProfile:verifyIdentityProofV2: ";
++        String msg = "";
+         CMS.debug(method + " begins");
++        boolean verified = false;
++        String auditMessage = method;
++
+         if ((attr == null) ||
+                 (ident == null) ||
+                 (reqSeq == null)) {
+             CMS.debug(method + "method parameters cannot be null");
++            // this is internal error
+             return false;
+         }
+ 
+         String ident_string = ident.toString();
++        String auditAttemptedCred = null;
+ 
+         SET vals = attr.getValues(); // getting the IdentityProofV2 structure
+         if (vals.size() < 1) {
++            msg = " invalid TaggedAttribute in request";
++            CMS.debug(method + msg);
++            auditMessage = CMS.getLogMessage(
++                    AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
++                    auditAttemptedCred,
++                    ILogger.FAILURE,
++                    method + msg);
++            audit(auditMessage);
+             return false;
+         }
+ 
+@@ -1464,18 +1539,33 @@ public abstract class EnrollProfile extends BasicProfile
+         ISharedToken tokenClass = getSharedTokenClass(configName);
+ 
+         if (tokenClass == null) {
+-            CMS.debug(method + " Failed to retrieve shared secret plugin class");
++            msg = " Failed to retrieve shared secret plugin class";
++            CMS.debug(method + msg);
++            auditMessage = CMS.getLogMessage(
++                    AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
++                    auditAttemptedCred,
++                    ILogger.FAILURE,
++                    method + msg);
++            audit(auditMessage);
+             return false;
+         }
+ 
+         String token = null;
+-        if (ident_string != null)
++        if (ident_string != null) {
++            auditAttemptedCred = ident_string;
+             token = tokenClass.getSharedToken(ident_string);
+-        else
++        } else
+             token = tokenClass.getSharedToken(mCMCData);
+ 
+         if (token == null) {
+-            CMS.debug(method + " Failed to retrieve shared secret");
++            msg = " Failed to retrieve shared secret";
++            CMS.debug(method + msg);
++            auditMessage = CMS.getLogMessage(
++                    AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
++                    auditAttemptedCred,
++                    ILogger.FAILURE,
++                    method + msg);
++            audit(auditMessage);
+             return false;
+         }
+ 
+@@ -1493,26 +1583,64 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+             OCTET_STRING witness = idV2val.getWitness();
+             if (witness == null) {
+-                CMS.debug(method + " witness reurned by idV2val.getWitness is null");
+-                return false;
++                msg = " witness reurned by idV2val.getWitness is null";
++                CMS.debug(method + msg);
++                throw new EBaseException(msg);
+             }
+ 
+             byte[] witness_bytes = witness.toByteArray();
+             byte[] request_bytes = ASN1Util.encode(reqSeq); // PKIData reqSequence field
+-            return verifyDigest(
++            verified = verifyDigest(
+                     (ident_string != null) ? (token + ident_string).getBytes() : token.getBytes(),
+                     request_bytes,
+                     witness_bytes,
+                     hashAlg, macAlg);
++
++            String authMgrID =
++                    (String) sessionContext.get(SessionContext.AUTH_MANAGER_ID);
++            String auditSubjectID = null;
++
++            if (verified) {
++                // update auditSubjectID
++                if (sessionContext != null) {
++                    auditSubjectID = (String)
++                            sessionContext.get(SessionContext.USER_ID);
++                    CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID);
++                    CMS.debug(method + "identity verified. Updating auditSubjectID");
++                    CMS.debug(method + "updated auditSubjectID is:"+ ident_string);
++                    auditSubjectID = ident_string;
++                    sessionContext.put(SessionContext.USER_ID, auditSubjectID);
++                } else { //very unlikely
++                    CMS.debug(method + "sessionContext null; cannot update auditSubjectID");
++                }
++
++                auditMessage = CMS.getLogMessage(
++                        AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
++                        auditSubjectID,
++                        ILogger.SUCCESS,
++                        "method=" + method);
++                audit(auditMessage);
++            } else {
++                throw new EBaseException("failed to verify");
++            }
++            return verified;
+         } catch (Exception e) {
+             CMS.debug(method + " Failed with Exception: " + e.toString());
++            auditMessage = CMS.getLogMessage(
++                    AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
++                    auditAttemptedCred,
++                    ILogger.FAILURE,
++                    method + e.toString());
++            audit(auditMessage);
+             return false;
+         }
+ 
+     } // verifyIdentityProofV2
+ 
+-    private boolean verifyIdentityProof(TaggedAttribute attr, SEQUENCE reqSeq) {
++    private boolean verifyIdentityProof(
++            TaggedAttribute attr, SEQUENCE reqSeq) {
+         String method = "verifyIdentityProof: ";
++        boolean verified = false;
+ 
+         SET vals = attr.getValues();
+         if (vals.size() < 1)
+@@ -1537,7 +1665,11 @@ public abstract class EnrollProfile extends BasicProfile
+             byte[] b = ostr.toByteArray();
+             byte[] text = ASN1Util.encode(reqSeq);
+ 
+-            return verifyDigest(token.getBytes(), text, b);
++            verified = verifyDigest(token.getBytes(), text, b);
++            if (verified) {// update auditSubjectID
++                //placeholder. Should probably just disable this v1 method
++            }
++            return verified;
+     }
+ 
+     public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info,
+@@ -1592,13 +1724,22 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+                 p10.encode(ostream);
+                 PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver);
++                if (sigver) {
++                    auditMessage = CMS.getLogMessage(
++                            AuditEvent.PROOF_OF_POSSESSION,
++                            auditSubjectID,
++                            ILogger.SUCCESS,
++                            "method="+method);
++                    audit(auditMessage);
++                }
+ 
+                 req.setExtData("bodyPartId", tcr.getBodyPartID());
+                 fillPKCS10(locale, pkcs10, info, req);
+             } catch (Exception e) {
+                 CMS.debug(method + e);
+                 // this will throw
+-                popFailed(locale, auditSubjectID, auditMessage, e);
++                if (sigver)
++                    popFailed(locale, auditSubjectID, auditMessage, e);
+             }  finally {
+                 if ((sigver == true) && (tokenSwitched == true)){
+                     cm.setThreadToken(savedToken);
+@@ -1787,8 +1928,9 @@ public abstract class EnrollProfile extends BasicProfile
+     public void fillCertReqMsg(Locale locale, CertReqMsg certReqMsg, X509CertInfo info,
+             IRequest req)
+             throws EProfileException {
++        String method = "EnrollProfile: fillCertReqMsg: ";
+         try {
+-            CMS.debug("Start parseCertReqMsg ");
++            CMS.debug(method + "Start parseCertReqMsg ");
+             CertRequest certReq = certReqMsg.getCertReq();
+             req.setExtData("bodyPartId", certReq.getCertReqId());
+             // handle PKIArchiveOption (key archival)
+@@ -1897,12 +2039,20 @@ public abstract class EnrollProfile extends BasicProfile
+                     extensions = new CertificateExtensions();
+                 int numexts = certTemplate.numExtensions();
+ 
++                /*
++                 * there seems to be an issue with constructor in Extension
++                 * when feeding SubjectKeyIdentifierExtension;
++                 * Special-case it
++                 */
++                OBJECT_IDENTIFIER SKIoid =
++                        new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString());
+                 for (int j = 0; j < numexts; j++) {
+                     org.mozilla.jss.pkix.cert.Extension jssext =
+                             certTemplate.extensionAt(j);
+                     boolean isCritical = jssext.getCritical();
+                     org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssoid =
+                             jssext.getExtnId();
++                    CMS.debug(method + "found extension:" + jssoid.toString());
+                     long[] numbers = jssoid.getNumbers();
+                     int[] oidNumbers = new int[numbers.length];
+ 
+@@ -1919,8 +2069,14 @@ public abstract class EnrollProfile extends BasicProfile
+                     jssvalue.encode(jssvalueout);
+                     byte[] extValue = jssvalueout.toByteArray();
+ 
+-                    Extension ext =
+-                            new Extension(oid, isCritical, extValue);
++                    Extension ext = null;
++                    if (jssoid.equals(SKIoid)) {
++                        CMS.debug(method + "found SUBJECT_KEY_IDENTIFIER extension");
++                        ext = new SubjectKeyIdentifierExtension(false,
++                                jssext.getExtnValue().toByteArray());
++                    } else {
++                        new Extension(oid, isCritical, extValue);
++                    }
+ 
+                     extensions.parseExtension(ext);
+                 }
+@@ -2042,12 +2198,12 @@ public abstract class EnrollProfile extends BasicProfile
+                     DerInputStream extIn = new DerInputStream(extB);
+                     CertificateExtensions exts = new CertificateExtensions(extIn);
+                     if (exts != null) {
+-                        CMS.debug(method + "Set extensions " + exts);
++                        CMS.debug(method + "PKCS10 found extensions " + exts);
+                         // info.set(X509CertInfo.EXTENSIONS, exts);
+                         req.setExtData(REQUEST_EXTENSIONS, exts);
+                     }
+                 } else {
+-                    CMS.debug(method + "PKCS10 extension Not Found");
++                    CMS.debug(method + "PKCS10 no extension found");
+                 }
+             }
+ 
+@@ -2406,7 +2562,7 @@ public abstract class EnrollProfile extends BasicProfile
+         String method = "EnrollProfile: verifyPOP: ";
+         CMS.debug(method + "for signing keys begins.");
+ 
+-        String auditMessage = null;
++        String auditMessage = method;
+         String auditSubjectID = auditSubjectID();
+ 
+         if (!certReqMsg.hasPop()) {
+@@ -2437,7 +2593,8 @@ public abstract class EnrollProfile extends BasicProfile
+             auditMessage = CMS.getLogMessage(
+                     AuditEvent.PROOF_OF_POSSESSION,
+                     auditSubjectID,
+-                    ILogger.SUCCESS);
++                    ILogger.SUCCESS,
++                    "method="+method);
+             audit(auditMessage);
+         } catch (Exception e) {
+             CMS.debug(method + "Unable to verify POP: " + e);
+@@ -2446,19 +2603,21 @@ public abstract class EnrollProfile extends BasicProfile
+         CMS.debug(method + "done.");
+     }
+ 
+-    private void popFailed(Locale locale, String auditSubjectID, String auditMessage)
++    private void popFailed(Locale locale, String auditSubjectID, String msg)
+             throws EProfileException {
+-        popFailed(locale, auditSubjectID, auditMessage, null);
++        popFailed(locale, auditSubjectID, msg, null);
+     }
+-    private void popFailed(Locale locale, String auditSubjectID, String auditMessage, Exception e)
++    private void popFailed(Locale locale, String auditSubjectID, String msg, Exception e)
+             throws EProfileException {
+ 
++            if (e != null)
++                msg = msg + e.toString();
+             // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
++            String auditMessage = CMS.getLogMessage(
+                     AuditEvent.PROOF_OF_POSSESSION,
+                     auditSubjectID,
+-                    ILogger.FAILURE);
+-
++                    ILogger.FAILURE,
++                    msg);
+             audit(auditMessage);
+ 
+             if (e != null) {
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java
+index 14484e0..635c044 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/CAEnrollDefault.java
+@@ -25,6 +25,7 @@ import java.security.cert.CertificateException;
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
++import com.netscape.cmsutil.crypto.CryptoUtil;
+ 
+ import netscape.security.x509.CertificateX509Key;
+ import netscape.security.x509.KeyIdentifier;
+@@ -46,30 +47,29 @@ public abstract class CAEnrollDefault extends EnrollDefault {
+     }
+ 
+     public KeyIdentifier getKeyIdentifier(X509CertInfo info) {
++        String method = "CAEnrollDefault: getKeyIdentifier: ";
+         try {
+             CertificateX509Key ckey = (CertificateX509Key)
+                     info.get(X509CertInfo.KEY);
+             X509Key key = (X509Key) ckey.get(CertificateX509Key.KEY);
+-            MessageDigest md = MessageDigest.getInstance("SHA-1");
+-
+-            md.update(key.getKey());
+-            byte[] hash = md.digest();
++            byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey());
++            if (hash == null) {
++                CMS.debug(method +
++                    "CryptoUtil.generateKeyIdentifier returns null");
++                return null;
++            }
+ 
+             return new KeyIdentifier(hash);
+         } catch (IOException e) {
+-            CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " +
+-                    e.toString());
++            CMS.debug(method + e.toString());
+         } catch (CertificateException e) {
+-            CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " +
+-                    e.toString());
+-        } catch (NoSuchAlgorithmException e) {
+-            CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " +
+-                    e.toString());
++            CMS.debug(method + e.toString());
+         }
+         return null;
+     }
+ 
+     public KeyIdentifier getCAKeyIdentifier(ICertificateAuthority ca) throws EBaseException {
++        String method = "CAEnrollDefault: getCAKeyIdentifier: ";
+         X509CertImpl caCert = ca.getCACert();
+         if (caCert == null) {
+             // during configuration, we dont have the CA certificate
+@@ -89,16 +89,11 @@ public abstract class CAEnrollDefault extends EnrollDefault {
+             }
+         }
+ 
+-        try {
+-            MessageDigest md = MessageDigest.getInstance("SHA-1");
+-
+-            md.update(key.getKey());
+-            byte[] hash = md.digest();
+-
+-            return new KeyIdentifier(hash);
+-        } catch (NoSuchAlgorithmException e) {
+-            CMS.debug("AuthorityKeyIdentifierExtDefault: getKeyId " +
+-                    e.toString());
++        byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey());
++        if (hash == null) {
++            CMS.debug(method +
++                "CryptoUtil.generateKeyIdentifier returns null");
++            return null;
+         }
+         return null;
+     }
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java
+index a8f6a74..d787575 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectKeyIdentifierExtDefault.java
+@@ -37,6 +37,7 @@ import com.netscape.certsrv.property.Descriptor;
+ import com.netscape.certsrv.property.EPropertyException;
+ import com.netscape.certsrv.property.IDescriptor;
+ import com.netscape.certsrv.request.IRequest;
++import com.netscape.cmsutil.crypto.CryptoUtil;
+ 
+ /**
+  * This class implements an enrollment default policy
+@@ -195,22 +196,26 @@ public class SubjectKeyIdentifierExtDefault extends EnrollExtDefault {
+     }
+ 
+     public KeyIdentifier getKeyIdentifier(X509CertInfo info) {
++        String method = "SubjectKeyIdentifierExtDefault: getKeyIdentifier: ";
+         try {
+             CertificateX509Key infokey = (CertificateX509Key)
+                     info.get(X509CertInfo.KEY);
+             X509Key key = (X509Key) infokey.get(CertificateX509Key.KEY);
+-            MessageDigest md = MessageDigest.getInstance("SHA-1");
+ 
+-            md.update(key.getKey());
+-            byte[] hash = md.digest();
++            // "SHA-1" is default for CryptoUtil.generateKeyIdentifier.
++            // you could specify different algorithm with the alg parameter
++            // like this:
++            //byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey(), "SHA-256");
++            byte[] hash = CryptoUtil.generateKeyIdentifier(key.getKey());
+ 
++            if (hash == null) {
++                CMS.debug(method +
++                    "CryptoUtil.generateKeyIdentifier returns null");
++                return null;
++            }
+             return new KeyIdentifier(hash);
+-        } catch (NoSuchAlgorithmException e) {
+-            CMS.debug("SubjectKeyIdentifierExtDefault: getKeyIdentifier " +
+-                    e.toString());
+         } catch (Exception e) {
+-            CMS.debug("SubjectKeyIdentifierExtDefault: getKeyIdentifier " +
+-                    e.toString());
++            CMS.debug(method + e.toString());
+         }
+         return null;
+     }
+diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
+index 84a6398..2affaf3 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
++++ b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
+@@ -179,26 +179,27 @@ public abstract class EnrollInput implements IProfileInput {
+ 
+     public void verifyPOP(Locale locale, CertReqMsg certReqMsg)
+             throws EProfileException {
++        String method = "EnrollInput: verifyPOP: ";
+         CMS.debug("EnrollInput ::in verifyPOP");
+ 
+         String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+ 
+         if (!certReqMsg.hasPop()) {
+-            CMS.debug("CertReqMsg has not POP, return");
++            CMS.debug(method + "CertReqMsg has not POP, return");
+             return;
+         }
+         ProofOfPossession pop = certReqMsg.getPop();
+         ProofOfPossession.Type popType = pop.getType();
+ 
+         if (popType != ProofOfPossession.SIGNATURE) {
+-            CMS.debug("not POP SIGNATURE, return");
++            CMS.debug(method + "not POP SIGNATURE, return");
+             return;
+         }
+ 
+         try {
+             if (CMS.getConfigStore().getBoolean("cms.skipPOPVerify", false)) {
+-                CMS.debug("skipPOPVerify on, return");
++                CMS.debug(method + "skipPOPVerify on, return");
+                 return;
+             }
+             CMS.debug("POP verification begins:");
+@@ -207,10 +208,10 @@ public abstract class EnrollInput implements IProfileInput {
+             CryptoToken verifyToken = null;
+             String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
+             if (CryptoUtil.isInternalToken(tokenName)) {
+-                CMS.debug("POP verification using internal token");
++                CMS.debug(method + "POP verification using internal token");
+                 certReqMsg.verify();
+             } else {
+-                CMS.debug("POP verification using token:" + tokenName);
++                CMS.debug(method + "POP verification using token:" + tokenName);
+                 verifyToken = CryptoUtil.getCryptoToken(tokenName);
+                 certReqMsg.verify(verifyToken);
+             }
+@@ -219,18 +220,20 @@ public abstract class EnrollInput implements IProfileInput {
+             auditMessage = CMS.getLogMessage(
+                     AuditEvent.PROOF_OF_POSSESSION,
+                     auditSubjectID,
+-                    ILogger.SUCCESS);
++                    ILogger.SUCCESS,
++                    "method="+method);
+             audit(auditMessage);
+         } catch (Exception e) {
+ 
+-            CMS.debug("Failed POP verify! " + e.toString());
++            CMS.debug(method + "Failed POP verify! " + e.toString());
+             CMS.debug(e);
+ 
+             // store a message in the signed audit log file
+             auditMessage = CMS.getLogMessage(
+                     AuditEvent.PROOF_OF_POSSESSION,
+                     auditSubjectID,
+-                    ILogger.FAILURE);
++                    ILogger.FAILURE,
++                    method + e.toString());
+ 
+             audit(auditMessage);
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
+index 70a4a42..c57c532 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
+@@ -23,17 +23,6 @@ import java.io.IOException;
+ import java.security.InvalidKeyException;
+ import java.security.cert.CertificateException;
+ 
+-import netscape.security.util.ObjectIdentifier;
+-import netscape.security.x509.CertificateExtensions;
+-import netscape.security.x509.CertificateSubjectName;
+-import netscape.security.x509.CertificateValidity;
+-import netscape.security.x509.CertificateVersion;
+-import netscape.security.x509.CertificateX509Key;
+-import netscape.security.x509.Extension;
+-import netscape.security.x509.X500Name;
+-import netscape.security.x509.X509CertInfo;
+-import netscape.security.x509.X509Key;
+-
+ import org.mozilla.jss.asn1.INTEGER;
+ import org.mozilla.jss.asn1.InvalidBERException;
+ import org.mozilla.jss.asn1.SEQUENCE;
+@@ -56,6 +45,17 @@ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.common.ECMSGWException;
+ 
++import netscape.security.util.ObjectIdentifier;
++import netscape.security.x509.CertificateExtensions;
++import netscape.security.x509.CertificateSubjectName;
++import netscape.security.x509.CertificateValidity;
++import netscape.security.x509.CertificateVersion;
++import netscape.security.x509.CertificateX509Key;
++import netscape.security.x509.Extension;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertInfo;
++import netscape.security.x509.X509Key;
++
+ /**
+  * Process CRMF requests, according to RFC 2511
+  * See http://www.ietf.org/rfc/rfc2511.txt
+@@ -98,6 +98,7 @@ public class CRMFProcessor extends PKIProcessor {
+      */
+     private void verifyPOP(CertReqMsg certReqMsg)
+             throws EBaseException {
++        String method = "CRMFProcessor: verifyPOP: ";
+         String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+ 
+@@ -118,7 +119,8 @@ public class CRMFProcessor extends PKIProcessor {
+                         auditMessage = CMS.getLogMessage(
+                                 AuditEvent.PROOF_OF_POSSESSION,
+                                 auditSubjectID,
+-                                ILogger.SUCCESS);
++                                ILogger.SUCCESS,
++                                "method=" + method);
+ 
+                         audit(auditMessage);
+                     } catch (Exception e) {
+@@ -131,7 +133,8 @@ public class CRMFProcessor extends PKIProcessor {
+                         auditMessage = CMS.getLogMessage(
+                                 AuditEvent.PROOF_OF_POSSESSION,
+                                 auditSubjectID,
+-                                ILogger.FAILURE);
++                                ILogger.FAILURE,
++                                method + e.toString());
+ 
+                         audit(auditMessage);
+ 
+@@ -148,7 +151,8 @@ public class CRMFProcessor extends PKIProcessor {
+                     auditMessage = CMS.getLogMessage(
+                             AuditEvent.PROOF_OF_POSSESSION,
+                             auditSubjectID,
+-                            ILogger.FAILURE);
++                            ILogger.FAILURE,
++                            method + "required POP missing");
+ 
+                     audit(auditMessage);
+ 
+@@ -161,7 +165,8 @@ public class CRMFProcessor extends PKIProcessor {
+             auditMessage = CMS.getLogMessage(
+                     AuditEvent.PROOF_OF_POSSESSION,
+                     auditSubjectID,
+-                    ILogger.FAILURE);
++                    ILogger.FAILURE,
++                    method + eAudit1.toString());
+ 
+             audit(auditMessage);
+         }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index 0e101ed..93039a4 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -39,12 +39,16 @@ import org.mozilla.jss.pkix.cmc.OtherInfo;
+ import org.mozilla.jss.pkix.cmc.TaggedAttribute;
+ 
+ import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.EInvalidCredentials;
++import com.netscape.certsrv.authentication.EMissingCredential;
+ import com.netscape.certsrv.authentication.IAuthManager;
+ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.authorization.AuthzToken;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AuthFailEvent;
++import com.netscape.certsrv.logging.event.AuthSuccessEvent;
+ import com.netscape.certsrv.logging.event.CertRequestProcessedEvent;
+ import com.netscape.certsrv.profile.EDeferException;
+ import com.netscape.certsrv.profile.EProfileException;
+@@ -143,6 +147,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+ 
+     public IAuthToken authenticate(IProfileAuthenticator authenticator,
+             HttpServletRequest request) throws EBaseException {
++        String method = "ProfileSubmitCMCServlet: authenticate: ";
+         AuthCredentials credentials = new AuthCredentials();
+ 
+         // build credential
+@@ -158,15 +163,47 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+                     credentials.set(authName, request.getParameter(authName));
+             }
+         }
+-        IAuthToken authToken = authenticator.authenticate(credentials);
+ 
++        IAuthToken authToken = null;
++        String auditSubjectID = null;
++        String authMgrID = authenticator.getName();
+         SessionContext sc = SessionContext.getContext();
+-        if (sc != null) {
+-            sc.put(SessionContext.AUTH_MANAGER_ID, authenticator.getName());
+-            String userid = authToken.getInString(IAuthToken.USER_ID);
+-            if (userid != null) {
+-                sc.put(SessionContext.USER_ID, userid);
++
++        try {
++            authToken = authenticator.authenticate(credentials);
++            if (sc != null) {
++                sc.put(SessionContext.AUTH_MANAGER_ID, authMgrID);
++                auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
++                if (auditSubjectID != null) {
++                    CMS.debug(method + "setting auditSubjectID in SessionContext:" +
++                            auditSubjectID);
++                    sc.put(SessionContext.USER_ID, auditSubjectID);
++                } else {
++                    CMS.debug(method + "no auditSubjectID found in authToken");
++                }
++            }
++
++            if (!auditSubjectID.equals(ILogger.UNIDENTIFIED) &&
++                    !auditSubjectID.equals(ILogger.NONROLEUSER)) {
++                audit(new AuthSuccessEvent(
++                        auditSubjectID,
++                        ILogger.SUCCESS,
++                        authMgrID));
++            }
++
++        } catch (EBaseException e) {
++            CMS.debug(method + e);
++            String attempted_auditSubjectID = null;
++            if (sc != null) {
++                attempted_auditSubjectID =
++                        (String) sc.get(SessionContext.USER_ID);
+             }
++            audit(new AuthFailEvent(
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    authMgrID,
++                    attempted_auditSubjectID));
++            throw(e);
+         }
+ 
+         return authToken;
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 1a5b37a..6bc2d82 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2181,9 +2181,18 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3=<type=AUTH_SUCCESS>:[AuditEvent=AUTH_SUCCESS
+ LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval
+ #
+ # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION
+-# - used when proof of possession is checked during certificate enrollment
++# - used for proof of possession during certificate enrollment processing
+ #
+-LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}] checking proof of possession
++LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
++# LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION
++# - used for proof of identification during CMC request processing
++# - In case of success, "SubjectID" is the actual identified identification;
++# - In case of failure, "SubjectID" is the attempted identification
++#
++LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=<type=CMC_PROOF_OF_IDENTIFICATION>:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request
++# - used for identification and POP linking verification during CMC request processing
++#
++LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=<type=CMC_ID_POP_LINK_WITNESS>:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
+ #
+ # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL
+ # - used when CRLs are retrieved by the OCSP Responder
+@@ -2235,7 +2244,16 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3=<type=OCSP_REMOV
+ # SignerInfo must be a unique String representation for the signer
+ #
+ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] agent pre-approved CMC request signature verification
+-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification
++#
++# LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY
++# - used when CMC (user-signed or self-signed) certificate requests or revocation requests
++#   are submitted and signature is verified
++# ReqType must be the request type (enrollment, or revocation)
++# CertSubject must be the certificate subject name of the certificate request
++# SignerInfo must be a unique String representation for the signer
++#
++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS_5=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification success
++LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}][info={5}] User signed CMC request signature verification failure
+ 
+ # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST 
+ # - used for TPS to TKS to get random challenge data
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java b/base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java
+index 6dabd0c..177d540 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/security/KeyCertUtil.java
+@@ -1032,13 +1032,17 @@ public class KeyCertUtil {
+ 
+     public static KeyIdentifier createKeyIdentifier(KeyPair keypair)
+             throws NoSuchAlgorithmException, InvalidKeyException {
+-        MessageDigest md = MessageDigest.getInstance("SHA-1");
+         X509Key subjectKeyInfo = convertPublicKeyToX509Key(
+                 keypair.getPublic());
+ 
+-        //md.update(subjectKeyInfo.getEncoded());
+-        md.update(subjectKeyInfo.getKey());
+-        return new KeyIdentifier(md.digest());
++        byte[] hash = CryptoUtil.generateKeyIdentifier(subjectKeyInfo.getKey());
++
++        if (hash == null) {
++            CMS.debug("KeyCertUtil: createKeyIdentifier " +
++                "CryptoUtil.generateKeyIdentifier returns null");
++            return null;
++        }
++        return new KeyIdentifier(hash);
+     }
+ 
+     public static BigInteger getSerialNumber(LDAPConnection conn, String baseDN)
+diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+index e529a0f..8b8c443 100644
+--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+@@ -27,6 +27,7 @@ import java.net.SocketException;
+ import java.security.InvalidAlgorithmParameterException;
+ import java.security.InvalidKeyException;
+ import java.security.KeyPair;
++import java.security.MessageDigest;
+ import java.security.NoSuchAlgorithmException;
+ import java.security.NoSuchProviderException;
+ import java.security.PublicKey;
+@@ -127,6 +128,7 @@ import netscape.security.util.DerValue;
+ import netscape.security.util.ObjectIdentifier;
+ import netscape.security.util.WrappingParams;
+ import netscape.security.x509.AlgorithmId;
++import netscape.security.x509.CertAttrSet;
+ import netscape.security.x509.CertificateAlgorithmId;
+ import netscape.security.x509.CertificateChain;
+ import netscape.security.x509.CertificateExtensions;
+@@ -136,7 +138,11 @@ import netscape.security.x509.CertificateSubjectName;
+ import netscape.security.x509.CertificateValidity;
+ import netscape.security.x509.CertificateVersion;
+ import netscape.security.x509.CertificateX509Key;
++import netscape.security.x509.Extension;
+ import netscape.security.x509.Extensions;
++import netscape.security.x509.KeyIdentifier;
++import netscape.security.x509.PKIXExtensions;
++import netscape.security.x509.SubjectKeyIdentifierExtension;
+ import netscape.security.x509.X500Name;
+ import netscape.security.x509.X500Signer;
+ import netscape.security.x509.X509CertImpl;
+@@ -1536,10 +1542,33 @@ public class CryptoUtil {
+      * This createCertificationRequest() allows extensions to be added to the CSR
+      */
+     public static PKCS10 createCertificationRequest(String subjectName,
++            KeyPair keyPair, Extensions exts)
++            throws NoSuchAlgorithmException, NoSuchProviderException,
++            InvalidKeyException, IOException, CertificateException,
++            SignatureException {
++        String method = "CryptoUtil: createCertificationRequest: ";
++
++        String alg = "SHA256withRSA";
++        PublicKey pubk = keyPair.getPublic();
++        X509Key key = convertPublicKeyToX509Key(pubk);
++        if (pubk instanceof RSAPublicKey) {
++            alg = "SHA256withRSA";
++        } else if (isECCKey(key)) {
++            alg = "SHA256withEC";
++        } else {
++            throw new NoSuchAlgorithmException(method + alg);
++        }
++
++        return createCertificationRequest(
++                subjectName, key, (org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate(),
++                alg, exts);
++    }
++
++    public static PKCS10 createCertificationRequest(String subjectName,
+             X509Key pubk, PrivateKey prik, String alg, Extensions exts)
+             throws NoSuchAlgorithmException, NoSuchProviderException,
+-                InvalidKeyException, IOException, CertificateException,
+-                SignatureException {
++            InvalidKeyException, IOException, CertificateException,
++            SignatureException {
+         X509Key key = pubk;
+         java.security.Signature sig = java.security.Signature.getInstance(alg,
+                 "Mozilla-JSS");
+@@ -1548,11 +1577,12 @@ public class CryptoUtil {
+         PKCS10 pkcs10 = null;
+ 
+         if (exts != null && !exts.isEmpty()) {
+-            PKCS10Attribute attr = new
+-                    PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID,
+-                            exts);
++            PKCS10Attribute attr = new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID,
++                    exts);
+             PKCS10Attributes attrs = new PKCS10Attributes();
+ 
++            System.out.println("PKCS10: createCertificationRequest: adding attribute name =" +
++                    attr.getAttributeValue().getName());
+             attrs.setAttribute(attr.getAttributeValue().getName(), attr);
+ 
+             pkcs10 = new PKCS10(key, attrs);
+@@ -1566,6 +1596,51 @@ public class CryptoUtil {
+         return pkcs10;
+     }
+ 
++    public static KeyIdentifier createKeyIdentifier(KeyPair keypair)
++            throws NoSuchAlgorithmException, InvalidKeyException {
++        String method = "CryptoUtil: createKeyIdentifier: ";
++        System.out.println(method + "begins");
++
++        X509Key subjectKeyInfo = convertPublicKeyToX509Key(
++                keypair.getPublic());
++
++        byte[] hash = generateKeyIdentifier(subjectKeyInfo.getKey());
++
++        if (hash == null) {
++            System.out.println(method +
++                    "generateKeyIdentifier returns null");
++            return null;
++        }
++        return new KeyIdentifier(hash);
++    }
++
++    public static byte[] generateKeyIdentifier(byte[] rawKey) {
++        return generateKeyIdentifier(rawKey, null);
++    }
++
++    public static byte[] generateKeyIdentifier(byte[] rawKey, String alg) {
++        String method = "CryptoUtil: generateKeyIdentifier: ";
++        String msg = "";
++        if (alg == null) {
++            alg = "SHA-1";
++        }
++        try {
++            MessageDigest md = MessageDigest.getInstance(alg);
++
++            md.update(rawKey);
++            byte[] hash = md.digest();
++
++            return hash;
++        } catch (NoSuchAlgorithmException e) {
++            msg = method + e;
++            System.out.println(msg);
++        } catch (Exception e) {
++            msg = method + e;
++            System.out.println(msg);
++        }
++        return null;
++    }
++
+     /**
+      * Creates a PKCS#10 request.
+      */
+@@ -1611,6 +1686,102 @@ public class CryptoUtil {
+         return pkcs10;
+     }
+ 
++    /*
++     * get extention from  PKCS10 request
++     */
++    public static netscape.security.x509.Extension getExtensionFromPKCS10(PKCS10 pkcs10, String extnName)
++            throws IOException, CertificateException {
++        Extension extn = null;
++
++        String method = "CryptoUtiil: getExtensionFromPKCS10: ";
++        System.out.println(method + "begins");
++
++        PKCS10Attributes attributeSet = pkcs10.getAttributes();
++        if (attributeSet == null) {
++            System.out.println(method + "attributeSet not found");
++            return null;
++        }
++        PKCS10Attribute attr = attributeSet.getAttribute("extensions");
++        if (attr == null) {
++            System.out.println(method + "extensions attribute not found");
++            return null;
++        }
++        System.out.println(method + attr.toString());
++
++        CertAttrSet cas = attr.getAttributeValue();
++        if (cas == null) {
++            System.out.println(method + "CertAttrSet not found in PKCS10Attribute");
++            return null;
++        }
++
++        Enumeration<String> en = cas.getAttributeNames();
++        while (en.hasMoreElements()) {
++            String name = en.nextElement();
++            System.out.println(method + " checking extension in request:" + name);
++            if (name.equals(extnName)) {
++                System.out.println(method + "extension matches");
++                extn = (Extension)cas.get(name);
++            }
++        }
++
++        System.out.println(method + "ends");
++        return extn;
++    }
++
++    /*
++     * get extension from CRMF cert request (CertTemplate)
++     */
++    public static netscape.security.x509.Extension getExtensionFromCertTemplate(CertTemplate certTemplate, ObjectIdentifier csOID) {
++        //ObjectIdentifier csOID = PKIXExtensions.SubjectKey_Id;
++        OBJECT_IDENTIFIER jssOID =
++                new OBJECT_IDENTIFIER(csOID.toString());
++/*
++        return getExtensionFromCertTemplate(certTemplate, jssOID);
++    }
++    public static netscape.security.x509.Extension getExtensionFromCertTemplate(CertTemplate certTemplate, org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssOID) {
++*/
++
++        String method = "CryptoUtil: getSKIExtensionFromCertTemplate: ";
++        Extension extn = null;
++
++       /*
++        * there seems to be an issue with constructor in Extension
++        * when feeding SubjectKeyIdentifierExtension;
++        * Special-case it
++        */
++        OBJECT_IDENTIFIER SKIoid =
++                new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString());
++
++        if (certTemplate.hasExtensions()) {
++            int numexts = certTemplate.numExtensions();
++            for (int j = 0; j < numexts; j++) {
++                 org.mozilla.jss.pkix.cert.Extension jssext =
++                         certTemplate.extensionAt(j);
++                 org.mozilla.jss.asn1.OBJECT_IDENTIFIER extnoid =
++                         jssext.getExtnId();
++                 System.out.println(method + "checking extension in request:" + extnoid.toString());
++                 if (extnoid.equals(jssOID)) {
++                     System.out.println(method + "extension found");
++                     try {
++                       if (jssOID.equals(SKIoid)) {
++                         extn =
++                             new SubjectKeyIdentifierExtension(false, jssext.getExtnValue().toByteArray());
++                       } else {
++                         extn =
++                             new netscape.security.x509.Extension(csOID, false, jssext.getExtnValue().toByteArray());
++                       }
++                     } catch (IOException e) {
++                       System.out.println(method + e);
++                     }
++                 }
++            }
++        } else {
++            System.out.println(method + "no extension found");
++        }
++
++        return extn;
++    }
++
+     public static void unTrustCert(InternalCertificate cert) {
+         // remove TRUSTED_CA
+         int flag = cert.getSSLTrust();
+diff --git a/base/util/src/netscape/security/pkcs/PKCS10.java b/base/util/src/netscape/security/pkcs/PKCS10.java
+index 0702e82..10933b0 100644
+--- a/base/util/src/netscape/security/pkcs/PKCS10.java
++++ b/base/util/src/netscape/security/pkcs/PKCS10.java
+@@ -123,6 +123,13 @@ public class PKCS10 {
+         byte sigData[];
+         Signature sig;
+ 
++        String method = "PKCS10: PKCS10: ";
++        String msg = "";
++
++        System.out.println(method + "begins");
++        if (data == null) {
++            throw new IllegalArgumentException(method + "param data cann't be null");
++        }
+         certificateRequest = data;
+ 
+         //
+@@ -131,9 +138,12 @@ public class PKCS10 {
+         //
+         in = new DerInputStream(data);
+         seq = in.getSequence(3);
++        if (seq == null) {
++            throw new IllegalArgumentException(method + "in.getSequence null");
++        }
+ 
+         if (seq.length != 3)
+-            throw new IllegalArgumentException("not a PKCS #10 request");
++            throw new IllegalArgumentException(method + "not a PKCS #10 request");
+ 
+         data = seq[0].toByteArray(); // reusing this variable
+         certRequestInfo = seq[0].toByteArray(); // make a copy
+@@ -152,20 +162,22 @@ public class PKCS10 {
+         */
+ 
+         subject = new X500Name(seq[0].data);
++        msg = "Request Subject: " + subject + ": ";
+ 
+         byte val1[] = seq[0].data.getDerValue().toByteArray();
+         subjectPublicKeyInfo = X509Key.parse(new DerValue(val1));
+         PublicKey publicKey = X509Key.parsePublicKey(new DerValue(val1));
+         if (publicKey == null) {
+-            System.out.println("PKCS10: publicKey null");
+-            throw new SignatureException ("publicKey null");
++            System.out.println(method + msg + "publicKey null");
++            throw new SignatureException (method + msg + "publicKey null");
+         }
+ 
+         // Cope with a somewhat common illegal PKCS #10 format
+-        if (seq[0].data.available() != 0)
++        if (seq[0].data.available() != 0) {
+             attributeSet = new PKCS10Attributes(seq[0].data);
+-        else
++        } else {
+             attributeSet = new PKCS10Attributes();
++        }
+ 
+         //
+         // OK, we parsed it all ... validate the signature using the
+@@ -202,14 +214,15 @@ public class PKCS10 {
+                 sig.initVerify(publicKey);
+                 sig.update(data);
+                 if (!sig.verify(sigData)) {
+-                System.out.println("PKCS10: sig.verify() failed");
+-                    throw new SignatureException("Invalid PKCS #10 signature");
++                    System.out.println(method + msg + "sig.verify() failed");
++                        throw new SignatureException(method + msg + "Invalid PKCS #10 signature");
+                 }
+             }
+         } catch (InvalidKeyException e) {
+-            System.out.println("PKCS10: "+ e.toString());
+-            throw new SignatureException("invalid key");
++            System.out.println(method + msg + e.toString());
++            throw new SignatureException(method + msg + "invalid key");
+         }
++        System.out.println(method + "ends");
+     }
+ 
+     public PKCS10(byte data[])
+diff --git a/base/util/src/netscape/security/pkcs/PKCS10Attributes.java b/base/util/src/netscape/security/pkcs/PKCS10Attributes.java
+index 4c97218..45d5695 100644
+--- a/base/util/src/netscape/security/pkcs/PKCS10Attributes.java
++++ b/base/util/src/netscape/security/pkcs/PKCS10Attributes.java
+@@ -66,6 +66,8 @@ public class PKCS10Attributes extends Vector<PKCS10Attribute> implements DerEnco
+             for (int i = 0; i < attrs.length; i++) {
+                 PKCS10Attribute attr = new PKCS10Attribute(attrs[i]);
+                 addElement(attr);
++                System.out.println("PKCS10Attributes: adding attribute: " +
++                        attr.getAttributeValue().getName());
+                 map.put(attr.getAttributeValue().getName(), attr);
+             }
+         }
+-- 
+1.8.3.1
+
+
+From 8751cd2c5cc0c41c5d85724fddfd5d872ad994ed Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 17 May 2017 16:30:52 +0200
+Subject: [PATCH 17/27] Fixed CERT_REQUEST_PROCESSED events in
+ ConnectorServlet.
+
+The code that generates CERT_REQUEST_PROCESSED events in
+ConnectorServlet.processRequest() has been moved into a finally-
+clause that wraps around IRequestQueue.processRequest() to ensure
+that the events are generated properly.
+
+If a cert was issued for the request that has just been processed
+the event outcome is a Success, otherwise it's a Failure.
+
+Any exception thrown by the IRequestQueue.processRequest() will be
+passed to the ConnectorServlet.processRequest()'s callers.
+
+https://pagure.io/dogtagpki/issue/2690
+
+Change-Id: I07454afb75328fbee3e50e5852adb5085be0613e
+---
+ .../cms/servlet/connector/ConnectorServlet.java       | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+index eeb640e..82f3071 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+@@ -617,6 +617,8 @@ public class ConnectorServlet extends CMSServlet {
+             try {
+                 queue.processRequest(thisreq);
+ 
++            } finally {
++
+                 if (isProfileRequest(thisreq)) {
+ 
+                     X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+@@ -629,28 +631,17 @@ public class ConnectorServlet extends CMSServlet {
+                                 auditRequesterID,
+                                 ILogger.SIGNED_AUDIT_ACCEPTANCE,
+                                 x509cert));
+-                    }
+-                }
+ 
+-            } catch (EBaseException eAudit1) {
+-                if (isProfileRequest(thisreq)) {
+-
+-                    X509CertImpl x509cert = thisreq.getExtDataInCert(IEnrollProfile.REQUEST_ISSUED_CERT);
+-
+-                    if (x509cert != null) {
++                    } else {
+ 
+                         audit(new CertRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+-                                ILogger.SIGNED_AUDIT_ACCEPTANCE,
+-                                x509cert));
++                                ILogger.SIGNED_AUDIT_REJECTION,
++                                ILogger.SIGNED_AUDIT_EMPTY_VALUE));
+                     }
+                 }
+-
+-                // rethrow EBaseException to primary catch clause
+-                // within this method
+-                throw eAudit1;
+             }
+ 
+             replymsg = CMS.getHttpPKIMessage();
+-- 
+1.8.3.1
+
+
+From 579ed7eed16c9fc6e02928f71656d2a326d68c22 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Tue, 16 May 2017 02:42:12 +0200
+Subject: [PATCH 18/27] Added CertStatusChangeRequestProcessedEvent.
+
+A new CertStatusChangeRequestProcessedEvent class has been added to
+encapsulate the CERT_STATUS_CHANGE_REQUEST_PROCESSED events.
+
+https://pagure.io/dogtagpki/issue/2636
+
+Change-Id: I41cf0ce94b176a2036b9f1f433212bf3c414fb0b
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  2 -
+ .../CertStatusChangeRequestProcessedEvent.java     | 52 ++++++++++++++++++++
+ .../cms/servlet/cert/CMCRevReqServlet.java         | 55 +++++++++-------------
+ .../com/netscape/cms/servlet/cert/DoRevokeTPS.java | 33 +++++--------
+ .../netscape/cms/servlet/cert/DoUnrevokeTPS.java   | 17 +++----
+ .../cms/servlet/cert/RevocationProcessor.java      |  8 ++--
+ 6 files changed, 98 insertions(+), 69 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 059363e..21cac27 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -105,8 +105,6 @@ public class AuditEvent implements IBundleLogEvent {
+             "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+     public final static String CERT_STATUS_CHANGE_REQUEST =
+             "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
+-    public final static String CERT_STATUS_CHANGE_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
+ 
+     public final static String AUTHZ_SUCCESS =
+             "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java
+new file mode 100644
+index 0000000..f583ad2
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java
+@@ -0,0 +1,52 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.request.RequestStatus;
++
++public class CertStatusChangeRequestProcessedEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public final static String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
++
++    public CertStatusChangeRequestProcessedEvent(
++            String subjectID,
++            String outcome,
++            String requesterID,
++            String serialNumber,
++            String requestType,
++            String reasonNum,
++            RequestStatus approvalStatus) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                requesterID,
++                serialNumber,
++                requestType,
++                reasonNum,
++                approvalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : approvalStatus.toString()
++        });
++    }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
+index f4d7f8f..24ba494 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
+@@ -31,13 +31,6 @@ import javax.servlet.ServletOutputStream;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+ 
+-import netscape.security.x509.CRLExtensions;
+-import netscape.security.x509.CRLReasonExtension;
+-import netscape.security.x509.InvalidityDateExtension;
+-import netscape.security.x509.RevocationReason;
+-import netscape.security.x509.RevokedCertImpl;
+-import netscape.security.x509.X509CertImpl;
+-
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.authentication.AuthToken;
+ import com.netscape.certsrv.authentication.EMissingCredential;
+@@ -56,6 +49,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+ import com.netscape.certsrv.ra.IRegistrationAuthority;
+ import com.netscape.certsrv.request.IRequest;
+@@ -69,6 +63,13 @@ import com.netscape.cms.servlet.common.CMSTemplateParams;
+ import com.netscape.cms.servlet.common.ECMSGWException;
+ import com.netscape.cmsutil.util.Utils;
+ 
++import netscape.security.x509.CRLExtensions;
++import netscape.security.x509.CRLReasonExtension;
++import netscape.security.x509.InvalidityDateExtension;
++import netscape.security.x509.RevocationReason;
++import netscape.security.x509.RevokedCertImpl;
++import netscape.security.x509.X509CertImpl;
++
+ /**
+  * Revoke a certificate with a CMC-formatted revocation request
+  *
+@@ -810,17 +811,15 @@ public class CMCRevReqServlet extends CMSServlet {
+             if (auditApprovalStatus == RequestStatus.COMPLETE ||
+                     auditApprovalStatus == RequestStatus.REJECTED ||
+                     auditApprovalStatus == RequestStatus.CANCELED) {
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++
++                audit(new CertStatusChangeRequestProcessedEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRequesterID,
+                         auditSerialNumber,
+                         auditRequestType,
+                         auditReasonNum,
+-                        auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString());
+-
+-                audit(auditMessage);
++                        auditApprovalStatus));
+             }
+ 
+         } catch (CertificateException e) {
+@@ -844,17 +843,15 @@ public class CMCRevReqServlet extends CMSServlet {
+                 if (auditApprovalStatus == RequestStatus.COMPLETE ||
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++
++                    audit(new CertStatusChangeRequestProcessedEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+                             auditSerialNumber,
+                             auditRequestType,
+                             auditReasonNum,
+-                            auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString());
+-
+-                    audit(auditMessage);
++                            auditApprovalStatus));
+                 }
+             }
+ 
+@@ -882,17 +879,15 @@ public class CMCRevReqServlet extends CMSServlet {
+                 if (auditApprovalStatus == RequestStatus.COMPLETE ||
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++
++                    audit(new CertStatusChangeRequestProcessedEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+                             auditSerialNumber,
+                             auditRequestType,
+                             auditReasonNum,
+-                            auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString());
+-
+-                    audit(auditMessage);
++                            auditApprovalStatus));
+                 }
+             }
+ 
+@@ -921,17 +916,15 @@ public class CMCRevReqServlet extends CMSServlet {
+                 if (auditApprovalStatus == RequestStatus.COMPLETE ||
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++
++                    audit(new CertStatusChangeRequestProcessedEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+                             auditSerialNumber,
+                             auditRequestType,
+                             auditReasonNum,
+-                            auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString());
+-
+-                    audit(auditMessage);
++                            auditApprovalStatus));
+                 }
+             }
+ 
+@@ -957,17 +950,15 @@ public class CMCRevReqServlet extends CMSServlet {
+                 if (auditApprovalStatus == RequestStatus.COMPLETE ||
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++
++                    audit(new CertStatusChangeRequestProcessedEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRequesterID,
+                             auditSerialNumber,
+                             auditRequestType,
+                             auditReasonNum,
+-                            auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString());
+-
+-                    audit(auditMessage);
++                            auditApprovalStatus));
+                 }
+             }
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
+index 68ac6da..a9a6238 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
+@@ -49,6 +49,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+@@ -557,17 +558,15 @@ public class DoRevokeTPS extends CMSServlet {
+                     if (auditApprovalStatus == RequestStatus.COMPLETE ||
+                             auditApprovalStatus == RequestStatus.REJECTED ||
+                             auditApprovalStatus == RequestStatus.CANCELED) {
+-                        auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++
++                        audit(new CertStatusChangeRequestProcessedEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+                                     auditRequesterID,
+                                     auditSerialNumber,
+                                     auditRequestType,
+                                     auditReasonNum,
+-                                    auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString());
+-
+-                        audit(auditMessage);
++                                    auditApprovalStatus));
+                     }
+ 
+                     return;
+@@ -748,17 +747,15 @@ public class DoRevokeTPS extends CMSServlet {
+             if (auditApprovalStatus == RequestStatus.COMPLETE ||
+                     auditApprovalStatus == RequestStatus.REJECTED ||
+                     auditApprovalStatus == RequestStatus.CANCELED) {
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++
++                audit(new CertStatusChangeRequestProcessedEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditRequesterID,
+                             auditSerialNumber,
+                             auditRequestType,
+                             auditReasonNum,
+-                            auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString());
+-
+-                audit(auditMessage);
++                            auditApprovalStatus));
+             }
+         } catch (EBaseException e) {
+             log(ILogger.LL_FAILURE, "error " + e);
+@@ -783,17 +780,15 @@ public class DoRevokeTPS extends CMSServlet {
+                 if (auditApprovalStatus == RequestStatus.COMPLETE ||
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++
++                    audit(new CertStatusChangeRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditSerialNumber,
+                                 auditRequestType,
+                                 auditReasonNum,
+-                                auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString());
+-
+-                    audit(auditMessage);
++                                auditApprovalStatus));
+                 }
+             }
+ 
+@@ -822,17 +817,15 @@ public class DoRevokeTPS extends CMSServlet {
+                 if (auditApprovalStatus == RequestStatus.COMPLETE ||
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++
++                    audit(new CertStatusChangeRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditSerialNumber,
+                                 auditRequestType,
+                                 auditReasonNum,
+-                                auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString());
+-
+-                    audit(auditMessage);
++                                auditApprovalStatus));
+                 }
+             }
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java
+index 30bde76..36a6802 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java
+@@ -46,6 +46,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+@@ -461,17 +462,15 @@ public class DoUnrevokeTPS extends CMSServlet {
+             if (auditApprovalStatus == RequestStatus.COMPLETE ||
+                     auditApprovalStatus == RequestStatus.REJECTED ||
+                     auditApprovalStatus == RequestStatus.CANCELED) {
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++
++                audit(new CertStatusChangeRequestProcessedEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditRequesterID,
+                             auditSerialNumber,
+                             auditRequestType,
+                             auditReasonNum,
+-                            auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString());
+-
+-                audit(auditMessage);
++                            auditApprovalStatus));
+             }
+ 
+         } catch (EBaseException eAudit1) {
+@@ -495,17 +494,15 @@ public class DoUnrevokeTPS extends CMSServlet {
+                 if (auditApprovalStatus == RequestStatus.COMPLETE ||
+                         auditApprovalStatus == RequestStatus.REJECTED ||
+                         auditApprovalStatus == RequestStatus.CANCELED) {
+-                    auditMessage = CMS.getLogMessage(
+-                                AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++
++                    audit(new CertStatusChangeRequestProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+                                 auditRequesterID,
+                                 auditSerialNumber,
+                                 auditRequestType,
+                                 auditReasonNum,
+-                                auditApprovalStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : auditApprovalStatus.toString());
+-
+-                    audit(auditMessage);
++                                auditApprovalStatus));
+                 }
+             }
+         }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java
+index b90966e..570aea2 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java
+@@ -39,6 +39,7 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+@@ -505,17 +506,14 @@ public class RevocationProcessor extends CertProcessor {
+                 || requestStatus == RequestStatus.REJECTED
+                 || requestStatus == RequestStatus.CANCELED)) return;
+ 
+-        String auditMessage = CMS.getLogMessage(
+-                AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
++        auditor.log(new CertStatusChangeRequestProcessedEvent(
+                 auditor.getSubjectID(),
+                 status,
+                 requestID == null ? ILogger.UNIDENTIFIED : requestID.toString(),
+                 serialNumber == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : serialNumber.toHexString(),
+                 requestType,
+                 String.valueOf(revocationReason.toInt()),
+-                requestStatus == null ? ILogger.SIGNED_AUDIT_EMPTY_VALUE : requestStatus.toString());
+-
+-        auditor.log(auditMessage);
++                requestStatus));
+     }
+ 
+     public void log(int level, String message) {
+-- 
+1.8.3.1
+
+
+From 0b32d55d6c41dcdfbd63840a6681b12ad6675946 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 17 May 2017 22:06:38 +0200
+Subject: [PATCH 19/27] Refactored RevocationRequestListener.accept().
+
+The RevocationRequestListener.accept() has been refactored to
+reduce deeply nested if-statements with early return.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: I11dac11f05a4e3626043f4cfa56feacf01e6d5dd
+---
+ base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+index a593eb8..d105386 100644
+--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+@@ -3068,10 +3068,13 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+         public void accept(IRequest r) {
+             String requestType = r.getRequestType();
+ 
+-            if (requestType.equals(IRequest.REVOCATION_REQUEST) ||
++            if (!(requestType.equals(IRequest.REVOCATION_REQUEST) ||
+                     requestType.equals(IRequest.UNREVOCATION_REQUEST) ||
+                     requestType.equals(IRequest.CLA_CERT4CRL_REQUEST) ||
+-                    requestType.equals(IRequest.CLA_UNCERT4CRL_REQUEST)) {
++                    requestType.equals(IRequest.CLA_UNCERT4CRL_REQUEST))) {
++                return;
++            }
++
+                 CMS.debug("Revocation listener called.");
+                 // check if serial number is in begin/end range if set.
+                 if (mBeginSerial != null || mEndSerial != null) {
+@@ -3136,7 +3139,6 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+                                         CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())));
+                     }
+                 }
+-            }
+         }
+     }
+ }
+-- 
+1.8.3.1
+
+
+From 0af026413a65386a0e8c8aba81fe667412ef7f0d Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 17 May 2017 22:12:19 +0200
+Subject: [PATCH 20/27] Reformatted RevocationRequestListener.accept().
+
+The RevocationRequestListener.accept() has been reformatted to
+adjust the indentations after refactoring.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: Ia94667b88dd48e3e0cf28ee3dd7eb5a5b4dee4b3
+---
+ base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 142 +++++++++++------------
+ 1 file changed, 71 insertions(+), 71 deletions(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+index d105386..64101d7 100644
+--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+@@ -31,23 +31,6 @@ import java.util.StringTokenizer;
+ import java.util.TimeZone;
+ import java.util.Vector;
+ 
+-import netscape.security.util.BitArray;
+-import netscape.security.x509.AlgorithmId;
+-import netscape.security.x509.CRLExtensions;
+-import netscape.security.x509.CRLNumberExtension;
+-import netscape.security.x509.CRLReasonExtension;
+-import netscape.security.x509.DeltaCRLIndicatorExtension;
+-import netscape.security.x509.Extension;
+-import netscape.security.x509.FreshestCRLExtension;
+-import netscape.security.x509.IssuingDistributionPoint;
+-import netscape.security.x509.IssuingDistributionPointExtension;
+-import netscape.security.x509.RevocationReason;
+-import netscape.security.x509.RevokedCertImpl;
+-import netscape.security.x509.RevokedCertificate;
+-import netscape.security.x509.X509CRLImpl;
+-import netscape.security.x509.X509CertImpl;
+-import netscape.security.x509.X509ExtensionException;
+-
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+@@ -83,6 +66,23 @@ import com.netscape.cmscore.dbs.CertRecord;
+ import com.netscape.cmscore.dbs.CertificateRepository;
+ import com.netscape.cmscore.util.Debug;
+ 
++import netscape.security.util.BitArray;
++import netscape.security.x509.AlgorithmId;
++import netscape.security.x509.CRLExtensions;
++import netscape.security.x509.CRLNumberExtension;
++import netscape.security.x509.CRLReasonExtension;
++import netscape.security.x509.DeltaCRLIndicatorExtension;
++import netscape.security.x509.Extension;
++import netscape.security.x509.FreshestCRLExtension;
++import netscape.security.x509.IssuingDistributionPoint;
++import netscape.security.x509.IssuingDistributionPointExtension;
++import netscape.security.x509.RevocationReason;
++import netscape.security.x509.RevokedCertImpl;
++import netscape.security.x509.RevokedCertificate;
++import netscape.security.x509.X509CRLImpl;
++import netscape.security.x509.X509CertImpl;
++import netscape.security.x509.X509ExtensionException;
++
+ /**
+  * This class encapsulates CRL issuing mechanism. CertificateAuthority
+  * contains a map of CRLIssuingPoint indexed by string ids. Each issuing
+@@ -3075,70 +3075,70 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+                 return;
+             }
+ 
+-                CMS.debug("Revocation listener called.");
+-                // check if serial number is in begin/end range if set.
+-                if (mBeginSerial != null || mEndSerial != null) {
+-                    CMS.debug(
+-                            "Checking if serial number is between " +
+-                                    mBeginSerial + " and " + mEndSerial);
+-                    BigInteger[] serialNos =
+-                            r.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS);
++            CMS.debug("Revocation listener called.");
++            // check if serial number is in begin/end range if set.
++            if (mBeginSerial != null || mEndSerial != null) {
++                CMS.debug(
++                        "Checking if serial number is between " +
++                                mBeginSerial + " and " + mEndSerial);
++                BigInteger[] serialNos =
++                        r.getExtDataInBigIntegerArray(IRequest.OLD_SERIALS);
+ 
+-                    if (serialNos == null || serialNos.length == 0) {
+-                        X509CertImpl oldCerts[] =
+-                                r.getExtDataInCertArray(IRequest.OLD_CERTS);
++                if (serialNos == null || serialNos.length == 0) {
++                    X509CertImpl oldCerts[] =
++                            r.getExtDataInCertArray(IRequest.OLD_CERTS);
+ 
+-                        if (oldCerts == null || oldCerts.length == 0)
+-                            return;
+-                        serialNos = new BigInteger[oldCerts.length];
+-                        for (int i = 0; i < oldCerts.length; i++) {
+-                            serialNos[i] = oldCerts[i].getSerialNumber();
+-                        }
++                    if (oldCerts == null || oldCerts.length == 0)
++                        return;
++                    serialNos = new BigInteger[oldCerts.length];
++                    for (int i = 0; i < oldCerts.length; i++) {
++                        serialNos[i] = oldCerts[i].getSerialNumber();
+                     }
++                }
+ 
+-                    boolean inRange = false;
++                boolean inRange = false;
  
-         # store cert data and request in CS.cfg
-         subsystem.update_subsystem_cert(subsystem_cert)
+-                    for (int i = 0; i < serialNos.length; i++) {
+-                        if ((mBeginSerial == null ||
+-                                serialNos[i].compareTo(mBeginSerial) >= 0) &&
+-                                (mEndSerial == null ||
+-                                serialNos[i].compareTo(mEndSerial) <= 0)) {
+-                            inRange = true;
+-                        }
+-                    }
+-                    if (!inRange) {
+-                        return;
++                for (int i = 0; i < serialNos.length; i++) {
++                    if ((mBeginSerial == null ||
++                            serialNos[i].compareTo(mBeginSerial) >= 0) &&
++                            (mEndSerial == null ||
++                            serialNos[i].compareTo(mEndSerial) <= 0)) {
++                        inRange = true;
+                     }
+                 }
++                if (!inRange) {
++                    return;
++                }
++            }
+ 
+-                if (mAlwaysUpdate) {
+-                    try {
+-                        updateCRLNow();
+-                        r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS);
+-                        if (mPublisherProcessor != null) {
+-                            r.setExtData(mCrlPublishStatus, IRequest.RES_SUCCESS);
+-                        }
+-                    } catch (EErrorPublishCRL e) {
+-                        // error already logged in updateCRLNow();
+-                        r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS);
+-                        if (mPublisherProcessor != null) {
+-                            r.setExtData(mCrlPublishStatus, IRequest.RES_ERROR);
+-                            r.setExtData(mCrlPublishError, e);
+-                        }
+-                    } catch (EBaseException e) {
+-                        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString()));
+-                        r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR);
+-                        r.setExtData(mCrlUpdateError, e);
+-                    } catch (Exception e) {
+-                        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString()));
+-                        if (Debug.on())
+-                            Debug.printStackTrace(e);
+-                        r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR);
+-                        r.setExtData(mCrlUpdateError,
+-                                new EBaseException(
+-                                        CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())));
++            if (mAlwaysUpdate) {
++                try {
++                    updateCRLNow();
++                    r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS);
++                    if (mPublisherProcessor != null) {
++                        r.setExtData(mCrlPublishStatus, IRequest.RES_SUCCESS);
++                    }
++                } catch (EErrorPublishCRL e) {
++                    // error already logged in updateCRLNow();
++                    r.setExtData(mCrlUpdateStatus, IRequest.RES_SUCCESS);
++                    if (mPublisherProcessor != null) {
++                        r.setExtData(mCrlPublishStatus, IRequest.RES_ERROR);
++                        r.setExtData(mCrlPublishError, e);
+                     }
++                } catch (EBaseException e) {
++                    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString()));
++                    r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR);
++                    r.setExtData(mCrlUpdateError, e);
++                } catch (Exception e) {
++                    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_UPDATE_CRL", e.toString()));
++                    if (Debug.on())
++                        Debug.printStackTrace(e);
++                    r.setExtData(mCrlUpdateStatus, IRequest.RES_ERROR);
++                    r.setExtData(mCrlUpdateError,
++                            new EBaseException(
++                                    CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())));
+                 }
++            }
+         }
+     }
+ }
+-- 
+1.8.3.1
+
+
+From ea036b22d7d15cefb8f7a56e9c9781b545dec8ee Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen <mharmsen@redhat.com>
+Date: Wed, 17 May 2017 17:17:42 -0600
+Subject: [PATCH 21/27] Correct section headings in user deployment
+ configuration file
+
+Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation
+dogtagpki Pagure Issue #2674 - CA brought down during separate KRA instance
+                               creation
+---
+ base/server/sbin/pkispawn | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
+index 9394b8e..9e2ebc8 100755
+--- a/base/server/sbin/pkispawn
++++ b/base/server/sbin/pkispawn
+@@ -30,9 +30,12 @@ if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0:
+     print("Please upgrade to at least Python 2.7.0.")
+     sys.exit(1)
+ try:
++    import fileinput
+     import ldap
+     import os
+     import requests
++    import time
++    from time import strftime as date
+     import traceback
+     import pki
+     from pki.server.deployment import pkiconfig as config
+@@ -105,6 +108,8 @@ def main(argv):
+         interactive = True
+         parser.indent = 0
+         print(log.PKISPAWN_INTERACTIVE_INSTALLATION)
++    else:
++        sanitize_user_deployment_cfg(config.user_deployment_cfg)
+ 
+     # Only run this program as "root".
+     if not os.geteuid() == 0:
+@@ -574,6 +579,40 @@ def main(argv):
+         print_final_install_information(parser.mdict)
+ 
+ 
++def sanitize_user_deployment_cfg(cfg):
++    # Generate a timestamp
++    ticks = time.time()
++    timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks))
++
++    # Correct any section headings in the user's configuration file
++    for line in fileinput.FileInput(cfg, inplace=1, backup='.' + timestamp):
++        # Remove extraneous leading and trailing whitespace from all lines
++        line = line.strip()
++        # Normalize section headings to match '/etc/pki/default.cfg'
++        if line.startswith("["):
++            if line.upper().startswith("[DEFAULT"):
++                line = "[DEFAULT]"
++            elif line.upper().startswith("[TOMCAT"):
++                line = "[Tomcat]"
++            elif line.upper().startswith("[CA"):
++                line = "[CA]"
++            elif line.upper().startswith("[KRA"):
++                line = "[KRA]"
++            elif line.upper().startswith("[OCSP"):
++                line = "[OCSP]"
++            elif line.upper().startswith("[RA"):
++                line = "[RA]"
++            elif line.upper().startswith("[TKS"):
++                line = "[TKS]"
++            elif line.upper().startswith("[TPS"):
++                line = "[TPS]"
++            else:
++                # Notify user of the existence of an invalid section heading
++                sys.stderr.write("'%s' contains an invalid section "
++                                 "heading called '%s'!\n" % (cfg, line))
++        print(line)
++
++
+ def start_logging():
+     # Enable 'pkispawn' logging.
+     config.pki_log_dir = config.pki_root_prefix + \
+-- 
+1.8.3.1
+
+
+From 202c747564868432df93c6cf272fcd9d2979d8d8 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 19 May 2017 00:09:29 +0200
+Subject: [PATCH 22/27] Added debug logs for UpdateCRL servlet.
+
+Some debug logs have been added into UpdateCRL servlet to improve
+code clarity.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: I4dc92d574b8ce93f2964663d36ca28851e400839
+---
+ .../com/netscape/cms/servlet/cert/UpdateCRL.java   | 46 ++++++++++++++++++++--
+ 1 file changed, 43 insertions(+), 3 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+index 7faecf1..b4d9d29 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+@@ -294,6 +294,7 @@ public class UpdateCRL extends CMSServlet {
+             String signatureAlgorithm,
+             Locale locale)
+             throws EBaseException {
++
+         long startTime = CMS.getCurrentDate().getTime();
+         String waitForUpdate =
+                 req.getParameter("waitForUpdate");
+@@ -322,6 +323,7 @@ public class UpdateCRL extends CMSServlet {
+                     crlIssuingPointId = null;
+             }
+         }
++
+         if (crlIssuingPointId == null) {
+             crlIssuingPointId = ICertificateAuthority.PROP_MASTER_CRL;
+         }
+@@ -336,39 +338,61 @@ public class UpdateCRL extends CMSServlet {
+             return;
+         }
+ 
++        CMS.debug("UpdateCRL: CRL issuing point: " + crlIssuingPoint.getId());
++
+         if (clearCache != null && clearCache.equals("true") &&
+                 crlIssuingPoint.isCRLGenerationEnabled() &&
+                 crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE &&
+                 crlIssuingPoint.isCRLIssuingPointInitialized()
+                             == ICRLIssuingPoint.CRL_IP_INITIALIZED) {
++
++            CMS.debug("UpdateCRL: clearing CRL cache");
+             crlIssuingPoint.clearCRLCache();
+         }
++
+         if (!(waitForUpdate != null && waitForUpdate.equals("true") &&
+                 crlIssuingPoint.isCRLGenerationEnabled() &&
+                 crlIssuingPoint.isCRLUpdateInProgress() == ICRLIssuingPoint.CRL_UPDATE_DONE &&
+                 crlIssuingPoint.isCRLIssuingPointInitialized()
+                             == ICRLIssuingPoint.CRL_IP_INITIALIZED)) {
++
+             if (crlIssuingPoint.isCRLIssuingPointInitialized() != ICRLIssuingPoint.CRL_IP_INITIALIZED) {
++
++                CMS.debug("UpdateCRL: CRL issuing point not initialized");
+                 header.addStringValue("crlUpdate", "notInitialized");
++
+             } else if (crlIssuingPoint.isCRLUpdateInProgress()
+                        != ICRLIssuingPoint.CRL_UPDATE_DONE ||
+                        crlIssuingPoint.isManualUpdateSet()) {
++
++                CMS.debug("UpdateCRL: CRL update in progress");
+                 header.addStringValue("crlUpdate", "inProgress");
++
+             } else if (!crlIssuingPoint.isCRLGenerationEnabled()) {
++
++                CMS.debug("UpdateCRL: CRL update disabled");
+                 header.addStringValue("crlUpdate", "Disabled");
++
+             } else {
++
++                CMS.debug("UpdateCRL: scheduling CRL update");
+                 crlIssuingPoint.setManualUpdate(signatureAlgorithm);
+                 header.addStringValue("crlUpdate", "Scheduled");
+             }
++
+             return;
+         }
++
+         if (test != null && test.equals("true") &&
+                 crlIssuingPoint.isCRLCacheTestingEnabled() &&
+                 (!mTesting.contains(crlIssuingPointId))) {
+-            CMS.debug("CRL test started.");
++
++            CMS.debug("UpdateCRL: CRL test started");
++
+             mTesting.add(crlIssuingPointId);
+             BigInteger addLen = null;
+             BigInteger startFrom = null;
++
+             if (add != null && add.length() > 0 &&
+                     from != null && from.length() > 0) {
+                 try {
+@@ -377,6 +401,7 @@ public class UpdateCRL extends CMSServlet {
+                 } catch (Exception e) {
+                 }
+             }
++
+             if (addLen != null && startFrom != null) {
+                 Date revocationDate = CMS.getCurrentDate();
+                 String err = null;
+@@ -386,6 +411,7 @@ public class UpdateCRL extends CMSServlet {
+                 BigInteger serialNumber = startFrom;
+                 BigInteger counter = addLen;
+                 BigInteger stepBy = null;
++
+                 if (by != null && by.length() > 0) {
+                     try {
+                         stepBy = new BigInteger(by);
+@@ -397,6 +423,7 @@ public class UpdateCRL extends CMSServlet {
+                 long t2 = 0;
+ 
+                 while (counter.compareTo(BigInteger.ZERO) > 0) {
++
+                     RevokedCertImpl revokedCert =
+                             new RevokedCertImpl(serialNumber, revocationDate, entryExts);
+                     crlIssuingPoint.addRevokedCert(serialNumber, revokedCert);
+@@ -405,9 +432,11 @@ public class UpdateCRL extends CMSServlet {
+ 
+                     if ((counter.compareTo(BigInteger.ZERO) == 0) ||
+                             (stepBy != null && ((counter.mod(stepBy)).compareTo(BigInteger.ZERO) == 0))) {
++
+                         t2 = System.currentTimeMillis();
+                         long t0 = t2 - t1;
+                         t1 = t2;
++
+                         try {
+                             if (signatureAlgorithm != null) {
+                                 crlIssuingPoint.updateCRLNow(signatureAlgorithm);
+@@ -418,35 +447,43 @@ public class UpdateCRL extends CMSServlet {
+                             counter = BigInteger.ZERO;
+                             err = e.toString();
+                         }
++
+                         if (results != null && results.equals("1")) {
+                             addInfo(argSet, crlIssuingPoint, t0);
+                         }
+                     }
+                 }
++
+                 if (err != null) {
+                     header.addStringValue("crlUpdate", "Failure");
+                     header.addStringValue("error", err);
+                 } else {
+                     header.addStringValue("crlUpdate", "Success");
+                 }
++
+             } else {
+-                CMS.debug("CRL test error: missing parameters.");
++                CMS.debug("UpdateCRL: CRL test error: missing parameters");
+                 header.addStringValue("crlUpdate", "missingParameters");
+             }
+ 
+             mTesting.remove(crlIssuingPointId);
+-            CMS.debug("CRL test finished.");
++            CMS.debug("UpdateCRL: CRL test finished");
+             return;
++
+         } else if (test != null && test.equals("true") &&
+                    crlIssuingPoint.isCRLCacheTestingEnabled() &&
+                    mTesting.contains(crlIssuingPointId)) {
+             header.addStringValue("crlUpdate", "testingInProgress");
+             return;
++
+         } else if (test != null && test.equals("true") &&
+                    (!crlIssuingPoint.isCRLCacheTestingEnabled())) {
+             header.addStringValue("crlUpdate", "testingNotEnabled");
+             return;
+         }
++
++        CMS.debug("UpdateCRL: updating CRL");
++
+         try {
+             EBaseException publishError = null;
+ 
+@@ -462,6 +499,7 @@ public class UpdateCRL extends CMSServlet {
+                 long now2 = System.currentTimeMillis();
+ 
+                 header.addStringValue("time", "" + (now2 - now1));
++
+             } catch (EErrorPublishCRL e) {
+                 publishError = e;
+             }
+@@ -487,6 +525,7 @@ public class UpdateCRL extends CMSServlet {
+             if (authToken != null) {
+                 authMgr = authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+             }
++
+             long endTime = CMS.getCurrentDate().getTime();
+ 
+             if (crlIssuingPoint.getNextUpdate() != null) {
+@@ -520,6 +559,7 @@ public class UpdateCRL extends CMSServlet {
+                                         + " time: " + (endTime - startTime) }
+                         );
+             }
++
+         } catch (EBaseException e) {
+             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSGW_ERR_UPDATE_CRL", e.toString()));
+             if ((lpm != null) && lpm.isCRLPublishingEnabled() && (e instanceof ELdapException)) {
+-- 
+1.8.3.1
+
+
+From e1fd9685e5442e5e2efa9a26e07bf45274b6fb93 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen <mharmsen@redhat.com>
+Date: Fri, 19 May 2017 09:47:47 -0600
+Subject: [PATCH 23/27] Fixed hardcoded values in ca CS.cfg
+
+- Bugzilla Bug #1452123 -  CA CS.cfg shows default port
+- dogtagpki Pagure Issue #2696 - CA CS.cfg shows default port
+---
+ base/ca/shared/conf/CS.cfg | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index f6297a3..8f9af5c 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -290,7 +290,7 @@ ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.cms.policy.exten
+ ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.cms.policy.extensions.SubjectKeyIdentifierExt
+ ca.Policy.impl.UniqueSubjectNameConstraints.class=com.netscape.cms.policy.constraints.UniqueSubjectNameConstraints
+ ca.Policy.impl.ValidityConstraints.class=com.netscape.cms.policy.constraints.ValidityConstraints
+-ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://[PKI_HOSTNAME]:8080/ocsp
++ca.Policy.rule.AuthInfoAccessExt.ad0_location=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/ocsp
+ ca.Policy.rule.AuthInfoAccessExt.ad0_location_type=URL
+ ca.Policy.rule.AuthInfoAccessExt.ad0_method=ocsp
+ ca.Policy.rule.AuthInfoAccessExt.enable=false
+@@ -773,8 +773,8 @@ cmsgateway._027=##       'cmsgateway.enableAdminEnroll=false' should have
+ cmsgateway._028=##       already been reset.
+ cmsgateway._029=##
+ cmsgateway.enableAdminEnroll=false
+-https.port=8443
+-http.port=8080
++https.port=[PKI_SECURE_PORT]
++http.port=[PKI_UNSECURE_PORT]
+ dbs.enableSerialManagement=[PKI_ENABLE_RANDOM_SERIAL_NUMBERS]
+ dbs.enableRandomSerialNumbers=[PKI_ENABLE_RANDOM_SERIAL_NUMBERS]
+ dbs.randomSerialNumberCounter=0
+-- 
+1.8.3.1
+
+
+From f30be692453ccb323f874e5a751e2381cbb4ebb0 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 19 May 2017 21:35:00 +0200
+Subject: [PATCH 24/27] Added debug logs for JssSubsystem.
+
+Some debug logs have been added into JssSubsystem to improve code
+clarity.
+
+https://pagure.io/dogtagpki/issue/2695
+
+Change-Id: Ice54cf5cfe1eb4984509b83a1098cd69819e37bc
+---
+ .../netscape/cmscore/security/JssSubsystem.java    | 31 ++++++++++++++--------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
+index dab9ac9..9031a92 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
+@@ -264,12 +264,15 @@ public final class JssSubsystem implements ICryptoSubsystem {
+      */
+     public void init(ISubsystem owner, IConfigStore config)
+             throws EBaseException {
++
++        CMS.debug("JssSubsystem: initializing JSS subsystem");
++
+         mLogger = CMS.getLogger();
+ 
+         if (mInited) {
+             // This used to throw an exeception (e.g. - on Solaris).
+             // If JSS is already initialized simply return.
+-            CMS.debug("JssSubsystem already inited.. returning.");
++            CMS.debug("JssSubsystem: already initialized");
+             return;
+         }
+ 
+@@ -277,9 +280,11 @@ public final class JssSubsystem implements ICryptoSubsystem {
+ 
+         // If disabled, just return
+         boolean enabled = config.getBoolean(PROP_ENABLE, true);
++        CMS.debug("JssSubsystem: enabled: " + enabled);
+ 
+-        if (!enabled)
++        if (!enabled) {
+             return;
++        }
+ 
+         try {
+             devRandomInputStream = new FileInputStream("/dev/urandom");
+@@ -287,28 +292,28 @@ public final class JssSubsystem implements ICryptoSubsystem {
+             // XXX - add new exception
+         }
+ 
+-        // get hardcoded password (for debugging.
+-        String pw;
++        // get debugging password from config file
++        String pw = config.getString(PASSWORD_ALIAS, null);
+ 
+-        if ((pw = config.getString(PASSWORD_ALIAS, null)) != null) {
+-            // hardcoded password in config file
++        if (pw != null) {
++            CMS.debug("JssSubsystem: use debug password");
+             mPWCB = new Password(pw.toCharArray());
+-            CMS.debug("JssSubsystem init() got password from hardcoded in config");
+         }
+ 
+-        String certDir;
+-
+-        certDir = config.getString(CONFIG_DIR, null);
++        String certDir = config.getString(CONFIG_DIR, null);
++        CMS.debug("JssSubsystem: NSS database: " + certDir);
+ 
+         CryptoManager.InitializationValues vals = new CryptoManager.InitializationValues(certDir, "", "", "secmod.db");
+-
+         vals.removeSunProvider = false;
+         vals.installJSSProvider = true;
++
+         try {
++            CMS.debug("JssSubsystem: initializing CryptoManager");
+             CryptoManager.initialize(vals);
+         } catch (AlreadyInitializedException e) {
+             // do nothing
+         } catch (Exception e) {
++            CMS.debug(e);
+             String[] params = { mId, e.toString() };
+             EBaseException ex = new EBaseException(CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params));
+ 
+@@ -317,9 +322,11 @@ public final class JssSubsystem implements ICryptoSubsystem {
+         }
+ 
+         try {
++            CMS.debug("JssSubsystem: initializing SSL");
+             mCryptoManager = CryptoManager.getInstance();
+             initSSL();
+         } catch (CryptoManager.NotInitializedException e) {
++            CMS.debug(e);
+             String[] params = { mId, e.toString() };
+             EBaseException ex = new EBaseException(CMS.getUserMessage("CMS_BASE_CREATE_SERVICE_FAILED", params));
+ 
+@@ -328,6 +335,8 @@ public final class JssSubsystem implements ICryptoSubsystem {
+         }
+ 
+         mInited = true;
++
++        CMS.debug("JssSubsystem: initialization complete");
+     }
+ 
+     public String getCipherVersion() throws EBaseException {
+-- 
+1.8.3.1
+
+
+From 62841380c6400023cf973e273ab974352885fabd Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 20 May 2017 04:06:17 +0200
+Subject: [PATCH 25/27] Fixed problem with --ignore-banner option.
+
+The pki CLI has been modified to parse the --ignore-banner option
+properly and pass it only to Java-based CLI commands.
+
+https://pagure.io/dogtagpki/issue/2683
+
+Change-Id: Ifc3e98f74682a2fb4daeea16e86f495515a2d1f5
+---
+ base/common/python/pki/cli/main.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py
+index 268547b..f201c1d 100644
+--- a/base/common/python/pki/cli/main.py
++++ b/base/common/python/pki/cli/main.py
+@@ -44,6 +44,7 @@ class PKICLI(pki.cli.CLI):
+         self.password = None
+         self.password_file = None
+         self.token = None
++        self.ignore_banner = False
+ 
+         self.add_module(pki.cli.pkcs12.PKCS12CLI())
+ 
+@@ -96,6 +97,9 @@ class PKICLI(pki.cli.CLI):
+         if self.token and self.token != 'internal':
+             cmd.extend(['--token', self.token])
+ 
++        if self.ignore_banner:
++            cmd.extend(['--ignore-banner'])
++
+         if self.verbose:
+             cmd.extend(['--verbose'])
+ 
+@@ -157,6 +161,12 @@ class PKICLI(pki.cli.CLI):
+                 pki_options.append(args[i + 1])
+                 i = i + 2
+ 
++            # check ignore banner option
++            elif args[i] == '--ignore-banner':
++                self.ignore_banner = True
++                pki_options.append(args[i])
++                i = i + 1
++
+             # check verbose option
+             elif args[i] == '-v' or args[i] == '--verbose':
+                 self.set_verbose(True)
+-- 
+1.8.3.1
+
+
+From 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Fri, 19 May 2017 11:55:14 -0700
+Subject: [PATCH 26/27] Ticket#2618 feature: pre-signed CMC renewal request
+
+This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal request are full CMC requests that are signed by previously issued signing certificate.
+The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint.
+UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate.  It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten.
+The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint.  They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
+---
+ .../shared/profiles/ca/caFullCMCUserSignedCert.cfg |  13 ++-
+ .../src/com/netscape/cmstools/CMCRequest.java      |  14 ++-
+ .../constraint/RenewGracePeriodConstraint.java     |  26 +++--
+ .../profile/constraint/UniqueKeyConstraint.java    | 123 ++++++++++++++++-----
+ 4 files changed, 132 insertions(+), 44 deletions(-)
+
+diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+index 229a3cd..63a4bca 100644
+--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+@@ -10,12 +10,23 @@ input.i2.class_id=submitterInfoInputImpl
+ output.list=o1
+ output.o1.class_id=certOutputImpl
+ policyset.list=cmcUserCertSet
+-policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
++policyset.cmcUserCertSet.list=1,9,10,2,3,4,5,6,7,8
+ policyset.cmcUserCertSet.1.constraint.class_id=cmcUserSignedSubjectNameConstraintImpl
+ policyset.cmcUserCertSet.1.constraint.name=CMC User Signed Subject Name Constraint
+ policyset.cmcUserCertSet.1.default.class_id=cmcUserSignedSubjectNameDefaultImpl
+ policyset.cmcUserCertSet.1.default.name=User Signed Subject Name Default
+ policyset.cmcUserCertSet.1.default.params.name=
++policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl
++policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint
++policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true
++policyset.cmcUserCertSet.9.default.class_id=noDefaultImpl
++policyset.cmcUserCertSet.9.default.name=No Default
++policyset.cmcUserCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
++policyset.cmcUserCertSet.10.constraint.name=Renewal Grace Period Constraint
++policyset.cmcUserCertSet.10.constraint.params.renewal.graceBefore=30
++policyset.cmcUserCertSet.10.constraint.params.renewal.graceAfter=30
++policyset.cmcUserCertSet.10.default.class_id=noDefaultImpl
++policyset.cmcUserCertSet.10.default.name=No Default
+ policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+ policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+ policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+index 6e27cb1..9c41403 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+@@ -2014,10 +2014,12 @@ public class CMCRequest {
+                 certname.append(tokenName);
+                 certname.append(":");
+             }
+-            certname.append(nickname);
+-            signerCert = cm.findCertByNickname(certname.toString());
+-            if (signerCert != null) {
+-                System.out.println("got signerCert: "+ certname.toString());
++            if (!selfSign.equals("true") && nickname != null) {
++                certname.append(nickname);
++                signerCert = cm.findCertByNickname(certname.toString());
++                if (signerCert != null) {
++                    System.out.println("got signerCert: "+ certname.toString());
++                }
+             }
+ 
+             ContentInfo cmcblob = null;
+@@ -2239,11 +2241,11 @@ public class CMCRequest {
+             // sign the request
+             SignedData signedData = null;
+             if (selfSign.equalsIgnoreCase("true")) {
+-                // selfSign signes with private key
++                // selfSign signs with private key
+                 System.out.println("selfSign is true...");
+                 signedData = signData(privk, pkidata);
+             } else {
+-                // none selfSign signes with  existing cert
++                // none selfSign signs with  existing cert
+                 System.out.println("selfSign is false...");
+                 signedData = signData(signerCert, tokenName, nickname, cm, pkidata);
+             }
+diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
+index d140396..a5f7994 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
+@@ -87,14 +87,16 @@ public class RenewGracePeriodConstraint extends EnrollConstraint {
+ 
+     public void validate(IRequest req, X509CertInfo info)
+             throws ERejectException {
++        String method = "RenewGracePeriodConstraint: validate: ";
++        String msg = "";
++
+         String origExpDate_s = req.getExtDataInString("origNotAfter");
+-        // probably not for renewal
+-        if (origExpDate_s == null) {
++        if (origExpDate_s == null) { // probably not for renewal
++            CMS.debug(method + " original cert expiration date not found...return without validation");
+             return;
+-        } else {
+-            CMS.debug("validate RenewGracePeriod: original cert expiration date found... renewing");
++        } else { //should occur when it's renewal
++            CMS.debug(method + " original cert expiration date found... validating");
+         }
+-        CMS.debug("ValidilityConstraint: validateRenewGraceperiod begins");
+         BigInteger origExpDate_BI = new BigInteger(origExpDate_s);
+         Date origExpDate = new Date(origExpDate_BI.longValue());
+         String renew_grace_before_s = getConfig(CONFIG_RENEW_GRACE_BEFORE);
+@@ -122,7 +124,7 @@ public class RenewGracePeriodConstraint extends EnrollConstraint {
+ 
+         Date current = CMS.getCurrentDate();
+         long millisDiff = origExpDate.getTime() - current.getTime();
+-        CMS.debug("validateRenewGracePeriod: millisDiff="
++        CMS.debug(method + " millisDiff="
+                 + millisDiff + " origExpDate=" + origExpDate.getTime() + " current=" + current.getTime());
+ 
+         /*
+@@ -134,17 +136,17 @@ public class RenewGracePeriodConstraint extends EnrollConstraint {
+          */
+         if (millisDiff >= 0) {
+             if ((renew_grace_before > 0) && (millisDiff > renew_grace_before_BI.longValue())) {
++                msg = renew_grace_before + " days before and " +
++                        renew_grace_after + " days after original cert expiration date";
+                 throw new ERejectException(CMS.getUserMessage(getLocale(req),
+-                        "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD",
+-                        renew_grace_before + " days before and " +
+-                                renew_grace_after + " days after original cert expiration date"));
++                        "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", msg));
+             }
+         } else {
+             if ((renew_grace_after > 0) && ((0 - millisDiff) > renew_grace_after_BI.longValue())) {
++                msg = renew_grace_before + " days before and " +
++                        renew_grace_after + " days after original cert expiration date";
+                 throw new ERejectException(CMS.getUserMessage(getLocale(req),
+-                        "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD",
+-                        renew_grace_before + " days before and " +
+-                                renew_grace_after + " days after original cert expiration date"));
++                        "CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD", msg));
+             }
+         }
+     }
+diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
+index 869f0e2..33cc7a9 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/UniqueKeyConstraint.java
+@@ -17,16 +17,11 @@
+ // --- END COPYRIGHT BLOCK ---
+ package com.netscape.cms.profile.constraint;
+ 
++import java.math.BigInteger;
++import java.util.Date;
+ import java.util.Enumeration;
+ import java.util.Locale;
+ 
+-import netscape.security.x509.CertificateSubjectName;
+-import netscape.security.x509.CertificateX509Key;
+-import netscape.security.x509.X500Name;
+-import netscape.security.x509.X509CertImpl;
+-import netscape.security.x509.X509CertInfo;
+-import netscape.security.x509.X509Key;
+-
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+@@ -41,6 +36,13 @@ import com.netscape.certsrv.property.IDescriptor;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.cms.profile.def.NoDefault;
+ 
++import netscape.security.x509.CertificateSubjectName;
++import netscape.security.x509.CertificateX509Key;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertImpl;
++import netscape.security.x509.X509CertInfo;
++import netscape.security.x509.X509Key;
++
+ /**
+  * This constraint is to check for publickey uniqueness.
+  * The config param "allowSameKeyRenewal" enables the
+@@ -102,9 +104,29 @@ public class UniqueKeyConstraint extends EnrollConstraint {
+     /**
+      * Validates the request. The request is not modified
+      * during the validation.
++     *
++     * It will try to capture orig cert expiration info for renewal later.
++     * Renewal can be either renewal with same key or new key.
++     *
++     * In case of renewing with same key, the old cert record
++     * can be retrieved and used to fill original info such as
++     * original expiration date for use with RenewGracePeriodConstraint.
++     *
++     * In case of renewing with new key, it would be no different from
++     * regular enrollment
++     *
++     * Search by ICertRecord.ATTR_X509CERT_PUBLIC_KEY_DATA
++     * would tell us if its reusing the same key or not.
++     * If any cert with the same key in the repository is found
++     * to be revoked, then the request is rejected
++     *
++     * This contraint has to go before the RenewGracePeriodConstraint,
++     * but after any of the SubjectName Default and Constraint
+      */
+     public void validate(IRequest request, X509CertInfo info)
+             throws ERejectException {
++        String method = "UniqueKeyConstraint: validate: ";
++        String msg = "";
+         boolean rejected = false;
+         int size = 0;
+         ICertRecordList list;
+@@ -114,6 +136,8 @@ public class UniqueKeyConstraint extends EnrollConstraint {
+         getConfigBoolean(CONFIG_REVOKE_DUPKEY_CERT);
+         */
+         mAllowSameKeyRenewal = getConfigBoolean(CONFIG_ALLOW_SAME_KEY_RENEWAL);
++        msg = msg + ": allowSameKeyRenewal=" + mAllowSameKeyRenewal + ";";
++        CMS.debug(method + msg);
+ 
+         try {
+             CertificateX509Key infokey = (CertificateX509Key)
+@@ -131,18 +155,18 @@ public class UniqueKeyConstraint extends EnrollConstraint {
+ 
+         } catch (Exception e) {
+             throw new ERejectException(
+-                        CMS.getUserMessage(
+-                                getLocale(request),
+-                                "CMS_PROFILE_INTERNAL_ERROR", e.toString()));
++                    CMS.getUserMessage(
++                            getLocale(request),
++                            "CMS_PROFILE_INTERNAL_ERROR", method + e.toString()));
+         }
+ 
+         /*
+          * It does not matter if the corresponding cert's status
+-         * is valid or not, we don't want a key that was once
+-         * generated before
++         * is valid or not, if mAllowSameKeyRenewal is false,
++         * we don't want a key that was once generated before
+          */
+         if (size > 0) {
+-            CMS.debug("UniqueKeyConstraint: found existing cert with duplicate key.");
++            CMS.debug(method + "found existing cert with same key");
+ 
+             /*
+                 The following code revokes the existing certs that have
+@@ -189,45 +213,94 @@ public class UniqueKeyConstraint extends EnrollConstraint {
+ 
+                         sjname_in_req =
+                                 (X500Name) subName.get(CertificateSubjectName.DN_NAME);
+-                        CMS.debug("UniqueKeyConstraint: cert request subject DN =" + sjname_in_req.toString());
++                        CMS.debug(method +" cert request subject DN =" + sjname_in_req.toString());
+                         Enumeration<ICertRecord> e = list.getCertRecords(0, size - 1);
++                        Date latestOrigNotAfter = null;
++                        Date origNotAfter = null;
++                        boolean first = true;
+                         while (e != null && e.hasMoreElements()) {
+                             ICertRecord rec = e.nextElement();
+-                            X509CertImpl cert = rec.getCertificate();
++                            BigInteger serial = rec.getSerialNumber();
++
++                            if (rec.getStatus().equals(ICertRecord.STATUS_REVOKED)
++                                    || rec.getStatus().equals(ICertRecord.STATUS_REVOKED_EXPIRED)) {
++                                msg = msg + "revoked cert cannot be renewed: serial=" + serial.toString() + ";";
++                                CMS.debug(method + msg);
++                                rejected = true;
++                                // this has to break
++                                break;
++                            }
++                            if (!rec.getStatus().equals(ICertRecord.STATUS_VALID)
++                                    && !rec.getStatus().equals(ICertRecord.STATUS_EXPIRED)) {
++                                CMS.debug(method + "invalid cert cannot be renewed; continue:" + serial.toString());
++                                // can still find another one to renew
++                                continue;
++                            }
++                            // only VALID or EXPIRED certs could have reached here
++                            X509CertImpl origCert = rec.getCertificate();
+                             String certDN =
+-                                    cert.getSubjectDN().toString();
+-                            CMS.debug("UniqueKeyConstraint: cert retrieved from ldap has subject DN =" + certDN);
++                                    origCert.getSubjectDN().toString();
++                            CMS.debug(method + " cert retrieved from ldap has subject DN =" + certDN);
+ 
+                             sjname_in_db = new X500Name(certDN);
+ 
+                             if (sjname_in_db.equals(sjname_in_req) == false) {
++                                msg = msg + "subject name not match in same key renewal;";
+                                 rejected = true;
+                                 break;
+                             } else {
+-                                rejected = false;
++                                CMS.debug("subject name match in same key renewal");
+                             }
++
++                            // find the latest expiration date to keep for
++                            // Renewal Grace Period Constraint later
++                            origNotAfter = origCert.getNotAfter();
++                            CMS.debug(method + "origNotAfter =" + origNotAfter.toString());
++                            if (first) {
++                                latestOrigNotAfter = origNotAfter;
++                                first = false;
++                            } else if (latestOrigNotAfter.before(origNotAfter)) {
++                                CMS.debug(method + "newer cert found");
++                                latestOrigNotAfter = origNotAfter;
++                            }
++
++                            // yes, this could be overwritten by later
++                            // found cert(s) that has violations
++                            rejected = false;
+                         } // while
++
++                        if (latestOrigNotAfter != null) {
++                            String existingOrigExpDate_s = request.getExtDataInString("origNotAfter");
++                            if (existingOrigExpDate_s != null) {
++                                // make sure not to interfere with renewal by serial
++                                CMS.debug(method +
++                                        " original cert expiration date already exists. Not overriding.");
++                            } else {
++                                // set origNotAfter for RenewGracePeriodConstraint
++                                CMS.debug(method + "setting latest original cert expiration in request");
++                                request.setExtData("origNotAfter", BigInteger.valueOf(latestOrigNotAfter.getTime()));
++                            }
++                        }
+                     } else { //subName is null
++                        msg =  msg +"subject name not found in cert request info;";
+                         rejected = true;
+                     }
+                 } catch (Exception ex1) {
+-                    CMS.debug("UniqueKeyConstraint: error in allowSameKeyRenewal: " + ex1.toString());
++                    CMS.debug(method +  msg + ex1.toString());
+                     rejected = true;
+                 } // try
+ 
+             } else {
++                msg = msg + "found existing cert with same key;";
+                 rejected = true;
+             }// allowSameKeyRenewal
+         } // (size > 0)
+ 
+         if (rejected == true) {
+-            CMS.debug("UniqueKeyConstraint: rejected");
+-            throw new ERejectException(
+-                           CMS.getUserMessage(
+-                                   getLocale(request),
+-                                   "CMS_PROFILE_DUPLICATE_KEY"));
++            CMS.debug(method + " rejected");
++            throw new ERejectException(msg);
+         } else {
+-            CMS.debug("UniqueKeyConstraint: approved");
++            CMS.debug(method + " approved");
+         }
+     }
+ 
+-- 
+1.8.3.1
+
+
+From b66409ba4a9ffa8cb58f643e891a4a50a67fb29a Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 20 May 2017 00:06:41 +0200
+Subject: [PATCH 27/27] Added configurable random number generator in
+ JssSubsystem.
+
+The JssSubsystem has been modified to provide a configurable
+random number generator which uses PK11SecureRandom from JSS by
+default.
+
+The CertificateRepository has been modified to use the new random
+number generator to generate random serial number.
+
+https://pagure.io/dogtagpki/issue/2695
+
+Change-Id: I3289adbd0543000e64404fe23d00c44f32795f75
+---
+ .../cmscore/dbs/CertificateRepository.java         | 32 +++++++++++-----------
+ .../netscape/cmscore/security/JssSubsystem.java    | 27 ++++++++++++++++++
+ 2 files changed, 43 insertions(+), 16 deletions(-)
+
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
+index 8406f36..9a333fe 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
+@@ -19,27 +19,18 @@ package com.netscape.cmscore.dbs;
+ 
+ import java.io.Serializable;
+ import java.math.BigInteger;
++import java.security.SecureRandom;
+ import java.security.cert.Certificate;
+ import java.util.Arrays;
+ import java.util.Date;
+ import java.util.Enumeration;
+ import java.util.Hashtable;
+-import java.util.Random;
+ import java.util.Vector;
+ import java.util.concurrent.Executors;
+ import java.util.concurrent.ScheduledExecutorService;
+ import java.util.concurrent.ThreadFactory;
+ import java.util.concurrent.TimeUnit;
+ 
+-import netscape.ldap.LDAPAttributeSet;
+-import netscape.ldap.LDAPEntry;
+-import netscape.ldap.LDAPSearchResults;
+-import netscape.security.x509.CertificateValidity;
+-import netscape.security.x509.RevokedCertImpl;
+-import netscape.security.x509.X500Name;
+-import netscape.security.x509.X509CertImpl;
+-import netscape.security.x509.X509CertInfo;
+-
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+@@ -62,6 +53,16 @@ import com.netscape.certsrv.dbs.certdb.RenewableCertificateCollection;
+ import com.netscape.certsrv.dbs.repository.IRepository;
+ import com.netscape.certsrv.dbs.repository.IRepositoryRecord;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.cmscore.security.JssSubsystem;
++
++import netscape.ldap.LDAPAttributeSet;
++import netscape.ldap.LDAPEntry;
++import netscape.ldap.LDAPSearchResults;
++import netscape.security.x509.CertificateValidity;
++import netscape.security.x509.RevokedCertImpl;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertImpl;
++import netscape.security.x509.X509CertInfo;
+ 
+ /**
+  * A class represents a certificate repository. It
+@@ -99,7 +100,6 @@ public class CertificateRepository extends Repository
+     private int mTransitMaxRecords = 1000000;
+     private int mTransitRecordPageSize = 200;
+ 
+-    private Random mRandom = null;
+     private int mBitLength = 0;
+     private BigInteger mRangeSize = null;
+     private int mMinRandomBitLength = 4;
+@@ -169,11 +169,7 @@ public class CertificateRepository extends Repository
+     }
+ 
+     private BigInteger getRandomNumber() throws EBaseException {
+-        BigInteger randomNumber = null;
+ 
+-        if (mRandom == null) {
+-            mRandom = new Random();
+-        }
+         super.initCacheIfNeeded();
+ 
+         if (mRangeSize == null) {
+@@ -189,7 +185,11 @@ public class CertificateRepository extends Repository
+             CMS.debug("CertificateRepository: getRandomNumber:  Range size is too small to support random certificate serial numbers.");
+             throw new EBaseException ("Range size is too small to support random certificate serial numbers.");
+         }
+-        randomNumber = new BigInteger((mBitLength), mRandom);
++
++        JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
++        SecureRandom random = jssSubsystem.getRandomNumberGenerator();
++
++        BigInteger randomNumber = new BigInteger(mBitLength, random);
+         randomNumber = (randomNumber.multiply(mRangeSize)).shiftRight(mBitLength);
+         CMS.debug("CertificateRepository: getRandomNumber  randomNumber="+randomNumber);
+ 
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
+index 9031a92..d346a12 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
+@@ -32,6 +32,7 @@ import java.security.NoSuchAlgorithmException;
+ import java.security.NoSuchProviderException;
+ import java.security.Principal;
+ import java.security.PublicKey;
++import java.security.SecureRandom;
+ import java.security.SignatureException;
+ import java.security.cert.CertificateEncodingException;
+ import java.security.cert.CertificateException;
+@@ -116,6 +117,7 @@ public final class JssSubsystem implements ICryptoSubsystem {
+     private boolean mInited = false;
+     private ILogger mLogger = null;
+     private CryptoManager mCryptoManager = null;
++    private SecureRandom random;
+ 
+     protected PasswordCallback mPWCB = null;
+ 
+@@ -334,11 +336,36 @@ public final class JssSubsystem implements ICryptoSubsystem {
+             throw ex;
+         }
+ 
++        // read jss.random.* properties
++        // by default use PK11SecureRandom from JSS
++        // see http://pki.fedoraproject.org/wiki/Random_Number_Generator
++
++        IConfigStore randomConfig = config.getSubStore("random");
++        CMS.debug("JssSubsystem: random:");
++
++        String algorithm = randomConfig.getString("algorithm", "pkcs11prng");
++        CMS.debug("JssSubsystem: - algorithm: " + algorithm);
++
++        String provider = randomConfig.getString("provider", "Mozilla-JSS");
++        CMS.debug("JssSubsystem: - provider: " + provider);
++
++        try {
++            random = SecureRandom.getInstance(algorithm, provider);
++
++        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
++            CMS.debug(e);
++            throw new EBaseException(e);
++        }
++
+         mInited = true;
+ 
+         CMS.debug("JssSubsystem: initialization complete");
+     }
+ 
++    public SecureRandom getRandomNumberGenerator() {
++        return random;
++    }
++
+     public String getCipherVersion() throws EBaseException {
+         return "cipherdomestic";
+     }
 -- 
 1.8.3.1
 
diff --git a/SOURCES/pki-core-snapshot-2.patch b/SOURCES/pki-core-snapshot-2.patch
index 421bf6e..54a39b3 100644
--- a/SOURCES/pki-core-snapshot-2.patch
+++ b/SOURCES/pki-core-snapshot-2.patch
@@ -1,563 +1,15017 @@
-From 5ffd30ff1c15ccedaf9f0a794d75a5e7476d192b Mon Sep 17 00:00:00 2001
+From 1c8c61ef235bb57e744e9a8cfa5e1ff0cebb06a2 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Tue, 16 May 2017 17:29:45 -0400
+Subject: [PATCH 01/38] Encapsulate the archival audit log
+
+This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and
+PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events.
+
+The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the
+SECURITY_DATA ones to simplify the whole structure.  They
+used to provide an archivalID parameter which was pretty much
+meaningless as it was at best just the same as the request id
+which is alreadty logged.  So this is now dropped.
+
+Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
+---
+ base/ca/src/com/netscape/ca/CAService.java         | 45 +++--------
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  4 -
+ .../logging/event/SecurityDataArchivalEvent.java   | 59 ++++++++++++++
+ base/kra/shared/conf/CS.cfg                        |  4 +-
+ .../src/com/netscape/kra/EnrollmentService.java    | 92 ++++++----------------
+ .../src/com/netscape/kra/KeyRecoveryAuthority.java | 27 ++-----
+ .../src/com/netscape/kra/NetkeyKeygenService.java  | 15 +---
+ .../server/kra/rest/KeyRequestService.java         |  9 +--
+ .../cms/profile/common/CAEnrollProfile.java        | 40 +++-------
+ .../cms/servlet/base/SubsystemService.java         | 10 +++
+ base/server/cmsbundle/src/LogMessages.properties   | 14 +---
+ 11 files changed, 132 insertions(+), 187 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java
+
+diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
+index 2ad1967..45fae66 100644
+--- a/base/ca/src/com/netscape/ca/CAService.java
++++ b/base/ca/src/com/netscape/ca/CAService.java
+@@ -52,6 +52,7 @@ import com.netscape.certsrv.dbs.certdb.ICertRecordList;
+ import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.IProfile;
+ import com.netscape.certsrv.profile.IProfileSubsystem;
+@@ -368,10 +369,8 @@ public class CAService implements ICAService, IService {
+      * @return true or false
+      */
+     public boolean serviceRequest(IRequest request) {
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID();
+-        String auditArchiveID = ILogger.SIGNED_AUDIT_NON_APPLICABLE;
+ 
+         boolean completed = false;
+ 
+@@ -392,7 +391,7 @@ public class CAService implements ICAService, IService {
+                 request.setExtData(IRequest.RESULT, IRequest.RES_ERROR);
+                 request.setExtData(IRequest.ERROR, e.toString());
+ 
+-                audit(auditMessage);
++                // TODO(alee) New audit message needed here
+ 
+                 return false;
+             }
+@@ -420,14 +419,10 @@ public class CAService implements ICAService, IService {
+                 CMS.debug("CAService: Sending enrollment request to KRA");
+ 
+                 // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditRequesterID,
+-                        auditArchiveID);
+-
+-                audit(auditMessage);
++                        auditRequesterID));
+ 
+                 boolean sendStatus = mKRAConnector.send(request);
+ 
+@@ -439,14 +434,10 @@ public class CAService implements ICAService, IService {
+                                 new ECAException(CMS.getUserMessage("CMS_CA_SEND_KRA_REQUEST")));
+ 
+                         // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                        audit(new SecurityDataArchivalEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditRequesterID,
+-                                auditArchiveID);
+-
+-                        audit(auditMessage);
++                                auditRequesterID));
+ 
+                         return true;
+                     } else {
+@@ -457,14 +448,10 @@ public class CAService implements ICAService, IService {
+                     }
+                     if (request.getExtDataInString(IRequest.ERROR) != null) {
+                         // store a message in the signed audit log file
+-                        auditMessage = CMS.getLogMessage(
+-                                AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                        audit(new SecurityDataArchivalEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditRequesterID,
+-                                auditArchiveID);
+-
+-                        audit(auditMessage);
++                                auditRequesterID));
+ 
+                         return true;
+                     }
+@@ -484,14 +471,10 @@ public class CAService implements ICAService, IService {
+             // store a message in the signed audit log file
+             if (!(type.equals(IRequest.REVOCATION_REQUEST) ||
+                     type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) {
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID,
+-                        auditArchiveID);
+-
+-                audit(auditMessage);
++                        auditRequesterID));
+             }
+ 
+             return true;
+@@ -504,14 +487,10 @@ public class CAService implements ICAService, IService {
+         if (!(type.equals(IRequest.REVOCATION_REQUEST) ||
+                 type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) {
+             // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++            audit(new SecurityDataArchivalEvent(
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+-                    auditRequesterID,
+-                    auditArchiveID);
+-
+-            audit(auditMessage);
++                    auditRequesterID));
+         }
+ 
+         return completed;
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 21cac27..a224ae6 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -72,8 +72,6 @@ public class AuditEvent implements IBundleLogEvent {
+     public final static String LOG_PATH_CHANGE =
+             "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4";
+ 
+-    public final static String PRIVATE_KEY_ARCHIVE_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+     public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
+             "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
+     public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
+@@ -182,8 +180,6 @@ public class AuditEvent implements IBundleLogEvent {
+ 
+     public final static String SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED =
+             "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6";
+-    public static final String SECURITY_DATA_ARCHIVAL_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4";
+     public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED =
+             "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5";
+     public static final String SECURITY_DATA_RECOVERY_REQUEST =
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java
+new file mode 100644
+index 0000000..43f7525
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java
+@@ -0,0 +1,59 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class SecurityDataArchivalEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST";
++
++    public SecurityDataArchivalEvent(
++            String subjectID,
++            String outcome,
++            RequestId requestID,
++            String clientKeyID) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                requestID,
++                clientKeyID
++        });
++    }
++
++    public SecurityDataArchivalEvent(
++            String subjectID,
++            String outcome,
++            String requestID) {
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                requestID,
++                null
++        });
++    }
++}
+\ No newline at end of file
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index bd49a8d..be4ce71 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
+index e413a06..0a1fe1f 100644
+--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
+@@ -50,6 +50,7 @@ import com.netscape.certsrv.kra.ProofOfArchival;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+@@ -155,13 +156,10 @@ public class EnrollmentService implements IService {
+         String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID();
+-        String auditArchiveID = ILogger.UNIDENTIFIED;
+         String auditPublicKey = ILogger.UNIDENTIFIED;
+ 
+         String id = request.getRequestId().toString();
+-        if (id != null) {
+-            auditArchiveID = id.trim();
+-        }
++
+         if (CMS.debugOn())
+             CMS.debug("EnrollmentServlet: KRA services enrollment request");
+ 
+@@ -198,15 +196,11 @@ public class EnrollmentService implements IService {
+                 aOpts = CRMFParser.getPKIArchiveOptions(
+                             request.getExtDataInString(IRequest.HTTP_PARAMS, CRMF_REQUEST));
+             } catch (IOException e) {
+-
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID,
+-                        auditArchiveID);
++                        auditRequesterID));
+ 
+-                audit(auditMessage);
+                 throw new EKRAException(
+                         CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+             }
+@@ -247,14 +241,11 @@ public class EnrollmentService implements IService {
+                 } catch (Exception e) {
+                     mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
+ 
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                    audit(new SecurityDataArchivalEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditRequesterID,
+-                            auditArchiveID);
++                            auditRequesterID));
+ 
+-                    audit(auditMessage);
+                     throw new EKRAException(
+                             CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+                 }
+@@ -283,14 +274,11 @@ public class EnrollmentService implements IService {
+                 mKRA.log(ILogger.LL_FAILURE,
+                         CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+ 
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID,
+-                        auditArchiveID);
++                        auditRequesterID));
+ 
+-                audit(auditMessage);
+                 throw new EKRAException(
+                         CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+             }
+@@ -325,14 +313,11 @@ public class EnrollmentService implements IService {
+                     mKRA.log(ILogger.LL_DEBUG, e.getMessage());
+                     mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
+ 
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                    audit(new SecurityDataArchivalEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditRequesterID,
+-                            auditArchiveID);
++                            auditRequesterID));
+ 
+-                    audit(auditMessage);
+                     throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e);
+                 }
+             } // !allowEncDecrypt_archival
+@@ -346,14 +331,11 @@ public class EnrollmentService implements IService {
+                     mKRA.log(ILogger.LL_FAILURE,
+                         CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+ 
+-                    auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                    audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID,
+-                        auditArchiveID);
++                        auditRequesterID));
+ 
+-                    audit(auditMessage);
+                     throw new EKRAException(
+                         CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+                 }
+@@ -371,14 +353,11 @@ public class EnrollmentService implements IService {
+             if (owner == null) {
+                 mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND"));
+ 
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID,
+-                        auditArchiveID);
++                        auditRequesterID));
+ 
+-                audit(auditMessage);
+                 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
+             }
+ 
+@@ -406,14 +385,11 @@ public class EnrollmentService implements IService {
+                 mKRA.log(ILogger.LL_DEBUG, e.getMessage());
+                 mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
+ 
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID,
+-                        auditArchiveID);
++                        auditRequesterID));
+ 
+-                audit(auditMessage);
+                 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+             }
+ 
+@@ -433,14 +409,11 @@ public class EnrollmentService implements IService {
+                     rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
+                 } catch (InvalidKeyException e) {
+ 
+-                    auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                    audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID,
+-                        auditArchiveID);
++                        auditRequesterID));
+ 
+-                    audit(auditMessage);
+                     throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
+                 }
+             } else if (keyAlg.equals("EC")) {
+@@ -483,14 +456,11 @@ public class EnrollmentService implements IService {
+                         CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER",
+                                 rec.getSerialNumber().toString()));
+ 
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID,
+-                        auditArchiveID);
++                        auditRequesterID));
+ 
+-                audit(auditMessage);
+                 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
+             }
+ 
+@@ -505,14 +475,11 @@ public class EnrollmentService implements IService {
+             } catch (Exception e) {
+                 mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters");
+                 // TODO(alee) Set correct audit message here
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID,
+-                        auditArchiveID);
++                        auditRequesterID));
+ 
+-                audit(auditMessage);
+                 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
+             }
+ 
+@@ -523,14 +490,11 @@ public class EnrollmentService implements IService {
+                 mKRA.log(ILogger.LL_FAILURE,
+                         CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
+ 
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID,
+-                        auditArchiveID);
++                        auditRequesterID));
+ 
+-                audit(auditMessage);
+                 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
+             }
+             if (i == 0) {
+@@ -580,14 +544,10 @@ public class EnrollmentService implements IService {
+                     );
+ 
+             // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++            audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditRequesterID,
+-                        auditArchiveID);
+-
+-            audit(auditMessage);
++                        auditRequesterID));
+ 
+             // store a message in the signed audit log file
+             auditPublicKey = auditPublicKey(rec);
+diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+index 54953d1..de097b2 100644
+--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+@@ -58,6 +58,7 @@ import com.netscape.certsrv.kra.IKeyService;
+ import com.netscape.certsrv.listeners.EListenersException;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
+ import com.netscape.certsrv.request.ARequestNotifier;
+ import com.netscape.certsrv.request.IPolicy;
+ import com.netscape.certsrv.request.IRequest;
+@@ -751,11 +752,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID();
+         String auditPublicKey = auditPublicKey(rec);
+-        String auditArchiveID = ILogger.UNIDENTIFIED;
+ 
+         IRequestQueue queue = null;
+         IRequest r = null;
+-        String id = null;
+ 
+         // ensure that any low-level exceptions are reported
+         // to the signed audit log and stored as failures
+@@ -764,34 +763,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ 
+             r = queue.newRequest(KRAService.ENROLLMENT);
+ 
+-            if (r != null) {
+-                // overwrite "auditArchiveID" if and only if "id" != null
+-                id = r.getRequestId().toString();
+-                if (id != null) {
+-                    auditArchiveID = id.trim();
+-                }
+-            }
+-
+             // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++            audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditRequesterID,
+-                        auditArchiveID);
++                        auditRequesterID));
+ 
+-            audit(auditMessage);
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++            audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID,
+-                        auditArchiveID);
+-
+-            audit(auditMessage);
+-
++                        auditRequesterID));
+             throw eAudit1;
+         }
+ 
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index 636e93e..0885469 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -49,6 +49,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+ import com.netscape.certsrv.security.IStorageKeyUnit;
+@@ -142,7 +143,6 @@ public class NetkeyKeygenService implements IService {
+             throws EBaseException {
+         String auditMessage = null;
+         String auditSubjectID = null;
+-        String auditArchiveID = ILogger.UNIDENTIFIED;
+         byte[] wrapped_des_key;
+ 
+         byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+@@ -165,11 +165,6 @@ public class NetkeyKeygenService implements IService {
+         ;
+         String PubKey = "";
+ 
+-        String id = request.getRequestId().toString();
+-        if (id != null) {
+-            auditArchiveID = id.trim();
+-        }
+-
+         String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG);
+         if (rArchive.equals("true")) {
+             archive = true;
+@@ -395,14 +390,10 @@ public class NetkeyKeygenService implements IService {
+                     //
+                     //            mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private");
+ 
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                    audit( new SecurityDataArchivalEvent(
+                             agentId,
+                             ILogger.SUCCESS,
+-                            auditSubjectID,
+-                            auditArchiveID);
+-
+-                    audit(auditMessage);
++                            auditSubjectID));
+ 
+                     CMS.debug("KRA encrypts private key to put on internal ldap db");
+                     byte privateKeyData[] = null;
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+index 38f7e93..b0bcff2 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+@@ -50,6 +50,7 @@ import com.netscape.certsrv.key.KeyRequestResponse;
+ import com.netscape.certsrv.key.SymKeyGenerationRequest;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
+ import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.request.RequestNotFoundException;
+ import com.netscape.cms.realm.PKIPrincipal;
+@@ -354,13 +355,11 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
+     }
+ 
+     public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) {
+-        String msg = CMS.getLogMessage(
+-                AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST,
++        audit(new SecurityDataArchivalEvent(
+                 getRequestor(),
+                 status,
+-                requestId != null? requestId.toString(): "null",
+-                clientKeyID);
+-        auditor.log(msg);
++                requestId,
++                clientKeyID));
+     }
+ 
+     public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) {
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
+index 02aa8c8..85db2cb 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
+@@ -29,9 +29,9 @@ import com.netscape.certsrv.ca.AuthorityID;
+ import com.netscape.certsrv.ca.ICAService;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.connector.IConnector;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
+ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.ERejectException;
+ import com.netscape.certsrv.profile.IProfileUpdater;
+@@ -80,15 +80,10 @@ public class CAEnrollProfile extends EnrollProfile {
+             throw new EProfileException("Profile Not Enabled");
+         }
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID(request);
+-        String auditArchiveID = ILogger.UNIDENTIFIED;
+-
+         String id = request.getRequestId().toString();
+-        if (id != null) {
+-            auditArchiveID = id.trim();
+-        }
++
+ 
+         CMS.debug("CAEnrollProfile: execute request ID " + id);
+ 
+@@ -117,29 +112,21 @@ public class CAEnrollProfile extends EnrollProfile {
+                         CMS.debug("CAEnrollProfile: KRA connector " +
+                                 "not configured");
+ 
+-                        auditMessage = CMS.getLogMessage(
+-                                AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                        audit(new SecurityDataArchivalEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditRequesterID,
+-                                auditArchiveID);
+-
+-                        audit(auditMessage);
+-
++                                auditRequesterID));
+                     } else {
+                         CMS.debug("CAEnrollProfile: execute send request");
+                         kraConnector.send(request);
+ 
+                         // check response
+                         if (!request.isSuccess()) {
+-                            auditMessage = CMS.getLogMessage(
+-                                    AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                            audit(new SecurityDataArchivalEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+-                                    auditRequesterID,
+-                                    auditArchiveID);
++                                    auditRequesterID));
+ 
+-                            audit(auditMessage);
+                             if (request.getError(getLocale(request)) != null &&
+                                 (request.getError(getLocale(request))).equals(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"))) {
+                                 CMS.debug("CAEnrollProfile: execute set request status: REJECTED");
+@@ -150,14 +137,10 @@ public class CAEnrollProfile extends EnrollProfile {
+                                     request.getError(getLocale(request)));
+                         }
+ 
+-                        auditMessage = CMS.getLogMessage(
+-                                AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                        audit(new SecurityDataArchivalEvent(
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+-                                auditRequesterID,
+-                                auditArchiveID);
+-
+-                        audit(auditMessage);
++                                auditRequesterID));
+                     }
+                 } catch (Exception e) {
+ 
+@@ -167,14 +150,11 @@ public class CAEnrollProfile extends EnrollProfile {
+                     CMS.debug("CAEnrollProfile: " + e);
+                     CMS.debug(e);
+ 
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
++                    audit(new SecurityDataArchivalEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditRequesterID,
+-                            auditArchiveID);
++                            auditRequesterID));
+ 
+-                    audit(auditMessage);
+                     throw new EProfileException(e);
+                 }
+             }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
+index 30d6b9c..2bcde64 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
+@@ -81,6 +81,16 @@ public class SubsystemService extends PKIService {
+                 getClass().getSimpleName() + ": " + message);
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        auditor.log(message);
++    }
++
+     public void audit(String message, String scope, String type, String id, Map<String, String> params, String status) {
+ 
+         String auditMessage = CMS.getLogMessage(
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 6bc2d82..03af216 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -1943,18 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
+ # -- feature disabled --
+ #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=<type=LOG_EXPIRATION_CHANGE>:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
+ #
+-# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST
+-# - used when user private key archive request is made
+-#    this is an option in a certificate enrollment request detected by RA or CA
+-#    so should be seen logged right following the certificate request, if selected
+-# ReqID must be the certificate enrollment request ID associated with the
+-#    CA archive option (even if the request was originally submitted via
+-#    an RA) (this field is set to the "EntityID" in caase of server-side key gen)
+-# ArchiveID must be the DRM request ID associated with the enrollment ID,
+-#     ReqID (this field will be "N/A" when logged by the CA)
+-#
+-LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4=<type=PRIVATE_KEY_ARCHIVE_REQUEST>:[AuditEvent=PRIVATE_KEY_ARCHIVE_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ArchiveID={3}] private key archive request
+-#
+ # LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
+ # - used when user private key archive request is processed
+ #    this is when DRM receives and processed the request
+@@ -2490,7 +2478,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6=<type=SECURITY_D
+ # RecoveryID must be the recovery request ID
+ # CientID is the ID of the security data to be archived
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4=<type=SECURITY_DATA_ARCHIVAL_REQUEST>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL_REQUEST>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made
+ #
+ #
+ # LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
+-- 
+1.8.3.1
+
+
+From 3a35eceffed65862e66806c20cff3a3b64d75ae8 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Tue, 16 May 2017 22:16:30 -0400
+Subject: [PATCH 02/38] Encapsulate archival processed audit logs
+
+Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
+and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED.  We have merged the
+two audit events.
+
+Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  4 --
+ .../event/SecurityDataArchivalProcessedEvent.java  | 49 ++++++++++++++++++++++
+ base/kra/shared/conf/CS.cfg                        |  2 +-
+ .../src/com/netscape/kra/EnrollmentService.java    | 15 ++++---
+ .../src/com/netscape/kra/KeyRecoveryAuthority.java | 33 ++++++++-------
+ .../src/com/netscape/kra/NetkeyKeygenService.java  | 13 +++---
+ .../com/netscape/kra/SecurityDataProcessor.java    |  8 ++--
+ base/server/cmsbundle/src/LogMessages.properties   | 10 +----
+ 8 files changed, 86 insertions(+), 48 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index a224ae6..ce5cc4b 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -72,8 +72,6 @@ public class AuditEvent implements IBundleLogEvent {
+     public final static String LOG_PATH_CHANGE =
+             "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4";
+ 
+-    public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
+     public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
+             "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
+     public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
+@@ -178,8 +176,6 @@ public class AuditEvent implements IBundleLogEvent {
+     public final static String CONFIG_SERIAL_NUMBER =
+             "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1";
+ 
+-    public final static String SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6";
+     public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED =
+             "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5";
+     public static final String SECURITY_DATA_RECOVERY_REQUEST =
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
+new file mode 100644
+index 0000000..8d7593b
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
+@@ -0,0 +1,49 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class SecurityDataArchivalProcessedEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY = "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED";
++
++    public SecurityDataArchivalProcessedEvent(
++            String subjectID,
++            String outcome,
++            String requestID,
++            String clientKeyID,
++            String keyID,
++            String failureReason,
++            String pubkey) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                requestID,
++                clientKeyID,
++                keyID,
++                failureReason,
++                pubkey
++        });
++    }
++}
+\ No newline at end of file
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index be4ce71..23d2508 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -300,7 +300,7 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
+index 0a1fe1f..cf2a88f 100644
+--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
+@@ -51,6 +51,7 @@ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
++import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+@@ -153,13 +154,10 @@ public class EnrollmentService implements IService {
+             statsSub.startTiming("archival", true /* main action */);
+         }
+ 
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID();
+         String auditPublicKey = ILogger.UNIDENTIFIED;
+ 
+-        String id = request.getRequestId().toString();
+-
+         if (CMS.debugOn())
+             CMS.debug("EnrollmentServlet: KRA services enrollment request");
+ 
+@@ -551,13 +549,14 @@ public class EnrollmentService implements IService {
+ 
+             // store a message in the signed audit log file
+             auditPublicKey = auditPublicKey(rec);
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
++            audit(new SecurityDataArchivalProcessedEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditPublicKey);
+-
+-            audit(auditMessage);
++                        request.getRequestId().toString(),
++                        null,
++                        rec.getSerialNumber().toString(),
++                        null,
++                        auditPublicKey));
+ 
+             // Xxx - should sign this proof of archival
+             ProofOfArchival mProof = new ProofOfArchival(serialNo,
+diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+index de097b2..bc58d14 100644
+--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+@@ -59,6 +59,7 @@ import com.netscape.certsrv.listeners.EListenersException;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
++import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
+ import com.netscape.certsrv.request.ARequestNotifier;
+ import com.netscape.certsrv.request.IPolicy;
+ import com.netscape.certsrv.request.IRequest;
+@@ -786,23 +787,23 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+                 queue.processRequest(r);
+             }
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+-                        auditSubjectID,
+-                        ILogger.SUCCESS,
+-                        auditPublicKey);
+-
+-            audit(auditMessage);
++            audit(new SecurityDataArchivalProcessedEvent(
++                    auditSubjectID,
++                    ILogger.SUCCESS,
++                    r.getRequestId().toString(),
++                    null,
++                    rec.getSerialNumber().toString(),
++                    null,
++                    auditPublicKey));
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+-                        auditSubjectID,
+-                        ILogger.FAILURE,
+-                        auditPublicKey);
+-
+-            audit(auditMessage);
++            audit(new SecurityDataArchivalProcessedEvent(
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    r.getRequestId().toString(),
++                    null,
++                    rec.getSerialNumber().toString(),
++                    eAudit1.getMessage(),
++                    auditPublicKey));
+ 
+             throw eAudit1;
+         }
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index 0885469..cd1079d 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -50,6 +50,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
++import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+ import com.netscape.certsrv.security.IStorageKeyUnit;
+@@ -480,14 +481,14 @@ public class NetkeyKeygenService implements IService {
+                     storage.addKeyRecord(rec);
+                     CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid);
+ 
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
++                    audit(new SecurityDataArchivalProcessedEvent(
+                             agentId,
+                             ILogger.SUCCESS,
+-                            PubKey);
+-
+-                    audit(auditMessage);
+-
++                            request.getRequestId().toString(),
++                            null,
++                            serialNo.toString(),
++                            null,
++                            PubKey));
+                 } //if archive
+ 
+                 request.setExtData(IRequest.RESULT, Integer.valueOf(1));
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index 344f376..fa12805 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -40,6 +40,7 @@ import com.netscape.certsrv.kra.EKRAException;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.RequestId;
+@@ -867,14 +868,13 @@ public class SecurityDataProcessor {
+ 
+     private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
+             String keyID, String reason) {
+-        String auditMessage = CMS.getLogMessage(
+-                AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,
++        audit(new SecurityDataArchivalProcessedEvent(
+                 subjectID,
+                 status,
+                 requestID.toString(),
+                 clientKeyID,
+                 keyID != null ? keyID : "None",
+-                reason);
+-        audit(auditMessage);
++                reason,
++                null));
+     }
+ }
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 03af216..a7ce567 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -1943,14 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
+ # -- feature disabled --
+ #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=<type=LOG_EXPIRATION_CHANGE>:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
+ #
+-# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
+-# - used when user private key archive request is processed
+-#    this is when DRM receives and processed the request
+-# PubKey must be the base-64 encoded public key associated with
+-#    the private key to be archived
+-#
+-LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3=<type=PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED>:[AuditEvent=PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][PubKey={2}] private key archive request processed
+-#
+ # LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
+ # - used when user private key export request is made and processed with success
+ # - this is used in case of server-side keygen when keys generated on the server
+@@ -2471,7 +2463,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEv
+ # Client ID must be the user supplied client ID associated with
+ #    the security data to be archived
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6=<type=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] security data archival request processed
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=<type=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}][PubKey={6}] security data archival request processed
+ #
+ # LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST
+ # - used when security data recovery request is made
+-- 
+1.8.3.1
+
+
+From 90f6d8ece46d70a3566b97b549efb1053895f407 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Tue, 16 May 2017 23:11:34 -0400
+Subject: [PATCH 03/38] Encapsulate key recovery audit events
+
+Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and
+KEY_RECOVERY_REQUEST audit events as audit event objects.
+We have collapse to a single audit event type.
+
+Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  4 --
+ .../event/SecurityDataArchivalProcessedEvent.java  |  6 ++-
+ .../logging/event/SecurityDataRecoveryEvent.java   | 48 +++++++++++++++++++++
+ base/kra/shared/conf/CS.cfg                        |  4 +-
+ .../src/com/netscape/kra/EnrollmentService.java    |  5 ++-
+ .../src/com/netscape/kra/KeyRecoveryAuthority.java | 49 ++++++++++++++--------
+ .../src/com/netscape/kra/NetkeyKeygenService.java  |  5 ++-
+ .../com/netscape/kra/SecurityDataProcessor.java    |  9 ++--
+ .../com/netscape/kra/TokenKeyRecoveryService.java  | 18 ++++----
+ .../server/kra/rest/KeyRequestService.java         | 10 ++---
+ base/server/cmsbundle/src/LogMessages.properties   |  2 +-
+ 11 files changed, 114 insertions(+), 46 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index ce5cc4b..da571fe 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -82,8 +82,6 @@ public class AuditEvent implements IBundleLogEvent {
+             "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4";
+     public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE =
+             "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3";
+-    public final static String KEY_RECOVERY_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
+     public final static String KEY_RECOVERY_REQUEST_ASYNC =
+             "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4";
+     public final static String KEY_RECOVERY_AGENT_LOGIN =
+@@ -178,8 +176,6 @@ public class AuditEvent implements IBundleLogEvent {
+ 
+     public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED =
+             "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5";
+-    public static final String SECURITY_DATA_RECOVERY_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4";
+     public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE =
+             "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4";
+     public final static String SECURITY_DATA_RETRIEVE_KEY =
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
+index 8d7593b..eb4f6b3 100644
+--- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
+@@ -17,7 +17,9 @@
+ // --- END COPYRIGHT BLOCK ---
+ package com.netscape.certsrv.logging.event;
+ 
++import com.netscape.certsrv.dbs.keydb.KeyId;
+ import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
+ 
+ public class SecurityDataArchivalProcessedEvent extends AuditEvent {
+ 
+@@ -28,9 +30,9 @@ public class SecurityDataArchivalProcessedEvent extends AuditEvent {
+     public SecurityDataArchivalProcessedEvent(
+             String subjectID,
+             String outcome,
+-            String requestID,
++            RequestId requestID,
+             String clientKeyID,
+-            String keyID,
++            KeyId keyID,
+             String failureReason,
+             String pubkey) {
+ 
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java
+new file mode 100644
+index 0000000..97e3c96
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java
+@@ -0,0 +1,48 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.dbs.keydb.KeyId;
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class SecurityDataRecoveryEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST";
++
++    public SecurityDataRecoveryEvent(
++            String subjectID,
++            String outcome,
++            RequestId recoveryID,
++            KeyId keyID,
++            String pubkey) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                recoveryID,
++                keyID,
++                pubkey
++        });
++    }
++}
+\ No newline at end of file
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index 23d2508..54adae1 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
+index cf2a88f..b28fbc6 100644
+--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
+@@ -44,6 +44,7 @@ import com.netscape.certsrv.base.MetaInfo;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
++import com.netscape.certsrv.dbs.keydb.KeyId;
+ import com.netscape.certsrv.kra.EKRAException;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.kra.ProofOfArchival;
+@@ -552,9 +553,9 @@ public class EnrollmentService implements IService {
+             audit(new SecurityDataArchivalProcessedEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        request.getRequestId().toString(),
++                        request.getRequestId(),
+                         null,
+-                        rec.getSerialNumber().toString(),
++                        new KeyId(rec.getSerialNumber()),
+                         null,
+                         auditPublicKey));
+ 
+diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+index bc58d14..8f86eef 100644
+--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+@@ -52,6 +52,7 @@ import com.netscape.certsrv.base.ISubsystem;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.dbs.IDBSubsystem;
+ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
++import com.netscape.certsrv.dbs.keydb.KeyId;
+ import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.kra.IKeyService;
+@@ -60,6 +61,7 @@ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
++import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
+ import com.netscape.certsrv.request.ARequestNotifier;
+ import com.netscape.certsrv.request.IPolicy;
+ import com.netscape.certsrv.request.IRequest;
+@@ -749,7 +751,6 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+      */
+     public IRequest archiveKey(KeyRecord rec)
+             throws EBaseException {
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID();
+         String auditPublicKey = auditPublicKey(rec);
+@@ -790,18 +791,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+             audit(new SecurityDataArchivalProcessedEvent(
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+-                    r.getRequestId().toString(),
++                    r.getRequestId(),
+                     null,
+-                    rec.getSerialNumber().toString(),
++                    new KeyId(rec.getSerialNumber()),
+                     null,
+                     auditPublicKey));
+         } catch (EBaseException eAudit1) {
+             audit(new SecurityDataArchivalProcessedEvent(
+                     auditSubjectID,
+                     ILogger.FAILURE,
+-                    r.getRequestId().toString(),
++                    r.getRequestId(),
+                     null,
+-                    rec.getSerialNumber().toString(),
++                    new KeyId(rec.getSerialNumber()),
+                     eAudit1.getMessage(),
+                     auditPublicKey));
+ 
+@@ -994,7 +995,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+             throws EBaseException {
+         String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
++
++        // temporary variable till other audit events are converted
+         String auditRecoveryID = auditRecoveryID();
++
++        RequestId auditRequestID = auditRequestID();
+         String auditPublicKey = auditPublicKey(cert);
+         String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ 
+@@ -1029,24 +1034,20 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+             r.setExtData(IRequest.ATTR_APPROVE_AGENTS, agent);
+ 
+             // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST,
++            audit(new SecurityDataRecoveryEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditRecoveryID,
+-                        auditPublicKey);
+-
+-            audit(auditMessage);
++                        auditRequestID,
++                        null,
++                        auditPublicKey));
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST,
++            audit(new SecurityDataRecoveryEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRecoveryID,
+-                        auditPublicKey);
+-
+-            audit(auditMessage);
++                        auditRequestID,
++                        null,
++                        auditPublicKey));
+ 
+             throw eAudit1;
+         }
+@@ -1680,6 +1681,20 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ 
+         return recoveryID;
+     }
++    /*
++     * temporary function till other audit messages are converted
++     */
++    private RequestId auditRequestID() {
++        SessionContext auditContext = SessionContext.getExistingContext();
++        if (auditContext != null) {
++            String recoveryID = (String) auditContext.get(SessionContext.RECOVERY_ID);
++            if (recoveryID != null) {
++                return new RequestId(recoveryID.trim());
++            }
++        }
++
++        return null;
++    }
+ 
+     /**
+      * Signed Audit Log Public Key
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index cd1079d..5463b92 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -46,6 +46,7 @@ import com.netscape.certsrv.base.MetaInfo;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
++import com.netscape.certsrv.dbs.keydb.KeyId;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+@@ -484,9 +485,9 @@ public class NetkeyKeygenService implements IService {
+                     audit(new SecurityDataArchivalProcessedEvent(
+                             agentId,
+                             ILogger.SUCCESS,
+-                            request.getRequestId().toString(),
++                            request.getRequestId(),
+                             null,
+-                            serialNo.toString(),
++                            new KeyId(serialNo),
+                             null,
+                             PubKey));
+                 } //if archive
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index fa12805..da8dd9b 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -35,6 +35,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
++import com.netscape.certsrv.dbs.keydb.KeyId;
+ import com.netscape.certsrv.key.KeyRequestResource;
+ import com.netscape.certsrv.kra.EKRAException;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+@@ -300,7 +301,7 @@ public class SecurityDataProcessor {
+         keyRepository.addKeyRecord(rec);
+ 
+         auditArchivalRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestId,
+-                clientKeyId, serialNo.toString(), "None");
++                clientKeyId, new KeyId(serialNo), "None");
+ 
+         request.setExtData(ATTR_KEY_RECORD, serialNo);
+         request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+@@ -867,13 +868,13 @@ public class SecurityDataProcessor {
+     }
+ 
+     private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
+-            String keyID, String reason) {
++            KeyId keyID, String reason) {
+         audit(new SecurityDataArchivalProcessedEvent(
+                 subjectID,
+                 status,
+-                requestID.toString(),
++                requestID,
+                 clientKeyID,
+-                keyID != null ? keyID : "None",
++                keyID,
+                 reason,
+                 null));
+     }
+diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+index 64f65a0..7aca24c 100644
+--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+@@ -47,8 +47,10 @@ import com.netscape.certsrv.kra.EKRAException;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
++import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.security.IStorageKeyUnit;
+ import com.netscape.certsrv.security.ITransportKeyUnit;
+ import com.netscape.cmscore.dbs.KeyRecord;
+@@ -211,6 +213,10 @@ public class TokenKeyRecoveryService implements IService {
+         if (id != null) {
+             auditRecoveryID = id.trim();
+         }
++
++        // temporary variable till other audit messages have been replaced
++        RequestId auditRequestID = request.getRequestId();
++
+         SessionContext sContext = SessionContext.getContext();
+         String agentId = "";
+         if (sContext != null) {
+@@ -563,14 +569,12 @@ public class TokenKeyRecoveryService implements IService {
+                 CMS.debug("TokenKeyRecoveryService: RSA PubKey base64 encoded");
+             }
+ 
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.KEY_RECOVERY_REQUEST,
++            audit(new SecurityDataRecoveryEvent(
+                     auditSubjectID,
+-                        ILogger.SUCCESS,
+-                    auditRecoveryID,
+-                    PubKey);
+-
+-            audit(auditMessage);
++                    ILogger.SUCCESS,
++                    auditRequestID,
++                    null,
++                    PubKey));
+ 
+             if (PubKey == null) {
+                 request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+index b0bcff2..a2d01f1 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+@@ -51,6 +51,7 @@ import com.netscape.certsrv.key.SymKeyGenerationRequest;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
++import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
+ import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.request.RequestNotFoundException;
+ import com.netscape.cms.realm.PKIPrincipal;
+@@ -345,13 +346,12 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
+     }
+ 
+     public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) {
+-        String msg = CMS.getLogMessage(
+-                AuditEvent.SECURITY_DATA_RECOVERY_REQUEST,
++        audit(new SecurityDataRecoveryEvent(
+                 getRequestor(),
+                 status,
+-                requestId != null? requestId.toString(): "null",
+-                dataId.toString());
+-        auditor.log(msg);
++                requestId,
++                dataId,
++                null));
+     }
+ 
+     public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) {
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index a7ce567..d594f1c 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2486,7 +2486,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5=<type=SECURITY_D
+ # RecoveryID must be the recovery request ID
+ # DataID is the ID of the security data to be recovered
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4=<type=SECURITY_DATA_RECOVERY_REQUEST>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][DataID={3}] security data recovery request made
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=<type=SECURITY_DATA_RECOVERY_REQUEST>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][DataID={3}][PubKey={4}] security data recovery request made
+ #
+ # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_STATE_CHANGE
+ # - used when DRM agents login as recovery agents to change
+-- 
+1.8.3.1
+
+
+From 58927bc0573769480dd35b564b9791eb086b267e Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Wed, 17 May 2017 14:10:37 -0400
+Subject: [PATCH 04/38] Encapsulate recovery processed audit events
+
+This creates audit events for KEY_RECOVERY_PROCESSED and
+SECURITY_DATA_RECOVERY_PROCESSED audit logs.  We simplify by
+reducing the logs to the SECURITY_DATA ones.
+
+Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   |   4 -
+ .../event/SecurityDataRecoveryProcessedEvent.java  |  50 ++++++
+ base/kra/shared/conf/CS.cfg                        |   4 +-
+ .../src/com/netscape/kra/KeyRecoveryAuthority.java |  94 +++--------
+ .../com/netscape/kra/SecurityDataProcessor.java    |  45 ++---
+ .../com/netscape/kra/TokenKeyRecoveryService.java  | 182 ++++++++++-----------
+ base/server/cmsbundle/src/LogMessages.properties   |  12 +-
+ 7 files changed, 184 insertions(+), 207 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index da571fe..c9c8f96 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -86,8 +86,6 @@ public class AuditEvent implements IBundleLogEvent {
+             "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4";
+     public final static String KEY_RECOVERY_AGENT_LOGIN =
+             "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4";
+-    public final static String KEY_RECOVERY_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
+     public final static String KEY_RECOVERY_REQUEST_PROCESSED_ASYNC =
+             "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4";
+     public final static String KEY_GEN_ASYMMETRIC =
+@@ -174,8 +172,6 @@ public class AuditEvent implements IBundleLogEvent {
+     public final static String CONFIG_SERIAL_NUMBER =
+             "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1";
+ 
+-    public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5";
+     public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE =
+             "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4";
+     public final static String SECURITY_DATA_RETRIEVE_KEY =
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java
+new file mode 100644
+index 0000000..8e5ad4b
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java
+@@ -0,0 +1,50 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.dbs.keydb.KeyId;
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class SecurityDataRecoveryProcessedEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED";
++
++    public SecurityDataRecoveryProcessedEvent(
++            String subjectID,
++            String outcome,
++            RequestId recoveryID,
++            KeyId keyID,
++            String failureReason,
++            String recoveryAgents) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                recoveryID,
++                keyID,
++                failureReason,
++                recoveryAgents
++        });
++    }
++}
+\ No newline at end of file
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index 54adae1..8f55a37 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+index 8f86eef..670279e 100644
+--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+@@ -62,6 +62,7 @@ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
++import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
+ import com.netscape.certsrv.request.ARequestNotifier;
+ import com.netscape.certsrv.request.IPolicy;
+ import com.netscape.certsrv.request.IRequest;
+@@ -980,7 +981,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+      * @param kid key identifier
+      * @param creds list of recovery agent credentials
+      * @param password password of the PKCS12 package
+-     * @param cert certficate that will be put in PKCS12
++     * @param cert certificate that will be put in PKCS12
+      * @param delivery file, mail or something else
+      * @param nickname string containing the nickname of the id cert for this
+      *            subsystem
+@@ -993,13 +994,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+             String delivery, String nickname,
+             String agent)
+             throws EBaseException {
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+-
+-        // temporary variable till other audit events are converted
+-        String auditRecoveryID = auditRecoveryID();
+-
+-        RequestId auditRequestID = auditRequestID();
++        RequestId auditRecoveryID = auditRecoveryID();
+         String auditPublicKey = auditPublicKey(cert);
+         String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ 
+@@ -1037,16 +1033,16 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+             audit(new SecurityDataRecoveryEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditRequestID,
+-                        null,
++                        auditRecoveryID,
++                        new KeyId(kid),
+                         auditPublicKey));
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             audit(new SecurityDataRecoveryEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequestID,
+-                        null,
++                        auditRecoveryID,
++                        new KeyId(kid),
+                         auditPublicKey));
+ 
+             throw eAudit1;
+@@ -1063,43 +1059,36 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ 
+                 auditAgents = auditAgents(creds);
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++                audit(new SecurityDataRecoveryProcessedEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditRecoveryID,
+-                            auditAgents);
+-
+-                audit(auditMessage);
++                            new KeyId(kid),
++                            null,
++                            auditAgents));
+ 
+                 destroyVolatileRequest(r.getRequestId());
+ 
+                 return pkcs12;
+             } else {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++                audit(new SecurityDataRecoveryProcessedEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+                             auditRecoveryID,
+-                            auditAgents);
+-
+-                audit(auditMessage);
++                            new KeyId(kid),
++                            r.getExtDataInString(IRequest.ERROR),
++                            auditAgents));
+ 
+                 throw new EBaseException(r.getExtDataInString(IRequest.ERROR));
+             }
+         } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+-                        auditSubjectID,
+-                        ILogger.FAILURE,
+-                        auditRecoveryID,
+-                        auditAgents);
+-
+-            audit(auditMessage);
+-
++            audit(new SecurityDataRecoveryProcessedEvent(
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    auditRecoveryID,
++                    new KeyId(kid),
++                    eAudit1.getMessage(),
++                    auditAgents));
+             throw eAudit1;
+         }
+     }
+@@ -1646,45 +1635,10 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+         return requesterID;
+     }
+ 
+-    /**
+-     * Signed Audit Log Recovery ID
+-     *
+-     * This method is called to obtain the "RecoveryID" for
+-     * a signed audit log message.
+-     * <P>
+-     *
+-     * @return id string containing the signed audit log message RecoveryID
+-     */
+-    private String auditRecoveryID() {
+-        // if no signed audit object exists, bail
+-        if (mSignedAuditLogger == null) {
+-            return null;
+-        }
+-
+-        String recoveryID = null;
+-
+-        // Initialize recoveryID
+-        SessionContext auditContext = SessionContext.getExistingContext();
+-
+-        if (auditContext != null) {
+-            recoveryID = (String)
+-                    auditContext.get(SessionContext.RECOVERY_ID);
+-
+-            if (recoveryID != null) {
+-                recoveryID = recoveryID.trim();
+-            } else {
+-                recoveryID = ILogger.UNIDENTIFIED;
+-            }
+-        } else {
+-            recoveryID = ILogger.UNIDENTIFIED;
+-        }
+-
+-        return recoveryID;
+-    }
+     /*
+-     * temporary function till other audit messages are converted
++     * Returns the requestID for the recovery request for audit logs.
+      */
+-    private RequestId auditRequestID() {
++    private RequestId auditRecoveryID() {
+         SessionContext auditContext = SessionContext.getExistingContext();
+         if (auditContext != null) {
+             String recoveryID = (String) auditContext.get(SessionContext.RECOVERY_ID);
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index da8dd9b..a44eb2f 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -42,6 +42,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
++import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.RequestId;
+@@ -326,14 +327,15 @@ public class SecurityDataProcessor {
+ 
+         Hashtable<String, Object> params = kra.getVolatileRequest(
+                 request.getRequestId());
+-        BigInteger serialno = request.getExtDataInBigInteger(ATTR_SERIALNO);
+-        request.setExtData(ATTR_KEY_RECORD, serialno);
++        KeyId keyId = new KeyId(request.getExtDataInBigInteger(ATTR_SERIALNO));
++        request.setExtData(ATTR_KEY_RECORD, keyId.toBigInteger());
+         RequestId requestID = request.getRequestId();
++        String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
+ 
+         if (params == null) {
+             CMS.debug("SecurityDataProcessor.recover(): Can't get volatile params.");
+-            auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
+-                    "cannot get volatile params");
++            auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
++                    "cannot get volatile params", approvers);
+             throw new EBaseException("Can't obtain volatile params!");
+         }
+ 
+@@ -355,7 +357,7 @@ public class SecurityDataProcessor {
+             return false;
+         }
+ 
+-        KeyRecord keyRecord = (KeyRecord) keyRepository.readKeyRecord(serialno);
++        KeyRecord keyRecord = (KeyRecord) keyRepository.readKeyRecord(keyId.toBigInteger());
+ 
+         String dataType = (String) keyRecord.get(IKeyRecord.ATTR_DATA_TYPE);
+         if (dataType == null) dataType = KeyRequestResource.ASYMMETRIC_KEY_TYPE;
+@@ -455,8 +457,8 @@ public class SecurityDataProcessor {
+                     iv != null? new IVParameterSpec(iv): null,
+                     iv_wrap != null? new IVParameterSpec(iv_wrap): null);
+             } catch (Exception e) {
+-                auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
+-                        "Cannot generate wrapping params");
++                auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
++                        "Cannot generate wrapping params", approvers);
+                 throw new EBaseException("Cannot generate wrapping params: " + e, e);
+             }
+         }
+@@ -512,8 +514,8 @@ public class SecurityDataProcessor {
+                 params.put(IRequest.SECURITY_DATA_PASS_WRAPPED_DATA, pbeWrappedData);
+ 
+             } catch (Exception e) {
+-                auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
+-                        "Cannot unwrap passphrase");
++                auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
++                        "Cannot unwrap passphrase", approvers);
+                 throw new EBaseException("Cannot unwrap passphrase: " + e, e);
+ 
+             } finally {
+@@ -554,8 +556,8 @@ public class SecurityDataProcessor {
+                     }
+ 
+                 } catch (Exception e) {
+-                    auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
+-                            "Cannot wrap symmetric key");
++                    auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
++                            "Cannot wrap symmetric key", approvers);
+                     throw new EBaseException("Cannot wrap symmetric key: " + e, e);
+                 }
+ 
+@@ -573,7 +575,7 @@ public class SecurityDataProcessor {
+                             wrapParams.getPayloadEncryptionIV());
+                 } catch (Exception e) {
+                     auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
+-                            serialno.toString(), "Cannot encrypt passphrase");
++                            keyId, "Cannot encrypt passphrase", approvers);
+                     throw new EBaseException("Cannot encrypt passphrase: " + e, e);
+                 }
+ 
+@@ -604,8 +606,8 @@ public class SecurityDataProcessor {
+                     }
+ 
+                 } catch (Exception e) {
+-                    auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
+-                            "Cannot wrap private key");
++                    auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
++                            "Cannot wrap private key", approvers);
+                     throw new EBaseException("Cannot wrap private key: " + e, e);
+                 }
+             }
+@@ -639,8 +641,8 @@ public class SecurityDataProcessor {
+ 
+         params.put(IRequest.SECURITY_DATA_TYPE, dataType);
+ 
+-        auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, serialno.toString(),
+-                "None");
++        auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, keyId,
++                null, approvers);
+         request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+ 
+         return false; //return true ? TODO
+@@ -856,15 +858,14 @@ public class SecurityDataProcessor {
+     }
+ 
+     private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
+-            String keyID, String reason) {
+-        String auditMessage = CMS.getLogMessage(
+-                AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,
++            KeyId keyID, String reason, String recoveryAgents) {
++        audit(new SecurityDataRecoveryProcessedEvent(
+                 subjectID,
+                 status,
+-                requestID.toString(),
++                requestID,
+                 keyID,
+-                reason);
+-        audit(auditMessage);
++                reason,
++                recoveryAgents));
+     }
+ 
+     private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
+diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+index 7aca24c..2519a4d 100644
+--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+@@ -43,11 +43,13 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
++import com.netscape.certsrv.dbs.keydb.KeyId;
+ import com.netscape.certsrv.kra.EKRAException;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
++import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+ import com.netscape.certsrv.request.RequestId;
+@@ -183,9 +185,7 @@ public class TokenKeyRecoveryService implements IService {
+      * @exception EBaseException failed to serve
+      */
+     public synchronized boolean serviceRequest(IRequest request) throws EBaseException {
+-        String auditMessage = null;
+         String auditSubjectID = null;
+-        String auditRecoveryID = ILogger.UNIDENTIFIED;
+         String iv_s = "";
+ 
+         CMS.debug("KRA services token key recovery request");
+@@ -209,12 +209,6 @@ public class TokenKeyRecoveryService implements IService {
+             CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString());
+         }
+ 
+-        String id = request.getRequestId().toString();
+-        if (id != null) {
+-            auditRecoveryID = id.trim();
+-        }
+-
+-        // temporary variable till other audit messages have been replaced
+         RequestId auditRequestID = request.getRequestId();
+ 
+         SessionContext sContext = SessionContext.getContext();
+@@ -240,7 +234,7 @@ public class TokenKeyRecoveryService implements IService {
+         String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID);
+         String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID);
+         String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY);
+-        // the request reocrd field delayLDAPCommit == "true" will cause
++        // the request record field delayLDAPCommit == "true" will cause
+         // updateRequest() to delay actual write to ldap
+         request.setExtData("delayLDAPCommit", "true");
+         // wrappedDesKey no longer needed. removing.
+@@ -272,32 +266,32 @@ public class TokenKeyRecoveryService implements IService {
+         } else {
+             CMS.debug("TokenKeyRecoveryService: not receive des key");
+             request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++            audit(new SecurityDataRecoveryProcessedEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRecoveryID,
+-                        agentId);
++                        auditRequestID,
++                        null,
++                        "TokenRecoveryService: Did not receive DES key",
++                        agentId));
+ 
+-            audit(auditMessage);
+             return false;
+         }
+ 
+         // retrieve based on Certificate
+         String cert_s = request.getExtDataInString(ATTR_USER_CERT);
+         String keyid_s = request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID);
++        KeyId keyId = new KeyId(request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID));
+         /* have to have at least one */
+         if ((cert_s == null) && (keyid_s == null)) {
+             CMS.debug("TokenKeyRecoveryService: not receive cert or keyid");
+             request.setExtData(IRequest.RESULT, Integer.valueOf(3));
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+-                        auditSubjectID,
+-                        ILogger.FAILURE,
+-                        auditRecoveryID,
+-                        agentId);
+-
+-            audit(auditMessage);
++            audit(new SecurityDataRecoveryProcessedEvent(
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    auditRequestID,
++                    keyId,
++                    "TokenRecoveryService: Did not receive cert or keyid",
++                    agentId));
+             return false;
+         }
+ 
+@@ -311,27 +305,25 @@ public class TokenKeyRecoveryService implements IService {
+                 if (x509cert == null) {
+                     CMS.debug("cert mapping failed");
+                     request.setExtData(IRequest.RESULT, Integer.valueOf(5));
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++                    audit(new SecurityDataRecoveryProcessedEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditRecoveryID,
+-                            agentId);
+-
+-                    audit(auditMessage);
++                            auditRequestID,
++                            keyId,
++                            "TokenRecoveryService: cert mapping failed",
++                            agentId));
+                     return false;
+                 }
+             } catch (IOException e) {
+                 CMS.debug("TokenKeyRecoveryService: mapCert failed");
+                 request.setExtData(IRequest.RESULT, Integer.valueOf(6));
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++                audit(new SecurityDataRecoveryProcessedEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRecoveryID,
+-                        agentId);
+-
+-                audit(auditMessage);
++                        auditRequestID,
++                        keyId,
++                        "TokenRecoveryService: mapCert failed: " + e.getMessage(),
++                        agentId));
+                 return false;
+             }
+         } else {
+@@ -363,27 +355,25 @@ public class TokenKeyRecoveryService implements IService {
+                 else {
+                     CMS.debug("key record not found");
+                     request.setExtData(IRequest.RESULT, Integer.valueOf(8));
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++                    audit(new SecurityDataRecoveryProcessedEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditRecoveryID,
+-                            agentId);
+-
+-                    audit(auditMessage);
++                            auditRequestID,
++                            keyId,
++                            "TokenRecoveryService: key record not found",
++                            agentId));
+                     return false;
+                 }
+             } catch (Exception e) {
+                 com.netscape.cmscore.util.Debug.printStackTrace(e);
+                 request.setExtData(IRequest.RESULT, Integer.valueOf(9));
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++                audit(new SecurityDataRecoveryProcessedEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRecoveryID,
+-                        agentId);
+-
+-                audit(auditMessage);
++                        auditRequestID,
++                        keyId,
++                        "TokenRecoveryService: error reading key record: " + e.getMessage(),
++                        agentId));
+                 return false;
+             }
+ 
+@@ -410,14 +400,14 @@ public class TokenKeyRecoveryService implements IService {
+ 
+                 if (inputPubData.length != pubData.length) {
+                     mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++                    audit(new SecurityDataRecoveryProcessedEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditRecoveryID,
+-                            agentId);
++                            auditRequestID,
++                            keyId,
++                            CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"),
++                            agentId));
+ 
+-                    audit(auditMessage);
+                     throw new EKRAException(
+                             CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
+                 }
+@@ -425,14 +415,13 @@ public class TokenKeyRecoveryService implements IService {
+                 for (int i = 0; i < pubData.length; i++) {
+                     if (pubData[i] != inputPubData[i]) {
+                         mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+-                        auditMessage = CMS.getLogMessage(
+-                                AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++                        audit(new SecurityDataRecoveryProcessedEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditRecoveryID,
+-                                agentId);
+-
+-                        audit(auditMessage);
++                                auditRequestID,
++                                keyId,
++                                CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"),
++                                agentId));
+                         throw new EKRAException(
+                                 CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
+                     }
+@@ -455,13 +444,13 @@ public class TokenKeyRecoveryService implements IService {
+                 if (privateKeyData == null) {
+                     request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+                     CMS.debug("TokenKeyRecoveryService: failed getting private key");
+-                    auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+-                        auditSubjectID,
+-                        ILogger.FAILURE,
+-                        auditRecoveryID,
+-                        agentId);
+-                    audit(auditMessage);
++                    audit(new SecurityDataRecoveryProcessedEvent(
++                            auditSubjectID,
++                            ILogger.FAILURE,
++                            auditRequestID,
++                            keyId,
++                            "TokenKeyRecoveryService: failed getting private key",
++                            agentId));
+                     return false;
+                 }
+                 CMS.debug("TokenKeyRecoveryService: got private key...about to verify");
+@@ -485,14 +474,13 @@ public class TokenKeyRecoveryService implements IService {
+                 if (verifyKeyPair(pubData, privateKeyData) == false) {
+                     mKRA.log(ILogger.LL_FAILURE,
+                         CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+-                    auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+-                        auditSubjectID,
+-                        ILogger.FAILURE,
+-                        auditRecoveryID,
+-                        agentId);
+-
+-                    audit(auditMessage);
++                    audit(new SecurityDataRecoveryProcessedEvent(
++                            auditSubjectID,
++                            ILogger.FAILURE,
++                            auditRequestID,
++                            keyId,
++                            CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"),
++                            agentId));
+                     throw new EKRAException(
+                         CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+                 } else {
+@@ -511,14 +499,13 @@ public class TokenKeyRecoveryService implements IService {
+                 if (privKey == null) {
+                     request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+                     CMS.debug("TokenKeyRecoveryService: failed getting private key");
+-                    auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
+-                        auditSubjectID,
+-                        ILogger.FAILURE,
+-                        auditRecoveryID,
+-                        agentId);
+-
+-                    audit(auditMessage);
++                    audit(new SecurityDataRecoveryProcessedEvent(
++                            auditSubjectID,
++                            ILogger.FAILURE,
++                            auditRequestID,
++                            keyId,
++                            "TokenKeyRecoveryService: failed getting private key",
++                            agentId));
+                     return false;
+                 }
+ 
+@@ -541,14 +528,13 @@ public class TokenKeyRecoveryService implements IService {
+             if (wrappedPrivKeyString == null) {
+                 request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+                 CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key");
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++                audit(new SecurityDataRecoveryProcessedEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRecoveryID,
+-                        agentId);
+-
+-                audit(auditMessage);
++                        auditRequestID,
++                        keyId,
++                        "TokenKeyRecoveryService: failed generating wrapped private key",
++                        agentId));
+                 return false;
+             } else {
+                 CMS.debug("TokenKeyRecoveryService: got private key data wrapped");
+@@ -579,14 +565,13 @@ public class TokenKeyRecoveryService implements IService {
+             if (PubKey == null) {
+                 request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+                 CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded");
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++                audit(new SecurityDataRecoveryProcessedEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRecoveryID,
+-                        agentId);
+-
+-                audit(auditMessage);
++                        auditRequestID,
++                        keyId,
++                        "TokenKeyRecoveryService: failed getting publickey encoded",
++                        agentId));
+                 return false;
+             } else {
+                 //CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = " +
+@@ -594,15 +579,14 @@ public class TokenKeyRecoveryService implements IService {
+                 CMS.debug("TokenKeyRecoveryService: got publicKeyData");
+             }
+             request.setExtData("public_key", PubKey);
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
++
++            audit(new SecurityDataRecoveryProcessedEvent(
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+-                    auditRecoveryID,
+-                    agentId);
+-
+-            audit(auditMessage);
+-
++                    auditRequestID,
++                    keyId,
++                    null,
++                    agentId));
+             return true;
+ 
+         } catch (Exception e) {
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index d594f1c..b85310c 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2009,15 +2009,6 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=<type=KEY_RECOVERY_REQUEST_ASY
+ #
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login
+ #
+-#
+-# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED
+-# - used when key recovery request is processed
+-# RecoveryID must be the recovery request ID
+-# RecoveryAgents must be a comma-separated list of
+-#       UIDs of the recovery agents approving this request
+-#
+-LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4=<type=KEY_RECOVERY_REQUEST_PROCESSED>:[AuditEvent=KEY_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgents={3}] key recovery request processed
+-#
+ # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
+ # - used when key recovery request is processed
+ # RequestID must be the recovery request ID
+@@ -2477,8 +2468,9 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL
+ # - used when security data recovery request is processed
+ # RecoveryID must be the recovery request ID
+ # KeyID is the ID of the security data being requested to be recovered
++# RecoveryAgents are the UIDs of the recovery agents approving this request
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5=<type=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][FailureReason={4}] security data recovery request processed
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=<type=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][FailureReason={4}][RecoveryAgents={5}] security data recovery request processed
+ #
+ #
+ # LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST
+-- 
+1.8.3.1
+
+
+From f52f5be832e37cc45e665708d3b59d2a3aa04370 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Wed, 17 May 2017 16:17:30 -0400
+Subject: [PATCH 05/38] Eliminate async recovery audit events
+
+There are now many ways to recover keys.  From an
+auditing point of view, its not helpful to distinguish
+between sync or async requests.  So we just use
+SECURITY_DATA ...
+
+Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  4 --
+ base/kra/shared/conf/CS.cfg                        |  4 +-
+ .../src/com/netscape/kra/KeyRecoveryAuthority.java | 75 +++++++++-------------
+ base/server/cmsbundle/src/LogMessages.properties   | 17 -----
+ 4 files changed, 34 insertions(+), 66 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index c9c8f96..03340e1 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -82,12 +82,8 @@ public class AuditEvent implements IBundleLogEvent {
+             "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4";
+     public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE =
+             "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3";
+-    public final static String KEY_RECOVERY_REQUEST_ASYNC =
+-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4";
+     public final static String KEY_RECOVERY_AGENT_LOGIN =
+             "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4";
+-    public final static String KEY_RECOVERY_REQUEST_PROCESSED_ASYNC =
+-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4";
+     public final static String KEY_GEN_ASYMMETRIC =
+             "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3";
+ 
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index 8f55a37..90ef4bc 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+index 670279e..3c29bbf 100644
+--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+@@ -820,8 +820,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+             throws EBaseException {
+ 
+         String auditPublicKey = auditPublicKey(cert);
+-        String auditRecoveryID = "undefined";
+-        String auditMessage = null;
++        RequestId auditRecoveryID = null;
+         String auditSubjectID = auditSubjectID();
+ 
+         IRequestQueue queue = null;
+@@ -838,28 +837,23 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+             r.setRequestStatus(RequestStatus.PENDING);
+             r.setRealm(realm);
+             queue.updateRequest(r);
+-            auditRecoveryID = r.getRequestId().toString();
++            auditRecoveryID = r.getRequestId();
+ 
+             // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_ASYNC,
++            audit(new SecurityDataRecoveryEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+                         auditRecoveryID,
+-                        auditPublicKey);
+-
+-            audit(auditMessage);
++                        null,
++                        auditPublicKey));
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_ASYNC,
+-                        auditSubjectID,
+-                        ILogger.FAILURE,
+-                        auditRecoveryID,
+-                        auditPublicKey);
+-
+-            audit(auditMessage);
+-
++            audit(new SecurityDataRecoveryEvent(
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    auditRecoveryID,
++                    null,
++                    auditPublicKey));
+             throw eAudit1;
+         }
+ 
+@@ -1115,10 +1109,10 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+             String reqID,
+             String password)
+             throws EBaseException {
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+-        String auditRecoveryID = reqID;
++        RequestId auditRecoveryID = new RequestId(reqID);
+         String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
++        KeyId keyID = null;
+ 
+         IRequestQueue queue = null;
+         IRequest r = null;
+@@ -1129,6 +1123,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+         r = queue.findRequest(new RequestId(reqID));
+ 
+         auditAgents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
++        keyID = new KeyId(r.getExtDataInBigInteger("serialNumber"));
+ 
+         // set transient parameters
+         params = createVolatileRequest(r.getRequestId());
+@@ -1147,42 +1142,36 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+                 byte pkcs12[] = (byte[]) params.get(
+                         RecoveryService.ATTR_PKCS12);
+ 
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
++                audit(new SecurityDataRecoveryProcessedEvent(
+                             auditSubjectID,
+                             ILogger.SUCCESS,
+                             auditRecoveryID,
+-                            auditAgents);
+-
+-                audit(auditMessage);
++                            keyID,
++                            null,
++                            auditAgents));
+ 
+                 destroyVolatileRequest(r.getRequestId());
+ 
+                 return pkcs12;
+             } else {
+-                // store a message in the signed audit log file
+-                auditMessage = CMS.getLogMessage(
+-                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
+-                            auditSubjectID,
+-                            ILogger.FAILURE,
+-                            auditRecoveryID,
+-                            auditAgents);
+-
+-                audit(auditMessage);
+-
+-                throw new EBaseException(r.getExtDataInString(IRequest.ERROR));
+-            }
+-        } catch (EBaseException eAudit1) {
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
++                audit(new SecurityDataRecoveryProcessedEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+                         auditRecoveryID,
+-                        auditAgents);
++                        keyID,
++                        r.getExtDataInString(IRequest.ERROR),
++                        auditAgents));
+ 
+-            audit(auditMessage);
++                throw new EBaseException(r.getExtDataInString(IRequest.ERROR));
++            }
++        } catch (EBaseException eAudit1) {
++            audit(new SecurityDataRecoveryProcessedEvent(
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    auditRecoveryID,
++                    keyID,
++                    eAudit1.getMessage(),
++                    auditAgents));
+             throw eAudit1;
+         }
+     }
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index b85310c..5a01e13 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -1991,15 +1991,6 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3=<type=SERVER
+ #
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made
+ #
+-#
+-# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC
+-# - used when asynchronous key recovery request is made
+-# RequestID  must be the recovery request ID
+-# PubKey must be the base-64 encoded public key associated with
+-#    the private key to be recovered
+-#
+-LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=<type=KEY_RECOVERY_REQUEST_ASYNC>:[AuditEvent=KEY_RECOVERY_REQUEST_ASYNC][SubjectID={0}][Outcome={1}][RequestID={2}][PubKey={3}] asynchronous key recovery request made
+-#
+ # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN
+ # - used when DRM agents login as recovery agents to approve
+ #       key recovery requests
+@@ -2009,14 +2000,6 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=<type=KEY_RECOVERY_REQUEST_ASY
+ #
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login
+ #
+-# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
+-# - used when key recovery request is processed
+-# RequestID must be the recovery request ID
+-# RecoveryAgents must be a comma-separated list of
+-#       UIDs of the recovery agents approving this request
+-#
+-LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4=<type=KEY_RECOVERY_REQUEST_PROCESSED_ASYNC>:[AuditEvent=KEY_RECOVERY_REQUEST_PROCESSED_ASYNC][SubjectID={0}][Outcome={1}][RequestID={2}][RecoveryAgents={3}] asynchronous key recovery request processed
+-#
+ # LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC
+ # - used when asymmetric keys are generated
+ #   (like when CA certificate requests are generated -
+-- 
+1.8.3.1
+
+
+From 0df4ba1372e0a5942806fda3b56f0b9ea70c6e05 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Thu, 18 May 2017 01:27:12 -0400
+Subject: [PATCH 06/38] Encapsulate key retrieval audit events
+
+Key retrieval is when the key/secret is extracted and returned
+to the client (once the recovery request is approved).  We combine
+SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events.
+
+Note: an analysis of the key retrieval rest flow (and the auditing
+there will be done in a subsequent patch).
+
+Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  6 --
+ .../logging/event/SecurityDataExportEvent.java     | 70 ++++++++++++++++++++++
+ base/kra/shared/conf/CS.cfg                        |  4 +-
+ .../src/com/netscape/kra/NetkeyKeygenService.java  | 18 +++---
+ .../org/dogtagpki/server/kra/rest/KeyService.java  | 14 ++---
+ .../com/netscape/cms/servlet/key/GetAsyncPk12.java | 25 ++++----
+ .../src/com/netscape/cms/servlet/key/GetPk12.java  | 26 ++++----
+ base/server/cmsbundle/src/LogMessages.properties   | 26 ++------
+ 8 files changed, 117 insertions(+), 72 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 03340e1..45907d0 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -72,10 +72,6 @@ public class AuditEvent implements IBundleLogEvent {
+     public final static String LOG_PATH_CHANGE =
+             "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4";
+ 
+-    public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
+-    public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
+-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
+     public final static String SERVER_SIDE_KEYGEN_REQUEST =
+             "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3";
+     public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS =
+@@ -170,8 +166,6 @@ public class AuditEvent implements IBundleLogEvent {
+ 
+     public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE =
+             "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4";
+-    public final static String SECURITY_DATA_RETRIEVE_KEY =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5";
+     public final static String KEY_STATUS_CHANGE =
+             "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6";
+     public final static String SYMKEY_GENERATION_REQUEST_PROCESSED =
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java
+new file mode 100644
+index 0000000..a2c7939
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java
+@@ -0,0 +1,70 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.dbs.keydb.KeyId;
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class SecurityDataExportEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY";
++
++    public SecurityDataExportEvent(
++            String subjectID,
++            String outcome,
++            RequestId recoveryID,
++            KeyId keyID,
++            String failureReason,
++            String pubKey) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                recoveryID,
++                keyID,
++                failureReason,
++                pubKey
++        });
++    }
++
++    public SecurityDataExportEvent(
++            String subjectID,
++            String outcome,
++            String recoveryID,
++            KeyId keyID,
++            String failureReason,
++            String pubKey) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                recoveryID,
++                keyID,
++                failureReason,
++                pubKey
++        });
++    }
++}
+\ No newline at end of file
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index 90ef4bc..298e35a 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index 5463b92..df42a4f 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -52,6 +52,7 @@ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
++import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+ import com.netscape.certsrv.security.IStorageKeyUnit;
+@@ -356,25 +357,26 @@ public class NetkeyKeygenService implements IService {
+                 if (wrappedPrivKeyString == null) {
+                     request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+                     CMS.debug("NetkeyKeygenService: failed generating wrapped private key");
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
++                    audit(new SecurityDataExportEvent(
+                             agentId,
+                             ILogger.FAILURE,
+                             auditSubjectID,
+-                            PubKey);
++                            null,
++                            "NetkeyKeygenService: failed generating wrapped private key",
++                            PubKey));
+ 
+                     audit(auditMessage);
+                     return false;
+                 } else {
+                     request.setExtData("wrappedUserPrivate", wrappedPrivKeyString);
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
++
++                    audit(new SecurityDataExportEvent(
+                             agentId,
+                             ILogger.SUCCESS,
+                             auditSubjectID,
+-                            PubKey);
+-
+-                    audit(auditMessage);
++                            null,
++                            null,
++                            PubKey));
+                 }
+ 
+                 iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+index 7a21971..87e6f15 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+@@ -62,6 +62,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.kra.IKeyService;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+ import com.netscape.certsrv.request.RequestId;
+@@ -601,15 +602,14 @@ public class KeyService extends SubsystemService implements KeyResource {
+     }
+ 
+     public void auditRetrieveKey(String status, String reason) {
+-        String msg = CMS.getLogMessage(
+-                AuditEvent.SECURITY_DATA_RETRIEVE_KEY,
++        audit(new SecurityDataExportEvent(
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+-                requestId != null ? requestId.toString(): "null",
+-                keyId != null ? keyId.toString(): "null",
+-                (reason != null) ? auditInfo + ";" + reason : auditInfo
+-        );
+-        auditor.log(msg);
++                requestId,
++                keyId,
++                (reason != null) ? auditInfo + ";" + reason : auditInfo,
++                null
++        ));
+     }
+ 
+     public void auditRetrieveKey(String status) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java
+index f0065e1..b28132d 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java
+@@ -35,8 +35,9 @@ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
++import com.netscape.certsrv.request.RequestId;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.common.CMSRequest;
+ import com.netscape.cms.servlet.common.CMSTemplate;
+@@ -207,14 +208,13 @@ public class GetAsyncPk12 extends CMSServlet {
+                     resp.getOutputStream().write(pkcs12);
+                     mRenderResult = false;
+ 
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
++                    audit(new SecurityDataExportEvent(
+                             agent,
+                             ILogger.SUCCESS,
+-                            reqID,
+-                            "");
+-
+-                    audit(auditMessage);
++                            new RequestId(reqID),
++                            null,
++                            null,
++                            null));
+ 
+                     return;
+                 } catch (IOException e) {
+@@ -233,14 +233,13 @@ public class GetAsyncPk12 extends CMSServlet {
+         }
+ 
+         if ((agent != null) && (reqID != null)) {
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
++            audit(new SecurityDataExportEvent(
+                     agent,
+                     ILogger.FAILURE,
+-                    reqID,
+-                    "");
+-
+-            audit(auditMessage);
++                    new RequestId(reqID),
++                    null,
++                    null,
++                    null));
+         }
+ 
+         try {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java
+index 9bb52cd..c878605 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java
+@@ -36,8 +36,9 @@ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
++import com.netscape.certsrv.request.RequestId;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.common.CMSRequest;
+ import com.netscape.cms.servlet.common.CMSTemplate;
+@@ -201,15 +202,13 @@ public class GetPk12 extends CMSServlet {
+                     resp.getOutputStream().write(pkcs12);
+                     mRenderResult = false;
+ 
+-                    auditMessage = CMS.getLogMessage(
+-                            AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
++                    audit(new SecurityDataExportEvent(
+                             agent,
+                             ILogger.SUCCESS,
+-                            recoveryID,
+-                            "");
+-
+-                    audit(auditMessage);
+-
++                            new RequestId(recoveryID),
++                            null,
++                            null,
++                            null));
+                     return;
+                 } catch (IOException e) {
+                     header.addStringValue(OUT_ERROR,
+@@ -227,14 +226,13 @@ public class GetPk12 extends CMSServlet {
+         }
+ 
+         if ((agent != null) && (recoveryID != null)) {
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
++            audit(new SecurityDataExportEvent(
+                     agent,
+                     ILogger.FAILURE,
+-                    recoveryID,
+-                    "");
+-
+-            audit(auditMessage);
++                    new RequestId(recoveryID),
++                    null,
++                    null,
++                    null));
+         }
+ 
+         try {
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 5a01e13..9cdcae6 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -1943,26 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
+ # -- feature disabled --
+ #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=<type=LOG_EXPIRATION_CHANGE>:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
+ #
+-# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
+-# - used when user private key export request is made and processed with success
+-# - this is used in case of server-side keygen when keys generated on the server
+-#   need to be transported back to the client
+-# EntityID must be the id that represents the client
+-# PubKey must be the base-64 encoded public key associated with
+-#    the private key to be archived
+-#
+-LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4=<type=PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] private key export request processed with success
+-#
+-# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
+-# - used when user private key export request is made and processed with failure
+-# - this is used in case of server-side keygen when keys generated on the server
+-#   need to be transported back to the client
+-# EntityID must be the id that represents the client
+-# PubKey must be the base-64 encoded public key associated with
+-#    the private key to be archived
+-#
+-LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4=<type=PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE>:[AuditEvent=PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] private key export request processed with failure
+-#
+ # LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST
+ # - used when server-side key generation request is made
+ #    This is for tokenkeys
+@@ -2476,9 +2456,11 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4=<type=SECURIT
+ #   has been approved.
+ # 
+ # RecoveryID must be the recovery request ID
+-# Operation is the operation performed (approve, reject, cancel etc.)
++# KeyID is the key being retrieved
++# Info is the failure reason if the export fails.
++# PubKey is the public key for the private key being retrieved
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5=<type=SECURITY_DATA_RETRIEVE_KEY>:[AuditEvent=SECURITY_DATA_RETRIEVE_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][Info={4}] security data retrieval request
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=<type=SECURITY_DATA_EXPORT_KEY>:[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][Info={4}][PubKey={5}] security data retrieval request
+ #
+ # LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE
+ # - used when modify key status is executed
+-- 
+1.8.3.1
+
+
+From 8016ed7972d9211e7f0db14e45bc9658a7b292ef Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Mon, 22 May 2017 22:34:58 +0200
+Subject: [PATCH 07/38] Enabling all subsystems on startup.
+
+The operations script has been modified to enable all subsystems
+on startup by default. If the selftest fails, the subsystem will
+be shutdown again automatically as before. A pki.conf option has
+been added to configure this behavior.
+
+https://pagure.io/dogtagpki/issue/2699
+
+Change-Id: Iaf367ba2d88d73f377662eee5eafbb99e088ae50
+---
+ base/common/share/etc/pki.conf                 |  6 +++
+ base/server/python/pki/server/cli/subsystem.py | 58 +++++++++++++++++++-------
+ base/server/scripts/operations                 | 14 +++++--
+ 3 files changed, 59 insertions(+), 19 deletions(-)
+
+diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
+index e9b5522..14bb8dd 100644
+--- a/base/common/share/etc/pki.conf
++++ b/base/common/share/etc/pki.conf
+@@ -60,3 +60,9 @@ export SSL_CIPHERS
+ #    Key Wrapping: AES KeyWrap with Padding
+ KEY_WRAP_PARAMETER_SET=1
+ export KEY_WRAP_PARAMETER_SET
++
++# Auto-enable subsystems
++# This boolean parameter determines whether to automatically enable all
++# subsystems on startup.
++PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS="true"
++export PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS
+diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
+index ee5d2d2..8395bd2 100644
+--- a/base/server/python/pki/server/cli/subsystem.py
++++ b/base/server/python/pki/server/cli/subsystem.py
+@@ -200,7 +200,7 @@ class SubsystemEnableCLI(pki.cli.CLI):
+ 
+         try:
+             opts, args = getopt.gnu_getopt(argv, 'i:v', [
+-                'instance=',
++                'instance=', 'all',
+                 'verbose', 'help'])
+ 
+         except getopt.GetoptError as e:
+@@ -209,11 +209,15 @@ class SubsystemEnableCLI(pki.cli.CLI):
+             sys.exit(1)
+ 
+         instance_name = 'pki-tomcat'
++        all_subsystems = False
+ 
+         for o, a in opts:
+             if o in ('-i', '--instance'):
+                 instance_name = a
+ 
++            elif o == '--all':
++                all_subsystems = True
++
+             elif o in ('-v', '--verbose'):
+                 self.set_verbose(True)
+ 
+@@ -226,13 +230,6 @@ class SubsystemEnableCLI(pki.cli.CLI):
+                 self.usage()
+                 sys.exit(1)
+ 
+-        if len(args) != 1:
+-            print('ERROR: missing subsystem ID')
+-            self.usage()
+-            sys.exit(1)
+-
+-        subsystem_name = args[0]
+-
+         instance = pki.server.PKIInstance(instance_name)
+ 
+         if not instance.is_valid():
+@@ -241,6 +238,22 @@ class SubsystemEnableCLI(pki.cli.CLI):
+ 
+         instance.load()
+ 
++        if all_subsystems:
++            for subsystem in instance.subsystems:
++                if not subsystem.is_enabled():
++                    subsystem.enable()
++
++            self.print_message('Enabled all subsystems')
++
++            return
++
++        if len(args) != 1:
++            print('ERROR: missing subsystem ID')
++            self.usage()
++            sys.exit(1)
++
++        subsystem_name = args[0]
++
+         subsystem = instance.get_subsystem(subsystem_name)
+         if not subsystem:
+             print('ERROR: No %s subsystem in instance '
+@@ -276,7 +289,7 @@ class SubsystemDisableCLI(pki.cli.CLI):
+ 
+         try:
+             opts, args = getopt.gnu_getopt(argv, 'i:v', [
+-                'instance=',
++                'instance=', 'all',
+                 'verbose', 'help'])
+ 
+         except getopt.GetoptError as e:
+@@ -285,11 +298,15 @@ class SubsystemDisableCLI(pki.cli.CLI):
+             sys.exit(1)
+ 
+         instance_name = 'pki-tomcat'
++        all_subsystems = False
+ 
+         for o, a in opts:
+             if o in ('-i', '--instance'):
+                 instance_name = a
+ 
++            elif o == '--all':
++                all_subsystems = True
++
+             elif o in ('-v', '--verbose'):
+                 self.set_verbose(True)
+ 
+@@ -302,13 +319,6 @@ class SubsystemDisableCLI(pki.cli.CLI):
+                 self.usage()
+                 sys.exit(1)
+ 
+-        if len(args) != 1:
+-            print('ERROR: missing subsystem ID')
+-            self.usage()
+-            sys.exit(1)
+-
+-        subsystem_name = args[0]
+-
+         instance = pki.server.PKIInstance(instance_name)
+ 
+         if not instance.is_valid():
+@@ -317,6 +327,22 @@ class SubsystemDisableCLI(pki.cli.CLI):
+ 
+         instance.load()
+ 
++        if all_subsystems:
++            for subsystem in instance.subsystems:
++                if subsystem.is_enabled():
++                    subsystem.disable()
++
++            self.print_message('Disabled all subsystems')
++
++            return
++
++        if len(args) != 1:
++            print('ERROR: missing subsystem ID')
++            self.usage()
++            sys.exit(1)
++
++        subsystem_name = args[0]
++
+         subsystem = instance.get_subsystem(subsystem_name)
+         if not subsystem:
+             print('ERROR: No %s subsystem in instance '
+diff --git a/base/server/scripts/operations b/base/server/scripts/operations
+index 5b50178..907dd0e 100644
+--- a/base/server/scripts/operations
++++ b/base/server/scripts/operations
+@@ -30,11 +30,14 @@
+ #  200-254 reserved
+ #
+ 
+-# Read default PKI configuration.
++# default PKI configuration
+ . /usr/share/pki/etc/pki.conf
+ 
+-# Read user-defined PKI configuration.
+-. /etc/pki/pki.conf
++# system-wide PKI configuration
++if [ -f /etc/pki/pki.conf ]
++then
++    . /etc/pki/pki.conf
++fi
+ 
+ default_error=0
+ 
+@@ -1294,6 +1297,11 @@ EOF
+         /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \
+         /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy
+ 
++    if [ "${PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS}" = "true" ] ; then
++        # enable all subsystems
++        pki-server subsystem-enable -i "$PKI_INSTANCE_NAME" --all
++    fi
++
+     # We no longer start tomcat instances here.
+     # instead we rely on the tomcat unit scripts
+ 
+-- 
+1.8.3.1
+
+
+From 3027b565320c96857b7f7fdffed9a5fbec084bab Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Thu, 18 May 2017 16:05:07 -0400
+Subject: [PATCH 08/38] Fix auditing in retrieveKey
+
+The auditing in retrieveKey is all messed up.
+* Added new audit event to track accesses to KeyInfo queries.
+  They may produce a lot of events, especially if events are
+  generated for every listing of data.  By default, this event
+  may be turned off.
+* Added audit events for generation and processing of key
+  recovery requests.
+
+Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182
+---
+ .../logging/event/SecurityDataInfoEvent.java       | 49 ++++++++++++
+ base/kra/shared/conf/CS.cfg                        |  2 +-
+ .../org/dogtagpki/server/kra/rest/KeyService.java  | 88 +++++++++++++++++-----
+ base/server/cmsbundle/src/LogMessages.properties   | 12 ++-
+ 4 files changed, 132 insertions(+), 19 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java
+new file mode 100644
+index 0000000..82c049e
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java
+@@ -0,0 +1,49 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.dbs.keydb.KeyId;
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class SecurityDataInfoEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO";
++
++    public SecurityDataInfoEvent(
++            String subjectID,
++            String outcome,
++            KeyId keyID,
++            String clientKeyID,
++            String failureReason,
++            String pubKey) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                keyID,
++                clientKeyID,
++                failureReason,
++                pubKey
++        });
++    }
++}
+\ No newline at end of file
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index 298e35a..4b6ff74 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -300,7 +300,7 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+index 87e6f15..52799e6 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+@@ -63,6 +63,9 @@ import com.netscape.certsrv.kra.IKeyService;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
++import com.netscape.certsrv.logging.event.SecurityDataInfoEvent;
++import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
++import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+ import com.netscape.certsrv.request.RequestId;
+@@ -92,6 +95,7 @@ public class KeyService extends SubsystemService implements KeyResource {
+     private RequestId requestId;
+     private KeyId keyId;
+     private String auditInfo;
++    private String approvers;
+ 
+     public KeyService() {
+         kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" );
+@@ -112,12 +116,14 @@ public class KeyService extends SubsystemService implements KeyResource {
+     @Override
+     public Response retrieveKey(KeyRecoveryRequest data) {
+         try {
+-            return retrieveKeyImpl(data);
++            Response response = retrieveKeyImpl(data);
++            auditRetrieveKey(ILogger.SUCCESS);
++            return response;
+         } catch(RuntimeException e) {
+-            auditError(e.getMessage());
++            auditRetrieveKeyError(e.getMessage());
+             throw e;
+         } catch (Exception e) {
+-            auditError(e.getMessage());
++            auditRetrieveKeyError(e.getMessage());
+             throw new PKIException(e.getMessage(), e);
+         }
+     }
+@@ -191,17 +197,20 @@ public class KeyService extends SubsystemService implements KeyResource {
+                 try {
+                     queue.updateRequest(request);
+                 } catch (EBaseException e) {
++                    auditRecoveryRequest(ILogger.FAILURE);
+                     e.printStackTrace();
+                     throw new PKIException(e.getMessage(), e);
+                 }
+ 
+                 CMS.debug("Returning created recovery request");
+-                auditRetrieveKey(ILogger.SUCCESS, "Created recovery request");
++                auditRecoveryRequest(ILogger.SUCCESS);
+ 
+                 KeyData keyData = new KeyData();
+                 keyData.setRequestID(requestId);
+                 return createOKResponse(keyData);
+             }
++
++            auditRecoveryRequest(ILogger.SUCCESS);
+         }
+ 
+         data.setRequestId(requestId);
+@@ -226,15 +235,19 @@ public class KeyService extends SubsystemService implements KeyResource {
+                     throw new BadRequestException("Invalid request type: " + type);
+             }
+         } catch (Exception e) {
++            auditRecoveryRequestProcessed(ILogger.FAILURE, e.getMessage());
+             throw new PKIException(e.getMessage(), e);
+         }
+ 
+         if (keyData == null) {
++            auditRecoveryRequestProcessed(ILogger.FAILURE, "No key record");
+             throw new HTTPGoneException("No key record.");
+         }
+ 
++        approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
++        auditRecoveryRequestProcessed(ILogger.SUCCESS, null);
++
+         CMS.debug("KeyService: key retrieved");
+-        auditRetrieveKey(ILogger.SUCCESS);
+         return createOKResponse(keyData);
+     }
+ 
+@@ -408,10 +421,8 @@ public class KeyService extends SubsystemService implements KeyResource {
+         try {
+             return createOKResponse(listKeyInfos(clientKeyID, status, maxResults, maxTime, start, size, realm));
+         } catch (RuntimeException e) {
+-            auditError(e.getMessage());
+             throw e;
+         } catch (Exception e) {
+-            auditError(e.getMessage());
+             throw new PKIException(e.getMessage(), e);
+         }
+     }
+@@ -449,7 +460,6 @@ public class KeyService extends SubsystemService implements KeyResource {
+         try {
+             Enumeration<IKeyRecord> e = repo.searchKeys(filter, maxResults, maxTime);
+             if (e == null) {
+-                auditRetrieveKey(ILogger.SUCCESS);
+                 return infos;
+             }
+ 
+@@ -458,7 +468,11 @@ public class KeyService extends SubsystemService implements KeyResource {
+             while (e.hasMoreElements()) {
+                 IKeyRecord rec = e.nextElement();
+                 if (rec == null) continue;
+-                results.add(createKeyDataInfo(rec, false));
++
++                KeyInfo info = createKeyDataInfo(rec, false);
++                results.add(info);
++
++                auditKeyInfoSuccess(info.getKeyId(), null);
+             }
+ 
+             int total = results.size();
+@@ -482,7 +496,6 @@ public class KeyService extends SubsystemService implements KeyResource {
+         } catch (EBaseException e) {
+             throw new PKIException(e.getMessage(), e);
+         }
+-        auditRetrieveKey(ILogger.SUCCESS);
+ 
+         return infos;
+     }
+@@ -492,10 +505,10 @@ public class KeyService extends SubsystemService implements KeyResource {
+         try {
+             return getActiveKeyInfoImpl(clientKeyID);
+         } catch (RuntimeException e) {
+-            auditError(e.getMessage());
++            auditKeyInfoError(null, clientKeyID, e.getMessage());
+             throw e;
+         } catch (Exception e) {
+-            auditError(e.getMessage());
++            auditKeyInfoError(null, clientKeyID, e.getMessage());
+             throw new PKIException(e.getMessage(), e);
+         }
+     }
+@@ -531,7 +544,7 @@ public class KeyService extends SubsystemService implements KeyResource {
+                     throw new PKIException(e.toString(), e);
+                 }
+ 
+-                auditRetrieveKey(ILogger.SUCCESS);
++                auditKeyInfoSuccess(info.getKeyId(), clientKeyID);
+ 
+                 return createOKResponse(info);
+             }
+@@ -616,11 +629,31 @@ public class KeyService extends SubsystemService implements KeyResource {
+         auditRetrieveKey(status, null);
+     }
+ 
+-    public void auditError(String message) {
++    public void auditRetrieveKeyError(String message) {
+         CMS.debug(message);
+         auditRetrieveKey(ILogger.FAILURE, message);
+     }
+ 
++    public void auditKeyInfo(KeyId keyId, String clientKeyId, String status, String reason) {
++        audit(new SecurityDataInfoEvent(
++                servletRequest.getUserPrincipal().getName(),
++                status,
++                keyId,
++                clientKeyId,
++                (reason != null) ? auditInfo + ";" + reason : auditInfo,
++                null
++        ));
++    }
++
++    public void auditKeyInfoSuccess(KeyId keyid, String clientKeyId) {
++        auditKeyInfo(keyId, clientKeyId, ILogger.SUCCESS, null);
++    }
++
++    public void auditKeyInfoError(KeyId keyId, String clientKeyId, String message) {
++        CMS.debug(message);
++        auditKeyInfo(keyId, clientKeyId, ILogger.FAILURE, message);
++    }
++
+     public void auditKeyStatusChange(String status, String keyID, String oldKeyStatus,
+             String newKeyStatus, String info) {
+         String msg = CMS.getLogMessage(
+@@ -634,6 +667,27 @@ public class KeyService extends SubsystemService implements KeyResource {
+         auditor.log(msg);
+     }
+ 
++    public void auditRecoveryRequest(String status) {
++        audit(new SecurityDataRecoveryEvent(
++                servletRequest.getUserPrincipal().getName(),
++                status,
++                requestId,
++                keyId,
++                null
++        ));
++    }
++
++    public void auditRecoveryRequestProcessed(String status, String reason) {
++        audit(new SecurityDataRecoveryProcessedEvent(
++                servletRequest.getUserPrincipal().getName(),
++                status,
++                requestId,
++                keyId,
++                (reason != null) ? auditInfo + ";" + reason : auditInfo,
++                approvers
++        ));
++    }
++
+     /**
+      * Used to retrieve a key
+      * @param data
+@@ -697,10 +751,10 @@ public class KeyService extends SubsystemService implements KeyResource {
+         try {
+             return getKeyInfoImpl(keyId);
+         } catch (RuntimeException e) {
+-            auditError(e.getMessage());
++            auditKeyInfoError(keyId, null, e.getMessage());
+             throw e;
+         } catch (Exception e) {
+-            auditError(e.getMessage());
++            auditKeyInfoError(keyId, null, e.getMessage());
+             throw new PKIException(e.getMessage(), e);
+         }
+     }
+@@ -715,7 +769,7 @@ public class KeyService extends SubsystemService implements KeyResource {
+             rec = repo.readKeyRecord(keyId.toBigInteger());
+             authz.checkRealm(rec.getRealm(), getAuthToken(), rec.getOwnerName(), "certServer.kra.key", "read");
+             KeyInfo info = createKeyDataInfo(rec, true);
+-            auditRetrieveKey(ILogger.SUCCESS);
++            auditKeyInfoSuccess(keyId, null);
+ 
+             return createOKResponse(info);
+         } catch (EAuthzAccessDenied e) {
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 9cdcae6..3b998d9 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2451,7 +2451,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=<type=SECURITY_DATA_RECOVERY
+ #
+ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4=<type=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change
+ #
+-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY
++# LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY
+ # - used when user attempts to retrieve key after the recovery request 
+ #   has been approved.
+ # 
+@@ -2462,6 +2462,16 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4=<type=SECURIT
+ #
+ LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=<type=SECURITY_DATA_EXPORT_KEY>:[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][Info={4}][PubKey={5}] security data retrieval request
+ #
++# LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO
++# - used when user attempts to get metadata information about a key 
++# 
++# RecoveryID must be the recovery request ID
++# KeyID is the key being retrieved
++# Info is the failure reason if the export fails.
++# PubKey is the public key for the private key being retrieved
++#
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=<type=SECURITY_DATA_INFO>:[AuditEvent=SECURITY_DATA_INFO][SubjectID={0}][Outcome={1}][KeyID={2}][ClientKeyId={3}[Info={4}][PubKey={5}] security data info request
++#
+ # LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE
+ # - used when modify key status is executed
+ # keyID must be an existing key id in the database
+-- 
+1.8.3.1
+
+
+From f40d0aaf446b162994e9c8598a7b00a6d4c906f2 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Tue, 23 May 2017 10:01:47 -0400
+Subject: [PATCH 09/38] Encapsulate recovery request approval audit logs
+
+The audit logs where an agent grants an asynchronous recovery request
+and the case where recovery request is appproved from the REST API
+are consolidated and encapsulated in a class.
+
+Change-Id: I237c1dcfc413012d421f3ccc64e21c7caf5a7701
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  2 -
+ .../SecurityDataRecoveryStateChangeEvent.java      | 45 +++++++++++++++
+ .../server/kra/rest/KeyRequestService.java         |  9 ++-
+ .../cms/servlet/key/GrantAsyncRecovery.java        | 65 ++++------------------
+ base/server/cmsbundle/src/LogMessages.properties   |  2 +-
+ 5 files changed, 61 insertions(+), 62 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 45907d0..891398d 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -164,8 +164,6 @@ public class AuditEvent implements IBundleLogEvent {
+     public final static String CONFIG_SERIAL_NUMBER =
+             "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1";
+ 
+-    public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE =
+-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4";
+     public final static String KEY_STATUS_CHANGE =
+             "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6";
+     public final static String SYMKEY_GENERATION_REQUEST_PROCESSED =
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java
+new file mode 100644
+index 0000000..d0e97f8
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java
+@@ -0,0 +1,45 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class SecurityDataRecoveryStateChangeEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE";
++
++    public SecurityDataRecoveryStateChangeEvent(
++            String subjectID,
++            String outcome,
++            RequestId recoveryID,
++            String operation) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                recoveryID,
++                operation
++        });
++    }
++}
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+index a2d01f1..12040e0 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+@@ -52,6 +52,7 @@ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
++import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent;
+ import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.request.RequestNotFoundException;
+ import com.netscape.cms.realm.PKIPrincipal;
+@@ -336,13 +337,11 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
+     }
+ 
+     public void auditRecoveryRequestChange(RequestId requestId, String status, String operation) {
+-        String msg = CMS.getLogMessage(
+-                AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,
++        audit(new SecurityDataRecoveryStateChangeEvent(
+                 getRequestor(),
+                 status,
+-                requestId.toString(),
+-                operation);
+-        auditor.log(msg);
++                requestId,
++                operation));
+     }
+ 
+     public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java
+index c410525..2a50067 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java
+@@ -34,8 +34,9 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.kra.IKeyService;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent;
++import com.netscape.certsrv.request.RequestId;
+ import com.netscape.cms.servlet.base.CMSServlet;
+ import com.netscape.cms.servlet.common.CMSRequest;
+ import com.netscape.cms.servlet.common.CMSTemplate;
+@@ -194,32 +195,7 @@ public class GrantAsyncRecovery extends CMSServlet {
+             String agentID,
+             HttpServletRequest req, HttpServletResponse resp,
+             Locale locale) {
+-        String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+-        String auditRequestID = reqID;
+-        String auditAgentID = agentID;
+-
+-        // "normalize" the "reqID"
+-        if (auditRequestID != null) {
+-            auditRequestID = auditRequestID.trim();
+-
+-            if (auditRequestID.equals("")) {
+-                auditRequestID = ILogger.UNIDENTIFIED;
+-            }
+-        } else {
+-            auditRequestID = ILogger.UNIDENTIFIED;
+-        }
+-
+-        // "normalize" the "auditAgentID"
+-        if (auditAgentID != null) {
+-            auditAgentID = auditAgentID.trim();
+-
+-            if (auditAgentID.equals("")) {
+-                auditAgentID = ILogger.UNIDENTIFIED;
+-            }
+-        } else {
+-            auditAgentID = ILogger.UNIDENTIFIED;
+-        }
+ 
+         try {
+             header.addStringValue(OUT_OP,
+@@ -233,40 +209,21 @@ public class GrantAsyncRecovery extends CMSServlet {
+             header.addStringValue("requestID", reqID);
+             header.addStringValue("agentID", agentID);
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
+-                        auditSubjectID,
+-                        ILogger.SUCCESS,
+-                        auditRequestID,
+-                        auditAgentID);
+ 
+-            audit(auditMessage);
+-
+-        } catch (EBaseException e) {
+-            header.addStringValue(OUT_ERROR, e.toString(locale));
+-
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
++            audit(new SecurityDataRecoveryStateChangeEvent(
+                         auditSubjectID,
+-                        ILogger.FAILURE,
+-                        auditRequestID,
+-                        auditAgentID);
++                        ILogger.SUCCESS,
++                        new RequestId(reqID),
++                        "approve"));
+ 
+-            audit(auditMessage);
+         } catch (Exception e) {
+             header.addStringValue(OUT_ERROR, e.toString());
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
+-                        auditSubjectID,
+-                        ILogger.FAILURE,
+-                        auditRequestID,
+-                        auditAgentID);
+-
+-            audit(auditMessage);
++            audit(new SecurityDataRecoveryStateChangeEvent(
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    new RequestId(reqID),
++                    "approve"));
+         }
+     }
+ }
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 3b998d9..44eec23 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2449,7 +2449,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=<type=SECURITY_DATA_RECOVERY
+ # RecoveryID must be the recovery request ID
+ # Operation is the operation performed (approve, reject, cancel etc.)
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4=<type=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=<type=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change
+ #
+ # LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY
+ # - used when user attempts to retrieve key after the recovery request 
+-- 
+1.8.3.1
+
+
+From 6dd0800d8bb24d9d2d3f9e377a90f641612c7c78 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 20 May 2017 02:37:18 +0200
+Subject: [PATCH 10/38] Moved TokenServlet into pki-tks package.
+
+The TokenServlet has been moved into pki-tks package in order to
+use the JssSubsystem in pki-cmscore package.
+
+Some constants in SecureChannelProtocol have been made public so
+they can be accessed by the TokenServlet.
+
+https://pagure.io/dogtagpki/issue/2695
+
+Change-Id: I5542e5dcf09c3d081a131af042d833203bcc086c
+---
+ .../cms/servlet/tks/SecureChannelProtocol.java     |   27 +-
+ .../com/netscape/cms/servlet/tks/TokenServlet.java | 3223 -------------------
+ base/tks/shared/webapps/tks/WEB-INF/web.xml        |    8 +-
+ .../dogtagpki/server/tks/servlet/TokenServlet.java | 3226 ++++++++++++++++++++
+ 4 files changed, 3244 insertions(+), 3240 deletions(-)
+ delete mode 100644 base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
+ create mode 100644 base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
+index ef0c61b..0542470 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
+@@ -25,12 +25,12 @@ import org.mozilla.jss.crypto.SymmetricKey.NotExtractableException;
+ import org.mozilla.jss.crypto.SymmetricKeyDeriver;
+ import org.mozilla.jss.crypto.TokenException;
+ 
+-import sun.security.pkcs11.wrapper.PKCS11Constants;
+-
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+ 
++import sun.security.pkcs11.wrapper.PKCS11Constants;
++
+ public class SecureChannelProtocol {
+ 
+     static String sharedSecretKeyName = null;
+@@ -47,17 +47,18 @@ public class SecureChannelProtocol {
+     static final String DEFKEYSET_NAME = "defKeySet";
+     static int protocol = 1;
+ 
+-    static final String encType = "enc";
+-    static final String macType = "mac";
+-    static final String kekType = "kek";
+-    static final String authType = "auth";
+-    static final String dekType = "dek";
+-    static final String rmacType = "rmac";
+-    static final int PROTOCOL_ONE = 1;
+-    static final int PROTOCOL_TWO = 2;
+-    static final int PROTOCOL_THREE = 3;
+-    static final int HOST_CRYPTOGRAM = 0;
+-    static final int CARD_CRYPTOGRAM = 1;
++    public static final String encType = "enc";
++    public static final String macType = "mac";
++    public static final String kekType = "kek";
++    public static final String authType = "auth";
++    public static final String dekType = "dek";
++    public static final String rmacType = "rmac";
++    public static final int PROTOCOL_ONE = 1;
++    public static final int PROTOCOL_TWO = 2;
++    public static final int PROTOCOL_THREE = 3;
++    public static final int HOST_CRYPTOGRAM = 0;
++    public static final int CARD_CRYPTOGRAM = 1;
++
+     //Size of long type in bytes, since java7 has no define for this
+     static final int LONG_SIZE = 8;
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
+deleted file mode 100644
+index 1377055..0000000
+--- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
++++ /dev/null
+@@ -1,3223 +0,0 @@
+-// --- BEGIN COPYRIGHT BLOCK ---
+-// This program is free software; you can redistribute it and/or modify
+-// it under the terms of the GNU General Public License as published by
+-// the Free Software Foundation; version 2 of the License.
+-//
+-// This program is distributed in the hope that it will be useful,
+-// but WITHOUT ANY WARRANTY; without even the implied warranty of
+-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-// GNU General Public License for more details.
+-//
+-// You should have received a copy of the GNU General Public License along
+-// with this program; if not, write to the Free Software Foundation, Inc.,
+-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+-//
+-// (C) 2007 Red Hat, Inc.
+-// All rights reserved.
+-// --- END COPYRIGHT BLOCK ---
+-package com.netscape.cms.servlet.tks;
+-
+-import java.io.ByteArrayOutputStream;
+-import java.io.IOException;
+-import java.io.OutputStream;
+-import java.security.PublicKey;
+-import java.security.SecureRandom;
+-import java.util.ArrayList;
+-import java.util.StringTokenizer;
+-
+-import javax.servlet.ServletConfig;
+-import javax.servlet.ServletException;
+-import javax.servlet.http.HttpServletRequest;
+-import javax.servlet.http.HttpServletResponse;
+-
+-import org.dogtagpki.server.connector.IRemoteRequest;
+-import org.mozilla.jss.CryptoManager;
+-import org.mozilla.jss.CryptoManager.NotInitializedException;
+-import org.mozilla.jss.crypto.CryptoToken;
+-import org.mozilla.jss.crypto.KeyWrapAlgorithm;
+-import org.mozilla.jss.crypto.KeyWrapper;
+-import org.mozilla.jss.crypto.SymmetricKey;
+-import org.mozilla.jss.crypto.X509Certificate;
+-import org.mozilla.jss.pkcs11.PK11SymKey;
+-
+-import com.netscape.certsrv.apps.CMS;
+-import com.netscape.certsrv.authentication.IAuthToken;
+-import com.netscape.certsrv.authorization.AuthzToken;
+-import com.netscape.certsrv.base.EBaseException;
+-import com.netscape.certsrv.base.IConfigStore;
+-import com.netscape.certsrv.base.IPrettyPrintFormat;
+-import com.netscape.certsrv.base.SessionContext;
+-import com.netscape.certsrv.logging.AuditEvent;
+-import com.netscape.certsrv.logging.ILogger;
+-import com.netscape.cms.servlet.base.CMSServlet;
+-import com.netscape.cms.servlet.common.CMSRequest;
+-import com.netscape.cmsutil.crypto.CryptoUtil;
+-import com.netscape.symkey.SessionKey;
+-
+-/**
+- * A class representings an administration servlet for Token Key
+- * Service Authority. This servlet is responsible to serve
+- * tks administrative operation such as configuration
+- * parameter updates.
+- *
+- * @version $Revision$, $Date$
+- */
+-public class TokenServlet extends CMSServlet {
+-    /**
+-     *
+-     */
+-    private static final long serialVersionUID = 8687436109695172791L;
+-    protected static final String PROP_ENABLED = "enabled";
+-    protected static final String TRANSPORT_KEY_NAME = "sharedSecret";
+-    private final static String INFO = "TokenServlet";
+-    public static int ERROR = 1;
+-    String mKeyNickName = null;
+-    String mNewKeyNickName = null;
+-    String mCurrentUID = null;
+-    IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":");
+-
+-    // Derivation Constants for SCP02
+-    public final static byte[] C_MACDerivationConstant = { (byte) 0x01, (byte) 0x01 };
+-    public final static byte[] ENCDerivationConstant = { 0x01, (byte) 0x82 };
+-    public final static byte[] DEKDerivationConstant = { 0x01, (byte) 0x81 };
+-    public final static byte[] R_MACDerivationConstant = { 0x01, 0x02 };
+-
+-    /**
+-     * Constructs tks servlet.
+-     */
+-    public TokenServlet() {
+-        super();
+-
+-    }
+-
+-    public static String trim(String a) {
+-        StringBuffer newa = new StringBuffer();
+-        StringTokenizer tokens = new StringTokenizer(a, "\n");
+-        while (tokens.hasMoreTokens()) {
+-            newa.append(tokens.nextToken());
+-        }
+-        return newa.toString();
+-    }
+-
+-    public void init(ServletConfig config) throws ServletException {
+-        super.init(config);
+-    }
+-
+-    /**
+-     * Returns serlvet information.
+-     *
+-     * @return name of this servlet
+-     */
+-    public String getServletInfo() {
+-        return INFO;
+-    }
+-
+-    /**
+-     * Process the HTTP request.
+-     *
+-     * @param s The URL to decode.
+-     */
+-    protected String URLdecode(String s) {
+-        if (s == null)
+-            return null;
+-        ByteArrayOutputStream out = new ByteArrayOutputStream(s.length());
+-
+-        for (int i = 0; i < s.length(); i++) {
+-            int c = s.charAt(i);
+-
+-            if (c == '+') {
+-                out.write(' ');
+-            } else if (c == '%') {
+-                int c1 = Character.digit(s.charAt(++i), 16);
+-                int c2 = Character.digit(s.charAt(++i), 16);
+-
+-                out.write((char) (c1 * 16 + c2));
+-            } else {
+-                out.write(c);
+-            }
+-        } // end for
+-        return out.toString();
+-    }
+-
+-    private void setDefaultSlotAndKeyName(HttpServletRequest req) {
+-        try {
+-
+-            String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
+-            if (keySet == null || keySet.equals("")) {
+-                keySet = "defKeySet";
+-            }
+-            CMS.debug("keySet selected: " + keySet);
+-
+-            String masterKeyPrefix = CMS.getConfigStore().getString("tks.master_key_prefix", null);
+-            String temp = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); //#xx#xx
+-            String keyInfoMap = "tks." + keySet + ".mk_mappings." + temp;
+-            String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
+-            if (mappingValue != null) {
+-                StringTokenizer st = new StringTokenizer(mappingValue, ":");
+-                int tokenNumber = 0;
+-                while (st.hasMoreTokens()) {
+-
+-                    String currentToken = st.nextToken();
+-                    if (tokenNumber == 1)
+-                        mKeyNickName = currentToken;
+-                    tokenNumber++;
+-
+-                }
+-            }
+-            if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) // for diversification
+-            {
+-                temp = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); //#xx#xx
+-                String newKeyInfoMap = "tks." + keySet + ".mk_mappings." + temp;
+-                String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null);
+-                if (newMappingValue != null) {
+-                    StringTokenizer st = new StringTokenizer(newMappingValue, ":");
+-                    int tokenNumber = 0;
+-                    while (st.hasMoreTokens()) {
+-                        String currentToken = st.nextToken();
+-                        if (tokenNumber == 1)
+-                            mNewKeyNickName = currentToken;
+-                        tokenNumber++;
+-
+-                    }
+-                }
+-            }
+-
+-            CMS.debug("Setting masteter keky prefix to: " + masterKeyPrefix);
+-
+-            SecureChannelProtocol.setDefaultPrefix(masterKeyPrefix);
+-            /*SessionKey.SetDefaultPrefix(masterKeyPrefix);*/
+-
+-        } catch (Exception e) {
+-            e.printStackTrace();
+-            CMS.debug("Exception in TokenServlet::setDefaultSlotAndKeyName");
+-        }
+-
+-    }
+-
+-    // AC: KDF SPEC CHANGE - read new setting value from config file
+-    // (This value allows configuration of which master keys use the NIST SP800-108 KDF and which use the original KDF for backwards compatibility)
+-    // CAREFUL:  Result returned may be negative due to java's lack of unsigned types.
+-    //           Negative values need to be treated as higher key numbers than positive key numbers.
+-    private static byte read_setting_nistSP800_108KdfOnKeyVersion(String keySet) throws Exception {
+-        String nistSP800_108KdfOnKeyVersion_map = "tks." + keySet + ".nistSP800-108KdfOnKeyVersion";
+-        // KDF phase1: default to 00
+-        String nistSP800_108KdfOnKeyVersion_value =
+-                CMS.getConfigStore().getString(nistSP800_108KdfOnKeyVersion_map, "00" /*null*/);
+-        short nistSP800_108KdfOnKeyVersion_short = 0;
+-        // if value does not exist in file
+-        if (nistSP800_108KdfOnKeyVersion_value == null) {
+-            // throw
+-            //  (we want admins to pay attention to this configuration item rather than guessing for them)
+-            throw new Exception("Required configuration value \"" + nistSP800_108KdfOnKeyVersion_map
+-                    + "\" missing from configuration file.");
+-        }
+-        // convert setting value (in ASCII-hex) to short
+-        try {
+-            nistSP800_108KdfOnKeyVersion_short = Short.parseShort(nistSP800_108KdfOnKeyVersion_value, 16);
+-            if ((nistSP800_108KdfOnKeyVersion_short < 0) || (nistSP800_108KdfOnKeyVersion_short > (short) 0x00FF)) {
+-                throw new Exception("Out of range.");
+-            }
+-        } catch (Throwable t) {
+-            throw new Exception("Configuration value \"" + nistSP800_108KdfOnKeyVersion_map
+-                    + "\" is in incorrect format. " +
+-                    "Correct format is \"" + nistSP800_108KdfOnKeyVersion_map
+-                    + "=xx\" where xx is key version specified in ASCII-HEX format.", t);
+-        }
+-        // convert to byte (anything higher than 0x7F is represented as a negative)
+-        byte nistSP800_108KdfOnKeyVersion_byte = (byte) nistSP800_108KdfOnKeyVersion_short;
+-        return nistSP800_108KdfOnKeyVersion_byte;
+-    }
+-
+-    // AC: KDF SPEC CHANGE - read new setting value from config file
+-    // (This value allows configuration of the NIST SP800-108 KDF:
+-    //   If "true" we use the CUID parameter within the NIST SP800-108 KDF.
+-    //   If "false" we use the KDD parameter within the NIST SP800-108 KDF.
+-    private static boolean read_setting_nistSP800_108KdfUseCuidAsKdd(String keySet) throws Exception {
+-        String setting_map = "tks." + keySet + ".nistSP800-108KdfUseCuidAsKdd";
+-        // KDF phase1: default to "false"
+-        String setting_str =
+-                CMS.getConfigStore().getString(setting_map, "false" /*null*/);
+-        boolean setting_boolean = false;
+-        // if value does not exist in file
+-        if (setting_str == null) {
+-            // throw
+-            //  (we want admins to pay attention to this configuration item rather than guessing for them)
+-            throw new Exception("Required configuration value \"" + setting_map + "\" missing from configuration file.");
+-        }
+-        // convert setting value to boolean
+-        try {
+-            setting_boolean = Boolean.parseBoolean(setting_str);
+-        } catch (Throwable t) {
+-            throw new Exception("Configuration value \"" + setting_map
+-                    + "\" is in incorrect format.  Should be either \"true\" or \"false\".", t);
+-        }
+-        return setting_boolean;
+-    }
+-
+-    // AC: KDF SPEC CHANGE - Audit logging helper functions.
+-    // Converts a byte array to an ASCII-hex string.
+-    //   We implemented this ourselves rather than using this.pp.toHexArray() because
+-    //   the team preferred CUID and KDD strings to be without ":" separators every byte.
+-    final char[] bytesToHex_hexArray = "0123456789ABCDEF".toCharArray();
+-
+-    private String bytesToHex(byte[] bytes) {
+-        char[] hexChars = new char[bytes.length * 2];
+-        for (int i = 0; i < bytes.length; i++) {
+-            int thisChar = bytes[i] & 0x000000FF;
+-            hexChars[i * 2] = bytesToHex_hexArray[thisChar >>> 4]; // div 16
+-            hexChars[i * 2 + 1] = bytesToHex_hexArray[thisChar & 0x0F];
+-        }
+-        return new String(hexChars);
+-    }
+-
+-    // AC: KDF SPEC CHANGE - Audit logging helper functions.
+-    // Safely converts a keyInfo byte array to a Key version hex string in the format: 0xa
+-    // Since key version is always the first byte, this function returns the unsigned hex string representation of parameter[0].
+-    //   Returns "null" if parameter is null.
+-    //   Returns "invalid" if parameter.length < 1
+-    private String log_string_from_keyInfo(byte[] xkeyInfo) {
+-        return (xkeyInfo == null) ? "null" : (xkeyInfo.length < 1 ? "invalid" : "0x"
+-                + Integer.toHexString((xkeyInfo[0]) & 0x000000FF));
+-    }
+-
+-    // AC: KDF SPEC CHANGE - Audit logging helper functions.
+-    // Safely converts a byte array containing specialDecoded information to an ASCII-hex string.
+-    // Parameters:
+-    //   specialDecoded - byte array containing data.  May be null.
+-    // Returns:
+-    //   if specialDecoded is blank, returns "null"
+-    //   if specialDecoded != null, returns <ASCII-HEX string representation of specialDecoded>
+-    private String log_string_from_specialDecoded_byte_array(byte[] specialDecoded) {
+-        if (specialDecoded == null) {
+-            return "null";
+-        } else {
+-            return bytesToHex(specialDecoded);
+-        }
+-    }
+-
+-    /* Compute Session Key for SCP02
+-     *  For simplicity compute just one session key,unless it is the DEK key case.
+-     */
+-
+-    private void processComputeSessionKeySCP02(HttpServletRequest req, HttpServletResponse resp) throws EBaseException {
+-
+-        CMS.debug("TokenServlet.processComputeSessionKeySCP02 entering..");
+-        String auditMessage = null;
+-        String errorMsg = "";
+-        String badParams = "";
+-        String transportKeyName = "";
+-        boolean missingParam = false;
+-        String selectedToken = null;
+-        String keyNickName = null;
+-        byte[] drm_trans_wrapped_desKey = null;
+-
+-        byte[] xKDD = null;
+-        byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
+-        boolean nistSP800_108KdfUseCuidAsKdd = false;
+-
+-        IConfigStore sconfig = CMS.getConfigStore();
+-
+-        boolean isCryptoValidate = false;
+-        byte[] keyInfo, xCUID = null, session_key = null;
+-
+-        Exception missingSettingException = null;
+-
+-        String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
+-
+-        String rKDD = req.getParameter(IRemoteRequest.TOKEN_KDD);
+-
+-        String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
+-
+-        if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
+-            badParams += " KeyInfo,";
+-            CMS.debug("TokenServlet: processComputeSessionKeySCP02(): missing request parameter: key info");
+-            missingParam = true;
+-        }
+-
+-        keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
+-
+-        String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
+-
+-        if (keySet == null || keySet.equals("")) {
+-            keySet = "defKeySet";
+-        }
+-        CMS.debug("TokenServlet.processComputeSessionKeySCP02: keySet selected: " + keySet + " keyInfo: " + rKeyInfo);
+-
+-        boolean serversideKeygen = false;
+-
+-        String rDerivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT);
+-        String rSequenceCounter = req.getParameter(IRemoteRequest.SEQUENCE_COUNTER);
+-
+-        if ((rDerivationConstant == null) || (rDerivationConstant.equals(""))) {
+-            badParams += " derivation_constant,";
+-            CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: derivation constant.");
+-            missingParam = true;
+-        }
+-
+-        if ((rSequenceCounter == null) || (rSequenceCounter.equals(""))) {
+-            badParams += " sequence_counter,";
+-            CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: sequence counter.");
+-            missingParam = true;
+-        }
+-
+-        SessionContext sContext = SessionContext.getContext();
+-
+-        String agentId = "";
+-        if (sContext != null) {
+-            agentId =
+-                    (String) sContext.get(SessionContext.USER_ID);
+-        }
+-
+-        auditMessage = CMS.getLogMessage(
+-                AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
+-                rCUID,
+-                rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+-                ILogger.SUCCESS,
+-                agentId);
+-
+-        audit(auditMessage);
+-
+-        if (!missingParam) {
+-            xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
+-
+-            if (xCUID == null || xCUID.length != 10) {
+-                badParams += " CUID length,";
+-                CMS.debug("TokenServlet.processCompureSessionKeySCP02: Invalid CUID length");
+-                missingParam = true;
+-            }
+-
+-            if ((rKDD == null) || (rKDD.length() == 0)) {
+-                CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: KDD");
+-                badParams += " KDD,";
+-                missingParam = true;
+-            }
+-
+-            xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
+-            if (xKDD == null || xKDD.length != 10) {
+-                badParams += " KDD length,";
+-                CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid KDD length");
+-                missingParam = true;
+-            }
+-
+-            keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
+-            if (keyInfo == null || keyInfo.length != 2) {
+-                badParams += " KeyInfo length,";
+-                CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid key info length.");
+-                missingParam = true;
+-            }
+-
+-            try {
+-                nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
+-                nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
+-
+-                // log settings read in to debug log along with xkeyInfo
+-                CMS.debug("TokenServlet: ComputeSessionKeySCP02():  keyInfo[0] = 0x"
+-                        + Integer.toHexString((keyInfo[0]) & 0x0000000FF)
+-                        + ",  xkeyInfo[1] = 0x"
+-                        + Integer.toHexString((keyInfo[1]) & 0x0000000FF)
+-                        );
+-                CMS.debug("TokenServlet: ComputeSessionKeySCP02():  Nist SP800-108 KDF will be used for key versions >= 0x"
+-                        + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
+-                        );
+-                if (nistSP800_108KdfUseCuidAsKdd == true) {
+-                    CMS.debug("TokenServlet: ComputeSessionKeySCP02():  Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
+-                } else {
+-                    CMS.debug("TokenServlet: ComputeSessionKeySCP02():  Nist SP800-108 KDF (if used) will use KDD.");
+-                }
+-                // conform to the set-an-error-flag mentality
+-            } catch (Exception e) {
+-                missingSettingException = e;
+-                CMS.debug("TokenServlet: ComputeSessionKeySCP02():  Exception reading Nist SP800-108 KDF config values: "
+-                        + e.toString());
+-            }
+-
+-        }
+-
+-        String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx
+-        String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
+-        if (mappingValue == null) {
+-            selectedToken =
+-                    CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
+-            keyNickName = rKeyInfo;
+-        } else {
+-            StringTokenizer st = new StringTokenizer(mappingValue, ":");
+-            if (st.hasMoreTokens())
+-                selectedToken = st.nextToken();
+-            if (st.hasMoreTokens())
+-                keyNickName = st.nextToken();
+-        }
+-
+-        keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx
+-        try {
+-            mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
+-        } catch (EBaseException e1) {
+-
+-            e1.printStackTrace();
+-        }
+-        if (mappingValue == null) {
+-            try {
+-                selectedToken =
+-                        CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
+-            } catch (EBaseException e) {
+-
+-                e.printStackTrace();
+-            }
+-            keyNickName = rKeyInfo;
+-        } else {
+-            StringTokenizer st = new StringTokenizer(mappingValue, ":");
+-            if (st.hasMoreTokens())
+-                selectedToken = st.nextToken();
+-            if (st.hasMoreTokens())
+-                keyNickName = st.nextToken();
+-        }
+-
+-        CMS.debug("TokenServlet: processComputeSessionKeySCP02(): final keyNickname: " + keyNickName);
+-        String useSoftToken_s = null;
+-        try {
+-            useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
+-        } catch (EBaseException e1) {
+-            // TODO Auto-generated catch block
+-            e1.printStackTrace();
+-        }
+-        if (!useSoftToken_s.equalsIgnoreCase("true"))
+-            useSoftToken_s = "false";
+-
+-        String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN);
+-        if (rServersideKeygen.equals("true")) {
+-            CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen requested");
+-            serversideKeygen = true;
+-        } else {
+-            CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen not requested");
+-        }
+-
+-        transportKeyName = null;
+-        try {
+-            transportKeyName = getSharedSecretName(sconfig);
+-        } catch (EBaseException e1) {
+-            // TODO Auto-generated catch block
+-            e1.printStackTrace();
+-            CMS.debug("TokenServlet.processComputeSessionKeySCP02: Can't find transport key name!");
+-
+-        }
+-
+-        CMS.debug("TokenServlet: processComputeSessionKeySCP02(): tksSharedSymKeyName: " + transportKeyName);
+-
+-        try {
+-            isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true);
+-        } catch (EBaseException eee) {
+-        }
+-
+-        byte macKeyArray[] = null;
+-        byte sequenceCounter[] = null;
+-        byte derivationConstant[] = null;
+-
+-        boolean errorFound = false;
+-
+-        String dek_wrapped_desKeyString = null;
+-        String keycheck_s = null;
+-
+-        if (selectedToken != null && keyNickName != null && transportKeyName != null && missingSettingException == null) {
+-            try {
+-                macKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+-                        + keySet + ".mac_key"));
+-
+-                sequenceCounter = com.netscape.cmsutil.util.Utils.SpecialDecode(rSequenceCounter);
+-                derivationConstant = com.netscape.cmsutil.util.Utils.SpecialDecode(rDerivationConstant);
+-
+-                //Use old style for the moment.
+-                //ToDo: We need to use the nistXP800 params we have collected and send them down to symkey
+-                //Perform in next ticket to fully implement nistXP800
+-
+-                session_key = SessionKey.ComputeSessionKeySCP02(
+-                        selectedToken, keyNickName,
+-                        keyInfo,
+-                        nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value
+-                        nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, macKeyArray, sequenceCounter, derivationConstant,
+-                        useSoftToken_s, keySet,
+-                        transportKeyName);
+-
+-                if (session_key == null) {
+-                    CMS.debug("TokenServlet.computeSessionKeySCP02:Tried ComputeSessionKey, got NULL ");
+-                    throw new EBaseException("Can't compute session key for SCP02!");
+-
+-                }
+-
+-                //Only do this for the dekSessionKey and if we are in the server side keygen case.
+-                if (derivationConstant[0] == DEKDerivationConstant[0]
+-                        && derivationConstant[1] == DEKDerivationConstant[1] && serversideKeygen == true) {
+-
+-                    CMS.debug("TokenServlet.computeSessionKeySCP02: We have the server side keygen case while generating the dek session key, wrap and return symkeys for the drm and token.");
+-
+-                    /**
+-                     * 0. generate des key
+-                     * 1. encrypt des key with dek key
+-                     * 2. encrypt des key with DRM transport key
+-                     * These two wrapped items are to be sent back to
+-                     * TPS. 2nd item is to DRM
+-                     **/
+-
+-                    PK11SymKey desKey = null;
+-                    PK11SymKey dekKey = null;
+-
+-                    /*generate it on whichever token the master key is at*/
+-                    if (useSoftToken_s.equals("true")) {
+-                        CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on internal");
+-
+-                        desKey = SessionKey.GenerateSymkey(CryptoUtil.INTERNAL_TOKEN_NAME);
+-
+-                    } else {
+-                        CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on "
+-                                + selectedToken);
+-                        desKey = SessionKey.GenerateSymkey(selectedToken);
+-                    }
+-                    if (desKey != null)
+-                        CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated for " + rCUID);
+-                    else {
+-                        CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generation failed for "
+-                                + rCUID);
+-                        throw new EBaseException(
+-                                "TokenServlet.computeSessionKeySCP02: can't generate key encryption key");
+-                    }
+-
+-                    CryptoToken token = null;
+-                    if (useSoftToken_s.equals("true")) {
+-                        token = CryptoUtil.getCryptoToken(null);
+-                    } else {
+-                        token = CryptoUtil.getCryptoToken(selectedToken);
+-                    }
+-
+-                    //Now we have to create a sym key object for the wrapped session_key (dekKey)
+-                    // session_key wrapped by the shared Secret
+-
+-                    PK11SymKey sharedSecret = getSharedSecretKey();
+-
+-                    if (sharedSecret == null) {
+-                        throw new EBaseException(
+-                                "TokenServlet.computeSessionKeySCP02: Can't find share secret sym key!");
+-                    }
+-
+-                    dekKey = SessionKey.UnwrapSessionKeyWithSharedSecret(token.getName(), sharedSecret,
+-                            session_key);
+-
+-                    if (dekKey == null) {
+-                        throw new EBaseException(
+-                                "TokenServlet.computeSessionKeySCP02: Can't unwrap DEK key onto the token!");
+-                    }
+-
+-                    /*
+-                     * ECBencrypt actually takes the 24 byte DES2 key
+-                     * and discard the last 8 bytes before it encrypts.
+-                     * This is done so that the applet can digest it
+-                     */
+-                    byte[] encDesKey =
+-                            SessionKey.ECBencrypt(dekKey,
+-                                    desKey);
+-
+-                    if (encDesKey == null) {
+-                        throw new EBaseException("TokenServlet.computeSessionKeySCP02: Can't encrypt DEK key!");
+-                    }
+-
+-                    dek_wrapped_desKeyString =
+-                            com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey);
+-
+-                    byte[] keycheck =
+-                            SessionKey.ComputeKeyCheck(desKey);
+-
+-                    if (keycheck == null) {
+-                        throw new EBaseException(
+-                                "TokenServlet.computeSessionKeySCP02: Can't compute key check for encrypted DEK key!");
+-                    }
+-
+-                    keycheck_s =
+-                            com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck);
+-
+-                    //use DRM transport cert to wrap desKey
+-                    String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", "");
+-
+-                    if ((drmTransNickname == null) || (drmTransNickname == "")) {
+-                        CMS.debug("TokenServlet.computeSessionKeySCP02:did not find DRM transport certificate nickname");
+-                        throw new EBaseException("can't find DRM transport certificate nickname");
+-                    } else {
+-                        CMS.debug("TokenServlet.computeSessionKeySCP02:drmtransport_cert_nickname=" + drmTransNickname);
+-                    }
+-
+-                    X509Certificate drmTransCert = null;
+-                    drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname);
+-                    // wrap kek session key with DRM transport public key
+-
+-                    PublicKey pubKey = drmTransCert.getPublicKey();
+-                    String pubKeyAlgo = pubKey.getAlgorithm();
+-
+-                    KeyWrapper keyWrapper = null;
+-                    //For wrapping symmetric keys don't need IV, use ECB
+-                    if (pubKeyAlgo.equals("EC")) {
+-                        keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB);
+-                        keyWrapper.initWrap(pubKey, null);
+-                    } else {
+-                        keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
+-                        keyWrapper.initWrap(pubKey, null);
+-                    }
+-
+-                    drm_trans_wrapped_desKey = keyWrapper.wrap(desKey);
+-                    CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey wrapped with drm transportation key.");
+-
+-                    CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey: Just unwrapped the dekKey onto the token to be wrapped on the way out.");
+-
+-                }
+-
+-            } catch (Exception e) {
+-                CMS.debug("TokenServlet.computeSessionKeySCP02 Computing Session Key: " + e.toString());
+-                errorFound = true;
+-
+-            }
+-
+-        }
+-
+-        String status = "0";
+-        String value = "";
+-        String outputString = "";
+-
+-        boolean statusDeclared = false;
+-
+-        if (session_key != null && session_key.length > 0 && errorFound == false) {
+-            outputString =
+-                    com.netscape.cmsutil.util.Utils.SpecialEncode(session_key);
+-        } else {
+-
+-            status = "1";
+-            statusDeclared = true;
+-        }
+-
+-        if (selectedToken == null || keyNickName == null) {
+-            if (!statusDeclared) {
+-                status = "4";
+-                statusDeclared = true;
+-            }
+-        }
+-
+-        if (missingSettingException != null) {
+-            if (!statusDeclared) {
+-                status = "6";
+-                statusDeclared = true;
+-            }
+-        }
+-
+-        if (missingParam) {
+-            status = "3";
+-        }
+-
+-        String drm_trans_wrapped_desKeyString = null;
+-
+-        if (!status.equals("0")) {
+-            if (status.equals("1")) {
+-                errorMsg = "Problem generating session key info.";
+-            }
+-
+-            if (status.equals("4")) {
+-                errorMsg = "Problem obtaining token information.";
+-            }
+-
+-            if (status.equals("3")) {
+-                if (badParams.endsWith(",")) {
+-                    badParams = badParams.substring(0, badParams.length() - 1);
+-                }
+-                errorMsg = "Missing input parameters :" + badParams;
+-            }
+-
+-            if (status.equals("6")) {
+-                errorMsg = "Problem reading required configuration value.";
+-            }
+-
+-        } else {
+-
+-            if (serversideKeygen == true) {
+-
+-                if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) {
+-                    drm_trans_wrapped_desKeyString =
+-                            com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey);
+-                }
+-
+-                StringBuffer sb = new StringBuffer();
+-                sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
+-                sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
+-                sb.append(outputString);
+-
+-                //Now add the trans wrapped des key
+-
+-                if (drm_trans_wrapped_desKeyString != null) {
+-                    sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "=");
+-                    sb.append(drm_trans_wrapped_desKeyString);
+-                }
+-
+-                if (dek_wrapped_desKeyString != null) {
+-                    sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "=");
+-                    sb.append(dek_wrapped_desKeyString);
+-                }
+-
+-                if (keycheck_s != null) {
+-                    sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "=");
+-                    sb.append(keycheck_s);
+-                }
+-
+-                value = sb.toString();
+-            } else {
+-                StringBuffer sb = new StringBuffer();
+-                sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
+-                sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
+-                sb.append(outputString);
+-                value = sb.toString();
+-            }
+-
+-        }
+-
+-        //CMS.debug("TokenServlet:outputString.encode " + value);
+-
+-        try {
+-            resp.setContentLength(value.length());
+-            CMS.debug("TokenServlet:outputString.length " + value.length());
+-            OutputStream ooss = resp.getOutputStream();
+-            ooss.write(value.getBytes());
+-            ooss.flush();
+-            mRenderResult = false;
+-        } catch (IOException e) {
+-            CMS.debug("TokenServlet: " + e.toString());
+-        }
+-
+-        if (status.equals("0")) {
+-
+-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+-                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+-                    ILogger.SUCCESS, // Outcome
+-                    status, // status
+-                    agentId, // AgentID
+-                    isCryptoValidate ? "true" : "false", // IsCryptoValidate
+-                    serversideKeygen ? "true" : "false", // IsServerSideKeygen
+-                    selectedToken, // SelectedToken
+-                    keyNickName, // KeyNickName
+-                    keySet, // TKSKeyset
+-                    log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion
+-                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+-                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
+-            };
+-            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
+-                    logParams);
+-
+-        } else {
+-
+-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+-                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+-                    ILogger.FAILURE, // Outcome
+-                    status, // status
+-                    agentId, // AgentID
+-                    isCryptoValidate ? "true" : "false", // IsCryptoValidate
+-                    serversideKeygen ? "true" : "false", // IsServerSideKeygen
+-                    selectedToken, // SelectedToken
+-                    keyNickName, // KeyNickName
+-                    keySet, // TKSKeyset
+-                    log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion
+-                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+-                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
+-                    errorMsg // Error
+-            };
+-            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+-                    logParams);
+-        }
+-
+-        audit(auditMessage);
+-
+-    }
+-
+-    private void processComputeSessionKey(HttpServletRequest req,
+-            HttpServletResponse resp) throws EBaseException {
+-        byte[] card_challenge, host_challenge, keyInfo, xCUID, session_key, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
+-
+-        // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
+-        byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
+-        boolean nistSP800_108KdfUseCuidAsKdd = false;
+-
+-        byte[] card_crypto, host_cryptogram, input_card_crypto;
+-        byte[] xcard_challenge, xhost_challenge;
+-        byte[] enc_session_key, xkeyInfo;
+-        String auditMessage = null;
+-        String errorMsg = "";
+-        String badParams = "";
+-        String transportKeyName = "";
+-        String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
+-
+-        // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+-        String rKDD = req.getParameter("KDD");
+-        if ((rKDD == null) || (rKDD.length() == 0)) {
+-            // KDF phase1: default to rCUID if not present
+-            CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
+-            rKDD = rCUID;
+-        }
+-
+-        String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
+-        if (keySet == null || keySet.equals("")) {
+-            keySet = "defKeySet";
+-        }
+-        CMS.debug("keySet selected: " + keySet);
+-
+-        boolean serversideKeygen = false;
+-        byte[] drm_trans_wrapped_desKey = null;
+-        SymmetricKey desKey = null;
+-        //        PK11SymKey kek_session_key;
+-        SymmetricKey kek_key;
+-
+-        IConfigStore sconfig = CMS.getConfigStore();
+-        boolean isCryptoValidate = true;
+-        boolean missingParam = false;
+-
+-        // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
+-        Exception missingSetting_exception = null;
+-
+-        session_key = null;
+-        card_crypto = null;
+-        host_cryptogram = null;
+-        enc_session_key = null;
+-        //        kek_session_key = null;
+-
+-        SessionContext sContext = SessionContext.getContext();
+-
+-        String agentId = "";
+-        if (sContext != null) {
+-            agentId =
+-                    (String) sContext.get(SessionContext.USER_ID);
+-        }
+-
+-        // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID
+-        auditMessage = CMS.getLogMessage(
+-                AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
+-                rCUID,
+-                rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+-                ILogger.SUCCESS,
+-                agentId);
+-
+-        audit(auditMessage);
+-
+-        String kek_wrapped_desKeyString = null;
+-        String keycheck_s = null;
+-
+-        CMS.debug("processComputeSessionKey:");
+-        String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
+-        if (!useSoftToken_s.equalsIgnoreCase("true"))
+-            useSoftToken_s = "false";
+-
+-        String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN);
+-        if (rServersideKeygen.equals("true")) {
+-            CMS.debug("TokenServlet: serversideKeygen requested");
+-            serversideKeygen = true;
+-        } else {
+-            CMS.debug("TokenServlet: serversideKeygen not requested");
+-        }
+-
+-        try {
+-            isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true);
+-        } catch (EBaseException eee) {
+-        }
+-
+-        transportKeyName = getSharedSecretName(sconfig);
+-
+-        String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE);
+-        String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE);
+-        String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
+-        String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM);
+-        if ((rCUID == null) || (rCUID.equals(""))) {
+-            CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: CUID");
+-            badParams += " CUID,";
+-            missingParam = true;
+-        }
+-
+-        // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+-        if ((rKDD == null) || (rKDD.length() == 0)) {
+-            CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: KDD");
+-            badParams += " KDD,";
+-            missingParam = true;
+-        }
+-
+-        if ((rcard_challenge == null) || (rcard_challenge.equals(""))) {
+-            badParams += " card_challenge,";
+-            CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge");
+-            missingParam = true;
+-        }
+-
+-        if ((rhost_challenge == null) || (rhost_challenge.equals(""))) {
+-            badParams += " host_challenge,";
+-            CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: host challenge");
+-            missingParam = true;
+-        }
+-
+-        if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
+-            badParams += " KeyInfo,";
+-            CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: key info");
+-            missingParam = true;
+-        }
+-
+-        String selectedToken = null;
+-        String keyNickName = null;
+-        boolean sameCardCrypto = true;
+-
+-        // AC: KDF SPEC CHANGE
+-        xCUID = null; // avoid errors about non-initialization
+-        xKDD = null; // avoid errors about non-initialization
+-        xkeyInfo = null; // avoid errors about non-initialization
+-
+-        if (!missingParam) {
+-
+-            xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
+-            if (xCUID == null || xCUID.length != 10) {
+-                badParams += " CUID length,";
+-                CMS.debug("TokenServlet: Invalid CUID length");
+-                missingParam = true;
+-            }
+-
+-            // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+-            xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
+-            if (xKDD == null || xKDD.length != 10) {
+-                badParams += " KDD length,";
+-                CMS.debug("TokenServlet: Invalid KDD length");
+-                missingParam = true;
+-            }
+-
+-            xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
+-            if (xkeyInfo == null || xkeyInfo.length != 2) {
+-                badParams += " KeyInfo length,";
+-                CMS.debug("TokenServlet: Invalid key info length.");
+-                missingParam = true;
+-            }
+-            xcard_challenge =
+-                    com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
+-            if (xcard_challenge == null || xcard_challenge.length != 8) {
+-                badParams += " card_challenge length,";
+-                CMS.debug("TokenServlet: Invalid card challenge length.");
+-                missingParam = true;
+-            }
+-
+-            xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
+-            if (xhost_challenge == null || xhost_challenge.length != 8) {
+-                badParams += " host_challenge length,";
+-                CMS.debug("TokenServlet: Invalid host challenge length");
+-                missingParam = true;
+-            }
+-
+-        }
+-
+-        if (!missingParam) {
+-            card_challenge =
+-                    com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
+-
+-            host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
+-            keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
+-
+-            // AC: KDF SPEC CHANGE - read new config file values (needed for symkey)
+-            //ToDo: Will use these values after completing next ticket
+-            try {
+-                nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
+-                nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
+-
+-                // log settings read in to debug log along with xkeyInfo
+-                CMS.debug("TokenServlet: ComputeSessionKey():  xkeyInfo[0] = 0x"
+-                        + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF)
+-                        + ",  xkeyInfo[1] = 0x"
+-                        + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF)
+-                        );
+-                CMS.debug("TokenServlet: ComputeSessionKey():  Nist SP800-108 KDF will be used for key versions >= 0x"
+-                        + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
+-                        );
+-                if (nistSP800_108KdfUseCuidAsKdd == true) {
+-                    CMS.debug("TokenServlet: ComputeSessionKey():  Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
+-                } else {
+-                    CMS.debug("TokenServlet: ComputeSessionKey():  Nist SP800-108 KDF (if used) will use KDD.");
+-                }
+-                // conform to the set-an-error-flag mentality
+-            } catch (Exception e) {
+-                missingSetting_exception = e;
+-                CMS.debug("TokenServlet: ComputeSessionKey():  Exception reading Nist SP800-108 KDF config values: "
+-                        + e.toString());
+-            }
+-
+-            String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx
+-            String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
+-            if (mappingValue == null) {
+-                selectedToken =
+-                        CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
+-                keyNickName = rKeyInfo;
+-            } else {
+-                StringTokenizer st = new StringTokenizer(mappingValue, ":");
+-                if (st.hasMoreTokens())
+-                    selectedToken = st.nextToken();
+-                if (st.hasMoreTokens())
+-                    keyNickName = st.nextToken();
+-            }
+-
+-            if (selectedToken != null && keyNickName != null
+-                    // AC: KDF SPEC CHANGE - check for error flag
+-                    && missingSetting_exception == null) {
+-
+-                try {
+-
+-                    byte macKeyArray[] =
+-                            com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+-                                    + keySet + ".mac_key"));
+-                    CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken="
+-                            + selectedToken + " keyNickName=" + keyNickName);
+-
+-                    SecureChannelProtocol protocol = new SecureChannelProtocol();
+-                    SymmetricKey macKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.macType,
+-                            selectedToken,
+-                            keyNickName, card_challenge,
+-                            host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID,
+-                            xKDD, macKeyArray, useSoftToken_s, keySet, transportKeyName);
+-
+-                    session_key = protocol.wrapSessionKey(selectedToken, macKey, null);
+-
+-                    if (session_key == null) {
+-                        CMS.debug("TokenServlet:Tried ComputeSessionKey, got NULL ");
+-                        throw new Exception("Can't compute session key!");
+-
+-                    }
+-
+-                    byte encKeyArray[] =
+-                            com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+-                                    + keySet + ".auth_key"));
+-                    SymmetricKey encKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.encType,
+-                            selectedToken,
+-                            keyNickName, card_challenge, host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion,
+-                            nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, encKeyArray, useSoftToken_s, keySet,
+-                            transportKeyName);
+-
+-                    enc_session_key = protocol.wrapSessionKey(selectedToken, encKey, null);
+-
+-                    if (enc_session_key == null) {
+-                        CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL ");
+-                        throw new Exception("Can't compute enc session key!");
+-
+-                    }
+-
+-                    if (serversideKeygen == true) {
+-
+-                        /**
+-                         * 0. generate des key
+-                         * 1. encrypt des key with kek key
+-                         * 2. encrypt des key with DRM transport key
+-                         * These two wrapped items are to be sent back to
+-                         * TPS. 2nd item is to DRM
+-                         **/
+-                        CMS.debug("TokenServlet: calling ComputeKekKey");
+-
+-                        byte kekKeyArray[] =
+-                                com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+-                                        + keySet + ".kek_key"));
+-
+-                        kek_key = protocol.computeKEKKey_SCP01(selectedToken,
+-                                keyNickName,
+-                                keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd,
+-                                xCUID,
+-                                xKDD, kekKeyArray, useSoftToken_s, keySet, transportKeyName);
+-
+-                        CMS.debug("TokenServlet: called ComputeKekKey");
+-
+-                        if (kek_key == null) {
+-                            CMS.debug("TokenServlet:Tried ComputeKekKey, got NULL ");
+-                            throw new Exception("Can't compute kek key!");
+-
+-                        }
+-                        // now use kek key to wrap kek session key..
+-                        CMS.debug("computeSessionKey:kek key len =" +
+-                                kek_key.getLength());
+-
+-                        // (1) generate DES key
+-                        /* applet does not support DES3
+-                        org.mozilla.jss.crypto.KeyGenerator kg =
+-                            internalToken.getKeyGenerator(KeyGenAlgorithm.DES3);
+-                            desKey = kg.generate();*/
+-
+-                        /*
+-                         * GenerateSymkey firt generates a 16 byte DES2 key.
+-                         * It then pads it into a 24 byte key with last
+-                         * 8 bytes copied from the 1st 8 bytes.  Effectively
+-                         * making it a 24 byte DES2 key.  We need this for
+-                         * wrapping private keys on DRM.
+-                         */
+-                        /*generate it on whichever token the master key is at*/
+-                        if (useSoftToken_s.equals("true")) {
+-                            CMS.debug("TokenServlet: key encryption key generated on internal");
+-                            //cfu audit here? sym key gen
+-
+-                            desKey = protocol.generateSymKey(CryptoUtil.INTERNAL_TOKEN_NAME);
+-                            //cfu audit here? sym key gen done
+-                        } else {
+-                            CMS.debug("TokenServlet: key encryption key generated on " + selectedToken);
+-                            desKey = protocol.generateSymKey(selectedToken);
+-                        }
+-                        if (desKey != null) {
+-                            // AC: KDF SPEC CHANGE - Output using CUID and KDD
+-                            CMS.debug("TokenServlet: key encryption key generated for CUID=" +
+-                                    trim(pp.toHexString(xCUID)) +
+-                                    ", KDD=" +
+-                                    trim(pp.toHexString(xKDD)));
+-                        } else {
+-                            // AC: KDF SPEC CHANGE - Output using CUID and KDD
+-                            CMS.debug("TokenServlet: key encryption key generation failed for CUID=" +
+-                                    trim(pp.toHexString(xCUID)) +
+-                                    ", KDD=" +
+-                                    trim(pp.toHexString(xKDD)));
+-
+-                            throw new Exception("can't generate key encryption key");
+-                        }
+-
+-                        /*
+-                         * ECBencrypt actually takes the 24 byte DES2 key
+-                         * and discard the last 8 bytes before it encrypts.
+-                         * This is done so that the applet can digest it
+-                         */
+-
+-                        byte[] encDesKey = protocol.ecbEncrypt(kek_key, desKey, selectedToken);
+-
+-                        /*
+-                        CMS.debug("computeSessionKey:encrypted desKey size = "+encDesKey.length);
+-                        CMS.debug(encDesKey);
+-                        */
+-
+-                        kek_wrapped_desKeyString =
+-                                com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey);
+-
+-                        // get keycheck
+-
+-                        byte[] keycheck = protocol.computeKeyCheck(desKey, selectedToken);
+-                        /*
+-                        CMS.debug("computeSessionKey:keycheck size = "+keycheck.length);
+-                        CMS.debug(keycheck);
+-                        */
+-                        keycheck_s =
+-                                com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck);
+-
+-                        //use DRM transport cert to wrap desKey
+-                        String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", "");
+-
+-                        if ((drmTransNickname == null) || (drmTransNickname == "")) {
+-                            CMS.debug("TokenServlet:did not find DRM transport certificate nickname");
+-                            throw new Exception("can't find DRM transport certificate nickname");
+-                        } else {
+-                            CMS.debug("TokenServlet:drmtransport_cert_nickname=" + drmTransNickname);
+-                        }
+-
+-                        X509Certificate drmTransCert = null;
+-                        drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname);
+-                        // wrap kek session key with DRM transport public key
+-                        CryptoToken token = null;
+-                        if (useSoftToken_s.equals("true")) {
+-                            token = CryptoUtil.getCryptoToken(null);
+-                        } else {
+-                            token = CryptoUtil.getCryptoToken(selectedToken);
+-                        }
+-                        PublicKey pubKey = drmTransCert.getPublicKey();
+-                        String pubKeyAlgo = pubKey.getAlgorithm();
+-                        CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo);
+-                        KeyWrapper keyWrapper = null;
+-                        //For wrapping symmetric keys don't need IV, use ECB
+-                        if (pubKeyAlgo.equals("EC")) {
+-                            keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB);
+-                            keyWrapper.initWrap(pubKey, null);
+-                        } else {
+-                            keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
+-                            keyWrapper.initWrap(pubKey, null);
+-                        }
+-                        CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName());
+-                        drm_trans_wrapped_desKey = keyWrapper.wrap(desKey);
+-                        CMS.debug("computeSessionKey:desKey wrapped with drm transportation key.");
+-
+-                    } // if (serversideKeygen == true)
+-
+-                    byte authKeyArray[] =
+-                            com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+-                                    + keySet + ".auth_key"));
+-
+-                    host_cryptogram = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge,
+-                            host_challenge,
+-                            xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, SecureChannelProtocol.HOST_CRYPTOGRAM,
+-                            authKeyArray, useSoftToken_s, keySet, transportKeyName);
+-
+-                    if (host_cryptogram == null) {
+-                        CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL ");
+-                        throw new Exception("Can't compute host cryptogram!");
+-
+-                    }
+-
+-                    card_crypto = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge,
+-                            host_challenge, xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd,
+-                            xCUID, xKDD, SecureChannelProtocol.CARD_CRYPTOGRAM, authKeyArray, useSoftToken_s, keySet, transportKeyName);
+-
+-                    if (card_crypto == null) {
+-                        CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL ");
+-                        throw new Exception("Can't compute card cryptogram!");
+-
+-                    }
+-
+-                    if (isCryptoValidate) {
+-                        if (rcard_cryptogram == null) {
+-                            CMS.debug("TokenServlet: ComputeCryptogram(): missing card cryptogram");
+-                            throw new Exception("Missing card cryptogram");
+-                        }
+-                        input_card_crypto =
+-                                com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram);
+-
+-                        //SecureChannelProtocol.debugByteArray(input_card_crypto, "input_card_crypto");
+-                        //SecureChannelProtocol.debugByteArray(card_crypto, "card_crypto");
+-
+-                        if (card_crypto.length == input_card_crypto.length) {
+-                            for (int i = 0; i < card_crypto.length; i++) {
+-                                if (card_crypto[i] != input_card_crypto[i]) {
+-                                    sameCardCrypto = false;
+-                                    break;
+-                                }
+-                            }
+-                        } else {
+-                            // different length; must be different
+-                            sameCardCrypto = false;
+-                        }
+-                    }
+-
+-                    // AC: KDF SPEC CHANGE - print both KDD and CUID
+-                    CMS.getLogger().log(ILogger.EV_AUDIT,
+-                            ILogger.S_TKS,
+-                            ILogger.LL_INFO, "processComputeSessionKey for CUID=" +
+-                                    trim(pp.toHexString(xCUID)) +
+-                                    ", KDD=" +
+-                                    trim(pp.toHexString(xKDD)));
+-                } catch (Exception e) {
+-                    CMS.debug(e);
+-                    CMS.debug("TokenServlet Computing Session Key: " + e.toString());
+-                    if (isCryptoValidate)
+-                        sameCardCrypto = false;
+-                }
+-            }
+-        } // ! missingParam
+-
+-        String value = "";
+-
+-        resp.setContentType("text/html");
+-
+-        String outputString = "";
+-        String encSessionKeyString = "";
+-        String drm_trans_wrapped_desKeyString = "";
+-        String cryptogram = "";
+-        String status = "0";
+-        if (session_key != null && session_key.length > 0) {
+-            outputString =
+-                    com.netscape.cmsutil.util.Utils.SpecialEncode(session_key);
+-        } else {
+-
+-            status = "1";
+-        }
+-
+-        if (enc_session_key != null && enc_session_key.length > 0) {
+-            encSessionKeyString =
+-                    com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key);
+-        } else {
+-            status = "1";
+-        }
+-
+-        if (serversideKeygen == true) {
+-            if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0)
+-                drm_trans_wrapped_desKeyString =
+-                        com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey);
+-            else {
+-                status = "1";
+-            }
+-        }
+-
+-        if (host_cryptogram != null && host_cryptogram.length > 0) {
+-            cryptogram =
+-                    com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram);
+-        } else {
+-            // AC: Bugfix: Don't override status's value if an error was already flagged
+-            if (status.equals("0") == true) {
+-                status = "2";
+-            }
+-        }
+-
+-        if (selectedToken == null || keyNickName == null) {
+-            // AC: Bugfix: Don't override status's value if an error was already flagged
+-            if (status.equals("0") == true) {
+-                status = "4";
+-            }
+-        }
+-
+-        if (!sameCardCrypto) {
+-            // AC: Bugfix: Don't override status's value if an error was already flagged
+-            if (status.equals("0") == true) {
+-                // AC: Bugfix: Don't mis-represent host cryptogram mismatch errors as TPS parameter issues
+-                status = "5";
+-            }
+-        }
+-
+-        // AC: KDF SPEC CHANGE - check for settings file issue (flag)
+-        if (missingSetting_exception != null) {
+-            // AC: Intentionally override previous errors if config file settings were missing.
+-            status = "6";
+-        }
+-
+-        if (missingParam) {
+-            // AC: Intentionally override previous errors if parameters were missing.
+-            status = "3";
+-        }
+-
+-        if (!status.equals("0")) {
+-
+-            if (status.equals("1")) {
+-                errorMsg = "Problem generating session key info.";
+-            }
+-
+-            if (status.equals("2")) {
+-                errorMsg = "Problem creating host_cryptogram.";
+-            }
+-
+-            // AC: Bugfix: Don't mis-represent card cryptogram mismatch errors as TPS parameter issues
+-            if (status.equals("5")) {
+-                errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys.";
+-            }
+-
+-            if (status.equals("4")) {
+-                errorMsg = "Problem obtaining token information.";
+-            }
+-
+-            // AC: KDF SPEC CHANGE - handle missing configuration item
+-            if (status.equals("6")) {
+-                errorMsg = "Problem reading required configuration value.";
+-            }
+-
+-            if (status.equals("3")) {
+-                if (badParams.endsWith(",")) {
+-                    badParams = badParams.substring(0, badParams.length() - 1);
+-                }
+-                errorMsg = "Missing input parameters :" + badParams;
+-            }
+-
+-            value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
+-        } else {
+-            if (serversideKeygen == true) {
+-                StringBuffer sb = new StringBuffer();
+-                sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
+-                sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
+-                sb.append(outputString);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
+-                sb.append(cryptogram);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
+-                sb.append(encSessionKeyString);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "=");
+-                sb.append(kek_wrapped_desKeyString);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "=");
+-                sb.append(keycheck_s);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "=");
+-                sb.append(drm_trans_wrapped_desKeyString);
+-                value = sb.toString();
+-            } else {
+-
+-                StringBuffer sb = new StringBuffer();
+-                sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
+-                sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
+-                sb.append(outputString);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
+-                sb.append(cryptogram);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
+-                sb.append(encSessionKeyString);
+-                value = sb.toString();
+-            }
+-
+-        }
+-        //CMS.debug("TokenServlet:outputString.encode " + value);
+-
+-        try {
+-            resp.setContentLength(value.length());
+-            CMS.debug("TokenServlet:outputString.length " + value.length());
+-            OutputStream ooss = resp.getOutputStream();
+-            ooss.write(value.getBytes());
+-            ooss.flush();
+-            mRenderResult = false;
+-        } catch (IOException e) {
+-            CMS.debug("TokenServlet: " + e.toString());
+-        }
+-
+-        if (status.equals("0")) {
+-            // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+-            //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+-            //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
+-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+-                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+-                    ILogger.SUCCESS, // Outcome
+-                    status, // status
+-                    agentId, // AgentID
+-                    isCryptoValidate ? "true" : "false", // IsCryptoValidate
+-                    serversideKeygen ? "true" : "false", // IsServerSideKeygen
+-                    selectedToken, // SelectedToken
+-                    keyNickName, // KeyNickName
+-                    keySet, // TKSKeyset
+-                    log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
+-                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+-                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
+-            };
+-            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
+-                    logParams);
+-
+-        } else {
+-            // AC: KDF SPEC CHANGE - Log both CUID and KDD
+-            //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+-            //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
+-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+-                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+-                    ILogger.FAILURE, // Outcome
+-                    status, // status
+-                    agentId, // AgentID
+-                    isCryptoValidate ? "true" : "false", // IsCryptoValidate
+-                    serversideKeygen ? "true" : "false", // IsServerSideKeygen
+-                    selectedToken, // SelectedToken
+-                    keyNickName, // KeyNickName
+-                    keySet, // TKSKeyset
+-                    log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
+-                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+-                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
+-                    errorMsg // Error
+-            };
+-            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+-                    logParams);
+-
+-        }
+-
+-        audit(auditMessage);
+-    }
+-
+-    // This method will return the shared secret name.  In new 10.1 subsystems, this
+-    // name will be stored in tps.X.nickname.
+-    //
+-    // Until multiple TKS/TPS connections is fully supported, this method will just
+-    // return the first shared secret nickname found, on the assumption that only
+-    // one nickname will be configured.  This will have to be changed to return the correct
+-    // key based on some parameter in the request in future.
+-    //
+-    // On legacy systems, this method just returns what was previously returned.
+-    private String getSharedSecretName(IConfigStore cs) throws EBaseException {
+-        boolean useNewNames = cs.getBoolean("tks.useNewSharedSecretNames", false);
+-
+-        if (useNewNames) {
+-            String tpsList = cs.getString("tps.list", "");
+-            String firstSharedSecretName = null;
+-            if (!tpsList.isEmpty()) {
+-                for (String tpsID : tpsList.split(",")) {
+-                    String sharedSecretName = cs.getString("tps." + tpsID + ".nickname", "");
+-
+-                    // This one will be a fall back in case we can't get a specific one
+-                    if (firstSharedSecretName == null) {
+-                        firstSharedSecretName = sharedSecretName;
+-                    }
+-
+-                    if (!sharedSecretName.isEmpty()) {
+-                        if (mCurrentUID != null) {
+-                            String csUid = cs.getString("tps." + tpsID + ".userid", "");
+-
+-                            if (mCurrentUID.equalsIgnoreCase(csUid)) {
+-                                CMS.debug("TokenServlet.getSharedSecretName: found a match of the user id! " + csUid);
+-                                return sharedSecretName;
+-                            }
+-                        }
+-                    }
+-                }
+-
+-                if (firstSharedSecretName != null) {
+-                    //Return the first in the list if we couldn't isolate one
+-                    return firstSharedSecretName;
+-                }
+-            }
+-            CMS.debug("getSharedSecretName: no shared secret has been configured");
+-            throw new EBaseException("No shared secret has been configured");
+-        }
+-
+-        // legacy system - return as before
+-        return cs.getString("tks.tksSharedSymKeyName", TRANSPORT_KEY_NAME);
+-    }
+-
+-    //Accepts protocol param and supports scp03.
+-    private void processDiversifyKey(HttpServletRequest req,
+-            HttpServletResponse resp) throws EBaseException {
+-
+-        String method = "TokenServlet.processDiversifyKey: ";
+-        byte[] KeySetData, xCUID, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
+-
+-        // AC: BUGFIX:  Record the actual parameters to DiversifyKey in the audit log.
+-        String oldKeyNickName = null;
+-        String newKeyNickName = null;
+-
+-        // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
+-        byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
+-        boolean nistSP800_108KdfUseCuidAsKdd = false;
+-
+-        // AC: BUGFIX for key versions higher than 09:  We need to initialize these variables in order for the compiler not to complain when we pass them to DiversifyKey.
+-        byte[] xkeyInfo = null, xnewkeyInfo = null;
+-
+-        // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
+-        Exception missingSetting_exception = null;
+-
+-        boolean missingParam = false;
+-        String errorMsg = "";
+-        String badParams = "";
+-        byte[] xWrappedDekKey = null;
+-
+-        IConfigStore sconfig = CMS.getConfigStore();
+-        String rnewKeyInfo = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO);
+-        String newMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO);
+-        String oldMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
+-        String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
+-
+-        // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+-        String rKDD = req.getParameter("KDD");
+-        if ((rKDD == null) || (rKDD.length() == 0)) {
+-            // temporarily make it friendly before TPS change
+-            CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
+-            rKDD = rCUID;
+-        }
+-
+-        String rProtocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL);
+-        String rWrappedDekKey = req.getParameter(IRemoteRequest.WRAPPED_DEK_SESSION_KEY);
+-
+-        CMS.debug(method + "rWrappedDekKey: " + rWrappedDekKey);
+-
+-        int protocol = 1;
+-        String auditMessage = "";
+-
+-        String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
+-        if (keySet == null || keySet.equals("")) {
+-            keySet = "defKeySet";
+-        }
+-        CMS.debug("keySet selected: " + keySet);
+-
+-        SessionContext sContext = SessionContext.getContext();
+-
+-        String agentId = "";
+-        if (sContext != null) {
+-            agentId =
+-                    (String) sContext.get(SessionContext.USER_ID);
+-        }
+-
+-        // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID
+-        auditMessage = CMS.getLogMessage(
+-                AuditEvent.DIVERSIFY_KEY_REQUEST,
+-                rCUID,
+-                rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+-                ILogger.SUCCESS,
+-                agentId,
+-                oldMasterKeyName,
+-                newMasterKeyName);
+-
+-        audit(auditMessage);
+-
+-        if ((rCUID == null) || (rCUID.equals(""))) {
+-            badParams += " CUID,";
+-            CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID");
+-            missingParam = true;
+-        }
+-
+-        // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+-        if ((rKDD == null) || (rKDD.length() == 0)) {
+-            CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD");
+-            badParams += " KDD,";
+-            missingParam = true;
+-        }
+-
+-        if ((rnewKeyInfo == null) || (rnewKeyInfo.equals(""))) {
+-            badParams += " newKeyInfo,";
+-            CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo");
+-            missingParam = true;
+-        }
+-        if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))) {
+-            badParams += " KeyInfo,";
+-            CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KeyInfo");
+-            missingParam = true;
+-        }
+-
+-        // AC: KDF SPEC CHANGE
+-        xCUID = null; // avoid errors about non-initialization
+-        xKDD = null; // avoid errors about non-initialization
+-        xkeyInfo = null; // avoid errors about non-initialization
+-        xnewkeyInfo = null; // avoid errors about non-initialization
+-
+-        if (!missingParam) {
+-            xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName);
+-            if (xkeyInfo == null || (xkeyInfo.length != 2 && xkeyInfo.length != 3)) {
+-                badParams += " KeyInfo length,";
+-                CMS.debug("TokenServlet: Invalid key info length");
+-                missingParam = true;
+-            }
+-            xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName);
+-            if (xnewkeyInfo == null || (xnewkeyInfo.length != 2 && xnewkeyInfo.length != 3)) {
+-                badParams += " NewKeyInfo length,";
+-                CMS.debug("TokenServlet: Invalid new key info length");
+-                missingParam = true;
+-            }
+-
+-            if (rProtocol != null) {
+-                try {
+-                    protocol = Integer.parseInt(rProtocol);
+-                } catch (NumberFormatException e) {
+-                    protocol = 1;
+-                }
+-            }
+-            CMS.debug("process DiversifyKey: protocol value: " + protocol);
+-
+-            if (protocol == 2) {
+-                if ((rWrappedDekKey == null) || (rWrappedDekKey.equals(""))) {
+-                    badParams += " WrappedDekKey,";
+-                    CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: WrappedDekKey, with SCP02.");
+-                    missingParam = true;
+-                } else {
+-
+-                    CMS.debug("process DiversifyKey: wrappedDekKey value: " + rWrappedDekKey);
+-                    xWrappedDekKey = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDekKey);
+-                }
+-
+-            }
+-        }
+-        String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
+-        if (!useSoftToken_s.equalsIgnoreCase("true"))
+-            useSoftToken_s = "false";
+-
+-        KeySetData = null;
+-        if (!missingParam) {
+-            xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
+-            if (xCUID == null || xCUID.length != 10) {
+-                badParams += " CUID length,";
+-                CMS.debug("TokenServlet: Invalid CUID length");
+-                missingParam = true;
+-            }
+-
+-            // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+-            xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
+-            if (xKDD == null || xKDD.length != 10) {
+-                badParams += " KDD length,";
+-                CMS.debug("TokenServlet: Invalid KDD length");
+-                missingParam = true;
+-            }
+-        }
+-        if (!missingParam) {
+-            // CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); // AC: KDF SPEC CHANGE: Removed duplicative variable/processing.
+-
+-            // AC: KDF SPEC CHANGE - read new config file values (needed for symkey)
+-
+-            //ToDo: Refactor this, this same block occurs several times in the file
+-            try {
+-                nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
+-                nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
+-
+-                // log settings read in to debug log along with xkeyInfo and xnewkeyInfo
+-                CMS.debug("TokenServlet: processDiversifyKey():  xkeyInfo[0] (old) = 0x"
+-                        + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF)
+-                        + ",  xkeyInfo[1] (old) = 0x"
+-                        + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF)
+-                        + ",  xnewkeyInfo[0] = 0x"
+-                        + Integer.toHexString((xnewkeyInfo[0]) & 0x000000FF)
+-                        + ",  xnewkeyInfo[1] = 0x"
+-                        + Integer.toHexString((xnewkeyInfo[1]) & 0x000000FF)
+-                        );
+-                CMS.debug("TokenServlet: processDiversifyKey():  Nist SP800-108 KDF will be used for key versions >= 0x"
+-                        + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
+-                        );
+-                if (nistSP800_108KdfUseCuidAsKdd == true) {
+-                    CMS.debug("TokenServlet: processDiversifyKey():  Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
+-                } else {
+-                    CMS.debug("TokenServlet: processDiversifyKey():  Nist SP800-108 KDF (if used) will use KDD.");
+-                }
+-                // conform to the set-an-error-flag mentality
+-            } catch (Exception e) {
+-                missingSetting_exception = e;
+-                CMS.debug("TokenServlet: processDiversifyKey():  Exception reading Nist SP800-108 KDF config values: "
+-                        + e.toString());
+-            }
+-
+-            if (mKeyNickName != null)
+-                oldMasterKeyName = mKeyNickName;
+-            if (mNewKeyNickName != null)
+-                newMasterKeyName = mNewKeyNickName;
+-
+-            String tokKeyInfo =  req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
+-
+-            // Get the first 6 characters, since scp03 gives us extra characters.
+-            tokKeyInfo = tokKeyInfo.substring(0,6);
+-            String oldKeyInfoMap = "tks." + keySet + ".mk_mappings." + tokKeyInfo; //#xx#xx
+-            CMS.debug(method + " oldKeyInfoMap: " + oldKeyInfoMap);
+-            String oldMappingValue = CMS.getConfigStore().getString(oldKeyInfoMap, null);
+-            String oldSelectedToken = null;
+-            if (oldMappingValue == null) {
+-                oldSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
+-                oldKeyNickName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
+-            } else {
+-                StringTokenizer st = new StringTokenizer(oldMappingValue, ":");
+-                oldSelectedToken = st.nextToken();
+-                oldKeyNickName = st.nextToken();
+-            }
+-
+-
+-            String newKeyInfoMap = "tks.mk_mappings." + rnewKeyInfo.substring(0,6); //#xx#xx
+-            CMS.debug(method + " newKeyInfoMap: " + newKeyInfoMap);
+-            String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null);
+-            String newSelectedToken = null;
+-            if (newMappingValue == null) {
+-                newSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
+-                newKeyNickName = rnewKeyInfo;
+-            } else {
+-                StringTokenizer st = new StringTokenizer(newMappingValue, ":");
+-                newSelectedToken = st.nextToken();
+-                newKeyNickName = st.nextToken();
+-            }
+-
+-            CMS.debug("process DiversifyKey for oldSelectedToke=" +
+-                    oldSelectedToken + " newSelectedToken=" + newSelectedToken +
+-                    " oldKeyNickName=" + oldKeyNickName + " newKeyNickName=" +
+-                    newKeyNickName);
+-
+-            byte kekKeyArray[] = getDeveKeyArray("kek_key", sconfig, keySet);
+-            byte macKeyArray[] = getDeveKeyArray("auth_key", sconfig, keySet);
+-            byte encKeyArray[] = getDeveKeyArray("mac_key", sconfig, keySet);
+-
+-            //        com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key"));
+-
+-            //GPParams for scp03 right now, reads some scp03 specific values from the config of a given keyset
+-            // passed down to the SecureChannelProtocol functions that deal with SCP03
+-
+-            GPParams gp3Params = readGPSettings(keySet);
+-
+-            SecureChannelProtocol secProtocol = new SecureChannelProtocol(protocol);
+-            // AC: KDF SPEC CHANGE - check for error reading settings
+-            if (missingSetting_exception == null) {
+-                if (protocol == 1 || protocol == 3) {
+-                   KeySetData = secProtocol.diversifyKey(oldSelectedToken,
+-                            newSelectedToken, oldKeyNickName,
+-                            newKeyNickName,
+-                            xkeyInfo, // AC: KDF SPEC CHANGE - pass in old key info so symkey can make decision about which KDF version to use
+-                            xnewkeyInfo, // AC: BUGFIX for key versions higher than 09:  We need to specialDecode keyInfo parameters before sending them into symkey!  This means the parameters must be byte[]
+-                            nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value
+-                            nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value
+-                            xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID'
+-                            xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use
+-                            kekKeyArray,encKeyArray,macKeyArray, useSoftToken_s, keySet, (byte) protocol,gp3Params);
+-
+-                } else if (protocol == 2) {
+-                    KeySetData = SessionKey.DiversifyKey(oldSelectedToken, newSelectedToken, oldKeyNickName,
+-                            newKeyNickName, xkeyInfo,
+-                            xnewkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD,
+-                            (protocol == 2) ? xWrappedDekKey : kekKeyArray, useSoftToken_s, keySet, (byte) protocol);
+-                }
+-                //SecureChannelProtocol.debugByteArray(KeySetData, " New keyset data: ");
+-                CMS.debug("TokenServlet.processDiversifyKey: New keyset data obtained");
+-
+-                if (KeySetData == null || KeySetData.length <= 1) {
+-                    CMS.getLogger().log(ILogger.EV_AUDIT,
+-                            ILogger.S_TKS,
+-                            ILogger.LL_INFO, "process DiversifyKey: Missing MasterKey in Slot");
+-                }
+-
+-                CMS.getLogger().log(ILogger.EV_AUDIT,
+-                        ILogger.S_TKS,
+-                        ILogger.LL_INFO,
+-                        "process DiversifyKey for CUID=" +
+-                                trim(pp.toHexString(xCUID)) + // AC: KDF SPEC CHANGE:  Log both CUID and KDD
+-                                ", KDD=" +
+-                                trim(pp.toHexString(xKDD))
+-                                + ";from oldMasterKeyName=" + oldSelectedToken + ":" + oldKeyNickName
+-                                + ";to newMasterKeyName=" + newSelectedToken + ":" + newKeyNickName);
+-
+-                resp.setContentType("text/html");
+-
+-            } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file
+-
+-        } // ! missingParam
+-
+-        String value = "";
+-        String status = "0";
+-
+-        if (KeySetData != null && KeySetData.length > 1) {
+-            value = IRemoteRequest.RESPONSE_STATUS + "=0&" + IRemoteRequest.TKS_RESPONSE_KeySetData + "=" +
+-                    com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData);
+-            //CMS.debug("TokenServlet:process DiversifyKey.encode " + value);
+-            CMS.debug("TokenServlet:process DiversifyKey.encode returning KeySetData");
+-            // AC: KDF SPEC CHANGE - check for settings file issue (flag)
+-        } else if (missingSetting_exception != null) {
+-            status = "6";
+-            errorMsg = "Problem reading required configuration value.";
+-            value = "status=" + status;
+-        } else if (missingParam) {
+-            status = "3";
+-            if (badParams.endsWith(",")) {
+-                badParams = badParams.substring(0, badParams.length() - 1);
+-            }
+-            errorMsg = "Missing input parameters: " + badParams;
+-            value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
+-        } else {
+-            errorMsg = "Problem diversifying key data.";
+-            status = "1";
+-            value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
+-        }
+-
+-        resp.setContentLength(value.length());
+-        CMS.debug("TokenServlet:outputString.length " + value.length());
+-
+-        try {
+-            OutputStream ooss = resp.getOutputStream();
+-            ooss.write(value.getBytes());
+-            ooss.flush();
+-            mRenderResult = false;
+-        } catch (Exception e) {
+-            CMS.debug("TokenServlet:process DiversifyKey: " + e.toString());
+-        }
+-
+-        if (status.equals("0")) {
+-
+-            // AC: KDF SPEC CHANGE - Log both CUID and KDD
+-            //                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+-            //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
+-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+-                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+-                    ILogger.SUCCESS, // Outcome
+-                    status, // status
+-                    agentId, // AgentID
+-
+-                    // AC: BUGFIX:  Record the actual parameters to DiversifyKey in the audit log.
+-                    oldKeyNickName, // oldMasterKeyName
+-                    newKeyNickName, // newMasterKeyName
+-
+-                    keySet, // TKSKeyset
+-                    log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion
+-                    log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion
+-                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+-                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
+-            };
+-            auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams);
+-        } else {
+-            // AC: KDF SPEC CHANGE - Log both CUID and KDD
+-            //                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+-            //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
+-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+-                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+-                    ILogger.FAILURE, // Outcome
+-                    status, // status
+-                    agentId, // AgentID
+-
+-                    // AC: BUGFIX:  Record the actual parameters to DiversifyKey in the audit log.
+-                    oldKeyNickName, // oldMasterKeyName
+-                    newKeyNickName, // newMasterKeyName
+-
+-                    keySet, // TKSKeyset
+-                    log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion
+-                    log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion
+-                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+-                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
+-                    errorMsg // Error
+-            };
+-            auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams);
+-        }
+-
+-        audit(auditMessage);
+-    }
+-
+-    private void processEncryptData(HttpServletRequest req,
+-            HttpServletResponse resp) throws EBaseException {
+-        byte[] keyInfo, xCUID, encryptedData, xkeyInfo, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
+-
+-        // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
+-        byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
+-        boolean nistSP800_108KdfUseCuidAsKdd = false;
+-
+-        // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
+-        Exception missingSetting_exception = null;
+-
+-        boolean missingParam = false;
+-        byte[] data = null;
+-        boolean isRandom = true; // randomly generate the data to be encrypted
+-
+-        String errorMsg = "";
+-        String badParams = "";
+-        IConfigStore sconfig = CMS.getConfigStore();
+-        encryptedData = null;
+-        String rdata = req.getParameter(IRemoteRequest.TOKEN_DATA);
+-        String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
+-        String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
+-
+-        String protocolValue = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL);
+-
+-        // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+-        String rKDD = req.getParameter("KDD");
+-        if ((rKDD == null) || (rKDD.length() == 0)) {
+-            // temporarily make it friendly before TPS change
+-            CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
+-            rKDD = rCUID;
+-        }
+-
+-        String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
+-        if (keySet == null || keySet.equals("")) {
+-            keySet = "defKeySet";
+-        }
+-
+-        SessionContext sContext = SessionContext.getContext();
+-
+-        String agentId = "";
+-        if (sContext != null) {
+-            agentId =
+-                    (String) sContext.get(SessionContext.USER_ID);
+-        }
+-
+-        CMS.debug("keySet selected: " + keySet);
+-
+-        String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true");
+-        if (s_isRandom.equalsIgnoreCase("false")) {
+-            CMS.debug("TokenServlet: processEncryptData(): Random number not to be generated");
+-            isRandom = false;
+-        } else {
+-            CMS.debug("TokenServlet: processEncryptData(): Random number generation required");
+-            isRandom = true;
+-        }
+-
+-        // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID
+-        String auditMessage = CMS.getLogMessage(
+-                AuditEvent.ENCRYPT_DATA_REQUEST,
+-                rCUID,
+-                rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+-                ILogger.SUCCESS,
+-                agentId,
+-                s_isRandom);
+-        audit(auditMessage);
+-
+-        GPParams gp3Params = readGPSettings(keySet);
+-
+-        if (isRandom) {
+-            if ((rdata == null) || (rdata.equals(""))) {
+-                CMS.debug("TokenServlet: processEncryptData(): no data in request.  Generating random number as data");
+-            } else {
+-                CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. Generating...");
+-            }
+-            try {
+-                SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
+-                data = new byte[16];
+-                random.nextBytes(data);
+-            } catch (Exception e) {
+-                CMS.debug("TokenServlet: processEncryptData():" + e.toString());
+-                badParams += " Random Number,";
+-                missingParam = true;
+-            }
+-        } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))) {
+-            CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data.");
+-            badParams += " data,";
+-            missingParam = true;
+-        }
+-
+-        if ((rCUID == null) || (rCUID.equals(""))) {
+-            badParams += " CUID,";
+-            CMS.debug("TokenServlet: processEncryptData(): missing request parameter: CUID");
+-            missingParam = true;
+-        }
+-
+-        // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+-        if ((rKDD == null) || (rKDD.length() == 0)) {
+-            CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD");
+-            badParams += " KDD,";
+-            missingParam = true;
+-        }
+-
+-        if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
+-            badParams += " KeyInfo,";
+-            CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info");
+-            missingParam = true;
+-        }
+-
+-        // AC: KDF SPEC CHANGE
+-        xCUID = null; // avoid errors about non-initialization
+-        xKDD = null; // avoid errors about non-initialization
+-        xkeyInfo = null; // avoid errors about non-initialization
+-
+-        if (!missingParam) {
+-            xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
+-            if (xCUID == null || xCUID.length != 10) {
+-                badParams += " CUID length,";
+-                CMS.debug("TokenServlet: Invalid CUID length");
+-                missingParam = true;
+-            }
+-
+-            // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+-            xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
+-            if (xKDD == null || xKDD.length != 10) {
+-                badParams += " KDD length,";
+-                CMS.debug("TokenServlet: Invalid KDD length");
+-                missingParam = true;
+-            }
+-
+-            xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
+-            if (xkeyInfo == null || (xkeyInfo.length != 2 && xkeyInfo.length != 3)) {
+-                badParams += " KeyInfo length,";
+-                CMS.debug("TokenServlet: Invalid key info length");
+-                missingParam = true;
+-            }
+-        }
+-
+-        String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
+-        if (!useSoftToken_s.equalsIgnoreCase("true"))
+-            useSoftToken_s = "false";
+-
+-        String selectedToken = null;
+-        String keyNickName = null;
+-        if (!missingParam) {
+-
+-            // AC: KDF SPEC CHANGE - read new config file values (needed for symkey
+-            try {
+-                nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
+-                nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
+-
+-                // log settings read in to debug log along with xkeyInfo
+-                CMS.debug("TokenServlet: processEncryptData():  xkeyInfo[0] = 0x"
+-                        + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF)
+-                        + ",  xkeyInfo[1] = 0x"
+-                        + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF)
+-                        );
+-                CMS.debug("TokenServlet: processEncryptData():  Nist SP800-108 KDF will be used for key versions >= 0x"
+-                        + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
+-                        );
+-                if (nistSP800_108KdfUseCuidAsKdd == true) {
+-                    CMS.debug("TokenServlet: processEncryptData():  Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
+-                } else {
+-                    CMS.debug("TokenServlet: processEncryptData():  Nist SP800-108 KDF (if used) will use KDD.");
+-                }
+-                // conform to the set-an-error-flag mentality
+-            } catch (Exception e) {
+-                missingSetting_exception = e;
+-                CMS.debug("TokenServlet: processEncryptData():  Exception reading Nist SP800-108 KDF config values: "
+-                        + e.toString());
+-            }
+-
+-            if (!isRandom)
+-                data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata);
+-            keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
+-
+-            String keyInfoMap = "tks." + keySet + ".mk_mappings." +  rKeyInfo.substring(0,6);
+-            String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
+-            if (mappingValue == null) {
+-                selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
+-                keyNickName = rKeyInfo;
+-            } else {
+-                StringTokenizer st = new StringTokenizer(mappingValue, ":");
+-                selectedToken = st.nextToken();
+-                keyNickName = st.nextToken();
+-            }
+-
+-
+-            //calculate the protocol
+-
+-            int protocolInt = SecureChannelProtocol.PROTOCOL_ONE;
+-            try
+-            {
+-                 protocolInt = Integer.parseInt(protocolValue);
+-            }
+-            catch (NumberFormatException nfe)
+-            {
+-                protocolInt = SecureChannelProtocol.PROTOCOL_ONE;
+-            }
+-
+-            CMS.debug( "TokenServerlet.encryptData: protocol input: " + protocolInt);
+-
+-            //Check for reasonable sanity, leave room for future versions
+-            if(protocolInt <= 0 || protocolInt > 20) {
+-                CMS.debug( "TokenServerlet.encryptData: unfamliar protocl, assume default of 1.");
+-                protocolInt = 1;
+-
+-            }
+-
+-            byte kekKeyArray[] =
+-                    com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key"));
+-            // AC: KDF SPEC CHANGE - check for error reading settings
+-            if (missingSetting_exception == null) {
+-
+-
+-                SecureChannelProtocol protocol = new SecureChannelProtocol(protocolInt);
+-
+-                if (protocolInt != SecureChannelProtocol.PROTOCOL_THREE) {
+-
+-                    encryptedData = protocol.encryptData(
+-                            selectedToken, keyNickName, data, keyInfo,
+-                            nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value
+-                            nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value
+-                            xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID'
+-                            xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use
+-                            kekKeyArray, useSoftToken_s, keySet);
+-
+-                } else {
+-
+-                    encryptedData = protocol.encryptData_SCP03(selectedToken, keyNickName, data, xkeyInfo,
+-                            nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, kekKeyArray,
+-                            useSoftToken_s, keySet,gp3Params);
+-
+-                }
+-
+-                SecureChannelProtocol.debugByteArray(encryptedData, "New Encrypt Data: ");
+-
+-                // AC: KDF SPEC CHANGE - Log both CUID and KDD
+-
+-                CMS.getLogger().log(ILogger.EV_AUDIT,
+-                        ILogger.S_TKS,
+-                        ILogger.LL_INFO, "process EncryptData for CUID=" +
+-                                trim(pp.toHexString(xCUID)) +
+-                                ", KDD=" +
+-                                trim(pp.toHexString(xKDD)));
+-
+-            } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file
+-
+-        } // !missingParam
+-
+-        resp.setContentType("text/html");
+-
+-        String value = "";
+-        String status = "0";
+-        if (encryptedData != null && encryptedData.length > 0) {
+-            // sending both the pre-encrypted and encrypted data back
+-            value = IRemoteRequest.RESPONSE_STATUS + "=0&"
+-                    + IRemoteRequest.TOKEN_DATA + "=" +
+-                    com.netscape.cmsutil.util.Utils.SpecialEncode(data) +
+-                    "&" + IRemoteRequest.TKS_RESPONSE_EncryptedData + "=" +
+-                    com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData);
+-            // AC: KDF SPEC CHANGE - check for settings file issue (flag)
+-        } else if (missingSetting_exception != null) {
+-            status = "6";
+-            errorMsg = "Problem reading required configuration value.";
+-            value = "status=" + status;
+-        } else if (missingParam) {
+-            if (badParams.endsWith(",")) {
+-                badParams = badParams.substring(0, badParams.length() - 1);
+-            }
+-            errorMsg = "Missing input parameters: " + badParams;
+-            status = "3";
+-            value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
+-        } else {
+-            errorMsg = "Problem encrypting data.";
+-            status = "1";
+-            value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
+-        }
+-
+-        //CMS.debug("TokenServlet:process EncryptData.encode " + value);
+-
+-        try {
+-            resp.setContentLength(value.length());
+-            CMS.debug("TokenServlet:outputString.lenght " + value.length());
+-
+-            OutputStream ooss = resp.getOutputStream();
+-            ooss.write(value.getBytes());
+-            ooss.flush();
+-            mRenderResult = false;
+-        } catch (Exception e) {
+-            CMS.debug("TokenServlet: " + e.toString());
+-        }
+-
+-        if (status.equals("0")) {
+-            // AC: KDF SPEC CHANGE - Log both CUID and KDD
+-            //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+-            //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
+-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+-                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+-                    ILogger.SUCCESS, // Outcome
+-                    status, // status
+-                    agentId, // AgentID
+-                    s_isRandom, // isRandom
+-                    selectedToken, // SelectedToken
+-                    keyNickName, // KeyNickName
+-                    keySet, // TKSKeyset
+-                    log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
+-                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+-                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
+-            };
+-            auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams);
+-        } else {
+-            // AC: KDF SPEC CHANGE - Log both CUID and KDD
+-            //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+-            //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
+-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+-                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+-                    ILogger.FAILURE, // Outcome
+-                    status, // status
+-                    agentId, // AgentID
+-                    s_isRandom, // isRandom
+-                    selectedToken, // SelectedToken
+-                    keyNickName, // KeyNickName
+-                    keySet, // TKSKeyset
+-                    log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
+-                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+-                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
+-                    errorMsg // Error
+-            };
+-            auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams);
+-        }
+-
+-        audit(auditMessage);
+-    }
+-
+-    /*
+-     *   For EncryptData:
+-     *   data=value1
+-     *   CUID=value2 // missing from RA
+-     *   versionID=value3  // missing from RA
+-     *
+-     *   For ComputeSession:
+-     *   card_challenge=value1
+-     *   host_challenge=value2
+-
+-     *   For DiversifyKey:
+-     *   new_master_key_index
+-     *   master_key_index
+-     */
+-
+-    private void processComputeRandomData(HttpServletRequest req,
+-            HttpServletResponse resp) throws EBaseException {
+-
+-        byte[] randomData = null;
+-        String status = "0";
+-        String errorMsg = "";
+-        String badParams = "";
+-        boolean missingParam = false;
+-        int dataSize = 0;
+-
+-        CMS.debug("TokenServlet::processComputeRandomData");
+-
+-        SessionContext sContext = SessionContext.getContext();
+-
+-        String agentId = "";
+-        if (sContext != null) {
+-            agentId =
+-                    (String) sContext.get(SessionContext.USER_ID);
+-        }
+-
+-        String sDataSize = req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES);
+-
+-        if (sDataSize == null || sDataSize.equals("")) {
+-            CMS.debug("TokenServlet::processComputeRandomData missing param dataNumBytes");
+-            badParams += " Random Data size, ";
+-            missingParam = true;
+-            status = "1";
+-        } else {
+-            try {
+-                dataSize = Integer.parseInt(sDataSize.trim());
+-            } catch (NumberFormatException nfe) {
+-                CMS.debug("TokenServlet::processComputeRandomData invalid data size input!");
+-                badParams += " Random Data size, ";
+-                missingParam = true;
+-                status = "1";
+-            }
+-
+-        }
+-
+-        CMS.debug("TokenServlet::processComputeRandomData data size requested: " + dataSize);
+-
+-        String auditMessage = CMS.getLogMessage(
+-                AuditEvent.COMPUTE_RANDOM_DATA_REQUEST,
+-                ILogger.SUCCESS,
+-                agentId);
+-
+-        audit(auditMessage);
+-
+-        if (!missingParam) {
+-            try {
+-                SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
+-                randomData = new byte[dataSize];
+-                random.nextBytes(randomData);
+-            } catch (Exception e) {
+-                CMS.debug("TokenServlet::processComputeRandomData:" + e.toString());
+-                errorMsg = "Can't generate random data!";
+-                status = "2";
+-            }
+-        }
+-
+-        String randomDataOut = "";
+-        if (status.equals("0")) {
+-            if (randomData != null && randomData.length == dataSize) {
+-                randomDataOut =
+-                        com.netscape.cmsutil.util.Utils.SpecialEncode(randomData);
+-            } else {
+-                status = "2";
+-                errorMsg = "Can't convert random data!";
+-            }
+-        }
+-
+-        if (status.equals("1") && missingParam) {
+-
+-            if (badParams.endsWith(",")) {
+-                badParams = badParams.substring(0, badParams.length() - 1);
+-            }
+-            errorMsg = "Missing input parameters :" + badParams;
+-        }
+-
+-        resp.setContentType("text/html");
+-        String value = "";
+-
+-        value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
+-        if (status.equals("0")) {
+-            value = value + "&" + IRemoteRequest.TKS_RESPONSE_RandomData + "=" + randomDataOut;
+-        }
+-
+-        try {
+-            resp.setContentLength(value.length());
+-            CMS.debug("TokenServler::processComputeRandomData :outputString.length " + value.length());
+-
+-            OutputStream ooss = resp.getOutputStream();
+-            ooss.write(value.getBytes());
+-            ooss.flush();
+-            mRenderResult = false;
+-        } catch (Exception e) {
+-            CMS.debug("TokenServlet::processComputeRandomData " + e.toString());
+-        }
+-
+-        if (status.equals("0")) {
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,
+-                    ILogger.SUCCESS,
+-                    status,
+-                    agentId);
+-        } else {
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,
+-                    ILogger.FAILURE,
+-                    status,
+-                    agentId,
+-                    errorMsg);
+-        }
+-
+-        audit(auditMessage);
+-    }
+-
+-    public void process(CMSRequest cmsReq) throws EBaseException {
+-        HttpServletRequest req = cmsReq.getHttpReq();
+-        HttpServletResponse resp = cmsReq.getHttpResp();
+-
+-        IAuthToken authToken = authenticate(cmsReq);
+-        AuthzToken authzToken = null;
+-
+-        mCurrentUID = (String) authToken.get(IAuthToken.UID) ;
+-
+-        try {
+-            authzToken = authorize(mAclMethod, authToken,
+-                    mAuthzResourceName, "execute");
+-        } catch (Exception e) {
+-        }
+-
+-        if (authzToken == null) {
+-
+-            try {
+-                resp.setContentType("text/html");
+-                String value = "unauthorized=";
+-                CMS.debug("TokenServlet: Unauthorized");
+-
+-                resp.setContentLength(value.length());
+-                OutputStream ooss = resp.getOutputStream();
+-                ooss.write(value.getBytes());
+-                ooss.flush();
+-                mRenderResult = false;
+-            } catch (Exception e) {
+-                CMS.debug("TokenServlet: " + e.toString());
+-            }
+-
+-            //       cmsReq.setStatus(CMSRequest.UNAUTHORIZED);
+-            return;
+-        }
+-
+-        String temp = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE);
+-        String protocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL);
+-        String derivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT);
+-        //CMS.debug("Protocol: " + protocol + " temp: " + temp);
+-
+-        setDefaultSlotAndKeyName(req);
+-        if (temp != null && protocol == null) {
+-            processComputeSessionKey(req, resp);
+-        } else if (req.getParameter(IRemoteRequest.TOKEN_DATA) != null) {
+-            processEncryptData(req, resp);
+-        } else if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) {
+-            processDiversifyKey(req, resp);
+-        } else if (req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES) != null) {
+-            processComputeRandomData(req, resp);
+-        } else if (protocol != null && protocol.contains("2") && (derivationConstant != null)) {
+-            //SCP02 compute one session key.
+-            processComputeSessionKeySCP02(req, resp);
+-
+-        }  else if (protocol != null && protocol.contains("3") ) {
+-            processComputeSessionKeysSCP03(req,resp);
+-        } else {
+-            throw new EBaseException("Process: Can't decide upon function to call!");
+-        }
+-    }
+-
+-    //Create all the session keys for scp03 at once and return.
+-    //ToDo: calcualte the optional rmac key
+-    private void processComputeSessionKeysSCP03(HttpServletRequest req, HttpServletResponse resp) throws EBaseException {
+-        String method = "processComputeSessionKeysSCP03:";
+-        CMS.debug(method + " entering ...");
+-
+-        byte[] card_challenge, host_challenge, xCUID, xKDD;
+-        byte[] card_crypto, host_cryptogram, input_card_crypto;
+-        byte[] xcard_challenge, xhost_challenge;
+-        byte[] enc_session_key, xkeyInfo,mac_session_key, kek_session_key;
+-        String auditMessage = null;
+-        String errorMsg = "";
+-        String badParams = "";
+-        String transportKeyName = "";
+-        String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
+-
+-        String rKDD = req.getParameter("KDD");
+-        if ((rKDD == null) || (rKDD.length() == 0)) {
+-            // KDF phase1: default to rCUID if not present
+-            CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
+-            rKDD = rCUID;
+-        }
+-
+-        String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
+-        if (keySet == null || keySet.equals("")) {
+-            keySet = "defKeySet";
+-        }
+-        CMS.debug("keySet selected: " + keySet);
+-
+-        GPParams gp3Params = readGPSettings(keySet);
+-
+-        boolean serversideKeygen = false;
+-
+-        IConfigStore sconfig = CMS.getConfigStore();
+-        boolean isCryptoValidate = true;
+-        boolean missingParam = false;
+-
+-        Exception missingSetting_exception = null;
+-
+-        mac_session_key = null;
+-        kek_session_key = null;
+-        card_crypto = null;
+-        host_cryptogram = null;
+-        enc_session_key = null;
+-
+-        SessionContext sContext = SessionContext.getContext();
+-
+-        String agentId = "";
+-        if (sContext != null) {
+-            agentId =
+-                    (String) sContext.get(SessionContext.USER_ID);
+-        }
+-
+-        auditMessage = CMS.getLogMessage(
+-                AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
+-                rCUID,
+-                rKDD,
+-                ILogger.SUCCESS,
+-                agentId);
+-
+-        audit(auditMessage);
+-
+-        String kek_wrapped_desKeyString = null;
+-        String keycheck_s = null;
+-
+-        String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
+-        if (!useSoftToken_s.equalsIgnoreCase("true"))
+-            useSoftToken_s = "false";
+-
+-        CMS.debug(method + " useSoftToken: " + useSoftToken_s);
+-
+-        String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN);
+-        if (rServersideKeygen.equals("true")) {
+-
+-            serversideKeygen = true;
+-        }
+-
+-        CMS.debug(method + " serversideKeygen: " + serversideKeygen);
+-
+-        try {
+-            isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true);
+-        } catch (EBaseException eee) {
+-        }
+-
+-        CMS.debug(method + " Do crypto validation: " + isCryptoValidate);
+-
+-        transportKeyName = getSharedSecretName(sconfig);
+-
+-        String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE);
+-        String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE);
+-        String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
+-        String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM);
+-
+-        if ((rCUID == null) || (rCUID.equals(""))) {
+-            CMS.debug(method + " missing request parameter: CUID");
+-            badParams += " CUID,";
+-            missingParam = true;
+-        }
+-
+-        if ((rKDD == null) || (rKDD.length() == 0)) {
+-            CMS.debug(method + " missing request parameter: KDD");
+-            badParams += " KDD,";
+-            missingParam = true;
+-        }
+-
+-        if ((rcard_challenge == null) || (rcard_challenge.equals(""))) {
+-            badParams += " card_challenge,";
+-            CMS.debug(method + " missing request parameter: card challenge");
+-            missingParam = true;
+-        }
+-
+-        if ((rhost_challenge == null) || (rhost_challenge.equals(""))) {
+-            badParams += " host_challenge,";
+-            CMS.debug(method + " missing request parameter: host challenge");
+-            missingParam = true;
+-        }
+-
+-        if ((rcard_cryptogram == null) || (rcard_cryptogram.equals(""))) {
+-            badParams += " card_cryptogram,";
+-            CMS.debug(method + " missing request parameter: card_cryptogram");
+-            missingParam = true;
+-        }
+-
+-        if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
+-            badParams += " KeyInfo,";
+-            CMS.debug(method + "missing request parameter: key info");
+-            missingParam = true;
+-        }
+-
+-        String selectedToken = null;
+-        String keyNickName = null;
+-        boolean sameCardCrypto = true;
+-
+-        xCUID = null;
+-        xKDD = null;
+-        xkeyInfo = null;
+-        xcard_challenge = null;
+-        xhost_challenge = null;
+-
+-        if (!missingParam) {
+-            xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
+-            if (xCUID == null || xCUID.length != 10) {
+-                badParams += " CUID length,";
+-                CMS.debug("TokenServlet: Invalid CUID length");
+-                missingParam = true;
+-            }
+-
+-            xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
+-            if (xKDD == null || xKDD.length != 10) {
+-                badParams += " KDD length,";
+-                CMS.debug("TokenServlet: Invalid KDD length");
+-                missingParam = true;
+-            }
+-
+-            xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
+-            if (xkeyInfo == null || xkeyInfo.length != 3) {
+-                badParams += " KeyInfo length,";
+-                CMS.debug("TokenServlet: Invalid key info length.");
+-                missingParam = true;
+-            }
+-            xcard_challenge =
+-                    com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
+-            if (xcard_challenge == null || xcard_challenge.length != 8) {
+-                badParams += " card_challenge length,";
+-                CMS.debug("TokenServlet: Invalid card challenge length.");
+-                missingParam = true;
+-            }
+-
+-            xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
+-            if (xhost_challenge == null || xhost_challenge.length != 8) {
+-                badParams += " host_challenge length,";
+-                CMS.debug("TokenServlet: Invalid host challenge length");
+-                missingParam = true;
+-            }
+-        }
+-
+-        ArrayList<String> serverSideValues = null;
+-
+-        if (!missingParam) {
+-            card_challenge =
+-                    com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
+-
+-            host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
+-
+-            String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo.substring(0,6); //#xx#xx
+-            String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
+-
+-
+-            if (mappingValue == null) {
+-                selectedToken =
+-                        CMS.getConfigStore().getString("tks.defaultSlot", "internal");
+-                keyNickName = rKeyInfo;
+-            } else {
+-                StringTokenizer st = new StringTokenizer(mappingValue, ":");
+-                if (st.hasMoreTokens())
+-                    selectedToken = st.nextToken();
+-                if (st.hasMoreTokens())
+-                    keyNickName = st.nextToken();
+-            }
+-
+-            CMS.debug(method + " selectedToken: " + selectedToken + " keyNickName: " + keyNickName );
+-
+-            SymmetricKey macSessionKey = null;
+-            SymmetricKey encSessionKey = null;
+-            SymmetricKey kekSessionKey = null;
+-
+-            if (selectedToken != null && keyNickName != null
+-                    && missingSetting_exception == null) {
+-
+-                try {
+-
+-                    byte macKeyArray[] =
+-                            com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+-                                    + keySet + ".mac_key"));
+-                    CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken="
+-                            + selectedToken + " keyNickName=" + keyNickName);
+-
+-                    SecureChannelProtocol protocol = new SecureChannelProtocol(SecureChannelProtocol.PROTOCOL_THREE);
+-
+-                    macSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo,
+-                            SecureChannelProtocol.macType, macKeyArray, keySet,xCUID, xKDD, xhost_challenge, xcard_challenge,
+-                            transportKeyName,gp3Params);
+-
+-                    mac_session_key = protocol.wrapSessionKey(selectedToken, macSessionKey, null);
+-
+-                    if (mac_session_key == null) {
+-                        CMS.debug(method + " Can't get mac session key bytes");
+-                        throw new Exception(method + " Can't get mac session key bytes");
+-
+-                    }
+-
+-                    byte encKeyArray[] =
+-                            com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+-                                    + keySet + ".auth_key"));
+-
+-                    encSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo,
+-                            SecureChannelProtocol.encType, encKeyArray, keySet, xCUID, xKDD, xhost_challenge, xcard_challenge,
+-                            transportKeyName,gp3Params);
+-
+-                    enc_session_key = protocol.wrapSessionKey(selectedToken, encSessionKey, null);
+-
+-                    if (enc_session_key == null) {
+-                        CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL ");
+-                        throw new Exception("Can't compute enc session key!");
+-
+-                    }
+-
+-                    byte kekKeyArray[] =
+-                            com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+-                                    + keySet + ".kek_key"));
+-
+-                    kekSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName, xkeyInfo,
+-                            SecureChannelProtocol.kekType, kekKeyArray, keySet, xCUID, xKDD, xhost_challenge,
+-                            xcard_challenge,
+-                            transportKeyName,gp3Params);
+-
+-                    kek_session_key = protocol.wrapSessionKey(selectedToken, kekSessionKey, null);
+-
+-
+-                    //Offload some of the tedious params gathering to another method
+-                    //ToDo, create a method that reads all this stuff at once for all major methods
+-                    if (serversideKeygen) {
+-                        try {
+-                            serverSideValues = calculateServerSideKeygenValues(useSoftToken_s, selectedToken,
+-                                    kekSessionKey, protocol);
+-                        } catch (EBaseException e) {
+-
+-                            CMS.debug(method + " Can't calcualte server side keygen required values...");
+-
+-                        }
+-                    }
+-
+-                    try {
+-                        isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true);
+-                    } catch (EBaseException eee) {
+-                    }
+-
+-                    ByteArrayOutputStream contextStream = new ByteArrayOutputStream();
+-                    try {
+-                        contextStream.write(host_challenge);
+-                        contextStream.write(card_challenge);
+-                    } catch (IOException e) {
+-                        throw new EBaseException(method + " Error calculating derivation data!");
+-                    }
+-
+-                    host_cryptogram = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.HOST_CRYPTO_KDF_CONSTANT);
+-                    SecureChannelProtocol.debugByteArray(host_cryptogram, method + " calculated host crypto: " + host_cryptogram.length);
+-
+-
+-                   if( isCryptoValidate) {
+-                       if (rcard_cryptogram == null) {
+-                           CMS.debug(method + " missing card cryptogram");
+-                           throw new Exception(method + "Missing card cryptogram");
+-                       }
+-                       input_card_crypto =
+-                               com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram);
+-                       card_crypto = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.CARD_CRYPTO_KDF_CONSTANT);
+-                       SecureChannelProtocol.debugByteArray(card_crypto, method + " calculated card crypto: ");
+-                       SecureChannelProtocol.debugByteArray(input_card_crypto, method + " original card crypto: ");
+-
+-                       if(!cryptoGramsAreEqual(input_card_crypto, card_crypto)) {
+-                           throw new Exception(method + "Card cryptogram mismatch!");
+-                       }
+-
+-                   }
+-                } catch (Exception e) {
+-                    CMS.debug(e);
+-                    CMS.debug("TokenServlet Computing Session Key: " + e.toString());
+-                    if (isCryptoValidate)
+-                        sameCardCrypto = false;
+-                }
+-            }
+-        } // ! missingParam
+-
+-        String value = "";
+-
+-        resp.setContentType("text/html");
+-
+-        String encSessionKeyString = "";
+-        String macSessionKeyString = "";
+-        String kekSessionKeyString = "";
+-
+-        String drm_trans_wrapped_desKeyString = "";
+-        String cryptogram = "";
+-        String status = "0";
+-
+-        if (enc_session_key != null && enc_session_key.length > 0) {
+-            encSessionKeyString =
+-                    com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key);
+-        } else {
+-            status = "1";
+-        }
+-
+-        if (mac_session_key != null && mac_session_key.length > 0) {
+-            macSessionKeyString =
+-                    com.netscape.cmsutil.util.Utils.SpecialEncode(mac_session_key);
+-        } else {
+-            status = "1";
+-        }
+-
+-        if (kek_session_key != null && kek_session_key.length > 0) {
+-            kekSessionKeyString =
+-                    com.netscape.cmsutil.util.Utils.SpecialEncode(kek_session_key);
+-        } else {
+-            status = "1";
+-        }
+-
+-        if (serversideKeygen == true) {
+-            if (serverSideValues.size() == 3) {
+-                drm_trans_wrapped_desKeyString = serverSideValues.get(2);
+-                kek_wrapped_desKeyString = serverSideValues.get(0);
+-                keycheck_s = serverSideValues.get(1);
+-            }
+-            else {
+-                status = "1";
+-            }
+-        }
+-
+-        if (host_cryptogram != null && host_cryptogram.length > 0) {
+-            cryptogram =
+-                    com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram);
+-        } else {
+-            if (status.equals("0") == true) {
+-                status = "2";
+-            }
+-        }
+-
+-        if (selectedToken == null || keyNickName == null) {
+-            // AC: Bugfix: Don't override status's value if an error was already flagged
+-            if (status.equals("0") == true) {
+-                status = "4";
+-            }
+-        }
+-
+-        if (!sameCardCrypto) {
+-            if (status.equals("0") == true) {
+-                status = "5";
+-            }
+-        }
+-
+-        if (missingSetting_exception != null) {
+-            status = "6";
+-        }
+-
+-        if (missingParam) {
+-            status = "3";
+-        }
+-
+-        if (!status.equals("0")) {
+-
+-            if (status.equals("1")) {
+-                errorMsg = "Problem generating session key info.";
+-            }
+-
+-            if (status.equals("2")) {
+-                errorMsg = "Problem creating host_cryptogram.";
+-            }
+-
+-            if (status.equals("5")) {
+-                errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys.";
+-            }
+-
+-            if (status.equals("4")) {
+-                errorMsg = "Problem obtaining token information.";
+-            }
+-
+-            if (status.equals("6")) {
+-                errorMsg = "Problem reading required configuration value.";
+-            }
+-
+-            if (status.equals("3")) {
+-                if (badParams.endsWith(",")) {
+-                    badParams = badParams.substring(0, badParams.length() - 1);
+-                }
+-                errorMsg = "Missing input parameters :" + badParams;
+-            }
+-
+-            value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
+-        } else {
+-            if (serversideKeygen == true) {
+-                StringBuffer sb = new StringBuffer();
+-                sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
+-                sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "=");
+-                sb.append(macSessionKeyString);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
+-                sb.append(cryptogram);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
+-                sb.append(encSessionKeyString);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "=");
+-                sb.append(kekSessionKeyString);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "=");
+-                sb.append(kek_wrapped_desKeyString);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "=");
+-                sb.append(keycheck_s);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "=");
+-                sb.append(drm_trans_wrapped_desKeyString);
+-                value = sb.toString();
+-            } else {
+-                StringBuffer sb = new StringBuffer();
+-                sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
+-                sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "=");
+-                sb.append(macSessionKeyString);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
+-                sb.append(cryptogram);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
+-                sb.append(encSessionKeyString);
+-                sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "=");
+-                value = sb.toString();
+-            }
+-
+-        }
+-        //CMS.debug(method + "outputString.encode " + value);
+-
+-        try {
+-            resp.setContentLength(value.length());
+-            CMS.debug("TokenServlet:outputString.length " + value.length());
+-            OutputStream ooss = resp.getOutputStream();
+-            ooss.write(value.getBytes());
+-            ooss.flush();
+-            mRenderResult = false;
+-        } catch (IOException e) {
+-            CMS.debug("TokenServlet: " + e.toString());
+-        }
+-
+-        if (status.equals("0")) {
+-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+-                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+-                    ILogger.SUCCESS, // Outcome
+-                    status, // status
+-                    agentId, // AgentID
+-                    isCryptoValidate ? "true" : "false", // IsCryptoValidate
+-                    serversideKeygen ? "true" : "false", // IsServerSideKeygen
+-                    selectedToken, // SelectedToken
+-                    keyNickName, // KeyNickName
+-                    keySet, // TKSKeyset
+-                    log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
+-            };
+-            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
+-                    logParams);
+-
+-        } else {
+-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+-                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+-                    ILogger.FAILURE, // Outcome
+-                    status, // status
+-                    agentId, // AgentID
+-                    isCryptoValidate ? "true" : "false", // IsCryptoValidate
+-                    serversideKeygen ? "true" : "false", // IsServerSideKeygen
+-                    selectedToken, // SelectedToken
+-                    keyNickName, // KeyNickName
+-                    keySet, // TKSKeyset
+-                    log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
+-                    errorMsg // Error
+-            };
+-            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+-                    logParams);
+-
+-        }
+-
+-        audit(auditMessage);
+-
+-    }
+-
+-    /**
+-     * Serves HTTP admin request.
+-     *
+-     * @param req HTTP request
+-     * @param resp HTTP response
+-     */
+-    public void service(HttpServletRequest req, HttpServletResponse resp)
+-            throws ServletException, IOException {
+-        super.service(req, resp);
+-    }
+-
+-    private PK11SymKey getSharedSecretKey() throws EBaseException, NotInitializedException {
+-
+-        IConfigStore configStore = CMS.getConfigStore();
+-        String sharedSecretName = null;
+-        try {
+-
+-            sharedSecretName = getSharedSecretName(configStore);
+-
+-        } catch (EBaseException e) {
+-            throw new EBaseException("TokenServlet.getSharedSecetKey: Internal error finding config value: "
+-                    + e);
+-
+-        }
+-
+-        CMS.debug("TokenServlet.getSharedSecretTransportKey: calculated key name: " + sharedSecretName);
+-
+-        String symmKeys = null;
+-        boolean keyPresent = false;
+-        try {
+-            symmKeys = SessionKey.ListSymmetricKeys(CryptoUtil.INTERNAL_TOKEN_NAME);
+-            CMS.debug("TokenServlet.getSharedSecretTransportKey: symmKeys List: " + symmKeys);
+-        } catch (Exception e) {
+-            // TODO Auto-generated catch block
+-            CMS.debug(e);
+-        }
+-
+-        for (String keyName : symmKeys.split(",")) {
+-            if (sharedSecretName.equals(keyName)) {
+-                CMS.debug("TokenServlet.getSharedSecret: shared secret key found!");
+-                keyPresent = true;
+-                break;
+-            }
+-
+-        }
+-
+-        if (!keyPresent) {
+-            throw new EBaseException("TokenServlet.getSharedSecret: Can't find shared secret!");
+-        }
+-
+-        // We know for now that shared secret is on this token
+-        String tokenName = CryptoUtil.INTERNAL_TOKEN_FULL_NAME;
+-        PK11SymKey sharedSecret = SessionKey.GetSymKeyByName(tokenName, sharedSecretName);
+-
+-        CMS.debug("TokenServlet.getSharedSecret: SymKey returns: " + sharedSecret);
+-
+-        return sharedSecret;
+-
+-    }
+-
+-    //returns ArrayList of following values
+-    // 0 : Kek wrapped des key
+-    // 1 : keycheck value
+-    // 2 : trans wrapped des key
+-    private ArrayList<String> calculateServerSideKeygenValues(String useSoftToken, String selectedToken,
+-            SymmetricKey kekSessionKey, SecureChannelProtocol protocol) throws EBaseException {
+-
+-        SymmetricKey desKey = null;
+-        String method = "TokenServlet.calculateSErverSideKeygenValues: ";
+-        ArrayList<String> values = new ArrayList<String>();
+-
+-        /**
+-         * 0. generate des key
+-         * 1. encrypt des key with kek key
+-         * 2. encrypt des key with DRM transport key
+-         * These two wrapped items are to be sent back to
+-         * TPS. 2nd item is to DRM
+-         **/
+-        CMS.debug(method + " entering...");
+-
+-        // (1) generate DES key
+-        /* applet does not support DES3
+-        org.mozilla.jss.crypto.KeyGenerator kg =
+-            internalToken.getKeyGenerator(KeyGenAlgorithm.DES3);
+-            desKey = kg.generate();*/
+-
+-        /*
+-         * GenerateSymkey firt generates a 16 byte DES2 key.
+-         * It then pads it into a 24 byte key with last
+-         * 8 bytes copied from the 1st 8 bytes.  Effectively
+-         * making it a 24 byte DES2 key.  We need this for
+-         * wrapping private keys on DRM.
+-         */
+-        /*generate it on whichever token the master key is at*/
+-
+-        if (useSoftToken.equals("true")) {
+-            CMS.debug(method + " key encryption key generated on internal");
+-            desKey = protocol.generateSymKey("internal");
+-            //cfu audit here? sym key gen done
+-        } else {
+-            CMS.debug("TokenServlet: key encryption key generated on " + selectedToken);
+-            desKey = protocol.generateSymKey(selectedToken);
+-        }
+-        if (desKey == null) {
+-            throw new EBaseException(method + "can't generate key encryption key");
+-        }
+-
+-        /*
+-         * ECBencrypt actually takes the 24 byte DES2 key
+-         * and discard the last 8 bytes before it encrypts.
+-         * This is done so that the applet can digest it
+-         */
+-
+-
+-       // protocol.wrapSessionKey(tokenName, sessionKey, wrappingKey)
+-
+-        byte[] encDesKey = protocol.ecbEncrypt(kekSessionKey, desKey, selectedToken);
+-
+-        String kek_wrapped_desKeyString =
+-                com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey);
+-
+-        CMS.debug(method + "kek_wrapped_desKeyString: " + kek_wrapped_desKeyString);
+-
+-        values.add(kek_wrapped_desKeyString);
+-
+-        // get keycheck
+-
+-        byte[] keycheck = null;
+-
+-        keycheck = protocol.computeKeyCheck(desKey, selectedToken);
+-
+-        String keycheck_s =
+-                com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck);
+-
+-        CMS.debug(method + "keycheck_s " + keycheck_s);
+-
+-        values.add(keycheck_s);
+-
+-        //use DRM transport cert to wrap desKey
+-        String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", "");
+-
+-        if ((drmTransNickname == null) || (drmTransNickname == "")) {
+-            CMS.debug(method + " did not find DRM transport certificate nickname");
+-            throw new EBaseException(method + "can't find DRM transport certificate nickname");
+-        } else {
+-            CMS.debug(method + " drmtransport_cert_nickname=" + drmTransNickname);
+-        }
+-
+-        X509Certificate drmTransCert = null;
+-        try {
+-
+-            drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname);
+-            // wrap kek session key with DRM transport public key
+-            CryptoToken token = null;
+-            if (useSoftToken.equals("true")) {
+-                //token = CryptoManager.getInstance().getTokenByName(selectedToken);
+-                token = CryptoManager.getInstance().getInternalCryptoToken();
+-            } else {
+-                token = CryptoManager.getInstance().getTokenByName(selectedToken);
+-            }
+-            PublicKey pubKey = drmTransCert.getPublicKey();
+-            String pubKeyAlgo = pubKey.getAlgorithm();
+-            CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo);
+-            KeyWrapper keyWrapper = null;
+-            //For wrapping symmetric keys don't need IV, use ECB
+-            if (pubKeyAlgo.equals("EC")) {
+-                keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB);
+-                keyWrapper.initWrap(pubKey, null);
+-            } else {
+-                keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
+-                keyWrapper.initWrap(pubKey, null);
+-            }
+-            CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName());
+-            byte[] drm_trans_wrapped_desKey = keyWrapper.wrap(desKey);
+-
+-            String drmWrappedDesStr =
+-                    com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey);
+-
+-            CMS.debug(method + " drmWrappedDesStr: " + drmWrappedDesStr);
+-            values.add(drmWrappedDesStr);
+-
+-        } catch (Exception e) {
+-            throw new EBaseException(e);
+-        }
+-
+-        return values;
+-    }
+-
+-    private boolean cryptoGramsAreEqual(byte[] original_cryptogram, byte[] calculated_cryptogram) {
+-        boolean sameCardCrypto = true;
+-
+-        if (original_cryptogram == null || calculated_cryptogram == null) {
+-            return false;
+-        }
+-        if (original_cryptogram.length == calculated_cryptogram.length) {
+-            for (int i = 0; i < original_cryptogram.length; i++) {
+-                if (original_cryptogram[i] != calculated_cryptogram[i]) {
+-                    sameCardCrypto = false;
+-                    break;
+-                }
+-            }
+-        } else {
+-            // different length; must be different
+-            sameCardCrypto = false;
+-        }
+-
+-        return sameCardCrypto;
+-    }
+-
+-  //For now only used for scp03
+-
+-    static GPParams readGPSettings(String keySet) {
+-        GPParams params = new GPParams();
+-
+-        String method = "TokenServlet.readGPSettings: ";
+-        String gp3Settings = "tks." + keySet + ".prot3";
+-
+-        String divers = "emv";
+-        try {
+-            divers = CMS.getConfigStore().getString(gp3Settings + ".divers", "emv");
+-        } catch (EBaseException e) {
+-        }
+-
+-        params.setDiversificationScheme(divers);
+-
+-        CMS.debug(method + " Divers: " + divers);
+-
+-        String diversVer1Keys = "emv";
+-
+-        try {
+-            diversVer1Keys = CMS.getConfigStore().getString(gp3Settings + ".diversVer1Keys","emv");
+-        } catch (EBaseException e) {
+-        }
+-
+-        params.setVersion1DiversificationScheme(diversVer1Keys);
+-        CMS.debug(method + " Version 1 keys Divers: " + divers);
+-
+-        String keyType = null;
+-        try {
+-            keyType = CMS.getConfigStore().getString(gp3Settings + ".devKeyType","DES3");
+-        } catch (EBaseException e) {
+-        }
+-
+-        CMS.debug(method + " devKeyType: " + keyType);
+-
+-        params.setDevKeyType(keyType);
+-
+-        try {
+-            keyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType","DES3");
+-        } catch (EBaseException e) {
+-        }
+-
+-        params.setMasterKeyType(keyType);
+-
+-        CMS.debug(method + " masterKeyType: " + keyType);
+-
+-
+-        return params;
+-    }
+-
+-    private byte[] getDeveKeyArray(String keyType,IConfigStore sconfig,String keySet) throws EBaseException {
+-        byte devKeyArray[] = null;
+-        try {
+-            devKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
+-                    + keySet + "." + keyType));
+-        } catch (Exception e) {
+-            throw new EBaseException("Can't read static developer key array: " + keySet + ": " + keyType);
+-        }
+-
+-        return devKeyArray;
+-    }
+-
+-
+-}
+diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml
+index 18c85a3..ddbea88 100644
+--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml
++++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml
+@@ -108,7 +108,7 @@
+ 
+    <servlet>
+       <servlet-name>  tksEncryptData  </servlet-name>
+-      <servlet-class> com.netscape.cms.servlet.tks.TokenServlet  </servlet-class>
++      <servlet-class> org.dogtagpki.server.tks.servlet.TokenServlet  </servlet-class>
+              <init-param><param-name>  GetClientCert  </param-name>
+                          <param-value> true        </param-value> </init-param>
+              <init-param><param-name>  AuthzMgr    </param-name>
+@@ -125,7 +125,7 @@
+                                                                                 
+    <servlet>
+       <servlet-name>  tksCreateKeySetData  </servlet-name>
+-      <servlet-class> com.netscape.cms.servlet.tks.TokenServlet  </servlet-class>
++      <servlet-class> org.dogtagpki.server.tks.servlet.TokenServlet  </servlet-class>
+              <init-param><param-name>  GetClientCert  </param-name>
+                          <param-value> true        </param-value> </init-param>
+              <init-param><param-name>  AuthzMgr    </param-name>
+@@ -142,7 +142,7 @@
+ 
+    <servlet>
+       <servlet-name>  tksSessionKey  </servlet-name>
+-      <servlet-class> com.netscape.cms.servlet.tks.TokenServlet  </servlet-class>
++      <servlet-class> org.dogtagpki.server.tks.servlet.TokenServlet  </servlet-class>
+              <init-param><param-name>  GetClientCert  </param-name>
+                          <param-value> true        </param-value> </init-param>
+              <init-param><param-name>  AuthzMgr    </param-name>
+@@ -159,7 +159,7 @@
+ 
+    <servlet>
+       <servlet-name>  tksRandomData  </servlet-name>
+-      <servlet-class> com.netscape.cms.servlet.tks.TokenServlet  </servlet-class>
++      <servlet-class> org.dogtagpki.server.tks.servlet.TokenServlet  </servlet-class>
+              <init-param><param-name>  GetClientCert  </param-name>
+                          <param-value> true        </param-value> </init-param>
+              <init-param><param-name>  AuthzMgr    </param-name>
+diff --git a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
+new file mode 100644
+index 0000000..c8150a9
+--- /dev/null
++++ b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
+@@ -0,0 +1,3226 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2007 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package org.dogtagpki.server.tks.servlet;
++
++import java.io.ByteArrayOutputStream;
++import java.io.IOException;
++import java.io.OutputStream;
++import java.security.PublicKey;
++import java.security.SecureRandom;
++import java.util.ArrayList;
++import java.util.StringTokenizer;
++
++import javax.servlet.ServletConfig;
++import javax.servlet.ServletException;
++import javax.servlet.http.HttpServletRequest;
++import javax.servlet.http.HttpServletResponse;
++
++import org.dogtagpki.server.connector.IRemoteRequest;
++import org.mozilla.jss.CryptoManager;
++import org.mozilla.jss.CryptoManager.NotInitializedException;
++import org.mozilla.jss.crypto.CryptoToken;
++import org.mozilla.jss.crypto.KeyWrapAlgorithm;
++import org.mozilla.jss.crypto.KeyWrapper;
++import org.mozilla.jss.crypto.SymmetricKey;
++import org.mozilla.jss.crypto.X509Certificate;
++import org.mozilla.jss.pkcs11.PK11SymKey;
++
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.IAuthToken;
++import com.netscape.certsrv.authorization.AuthzToken;
++import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.base.IPrettyPrintFormat;
++import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++import com.netscape.cms.servlet.base.CMSServlet;
++import com.netscape.cms.servlet.common.CMSRequest;
++import com.netscape.cms.servlet.tks.GPParams;
++import com.netscape.cms.servlet.tks.NistSP800_108KDF;
++import com.netscape.cms.servlet.tks.SecureChannelProtocol;
++import com.netscape.cmsutil.crypto.CryptoUtil;
++import com.netscape.symkey.SessionKey;
++
++/**
++ * A class representings an administration servlet for Token Key
++ * Service Authority. This servlet is responsible to serve
++ * tks administrative operation such as configuration
++ * parameter updates.
++ *
++ * @version $Revision$, $Date$
++ */
++public class TokenServlet extends CMSServlet {
++    /**
++     *
++     */
++    private static final long serialVersionUID = 8687436109695172791L;
++    protected static final String PROP_ENABLED = "enabled";
++    protected static final String TRANSPORT_KEY_NAME = "sharedSecret";
++    private final static String INFO = "TokenServlet";
++    public static int ERROR = 1;
++    String mKeyNickName = null;
++    String mNewKeyNickName = null;
++    String mCurrentUID = null;
++    IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":");
++
++    // Derivation Constants for SCP02
++    public final static byte[] C_MACDerivationConstant = { (byte) 0x01, (byte) 0x01 };
++    public final static byte[] ENCDerivationConstant = { 0x01, (byte) 0x82 };
++    public final static byte[] DEKDerivationConstant = { 0x01, (byte) 0x81 };
++    public final static byte[] R_MACDerivationConstant = { 0x01, 0x02 };
++
++    /**
++     * Constructs tks servlet.
++     */
++    public TokenServlet() {
++        super();
++
++    }
++
++    public static String trim(String a) {
++        StringBuffer newa = new StringBuffer();
++        StringTokenizer tokens = new StringTokenizer(a, "\n");
++        while (tokens.hasMoreTokens()) {
++            newa.append(tokens.nextToken());
++        }
++        return newa.toString();
++    }
++
++    public void init(ServletConfig config) throws ServletException {
++        super.init(config);
++    }
++
++    /**
++     * Returns serlvet information.
++     *
++     * @return name of this servlet
++     */
++    public String getServletInfo() {
++        return INFO;
++    }
++
++    /**
++     * Process the HTTP request.
++     *
++     * @param s The URL to decode.
++     */
++    protected String URLdecode(String s) {
++        if (s == null)
++            return null;
++        ByteArrayOutputStream out = new ByteArrayOutputStream(s.length());
++
++        for (int i = 0; i < s.length(); i++) {
++            int c = s.charAt(i);
++
++            if (c == '+') {
++                out.write(' ');
++            } else if (c == '%') {
++                int c1 = Character.digit(s.charAt(++i), 16);
++                int c2 = Character.digit(s.charAt(++i), 16);
++
++                out.write((char) (c1 * 16 + c2));
++            } else {
++                out.write(c);
++            }
++        } // end for
++        return out.toString();
++    }
++
++    private void setDefaultSlotAndKeyName(HttpServletRequest req) {
++        try {
++
++            String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
++            if (keySet == null || keySet.equals("")) {
++                keySet = "defKeySet";
++            }
++            CMS.debug("keySet selected: " + keySet);
++
++            String masterKeyPrefix = CMS.getConfigStore().getString("tks.master_key_prefix", null);
++            String temp = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); //#xx#xx
++            String keyInfoMap = "tks." + keySet + ".mk_mappings." + temp;
++            String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
++            if (mappingValue != null) {
++                StringTokenizer st = new StringTokenizer(mappingValue, ":");
++                int tokenNumber = 0;
++                while (st.hasMoreTokens()) {
++
++                    String currentToken = st.nextToken();
++                    if (tokenNumber == 1)
++                        mKeyNickName = currentToken;
++                    tokenNumber++;
++
++                }
++            }
++            if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) // for diversification
++            {
++                temp = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); //#xx#xx
++                String newKeyInfoMap = "tks." + keySet + ".mk_mappings." + temp;
++                String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null);
++                if (newMappingValue != null) {
++                    StringTokenizer st = new StringTokenizer(newMappingValue, ":");
++                    int tokenNumber = 0;
++                    while (st.hasMoreTokens()) {
++                        String currentToken = st.nextToken();
++                        if (tokenNumber == 1)
++                            mNewKeyNickName = currentToken;
++                        tokenNumber++;
++
++                    }
++                }
++            }
++
++            CMS.debug("Setting masteter keky prefix to: " + masterKeyPrefix);
++
++            SecureChannelProtocol.setDefaultPrefix(masterKeyPrefix);
++            /*SessionKey.SetDefaultPrefix(masterKeyPrefix);*/
++
++        } catch (Exception e) {
++            e.printStackTrace();
++            CMS.debug("Exception in TokenServlet::setDefaultSlotAndKeyName");
++        }
++
++    }
++
++    // AC: KDF SPEC CHANGE - read new setting value from config file
++    // (This value allows configuration of which master keys use the NIST SP800-108 KDF and which use the original KDF for backwards compatibility)
++    // CAREFUL:  Result returned may be negative due to java's lack of unsigned types.
++    //           Negative values need to be treated as higher key numbers than positive key numbers.
++    private static byte read_setting_nistSP800_108KdfOnKeyVersion(String keySet) throws Exception {
++        String nistSP800_108KdfOnKeyVersion_map = "tks." + keySet + ".nistSP800-108KdfOnKeyVersion";
++        // KDF phase1: default to 00
++        String nistSP800_108KdfOnKeyVersion_value =
++                CMS.getConfigStore().getString(nistSP800_108KdfOnKeyVersion_map, "00" /*null*/);
++        short nistSP800_108KdfOnKeyVersion_short = 0;
++        // if value does not exist in file
++        if (nistSP800_108KdfOnKeyVersion_value == null) {
++            // throw
++            //  (we want admins to pay attention to this configuration item rather than guessing for them)
++            throw new Exception("Required configuration value \"" + nistSP800_108KdfOnKeyVersion_map
++                    + "\" missing from configuration file.");
++        }
++        // convert setting value (in ASCII-hex) to short
++        try {
++            nistSP800_108KdfOnKeyVersion_short = Short.parseShort(nistSP800_108KdfOnKeyVersion_value, 16);
++            if ((nistSP800_108KdfOnKeyVersion_short < 0) || (nistSP800_108KdfOnKeyVersion_short > (short) 0x00FF)) {
++                throw new Exception("Out of range.");
++            }
++        } catch (Throwable t) {
++            throw new Exception("Configuration value \"" + nistSP800_108KdfOnKeyVersion_map
++                    + "\" is in incorrect format. " +
++                    "Correct format is \"" + nistSP800_108KdfOnKeyVersion_map
++                    + "=xx\" where xx is key version specified in ASCII-HEX format.", t);
++        }
++        // convert to byte (anything higher than 0x7F is represented as a negative)
++        byte nistSP800_108KdfOnKeyVersion_byte = (byte) nistSP800_108KdfOnKeyVersion_short;
++        return nistSP800_108KdfOnKeyVersion_byte;
++    }
++
++    // AC: KDF SPEC CHANGE - read new setting value from config file
++    // (This value allows configuration of the NIST SP800-108 KDF:
++    //   If "true" we use the CUID parameter within the NIST SP800-108 KDF.
++    //   If "false" we use the KDD parameter within the NIST SP800-108 KDF.
++    private static boolean read_setting_nistSP800_108KdfUseCuidAsKdd(String keySet) throws Exception {
++        String setting_map = "tks." + keySet + ".nistSP800-108KdfUseCuidAsKdd";
++        // KDF phase1: default to "false"
++        String setting_str =
++                CMS.getConfigStore().getString(setting_map, "false" /*null*/);
++        boolean setting_boolean = false;
++        // if value does not exist in file
++        if (setting_str == null) {
++            // throw
++            //  (we want admins to pay attention to this configuration item rather than guessing for them)
++            throw new Exception("Required configuration value \"" + setting_map + "\" missing from configuration file.");
++        }
++        // convert setting value to boolean
++        try {
++            setting_boolean = Boolean.parseBoolean(setting_str);
++        } catch (Throwable t) {
++            throw new Exception("Configuration value \"" + setting_map
++                    + "\" is in incorrect format.  Should be either \"true\" or \"false\".", t);
++        }
++        return setting_boolean;
++    }
++
++    // AC: KDF SPEC CHANGE - Audit logging helper functions.
++    // Converts a byte array to an ASCII-hex string.
++    //   We implemented this ourselves rather than using this.pp.toHexArray() because
++    //   the team preferred CUID and KDD strings to be without ":" separators every byte.
++    final char[] bytesToHex_hexArray = "0123456789ABCDEF".toCharArray();
++
++    private String bytesToHex(byte[] bytes) {
++        char[] hexChars = new char[bytes.length * 2];
++        for (int i = 0; i < bytes.length; i++) {
++            int thisChar = bytes[i] & 0x000000FF;
++            hexChars[i * 2] = bytesToHex_hexArray[thisChar >>> 4]; // div 16
++            hexChars[i * 2 + 1] = bytesToHex_hexArray[thisChar & 0x0F];
++        }
++        return new String(hexChars);
++    }
++
++    // AC: KDF SPEC CHANGE - Audit logging helper functions.
++    // Safely converts a keyInfo byte array to a Key version hex string in the format: 0xa
++    // Since key version is always the first byte, this function returns the unsigned hex string representation of parameter[0].
++    //   Returns "null" if parameter is null.
++    //   Returns "invalid" if parameter.length < 1
++    private String log_string_from_keyInfo(byte[] xkeyInfo) {
++        return (xkeyInfo == null) ? "null" : (xkeyInfo.length < 1 ? "invalid" : "0x"
++                + Integer.toHexString((xkeyInfo[0]) & 0x000000FF));
++    }
++
++    // AC: KDF SPEC CHANGE - Audit logging helper functions.
++    // Safely converts a byte array containing specialDecoded information to an ASCII-hex string.
++    // Parameters:
++    //   specialDecoded - byte array containing data.  May be null.
++    // Returns:
++    //   if specialDecoded is blank, returns "null"
++    //   if specialDecoded != null, returns <ASCII-HEX string representation of specialDecoded>
++    private String log_string_from_specialDecoded_byte_array(byte[] specialDecoded) {
++        if (specialDecoded == null) {
++            return "null";
++        } else {
++            return bytesToHex(specialDecoded);
++        }
++    }
++
++    /* Compute Session Key for SCP02
++     *  For simplicity compute just one session key,unless it is the DEK key case.
++     */
++
++    private void processComputeSessionKeySCP02(HttpServletRequest req, HttpServletResponse resp) throws EBaseException {
++
++        CMS.debug("TokenServlet.processComputeSessionKeySCP02 entering..");
++        String auditMessage = null;
++        String errorMsg = "";
++        String badParams = "";
++        String transportKeyName = "";
++        boolean missingParam = false;
++        String selectedToken = null;
++        String keyNickName = null;
++        byte[] drm_trans_wrapped_desKey = null;
++
++        byte[] xKDD = null;
++        byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
++        boolean nistSP800_108KdfUseCuidAsKdd = false;
++
++        IConfigStore sconfig = CMS.getConfigStore();
++
++        boolean isCryptoValidate = false;
++        byte[] keyInfo, xCUID = null, session_key = null;
++
++        Exception missingSettingException = null;
++
++        String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
++
++        String rKDD = req.getParameter(IRemoteRequest.TOKEN_KDD);
++
++        String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
++
++        if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
++            badParams += " KeyInfo,";
++            CMS.debug("TokenServlet: processComputeSessionKeySCP02(): missing request parameter: key info");
++            missingParam = true;
++        }
++
++        keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
++
++        String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
++
++        if (keySet == null || keySet.equals("")) {
++            keySet = "defKeySet";
++        }
++        CMS.debug("TokenServlet.processComputeSessionKeySCP02: keySet selected: " + keySet + " keyInfo: " + rKeyInfo);
++
++        boolean serversideKeygen = false;
++
++        String rDerivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT);
++        String rSequenceCounter = req.getParameter(IRemoteRequest.SEQUENCE_COUNTER);
++
++        if ((rDerivationConstant == null) || (rDerivationConstant.equals(""))) {
++            badParams += " derivation_constant,";
++            CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: derivation constant.");
++            missingParam = true;
++        }
++
++        if ((rSequenceCounter == null) || (rSequenceCounter.equals(""))) {
++            badParams += " sequence_counter,";
++            CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: sequence counter.");
++            missingParam = true;
++        }
++
++        SessionContext sContext = SessionContext.getContext();
++
++        String agentId = "";
++        if (sContext != null) {
++            agentId =
++                    (String) sContext.get(SessionContext.USER_ID);
++        }
++
++        auditMessage = CMS.getLogMessage(
++                AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
++                rCUID,
++                rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
++                ILogger.SUCCESS,
++                agentId);
++
++        audit(auditMessage);
++
++        if (!missingParam) {
++            xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
++
++            if (xCUID == null || xCUID.length != 10) {
++                badParams += " CUID length,";
++                CMS.debug("TokenServlet.processCompureSessionKeySCP02: Invalid CUID length");
++                missingParam = true;
++            }
++
++            if ((rKDD == null) || (rKDD.length() == 0)) {
++                CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: KDD");
++                badParams += " KDD,";
++                missingParam = true;
++            }
++
++            xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
++            if (xKDD == null || xKDD.length != 10) {
++                badParams += " KDD length,";
++                CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid KDD length");
++                missingParam = true;
++            }
++
++            keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
++            if (keyInfo == null || keyInfo.length != 2) {
++                badParams += " KeyInfo length,";
++                CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid key info length.");
++                missingParam = true;
++            }
++
++            try {
++                nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
++                nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
++
++                // log settings read in to debug log along with xkeyInfo
++                CMS.debug("TokenServlet: ComputeSessionKeySCP02():  keyInfo[0] = 0x"
++                        + Integer.toHexString((keyInfo[0]) & 0x0000000FF)
++                        + ",  xkeyInfo[1] = 0x"
++                        + Integer.toHexString((keyInfo[1]) & 0x0000000FF)
++                        );
++                CMS.debug("TokenServlet: ComputeSessionKeySCP02():  Nist SP800-108 KDF will be used for key versions >= 0x"
++                        + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
++                        );
++                if (nistSP800_108KdfUseCuidAsKdd == true) {
++                    CMS.debug("TokenServlet: ComputeSessionKeySCP02():  Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
++                } else {
++                    CMS.debug("TokenServlet: ComputeSessionKeySCP02():  Nist SP800-108 KDF (if used) will use KDD.");
++                }
++                // conform to the set-an-error-flag mentality
++            } catch (Exception e) {
++                missingSettingException = e;
++                CMS.debug("TokenServlet: ComputeSessionKeySCP02():  Exception reading Nist SP800-108 KDF config values: "
++                        + e.toString());
++            }
++
++        }
++
++        String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx
++        String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
++        if (mappingValue == null) {
++            selectedToken =
++                    CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
++            keyNickName = rKeyInfo;
++        } else {
++            StringTokenizer st = new StringTokenizer(mappingValue, ":");
++            if (st.hasMoreTokens())
++                selectedToken = st.nextToken();
++            if (st.hasMoreTokens())
++                keyNickName = st.nextToken();
++        }
++
++        keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx
++        try {
++            mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
++        } catch (EBaseException e1) {
++
++            e1.printStackTrace();
++        }
++        if (mappingValue == null) {
++            try {
++                selectedToken =
++                        CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
++            } catch (EBaseException e) {
++
++                e.printStackTrace();
++            }
++            keyNickName = rKeyInfo;
++        } else {
++            StringTokenizer st = new StringTokenizer(mappingValue, ":");
++            if (st.hasMoreTokens())
++                selectedToken = st.nextToken();
++            if (st.hasMoreTokens())
++                keyNickName = st.nextToken();
++        }
++
++        CMS.debug("TokenServlet: processComputeSessionKeySCP02(): final keyNickname: " + keyNickName);
++        String useSoftToken_s = null;
++        try {
++            useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
++        } catch (EBaseException e1) {
++            // TODO Auto-generated catch block
++            e1.printStackTrace();
++        }
++        if (!useSoftToken_s.equalsIgnoreCase("true"))
++            useSoftToken_s = "false";
++
++        String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN);
++        if (rServersideKeygen.equals("true")) {
++            CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen requested");
++            serversideKeygen = true;
++        } else {
++            CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen not requested");
++        }
++
++        transportKeyName = null;
++        try {
++            transportKeyName = getSharedSecretName(sconfig);
++        } catch (EBaseException e1) {
++            // TODO Auto-generated catch block
++            e1.printStackTrace();
++            CMS.debug("TokenServlet.processComputeSessionKeySCP02: Can't find transport key name!");
++
++        }
++
++        CMS.debug("TokenServlet: processComputeSessionKeySCP02(): tksSharedSymKeyName: " + transportKeyName);
++
++        try {
++            isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true);
++        } catch (EBaseException eee) {
++        }
++
++        byte macKeyArray[] = null;
++        byte sequenceCounter[] = null;
++        byte derivationConstant[] = null;
++
++        boolean errorFound = false;
++
++        String dek_wrapped_desKeyString = null;
++        String keycheck_s = null;
++
++        if (selectedToken != null && keyNickName != null && transportKeyName != null && missingSettingException == null) {
++            try {
++                macKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
++                        + keySet + ".mac_key"));
++
++                sequenceCounter = com.netscape.cmsutil.util.Utils.SpecialDecode(rSequenceCounter);
++                derivationConstant = com.netscape.cmsutil.util.Utils.SpecialDecode(rDerivationConstant);
++
++                //Use old style for the moment.
++                //ToDo: We need to use the nistXP800 params we have collected and send them down to symkey
++                //Perform in next ticket to fully implement nistXP800
++
++                session_key = SessionKey.ComputeSessionKeySCP02(
++                        selectedToken, keyNickName,
++                        keyInfo,
++                        nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value
++                        nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, macKeyArray, sequenceCounter, derivationConstant,
++                        useSoftToken_s, keySet,
++                        transportKeyName);
++
++                if (session_key == null) {
++                    CMS.debug("TokenServlet.computeSessionKeySCP02:Tried ComputeSessionKey, got NULL ");
++                    throw new EBaseException("Can't compute session key for SCP02!");
++
++                }
++
++                //Only do this for the dekSessionKey and if we are in the server side keygen case.
++                if (derivationConstant[0] == DEKDerivationConstant[0]
++                        && derivationConstant[1] == DEKDerivationConstant[1] && serversideKeygen == true) {
++
++                    CMS.debug("TokenServlet.computeSessionKeySCP02: We have the server side keygen case while generating the dek session key, wrap and return symkeys for the drm and token.");
++
++                    /**
++                     * 0. generate des key
++                     * 1. encrypt des key with dek key
++                     * 2. encrypt des key with DRM transport key
++                     * These two wrapped items are to be sent back to
++                     * TPS. 2nd item is to DRM
++                     **/
++
++                    PK11SymKey desKey = null;
++                    PK11SymKey dekKey = null;
++
++                    /*generate it on whichever token the master key is at*/
++                    if (useSoftToken_s.equals("true")) {
++                        CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on internal");
++
++                        desKey = SessionKey.GenerateSymkey(CryptoUtil.INTERNAL_TOKEN_NAME);
++
++                    } else {
++                        CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on "
++                                + selectedToken);
++                        desKey = SessionKey.GenerateSymkey(selectedToken);
++                    }
++                    if (desKey != null)
++                        CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated for " + rCUID);
++                    else {
++                        CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generation failed for "
++                                + rCUID);
++                        throw new EBaseException(
++                                "TokenServlet.computeSessionKeySCP02: can't generate key encryption key");
++                    }
++
++                    CryptoToken token = null;
++                    if (useSoftToken_s.equals("true")) {
++                        token = CryptoUtil.getCryptoToken(null);
++                    } else {
++                        token = CryptoUtil.getCryptoToken(selectedToken);
++                    }
++
++                    //Now we have to create a sym key object for the wrapped session_key (dekKey)
++                    // session_key wrapped by the shared Secret
++
++                    PK11SymKey sharedSecret = getSharedSecretKey();
++
++                    if (sharedSecret == null) {
++                        throw new EBaseException(
++                                "TokenServlet.computeSessionKeySCP02: Can't find share secret sym key!");
++                    }
++
++                    dekKey = SessionKey.UnwrapSessionKeyWithSharedSecret(token.getName(), sharedSecret,
++                            session_key);
++
++                    if (dekKey == null) {
++                        throw new EBaseException(
++                                "TokenServlet.computeSessionKeySCP02: Can't unwrap DEK key onto the token!");
++                    }
++
++                    /*
++                     * ECBencrypt actually takes the 24 byte DES2 key
++                     * and discard the last 8 bytes before it encrypts.
++                     * This is done so that the applet can digest it
++                     */
++                    byte[] encDesKey =
++                            SessionKey.ECBencrypt(dekKey,
++                                    desKey);
++
++                    if (encDesKey == null) {
++                        throw new EBaseException("TokenServlet.computeSessionKeySCP02: Can't encrypt DEK key!");
++                    }
++
++                    dek_wrapped_desKeyString =
++                            com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey);
++
++                    byte[] keycheck =
++                            SessionKey.ComputeKeyCheck(desKey);
++
++                    if (keycheck == null) {
++                        throw new EBaseException(
++                                "TokenServlet.computeSessionKeySCP02: Can't compute key check for encrypted DEK key!");
++                    }
++
++                    keycheck_s =
++                            com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck);
++
++                    //use DRM transport cert to wrap desKey
++                    String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", "");
++
++                    if ((drmTransNickname == null) || (drmTransNickname == "")) {
++                        CMS.debug("TokenServlet.computeSessionKeySCP02:did not find DRM transport certificate nickname");
++                        throw new EBaseException("can't find DRM transport certificate nickname");
++                    } else {
++                        CMS.debug("TokenServlet.computeSessionKeySCP02:drmtransport_cert_nickname=" + drmTransNickname);
++                    }
++
++                    X509Certificate drmTransCert = null;
++                    drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname);
++                    // wrap kek session key with DRM transport public key
++
++                    PublicKey pubKey = drmTransCert.getPublicKey();
++                    String pubKeyAlgo = pubKey.getAlgorithm();
++
++                    KeyWrapper keyWrapper = null;
++                    //For wrapping symmetric keys don't need IV, use ECB
++                    if (pubKeyAlgo.equals("EC")) {
++                        keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB);
++                        keyWrapper.initWrap(pubKey, null);
++                    } else {
++                        keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
++                        keyWrapper.initWrap(pubKey, null);
++                    }
++
++                    drm_trans_wrapped_desKey = keyWrapper.wrap(desKey);
++                    CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey wrapped with drm transportation key.");
++
++                    CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey: Just unwrapped the dekKey onto the token to be wrapped on the way out.");
++
++                }
++
++            } catch (Exception e) {
++                CMS.debug("TokenServlet.computeSessionKeySCP02 Computing Session Key: " + e.toString());
++                errorFound = true;
++
++            }
++
++        }
++
++        String status = "0";
++        String value = "";
++        String outputString = "";
++
++        boolean statusDeclared = false;
++
++        if (session_key != null && session_key.length > 0 && errorFound == false) {
++            outputString =
++                    com.netscape.cmsutil.util.Utils.SpecialEncode(session_key);
++        } else {
++
++            status = "1";
++            statusDeclared = true;
++        }
++
++        if (selectedToken == null || keyNickName == null) {
++            if (!statusDeclared) {
++                status = "4";
++                statusDeclared = true;
++            }
++        }
++
++        if (missingSettingException != null) {
++            if (!statusDeclared) {
++                status = "6";
++                statusDeclared = true;
++            }
++        }
++
++        if (missingParam) {
++            status = "3";
++        }
++
++        String drm_trans_wrapped_desKeyString = null;
++
++        if (!status.equals("0")) {
++            if (status.equals("1")) {
++                errorMsg = "Problem generating session key info.";
++            }
++
++            if (status.equals("4")) {
++                errorMsg = "Problem obtaining token information.";
++            }
++
++            if (status.equals("3")) {
++                if (badParams.endsWith(",")) {
++                    badParams = badParams.substring(0, badParams.length() - 1);
++                }
++                errorMsg = "Missing input parameters :" + badParams;
++            }
++
++            if (status.equals("6")) {
++                errorMsg = "Problem reading required configuration value.";
++            }
++
++        } else {
++
++            if (serversideKeygen == true) {
++
++                if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) {
++                    drm_trans_wrapped_desKeyString =
++                            com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey);
++                }
++
++                StringBuffer sb = new StringBuffer();
++                sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
++                sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
++                sb.append(outputString);
++
++                //Now add the trans wrapped des key
++
++                if (drm_trans_wrapped_desKeyString != null) {
++                    sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "=");
++                    sb.append(drm_trans_wrapped_desKeyString);
++                }
++
++                if (dek_wrapped_desKeyString != null) {
++                    sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "=");
++                    sb.append(dek_wrapped_desKeyString);
++                }
++
++                if (keycheck_s != null) {
++                    sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "=");
++                    sb.append(keycheck_s);
++                }
++
++                value = sb.toString();
++            } else {
++                StringBuffer sb = new StringBuffer();
++                sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
++                sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
++                sb.append(outputString);
++                value = sb.toString();
++            }
++
++        }
++
++        //CMS.debug("TokenServlet:outputString.encode " + value);
++
++        try {
++            resp.setContentLength(value.length());
++            CMS.debug("TokenServlet:outputString.length " + value.length());
++            OutputStream ooss = resp.getOutputStream();
++            ooss.write(value.getBytes());
++            ooss.flush();
++            mRenderResult = false;
++        } catch (IOException e) {
++            CMS.debug("TokenServlet: " + e.toString());
++        }
++
++        if (status.equals("0")) {
++
++            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
++                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
++                    ILogger.SUCCESS, // Outcome
++                    status, // status
++                    agentId, // AgentID
++                    isCryptoValidate ? "true" : "false", // IsCryptoValidate
++                    serversideKeygen ? "true" : "false", // IsServerSideKeygen
++                    selectedToken, // SelectedToken
++                    keyNickName, // KeyNickName
++                    keySet, // TKSKeyset
++                    log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion
++                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
++                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
++            };
++            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
++                    logParams);
++
++        } else {
++
++            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
++                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
++                    ILogger.FAILURE, // Outcome
++                    status, // status
++                    agentId, // AgentID
++                    isCryptoValidate ? "true" : "false", // IsCryptoValidate
++                    serversideKeygen ? "true" : "false", // IsServerSideKeygen
++                    selectedToken, // SelectedToken
++                    keyNickName, // KeyNickName
++                    keySet, // TKSKeyset
++                    log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion
++                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
++                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
++                    errorMsg // Error
++            };
++            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
++                    logParams);
++        }
++
++        audit(auditMessage);
++
++    }
++
++    private void processComputeSessionKey(HttpServletRequest req,
++            HttpServletResponse resp) throws EBaseException {
++        byte[] card_challenge, host_challenge, keyInfo, xCUID, session_key, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
++
++        // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
++        byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
++        boolean nistSP800_108KdfUseCuidAsKdd = false;
++
++        byte[] card_crypto, host_cryptogram, input_card_crypto;
++        byte[] xcard_challenge, xhost_challenge;
++        byte[] enc_session_key, xkeyInfo;
++        String auditMessage = null;
++        String errorMsg = "";
++        String badParams = "";
++        String transportKeyName = "";
++        String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
++
++        // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
++        String rKDD = req.getParameter("KDD");
++        if ((rKDD == null) || (rKDD.length() == 0)) {
++            // KDF phase1: default to rCUID if not present
++            CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
++            rKDD = rCUID;
++        }
++
++        String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
++        if (keySet == null || keySet.equals("")) {
++            keySet = "defKeySet";
++        }
++        CMS.debug("keySet selected: " + keySet);
++
++        boolean serversideKeygen = false;
++        byte[] drm_trans_wrapped_desKey = null;
++        SymmetricKey desKey = null;
++        //        PK11SymKey kek_session_key;
++        SymmetricKey kek_key;
++
++        IConfigStore sconfig = CMS.getConfigStore();
++        boolean isCryptoValidate = true;
++        boolean missingParam = false;
++
++        // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
++        Exception missingSetting_exception = null;
++
++        session_key = null;
++        card_crypto = null;
++        host_cryptogram = null;
++        enc_session_key = null;
++        //        kek_session_key = null;
++
++        SessionContext sContext = SessionContext.getContext();
++
++        String agentId = "";
++        if (sContext != null) {
++            agentId =
++                    (String) sContext.get(SessionContext.USER_ID);
++        }
++
++        // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID
++        auditMessage = CMS.getLogMessage(
++                AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
++                rCUID,
++                rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
++                ILogger.SUCCESS,
++                agentId);
++
++        audit(auditMessage);
++
++        String kek_wrapped_desKeyString = null;
++        String keycheck_s = null;
++
++        CMS.debug("processComputeSessionKey:");
++        String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
++        if (!useSoftToken_s.equalsIgnoreCase("true"))
++            useSoftToken_s = "false";
++
++        String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN);
++        if (rServersideKeygen.equals("true")) {
++            CMS.debug("TokenServlet: serversideKeygen requested");
++            serversideKeygen = true;
++        } else {
++            CMS.debug("TokenServlet: serversideKeygen not requested");
++        }
++
++        try {
++            isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true);
++        } catch (EBaseException eee) {
++        }
++
++        transportKeyName = getSharedSecretName(sconfig);
++
++        String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE);
++        String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE);
++        String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
++        String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM);
++        if ((rCUID == null) || (rCUID.equals(""))) {
++            CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: CUID");
++            badParams += " CUID,";
++            missingParam = true;
++        }
++
++        // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
++        if ((rKDD == null) || (rKDD.length() == 0)) {
++            CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: KDD");
++            badParams += " KDD,";
++            missingParam = true;
++        }
++
++        if ((rcard_challenge == null) || (rcard_challenge.equals(""))) {
++            badParams += " card_challenge,";
++            CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge");
++            missingParam = true;
++        }
++
++        if ((rhost_challenge == null) || (rhost_challenge.equals(""))) {
++            badParams += " host_challenge,";
++            CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: host challenge");
++            missingParam = true;
++        }
++
++        if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
++            badParams += " KeyInfo,";
++            CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: key info");
++            missingParam = true;
++        }
++
++        String selectedToken = null;
++        String keyNickName = null;
++        boolean sameCardCrypto = true;
++
++        // AC: KDF SPEC CHANGE
++        xCUID = null; // avoid errors about non-initialization
++        xKDD = null; // avoid errors about non-initialization
++        xkeyInfo = null; // avoid errors about non-initialization
++
++        if (!missingParam) {
++
++            xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
++            if (xCUID == null || xCUID.length != 10) {
++                badParams += " CUID length,";
++                CMS.debug("TokenServlet: Invalid CUID length");
++                missingParam = true;
++            }
++
++            // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
++            xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
++            if (xKDD == null || xKDD.length != 10) {
++                badParams += " KDD length,";
++                CMS.debug("TokenServlet: Invalid KDD length");
++                missingParam = true;
++            }
++
++            xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
++            if (xkeyInfo == null || xkeyInfo.length != 2) {
++                badParams += " KeyInfo length,";
++                CMS.debug("TokenServlet: Invalid key info length.");
++                missingParam = true;
++            }
++            xcard_challenge =
++                    com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
++            if (xcard_challenge == null || xcard_challenge.length != 8) {
++                badParams += " card_challenge length,";
++                CMS.debug("TokenServlet: Invalid card challenge length.");
++                missingParam = true;
++            }
++
++            xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
++            if (xhost_challenge == null || xhost_challenge.length != 8) {
++                badParams += " host_challenge length,";
++                CMS.debug("TokenServlet: Invalid host challenge length");
++                missingParam = true;
++            }
++
++        }
++
++        if (!missingParam) {
++            card_challenge =
++                    com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
++
++            host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
++            keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
++
++            // AC: KDF SPEC CHANGE - read new config file values (needed for symkey)
++            //ToDo: Will use these values after completing next ticket
++            try {
++                nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
++                nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
++
++                // log settings read in to debug log along with xkeyInfo
++                CMS.debug("TokenServlet: ComputeSessionKey():  xkeyInfo[0] = 0x"
++                        + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF)
++                        + ",  xkeyInfo[1] = 0x"
++                        + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF)
++                        );
++                CMS.debug("TokenServlet: ComputeSessionKey():  Nist SP800-108 KDF will be used for key versions >= 0x"
++                        + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
++                        );
++                if (nistSP800_108KdfUseCuidAsKdd == true) {
++                    CMS.debug("TokenServlet: ComputeSessionKey():  Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
++                } else {
++                    CMS.debug("TokenServlet: ComputeSessionKey():  Nist SP800-108 KDF (if used) will use KDD.");
++                }
++                // conform to the set-an-error-flag mentality
++            } catch (Exception e) {
++                missingSetting_exception = e;
++                CMS.debug("TokenServlet: ComputeSessionKey():  Exception reading Nist SP800-108 KDF config values: "
++                        + e.toString());
++            }
++
++            String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx
++            String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
++            if (mappingValue == null) {
++                selectedToken =
++                        CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
++                keyNickName = rKeyInfo;
++            } else {
++                StringTokenizer st = new StringTokenizer(mappingValue, ":");
++                if (st.hasMoreTokens())
++                    selectedToken = st.nextToken();
++                if (st.hasMoreTokens())
++                    keyNickName = st.nextToken();
++            }
++
++            if (selectedToken != null && keyNickName != null
++                    // AC: KDF SPEC CHANGE - check for error flag
++                    && missingSetting_exception == null) {
++
++                try {
++
++                    byte macKeyArray[] =
++                            com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
++                                    + keySet + ".mac_key"));
++                    CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken="
++                            + selectedToken + " keyNickName=" + keyNickName);
++
++                    SecureChannelProtocol protocol = new SecureChannelProtocol();
++                    SymmetricKey macKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.macType,
++                            selectedToken,
++                            keyNickName, card_challenge,
++                            host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID,
++                            xKDD, macKeyArray, useSoftToken_s, keySet, transportKeyName);
++
++                    session_key = protocol.wrapSessionKey(selectedToken, macKey, null);
++
++                    if (session_key == null) {
++                        CMS.debug("TokenServlet:Tried ComputeSessionKey, got NULL ");
++                        throw new Exception("Can't compute session key!");
++
++                    }
++
++                    byte encKeyArray[] =
++                            com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
++                                    + keySet + ".auth_key"));
++                    SymmetricKey encKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.encType,
++                            selectedToken,
++                            keyNickName, card_challenge, host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion,
++                            nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, encKeyArray, useSoftToken_s, keySet,
++                            transportKeyName);
++
++                    enc_session_key = protocol.wrapSessionKey(selectedToken, encKey, null);
++
++                    if (enc_session_key == null) {
++                        CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL ");
++                        throw new Exception("Can't compute enc session key!");
++
++                    }
++
++                    if (serversideKeygen == true) {
++
++                        /**
++                         * 0. generate des key
++                         * 1. encrypt des key with kek key
++                         * 2. encrypt des key with DRM transport key
++                         * These two wrapped items are to be sent back to
++                         * TPS. 2nd item is to DRM
++                         **/
++                        CMS.debug("TokenServlet: calling ComputeKekKey");
++
++                        byte kekKeyArray[] =
++                                com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
++                                        + keySet + ".kek_key"));
++
++                        kek_key = protocol.computeKEKKey_SCP01(selectedToken,
++                                keyNickName,
++                                keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd,
++                                xCUID,
++                                xKDD, kekKeyArray, useSoftToken_s, keySet, transportKeyName);
++
++                        CMS.debug("TokenServlet: called ComputeKekKey");
++
++                        if (kek_key == null) {
++                            CMS.debug("TokenServlet:Tried ComputeKekKey, got NULL ");
++                            throw new Exception("Can't compute kek key!");
++
++                        }
++                        // now use kek key to wrap kek session key..
++                        CMS.debug("computeSessionKey:kek key len =" +
++                                kek_key.getLength());
++
++                        // (1) generate DES key
++                        /* applet does not support DES3
++                        org.mozilla.jss.crypto.KeyGenerator kg =
++                            internalToken.getKeyGenerator(KeyGenAlgorithm.DES3);
++                            desKey = kg.generate();*/
++
++                        /*
++                         * GenerateSymkey firt generates a 16 byte DES2 key.
++                         * It then pads it into a 24 byte key with last
++                         * 8 bytes copied from the 1st 8 bytes.  Effectively
++                         * making it a 24 byte DES2 key.  We need this for
++                         * wrapping private keys on DRM.
++                         */
++                        /*generate it on whichever token the master key is at*/
++                        if (useSoftToken_s.equals("true")) {
++                            CMS.debug("TokenServlet: key encryption key generated on internal");
++                            //cfu audit here? sym key gen
++
++                            desKey = protocol.generateSymKey(CryptoUtil.INTERNAL_TOKEN_NAME);
++                            //cfu audit here? sym key gen done
++                        } else {
++                            CMS.debug("TokenServlet: key encryption key generated on " + selectedToken);
++                            desKey = protocol.generateSymKey(selectedToken);
++                        }
++                        if (desKey != null) {
++                            // AC: KDF SPEC CHANGE - Output using CUID and KDD
++                            CMS.debug("TokenServlet: key encryption key generated for CUID=" +
++                                    trim(pp.toHexString(xCUID)) +
++                                    ", KDD=" +
++                                    trim(pp.toHexString(xKDD)));
++                        } else {
++                            // AC: KDF SPEC CHANGE - Output using CUID and KDD
++                            CMS.debug("TokenServlet: key encryption key generation failed for CUID=" +
++                                    trim(pp.toHexString(xCUID)) +
++                                    ", KDD=" +
++                                    trim(pp.toHexString(xKDD)));
++
++                            throw new Exception("can't generate key encryption key");
++                        }
++
++                        /*
++                         * ECBencrypt actually takes the 24 byte DES2 key
++                         * and discard the last 8 bytes before it encrypts.
++                         * This is done so that the applet can digest it
++                         */
++
++                        byte[] encDesKey = protocol.ecbEncrypt(kek_key, desKey, selectedToken);
++
++                        /*
++                        CMS.debug("computeSessionKey:encrypted desKey size = "+encDesKey.length);
++                        CMS.debug(encDesKey);
++                        */
++
++                        kek_wrapped_desKeyString =
++                                com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey);
++
++                        // get keycheck
++
++                        byte[] keycheck = protocol.computeKeyCheck(desKey, selectedToken);
++                        /*
++                        CMS.debug("computeSessionKey:keycheck size = "+keycheck.length);
++                        CMS.debug(keycheck);
++                        */
++                        keycheck_s =
++                                com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck);
++
++                        //use DRM transport cert to wrap desKey
++                        String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", "");
++
++                        if ((drmTransNickname == null) || (drmTransNickname == "")) {
++                            CMS.debug("TokenServlet:did not find DRM transport certificate nickname");
++                            throw new Exception("can't find DRM transport certificate nickname");
++                        } else {
++                            CMS.debug("TokenServlet:drmtransport_cert_nickname=" + drmTransNickname);
++                        }
++
++                        X509Certificate drmTransCert = null;
++                        drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname);
++                        // wrap kek session key with DRM transport public key
++                        CryptoToken token = null;
++                        if (useSoftToken_s.equals("true")) {
++                            token = CryptoUtil.getCryptoToken(null);
++                        } else {
++                            token = CryptoUtil.getCryptoToken(selectedToken);
++                        }
++                        PublicKey pubKey = drmTransCert.getPublicKey();
++                        String pubKeyAlgo = pubKey.getAlgorithm();
++                        CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo);
++                        KeyWrapper keyWrapper = null;
++                        //For wrapping symmetric keys don't need IV, use ECB
++                        if (pubKeyAlgo.equals("EC")) {
++                            keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB);
++                            keyWrapper.initWrap(pubKey, null);
++                        } else {
++                            keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
++                            keyWrapper.initWrap(pubKey, null);
++                        }
++                        CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName());
++                        drm_trans_wrapped_desKey = keyWrapper.wrap(desKey);
++                        CMS.debug("computeSessionKey:desKey wrapped with drm transportation key.");
++
++                    } // if (serversideKeygen == true)
++
++                    byte authKeyArray[] =
++                            com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
++                                    + keySet + ".auth_key"));
++
++                    host_cryptogram = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge,
++                            host_challenge,
++                            xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, SecureChannelProtocol.HOST_CRYPTOGRAM,
++                            authKeyArray, useSoftToken_s, keySet, transportKeyName);
++
++                    if (host_cryptogram == null) {
++                        CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL ");
++                        throw new Exception("Can't compute host cryptogram!");
++
++                    }
++
++                    card_crypto = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge,
++                            host_challenge, xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd,
++                            xCUID, xKDD, SecureChannelProtocol.CARD_CRYPTOGRAM, authKeyArray, useSoftToken_s, keySet, transportKeyName);
++
++                    if (card_crypto == null) {
++                        CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL ");
++                        throw new Exception("Can't compute card cryptogram!");
++
++                    }
++
++                    if (isCryptoValidate) {
++                        if (rcard_cryptogram == null) {
++                            CMS.debug("TokenServlet: ComputeCryptogram(): missing card cryptogram");
++                            throw new Exception("Missing card cryptogram");
++                        }
++                        input_card_crypto =
++                                com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram);
++
++                        //SecureChannelProtocol.debugByteArray(input_card_crypto, "input_card_crypto");
++                        //SecureChannelProtocol.debugByteArray(card_crypto, "card_crypto");
++
++                        if (card_crypto.length == input_card_crypto.length) {
++                            for (int i = 0; i < card_crypto.length; i++) {
++                                if (card_crypto[i] != input_card_crypto[i]) {
++                                    sameCardCrypto = false;
++                                    break;
++                                }
++                            }
++                        } else {
++                            // different length; must be different
++                            sameCardCrypto = false;
++                        }
++                    }
++
++                    // AC: KDF SPEC CHANGE - print both KDD and CUID
++                    CMS.getLogger().log(ILogger.EV_AUDIT,
++                            ILogger.S_TKS,
++                            ILogger.LL_INFO, "processComputeSessionKey for CUID=" +
++                                    trim(pp.toHexString(xCUID)) +
++                                    ", KDD=" +
++                                    trim(pp.toHexString(xKDD)));
++                } catch (Exception e) {
++                    CMS.debug(e);
++                    CMS.debug("TokenServlet Computing Session Key: " + e.toString());
++                    if (isCryptoValidate)
++                        sameCardCrypto = false;
++                }
++            }
++        } // ! missingParam
++
++        String value = "";
++
++        resp.setContentType("text/html");
++
++        String outputString = "";
++        String encSessionKeyString = "";
++        String drm_trans_wrapped_desKeyString = "";
++        String cryptogram = "";
++        String status = "0";
++        if (session_key != null && session_key.length > 0) {
++            outputString =
++                    com.netscape.cmsutil.util.Utils.SpecialEncode(session_key);
++        } else {
++
++            status = "1";
++        }
++
++        if (enc_session_key != null && enc_session_key.length > 0) {
++            encSessionKeyString =
++                    com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key);
++        } else {
++            status = "1";
++        }
++
++        if (serversideKeygen == true) {
++            if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0)
++                drm_trans_wrapped_desKeyString =
++                        com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey);
++            else {
++                status = "1";
++            }
++        }
++
++        if (host_cryptogram != null && host_cryptogram.length > 0) {
++            cryptogram =
++                    com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram);
++        } else {
++            // AC: Bugfix: Don't override status's value if an error was already flagged
++            if (status.equals("0") == true) {
++                status = "2";
++            }
++        }
++
++        if (selectedToken == null || keyNickName == null) {
++            // AC: Bugfix: Don't override status's value if an error was already flagged
++            if (status.equals("0") == true) {
++                status = "4";
++            }
++        }
++
++        if (!sameCardCrypto) {
++            // AC: Bugfix: Don't override status's value if an error was already flagged
++            if (status.equals("0") == true) {
++                // AC: Bugfix: Don't mis-represent host cryptogram mismatch errors as TPS parameter issues
++                status = "5";
++            }
++        }
++
++        // AC: KDF SPEC CHANGE - check for settings file issue (flag)
++        if (missingSetting_exception != null) {
++            // AC: Intentionally override previous errors if config file settings were missing.
++            status = "6";
++        }
++
++        if (missingParam) {
++            // AC: Intentionally override previous errors if parameters were missing.
++            status = "3";
++        }
++
++        if (!status.equals("0")) {
++
++            if (status.equals("1")) {
++                errorMsg = "Problem generating session key info.";
++            }
++
++            if (status.equals("2")) {
++                errorMsg = "Problem creating host_cryptogram.";
++            }
++
++            // AC: Bugfix: Don't mis-represent card cryptogram mismatch errors as TPS parameter issues
++            if (status.equals("5")) {
++                errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys.";
++            }
++
++            if (status.equals("4")) {
++                errorMsg = "Problem obtaining token information.";
++            }
++
++            // AC: KDF SPEC CHANGE - handle missing configuration item
++            if (status.equals("6")) {
++                errorMsg = "Problem reading required configuration value.";
++            }
++
++            if (status.equals("3")) {
++                if (badParams.endsWith(",")) {
++                    badParams = badParams.substring(0, badParams.length() - 1);
++                }
++                errorMsg = "Missing input parameters :" + badParams;
++            }
++
++            value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
++        } else {
++            if (serversideKeygen == true) {
++                StringBuffer sb = new StringBuffer();
++                sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
++                sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
++                sb.append(outputString);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
++                sb.append(cryptogram);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
++                sb.append(encSessionKeyString);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "=");
++                sb.append(kek_wrapped_desKeyString);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "=");
++                sb.append(keycheck_s);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "=");
++                sb.append(drm_trans_wrapped_desKeyString);
++                value = sb.toString();
++            } else {
++
++                StringBuffer sb = new StringBuffer();
++                sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
++                sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
++                sb.append(outputString);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
++                sb.append(cryptogram);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
++                sb.append(encSessionKeyString);
++                value = sb.toString();
++            }
++
++        }
++        //CMS.debug("TokenServlet:outputString.encode " + value);
++
++        try {
++            resp.setContentLength(value.length());
++            CMS.debug("TokenServlet:outputString.length " + value.length());
++            OutputStream ooss = resp.getOutputStream();
++            ooss.write(value.getBytes());
++            ooss.flush();
++            mRenderResult = false;
++        } catch (IOException e) {
++            CMS.debug("TokenServlet: " + e.toString());
++        }
++
++        if (status.equals("0")) {
++            // AC: KDF SPEC CHANGE - Log both CUID and KDD.
++            //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
++            //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
++            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
++                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
++                    ILogger.SUCCESS, // Outcome
++                    status, // status
++                    agentId, // AgentID
++                    isCryptoValidate ? "true" : "false", // IsCryptoValidate
++                    serversideKeygen ? "true" : "false", // IsServerSideKeygen
++                    selectedToken, // SelectedToken
++                    keyNickName, // KeyNickName
++                    keySet, // TKSKeyset
++                    log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
++                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
++                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
++            };
++            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
++                    logParams);
++
++        } else {
++            // AC: KDF SPEC CHANGE - Log both CUID and KDD
++            //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
++            //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
++            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
++                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
++                    ILogger.FAILURE, // Outcome
++                    status, // status
++                    agentId, // AgentID
++                    isCryptoValidate ? "true" : "false", // IsCryptoValidate
++                    serversideKeygen ? "true" : "false", // IsServerSideKeygen
++                    selectedToken, // SelectedToken
++                    keyNickName, // KeyNickName
++                    keySet, // TKSKeyset
++                    log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
++                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
++                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
++                    errorMsg // Error
++            };
++            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
++                    logParams);
++
++        }
++
++        audit(auditMessage);
++    }
++
++    // This method will return the shared secret name.  In new 10.1 subsystems, this
++    // name will be stored in tps.X.nickname.
++    //
++    // Until multiple TKS/TPS connections is fully supported, this method will just
++    // return the first shared secret nickname found, on the assumption that only
++    // one nickname will be configured.  This will have to be changed to return the correct
++    // key based on some parameter in the request in future.
++    //
++    // On legacy systems, this method just returns what was previously returned.
++    private String getSharedSecretName(IConfigStore cs) throws EBaseException {
++        boolean useNewNames = cs.getBoolean("tks.useNewSharedSecretNames", false);
++
++        if (useNewNames) {
++            String tpsList = cs.getString("tps.list", "");
++            String firstSharedSecretName = null;
++            if (!tpsList.isEmpty()) {
++                for (String tpsID : tpsList.split(",")) {
++                    String sharedSecretName = cs.getString("tps." + tpsID + ".nickname", "");
++
++                    // This one will be a fall back in case we can't get a specific one
++                    if (firstSharedSecretName == null) {
++                        firstSharedSecretName = sharedSecretName;
++                    }
++
++                    if (!sharedSecretName.isEmpty()) {
++                        if (mCurrentUID != null) {
++                            String csUid = cs.getString("tps." + tpsID + ".userid", "");
++
++                            if (mCurrentUID.equalsIgnoreCase(csUid)) {
++                                CMS.debug("TokenServlet.getSharedSecretName: found a match of the user id! " + csUid);
++                                return sharedSecretName;
++                            }
++                        }
++                    }
++                }
++
++                if (firstSharedSecretName != null) {
++                    //Return the first in the list if we couldn't isolate one
++                    return firstSharedSecretName;
++                }
++            }
++            CMS.debug("getSharedSecretName: no shared secret has been configured");
++            throw new EBaseException("No shared secret has been configured");
++        }
++
++        // legacy system - return as before
++        return cs.getString("tks.tksSharedSymKeyName", TRANSPORT_KEY_NAME);
++    }
++
++    //Accepts protocol param and supports scp03.
++    private void processDiversifyKey(HttpServletRequest req,
++            HttpServletResponse resp) throws EBaseException {
++
++        String method = "TokenServlet.processDiversifyKey: ";
++        byte[] KeySetData, xCUID, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
++
++        // AC: BUGFIX:  Record the actual parameters to DiversifyKey in the audit log.
++        String oldKeyNickName = null;
++        String newKeyNickName = null;
++
++        // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
++        byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
++        boolean nistSP800_108KdfUseCuidAsKdd = false;
++
++        // AC: BUGFIX for key versions higher than 09:  We need to initialize these variables in order for the compiler not to complain when we pass them to DiversifyKey.
++        byte[] xkeyInfo = null, xnewkeyInfo = null;
++
++        // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
++        Exception missingSetting_exception = null;
++
++        boolean missingParam = false;
++        String errorMsg = "";
++        String badParams = "";
++        byte[] xWrappedDekKey = null;
++
++        IConfigStore sconfig = CMS.getConfigStore();
++        String rnewKeyInfo = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO);
++        String newMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO);
++        String oldMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
++        String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
++
++        // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
++        String rKDD = req.getParameter("KDD");
++        if ((rKDD == null) || (rKDD.length() == 0)) {
++            // temporarily make it friendly before TPS change
++            CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
++            rKDD = rCUID;
++        }
++
++        String rProtocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL);
++        String rWrappedDekKey = req.getParameter(IRemoteRequest.WRAPPED_DEK_SESSION_KEY);
++
++        CMS.debug(method + "rWrappedDekKey: " + rWrappedDekKey);
++
++        int protocol = 1;
++        String auditMessage = "";
++
++        String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
++        if (keySet == null || keySet.equals("")) {
++            keySet = "defKeySet";
++        }
++        CMS.debug("keySet selected: " + keySet);
++
++        SessionContext sContext = SessionContext.getContext();
++
++        String agentId = "";
++        if (sContext != null) {
++            agentId =
++                    (String) sContext.get(SessionContext.USER_ID);
++        }
++
++        // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID
++        auditMessage = CMS.getLogMessage(
++                AuditEvent.DIVERSIFY_KEY_REQUEST,
++                rCUID,
++                rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
++                ILogger.SUCCESS,
++                agentId,
++                oldMasterKeyName,
++                newMasterKeyName);
++
++        audit(auditMessage);
++
++        if ((rCUID == null) || (rCUID.equals(""))) {
++            badParams += " CUID,";
++            CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID");
++            missingParam = true;
++        }
++
++        // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
++        if ((rKDD == null) || (rKDD.length() == 0)) {
++            CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD");
++            badParams += " KDD,";
++            missingParam = true;
++        }
++
++        if ((rnewKeyInfo == null) || (rnewKeyInfo.equals(""))) {
++            badParams += " newKeyInfo,";
++            CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo");
++            missingParam = true;
++        }
++        if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))) {
++            badParams += " KeyInfo,";
++            CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KeyInfo");
++            missingParam = true;
++        }
++
++        // AC: KDF SPEC CHANGE
++        xCUID = null; // avoid errors about non-initialization
++        xKDD = null; // avoid errors about non-initialization
++        xkeyInfo = null; // avoid errors about non-initialization
++        xnewkeyInfo = null; // avoid errors about non-initialization
++
++        if (!missingParam) {
++            xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName);
++            if (xkeyInfo == null || (xkeyInfo.length != 2 && xkeyInfo.length != 3)) {
++                badParams += " KeyInfo length,";
++                CMS.debug("TokenServlet: Invalid key info length");
++                missingParam = true;
++            }
++            xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName);
++            if (xnewkeyInfo == null || (xnewkeyInfo.length != 2 && xnewkeyInfo.length != 3)) {
++                badParams += " NewKeyInfo length,";
++                CMS.debug("TokenServlet: Invalid new key info length");
++                missingParam = true;
++            }
++
++            if (rProtocol != null) {
++                try {
++                    protocol = Integer.parseInt(rProtocol);
++                } catch (NumberFormatException e) {
++                    protocol = 1;
++                }
++            }
++            CMS.debug("process DiversifyKey: protocol value: " + protocol);
++
++            if (protocol == 2) {
++                if ((rWrappedDekKey == null) || (rWrappedDekKey.equals(""))) {
++                    badParams += " WrappedDekKey,";
++                    CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: WrappedDekKey, with SCP02.");
++                    missingParam = true;
++                } else {
++
++                    CMS.debug("process DiversifyKey: wrappedDekKey value: " + rWrappedDekKey);
++                    xWrappedDekKey = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDekKey);
++                }
++
++            }
++        }
++        String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
++        if (!useSoftToken_s.equalsIgnoreCase("true"))
++            useSoftToken_s = "false";
++
++        KeySetData = null;
++        if (!missingParam) {
++            xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
++            if (xCUID == null || xCUID.length != 10) {
++                badParams += " CUID length,";
++                CMS.debug("TokenServlet: Invalid CUID length");
++                missingParam = true;
++            }
++
++            // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
++            xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
++            if (xKDD == null || xKDD.length != 10) {
++                badParams += " KDD length,";
++                CMS.debug("TokenServlet: Invalid KDD length");
++                missingParam = true;
++            }
++        }
++        if (!missingParam) {
++            // CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); // AC: KDF SPEC CHANGE: Removed duplicative variable/processing.
++
++            // AC: KDF SPEC CHANGE - read new config file values (needed for symkey)
++
++            //ToDo: Refactor this, this same block occurs several times in the file
++            try {
++                nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
++                nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
++
++                // log settings read in to debug log along with xkeyInfo and xnewkeyInfo
++                CMS.debug("TokenServlet: processDiversifyKey():  xkeyInfo[0] (old) = 0x"
++                        + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF)
++                        + ",  xkeyInfo[1] (old) = 0x"
++                        + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF)
++                        + ",  xnewkeyInfo[0] = 0x"
++                        + Integer.toHexString((xnewkeyInfo[0]) & 0x000000FF)
++                        + ",  xnewkeyInfo[1] = 0x"
++                        + Integer.toHexString((xnewkeyInfo[1]) & 0x000000FF)
++                        );
++                CMS.debug("TokenServlet: processDiversifyKey():  Nist SP800-108 KDF will be used for key versions >= 0x"
++                        + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
++                        );
++                if (nistSP800_108KdfUseCuidAsKdd == true) {
++                    CMS.debug("TokenServlet: processDiversifyKey():  Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
++                } else {
++                    CMS.debug("TokenServlet: processDiversifyKey():  Nist SP800-108 KDF (if used) will use KDD.");
++                }
++                // conform to the set-an-error-flag mentality
++            } catch (Exception e) {
++                missingSetting_exception = e;
++                CMS.debug("TokenServlet: processDiversifyKey():  Exception reading Nist SP800-108 KDF config values: "
++                        + e.toString());
++            }
++
++            if (mKeyNickName != null)
++                oldMasterKeyName = mKeyNickName;
++            if (mNewKeyNickName != null)
++                newMasterKeyName = mNewKeyNickName;
++
++            String tokKeyInfo =  req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
++
++            // Get the first 6 characters, since scp03 gives us extra characters.
++            tokKeyInfo = tokKeyInfo.substring(0,6);
++            String oldKeyInfoMap = "tks." + keySet + ".mk_mappings." + tokKeyInfo; //#xx#xx
++            CMS.debug(method + " oldKeyInfoMap: " + oldKeyInfoMap);
++            String oldMappingValue = CMS.getConfigStore().getString(oldKeyInfoMap, null);
++            String oldSelectedToken = null;
++            if (oldMappingValue == null) {
++                oldSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
++                oldKeyNickName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
++            } else {
++                StringTokenizer st = new StringTokenizer(oldMappingValue, ":");
++                oldSelectedToken = st.nextToken();
++                oldKeyNickName = st.nextToken();
++            }
++
++
++            String newKeyInfoMap = "tks.mk_mappings." + rnewKeyInfo.substring(0,6); //#xx#xx
++            CMS.debug(method + " newKeyInfoMap: " + newKeyInfoMap);
++            String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null);
++            String newSelectedToken = null;
++            if (newMappingValue == null) {
++                newSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
++                newKeyNickName = rnewKeyInfo;
++            } else {
++                StringTokenizer st = new StringTokenizer(newMappingValue, ":");
++                newSelectedToken = st.nextToken();
++                newKeyNickName = st.nextToken();
++            }
++
++            CMS.debug("process DiversifyKey for oldSelectedToke=" +
++                    oldSelectedToken + " newSelectedToken=" + newSelectedToken +
++                    " oldKeyNickName=" + oldKeyNickName + " newKeyNickName=" +
++                    newKeyNickName);
++
++            byte kekKeyArray[] = getDeveKeyArray("kek_key", sconfig, keySet);
++            byte macKeyArray[] = getDeveKeyArray("auth_key", sconfig, keySet);
++            byte encKeyArray[] = getDeveKeyArray("mac_key", sconfig, keySet);
++
++            //        com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key"));
++
++            //GPParams for scp03 right now, reads some scp03 specific values from the config of a given keyset
++            // passed down to the SecureChannelProtocol functions that deal with SCP03
++
++            GPParams gp3Params = readGPSettings(keySet);
++
++            SecureChannelProtocol secProtocol = new SecureChannelProtocol(protocol);
++            // AC: KDF SPEC CHANGE - check for error reading settings
++            if (missingSetting_exception == null) {
++                if (protocol == 1 || protocol == 3) {
++                   KeySetData = secProtocol.diversifyKey(oldSelectedToken,
++                            newSelectedToken, oldKeyNickName,
++                            newKeyNickName,
++                            xkeyInfo, // AC: KDF SPEC CHANGE - pass in old key info so symkey can make decision about which KDF version to use
++                            xnewkeyInfo, // AC: BUGFIX for key versions higher than 09:  We need to specialDecode keyInfo parameters before sending them into symkey!  This means the parameters must be byte[]
++                            nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value
++                            nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value
++                            xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID'
++                            xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use
++                            kekKeyArray,encKeyArray,macKeyArray, useSoftToken_s, keySet, (byte) protocol,gp3Params);
++
++                } else if (protocol == 2) {
++                    KeySetData = SessionKey.DiversifyKey(oldSelectedToken, newSelectedToken, oldKeyNickName,
++                            newKeyNickName, xkeyInfo,
++                            xnewkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD,
++                            (protocol == 2) ? xWrappedDekKey : kekKeyArray, useSoftToken_s, keySet, (byte) protocol);
++                }
++                //SecureChannelProtocol.debugByteArray(KeySetData, " New keyset data: ");
++                CMS.debug("TokenServlet.processDiversifyKey: New keyset data obtained");
++
++                if (KeySetData == null || KeySetData.length <= 1) {
++                    CMS.getLogger().log(ILogger.EV_AUDIT,
++                            ILogger.S_TKS,
++                            ILogger.LL_INFO, "process DiversifyKey: Missing MasterKey in Slot");
++                }
++
++                CMS.getLogger().log(ILogger.EV_AUDIT,
++                        ILogger.S_TKS,
++                        ILogger.LL_INFO,
++                        "process DiversifyKey for CUID=" +
++                                trim(pp.toHexString(xCUID)) + // AC: KDF SPEC CHANGE:  Log both CUID and KDD
++                                ", KDD=" +
++                                trim(pp.toHexString(xKDD))
++                                + ";from oldMasterKeyName=" + oldSelectedToken + ":" + oldKeyNickName
++                                + ";to newMasterKeyName=" + newSelectedToken + ":" + newKeyNickName);
++
++                resp.setContentType("text/html");
++
++            } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file
++
++        } // ! missingParam
++
++        String value = "";
++        String status = "0";
++
++        if (KeySetData != null && KeySetData.length > 1) {
++            value = IRemoteRequest.RESPONSE_STATUS + "=0&" + IRemoteRequest.TKS_RESPONSE_KeySetData + "=" +
++                    com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData);
++            //CMS.debug("TokenServlet:process DiversifyKey.encode " + value);
++            CMS.debug("TokenServlet:process DiversifyKey.encode returning KeySetData");
++            // AC: KDF SPEC CHANGE - check for settings file issue (flag)
++        } else if (missingSetting_exception != null) {
++            status = "6";
++            errorMsg = "Problem reading required configuration value.";
++            value = "status=" + status;
++        } else if (missingParam) {
++            status = "3";
++            if (badParams.endsWith(",")) {
++                badParams = badParams.substring(0, badParams.length() - 1);
++            }
++            errorMsg = "Missing input parameters: " + badParams;
++            value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
++        } else {
++            errorMsg = "Problem diversifying key data.";
++            status = "1";
++            value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
++        }
++
++        resp.setContentLength(value.length());
++        CMS.debug("TokenServlet:outputString.length " + value.length());
++
++        try {
++            OutputStream ooss = resp.getOutputStream();
++            ooss.write(value.getBytes());
++            ooss.flush();
++            mRenderResult = false;
++        } catch (Exception e) {
++            CMS.debug("TokenServlet:process DiversifyKey: " + e.toString());
++        }
++
++        if (status.equals("0")) {
++
++            // AC: KDF SPEC CHANGE - Log both CUID and KDD
++            //                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
++            //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
++            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
++                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
++                    ILogger.SUCCESS, // Outcome
++                    status, // status
++                    agentId, // AgentID
++
++                    // AC: BUGFIX:  Record the actual parameters to DiversifyKey in the audit log.
++                    oldKeyNickName, // oldMasterKeyName
++                    newKeyNickName, // newMasterKeyName
++
++                    keySet, // TKSKeyset
++                    log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion
++                    log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion
++                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
++                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
++            };
++            auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams);
++        } else {
++            // AC: KDF SPEC CHANGE - Log both CUID and KDD
++            //                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
++            //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
++            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
++                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
++                    ILogger.FAILURE, // Outcome
++                    status, // status
++                    agentId, // AgentID
++
++                    // AC: BUGFIX:  Record the actual parameters to DiversifyKey in the audit log.
++                    oldKeyNickName, // oldMasterKeyName
++                    newKeyNickName, // newMasterKeyName
++
++                    keySet, // TKSKeyset
++                    log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion
++                    log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion
++                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
++                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
++                    errorMsg // Error
++            };
++            auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams);
++        }
++
++        audit(auditMessage);
++    }
++
++    private void processEncryptData(HttpServletRequest req,
++            HttpServletResponse resp) throws EBaseException {
++        byte[] keyInfo, xCUID, encryptedData, xkeyInfo, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
++
++        // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
++        byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
++        boolean nistSP800_108KdfUseCuidAsKdd = false;
++
++        // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
++        Exception missingSetting_exception = null;
++
++        boolean missingParam = false;
++        byte[] data = null;
++        boolean isRandom = true; // randomly generate the data to be encrypted
++
++        String errorMsg = "";
++        String badParams = "";
++        IConfigStore sconfig = CMS.getConfigStore();
++        encryptedData = null;
++        String rdata = req.getParameter(IRemoteRequest.TOKEN_DATA);
++        String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
++        String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
++
++        String protocolValue = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL);
++
++        // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
++        String rKDD = req.getParameter("KDD");
++        if ((rKDD == null) || (rKDD.length() == 0)) {
++            // temporarily make it friendly before TPS change
++            CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
++            rKDD = rCUID;
++        }
++
++        String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
++        if (keySet == null || keySet.equals("")) {
++            keySet = "defKeySet";
++        }
++
++        SessionContext sContext = SessionContext.getContext();
++
++        String agentId = "";
++        if (sContext != null) {
++            agentId =
++                    (String) sContext.get(SessionContext.USER_ID);
++        }
++
++        CMS.debug("keySet selected: " + keySet);
++
++        String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true");
++        if (s_isRandom.equalsIgnoreCase("false")) {
++            CMS.debug("TokenServlet: processEncryptData(): Random number not to be generated");
++            isRandom = false;
++        } else {
++            CMS.debug("TokenServlet: processEncryptData(): Random number generation required");
++            isRandom = true;
++        }
++
++        // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID
++        String auditMessage = CMS.getLogMessage(
++                AuditEvent.ENCRYPT_DATA_REQUEST,
++                rCUID,
++                rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
++                ILogger.SUCCESS,
++                agentId,
++                s_isRandom);
++        audit(auditMessage);
++
++        GPParams gp3Params = readGPSettings(keySet);
++
++        if (isRandom) {
++            if ((rdata == null) || (rdata.equals(""))) {
++                CMS.debug("TokenServlet: processEncryptData(): no data in request.  Generating random number as data");
++            } else {
++                CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. Generating...");
++            }
++            try {
++                SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
++                data = new byte[16];
++                random.nextBytes(data);
++            } catch (Exception e) {
++                CMS.debug("TokenServlet: processEncryptData():" + e.toString());
++                badParams += " Random Number,";
++                missingParam = true;
++            }
++        } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))) {
++            CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data.");
++            badParams += " data,";
++            missingParam = true;
++        }
++
++        if ((rCUID == null) || (rCUID.equals(""))) {
++            badParams += " CUID,";
++            CMS.debug("TokenServlet: processEncryptData(): missing request parameter: CUID");
++            missingParam = true;
++        }
++
++        // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
++        if ((rKDD == null) || (rKDD.length() == 0)) {
++            CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD");
++            badParams += " KDD,";
++            missingParam = true;
++        }
++
++        if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
++            badParams += " KeyInfo,";
++            CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info");
++            missingParam = true;
++        }
++
++        // AC: KDF SPEC CHANGE
++        xCUID = null; // avoid errors about non-initialization
++        xKDD = null; // avoid errors about non-initialization
++        xkeyInfo = null; // avoid errors about non-initialization
++
++        if (!missingParam) {
++            xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
++            if (xCUID == null || xCUID.length != 10) {
++                badParams += " CUID length,";
++                CMS.debug("TokenServlet: Invalid CUID length");
++                missingParam = true;
++            }
++
++            // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
++            xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
++            if (xKDD == null || xKDD.length != 10) {
++                badParams += " KDD length,";
++                CMS.debug("TokenServlet: Invalid KDD length");
++                missingParam = true;
++            }
++
++            xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
++            if (xkeyInfo == null || (xkeyInfo.length != 2 && xkeyInfo.length != 3)) {
++                badParams += " KeyInfo length,";
++                CMS.debug("TokenServlet: Invalid key info length");
++                missingParam = true;
++            }
++        }
++
++        String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
++        if (!useSoftToken_s.equalsIgnoreCase("true"))
++            useSoftToken_s = "false";
++
++        String selectedToken = null;
++        String keyNickName = null;
++        if (!missingParam) {
++
++            // AC: KDF SPEC CHANGE - read new config file values (needed for symkey
++            try {
++                nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet);
++                nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet);
++
++                // log settings read in to debug log along with xkeyInfo
++                CMS.debug("TokenServlet: processEncryptData():  xkeyInfo[0] = 0x"
++                        + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF)
++                        + ",  xkeyInfo[1] = 0x"
++                        + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF)
++                        );
++                CMS.debug("TokenServlet: processEncryptData():  Nist SP800-108 KDF will be used for key versions >= 0x"
++                        + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF)
++                        );
++                if (nistSP800_108KdfUseCuidAsKdd == true) {
++                    CMS.debug("TokenServlet: processEncryptData():  Nist SP800-108 KDF (if used) will use CUID instead of KDD.");
++                } else {
++                    CMS.debug("TokenServlet: processEncryptData():  Nist SP800-108 KDF (if used) will use KDD.");
++                }
++                // conform to the set-an-error-flag mentality
++            } catch (Exception e) {
++                missingSetting_exception = e;
++                CMS.debug("TokenServlet: processEncryptData():  Exception reading Nist SP800-108 KDF config values: "
++                        + e.toString());
++            }
++
++            if (!isRandom)
++                data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata);
++            keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
++
++            String keyInfoMap = "tks." + keySet + ".mk_mappings." +  rKeyInfo.substring(0,6);
++            String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
++            if (mappingValue == null) {
++                selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME);
++                keyNickName = rKeyInfo;
++            } else {
++                StringTokenizer st = new StringTokenizer(mappingValue, ":");
++                selectedToken = st.nextToken();
++                keyNickName = st.nextToken();
++            }
++
++
++            //calculate the protocol
++
++            int protocolInt = SecureChannelProtocol.PROTOCOL_ONE;
++            try
++            {
++                 protocolInt = Integer.parseInt(protocolValue);
++            }
++            catch (NumberFormatException nfe)
++            {
++                protocolInt = SecureChannelProtocol.PROTOCOL_ONE;
++            }
++
++            CMS.debug( "TokenServerlet.encryptData: protocol input: " + protocolInt);
++
++            //Check for reasonable sanity, leave room for future versions
++            if(protocolInt <= 0 || protocolInt > 20) {
++                CMS.debug( "TokenServerlet.encryptData: unfamliar protocl, assume default of 1.");
++                protocolInt = 1;
++
++            }
++
++            byte kekKeyArray[] =
++                    com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key"));
++            // AC: KDF SPEC CHANGE - check for error reading settings
++            if (missingSetting_exception == null) {
++
++
++                SecureChannelProtocol protocol = new SecureChannelProtocol(protocolInt);
++
++                if (protocolInt != SecureChannelProtocol.PROTOCOL_THREE) {
++
++                    encryptedData = protocol.encryptData(
++                            selectedToken, keyNickName, data, keyInfo,
++                            nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value
++                            nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value
++                            xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID'
++                            xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use
++                            kekKeyArray, useSoftToken_s, keySet);
++
++                } else {
++
++                    encryptedData = protocol.encryptData_SCP03(selectedToken, keyNickName, data, xkeyInfo,
++                            nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, kekKeyArray,
++                            useSoftToken_s, keySet,gp3Params);
++
++                }
++
++                SecureChannelProtocol.debugByteArray(encryptedData, "New Encrypt Data: ");
++
++                // AC: KDF SPEC CHANGE - Log both CUID and KDD
++
++                CMS.getLogger().log(ILogger.EV_AUDIT,
++                        ILogger.S_TKS,
++                        ILogger.LL_INFO, "process EncryptData for CUID=" +
++                                trim(pp.toHexString(xCUID)) +
++                                ", KDD=" +
++                                trim(pp.toHexString(xKDD)));
++
++            } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file
++
++        } // !missingParam
++
++        resp.setContentType("text/html");
++
++        String value = "";
++        String status = "0";
++        if (encryptedData != null && encryptedData.length > 0) {
++            // sending both the pre-encrypted and encrypted data back
++            value = IRemoteRequest.RESPONSE_STATUS + "=0&"
++                    + IRemoteRequest.TOKEN_DATA + "=" +
++                    com.netscape.cmsutil.util.Utils.SpecialEncode(data) +
++                    "&" + IRemoteRequest.TKS_RESPONSE_EncryptedData + "=" +
++                    com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData);
++            // AC: KDF SPEC CHANGE - check for settings file issue (flag)
++        } else if (missingSetting_exception != null) {
++            status = "6";
++            errorMsg = "Problem reading required configuration value.";
++            value = "status=" + status;
++        } else if (missingParam) {
++            if (badParams.endsWith(",")) {
++                badParams = badParams.substring(0, badParams.length() - 1);
++            }
++            errorMsg = "Missing input parameters: " + badParams;
++            status = "3";
++            value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
++        } else {
++            errorMsg = "Problem encrypting data.";
++            status = "1";
++            value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
++        }
++
++        //CMS.debug("TokenServlet:process EncryptData.encode " + value);
++
++        try {
++            resp.setContentLength(value.length());
++            CMS.debug("TokenServlet:outputString.lenght " + value.length());
++
++            OutputStream ooss = resp.getOutputStream();
++            ooss.write(value.getBytes());
++            ooss.flush();
++            mRenderResult = false;
++        } catch (Exception e) {
++            CMS.debug("TokenServlet: " + e.toString());
++        }
++
++        if (status.equals("0")) {
++            // AC: KDF SPEC CHANGE - Log both CUID and KDD
++            //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
++            //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
++            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
++                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
++                    ILogger.SUCCESS, // Outcome
++                    status, // status
++                    agentId, // AgentID
++                    s_isRandom, // isRandom
++                    selectedToken, // SelectedToken
++                    keyNickName, // KeyNickName
++                    keySet, // TKSKeyset
++                    log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
++                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
++                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
++            };
++            auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams);
++        } else {
++            // AC: KDF SPEC CHANGE - Log both CUID and KDD
++            //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
++            //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
++            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
++                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
++                    ILogger.FAILURE, // Outcome
++                    status, // status
++                    agentId, // AgentID
++                    s_isRandom, // isRandom
++                    selectedToken, // SelectedToken
++                    keyNickName, // KeyNickName
++                    keySet, // TKSKeyset
++                    log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
++                    "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
++                    Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
++                    errorMsg // Error
++            };
++            auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams);
++        }
++
++        audit(auditMessage);
++    }
++
++    /*
++     *   For EncryptData:
++     *   data=value1
++     *   CUID=value2 // missing from RA
++     *   versionID=value3  // missing from RA
++     *
++     *   For ComputeSession:
++     *   card_challenge=value1
++     *   host_challenge=value2
++
++     *   For DiversifyKey:
++     *   new_master_key_index
++     *   master_key_index
++     */
++
++    private void processComputeRandomData(HttpServletRequest req,
++            HttpServletResponse resp) throws EBaseException {
++
++        byte[] randomData = null;
++        String status = "0";
++        String errorMsg = "";
++        String badParams = "";
++        boolean missingParam = false;
++        int dataSize = 0;
++
++        CMS.debug("TokenServlet::processComputeRandomData");
++
++        SessionContext sContext = SessionContext.getContext();
++
++        String agentId = "";
++        if (sContext != null) {
++            agentId =
++                    (String) sContext.get(SessionContext.USER_ID);
++        }
++
++        String sDataSize = req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES);
++
++        if (sDataSize == null || sDataSize.equals("")) {
++            CMS.debug("TokenServlet::processComputeRandomData missing param dataNumBytes");
++            badParams += " Random Data size, ";
++            missingParam = true;
++            status = "1";
++        } else {
++            try {
++                dataSize = Integer.parseInt(sDataSize.trim());
++            } catch (NumberFormatException nfe) {
++                CMS.debug("TokenServlet::processComputeRandomData invalid data size input!");
++                badParams += " Random Data size, ";
++                missingParam = true;
++                status = "1";
++            }
++
++        }
++
++        CMS.debug("TokenServlet::processComputeRandomData data size requested: " + dataSize);
++
++        String auditMessage = CMS.getLogMessage(
++                AuditEvent.COMPUTE_RANDOM_DATA_REQUEST,
++                ILogger.SUCCESS,
++                agentId);
++
++        audit(auditMessage);
++
++        if (!missingParam) {
++            try {
++                SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
++                randomData = new byte[dataSize];
++                random.nextBytes(randomData);
++            } catch (Exception e) {
++                CMS.debug("TokenServlet::processComputeRandomData:" + e.toString());
++                errorMsg = "Can't generate random data!";
++                status = "2";
++            }
++        }
++
++        String randomDataOut = "";
++        if (status.equals("0")) {
++            if (randomData != null && randomData.length == dataSize) {
++                randomDataOut =
++                        com.netscape.cmsutil.util.Utils.SpecialEncode(randomData);
++            } else {
++                status = "2";
++                errorMsg = "Can't convert random data!";
++            }
++        }
++
++        if (status.equals("1") && missingParam) {
++
++            if (badParams.endsWith(",")) {
++                badParams = badParams.substring(0, badParams.length() - 1);
++            }
++            errorMsg = "Missing input parameters :" + badParams;
++        }
++
++        resp.setContentType("text/html");
++        String value = "";
++
++        value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
++        if (status.equals("0")) {
++            value = value + "&" + IRemoteRequest.TKS_RESPONSE_RandomData + "=" + randomDataOut;
++        }
++
++        try {
++            resp.setContentLength(value.length());
++            CMS.debug("TokenServler::processComputeRandomData :outputString.length " + value.length());
++
++            OutputStream ooss = resp.getOutputStream();
++            ooss.write(value.getBytes());
++            ooss.flush();
++            mRenderResult = false;
++        } catch (Exception e) {
++            CMS.debug("TokenServlet::processComputeRandomData " + e.toString());
++        }
++
++        if (status.equals("0")) {
++            auditMessage = CMS.getLogMessage(
++                    AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,
++                    ILogger.SUCCESS,
++                    status,
++                    agentId);
++        } else {
++            auditMessage = CMS.getLogMessage(
++                    AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,
++                    ILogger.FAILURE,
++                    status,
++                    agentId,
++                    errorMsg);
++        }
++
++        audit(auditMessage);
++    }
++
++    public void process(CMSRequest cmsReq) throws EBaseException {
++        HttpServletRequest req = cmsReq.getHttpReq();
++        HttpServletResponse resp = cmsReq.getHttpResp();
++
++        IAuthToken authToken = authenticate(cmsReq);
++        AuthzToken authzToken = null;
++
++        mCurrentUID = (String) authToken.get(IAuthToken.UID) ;
++
++        try {
++            authzToken = authorize(mAclMethod, authToken,
++                    mAuthzResourceName, "execute");
++        } catch (Exception e) {
++        }
++
++        if (authzToken == null) {
++
++            try {
++                resp.setContentType("text/html");
++                String value = "unauthorized=";
++                CMS.debug("TokenServlet: Unauthorized");
++
++                resp.setContentLength(value.length());
++                OutputStream ooss = resp.getOutputStream();
++                ooss.write(value.getBytes());
++                ooss.flush();
++                mRenderResult = false;
++            } catch (Exception e) {
++                CMS.debug("TokenServlet: " + e.toString());
++            }
++
++            //       cmsReq.setStatus(CMSRequest.UNAUTHORIZED);
++            return;
++        }
++
++        String temp = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE);
++        String protocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL);
++        String derivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT);
++        //CMS.debug("Protocol: " + protocol + " temp: " + temp);
++
++        setDefaultSlotAndKeyName(req);
++        if (temp != null && protocol == null) {
++            processComputeSessionKey(req, resp);
++        } else if (req.getParameter(IRemoteRequest.TOKEN_DATA) != null) {
++            processEncryptData(req, resp);
++        } else if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) {
++            processDiversifyKey(req, resp);
++        } else if (req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES) != null) {
++            processComputeRandomData(req, resp);
++        } else if (protocol != null && protocol.contains("2") && (derivationConstant != null)) {
++            //SCP02 compute one session key.
++            processComputeSessionKeySCP02(req, resp);
++
++        }  else if (protocol != null && protocol.contains("3") ) {
++            processComputeSessionKeysSCP03(req,resp);
++        } else {
++            throw new EBaseException("Process: Can't decide upon function to call!");
++        }
++    }
++
++    //Create all the session keys for scp03 at once and return.
++    //ToDo: calcualte the optional rmac key
++    private void processComputeSessionKeysSCP03(HttpServletRequest req, HttpServletResponse resp) throws EBaseException {
++        String method = "processComputeSessionKeysSCP03:";
++        CMS.debug(method + " entering ...");
++
++        byte[] card_challenge, host_challenge, xCUID, xKDD;
++        byte[] card_crypto, host_cryptogram, input_card_crypto;
++        byte[] xcard_challenge, xhost_challenge;
++        byte[] enc_session_key, xkeyInfo,mac_session_key, kek_session_key;
++        String auditMessage = null;
++        String errorMsg = "";
++        String badParams = "";
++        String transportKeyName = "";
++        String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
++
++        String rKDD = req.getParameter("KDD");
++        if ((rKDD == null) || (rKDD.length() == 0)) {
++            // KDF phase1: default to rCUID if not present
++            CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
++            rKDD = rCUID;
++        }
++
++        String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
++        if (keySet == null || keySet.equals("")) {
++            keySet = "defKeySet";
++        }
++        CMS.debug("keySet selected: " + keySet);
++
++        GPParams gp3Params = readGPSettings(keySet);
++
++        boolean serversideKeygen = false;
++
++        IConfigStore sconfig = CMS.getConfigStore();
++        boolean isCryptoValidate = true;
++        boolean missingParam = false;
++
++        Exception missingSetting_exception = null;
++
++        mac_session_key = null;
++        kek_session_key = null;
++        card_crypto = null;
++        host_cryptogram = null;
++        enc_session_key = null;
++
++        SessionContext sContext = SessionContext.getContext();
++
++        String agentId = "";
++        if (sContext != null) {
++            agentId =
++                    (String) sContext.get(SessionContext.USER_ID);
++        }
++
++        auditMessage = CMS.getLogMessage(
++                AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
++                rCUID,
++                rKDD,
++                ILogger.SUCCESS,
++                agentId);
++
++        audit(auditMessage);
++
++        String kek_wrapped_desKeyString = null;
++        String keycheck_s = null;
++
++        String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
++        if (!useSoftToken_s.equalsIgnoreCase("true"))
++            useSoftToken_s = "false";
++
++        CMS.debug(method + " useSoftToken: " + useSoftToken_s);
++
++        String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN);
++        if (rServersideKeygen.equals("true")) {
++
++            serversideKeygen = true;
++        }
++
++        CMS.debug(method + " serversideKeygen: " + serversideKeygen);
++
++        try {
++            isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true);
++        } catch (EBaseException eee) {
++        }
++
++        CMS.debug(method + " Do crypto validation: " + isCryptoValidate);
++
++        transportKeyName = getSharedSecretName(sconfig);
++
++        String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE);
++        String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE);
++        String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
++        String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM);
++
++        if ((rCUID == null) || (rCUID.equals(""))) {
++            CMS.debug(method + " missing request parameter: CUID");
++            badParams += " CUID,";
++            missingParam = true;
++        }
++
++        if ((rKDD == null) || (rKDD.length() == 0)) {
++            CMS.debug(method + " missing request parameter: KDD");
++            badParams += " KDD,";
++            missingParam = true;
++        }
++
++        if ((rcard_challenge == null) || (rcard_challenge.equals(""))) {
++            badParams += " card_challenge,";
++            CMS.debug(method + " missing request parameter: card challenge");
++            missingParam = true;
++        }
++
++        if ((rhost_challenge == null) || (rhost_challenge.equals(""))) {
++            badParams += " host_challenge,";
++            CMS.debug(method + " missing request parameter: host challenge");
++            missingParam = true;
++        }
++
++        if ((rcard_cryptogram == null) || (rcard_cryptogram.equals(""))) {
++            badParams += " card_cryptogram,";
++            CMS.debug(method + " missing request parameter: card_cryptogram");
++            missingParam = true;
++        }
++
++        if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
++            badParams += " KeyInfo,";
++            CMS.debug(method + "missing request parameter: key info");
++            missingParam = true;
++        }
++
++        String selectedToken = null;
++        String keyNickName = null;
++        boolean sameCardCrypto = true;
++
++        xCUID = null;
++        xKDD = null;
++        xkeyInfo = null;
++        xcard_challenge = null;
++        xhost_challenge = null;
++
++        if (!missingParam) {
++            xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
++            if (xCUID == null || xCUID.length != 10) {
++                badParams += " CUID length,";
++                CMS.debug("TokenServlet: Invalid CUID length");
++                missingParam = true;
++            }
++
++            xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
++            if (xKDD == null || xKDD.length != 10) {
++                badParams += " KDD length,";
++                CMS.debug("TokenServlet: Invalid KDD length");
++                missingParam = true;
++            }
++
++            xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
++            if (xkeyInfo == null || xkeyInfo.length != 3) {
++                badParams += " KeyInfo length,";
++                CMS.debug("TokenServlet: Invalid key info length.");
++                missingParam = true;
++            }
++            xcard_challenge =
++                    com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
++            if (xcard_challenge == null || xcard_challenge.length != 8) {
++                badParams += " card_challenge length,";
++                CMS.debug("TokenServlet: Invalid card challenge length.");
++                missingParam = true;
++            }
++
++            xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
++            if (xhost_challenge == null || xhost_challenge.length != 8) {
++                badParams += " host_challenge length,";
++                CMS.debug("TokenServlet: Invalid host challenge length");
++                missingParam = true;
++            }
++        }
++
++        ArrayList<String> serverSideValues = null;
++
++        if (!missingParam) {
++            card_challenge =
++                    com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
++
++            host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge);
++
++            String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo.substring(0,6); //#xx#xx
++            String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null);
++
++
++            if (mappingValue == null) {
++                selectedToken =
++                        CMS.getConfigStore().getString("tks.defaultSlot", "internal");
++                keyNickName = rKeyInfo;
++            } else {
++                StringTokenizer st = new StringTokenizer(mappingValue, ":");
++                if (st.hasMoreTokens())
++                    selectedToken = st.nextToken();
++                if (st.hasMoreTokens())
++                    keyNickName = st.nextToken();
++            }
++
++            CMS.debug(method + " selectedToken: " + selectedToken + " keyNickName: " + keyNickName );
++
++            SymmetricKey macSessionKey = null;
++            SymmetricKey encSessionKey = null;
++            SymmetricKey kekSessionKey = null;
++
++            if (selectedToken != null && keyNickName != null
++                    && missingSetting_exception == null) {
++
++                try {
++
++                    byte macKeyArray[] =
++                            com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
++                                    + keySet + ".mac_key"));
++                    CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken="
++                            + selectedToken + " keyNickName=" + keyNickName);
++
++                    SecureChannelProtocol protocol = new SecureChannelProtocol(SecureChannelProtocol.PROTOCOL_THREE);
++
++                    macSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo,
++                            SecureChannelProtocol.macType, macKeyArray, keySet,xCUID, xKDD, xhost_challenge, xcard_challenge,
++                            transportKeyName,gp3Params);
++
++                    mac_session_key = protocol.wrapSessionKey(selectedToken, macSessionKey, null);
++
++                    if (mac_session_key == null) {
++                        CMS.debug(method + " Can't get mac session key bytes");
++                        throw new Exception(method + " Can't get mac session key bytes");
++
++                    }
++
++                    byte encKeyArray[] =
++                            com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
++                                    + keySet + ".auth_key"));
++
++                    encSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo,
++                            SecureChannelProtocol.encType, encKeyArray, keySet, xCUID, xKDD, xhost_challenge, xcard_challenge,
++                            transportKeyName,gp3Params);
++
++                    enc_session_key = protocol.wrapSessionKey(selectedToken, encSessionKey, null);
++
++                    if (enc_session_key == null) {
++                        CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL ");
++                        throw new Exception("Can't compute enc session key!");
++
++                    }
++
++                    byte kekKeyArray[] =
++                            com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
++                                    + keySet + ".kek_key"));
++
++                    kekSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName, xkeyInfo,
++                            SecureChannelProtocol.kekType, kekKeyArray, keySet, xCUID, xKDD, xhost_challenge,
++                            xcard_challenge,
++                            transportKeyName,gp3Params);
++
++                    kek_session_key = protocol.wrapSessionKey(selectedToken, kekSessionKey, null);
++
++
++                    //Offload some of the tedious params gathering to another method
++                    //ToDo, create a method that reads all this stuff at once for all major methods
++                    if (serversideKeygen) {
++                        try {
++                            serverSideValues = calculateServerSideKeygenValues(useSoftToken_s, selectedToken,
++                                    kekSessionKey, protocol);
++                        } catch (EBaseException e) {
++
++                            CMS.debug(method + " Can't calcualte server side keygen required values...");
++
++                        }
++                    }
++
++                    try {
++                        isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true);
++                    } catch (EBaseException eee) {
++                    }
++
++                    ByteArrayOutputStream contextStream = new ByteArrayOutputStream();
++                    try {
++                        contextStream.write(host_challenge);
++                        contextStream.write(card_challenge);
++                    } catch (IOException e) {
++                        throw new EBaseException(method + " Error calculating derivation data!");
++                    }
++
++                    host_cryptogram = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.HOST_CRYPTO_KDF_CONSTANT);
++                    SecureChannelProtocol.debugByteArray(host_cryptogram, method + " calculated host crypto: " + host_cryptogram.length);
++
++
++                   if( isCryptoValidate) {
++                       if (rcard_cryptogram == null) {
++                           CMS.debug(method + " missing card cryptogram");
++                           throw new Exception(method + "Missing card cryptogram");
++                       }
++                       input_card_crypto =
++                               com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram);
++                       card_crypto = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.CARD_CRYPTO_KDF_CONSTANT);
++                       SecureChannelProtocol.debugByteArray(card_crypto, method + " calculated card crypto: ");
++                       SecureChannelProtocol.debugByteArray(input_card_crypto, method + " original card crypto: ");
++
++                       if(!cryptoGramsAreEqual(input_card_crypto, card_crypto)) {
++                           throw new Exception(method + "Card cryptogram mismatch!");
++                       }
++
++                   }
++                } catch (Exception e) {
++                    CMS.debug(e);
++                    CMS.debug("TokenServlet Computing Session Key: " + e.toString());
++                    if (isCryptoValidate)
++                        sameCardCrypto = false;
++                }
++            }
++        } // ! missingParam
++
++        String value = "";
++
++        resp.setContentType("text/html");
++
++        String encSessionKeyString = "";
++        String macSessionKeyString = "";
++        String kekSessionKeyString = "";
++
++        String drm_trans_wrapped_desKeyString = "";
++        String cryptogram = "";
++        String status = "0";
++
++        if (enc_session_key != null && enc_session_key.length > 0) {
++            encSessionKeyString =
++                    com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key);
++        } else {
++            status = "1";
++        }
++
++        if (mac_session_key != null && mac_session_key.length > 0) {
++            macSessionKeyString =
++                    com.netscape.cmsutil.util.Utils.SpecialEncode(mac_session_key);
++        } else {
++            status = "1";
++        }
++
++        if (kek_session_key != null && kek_session_key.length > 0) {
++            kekSessionKeyString =
++                    com.netscape.cmsutil.util.Utils.SpecialEncode(kek_session_key);
++        } else {
++            status = "1";
++        }
++
++        if (serversideKeygen == true) {
++            if (serverSideValues.size() == 3) {
++                drm_trans_wrapped_desKeyString = serverSideValues.get(2);
++                kek_wrapped_desKeyString = serverSideValues.get(0);
++                keycheck_s = serverSideValues.get(1);
++            }
++            else {
++                status = "1";
++            }
++        }
++
++        if (host_cryptogram != null && host_cryptogram.length > 0) {
++            cryptogram =
++                    com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram);
++        } else {
++            if (status.equals("0") == true) {
++                status = "2";
++            }
++        }
++
++        if (selectedToken == null || keyNickName == null) {
++            // AC: Bugfix: Don't override status's value if an error was already flagged
++            if (status.equals("0") == true) {
++                status = "4";
++            }
++        }
++
++        if (!sameCardCrypto) {
++            if (status.equals("0") == true) {
++                status = "5";
++            }
++        }
++
++        if (missingSetting_exception != null) {
++            status = "6";
++        }
++
++        if (missingParam) {
++            status = "3";
++        }
++
++        if (!status.equals("0")) {
++
++            if (status.equals("1")) {
++                errorMsg = "Problem generating session key info.";
++            }
++
++            if (status.equals("2")) {
++                errorMsg = "Problem creating host_cryptogram.";
++            }
++
++            if (status.equals("5")) {
++                errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys.";
++            }
++
++            if (status.equals("4")) {
++                errorMsg = "Problem obtaining token information.";
++            }
++
++            if (status.equals("6")) {
++                errorMsg = "Problem reading required configuration value.";
++            }
++
++            if (status.equals("3")) {
++                if (badParams.endsWith(",")) {
++                    badParams = badParams.substring(0, badParams.length() - 1);
++                }
++                errorMsg = "Missing input parameters :" + badParams;
++            }
++
++            value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
++        } else {
++            if (serversideKeygen == true) {
++                StringBuffer sb = new StringBuffer();
++                sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
++                sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "=");
++                sb.append(macSessionKeyString);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
++                sb.append(cryptogram);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
++                sb.append(encSessionKeyString);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "=");
++                sb.append(kekSessionKeyString);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "=");
++                sb.append(kek_wrapped_desKeyString);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "=");
++                sb.append(keycheck_s);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "=");
++                sb.append(drm_trans_wrapped_desKeyString);
++                value = sb.toString();
++            } else {
++                StringBuffer sb = new StringBuffer();
++                sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
++                sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "=");
++                sb.append(macSessionKeyString);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
++                sb.append(cryptogram);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
++                sb.append(encSessionKeyString);
++                sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "=");
++                value = sb.toString();
++            }
++
++        }
++        //CMS.debug(method + "outputString.encode " + value);
++
++        try {
++            resp.setContentLength(value.length());
++            CMS.debug("TokenServlet:outputString.length " + value.length());
++            OutputStream ooss = resp.getOutputStream();
++            ooss.write(value.getBytes());
++            ooss.flush();
++            mRenderResult = false;
++        } catch (IOException e) {
++            CMS.debug("TokenServlet: " + e.toString());
++        }
++
++        if (status.equals("0")) {
++            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
++                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
++                    ILogger.SUCCESS, // Outcome
++                    status, // status
++                    agentId, // AgentID
++                    isCryptoValidate ? "true" : "false", // IsCryptoValidate
++                    serversideKeygen ? "true" : "false", // IsServerSideKeygen
++                    selectedToken, // SelectedToken
++                    keyNickName, // KeyNickName
++                    keySet, // TKSKeyset
++                    log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
++            };
++            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
++                    logParams);
++
++        } else {
++            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
++                    log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
++                    ILogger.FAILURE, // Outcome
++                    status, // status
++                    agentId, // AgentID
++                    isCryptoValidate ? "true" : "false", // IsCryptoValidate
++                    serversideKeygen ? "true" : "false", // IsServerSideKeygen
++                    selectedToken, // SelectedToken
++                    keyNickName, // KeyNickName
++                    keySet, // TKSKeyset
++                    log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
++                    errorMsg // Error
++            };
++            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
++                    logParams);
++
++        }
++
++        audit(auditMessage);
++
++    }
++
++    /**
++     * Serves HTTP admin request.
++     *
++     * @param req HTTP request
++     * @param resp HTTP response
++     */
++    public void service(HttpServletRequest req, HttpServletResponse resp)
++            throws ServletException, IOException {
++        super.service(req, resp);
++    }
++
++    private PK11SymKey getSharedSecretKey() throws EBaseException, NotInitializedException {
++
++        IConfigStore configStore = CMS.getConfigStore();
++        String sharedSecretName = null;
++        try {
++
++            sharedSecretName = getSharedSecretName(configStore);
++
++        } catch (EBaseException e) {
++            throw new EBaseException("TokenServlet.getSharedSecetKey: Internal error finding config value: "
++                    + e);
++
++        }
++
++        CMS.debug("TokenServlet.getSharedSecretTransportKey: calculated key name: " + sharedSecretName);
++
++        String symmKeys = null;
++        boolean keyPresent = false;
++        try {
++            symmKeys = SessionKey.ListSymmetricKeys(CryptoUtil.INTERNAL_TOKEN_NAME);
++            CMS.debug("TokenServlet.getSharedSecretTransportKey: symmKeys List: " + symmKeys);
++        } catch (Exception e) {
++            // TODO Auto-generated catch block
++            CMS.debug(e);
++        }
++
++        for (String keyName : symmKeys.split(",")) {
++            if (sharedSecretName.equals(keyName)) {
++                CMS.debug("TokenServlet.getSharedSecret: shared secret key found!");
++                keyPresent = true;
++                break;
++            }
++
++        }
++
++        if (!keyPresent) {
++            throw new EBaseException("TokenServlet.getSharedSecret: Can't find shared secret!");
++        }
++
++        // We know for now that shared secret is on this token
++        String tokenName = CryptoUtil.INTERNAL_TOKEN_FULL_NAME;
++        PK11SymKey sharedSecret = SessionKey.GetSymKeyByName(tokenName, sharedSecretName);
++
++        CMS.debug("TokenServlet.getSharedSecret: SymKey returns: " + sharedSecret);
++
++        return sharedSecret;
++
++    }
++
++    //returns ArrayList of following values
++    // 0 : Kek wrapped des key
++    // 1 : keycheck value
++    // 2 : trans wrapped des key
++    private ArrayList<String> calculateServerSideKeygenValues(String useSoftToken, String selectedToken,
++            SymmetricKey kekSessionKey, SecureChannelProtocol protocol) throws EBaseException {
++
++        SymmetricKey desKey = null;
++        String method = "TokenServlet.calculateSErverSideKeygenValues: ";
++        ArrayList<String> values = new ArrayList<String>();
++
++        /**
++         * 0. generate des key
++         * 1. encrypt des key with kek key
++         * 2. encrypt des key with DRM transport key
++         * These two wrapped items are to be sent back to
++         * TPS. 2nd item is to DRM
++         **/
++        CMS.debug(method + " entering...");
++
++        // (1) generate DES key
++        /* applet does not support DES3
++        org.mozilla.jss.crypto.KeyGenerator kg =
++            internalToken.getKeyGenerator(KeyGenAlgorithm.DES3);
++            desKey = kg.generate();*/
++
++        /*
++         * GenerateSymkey firt generates a 16 byte DES2 key.
++         * It then pads it into a 24 byte key with last
++         * 8 bytes copied from the 1st 8 bytes.  Effectively
++         * making it a 24 byte DES2 key.  We need this for
++         * wrapping private keys on DRM.
++         */
++        /*generate it on whichever token the master key is at*/
++
++        if (useSoftToken.equals("true")) {
++            CMS.debug(method + " key encryption key generated on internal");
++            desKey = protocol.generateSymKey("internal");
++            //cfu audit here? sym key gen done
++        } else {
++            CMS.debug("TokenServlet: key encryption key generated on " + selectedToken);
++            desKey = protocol.generateSymKey(selectedToken);
++        }
++        if (desKey == null) {
++            throw new EBaseException(method + "can't generate key encryption key");
++        }
++
++        /*
++         * ECBencrypt actually takes the 24 byte DES2 key
++         * and discard the last 8 bytes before it encrypts.
++         * This is done so that the applet can digest it
++         */
++
++
++       // protocol.wrapSessionKey(tokenName, sessionKey, wrappingKey)
++
++        byte[] encDesKey = protocol.ecbEncrypt(kekSessionKey, desKey, selectedToken);
++
++        String kek_wrapped_desKeyString =
++                com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey);
++
++        CMS.debug(method + "kek_wrapped_desKeyString: " + kek_wrapped_desKeyString);
++
++        values.add(kek_wrapped_desKeyString);
++
++        // get keycheck
++
++        byte[] keycheck = null;
++
++        keycheck = protocol.computeKeyCheck(desKey, selectedToken);
++
++        String keycheck_s =
++                com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck);
++
++        CMS.debug(method + "keycheck_s " + keycheck_s);
++
++        values.add(keycheck_s);
++
++        //use DRM transport cert to wrap desKey
++        String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", "");
++
++        if ((drmTransNickname == null) || (drmTransNickname == "")) {
++            CMS.debug(method + " did not find DRM transport certificate nickname");
++            throw new EBaseException(method + "can't find DRM transport certificate nickname");
++        } else {
++            CMS.debug(method + " drmtransport_cert_nickname=" + drmTransNickname);
++        }
++
++        X509Certificate drmTransCert = null;
++        try {
++
++            drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname);
++            // wrap kek session key with DRM transport public key
++            CryptoToken token = null;
++            if (useSoftToken.equals("true")) {
++                //token = CryptoManager.getInstance().getTokenByName(selectedToken);
++                token = CryptoManager.getInstance().getInternalCryptoToken();
++            } else {
++                token = CryptoManager.getInstance().getTokenByName(selectedToken);
++            }
++            PublicKey pubKey = drmTransCert.getPublicKey();
++            String pubKeyAlgo = pubKey.getAlgorithm();
++            CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo);
++            KeyWrapper keyWrapper = null;
++            //For wrapping symmetric keys don't need IV, use ECB
++            if (pubKeyAlgo.equals("EC")) {
++                keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB);
++                keyWrapper.initWrap(pubKey, null);
++            } else {
++                keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
++                keyWrapper.initWrap(pubKey, null);
++            }
++            CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName());
++            byte[] drm_trans_wrapped_desKey = keyWrapper.wrap(desKey);
++
++            String drmWrappedDesStr =
++                    com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey);
++
++            CMS.debug(method + " drmWrappedDesStr: " + drmWrappedDesStr);
++            values.add(drmWrappedDesStr);
++
++        } catch (Exception e) {
++            throw new EBaseException(e);
++        }
++
++        return values;
++    }
++
++    private boolean cryptoGramsAreEqual(byte[] original_cryptogram, byte[] calculated_cryptogram) {
++        boolean sameCardCrypto = true;
++
++        if (original_cryptogram == null || calculated_cryptogram == null) {
++            return false;
++        }
++        if (original_cryptogram.length == calculated_cryptogram.length) {
++            for (int i = 0; i < original_cryptogram.length; i++) {
++                if (original_cryptogram[i] != calculated_cryptogram[i]) {
++                    sameCardCrypto = false;
++                    break;
++                }
++            }
++        } else {
++            // different length; must be different
++            sameCardCrypto = false;
++        }
++
++        return sameCardCrypto;
++    }
++
++  //For now only used for scp03
++
++    static GPParams readGPSettings(String keySet) {
++        GPParams params = new GPParams();
++
++        String method = "TokenServlet.readGPSettings: ";
++        String gp3Settings = "tks." + keySet + ".prot3";
++
++        String divers = "emv";
++        try {
++            divers = CMS.getConfigStore().getString(gp3Settings + ".divers", "emv");
++        } catch (EBaseException e) {
++        }
++
++        params.setDiversificationScheme(divers);
++
++        CMS.debug(method + " Divers: " + divers);
++
++        String diversVer1Keys = "emv";
++
++        try {
++            diversVer1Keys = CMS.getConfigStore().getString(gp3Settings + ".diversVer1Keys","emv");
++        } catch (EBaseException e) {
++        }
++
++        params.setVersion1DiversificationScheme(diversVer1Keys);
++        CMS.debug(method + " Version 1 keys Divers: " + divers);
++
++        String keyType = null;
++        try {
++            keyType = CMS.getConfigStore().getString(gp3Settings + ".devKeyType","DES3");
++        } catch (EBaseException e) {
++        }
++
++        CMS.debug(method + " devKeyType: " + keyType);
++
++        params.setDevKeyType(keyType);
++
++        try {
++            keyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType","DES3");
++        } catch (EBaseException e) {
++        }
++
++        params.setMasterKeyType(keyType);
++
++        CMS.debug(method + " masterKeyType: " + keyType);
++
++
++        return params;
++    }
++
++    private byte[] getDeveKeyArray(String keyType,IConfigStore sconfig,String keySet) throws EBaseException {
++        byte devKeyArray[] = null;
++        try {
++            devKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks."
++                    + keySet + "." + keyType));
++        } catch (Exception e) {
++            throw new EBaseException("Can't read static developer key array: " + keySet + ": " + keyType);
++        }
++
++        return devKeyArray;
++    }
++
++
++}
+-- 
+1.8.3.1
+
+
+From fd149624a7ace41c75c5034345503c0d412f7aa3 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Tue, 23 May 2017 22:25:32 +0200
+Subject: [PATCH 11/38] Updated log messages in OCSPProcessor.
+
+The OCSPProcessor has been modified to log the OCSP response to
+help troubleshooting.
+
+https://pagure.io/dogtagpki/issue/2695
+
+Change-Id: I9c880def083221af26cac902ff6d7852d0555a8f
+---
+ base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java b/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java
+index 3b72130..c7a40f7 100644
+--- a/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java
++++ b/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java
+@@ -134,8 +134,8 @@ public class OCSPProcessor {
+             byte[] requestData = os.toByteArray();
+ 
+             if (verbose) {
+-                System.out.println("Data Length: " + requestData.length);
+-                System.out.println("Data: " + Utils.base64encode(requestData));
++                System.out.println("Request Length: " + requestData.length);
++                System.out.println("Request: " + Utils.base64encode(requestData));
+             }
+ 
+             ByteArrayEntity requestEntity = new ByteArrayEntity(requestData);
+@@ -156,8 +156,16 @@ public class OCSPProcessor {
+                 }
+ 
+                 // construct OCSP response
++
++                byte[] responseData = buffer.toByteArray();
++
++                if (verbose) {
++                    System.out.println("Response Length: " + responseData.length);
++                    System.out.println("Response: " + Utils.base64encode(responseData));
++                }
++
+                 return (OCSPResponse)OCSPResponse.getTemplate().decode(
+-                        new ByteArrayInputStream(buffer.toByteArray()));
++                        new ByteArrayInputStream(responseData));
+ 
+             } finally {
+                 EntityUtils.consume(responseEntity);
+-- 
+1.8.3.1
+
+
+From b9f906eb1f26cf3d82262bc9894785742f451cd9 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Tue, 23 May 2017 11:12:06 -0400
+Subject: [PATCH 12/38] Fix failing audit log
+
+As currently written, the audit log for completing the cert
+processing on the KRA will always fail because the cert is not
+yet issued.  The cert is only issued after the key is archived.
+
+Basically, though, this particular log is only suppposed to be
+written to the CA audit log.  Rather than adding a subsystem check,
+the simplest solution is to not expose this event on the KRA.
+
+Change-Id: I9e658dca15fd87e87c0124c4c9972dbca2910643
+---
+ base/kra/shared/conf/CS.cfg | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index 4b6ff74..69d9382 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
+ log.instance.SignedAudit.flushInterval=5
+-- 
+1.8.3.1
+
+
+From de9f890133e3acc660b985e8ef5950507d341a03 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Tue, 23 May 2017 12:14:06 -0400
+Subject: [PATCH 13/38] Make sure archivalID is passed through archival
+
+There was some confusion in the previous commit for archival
+logging.  The archivalID is the id provided by the CA for the archival
+and is its requestID.  This allows the cert request operation
+to be tracked through the archival.
+
+Made sure therefore, that we have two fields - one for the archivalID
+and one for the requestId (which is the KRA archival request ID)
+
+In addition, some of the archival events occur in the CA component
+just before the request id sent to the KRA.  These events will not
+be displayed unless the audit event is added to the CA CS.cfg.
+
+Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08
+---
+ base/ca/shared/conf/CS.cfg                         |  4 +-
+ base/ca/src/com/netscape/ca/CAService.java         | 22 +++++++--
+ .../logging/event/SecurityDataArchivalEvent.java   | 16 +------
+ .../event/SecurityDataArchivalProcessedEvent.java  |  2 +
+ .../src/com/netscape/kra/EnrollmentService.java    | 53 ++++++++++++++++------
+ .../src/com/netscape/kra/KeyRecoveryAuthority.java | 11 +++--
+ .../src/com/netscape/kra/NetkeyKeygenService.java  |  5 +-
+ .../com/netscape/kra/SecurityDataProcessor.java    |  1 +
+ .../server/kra/rest/KeyRequestService.java         |  1 +
+ .../cms/profile/common/CAEnrollProfile.java        | 23 +++++++---
+ base/server/cmsbundle/src/LogMessages.properties   | 16 +++++--
+ 11 files changed, 104 insertions(+), 50 deletions(-)
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 8f9af5c..4e881dc 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
+index 45fae66..c9eacfe 100644
+--- a/base/ca/src/com/netscape/ca/CAService.java
++++ b/base/ca/src/com/netscape/ca/CAService.java
+@@ -58,6 +58,7 @@ import com.netscape.certsrv.profile.IProfile;
+ import com.netscape.certsrv.profile.IProfileSubsystem;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
++import com.netscape.certsrv.request.RequestId;
+ import com.netscape.cmscore.base.SubsystemRegistry;
+ import com.netscape.cmscore.connector.HttpConnector;
+ import com.netscape.cmscore.connector.LocalConnector;
+@@ -371,6 +372,7 @@ public class CAService implements ICAService, IService {
+     public boolean serviceRequest(IRequest request) {
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID();
++        RequestId requestId = request.getRequestId();
+ 
+         boolean completed = false;
+ 
+@@ -422,7 +424,9 @@ public class CAService implements ICAService, IService {
+                 audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        requestId,
++                        null));
+ 
+                 boolean sendStatus = mKRAConnector.send(request);
+ 
+@@ -437,7 +441,9 @@ public class CAService implements ICAService, IService {
+                         audit(new SecurityDataArchivalEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditRequesterID));
++                                auditRequesterID,
++                                requestId,
++                                null));
+ 
+                         return true;
+                     } else {
+@@ -451,7 +457,9 @@ public class CAService implements ICAService, IService {
+                         audit(new SecurityDataArchivalEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditRequesterID));
++                                auditRequesterID,
++                                requestId,
++                                null));
+ 
+                         return true;
+                     }
+@@ -474,7 +482,9 @@ public class CAService implements ICAService, IService {
+                 audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        requestId,
++                        null));
+             }
+ 
+             return true;
+@@ -490,7 +500,9 @@ public class CAService implements ICAService, IService {
+             audit(new SecurityDataArchivalEvent(
+                     auditSubjectID,
+                     ILogger.SUCCESS,
+-                    auditRequesterID));
++                    auditRequesterID,
++                    requestId,
++                    null));
+         }
+ 
+         return completed;
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java
+index 43f7525..adc8d5b 100644
+--- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java
+@@ -30,6 +30,7 @@ public class SecurityDataArchivalEvent extends AuditEvent {
+     public SecurityDataArchivalEvent(
+             String subjectID,
+             String outcome,
++            String archivalID,
+             RequestId requestID,
+             String clientKeyID) {
+ 
+@@ -38,22 +39,9 @@ public class SecurityDataArchivalEvent extends AuditEvent {
+         setParameters(new Object[] {
+                 subjectID,
+                 outcome,
++                archivalID,
+                 requestID,
+                 clientKeyID
+         });
+     }
+-
+-    public SecurityDataArchivalEvent(
+-            String subjectID,
+-            String outcome,
+-            String requestID) {
+-        super(LOGGING_PROPERTY);
+-
+-        setParameters(new Object[] {
+-                subjectID,
+-                outcome,
+-                requestID,
+-                null
+-        });
+-    }
+ }
+\ No newline at end of file
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
+index eb4f6b3..0ec21ae 100644
+--- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
+@@ -30,6 +30,7 @@ public class SecurityDataArchivalProcessedEvent extends AuditEvent {
+     public SecurityDataArchivalProcessedEvent(
+             String subjectID,
+             String outcome,
++            String archivalRequestId,
+             RequestId requestID,
+             String clientKeyID,
+             KeyId keyID,
+@@ -41,6 +42,7 @@ public class SecurityDataArchivalProcessedEvent extends AuditEvent {
+         setParameters(new Object[] {
+                 subjectID,
+                 outcome,
++                archivalRequestId,
+                 requestID,
+                 clientKeyID,
+                 keyID,
+diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
+index b28fbc6..4cf36d1 100644
+--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
++++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
+@@ -56,6 +56,7 @@ import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
++import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.security.IStorageKeyUnit;
+ import com.netscape.certsrv.security.ITransportKeyUnit;
+ import com.netscape.certsrv.util.IStatsSubsystem;
+@@ -158,6 +159,7 @@ public class EnrollmentService implements IService {
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID();
+         String auditPublicKey = ILogger.UNIDENTIFIED;
++        RequestId requestId = request.getRequestId();
+ 
+         if (CMS.debugOn())
+             CMS.debug("EnrollmentServlet: KRA services enrollment request");
+@@ -198,7 +200,9 @@ public class EnrollmentService implements IService {
+                 audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        requestId,
++                        null));
+ 
+                 throw new EKRAException(
+                         CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+@@ -243,7 +247,9 @@ public class EnrollmentService implements IService {
+                     audit(new SecurityDataArchivalEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditRequesterID));
++                            auditRequesterID,
++                            requestId,
++                            null));
+ 
+                     throw new EKRAException(
+                             CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+@@ -276,7 +282,9 @@ public class EnrollmentService implements IService {
+                 audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        requestId,
++                        null));
+ 
+                 throw new EKRAException(
+                         CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+@@ -315,7 +323,9 @@ public class EnrollmentService implements IService {
+                     audit(new SecurityDataArchivalEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditRequesterID));
++                            auditRequesterID,
++                            requestId,
++                            null));
+ 
+                     throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e);
+                 }
+@@ -333,7 +343,9 @@ public class EnrollmentService implements IService {
+                     audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        requestId,
++                        null));
+ 
+                     throw new EKRAException(
+                         CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+@@ -355,7 +367,9 @@ public class EnrollmentService implements IService {
+                 audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        requestId,
++                        null));
+ 
+                 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
+             }
+@@ -387,7 +401,9 @@ public class EnrollmentService implements IService {
+                 audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        requestId,
++                        null));
+ 
+                 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+             }
+@@ -411,7 +427,9 @@ public class EnrollmentService implements IService {
+                     audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        requestId,
++                        null));
+ 
+                     throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
+                 }
+@@ -458,7 +476,9 @@ public class EnrollmentService implements IService {
+                 audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        requestId,
++                        null));
+ 
+                 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
+             }
+@@ -477,7 +497,9 @@ public class EnrollmentService implements IService {
+                 audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        requestId,
++                        null));
+ 
+                 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
+             }
+@@ -492,7 +514,9 @@ public class EnrollmentService implements IService {
+                 audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        requestId,
++                        null));
+ 
+                 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
+             }
+@@ -546,14 +570,17 @@ public class EnrollmentService implements IService {
+             audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        requestId,
++                        null));
+ 
+             // store a message in the signed audit log file
+             auditPublicKey = auditPublicKey(rec);
+             audit(new SecurityDataArchivalProcessedEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        request.getRequestId(),
++                        auditRequesterID,
++                        requestId,
+                         null,
+                         new KeyId(rec.getSerialNumber()),
+                         null,
+diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+index 3c29bbf..ed20394 100644
+--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+@@ -766,18 +766,21 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+ 
+             r = queue.newRequest(KRAService.ENROLLMENT);
+ 
+-            // store a message in the signed audit log file
+             audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.SUCCESS,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        r.getRequestId(),
++                        null));
+ 
+         } catch (EBaseException eAudit1) {
+             // store a message in the signed audit log file
+             audit(new SecurityDataArchivalEvent(
+                         auditSubjectID,
+                         ILogger.FAILURE,
+-                        auditRequesterID));
++                        auditRequesterID,
++                        null /* requestId */,
++                        null /*clientKeyId */));
+             throw eAudit1;
+         }
+ 
+@@ -792,6 +795,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+             audit(new SecurityDataArchivalProcessedEvent(
+                     auditSubjectID,
+                     ILogger.SUCCESS,
++                    auditRequesterID,
+                     r.getRequestId(),
+                     null,
+                     new KeyId(rec.getSerialNumber()),
+@@ -801,6 +805,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+             audit(new SecurityDataArchivalProcessedEvent(
+                     auditSubjectID,
+                     ILogger.FAILURE,
++                    auditRequesterID,
+                     r.getRequestId(),
+                     null,
+                     new KeyId(rec.getSerialNumber()),
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index df42a4f..947377a 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -397,7 +397,9 @@ public class NetkeyKeygenService implements IService {
+                     audit( new SecurityDataArchivalEvent(
+                             agentId,
+                             ILogger.SUCCESS,
+-                            auditSubjectID));
++                            auditSubjectID,
++                            request.getRequestId(),
++                            null));
+ 
+                     CMS.debug("KRA encrypts private key to put on internal ldap db");
+                     byte privateKeyData[] = null;
+@@ -487,6 +489,7 @@ public class NetkeyKeygenService implements IService {
+                     audit(new SecurityDataArchivalProcessedEvent(
+                             agentId,
+                             ILogger.SUCCESS,
++                            auditSubjectID,
+                             request.getRequestId(),
+                             null,
+                             new KeyId(serialNo),
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index a44eb2f..326630c 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -873,6 +873,7 @@ public class SecurityDataProcessor {
+         audit(new SecurityDataArchivalProcessedEvent(
+                 subjectID,
+                 status,
++                null,
+                 requestID,
+                 clientKeyID,
+                 keyID,
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+index 12040e0..8ec69a7 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+@@ -357,6 +357,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
+         audit(new SecurityDataArchivalEvent(
+                 getRequestor(),
+                 status,
++                null,
+                 requestId,
+                 clientKeyID));
+     }
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
+index 85db2cb..ec9f86b 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
+@@ -36,6 +36,7 @@ import com.netscape.certsrv.profile.EProfileException;
+ import com.netscape.certsrv.profile.ERejectException;
+ import com.netscape.certsrv.profile.IProfileUpdater;
+ import com.netscape.certsrv.request.IRequest;
++import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.request.RequestStatus;
+ 
+ import netscape.security.x509.X500Name;
+@@ -82,10 +83,10 @@ public class CAEnrollProfile extends EnrollProfile {
+ 
+         String auditSubjectID = auditSubjectID();
+         String auditRequesterID = auditRequesterID(request);
+-        String id = request.getRequestId().toString();
++        RequestId requestId = request.getRequestId();
+ 
+ 
+-        CMS.debug("CAEnrollProfile: execute request ID " + id);
++        CMS.debug("CAEnrollProfile: execute request ID " + requestId.toString());
+ 
+         ICertificateAuthority ca = (ICertificateAuthority) getAuthority();
+ 
+@@ -115,7 +116,9 @@ public class CAEnrollProfile extends EnrollProfile {
+                         audit(new SecurityDataArchivalEvent(
+                                 auditSubjectID,
+                                 ILogger.FAILURE,
+-                                auditRequesterID));
++                                auditRequesterID,
++                                requestId,
++                                null));
+                     } else {
+                         CMS.debug("CAEnrollProfile: execute send request");
+                         kraConnector.send(request);
+@@ -125,7 +128,9 @@ public class CAEnrollProfile extends EnrollProfile {
+                             audit(new SecurityDataArchivalEvent(
+                                     auditSubjectID,
+                                     ILogger.FAILURE,
+-                                    auditRequesterID));
++                                    auditRequesterID,
++                                    requestId,
++                                    null));
+ 
+                             if (request.getError(getLocale(request)) != null &&
+                                 (request.getError(getLocale(request))).equals(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"))) {
+@@ -140,7 +145,9 @@ public class CAEnrollProfile extends EnrollProfile {
+                         audit(new SecurityDataArchivalEvent(
+                                 auditSubjectID,
+                                 ILogger.SUCCESS,
+-                                auditRequesterID));
++                                auditRequesterID,
++                                requestId,
++                                null));
+                     }
+                 } catch (Exception e) {
+ 
+@@ -153,7 +160,9 @@ public class CAEnrollProfile extends EnrollProfile {
+                     audit(new SecurityDataArchivalEvent(
+                             auditSubjectID,
+                             ILogger.FAILURE,
+-                            auditRequesterID));
++                            auditRequesterID,
++                            requestId,
++                            null));
+ 
+                     throw new EProfileException(e);
+                 }
+@@ -179,7 +188,7 @@ public class CAEnrollProfile extends EnrollProfile {
+         X509CertImpl theCert;
+         try {
+             theCert = caService.issueX509Cert(
+-                aid, info, getId() /* profileId */, id /* requestId */);
++                aid, info, getId() /* profileId */, requestId.toString());
+         } catch (EBaseException e) {
+             CMS.debug(e);
+             throw new EProfileException(e);
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 44eec23..66a7fd0 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2414,17 +2414,23 @@ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEv
+ # LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
+ # - used when user security data archive request is processed
+ #    this is when DRM receives and processed the request
+-# Client ID must be the user supplied client ID associated with
++# ArchivalRequestID is the requestID provided by the CA through the connector
++#    It is used to track the request through from CA to KRA.
++# RequestId is the KRA archival request ID
++# ClientKeyID must be the user supplied client ID associated with
+ #    the security data to be archived
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=<type=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}][PubKey={6}] security data archival request processed
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=<type=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][RequestId={3}][ClientKeyID={4}][KeyID={5}][FailureReason={6}][PubKey={7}] security data archival request processed
+ #
+ # LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST
+ # - used when security data recovery request is made
+-# RecoveryID must be the recovery request ID
+-# CientID is the ID of the security data to be archived
++# ArchivalRequestID is the requestID provided by the CA through the connector
++#    It is used to track the request through from CA to KRA.
++# RequestId is the KRA archival request ID
++# ClientKeyID must be the user supplied client ID associated with
++#    the security data to be archived
+ #
+-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL_REQUEST>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made
++LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL_REQUEST>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][RequestId={3}][ClientKeyID={4}] security data archival request made
+ #
+ #
+ # LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
+-- 
+1.8.3.1
+
+
+From 1d6860b20970dae43b81e9f943fb49575f377099 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Wed, 24 May 2017 11:15:03 -0400
+Subject: [PATCH 14/38] Simplify recovery audit logging
+
+Currently, when we use the retrieveKey() REST interface, there are
+two logs generated for the processing of a recovery request.  To
+rectify this, logging has been removed from the lower level in the
+SecurityDataProcessor and is delegated to the higher level.
+
+This necessitated adding audit logging to the SecurityDataRecoveryService,
+which processes recovery events asynchronously.
+
+In addition, the logging in retrieveKey() has been pushed down to
+the retrieveKeyImpl, because there is at least one success exit point in
+retrieveKeyImpl where a recovery request is created, but no key is exported.
+Hence in this case, a KeyRetrieve success event is not warranted.
+
+Change-Id: I0725e6fe82046ae666bf6c81d6a6ba58261dfc87
+---
+ .../com/netscape/kra/SecurityDataProcessor.java    | 32 -----------
+ .../netscape/kra/SecurityDataRecoveryService.java  | 67 +++++++++++++++++++++-
+ .../org/dogtagpki/server/kra/rest/KeyService.java  | 11 ++--
+ 3 files changed, 72 insertions(+), 38 deletions(-)
+
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index 326630c..2899f32 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -42,7 +42,6 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
+-import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.RequestId;
+@@ -322,20 +321,13 @@ public class SecurityDataProcessor {
+             throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+         }
+ 
+-        String requestor = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+-        String auditSubjectID = requestor;
+-
+         Hashtable<String, Object> params = kra.getVolatileRequest(
+                 request.getRequestId());
+         KeyId keyId = new KeyId(request.getExtDataInBigInteger(ATTR_SERIALNO));
+         request.setExtData(ATTR_KEY_RECORD, keyId.toBigInteger());
+-        RequestId requestID = request.getRequestId();
+-        String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
+ 
+         if (params == null) {
+             CMS.debug("SecurityDataProcessor.recover(): Can't get volatile params.");
+-            auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
+-                    "cannot get volatile params", approvers);
+             throw new EBaseException("Can't obtain volatile params!");
+         }
+ 
+@@ -457,8 +449,6 @@ public class SecurityDataProcessor {
+                     iv != null? new IVParameterSpec(iv): null,
+                     iv_wrap != null? new IVParameterSpec(iv_wrap): null);
+             } catch (Exception e) {
+-                auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
+-                        "Cannot generate wrapping params", approvers);
+                 throw new EBaseException("Cannot generate wrapping params: " + e, e);
+             }
+         }
+@@ -514,8 +504,6 @@ public class SecurityDataProcessor {
+                 params.put(IRequest.SECURITY_DATA_PASS_WRAPPED_DATA, pbeWrappedData);
+ 
+             } catch (Exception e) {
+-                auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
+-                        "Cannot unwrap passphrase", approvers);
+                 throw new EBaseException("Cannot unwrap passphrase: " + e, e);
+ 
+             } finally {
+@@ -556,8 +544,6 @@ public class SecurityDataProcessor {
+                     }
+ 
+                 } catch (Exception e) {
+-                    auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
+-                            "Cannot wrap symmetric key", approvers);
+                     throw new EBaseException("Cannot wrap symmetric key: " + e, e);
+                 }
+ 
+@@ -574,8 +560,6 @@ public class SecurityDataProcessor {
+                             wrapParams.getPayloadEncryptionAlgorithm(),
+                             wrapParams.getPayloadEncryptionIV());
+                 } catch (Exception e) {
+-                    auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
+-                            keyId, "Cannot encrypt passphrase", approvers);
+                     throw new EBaseException("Cannot encrypt passphrase: " + e, e);
+                 }
+ 
+@@ -606,8 +590,6 @@ public class SecurityDataProcessor {
+                     }
+ 
+                 } catch (Exception e) {
+-                    auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
+-                            "Cannot wrap private key", approvers);
+                     throw new EBaseException("Cannot wrap private key: " + e, e);
+                 }
+             }
+@@ -640,9 +622,6 @@ public class SecurityDataProcessor {
+         }
+ 
+         params.put(IRequest.SECURITY_DATA_TYPE, dataType);
+-
+-        auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, keyId,
+-                null, approvers);
+         request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+ 
+         return false; //return true ? TODO
+@@ -857,17 +836,6 @@ public class SecurityDataProcessor {
+         audit(message);
+     }
+ 
+-    private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
+-            KeyId keyID, String reason, String recoveryAgents) {
+-        audit(new SecurityDataRecoveryProcessedEvent(
+-                subjectID,
+-                status,
+-                requestID,
+-                keyID,
+-                reason,
+-                recoveryAgents));
+-    }
+-
+     private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
+             KeyId keyID, String reason) {
+         audit(new SecurityDataArchivalProcessedEvent(
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
+index 0c7b4b7..da82e97 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
+@@ -19,9 +19,14 @@ package com.netscape.kra;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
++import com.netscape.certsrv.dbs.keydb.KeyId;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
++import com.netscape.certsrv.request.RequestId;
+ 
+ import netscape.security.util.DerValue;
+ import netscape.security.x509.X509Key;
+
+ /**
+  * This implementation services SecurityData Recovery requests.
+@@ -33,6 +38,7 @@ public class SecurityDataRecoveryService implements IService {
+ 
+     private IKeyRecoveryAuthority kra = null;
+     private SecurityDataProcessor processor = null;
++    private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
+ 
+     public SecurityDataRecoveryService(IKeyRecoveryAuthority kra) {
+         this.kra = kra;
+@@ -57,8 +63,65 @@ public class SecurityDataRecoveryService implements IService {
+             throws EBaseException {
+ 
+         CMS.debug("SecurityDataRecoveryService.serviceRequest()");
+-        processor.recover(request);
+-        kra.getRequestQueue().updateRequest(request);
++
++        // parameters for auditing
++        String auditSubjectID = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
++        KeyId keyId = new KeyId(request.getExtDataInBigInteger("serialNumber"));
++        RequestId requestID = request.getRequestId();
++        String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
++
++        try {
++            processor.recover(request);
++            kra.getRequestQueue().updateRequest(request);
++            auditRecoveryRequestProcessed(
++                    auditSubjectID,
++                    ILogger.SUCCESS,
++                    requestID,
++                    keyId,
++                    null,
++                    approvers);
++        } catch (EBaseException e) {
++            auditRecoveryRequestProcessed(
++                    auditSubjectID,
++                    ILogger.FAILURE,
++                    requestID,
++                    keyId,
++                    e.getMessage(),
++                    approvers);
++            throw e;
++        }
+         return false;  //TODO: return true?
+     }
++
++    private void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
++    private void audit(String msg) {
++        if (signedAuditLogger == null)
++            return;
++
++        signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
++                null,
++                ILogger.S_SIGNED_AUDIT,
++                ILogger.LL_SECURITY,
++                msg);
++    }
++
++    private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
++            KeyId keyID, String reason, String recoveryAgents) {
++        audit(new SecurityDataRecoveryProcessedEvent(
++                subjectID,
++                status,
++                requestID,
++                keyID,
++                reason,
++                recoveryAgents));
++    }
+ }
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+index 52799e6..8edb928 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+@@ -117,13 +117,10 @@ public class KeyService extends SubsystemService implements KeyResource {
+     public Response retrieveKey(KeyRecoveryRequest data) {
+         try {
+             Response response = retrieveKeyImpl(data);
+-            auditRetrieveKey(ILogger.SUCCESS);
+             return response;
+         } catch(RuntimeException e) {
+-            auditRetrieveKeyError(e.getMessage());
+             throw e;
+         } catch (Exception e) {
+-            auditRetrieveKeyError(e.getMessage());
+             throw new PKIException(e.getMessage(), e);
+         }
+     }
+@@ -137,6 +134,7 @@ public class KeyService extends SubsystemService implements KeyResource {
+         CMS.debug(auditInfo);
+ 
+         if (data == null) {
++            auditRetrieveKeyError("Bad Request: Missing key Recovery Request");
+             throw new BadRequestException("Missing key Recovery Request");
+         }
+ 
+@@ -152,10 +150,12 @@ public class KeyService extends SubsystemService implements KeyResource {
+             try {
+                 request = queue.findRequest(requestId);
+             } catch (EBaseException e) {
++                auditRetrieveKeyError(e.getMessage());
+                 throw new PKIException(e.getMessage(), e);
+             }
+ 
+             if (request == null) {
++                auditRetrieveKeyError("Bad Request: No request found");
+                 throw new BadRequestException("No request found");
+             }
+ 
+@@ -166,7 +166,8 @@ public class KeyService extends SubsystemService implements KeyResource {
+         } else {
+             keyId = data.getKeyId();
+             if (keyId == null) {
+-                throw new BadRequestException("Missing key Recovery Request");
++                auditRetrieveKeyError("Bad Request: Missing key recovery request and key_id");
++                throw new BadRequestException("Missing recovery request and key id");
+             }
+ 
+             auditInfo += ";keyID=" + keyId.toString();
+@@ -186,6 +187,7 @@ public class KeyService extends SubsystemService implements KeyResource {
+                 request = reqDAO.createRecoveryRequest(data, uriInfo, getRequestor(),
+                         getAuthToken(), ephemeral);
+             } catch (EBaseException e) {
++                auditRetrieveKeyError("Unable to create recovery request: " + e.getMessage());
+                 throw new PKIException(e.getMessage(), e);
+             }
+ 
+@@ -248,6 +250,7 @@ public class KeyService extends SubsystemService implements KeyResource {
+         auditRecoveryRequestProcessed(ILogger.SUCCESS, null);
+ 
+         CMS.debug("KeyService: key retrieved");
++        auditRetrieveKey(ILogger.SUCCESS);
+         return createOKResponse(keyData);
+     }
+ 
+-- 
+1.8.3.1
+
+
+From f6cc8db2fbd9ab509c4285e944306b31cf068a5f Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 24 May 2017 06:38:50 +0200
+Subject: [PATCH 15/38] Cleaned up DefStore.processRequest() (part 1).
+
+An if-statement in DefStore.processRequest() has been modified
+to return early for clarity. The code indentation has been adjusted
+accordingly.
+
+https://pagure.io/dogtagpki/issue/2652
+
+Change-Id: Ib506bdac88e017197b2a192e952b54be1456eac0
+---
+ .../cms/src/com/netscape/cms/ocsp/DefStore.java    | 121 +++++++++++----------
+ 1 file changed, 62 insertions(+), 59 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
+index 217c568..9882acd 100644
+--- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
++++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
+@@ -27,11 +27,6 @@ import java.util.Hashtable;
+ import java.util.Locale;
+ import java.util.Vector;
+ 
+-import netscape.security.x509.RevokedCertificate;
+-import netscape.security.x509.X509CRLImpl;
+-import netscape.security.x509.X509CertImpl;
+-import netscape.security.x509.X509Key;
+-
+ import org.mozilla.jss.asn1.ASN1Util;
+ import org.mozilla.jss.asn1.GeneralizedTime;
+ import org.mozilla.jss.asn1.INTEGER;
+@@ -73,6 +68,11 @@ import com.netscape.cmsutil.ocsp.SingleResponse;
+ import com.netscape.cmsutil.ocsp.TBSRequest;
+ import com.netscape.cmsutil.ocsp.UnknownInfo;
+ 
++import netscape.security.x509.RevokedCertificate;
++import netscape.security.x509.X509CRLImpl;
++import netscape.security.x509.X509CertImpl;
++import netscape.security.x509.X509Key;
++
+ /**
+  * This is the default OCSP store that stores revocation information
+  * as certificate record (CMS internal data structure).
+@@ -481,77 +481,80 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
+                 incReqCount(theRec.getId());
+             }
+ 
++            if (theCert == null) {
++                return null;
++            }
++
+             // check the serial number
+-            if (theCert != null) {
+-                INTEGER serialNo = cid.getSerialNumber();
++            INTEGER serialNo = cid.getSerialNumber();
+ 
+-                log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16));
+-                CMS.debug("DefStore: process request 0x" + serialNo.toString(16));
+-                CertStatus certStatus = null;
+-                GeneralizedTime thisUpdate = null;
++            log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16));
++            CMS.debug("DefStore: process request 0x" + serialNo.toString(16));
++            CertStatus certStatus = null;
++            GeneralizedTime thisUpdate = null;
+ 
++            if (theRec == null) {
++                thisUpdate = new GeneralizedTime(CMS.getCurrentDate());
++            } else {
++                thisUpdate = new GeneralizedTime(
++                            theRec.getThisUpdate());
++            }
++            GeneralizedTime nextUpdate = null;
++
++            if (includeNextUpdate()) {
++                // this is an optional field
+                 if (theRec == null) {
+-                    thisUpdate = new GeneralizedTime(CMS.getCurrentDate());
++                    nextUpdate = new GeneralizedTime(CMS.getCurrentDate());
+                 } else {
+-                    thisUpdate = new GeneralizedTime(
+-                                theRec.getThisUpdate());
+-                }
+-                GeneralizedTime nextUpdate = null;
+-
+-                if (includeNextUpdate()) {
+-                    // this is an optional field
+-                    if (theRec == null) {
+-                        nextUpdate = new GeneralizedTime(CMS.getCurrentDate());
+-                    } else {
+-                        nextUpdate = new GeneralizedTime(
+-                                    theRec.getNextUpdate());
+-                    }
++                    nextUpdate = new GeneralizedTime(
++                                theRec.getNextUpdate());
+                 }
++            }
+ 
+-                if (theCRL == null) {
+-                    certStatus = new UnknownInfo();
+-
+-                    // if crl is not available, we can try crl cache
+-                    if (theRec != null) {
+-                        CMS.debug("DefStore: evaluating crl cache");
+-                        Hashtable<BigInteger, RevokedCertificate> cache = theRec.getCRLCacheNoClone();
+-                        if (cache != null) {
+-                            RevokedCertificate rc = cache.get(new BigInteger(serialNo.toString()));
+-                            if (rc == null) {
+-                                if (isNotFoundGood()) {
+-                                    certStatus = new GoodInfo();
+-                                } else {
+-                                    certStatus = new UnknownInfo();
+-                                }
++            if (theCRL == null) {
++                certStatus = new UnknownInfo();
++
++                // if crl is not available, we can try crl cache
++                if (theRec != null) {
++                    CMS.debug("DefStore: evaluating crl cache");
++                    Hashtable<BigInteger, RevokedCertificate> cache = theRec.getCRLCacheNoClone();
++                    if (cache != null) {
++                        RevokedCertificate rc = cache.get(new BigInteger(serialNo.toString()));
++                        if (rc == null) {
++                            if (isNotFoundGood()) {
++                                certStatus = new GoodInfo();
+                             } else {
+-
+-                                certStatus = new RevokedInfo(
+-                                        new GeneralizedTime(
+-                                                rc.getRevocationDate()));
++                                certStatus = new UnknownInfo();
+                             }
++                        } else {
++
++                            certStatus = new RevokedInfo(
++                                    new GeneralizedTime(
++                                            rc.getRevocationDate()));
+                         }
+                     }
++                }
+ 
+-                } else {
+-                    CMS.debug("DefStore: evaluating x509 crl impl");
+-                    X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString()));
++            } else {
++                CMS.debug("DefStore: evaluating x509 crl impl");
++                X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString()));
+ 
+-                    if (crlentry == null) {
+-                        // good or unknown
+-                        if (isNotFoundGood()) {
+-                            certStatus = new GoodInfo();
+-                        } else {
+-                            certStatus = new UnknownInfo();
+-                        }
++                if (crlentry == null) {
++                    // good or unknown
++                    if (isNotFoundGood()) {
++                        certStatus = new GoodInfo();
+                     } else {
+-                        certStatus = new RevokedInfo(new GeneralizedTime(
+-                                        crlentry.getRevocationDate()));
+-
++                        certStatus = new UnknownInfo();
+                     }
++                } else {
++                    certStatus = new RevokedInfo(new GeneralizedTime(
++                                    crlentry.getRevocationDate()));
++
+                 }
+-                return new SingleResponse(cid, certStatus, thisUpdate,
+-                        nextUpdate);
+             }
++            return new SingleResponse(cid, certStatus, thisUpdate,
++                    nextUpdate);
++
+         } catch (Exception e) {
+             // error log
+             CMS.debug("DefStore: failed processing request e=" + e);
+-- 
+1.8.3.1
+
+
+From 4511646ecec5b99dfb0ab31fc604a8765313941e Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 24 May 2017 06:48:58 +0200
+Subject: [PATCH 16/38] Cleaned up DefStore.processRequest() (part 2).
+
+An if-statement in DefStore.processRequest() has been modified
+to return early for clarity. The code indentation has been adjusted
+accordingly.
+
+https://pagure.io/dogtagpki/issue/2652
+
+Change-Id: Ife5a1e3c2d4a09a687acc2714948b670fd31bfe3
+---
+ .../cms/src/com/netscape/cms/ocsp/DefStore.java    | 31 ++++++++++++----------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
+index 9882acd..0b29b08 100644
+--- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
++++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
+@@ -535,23 +535,26 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
+                     }
+                 }
+ 
+-            } else {
+-                CMS.debug("DefStore: evaluating x509 crl impl");
+-                X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString()));
+-
+-                if (crlentry == null) {
+-                    // good or unknown
+-                    if (isNotFoundGood()) {
+-                        certStatus = new GoodInfo();
+-                    } else {
+-                        certStatus = new UnknownInfo();
+-                    }
+-                } else {
+-                    certStatus = new RevokedInfo(new GeneralizedTime(
+-                                    crlentry.getRevocationDate()));
++                return new SingleResponse(cid, certStatus, thisUpdate,
++                        nextUpdate);
++            }
++
++            CMS.debug("DefStore: evaluating x509 crl impl");
++            X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString()));
+ 
++            if (crlentry == null) {
++                // good or unknown
++                if (isNotFoundGood()) {
++                    certStatus = new GoodInfo();
++                } else {
++                    certStatus = new UnknownInfo();
+                 }
++            } else {
++                certStatus = new RevokedInfo(new GeneralizedTime(
++                                crlentry.getRevocationDate()));
++
+             }
++
+             return new SingleResponse(cid, certStatus, thisUpdate,
+                     nextUpdate);
+ 
+-- 
+1.8.3.1
+
+
+From 7d39f6ecfe4c29c14948e4b5d30fde93d7f0f8e6 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 24 May 2017 18:07:42 +0200
+Subject: [PATCH 17/38] Cleaned up DefStore.processRequest() (part 3).
+
+Some nested if-statements in DefStore.processRequest() has been
+merged for clarity.
+
+https://pagure.io/dogtagpki/issue/2652
+
+Change-Id: Iedbda7d884cd4735a9c591a57d05b1086b4cb36d
+---
+ .../cms/src/com/netscape/cms/ocsp/DefStore.java      | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
+index 0b29b08..676257b 100644
+--- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
++++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
+@@ -499,16 +499,18 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
+                 thisUpdate = new GeneralizedTime(
+                             theRec.getThisUpdate());
+             }
+-            GeneralizedTime nextUpdate = null;
+ 
+-            if (includeNextUpdate()) {
+-                // this is an optional field
+-                if (theRec == null) {
+-                    nextUpdate = new GeneralizedTime(CMS.getCurrentDate());
+-                } else {
+-                    nextUpdate = new GeneralizedTime(
+-                                theRec.getNextUpdate());
+-                }
++            // this is an optional field
++            GeneralizedTime nextUpdate;
++
++            if (!includeNextUpdate()) {
++                nextUpdate = null;
++
++            } else if (theRec == null) {
++                nextUpdate = new GeneralizedTime(CMS.getCurrentDate());
++
++            } else {
++                nextUpdate = new GeneralizedTime(theRec.getNextUpdate());
+             }
+ 
+             if (theCRL == null) {
+-- 
+1.8.3.1
+
+
+From 9d74c8f2f6291e9bac433c950168d68fa5fc90c8 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 24 May 2017 05:06:31 +0200
+Subject: [PATCH 18/38] Updated OCSP log messages.
+
+Some log messages in OCSP-related code have been updated for
+clarity.
+
+https://pagure.io/dogtagpki/issue/2652
+
+Change-Id: Ie81b95906a0d9aef6126fb205a4bcec028731e39
+---
+ base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java | 10 +++++---
+ .../cms/src/com/netscape/cms/ocsp/DefStore.java    | 27 ++++++++++++++++------
+ .../com/netscape/cms/servlet/ocsp/OCSPServlet.java |  7 ++++--
+ 3 files changed, 32 insertions(+), 12 deletions(-)
+
+diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java b/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java
+index 09b85b4..14dd338 100644
+--- a/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java
++++ b/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java
+@@ -415,6 +415,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
+      */
+     public BasicOCSPResponse sign(ResponseData rd)
+             throws EBaseException {
++
+         try (DerOutputStream out = new DerOutputStream()) {
+             DerOutputStream tmp = new DerOutputStream();
+ 
+@@ -424,9 +425,11 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
+             if (rd_data != null) {
+                 mTotalData += rd_data.length;
+             }
++
+             rd.encode(tmp);
+             AlgorithmId.get(algname).encode(tmp);
+-            CMS.debug("adding signature");
++
++            CMS.debug("OCSPAuthority: adding signature");
+             byte[] signature = mSigningUnit.sign(rd_data, algname);
+ 
+             tmp.putBitString(signature);
+@@ -440,6 +443,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
+             for (int i = 0; i < chains.length; i++) {
+                 tmpChain.putDerValue(new DerValue(chains[i].getEncoded()));
+             }
++
+             tmp1.write(DerValue.tag_Sequence, tmpChain);
+             tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0),
+                     tmp1);
+@@ -449,9 +453,9 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem,
+             BasicOCSPResponse response = new BasicOCSPResponse(out.toByteArray());
+ 
+             return response;
++
+         } catch (Exception e) {
+-            e.printStackTrace();
+-            // error e
++            CMS.debug(e);
+             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_SIGN_RESPONSE", e.toString()));
+             return null;
+         }
+diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
+index 676257b..ea095ba 100644
+--- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
++++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java
+@@ -409,8 +409,9 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
+             long endTime = CMS.getCurrentDate().getTime();
+             mOCSPAuthority.incTotalTime(endTime - startTime);
+             return response;
++
+         } catch (Exception e) {
+-            CMS.debug("DefStore: validation failed " + e.toString());
++            CMS.debug(e);
+             log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", e.toString()));
+             return null;
+         }
+@@ -449,6 +450,7 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
+                         log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_DECODE_CERT", e.toString()));
+                         return null;
+                     }
++
+                     MessageDigest md = MessageDigest.getInstance(cid.getDigestName());
+                     X509Key key = (X509Key) cert.getPublicKey();
+                     byte digest[] = md.digest(key.getKey());
+@@ -474,6 +476,7 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
+                         break;
+                     }
+                 }
++
+             } else {
+                 theCert = matched.getX509CertImpl();
+                 theRec = matched.getCRLIssuingPointRecord();
+@@ -490,16 +493,19 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
+ 
+             log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16));
+             CMS.debug("DefStore: process request 0x" + serialNo.toString(16));
+-            CertStatus certStatus = null;
+-            GeneralizedTime thisUpdate = null;
++
++            GeneralizedTime thisUpdate;
+ 
+             if (theRec == null) {
+                 thisUpdate = new GeneralizedTime(CMS.getCurrentDate());
+             } else {
+-                thisUpdate = new GeneralizedTime(
+-                            theRec.getThisUpdate());
++                Date d = theRec.getThisUpdate();
++                CMS.debug("DefStore: CRL record this update: " + d);
++                thisUpdate = new GeneralizedTime(d);
+             }
+ 
++            CMS.debug("DefStore: this update: " + thisUpdate.toDate());
++
+             // this is an optional field
+             GeneralizedTime nextUpdate;
+ 
+@@ -510,9 +516,15 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
+                 nextUpdate = new GeneralizedTime(CMS.getCurrentDate());
+ 
+             } else {
+-                nextUpdate = new GeneralizedTime(theRec.getNextUpdate());
++                Date d = theRec.getNextUpdate();
++                CMS.debug("DefStore: CRL record next update: " + d);
++                nextUpdate = new GeneralizedTime(d);
+             }
+ 
++            CMS.debug("DefStore: next update: " + (nextUpdate == null ? null : nextUpdate.toDate()));
++
++            CertStatus certStatus;
++
+             if (theCRL == null) {
+                 certStatus = new UnknownInfo();
+ 
+@@ -551,10 +563,10 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
+                 } else {
+                     certStatus = new UnknownInfo();
+                 }
++
+             } else {
+                 certStatus = new RevokedInfo(new GeneralizedTime(
+                                 crlentry.getRevocationDate()));
+-
+             }
+ 
+             return new SingleResponse(cid, certStatus, thisUpdate,
+@@ -564,6 +576,7 @@ public class DefStore implements IDefStore, IExtendedPluginInfo {
+             // error log
+             CMS.debug("DefStore: failed processing request e=" + e);
+         }
++
+         return null;
+     }
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java
+index 940bf65..5fde89d 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java
+@@ -198,16 +198,19 @@ public class OCSPServlet extends CMSServlet {
+                     throw new Exception("OCSPServlet: OCSP request is "
+                                        + "empty or malformed");
+                 }
++
+                 ocspReq = (OCSPRequest) reqTemplate.decode(is);
++
+                 if ((ocspReq == null) ||
+                         (ocspReq.toString().equals(""))) {
+                     throw new Exception("OCSPServlet: Decoded OCSP request "
+                                        + "is empty or malformed");
+                 }
++
+                 response = ((IOCSPService) mAuthority).validate(ocspReq);
++
+             } catch (Exception e) {
+-                ;
+-                CMS.debug("OCSPServlet: " + e.toString());
++                CMS.debug(e);
+             }
+ 
+             if (response != null) {
+-- 
+1.8.3.1
+
+
+From 84f3958dc9c1c5bfab4a8789e621d621a28cbdd6 Mon Sep 17 00:00:00 2001
 From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
-Date: Tue, 16 Aug 2016 16:58:49 -0700
-Subject: [PATCH 1/7] Authentication Instance Id PinDirEnrollment with authType
- value as SslclientAuth is not working.
+Date: Mon, 10 Apr 2017 11:27:12 -0700
+Subject: [PATCH 19/38] Now the program can create and import shared secret
+ keys while under FIPS mode.
+
+---
+ base/native-tools/src/tkstool/key.c     | 102 ++++++++++++++++++++++++++------
+ base/native-tools/src/tkstool/tkstool.c |   4 +-
+ base/native-tools/src/tkstool/tkstool.h |   3 +-
+ 3 files changed, 87 insertions(+), 22 deletions(-)
+
+diff --git a/base/native-tools/src/tkstool/key.c b/base/native-tools/src/tkstool/key.c
+index 4fd3796..e63da93 100644
+--- a/base/native-tools/src/tkstool/key.c
++++ b/base/native-tools/src/tkstool/key.c
+@@ -19,6 +19,11 @@
+ 
+ #include "tkstool.h"
+ 
++secuPWData    pwdata = { PW_NONE,
++                              0 };
++
++
++
+ /*******************************/
+ /**  local private functions  **/
+ /*******************************/
+@@ -534,16 +539,26 @@ TKS_ComputeAndDisplayKCV( PRUint8    *newKey,
+             goto done;
+         }
+ 
+-        key = PK11_ImportSymKeyWithFlags(
+-              /* slot           */        slot,
+-              /* mechanism type */        CKM_DES3_ECB,
+-              /* origin         */        PK11_OriginGenerated,
+-              /* operation      */        CKA_ENCRYPT,
+-              /* key            */        &keyItem,
+-              /* flags          */        CKF_ENCRYPT,
+-              /* isPerm         */        PR_FALSE,
+-              /* wincx          */        0 );
++        key =  TKS_ImportSymmetricKey( NULL,
++                        slot,
++                        CKM_DES3_ECB,
++                        CKA_ENCRYPT,
++                        &keyItem,
++                        &pwdata, PR_FALSE );
++
++
+ 
++
++     /*   key = PK11_ImportSymKeyWithFlags(
++                      slot,
++                      CKM_DES3_ECB,
++                      PK11_OriginGenerated,
++                      CKA_ENCRYPT,
++                      &keyItem,
++                      CKF_ENCRYPT,
++                      PR_FALSE,
++                      0 );
++     */
+         if( ! key ) {
+             PR_fprintf( PR_STDERR,
+                         "ERROR:  Failed to import %s key!\n\n\n",
+@@ -1062,10 +1077,18 @@ TKS_ImportSymmetricKey( char              *symmetricKeyName,
+                         CK_MECHANISM_TYPE  mechanism,
+                         CK_ATTRIBUTE_TYPE  operation,
+                         SECItem           *sessionKeyShare,
+-                        secuPWData        *pwdata )
++                        secuPWData        *pwdata, PRBool isPerm )
+ {
+     PK11Origin  origin = PK11_OriginGenerated;
+     PK11SymKey *symKey = NULL;
++    PK11SymKey *sessKey = NULL;
++    PK11Context *context = NULL;
++    static SECItem noParams = { siBuffer, NULL, 0 };
++    SECItem wrappeditem = { siBuffer, NULL, 0 };
++
++    int len = 0;
++    unsigned char wrappedkey[DES_LENGTH * 3];
++    SECStatus s = SECSuccess;
+ 
+     if( slot == NULL ) {
+         return NULL;
+@@ -1077,15 +1100,56 @@ TKS_ImportSymmetricKey( char              *symmetricKeyName,
+                 "Generating %s symmetric key . . .\n\n",
+                 symmetricKeyName );
+ 
+-    symKey = PK11_ImportSymKeyWithFlags( 
+-             /* slot           */        slot,
+-             /* mechanism type */        mechanism,
+-             /* origin         */        origin,
+-             /* operation      */        operation,
+-             /* key            */        sessionKeyShare,
+-             /* flags          */        0,
+-             /* isPerm         */        PR_FALSE,
+-             /* wincx          */        pwdata );
++    sessKey =  PK11_TokenKeyGenWithFlags(slot,               // slot handle
++                   CKM_DES3_KEY_GEN,   // mechanism type
++                   NULL,               // pointer to params (SECItem structure)
++                   0,                  // keySize (per documentation in pk11skey.c, must be 0 for fixed key length algorithms)
++                   0,                  // pointer to keyid (SECItem structure)
++                   CKF_WRAP | CKF_UNWRAP | CKF_ENCRYPT | CKF_DECRYPT, // opFlags
++                   PK11_ATTR_PRIVATE | PK11_ATTR_UNEXTRACTABLE | PK11_ATTR_SENSITIVE, // attrFlags (AC: this is my "best guess" as to what flags should be set)
++                   NULL);
++
++    if( sessKey == NULL ) {
++        goto cleanup;
++    }
++
++    // Import the key onto the token using the temp session key and the key data.
++    //
++    
++    context = PK11_CreateContextBySymKey(CKM_DES3_ECB, CKA_ENCRYPT,
++        sessKey,
++        &noParams);
++
++    if (context == NULL) {
++        goto cleanup;
++    }
++
++    len = sessionKeyShare->len;
++    /* encrypt the key with the master key */
++    s = PK11_CipherOp(context, wrappedkey, &len, DES_LENGTH * 3 , sessionKeyShare->data ,DES_LENGTH * 3 );
++    if (s != SECSuccess)
++    {
++        goto cleanup;
++    }
++
++    wrappeditem.data = wrappedkey;
++    wrappeditem.len = len;
++
++    symKey = PK11_UnwrapSymKeyWithFlagsPerm(sessKey, CKM_DES3_ECB, &noParams,
++        &wrappeditem, CKM_DES3_KEY_GEN, CKA_DECRYPT, DES_LENGTH * 3,
++        (CKA_ENCRYPT | CKA_DECRYPT) & CKF_KEY_OPERATION_FLAGS, isPerm );
++
++cleanup:
++    if( sessKey != NULL) {
++        PK11_FreeSymKey( sessKey );
++        sessKey = NULL;
++    }
++
++    if( context ) {
++        PK11_DestroyContext(
++        /* context */        context,
++        /* free it */        PR_TRUE );
++    }
+     return symKey;
+ }
+ 
+diff --git a/base/native-tools/src/tkstool/tkstool.c b/base/native-tools/src/tkstool/tkstool.c
+index 6fd2a97..53781e4 100644
+--- a/base/native-tools/src/tkstool/tkstool.c
++++ b/base/native-tools/src/tkstool/tkstool.c
+@@ -1417,14 +1417,14 @@ main( int argc, char **argv )
+                                                     CKM_DES3_KEY_GEN,
+                                                     CKA_ENCRYPT,
+                                                     &paddedFirstSessionKeyShare,
+-                                                    &pwdata );
++                                                    &pwdata, PR_FALSE );
+ #else
+         firstSymmetricKey = TKS_ImportSymmetricKey( FIRST_SYMMETRIC_KEY,
+                                                     internalSlot,
+                                                     CKM_DES2_KEY_GEN,
+                                                     CKA_ENCRYPT,
+                                                     &firstSessionKeyShare,
+-                                                    &pwdata );
++                                                    &pwdata , PR_FALSE );
+ #endif
+         if( firstSymmetricKey == NULL ) {
+             PR_fprintf( PR_STDERR,
+diff --git a/base/native-tools/src/tkstool/tkstool.h b/base/native-tools/src/tkstool/tkstool.h
+index 4c276b0..80fdafd 100644
+--- a/base/native-tools/src/tkstool/tkstool.h
++++ b/base/native-tools/src/tkstool/tkstool.h
+@@ -124,6 +124,7 @@
+                                                "and press enter to continue " \
+                                                "(or ^C to break):  "
+ 
++#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
+ 
+ /**************************************/
+ /**  external function declarations  **/
+@@ -222,7 +223,7 @@ TKS_ImportSymmetricKey( char              *symmetricKeyName,
+                         CK_MECHANISM_TYPE  mechanism,
+                         CK_ATTRIBUTE_TYPE  operation,
+                         SECItem           *sessionKeyShare,
+-                        secuPWData        *pwdata );
++                        secuPWData        *pwdata, PRBool isPerm );
+ 
+ PK11SymKey *
+ TKS_DeriveSymmetricKey( char              *symmetricKeyName,
+-- 
+1.8.3.1
+
+
+From 3ddc916954d712f6fe25497789925fecebef20fc Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Wed, 24 May 2017 12:31:45 -0400
+Subject: [PATCH 20/38] Encapsulate symmetric and asymmetric keygen audit
+ events
+
+Change-Id: Ifc8d05bd1d2d34bb0ef25877f838731bed58d00e
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  8 ----
+ .../logging/event/AsymKeyGenerationEvent.java      | 45 +++++++++++++++++++
+ .../event/AsymKeyGenerationProcessedEvent.java     | 51 ++++++++++++++++++++++
+ .../logging/event/SymKeyGenerationEvent.java       | 45 +++++++++++++++++++
+ .../event/SymKeyGenerationProcessedEvent.java      | 50 +++++++++++++++++++++
+ .../src/com/netscape/kra/AsymKeyGenService.java    | 20 ++++-----
+ .../kra/src/com/netscape/kra/SymKeyGenService.java | 16 +++----
+ .../server/kra/rest/KeyRequestService.java         | 19 ++++----
+ base/server/cmsbundle/src/LogMessages.properties   |  8 ++--
+ 9 files changed, 221 insertions(+), 41 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 891398d..beedb9f 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -166,14 +166,6 @@ public class AuditEvent implements IBundleLogEvent {
+ 
+     public final static String KEY_STATUS_CHANGE =
+             "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6";
+-    public final static String SYMKEY_GENERATION_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6";
+-    public static final String SYMKEY_GENERATION_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4";
+-    public static final String ASYMKEY_GENERATION_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4";
+-    public final static String ASYMKEY_GENERATION_REQUEST_PROCESSED =
+-            "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6";
+ 
+     public final static String TOKEN_CERT_ENROLLMENT =
+             "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java
+new file mode 100644
+index 0000000..f3236d6
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java
+@@ -0,0 +1,45 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class AsymKeyGenerationEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST";
++
++    public AsymKeyGenerationEvent(
++            String subjectID,
++            String outcome,
++            RequestId requestID,
++            String clientKeyID) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                requestID,
++                clientKeyID
++        });
++    }
++}
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java
+new file mode 100644
+index 0000000..ba242de
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java
+@@ -0,0 +1,51 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.dbs.keydb.KeyId;
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class AsymKeyGenerationProcessedEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED";
++
++    public AsymKeyGenerationProcessedEvent(
++            String subjectID,
++            String outcome,
++            RequestId requestID,
++            String clientKeyID,
++            KeyId keyID,
++            String failureReason) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                requestID,
++                clientKeyID,
++                keyID,
++                failureReason
++        });
++    }
++}
++
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java
+new file mode 100644
+index 0000000..c1b8652
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java
+@@ -0,0 +1,45 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class SymKeyGenerationEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST";
++
++    public SymKeyGenerationEvent(
++            String subjectID,
++            String outcome,
++            RequestId requestID,
++            String clientKeyID) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                requestID,
++                clientKeyID
++        });
++    }
++}
+\ No newline at end of file
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java
+new file mode 100644
+index 0000000..ad36d44
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java
+@@ -0,0 +1,50 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.dbs.keydb.KeyId;
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class SymKeyGenerationProcessedEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED";
++
++    public SymKeyGenerationProcessedEvent(
++            String subjectID,
++            String outcome,
++            RequestId requestID,
++            String clientKeyID,
++            KeyId keyID,
++            String failureReason) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                requestID,
++                clientKeyID,
++                keyID,
++                failureReason
++        });
++    }
++}
+diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+index cfee504..ea1d0cc 100644
+--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+@@ -28,11 +28,13 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
++import com.netscape.certsrv.dbs.keydb.KeyId;
+ import com.netscape.certsrv.key.AsymKeyGenerationRequest;
+ import com.netscape.certsrv.key.KeyRequestResource;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AsymKeyGenerationProcessedEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+ import com.netscape.certsrv.request.RequestId;
+@@ -144,8 +146,8 @@ public class AsymKeyGenService implements IService {
+         } catch (EBaseException e) {
+             CMS.debugStackTrace();
+             auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+-                    clientKeyId, null, "Failed to generate Asymmetric key");
+-            throw new EBaseException("Errors in generating Asymmetric key: " + e);
++                    clientKeyId, null, "Failed to generate asymmetric key: " + e.getMessage());
++            throw new EBaseException("Errors in generating Asymmetric key: " + e, e);
+         }
+ 
+         if (kp == null) {
+@@ -205,7 +207,7 @@ public class AsymKeyGenService implements IService {
+         storage.addKeyRecord(record);
+ 
+         auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(),
+-                clientKeyId, serialNo.toString(), "None");
++                clientKeyId, new KeyId(serialNo), "None");
+         request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+         kra.getRequestQueue().updateRequest(request);
+         return true;
+@@ -234,15 +236,13 @@ public class AsymKeyGenService implements IService {
+ 
+     private void auditAsymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID,
+             String clientKeyID,
+-            String keyID, String reason) {
+-        String auditMessage = CMS.getLogMessage(
+-                AuditEvent.ASYMKEY_GENERATION_REQUEST_PROCESSED,
++            KeyId keyID, String reason) {
++        audit(new AsymKeyGenerationProcessedEvent(
+                 subjectID,
+                 status,
+-                requestID.toString(),
++                requestID,
+                 clientKeyID,
+-                keyID != null ? keyID : "None",
+-                reason);
+-        audit(auditMessage);
++                keyID,
++                reason));
+     }
+ }
+diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+index bf350d5..a4613c2 100644
+--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+@@ -32,11 +32,13 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
++import com.netscape.certsrv.dbs.keydb.KeyId;
+ import com.netscape.certsrv.key.KeyRequestResource;
+ import com.netscape.certsrv.key.SymKeyGenerationRequest;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.SymKeyGenerationProcessedEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
+ import com.netscape.certsrv.request.RequestId;
+@@ -232,7 +234,7 @@ public class SymKeyGenService implements IService {
+         storage.addKeyRecord(rec);
+ 
+         auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(),
+-                clientKeyId, serialNo.toString(), "None");
++                clientKeyId, new KeyId(serialNo), "None");
+ 
+         request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+         mKRA.getRequestQueue().updateRequest(request);
+@@ -262,15 +264,13 @@ public class SymKeyGenService implements IService {
+     }
+ 
+     private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
+-            String keyID, String reason) {
+-        String auditMessage = CMS.getLogMessage(
+-                AuditEvent.SYMKEY_GENERATION_REQUEST_PROCESSED,
++            KeyId keyID, String reason) {
++        audit(new SymKeyGenerationProcessedEvent(
+                 subjectID,
+                 status,
+-                requestID.toString(),
++                requestID,
+                 clientKeyID,
+-                keyID != null ? keyID : "None",
+-                reason);
+-        audit(auditMessage);
++                keyID,
++                reason));
+     }
+ }
+\ No newline at end of file
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+index 8ec69a7..4e21f12 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+@@ -48,11 +48,12 @@ import com.netscape.certsrv.key.KeyRequestInfoCollection;
+ import com.netscape.certsrv.key.KeyRequestResource;
+ import com.netscape.certsrv.key.KeyRequestResponse;
+ import com.netscape.certsrv.key.SymKeyGenerationRequest;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.AsymKeyGenerationEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent;
++import com.netscape.certsrv.logging.event.SymKeyGenerationEvent;
+ import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.request.RequestNotFoundException;
+ import com.netscape.cms.realm.PKIPrincipal;
+@@ -363,23 +364,19 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
+     }
+ 
+     public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) {
+-        String msg = CMS.getLogMessage(
+-                AuditEvent.SYMKEY_GENERATION_REQUEST,
++        audit(new SymKeyGenerationEvent(
+                 getRequestor(),
+                 status,
+-                requestId != null ? requestId.toString() : "null",
+-                clientKeyID);
+-        auditor.log(msg);
++                requestId,
++                clientKeyID));
+     }
+ 
+     public void auditAsymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) {
+-        String msg = CMS.getLogMessage(
+-                AuditEvent.ASYMKEY_GENERATION_REQUEST,
++        audit(new AsymKeyGenerationEvent(
+                 getRequestor(),
+                 status,
+-                requestId != null ? requestId.toString() : "null",
+-                clientKeyID);
+-        auditor.log(msg);
++                requestId,
++                clientKeyID));
+     }
+ 
+     @Override
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 66a7fd0..4a44134 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2492,22 +2492,22 @@ LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6=<type=KEY_STATUS_CHANGE>:[AuditEvent=KE
+ # Client ID must be the user supplied client ID associated with
+ #    the symmetric key to be generated and archived
+ #
+-LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6=<type=SYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] symkey generation request processed
++LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=<type=SYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] symkey generation request processed
+ #
+ # LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST
+ # - used when symmetric key generation request is made
+ # ClientKeyID is the ID of the symmetirc key to be generated and archived
+ #
+-LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4=<type=SYMKEY_GENERATION_REQUEST>:[AuditEvent=SYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] symkey generation request made
++LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=<type=SYMKEY_GENERATION_REQUEST>:[AuditEvent=SYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] symkey generation request made
+ #
+ # LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST
+ # - used when asymmetric key generation request is made
+-LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4=<type=ASYMKEY_GENERATION_REQUEST>:[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] Asymkey generation request made
++LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=<type=ASYMKEY_GENERATION_REQUEST>:[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] Asymkey generation request made
+ #
+ # LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED
+ # - used when a request to generate asymmetric keys received by the DRM
+ #   is processed.
+-LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6=<type=ASYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] Asymkey generation request processed
++LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=<type=ASYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] Asymkey generation request processed
+ #
+ # LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT
+ # - used for TPS when token certificate enrollment request is made
+-- 
+1.8.3.1
+
+
+From 468cacf6d6ec4f46bd4e60255105da3a585c4f6d Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 20 May 2017 01:28:06 +0200
+Subject: [PATCH 21/38] Replaced random number generator in
+ SecurityDataProcessor.
+
+The SecurityDataProcessor has been modified to use the random
+number generator provided by JssSubsystem.
+
+https://pagure.io/dogtagpki/issue/2695
+
+Change-Id: Ibca684a2165266456c4b28cba5eae4136940d189
+---
+ .../com/netscape/kra/SecurityDataProcessor.java    | 25 ++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+index 2899f32..ec848be 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+@@ -48,6 +48,7 @@ import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.security.IStorageKeyUnit;
+ import com.netscape.certsrv.security.ITransportKeyUnit;
+ import com.netscape.cmscore.dbs.KeyRecord;
++import com.netscape.cmscore.security.JssSubsystem;
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+ import com.netscape.cmsutil.util.Utils;
+ 
+@@ -640,7 +641,7 @@ public class SecurityDataProcessor {
+      *                   (ie. algorithm is unknown)
+      */
+     private byte[] generate_iv(String oid, EncryptionAlgorithm defaultAlg) throws Exception {
+-        int numBytes = 0;
++
+         EncryptionAlgorithm alg = oid != null? EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)):
+             defaultAlg;
+ 
+@@ -651,8 +652,14 @@ public class SecurityDataProcessor {
+         if (alg.getParameterClasses() == null)
+             return null;
+ 
+-        numBytes = alg.getIVLength();
+-        return (new SecureRandom()).generateSeed(numBytes);
++        int numBytes = alg.getIVLength();
++        byte[] bytes = new byte[numBytes];
++
++        JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
++        SecureRandom random = jssSubsystem.getRandomNumberGenerator();
++        random.nextBytes(bytes);
++
++        return bytes;
+     }
+ 
+     /***
+@@ -668,7 +675,7 @@ public class SecurityDataProcessor {
+      *                   (ie. algorithm is unknown)
+      */
+     private byte[] generate_wrap_iv(String wrapName, KeyWrapAlgorithm defaultAlg) throws Exception {
+-        int numBytes = 0;
++
+         KeyWrapAlgorithm alg = wrapName != null ? KeyWrapAlgorithm.fromString(wrapName) :
+             defaultAlg;
+ 
+@@ -679,8 +686,14 @@ public class SecurityDataProcessor {
+         if (alg.getParameterClasses() == null)
+             return null;
+ 
+-        numBytes = alg.getBlockSize();
+-        return (new SecureRandom()).generateSeed(numBytes);
++        int numBytes = alg.getBlockSize();
++        byte[] bytes = new byte[numBytes];
++
++        JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
++        SecureRandom random = jssSubsystem.getRandomNumberGenerator();
++        random.nextBytes(bytes);
++
++        return bytes;
+     }
+ 
+     public SymmetricKey recoverSymKey(KeyRecord keyRecord)
+-- 
+1.8.3.1
+
+
+From eed550a9a7330d707f35ce8a9946573df68ff01b Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 20 May 2017 01:40:18 +0200
+Subject: [PATCH 22/38] Replaced random number generator in RequestQueue.
+
+The RequestQueue has been modified to use the random number
+generator provided by JssSubsystem.
+
+https://pagure.io/dogtagpki/issue/2695
+
+Change-Id: Id93f769d1fca154ee385a3dcebee55b13a65d38e
+---
+ .../cmscore/src/com/netscape/cmscore/request/RequestQueue.java   | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java b/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java
+index d7e7c6e..cd0f890 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java
+@@ -42,6 +42,7 @@ import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.request.RequestStatus;
+ import com.netscape.certsrv.request.ldap.IRequestMod;
+ import com.netscape.cmscore.dbs.DBSubsystem;
++import com.netscape.cmscore.security.JssSubsystem;
+ import com.netscape.cmscore.util.Debug;
+ 
+ public class RequestQueue
+@@ -60,9 +61,11 @@ public class RequestQueue
+     }
+ 
+     protected RequestId newEphemeralRequestId() {
+-        long id = System.currentTimeMillis() * 10000 + new SecureRandom().nextInt(10000);
+-        RequestId rid = new RequestId(id);
+-        return rid;
++        JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
++        SecureRandom random = jssSubsystem.getRandomNumberGenerator();
++
++        long id = System.currentTimeMillis() * 10000 + random.nextInt(10000);
++        return new RequestId(id);
+     }
+ 
+     protected IRequest readRequest(RequestId id) {
+-- 
+1.8.3.1
+
+
+From 14e4e7a992c9537b9bf0403e6d94f316009923d0 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 24 May 2017 20:25:54 +0200
+Subject: [PATCH 23/38] Added CRLIssuingPoint.generateCRLExtensions().
+
+The code that generates CRLExtensions in updateCRLNow()
+in CRLIssuingPoint has been refactored into a separate
+generateCRLExtensions() method for clarity.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: I33d7477ccb8b408c54d9c026dea070a7198beffd
+---
+ base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 45 ++++++++++++------------
+ 1 file changed, 22 insertions(+), 23 deletions(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+index 64101d7..de733eb 100644
+--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+@@ -2630,17 +2630,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+ 
+                 mLastCRLNumber = mCRLNumber;
+ 
+-                CRLExtensions ext = new CRLExtensions();
+-                Vector<String> extNames = mCMSCRLExtensions.getCRLExtensionNames();
++                CRLExtensions ext = generateCRLExtensions(FreshestCRLExtension.NAME);
+ 
+-                for (int i = 0; i < extNames.size(); i++) {
+-                    String extName = extNames.elementAt(i);
+-
+-                    if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) &&
+-                            (!extName.equals(FreshestCRLExtension.NAME))) {
+-                        mCMSCRLExtensions.addToCRLExtensions(ext, extName, null);
+-                    }
+-                }
+                 mSplits[1] += System.currentTimeMillis();
+ 
+                 X509CRLImpl newX509DeltaCRL = null;
+@@ -2791,20 +2782,11 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+                 mNextCRLNumber = mNextDeltaCRLNumber;
+             }
+ 
+-            CRLExtensions ext = null;
+-
++            CRLExtensions ext;
+             if (mAllowExtensions) {
+-                ext = new CRLExtensions();
+-                Vector<String> extNames = mCMSCRLExtensions.getCRLExtensionNames();
+-
+-                for (int i = 0; i < extNames.size(); i++) {
+-                    String extName = extNames.elementAt(i);
+-
+-                    if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) &&
+-                            (!extName.equals(DeltaCRLIndicatorExtension.NAME))) {
+-                        mCMSCRLExtensions.addToCRLExtensions(ext, extName, null);
+-                    }
+-                }
++                ext = generateCRLExtensions(DeltaCRLIndicatorExtension.NAME);
++            } else {
++                ext = null;
+             }
+             mSplits[6] += System.currentTimeMillis();
+             // for audit log
+@@ -2965,6 +2947,23 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+         notifyAll();
+     }
+ 
++    CRLExtensions generateCRLExtensions(String excludedExtension) {
++
++        CRLExtensions ext = new CRLExtensions();
++        Vector<String> extNames = mCMSCRLExtensions.getCRLExtensionNames();
++
++        for (int i = 0; i < extNames.size(); i++) {
++            String extName = extNames.elementAt(i);
++
++            if (extName.equals(excludedExtension)) continue;
++            if (!mCMSCRLExtensions.isCRLExtensionEnabled(extName)) continue;
++
++            mCMSCRLExtensions.addToCRLExtensions(ext, extName, null);
++        }
++
++        return ext;
++    }
++
+     /**
+      * publish CRL. called from updateCRLNow() and init().
+      */
+-- 
+1.8.3.1
+
+
+From 9af1f0d3b48d6dd358a4c63f938f2c5d0e119d7a Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 25 May 2017 00:36:45 +0200
+Subject: [PATCH 24/38] Added CRLIssuingPoint.generateDeltaCRL().
+
+The code that generates delta CRL in updateCRLNow()
+in CRLIssuingPoint has been refactored into a separate
+generateDeltaCRL() method for clarity.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: I494524ba3fffd89e4edd995c2fa32b9f55104c4a
+---
+ base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 160 +++++++++++++----------
+ 1 file changed, 93 insertions(+), 67 deletions(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+index de733eb..317294b 100644
+--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+@@ -2634,73 +2634,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+ 
+                 mSplits[1] += System.currentTimeMillis();
+ 
+-                X509CRLImpl newX509DeltaCRL = null;
+-
+-                try {
+-                    mSplits[2] -= System.currentTimeMillis();
+-                    byte[] newDeltaCRL;
+-
+-                    // #56123 - dont generate CRL if no revoked certificates
+-                    if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) {
+-                        if (deltaCRLCerts.size() == 0) {
+-                            CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated");
+-                            throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
+-                                    "No Revoked Certificates"));
+-                        }
+-                    }
+-                    X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(),
+-                            AlgorithmId.get(signingAlgorithm),
+-                            thisUpdate, nextDeltaUpdate, deltaCRLCerts, ext);
+-
+-                    newX509DeltaCRL = mCA.sign(crl, signingAlgorithm);
+-                    newDeltaCRL = newX509DeltaCRL.getEncoded();
+-                    mSplits[2] += System.currentTimeMillis();
+-
+-                    mSplits[3] -= System.currentTimeMillis();
+-                    mCRLRepository.updateDeltaCRL(mId, mNextDeltaCRLNumber,
+-                              Long.valueOf(deltaCRLCerts.size()), mNextDeltaUpdate, newDeltaCRL);
+-                    mSplits[3] += System.currentTimeMillis();
+-
+-                    mDeltaCRLSize = deltaCRLCerts.size();
+-
+-                    long totalTime = 0;
+-                    StringBuffer splitTimes = new StringBuffer("  (");
+-                    for (int i = 1; i < mSplits.length && i < 5; i++) {
+-                        totalTime += mSplits[i];
+-                        if (i > 1)
+-                            splitTimes.append(",");
+-                        splitTimes.append(String.valueOf(mSplits[i]));
+-                    }
+-                    splitTimes.append(")");
+-                    mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
+-                            AuditFormat.LEVEL,
+-                            CMS.getLogMessage("CMSCORE_CA_CA_DELTA_CRL_UPDATED"),
+-                            new Object[] {
+-                                    getId(),
+-                                    getNextCRLNumber(),
+-                                    getCRLNumber(),
+-                                    getLastUpdate(),
+-                                    getNextDeltaUpdate(),
+-                                    Long.toString(mDeltaCRLSize),
+-                                    Long.toString(totalTime) + splitTimes.toString()
+-                            }
+-                            );
+-                } catch (EBaseException e) {
+-                    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString()));
+-                    mDeltaCRLSize = -1;
+-                } catch (NoSuchAlgorithmException e) {
+-                    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
+-                    mDeltaCRLSize = -1;
+-                } catch (CRLException e) {
+-                    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
+-                    mDeltaCRLSize = -1;
+-                } catch (X509ExtensionException e) {
+-                    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
+-                    mDeltaCRLSize = -1;
+-                } catch (OutOfMemoryError e) {
+-                    log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
+-                    mDeltaCRLSize = -1;
+-                }
++                X509CRLImpl newX509DeltaCRL = generateDeltaCRL(
++                        deltaCRLCerts, signingAlgorithm, thisUpdate, nextDeltaUpdate, ext);
+ 
+                 try {
+                     mSplits[4] -= System.currentTimeMillis();
+@@ -2964,6 +2899,97 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+         return ext;
+     }
+ 
++    X509CRLImpl generateDeltaCRL(
++            Hashtable<BigInteger, RevokedCertificate> deltaCRLCerts,
++            String signingAlgorithm,
++            Date thisUpdate,
++            Date nextDeltaUpdate,
++            CRLExtensions ext) {
++
++        X509CRLImpl newX509DeltaCRL = null;
++
++        try {
++            mSplits[2] -= System.currentTimeMillis();
++
++            // #56123 - dont generate CRL if no revoked certificates
++            if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) {
++                if (deltaCRLCerts.size() == 0) {
++                    CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated");
++                    throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
++                            "No Revoked Certificates"));
++                }
++            }
++
++            X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(),
++                    AlgorithmId.get(signingAlgorithm),
++                    thisUpdate, nextDeltaUpdate, deltaCRLCerts, ext);
++
++            newX509DeltaCRL = mCA.sign(crl, signingAlgorithm);
++
++            byte[] newDeltaCRL = newX509DeltaCRL.getEncoded();
++
++            mSplits[2] += System.currentTimeMillis();
++
++            mSplits[3] -= System.currentTimeMillis();
++            mCRLRepository.updateDeltaCRL(mId, mNextDeltaCRLNumber,
++                      Long.valueOf(deltaCRLCerts.size()), mNextDeltaUpdate, newDeltaCRL);
++            mSplits[3] += System.currentTimeMillis();
++
++            mDeltaCRLSize = deltaCRLCerts.size();
++
++            long totalTime = 0;
++            StringBuffer splitTimes = new StringBuffer("  (");
++            for (int i = 1; i < mSplits.length && i < 5; i++) {
++                totalTime += mSplits[i];
++                if (i > 1)
++                    splitTimes.append(",");
++                splitTimes.append(String.valueOf(mSplits[i]));
++            }
++            splitTimes.append(")");
++
++            mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
++                    AuditFormat.LEVEL,
++                    CMS.getLogMessage("CMSCORE_CA_CA_DELTA_CRL_UPDATED"),
++                    new Object[] {
++                            getId(),
++                            getNextCRLNumber(),
++                            getCRLNumber(),
++                            getLastUpdate(),
++                            getNextDeltaUpdate(),
++                            Long.toString(mDeltaCRLSize),
++                            Long.toString(totalTime) + splitTimes.toString()
++                    }
++            );
++
++        } catch (EBaseException e) {
++            CMS.debug(e);
++            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString()));
++            mDeltaCRLSize = -1;
++
++        } catch (NoSuchAlgorithmException e) {
++            CMS.debug(e);
++            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
++            mDeltaCRLSize = -1;
++
++        } catch (CRLException e) {
++            CMS.debug(e);
++            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
++            mDeltaCRLSize = -1;
++
++        } catch (X509ExtensionException e) {
++            CMS.debug(e);
++            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
++            mDeltaCRLSize = -1;
++
++        } catch (OutOfMemoryError e) {
++            CMS.debug(e);
++            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
++            mDeltaCRLSize = -1;
++        }
++
++        return newX509DeltaCRL;
++    }
++
+     /**
+      * publish CRL. called from updateCRLNow() and init().
+      */
+-- 
+1.8.3.1
+
+
+From f3cc4462e3fd353a78c6a174c93ef3f81c014ce8 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 25 May 2017 00:58:03 +0200
+Subject: [PATCH 25/38] Added CRLIssuingPoint.generateFullCRL().
+
+The code that generates full CRL in updateCRLNow()
+in CRLIssuingPoint has been refactored into a separate
+generateFullCRL() method for clarity.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: I4356f3ba71e523cb0f8fa8aa25c34a7a6b6ac49e
+---
+ base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 254 ++++++++++++-----------
+ 1 file changed, 134 insertions(+), 120 deletions(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+index 317294b..3764adf 100644
+--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+@@ -2726,126 +2726,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+             mSplits[6] += System.currentTimeMillis();
+             // for audit log
+ 
+-            X509CRLImpl newX509CRL;
+-
+-            try {
+-                byte[] newCRL;
+-
+-                CMS.debug("Making CRL with algorithm " +
+-                        signingAlgorithm + " " + AlgorithmId.get(signingAlgorithm));
+-
+-                mSplits[7] -= System.currentTimeMillis();
+-
+-                // #56123 - dont generate CRL if no revoked certificates
+-                if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) {
+-                    if (mCRLCerts.size() == 0) {
+-                        CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated");
+-                        throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
+-                                "No Revoked Certificates"));
+-                    }
+-                }
+-                CMS.debug("before new X509CRLImpl");
+-                X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(),
+-                        AlgorithmId.get(signingAlgorithm),
+-                        thisUpdate, nextUpdate, mCRLCerts, ext);
+-
+-                CMS.debug("before sign");
+-                newX509CRL = mCA.sign(crl, signingAlgorithm);
+-
+-                CMS.debug("before getEncoded()");
+-                newCRL = newX509CRL.getEncoded();
+-                CMS.debug("after getEncoded()");
+-                mSplits[7] += System.currentTimeMillis();
+-
+-                mSplits[8] -= System.currentTimeMillis();
+-
+-                Date nextUpdateDate = mNextUpdate;
+-                if (isDeltaCRLEnabled() && (mUpdateSchema > 1 ||
+-                        (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) {
+-                    nextUpdateDate = mNextDeltaUpdate;
+-                }
+-                if (mSaveMemory) {
+-                    mCRLRepository.updateCRLIssuingPointRecord(
+-                            mId, newCRL, thisUpdate, nextUpdateDate,
+-                            mNextCRLNumber, Long.valueOf(mCRLCerts.size()));
+-                    updateCRLCacheRepository();
+-                } else {
+-                    mCRLRepository.updateCRLIssuingPointRecord(
+-                            mId, newCRL, thisUpdate, nextUpdateDate,
+-                            mNextCRLNumber, Long.valueOf(mCRLCerts.size()),
+-                            mRevokedCerts, mUnrevokedCerts, mExpiredCerts);
+-                    mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE;
+-                }
+-
+-                mSplits[8] += System.currentTimeMillis();
+-
+-                mCRLSize = mCRLCerts.size();
+-                mCRLNumber = mNextCRLNumber;
+-                mDeltaCRLNumber = mCRLNumber;
+-                mNextCRLNumber = mCRLNumber.add(BigInteger.ONE);
+-                mNextDeltaCRLNumber = mNextCRLNumber;
+-
+-                CMS.debug("Logging CRL Update to transaction log");
+-                long totalTime = 0;
+-                long crlTime = 0;
+-                long deltaTime = 0;
+-                StringBuilder splitTimes = new StringBuilder("  (");
+-                for (int i = 0; i < mSplits.length; i++) {
+-                    totalTime += mSplits[i];
+-                    if (i > 0 && i < 5) {
+-                        deltaTime += mSplits[i];
+-                    } else {
+-                        crlTime += mSplits[i];
+-                    }
+-                    if (i > 0)
+-                        splitTimes.append(",");
+-                    splitTimes.append(mSplits[i]);
+-                }
+-                splitTimes.append(String.format(",%d,%d,%d)",deltaTime,crlTime,totalTime));
+-                mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
+-                            AuditFormat.LEVEL,
+-                            CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATED"),
+-                            new Object[] {
+-                                    getId(),
+-                                    getCRLNumber(),
+-                                    getLastUpdate(),
+-                                    getNextUpdate(),
+-                                    Long.toString(mCRLSize),
+-                                    Long.toString(totalTime),
+-                                    Long.toString(crlTime),
+-                                    Long.toString(deltaTime) + splitTimes
+-                            }
+-                           );
+-                CMS.debug("Finished Logging CRL Update to transaction log");
+-
+-            } catch (EBaseException e) {
+-                newX509CRL = null;
+-                mUpdatingCRL = CRL_UPDATE_DONE;
+-                if (Debug.on())
+-                    Debug.printStackTrace(e);
+-                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString()));
+-                throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+-            } catch (NoSuchAlgorithmException e) {
+-                newX509CRL = null;
+-                mUpdatingCRL = CRL_UPDATE_DONE;
+-                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+-                throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+-            } catch (CRLException e) {
+-                newX509CRL = null;
+-                mUpdatingCRL = CRL_UPDATE_DONE;
+-                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+-                throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+-            } catch (X509ExtensionException e) {
+-                newX509CRL = null;
+-                mUpdatingCRL = CRL_UPDATE_DONE;
+-                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+-                throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+-            } catch (OutOfMemoryError e) {
+-                newX509CRL = null;
+-                mUpdatingCRL = CRL_UPDATE_DONE;
+-                log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+-                throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+-            }
++            X509CRLImpl newX509CRL = generateFullCRL(signingAlgorithm, thisUpdate, nextUpdate, ext);
+ 
+             try {
+                 mSplits[9] -= System.currentTimeMillis();
+@@ -2990,6 +2871,139 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+         return newX509DeltaCRL;
+     }
+ 
++    X509CRLImpl generateFullCRL(
++            String signingAlgorithm,
++            Date thisUpdate,
++            Date nextUpdate,
++            CRLExtensions ext) throws EBaseException {
++
++        try {
++            CMS.debug("Making CRL with algorithm " +
++                    signingAlgorithm + " " + AlgorithmId.get(signingAlgorithm));
++
++            mSplits[7] -= System.currentTimeMillis();
++
++            // #56123 - dont generate CRL if no revoked certificates
++            if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) {
++                if (mCRLCerts.size() == 0) {
++                    CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated");
++                    throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
++                            "No Revoked Certificates"));
++                }
++            }
++
++            CMS.debug("CRLIssuingPoint: creating CRL object");
++            X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(),
++                    AlgorithmId.get(signingAlgorithm),
++                    thisUpdate, nextUpdate, mCRLCerts, ext);
++
++            CMS.debug("CRLIssuingPoint: signing CRL");
++            X509CRLImpl newX509CRL = mCA.sign(crl, signingAlgorithm);
++
++            CMS.debug("CRLIssuingPoint: encoding CRL");
++            byte[] newCRL = newX509CRL.getEncoded();
++
++            mSplits[7] += System.currentTimeMillis();
++
++            mSplits[8] -= System.currentTimeMillis();
++
++            Date nextUpdateDate = mNextUpdate;
++            if (isDeltaCRLEnabled() && (mUpdateSchema > 1 ||
++                    (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) {
++                nextUpdateDate = mNextDeltaUpdate;
++            }
++
++            if (mSaveMemory) {
++                mCRLRepository.updateCRLIssuingPointRecord(
++                        mId, newCRL, thisUpdate, nextUpdateDate,
++                        mNextCRLNumber, Long.valueOf(mCRLCerts.size()));
++                updateCRLCacheRepository();
++
++            } else {
++                mCRLRepository.updateCRLIssuingPointRecord(
++                        mId, newCRL, thisUpdate, nextUpdateDate,
++                        mNextCRLNumber, Long.valueOf(mCRLCerts.size()),
++                        mRevokedCerts, mUnrevokedCerts, mExpiredCerts);
++                mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE;
++            }
++
++            mSplits[8] += System.currentTimeMillis();
++
++            mCRLSize = mCRLCerts.size();
++            mCRLNumber = mNextCRLNumber;
++            mDeltaCRLNumber = mCRLNumber;
++            mNextCRLNumber = mCRLNumber.add(BigInteger.ONE);
++            mNextDeltaCRLNumber = mNextCRLNumber;
++
++            CMS.debug("CRLIssuingPoint: Logging CRL Update to transaction log");
++            long totalTime = 0;
++            long crlTime = 0;
++            long deltaTime = 0;
++            StringBuilder splitTimes = new StringBuilder("  (");
++            for (int i = 0; i < mSplits.length; i++) {
++                totalTime += mSplits[i];
++                if (i > 0 && i < 5) {
++                    deltaTime += mSplits[i];
++                } else {
++                    crlTime += mSplits[i];
++                }
++                if (i > 0)
++                    splitTimes.append(",");
++                splitTimes.append(mSplits[i]);
++            }
++            splitTimes.append(String.format(",%d,%d,%d)",deltaTime,crlTime,totalTime));
++
++            mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER,
++                        AuditFormat.LEVEL,
++                        CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATED"),
++                        new Object[] {
++                                getId(),
++                                getCRLNumber(),
++                                getLastUpdate(),
++                                getNextUpdate(),
++                                Long.toString(mCRLSize),
++                                Long.toString(totalTime),
++                                Long.toString(crlTime),
++                                Long.toString(deltaTime) + splitTimes
++                        }
++            );
++
++            CMS.debug("CRLIssuingPoint: Finished Logging CRL Update to transaction log");
++
++            return newX509CRL;
++
++        } catch (EBaseException e) {
++            CMS.debug(e);
++            mUpdatingCRL = CRL_UPDATE_DONE;
++            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString()));
++            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
++
++        } catch (NoSuchAlgorithmException e) {
++            CMS.debug(e);
++            mUpdatingCRL = CRL_UPDATE_DONE;
++            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
++            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
++
++        } catch (CRLException e) {
++            CMS.debug(e);
++            mUpdatingCRL = CRL_UPDATE_DONE;
++            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
++            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
++
++        } catch (X509ExtensionException e) {
++            CMS.debug(e);
++            mUpdatingCRL = CRL_UPDATE_DONE;
++            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
++            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
++
++        } catch (OutOfMemoryError e) {
++            CMS.debug(e);
++            mUpdatingCRL = CRL_UPDATE_DONE;
++            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
++            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
++        }
++    }
++
+     /**
+      * publish CRL. called from updateCRLNow() and init().
+      */
+-- 
+1.8.3.1
+
+
+From c88ad697138778c597cf8ce361f8ee1761bee0ab Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Wed, 24 May 2017 22:49:24 -0400
+Subject: [PATCH 26/38] Encapsulate key status change audit logs
+
+Change-Id: I57b30cdff571056d0a95436858308872a8dc007b
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  3 --
+ .../event/SecurityDataStatusChangeEvent.java       | 49 ++++++++++++++++++++++
+ .../org/dogtagpki/server/kra/rest/KeyService.java  | 16 ++++---
+ base/server/cmsbundle/src/LogMessages.properties   |  2 +-
+ 4 files changed, 57 insertions(+), 13 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index beedb9f..348ea09 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -164,9 +164,6 @@ public class AuditEvent implements IBundleLogEvent {
+     public final static String CONFIG_SERIAL_NUMBER =
+             "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1";
+ 
+-    public final static String KEY_STATUS_CHANGE =
+-            "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6";
+-
+     public final static String TOKEN_CERT_ENROLLMENT =
+             "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
+     public final static String TOKEN_CERT_RENEWAL =
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java
+new file mode 100644
+index 0000000..082516c
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java
+@@ -0,0 +1,49 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.dbs.keydb.KeyId;
++import com.netscape.certsrv.logging.AuditEvent;
++
++public class SecurityDataStatusChangeEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE";
++
++    public SecurityDataStatusChangeEvent(
++            String subjectID,
++            String outcome,
++            KeyId keyID,
++            String oldStatus,
++            String newStatus,
++            String info) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                keyID,
++                oldStatus,
++                newStatus,
++                info
++        });
++    }
++}
+\ No newline at end of file
+diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+index 8edb928..642367c 100644
+--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
++++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+@@ -60,12 +60,12 @@ import com.netscape.certsrv.key.KeyRecoveryRequest;
+ import com.netscape.certsrv.key.KeyResource;
+ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+ import com.netscape.certsrv.kra.IKeyService;
+-import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataInfoEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
++import com.netscape.certsrv.logging.event.SecurityDataStatusChangeEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+ import com.netscape.certsrv.request.RequestId;
+@@ -657,17 +657,15 @@ public class KeyService extends SubsystemService implements KeyResource {
+         auditKeyInfo(keyId, clientKeyId, ILogger.FAILURE, message);
+     }
+ 
+-    public void auditKeyStatusChange(String status, String keyID, String oldKeyStatus,
++    public void auditKeyStatusChange(String status, KeyId keyID, String oldKeyStatus,
+             String newKeyStatus, String info) {
+-        String msg = CMS.getLogMessage(
+-                AuditEvent.KEY_STATUS_CHANGE,
++        audit(new SecurityDataStatusChangeEvent(
+                 servletRequest.getUserPrincipal().getName(),
+                 status,
+                 keyID,
+                 oldKeyStatus,
+                 newKeyStatus,
+-                info);
+-        auditor.log(msg);
++                info));
+     }
+ 
+     public void auditRecoveryRequest(String status) {
+@@ -809,20 +807,20 @@ public class KeyService extends SubsystemService implements KeyResource {
+             mods.add(IKeyRecord.ATTR_STATUS, Modification.MOD_REPLACE,
+                     status);
+             repo.modifyKeyRecord(keyId.toBigInteger(), mods);
+-            auditKeyStatusChange(ILogger.SUCCESS, keyId.toString(),
++            auditKeyStatusChange(ILogger.SUCCESS, keyId,
+                     (info!=null)?info.getStatus():null, status, auditInfo);
+ 
+             return createNoContentResponse();
+         } catch (EDBRecordNotFoundException e) {
+             auditInfo = auditInfo + ":" + e.getMessage();
+             CMS.debug(auditInfo);
+-            auditKeyStatusChange(ILogger.FAILURE, keyId.toString(),
++            auditKeyStatusChange(ILogger.FAILURE, keyId,
+                     (info!=null)?info.getStatus():null, status, auditInfo);
+             throw new KeyNotFoundException(keyId, "key not found to modify", e);
+         } catch (Exception e) {
+             auditInfo = auditInfo + ":" + e.getMessage();
+             CMS.debug(auditInfo);
+-            auditKeyStatusChange(ILogger.FAILURE, keyId.toString(),
++            auditKeyStatusChange(ILogger.FAILURE, keyId,
+                     (info!=null)?info.getStatus():null, status, auditInfo);
+             e.printStackTrace();
+             throw new PKIException(e.getMessage(), e);
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 4a44134..3ac23d5 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2484,7 +2484,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=<type=SECURITY_DATA_INFO>:[AuditEvent=SE
+ # oldStatus is the old status to change from
+ # newStatus is the new status to change to
+ #
+-LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6=<type=KEY_STATUS_CHANGE>:[AuditEvent=KEY_STATUS_CHANGE][SubjectID={0}][Outcome={1}][KeyID={2}][OldStatus={3}][NewStatus={4}][Info={5}] Key Status Change
++LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=<type=KEY_STATUS_CHANGE>:[AuditEvent=KEY_STATUS_CHANGE][SubjectID={0}][Outcome={1}][KeyID={2}][OldStatus={3}][NewStatus={4}][Info={5}] Key Status Change
+ #
+ # LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED
+ # - used when symmetric key generation request is processed
+-- 
+1.8.3.1
+
+
+From 2a947446b81d21758ffadbae905a49e8c4e900ef Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Wed, 24 May 2017 23:42:41 -0400
+Subject: [PATCH 27/38] Encapsulate server side keygen audit events
+
+This encapsulates key gen events for the token servlets.
+Consolidated the success and failure cases.  Note that this
+event can likely later be replaced with security_data_keygen
+events.  Leaving separate for now.
+
+Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf
+---
+ .../com/netscape/certsrv/logging/AuditEvent.java   |  6 ---
+ .../logging/event/ServerSideKeyGenEvent.java       | 45 +++++++++++++++++++++
+ .../event/ServerSideKeyGenProcessedEvent.java      | 47 ++++++++++++++++++++++
+ base/kra/shared/conf/CS.cfg                        |  4 +-
+ .../src/com/netscape/kra/NetkeyKeygenService.java  | 34 +++++++---------
+ base/server/cmsbundle/src/LogMessages.properties   | 14 ++-----
+ 6 files changed, 113 insertions(+), 37 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java
+
+diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+index 348ea09..1d94dad 100644
+--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
++++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+@@ -72,12 +72,6 @@ public class AuditEvent implements IBundleLogEvent {
+     public final static String LOG_PATH_CHANGE =
+             "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4";
+ 
+-    public final static String SERVER_SIDE_KEYGEN_REQUEST =
+-            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3";
+-    public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS =
+-            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4";
+-    public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE =
+-            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3";
+     public final static String KEY_RECOVERY_AGENT_LOGIN =
+             "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4";
+     public final static String KEY_GEN_ASYMMETRIC =
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java
+new file mode 100644
+index 0000000..0894716
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java
+@@ -0,0 +1,45 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class ServerSideKeyGenEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST";
++
++    public ServerSideKeyGenEvent(
++            String subjectID,
++            String outcome,
++            String entityID,
++            RequestId requestID) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                entityID,
++                requestID
++        });
++    }
++}
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java
+new file mode 100644
+index 0000000..71ed3ed
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java
+@@ -0,0 +1,47 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.request.RequestId;
++
++public class ServerSideKeyGenProcessedEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    private static final String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED";
++
++    public ServerSideKeyGenProcessedEvent(
++            String subjectID,
++            String outcome,
++            String entityID,
++            RequestId requestID,
++            String pubKey) {
++
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                outcome,
++                entityID,
++                requestID,
++                pubKey
++        });
++    }
++}
+\ No newline at end of file
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index 69d9382..c08e56e 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index 947377a..e54c58a 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -53,8 +53,11 @@ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
+ import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
++import com.netscape.certsrv.logging.event.ServerSideKeyGenEvent;
++import com.netscape.certsrv.logging.event.ServerSideKeyGenProcessedEvent;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IService;
++import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.security.IStorageKeyUnit;
+ import com.netscape.certsrv.security.ITransportKeyUnit;
+ import com.netscape.cms.servlet.key.KeyRecordParser;
+@@ -144,7 +147,6 @@ public class NetkeyKeygenService implements IService {
+      */
+     public boolean serviceRequest(IRequest request)
+             throws EBaseException {
+-        String auditMessage = null;
+         String auditSubjectID = null;
+         byte[] wrapped_des_key;
+ 
+@@ -180,23 +182,21 @@ public class NetkeyKeygenService implements IService {
+         String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID);
+         String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID);
+         String rKeytype = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_TYPE);
++        RequestId requestId = request.getRequestId();
+ 
+         auditSubjectID = rCUID + ":" + rUserid;
+ 
+         SessionContext sContext = SessionContext.getContext();
+         String agentId = "";
+         if (sContext != null) {
+-            agentId =
+-                    (String) sContext.get(SessionContext.USER_ID);
++            agentId = (String) sContext.get(SessionContext.USER_ID);
+         }
+ 
+-        auditMessage = CMS.getLogMessage(
+-                AuditEvent.SERVER_SIDE_KEYGEN_REQUEST,
++        audit(new ServerSideKeyGenEvent(
+                 agentId,
+                 ILogger.SUCCESS,
+-                auditSubjectID);
+-
+-        audit(auditMessage);
++                auditSubjectID,
++                requestId));
+ 
+         String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY);
+         // the request reocrd field delayLDAPCommit == "true" will cause
+@@ -262,13 +262,12 @@ public class NetkeyKeygenService implements IService {
+                 CMS.debug("NetkeyKeygenService: failed generating key pair for " + rCUID + ":" + rUserid);
+                 request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ 
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,
++                audit(new ServerSideKeyGenProcessedEvent(
+                         agentId,
+                         ILogger.FAILURE,
+-                        auditSubjectID);
+-
+-                audit(auditMessage);
++                        auditSubjectID,
++                        requestId,
++                        null));
+ 
+                 return false;
+             }
+@@ -294,14 +293,12 @@ public class NetkeyKeygenService implements IService {
+                     request.setExtData("public_key", PubKey);
+                 }
+ 
+-                auditMessage = CMS.getLogMessage(
+-                        AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,
++                audit(new ServerSideKeyGenProcessedEvent(
+                         agentId,
+                         ILogger.SUCCESS,
+                         auditSubjectID,
+-                        PubKey);
+-
+-                audit(auditMessage);
++                        requestId,
++                        PubKey));
+ 
+                 //...extract the private key handle (not privatekeydata)
+                 java.security.PrivateKey privKey =
+@@ -365,7 +362,6 @@ public class NetkeyKeygenService implements IService {
+                             "NetkeyKeygenService: failed generating wrapped private key",
+                             PubKey));
+ 
+-                    audit(auditMessage);
+                     return false;
+                 } else {
+                     request.setExtData("wrappedUserPrivate", wrappedPrivKeyString);
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 3ac23d5..fc4e946 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -1947,21 +1947,15 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
+ # - used when server-side key generation request is made
+ #    This is for tokenkeys
+ # EntityID must be the representation of the subject that will be on the certificate when issued
+-LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST][SubjectID={0}][Outcome={1}][EntityID={2}] server-side key generation request processed
++LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST][SubjectID={0}][Outcome={1}][EntityID={2}][RequestID={3}] server-side key generation request
+ #
+-# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS
+-# - used when server-side key generation request has been processed with success
++# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
++# - used when server-side key generation request has been processed.
+ #    This is for tokenkeys
+ # EntityID must be the representation of the subject that will be on the certificate when issued
+ # PubKey must be the base-64 encoded public key associated with
+ #    the private key to be archived
+-LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4=<type=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] server-side key generation request processed with success
+-#
+-# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE
+-# - used when server-side key generation request has been processed with failure
+-#    This is for tokenkeys
+-# EntityID must be the representation of the subject that will be on the certificate when issued
+-LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3=<type=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][EntityID={2}] server-side key generation request processed with failure
++LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][EntityID={2}][RequestID={3}][[PubKey={4}] server-side key generation request processed
+ #
+ # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST
+ # - used when key recovery request is made
+-- 
+1.8.3.1
+
+
+From 8aa94e1ca017e54454f6f6f6ebb4ee254062e822 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 20 May 2017 01:49:36 +0200
+Subject: [PATCH 28/38] Replaced SHA1-based random number generators.
+
+The SHA1-based random number generators in some classes have been
+replaced with the random number generator provided by JssSubsystem.
+
+https://pagure.io/dogtagpki/issue/2695
+
+Change-Id: Id0285dbc8c940fa7afb8feccab3086030d949514
+---
+ base/kra/src/com/netscape/kra/NetkeyKeygenService.java          | 5 ++++-
+ base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java      | 5 ++++-
+ base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java | 7 +++++--
+ 3 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index e54c58a..8383e89 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -62,6 +62,7 @@ import com.netscape.certsrv.security.IStorageKeyUnit;
+ import com.netscape.certsrv.security.ITransportKeyUnit;
+ import com.netscape.cms.servlet.key.KeyRecordParser;
+ import com.netscape.cmscore.dbs.KeyRecord;
++import com.netscape.cmscore.security.JssSubsystem;
+ import com.netscape.cmscore.util.Debug;
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+ 
+@@ -153,10 +154,12 @@ public class NetkeyKeygenService implements IService {
+         byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+         String iv_s = "";
+         try {
+-            SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
++            JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
++            SecureRandom random = jssSubsystem.getRandomNumberGenerator();
+             random.nextBytes(iv);
+         } catch (Exception e) {
+             CMS.debug("NetkeyKeygenService.serviceRequest:  " + e.toString());
++            throw new EBaseException(e);
+         }
+ 
+         IVParameterSpec algParam = new IVParameterSpec(iv);
+diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+index 2519a4d..c0b5cdd 100644
+--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+@@ -56,6 +56,7 @@ import com.netscape.certsrv.request.RequestId;
+ import com.netscape.certsrv.security.IStorageKeyUnit;
+ import com.netscape.certsrv.security.ITransportKeyUnit;
+ import com.netscape.cmscore.dbs.KeyRecord;
++import com.netscape.cmscore.security.JssSubsystem;
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+ import com.netscape.cmsutil.util.Cert;
+ 
+@@ -203,10 +204,12 @@ public class TokenKeyRecoveryService implements IService {
+ 
+         byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+         try {
+-            SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
++            JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
++            SecureRandom random = jssSubsystem.getRandomNumberGenerator();
+             random.nextBytes(iv);
+         } catch (Exception e) {
+             CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString());
++            throw new EBaseException(e);
+         }
+ 
+         RequestId auditRequestID = request.getRequestId();
+diff --git a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
+index c8150a9..5b8b1dd 100644
+--- a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
++++ b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
+@@ -54,6 +54,7 @@ import com.netscape.cms.servlet.common.CMSRequest;
+ import com.netscape.cms.servlet.tks.GPParams;
+ import com.netscape.cms.servlet.tks.NistSP800_108KDF;
+ import com.netscape.cms.servlet.tks.SecureChannelProtocol;
++import com.netscape.cmscore.security.JssSubsystem;
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+ import com.netscape.symkey.SessionKey;
+ 
+@@ -1996,7 +1997,8 @@ public class TokenServlet extends CMSServlet {
+                 CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. Generating...");
+             }
+             try {
+-                SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
++                JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
++                SecureRandom random = jssSubsystem.getRandomNumberGenerator();
+                 data = new byte[16];
+                 random.nextBytes(data);
+             } catch (Exception e) {
+@@ -2320,7 +2322,8 @@ public class TokenServlet extends CMSServlet {
+ 
+         if (!missingParam) {
+             try {
+-                SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
++                JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
++                SecureRandom random = jssSubsystem.getRandomNumberGenerator();
+                 randomData = new byte[dataSize];
+                 random.nextBytes(randomData);
+             } catch (Exception e) {
+-- 
+1.8.3.1
 
-Ticket #1578
 
-The fixing of this problem required the following:
+From 5ce1212159f8055ab7534887542e1d8cb41eb15d Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 25 May 2017 19:35:36 +0200
+Subject: [PATCH 29/38] Refactored CRLIssuingPoint.generateDeltaCRL().
+
+The code related to delta CRL generation has been moved into
+generateDeltaCRL().
 
-1. Hook up a java callback that is designed to allow the selection of a candidate
-client auth cert to be sent to Ldap in the LdapSSLSocket factory object.
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: Ic38c654cea03fe8748bd9663b5414fbe8e762f26
+---
+ base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 102 ++++++++++++-----------
+ 1 file changed, 54 insertions(+), 48 deletions(-)
 
-Previously we simply manually set the desired client auth cert nickname, which is provided
-by the console interface when cofiguring the "removePin" portion of the UidPinDir Authentication method.
+diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+index 3764adf..feca02a 100644
+--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+@@ -2607,51 +2607,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+             mSplits[5] += System.currentTimeMillis();
+         } else {
+             if (isDeltaCRLEnabled()) {
+-                mSplits[1] -= System.currentTimeMillis();
+-                @SuppressWarnings("unchecked")
+-                Hashtable<BigInteger, RevokedCertificate> deltaCRLCerts =
+-                        (Hashtable<BigInteger, RevokedCertificate>) clonedRevokedCerts.clone();
+ 
+-                deltaCRLCerts.putAll(clonedUnrevokedCerts);
+-                if (mIncludeExpiredCertsOneExtraTime) {
+-                    if (!clonedExpiredCerts.isEmpty()) {
+-                        for (Enumeration<BigInteger> e = clonedExpiredCerts.keys(); e.hasMoreElements();) {
+-                            BigInteger serialNumber = e.nextElement();
+-                            if ((mLastFullUpdate != null &&
+-                                    mLastFullUpdate.after((mExpiredCerts.get(serialNumber)).getRevocationDate())) ||
+-                                    mLastFullUpdate == null) {
+-                                deltaCRLCerts.put(serialNumber, clonedExpiredCerts.get(serialNumber));
+-                            }
+-                        }
+-                    }
+-                } else {
+-                    deltaCRLCerts.putAll(clonedExpiredCerts);
+-                }
+-
+-                mLastCRLNumber = mCRLNumber;
+-
+-                CRLExtensions ext = generateCRLExtensions(FreshestCRLExtension.NAME);
+-
+-                mSplits[1] += System.currentTimeMillis();
++                generateDeltaCRL(
++                        clonedRevokedCerts,
++                        clonedUnrevokedCerts,
++                        clonedExpiredCerts,
++                        signingAlgorithm,
++                        thisUpdate,
++                        nextDeltaUpdate);
+ 
+-                X509CRLImpl newX509DeltaCRL = generateDeltaCRL(
+-                        deltaCRLCerts, signingAlgorithm, thisUpdate, nextDeltaUpdate, ext);
+-
+-                try {
+-                    mSplits[4] -= System.currentTimeMillis();
+-                    publishCRL(newX509DeltaCRL, true);
+-                    mSplits[4] += System.currentTimeMillis();
+-                } catch (EBaseException e) {
+-                    newX509DeltaCRL = null;
+-                    if (Debug.on())
+-                        Debug.printStackTrace(e);
+-                    log(ILogger.LL_FAILURE,
+-                            CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString()));
+-                } catch (OutOfMemoryError e) {
+-                    newX509DeltaCRL = null;
+-                    log(ILogger.LL_FAILURE,
+-                            CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString()));
+-                }
+             } else {
+                 mDeltaCRLSize = -1;
+             }
+@@ -2780,12 +2744,41 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+         return ext;
+     }
+ 
+-    X509CRLImpl generateDeltaCRL(
+-            Hashtable<BigInteger, RevokedCertificate> deltaCRLCerts,
++    void generateDeltaCRL(
++            Hashtable<BigInteger, RevokedCertificate> clonedRevokedCerts,
++            Hashtable<BigInteger, RevokedCertificate> clonedUnrevokedCerts,
++            Hashtable<BigInteger, RevokedCertificate> clonedExpiredCerts,
+             String signingAlgorithm,
+             Date thisUpdate,
+-            Date nextDeltaUpdate,
+-            CRLExtensions ext) {
++            Date nextDeltaUpdate) {
++
++        mSplits[1] -= System.currentTimeMillis();
++
++        @SuppressWarnings("unchecked")
++        Hashtable<BigInteger, RevokedCertificate> deltaCRLCerts =
++                (Hashtable<BigInteger, RevokedCertificate>) clonedRevokedCerts.clone();
++
++        deltaCRLCerts.putAll(clonedUnrevokedCerts);
++
++        if (mIncludeExpiredCertsOneExtraTime) {
++
++            for (Enumeration<BigInteger> e = clonedExpiredCerts.keys(); e.hasMoreElements();) {
++                BigInteger serialNumber = e.nextElement();
++                if (mLastFullUpdate == null ||
++                    mLastFullUpdate.after(mExpiredCerts.get(serialNumber).getRevocationDate())) {
++                    deltaCRLCerts.put(serialNumber, clonedExpiredCerts.get(serialNumber));
++                }
++            }
++
++        } else {
++            deltaCRLCerts.putAll(clonedExpiredCerts);
++        }
++
++        mLastCRLNumber = mCRLNumber;
++
++        CRLExtensions ext = generateCRLExtensions(FreshestCRLExtension.NAME);
++
++        mSplits[1] += System.currentTimeMillis();
+ 
+         X509CRLImpl newX509DeltaCRL = null;
+ 
+@@ -2868,7 +2861,20 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+             mDeltaCRLSize = -1;
+         }
+ 
+-        return newX509DeltaCRL;
++        try {
++            mSplits[4] -= System.currentTimeMillis();
++            publishCRL(newX509DeltaCRL, true);
++            mSplits[4] += System.currentTimeMillis();
++
++        } catch (EBaseException e) {
++            CMS.debug(e);
++            log(ILogger.LL_FAILURE,
++                    CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString()));
++        } catch (OutOfMemoryError e) {
++            CMS.debug(e);
++            log(ILogger.LL_FAILURE,
++                    CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString()));
++        }
+     }
+ 
+     X509CRLImpl generateFullCRL(
+-- 
+1.8.3.1
 
-Doing it this way has the benefit of giving us some logging to show when the actual client auth cert is being
-requested by the server. We get to see the list of candidate certs and when we match one of those with the requested
-cert name, established by the console.
 
-This client auth problem applies ONLY to the connection pool that is used to remove the pin attribute from
-an external authentication directory.
+From 5e0cb550236c5bb06baa4b3a94558407a53c92ea Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 25 May 2017 21:22:50 +0200
+Subject: [PATCH 30/38] Refactored CRLIssuingPoint.generateFullCRL().
 
-2. Previously the code, when setting up client auth for "removePin", would make one single call to create the SSL socket
-to connect to ldap over client auth. Now, based on some code I saw in the JSS test suite, the socket is constructed in two
-steps. Doing this causes things to work. Further investigation down the line could figure out what is going on at the lower level.
+The code related to full CRL generation has been moved into
+generateFullCRL().
 
-3. Was able to test this to work with the reported problem directory server provided by QE. Note: for pin removal to work, we must also
-make sure that the user we authenticating to (through client auth) has the power to actually remove the pin attribute from various users.
+https://pagure.io/dogtagpki/issue/2651
 
-(cherry picked from commit a4d726098458225a0605faca9f11ebaa4dab036f)
-(cherry picked from commit ab570231ef3f63712cf7404ca2171cbea0ae0f92)
+Change-Id: I6a23c97255ba7095e168e927621f0503923251c2
 ---
- .../cmscore/ldapconn/LdapJssSSLSocketFactory.java  | 70 ++++++++++++++++++++--
- 1 file changed, 65 insertions(+), 5 deletions(-)
+ base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 80 ++++++++++++------------
+ 1 file changed, 40 insertions(+), 40 deletions(-)
 
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
-index 182812c..b54d1e2 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java
-@@ -18,9 +18,16 @@
- package com.netscape.cmscore.ldapconn;
+diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+index feca02a..cbcdc69 100644
+--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+@@ -2676,39 +2676,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+         clonedExpiredCerts = null;
  
- import java.io.IOException;
-+import java.net.InetAddress;
- import java.net.Socket;
- import java.net.UnknownHostException;
-+import java.util.Iterator;
-+import java.util.Vector;
- 
-+import netscape.ldap.LDAPException;
-+import netscape.ldap.LDAPSSLSocketFactoryExt;
-+
-+import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
- import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
- import org.mozilla.jss.ssl.SSLHandshakeCompletedListener;
- import org.mozilla.jss.ssl.SSLSocket;
-@@ -28,9 +35,6 @@ import org.mozilla.jss.ssl.SSLSocket;
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.logging.ILogger;
+         if ((!isDeltaCRLEnabled()) || mSchemaCounter == 0) {
+-            mSplits[6] -= System.currentTimeMillis();
+-            if (mNextDeltaCRLNumber.compareTo(mNextCRLNumber) > 0) {
+-                mNextCRLNumber = mNextDeltaCRLNumber;
+-            }
+-
+-            CRLExtensions ext;
+-            if (mAllowExtensions) {
+-                ext = generateCRLExtensions(DeltaCRLIndicatorExtension.NAME);
+-            } else {
+-                ext = null;
+-            }
+-            mSplits[6] += System.currentTimeMillis();
+-            // for audit log
  
--import netscape.ldap.LDAPException;
--import netscape.ldap.LDAPSSLSocketFactoryExt;
+-            X509CRLImpl newX509CRL = generateFullCRL(signingAlgorithm, thisUpdate, nextUpdate, ext);
 -
- /**
-  * Uses HCL ssl socket.
-  *
-@@ -54,7 +58,22 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
-             /*
-              * let inherit TLS range and cipher settings
-              */
--            s = new SSLSocket(host, port);
+-            try {
+-                mSplits[9] -= System.currentTimeMillis();
+-                mUpdatingCRL = CRL_PUBLISHING_STARTED;
+-                publishCRL(newX509CRL);
+-                newX509CRL = null;
+-                mSplits[9] += System.currentTimeMillis();
+-            } catch (EBaseException e) {
+-                newX509CRL = null;
+-                mUpdatingCRL = CRL_UPDATE_DONE;
+-                log(ILogger.LL_FAILURE,
+-                        CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString()));
+-            } catch (OutOfMemoryError e) {
+-                newX509CRL = null;
+-                mUpdatingCRL = CRL_UPDATE_DONE;
+-                log(ILogger.LL_FAILURE,
+-                        CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString()));
+-            }
++            generateFullCRL(signingAlgorithm, thisUpdate, nextUpdate);
+         }
+ 
+         if (isDeltaCRLEnabled() && mDeltaCRLSize > -1 && mSchemaCounter > 0) {
+@@ -2877,11 +2846,25 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+         }
+     }
+ 
+-    X509CRLImpl generateFullCRL(
++    void generateFullCRL(
+             String signingAlgorithm,
+             Date thisUpdate,
+-            Date nextUpdate,
+-            CRLExtensions ext) throws EBaseException {
++            Date nextUpdate) throws EBaseException {
 +
-+            if (mClientAuthCertNickname == null) {
-+                s = new SSLSocket(host, port);
-+            }
-+            else {
-+                //Let's create a selection callback in the case the client auth
-+                //No longer manually set the cert name.
-+                //This two step process, used in the JSS client auth test suite,
-+                //appears to be needed to get this working.
++        mSplits[6] -= System.currentTimeMillis();
++        if (mNextDeltaCRLNumber.compareTo(mNextCRLNumber) > 0) {
++            mNextCRLNumber = mNextDeltaCRLNumber;
++        }
 +
-+                Socket js = new Socket(InetAddress.getByName(host), port);
-+                s = new SSLSocket(js, host,
-+                        null,
-+                        new SSLClientCertificateSelectionCB(mClientAuthCertNickname));
-+            }
++        CRLExtensions ext;
++        if (mAllowExtensions) {
++            ext = generateCRLExtensions(DeltaCRLIndicatorExtension.NAME);
++        } else {
++            ext = null;
++        }
++        mSplits[6] += System.currentTimeMillis();
 +
-             s.setUseClientMode(true);
-             s.enableV2CompatibleHello(false);
++        X509CRLImpl newX509CRL = null;
+ 
+         try {
+             CMS.debug("Making CRL with algorithm " +
+@@ -2904,7 +2887,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+                     thisUpdate, nextUpdate, mCRLCerts, ext);
+ 
+             CMS.debug("CRLIssuingPoint: signing CRL");
+-            X509CRLImpl newX509CRL = mCA.sign(crl, signingAlgorithm);
++            newX509CRL = mCA.sign(crl, signingAlgorithm);
+ 
+             CMS.debug("CRLIssuingPoint: encoding CRL");
+             byte[] newCRL = newX509CRL.getEncoded();
+@@ -2914,8 +2897,9 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+             mSplits[8] -= System.currentTimeMillis();
+ 
+             Date nextUpdateDate = mNextUpdate;
+-            if (isDeltaCRLEnabled() && (mUpdateSchema > 1 ||
+-                    (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) {
++            if (isDeltaCRLEnabled()
++                    && (mUpdateSchema > 1 || mEnableDailyUpdates && mExtendedTimeList)
++                    && mNextDeltaUpdate != null) {
+                 nextUpdateDate = mNextDeltaUpdate;
+             }
+ 
+@@ -2976,8 +2960,6 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
  
-@@ -67,7 +86,9 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
-                 mClientAuth = true;
-                 CMS.debug("LdapJssSSLSocket: set client auth cert nickname " +
-                         mClientAuthCertNickname);
--                s.setClientCertNickname(mClientAuthCertNickname);
+             CMS.debug("CRLIssuingPoint: Finished Logging CRL Update to transaction log");
+ 
+-            return newX509CRL;
+-
+         } catch (EBaseException e) {
+             CMS.debug(e);
+             mUpdatingCRL = CRL_UPDATE_DONE;
+@@ -3008,6 +2990,24 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+             throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+         }
++
++        try {
++            mSplits[9] -= System.currentTimeMillis();
++            mUpdatingCRL = CRL_PUBLISHING_STARTED;
++            publishCRL(newX509CRL);
++            mSplits[9] += System.currentTimeMillis();
 +
-+                //We have already established the manual cert selection callback
-+                //Doing it this way will provide some debugging info on the candidate certs
++        } catch (EBaseException e) {
++            CMS.debug(e);
++            mUpdatingCRL = CRL_UPDATE_DONE;
++            log(ILogger.LL_FAILURE,
++                    CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString()));
++        } catch (OutOfMemoryError e) {
++            CMS.debug(e);
++            mUpdatingCRL = CRL_UPDATE_DONE;
++            log(ILogger.LL_FAILURE,
++                    CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString()));
++        }
+     }
+ 
+     /**
+-- 
+1.8.3.1
+
+
+From 64233b8f26a3f87786fa0e0d641a5a02116ebece Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 26 May 2017 00:13:49 +0200
+Subject: [PATCH 31/38] Updated ECAException constructor.
+
+The ECAException constructor has been modified to accept a more
+generic Throwable instead of Exception.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: I2a63fad2f8a3216fe8d33f550d3571d2fec2c4ee
+---
+ base/common/src/com/netscape/certsrv/ca/ECAException.java | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/ca/ECAException.java b/base/common/src/com/netscape/certsrv/ca/ECAException.java
+index 01c601e..814219f 100644
+--- a/base/common/src/com/netscape/certsrv/ca/ECAException.java
++++ b/base/common/src/com/netscape/certsrv/ca/ECAException.java
+@@ -51,10 +51,10 @@ public class ECAException extends EBaseException {
+      * <P>
+      *
+      * @param msgFormat constant from CAResources.
+-     * @param e embedded exception.
++     * @param cause cause of this exception.
+      */
+-    public ECAException(String msgFormat, Exception e) {
+-        super(msgFormat, e);
++    public ECAException(String msgFormat, Throwable cause) {
++        super(msgFormat, cause);
+     }
+ 
+     /**
+-- 
+1.8.3.1
+
+
+From 5438e24e022c4c169ff9b5c6325e5ec0023d4caa Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Thu, 25 May 2017 16:31:45 -0400
+Subject: [PATCH 32/38] Set encryption flag for generated keys
+
+The key record for keys generated in the keygen servlets
+was not updated to reflect whether or not the server was set up
+to do encryption/key wrapping.  This patch corrects this
+oversight.
+
+Bugzilla BZ# 1455617
+
+Change-Id: I31daece8b93a0ad58cb595e6a23fe8705f338024
+---
+ base/kra/src/com/netscape/kra/AsymKeyGenService.java   | 2 +-
+ base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 2 +-
+ base/kra/src/com/netscape/kra/SymKeyGenService.java    | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+index ea1d0cc..1e38b48 100644
+--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+@@ -197,7 +197,7 @@ public class AsymKeyGenService implements IService {
+         }
+ 
+         try {
+-            record.setWrappingParams(params, false);
++            record.setWrappingParams(params, allowEncDecrypt_archival);
+         } catch (Exception e) {
+             auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+                     clientKeyId, null, "Failed to store wrapping params");
+diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+index 8383e89..96d7aae 100644
+--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
++++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+@@ -477,7 +477,7 @@ public class NetkeyKeygenService implements IService {
+                         return false;
+                     }
+ 
+-                    rec.setWrappingParams(params, false);
++                    rec.setWrappingParams(params, allowEncDecrypt_archival);
+ 
+                     CMS.debug("NetkeyKeygenService: before addKeyRecord");
+                     rec.set(KeyRecord.ATTR_ID, serialNo);
+diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+index a4613c2..578b1ff 100644
+--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
++++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
+@@ -221,7 +221,7 @@ public class SymKeyGenService implements IService {
+         }
+ 
+         try {
+-            rec.setWrappingParams(params, false);
++            rec.setWrappingParams(params, allowEncDecrypt_archival);
+         } catch (Exception e) {
+             mKRA.log(ILogger.LL_FAILURE,
+                     "Failed to store wrapping parameters: " + e);
+-- 
+1.8.3.1
+
+
+From 2866f6195eb49012cf7c42089a9fbf1be819129a Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Fri, 26 May 2017 17:47:14 +1000
+Subject: [PATCH 33/38] Fix NPE in lightweight CA creation
+
+Fixes: https://pagure.io/dogtagpki/issue/2711
+---
+ .../cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java    | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+index 908cbe4..4b0f68c 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+@@ -148,7 +148,9 @@ public class EnrollmentProcessor extends CertProcessor {
+             IProfileContext ctx = profile.createContext();
+ 
+             // set arbitrary user data into request, if any
+-            String userData = request.getParameter("user-data");
++            String userData = null;
++            if (request != null)
++                userData = request.getParameter("user-data");
+             if (userData != null)
+                 ctx.set(IEnrollProfile.REQUEST_USER_DATA, userData);
+ 
+-- 
+1.8.3.1
+
+
+From e3f64ea8ca4ec231a954076a7f6b05dfc626ff1b Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 18 May 2017 19:38:20 +0200
+Subject: [PATCH 34/38] Added DELTA_CRL_GENERATION audit event.
+
+A new DELTA_CRL_GENERATION audit event has been added which will
+be generated when delta CRL generation is complete.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f
+---
+ base/ca/shared/conf/CS.cfg                         |  4 +-
+ base/ca/src/com/netscape/ca/CRLIssuingPoint.java   | 69 ++++++++++++-----
+ .../logging/event/DeltaCRLGenerationEvent.java     | 86 ++++++++++++++++++++++
+ base/server/cmsbundle/src/LogMessages.properties   |  6 ++
+ 4 files changed, 145 insertions(+), 20 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 4e881dc..7377561 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+index cbcdc69..ff157b5 100644
+--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+@@ -51,8 +51,10 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+ import com.netscape.certsrv.dbs.certdb.IRevocationInfo;
+ import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
+ import com.netscape.certsrv.dbs.crldb.ICRLRepository;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent;
+ import com.netscape.certsrv.publish.ILdapRule;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+ import com.netscape.certsrv.request.IRequest;
+@@ -2758,8 +2760,9 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+             if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) {
+                 if (deltaCRLCerts.size() == 0) {
+                     CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated");
+-                    throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
+-                            "No Revoked Certificates"));
++                    mDeltaCRLSize = -1;
++                    audit(DeltaCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), "No Revoked Certificates"));
++                    return;
+                 }
              }
-             s.forceHandshake();
  
-@@ -114,4 +135,43 @@ public class LdapJssSSLSocketFactory implements LDAPSSLSocketFactoryExt {
-             CMS.debug("SSL handshake happened");
+@@ -2804,30 +2807,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+                     }
+             );
+ 
++            audit(DeltaCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), mCRLNumber));
++
+         } catch (EBaseException e) {
+             CMS.debug(e);
+             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString()));
+             mDeltaCRLSize = -1;
++            audit(DeltaCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage()));
++            return;
+ 
+-        } catch (NoSuchAlgorithmException e) {
+-            CMS.debug(e);
+-            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
+-            mDeltaCRLSize = -1;
+-
+-        } catch (CRLException e) {
+-            CMS.debug(e);
+-            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
+-            mDeltaCRLSize = -1;
+-
+-        } catch (X509ExtensionException e) {
+-            CMS.debug(e);
+-            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
+-            mDeltaCRLSize = -1;
+-
+-        } catch (OutOfMemoryError e) {
++        } catch (Throwable e) {
+             CMS.debug(e);
+             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString()));
+             mDeltaCRLSize = -1;
++            audit(DeltaCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage()));
++            return;
+         }
+ 
+         try {
+@@ -3186,6 +3180,45 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+             }
          }
      }
 +
-+    static class SSLClientCertificateSelectionCB implements SSLClientCertificateSelectionCallback {
-+        String desiredCertName = null;
++    String getAuditSubjectID() {
 +
-+        public SSLClientCertificateSelectionCB(String clientAuthCertNickname) {
-+            CMS.debug("SSLClientCertificateSelectionCB: Setting desired cert nickname to: " + clientAuthCertNickname);
-+            desiredCertName = clientAuthCertNickname;
++        SessionContext context = SessionContext.getExistingContext();
++
++        if (context == null) {
++            return ILogger.UNIDENTIFIED;
 +        }
 +
-+        @Override
-+        public String select(Vector certs) {
++        String subjectID = (String)context.get(SessionContext.USER_ID);
 +
-+            CMS.debug("SSLClientCertificatSelectionCB: Entering!");
++        if (subjectID == null) {
++            if (Thread.currentThread() == mUpdateThread) {
++                return ILogger.SYSTEM_UID;
 +
-+            if(desiredCertName == null) {
-+                return null;
++            } else {
++                return ILogger.NONROLEUSER;
 +            }
++        }
 +
-+            @SuppressWarnings("unchecked")
-+            Iterator<String> itr = certs.iterator();
-+            String selection = null;
++        return subjectID.trim();
++    }
 +
-+            while(itr.hasNext()){
-+                String candidate = itr.next();
-+                CMS.debug("Candidate cert: " + candidate);
-+                if(desiredCertName.equalsIgnoreCase(candidate)) {
-+                    selection = candidate;
-+                    CMS.debug("SSLClientCertificateSelectionCB: desired cert found in list: " + desiredCertName);
-+                    break;
-+                }
-+            }
++    void audit(AuditEvent event) {
 +
-+            CMS.debug("SSLClientCertificateSelectionCB: returning: " + selection);
-+            return selection;
++        ILogger logger = CMS.getSignedAuditLogger();
++        if (logger == null) return;
 +
-+        }
++        String messageID = event.getMessage();
++        Object[] params = event.getParameters();
 +
-+    }
++        String message = CMS.getLogMessage(messageID, params);
 +
++        logger.log(ILogger.EV_SIGNED_AUDIT,
++                null,
++                ILogger.S_SIGNED_AUDIT,
++                ILogger.LL_SECURITY,
++                message);
++    }
  }
+ 
+ class CertRecProcessor implements IElementProcessor {
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java
+new file mode 100644
+index 0000000..ba04a33
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java
+@@ -0,0 +1,86 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import java.math.BigInteger;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++
++public class DeltaCRLGenerationEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public final static String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION";
++
++    public DeltaCRLGenerationEvent() {
++        super(LOGGING_PROPERTY);
++    }
++
++    public static DeltaCRLGenerationEvent createSuccessEvent(
++            String subjectID,
++            BigInteger crlNumber) {
++
++        DeltaCRLGenerationEvent event = new DeltaCRLGenerationEvent();
++
++        event.setAttribute("CRLnum", crlNumber);
++
++        event.setParameters(new Object[] {
++                subjectID,
++                ILogger.SUCCESS,
++                event.getAttributeList()
++        });
++
++        return event;
++    }
++
++    public static DeltaCRLGenerationEvent createSuccessEvent(
++            String subjectID,
++            String info) {
++
++        DeltaCRLGenerationEvent event = new DeltaCRLGenerationEvent();
++
++        event.setAttribute("Info", info);
++
++        event.setParameters(new Object[] {
++                subjectID,
++                ILogger.SUCCESS,
++                event.getAttributeList()
++        });
++
++        return event;
++    }
++
++    public static DeltaCRLGenerationEvent createFailureEvent(
++            String subjectID,
++            String reason) {
++
++        DeltaCRLGenerationEvent event = new DeltaCRLGenerationEvent();
++
++        event.setAttribute("FailureReason", reason);
++
++        event.setParameters(new Object[] {
++                subjectID,
++                ILogger.FAILURE,
++                event.getAttributeList()
++        });
++
++        return event;
++    }
++}
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index fc4e946..30b8e2a 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2122,6 +2122,12 @@ LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=<type=CMC_PROOF_OF_IDENTIFICA
+ #
+ LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=<type=CMC_ID_POP_LINK_WITNESS>:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
+ #
++# LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION
++# - used when delta CRL generation is complete
++# Outcome is "success" when delta CRL is generated successfully, "failure" otherwise
++#
++LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEvent=DELTA_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Delta CRL generation
++#
+ # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL
+ # - used when CRLs are retrieved by the OCSP Responder
+ # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
 -- 
 1.8.3.1
 
 
-From a4ebeb1fa880e53d87c39757c8c2dd40aef0a7ce Mon Sep 17 00:00:00 2001
+From 4d5ecb5dd3e1f4eabbe29ab2ddbfeb825f9f4233 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 24 Aug 2016 18:42:05 +0200
-Subject: [PATCH 2/7] Added upgrade script to fix deployment descriptors.
+Date: Thu, 25 May 2017 22:53:03 +0200
+Subject: [PATCH 35/38] Added DELTA_CRL_PUBLISHING audit event.
 
-An upgrade script has been added to fix missing deployment
-descriptors or deployment descriptors that are pointing to
-non-existent or empty folders.
+A new DELTA_CRL_PUBLISHING audit event has been added which will
+be generated when delta CRL publishing is complete.
 
-https://fedorahosted.org/pki/ticket/2439
-(cherry picked from commit b8094e82c46f8d5f18d362404582304ad28407da)
-(cherry picked from commit b6a038a81c6f69e636822d7615e97d591c244aa1)
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372
 ---
- .../upgrade/10.3.5/03-FixDeploymentDescriptor      | 110 +++++++++++++++++++++
- 1 file changed, 110 insertions(+)
- create mode 100644 base/server/upgrade/10.3.5/03-FixDeploymentDescriptor
+ base/ca/shared/conf/CS.cfg                         |  4 +-
+ base/ca/src/com/netscape/ca/CRLIssuingPoint.java   | 10 ++--
+ .../logging/event/DeltaCRLPublishingEvent.java     | 63 ++++++++++++++++++++++
+ base/server/cmsbundle/src/LogMessages.properties   |  6 +++
+ 4 files changed, 76 insertions(+), 7 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java
 
-diff --git a/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor b/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 7377561..867e4cb 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+index ff157b5..9fd8c49 100644
+--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent;
++import com.netscape.certsrv.logging.event.DeltaCRLPublishingEvent;
+ import com.netscape.certsrv.publish.ILdapRule;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+ import com.netscape.certsrv.request.IRequest;
+@@ -2829,14 +2830,13 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+             publishCRL(newX509DeltaCRL, true);
+             mSplits[4] += System.currentTimeMillis();
+ 
+-        } catch (EBaseException e) {
+-            CMS.debug(e);
+-            log(ILogger.LL_FAILURE,
+-                    CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString()));
+-        } catch (OutOfMemoryError e) {
++            audit(new DeltaCRLPublishingEvent(getAuditSubjectID(), mCRLNumber));
++
++        } catch (Throwable e) {
+             CMS.debug(e);
+             log(ILogger.LL_FAILURE,
+                     CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString()));
++            audit(new DeltaCRLPublishingEvent(getAuditSubjectID(), mCRLNumber, e.getMessage()));
+         }
+     }
+ 
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java
 new file mode 100644
-index 0000000..27c8959
+index 0000000..d6521d7
 --- /dev/null
-+++ b/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor
-@@ -0,0 +1,110 @@
-+#!/usr/bin/python
-+# Authors:
-+#     Endi S. Dewata <edewata@redhat.com>
-+#
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation; version 2 of the License.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License along
-+# with this program; if not, write to the Free Software Foundation, Inc.,
-+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+#
-+# Copyright (C) 2016 Red Hat, Inc.
-+# All rights reserved.
++++ b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java
+@@ -0,0 +1,63 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
 +
-+from __future__ import absolute_import
-+from lxml import etree
-+import os
-+import shutil
++import java.math.BigInteger;
 +
-+import pki.server.upgrade
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
 +
++public class DeltaCRLPublishingEvent extends AuditEvent {
 +
-+class FixDeploymentDescriptor(pki.server.upgrade.PKIServerUpgradeScriptlet):
++    private static final long serialVersionUID = 1L;
 +
-+    def __init__(self):
-+        super(FixDeploymentDescriptor, self).__init__()
-+        self.message = 'Fix deployment descriptor'
-+        self.parser = etree.XMLParser(remove_blank_text=True)
++    public final static String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING";
 +
-+    def upgrade_instance(self, instance):
++    public DeltaCRLPublishingEvent(
++            String subjectID,
++            BigInteger crlNumber) {
 +
-+        self.fix_webapp(instance, 'ROOT.xml')
-+        self.fix_webapp(instance, 'pki#admin.xml')
-+        self.fix_webapp(instance, 'pki#js.xml')
++        super(LOGGING_PROPERTY);
 +
-+        self.fix_theme(instance, 'pki.xml')
++        setAttribute("CRLnum", crlNumber);
 +
-+    def fix_webapp(self, instance, context_xml):
++        setParameters(new Object[] {
++                subjectID,
++                ILogger.SUCCESS,
++                getAttributeList()
++        });
++    }
 +
-+        source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
-+        target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
++    public DeltaCRLPublishingEvent(
++            String subjectID,
++            BigInteger crlNumber,
++            String reason) {
 +
-+        # if deployment descriptor doesn't exist, install the default
-+        if not os.path.exists(target_xml):
-+            self.copy_file(instance, source_xml, target_xml)
-+            return
++        super(LOGGING_PROPERTY);
 +
-+        # get docBase from deployment descriptor
-+        document = etree.parse(target_xml, self.parser)
-+        context = document.getroot()
-+        docBase = context.get('docBase')
++        setAttribute("CRLnum", crlNumber);
++        setAttribute("FailureReason", reason);
 +
-+        # if docBase is absolute and pointing to non-empty folder, ignore
-+        if docBase.startswith('/') and \
-+                os.path.exists(docBase) and \
-+                os.listdir(docBase):
-+            return
++        setParameters(new Object[] {
++                subjectID,
++                ILogger.FAILURE,
++                getAttributeList()
++        });
++    }
++}
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 30b8e2a..c35d605 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2128,6 +2128,12 @@ LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=<type=CMC_ID_POP_LINK_WITNESS>:[A
+ #
+ LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEvent=DELTA_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Delta CRL generation
+ #
++# LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING
++# - used when delta CRL publishing is complete
++# Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise
++#
++LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=<type=DELTA_CRL_PUBLISHING>:[AuditEvent=DELTA_CRL_PUBLISHING][SubjectID={0}][Outcome={1}]{2} Delta CRL publishing
++#
+ # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL
+ # - used when CRLs are retrieved by the OCSP Responder
+ # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
+-- 
+1.8.3.1
+
+
+From 37e6ba6d1fb24694c2744adbc27c78b749d7e35d Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 26 May 2017 00:13:10 +0200
+Subject: [PATCH 36/38] Added FULL_CRL_GENERATION audit event.
+
+A new FULL_CRL_GENERATION audit event has been added which will
+be generated when full CRL generation is complete.
+
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: I74b083721e477ad72fe5a787935af617e89a6968
+---
+ base/ca/shared/conf/CS.cfg                         |  4 +-
+ base/ca/src/com/netscape/ca/CRLIssuingPoint.java   | 36 +++------
+ .../logging/event/FullCRLGenerationEvent.java      | 86 ++++++++++++++++++++++
+ base/server/cmsbundle/src/LogMessages.properties   |  6 ++
+ 4 files changed, 104 insertions(+), 28 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 867e4cb..3daac8b 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+index 9fd8c49..9583f50 100644
+--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+@@ -19,8 +19,6 @@ package com.netscape.ca;
+ 
+ import java.io.IOException;
+ import java.math.BigInteger;
+-import java.security.NoSuchAlgorithmException;
+-import java.security.cert.CRLException;
+ import java.util.Date;
+ import java.util.Enumeration;
+ import java.util.Hashtable;
+@@ -56,6 +54,7 @@ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent;
+ import com.netscape.certsrv.logging.event.DeltaCRLPublishingEvent;
++import com.netscape.certsrv.logging.event.FullCRLGenerationEvent;
+ import com.netscape.certsrv.publish.ILdapRule;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+ import com.netscape.certsrv.request.IRequest;
+@@ -84,7 +83,6 @@ import netscape.security.x509.RevokedCertImpl;
+ import netscape.security.x509.RevokedCertificate;
+ import netscape.security.x509.X509CRLImpl;
+ import netscape.security.x509.X509CertImpl;
+-import netscape.security.x509.X509ExtensionException;
+ 
+ /**
+  * This class encapsulates CRL issuing mechanism. CertificateAuthority
+@@ -2870,8 +2868,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+             if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) {
+                 if (mCRLCerts.size() == 0) {
+                     CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated");
+-                    throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
+-                            "No Revoked Certificates"));
++                    audit(FullCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), "No Revoked Certificates"));
++                    return;
+                 }
+             }
+ 
+@@ -2954,35 +2952,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+ 
+             CMS.debug("CRLIssuingPoint: Finished Logging CRL Update to transaction log");
+ 
++            audit(FullCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), mCRLNumber));
 +
-+        # if docBase is relative and pointing to non-empty folder, ignore
-+        if not docBase.startswith('/') and \
-+                os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
-+                os.listdir(instance.base_dir + '/webapps/' + docBase):
-+            return
+         } catch (EBaseException e) {
+             CMS.debug(e);
+             mUpdatingCRL = CRL_UPDATE_DONE;
+             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString()));
+-            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
++            audit(FullCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage()));
++            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()), e);
+ 
+-        } catch (NoSuchAlgorithmException e) {
+-            CMS.debug(e);
+-            mUpdatingCRL = CRL_UPDATE_DONE;
+-            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+-            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+-
+-        } catch (CRLException e) {
+-            CMS.debug(e);
+-            mUpdatingCRL = CRL_UPDATE_DONE;
+-            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+-            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+-
+-        } catch (X509ExtensionException e) {
+-            CMS.debug(e);
+-            mUpdatingCRL = CRL_UPDATE_DONE;
+-            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+-            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+-
+-        } catch (OutOfMemoryError e) {
++        } catch (Throwable e) {
+             CMS.debug(e);
+             mUpdatingCRL = CRL_UPDATE_DONE;
+             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
+-            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
++            audit(FullCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage()));
++            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()), e);
+         }
+ 
+         try {
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java
+new file mode 100644
+index 0000000..9dd47dd
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java
+@@ -0,0 +1,86 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
 +
-+        # docBase is pointing to non-existent/empty folder, replace with default
-+        self.copy_file(instance, source_xml, target_xml)
++import java.math.BigInteger;
 +
-+    def fix_theme(self, instance, context_xml):
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
 +
-+        source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
-+        target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
++public class FullCRLGenerationEvent extends AuditEvent {
 +
-+        # if deployment descriptor doesn't exist, ignore (no theme)
-+        if not os.path.exists(target_xml):
-+            return
++    private static final long serialVersionUID = 1L;
 +
-+        # get docBase from deployment descriptor
-+        document = etree.parse(target_xml, self.parser)
-+        context = document.getroot()
-+        docBase = context.get('docBase')
++    public final static String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION";
 +
-+        # if docBase is absolute and pointing to non-empty folder, ignore
-+        if docBase.startswith('/') and \
-+                os.path.exists(docBase) and \
-+                os.listdir(docBase):
-+            return
++    public FullCRLGenerationEvent() {
++        super(LOGGING_PROPERTY);
++    }
 +
-+        # if docBase is relative and pointing to non-empty folder, ignore
-+        if not docBase.startswith('/') and \
-+                os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
-+                os.listdir(instance.base_dir + '/webapps/' + docBase):
-+            return
++    public static FullCRLGenerationEvent createSuccessEvent(
++            String subjectID,
++            BigInteger crlNumber) {
++
++        FullCRLGenerationEvent event = new FullCRLGenerationEvent();
++
++        event.setAttribute("CRLnum", crlNumber);
++
++        event.setParameters(new Object[] {
++                subjectID,
++                ILogger.SUCCESS,
++                event.getAttributeList()
++        });
++
++        return event;
++    }
++
++    public static FullCRLGenerationEvent createSuccessEvent(
++            String subjectID,
++            String info) {
++
++        FullCRLGenerationEvent event = new FullCRLGenerationEvent();
++
++        event.setAttribute("Info", info);
++
++        event.setParameters(new Object[] {
++                subjectID,
++                ILogger.SUCCESS,
++                event.getAttributeList()
++        });
++
++        return event;
++    }
++
++    public static FullCRLGenerationEvent createFailureEvent(
++            String subjectID,
++            String reason) {
 +
-+        # docBase is pointing to non-existent/empty folder
++        FullCRLGenerationEvent event = new FullCRLGenerationEvent();
 +
-+        # if theme package is installed, replace deployment descriptor
-+        if os.path.exists(pki.SHARE_DIR + '/common-ui'):
-+            self.copy_file(instance, source_xml, target_xml)
++        event.setAttribute("FailureReason", reason);
 +
-+    def copy_file(self, instance, source, target):
++        event.setParameters(new Object[] {
++                subjectID,
++                ILogger.FAILURE,
++                event.getAttributeList()
++        });
 +
-+        self.backup(target)
-+        shutil.copyfile(source, target)
-+        os.chown(target, instance.uid, instance.gid)
++        return event;
++    }
++}
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index c35d605..f5ae7bb 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2134,6 +2134,12 @@ LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEven
+ #
+ LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=<type=DELTA_CRL_PUBLISHING>:[AuditEvent=DELTA_CRL_PUBLISHING][SubjectID={0}][Outcome={1}]{2} Delta CRL publishing
+ #
++# LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION
++# - used when full CRL generation is complete
++# Outcome is "success" when full CRL is generated successfully, "failure" otherwise
++#
++LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=<type=FULL_CRL_GENERATION>:[AuditEvent=FULL_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Full CRL generation
++#
+ # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL
+ # - used when CRLs are retrieved by the OCSP Responder
+ # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
 -- 
 1.8.3.1
 
 
-From c7aa56ee7df2052deff23190912f86b42042cd59 Mon Sep 17 00:00:00 2001
-From: Abhijeet Kasurde <akasurde@redhat.com>
-Date: Wed, 10 Aug 2016 11:58:49 +0530
-Subject: [PATCH 4/7] Added check for pki-server-nuxwdog parameter
+From 33838ebaffcdf121c4167379f0c917b5b5b67d0e Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 26 May 2017 00:46:53 +0200
+Subject: [PATCH 37/38] Added FULL_CRL_PUBLISHING audit event.
+
+A new FULL_CRL_PUBLISHING audit event has been added which will
+be generated when full CRL publishing is complete.
 
-Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
+https://pagure.io/dogtagpki/issue/2651
 
-Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
-(cherry picked from commit c79371fdc667e6acfcae7255f144e63cd60bf0f9)
-(cherry picked from commit b4d5fcc5a30a11ed5e84ca835aea733a5d5bbfb6)
+Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082
 ---
- base/server/sbin/pki-server-nuxwdog | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
+ base/ca/shared/conf/CS.cfg                         |  4 +-
+ base/ca/src/com/netscape/ca/CRLIssuingPoint.java   | 16 +++---
+ .../logging/event/FullCRLPublishingEvent.java      | 63 ++++++++++++++++++++++
+ base/server/cmsbundle/src/LogMessages.properties   |  6 +++
+ 4 files changed, 79 insertions(+), 10 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java
 
-diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog
-index 31fff5e..ead9253 100755
---- a/base/server/sbin/pki-server-nuxwdog
-+++ b/base/server/sbin/pki-server-nuxwdog
-@@ -1,8 +1,18 @@
- #!/bin/sh
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 3daac8b..fc21295 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+index 9583f50..be6ffa8 100644
+--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
++++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent;
+ import com.netscape.certsrv.logging.event.DeltaCRLPublishingEvent;
+ import com.netscape.certsrv.logging.event.FullCRLGenerationEvent;
++import com.netscape.certsrv.logging.event.FullCRLPublishingEvent;
+ import com.netscape.certsrv.publish.ILdapRule;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+ import com.netscape.certsrv.request.IRequest;
+@@ -2975,16 +2976,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
+             publishCRL(newX509CRL);
+             mSplits[9] += System.currentTimeMillis();
  
-+if [ "$#" -ne 1 ]; then
-+    echo "ERROR: $0 requires parameter"
-+    exit 1
-+fi
+-        } catch (EBaseException e) {
+-            CMS.debug(e);
+-            mUpdatingCRL = CRL_UPDATE_DONE;
+-            log(ILogger.LL_FAILURE,
+-                    CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString()));
+-        } catch (OutOfMemoryError e) {
++            audit(new FullCRLPublishingEvent(getAuditSubjectID(), mCRLNumber));
 +
- . /etc/tomcat/tomcat.conf
- NAME=$1
--. /etc/sysconfig/$NAME
-+if [ -f /etc/sysconfig/$NAME ]; then
-+    . /etc/sysconfig/$NAME
-+else
-+    echo "ERROR: Unable to find /etc/sysconfig/$NAME file"
-+    exit 1
-+fi
- . /usr/libexec/tomcat/preamble
- 
- NUXWDOG_PID=${CATALINA_BASE}/logs/wd-$NAME.pid
--- 
-1.8.3.1
-
-
-From caa7ef990bc5e45ce0aba29acb4f9ddec66e7551 Mon Sep 17 00:00:00 2001
-From: Geetika Kapoor <gkapoor@redhat.com>
-Date: Fri, 12 Aug 2016 05:35:58 -0400
-Subject: [PATCH 5/7] Fix for BZ 1358462
-
-(cherry picked from commit 4b48187b744f1cff2a64c4c5eb00866875a1f99d)
-(cherry picked from commit 92b6378053ef427b3a73866dbee415f7ee32d5ae)
----
- base/util/src/netscape/security/pkcs/PKCS12.java | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/base/util/src/netscape/security/pkcs/PKCS12.java b/base/util/src/netscape/security/pkcs/PKCS12.java
-index 6c7880a..e05d4b5 100644
---- a/base/util/src/netscape/security/pkcs/PKCS12.java
-+++ b/base/util/src/netscape/security/pkcs/PKCS12.java
-@@ -192,10 +192,14 @@ public class PKCS12 {
-         return result;
++        } catch (Throwable e) {
+             CMS.debug(e);
+             mUpdatingCRL = CRL_UPDATE_DONE;
+-            log(ILogger.LL_FAILURE,
+-                    CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString()));
++            String message = CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString());
++            log(ILogger.LL_FAILURE, message);
++            audit(new FullCRLPublishingEvent(getAuditSubjectID(), mCRLNumber, e.getMessage()));
++            throw new ECAException(message, e);
+         }
      }
  
--    public void removeCertInfoByNickname(String nickname) {
-+    public void removeCertInfoByNickname(String nickname) throws Exception {
- 
-         Collection<PKCS12CertInfo> result = getCertInfosByNickname(nickname);
- 
-+        if (result.isEmpty()) {
-+            throw new Exception("Certificate not found: " + nickname);
-+        }
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java b/base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java
+new file mode 100644
+index 0000000..a3764c0
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java
+@@ -0,0 +1,63 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import java.math.BigInteger;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++
++public class FullCRLPublishingEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public final static String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING";
++
++    public FullCRLPublishingEvent(
++            String subjectID,
++            BigInteger crlNumber) {
++
++        super(LOGGING_PROPERTY);
++
++        setAttribute("CRLnum", crlNumber);
++
++        setParameters(new Object[] {
++                subjectID,
++                ILogger.SUCCESS,
++                getAttributeList()
++        });
++    }
++
++    public FullCRLPublishingEvent(
++            String subjectID,
++            BigInteger crlNumber,
++            String reason) {
 +
-         for (PKCS12CertInfo certInfo : result) {
-             // remove cert and key
-             certInfosByID.remove(certInfo.getID());
++        super(LOGGING_PROPERTY);
++
++        setAttribute("CRLnum", crlNumber);
++        setAttribute("FailureReason", reason);
++
++        setParameters(new Object[] {
++                subjectID,
++                ILogger.FAILURE,
++                getAttributeList()
++        });
++    }
++}
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index f5ae7bb..689d7bc 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2140,6 +2140,12 @@ LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=<type=DELTA_CRL_PUBLISHING>:[AuditEven
+ #
+ LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=<type=FULL_CRL_GENERATION>:[AuditEvent=FULL_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Full CRL generation
+ #
++# LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING
++# - used when full  CRL publishing is complete
++# Outcome is "success" when full CRL is publishing successfully, "failure" otherwise
++#
++LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=<type=FULL_CRL_PUBLISHING>:[AuditEvent=FULL_CRL_PUBLISHING][SubjectID={0}][Outcome={1}]{2} Full CRL publishing
++#
+ # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL
+ # - used when CRLs are retrieved by the OCSP Responder
+ # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
 -- 
 1.8.3.1
 
 
-From 40509684cb71d3863d150a2844e02a7b9321f5d8 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Sun, 28 Aug 2016 20:38:48 +0200
-Subject: [PATCH 6/7] Fixed default token name for system certificates.
-
-Previously when installing with HSM the token name has to be
-specified for each system certificate in the pki_<cert>_token
-parameters. The deployment tool has been modified such that by
-default it will use the token name specified in pki_token_name.
-
-https://fedorahosted.org/pki/ticket/2423
-(cherry picked from commit 389420ad4ea9994fb54132454a14abbb83c2c35d)
-(cherry picked from commit f4f62162f16da41a74328889bf2e0d17c223d48d)
----
- base/server/etc/default.cfg                        | 16 +++++------
- .../python/pki/server/deployment/pkiparser.py      | 33 ++++++++++++++++++++--
- 2 files changed, 38 insertions(+), 11 deletions(-)
-
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index 79e5545..51357e6 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -78,7 +78,7 @@ pki_audit_signing_key_algorithm=SHA256withRSA
- pki_audit_signing_key_size=2048
- pki_audit_signing_key_type=rsa
- pki_audit_signing_signing_algorithm=SHA256withRSA
--pki_audit_signing_token=Internal Key Storage Token
-+pki_audit_signing_token=
- pki_backup_keys=False
- pki_backup_password=
- pki_ca_hostname=%(pki_security_domain_hostname)s
-@@ -125,13 +125,13 @@ pki_ssl_server_key_size=2048
- pki_ssl_server_key_type=rsa
- pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
- pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
--pki_ssl_server_token=Internal Key Storage Token
-+pki_ssl_server_token=
- pki_subsystem_key_algorithm=SHA256withRSA
- pki_subsystem_key_size=2048
- pki_subsystem_key_type=rsa
- pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
- pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s
--pki_subsystem_token=Internal Key Storage Token
-+pki_subsystem_token=
- pki_theme_enable=True
- pki_theme_server_dir=/usr/share/pki/common-ui
- pki_token_name=internal
-@@ -293,7 +293,7 @@ pki_ca_signing_key_type=rsa
- pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
- pki_ca_signing_signing_algorithm=SHA256withRSA
- pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
--pki_ca_signing_token=Internal Key Storage Token
-+pki_ca_signing_token=
- pki_ca_signing_csr_path=
- pki_ca_signing_cert_path=
- pki_ca_starting_crl_number=0
-@@ -317,7 +317,7 @@ pki_ocsp_signing_key_type=rsa
- pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
- pki_ocsp_signing_signing_algorithm=SHA256withRSA
- pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
--pki_ocsp_signing_token=Internal Key Storage Token
-+pki_ocsp_signing_token=
- pki_profiles_in_ldap=False
- pki_random_serial_numbers_enable=False
- pki_subordinate=False
-@@ -410,14 +410,14 @@ pki_storage_key_type=rsa
- pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
- pki_storage_signing_algorithm=SHA256withRSA
- pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
--pki_storage_token=Internal Key Storage Token
-+pki_storage_token=
- pki_transport_key_algorithm=SHA256withRSA
- pki_transport_key_size=2048
- pki_transport_key_type=rsa
- pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
- pki_transport_signing_algorithm=SHA256withRSA
- pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
--pki_transport_token=Internal Key Storage Token
-+pki_transport_token=
- pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
- pki_admin_name=%(pki_admin_uid)s
- pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-@@ -479,7 +479,7 @@ pki_ocsp_signing_key_type=rsa
- pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
- pki_ocsp_signing_signing_algorithm=SHA256withRSA
- pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
--pki_ocsp_signing_token=Internal Key Storage Token
-+pki_ocsp_signing_token=
- pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
- pki_admin_name=%(pki_admin_uid)s
- pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
-diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
-index 115f3ca..6e922cf 100644
---- a/base/server/python/pki/server/deployment/pkiparser.py
-+++ b/base/server/python/pki/server/deployment/pkiparser.py
-@@ -564,6 +564,24 @@ class PKIConfigParser:
-         root = ET.fromstring(response)
-         return root.findtext("Status")
- 
-+    def normalize_cert_token(self, name):
-+
-+        # get cert token
-+        token = self.mdict.get(name)
-+
-+        # if not specified, get default token name
-+        if not token:
-+            token = self.mdict.get('pki_token_name')
-+
-+        # normalize internal token name
-+        if not token or \
-+                token.lower() == 'internal' or \
-+                token.lower() == 'internal key storage token':
-+            token = 'Internal Key Storage Token'
-+
-+        # update cert token
-+        self.mdict[name] = token
-+
-     def compose_pki_master_dictionary(self):
-         """
-         Create a single master PKI dictionary from the
-@@ -595,11 +613,11 @@ class PKIConfigParser:
-             instance = pki.server.PKIInstance(self.mdict['pki_instance_name'])
-             instance.load()
- 
--            internal_password = self.mdict['pki_self_signed_token']
-+            internal_token = self.mdict['pki_self_signed_token']
- 
-             # if instance already exists and has password, reuse the password
--            if internal_password in instance.passwords:
--                self.mdict['pki_pin'] = instance.passwords.get(internal_password)
-+            if internal_token in instance.passwords:
-+                self.mdict['pki_pin'] = instance.passwords.get(internal_token)
- 
-             # otherwise, use user-provided password if specified
-             elif 'pki_pin' in self.mdict:
-@@ -1207,6 +1225,15 @@ class PKIConfigParser:
-                 # always normalize 'default' softokn name
-                 self.mdict['pki_token_name'] = "internal"
- 
-+            # normalize cert tokens
-+            self.normalize_cert_token('pki_audit_signing_token')
-+            self.normalize_cert_token('pki_ssl_server_token')
-+            self.normalize_cert_token('pki_subsystem_token')
-+            self.normalize_cert_token('pki_ca_signing_token')
-+            self.normalize_cert_token('pki_ocsp_signing_token')
-+            self.normalize_cert_token('pki_storage_token')
-+            self.normalize_cert_token('pki_transport_token')
-+
-             # if security domain user is not defined
-             if not len(self.mdict['pki_security_domain_user']):
- 
--- 
-1.8.3.1
-
-
-From d5d19fc9b4d4d92c02fe2e75626f69c124ecd040 Mon Sep 17 00:00:00 2001
+From c9a9fe6e31d860c089dd2b2ee584dd0d4a9b2174 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Sat, 27 Aug 2016 00:07:08 +0200
-Subject: [PATCH 7/7] Moved subsystem initialization after database
- initialization.
+Date: Fri, 19 May 2017 00:33:26 +0200
+Subject: [PATCH 38/38] Added SCHEDULE_CRL_GENERATION audit event.
 
-Previously issues with system certificates that happen during
-subsystem initialization were reported as database initialization
-error. Database initialization actually does not depend on
-subsystem initialization, so to avoid confusion and to simplify the
-code the reInitSubsystem() in SystemConfigService is now invoked
-after the initializeDatabase() is complete.
+A new SCHEDULE_CRL_GENERATION audit event has been added which
+will be generated when CRL generation is scheduled manually.
 
-https://fedorahosted.org/pki/ticket/2423
-(cherry picked from commit 9f954fda5fdeda229662a466e645561639ac8402)
-(cherry picked from commit 465bf002c0671e7251738ce9a4e54bba9853780a)
+https://pagure.io/dogtagpki/issue/2651
+
+Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a
 ---
- base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ base/ca/shared/conf/CS.cfg                         |  4 +-
+ .../logging/event/ScheduleCRLGenerationEvent.java  | 56 ++++++++++++++++++++++
+ .../com/netscape/cms/servlet/cert/UpdateCRL.java   | 16 +++++--
+ base/server/cmsbundle/src/LogMessages.properties   |  6 +++
+ 4 files changed, 77 insertions(+), 5 deletions(-)
+ create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java
 
-diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-index 95afa4c..9d7c176 100644
---- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-@@ -178,6 +178,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
-         }
-         initializeDatabase(data);
- 
-+        ConfigurationUtils.reInitSubsystem(csType);
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index fc21295..d1bf7db 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
+ log.instance.SignedAudit._002=##
+ log.instance.SignedAudit._003=##
+ log.instance.SignedAudit._004=## Available Audit events:
+-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
++log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
+ log.instance.SignedAudit.expirationTime=0
+ log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
+ log.instance.SignedAudit.flushInterval=5
+diff --git a/base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java
+new file mode 100644
+index 0000000..5b2a461
+--- /dev/null
++++ b/base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java
+@@ -0,0 +1,56 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2017 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.certsrv.logging.event;
++
++import com.netscape.certsrv.logging.AuditEvent;
++import com.netscape.certsrv.logging.ILogger;
++
++public class ScheduleCRLGenerationEvent extends AuditEvent {
++
++    private static final long serialVersionUID = 1L;
++
++    public final static String LOGGING_PROPERTY =
++            "LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION";
++
++    public ScheduleCRLGenerationEvent(
++            String subjectID) {
 +
-         configureCACertChain(data, domainXML);
++        super(LOGGING_PROPERTY);
++
++        setParameters(new Object[] {
++                subjectID,
++                ILogger.SUCCESS,
++                getAttributeList()
++        });
++    }
++
++    public ScheduleCRLGenerationEvent(
++            String subjectID,
++            Exception e) {
++
++        super(LOGGING_PROPERTY);
++
++        setAttribute("FailureReason", e.getMessage());
++
++        setParameters(new Object[] {
++                subjectID,
++                ILogger.FAILURE,
++                getAttributeList()
++        });
++    }
++}
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+index b4d9d29..a9a2cd2 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+@@ -45,6 +45,7 @@ import com.netscape.certsrv.common.ICMSRequest;
+ import com.netscape.certsrv.ldap.ELdapException;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.ScheduleCRLGenerationEvent;
+ import com.netscape.certsrv.publish.ILdapRule;
+ import com.netscape.certsrv.publish.IPublisherProcessor;
+ import com.netscape.certsrv.util.IStatsSubsystem;
+@@ -375,9 +376,18 @@ public class UpdateCRL extends CMSServlet {
  
-         Collection<Cert> certs = new ArrayList<Cert>();
-@@ -777,7 +779,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
-                     ConfigurationUtils.setupReplication();
-                 }
+             } else {
  
--                ConfigurationUtils.reInitSubsystem(csType);
-                 ConfigurationUtils.populateDBManager();
-                 ConfigurationUtils.populateVLVIndexes();
+-                CMS.debug("UpdateCRL: scheduling CRL update");
+-                crlIssuingPoint.setManualUpdate(signatureAlgorithm);
+-                header.addStringValue("crlUpdate", "Scheduled");
++                try {
++                    CMS.debug("UpdateCRL: scheduling CRL update");
++
++                    crlIssuingPoint.setManualUpdate(signatureAlgorithm);
++                    header.addStringValue("crlUpdate", "Scheduled");
++
++                    audit(new ScheduleCRLGenerationEvent(auditSubjectID()));
++
++                } catch (Exception e) {
++                    audit(new ScheduleCRLGenerationEvent(auditSubjectID(), e));
++                    throw e;
++                }
              }
+ 
+             return;
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 689d7bc..9490098 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2122,6 +2122,12 @@ LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=<type=CMC_PROOF_OF_IDENTIFICA
+ #
+ LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=<type=CMC_ID_POP_LINK_WITNESS>:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
+ #
++# LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION
++# - used when CRL generation is scheduled
++# Outcome is "success" when CRL generation is scheduled successfully, "failure" otherwise
++#
++LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=<type=SCHEDULE_CRL_GENERATION>:[AuditEvent=SCHEDULE_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} schedule for CRL generation
++#
+ # LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION
+ # - used when delta CRL generation is complete
+ # Outcome is "success" when delta CRL is generated successfully, "failure" otherwise
 -- 
 1.8.3.1
 
diff --git a/SOURCES/pki-core-snapshot-3.patch b/SOURCES/pki-core-snapshot-3.patch
index f02f47e..ac2099b 100644
--- a/SOURCES/pki-core-snapshot-3.patch
+++ b/SOURCES/pki-core-snapshot-3.patch
@@ -1,992 +1,1192 @@
-From d9c0460a85dab6249844f6f8a2fe4d45c11554e5 Mon Sep 17 00:00:00 2001
+From 14e44691ef0b61220d390afb745496b7d62945ee Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 31 Aug 2016 16:15:19 +0200
-Subject: [PATCH 1/9] Fixed debug log in UpdateNumberRange servlet.
+Date: Tue, 30 May 2017 21:15:44 +0200
+Subject: [PATCH 04/27] Added pkispawn options for two-step installation.
 
-To help troubleshooting the debug log in UpdateNumberRange servlet
-has been modified to show the exception stack trace.
+New --skip-configuration and --skip-installation options have
+been added to pkispawn to provide a mechanism to set the
+pki_skip_configuration and pki_skip_installation parameters
+without changing the deployment configuration file.
 
-https://fedorahosted.org/pki/ticket/2436
-(cherry picked from commit 1922f77e825c8c0ec742382b752b0a32afbff8a9)
-(cherry picked from commit a9db37c53fff88d0f00293df0fd29877bb797091)
+https://pagure.io/dogtagpki/issue/2707
+
+Change-Id: I069b51b5be65dee2fe0f4ca75e3693bcd21007de
 ---
- .../cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java    | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ base/server/sbin/pkispawn | 40 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 34 insertions(+), 6 deletions(-)
 
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
-index b99a298..e068bd4 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
-@@ -247,7 +247,8 @@ public class UpdateNumberRange extends CMSServlet {
-             audit(auditMessage);
+diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
+index 9e2ebc8..742f579 100755
+--- a/base/server/sbin/pkispawn
++++ b/base/server/sbin/pkispawn
+@@ -91,6 +91,18 @@ def main(argv):
+         dest='precheck', action='store_true',
+         help='Execute pre-checks and exit')
  
-         } catch (Exception e) {
--            CMS.debug("UpdateNumberRange: Failed to update number range. Exception: " + e.toString());
-+            CMS.debug("UpdateNumberRange: Failed to update number range: " + e);
-+            CMS.debug(e);
++    parser.optional.add_argument(
++        '--skip-configuration',
++        dest='skip_configuration',
++        action='store_true',
++        help='skip configuration step')
++
++    parser.optional.add_argument(
++        '--skip-installation',
++        dest='skip_installation',
++        action='store_true',
++        help='skip installation step')
++
+     args = parser.process_command_line_arguments()
  
-             auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
--- 
-1.8.3.1
-
-
-From d0f45bfb653636673300b169dfa8ffe90b63cb58 Mon Sep 17 00:00:00 2001
-From: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
-Date: Wed, 31 Aug 2016 14:03:02 -0700
-Subject: [PATCH 2/9] Ticket #2446 pkispawn: make subject_dn defaults unique
- per instance name (for shared HSM) When installing multiple instances on the
- same host sharing the same HSM, if subject_dn's are not specifically spelled
- out with unique names for each instance, installation will fail with
- complaints that same subject name and serial number already exist. This
- happens in the scenario if you are creating a subordinate CA, for example,
- that's in the same domain name as the root CA. It is very inconvenient that
- you are expected to spell out subject dn's of all system certs in the
- pkispawn config file. This patch changes default.cfg so that the instance
- name is in the default subject dn, e.g. adding it as an "ou" component:
- ou=%(pki_instance_name)s
-
-(cherry picked from commit 1195ee9d6e45783d238edc1799363c21590febce)
-(cherry picked from commit 1d1b3a705fdaca26d580566ff3fb1725334ff674)
----
- base/server/etc/default.cfg | 34 +++++++++++++++++-----------------
- 1 file changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index 51357e6..6e9b074 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -124,13 +124,13 @@ pki_ssl_server_key_algorithm=SHA256withRSA
- pki_ssl_server_key_size=2048
- pki_ssl_server_key_type=rsa
- pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
--pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s
-+pki_ssl_server_subject_dn=cn=%(pki_hostname)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_ssl_server_token=
- pki_subsystem_key_algorithm=SHA256withRSA
- pki_subsystem_key_size=2048
- pki_subsystem_key_type=rsa
- pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
--pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s
-+pki_subsystem_subject_dn=cn=Subsystem Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_subsystem_token=
- pki_theme_enable=True
- pki_theme_server_dir=/usr/share/pki/common-ui
-@@ -292,7 +292,7 @@ pki_ca_signing_key_size=2048
- pki_ca_signing_key_type=rsa
- pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
- pki_ca_signing_signing_algorithm=SHA256withRSA
--pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s
-+pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_ca_signing_token=
- pki_ca_signing_csr_path=
- pki_ca_signing_cert_path=
-@@ -316,7 +316,7 @@ pki_ocsp_signing_key_size=2048
- pki_ocsp_signing_key_type=rsa
- pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
- pki_ocsp_signing_signing_algorithm=SHA256withRSA
--pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s
-+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_ocsp_signing_token=
- pki_profiles_in_ldap=False
- pki_random_serial_numbers_enable=False
-@@ -326,10 +326,10 @@ pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security
- pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
- pki_admin_name=%(pki_admin_uid)s
- pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
--pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_admin_uid=caadmin
- pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
--pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s
-+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_ds_base_dn=o=%(pki_instance_name)s-CA
- pki_ds_database=%(pki_instance_name)s-CA
- pki_ds_hostname=%(pki_hostname)s
-@@ -409,22 +409,22 @@ pki_storage_key_size=2048
- pki_storage_key_type=rsa
- pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
- pki_storage_signing_algorithm=SHA256withRSA
--pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s
-+pki_storage_subject_dn=cn=DRM Storage Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_storage_token=
- pki_transport_key_algorithm=SHA256withRSA
- pki_transport_key_size=2048
- pki_transport_key_type=rsa
- pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
- pki_transport_signing_algorithm=SHA256withRSA
--pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s
-+pki_transport_subject_dn=cn=DRM Transport Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_transport_token=
- pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
- pki_admin_name=%(pki_admin_uid)s
- pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
--pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_admin_uid=kraadmin
- pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
--pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s
-+pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_ds_base_dn=o=%(pki_instance_name)s-KRA
- pki_ds_database=%(pki_instance_name)s-KRA
- pki_ds_hostname=%(pki_hostname)s
-@@ -478,15 +478,15 @@ pki_ocsp_signing_key_size=2048
- pki_ocsp_signing_key_type=rsa
- pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
- pki_ocsp_signing_signing_algorithm=SHA256withRSA
--pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s
-+pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_ocsp_signing_token=
- pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
- pki_admin_name=%(pki_admin_uid)s
- pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
--pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_admin_uid=ocspadmin
- pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP
--pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s
-+pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_ds_base_dn=o=%(pki_instance_name)s-OCSP
- pki_ds_database=%(pki_instance_name)s-OCSP
- pki_ds_hostname=%(pki_hostname)s
-@@ -515,10 +515,10 @@ pki_import_admin_cert=True
- pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
- pki_admin_name=%(pki_admin_uid)s
- pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
--pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_admin_uid=tksadmin
- pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS
--pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s
-+pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_ds_base_dn=o=%(pki_instance_name)s-TKS
- pki_ds_database=%(pki_instance_name)s-TKS
- pki_ds_hostname=%(pki_hostname)s
-@@ -537,10 +537,10 @@ pki_import_admin_cert=True
- pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
- pki_admin_name=%(pki_admin_uid)s
- pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
--pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s
-+pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_admin_uid=tpsadmin
- pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS
--pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,o=%(pki_security_domain_name)s
-+pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
- pki_ds_base_dn=o=%(pki_instance_name)s-TPS
- pki_ds_database=%(pki_instance_name)s-TPS
- pki_ds_hostname=%(pki_hostname)s
+     config.default_deployment_cfg = \
+@@ -475,6 +487,24 @@ def main(argv):
+         sys.exit(1)
+ 
+     start_logging()
++
++    # Read the specified PKI configuration file.
++    rv = parser.read_pki_configuration_file()
++    if rv != 0:
++        config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv,
++                             extra=config.PKI_INDENTATION_LEVEL_0)
++        sys.exit(1)
++
++    # --skip-configuration
++    if args.skip_configuration:
++        parser.set_property(deployer.subsystem_name,
++                            'pki_skip_configuration', 'True')
++
++    # --skip-installation
++    if args.skip_installation:
++        parser.set_property(deployer.subsystem_name,
++                            'pki_skip_installation', 'True')
++
+     create_master_dictionary(parser)
+ 
+     if not interactive and \
+@@ -635,23 +665,21 @@ def start_logging():
+ 
+ 
+ def create_master_dictionary(parser):
+-    # Read the specified PKI configuration file.
+-    rv = parser.read_pki_configuration_file()
+-    if rv != 0:
+-        config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv,
+-                             extra=config.PKI_INDENTATION_LEVEL_0)
+-        sys.exit(1)
+ 
+     # Read in the PKI slots configuration file.
+     parser.compose_pki_slots_dictionary()
++
+     config.pki_log.debug(log.PKI_DICTIONARY_SLOTS,
+                          extra=config.PKI_INDENTATION_LEVEL_0)
+     config.pki_log.debug(pkilogging.log_format(parser.slots_dict),
+                          extra=config.PKI_INDENTATION_LEVEL_0)
++
+     # Combine the various sectional dictionaries into a PKI master dictionary
+     parser.compose_pki_master_dictionary()
++
+     parser.mdict['pki_spawn_log'] = \
+         config.pki_log_dir + "/" + config.pki_log_name
++
+     config.pki_log.debug(log.PKI_DICTIONARY_MASTER,
+                          extra=config.PKI_INDENTATION_LEVEL_0)
+     config.pki_log.debug(pkilogging.log_format(parser.mdict),
 -- 
 1.8.3.1
 
 
-From f142e739d0296e29914a39c1591a5f1681f0ac31 Mon Sep 17 00:00:00 2001
+From 9af1746463bec2e62c990279d857635f693cfac7 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Mon, 29 Aug 2016 08:33:05 +0200
-Subject: [PATCH 3/9] Added support to create system certificates in different
- tokens.
-
-Previously all system certificates were always created in the same
-token specified in the pki_token_name parameter.
+Date: Tue, 30 May 2017 21:07:59 +0200
+Subject: [PATCH 05/27] Fixed two-step subordinate CA installation.
 
-To allow creating system certificates in different tokens, the
-configuration.py has been modified to store the system certificate
-token names specified in pki_<cert>_token parameters into the
-CS.cfg before the server is started.
+The initialization scriptlet has been fixed to verify the subsystem
+existence properly when running the second step of the two-step
+subordinate CA installation.
 
-After the server is started, the configuration servlet will read
-the token names from the CS.cfg and create the certificates in the
-appropriate token.
+https://pagure.io/dogtagpki/issue/2707
 
-https://fedorahosted.org/pki/ticket/2449
-(cherry picked from commit bc65e12500cbc3381b4e755a4a50214f43049ad3)
-(cherry picked from commit 261e550a25ced3c61fc0c3afeb910d17b7472a3c)
+Change-Id: I0cc8ca21fda8637b4b34f4c5a1c108d213f638f8
 ---
- .../cms/servlet/csadmin/ConfigurationUtils.java    | 18 +++++++----
- .../dogtagpki/server/rest/SystemConfigService.java |  9 ++----
- .../src/com/netscape/cmscore/apps/CMSEngine.java   |  4 +--
- .../server/deployment/scriptlets/configuration.py  | 37 +++++++++++++++++++---
- 4 files changed, 49 insertions(+), 19 deletions(-)
+ .../pki/server/deployment/scriptlets/initialization.py       | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
 
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-index 34500d0..3e638ad 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-@@ -2826,7 +2826,7 @@ public class ConfigurationUtils {
-         }
- 
-         config.putString(subsystem + "." + certTag + ".nickname", nickname);
--        config.putString(subsystem + "." + certTag + ".tokenname", token);
+diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
+index 4dc4e9a..1ae77e4 100644
+--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
++++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
+@@ -54,13 +54,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+         else:
+             config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__,
+                                 extra=config.PKI_INDENTATION_LEVEL_1)
 +
-         if (certTag.equals("audit_signing")) {
-             if (!token.equals("Internal Key Storage Token") && !token.equals("")) {
-                 config.putString("log.instance.SignedAudit.signedAuditCertNickname",
-@@ -3325,14 +3325,15 @@ public class ConfigurationUtils {
-         return 0;
-     }
- 
--    public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException,
-+    public static void setCertPermissions(Cert cert) throws EBaseException, NotInitializedException,
-             ObjectNotFoundException, TokenException {
-+
-+        String tag = cert.getCertTag();
-         if (tag.equals("signing") || tag.equals("external_signing"))
-             return;
- 
--        IConfigStore cs = CMS.getConfigStore();
--        String nickname = cs.getString("preop.cert." + tag + ".nickname", "");
--        String tokenname = cs.getString("preop.module.token", "");
-+        String nickname = cert.getNickname();
-+        String tokenname = cert.getTokenname();
-         if (!tokenname.equals("Internal Key Storage Token"))
-             nickname = tokenname + ":" + nickname;
- 
-@@ -4554,9 +4555,11 @@ public class ConfigurationUtils {
- 
-     public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
-             TokenException, CertificateEncodingException, IOException {
-+
-         IConfigStore cs = CMS.getConfigStore();
--        String nickname = cs.getString("preop.cert.subsystem.nickname", "");
--        String tokenname = cs.getString("preop.module.token", "");
-+        String subsystem = cs.getString("cs.type").toLowerCase();
-+        String nickname = cs.getString(subsystem + ".subsystem.nickname", "");
-+        String tokenname = cs.getString(subsystem + ".subsystem.tokenname", "");
- 
-         if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")
-                 && !tokenname.equals("")) {
-@@ -4571,6 +4574,7 @@ public class ConfigurationUtils {
-             CMS.debug("ConfigurationUtils: getSubsystemCert: subsystem cert is null");
-             return null;
-         }
++            # Verify that the subsystem already exists for the following cases:
++            # - External CA (Step 2)
++            # - Stand-alone PKI (Step 2)
++            # - Two-step installation (Step 2)
 +
-         byte[] bytes = cert.getEncoded();
-         String s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes));
-         return s;
-diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-index 9d7c176..5cc6f63 100644
---- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-@@ -199,7 +199,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
-             try {
-                 CMS.debug("Processing '" + cert.getCertTag() + "' certificate:");
-                 ret = ConfigurationUtils.handleCerts(cert);
--                ConfigurationUtils.setCertPermissions(cert.getCertTag());
-+                ConfigurationUtils.setCertPermissions(cert);
-                 CMS.debug("Processed '" + cert.getCertTag() + "' certificate.");
-             } catch (Exception e) {
-                 CMS.debug(e);
-@@ -386,7 +386,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
- 
-                 processCert(
-                         request,
--                        token,
-                         certList,
-                         certs,
-                         hasSigningCert,
-@@ -415,7 +414,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
- 
-     public void processCert(
-             ConfigurationRequest request,
--            String token,
-             Collection<String> certList,
-             Collection<Cert> certs,
-             MutableBoolean hasSigningCert,
-@@ -460,13 +458,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
-                 String curvename = certData.getKeyCurveName() != null ?
-                         certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
-                 cs.putString("preop.cert." + tag + ".curvename.name", curvename);
--                ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
-+                ConfigurationUtils.createECCKeyPair(tokenName, curvename, cs, tag);
- 
-             } else {
-                 String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs
-                         .getString("keys.rsa.keysize.default");
-                 cs.putString("preop.cert." + tag + ".keysize.size", keysize);
--                ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
-+                ConfigurationUtils.createRSAKeyPair(tokenName, Integer.parseInt(keysize), cs, tag);
-             }
- 
-         } else {
-@@ -600,7 +598,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
-         }
- 
-         cs.putString(csSubsystem + "." + tag + ".nickname", cdata.getNickname());
--        cs.putString(csSubsystem + "." + tag + ".tokenname", cdata.getToken());
-         cs.putString(csSubsystem + "." + tag + ".certreq", cdata.getRequest());
-         cs.putString(csSubsystem + "." + tag + ".cert", cdata.getCert());
-         cs.putString(csSubsystem + "." + tag + ".dn", cdata.getSubjectDN());
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
-index c62087e..a334824 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
-@@ -1235,8 +1235,8 @@ public class CMSEngine implements ICMSEngine {
-             // get SSL server nickname
-             IConfigStore serverCertStore = mConfig.getSubStore(id + "." + "sslserver");
-             if (serverCertStore != null && serverCertStore.size() > 0) {
--                String nickName = serverCertStore.getString("nickname");
--                String tokenName = serverCertStore.getString("tokenname");
-+                String nickName = serverCertStore.getString("nickname", null);
-+                String tokenName = serverCertStore.getString("tokenname", null);
-                 if (tokenName != null && tokenName.length() > 0 &&
-                         nickName != null && nickName.length() > 0) {
-                     CMS.setServerCertNickname(tokenName, nickName);
-diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
-index 64ee4e5..97f6d3e 100644
---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
-+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
-@@ -39,6 +39,31 @@ import pki.util
- # PKI Deployment Configuration Scriptlet
- class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- 
-+    def store_cert_tokens(self, subsystem, deployer):
-+
-+        subsystem.config[subsystem.name + '.audit_signing.tokenname'] = (
-+            deployer.mdict['pki_audit_signing_token'])
-+        subsystem.config[subsystem.name + '.sslserver.tokenname'] = (
-+            deployer.mdict['pki_ssl_server_token'])
-+        subsystem.config[subsystem.name + '.subsystem.tokenname'] = (
-+            deployer.mdict['pki_subsystem_token'])
-+
-+        if subsystem.name == 'ca':
-+            subsystem.config['ca.signing.tokenname'] = (
-+                deployer.mdict['pki_ca_signing_token'])
-+            subsystem.config['ca.ocsp_signing.tokenname'] = (
-+                deployer.mdict['pki_ocsp_signing_token'])
-+
-+        elif subsystem.name == 'kra':
-+            subsystem.config['kra.storage.tokenname'] = (
-+                deployer.mdict['pki_storage_token'])
-+            subsystem.config['kra.transport.tokenname'] = (
-+                deployer.mdict['pki_transport_token'])
-+
-+        elif subsystem.name == 'ocsp':
-+            subsystem.config['ocsp.signing.tokenname'] = (
-+                deployer.mdict['pki_ocsp_signing_token'])
-+
-     def spawn(self, deployer):
- 
-         if config.str2bool(deployer.mdict['pki_skip_configuration']):
-@@ -265,13 +290,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                     nickname=signing_nickname,
-                     output_format='base64')
-                 subsystem.config['ca.signing.nickname'] = signing_nickname
--                subsystem.config['ca.signing.tokenname'] = (
--                    deployer.mdict['pki_ca_signing_token'])
-                 subsystem.config['ca.signing.cert'] = signing_cert_data
-                 subsystem.config['ca.signing.cacertnickname'] = signing_nickname
-                 subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
-                     deployer.mdict['pki_ca_signing_signing_algorithm'])
- 
-+                # Store cert tokens in CS.cfg.
-+                self.store_cert_tokens(subsystem, deployer)
-+
-                 subsystem.save()
- 
-                 # verify the signing certificate
-@@ -282,7 +308,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                     instance, 'ca')
-                 verifier.verify_certificate('signing')
- 
--            else:  # self-signed CA
-+            else:  # other installation types
- 
-                 # To be implemented in ticket #1692.
- 
-@@ -290,7 +316,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                 # Self sign CA cert.
-                 # Import self-signed CA cert into NSS database.
- 
--                pass
-+                # Store cert tokens in CS.cfg.
-+                self.store_cert_tokens(subsystem, deployer)
-+
-+                subsystem.save()
- 
-         finally:
-             nssdb.close()
+             if (deployer.mdict['pki_subsystem'] == "CA" or
+                 config.str2bool(deployer.mdict['pki_standalone'])) and \
+-                    config.str2bool(deployer.mdict['pki_external_step_two']):
+-                # verify that this External CA (Step 2), or Stand-alone PKI
+-                # (Step 2) currently EXISTS for this "instance"
++                    config.str2bool(deployer.mdict['pki_external_step_two']) or \
++               config.str2bool(deployer.mdict['pki_skip_installation']):
+                 deployer.instance.verify_subsystem_exists()
+                 deployer.mdict['pki_skip_installation'] = "True"
++
+             else:
+                 # verify that this type of "subsystem" does NOT yet
+                 # exist for this "instance"
 -- 
 1.8.3.1
 
 
-From 92d92c6ee2a0a531183a373cc1f3975662fdca40 Mon Sep 17 00:00:00 2001
+From 0984d8a114b326a75b2c32cd9da2b7dee23920bb Mon Sep 17 00:00:00 2001
 From: Ade Lee <alee@redhat.com>
-Date: Fri, 2 Sep 2016 16:08:02 -0400
-Subject: [PATCH 4/9] Fix CertRequestInfo URLs
+Date: Fri, 26 May 2017 22:57:07 -0400
+Subject: [PATCH 07/27] Convert CMC code to use AES
 
-The URLs were generated by a UriBuilder that referred to the resource's
-annotated path.  This top-level path changed though, even if the underlying
-paths did not.  Replace this with a reference to the getX methods instead.
+* Switched out CrytoUtil calls that use DES and replaced them
+  with AES equivalents.  Removed these now unneeded methods.
+* Added 16 byte constant IV for AES operations.  This must be
+  replaced by a randomly generated IV.  Added TODOs where IVs
+  should be replaced.
+* Corrected misspellings of "enreypted" in both request fields
+  and variable names
+* Removed some code from null checks where the result could
+  never be null.  These cases were flagged in eclipse as dead
+  code.
 
-Also fixed a few eclipse flagged warnings (unused imports etc).
-
-Ticket 2447
-
-(cherry picked from commit 7a93dbeae18407e28437f4affc31ddc24a2c42f2)
-(cherry picked from commit 7baa7e60b708c5b4c79d6dd963321d34958cc81b)
+Change-Id: Iec0c0e86fd772af8b3c9588f11a0ea1e517776fb
 ---
- .../com/netscape/ca/ExternalProcessKeyRetriever.java    |  7 +------
- .../src/com/netscape/cmstools/HttpClient.java           |  2 --
- .../com/netscape/cms/servlet/cert/CertRequestDAO.java   | 17 ++++++++++++++---
- .../cms/servlet/cert/CertRequestInfoFactory.java        | 15 ++++++++-------
- .../src/com/netscape/cms/servlet/cert/DoRevokeTPS.java  | 15 +++++++--------
- .../cms/servlet/profile/ProfileReviewServlet.java       |  1 -
- .../dogtagpki/server/tps/rest/TPSInstallerService.java  |  2 +-
- 7 files changed, 31 insertions(+), 28 deletions(-)
-
-diff --git a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
-index a1b7748..736d870 100644
---- a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
-+++ b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
-@@ -20,16 +20,11 @@ package com.netscape.ca;
- 
- import java.io.IOException;
- import java.io.InputStream;
--import java.lang.Process;
--import java.lang.ProcessBuilder;
- import java.util.Collection;
- import java.util.Stack;
+ .../src/com/netscape/cmstools/CMCRequest.java      |  18 +++-
+ .../netscape/cms/profile/common/EnrollProfile.java | 111 ++++++++++++++-------
+ .../cms/servlet/common/CMCOutputTemplate.java      |  40 ++++----
+ .../com/netscape/cmsutil/crypto/CryptoUtil.java    |  84 ++--------------
+ 4 files changed, 113 insertions(+), 140 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+index 9c41403..8d49b20 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+@@ -52,6 +52,9 @@ import org.mozilla.jss.asn1.SET;
+ import org.mozilla.jss.asn1.UTF8String;
+ import org.mozilla.jss.crypto.CryptoToken;
+ import org.mozilla.jss.crypto.DigestAlgorithm;
++import org.mozilla.jss.crypto.EncryptionAlgorithm;
++import org.mozilla.jss.crypto.IVParameterSpec;
++import org.mozilla.jss.crypto.KeyWrapAlgorithm;
+ import org.mozilla.jss.crypto.ObjectNotFoundException;
+ import org.mozilla.jss.crypto.PrivateKey;
+ import org.mozilla.jss.crypto.Signature;
+@@ -1718,19 +1721,30 @@ public class CMCRequest {
+             CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName);
+             SymmetricKey symKey = CryptoUtil.unwrap(
+                     token,
++                    SymmetricKey.AES,
++                    128,
+                     SymmetricKey.Usage.DECRYPT,
+                     privKey,
+-                    recipient.getEncryptedKey().toByteArray());
++                    recipient.getEncryptedKey().toByteArray(),
++                    KeyWrapAlgorithm.RSA);
++
+             if (symKey == null) {
+                 System.out.println(method + "symKey returned null from CryptoUtil.unwrap(). Abort!");
+                 System.exit(1);
+             }
+             System.out.println(method + "symKey unwrapped.");
  
--import org.apache.commons.io.IOUtils;
--import org.apache.commons.lang.ArrayUtils;
--
--import org.codehaus.jackson.map.ObjectMapper;
- import org.codehaus.jackson.JsonNode;
-+import org.codehaus.jackson.map.ObjectMapper;
- 
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.EBaseException;
-diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
-index 432be9c..594ec69 100644
---- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
-+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
-@@ -126,8 +126,6 @@ public class HttpClient {
-                 Password pass = new Password(password.toCharArray());
-                 token.login(pass);
- 
--                int i;
--
-                 SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this);
-                 org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
-                     new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
-index 6fbcd3c..306fbf5 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java
-@@ -197,8 +197,13 @@ public class CertRequestDAO extends CMSRequestDAO {
- 
-         IRequest reqs[] = (IRequest[]) results.get(CAProcessor.ARG_REQUESTS);
-         for (IRequest req : reqs) {
--            CertRequestInfo info = CertRequestInfoFactory.create(req, uriInfo);
--            ret.addEntry(info);
-+            try {
-+                CertRequestInfo info = CertRequestInfoFactory.create(req, uriInfo);
-+                ret.addEntry(info);
-+            } catch (NoSuchMethodException e) {
-+                CMS.debug("Error in creating certrequestinfo - no such method");
-+                e.printStackTrace();
-+            }
-         }
++            // TODO(alee) The code below should be replaced by code that generates a random IV
++            byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
++            IVParameterSpec default_iv = new IVParameterSpec(iv);
++
+             byte challenge[] = CryptoUtil.decryptUsingSymmetricKey(
+                     token,
++                    default_iv,
+                     encCI.getEncryptedContent().toByteArray(),
+-                    symKey);
++                    symKey,
++                    EncryptionAlgorithm.AES_128_CBC);
++
+             if (challenge == null) {
+                 System.out
+                         .println(method + "challenge returned null from CryptoUtil.decryptUsingSymmetricKey(). Abort!");
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 1443a0a..12fb736 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -45,7 +45,11 @@ import org.mozilla.jss.asn1.SET;
+ import org.mozilla.jss.asn1.UTF8String;
+ import org.mozilla.jss.crypto.CryptoToken;
+ import org.mozilla.jss.crypto.DigestAlgorithm;
++import org.mozilla.jss.crypto.EncryptionAlgorithm;
+ import org.mozilla.jss.crypto.HMACAlgorithm;
++import org.mozilla.jss.crypto.IVParameterSpec;
++import org.mozilla.jss.crypto.KeyGenAlgorithm;
++import org.mozilla.jss.crypto.KeyWrapAlgorithm;
+ import org.mozilla.jss.crypto.PrivateKey;
+ import org.mozilla.jss.crypto.SymmetricKey;
+ import org.mozilla.jss.pkcs10.CertificationRequest;
+@@ -399,6 +403,10 @@ public abstract class EnrollProfile extends BasicProfile
+                 String tokenName = CMS.getConfigStore().getString("cmc.token", CryptoUtil.INTERNAL_TOKEN_NAME);
+                 token = CryptoUtil.getCryptoToken(tokenName);
  
-         ret.setTotal(ret.getEntries().size());
-@@ -221,7 +226,13 @@ public class CertRequestDAO extends CMSRequestDAO {
++                // TODO(alee) Replace the IV definition with a call that generates a random IV of  the correct length
++                byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
++                IVParameterSpec ivps = new IVParameterSpec(iv);
++
+                 PublicKey userPubKey = X509Key.parsePublicKey(new DerValue(req_key_data));
+                 if (userPubKey == null) {
+                     msg = method + "userPubKey null after X509Key.parsePublicKey";
+@@ -406,37 +414,57 @@ public abstract class EnrollProfile extends BasicProfile
+                     throw new EBaseException(msg);
+                 }
  
-     @Override
-     public CertRequestInfo createCMSRequestInfo(IRequest request, UriInfo uriInfo) {
--        return CertRequestInfoFactory.create(request, uriInfo);
-+        try {
-+            return CertRequestInfoFactory.create(request, uriInfo);
-+        } catch (NoSuchMethodException e) {
-+            CMS.debug("Error in creating certrequestinfo - no such method");
-+            e.printStackTrace();
-+        }
-+        return null;
-     }
+-                SymmetricKey symKey = CryptoUtil.generateKey(token);
+-                byte[] pop_encreyptedData = CryptoUtil.encryptUsingSymmetricKey(
+-                        token, symKey, challenge);
+-                if (pop_encreyptedData == null) {
+-                    msg = method + "pop_encreyptedData null";
++                SymmetricKey symKey = CryptoUtil.generateKey(
++                        token,
++                        KeyGenAlgorithm.AES,
++                        128,
++                        null,
++                        true);
++
++                byte[] pop_encryptedData = CryptoUtil.encryptUsingSymmetricKey(
++                        token,
++                        symKey,
++                        challenge,
++                        EncryptionAlgorithm.AES_128_CBC,
++                        ivps);
++
++                if (pop_encryptedData == null) {
++                    msg = method + "pop_encryptedData null";
+                     CMS.debug(msg);
+                     throw new EBaseException(msg);
+                 }
  
- }
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java
-index 68f65bc..e8c44b3 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java
-@@ -37,7 +37,7 @@ import netscape.security.x509.X509CertImpl;
+-                byte[] pop_sysPubEncreyptedSession = CryptoUtil.wrapUsingPublicKey(
+-                        token, issuanceProtPubKey, symKey);
+-                if (pop_sysPubEncreyptedSession == null) {
+-                    msg = method + "pop_sysPubEncreyptedSession null";
++                byte[] pop_sysPubEncryptedSession =  CryptoUtil.wrapUsingPublicKey(
++                        token,
++                        issuanceProtPubKey,
++                        symKey,
++                        KeyWrapAlgorithm.RSA);
++
++                if (pop_sysPubEncryptedSession == null) {
++                    msg = method + "pop_sysPubEncryptedSession null";
+                     CMS.debug(msg);
+                     throw new EBaseException(msg);
+                 }
  
- public class CertRequestInfoFactory {
+-                byte[] pop_userPubEncreyptedSession = CryptoUtil.wrapUsingPublicKey(
+-                        token, userPubKey, symKey);
+-                if (pop_userPubEncreyptedSession == null) {
+-                    msg = method + "pop_userPubEncreyptedSession null";
++
++                byte[] pop_userPubEncryptedSession = CryptoUtil.wrapUsingPublicKey(
++                        token,
++                        userPubKey,
++                        symKey,
++                        KeyWrapAlgorithm.RSA);
++
++                if (pop_userPubEncryptedSession == null) {
++                    msg = method + "pop_userPubEncryptedSession null";
+                     CMS.debug(msg);
+                     throw new EBaseException(msg);
+                 }
+                 CMS.debug(method + "POP challenge fields generated successfully...setting request extData");
  
--    public static CertRequestInfo create(IRequest request, UriInfo uriInfo) {
-+    public static CertRequestInfo create(IRequest request, UriInfo uriInfo) throws SecurityException, NoSuchMethodException {
+-                req.setExtData("pop_encreyptedData", pop_encreyptedData);
++                req.setExtData("pop_encryptedData", pop_encryptedData);
  
-         CertRequestInfo info = new CertRequestInfo();
+-                req.setExtData("pop_sysPubEncreyptedSession", pop_sysPubEncreyptedSession);
++                req.setExtData("pop_sysPubEncryptedSession", pop_sysPubEncryptedSession);
  
-@@ -49,12 +49,12 @@ public class CertRequestInfoFactory {
+-                req.setExtData("pop_userPubEncreyptedSession", pop_userPubEncreyptedSession);
++                req.setExtData("pop_userPubEncryptedSession", pop_userPubEncryptedSession);
  
-         info.setCertRequestType(request.getExtDataInString("cert_request_type"));
+                 // now compute and set witness
+                 CMS.debug(method + "now compute and set witness");
+@@ -1038,19 +1066,19 @@ public abstract class EnrollProfile extends BasicProfile
+         }
  
--        Path certRequestPath = CertRequestResource.class.getAnnotation(Path.class);
-+        Path certRequestPath = CertRequestResource.class.getMethod("getRequestInfo", RequestId.class ).getAnnotation(Path.class);
-         RequestId requestId = request.getRequestId();
+         // now verify the POP witness
+-        byte[] pop_encreyptedData = req.getExtDataInByteArray("pop_encreyptedData");
+-        if (pop_encreyptedData == null) {
++        byte[] pop_encryptedData = req.getExtDataInByteArray("pop_encryptedData");
++        if (pop_encryptedData == null) {
+             msg = method +
+-                    "pop_encreyptedData not found in request:" +
++                    "pop_encryptedData not found in request:" +
+                     reqId.toString();
+             CMS.debug(msg);
+             return null;
+         }
  
-         UriBuilder reqBuilder = uriInfo.getBaseUriBuilder();
--        reqBuilder.path(certRequestPath.value() + "/" + requestId);
--        info.setRequestURL(reqBuilder.build().toString());
-+        reqBuilder.path(certRequestPath.value());
-+        info.setRequestURL(reqBuilder.build(requestId).toString());
+-        byte[] pop_sysPubEncreyptedSession = req.getExtDataInByteArray("pop_sysPubEncreyptedSession");
+-        if (pop_sysPubEncreyptedSession == null) {
++        byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession");
++        if (pop_sysPubEncryptedSession == null) {
+             msg = method +
+-                    "pop_sysPubEncreyptedSession not found in request:" +
++                    "pop_sysPubEncryptedSession not found in request:" +
+                     reqId.toString();
+             CMS.debug(msg);
+             return null;
+@@ -1082,17 +1110,31 @@ public abstract class EnrollProfile extends BasicProfile
  
-         Integer result = request.getExtDataInInteger(IRequest.RESULT);
-         if (result == null || result.equals(IRequest.RES_SUCCESS)) {
-@@ -84,11 +84,12 @@ public class CertRequestInfoFactory {
-         BigInteger serialNo = impl.getSerialNumber();
-         info.setCertId(new CertId(serialNo));
+             SymmetricKey symKey = CryptoUtil.unwrap(
+                     token,
++                    SymmetricKey.AES,
++                    128,
+                     SymmetricKey.Usage.DECRYPT,
+                     issuanceProtPrivKey,
+-                    pop_sysPubEncreyptedSession);
++                    pop_sysPubEncryptedSession,
++                    KeyWrapAlgorithm.RSA);
++
+             if (symKey == null) {
+                 msg = "symKey null after CryptoUtil.unwrap returned";
+                 CMS.debug(msg);
+                 return null;
+             }
  
--        Path certPath = CertResource.class.getAnnotation(Path.class);
++            // TODO(alee) The code below should be replaced by code that gets the IV from the Pop request
++            // This IV is supposed to be random
++            byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
++            IVParameterSpec default_iv = new IVParameterSpec(iv);
++
+             byte[] challenge_b = CryptoUtil.decryptUsingSymmetricKey(
+-                    token, pop_encreyptedData, symKey);
++                    token,
++                    default_iv,
++                    pop_encryptedData,
++                    symKey,
++                    EncryptionAlgorithm.AES_128_CBC);
 +
-+        Path certPath = CertResource.class.getMethod("getCert", CertId.class).getAnnotation(Path.class);
-         UriBuilder certBuilder = uriInfo.getBaseUriBuilder();
--        certBuilder.path(certPath.value() + "/" + serialNo);
-+        certBuilder.path(certPath.value());
+             if (challenge_b == null) {
+                 msg = method + "challenge_b null after decryptUsingSymmetricKey returned";
+                 CMS.debug(msg);
+@@ -1596,23 +1638,16 @@ public abstract class EnrollProfile extends BasicProfile
+                     witness_bytes,
+                     hashAlg, macAlg);
  
--        info.setCertURL(certBuilder.build().toString());
-+        info.setCertURL(certBuilder.build(serialNo).toString());
+-            String authMgrID =
+-                    (String) sessionContext.get(SessionContext.AUTH_MANAGER_ID);
+             String auditSubjectID = null;
  
-         return info;
-     }
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
-index 30bd2cd..79eba99 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
-@@ -30,12 +30,7 @@ import javax.servlet.ServletException;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- 
--import netscape.security.x509.CRLExtensions;
--import netscape.security.x509.CRLReasonExtension;
--import netscape.security.x509.InvalidityDateExtension;
--import netscape.security.x509.RevocationReason;
--import netscape.security.x509.RevokedCertImpl;
--import netscape.security.x509.X509CertImpl;
-+import org.dogtagpki.server.connector.IRemoteRequest;
- 
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.authentication.AuthToken;
-@@ -51,7 +46,6 @@ import com.netscape.certsrv.ca.ICertificateAuthority;
- import com.netscape.certsrv.common.ICMSRequest;
- import com.netscape.certsrv.dbs.certdb.ICertRecord;
- import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
--import com.netscape.certsrv.dbs.certdb.IRevocationInfo;
- import com.netscape.certsrv.logging.AuditFormat;
- import com.netscape.certsrv.logging.ILogger;
- import com.netscape.certsrv.publish.IPublisherProcessor;
-@@ -64,7 +58,12 @@ import com.netscape.cms.servlet.common.CMSTemplate;
- import com.netscape.cms.servlet.common.CMSTemplateParams;
- import com.netscape.cms.servlet.common.ECMSGWException;
- 
--import org.dogtagpki.server.connector.IRemoteRequest;
-+import netscape.security.x509.CRLExtensions;
-+import netscape.security.x509.CRLReasonExtension;
-+import netscape.security.x509.InvalidityDateExtension;
-+import netscape.security.x509.RevocationReason;
-+import netscape.security.x509.RevokedCertImpl;
-+import netscape.security.x509.X509CertImpl;
- 
- /**
-  * Revoke a Certificate
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
-index 0073bd2..dc6560d 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java
-@@ -43,7 +43,6 @@ import com.netscape.certsrv.profile.IProfileInput;
- import com.netscape.certsrv.profile.IProfileOutput;
- import com.netscape.certsrv.profile.IProfilePolicy;
- import com.netscape.certsrv.profile.IProfileSubsystem;
--import com.netscape.certsrv.property.EPropertyException;
- import com.netscape.certsrv.property.IDescriptor;
- import com.netscape.certsrv.request.IRequest;
- import com.netscape.certsrv.request.IRequestQueue;
-diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
-index 068293e..8fd24c8 100644
---- a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java
-@@ -50,7 +50,7 @@ public class TPSInstallerService extends SystemConfigService  {
- 
-         // get token prefix, if applicable
-         String tokPrefix = "";
--        if (!request.getToken().equals(request.TOKEN_DEFAULT) &&
-+        if (!request.getToken().equals(ConfigurationRequest.TOKEN_DEFAULT) &&
-                 !request.getToken().equals("internal")) {
-             tokPrefix = request.getToken() + ":";
-         }
--- 
-1.8.3.1
-
-
-From 647388e39ccb69e3d8cadcc1d0a21c4ac6d83363 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Thu, 25 Aug 2016 12:55:14 +1000
-Subject: [PATCH 5/9] Revoke lightweight CA certificate on deletion
-
-Fixes: https://fedorahosted.org/pki/ticket/1638
-(cherry picked from commit af8ff4a7c36614c1b41338f9e32a83462d4163be)
-(cherry picked from commit 71bd236572968bdb1b8cb0c4c9a370c689a64687)
----
- .../src/com/netscape/ca/CertificateAuthority.java  | 39 +++++++++++++++++++++-
- .../dogtagpki/server/ca/rest/AuthorityService.java |  2 +-
- .../netscape/certsrv/ca/ICertificateAuthority.java |  2 +-
- 3 files changed, 40 insertions(+), 3 deletions(-)
-
-diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-index a5397da..ab48409 100644
---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
-+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-@@ -124,6 +124,7 @@ import com.netscape.certsrv.util.IStatsSubsystem;
- import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory;
- import com.netscape.cms.servlet.cert.EnrollmentProcessor;
- import com.netscape.cms.servlet.cert.RenewalProcessor;
-+import com.netscape.cms.servlet.cert.RevocationProcessor;
- import com.netscape.cms.servlet.processors.CAProcessor;
- import com.netscape.cmscore.base.ArgBlock;
- import com.netscape.cmscore.dbs.CRLRepository;
-@@ -178,6 +179,7 @@ import netscape.security.x509.CertificateChain;
- import netscape.security.x509.CertificateIssuerName;
- import netscape.security.x509.CertificateSubjectName;
- import netscape.security.x509.CertificateVersion;
-+import netscape.security.x509.RevocationReason;
- import netscape.security.x509.X500Name;
- import netscape.security.x509.X500Signer;
- import netscape.security.x509.X509CRLImpl;
-@@ -2964,7 +2966,8 @@ public class CertificateAuthority
-         authorityKeyHosts.add(thisClone);
-     }
+             if (verified) {
+-                // update auditSubjectID
+-                if (sessionContext != null) {
+-                    auditSubjectID = (String)
+-                            sessionContext.get(SessionContext.USER_ID);
+-                    CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID);
+-                    CMS.debug(method + "identity verified. Updating auditSubjectID");
+-                    CMS.debug(method + "updated auditSubjectID is:"+ ident_string);
+-                    auditSubjectID = ident_string;
+-                    sessionContext.put(SessionContext.USER_ID, auditSubjectID);
+-                } else { //very unlikely
+-                    CMS.debug(method + "sessionContext null; cannot update auditSubjectID");
+-                }
++                auditSubjectID = (String)
++                        sessionContext.get(SessionContext.USER_ID);
++                CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID);
++                CMS.debug(method + "identity verified. Updating auditSubjectID");
++                CMS.debug(method + "updated auditSubjectID is:"+ ident_string);
++                auditSubjectID = ident_string;
++                sessionContext.put(SessionContext.USER_ID, auditSubjectID);
  
--    public synchronized void deleteAuthority() throws EBaseException {
-+    public synchronized void deleteAuthority(HttpServletRequest httpReq)
-+            throws EBaseException {
-         if (isHostAuthority())
-             throw new CATypeException("Cannot delete the host CA");
+                 auditMessage = CMS.getLogMessage(
+                         AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+index c130a1e..8e47298 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+@@ -43,6 +43,7 @@ import org.mozilla.jss.asn1.SEQUENCE;
+ import org.mozilla.jss.asn1.SET;
+ import org.mozilla.jss.asn1.UTF8String;
+ import org.mozilla.jss.crypto.DigestAlgorithm;
++import org.mozilla.jss.crypto.EncryptionAlgorithm;
+ import org.mozilla.jss.crypto.SignatureAlgorithm;
+ import org.mozilla.jss.pkcs11.PK11PubKey;
+ import org.mozilla.jss.pkix.cert.Certificate;
+@@ -433,10 +434,7 @@ public class CMCOutputTemplate {
  
-@@ -2984,10 +2987,44 @@ public class CertificateAuthority
+             ResponseBody respBody = new ResponseBody(controlSeq,
+                     cmsSeq, otherMsgSeq);
+-            if (respBody != null)
+-                CMS.debug(method + " after new ResponseBody, respBody not null");
+-            else
+-                CMS.debug(method + " after new ResponseBody, respBody null");
++            CMS.debug(method + " after new ResponseBody, respBody not null");
  
-         shutdown();
+             ContentInfo contentInfo = getContentInfo(respBody, certs);
+             ByteArrayOutputStream fos = new ByteArrayOutputStream();
+@@ -489,30 +487,25 @@ public class CMCOutputTemplate {
+         CMS.debug(method + "popChallengeRequired true");
  
-+        revokeAuthority(httpReq);
-         deleteAuthorityEntry(authorityID);
-         deleteAuthorityNSSDB();
-     }
+         byte[] cmc_msg = req.getExtDataInByteArray(IEnrollProfile.CTX_CERT_REQUEST);
+-        byte[] pop_encreyptedData = req.getExtDataInByteArray("pop_encreyptedData");
++        byte[] pop_encryptedData = req.getExtDataInByteArray("pop_encryptedData");
+         //don't need this for encryptedPOP, but need to check for existence anyway
+-        byte[] pop_sysPubEncreyptedSession = req.getExtDataInByteArray("pop_sysPubEncreyptedSession");
+-        byte[] pop_userPubEncreyptedSession = req.getExtDataInByteArray("pop_userPubEncreyptedSession");
+-        if ((pop_encreyptedData != null) &&
+-                (pop_sysPubEncreyptedSession != null) &&
+-                (pop_userPubEncreyptedSession != null)) {
++        byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession");
++        byte[] pop_userPubEncryptedSession = req.getExtDataInByteArray("pop_userPubEncryptedSession");
++        if ((pop_encryptedData != null) &&
++                (pop_sysPubEncryptedSession != null) &&
++                (pop_userPubEncryptedSession != null)) {
+             // generate encryptedPOP here
+             // algs are hard-coded for now
  
-+    /** Revoke the authority's certificate
-+     *
-+     * TODO: revocation reason, invalidity date parameters
-+     */
-+    private void revokeAuthority(HttpServletRequest httpReq)
-+            throws EBaseException {
-+        CMS.debug("revokeAuthority: checking serial " + authoritySerial);
-+        ICertRecord certRecord = mCertRepot.readCertificateRecord(authoritySerial);
-+        String curStatus = certRecord.getStatus();
-+        CMS.debug("revokeAuthority: current cert status: " + curStatus);
-+        if (curStatus.equals(CertRecord.STATUS_REVOKED)
-+                || curStatus.equals(CertRecord.STATUS_REVOKED_EXPIRED)) {
-+            return;  // already revoked
-+        }
+             try {
+                 EnvelopedData envData = CryptoUtil.createEnvelopedData(
+-                        pop_encreyptedData,
+-                        pop_userPubEncreyptedSession);
++                        pop_encryptedData,
++                        pop_userPubEncryptedSession);
+                 if (envData == null) {
+                     msg = "envData null returned by createEnvelopedData";
+                     throw new EBaseException(method + msg);
+                 }
+                 ContentInfo ci = new ContentInfo(envData);
+-                if (ci == null) {
+-                    msg = "ci null from new ContentInfo";
+-                    CMS.debug(msg);
+-                    throw new EBaseException(method + msg);
+-                }
+                 CMS.debug(method + "now we can compose encryptedPOP");
+ 
+                 TaggedRequest.Template tReqTemplate = new TaggedRequest.Template();
+@@ -524,17 +517,18 @@ public class CMCOutputTemplate {
+                     throw new EBaseException(method + msg);
+                 }
+ 
++                // TODO(alee) The code below should be replaced by code that generates a random IV
++                byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
 +
-+        CMS.debug("revokeAuthority: revoking cert");
-+        RevocationProcessor processor = new RevocationProcessor(
-+                "CertificateAuthority.revokeAuthority", httpReq.getLocale());
-+        processor.setSerialNumber(new CertId(authoritySerial));
-+        processor.setRevocationReason(RevocationReason.UNSPECIFIED);
-+        processor.setAuthority(this);
-+        try {
-+            processor.createCRLExtension();
-+        } catch (IOException e) {
-+            throw new ECAException("Unable to create CRL extensions", e);
-+        }
-+        processor.addCertificateToRevoke(mCaCert);
-+        processor.createRevocationRequest();
-+        processor.auditChangeRequest(ILogger.SUCCESS);
-+        processor.processRevocationRequest();
-+        processor.auditChangeRequestProcessed(ILogger.SUCCESS);
-+    }
++                OBJECT_IDENTIFIER oid = EncryptionAlgorithm.AES_128_CBC.toOID();
++                AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv));
 +
-     /** Delete keys and certs of this authority from NSSDB.
-      */
-     private void deleteAuthorityNSSDB() throws ECAException {
-diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
-index 246a3f0..584ab6e 100644
---- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
-+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
-@@ -329,7 +329,7 @@ public class AuthorityService extends PKIService implements AuthorityResource {
-         Map<String, String> auditParams = new LinkedHashMap<>();
+                 encPop = new EncryptedPOP(
+                         tReq,
+                         ci,
+-                        CryptoUtil.getDefaultEncAlg(),
++                        aid,
+                         CryptoUtil.getDefaultHashAlg(),
+                         new OCTET_STRING(req.getExtDataInByteArray("pop_witness")));
+-                if (encPop == null) {
+-                    msg = "encPop null returned by new EncryptedPOP";
+-                    CMS.debug(msg);
+-                    throw new EBaseException(method + msg);
+-                }
  
-         try {
--            ca.deleteAuthority();
-+            ca.deleteAuthority(servletRequest);
-             audit(ILogger.SUCCESS, OpDef.OP_DELETE, aidString, null);
-             return createNoContentResponse();
-         } catch (CATypeException e) {
-diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
-index 308bfba..5218a4c 100644
---- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
-+++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java
-@@ -606,6 +606,6 @@ public interface ICertificateAuthority extends ISubsystem {
-     /**
-      * Delete this lightweight CA.
+             } catch (Exception e) {
+                 CMS.debug(method + " excepton:" + e);
+diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+index 8b8c443..95b8f81 100644
+--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+@@ -2572,15 +2572,15 @@ public class CryptoUtil {
+             throw new Exception(method + msg);
+         }
+ 
++        // TODO(alee) Replace the below with a random IV that is likely passed in
++        byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
++        OBJECT_IDENTIFIER oid = EncryptionAlgorithm.AES_128_CBC.toOID();
++        AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv));
++
+         EncryptedContentInfo encCInfo = new EncryptedContentInfo(
+                 ContentInfo.DATA,
+-                getDefaultEncAlg(),
++                aid,
+                 new OCTET_STRING(encContent));
+-        if (encCInfo == null) {
+-            msg = method + "encCInfo null from new EncryptedContentInfo";
+-            System.out.println(msg);
+-            throw new Exception(method + msg);
+-        }
+ 
+         Name name = new Name();
+         name.addCommonName("unUsedIssuerName"); //unused; okay for cmc EncryptedPOP
+@@ -2589,11 +2589,6 @@ public class CryptoUtil {
+                 new IssuerAndSerialNumber(name, new INTEGER(0)), //unUsed
+                 new AlgorithmIdentifier(RSA_ENCRYPTION, new NULL()),
+                 new OCTET_STRING(encSymKey));
+-        if (recipient == null) {
+-            msg = method + "recipient null from new RecipientInfo";
+-            System.out.println(msg);
+-            throw new Exception(method + msg);
+-        }
+ 
+         SET recipients = new SET();
+         recipients.addElement(recipient);
+@@ -2615,77 +2610,14 @@ public class CryptoUtil {
+      * the defaults
       */
--    public void deleteAuthority()
-+    public void deleteAuthority(HttpServletRequest httpReq)
-         throws EBaseException;
- }
--- 
-1.8.3.1
-
-
-From 0dd6bf96dc2d711d59d5d7b34eba5953e69e5e4d Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Wed, 24 Aug 2016 14:40:46 +1000
-Subject: [PATCH 6/9] Prevent deletion of host CA cert and key from NSSDB
-
-If authorityMonitor observes the deletion of the host CA's authority
-entry, it will treat it the same as any other lightweight CA and
-delete the signing cert AND KEY from the NSSDB. Because the database
-is replicated, the change would be observed and deletion immediately
-effected on all running clones.  Unless the main CA private key is
-backed up somewhere there is no way to recover from this.
-
-Although this scenario does not arise in normal operation, the
-impact is severe so add a check that prevents cert and key deletion
-for host authority.
-
-Fixes: https://fedorahosted.org/pki/ticket/2443
-(cherry picked from commit 68d98b63e18c5c952e0cdf3193b0ce1a5c55d5c1)
-(cherry picked from commit a1f225e0034d89cc011b81604439111ed725961e)
----
- base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-index ab48409..bea129d 100644
---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
-+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-@@ -3028,6 +3028,13 @@ public class CertificateAuthority
-     /** Delete keys and certs of this authority from NSSDB.
+ 
+-    private static byte default_iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+-    private static IVParameterSpec default_IV = new IVParameterSpec(default_iv);
+-
+-    // this generates a temporary 128 bit AES symkey with defaults
+-    public static SymmetricKey generateKey(CryptoToken token) throws Exception {
+-        return generateKey(token,
+-//TODO:                KeyGenAlgorithm.AES, 128,
+-                KeyGenAlgorithm.DES3, 128 /*unused*/,
+-                null, true);
+-    }
+-
+-    // decryptUsingSymmetricKey with default algorithms
+-    public static byte[] decryptUsingSymmetricKey(CryptoToken token, byte[] encryptedData, SymmetricKey wrappingKey) throws Exception {
+-        return decryptUsingSymmetricKey(token, default_IV, encryptedData,
+-                wrappingKey,
+-                EncryptionAlgorithm.DES3_CBC_PAD);
+-//TODO:                EncryptionAlgorithm.AES_128_CBC);
+-    }
+-
+-    // encryptUsingSymmetricKey with default algorithms
+-    public static byte[] encryptUsingSymmetricKey(CryptoToken token, SymmetricKey wrappingKey, byte[] data) throws Exception {
+-        return encryptUsingSymmetricKey(
+-                token,
+-                wrappingKey,
+-                data,
+-                EncryptionAlgorithm.DES3_CBC_PAD,
+-//TODO:                EncryptionAlgorithm.AES_128_CBC,
+-                default_IV);
+-    }
+-
+-    // wrapUsingPublicKey using default algorithm
+-    public static byte[] wrapUsingPublicKey(CryptoToken token, PublicKey wrappingKey, SymmetricKey data) throws Exception {
+-        return wrapUsingPublicKey(token, wrappingKey, data, KeyWrapAlgorithm.RSA);
+-    }
+-
+-    // unwrap sym key using default algorithms
+-    public static SymmetricKey unwrap(CryptoToken token, SymmetricKey.Usage usage, PrivateKey wrappingKey, byte[] wrappedSymKey) throws Exception {
+-        return unwrap(
+-               token,
+-//TODO:               SymmetricKey.AES,
+-               SymmetricKey.DES3,
+-               0,
+-               usage,
+-               wrappingKey,
+-               wrappedSymKey,
+-               getDefaultKeyWrapAlg());
+-    }
+-
+-    public static AlgorithmIdentifier getDefaultEncAlg()
+-           throws Exception {
+-        OBJECT_IDENTIFIER oid =
+-                EncryptionAlgorithm.DES3_CBC.toOID();
+-//TODO:                EncryptionAlgorithm.AES_128_CBC.toOID();
+-
+-        AlgorithmIdentifier aid =
+-                new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv));
+-        return aid;
+-    }
+-
+     public static String getDefaultHashAlgName() {
+         return ("SHA-256");
+     }
+ 
+-    public static KeyWrapAlgorithm getDefaultKeyWrapAlg() {
+-        return KeyWrapAlgorithm.RSA;
+-    }
+-
+     public static AlgorithmIdentifier getDefaultHashAlg()
+            throws Exception {
+         AlgorithmIdentifier hashAlg;
+-            hashAlg = new AlgorithmIdentifier(CryptoUtil.getHashAlgorithmOID("SHA-256"));
++            hashAlg = new AlgorithmIdentifier(CryptoUtil.getHashAlgorithmOID(getDefaultHashAlgName()));
+         return hashAlg;
+     }
+ 
+@@ -2768,8 +2700,6 @@ public class CryptoUtil {
       */
-     private void deleteAuthorityNSSDB() throws ECAException {
-+        if (isHostAuthority()) {
-+            String msg = "Attempt to delete host authority signing key; not proceeding";
-+            log(ILogger.LL_WARN, msg);
-+            CMS.debug(msg);
-+            return;
-+        }
-+
-         CryptoManager cryptoManager;
-         try {
-             cryptoManager = CryptoManager.getInstance();
+     public static String getNameFromHashAlgorithm(AlgorithmIdentifier ai)
+            throws NoSuchAlgorithmException {
+-        OBJECT_IDENTIFIER oid = null;
+-
+         System.out.println("CryptoUtil: getNameFromHashAlgorithm: " + ai.getOID().toString());
+         if (ai != null) {
+             if (ai.getOID().equals((DigestAlgorithm.SHA256).toOID())) {
 -- 
 1.8.3.1
 
 
-From 06a85c76938211d6ecf2b49ac72b168e9f6e7fdd Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <frase@frase.id.au>
-Date: Tue, 23 Aug 2016 14:50:03 +1000
-Subject: [PATCH 7/9] Accept LWCA entry with missing entryUSN if plugin enabled
-
-Currently we abort adding a lightweight CA if its entry does not
-have an 'entryUSN' attribute, and log a failure, even if the USN
-plugin is enabled.  But if the plugin is enabled, it's fine to
-proceed.
+From 772e05e746570c13afeb60516c07a3fb95ca3e78 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 1 Jun 2017 23:38:04 +0200
+Subject: [PATCH 10/27] Removed superfluous deployment configuration backup.
 
-Update the authority monitor to check if the USN plugin is enabled
-and only log the failure if it is not.  Clarify the log message
-accordingly.
+The pkispawn has been modified to generate a temporary backup
+file (instead of permanent and timestamped backup files) of the
+deployment configuration file before normalizing its content.
+The temporary backup will be removed automatically when the
+normalization is complete.
 
-Part of: https://fedorahosted.org/pki/ticket/2444
+https://pagure.io/dogtagpki/issue/2674
 
-(cherry picked from commit d1aa1ec049d7cb5beed9ba79b09930a90a3c51fe)
-(cherry picked from commit 21e268ae6d5f9c2f93d4d80a6285e453974b5c07)
+Change-Id: Ia541e23314acc120954fa574d1f6f885961c8047
 ---
- .../src/com/netscape/ca/CertificateAuthority.java  | 46 ++++++++++++++++++----
- 1 file changed, 38 insertions(+), 8 deletions(-)
-
-diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-index bea129d..aab9651 100644
---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
-+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-@@ -679,6 +679,24 @@ public class CertificateAuthority
-         }
-     }
+ base/server/sbin/pkispawn | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
+index 742f579..1aa7079 100755
+--- a/base/server/sbin/pkispawn
++++ b/base/server/sbin/pkispawn
+@@ -34,8 +34,6 @@ try:
+     import ldap
+     import os
+     import requests
+-    import time
+-    from time import strftime as date
+     import traceback
+     import pki
+     from pki.server.deployment import pkiconfig as config
+@@ -610,12 +608,9 @@ def main(argv):
  
-+    private boolean entryUSNPluginEnabled() {
-+        try {
-+            LDAPConnection conn = dbFactory.getConn();
-+            try {
-+                LDAPSearchResults results = conn.search(
-+                    "cn=usn,cn=plugins,cn=config", LDAPConnection.SCOPE_BASE,
-+                    "(nsslapd-pluginEnabled=on)", null, false);
-+                return results != null && results.hasMoreElements();
-+            } catch (LDAPException e) {
-+                return false;
-+            } finally {
-+                dbFactory.returnConn(conn);
-+            }
-+        } catch (ELdapException e) {
-+            return false;  // oh well
-+        }
-+    }
-+
-     private void initCRLPublisher() throws EBaseException {
-         // instantiate CRL publisher
-         if (!isHostAuthority()) {
-@@ -3221,17 +3239,29 @@ public class CertificateAuthority
-         AuthorityID aid = new AuthorityID((String)
-             aidAttr.getStringValues().nextElement());
- 
--        LDAPAttribute entryUSN = entry.getAttribute("entryUSN");
--        if (entryUSN == null) {
--            log(ILogger.LL_FAILURE, "Authority entry has no entryUSN.  " +
--                "This is likely because the USN plugin is not enabled in the database");
--            return;
-+        Integer newEntryUSN = null;
-+        LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
-+        if (entryUSNAttr == null) {
-+            CMS.debug("readAuthority: no entryUSN");
-+            if (!entryUSNPluginEnabled()) {
-+                CMS.debug("readAuthority: dirsrv USN plugin is not enabled; skipping entry");
-+                log(ILogger.LL_FAILURE, "Lightweight authority entry has no"
-+                        + " entryUSN attribute and USN plugin not enabled;"
-+                        + " skipping.  Enable dirsrv USN plugin.");
-+                return;
-+            } else {
-+                CMS.debug("readAuthority: dirsrv USN plugin is enabled; continuing");
-+                // entryUSN plugin is enabled, but no entryUSN attribute. We
-+                // can proceed because future modifications will result in the
-+                // entryUSN attribute being added.
-+            }
-+        } else {
-+            newEntryUSN = new Integer(entryUSNAttr.getStringValueArray()[0]);
-+            CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
-         }
  
--        Integer newEntryUSN = new Integer(entryUSN.getStringValueArray()[0]);
--        CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
-         Integer knownEntryUSN = entryUSNs.get(aid);
--        if (knownEntryUSN != null) {
-+        if (newEntryUSN != null && knownEntryUSN != null) {
-             CMS.debug("readAuthority: known entryUSN = " + knownEntryUSN);
-             if (newEntryUSN <= knownEntryUSN) {
-                 CMS.debug("readAuthority: data is current");
+ def sanitize_user_deployment_cfg(cfg):
+-    # Generate a timestamp
+-    ticks = time.time()
+-    timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks))
+ 
+     # Correct any section headings in the user's configuration file
+-    for line in fileinput.FileInput(cfg, inplace=1, backup='.' + timestamp):
++    for line in fileinput.FileInput(cfg, inplace=1):
+         # Remove extraneous leading and trailing whitespace from all lines
+         line = line.strip()
+         # Normalize section headings to match '/etc/pki/default.cfg'
 -- 
 1.8.3.1
 
 
-From 8e0235adccb11868f0036d48d2b52230c82b3e6b Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Wed, 24 Aug 2016 14:10:55 +1000
-Subject: [PATCH 8/9] Perform host authority check before entryUSN check
-
-When processing lightweight CAs, currently we perform the entryUSN
-check before the host authority check.  If the entry does not have
-an entryUSN attribute, and if the DS USN plugin is not enabled, the
-entry gets skipped and we do not reach the host authority check.
-This causes the CA to believe that it has not seen the host
-authority entry, and results in additional entries being added.
-
-Move the host authority check before the entryUSN check to avoid
-this scenario.
-
-Fixes: https://fedorahosted.org/pki/ticket/2444
-(cherry picked from commit e457cb8367f39562a844229ddb9da9c3a46d9611)
-(cherry picked from commit 3a97c5fc0df7015a7e19236778089c67441a1499)
+From f7b6305396581f5916498cc4ea8247596bf39aaf Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen <mharmsen@redhat.com>
+Date: Fri, 2 Jun 2017 02:10:02 +0200
+Subject: [PATCH 11/27] Fixed pylint issues
+
+- https://pagure.io/dogtagpki/issue/2713 - Build failure due to Pylint issues
 ---
- .../src/com/netscape/ca/CertificateAuthority.java  | 41 +++++++++++-----------
- 1 file changed, 21 insertions(+), 20 deletions(-)
-
-diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-index aab9651..1f77fd8 100644
---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
-+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-@@ -3239,6 +3239,27 @@ public class CertificateAuthority
-         AuthorityID aid = new AuthorityID((String)
-             aidAttr.getStringValues().nextElement());
- 
-+        X500Name dn = null;
-+        try {
-+            dn = new X500Name((String) dnAttr.getStringValues().nextElement());
-+        } catch (IOException e) {
-+            CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN());
-+        }
-+
-+        String desc = null;
-+        LDAPAttribute descAttr = entry.getAttribute("description");
-+        if (descAttr != null)
-+            desc = (String) descAttr.getStringValues().nextElement();
-+
-+        if (dn.equals(mName)) {
-+            CMS.debug("Found host authority");
-+            foundHostAuthority = true;
-+            this.authorityID = aid;
-+            this.authorityDescription = desc;
-+            caMap.put(aid, this);
-+            return;
-+        }
-+
-         Integer newEntryUSN = null;
-         LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
-         if (entryUSNAttr == null) {
-@@ -3269,26 +3290,6 @@ public class CertificateAuthority
-             }
-         }
+ base/common/python/pki/cli/pkcs12.py           |  4 ++--
+ base/common/python/pki/encoder.py              | 12 ++++++------
+ base/server/python/pki/server/cli/audit.py     |  8 ++++----
+ base/server/python/pki/server/cli/ca.py        | 16 ++++++++--------
+ base/server/python/pki/server/cli/db.py        |  8 ++++----
+ base/server/python/pki/server/cli/kra.py       | 20 ++++++++++----------
+ base/server/python/pki/server/cli/ocsp.py      |  4 ++--
+ base/server/python/pki/server/cli/subsystem.py |  4 ++--
+ base/server/python/pki/server/cli/tks.py       |  4 ++--
+ base/server/python/pki/server/cli/tps.py       | 20 ++++++++++----------
+ base/server/python/pki/server/upgrade.py       |  3 ---
+ 11 files changed, 50 insertions(+), 53 deletions(-)
+
+diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
+index 8934d33..6b99fcf 100644
+--- a/base/common/python/pki/cli/pkcs12.py
++++ b/base/common/python/pki/cli/pkcs12.py
+@@ -62,10 +62,10 @@ class PKCS12ImportCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
  
--        X500Name dn = null;
--        try {
--            dn = new X500Name((String) dnAttr.getStringValues().nextElement());
--        } catch (IOException e) {
--            CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN());
--        }
--
--        String desc = null;
--        LDAPAttribute descAttr = entry.getAttribute("description");
--        if (descAttr != null)
--            desc = (String) descAttr.getStringValues().nextElement();
--
--        if (dn.equals(mName)) {
--            foundHostAuthority = true;
--            this.authorityID = aid;
--            this.authorityDescription = desc;
--            caMap.put(aid, this);
--            return;
--        }
+-    def execute(self, args):
++    def execute(self, argv):
+ 
+         try:
+-            opts, _ = getopt.gnu_getopt(args, 'v', [
++            opts, _ = getopt.gnu_getopt(argv, 'v', [
+                 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
+                 'no-trust-flags', 'no-user-certs', 'no-ca-certs', 'overwrite',
+                 'verbose', 'debug', 'help'])
+diff --git a/base/common/python/pki/encoder.py b/base/common/python/pki/encoder.py
+index 8485ab8..d3298bc 100644
+--- a/base/common/python/pki/encoder.py
++++ b/base/common/python/pki/encoder.py
+@@ -82,14 +82,14 @@ class CustomTypeEncoder(json.JSONEncoder):
+     """
+     # pylint: disable=E0202
+ 
+-    def default(self, obj):
++    def default(self, o):
+         for k, v in iteritems(TYPES):
+-            if isinstance(obj, v):
+-                return {k: obj.__dict__}
++            if isinstance(o, v):
++                return {k: o.__dict__}
+         for t in itervalues(NOTYPES):
+-            if isinstance(obj, t):
+-                return self.attr_name_conversion(obj.__dict__, type(obj))
+-        return json.JSONEncoder.default(self, obj)
++            if isinstance(o, t):
++                return self.attr_name_conversion(o.__dict__, type(o))
++        return json.JSONEncoder.default(self, o)
+ 
+     @staticmethod
+     def attr_name_conversion(attr_dict, object_class):
+diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
+index 0833ca8..a19ca8c 100644
+--- a/base/server/python/pki/server/cli/audit.py
++++ b/base/server/python/pki/server/cli/audit.py
+@@ -56,10 +56,10 @@ class AuditFileFindCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+ 
+         try:
+-            opts, _ = getopt.gnu_getopt(args, 'i:v', [
++            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+                 'instance=',
+                 'verbose', 'help'])
+ 
+@@ -129,10 +129,10 @@ class AuditFileVerifyCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+ 
+         try:
+-            opts, _ = getopt.gnu_getopt(args, 'i:v', [
++            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+                 'instance=',
+                 'verbose', 'help'])
+ 
+diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
+index 550e511..48c7dba 100644
+--- a/base/server/python/pki/server/cli/ca.py
++++ b/base/server/python/pki/server/cli/ca.py
+@@ -78,10 +78,10 @@ class CACertChainExportCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+ 
+         try:
+-            opts, _ = getopt.gnu_getopt(args, 'i:v', [
++            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+                 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
+                 'verbose', 'help'])
+ 
+@@ -190,10 +190,10 @@ class CACertRequestFindCLI(pki.cli.CLI):
+         print('      --help                      Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+ 
+         try:
+-            opts, _ = getopt.gnu_getopt(args, 'i:v', [
++            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+                 'instance=', 'cert=', 'cert-file=',
+                 'verbose', 'help'])
+ 
+@@ -268,10 +268,10 @@ class CACertRequestShowCLI(pki.cli.CLI):
+         print('      --help                      Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+ 
+         try:
+-            opts, args = getopt.gnu_getopt(args, 'i:v', [
++            opts, args = getopt.gnu_getopt(argv, 'i:v', [
+                 'instance=', 'output-file=',
+                 'verbose', 'help'])
+ 
+@@ -356,10 +356,10 @@ class CAClonePrepareCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+ 
+         try:
+-            opts, _ = getopt.gnu_getopt(args, 'i:v', [
++            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+                 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
+                 'verbose', 'help'])
+ 
+diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py
+index 17b1a2f..3df911c 100644
+--- a/base/server/python/pki/server/cli/db.py
++++ b/base/server/python/pki/server/cli/db.py
+@@ -58,10 +58,10 @@ class DBSchemaUpgrade(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+         try:
+             opts, _ = getopt.gnu_getopt(
+-                args, 'i:D:w:v', ['instance=', 'bind-dn=', 'bind-password=',
++                argv, 'i:D:w:v', ['instance=', 'bind-dn=', 'bind-password=',
+                                   'verbose', 'help'])
+ 
+         except getopt.GetoptError as e:
+@@ -150,10 +150,10 @@ class DBUpgrade(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+         try:
+             opts, _ = getopt.gnu_getopt(
+-                args, 'i:v', ['instance=', 'verbose', 'help'])
++                argv, 'i:v', ['instance=', 'verbose', 'help'])
+ 
+         except getopt.GetoptError as e:
+             print('ERROR: ' + str(e))
+diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
+index 3724014..6c1ade9 100644
+--- a/base/server/python/pki/server/cli/kra.py
++++ b/base/server/python/pki/server/cli/kra.py
+@@ -81,10 +81,10 @@ class KRAClonePrepareCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+ 
+         try:
+-            opts, _ = getopt.gnu_getopt(args, 'i:v', [
++            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+                 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
+                 'verbose', 'help'])
+ 
+@@ -203,10 +203,10 @@ class KRADBVLVFindCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+         try:
+             opts, _ = getopt.gnu_getopt(
+-                args,
++                argv,
+                 'i:D:w:x:g:v',
+                 ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
+                  'verbose', 'help']
+@@ -315,10 +315,10 @@ class KRADBVLVAddCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+         try:
+             opts, _ = getopt.gnu_getopt(
+-                args,
++                argv,
+                 'i:D:w:x:g:v',
+                 ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
+                  'verbose', 'help']
+@@ -421,10 +421,10 @@ class KRADBVLVDeleteCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+         try:
+             opts, _ = getopt.gnu_getopt(
+-                args,
++                argv,
+                 'i:D:w:x:g:v',
+                 ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
+                  'verbose', 'help']
+@@ -543,10 +543,10 @@ class KRADBVLVReindexCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+         try:
+             opts, _ = getopt.gnu_getopt(
+-                args,
++                argv,
+                 'i:D:w:x:g:v',
+                 ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
+                  'verbose', 'help']
+diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py
+index 3e9b6aa..b3e4e45 100644
+--- a/base/server/python/pki/server/cli/ocsp.py
++++ b/base/server/python/pki/server/cli/ocsp.py
+@@ -67,10 +67,10 @@ class OCSPClonePrepareCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+ 
+         try:
+-            opts, _ = getopt.gnu_getopt(args, 'i:v', [
++            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+                 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
+                 'verbose', 'help'])
+ 
+diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
+index 8395bd2..10af8ca 100644
+--- a/base/server/python/pki/server/cli/subsystem.py
++++ b/base/server/python/pki/server/cli/subsystem.py
+@@ -66,10 +66,10 @@ class SubsystemFindCLI(pki.cli.CLI):
+         print('      --help                      Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+ 
+         try:
+-            opts, _ = getopt.gnu_getopt(args, 'i:v', [
++            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+                 'instance=',
+                 'verbose', 'help'])
+ 
+diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py
+index 0e6a998..0bfaca1 100644
+--- a/base/server/python/pki/server/cli/tks.py
++++ b/base/server/python/pki/server/cli/tks.py
+@@ -67,10 +67,10 @@ class TKSClonePrepareCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+ 
+         try:
+-            opts, _ = getopt.gnu_getopt(args, 'i:v', [
++            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+                 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
+                 'verbose', 'help'])
+ 
+diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py
+index 03df8de..a34bbd9 100644
+--- a/base/server/python/pki/server/cli/tps.py
++++ b/base/server/python/pki/server/cli/tps.py
+@@ -76,10 +76,10 @@ class TPSClonePrepareCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+ 
+         try:
+-            opts, _ = getopt.gnu_getopt(args, 'i:v', [
++            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+                 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
+                 'verbose', 'help'])
+ 
+@@ -195,10 +195,10 @@ class TPSDBVLVFindCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+         try:
+             opts, _ = getopt.gnu_getopt(
+-                args,
++                argv,
+                 'i:D:w:x:g:v',
+                 ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
+                  'verbose', 'help']
+@@ -306,10 +306,10 @@ class TPSDBVLVAddCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+         try:
+             opts, _ = getopt.gnu_getopt(
+-                args,
++                argv,
+                 'i:D:w:x:g:v',
+                 ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
+                  'verbose', 'help']
+@@ -419,10 +419,10 @@ class TPSDBVLVDeleteCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+         try:
+             opts, _ = getopt.gnu_getopt(
+-                args,
++                argv,
+                 'i:D:w:x:g:v',
+                 ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
+                  'verbose', 'help']
+@@ -554,10 +554,10 @@ class TPSDBVLVReindexCLI(pki.cli.CLI):
+         print('      --help                         Show help message.')
+         print()
+ 
+-    def execute(self, args):
++    def execute(self, argv):
+         try:
+             opts, _ = getopt.gnu_getopt(
+-                args,
++                argv,
+                 'i:D:w:x:g:v',
+                 ['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
+                  'verbose', 'help']
+diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py
+index 2c72e48..926c683 100644
+--- a/base/server/python/pki/server/upgrade.py
++++ b/base/server/python/pki/server/upgrade.py
+@@ -38,9 +38,6 @@ SUBSYSTEM_TRACKER = '%s/CS.cfg'
+ 
+ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet):
+ 
+-    def __init__(self):
+-        super(PKIServerUpgradeScriptlet, self).__init__()
 -
-         @SuppressWarnings("unused")
-         X500Name parentDN = null;
-         if (parentDNAttr != null) {
+     def get_backup_dir(self):
+         return BACKUP_DIR + '/' + str(self.version) + '/' + str(self.index)
+ 
 -- 
 1.8.3.1
 
 
-From 6cfdd4a6434c8ca08cdbcd659d44a74f6bb6d123 Mon Sep 17 00:00:00 2001
+From b3d851b864dc986a9af8ffcb1962f8e7b4de3114 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 7 Sep 2016 00:35:40 +0200
-Subject: [PATCH 9/9] Removed FixSELinuxContexts upgrade script.
+Date: Thu, 1 Jun 2017 04:54:05 +0200
+Subject: [PATCH 12/27] Added upgrade script for keepAliveTimeout.
 
-The FixSELinuxContexts upgrade script has been removed temporarily
-due to a problem importing selinux library during RPM upgrade.
+An upgrade script has been added to set the keepAliveTimeout
+attribute for the Secure connector in the server.xml.
 
-The FixDeploymentDescriptor script number has been changed
-accordingly.
+https://pagure.io/dogtagpki/issue/2687
 
-https://fedorahosted.org/pki/ticket/2452
-(cherry picked from commit 76b3ae5062aef22eece89117a28bd9b86ddef92d)
-(cherry picked from commit b3248175d261bc82d3d9c965f047ea9d0fa2bc9e)
+Change-Id: Ia61ed49d0ffc26d4bb44738c71fc663bde37fb1d
 ---
- .../upgrade/10.3.5/02-FixDeploymentDescriptor      | 110 +++++++++++++++++++++
- base/server/upgrade/10.3.5/02-FixSELinuxContexts   |  36 -------
- .../upgrade/10.3.5/03-FixDeploymentDescriptor      | 110 ---------------------
- 3 files changed, 110 insertions(+), 146 deletions(-)
- create mode 100644 base/server/upgrade/10.3.5/02-FixDeploymentDescriptor
- delete mode 100644 base/server/upgrade/10.3.5/02-FixSELinuxContexts
- delete mode 100644 base/server/upgrade/10.3.5/03-FixDeploymentDescriptor
-
-diff --git a/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor
+ base/common/upgrade/10.4.1/.gitignore              |  4 ++
+ base/common/upgrade/10.4.2/.gitignore              |  4 ++
+ base/common/upgrade/10.4.3/.gitignore              |  4 ++
+ base/common/upgrade/10.4.4/.gitignore              |  4 ++
+ base/common/upgrade/10.4.5/.gitignore              |  4 ++
+ base/common/upgrade/10.4.6/.gitignore              |  4 ++
+ base/server/upgrade/10.4.3/.gitignore              |  4 ++
+ base/server/upgrade/10.4.4/.gitignore              |  4 ++
+ base/server/upgrade/10.4.5/.gitignore              |  4 ++
+ .../upgrade/10.4.6/01-UpdateKeepAliveTimeout       | 59 ++++++++++++++++++++++
+ 10 files changed, 95 insertions(+)
+ create mode 100644 base/common/upgrade/10.4.1/.gitignore
+ create mode 100644 base/common/upgrade/10.4.2/.gitignore
+ create mode 100644 base/common/upgrade/10.4.3/.gitignore
+ create mode 100644 base/common/upgrade/10.4.4/.gitignore
+ create mode 100644 base/common/upgrade/10.4.5/.gitignore
+ create mode 100644 base/common/upgrade/10.4.6/.gitignore
+ create mode 100644 base/server/upgrade/10.4.3/.gitignore
+ create mode 100644 base/server/upgrade/10.4.4/.gitignore
+ create mode 100644 base/server/upgrade/10.4.5/.gitignore
+ create mode 100755 base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout
+
+diff --git a/base/common/upgrade/10.4.1/.gitignore b/base/common/upgrade/10.4.1/.gitignore
+new file mode 100644
+index 0000000..5e7d273
+--- /dev/null
++++ b/base/common/upgrade/10.4.1/.gitignore
+@@ -0,0 +1,4 @@
++# Ignore everything in this directory
++*
++# Except this file
++!.gitignore
+diff --git a/base/common/upgrade/10.4.2/.gitignore b/base/common/upgrade/10.4.2/.gitignore
+new file mode 100644
+index 0000000..5e7d273
+--- /dev/null
++++ b/base/common/upgrade/10.4.2/.gitignore
+@@ -0,0 +1,4 @@
++# Ignore everything in this directory
++*
++# Except this file
++!.gitignore
+diff --git a/base/common/upgrade/10.4.3/.gitignore b/base/common/upgrade/10.4.3/.gitignore
+new file mode 100644
+index 0000000..5e7d273
+--- /dev/null
++++ b/base/common/upgrade/10.4.3/.gitignore
+@@ -0,0 +1,4 @@
++# Ignore everything in this directory
++*
++# Except this file
++!.gitignore
+diff --git a/base/common/upgrade/10.4.4/.gitignore b/base/common/upgrade/10.4.4/.gitignore
+new file mode 100644
+index 0000000..5e7d273
+--- /dev/null
++++ b/base/common/upgrade/10.4.4/.gitignore
+@@ -0,0 +1,4 @@
++# Ignore everything in this directory
++*
++# Except this file
++!.gitignore
+diff --git a/base/common/upgrade/10.4.5/.gitignore b/base/common/upgrade/10.4.5/.gitignore
+new file mode 100644
+index 0000000..5e7d273
+--- /dev/null
++++ b/base/common/upgrade/10.4.5/.gitignore
+@@ -0,0 +1,4 @@
++# Ignore everything in this directory
++*
++# Except this file
++!.gitignore
+diff --git a/base/common/upgrade/10.4.6/.gitignore b/base/common/upgrade/10.4.6/.gitignore
+new file mode 100644
+index 0000000..5e7d273
+--- /dev/null
++++ b/base/common/upgrade/10.4.6/.gitignore
+@@ -0,0 +1,4 @@
++# Ignore everything in this directory
++*
++# Except this file
++!.gitignore
+diff --git a/base/server/upgrade/10.4.3/.gitignore b/base/server/upgrade/10.4.3/.gitignore
+new file mode 100644
+index 0000000..5e7d273
+--- /dev/null
++++ b/base/server/upgrade/10.4.3/.gitignore
+@@ -0,0 +1,4 @@
++# Ignore everything in this directory
++*
++# Except this file
++!.gitignore
+diff --git a/base/server/upgrade/10.4.4/.gitignore b/base/server/upgrade/10.4.4/.gitignore
+new file mode 100644
+index 0000000..5e7d273
+--- /dev/null
++++ b/base/server/upgrade/10.4.4/.gitignore
+@@ -0,0 +1,4 @@
++# Ignore everything in this directory
++*
++# Except this file
++!.gitignore
+diff --git a/base/server/upgrade/10.4.5/.gitignore b/base/server/upgrade/10.4.5/.gitignore
 new file mode 100644
-index 0000000..27c8959
+index 0000000..5e7d273
 --- /dev/null
-+++ b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor
-@@ -0,0 +1,110 @@
++++ b/base/server/upgrade/10.4.5/.gitignore
+@@ -0,0 +1,4 @@
++# Ignore everything in this directory
++*
++# Except this file
++!.gitignore
+diff --git a/base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout b/base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout
+new file mode 100755
+index 0000000..31c4d1b
+--- /dev/null
++++ b/base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout
+@@ -0,0 +1,59 @@
 +#!/usr/bin/python
 +# Authors:
 +#     Endi S. Dewata <edewata@redhat.com>
@@ -1004,257 +1204,1174 @@ index 0000000..27c8959
 +# with this program; if not, write to the Free Software Foundation, Inc.,
 +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 +#
-+# Copyright (C) 2016 Red Hat, Inc.
++# Copyright (C) 2017 Red Hat, Inc.
 +# All rights reserved.
++#
 +
 +from __future__ import absolute_import
-+from lxml import etree
 +import os
-+import shutil
++from lxml import etree
 +
-+import pki.server.upgrade
++import pki
 +
 +
-+class FixDeploymentDescriptor(pki.server.upgrade.PKIServerUpgradeScriptlet):
++class UpdateKeepAliveTimeout(
++        pki.server.upgrade.PKIServerUpgradeScriptlet):
 +
 +    def __init__(self):
-+        super(FixDeploymentDescriptor, self).__init__()
-+        self.message = 'Fix deployment descriptor'
++        super(UpdateKeepAliveTimeout, self).__init__()
++        self.message = 'Update keepAliveTimeout parameter'
++
 +        self.parser = etree.XMLParser(remove_blank_text=True)
 +
 +    def upgrade_instance(self, instance):
 +
-+        self.fix_webapp(instance, 'ROOT.xml')
-+        self.fix_webapp(instance, 'pki#admin.xml')
-+        self.fix_webapp(instance, 'pki#js.xml')
-+
-+        self.fix_theme(instance, 'pki.xml')
-+
-+    def fix_webapp(self, instance, context_xml):
-+
-+        source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
-+        target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
-+
-+        # if deployment descriptor doesn't exist, install the default
-+        if not os.path.exists(target_xml):
-+            self.copy_file(instance, source_xml, target_xml)
-+            return
-+
-+        # get docBase from deployment descriptor
-+        document = etree.parse(target_xml, self.parser)
-+        context = document.getroot()
-+        docBase = context.get('docBase')
-+
-+        # if docBase is absolute and pointing to non-empty folder, ignore
-+        if docBase.startswith('/') and \
-+                os.path.exists(docBase) and \
-+                os.listdir(docBase):
-+            return
-+
-+        # if docBase is relative and pointing to non-empty folder, ignore
-+        if not docBase.startswith('/') and \
-+                os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
-+                os.listdir(instance.base_dir + '/webapps/' + docBase):
-+            return
-+
-+        # docBase is pointing to non-existent/empty folder, replace with default
-+        self.copy_file(instance, source_xml, target_xml)
-+
-+    def fix_theme(self, instance, context_xml):
-+
-+        source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
-+        target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
-+
-+        # if deployment descriptor doesn't exist, ignore (no theme)
-+        if not os.path.exists(target_xml):
-+            return
-+
-+        # get docBase from deployment descriptor
-+        document = etree.parse(target_xml, self.parser)
-+        context = document.getroot()
-+        docBase = context.get('docBase')
-+
-+        # if docBase is absolute and pointing to non-empty folder, ignore
-+        if docBase.startswith('/') and \
-+                os.path.exists(docBase) and \
-+                os.listdir(docBase):
-+            return
-+
-+        # if docBase is relative and pointing to non-empty folder, ignore
-+        if not docBase.startswith('/') and \
-+                os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
-+                os.listdir(instance.base_dir + '/webapps/' + docBase):
-+            return
-+
-+        # docBase is pointing to non-existent/empty folder
-+
-+        # if theme package is installed, replace deployment descriptor
-+        if os.path.exists(pki.SHARE_DIR + '/common-ui'):
-+            self.copy_file(instance, source_xml, target_xml)
-+
-+    def copy_file(self, instance, source, target):
-+
-+        self.backup(target)
-+        shutil.copyfile(source, target)
-+        os.chown(target, instance.uid, instance.gid)
-diff --git a/base/server/upgrade/10.3.5/02-FixSELinuxContexts b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
-deleted file mode 100644
-index f3d981e..0000000
---- a/base/server/upgrade/10.3.5/02-FixSELinuxContexts
-+++ /dev/null
-@@ -1,36 +0,0 @@
--#!/usr/bin/python
--# Authors:
--#     Endi S. Dewata <edewata@redhat.com>
--#
--# This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
--#
--# This program is distributed in the hope that it will be useful,
--# but WITHOUT ANY WARRANTY; without even the implied warranty of
--# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
--#
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
--#
--# Copyright (C) 2016 Red Hat, Inc.
--# All rights reserved.
--
--from __future__ import absolute_import
--import selinux
--import pki.server.upgrade
--
--
--class FixSELinuxContexts(pki.server.upgrade.PKIServerUpgradeScriptlet):
--
--    def __init__(self):
--        super(FixSELinuxContexts, self).__init__()
--        self.message = 'Fix SELinux contexts'
--
--    def upgrade_instance(self, instance):
--
--        selinux.restorecon(instance.base_dir, True)
--        selinux.restorecon(instance.conf_dir, True)
--        selinux.restorecon(instance.log_dir, True)
-diff --git a/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor b/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor
-deleted file mode 100644
-index 27c8959..0000000
---- a/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor
-+++ /dev/null
-@@ -1,110 +0,0 @@
--#!/usr/bin/python
--# Authors:
--#     Endi S. Dewata <edewata@redhat.com>
--#
--# This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; version 2 of the License.
--#
--# This program is distributed in the hope that it will be useful,
--# but WITHOUT ANY WARRANTY; without even the implied warranty of
--# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--# GNU General Public License for more details.
--#
--# You should have received a copy of the GNU General Public License along
--# with this program; if not, write to the Free Software Foundation, Inc.,
--# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
--#
--# Copyright (C) 2016 Red Hat, Inc.
--# All rights reserved.
--
--from __future__ import absolute_import
--from lxml import etree
--import os
--import shutil
--
--import pki.server.upgrade
--
--
--class FixDeploymentDescriptor(pki.server.upgrade.PKIServerUpgradeScriptlet):
--
--    def __init__(self):
--        super(FixDeploymentDescriptor, self).__init__()
--        self.message = 'Fix deployment descriptor'
--        self.parser = etree.XMLParser(remove_blank_text=True)
--
--    def upgrade_instance(self, instance):
--
--        self.fix_webapp(instance, 'ROOT.xml')
--        self.fix_webapp(instance, 'pki#admin.xml')
--        self.fix_webapp(instance, 'pki#js.xml')
--
--        self.fix_theme(instance, 'pki.xml')
--
--    def fix_webapp(self, instance, context_xml):
--
--        source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
--        target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
--
--        # if deployment descriptor doesn't exist, install the default
--        if not os.path.exists(target_xml):
--            self.copy_file(instance, source_xml, target_xml)
--            return
--
--        # get docBase from deployment descriptor
--        document = etree.parse(target_xml, self.parser)
--        context = document.getroot()
--        docBase = context.get('docBase')
--
--        # if docBase is absolute and pointing to non-empty folder, ignore
--        if docBase.startswith('/') and \
--                os.path.exists(docBase) and \
--                os.listdir(docBase):
--            return
--
--        # if docBase is relative and pointing to non-empty folder, ignore
--        if not docBase.startswith('/') and \
--                os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
--                os.listdir(instance.base_dir + '/webapps/' + docBase):
--            return
--
--        # docBase is pointing to non-existent/empty folder, replace with default
--        self.copy_file(instance, source_xml, target_xml)
--
--    def fix_theme(self, instance, context_xml):
--
--        source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml
--        target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml
--
--        # if deployment descriptor doesn't exist, ignore (no theme)
--        if not os.path.exists(target_xml):
--            return
--
--        # get docBase from deployment descriptor
--        document = etree.parse(target_xml, self.parser)
--        context = document.getroot()
--        docBase = context.get('docBase')
++        server_xml = os.path.join(instance.conf_dir, 'server.xml')
++        self.backup(server_xml)
++
++        document = etree.parse(server_xml, self.parser)
++
++        server = document.getroot()
++        connectors = server.findall('.//Connector')
++
++        for connector in connectors:
++
++            # find the Secure connector
++            name = connector.get('name')
++            if name != 'Secure':
++                continue
++
++            # set the keepAliveTimeout parameter to 5 minutes
++            connector.set('keepAliveTimeout', '300000')
++
++        with open(server_xml, 'wb') as f:
++            document.write(f, pretty_print=True, encoding='utf-8')
+-- 
+1.8.3.1
+
+
+From 03235ab51d102ba722e71adf00d2f721c77cd222 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 1 Jun 2017 21:02:41 +0200
+Subject: [PATCH 15/27] Fixed random password generator.
+
+The equal sign is no longer used to generate random password
+since it's already used as token name and password delimiter in
+password.conf.
+
+https://pagure.io/dogtagpki/issue/2556
+
+Change-Id: Id59f9aae4d01958f69c305e7d5cda44ce5c81c84
+---
+ base/common/python/pki/__init__.py | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
+index 1fc5385..0478b32 100644
+--- a/base/common/python/pki/__init__.py
++++ b/base/common/python/pki/__init__.py
+@@ -45,6 +45,11 @@ PACKAGE_VERSION = SHARE_DIR + '/VERSION'
+ CERT_HEADER = "-----BEGIN CERTIFICATE-----"
+ CERT_FOOTER = "-----END CERTIFICATE-----"
+ 
++# Valid punctuation characters for random password.
++# This is identical to string.punctuation minus the equal
++# sign since it's used as delimiter in password.conf.
++PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[\\]^_`{|}~'
++
+ 
+ def read_text(message,
+               options=None, default=None, delimiter=':',
+@@ -139,7 +144,7 @@ def generate_password():
+      * digits (string.digits)
+      * ASCII lowercase letters (string.ascii_lowercase)
+      * ASCII uppercase letters (string.ascii_uppercase)
+-     * ASCII non-alphanumeric characters (string.punctuation)
++     * ASCII non-alphanumeric characters (PUNCTUATIONS)
+      * non-ASCII characters
+ 
+     If an ASCII uppercase letter is the first character of the password,
+@@ -159,7 +164,7 @@ def generate_password():
+     valid_chars = string.digits +\
+         string.ascii_lowercase +\
+         string.ascii_uppercase +\
+-        string.punctuation
++        PUNCTUATIONS
+ 
+     chars = []
+ 
+@@ -168,7 +173,7 @@ def generate_password():
+     chars.append(rnd.choice(string.digits))
+     chars.append(rnd.choice(string.ascii_lowercase))
+     chars.append(rnd.choice(string.ascii_uppercase))
+-    chars.append(rnd.choice(string.punctuation))
++    chars.append(rnd.choice(PUNCTUATIONS))
+ 
+     # add 6 additional random chars
+     chars.extend(rnd.choice(valid_chars) for i in range(6))
+-- 
+1.8.3.1
+
+
+From 08bf26f786b8d233382c6fedfad5d33d8c11d78f Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Thu, 1 Jun 2017 17:46:27 -0400
+Subject: [PATCH 16/27] Fix NPE in audit log invocation
+
+Some audit log objects take a RequestId or KeyId, on which we call
+toString().  In some cases, we were creating a KeyId or RequestId
+with null values, resulting in an NPE.  We fix these in this patch.
+
+Bugzilla BZ# 1458043
+
+Change-Id: I38d5a20e9920966c8414d56afd7690dc3c11a1db
+---
+ base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java        | 3 ++-
+ base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java     | 4 ++--
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+index ed20394..5e3b8a9 100644
+--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
++++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+@@ -1128,7 +1128,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
+         r = queue.findRequest(new RequestId(reqID));
+ 
+         auditAgents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
+-        keyID = new KeyId(r.getExtDataInBigInteger("serialNumber"));
++        BigInteger serialNumber = r.getExtDataInBigInteger("serialNumber");
++        keyID = serialNumber != null? new KeyId(serialNumber) : null;
+ 
+         // set transient parameters
+         params = createVolatileRequest(r.getRequestId());
+diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+index c0b5cdd..891b083 100644
+--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
++++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+@@ -283,7 +283,7 @@ public class TokenKeyRecoveryService implements IService {
+         // retrieve based on Certificate
+         String cert_s = request.getExtDataInString(ATTR_USER_CERT);
+         String keyid_s = request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID);
+-        KeyId keyId = new KeyId(request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID));
++        KeyId keyId = keyid_s != null ? new KeyId(keyid_s): null;
+         /* have to have at least one */
+         if ((cert_s == null) && (keyid_s == null)) {
+             CMS.debug("TokenKeyRecoveryService: not receive cert or keyid");
+@@ -593,7 +593,7 @@ public class TokenKeyRecoveryService implements IService {
+             return true;
+ 
+         } catch (Exception e) {
+-            CMS.debug("TokenKeyRecoveryService: " + e.toString());
++            CMS.debug(e);
+             request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+         }
+ 
+-- 
+1.8.3.1
+
+
+From 29dbed75f1c214a065cd3bcc438d0584fd980d4f Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 2 Jun 2017 18:46:01 +0200
+Subject: [PATCH 17/27] Excluded backslash from random password.
+
+The backslash is no longer used for generating random password
+since it's causing SSL hanshake failure.
+
+https://pagure.io/dogtagpki/issue/2676
+
+Change-Id: I2e63769b16fc3fa617b27dccb7b85f139714a411
+---
+ base/common/python/pki/__init__.py | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
+index 0478b32..1a6f5c2 100644
+--- a/base/common/python/pki/__init__.py
++++ b/base/common/python/pki/__init__.py
+@@ -46,9 +46,10 @@ CERT_HEADER = "-----BEGIN CERTIFICATE-----"
+ CERT_FOOTER = "-----END CERTIFICATE-----"
+ 
+ # Valid punctuation characters for random password.
+-# This is identical to string.punctuation minus the equal
+-# sign since it's used as delimiter in password.conf.
+-PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[\\]^_`{|}~'
++# This is based on string.punctuation except:
++#  - equal sign since it's used as delimiter in password.conf
++#  - backslash since it's causing SSL handshake failure
++PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[]^_`{|}~'
+ 
+ 
+ def read_text(message,
+-- 
+1.8.3.1
+
+
+From a614eb15476adb00df571d3ea05fdd8ea282141d Mon Sep 17 00:00:00 2001
+From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
+Date: Fri, 2 Jun 2017 15:40:52 -0700
+Subject: [PATCH 18/27] Resolve  #1663 Add SCP03 support .
+
+This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03.
+---
+ base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java  | 7 ++++---
+ base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 4 ++++
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
+index 5e5646b..3b80f27 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
++++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
+@@ -421,10 +421,11 @@ public class SecureChannel {
+                 throw new TPSException(method + "Failed to calculate card cryptogram!", TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+             }
+ 
+-            CMS.debug(method + " dumped macSessionKey: " + new TPSBuffer(macSessionKey.getEncoded()).toHexString() );
++            if(cardCryptogram != null)
++                CMS.debug(method + " actual card cryptogram " + cardCryptogram.toHexString());
+ 
+-            CMS.debug(method + " actual card cryptogram " + cardCryptogram.toHexString());
+-            CMS.debug(method + " calculated card cryptogram " + calculatedCardCryptogram.toHexString());
++            if(calculatedCardCryptogram != null)
++                CMS.debug(method + " calculated card cryptogram " + calculatedCardCryptogram.toHexString());
+ 
+             ExternalAuthenticateAPDUGP211 externalAuth = new ExternalAuthenticateAPDUGP211(hostCryptogram,
+                     /* secLevel */secLevelGP211);
+diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+index 0f96915..e1a5748 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
++++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+@@ -957,6 +957,10 @@ public class TPSProcessor {
+                 kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
+                         kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
+ 
++            CMS.debug(" encSessionKeySCP03 " + encSessionKeySCP03);
++            CMS.debug(" macSessionKeySCP03 " + macSessionKeySCP03);
++            CMS.debug(" kekSessionKeySCP03 " + kekSessionKeySCP03);
++
+             channel = new SecureChannel(this, encSessionKeySCP03, macSessionKeySCP03, kekSessionKeySCP03,
+                     drmDesKeyBuff, kekDesKeyBuff,
+                     keyCheckBuff, keyDiversificationData, cardChallenge,
+-- 
+1.8.3.1
+
+
+From af41896f083e1101b1ba62f6cc8c9be6064c6786 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 3 Jun 2017 02:07:04 +0200
+Subject: [PATCH 19/27] Refactored MainCLI.loadPassword() (part 1).
+
+The method that loads password from a file in MainCLI has been
+renamed into loadPassword() and modified to return early for
+clarity.
+
+https://pagure.io/dogtagpki/issue/2717
+
+Change-Id: I9b031c31040c2d00f04d9997abcdae38163bf6d5
+---
+ .../src/com/netscape/cmstools/cli/MainCLI.java     | 24 ++++++++++++----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+index 1b9c569..2402196 100644
+--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+@@ -229,7 +229,7 @@ public class MainCLI extends CLI {
+         options.addOption(null, "version", false, "Show version number.");
+     }
+ 
+-    public String[] readPlaintextPasswordFromFile(String pwfile) throws Exception {
++    public String[] loadPassword(String pwfile) throws Exception {
+         String[] tokenPassword = { null, null };
+         BufferedReader br = null;
+         String delimiter = "=";
+@@ -238,11 +238,16 @@ public class MainCLI extends CLI {
+             br = new BufferedReader(new FileReader(pwfile));
+ 
+             String line = br.readLine();
+-            if (line != null) {
+-                if (line.isEmpty()) {
+-                    throw new Exception("File '" + pwfile + "' does not define a token or a password!");
+ 
+-                } else if (line.contains(delimiter)) {
++            if (line == null) {
++                throw new Exception("File '" + pwfile + "' is empty!");
++            }
++
++            if (line.isEmpty()) {
++                throw new Exception("File '" + pwfile + "' does not define a token or a password!");
++            }
++
++                if (line.contains(delimiter)) {
+                     // Process 'token=password' format:
+                     //
+                     //     Token:     tokenPassword[0]
+@@ -270,10 +275,7 @@ public class MainCLI extends CLI {
+                     // Set simple 'password' (do not trim leading/trailing whitespace)
+                     tokenPassword[1] = line;
+                 }
+-            } else {
+-                // Case of an empty password file
+-                throw new Exception("File '" + pwfile + "' is empty!");
+-            }
++
+         } finally {
+             if (br != null) {
+                 br.close();
+@@ -397,7 +399,7 @@ public class MainCLI extends CLI {
+ 
+         if (certPasswordFile != null) {
+             // read client security database password from specified file
+-            tokenPasswordPair = readPlaintextPasswordFromFile(certPasswordFile);
++            tokenPasswordPair = loadPassword(certPasswordFile);
+             // XXX TBD set client security database token
+ 
+             certPassword = tokenPasswordPair[1];
+@@ -411,7 +413,7 @@ public class MainCLI extends CLI {
+ 
+         if (passwordFile != null) {
+             // read user password from specified file
+-            tokenPasswordPair = readPlaintextPasswordFromFile(passwordFile);
++            tokenPasswordPair = loadPassword(passwordFile);
+             // XXX TBD set user token
+ 
+             password = tokenPasswordPair[1];
+-- 
+1.8.3.1
+
+
+From 9741b7873005419b922ba79c61ef98ae17cb58be Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 3 Jun 2017 02:03:32 +0200
+Subject: [PATCH 20/27] Refactored MainCLI.loadPassword() (part 2).
+
+The MainCLI.loadPassword() has been modified to fix the code
+indentation.
+
+https://pagure.io/dogtagpki/issue/2717
+
+Change-Id: I7d208f1f4568f2fb1323ab206f45af5c0338b53f
+---
+ .../src/com/netscape/cmstools/cli/MainCLI.java     | 49 +++++++++++-----------
+ 1 file changed, 25 insertions(+), 24 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+index 2402196..2b6b173 100644
+--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+@@ -247,35 +247,36 @@ public class MainCLI extends CLI {
+                 throw new Exception("File '" + pwfile + "' does not define a token or a password!");
+             }
+ 
+-                if (line.contains(delimiter)) {
+-                    // Process 'token=password' format:
+-                    //
+-                    //     Token:     tokenPassword[0]
+-                    //     Password:  tokenPassword[1]
+-                    //
+-                    tokenPassword = line.split(delimiter, 2);
+-
+-                    // Always trim leading/trailing whitespace from 'token'
+-                    tokenPassword[0] = tokenPassword[0].trim();
+-
+-                    // Check for undefined 'token'
+-                    if (tokenPassword[0].isEmpty()) {
+-                        // Set default 'token'
+-                        tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME;
+-                    }
+-
+-                    // Check for undefined 'password'
+-                    if (tokenPassword[1].isEmpty()) {
+-                        throw new Exception("File '" + pwfile + "' does not define a password!");
+-                    }
+-                } else {
++            if (line.contains(delimiter)) {
++                // Process 'token=password' format:
++                //
++                //     Token:     tokenPassword[0]
++                //     Password:  tokenPassword[1]
++                //
++                tokenPassword = line.split(delimiter, 2);
++
++                // Always trim leading/trailing whitespace from 'token'
++                tokenPassword[0] = tokenPassword[0].trim();
++
++                // Check for undefined 'token'
++                if (tokenPassword[0].isEmpty()) {
+                     // Set default 'token'
+                     tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME;
++                }
+ 
+-                    // Set simple 'password' (do not trim leading/trailing whitespace)
+-                    tokenPassword[1] = line;
++                // Check for undefined 'password'
++                if (tokenPassword[1].isEmpty()) {
++                    throw new Exception("File '" + pwfile + "' does not define a password!");
+                 }
+ 
++            } else {
++                // Set default 'token'
++                tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME;
++
++                // Set simple 'password' (do not trim leading/trailing whitespace)
++                tokenPassword[1] = line;
++            }
++
+         } finally {
+             if (br != null) {
+                 br.close();
+-- 
+1.8.3.1
+
+
+From 729468e46612569da4c93b15bc0d674099003aba Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 3 Jun 2017 02:28:00 +0200
+Subject: [PATCH 21/27] Refactored MainCLI.loadPassword() (part 3).
+
+The MainCLI.loadPassword() has been modified to use try-with-
+resources. Some log messages have been added for clarity.
+
+https://pagure.io/dogtagpki/issue/2717
+
+Change-Id: Ic4950ba677613565f548b51d1f985177c6726510
+---
+ .../src/com/netscape/cmstools/cli/MainCLI.java      | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+index 2b6b173..dcc60e2 100644
+--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+@@ -230,12 +230,11 @@ public class MainCLI extends CLI {
+     }
+ 
+     public String[] loadPassword(String pwfile) throws Exception {
++
+         String[] tokenPassword = { null, null };
+-        BufferedReader br = null;
+         String delimiter = "=";
+ 
+-        try {
+-            br = new BufferedReader(new FileReader(pwfile));
++        try (BufferedReader br = new BufferedReader(new FileReader(pwfile))) {
+ 
+             String line = br.readLine();
+ 
+@@ -276,11 +275,6 @@ public class MainCLI extends CLI {
+                 // Set simple 'password' (do not trim leading/trailing whitespace)
+                 tokenPassword[1] = line;
+             }
+-
+-        } finally {
+-            if (br != null) {
+-                br.close();
+-            }
+         }
+ 
+         return tokenPassword;
+@@ -399,7 +393,7 @@ public class MainCLI extends CLI {
+         config.setCertNickname(certNickname);
+ 
+         if (certPasswordFile != null) {
+-            // read client security database password from specified file
++            if (verbose) System.out.println("Loading NSS password from " + certPasswordFile);
+             tokenPasswordPair = loadPassword(certPasswordFile);
+             // XXX TBD set client security database token
+ 
+@@ -413,7 +407,7 @@ public class MainCLI extends CLI {
+         config.setUsername(username);
+ 
+         if (passwordFile != null) {
+-            // read user password from specified file
++            if (verbose) System.out.println("Loading user password from " + passwordFile);
+             tokenPasswordPair = loadPassword(passwordFile);
+             // XXX TBD set user token
+ 
+@@ -494,15 +488,18 @@ public class MainCLI extends CLI {
+ 
+         // If password is specified, use password to access security token
+         if (config.getCertPassword() != null) {
+-            if (verbose) System.out.println("Logging into security token");
++
+             try {
+                 CryptoManager manager = CryptoManager.getInstance();
+ 
+                 String tokenName = config.getTokenName();
+-                CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName);
++                if (verbose) System.out.println("Getting " + (tokenName == null ? "internal" : tokenName) + " token");
+ 
++                CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName);
+                 manager.setThreadToken(token);
+ 
++                if (verbose) System.out.println("Logging into " + token.getName());
++
+                 Password password = new Password(config.getCertPassword().toCharArray());
+                 token.login(password);
+ 
+-- 
+1.8.3.1
+
+
+From d4e5176702b3a08a67233e069ac211e95e01b228 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 3 Jun 2017 01:32:37 +0200
+Subject: [PATCH 22/27] Refactored CLI.runExternal().
+
+The methods for running external commands in various CLI classes
+have been merged into CLI.runExternal().
+
+https://pagure.io/dogtagpki/issue/2717
+
+Change-Id: I5b6d136db699d3bb48e4f36f7f187d0240bbbf62
+---
+ .../src/com/netscape/cmstools/cli/CLI.java         | 35 ++++++++++++++++++++++
+ .../src/com/netscape/cmstools/cli/MainCLI.java     | 10 +++----
+ .../cmstools/client/ClientCertImportCLI.java       | 23 ++------------
+ .../cmstools/client/ClientCertModifyCLI.java       | 35 +++++-----------------
+ .../cmstools/client/ClientCertRequestCLI.java      | 10 +++----
+ .../cmstools/client/ClientCertShowCLI.java         | 27 +++--------------
+ .../netscape/cmstools/client/ClientInitCLI.java    | 25 ++++++----------
+ 7 files changed, 65 insertions(+), 100 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
+index 4911b8a..60db7a1 100644
+--- a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
+@@ -18,6 +18,7 @@
+ 
+ package com.netscape.cmstools.cli;
+ 
++import java.io.IOException;
+ import java.util.ArrayList;
+ import java.util.Collection;
+ import java.util.LinkedHashMap;
+@@ -351,4 +352,38 @@ public class CLI {
+     public static void setVerbose(boolean verbose) {
+         CLI.verbose = verbose;
+     }
++
++    public void runExternal(List<String> command) throws CLIException, IOException, InterruptedException {
++        String[] array = command.toArray(new String[command.size()]);
++        runExternal(array);
++    }
++
++    public void runExternal(String[] command) throws CLIException, IOException, InterruptedException {
++
++        if (verbose) {
++
++            System.out.print("External command:");
++
++           for (String c : command) {
++
++               boolean quote = c.contains(" ");
++
++               System.out.print(" ");
++
++               if (quote) System.out.print("\"");
++               System.out.print(c);
++               if (quote) System.out.print("\"");
++           }
++
++           System.out.println();
++        }
++
++        Runtime rt = Runtime.getRuntime();
++        Process p = rt.exec(command);
++        int rc = p.waitFor();
++
++        if (rc != 0) {
++            throw new CLIException("External command failed. RC: " + rc, rc);
++        }
++    }
+ }
+diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+index dcc60e2..51861b5 100644
+--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+@@ -473,12 +473,10 @@ public class MainCLI extends CLI {
+                     "--empty-password"
+             };
+ 
+-            Runtime rt = Runtime.getRuntime();
+-            Process p = rt.exec(commands);
+-
+-            int rc = p.waitFor();
+-            if (rc != 0) {
+-                throw new Exception("Unable to create security database: " + certDatabase.getAbsolutePath() + " (rc: " + rc + ")");
++            try {
++                runExternal(commands);
++            } catch (Exception e) {
++                throw new Exception("Unable to create security database", e);
+             }
+         }
+ 
+diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+index 9cb3e67..687dfc4 100644
+--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+@@ -21,14 +21,12 @@ package com.netscape.cmstools.client;
+ import java.io.File;
+ import java.io.FileOutputStream;
+ import java.io.FileWriter;
+-import java.io.IOException;
+ import java.io.PrintWriter;
+ import java.net.URI;
+ import java.util.Arrays;
+ 
+ import org.apache.commons.cli.CommandLine;
+ import org.apache.commons.cli.Option;
+-import org.apache.commons.lang.StringUtils;
+ 
+ import com.netscape.certsrv.cert.CertClient;
+ import com.netscape.certsrv.cert.CertData;
+@@ -283,8 +281,7 @@ public class ClientCertImportCLI extends CLI {
+         };
+ 
+         try {
+-            run(command);
+-
++            runExternal(command);
+         } catch (Exception e) {
+             throw new Exception("Unable to import certificate file", e);
+         }
+@@ -305,25 +302,9 @@ public class ClientCertImportCLI extends CLI {
+         };
+ 
+         try {
+-            run(command);
+-
++            runExternal(command);
+         } catch (Exception e) {
+             throw new Exception("Unable to import PKCS #12 file", e);
+         }
+     }
+-
+-    public void run(String[] command) throws IOException, InterruptedException {
+-
+-        if (verbose) {
+-           System.out.println("Command: " + StringUtils.join(command, " "));
+-        }
+-
+-        Runtime rt = Runtime.getRuntime();
+-        Process p = rt.exec(command);
+-        int rc = p.waitFor();
+-
+-        if (rc != 0) {
+-            throw new IOException("Command failed. RC: " + rc);
+-        }
+-    }
+ }
+diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java
+index f229e67..8ae7c6d 100644
+--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java
+@@ -18,8 +18,6 @@
+ 
+ package com.netscape.cmstools.client;
+ 
+-import java.io.IOException;
+-
+ import org.apache.commons.cli.CommandLine;
+ import org.apache.commons.cli.Option;
+ 
+@@ -75,38 +73,19 @@ public class ClientCertModifyCLI extends CLI {
+ 
+         String trustAttributes = cmd.getOptionValue("trust", "u,u,u");
+ 
+-        int rc = modifyCert(
+-                mainCLI.certDatabase.getAbsolutePath(),
+-                nickname,
+-                trustAttributes);
+-
+-        if (rc != 0) {
+-            MainCLI.printMessage("Modified failed");
+-            return;
+-        }
+-
+-        MainCLI.printMessage("Modified certificate \"" + nickname + "\"");
+-    }
+-
+-    public int modifyCert(
+-            String dbPath,
+-            String nickname,
+-            String trustAttributes) throws IOException, InterruptedException {
+-
+         String[] command = {
+                 "/usr/bin/certutil", "-M",
+-                "-d", dbPath,
++                "-d", mainCLI.certDatabase.getAbsolutePath(),
+                 "-n", nickname,
+                 "-t", trustAttributes
+         };
+ 
+-        return run(command);
+-    }
 -
--        # if docBase is absolute and pointing to non-empty folder, ignore
--        if docBase.startswith('/') and \
--                os.path.exists(docBase) and \
--                os.listdir(docBase):
--            return
+-    public int run(String[] command) throws IOException, InterruptedException {
++        try {
++            runExternal(command);
++        } catch (Exception e) {
++            throw new Exception("Unable to modify certificate", e);
++        }
+ 
+-        Runtime rt = Runtime.getRuntime();
+-        Process p = rt.exec(command);
+-        return p.waitFor();
++        MainCLI.printMessage("Modified certificate \"" + nickname + "\"");
+     }
+ }
+diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+index 696ab8b..a14bb24 100644
+--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+@@ -386,12 +386,10 @@ public class ClientCertRequestCLI extends CLI {
+                 "-n", subjectDN
+         };
+ 
+-        Runtime rt = Runtime.getRuntime();
+-        Process p = rt.exec(commands);
 -
--        # if docBase is relative and pointing to non-empty folder, ignore
--        if not docBase.startswith('/') and \
--                os.path.exists(instance.base_dir + '/webapps/' + docBase) and \
--                os.listdir(instance.base_dir + '/webapps/' + docBase):
--            return
+-        int rc = p.waitFor();
+-        if (rc != 0) {
+-            throw new Exception("CSR generation failed");
++        try {
++            runExternal(commands);
++        } catch (Exception e) {
++            throw new Exception("CSR generation failed", e);
+         }
+ 
+         if (verbose) {
+diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java
+index 2242b37..bb60fbf 100644
+--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java
+@@ -20,13 +20,11 @@ package com.netscape.cmstools.client;
+ 
+ import java.io.File;
+ import java.io.FileWriter;
+-import java.io.IOException;
+ import java.io.PrintWriter;
+ 
+ import org.apache.commons.cli.CommandLine;
+ import org.apache.commons.cli.Option;
+ import org.apache.commons.lang.RandomStringUtils;
+-import org.apache.commons.lang.StringUtils;
+ import org.mozilla.jss.crypto.X509Certificate;
+ 
+ import com.netscape.certsrv.client.PKIClient;
+@@ -192,8 +190,7 @@ public class ClientCertShowCLI extends CLI {
+         };
+ 
+         try {
+-            run(command);
 -
--        # docBase is pointing to non-existent/empty folder
++            runExternal(command);
+         } catch (Exception e) {
+             throw new Exception("Unable to export PKCS #12 file", e);
+         }
+@@ -215,8 +212,7 @@ public class ClientCertShowCLI extends CLI {
+         };
+ 
+         try {
+-            run(command);
 -
--        # if theme package is installed, replace deployment descriptor
--        if os.path.exists(pki.SHARE_DIR + '/common-ui'):
--            self.copy_file(instance, source_xml, target_xml)
++            runExternal(command);
+         } catch (Exception e) {
+             throw new Exception("Unable to export certificate", e);
+         }
+@@ -238,8 +234,7 @@ public class ClientCertShowCLI extends CLI {
+         };
+ 
+         try {
+-            run(command);
+-
++            runExternal(command);
+         } catch (Exception e) {
+             throw new Exception("Unable to export private key", e);
+         }
+@@ -261,23 +256,9 @@ public class ClientCertShowCLI extends CLI {
+         };
+ 
+         try {
+-            run(command);
+-
++            runExternal(command);
+         } catch (Exception e) {
+             throw new Exception("Unable to export client certificate and private key", e);
+         }
+     }
+-
+-    public void run(String[] command) throws IOException, InterruptedException {
+-
+-        if (verbose) System.out.println("Command: " + StringUtils.join(command, " "));
+-
+-        Runtime rt = Runtime.getRuntime();
+-        Process p = rt.exec(command);
+-        int rc = p.waitFor();
+-
+-        if (rc != 0) {
+-            throw new IOException("Command failed. RC: " + rc);
+-        }
+-    }
+ }
+diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
+index 893b40b..7e018de 100644
+--- a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
+@@ -95,12 +95,11 @@ public class ClientInitCLI extends CLI {
+         File passwordFile = new File(certDatabase, "password.txt");
+ 
+         try {
+-            String[] commands = {
+-                    "/usr/bin/certutil", "-N",
+-                    "-d", certDatabase.getAbsolutePath(),
+-            };
+-
+-            List<String> list = new ArrayList<>(Arrays.asList(commands));
++            List<String> list = new ArrayList<>();
++            list.add("/usr/bin/certutil");
++            list.add("-N");
++            list.add("-d");
++            list.add(certDatabase.getAbsolutePath());
+ 
+             if (mainCLI.config.getCertPassword() == null) {
+                 list.add("--empty-password");
+@@ -114,16 +113,10 @@ public class ClientInitCLI extends CLI {
+                 list.add(passwordFile.getAbsolutePath());
+             }
+ 
+-            commands = new String[list.size()];
+-            list.toArray(commands);
 -
--    def copy_file(self, instance, source, target):
+-            Runtime rt = Runtime.getRuntime();
+-            Process p = rt.exec(commands);
 -
--        self.backup(target)
--        shutil.copyfile(source, target)
--        os.chown(target, instance.uid, instance.gid)
+-            int rc = p.waitFor();
+-            if (rc != 0) {
+-                MainCLI.printMessage("Client initialization failed");
+-                return;
++            try {
++                runExternal(list);
++            } catch (Exception e) {
++                throw new Exception("Client initialization failed", e);
+             }
+ 
+             MainCLI.printMessage("Client initialized");
+-- 
+1.8.3.1
+
+
+From 3ef47867df74eb9dce408b88756ccce7d7438da5 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 3 Jun 2017 00:29:29 +0200
+Subject: [PATCH 23/27] Fixed pki client-cert-import CLI.
+
+The pki client-cert-import CLI has been modified to provide a
+password file when invoking the certutil -A command.
+
+https://pagure.io/dogtagpki/issue/2717
+
+Change-Id: If32f9eeb39d140aaef38c9bc1933f3ae0f57a5a2
+---
+ .../cmstools/client/ClientCertImportCLI.java       | 94 +++++++++++++++-------
+ 1 file changed, 66 insertions(+), 28 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+index 687dfc4..1c67f99 100644
+--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+@@ -23,7 +23,9 @@ import java.io.FileOutputStream;
+ import java.io.FileWriter;
+ import java.io.PrintWriter;
+ import java.net.URI;
++import java.util.ArrayList;
+ import java.util.Arrays;
++import java.util.List;
+ 
+ import org.apache.commons.cli.CommandLine;
+ import org.apache.commons.cli.Option;
+@@ -128,6 +130,20 @@ public class ClientCertImportCLI extends CLI {
+         String serialNumber = cmd.getOptionValue("serial");
+         String trustAttributes = cmd.getOptionValue("trust");
+ 
++        File nssdbPasswordFile = null;
++
++        if (mainCLI.config.getCertPassword() != null) {
++
++            // store NSS database password in a temporary file
++
++            nssdbPasswordFile = File.createTempFile("pki-client-cert-import-", ".nssdb-pwd");
++            nssdbPasswordFile.deleteOnExit();
++
++            try (PrintWriter out = new PrintWriter(new FileWriter(nssdbPasswordFile))) {
++                out.print(mainCLI.config.getCertPassword());
++            }
++        }
++
+         // load the certificate
+         if (certPath != null) {
+ 
+@@ -137,7 +153,8 @@ public class ClientCertImportCLI extends CLI {
+                 trustAttributes = "u,u,u";
+ 
+             importCert(
+-                    mainCLI.certDatabase.getAbsolutePath(),
++                    mainCLI.certDatabase,
++                    nssdbPasswordFile,
+                     certPath,
+                     nickname,
+                     trustAttributes);
+@@ -150,7 +167,8 @@ public class ClientCertImportCLI extends CLI {
+                 trustAttributes = "CT,c,";
+ 
+             importCert(
+-                    mainCLI.certDatabase.getAbsolutePath(),
++                    mainCLI.certDatabase,
++                    nssdbPasswordFile,
+                     caCertPath,
+                     nickname,
+                     trustAttributes);
+@@ -164,7 +182,7 @@ public class ClientCertImportCLI extends CLI {
+ 
+             } else if (pkcs12Password != null) {
+                 // store password into a temporary file
+-                File pkcs12PasswordFile = File.createTempFile("pki-client-cert-import-", ".pwd");
++                File pkcs12PasswordFile = File.createTempFile("pki-client-cert-import-", ".pkcs12-pwd");
+                 pkcs12PasswordFile.deleteOnExit();
+ 
+                 try (PrintWriter out = new PrintWriter(new FileWriter(pkcs12PasswordFile))) {
+@@ -182,8 +200,8 @@ public class ClientCertImportCLI extends CLI {
+ 
+             // import certificates and private key into PKCS #12 file
+             importPKCS12(
+-                    mainCLI.certDatabase.getAbsolutePath(),
+-                    mainCLI.config.getCertPassword(),
++                    mainCLI.certDatabase,
++                    nssdbPasswordFile,
+                     pkcs12Path,
+                     pkcs12PasswordPath);
+ 
+@@ -212,7 +230,8 @@ public class ClientCertImportCLI extends CLI {
+                 trustAttributes = "CT,c,";
+ 
+             importCert(
+-                    mainCLI.certDatabase.getAbsolutePath(),
++                    mainCLI.certDatabase,
++                    nssdbPasswordFile,
+                     certFile.getAbsolutePath(),
+                     nickname,
+                     trustAttributes);
+@@ -245,7 +264,8 @@ public class ClientCertImportCLI extends CLI {
+                 trustAttributes = "u,u,u";
+ 
+             importCert(
+-                    mainCLI.certDatabase.getAbsolutePath(),
++                    mainCLI.certDatabase,
++                    nssdbPasswordFile,
+                     certFile.getAbsolutePath(),
+                     nickname,
+                     trustAttributes);
+@@ -263,8 +283,9 @@ public class ClientCertImportCLI extends CLI {
+     }
+ 
+     public void importCert(
+-            String dbPath,
+-            String certPath,
++            File dbPath,
++            File dbPasswordFile,
++            String certFile,
+             String nickname,
+             String trustAttributes) throws Exception {
+ 
+@@ -272,13 +293,23 @@ public class ClientCertImportCLI extends CLI {
+             throw new Exception("Missing certificate nickname.");
+         }
+ 
+-        String[] command = {
+-                "/bin/certutil", "-A",
+-                "-d", dbPath,
+-                "-i", certPath,
+-                "-n", nickname,
+-                "-t", trustAttributes
+-        };
++        List<String> command = new ArrayList<>();
++        command.add("/bin/certutil");
++        command.add("-A");
++        command.add("-d");
++        command.add(dbPath.getAbsolutePath());
++
++        if (dbPasswordFile != null) {
++            command.add("-f");
++            command.add(dbPasswordFile.getAbsolutePath());
++        }
++
++        command.add("-i");
++        command.add(certFile);
++        command.add("-n");
++        command.add(nickname);
++        command.add("-t");
++        command.add(trustAttributes);
+ 
+         try {
+             runExternal(command);
+@@ -288,18 +319,25 @@ public class ClientCertImportCLI extends CLI {
+     }
+ 
+     public void importPKCS12(
+-            String dbPath,
+-            String dbPassword,
+-            String pkcs12Path,
+-            String pkcs12PasswordPath) throws Exception {
+-
+-        String[] command = {
+-                "/bin/pk12util",
+-                "-d", dbPath,
+-                "-K", dbPassword,
+-                "-i", pkcs12Path,
+-                "-w", pkcs12PasswordPath
+-        };
++            File dbPath,
++            File dbPasswordFile,
++            String pkcs12File,
++            String pkcs12PasswordFile) throws Exception {
++
++        List<String> command = new ArrayList<>();
++        command.add("/bin/pk12util");
++        command.add("-d");
++        command.add(dbPath.getAbsolutePath());
++
++        if (dbPasswordFile != null) {
++            command.add("-k");
++            command.add(dbPasswordFile.getAbsolutePath());
++        }
++
++        command.add("-i");
++        command.add(pkcs12File);
++        command.add("-w");
++        command.add(pkcs12PasswordFile);
+ 
+         try {
+             runExternal(command);
+-- 
+1.8.3.1
+
+
+From 64b7b7abfed29b6a520be66414139364d713461e Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 3 Jun 2017 03:52:09 +0200
+Subject: [PATCH 24/27] Fixed default CA cert trust flags in pki CLI.
+
+The pki CLI has been modified to use CT,C,C as the default trust
+flags for CA certificate import operations.
+
+https://pagure.io/dogtagpki/issue/2726
+
+Change-Id: I68c5a0303459319cc746a77703d0a420f4f68377
+---
+ base/common/python/pki/cli/pkcs12.py                                  | 2 +-
+ .../src/com/netscape/cmstools/client/ClientCertImportCLI.java         | 4 ++--
+ .../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java  | 1 +
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
+index 6b99fcf..2f8aabf 100644
+--- a/base/common/python/pki/cli/pkcs12.py
++++ b/base/common/python/pki/cli/pkcs12.py
+@@ -237,7 +237,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
+                         trust_flags = cert_info['trust_flags']
+                     else:
+                         # default trust flags for CA certificates
+-                        trust_flags = 'CT,c,c'
++                        trust_flags = 'CT,C,C'
+ 
+                     if main_cli.verbose:
+                         print('Exporting %s (%s) from PKCS #12 file' % (nickname, cert_id))
+diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+index 1c67f99..844453e 100644
+--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+@@ -164,7 +164,7 @@ public class ClientCertImportCLI extends CLI {
+             if (verbose) System.out.println("Importing CA certificate from " + caCertPath + ".");
+ 
+             if (trustAttributes == null)
+-                trustAttributes = "CT,c,";
++                trustAttributes = "CT,C,C";
+ 
+             importCert(
+                     mainCLI.certDatabase,
+@@ -227,7 +227,7 @@ public class ClientCertImportCLI extends CLI {
+             }
+ 
+             if (trustAttributes == null)
+-                trustAttributes = "CT,c,";
++                trustAttributes = "CT,C,C";
+ 
+             importCert(
+                     mainCLI.certDatabase,
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index c9a375f..ebade36 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -1113,6 +1113,7 @@ public class ConfigurationUtils {
+                             | InternalCertificate.VALID_CA);
+ 
+                 } else if (isAuditSigningCert(name)) {
++                    // set trust flags to u,u,Pu
+                     icert.setObjectSigningTrust(InternalCertificate.USER
+                             | InternalCertificate.VALID_PEER
+                             | InternalCertificate.TRUSTED_PEER);
+-- 
+1.8.3.1
+
+
+From c0b2daef934a8f5ac1c61d673865348aa2a0f702 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Thu, 25 May 2017 15:32:14 +1000
+Subject: [PATCH 25/27] Improve exception message for null
+ AuthorityKeyIdentifier
+
+When the Authority Key Identifier extension cannot be instantiated,
+we currently fail with a generic "extension not found" error
+message.  Throw a better exception for this case in particular, and
+improve the exception message for the general case of attempting to
+add a null exception.
+
+Fixes: https://pagure.io/dogtagpki/issue/2705
+Change-Id: Ic79742d8a228391275ffe5bfeef0a324f6b431bd
+---
+ .../netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java    | 4 ++++
+ base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java   | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
+index 42931de..f8d8b44 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
+@@ -183,6 +183,10 @@ public class AuthorityKeyIdentifierExtDefault extends CAEnrollDefault {
+         } catch (EBaseException e) {
+             throw new EProfileException(e);
+         }
++        if (ext == null) {
++            throw new EProfileException(
++                "Could not instantiate AuthorityKeyIdentifier extension.");
++        }
+         addExtension(PKIXExtensions.AuthorityKey_Id.toString(), ext, info);
+     }
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
+index 1d5bfc4..6192888 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
+@@ -367,7 +367,7 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe
+     protected void addExtension(String name, Extension ext, X509CertInfo info)
+             throws EProfileException {
+         if (ext == null) {
+-            throw new EProfileException("extension not found");
++            throw new EProfileException("addExtension: extension '" + name + "' is null");
+         }
+         CertificateExtensions exts = null;
+ 
 -- 
 1.8.3.1
 
diff --git a/SOURCES/pki-core-snapshot-4.patch b/SOURCES/pki-core-snapshot-4.patch
index 5507209..fa0082b 100644
--- a/SOURCES/pki-core-snapshot-4.patch
+++ b/SOURCES/pki-core-snapshot-4.patch
@@ -1,220 +1,3667 @@
-From b2b617c1372559d03de582c66687df248e77fa7b Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 8 Sep 2016 20:06:19 +0200
-Subject: [PATCH] Removed support for creating system certificates in different
- tokens.
-
-The patch that added the support for creating system certificates
-in different tokens causes issues in certain cases, so for now it
-has been reverted.
-
-https://fedorahosted.org/pki/ticket/2449
-(cherry picked from commit b0a4981937abb1a3decad7decc0a788473464039)
-(cherry picked from commit 744c506e41f33c7532c0ce8ab08f12bc75d79506)
+From aa39354dbbf9df404f6ad374c837db0c421f2705 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Mon, 5 Jun 2017 08:50:25 -0700
+Subject: [PATCH 01/14] Ticket #2617 part2: add revocation check to signing
+ cert
+
+---
+ .../cms/authentication/CMCUserSignedAuth.java         | 19 +++++++++++++++++++
+ .../authentication/CertUserDBAuthentication.java      |  2 +-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+index 2128c1e..a18c25e 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+@@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream;
+ import java.io.ByteArrayOutputStream;
+ import java.io.IOException;
+ import java.math.BigInteger;
++import java.security.cert.CertificateExpiredException;
+ import java.security.MessageDigest;
+ import java.security.PublicKey;
+ import java.util.Enumeration;
+@@ -1076,7 +1077,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                             si.verify(digest, id, pubK);
+                         }
+                         CMS.debug(method + "finished checking signature");
++
+                         // verify signer's certificate using the revocator
++                        // ...or not;  I think it just checks usage and
++                        // validity, but not revocation status
+                         if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) {
+                             CMS.debug(method + "CMC signature failed to be verified");
+                             s.close();
+@@ -1086,6 +1090,21 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                         }
+                         // At this point, the signature has been verified;
+ 
++                        // now check revocation status of the cert
++                        if (CMS.isRevoked(x509Certs)) {
++                            CMS.debug(method + "CMC signing cert is a revoked certificate");
++                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                        }
++                        try { //do this again anyways
++                            cert.checkValidity();
++                        } catch (CertificateExpiredException e) {
++                            CMS.debug(method + "CMC signing cert is an expired certificate");
++                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                        } catch (Exception e) {
++                            CMS.debug(method + e.toString());
++                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
++                        }
++
+                         IAuthToken tempToken = new AuthToken(null);
+ /*
+                         netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java b/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java
+index 998d7e2..ae450fa 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java
+@@ -168,7 +168,7 @@ public class CertUserDBAuthentication implements IAuthManager, ICertUserDBAuthen
+         try {
+             user = (User) mCULocator.locateUser(certs);
+         } catch (EUsrGrpException e) {
+-            CMS.debug("CertUserDBAuthentication: cannot map certificate to any user");
++            CMS.debug("CertUserDBAuthentication: cannot map certificate to any user" + e);
+             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_AGENT_AUTH_FAILED", x509Certs[0].getSerialNumber()
+                     .toString(16), x509Certs[0].getSubjectDN().toString(), e.toString()));
+             throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+-- 
+1.8.3.1
+
+
+From 30fb7bf49ce0f4c726f937b3984a4e27abb39959 Mon Sep 17 00:00:00 2001
+From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
+Date: Tue, 6 Jun 2017 16:16:32 -0700
+Subject: [PATCH 04/14] Minor fix to already fixed issue:
+
+The problem was that a tiny piece of the original patch didn't get checked in. This resolves this issue.
 ---
- .../cms/servlet/csadmin/ConfigurationUtils.java    | 18 ++++-------
- .../dogtagpki/server/rest/SystemConfigService.java |  9 ++++--
- .../src/com/netscape/cmscore/apps/CMSEngine.java   |  4 +--
- .../server/deployment/scriptlets/configuration.py  | 37 +++-------------------
- 4 files changed, 19 insertions(+), 49 deletions(-)
+ base/native-tools/src/tkstool/key.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/base/native-tools/src/tkstool/key.c b/base/native-tools/src/tkstool/key.c
+index e63da93..f208cbd 100644
+--- a/base/native-tools/src/tkstool/key.c
++++ b/base/native-tools/src/tkstool/key.c
+@@ -1219,13 +1219,14 @@ TKS_StoreSymmetricKeyAndNameIt( char              *symmetricKeyName,
+     rvExtractSymmetricKey = PK11_ExtractKeyValue( /* symmetric key */ symKey );
+     if( rvExtractSymmetricKey != SECSuccess ) {
+         PR_fprintf( PR_STDERR,
+-                    "ERROR:  Failed to extract the %s key!\n\n",
++                    "ERROR:  Failed to extract the %s key for final display, OK if in FIPs mode!\n\n",
+                     symmetricKeyName );
+-        goto destroyHexSymmetricKey;
+-    }
++        symmetricKey = NULL;
++    } else {
+ 
+-    /* If present, retrieve the raw key data */
+-    symmetricKey = PK11_GetKeyData( /* symmetric key */  symKey );
++        /* If present, retrieve the raw key data */
++        symmetricKey = PK11_GetKeyData( /* symmetric key */  symKey );
++    }
+ 
+ #if defined(DEBUG)
+     /* For convenience, display the final symmetric key and */
+-- 
+1.8.3.1
 
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-index 3e638ad..34500d0 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-@@ -2826,7 +2826,7 @@ public class ConfigurationUtils {
+
+From 38df4274214938ceece85627abb6d4fe77b960ff Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Fri, 26 May 2017 13:06:18 -0400
+Subject: [PATCH 06/14] Refactor client to not use keysets
+
+It is simpler to simply tell the client which
+algorithm to use for key wrapping and encryption, rather
+than use key sets.  Therefore:
+
+* KRAInfo and CAInfo are refactored to provide the
+  algorithms required for key wrapping and encryption.
+
+* Client is modified to use these parameters to determine
+  which algorithms to use.
+
+* We specify the OIDs that will be used in the PKIARchiveOptions
+  more correctly.  The options are basically:
+  AES-128-CBC, DES3-CBC, AES KeyWrap/Pad
+
+Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
+---
+ base/common/src/org/dogtagpki/common/CAInfo.java   |  34 +++--
+ base/common/src/org/dogtagpki/common/KRAInfo.java  |  34 +++++
+ .../src/com/netscape/cmstools/CRMFPopClient.java   | 153 ++++++++++-----------
+ .../cmstools/client/ClientCertRequestCLI.java      |  34 +----
+ .../org/dogtagpki/server/rest/CAInfoService.java   |  18 +--
+ .../org/dogtagpki/server/rest/KRAInfoService.java  |  40 +++++-
+ .../com/netscape/cmsutil/crypto/CryptoUtil.java    |  22 +++
+ 7 files changed, 206 insertions(+), 129 deletions(-)
+
+diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java
+index f21dcd0..0f68c7a 100644
+--- a/base/common/src/org/dogtagpki/common/CAInfo.java
++++ b/base/common/src/org/dogtagpki/common/CAInfo.java
+@@ -54,7 +54,8 @@ public class CAInfo extends ResourceMessage {
+     }
+ 
+     String archivalMechanism;
+-    String wrappingKeySet;
++    String encryptAlgorithm;
++    String keyWrapAlgorithm;
+ 
+     @XmlElement(name="ArchivalMechanism")
+     public String getArchivalMechanism() {
+@@ -65,13 +66,20 @@ public class CAInfo extends ResourceMessage {
+         this.archivalMechanism = archivalMechanism;
+     }
+ 
+-    @XmlElement(name="WrappingKeySet")
+-    public String getWrappingKeySet() {
+-        return wrappingKeySet;
++    public String getEncryptAlgorithm() {
++        return encryptAlgorithm;
+     }
+ 
+-    public void setWrappingKeySet(String wrappingKeySet) {
+-        this.wrappingKeySet = wrappingKeySet;
++    public void setEncryptAlgorithm(String encryptAlgorithm) {
++        this.encryptAlgorithm = encryptAlgorithm;
++    }
++
++    public String getKeyWrapAlgorithm() {
++        return keyWrapAlgorithm;
++    }
++
++    public void setKeyWrapAlgorithm(String keyWrapAlgorithm) {
++        this.keyWrapAlgorithm = keyWrapAlgorithm;
+     }
+ 
+     @Override
+@@ -79,7 +87,8 @@ public class CAInfo extends ResourceMessage {
+         final int prime = 31;
+         int result = super.hashCode();
+         result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode());
+-        result = prime * result + ((wrappingKeySet == null) ? 0 : wrappingKeySet.hashCode());
++        result = prime * result + ((encryptAlgorithm == null) ? 0 : encryptAlgorithm.hashCode());
++        result = prime * result + ((keyWrapAlgorithm == null) ? 0 : keyWrapAlgorithm.hashCode());
+         return result;
+     }
+ 
+@@ -97,10 +106,15 @@ public class CAInfo extends ResourceMessage {
+                 return false;
+         } else if (!archivalMechanism.equals(other.archivalMechanism))
+             return false;
+-        if (wrappingKeySet == null) {
+-            if (other.wrappingKeySet != null)
++        if (encryptAlgorithm == null) {
++            if (other.encryptAlgorithm != null)
++                return false;
++        } else if (!encryptAlgorithm.equals(other.encryptAlgorithm))
++            return false;
++        if (keyWrapAlgorithm == null) {
++            if (other.keyWrapAlgorithm != null)
+                 return false;
+-        } else if (!wrappingKeySet.equals(other.wrappingKeySet))
++        } else if (!keyWrapAlgorithm.equals(other.keyWrapAlgorithm))
+             return false;
+         return true;
+     }
+diff --git a/base/common/src/org/dogtagpki/common/KRAInfo.java b/base/common/src/org/dogtagpki/common/KRAInfo.java
+index e17bd64..66fb992 100644
+--- a/base/common/src/org/dogtagpki/common/KRAInfo.java
++++ b/base/common/src/org/dogtagpki/common/KRAInfo.java
+@@ -55,6 +55,8 @@ public class KRAInfo extends ResourceMessage {
+ 
+     String archivalMechanism;
+     String recoveryMechanism;
++    String encryptAlgorithm;
++    String wrapAlgorithm;
+ 
+     @XmlElement(name="ArchivalMechanism")
+     public String getArchivalMechanism() {
+@@ -74,12 +76,32 @@ public class KRAInfo extends ResourceMessage {
+         this.recoveryMechanism = recoveryMechanism;
+     }
+ 
++    @XmlElement(name="EncryptAlgorithm")
++    public String getEncryptAlgorithm() {
++        return encryptAlgorithm;
++    }
++
++    public void setEncryptAlgorithm(String encryptAlgorithm) {
++        this.encryptAlgorithm = encryptAlgorithm;
++    }
++
++    @XmlElement(name="WrapAlgorithm")
++    public String getWrapAlgorithm() {
++        return wrapAlgorithm;
++    }
++
++    public void setWrapAlgorithm(String wrapAlgorithm) {
++        this.wrapAlgorithm = wrapAlgorithm;
++    }
++
+     @Override
+     public int hashCode() {
+         final int prime = 31;
+         int result = super.hashCode();
+         result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode());
++        result = prime * result + ((encryptAlgorithm == null) ? 0 : encryptAlgorithm.hashCode());
+         result = prime * result + ((recoveryMechanism == null) ? 0 : recoveryMechanism.hashCode());
++        result = prime * result + ((wrapAlgorithm == null) ? 0 : wrapAlgorithm.hashCode());
+         return result;
+     }
+ 
+@@ -97,11 +119,21 @@ public class KRAInfo extends ResourceMessage {
+                 return false;
+         } else if (!archivalMechanism.equals(other.archivalMechanism))
+             return false;
++        if (encryptAlgorithm == null) {
++            if (other.encryptAlgorithm != null)
++                return false;
++        } else if (!encryptAlgorithm.equals(other.encryptAlgorithm))
++            return false;
+         if (recoveryMechanism == null) {
+             if (other.recoveryMechanism != null)
+                 return false;
+         } else if (!recoveryMechanism.equals(other.recoveryMechanism))
+             return false;
++        if (wrapAlgorithm == null) {
++            if (other.wrapAlgorithm != null)
++                return false;
++        } else if (!wrapAlgorithm.equals(other.wrapAlgorithm))
++            return false;
+         return true;
+     }
+ 
+@@ -125,6 +157,8 @@ public class KRAInfo extends ResourceMessage {
+         KRAInfo before = new KRAInfo();
+         before.setArchivalMechanism("encrypt");
+         before.setRecoveryMechanism("keywrap");
++        before.setEncryptAlgorithm("AES/CBC/Pad");
++        before.setWrapAlgorithm("AES KeyWrap/Padding");
+ 
+         String string = before.toString();
+         System.out.println(string);
+diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+index 0057a1d..b06faa6 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+@@ -190,11 +190,7 @@ public class CRMFPopClient {
+         option.setArgName("extractable");
+         options.addOption(option);
+ 
+-        option = new Option("g", true, "KeyWrap");
+-        option.setArgName("keyWrap");
+-        options.addOption(option);
+-
+-        option = new Option("w", true, "Wrapping Keyset");
++        option = new Option("w", true, "Algorithm to be used for key wrapping");
+         option.setArgName("keySet");
+         options.addOption(option);
+ 
+@@ -231,10 +227,7 @@ public class CRMFPopClient {
+         System.out.println("                               - POP_NONE: without POP");
+         System.out.println("                               - POP_SUCCESS: with valid POP");
+         System.out.println("                               - POP_FAIL: with invalid POP (for testing)");
+-        System.out.println("  -g <true|false>              Use KeyWrapping to wrap private key (default: true)");
+-        System.out.println("                               - true: use a key wrapping algorithm");
+-        System.out.println("                               - false: use an encryption algorithm");
+-        System.out.println("  -w <keyset_id>               Key set ID to use when wrapping the private key");
++        System.out.println("  -w <keywrap algorithm>       Algorithm to use for key wrapping");
+         System.out.println("  -b <transport cert>          PEM transport certificate (default: transport.txt)");
+         System.out.println("  -v, --verbose                Run in verbose mode.");
+         System.out.println("      --help                   Show help message.");
+@@ -329,20 +322,17 @@ public class CRMFPopClient {
+ 
+         boolean self_sign = cmd.hasOption("y");
+ 
+-        // get the key wrapping mechanism
+-        boolean keyWrap = true;
+-        if (cmd.hasOption("g")) {
+-            keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g"));
++        // get the keywrap algorithm
++        KeyWrapAlgorithm keyWrapAlgorithm = null;
++        String kwAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString();
++        if (cmd.hasOption("w")) {
++            kwAlg = cmd.getOptionValue("w");
+         } else {
+-            String useKeyWrap = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING");
+-            if (useKeyWrap != null) {
+-                keyWrap = Boolean.parseBoolean(useKeyWrap);
++            String alg = System.getenv("KEY_ARCHIVAL_KEYWRAP_ALGORITHM");
++            if (alg != null) {
++                kwAlg = alg;
+             }
          }
+-        String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
+-            KRAInfoResource.ENCRYPT_MECHANISM;
+-
+-        String wrappingKeySet = cmd.getOptionValue("w");
+ 
+         String output = cmd.getOptionValue("o");
+ 
+@@ -351,12 +341,11 @@ public class CRMFPopClient {
+         String requestor = cmd.getOptionValue("r");
  
-         config.putString(subsystem + "." + certTag + ".nickname", nickname);
+         if (hostPort != null) {
+-            if (cmd.hasOption("g") || cmd.hasOption("w")) {
+-                printError("Wrapping Key Set (-g) and keywrap (-w) options should " +
+-                        "not be specified when hostport is specified.  " +
+-                        "CRMFPopClient will contact the server to " +
+-                        "determine the correct values for these parameters");
+-                System.exit(1);
++            if (cmd.hasOption("w")) {
++                printError("Any value specified for the key wrap parameter (-w) " +
++                        "will be overriden.  CRMFPopClient will contact the " +
++                        "CA to determine the supported algorithm when " +
++                        "hostport is specified");
+             }
+         }
+ 
+@@ -493,9 +482,9 @@ public class CRMFPopClient {
+             System.out.println("Keypair private key id: " + kid);
+ 
+             if (hostPort != null) {
+-                // check the CA for the required keyset and archival mechanism
++                // check the CA for the required key wrap algorithm
+                 // if found, override whatever has been set by the command line
+-                // options or environment for archivalMechanism and wrappingKeySet
++                // options for the key wrap algorithm
+ 
+                 ClientConfig config = new ClientConfig();
+                 String host = hostPort.substring(0, hostPort.indexOf(':'));
+@@ -503,31 +492,17 @@ public class CRMFPopClient {
+                 config.setServerURL("http", host, port);
+ 
+                 PKIClient pkiclient = new PKIClient(config);
 -
-+        config.putString(subsystem + "." + certTag + ".tokenname", token);
-         if (certTag.equals("audit_signing")) {
-             if (!token.equals("Internal Key Storage Token") && !token.equals("")) {
-                 config.putString("log.instance.SignedAudit.signedAuditCertNickname",
-@@ -3325,15 +3325,14 @@ public class ConfigurationUtils {
-         return 0;
+-                // get archival mechanism
+-                CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca");
+-                try {
+-                    CAInfo info = infoClient.getInfo();
+-                    archivalMechanism = info.getArchivalMechanism();
+-                    wrappingKeySet = info.getWrappingKeySet();
+-                } catch (PKIException e) {
+-                    if (e.getCode() == 404) {
+-                        // assume this is an older server,
+-                        archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+-                        wrappingKeySet = "0";
+-                    } else {
+-                        throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+-                    }
+-                } catch (Exception e) {
+-                    throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+-                }
++                kwAlg = getKeyWrapAlgotihm(pkiclient);
+             }
+ 
++            if (verbose) System.out.println("Using key wrap algorithm: " + kwAlg);
++            keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg);
++
+             if (verbose) System.out.println("Creating certificate request");
+             CertRequest certRequest = client.createCertRequest(
+                     self_sign,
+                     token, transportCert, algorithm, keyPair,
+-                    subject, archivalMechanism, wrappingKeySet);
++                    subject, keyWrapAlgorithm);
+ 
+             ProofOfPossession pop = null;
+ 
+@@ -592,6 +567,36 @@ public class CRMFPopClient {
+         }
+     }
+ 
++    public static String getKeyWrapAlgotihm(PKIClient pkiclient)
++            throws Exception {
++        String kwAlg = null;
++        CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca");
++        String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
++
++        try {
++            CAInfo info = infoClient.getInfo();
++            archivalMechanism = info.getArchivalMechanism();
++            kwAlg = info.getKeyWrapAlgorithm();
++        } catch (PKIException e) {
++            if (e.getCode() == 404) {
++                // assume this is an older server,
++                archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
++                kwAlg = KeyWrapAlgorithm.DES3_CBC_PAD.toString();
++            } else {
++                throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
++            }
++        } catch (Exception e) {
++            throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
++        }
++
++        if (!archivalMechanism.equals(KRAInfoResource.KEYWRAP_MECHANISM)) {
++            // new server with encryption set.  Use something we know will
++            // work.  AES-128-CBC
++            kwAlg = KeyWrapAlgorithm.AES_CBC_PAD.toString();
++        }
++        return kwAlg;
++    }
++
+     public void setVerbose(boolean verbose) {
+         this.verbose = verbose;
+     }
+@@ -637,10 +642,9 @@ public class CRMFPopClient {
+             String algorithm,
+             KeyPair keyPair,
+             Name subject,
+-            String archivalMechanism,
+-            String wrappingKeySet) throws Exception {
++            KeyWrapAlgorithm keyWrapAlgorithm) throws Exception {
+         return createCertRequest(false, token, transportCert, algorithm, keyPair,
+-            subject, archivalMechanism, wrappingKeySet);
++            subject, keyWrapAlgorithm);
      }
  
--    public static void setCertPermissions(Cert cert) throws EBaseException, NotInitializedException,
-+    public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException,
-             ObjectNotFoundException, TokenException {
+     public CertRequest createCertRequest(
+@@ -650,24 +654,15 @@ public class CRMFPopClient {
+             String algorithm,
+             KeyPair keyPair,
+             Name subject,
+-            String archivalMechanism,
+-            String wrappingKeySet) throws Exception {
+-        EncryptionAlgorithm encryptAlg = null;
 -
--        String tag = cert.getCertTag();
-         if (tag.equals("signing") || tag.equals("external_signing"))
-             return;
+-        if (wrappingKeySet == null) {
+-            wrappingKeySet = System.getenv("KEY_WRAP_PARAMETER_SET");
++            KeyWrapAlgorithm keyWrapAlgorithm) throws Exception {
++        byte[] iv = null;
++        if (keyWrapAlgorithm.getParameterClasses() != null) {
++            iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());
+         }
++        OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm);
+ 
+-        if (wrappingKeySet != null && wrappingKeySet.equalsIgnoreCase("0")) {
+-            // talking to an old server?
+-            encryptAlg = EncryptionAlgorithm.DES3_CBC;
+-        } else {
+-            encryptAlg = EncryptionAlgorithm.AES_128_CBC;
+-        }
+-
+-        byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength());
+-        AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv));
+-        WrappingParams params = getWrappingParams(encryptAlg, iv, archivalMechanism);
++        AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv));
++        WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv);
+ 
+         PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
+                 token,
+@@ -698,29 +693,21 @@ public class CRMFPopClient {
+         return new CertRequest(new INTEGER(1), certTemplate, seq);
+     }
+ 
+-    private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV,
+-            String archivalMechanism) throws Exception {
+-        if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) {
+-            KeyWrapAlgorithm wrapAlg = null;
+-            IVParameterSpec wrapIVS = null;
+-            if (archivalMechanism.equals(KRAInfoResource.ENCRYPT_MECHANISM)) {
+-                // We will use AES_CBC_PAD as the a key wrap mechanism.  This
+-                // can be decrypted using the same mechanism on the server.
+-                wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD;
+-                wrapIVS = new IVParameterSpec(wrapIV);
+-            } else {
+-                wrapAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
+-            }
++    private WrappingParams getWrappingParams(KeyWrapAlgorithm kwAlg, byte[] iv) throws Exception {
++        IVParameterSpec ivps = iv != null ? new IVParameterSpec(iv): null;
++
++        if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD ||
++            kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
+             return new WrappingParams(
+                 SymmetricKey.AES, KeyGenAlgorithm.AES, 128,
+-                KeyWrapAlgorithm.RSA, encryptAlg,
+-                wrapAlg, wrapIVS, wrapIVS);
+-        } else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) {
++                KeyWrapAlgorithm.RSA, EncryptionAlgorithm.AES_128_CBC_PAD,
++                kwAlg, ivps, ivps);
++        } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) {
+             return new WrappingParams(
+                     SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
+                     KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+                     KeyWrapAlgorithm.DES3_CBC_PAD,
+-                    new IVParameterSpec(wrapIV), new IVParameterSpec(wrapIV));
++                    ivps, ivps);
+         } else {
+             throw new Exception("Invalid encryption algorithm");
+         }
+diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+index a14bb24..9a0cfcc 100644
+--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+@@ -29,18 +29,15 @@ import java.util.Vector;
+ import org.apache.commons.cli.CommandLine;
+ import org.apache.commons.cli.Option;
+ import org.apache.commons.io.FileUtils;
+-import org.dogtagpki.common.CAInfo;
+-import org.dogtagpki.common.CAInfoClient;
+-import org.dogtagpki.common.KRAInfoResource;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.crypto.CryptoToken;
++import org.mozilla.jss.crypto.KeyWrapAlgorithm;
+ import org.mozilla.jss.crypto.Signature;
+ import org.mozilla.jss.crypto.X509Certificate;
+ import org.mozilla.jss.pkix.crmf.CertRequest;
+ import org.mozilla.jss.pkix.crmf.ProofOfPossession;
+ import org.mozilla.jss.pkix.primitive.Name;
+ 
+-import com.netscape.certsrv.base.PKIException;
+ import com.netscape.certsrv.cert.CertClient;
+ import com.netscape.certsrv.cert.CertEnrollmentRequest;
+ import com.netscape.certsrv.cert.CertRequestInfos;
+@@ -249,29 +246,13 @@ public class ClientCertRequestCLI extends CLI {
+             CryptoManager manager = CryptoManager.getInstance();
+             X509Certificate transportCert = manager.importCACertPackage(transportCertData);
+ 
+-            // get archival mechanism
+-            CAInfoClient infoClient = new CAInfoClient(client, "ca");
+-            String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+-            String wrappingKeySet = "1";
+-            try {
+-                CAInfo info = infoClient.getInfo();
+-                archivalMechanism = info.getArchivalMechanism();
+-                wrappingKeySet = info.getWrappingKeySet();
+-            } catch (PKIException e) {
+-                if (e.getCode() == 404) {
+-                    // assume this is an older server,
+-                    archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+-                    wrappingKeySet = "0";
+-                } else {
+-                    throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+-                }
+-            } catch (Exception e) {
+-                throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+-            }
++            // get archival and key wrap mechanisms from CA
++            String kwAlg = CRMFPopClient.getKeyWrapAlgotihm(client);
++            KeyWrapAlgorithm keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg);
+ 
+             csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding,
+                     algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop,
+-                    archivalMechanism, wrappingKeySet);
++                    keyWrapAlgorithm);
  
--        String nickname = cert.getNickname();
--        String tokenname = cert.getTokenname();
+         } else {
+             throw new Exception("Unknown request type: " + requestType);
+@@ -411,8 +392,7 @@ public class ClientCertRequestCLI extends CLI {
+             int sensitive,
+             int extractable,
+             boolean withPop,
+-            String archivalMechanism,
+-            String wrappingKeySet
++            KeyWrapAlgorithm keyWrapAlgorithm
+             ) throws Exception {
+ 
+         CryptoManager manager = CryptoManager.getInstance();
+@@ -434,7 +414,7 @@ public class ClientCertRequestCLI extends CLI {
+         }
+ 
+         CertRequest certRequest = client.createCertRequest(
+-                token, transportCert, algorithm, keyPair, subject, archivalMechanism, wrappingKeySet);
++                token, transportCert, algorithm, keyPair, subject, keyWrapAlgorithm);
+ 
+         ProofOfPossession pop = null;
+         if (withPop) {
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
+index 398f499..52c9ca0 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
+@@ -28,6 +28,8 @@ import org.dogtagpki.common.CAInfo;
+ import org.dogtagpki.common.CAInfoResource;
+ import org.dogtagpki.common.KRAInfo;
+ import org.dogtagpki.common.KRAInfoClient;
++import org.mozilla.jss.crypto.EncryptionAlgorithm;
++import org.mozilla.jss.crypto.KeyWrapAlgorithm;
+ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+ 
+@@ -73,7 +75,8 @@ public class CAInfoService extends PKIService implements CAInfoResource {
+     // KRA-related fields (the initial values are only used if we
+     // did not yet receive authoritative info from KRA)
+     private static String archivalMechanism = KRAInfoService.KEYWRAP_MECHANISM;
+-    private static String wrappingKeySet = "0";
++    private static String encryptAlgorithm;
++    private static String keyWrapAlgorithm;
+ 
+     @Override
+     public Response getInfo() throws Exception {
+@@ -116,7 +119,8 @@ public class CAInfoService extends PKIService implements CAInfoResource {
+             }
+ 
+             info.setArchivalMechanism(archivalMechanism);
+-            info.setWrappingKeySet(wrappingKeySet);
++            info.setEncryptAlgorithm(encryptAlgorithm);
++            info.setKeyWrapAlgorithm(keyWrapAlgorithm);
+         }
+     }
+ 
+@@ -125,10 +129,8 @@ public class CAInfoService extends PKIService implements CAInfoResource {
+             KRAInfo kraInfo = getKRAInfoClient(connInfo).getInfo();
+ 
+             archivalMechanism = kraInfo.getArchivalMechanism();
+-
+-            // request succeeded; the KRA is 10.4 or higher,
+-            // therefore supports key set v1
+-            wrappingKeySet = "1";
++            encryptAlgorithm = kraInfo.getEncryptAlgorithm();
++            keyWrapAlgorithm = kraInfo.getWrapAlgorithm();
+ 
+             // mark info as authoritative
+             kraInfoAuthoritative = true;
+@@ -137,8 +139,8 @@ public class CAInfoService extends PKIService implements CAInfoResource {
+                 // The KRAInfoResource was added in 10.4,
+                 // so we are talking to a pre-10.4 KRA
+ 
+-                // pre-10.4 only supports key set v0
+-                wrappingKeySet = "0";
++                encryptAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD.toString();
++                keyWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD.toString();
+ 
+                 // pre-10.4 KRA does not advertise the archival
+                 // mechanism; look for the old knob in CA's config
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
+index c4b3252..a9c3cdf 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
+@@ -29,14 +29,25 @@ import org.slf4j.LoggerFactory;
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
++import com.netscape.certsrv.security.IStorageKeyUnit;
+ import com.netscape.cms.servlet.base.PKIService;
+ 
++import netscape.security.util.WrappingParams;
++
+ /**
+  * @author Ade Lee
+  */
+ public class KRAInfoService extends PKIService implements KRAInfoResource {
+ 
+     private static Logger logger = LoggerFactory.getLogger(InfoService.class);
++    private IKeyRecoveryAuthority kra;
++    private IStorageKeyUnit storageUnit;
++
++    public KRAInfoService() {
++        kra = (IKeyRecoveryAuthority) CMS.getSubsystem("kra");
++        storageUnit = kra.getStorageKeyUnit();
++    }
+ 
+     @Override
+     public Response getInfo() throws Exception {
+@@ -47,7 +58,8 @@ public class KRAInfoService extends PKIService implements KRAInfoResource {
+         KRAInfo info = new KRAInfo();
+         info.setArchivalMechanism(getArchivalMechanism());
+         info.setRecoveryMechanism(getRecoveryMechanism());
+-
++        info.setEncryptAlgorithm(getEncryptAlgorithm());
++        info.setArchivalMechanism(getWrapAlgorithm());
+ 
+         return createOKResponse(info);
+     }
+@@ -63,5 +75,31 @@ public class KRAInfoService extends PKIService implements KRAInfoResource {
+         boolean encrypt_recovery = cs.getBoolean("kra.allowEncDecrypt.recovery", false);
+         return encrypt_recovery ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM;
+     }
++
++    String getWrapAlgorithm() throws EBaseException {
++        IConfigStore cs = CMS.getConfigStore();
++        boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
++        WrappingParams params = null;
++        try {
++            params = storageUnit.getWrappingParams(encrypt_archival);
++        } catch (Exception e) {
++            // return something that should always work
++            return "AES/CBC/Padding";
++        }
++        return params.getPayloadWrapAlgorithm().toString();
++    }
++
++    String getEncryptAlgorithm() throws EBaseException {
 +        IConfigStore cs = CMS.getConfigStore();
-+        String nickname = cs.getString("preop.cert." + tag + ".nickname", "");
-+        String tokenname = cs.getString("preop.module.token", "");
-         if (!tokenname.equals("Internal Key Storage Token"))
-             nickname = tokenname + ":" + nickname;
- 
-@@ -4555,11 +4554,9 @@ public class ConfigurationUtils {
- 
-     public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException,
-             TokenException, CertificateEncodingException, IOException {
--
-         IConfigStore cs = CMS.getConfigStore();
--        String subsystem = cs.getString("cs.type").toLowerCase();
--        String nickname = cs.getString(subsystem + ".subsystem.nickname", "");
--        String tokenname = cs.getString(subsystem + ".subsystem.tokenname", "");
-+        String nickname = cs.getString("preop.cert.subsystem.nickname", "");
-+        String tokenname = cs.getString("preop.module.token", "");
- 
-         if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")
-                 && !tokenname.equals("")) {
-@@ -4574,7 +4571,6 @@ public class ConfigurationUtils {
-             CMS.debug("ConfigurationUtils: getSubsystemCert: subsystem cert is null");
-             return null;
-         }
--
-         byte[] bytes = cert.getEncoded();
-         String s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes));
-         return s;
-diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-index 5cc6f63..9d7c176 100644
---- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-@@ -199,7 +199,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
++        boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
++        WrappingParams params = null;
++        try {
++            params = storageUnit.getWrappingParams(encrypt_archival);
++        } catch (Exception e) {
++            // return something that should always work
++            return "AES/CBC/Padding";
++        }
++        return params.getPayloadEncryptionAlgorithm().toString();
++    }
+ }
+ 
+diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+index 95b8f81..84e4a65 100644
+--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+@@ -2713,6 +2713,28 @@ public class CryptoUtil {
+         throw new NoSuchAlgorithmException();
+     }
+ 
++    /*
++     * Useful method to map KeyWrap algorithms to an OID.
++     * This is not yet defined within JSS, although it will be valuable to do
++     * so.  The hard thing though is that the KeyWrapAlgorithms in JSS do not take
++     * KEK key size into account for algorithms like AES.  We assume 128 bits in
++     * this case.
++     *
++     * This is used in the generation of CRMF requests, and will be correlated to
++     * the subsequent reverse mapping method below.
++     */
++    public static OBJECT_IDENTIFIER getOID(KeyWrapAlgorithm kwAlg) throws NoSuchAlgorithmException {
++        if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD)
++            return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8");
++        if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD)
++            return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2");
++        if ((kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) ||
++            (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD))
++            return new OBJECT_IDENTIFIER("1.2.840.113549.3.7");
++
++        throw new NoSuchAlgorithmException();
++    }
++
+ }
+ 
+ // START ENABLE_ECC
+-- 
+1.8.3.1
+
+
+From d5c331a42955365b76a1549aec047e613d3185dc Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Tue, 6 Jun 2017 16:16:40 -0400
+Subject: [PATCH 07/14] Server side changes to correctly parse the new
+ PKIArchiveOptions
+
+The server is modified to read the new OIDs in the PKIArchiveOptions
+and handle them correctly.
+
+Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4
+---
+ base/common/src/org/dogtagpki/common/CAInfo.java   |  2 +
+ .../src/com/netscape/cmstools/CRMFPopClient.java   | 20 ++++++--
+ .../kra/src/com/netscape/kra/TransportKeyUnit.java | 21 ++++-----
+ .../org/dogtagpki/server/rest/KRAInfoService.java  |  2 +-
+ .../com/netscape/cmsutil/crypto/CryptoUtil.java    | 34 ++++++++++---
+ .../src/netscape/security/util/WrappingParams.java | 55 ++++++++++++++++++++++
+ 6 files changed, 109 insertions(+), 25 deletions(-)
+
+diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java
+index 0f68c7a..ada8098 100644
+--- a/base/common/src/org/dogtagpki/common/CAInfo.java
++++ b/base/common/src/org/dogtagpki/common/CAInfo.java
+@@ -66,6 +66,7 @@ public class CAInfo extends ResourceMessage {
+         this.archivalMechanism = archivalMechanism;
+     }
+ 
++    @XmlElement(name="EncryptAlgorithm")
+     public String getEncryptAlgorithm() {
+         return encryptAlgorithm;
+     }
+@@ -74,6 +75,7 @@ public class CAInfo extends ResourceMessage {
+         this.encryptAlgorithm = encryptAlgorithm;
+     }
+ 
++    @XmlElement(name="WrapAlgorithm")
+     public String getKeyWrapAlgorithm() {
+         return keyWrapAlgorithm;
+     }
+diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+index b06faa6..25de2dd 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+@@ -191,7 +191,7 @@ public class CRMFPopClient {
+         options.addOption(option);
+ 
+         option = new Option("w", true, "Algorithm to be used for key wrapping");
+-        option.setArgName("keySet");
++        option.setArgName("keywrap algorithm");
+         options.addOption(option);
+ 
+         options.addOption("y", false, "for Self-signed cmc.");
+@@ -655,13 +655,23 @@ public class CRMFPopClient {
+             KeyPair keyPair,
+             Name subject,
+             KeyWrapAlgorithm keyWrapAlgorithm) throws Exception {
+-        byte[] iv = null;
+-        if (keyWrapAlgorithm.getParameterClasses() != null) {
+-            iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());
+-        }
++        byte[] iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());
+         OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm);
+ 
++        /* TODO(alee)
++         *
++         * HACK HACK!
++         * algorithms like AES KeyWrap do not require an IV, but we need to include one
++         * in the AlgorithmIdentifier above, or the creation and parsing of the
++         * PKIArchiveOptions options will fail.  So we include an IV in aid, but null it
++         * later to correctly encrypt the data
++         */
+         AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv));
++
++        Class[] iv_classes = keyWrapAlgorithm.getParameterClasses();
++        if (iv_classes == null || iv_classes.length == 0)
++            iv = null;
++
+         WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv);
+ 
+         PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
+diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
+index d0ad8b3..91af7cf 100644
+--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java
++++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
+@@ -267,7 +267,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
+      * Decrypts the user private key.  This is called on the transport unit.
+      */
+     public byte[] decryptExternalPrivate(byte encSymmKey[],
+-            String symmAlgOID, byte symmAlgParams[], byte encValue[],
++            String wrapOID, byte wrapIV[], byte encValue[],
+             org.mozilla.jss.crypto.X509Certificate transCert)
+             throws Exception {
+ 
+@@ -279,12 +279,10 @@ public class TransportKeyUnit extends EncryptionUnit implements
+         CryptoToken token = getToken(transCert);
+         PrivateKey wrappingKey = getPrivateKey(transCert);
+         String priKeyAlgo = wrappingKey.getAlgorithm();
+-        WrappingParams params = new WrappingParams(
+-                symmAlgOID,
+-                null,
++        WrappingParams params = WrappingParams.getWrappingParamsFromArchiveOptions(
++                wrapOID,
+                 priKeyAlgo,
+-                new IVParameterSpec(symmAlgParams),
+-                null);
++                new IVParameterSpec(wrapIV));
+ 
+         SymmetricKey sk = CryptoUtil.unwrap(
+                 token,
+@@ -303,6 +301,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
+                 params.getPayloadEncryptionAlgorithm());
+     }
+ 
++
+     /**
+      * External unwrapping. Unwraps the symmetric key using
+      * the transport private key.
+@@ -342,19 +341,17 @@ public class TransportKeyUnit extends EncryptionUnit implements
+      * the transport private key.
+      */
+     public PrivateKey unwrap(byte encSymmKey[],
+-            String symmAlgOID, byte symmAlgParams[],
++            String wrapOID, byte wrapIV[],
+             byte encValue[], PublicKey pubKey,
+             org.mozilla.jss.crypto.X509Certificate transCert)
+             throws Exception {
+         CryptoToken token = getToken(transCert);
+         PrivateKey wrappingKey = getPrivateKey(transCert);
+         String priKeyAlgo = wrappingKey.getAlgorithm();
+-        WrappingParams params = new WrappingParams(
+-                symmAlgOID,
+-                null,
++        WrappingParams params = WrappingParams.getWrappingParamsFromArchiveOptions(
++                wrapOID,
+                 priKeyAlgo,
+-                new IVParameterSpec(symmAlgParams),
+-                new IVParameterSpec(symmAlgParams));
++                new IVParameterSpec(wrapIV));
+ 
+         // (1) unwrap the session key
+         SymmetricKey sk = CryptoUtil.unwrap(
+diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
+index a9c3cdf..c855b22 100644
+--- a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
++++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
+@@ -59,7 +59,7 @@ public class KRAInfoService extends PKIService implements KRAInfoResource {
+         info.setArchivalMechanism(getArchivalMechanism());
+         info.setRecoveryMechanism(getRecoveryMechanism());
+         info.setEncryptAlgorithm(getEncryptAlgorithm());
+-        info.setArchivalMechanism(getWrapAlgorithm());
++        info.setWrapAlgorithm(getWrapAlgorithm());
+ 
+         return createOKResponse(info);
+     }
+diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+index 84e4a65..eca8ddd 100644
+--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+@@ -2713,6 +2713,10 @@ public class CryptoUtil {
+         throw new NoSuchAlgorithmException();
+     }
+ 
++    public static final OBJECT_IDENTIFIER KW_AES_KEY_WRAP_PAD = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8");
++    public static final OBJECT_IDENTIFIER KW_AES_CBC_PAD = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2");
++    public static final OBJECT_IDENTIFIER KW_DES_CBC_PAD = new OBJECT_IDENTIFIER("1.2.840.113549.3.7");
++
+     /*
+      * Useful method to map KeyWrap algorithms to an OID.
+      * This is not yet defined within JSS, although it will be valuable to do
+@@ -2724,13 +2728,29 @@ public class CryptoUtil {
+      * the subsequent reverse mapping method below.
+      */
+     public static OBJECT_IDENTIFIER getOID(KeyWrapAlgorithm kwAlg) throws NoSuchAlgorithmException {
+-        if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD)
+-            return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8");
+-        if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD)
+-            return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2");
+-        if ((kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) ||
+-            (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD))
+-            return new OBJECT_IDENTIFIER("1.2.840.113549.3.7");
++        String name = kwAlg.toString();
++        if (name.equals(KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString()))
++            return KW_AES_KEY_WRAP_PAD;
++        if (name.equals(KeyWrapAlgorithm.AES_CBC_PAD.toString()))
++            return KW_AES_CBC_PAD;
++        if (name.equals(KeyWrapAlgorithm.DES3_CBC_PAD.toString()))
++            return KW_DES_CBC_PAD;
++        if (name.equals(KeyWrapAlgorithm.DES_CBC_PAD.toString()))
++            return KW_DES_CBC_PAD;
++
++        throw new NoSuchAlgorithmException();
++    }
++
++    public static KeyWrapAlgorithm getKeyWrapAlgorithmFromOID(String wrapOID) throws NoSuchAlgorithmException {
++        OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
++        if (oid.equals(KW_AES_KEY_WRAP_PAD))
++            return KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
++
++        if (oid.equals(KW_AES_CBC_PAD))
++            return KeyWrapAlgorithm.AES_CBC_PAD;
++
++        if (oid.equals(KW_DES_CBC_PAD))
++            return KeyWrapAlgorithm.DES3_CBC_PAD;
+ 
+         throw new NoSuchAlgorithmException();
+     }
+diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java
+index 8fe5df6..cda8870 100644
+--- a/base/util/src/netscape/security/util/WrappingParams.java
++++ b/base/util/src/netscape/security/util/WrappingParams.java
+@@ -10,6 +10,8 @@ import org.mozilla.jss.crypto.KeyWrapAlgorithm;
+ import org.mozilla.jss.crypto.SymmetricKey;
+ import org.mozilla.jss.crypto.SymmetricKey.Type;
+ 
++import com.netscape.cmsutil.crypto.CryptoUtil;
++
+ public class WrappingParams {
+     // session key attributes
+     SymmetricKey.Type skType;
+@@ -123,6 +125,59 @@ public class WrappingParams {
+         }
+     }
+ 
++    private WrappingParams(String wrapOID, String priKeyAlgo, IVParameterSpec wrapIV)
++            throws NumberFormatException, NoSuchAlgorithmException {
++        KeyWrapAlgorithm kwAlg = CryptoUtil.getKeyWrapAlgorithmFromOID(wrapOID);
++
++        if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) {
++            skType = SymmetricKey.AES;
++            skKeyGenAlgorithm = KeyGenAlgorithm.AES;
++            payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
++            payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
++            skLength = 128;
++        }
++
++        if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
++            skType = SymmetricKey.AES;
++            skKeyGenAlgorithm = KeyGenAlgorithm.AES;
++            payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD;
++            payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
++            skLength = 128;
++        }
++
++        if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
++            skType = SymmetricKey.DES;
++            skKeyGenAlgorithm = KeyGenAlgorithm.DES;
++            skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
++            payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
++            payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
++            skLength = 0;
++        }
++
++        if (priKeyAlgo.equals("EC")) {
++            skWrapAlgorithm = KeyWrapAlgorithm.AES_ECB;
++        } else {
++            skWrapAlgorithm = KeyWrapAlgorithm.RSA;
++        }
++
++        // set the IVs
++        payloadEncryptionIV = wrapIV;
++
++        if (payloadWrapAlgorithm == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) {
++            // TODO(alee) Hack -- if we pass in null for the iv in the
++            // PKIArchiveOptions, we fail to decode correctly when parsing a
++            // CRMFPopClient request.
++            payloadWrappingIV = null;
++        } else {
++            payloadWrappingIV = wrapIV;
++        }
++    }
++
++    public static WrappingParams getWrappingParamsFromArchiveOptions(String wrapOID, String priKeyAlgo, IVParameterSpec wrapIV)
++            throws NumberFormatException, NoSuchAlgorithmException {
++        return new WrappingParams(wrapOID, priKeyAlgo, wrapIV);
++    }
++
+     public SymmetricKey.Type getSkType() {
+         return skType;
+     }
+-- 
+1.8.3.1
+
+
+From 5bf30f2f6a52b7164ba31ab12ed2317b2c572610 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Thu, 8 Jun 2017 16:08:30 -0400
+Subject: [PATCH 10/14] Stop using hardcoded IV in CMC
+
+Bugzilla #BZ 1458055
+
+Change-Id: I229d7f18c46f0b55ec83f051614de1b59e125b82
+---
+ base/java-tools/src/com/netscape/cmstools/CMCRequest.java   | 13 ++++++++-----
+ .../src/com/netscape/cms/profile/common/EnrollProfile.java  | 13 ++++++-------
+ .../com/netscape/cms/servlet/common/CMCOutputTemplate.java  |  8 +++-----
+ 3 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+index 8d49b20..4adf22b 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+@@ -40,6 +40,7 @@ import java.util.StringTokenizer;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.asn1.ANY;
+ import org.mozilla.jss.asn1.ASN1Util;
++import org.mozilla.jss.asn1.ASN1Value;
+ import org.mozilla.jss.asn1.BIT_STRING;
+ import org.mozilla.jss.asn1.ENUMERATED;
+ import org.mozilla.jss.asn1.GeneralizedTime;
+@@ -1708,6 +1709,12 @@ public class CMCRequest {
+         try {
+             TaggedRequest request = encryptedPop.getRequest();
+             AlgorithmIdentifier thePOPAlgID = encryptedPop.getThePOPAlgID();
++
++            ASN1Value v = thePOPAlgID.getParameters();
++            v = ((ANY) v).decodeWith(new OCTET_STRING.Template());
++            byte iv[] = ((OCTET_STRING) v).toByteArray();
++            IVParameterSpec ivps = new IVParameterSpec(iv);
++
+             AlgorithmIdentifier witnessAlgID = encryptedPop.getWitnessAlgID();
+             OCTET_STRING witness = encryptedPop.getWitness();
+             ContentInfo cms = encryptedPop.getContentInfo();
+@@ -1734,13 +1741,9 @@ public class CMCRequest {
+             }
+             System.out.println(method + "symKey unwrapped.");
+ 
+-            // TODO(alee) The code below should be replaced by code that generates a random IV
+-            byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+-            IVParameterSpec default_iv = new IVParameterSpec(iv);
+-
+             byte challenge[] = CryptoUtil.decryptUsingSymmetricKey(
+                     token,
+-                    default_iv,
++                    ivps,
+                     encCI.getEncryptedContent().toByteArray(),
+                     symKey,
+                     EncryptionAlgorithm.AES_128_CBC);
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 12fb736..2591ace 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -403,8 +403,7 @@ public abstract class EnrollProfile extends BasicProfile
+                 String tokenName = CMS.getConfigStore().getString("cmc.token", CryptoUtil.INTERNAL_TOKEN_NAME);
+                 token = CryptoUtil.getCryptoToken(tokenName);
+ 
+-                // TODO(alee) Replace the IV definition with a call that generates a random IV of  the correct length
+-                byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
++                byte[] iv = CryptoUtil.getNonceData(EncryptionAlgorithm.AES_128_CBC.getIVLength());
+                 IVParameterSpec ivps = new IVParameterSpec(iv);
+ 
+                 PublicKey userPubKey = X509Key.parsePublicKey(new DerValue(req_key_data));
+@@ -466,6 +465,8 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+                 req.setExtData("pop_userPubEncryptedSession", pop_userPubEncryptedSession);
+ 
++                req.setExtData("pop_encryptedDataIV", iv);
++
+                 // now compute and set witness
+                 CMS.debug(method + "now compute and set witness");
+                 String hashName = CryptoUtil.getDefaultHashAlgName();
+@@ -1123,14 +1124,12 @@ public abstract class EnrollProfile extends BasicProfile
+                 return null;
+             }
+ 
+-            // TODO(alee) The code below should be replaced by code that gets the IV from the Pop request
+-            // This IV is supposed to be random
+-            byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+-            IVParameterSpec default_iv = new IVParameterSpec(iv);
++            byte[] iv = req.getExtDataInByteArray("pop_encryptedDataIV");
++            IVParameterSpec ivps = new IVParameterSpec(iv);
+ 
+             byte[] challenge_b = CryptoUtil.decryptUsingSymmetricKey(
+                     token,
+-                    default_iv,
++                    ivps,
+                     pop_encryptedData,
+                     symKey,
+                     EncryptionAlgorithm.AES_128_CBC);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+index 8e47298..8d6c37f 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+@@ -491,6 +491,7 @@ public class CMCOutputTemplate {
+         //don't need this for encryptedPOP, but need to check for existence anyway
+         byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession");
+         byte[] pop_userPubEncryptedSession = req.getExtDataInByteArray("pop_userPubEncryptedSession");
++        byte[] iv = req.getExtDataInByteArray("pop_encryptedDataIV");
+         if ((pop_encryptedData != null) &&
+                 (pop_sysPubEncryptedSession != null) &&
+                 (pop_userPubEncryptedSession != null)) {
+@@ -517,11 +518,8 @@ public class CMCOutputTemplate {
+                     throw new EBaseException(method + msg);
+                 }
+ 
+-                // TODO(alee) The code below should be replaced by code that generates a random IV
+-                byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+-
+                 OBJECT_IDENTIFIER oid = EncryptionAlgorithm.AES_128_CBC.toOID();
+-                AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv));
++                AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(iv));
+ 
+                 encPop = new EncryptedPOP(
+                         tReq,
+@@ -532,7 +530,7 @@ public class CMCOutputTemplate {
+ 
+             } catch (Exception e) {
+                 CMS.debug(method + " excepton:" + e);
+-                throw new EBaseException(method + " excepton:" + e);
++                throw new EBaseException(method + " exception:" + e);
+             }
+ 
+         } else {
+-- 
+1.8.3.1
+
+
+From 698192f4f62c55142a557f6489ed2323e17401b0 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Tue, 30 May 2017 14:12:06 -0700
+Subject: [PATCH 11/14] Ticket #2619 Allow CA to process user-signed CMC
+ revocation requests
+
+First of all, the original CMC revocation only supports agent-signed CMC revocation requests from the UI where CMCRevReqServlet handles it with CMCAuth.  It is in violation with https://tools.ietf.org/html/rfc5273 CMC Transport Protocols, as for HTTP/HTTPS, the body of the message is the binary value of the BER encoding of the PKI Request or Response,so HTML is not an approved method.The other way is through profileSubmitCMCFullServlet (or maybe not, as it was completely broken).
+
+One thing that's much less crucial, but goes along with rfc update is the name of the revocation request ASN1 structure. In the new rfc5272, it is now called RevokeRequest insead of RevRequest.
+
+This patch revamped the CMC revocation provision and fixing what's broken and adding what's missing.
+
+On the client side:
+
+CMCRequest
+
+- Commented out the code where it made an assumption to use OtherMsg for the signer information. This makes no sense as the outer layer SignedData would have the same information when signing happens.
+
+- removed the revRequest.nickname parameter from the configuration.  From the code it seems like it expects the certificate to be revoked to exist in the user database, and it uses the same certificate to sign the revocation request.  The RFC does allow for self-signed revocation, but it also allows for signing with another certificate provided that it has same subject.  By removing the revRequest.nickname parameter, I am using the "nickname" parameter as the signer cert, which may or may not be the same certificate specified in revRequest.serial.  It is less confusing. The change also eliminate the need for the cert to be revoked to be present in the db.  In addition, revRequest.issuer only needs to be specified if revRequest.sharedSecret is used. The code will extract the issuer info from the signing cert.
+
+- added support for unsigned data in support of shared secret in both CMCRequest and server;  The original code assumed that a cmc revocation request that relies on shared secret still requires agent signing.
+
+CMCRevoke
+
+- The original code assumed that the nss db password is the same as Shared Secret (!!).  This patch added a "-t" to accept shred secret, and keep the -p for the nss db password.
+
+- The original code printed out b64 encoded request to the screen output as well as the file CMCRevoke.out.  Both are unusable directly.  This patch fixes it so that the output to the screen can be directly copied and pasted into the CMC revocate ui at ee (processed by CMCRevReqServlet);  Again, this is not RFC conforming, but I fixed it anyways;
+
+- The output to the file CMCRevoke.out has been fixed so that it is the BER encoding of the request, which can be fed directly into the updated server that now conforms to the RFC (see below)
+
+- This code still requires the signer certificate nickname to run, making the shared secret method moot.  Since CMCRequest has been updated to work properly, we can leave this for now.
+
+On the server side.
+
+CMCUserSignedAuth has been updated to handle unsigned DATA;  Recall that the original CMC revocation only handled SIGNED_DATA (making assumption that agent always signs the requests).  This addition is important to support shared secrets properly.
+
+Another thing that's important change on the server side is that it now checks the revoking cert's subject against the signer's subject, if authenticated by CMCUserSignedAuth.  The original code did not do that, I think it is because it always checks if it's an agent or not.
+
+Something that could be improved on is to have its own servlet.  However, due to the time restriction, I only updated existing EnrollProfile, ProfileSubmitCMCServlet, and CMCOutputTemplate to handle the rfc conforming cmc revocation requests.
+
+The shared secret handling is left in the CMCOutputTemplate for now.  Logically it would make sense to go into CMCUserSignedAuth. This could be left as a possible later ticket for improvement.   Shared Token plugin implementation will be added in later ticket as well.
+
+Previously missed signing cert validation is also added for more complete check.
+Some SHA1 are turned into SHA2
+
+Finally, some auditing are added, but it is not finalized.  It will be done in the next ticket(s).
+---
+ base/common/src/com/netscape/certsrv/apps/CMS.java |  10 +
+ .../src/com/netscape/certsrv/apps/ICMSEngine.java  |   8 +
+ .../com/netscape/certsrv/base/SessionContext.java  |   5 +
+ .../src/com/netscape/cmstools/CMCRequest.java      | 251 ++++++++-----
+ .../src/com/netscape/cmstools/CMCRevoke.java       | 133 +++----
+ .../com/netscape/cms/authentication/CMCAuth.java   |  19 +-
+ .../cms/authentication/CMCUserSignedAuth.java      | 198 +++++-----
+ .../netscape/cms/profile/common/EnrollProfile.java |  80 ++--
+ .../cms/servlet/cert/CMCRevReqServlet.java         |   4 +-
+ .../com/netscape/cms/servlet/cert/ListCerts.java   |  10 +-
+ .../cms/servlet/common/CMCOutputTemplate.java      | 407 +++++++++++++++------
+ .../servlet/common/GenPendingTemplateFiller.java   |  15 +-
+ .../servlet/profile/ProfileSubmitCMCServlet.java   |  12 +-
+ .../src/com/netscape/cmscore/apps/CMSEngine.java   |  33 ++
+ .../netscape/cmscore/app/CMSEngineDefaultStub.java |   5 +
+ base/util/src/com/netscape/cmsutil/util/Utils.java |   5 +
+ 16 files changed, 769 insertions(+), 426 deletions(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
+index cc634cc..9df99ab 100644
+--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
++++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
+@@ -36,6 +36,7 @@ import org.dogtagpki.legacy.policy.ISubjAltNameConfig;
+ import org.mozilla.jss.CryptoManager.CertificateUsage;
+ import org.mozilla.jss.util.PasswordCallback;
+ 
++import com.netscape.certsrv.authentication.ISharedToken;
+ import com.netscape.certsrv.acls.EACLsException;
+ import com.netscape.certsrv.acls.IACL;
+ import com.netscape.certsrv.authentication.IAuthSubsystem;
+@@ -1575,6 +1576,15 @@ public final class CMS {
+     }
+ 
+     /**
++     * Retrieves the SharedToken class.
++     *
++     * @return named SharedToken class
++     */
++    public static ISharedToken getSharedTokenClass(String configName) {
++        return _engine.getSharedTokenClass(configName);
++    }
++
++    /**
+      * Puts a password entry into the single-sign on cache.
+      *
+      * @param tag password tag
+diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+index 3655b03..563b7c9 100644
+--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
++++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+@@ -38,6 +38,7 @@ import org.mozilla.jss.util.PasswordCallback;
+ 
+ import com.netscape.certsrv.acls.EACLsException;
+ import com.netscape.certsrv.acls.IACL;
++import com.netscape.certsrv.authentication.ISharedToken;
+ import com.netscape.certsrv.authority.IAuthority;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IArgBlock;
+@@ -681,6 +682,13 @@ public interface ICMSEngine extends ISubsystem {
+     public ILdapConnFactory getLdapAnonConnFactory(String id) throws ELdapException;
+ 
+     /**
++     * Retrieves the named SharedToken class
++     *
++     * @return named shared token class
++     */
++    public ISharedToken getSharedTokenClass(String configName);
++
++    /**
+      * Retrieves the password check.
+      *
+      * @return default password checker
+diff --git a/base/common/src/com/netscape/certsrv/base/SessionContext.java b/base/common/src/com/netscape/certsrv/base/SessionContext.java
+index 81debae..8bcb3c1 100644
+--- a/base/common/src/com/netscape/certsrv/base/SessionContext.java
++++ b/base/common/src/com/netscape/certsrv/base/SessionContext.java
+@@ -53,6 +53,11 @@ public class SessionContext extends Hashtable<Object, Object> {
+     public static final String AUTH_MANAGER_ID = "authManagerId"; // String
+ 
+     /**
++     * Principal name object of the signed CMC request
++     */
++    public static final String CMC_SIGNER_PRINCIPAL = "cmcSignerPrincipal";
++
++    /**
+      * User object of the authenticated user in the current thread.
+      */
+     public static final String USER = "user"; // IUser
+diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+index 4adf22b..00e03a7 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+@@ -72,15 +72,14 @@ import org.mozilla.jss.pkix.cmc.GetCert;
+ import org.mozilla.jss.pkix.cmc.IdentityProofV2;
+ import org.mozilla.jss.pkix.cmc.LraPopWitness;
+ import org.mozilla.jss.pkix.cmc.OtherInfo;
+-import org.mozilla.jss.pkix.cmc.OtherMsg;
+ import org.mozilla.jss.pkix.cmc.PKIData;
+ import org.mozilla.jss.pkix.cmc.PendInfo;
+ import org.mozilla.jss.pkix.cmc.PopLinkWitnessV2;
+ import org.mozilla.jss.pkix.cmc.ResponseBody;
++import org.mozilla.jss.pkix.cmc.RevokeRequest;
+ import org.mozilla.jss.pkix.cmc.TaggedAttribute;
+ import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
+ import org.mozilla.jss.pkix.cmc.TaggedRequest;
+-import org.mozilla.jss.pkix.cmmf.RevRequest;
+ import org.mozilla.jss.pkix.cms.ContentInfo;
+ import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo;
+ import org.mozilla.jss.pkix.cms.EncryptedContentInfo;
+@@ -374,14 +373,30 @@ public class CMCRequest {
+ 
+     /**
+      * getCMCBlob create and return the enrollment request.
+-     *
++     * It now handles two types of data input:
++     *  - SignedData (which is for signed data)
++     *  - data (which is for unsigned data)
+      * @return the CMC enrollment request encoded in base64
+      *
+      */
+-    static ContentInfo getCMCBlob(SignedData req) {
++    static ContentInfo getCMCBlob(SignedData signedData, byte[] data) {
+         String method = "getCMCBlob: ";
+         System.out.println(method + "begins");
+-        ContentInfo fullEnrollmentReq = new ContentInfo(req);
++        ContentInfo fullEnrollmentReq = null;
++        if (signedData != null && data == null) {
++            System.out.println("getCMCBlob: generating signed data");
++            fullEnrollmentReq = new ContentInfo(signedData);
++        } else if (data != null && signedData == null) {
++            System.out.println("getCMCBlob: generating unsigned data");
++            fullEnrollmentReq = new ContentInfo(data);
++        } else if (signedData == null && data == null) {
++             System.out.println("getCMCBlob: both params are null");
++             System.exit(1);
++        } else {
++             System.out.println("getCMCBlob: both params are not null; only one of them can be used, the other must be null");
++             System.exit(1);
++        }
++
+         try {
+             ByteArrayOutputStream bs = new ByteArrayOutputStream();
+             PrintStream ps = new PrintStream(bs);
+@@ -768,29 +783,32 @@ public class CMCRequest {
+         System.out.println("");
+         System.out.println("#input: full path for the PKCS10 request or CRMF request,");
+         System.out.println("#the content must be in Base-64 encoded format");
+-        System.out.println("#Multiple files are supported. They must be separated by space.");
++//        System.out.println("#Multiple files are supported. They must be separated by space.");
++        System.out.println("# in case of revocation, input will be ignored");
+         System.out.println("input=crmf.req");
+         System.out.println("");
+         System.out.println("#output: full path for the CMC request in binary format");
+         System.out.println("output=cmc.req");
+         System.out.println("");
+-        System.out.println("#tokenname: name of token where agent signing cert can be found (default is internal)");
++        System.out.println("#tokenname: name of token where user signing cert can be found (default is internal)");
+         System.out.println("tokenname=internal");
+         System.out.println("");
+-        System.out.println("#nickname: nickname for agent certificate which will be used");
+-        System.out.println("#to sign the CMC full request.");
++        System.out.println("#nickname: nickname for user certificate which will be used");
++        System.out.println("#to sign the CMC full request (enrollment or revocation).");
++        System.out.println("");
+         System.out.println("#selfSign: if selfSign is true, the CMC request will be");
+-        System.out.println("#signed with the pairing private key of the request;");
++        System.out.println("#signed with the pairing private key of the enrollment request;");
+         System.out.println("#and in which case the nickname will be ignored");
+-        System.out.println("nickname=CMS Agent Certificate");
++        System.out.println("#If revRequest.sharedSecret is specified, then nickname will also be ignored.");
++        System.out.println("nickname=CMS User Signing Certificate");
+         System.out.println("");
+         System.out.println("selfSign=false");
+         System.out.println("");
+         System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db");
+         System.out.println("dbdir=./");
+         System.out.println("");
+-        System.out.println("#password: password for cert8.db which stores the agent");
+-        System.out.println("#certificate");
++        System.out.println("#password: password for cert8.db which stores the user signing");
++        System.out.println("#certificate and keys");
+         System.out.println("password=pass");
+         System.out.println("");
+         System.out.println("#format: request format, either pkcs10 or crmf");
+@@ -844,13 +862,19 @@ public class CMCRequest {
+         System.out.println("#control. Otherwise, false.");
+         System.out.println("revRequest.enable=false");
+         System.out.println("");
++/*
+         System.out.println("#revRequest.nickname: The nickname for the revoke certificate");
+         System.out.println("revRequest.nickname=newuser's 102504a ID");
+         System.out.println("");
++*/
+         System.out.println("#revRequest.issuer: The issuer name for the certificate being");
+-        System.out.println("#revoked.");
++        System.out.println("#revoked. It only needs to be specified when the request is unsigned,;");
++        System.out.println("#as in the case when sharedSecret is used;");
+         System.out.println("revRequest.issuer=cn=Certificate Manager,c=us");
+         System.out.println("");
++        System.out.println("#revRequest.sharedSecret: The sharedSecret");
++        System.out.println("revRequest.sharedSecret=");
++        System.out.println("");
+         System.out.println("#revRequest.serial: The serial number for the certificate being");
+         System.out.println("#revoked.");
+         System.out.println("revRequest.serial=61");
+@@ -861,9 +885,6 @@ public class CMCRequest {
+         System.out.println("#                   certificateHold, removeFromCRL");
+         System.out.println("revRequest.reason=unspecified");
+         System.out.println("");
+-        System.out.println("#revRequest.sharedSecret: The sharedSecret");
+-        System.out.println("revRequest.sharedSecret=");
+-        System.out.println("");
+         System.out.println("#revRequest.comment: The human readable comment");
+         System.out.println("revRequest.comment=");
+         System.out.println("");
+@@ -972,27 +993,27 @@ public class CMCRequest {
+ 
+     private static ENUMERATED toCRLReason(String str) {
+         if (str.equalsIgnoreCase("unspecified")) {
+-            return RevRequest.unspecified;
++            return RevokeRequest.unspecified;
+         } else if (str.equalsIgnoreCase("keyCompromise")) {
+-            return RevRequest.keyCompromise;
++            return RevokeRequest.keyCompromise;
+         } else if (str.equalsIgnoreCase("caCompromise")) {
+-            return RevRequest.cACompromise;
++            return RevokeRequest.cACompromise;
+         } else if (str.equalsIgnoreCase("affiliationChanged")) {
+-            return RevRequest.affiliationChanged;
++            return RevokeRequest.affiliationChanged;
+         } else if (str.equalsIgnoreCase("superseded")) {
+-            return RevRequest.superseded;
++            return RevokeRequest.superseded;
+         } else if (str.equalsIgnoreCase("cessationOfOperation")) {
+-            return RevRequest.cessationOfOperation;
++            return RevokeRequest.cessationOfOperation;
+         } else if (str.equalsIgnoreCase("certificateHold")) {
+-            return RevRequest.certificateHold;
++            return RevokeRequest.certificateHold;
+         } else if (str.equalsIgnoreCase("removeFromCRL")) {
+-            return RevRequest.removeFromCRL;
++            return RevokeRequest.removeFromCRL;
+         }
+ 
+         System.out.println("Unrecognized CRL reason");
+         System.exit(1);
+ 
+-        return RevRequest.unspecified;
++        return RevokeRequest.unspecified;
+     }
+ 
+     /**
+@@ -1119,42 +1140,84 @@ public class CMCRequest {
+         return bpid;
+     }
+ 
+-    private static int addRevRequestAttr(int bpid, SEQUENCE seq, SEQUENCE otherMsgSeq, CryptoToken token, String tokenName, String nickname,
++    /*
++    * addRevRequestAttr adds the RevokeRequest control
++    * If sharedSecret exist, issuer name needs to be supplied;
++    * else signing cert is needed to extract issuerName
++    */
++    private static int addRevRequestAttr(int bpid, SEQUENCE seq,
++            CryptoToken token, X509Certificate revokeSignCert,
+             String revRequestIssuer, String revRequestSerial, String revRequestReason,
+             String revRequestSharedSecret, String revRequestComment, String invalidityDatePresent,
+             CryptoManager manager) {
++
++        String method = "addRevRequestAttr: ";
+         try {
+-            if (nickname.length() <= 0) {
+-                System.out.println("The nickname for the certificate being revoked is null");
+-                System.exit(1);
+-            }
+-            String nickname1 = nickname;
+             UTF8String comment = null;
+             OCTET_STRING sharedSecret = null;
+             GeneralizedTime d = null;
+-            X500Name subjectname = new X500Name(revRequestIssuer);
++            X500Name issuerName = null;
++
++            if ((revRequestSerial == null) || (revRequestSerial.length() <= 0)) {
++                System.out.println(method + "revocation serial number must be supplied");
++                System.exit(1);
++            }
++            if ((revRequestReason == null) || (revRequestReason.length() <= 0)) {
++                System.out.println(method + "revocation reason must be supplied");
++                System.exit(1);
++            }
+             INTEGER snumber = new INTEGER(revRequestSerial);
+             ENUMERATED reason = toCRLReason(revRequestReason);
+-            if (revRequestSharedSecret.length() > 0)
++
++            if ((revRequestSharedSecret != null) && (revRequestSharedSecret.length() > 0)) {
+                 sharedSecret = new OCTET_STRING(revRequestSharedSecret.getBytes());
+-            if (revRequestComment.length() > 0)
++                // in case of sharedSecret,
++                // issuer name will have to be provided;
++                // revokeSignCert is ignored;
++                if (revRequestIssuer == null) {
++                    System.out.println(method + "issuer name must be supplied when shared secret is used");
++                    System.exit(1);
++                }
++                issuerName = new X500Name(revRequestIssuer);
++            } else { // signing case; revokeSignCert is required
++                if (revokeSignCert == null) {
++                    System.out.println(method + "revokeSignCert must be supplied in the signing case");
++                    System.exit(1);
++                }
++            }
++
++            if (revRequestComment != null && revRequestComment.length() > 0)
+                 comment = new UTF8String(revRequestComment);
+             if (invalidityDatePresent.equals("true"))
+                 d = new GeneralizedTime(new Date());
+-            RevRequest revRequest =
+-                    new RevRequest(new ANY(subjectname.getEncoded()), snumber,
+-                            reason, d, sharedSecret, comment);
+-            int revokeBpid = bpid;
++
++            if (sharedSecret == null) {
++                System.out.println(method + "no sharedSecret found; request will be signed;");
++
++                // getting issuerName from revokeSignCert
++                byte[] certB = revokeSignCert.getEncoded();
++                X509CertImpl impl = new X509CertImpl(certB);
++                issuerName = (X500Name) impl.getIssuerDN();
++            } else {
++                System.out.println(method + "sharedSecret found; request will be unsigned;");
++            }
++
++            RevokeRequest revRequest = new RevokeRequest(new ANY(issuerName.getEncoded()), snumber,
++                    reason, d, sharedSecret, comment);
++
+             TaggedAttribute revRequestControl = new TaggedAttribute(
+                     new INTEGER(bpid++),
+                     OBJECT_IDENTIFIER.id_cmc_revokeRequest, revRequest);
+             seq.addElement(revRequestControl);
++            System.out.println(method + "RevokeRequest control created.");
+ 
+-            if (sharedSecret != null) {
+-                System.out.println("Successfully create revRequest control. bpid = " + (bpid - 1));
+-                System.out.println("");
+-                return bpid;
+-            }
++            return bpid;
++/*
++ * Constructing OtherMsg to include the SignerInfo makes no sense here
++ * as the outer layer SignedData would have SignerInfo.
++ * It is possibly done because the original code assumed a self-signed
++ * revocation request that is subsequently signed by an agent...
++ * which is not conforming to the RFC.
+ 
+             EncapsulatedContentInfo revokeContent = new EncapsulatedContentInfo(
+                     OBJECT_IDENTIFIER.id_cct_PKIData, revRequestControl);
+@@ -1241,6 +1304,7 @@ public class CMCRequest {
+             otherMsgSeq.addElement(otherMsg);
+             System.out.println("Successfully create revRequest control. bpid = " + (bpid - 1));
+             System.out.println("");
++*/
+         } catch (Exception e) {
+             System.out.println("Error in creating revRequest control. Check the parameters. Exception="+ e.toString());
+             System.exit(1);
+@@ -1346,9 +1410,9 @@ public class CMCRequest {
+             String salt = "lala123" + date.toString();
+ 
              try {
-                 CMS.debug("Processing '" + cert.getCertTag() + "' certificate:");
-                 ret = ConfigurationUtils.handleCerts(cert);
--                ConfigurationUtils.setCertPermissions(cert);
-+                ConfigurationUtils.setCertPermissions(cert.getCertTag());
-                 CMS.debug("Processed '" + cert.getCertTag() + "' certificate.");
+-                MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1");
++                MessageDigest SHA256Digest = MessageDigest.getInstance("SHA256");
+ 
+-                dig = SHA1Digest.digest(salt.getBytes());
++                dig = SHA256Digest.digest(salt.getBytes());
+             } catch (NoSuchAlgorithmException ex) {
+                 dig = salt.getBytes();
+             }
+@@ -1825,7 +1889,6 @@ public class CMCRequest {
+         String dataReturnEnable = "false", dataReturnData = null;
+         String transactionMgtEnable = "false", transactionMgtId = null;
+         String senderNonceEnable = "false", senderNonce = null;
+-        String revCertNickname = "";
+         String revRequestEnable = "false", revRequestIssuer = null, revRequestSerial = null;
+         String revRequestReason = null, revRequestSharedSecret = null, revRequestComment = null;
+         String revRequestInvalidityDatePresent = "false";
+@@ -1941,8 +2004,6 @@ public class CMCRequest {
+                         revRequestComment = val;
+                     } else if (name.equals("revRequest.invalidityDatePresent")) {
+                         revRequestInvalidityDatePresent = val;
+-                    } else if (name.equals("revRequest.nickname")) {
+-                        revCertNickname = val;
+                     } else if (name.equals("identification.enable")) {
+                         identificationEnable = val;
+                     } else if (name.equals("identification")) {
+@@ -1985,7 +2046,8 @@ public class CMCRequest {
+             printUsage();
+         }
+ 
+-        if (!selfSign.equals("true") && nickname == null) {
++        if ((!selfSign.equals("true") && (revRequestSharedSecret == null))
++                && nickname == null) {
+             System.out.println("Missing nickname.");
+             printUsage();
+         }
+@@ -2031,11 +2093,12 @@ public class CMCRequest {
+                 certname.append(tokenName);
+                 certname.append(":");
+             }
+-            if (!selfSign.equals("true") && nickname != null) {
++            if ((!selfSign.equals("true") || (revRequestSharedSecret == null))
++                    && nickname != null) {
+                 certname.append(nickname);
+                 signerCert = cm.findCertByNickname(certname.toString());
+                 if (signerCert != null) {
+-                    System.out.println("got signerCert: "+ certname.toString());
++                    System.out.println("got signerCert: " + certname.toString());
+                 }
+             }
+ 
+@@ -2065,6 +2128,7 @@ public class CMCRequest {
+                 }
+             }
+ 
++            boolean isSharedSecretRevoke = false;
+             if (decryptedPopEnable.equalsIgnoreCase("true")) {
+                 if (encryptedPopResponseFile == null) {
+                     System.out.println("ecryptedPop.enable = true, but encryptedPopResponseFile is not specified.");
+@@ -2091,7 +2155,7 @@ public class CMCRequest {
+                 }
+             } else { // !decryptedPopEnable
+ 
+-                if (ifilename == null) {
++                if (!revRequestEnable.equalsIgnoreCase("true") && ifilename == null) {
+                     System.out.println("Missing input filename for PKCS10 or CRMF.");
+                     printUsage();
+                 }
+@@ -2109,14 +2173,17 @@ public class CMCRequest {
+                     }
+                 }
+ 
+-                StringTokenizer tokenizer = new StringTokenizer(ifilename, " ");
+-                String[] ifiles = new String[num];
+-                for (int i = 0; i < num; i++) {
+-                    String ss = tokenizer.nextToken();
+-                    ifiles[i] = ss;
+-                    if (ss == null) {
+-                        System.out.println("Missing input file for the request.");
+-                        System.exit(1);
++                String[] ifiles = null;
++                if (revRequestEnable.equalsIgnoreCase("false")) {
++                    StringTokenizer tokenizer = new StringTokenizer(ifilename, " ");
++                    ifiles = new String[num];
++                    for (int i = 0; i < num; i++) {
++                        String ss = tokenizer.nextToken();
++                        ifiles[i] = ss;
++                        if (ss == null) {
++                            System.out.println("Missing input file for the request.");
++                            System.exit(1);
++                        }
+                     }
+                 }
+ 
+@@ -2126,11 +2193,12 @@ public class CMCRequest {
+                 }
+ 
+                 if (format == null) {
+-                    System.out.println("Missing format.");
+-                    printUsage();
++                    System.out.println("Missing format..assume revocation");
++                    //printUsage();
+                 }
++
+                 String[] requests = new String[num];
+-                for (int i = 0; i < num; i++) {
++                for (int i = 0; i < num && revRequestEnable.equalsIgnoreCase("false") ; i++) {
+                     BufferedReader inputBlob = null;
+                     try {
+                         inputBlob = new BufferedReader(new InputStreamReader(
+@@ -2222,20 +2290,20 @@ public class CMCRequest {
+ 
+                 SEQUENCE otherMsgSeq = new SEQUENCE();
+                 if (revRequestEnable.equalsIgnoreCase("true")) {
+-                    if (revRequestIssuer.length() == 0 || revRequestSerial.length() == 0 ||
+-                            revRequestReason.length() == 0) {
+-                        System.out.println("Illegal parameters for revRequest control");
+-                        printUsage();
+-                        System.exit(1);
++                    if ((revRequestSharedSecret!= null)
++                             && (revRequestSharedSecret.length() > 0)) {
++                        isSharedSecretRevoke = true;
++                        //this will result in unsigned data
+                     }
+ 
+-                    bpid = addRevRequestAttr(bpid, controlSeq, otherMsgSeq, token, tokenName, revCertNickname,
++                    bpid = addRevRequestAttr(bpid, controlSeq, token, signerCert,
+                             revRequestIssuer, revRequestSerial, revRequestReason, revRequestSharedSecret,
+                             revRequestComment, revRequestInvalidityDatePresent, cm);
+-                }
++                    pkidata = new PKIData(controlSeq, new SEQUENCE(), new SEQUENCE(), new SEQUENCE());
++                } else {
+ 
+-                // create the request PKIData
+-                pkidata = createPKIData(
++                    // create the request PKIData
++                    pkidata = createPKIData(
+                         selfSign,
+                         requests,
+                         format, transactionMgtEnable, transactionMgtId,
+@@ -2248,6 +2316,7 @@ public class CMCRequest {
+                         popLinkWitnessV2keyGenAlg, popLinkWitnessV2macAlg,
+                         controlSeq, otherMsgSeq, bpid,
+                         token, privk);
++                }
+ 
+                 if (pkidata == null) {
+                     System.out.println("pkidata null after createPKIData(). Exiting with error");
+@@ -2255,22 +2324,30 @@ public class CMCRequest {
+                 }
+             }
+ 
+-            // sign the request
+-            SignedData signedData = null;
+-            if (selfSign.equalsIgnoreCase("true")) {
+-                // selfSign signs with private key
+-                System.out.println("selfSign is true...");
+-                signedData = signData(privk, pkidata);
++            if (isSharedSecretRevoke) {
++                cmcblob = getCMCBlob(null,
++                        ASN1Util.encode(pkidata));
+             } else {
+-                // none selfSign signs with  existing cert
+-                System.out.println("selfSign is false...");
+-                signedData = signData(signerCert, tokenName, nickname, cm, pkidata);
+-            }
+-            if (signedData == null) {
+-                System.out.println("signData() returns null. Exiting with error");
+-                System.exit(1);
++
++                SignedData signedData = null;
++
++                // sign the request
++                if (selfSign.equalsIgnoreCase("true")) {
++                    // selfSign signs with private key
++                    System.out.println("selfSign is true...");
++                    signedData = signData(privk, pkidata);
++                } else {
++                    // none selfSign signs with  existing cert
++                    System.out.println("selfSign is false...");
++                    signedData = signData(signerCert, tokenName, nickname, cm, pkidata);
++                }
++                if (signedData == null) {
++                    System.out.println("signData() returns null. Exiting with error");
++                    System.exit(1);
++                }
++                cmcblob = getCMCBlob(signedData, null);
+             }
+-            cmcblob = getCMCBlob(signedData);
++
+             if (cmcblob == null) {
+                 System.out.println("getCMCBlob() returns null. Exiting with error");
+                 System.exit(1);
+diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
+index c2572e6..e46e883 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
++++ b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
+@@ -75,6 +75,7 @@ public class CMCRevoke {
+     public static final String RFC7468_TRAILER = "-----END CERTIFICATE REQUEST-----";
+     static String dValue = null, nValue = null, iValue = null, sValue = null, mValue = null, hValue = null,
+             pValue = null, cValue = null;
++    static String tValue = null;
+ 
+     public static final String CMS_BASE_CA_SIGNINGCERT_NOT_FOUND = "CA signing certificate not found";
+     public static final String PR_REQUEST_CMC = "CMC";
+@@ -109,8 +110,9 @@ public class CMCRevoke {
+                     "-d<dir to cert8.db, key3.db> " +
+                     "-n<nickname> " +
+                     "-i<issuerName> " +
+-                    "-s<serialName> " +
++                    "-s<serialNumber> " +
+                     "-m<reason to revoke> " +
++                    "-t<shared secret> " +
+                     "-p<password to db> " +
+                     "-h<tokenname> " +
+                     "-c<comment> ");
+@@ -135,6 +137,8 @@ public class CMCRevoke {
+                     mValue = cleanArgs(s[i].substring(2));
+                 } else if (s[i].startsWith("-p")) {
+                     pValue = cleanArgs(s[i].substring(2));
++                } else if (s[i].startsWith("-t")) {
++                    tValue = cleanArgs(s[i].substring(2));
+                 } else if (s[i].startsWith("-h")) {
+                     hValue = cleanArgs(s[i].substring(2));
+                 } else if (s[i].startsWith("-c")) {
+@@ -143,8 +147,6 @@ public class CMCRevoke {
+ 
+             }
+             // optional parameters
+-            if (cValue == null)
+-                cValue = "";
+             if (hValue == null)
+                 hValue = "";
+ 
+@@ -160,7 +162,7 @@ public class CMCRevoke {
+                         "-d<dir to cert8.db, key3.db> " +
+                         "-n<nickname> " +
+                         "-i<issuerName> " +
+-                        "-s<serialName> " +
++                        "-s<serialNumber> " +
+                         "-m<reason to revoke> " +
+                         "-p<password to db> " +
+                         "-h<tokenname> " +
+@@ -191,9 +193,9 @@ public class CMCRevoke {
+ 
+                 token.login(pass);
+                 X509Certificate signerCert = getCertificate(cm, hValue, nValue);
+-                String outBlob = createRevokeReq(hValue, signerCert, cm);
++                ContentInfo fullEnrollmentRequest = createRevokeReq(hValue, signerCert, cm);
+ 
+-                printCMCRevokeRequest(outBlob);
++                printCMCRevokeRequest(fullEnrollmentRequest);
              } catch (Exception e) {
-                 CMS.debug(e);
-@@ -386,6 +386,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
- 
-                 processCert(
-                         request,
-+                        token,
-                         certList,
-                         certs,
-                         hasSigningCert,
-@@ -414,6 +415,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
- 
-     public void processCert(
-             ConfigurationRequest request,
-+            String token,
-             Collection<String> certList,
-             Collection<Cert> certs,
-             MutableBoolean hasSigningCert,
-@@ -458,13 +460,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
-                 String curvename = certData.getKeyCurveName() != null ?
-                         certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default");
-                 cs.putString("preop.cert." + tag + ".curvename.name", curvename);
--                ConfigurationUtils.createECCKeyPair(tokenName, curvename, cs, tag);
-+                ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag);
+                 e.printStackTrace();
+                 System.exit(1);
+@@ -209,29 +211,48 @@ public class CMCRevoke {
+      *
+      * @param asciiBASE64Blob the ascii string of the request
+      */
+-    static void printCMCRevokeRequest(String asciiBASE64Blob) {
++    static void printCMCRevokeRequest(ContentInfo fullEnrollmentReq) {
++        String method = "printCMCRevokeRequest: ";
+ 
+-        // (6) Finally, print the actual CMCSigning blob to the
++        ByteArrayOutputStream os = new ByteArrayOutputStream();
++        ByteArrayOutputStream bs = new ByteArrayOutputStream();
++        PrintStream ps = new PrintStream(bs);
++
++        if (fullEnrollmentReq == null) {
++            System.out.println(method + "param fullEnrollmentRequest is null");
++            System.exit(1);
++        }
++        // format is PR_REQUEST_CMC
++        try {
++            fullEnrollmentReq.encode(os);
++        } catch (IOException e) {
++            System.out.println("CMCSigning:  I/O error " +
++                    "encountered during write():\n" +
++                    e);
++            System.exit(1);
++        }
++        //ps.print(Utils.base64encode(os.toByteArray()));
++        // no line breaks for ease of copy/paste for CA acceptance
++        System.out.println(RFC7468_HEADER);
++        ps.print(Utils.base64encodeSingleLine(os.toByteArray()));
++        ////fullEnrollmentReq.print(ps); // no header/trailer
++
++        String asciiBASE64Blob = bs.toString();
++        System.out.println(asciiBASE64Blob + "\n" + RFC7468_TRAILER);
++
++        // (6) Finally, print the actual CMCSigning binary blob to the
+         //     specified output file
+         FileOutputStream outputBlob = null;
+ 
+         try {
+             outputBlob = new FileOutputStream("CMCRevoke.out");
++            fullEnrollmentReq.encode(outputBlob);
+         } catch (IOException e) {
+             System.out.println("CMCSigning:  unable to open file CMCRevoke.out for writing:\n" + e);
+             return;
+         }
+ 
+-        System.out.println(RFC7468_HEADER);
+-        System.out.println(asciiBASE64Blob + RFC7468_TRAILER);
+-        try {
+-            asciiBASE64Blob = RFC7468_HEADER + "\n" + asciiBASE64Blob + RFC7468_TRAILER;
+-            outputBlob.write(asciiBASE64Blob.getBytes());
+-        } catch (IOException e) {
+-            System.out.println("CMCSigning:  I/O error " +
+-                    "encountered during write():\n" +
+-                    e);
+-        }
++        System.out.println("\nCMC revocation binary blob written to CMCRevoke.out\n");
+ 
+         try {
+             outputBlob.close();
+@@ -280,12 +301,11 @@ public class CMCRevoke {
+      * @param manager the crypto manger.
+      * @return the CMC revocation request encoded in base64
+      */
+-    static String createRevokeReq(String tokenname, X509Certificate signerCert, CryptoManager manager) {
++    static ContentInfo createRevokeReq(String tokenname, X509Certificate signerCert, CryptoManager manager) {
+ 
+         java.security.PrivateKey privKey = null;
+         SignerIdentifier si = null;
+         ContentInfo fullEnrollmentReq = null;
+-        String asciiBASE64Blob = null;
+ 
+         try {
+ 
+@@ -305,8 +325,8 @@ public class CMCRevoke {
+ 
+             if (privKey == null) {
+                 System.out.println("CMCRevoke::createRevokeReq() - " +
+-                                    "privKey is null!");
+-                return "";
++                        "privKey is null!");
++                return null;
+             }
+ 
+             int bpid = 1;
+@@ -319,65 +339,64 @@ public class CMCRevoke {
+             byte[] dig;
+ 
+             try {
+-                MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1");
++                MessageDigest SHA2Digest = MessageDigest.getInstance("SHA256");
+ 
+-                dig = SHA1Digest.digest(salt.getBytes());
++                dig = SHA2Digest.digest(salt.getBytes());
+             } catch (NoSuchAlgorithmException ex) {
+                 dig = salt.getBytes();
+             }
+             String sn = Utils.base64encode(dig);
+ 
+-            TaggedAttribute senderNonce =
+-                    new TaggedAttribute(new INTEGER(bpid++), OBJECT_IDENTIFIER.id_cmc_senderNonce,
+-                            new OCTET_STRING(sn.getBytes()));
++            TaggedAttribute senderNonce = new TaggedAttribute(new INTEGER(bpid++), OBJECT_IDENTIFIER.id_cmc_senderNonce,
++                    new OCTET_STRING(sn.getBytes()));
+ 
+             controlSeq.addElement(senderNonce);
+ 
+             Name subjectName = new Name();
+ 
+             subjectName.addCommonName(iValue);
+-            org.mozilla.jss.pkix.cmmf.RevRequest lRevokeRequest =
+-                    new org.mozilla.jss.pkix.cmmf.RevRequest(new ANY((new X500Name(iValue)).getEncoded()),
+-                            new INTEGER(sValue),
+-                            //org.mozilla.jss.pkix.cmmf.RevRequest.unspecified,
+-                            new ENUMERATED((new Integer(mValue)).longValue()),
+-                            null,
+-                            new OCTET_STRING(pValue.getBytes()),
+-                            new UTF8String(cValue.toCharArray()));
++            org.mozilla.jss.pkix.cmc.RevokeRequest lRevokeRequest = new org.mozilla.jss.pkix.cmc.RevokeRequest(
++                    new ANY((new X500Name(iValue)).getEncoded()),
++                    new INTEGER(sValue),
++                    //org.mozilla.jss.pkix.cmc.RevokeRequest.unspecified,
++                    new ENUMERATED((new Integer(mValue)).longValue()),
++                    null,
++                    (tValue != null) ? new OCTET_STRING(tValue.getBytes()) : null,
++                    (cValue != null) ? new UTF8String(cValue.toCharArray()) : null);
+             //byte[] encoded = ASN1Util.encode(lRevokeRequest);
+-            //org.mozilla.jss.asn1.ASN1Template template = new  org.mozilla.jss.pkix.cmmf.RevRequest.Template();
+-            //org.mozilla.jss.pkix.cmmf.RevRequest revRequest = (org.mozilla.jss.pkix.cmmf.RevRequest)
++            //org.mozilla.jss.asn1.ASN1Template template = new  org.mozilla.jss.pkix.cmc.RevokeRequest.Template();
++            //org.mozilla.jss.pkix.cmc.RevokeRequest revRequest = (org.mozilla.jss.pkix.cmc.RevokeRequest)
+             //                                                               template.decode(new java.io.ByteArrayInputStream(
+             //                                                               encoded));
+ 
+-            ByteArrayOutputStream os = new ByteArrayOutputStream();
+-            //lRevokeRequest.encode(os); // khai
+-            TaggedAttribute revokeRequestTag =
+-                    new TaggedAttribute(new INTEGER(bpid++), OBJECT_IDENTIFIER.id_cmc_revokeRequest,
+-                            lRevokeRequest);
++            TaggedAttribute revokeRequestTag = new TaggedAttribute(new INTEGER(bpid++),
++                    OBJECT_IDENTIFIER.id_cmc_revokeRequest,
++                    lRevokeRequest);
+ 
+             controlSeq.addElement(revokeRequestTag);
+             PKIData pkidata = new PKIData(controlSeq, new SEQUENCE(), new SEQUENCE(), new SEQUENCE());
+ 
+             EncapsulatedContentInfo ci = new EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata);
+-            // SHA1 is the default digest Alg for now.
+             DigestAlgorithm digestAlg = null;
+             SignatureAlgorithm signAlg = null;
+-            org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey).getType();
++            org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey)
++                    .getType();
+             if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.RSA)) {
+-                signAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest;
++                signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest;
+             } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.EC)) {
+-                signAlg = SignatureAlgorithm.ECSignatureWithSHA1Digest;
+-            } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.DSA)) {
+-                signAlg = SignatureAlgorithm.DSASignatureWithSHA1Digest;
++                signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest;
++            } else {
++                System.out.println("Algorithm not supported:" +
++                        signingKeyType);
++                return null;
+             }
+ 
+             MessageDigest SHADigest = null;
+             byte[] digest = null;
+ 
+             try {
+-                SHADigest = MessageDigest.getInstance("SHA1");
+-                digestAlg = DigestAlgorithm.SHA1;
++                SHADigest = MessageDigest.getInstance("SHA256");
++                digestAlg = DigestAlgorithm.SHA256;
+ 
+                 ByteArrayOutputStream ostream = new ByteArrayOutputStream();
+ 
+@@ -411,21 +430,11 @@ public class CMCRevoke {
+ 
+             fullEnrollmentReq = new ContentInfo(req);
+ 
+-            ByteArrayOutputStream bs = new ByteArrayOutputStream();
+-            PrintStream ps = new PrintStream(bs);
+-
+-            if (fullEnrollmentReq != null) {
+-                // format is PR_REQUEST_CMC
+-                fullEnrollmentReq.encode(os);
+-                ps.print(Utils.base64encode(os.toByteArray()));
+-                ////fullEnrollmentReq.print(ps); // no header/trailer
+-            }
+-
+-            asciiBASE64Blob = bs.toString();
+         } catch (Exception e) {
+             e.printStackTrace();
+             System.exit(1);
+         }
+-        return asciiBASE64Blob;
++
++        return fullEnrollmentReq;
+     }
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+index b898353..9441167 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+@@ -237,6 +237,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+      */
+     public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredential, EInvalidCredentials,
+             EBaseException {
++        String method = "CMCAuth: authenticate: ";
++        String msg = "";
++
+         String auditMessage = null;
+         String auditSubjectID = auditSubjectID();
+         String auditReqType = ILogger.UNIDENTIFIED;
+@@ -261,7 +264,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+             }
+             String cmc = (String) returnVal;
+             if (cmc == null) {
+-                CMS.debug("CMCAuth: Authentication failed. Missing CMC.");
++                CMS.debug(method + "Authentication failed. Missing CMC.");
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+@@ -279,8 +282,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+             }
+ 
+             if (cmc.equals("")) {
+-                log(ILogger.LL_FAILURE,
+-                        "cmc : attempted login with empty CMC.");
++                msg = "attempted login with empty CMC";
++                CMS.debug(method + msg);
++                log(ILogger.LL_FAILURE, method + msg);
+ 
+                 // store a message in the signed audit log file
+                 auditMessage = CMS.getLogMessage(
+@@ -331,6 +335,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+                 if (!cmcReq.getContentType().equals(
+                         org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) ||
+                         !cmcReq.hasContent()) {
++                    CMS.debug(method + "malformed cmc: either not ContentInfo.SIGNED_DATA or cmcReq has no content");
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+                             AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+@@ -358,13 +363,13 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+                 if (checkSignerInfo) {
+                     IAuthToken agentToken = verifySignerInfo(authToken, cmcFullReq);
+                     if (agentToken == null) {
+-                        CMS.debug("CMCAuth: authenticate() agentToken null");
++                        CMS.debug(method + "agentToken null");
+                         throw new EBaseException("CMCAuth: agent verifySignerInfo failure");
+                     }
+                     userid = agentToken.getInString("userid");
+                     uid = agentToken.getInString("cn");
+                 } else {
+-                    CMS.debug("CMCAuth: authenticate() signerInfo verification bypassed");
++                    CMS.debug(method + "signerInfo verification bypassed");
+                 }
+                 // reset value of auditSignerInfo
+                 if (uid != null) {
+@@ -377,6 +382,8 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+                 if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) ||
+                         !ci.hasContent()) {
++                    msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData";
++                    CMS.debug( method + msg);
+                     // store a message in the signed audit log file
+                     auditMessage = CMS.getLogMessage(
+                             AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
+@@ -406,6 +413,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+                 if (numReqs == 0) {
+                     // revocation request
++                    CMS.debug(method + "numReqs 0, assume revocation request");
+ 
+                     // reset value of auditReqType
+                     auditReqType = SIGNED_AUDIT_REVOCATION_REQUEST_TYPE;
+@@ -476,6 +484,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+                     }
+                 } else {
+                     // enrollment request
++                    CMS.debug(method + "numReqs not 0, assume enrollment request");
+ 
+                     // reset value of auditReqType
+                     auditReqType = SIGNED_AUDIT_ENROLLMENT_REQUEST_TYPE;
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+index a18c25e..2e4d6dc 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+@@ -29,9 +29,9 @@ import java.io.ByteArrayInputStream;
+ import java.io.ByteArrayOutputStream;
+ import java.io.IOException;
+ import java.math.BigInteger;
+-import java.security.cert.CertificateExpiredException;
+ import java.security.MessageDigest;
+ import java.security.PublicKey;
++import java.security.cert.CertificateExpiredException;
+ import java.util.Enumeration;
+ import java.util.Hashtable;
+ import java.util.Locale;
+@@ -323,85 +323,90 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                 byte[] cmcBlob = CMS.AtoB(asciiBASE64Blob);
+                 ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(cmcBlob);
+ 
+-                org.mozilla.jss.pkix.cms.ContentInfo cmcReq =
+-                        (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo
++                org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo
+                         .getTemplate().decode(
+                                 cmcBlobIn);
+ 
+-                if (!cmcReq.getContentType().equals(
+-                        org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA) ||
+-                        !cmcReq.hasContent()) {
+-
+-                    cmcBlobIn.close();
+-                    msg = "cmc rquest content type is not ContentInfo.SIGNED_DATA";
+-                    CMS.debug(msg);
+-                    throw new EBaseException(msg);
+-                }
+-
+-                SignedData cmcFullReq = (SignedData) cmcReq.getInterpretedContent();
+-
+                 String userid = ILogger.UNIDENTIFIED;
+                 String uid = ILogger.UNIDENTIFIED;
+ 
+-                IConfigStore cmc_config = CMS.getConfigStore();
+-                boolean checkSignerInfo = cmc_config.getBoolean("cmc.signerInfo.verify", true);
+-                if (checkSignerInfo) {
+-                    // selfSigned will be set in verifySignerInfo if applicable
+-                    IAuthToken userToken = verifySignerInfo(auditContext, authToken, cmcFullReq);
+-                    if (userToken == null) {
+-                        msg = "userToken null; verifySignerInfo failure";
+-                        CMS.debug(method + msg);
+-                        throw new EBaseException(msg);
+-                    } else {
+-                        if (selfSigned) {
+-                            CMS.debug(method
+-                                    + " self-signed cmc request will not have user identification info at this point.");
+-                            auditSignerInfo = "selfSigned";
++                SignedData cmcFullReq = null;
++                OCTET_STRING content = null;
++                OBJECT_IDENTIFIER id = null;
++                org.mozilla.jss.pkix.cms.SignerInfo selfsign_signerInfo = null;
++                if (cmcReq.getContentType().equals(
++                        org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA)) {
++                    CMS.debug(method + "cmc request content is signed data");
++                    cmcFullReq = (SignedData) cmcReq.getInterpretedContent();
++
++                    IConfigStore cmc_config = CMS.getConfigStore();
++                    boolean checkSignerInfo = cmc_config.getBoolean("cmc.signerInfo.verify", true);
++                    if (checkSignerInfo) {
++                        // selfSigned will be set in verifySignerInfo if applicable
++                        IAuthToken userToken = verifySignerInfo(auditContext, authToken, cmcFullReq);
++                        if (userToken == null) {
++                            msg = "userToken null; verifySignerInfo failure";
++                            CMS.debug(method + msg);
++                            throw new EBaseException(msg);
+                         } else {
+-                            CMS.debug(method + "signed with user cert");
+-                            userid = userToken.getInString("userid");
+-                            uid = userToken.getInString("cn");
+-                            if (userid == null && uid == null) {
+-                                msg = " verifySignerInfo failure... missing userid and cn";
+-                                CMS.debug(method + msg);
+-                                throw new EBaseException(msg);
+-                            }
+-                            // reset value of auditSignerInfo
+-                            if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) {
+-                                CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim());
+-                                auditSignerInfo = uid.trim();
+-                                auditSubjectID = uid.trim();
+-                                authToken.set(IAuthToken.USER_ID, auditSubjectID);
+-                            } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) {
+-                                CMS.debug(method + "setting auditSignerInfo to userid:" + userid);
+-                                auditSignerInfo = userid.trim();
+-                                auditSubjectID = userid.trim();
+-                                authToken.set(IAuthToken.USER_ID, auditSubjectID);
++                            if (selfSigned) {
++                                CMS.debug(method
++                                        + " self-signed cmc request will not have user identification info at this point.");
++                                auditSignerInfo = "selfSigned";
++                            } else {
++                                CMS.debug(method + "signed with user cert");
++                                userid = userToken.getInString("userid");
++                                uid = userToken.getInString("cn");
++                                if (userid == null && uid == null) {
++                                    msg = " verifySignerInfo failure... missing userid and cn";
++                                    CMS.debug(method + msg);
++                                    throw new EBaseException(msg);
++                                }
++                                // reset value of auditSignerInfo
++                                if (uid != null && !uid.equals(ILogger.UNIDENTIFIED)) {
++                                    CMS.debug(method + "setting auditSignerInfo to uid:" + uid.trim());
++                                    auditSignerInfo = uid.trim();
++                                    auditSubjectID = uid.trim();
++                                    authToken.set(IAuthToken.USER_ID, auditSubjectID);
++                                } else if (userid != null && !userid.equals(ILogger.UNIDENTIFIED)) {
++                                    CMS.debug(method + "setting auditSignerInfo to userid:" + userid);
++                                    auditSignerInfo = userid.trim();
++                                    auditSubjectID = userid.trim();
++                                    authToken.set(IAuthToken.USER_ID, auditSubjectID);
++                                }
+                             }
+                         }
++                    } else {
++                        CMS.debug(method + " signerInfo verification bypassed");
+                     }
+-                } else {
+-                    CMS.debug(method + " signerInfo verification bypassed");
+-                }
+ 
+-                EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
+-                SET sis = cmcFullReq.getSignerInfos();
+-                // only one SignerInfo for selfSigned
+-                org.mozilla.jss.pkix.cms.SignerInfo selfsign_signerInfo =
+-                        (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(0);
++                    EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
++                    SET sis = cmcFullReq.getSignerInfos();
++                    // only one SignerInfo for selfSigned
++                    selfsign_signerInfo = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(0);
+ 
+-                OBJECT_IDENTIFIER id = ci.getContentType();
++                    id = ci.getContentType();
+ 
+-                if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) ||
+-                        !ci.hasContent()) {
+-                    msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData";
+-                    CMS.debug(method + msg);
++                    if (!id.equals(OBJECT_IDENTIFIER.id_cct_PKIData) ||
++                            !ci.hasContent()) {
++                        msg = "request EncapsulatedContentInfo content type not OBJECT_IDENTIFIER.id_cct_PKIData";
++                        CMS.debug(method + msg);
++
++                        throw new EBaseException(msg);
++                    }
+ 
++                    content = ci.getContent();
++                } else if (cmcReq.getContentType().equals( //unsigned
++                        org.mozilla.jss.pkix.cms.ContentInfo.DATA)) {
++                    CMS.debug(method + "cmc request content is unsigned data...verifySignerInfo will not be called;");
++                    content = (OCTET_STRING) cmcReq.getInterpretedContent();
++                } else {
++                    cmcBlobIn.close();
++                    msg = "unsupported cmc rquest content type; must be either ContentInfo.SIGNED_DATA or ContentInfo.DATA;";
++                    CMS.debug(msg);
+                     throw new EBaseException(msg);
+                 }
+ 
+-                OCTET_STRING content = ci.getContent();
+-
+                 ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
+                 PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s);
+ 
+@@ -426,7 +431,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+                             if (type.equals(
+                                     OBJECT_IDENTIFIER.id_cmc_revokeRequest)) {
+-                                /* TODO: user-signed revocation to be handled in next ticket
++                                //further checks and actual revocation happen in CMCOutputTemplate
++
+                                 // if( i ==1 ) {
+                                 //     taggedAttribute.getType() ==
+                                 //       OBJECT_IDENTIFIER.id_cmc_revokeRequest
+@@ -440,25 +446,23 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                                 for (int j = 0; j < numVals; j++) {
+                                     // serialNumber    INTEGER
+ 
+-                                    // SEQUENCE RevRequest = (SEQUENCE)
++                                    // SEQUENCE RevokeRequest = (SEQUENCE)
+                                     //     values.elementAt(j);
+                                     byte[] encoded = ASN1Util.encode(
+                                             values.elementAt(j));
+-                                    org.mozilla.jss.asn1.ASN1Template template = new
+-                                            org.mozilla.jss.pkix.cmmf.RevRequest.Template();
+-                                    org.mozilla.jss.pkix.cmmf.RevRequest revRequest =
+-                                            (org.mozilla.jss.pkix.cmmf.RevRequest)
+-                                            ASN1Util.decode(template, encoded);
++                                    org.mozilla.jss.asn1.ASN1Template template = new org.mozilla.jss.pkix.cmc.RevokeRequest.Template();
++                                    org.mozilla.jss.pkix.cmc.RevokeRequest revRequest = (org.mozilla.jss.pkix.cmc.RevokeRequest) ASN1Util
++                                            .decode(template, encoded);
+ 
+-                                    // SEQUENCE RevRequest = (SEQUENCE)
++                                    // SEQUENCE RevokeRequest = (SEQUENCE)
+                                     //     ASN1Util.decode(
+                                     //         SEQUENCE.getTemplate(),
+                                     //         ASN1Util.encode(
+                                     //         values.elementAt(j)));
+ 
+-                                    // SEQUENCE RevRequest =
++                                    // SEQUENCE RevokeRequest =
+                                     //     values.elementAt(j);
+-                                    // int revReqSize = RevRequest.size();
++                                    // int revReqSize = RevokeRequest.size();
+                                     // if( revReqSize > 3 ) {
+                                     //     INTEGER serialNumber =
+                                     //         new INTEGER((long)0);
+@@ -473,13 +477,10 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                                     Integer IntObject = Integer.valueOf((int) reasonCode);
+                                     authToken.set(REASON_CODE, IntObject);
+ 
+-
+                                     //authToken.set("uid", uid);
+                                     //authToken.set("userid", userid);
+ 
+                                 }
+-                                */
+-
+                             }
+                         }
+ 
+@@ -648,8 +649,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                                 certInfoArray[i] = certInfo;
+ 
+                                 if (selfSigned) {
+-                                    selfsign_skiExtn =
+-                                            (SubjectKeyIdentifierExtension) CryptoUtil
++                                    selfsign_skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil
+                                             .getExtensionFromCertTemplate(template, PKIXExtensions.SubjectKey_Id);
+                                     if (selfsign_skiExtn != null) {
+                                         CMS.debug(method +
+@@ -702,16 +702,24 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                 throw new EInvalidCredentials(e.toString());
+             }
+ 
+-            // store a message in the signed audit log file
+-            auditMessage = CMS.getLogMessage(
+-                    AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,
+-                    auditSubjectID,
+-                    ILogger.SUCCESS,
+-                    auditReqType,
+-                    auditCertSubject,
+-                    auditSignerInfo);
+-
+-            audit(auditMessage);
++            // For accuracy, make sure revocation by shared secret doesn't
++            // log CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS
++            if (authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT) != null ||
++                    authToken.get(IAuthManager.CRED_CMC_SELF_SIGNED) != null) {
++                // store a message in the signed audit log file
++                auditMessage = CMS.getLogMessage(
++                        AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,
++                        auditSubjectID,
++                        ILogger.SUCCESS,
++                        auditReqType,
++                        auditCertSubject,
++                        auditSignerInfo);
++
++                audit(auditMessage);
++            } else {
++                CMS.debug(method
++                        + "audit event CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS not logged due to unsigned data for revocation with shared secret.");
++            }
+ 
+             CMS.debug(method + "ends successfully; returning authToken");
+             return authToken;
+@@ -1029,10 +1037,15 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                         } else {
+                             CMS.debug(method + "found signing cert... verifying");
+ 
+-                            //capture auditSubjectID first in case of failure
+-                            netscape.security.x509.X500Name tempPrincipal =
++                            // capture auditSubjectID first in case of failure
++                            netscape.security.x509.X500Name principal =
+                                     (X500Name) x509Certs[0].getSubjectDN();
+-                            CN = tempPrincipal.getCommonName(); //tempToken.get("userid");
++
++                            // capture signer principal to be checked against
++                            // cert subject principal later in CMCOutputTemplate
++                            // in case of user signed revocation
++                            auditContext.put(SessionContext.CMC_SIGNER_PRINCIPAL, principal);
++                            CN = principal.getCommonName(); //tempToken.get("userid");
+                             CMS.debug(method + " Principal name = " + CN);
+                             auditContext.put(SessionContext.USER_ID, CN);
+ 
+@@ -1093,15 +1106,18 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                         // now check revocation status of the cert
+                         if (CMS.isRevoked(x509Certs)) {
+                             CMS.debug(method + "CMC signing cert is a revoked certificate");
++                            s.close();
+                             throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+                         }
+                         try { //do this again anyways
+                             cert.checkValidity();
+                         } catch (CertificateExpiredException e) {
+                             CMS.debug(method + "CMC signing cert is an expired certificate");
++                            s.close();
+                             throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+                         } catch (Exception e) {
+                             CMS.debug(method + e.toString());
++                            s.close();
+                             throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+                         }
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 2591ace..74da8e7 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -588,16 +588,25 @@ public abstract class EnrollProfile extends BasicProfile
+         try {
+             byte data[] = CMS.AtoB(creq);
+             ByteArrayInputStream cmcBlobIn = new ByteArrayInputStream(data);
++            PKIData pkiData = null;
+ 
+             org.mozilla.jss.pkix.cms.ContentInfo cmcReq = (org.mozilla.jss.pkix.cms.ContentInfo) org.mozilla.jss.pkix.cms.ContentInfo
+                     .getTemplate().decode(cmcBlobIn);
+-            org.mozilla.jss.pkix.cms.SignedData cmcFullReq = (org.mozilla.jss.pkix.cms.SignedData) cmcReq
+-                    .getInterpretedContent();
+-            org.mozilla.jss.pkix.cms.EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
+-            OCTET_STRING content = ci.getContent();
+-
++            OCTET_STRING content = null;
++            if (cmcReq.getContentType().equals(
++                    org.mozilla.jss.pkix.cms.ContentInfo.SIGNED_DATA)) {
++                CMS.debug(method + "cmc request content is signed data");
++                org.mozilla.jss.pkix.cms.SignedData cmcFullReq = (org.mozilla.jss.pkix.cms.SignedData) cmcReq
++                        .getInterpretedContent();
++                org.mozilla.jss.pkix.cms.EncapsulatedContentInfo ci = cmcFullReq.getContentInfo();
++                content = ci.getContent();
++
++            } else { // for unsigned revocation requests (using shared secret)
++                CMS.debug(method + "cmc request content is unsigned data");
++                content = (OCTET_STRING) cmcReq.getInterpretedContent();
++            }
+             ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
+-            PKIData pkiData = (PKIData) (new PKIData.Template()).decode(s);
++            pkiData = (PKIData) (new PKIData.Template()).decode(s);
+ 
+             mCMCData = pkiData;
+             //PKIData pkiData = (PKIData)
+@@ -708,6 +717,8 @@ public abstract class EnrollProfile extends BasicProfile
+             byte randomSeed[] = null;
+             UTF8String ident_s = null;
+             SessionContext context = SessionContext.getContext();
++
++            boolean id_cmc_revokeRequest = false;
+             if (!context.containsKey("numOfControls")) {
+                 CMS.debug(method + "numcontrols="+ numcontrols);
+                 if (numcontrols > 0) {
+@@ -735,7 +746,13 @@ public abstract class EnrollProfile extends BasicProfile
+                     for (int i = 0; i < numcontrols; i++) {
+                         attributes[i] = (TaggedAttribute) controlSeq.elementAt(i);
+                         OBJECT_IDENTIFIER oid = attributes[i].getType();
+-                        if (oid.equals(OBJECT_IDENTIFIER.id_cmc_decryptedPOP)) {
++                        if (oid.equals(OBJECT_IDENTIFIER.id_cmc_revokeRequest)) {
++                            id_cmc_revokeRequest = true;
++                            // put in context for processing in 
++                            // CMCOutputTemplate.java later
++                            context.put(OBJECT_IDENTIFIER.id_cmc_revokeRequest,
++                                    attributes[i]);
++                        } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_decryptedPOP)) {
+                             CMS.debug(method + " id_cmc_decryptedPOP found");
+                             id_cmc_decryptedPOP = true;
+                             decPopVals = attributes[i].getValues();
+@@ -766,6 +783,10 @@ public abstract class EnrollProfile extends BasicProfile
+                      */
+                     CMS.debug(method + "processing controls...");
+ 
++                    if (id_cmc_revokeRequest) {
++                        CMS.debug(method + "revocation control");
++                    }
++
+                     if (id_cmc_identification) {
+                         if (ident == null) {
+                             msg = "id_cmc_identification contains null attribute value";
+@@ -801,7 +822,7 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+                     // checking Proof Of Identity, if not pre-signed
+ 
+-                    if (donePOI) {
++                    if (donePOI || id_cmc_revokeRequest) {
+                         // for logging purposes
+                         if (id_cmc_identityProofV2) {
+                             CMS.debug(method
+@@ -921,6 +942,7 @@ public abstract class EnrollProfile extends BasicProfile
+             SEQUENCE otherMsgSeq = pkiData.getOtherMsgSequence();
+             int numOtherMsgs = otherMsgSeq.size();
+             if (!context.containsKey("numOfOtherMsgs")) {
++                CMS.debug(method + "found numOfOtherMsgs: " + numOtherMsgs);
+                 context.put("numOfOtherMsgs", Integer.valueOf(numOtherMsgs));
+                 for (int i = 0; i < numOtherMsgs; i++) {
+                     OtherMsg omsg = (OtherMsg) (ASN1Util.decode(OtherMsg.getTemplate(),
+@@ -959,6 +981,8 @@ public abstract class EnrollProfile extends BasicProfile
+                 boolean valid = true;
+                 for (int i = 0; i < nummsgs; i++) {
+                     msgs[i] = (TaggedRequest) reqSeq.elementAt(i);
++                    if (id_cmc_revokeRequest)
++                        continue;
+                     if (popLinkWitnessRequired &&
+                             !context.containsKey("POPLinkWitnessV2") &&
+                             !context.containsKey("POPLinkWitness")) {
+@@ -1271,7 +1295,7 @@ public abstract class EnrollProfile extends BasicProfile
+         boolean sharedSecretFound = true;
+         String configName = "cmc.sharedSecret.class";
+         String sharedSecret = null;
+-        ISharedToken tokenClass = getSharedTokenClass(configName);
++        ISharedToken tokenClass = CMS.getSharedTokenClass(configName);
+         if (tokenClass == null) {
+             CMS.debug(method + " Failed to retrieve shared secret plugin class");
+             sharedSecretFound = false;
+@@ -1498,40 +1522,6 @@ public abstract class EnrollProfile extends BasicProfile
+         return bpids;
+     }
+ 
+-
+-    ISharedToken getSharedTokenClass(String configName) {
+-        String method = "EnrollProfile: getSharedTokenClass: ";
+-        ISharedToken tokenClass = null;
+-
+-        String name = null;
+-        try {
+-            CMS.debug(method + "getting :" + configName);
+-            name = CMS.getConfigStore().getString(configName);
+-            CMS.debug(method + "Shared Secret plugin class name retrieved:" +
+-                    name);
+-        } catch (Exception e) {
+-            CMS.debug(method + " Failed to retrieve shared secret plugin class name");
+-            return null;
+-        }
+-
+-        try {
+-            tokenClass = (ISharedToken) Class.forName(name).newInstance();
+-            CMS.debug(method + "Shared Secret plugin class retrieved");
+-        } catch (ClassNotFoundException e) {
+-            CMS.debug(method + " Failed to find class name: " + name);
+-            return null;
+-        } catch (InstantiationException e) {
+-            CMS.debug("EnrollProfile: Failed to instantiate class: " + name);
+-            return null;
+-        } catch (IllegalAccessException e) {
+-            CMS.debug(method + " Illegal access: " + name);
+-            return null;
+-        }
+-
+-        return tokenClass;
+-    }
+-
+-
+     /**
+      * verifyIdentityProofV2 handles IdentityProofV2 as defined by RFC5272
+      *
+@@ -1577,7 +1567,7 @@ public abstract class EnrollProfile extends BasicProfile
+         }
  
+         String configName = "cmc.sharedSecret.class";
+-        ISharedToken tokenClass = getSharedTokenClass(configName);
++        ISharedToken tokenClass = CMS.getSharedTokenClass(configName);
+ 
+         if (tokenClass == null) {
+             msg = " Failed to retrieve shared secret plugin class";
+@@ -1681,7 +1671,7 @@ public abstract class EnrollProfile extends BasicProfile
+             return false;
+ 
+         String configName = "cmc.sharedSecret.class";
+-            ISharedToken tokenClass = getSharedTokenClass(configName);
++            ISharedToken tokenClass = CMS.getSharedTokenClass(configName);
+         if (tokenClass == null) {
+             CMS.debug(method + " Failed to retrieve shared secret plugin class");
+             return false;
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
+index 24ba494..a66cd95 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
+@@ -142,6 +142,8 @@ public class CMCRevReqServlet extends CMSServlet {
+      * @param cmsReq the object holding the request and response information
+      */
+     protected void process(CMSRequest cmsReq) throws EBaseException {
++        String method = "CMCRevReqServlet: process: ";
++        CMS.debug(method + "begins");
+ 
+         String cmcAgentSerialNumber = null;
+         IArgBlock httpParams = cmsReq.getHttpParams();
+@@ -151,7 +153,7 @@ public class CMCRevReqServlet extends CMSServlet {
+         CMSTemplate form = null;
+         Locale[] locale = new Locale[1];
+ 
+-        CMS.debug("**** mFormPath = " + mFormPath);
++        CMS.debug(method + "**** mFormPath = " + mFormPath);
+         try {
+             form = getTemplate(mFormPath, req, locale);
+         } catch (IOException e) {
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java b/base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java
+index 3794f10..01c4b6a 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/ListCerts.java
+@@ -461,11 +461,11 @@ public class ListCerts extends CMSServlet {
+                 ICertRecord rec = e.nextElement();
+ 
+                 if (rec == null) {
+-                    CMS.debug("ListCerts: * record " + count + " is null");
++                    //CMS.debug("ListCerts: * record " + count + " is null");
+                     break;
+                 }
+                 curSerial = rec.getSerialNumber();
+-                CMS.debug("ListCerts: * record " + count + ": " + curSerial);
++                //CMS.debug("ListCerts: * record " + count + ": " + curSerial);
+ 
+                 if (count == 0) {
+                     firstSerial = curSerial;
+@@ -493,11 +493,11 @@ public class ListCerts extends CMSServlet {
+                 }
+ 
+                 if (mReverse) {
+-                    CMS.debug("ListCerts: returning with rcount: " + rcount);
++                    //CMS.debug("ListCerts: returning with rcount: " + rcount);
+                     recs[rcount++] = rec;
+ 
+                 } else {
+-                    CMS.debug("ListCerts: returning with arg block");
++                    //CMS.debug("ListCerts: returning with arg block");
+                     IArgBlock rarg = CMS.createArgBlock();
+                     fillRecordIntoArg(rec, rarg);
+                     argSet.addRepeatRecord(rarg);
+@@ -514,7 +514,7 @@ public class ListCerts extends CMSServlet {
+             CMS.debug("ListCerts: fill records into arg block and argSet");
+             for (int ii = rcount - 1; ii >= 0; ii--) {
+                 if (recs[ii] != null) {
+-                    CMS.debug("ListCerts: processing recs[" + ii + "]");
++                    //CMS.debug("ListCerts: processing recs[" + ii + "]");
+                     IArgBlock rarg = CMS.createArgBlock();
+                     // CMS.debug("item " + ii + " is serial #" + recs[ii].getSerialNumber());
+                     fillRecordIntoArg(recs[ii], rarg);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+index 8d6c37f..067dce7 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+@@ -25,6 +25,7 @@ import java.math.BigInteger;
+ import java.security.MessageDigest;
+ import java.security.NoSuchAlgorithmException;
+ import java.security.PublicKey;
++import java.security.cert.CertificateExpiredException;
+ import java.util.Date;
+ import java.util.Hashtable;
+ 
+@@ -55,9 +56,9 @@ import org.mozilla.jss.pkix.cmc.OtherInfo;
+ import org.mozilla.jss.pkix.cmc.OtherMsg;
+ import org.mozilla.jss.pkix.cmc.PendInfo;
+ import org.mozilla.jss.pkix.cmc.ResponseBody;
++import org.mozilla.jss.pkix.cmc.RevokeRequest;
+ import org.mozilla.jss.pkix.cmc.TaggedAttribute;
+ import org.mozilla.jss.pkix.cmc.TaggedRequest;
+-import org.mozilla.jss.pkix.cmmf.RevRequest;
+ import org.mozilla.jss.pkix.cms.ContentInfo;
+ import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo;
+ import org.mozilla.jss.pkix.cms.EnvelopedData;
+@@ -76,8 +77,10 @@ import com.netscape.certsrv.base.SessionContext;
+ import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.dbs.certdb.ICertRecord;
+ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
++import com.netscape.certsrv.logging.AuditEvent;
+ import com.netscape.certsrv.logging.AuditFormat;
+ import com.netscape.certsrv.logging.ILogger;
++import com.netscape.certsrv.logging.event.CertStatusChangeRequestProcessedEvent;
+ import com.netscape.certsrv.profile.IEnrollProfile;
+ import com.netscape.certsrv.request.IRequest;
+ import com.netscape.certsrv.request.IRequestQueue;
+@@ -101,6 +104,8 @@ import netscape.security.x509.X509Key;
+  * @version $ $, $Date$
+  */
+ public class CMCOutputTemplate {
++    protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
++
+     public CMCOutputTemplate() {
+     }
+ 
+@@ -212,14 +217,12 @@ public class CMCOutputTemplate {
+                     }
+                 }
              } else {
-                 String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs
-                         .getString("keys.rsa.keysize.default");
-                 cs.putString("preop.cert." + tag + ".keysize.size", keysize);
--                ConfigurationUtils.createRSAKeyPair(tokenName, Integer.parseInt(keysize), cs, tag);
-+                ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag);
+-                CMS.debug(method + " reqs null.  why?");
++                CMS.debug(method + " reqs null. could be revocation");
              }
  
-         } else {
-@@ -598,6 +600,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
+             TaggedAttribute tagattr = null;
+             CMCStatusInfo cmcStatusInfo = null;
+ 
+-//cfu
+-
+             SEQUENCE decryptedPOPBpids = (SEQUENCE) context.get("decryptedPOP");
+             if (decryptedPOPBpids != null && decryptedPOPBpids.size() > 0) {
+                 OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
+@@ -880,8 +883,8 @@ public class CMCOutputTemplate {
+                 String salt = "lala123" + date.toString();
+                 byte[] dig;
+                 try {
+-                    MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1");
+-                    dig = SHA1Digest.digest(salt.getBytes());
++                    MessageDigest SHA2Digest = MessageDigest.getInstance("SHA256");
++                    dig = SHA2Digest.digest(salt.getBytes());
+                 } catch (NoSuchAlgorithmException ex) {
+                     dig = salt.getBytes();
+                 }
+@@ -920,22 +923,59 @@ public class CMCOutputTemplate {
+     private int processRevokeRequestControl(TaggedAttribute attr,
+             SEQUENCE controlSeq, int bpid) throws InvalidBERException, EBaseException,
+             IOException {
++        String method = "CMCOutputTemplate: processRevokeRequestControl: ";
++        String msg = "";
++        CMS.debug(method + "begins");
+         boolean revoke = false;
+         SessionContext context = SessionContext.getContext();
++        String authManagerId = (String) context.get(SessionContext.AUTH_MANAGER_ID);
++        if (authManagerId == null) {
++            CMS.debug(method + "authManagerId null.????");
++            //unlikely, but...
++            authManagerId = "none";
++        } else {
++            CMS.debug(method + "authManagerId =" + authManagerId);
++        }
++
++        // in case of CMCUserSignedAuth,
++        // for matching signer and revoked cert principal
++        X500Name signerPrincipal = null;
++
++        // for auditing
++        String auditRequesterID = null;
++        auditRequesterID = (String) context.get(SessionContext.USER_ID);
++
++        if (auditRequesterID != null) {
++            auditRequesterID = auditRequesterID.trim();
++        } else {
++            auditRequesterID = ILogger.NONROLEUSER;
++        }
++        signerPrincipal = (X500Name) context.get(SessionContext.CMC_SIGNER_PRINCIPAL);
++        String auditSubjectID = null;
++        String auditRequestType = "revoke";
++        String auditSerialNumber = null;
++        String auditReasonNum = null;
++        RequestStatus auditApprovalStatus = RequestStatus.REJECTED;
++
+         if (attr != null) {
+             INTEGER attrbpid = attr.getBodyPartID();
+             CMCStatusInfo cmcStatusInfo = null;
+             SET vals = attr.getValues();
+             if (vals.size() > 0) {
+-                RevRequest revRequest =
+-                        (RevRequest) (ASN1Util.decode(new RevRequest.Template(),
+-                                ASN1Util.encode(vals.elementAt(0))));
+-                OCTET_STRING str = revRequest.getSharedSecret();
++                RevokeRequest revRequest = (RevokeRequest) (ASN1Util.decode(new RevokeRequest.Template(),
++                        ASN1Util.encode(vals.elementAt(0))));
++                OCTET_STRING reqSecret = revRequest.getSharedSecret();
+                 INTEGER pid = attr.getBodyPartID();
+                 TaggedAttribute tagattr = null;
+                 INTEGER revokeCertSerial = revRequest.getSerialNumber();
++                ENUMERATED n = revRequest.getReason();
++                RevocationReason reason = toRevocationReason(n);
++                auditReasonNum = reason.toString();
+                 BigInteger revokeSerial = new BigInteger(revokeCertSerial.toByteArray());
+-                if (str == null) {
++                auditSerialNumber = revokeSerial.toString();
++
++                if (reqSecret == null) {
++                    CMS.debug(method + "no shared secret in request; Checking signature;");
+                     boolean needVerify = true;
+                     try {
+                         needVerify = CMS.getConfigStore().getBoolean("cmc.revokeCert.verify", true);
+@@ -943,67 +983,75 @@ public class CMCOutputTemplate {
+                     }
+ 
+                     if (needVerify) {
+-                        Integer num1 = (Integer) context.get("numOfOtherMsgs");
+-                        int num = num1.intValue();
+-                        for (int i = 0; i < num; i++) {
+-                            OtherMsg data = (OtherMsg) context.get("otherMsg" + i);
+-                            INTEGER dpid = data.getBodyPartID();
+-                            if (pid.longValue() == dpid.longValue()) {
+-                                ANY msgValue = data.getOtherMsgValue();
+-                                SignedData msgData =
+-                                        (SignedData) msgValue.decodeWith(SignedData.getTemplate());
+-                                if (!verifyRevRequestSignature(msgData)) {
+-                                    OtherInfo otherInfo =
+-                                            new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK),
+-                                                    null);
+-                                    SEQUENCE failed_bpids = new SEQUENCE();
+-                                    failed_bpids.addElement(attrbpid);
+-                                    cmcStatusInfo =
+-                                            new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null,
+-                                                    otherInfo);
+-                                    tagattr = new TaggedAttribute(
+-                                            new INTEGER(bpid++),
+-                                            OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
+-                                    controlSeq.addElement(tagattr);
+-                                    return bpid;
++                        if (authManagerId.equals("CMCUserSignedAuth")) {
++                            if (signerPrincipal == null) {
++                                CMS.debug(method + "missing CMC signer principal");
++                                OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
++                                        new INTEGER(OtherInfo.BAD_MESSAGE_CHECK),
++                                        null);
++                                SEQUENCE failed_bpids = new SEQUENCE();
++                                failed_bpids.addElement(attrbpid);
++                                cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null,
++                                        otherInfo);
++                                tagattr = new TaggedAttribute(
++                                        new INTEGER(bpid++),
++                                        OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
++                                controlSeq.addElement(tagattr);
++                                return bpid;
++                            }
++                        } else { // !CMCUserSignedAuth
++
++                            // this code is making the assumption that OtherMsg
++                            // is used for signer info in signed cmc revocation,
++                            // when in fact the signer info is
++                            // in the outer layer and should have already been
++                            // verified in the auth manager;
++                            // Left here for possible legacy client(s)
++
++                            Integer num1 = (Integer) context.get("numOfOtherMsgs");
++                            CMS.debug(method + "found numOfOtherMsgs =" + num1.toString());
++                            int num = num1.intValue();
++                            for (int i = 0; i < num; i++) {
++                                OtherMsg data = (OtherMsg) context.get("otherMsg" + i);
++                                INTEGER dpid = data.getBodyPartID();
++                                if (pid.longValue() == dpid.longValue()) {
++                                    CMS.debug(method + "body part id match;");
++                                    ANY msgValue = data.getOtherMsgValue();
++                                    SignedData msgData = (SignedData) msgValue.decodeWith(SignedData.getTemplate());
++                                    if (!verifyRevRequestSignature(msgData)) {
++                                        OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
++                                                new INTEGER(OtherInfo.BAD_MESSAGE_CHECK),
++                                                null);
++                                        SEQUENCE failed_bpids = new SEQUENCE();
++                                        failed_bpids.addElement(attrbpid);
++                                        cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids,
++                                                (String) null,
++                                                otherInfo);
++                                        tagattr = new TaggedAttribute(
++                                                new INTEGER(bpid++),
++                                                OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
++                                        controlSeq.addElement(tagattr);
++                                        return bpid;
++                                    }
++                                } else {
++                                    CMS.debug(method + "body part id do not match;");
+                                 }
+                             }
+                         }
+                     }
+ 
+                     revoke = true;
++                } else { //use shared secret; request unsigned
++                    CMS.debug(method + "checking shared secret");
+                     // check shared secret
+-                } else {
+-                    ISharedToken tokenClass = null;
+-                    boolean sharedSecretFound = true;
+-                    String name = null;
+-                    try {
+-                        name = CMS.getConfigStore().getString("cmc.revokeCert.sharedSecret.class");
+-                    } catch (EPropertyNotFound e) {
+-                        CMS.debug("EnrollProfile: Failed to find the token class in the configuration file.");
+-                        sharedSecretFound = false;
+-                    } catch (EBaseException e) {
+-                        CMS.debug("EnrollProfile: Failed to find the token class in the configuration file.");
+-                        sharedSecretFound = false;
+-                    }
+-
+-                    try {
+-                        tokenClass = (ISharedToken) Class.forName(name).newInstance();
+-                    } catch (ClassNotFoundException e) {
+-                        CMS.debug("EnrollProfile: Failed to find class name: " + name);
+-                        sharedSecretFound = false;
+-                    } catch (InstantiationException e) {
+-                        CMS.debug("EnrollProfile: Failed to instantiate class: " + name);
+-                        sharedSecretFound = false;
+-                    } catch (IllegalAccessException e) {
+-                        CMS.debug("EnrollProfile: Illegal access: " + name);
+-                        sharedSecretFound = false;
+-                    }
+-
+-                    if (!sharedSecretFound) {
+-                        CMS.debug("CMCOutputTemplate: class for shared secret was not found.");
+-                        OtherInfo otherInfo =
+-                                new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), null);
++                    //TODO: remember to provide one-time-use when working
++                    //      on shared token
++                    ISharedToken tokenClass =
++                            CMS.getSharedTokenClass("cmc.revokeCert.sharedSecret.class");
++                    if (tokenClass == null) {
++                        CMS.debug(method + " Failed to retrieve shared secret plugin class");
++                        OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR),
++                                null);
+                         SEQUENCE failed_bpids = new SEQUENCE();
+                         failed_bpids.addElement(attrbpid);
+                         cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo);
+@@ -1014,15 +1062,13 @@ public class CMCOutputTemplate {
+                         return bpid;
+                     }
+ 
+-                    String sharedSecret = null;
+-                    if (tokenClass != null) {
+-                        sharedSecret = tokenClass.getSharedToken(revokeSerial);
+-                    }
++                    String sharedSecret = 
++                            sharedSecret = tokenClass.getSharedToken(revokeSerial);
+ 
+                     if (sharedSecret == null) {
+-                        CMS.debug("CMCOutputTemplate: class for shared secret was not found.");
+-                        OtherInfo otherInfo =
+-                                new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR), null);
++                        CMS.debug("CMCOutputTemplate: shared secret not found.");
++                        OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.INTERNAL_CA_ERROR),
++                                null);
+                         SEQUENCE failed_bpids = new SEQUENCE();
+                         failed_bpids.addElement(attrbpid);
+                         cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo);
+@@ -1033,15 +1079,17 @@ public class CMCOutputTemplate {
+                         return bpid;
+                     }
+ 
+-                    byte[] strb = str.toByteArray();
+-                    String clientSC = new String(strb);
++                    byte[] reqSecretb = reqSecret.toByteArray();
++                    String clientSC = new String(reqSecretb);
+                     if (clientSC.equals(sharedSecret)) {
+-                        CMS.debug("CMCOutputTemplate: Both client and server shared secret are the same, can go ahead to revoke certificate.");
++                        CMS.debug(method
++                                + " Client and server shared secret are the same, can go ahead and revoke certificate.");
+                         revoke = true;
+                     } else {
+-                        CMS.debug("CMCOutputTemplate: Both client and server shared secret are not the same, cant revoke certificate.");
+-                        OtherInfo otherInfo =
+-                                new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), null);
++                        CMS.debug(method
++                                + " Client and server shared secret are not the same, cannot revoke certificate.");
++                        OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK),
++                                null);
+                         SEQUENCE failed_bpids = new SEQUENCE();
+                         failed_bpids.addElement(attrbpid);
+                         cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo);
+@@ -1049,6 +1097,16 @@ public class CMCOutputTemplate {
+                                 new INTEGER(bpid++),
+                                 OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
+                         controlSeq.addElement(tagattr);
++
++                        audit(new CertStatusChangeRequestProcessedEvent(
++                                auditSubjectID,
++                                ILogger.FAILURE,
++                                auditRequesterID,
++                                auditSerialNumber,
++                                auditRequestType,
++                                auditReasonNum,
++                                auditApprovalStatus));
++
+                         return bpid;
+                     }
+                 }
+@@ -1060,11 +1118,11 @@ public class CMCOutputTemplate {
+                     try {
+                         record = repository.readCertificateRecord(revokeSerial);
+                     } catch (EBaseException ee) {
+-                        CMS.debug("CMCOutputTemplate: Exception: " + ee.toString());
++                        CMS.debug(method + "Exception: " + ee.toString());
+                     }
+ 
+                     if (record == null) {
+-                        CMS.debug("CMCOutputTemplate: The certificate is not found");
++                        CMS.debug(method + " The certificate is not found");
+                         OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_CERT_ID), null);
+                         SEQUENCE failed_bpids = new SEQUENCE();
+                         failed_bpids.addElement(attrbpid);
+@@ -1088,11 +1146,46 @@ public class CMCOutputTemplate {
+                         controlSeq.addElement(tagattr);
+                         return bpid;
+                     }
++
+                     X509CertImpl impl = record.getCertificate();
++
++                    X500Name certPrincipal = (X500Name) impl.getSubjectDN();
++                    auditSubjectID = certPrincipal.getCommonName();
++
++                    // in case of user-signed request, check if signer
++                    // principal matches that of the revoking cert
++                    if ((reqSecret == null) && authManagerId.equals("CMCUserSignedAuth")) {
++                        if (!certPrincipal.equals(signerPrincipal)) {
++                            msg = "certificate principal and signer do not match";
++                            CMS.debug(method + msg);
++                            OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY),
++                                    null);
++                            SEQUENCE failed_bpids = new SEQUENCE();
++                            failed_bpids.addElement(attrbpid);
++                            cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, msg,
++                                    otherInfo);
++                            tagattr = new TaggedAttribute(
++                                    new INTEGER(bpid++),
++                                    OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
++                            controlSeq.addElement(tagattr);
++
++                            audit(new CertStatusChangeRequestProcessedEvent(
++                                    auditSubjectID,
++                                    ILogger.FAILURE,
++                                    auditRequesterID,
++                                    auditSerialNumber,
++                                    auditRequestType,
++                                    auditReasonNum,
++                                    auditApprovalStatus));
++
++                            return bpid;
++                        } else {
++                            CMS.debug(method + "certificate principal and signer match");
++                        }
++                    }
++
+                     X509CertImpl[] impls = new X509CertImpl[1];
+                     impls[0] = impl;
+-                    ENUMERATED n = revRequest.getReason();
+-                    RevocationReason reason = toRevocationReason(n);
+                     CRLReasonExtension crlReasonExtn = new CRLReasonExtension(reason);
+                     CRLExtensions entryExtn = new CRLExtensions();
+                     GeneralizedTime t = revRequest.getInvalidityDate();
+@@ -1105,8 +1198,8 @@ public class CMCOutputTemplate {
+                         entryExtn.set(crlReasonExtn.getName(), crlReasonExtn);
+                     }
+ 
+-                    RevokedCertImpl revCertImpl =
+-                            new RevokedCertImpl(impl.getSerialNumber(), CMS.getCurrentDate(), entryExtn);
++                    RevokedCertImpl revCertImpl = new RevokedCertImpl(impl.getSerialNumber(), CMS.getCurrentDate(),
++                            entryExtn);
+                     RevokedCertImpl[] revCertImpls = new RevokedCertImpl[1];
+                     revCertImpls[0] = revCertImpl;
+                     IRequestQueue queue = ca.getRequestQueue();
+@@ -1122,20 +1215,30 @@ public class CMCOutputTemplate {
+                     RequestStatus stat = revReq.getRequestStatus();
+                     if (stat == RequestStatus.COMPLETE) {
+                         Integer result = revReq.getExtDataInInteger(IRequest.RESULT);
+-                        CMS.debug("CMCOutputTemplate: revReq result = " + result);
++                        CMS.debug(method + " revReq result = " + result);
+                         if (result.equals(IRequest.RES_ERROR)) {
+                             CMS.debug("CMCOutputTemplate: revReq exception: " +
+                                     revReq.getExtDataInString(IRequest.ERROR));
+-                            OtherInfo otherInfo =
+-                                    new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_REQUEST), null);
++                            OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_REQUEST),
++                                    null);
+                             SEQUENCE failed_bpids = new SEQUENCE();
+                             failed_bpids.addElement(attrbpid);
+-                            cmcStatusInfo =
+-                                    new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null, otherInfo);
++                            cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED, failed_bpids, (String) null,
++                                    otherInfo);
+                             tagattr = new TaggedAttribute(
+                                     new INTEGER(bpid++),
+                                     OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
+                             controlSeq.addElement(tagattr);
++
++                            audit(new CertStatusChangeRequestProcessedEvent(
++                                    auditSubjectID,
++                                    ILogger.FAILURE,
++                                    auditRequesterID,
++                                    auditSerialNumber,
++                                    auditRequestType,
++                                    auditReasonNum,
++                                    auditApprovalStatus));
++
+                             return bpid;
+                         }
+                     }
+@@ -1148,7 +1251,7 @@ public class CMCOutputTemplate {
+                                     impl.getSubjectDN(),
+                                     impl.getSerialNumber().toString(16),
+                                     reason.toString() });
+-                    CMS.debug("CMCOutputTemplate: Certificate get revoked.");
++                    CMS.debug(method + " Certificate revoked.");
+                     SEQUENCE success_bpids = new SEQUENCE();
+                     success_bpids.addElement(attrbpid);
+                     cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.SUCCESS,
+@@ -1157,6 +1260,16 @@ public class CMCOutputTemplate {
+                             new INTEGER(bpid++),
+                             OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
+                     controlSeq.addElement(tagattr);
++
++                    auditApprovalStatus = RequestStatus.COMPLETE;
++                    audit(new CertStatusChangeRequestProcessedEvent(
++                            auditSubjectID,
++                            ILogger.SUCCESS,
++                            auditRequesterID,
++                            auditSerialNumber,
++                            auditRequestType,
++                            auditReasonNum,
++                            auditApprovalStatus));
+                     return bpid;
+                 } else {
+                     OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), null);
+@@ -1167,6 +1280,16 @@ public class CMCOutputTemplate {
+                             new INTEGER(bpid++),
+                             OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
+                     controlSeq.addElement(tagattr);
++
++                    audit(new CertStatusChangeRequestProcessedEvent(
++                            auditSubjectID,
++                            ILogger.FAILURE,
++                            auditRequesterID,
++                            auditSerialNumber,
++                            auditRequestType,
++                            auditReasonNum,
++                            auditApprovalStatus));
++
+                     return bpid;
+                 }
+             }
+@@ -1175,54 +1298,81 @@ public class CMCOutputTemplate {
+         return bpid;
+     }
+ 
++    protected void audit(AuditEvent event) {
++
++        String template = event.getMessage();
++        Object[] params = event.getParameters();
++
++        String message = CMS.getLogMessage(template, params);
++
++        audit(message);
++    }
++
++    protected void audit(String msg) {
++        // in this case, do NOT strip preceding/trailing whitespace
++        // from passed-in String parameters
++
++        if (mSignedAuditLogger == null) {
++            return;
++        }
++
++        mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
++                null,
++                ILogger.S_SIGNED_AUDIT,
++                ILogger.LL_SECURITY,
++                msg);
++    }
++
+     private RevocationReason toRevocationReason(ENUMERATED n) {
+         long code = n.getValue();
+-        if (code == RevRequest.aACompromise.getValue())
++        if (code == RevokeRequest.aACompromise.getValue())
+             return RevocationReason.UNSPECIFIED;
+-        else if (code == RevRequest.affiliationChanged.getValue())
++        else if (code == RevokeRequest.affiliationChanged.getValue())
+             return RevocationReason.AFFILIATION_CHANGED;
+-        else if (code == RevRequest.cACompromise.getValue())
++        else if (code == RevokeRequest.cACompromise.getValue())
+             return RevocationReason.CA_COMPROMISE;
+-        else if (code == RevRequest.certificateHold.getValue())
++        else if (code == RevokeRequest.certificateHold.getValue())
+             return RevocationReason.CERTIFICATE_HOLD;
+-        else if (code == RevRequest.cessationOfOperation.getValue())
++        else if (code == RevokeRequest.cessationOfOperation.getValue())
+             return RevocationReason.CESSATION_OF_OPERATION;
+-        else if (code == RevRequest.keyCompromise.getValue())
++        else if (code == RevokeRequest.keyCompromise.getValue())
+             return RevocationReason.KEY_COMPROMISE;
+-        else if (code == RevRequest.privilegeWithdrawn.getValue())
++        else if (code == RevokeRequest.privilegeWithdrawn.getValue())
+             return RevocationReason.UNSPECIFIED;
+-        else if (code == RevRequest.removeFromCRL.getValue())
++        else if (code == RevokeRequest.removeFromCRL.getValue())
+             return RevocationReason.REMOVE_FROM_CRL;
+-        else if (code == RevRequest.superseded.getValue())
++        else if (code == RevokeRequest.superseded.getValue())
+             return RevocationReason.SUPERSEDED;
+-        else if (code == RevRequest.unspecified.getValue())
++        else if (code == RevokeRequest.unspecified.getValue())
+             return RevocationReason.UNSPECIFIED;
+         return RevocationReason.UNSPECIFIED;
+     }
+ 
+     private boolean verifyRevRequestSignature(SignedData msgData) {
++        String method = "CMCOutputTemplate: verifyRevRequestSignature: ";
++        CMS.debug(method + "begins");
+         try {
+             EncapsulatedContentInfo ci = msgData.getContentInfo();
+             OCTET_STRING content = ci.getContent();
+             ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray());
+             TaggedAttribute tattr = (TaggedAttribute) (new TaggedAttribute.Template()).decode(s);
+             SET values = tattr.getValues();
+-            RevRequest revRequest = null;
+-            if (values != null && values.size() > 0)
+-                revRequest =
+-                        (RevRequest) (ASN1Util.decode(new RevRequest.Template(),
+-                                ASN1Util.encode(values.elementAt(0))));
++            RevokeRequest revRequest = null;
++            if (values != null && values.size() > 0) {
++                revRequest = (RevokeRequest) (ASN1Util.decode(new RevokeRequest.Template(),
++                        ASN1Util.encode(values.elementAt(0))));
++            } else {
++                CMS.debug(method + "attribute null");
++                return false;
++            }
+ 
+             SET dias = msgData.getDigestAlgorithmIdentifiers();
+             int numDig = dias.size();
+             Hashtable<String, byte[]> digs = new Hashtable<String, byte[]>();
+             for (int i = 0; i < numDig; i++) {
+-                AlgorithmIdentifier dai =
+-                        (AlgorithmIdentifier) dias.elementAt(i);
+-                String name =
+-                        DigestAlgorithm.fromOID(dai.getOID()).toString();
+-                MessageDigest md =
+-                        MessageDigest.getInstance(name);
++                AlgorithmIdentifier dai = (AlgorithmIdentifier) dias.elementAt(i);
++                String name = DigestAlgorithm.fromOID(dai.getOID()).toString();
++                MessageDigest md = MessageDigest.getInstance(name);
+                 byte[] digest = md.digest(content.toByteArray());
+                 digs.put(name, digest);
+             }
+@@ -1230,8 +1380,7 @@ public class CMCOutputTemplate {
+             SET sis = msgData.getSignerInfos();
+             int numSis = sis.size();
+             for (int i = 0; i < numSis; i++) {
+-                org.mozilla.jss.pkix.cms.SignerInfo si =
+-                        (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i);
++                org.mozilla.jss.pkix.cms.SignerInfo si = (org.mozilla.jss.pkix.cms.SignerInfo) sis.elementAt(i);
+                 String name = si.getDigestAlgorithm().toString();
+                 byte[] digest = digs.get(name);
+                 if (digest == null) {
+@@ -1242,17 +1391,15 @@ public class CMCOutputTemplate {
+                 }
+                 SignerIdentifier sid = si.getSignerIdentifier();
+                 if (sid.getType().equals(SignerIdentifier.ISSUER_AND_SERIALNUMBER)) {
+-                    org.mozilla.jss.pkix.cms.IssuerAndSerialNumber issuerAndSerialNumber =
+-                            sid.getIssuerAndSerialNumber();
++                    org.mozilla.jss.pkix.cms.IssuerAndSerialNumber issuerAndSerialNumber = sid
++                            .getIssuerAndSerialNumber();
+                     java.security.cert.X509Certificate cert = null;
+                     if (msgData.hasCertificates()) {
+                         SET certs = msgData.getCertificates();
+                         int numCerts = certs.size();
+                         for (int j = 0; j < numCerts; j++) {
+-                            org.mozilla.jss.pkix.cert.Certificate certJss =
+-                                    (Certificate) certs.elementAt(j);
+-                            org.mozilla.jss.pkix.cert.CertificateInfo certI =
+-                                    certJss.getInfo();
++                            org.mozilla.jss.pkix.cert.Certificate certJss = (Certificate) certs.elementAt(j);
++                            org.mozilla.jss.pkix.cert.CertificateInfo certI = certJss.getInfo();
+                             Name issuer = certI.getIssuer();
+                             byte[] issuerB = ASN1Util.encode(issuer);
+                             INTEGER sn = certI.getSerialNumber();
+@@ -1268,11 +1415,33 @@ public class CMCOutputTemplate {
+                     }
+ 
+                     if (cert != null) {
++                        CMS.debug(method + "found cert");
+                         PublicKey pbKey = cert.getPublicKey();
+                         PK11PubKey pubK = PK11PubKey.fromSPKI(((X509Key) pbKey).getKey());
+                         si.verify(digest, ci.getContentType(), pubK);
++
++                        // now check validity of the cert
++                        java.security.cert.X509Certificate[] x509Certs = new java.security.cert.X509Certificate[1];
++                        x509Certs[0] = cert;
++                        if (CMS.isRevoked(x509Certs)) {
++                            CMS.debug(method + "CMC signing cert is a revoked certificate");
++                            return false;
++                        }
++                        try {
++                            cert.checkValidity();
++                        } catch (CertificateExpiredException e) {
++                            CMS.debug(method + "CMC signing cert is an expired certificate");
++                            return false;
++                        } catch (Exception e) {
++                            return false;
++                        }
++
+                         return true;
++                    } else {
++                        CMS.debug(method + "cert not found");
+                     }
++                } else {
++                    CMS.debug(method + "unsupported SignerIdentifier for CMC revocation");
+                 }
+             }
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java b/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java
+index 83a2d8c..4578a98 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/common/GenPendingTemplateFiller.java
+@@ -158,9 +158,9 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller {
+                 byte[] dig;
+ 
+                 try {
+-                    MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1");
++                    MessageDigest SHA2Digest = MessageDigest.getInstance("SHA256");
+ 
+-                    dig = SHA1Digest.digest(salt.getBytes());
++                    dig = SHA2Digest.digest(salt.getBytes());
+                 } catch (NoSuchAlgorithmException ex) {
+                     dig = salt.getBytes();
+                 }
+@@ -199,16 +199,15 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller {
+                     SignerIdentifier si = new
+                             SignerIdentifier(SignerIdentifier.ISSUER_AND_SERIALNUMBER, ias, null);
+ 
+-                    // SHA1 is the default digest Alg for now.
+                     DigestAlgorithm digestAlg = null;
+                     SignatureAlgorithm signAlg = null;
+                     org.mozilla.jss.crypto.PrivateKey privKey = CryptoManager.getInstance().findPrivKeyByCert(x509cert);
+                     org.mozilla.jss.crypto.PrivateKey.Type keyType = privKey.getType();
+ 
+                     if (keyType.equals(org.mozilla.jss.crypto.PrivateKey.RSA)) {
+-                        signAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest;
+-                    } else if (keyType.equals(org.mozilla.jss.crypto.PrivateKey.DSA)) {
+-                        signAlg = SignatureAlgorithm.DSASignatureWithSHA1Digest;
++                        signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest;
++                    } else if (keyType.equals(org.mozilla.jss.crypto.PrivateKey.EC)) {
++                        signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest;
+                     } else {
+                         CMS.debug("GenPendingTemplateFiller::getTemplateParams() - "
+                                  + "keyType " + keyType.toString()
+@@ -220,8 +219,8 @@ public class GenPendingTemplateFiller implements ICMSTemplateFiller {
+                     byte[] digest = null;
+ 
+                     try {
+-                        SHADigest = MessageDigest.getInstance("SHA1");
+-                        digestAlg = DigestAlgorithm.SHA1;
++                        SHADigest = MessageDigest.getInstance("SHA256");
++                        digestAlg = DigestAlgorithm.SHA256;
+ 
+                         ByteArrayOutputStream ostream = new ByteArrayOutputStream();
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index 93039a4..330b5ff 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -413,7 +413,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
          }
  
-         cs.putString(csSubsystem + "." + tag + ".nickname", cdata.getNickname());
-+        cs.putString(csSubsystem + "." + tag + ".tokenname", cdata.getToken());
-         cs.putString(csSubsystem + "." + tag + ".certreq", cdata.getRequest());
-         cs.putString(csSubsystem + "." + tag + ".cert", cdata.getCert());
-         cs.putString(csSubsystem + "." + tag + ".dn", cdata.getSubjectDN());
+         setInputsIntoContext(request, profile, ctx);
+-        CMS.debug("ProfileSubmistServlet: set Inputs into Context");
++        CMS.debug("ProfileSubmitCMCServlet: set Inputs into Context");
+ 
+         // before creating the request, authenticate the request
+ 
+@@ -560,9 +560,14 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+         // In case of decryptedPOP, request already exists, find it and
+         // put in provedReq.
+         IRequest provedReq = null;
++        boolean isRevoke = false;
+         if (reqs == null) {
+             // handling DecryptedPOP request here
+             Integer reqID = (Integer) context.get("cmcDecryptedPopReqId");
++            if (reqID == null) {
++                CMS.debug("ProfileSubmitCMCServlet: revocation request");
++                isRevoke = true;
++            } else {
+             provedReq = profile.getRequestQueue().findRequest(new RequestId(reqID.toString()));
+             if (provedReq == null) {
+ 
+@@ -584,6 +589,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+             } else {
+                 CMS.debug("ProfileSubmitCMCServlet: provedReq not null");
+             }
++            }
+         }
+ 
+         String errorCode = null;
+@@ -592,7 +598,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+         ///////////////////////////////////////////////
+         // populate request
+         ///////////////////////////////////////////////
+-        for (int k = 0; (provedReq == null) &&(k < reqs.length); k++) {
++        for (int k = 0; (!isRevoke) && (provedReq == null) &&(k < reqs.length); k++) {
+             // adding parameters to request
+             setInputsIntoRequest(request, profile, reqs[k]);
+ 
+@@ -712,7 +718,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+             if (reqs != null && reqs.length > 0)
+                 error_codes = new int[reqs.length];
+ 
+-            for (int k = 0; (provedReq == null) && (k < reqs.length); k++) {
++            for (int k = 0; (!isRevoke) && (provedReq == null) && (k < reqs.length); k++) {
+                 try {
+                     // reset the "auditRequesterID"
+                     auditRequesterID = auditRequesterID(reqs[k]);
 diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
-index a334824..c62087e 100644
+index 94a0783..b111f71 100644
 --- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
 +++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
-@@ -1235,8 +1235,8 @@ public class CMSEngine implements ICMSEngine {
-             // get SSL server nickname
-             IConfigStore serverCertStore = mConfig.getSubStore(id + "." + "sslserver");
-             if (serverCertStore != null && serverCertStore.size() > 0) {
--                String nickName = serverCertStore.getString("nickname", null);
--                String tokenName = serverCertStore.getString("tokenname", null);
-+                String nickName = serverCertStore.getString("nickname");
-+                String tokenName = serverCertStore.getString("tokenname");
-                 if (tokenName != null && tokenName.length() > 0 &&
-                         nickName != null && nickName.length() > 0) {
-                     CMS.setServerCertNickname(tokenName, nickName);
-diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
-index 97f6d3e..64ee4e5 100644
---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
-+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
-@@ -39,31 +39,6 @@ import pki.util
- # PKI Deployment Configuration Scriptlet
- class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- 
--    def store_cert_tokens(self, subsystem, deployer):
--
--        subsystem.config[subsystem.name + '.audit_signing.tokenname'] = (
--            deployer.mdict['pki_audit_signing_token'])
--        subsystem.config[subsystem.name + '.sslserver.tokenname'] = (
--            deployer.mdict['pki_ssl_server_token'])
--        subsystem.config[subsystem.name + '.subsystem.tokenname'] = (
--            deployer.mdict['pki_subsystem_token'])
--
--        if subsystem.name == 'ca':
--            subsystem.config['ca.signing.tokenname'] = (
--                deployer.mdict['pki_ca_signing_token'])
--            subsystem.config['ca.ocsp_signing.tokenname'] = (
--                deployer.mdict['pki_ocsp_signing_token'])
--
--        elif subsystem.name == 'kra':
--            subsystem.config['kra.storage.tokenname'] = (
--                deployer.mdict['pki_storage_token'])
--            subsystem.config['kra.transport.tokenname'] = (
--                deployer.mdict['pki_transport_token'])
--
--        elif subsystem.name == 'ocsp':
--            subsystem.config['ocsp.signing.tokenname'] = (
--                deployer.mdict['pki_ocsp_signing_token'])
--
-     def spawn(self, deployer):
- 
-         if config.str2bool(deployer.mdict['pki_skip_configuration']):
-@@ -290,14 +265,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                     nickname=signing_nickname,
-                     output_format='base64')
-                 subsystem.config['ca.signing.nickname'] = signing_nickname
-+                subsystem.config['ca.signing.tokenname'] = (
-+                    deployer.mdict['pki_ca_signing_token'])
-                 subsystem.config['ca.signing.cert'] = signing_cert_data
-                 subsystem.config['ca.signing.cacertnickname'] = signing_nickname
-                 subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
-                     deployer.mdict['pki_ca_signing_signing_algorithm'])
- 
--                # Store cert tokens in CS.cfg.
--                self.store_cert_tokens(subsystem, deployer)
--
-                 subsystem.save()
- 
-                 # verify the signing certificate
-@@ -308,7 +282,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                     instance, 'ca')
-                 verifier.verify_certificate('signing')
- 
--            else:  # other installation types
-+            else:  # self-signed CA
- 
-                 # To be implemented in ticket #1692.
- 
-@@ -316,10 +290,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
-                 # Self sign CA cert.
-                 # Import self-signed CA cert into NSS database.
- 
--                # Store cert tokens in CS.cfg.
--                self.store_cert_tokens(subsystem, deployer)
--
--                subsystem.save()
-+                pass
- 
-         finally:
-             nssdb.close()
+@@ -62,6 +62,7 @@ import org.mozilla.jss.util.PasswordCallback;
+ import org.w3c.dom.Element;
+ import org.w3c.dom.NodeList;
+ 
++import com.netscape.certsrv.authentication.ISharedToken;
+ import com.netscape.certsrv.acls.ACL;
+ import com.netscape.certsrv.acls.ACLEntry;
+ import com.netscape.certsrv.acls.EACLsException;
+@@ -1912,6 +1913,38 @@ public class CMSEngine implements ICMSEngine {
+         }
+     }
+ 
++    public ISharedToken getSharedTokenClass(String configName) {
++        String method = "CMSEngine: getSharedTokenClass: ";
++        ISharedToken tokenClass = null;
++
++        String name = null;
++        try {
++            CMS.debug(method + "getting :" + configName);
++            name = CMS.getConfigStore().getString(configName);
++            CMS.debug(method + "Shared Secret plugin class name retrieved:" +
++                    name);
++        } catch (Exception e) {
++            CMS.debug(method + " Failed to retrieve shared secret plugin class name");
++            return null;
++        }
++
++        try {
++            tokenClass = (ISharedToken) Class.forName(name).newInstance();
++            CMS.debug(method + "Shared Secret plugin class retrieved");
++        } catch (ClassNotFoundException e) {
++            CMS.debug(method + " Failed to find class name: " + name);
++            return null;
++        } catch (InstantiationException e) {
++            CMS.debug("EnrollProfile: Failed to instantiate class: " + name);
++            return null;
++        } catch (IllegalAccessException e) {
++            CMS.debug(method + " Illegal access: " + name);
++            return null;
++        }
++
++        return tokenClass;
++    }
++
+     public ILogger getLogger() {
+         return Logger.getLogger();
+     }
+diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
+index dd28adb..b314dac 100644
+--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
++++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
+@@ -23,6 +23,7 @@ import com.netscape.certsrv.acls.EACLsException;
+ import com.netscape.certsrv.acls.IACL;
+ import com.netscape.certsrv.apps.ICMSEngine;
+ import com.netscape.certsrv.apps.ICommandQueue;
++import com.netscape.certsrv.authentication.ISharedToken;
+ import com.netscape.certsrv.authority.IAuthority;
+ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IArgBlock;
+@@ -370,6 +371,10 @@ public class CMSEngineDefaultStub implements ICMSEngine {
+         return null;
+     }
+ 
++    public ISharedToken getSharedTokenClass(String configName) {
++        return null;
++    }
++
+     public void putPasswordCache(String tag, String pw) {
+     }
+ 
+diff --git a/base/util/src/com/netscape/cmsutil/util/Utils.java b/base/util/src/com/netscape/cmsutil/util/Utils.java
+index 98becdc..933432d 100644
+--- a/base/util/src/com/netscape/cmsutil/util/Utils.java
++++ b/base/util/src/com/netscape/cmsutil/util/Utils.java
+@@ -285,6 +285,11 @@ public class Utils {
+         return string;
+     }
+ 
++    public static String base64encodeSingleLine(byte[] bytes) {
++        String string = new Base64().encodeToString(bytes);
++        return string;
++    }
++ 
+     public static byte[] base64decode(String string) {
+         byte[] bytes = Base64.decodeBase64(string);
+         return bytes;
+-- 
+1.8.3.1
+
+
+From 4328b770f8cbbb4c85919bc50201dff2e230dcc3 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Thu, 8 Jun 2017 21:14:00 -0400
+Subject: [PATCH 12/14] Add possible keywrap algorithms to usage
+
+Added possible key wrap algorithms to the CRMFPopClient
+usage statement to make it clear what options are available.
+
+Part of BZ #1458047
+
+Change-Id: Ie49ec9cd9bbb5c112668469f701363b967695ef3
+---
+ base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+index 25de2dd..0aaec28 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+@@ -228,6 +228,8 @@ public class CRMFPopClient {
+         System.out.println("                               - POP_SUCCESS: with valid POP");
+         System.out.println("                               - POP_FAIL: with invalid POP (for testing)");
+         System.out.println("  -w <keywrap algorithm>       Algorithm to use for key wrapping");
++        System.out.println("                               - default: \"AES KeyWrap/Padding\"");
++        System.out.println("                               - \"AES/CBC/PKCS5Padding\"");
+         System.out.println("  -b <transport cert>          PEM transport certificate (default: transport.txt)");
+         System.out.println("  -v, --verbose                Run in verbose mode.");
+         System.out.println("      --help                   Show help message.");
+-- 
+1.8.3.1
+
+
+From 9edd684fef78845acee95a766f34a9c57a1ab604 Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Thu, 8 Jun 2017 22:08:01 -0400
+Subject: [PATCH 13/14] Add one more possible keywrap algorithm to usage
+
+Added one more key wrap algorithms to the CRMFPopClient
+usage statement.
+
+Part of BZ #1458047
+
+Change-Id: Ic52410a6a23f850944a6b96385b26a9bba12b51a
+---
+ base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+index 0aaec28..66453c3 100644
+--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+@@ -230,6 +230,7 @@ public class CRMFPopClient {
+         System.out.println("  -w <keywrap algorithm>       Algorithm to use for key wrapping");
+         System.out.println("                               - default: \"AES KeyWrap/Padding\"");
+         System.out.println("                               - \"AES/CBC/PKCS5Padding\"");
++        System.out.println("                               - \"DES3/CBC/Pad\"");
+         System.out.println("  -b <transport cert>          PEM transport certificate (default: transport.txt)");
+         System.out.println("  -v, --verbose                Run in verbose mode.");
+         System.out.println("      --help                   Show help message.");
+-- 
+1.8.3.1
+
+
+From 53564487e46040a9115fba51c8403ecacb50187e Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Thu, 8 Jun 2017 14:25:23 +1000
+Subject: [PATCH 14/14] KRA PKCS #12 export: add config to use 3DES PBE
+ encryption
+
+Restore the 3DES PKCS #12 key recovery code path, alongside the new
+AES variant, which is broken on Thales nethsm.  Add the
+'kra.legacyPKCS12' config for selecting which version to use, with
+the default value of 'true' (i.e., use 3DES).
+
+Part of: https://pagure.io/dogtagpki/issue/2728
+
+Change-Id: Ic02fe8ba3a4c2c049913ff48d3f6dfdc830b4360
+---
+ base/kra/src/com/netscape/kra/RecoveryService.java | 43 ++++++++++++++++------
+ 1 file changed, 32 insertions(+), 11 deletions(-)
+
+diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
+index eee800a..023eb80 100644
+--- a/base/kra/src/com/netscape/kra/RecoveryService.java
++++ b/base/kra/src/com/netscape/kra/RecoveryService.java
+@@ -487,19 +487,40 @@ public class RecoveryService implements IService {
+             PasswordConverter passConverter = new
+                     PasswordConverter();
+ 
+-            byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo(
+-                /* NSS has a bug that causes any AES CBC encryption
+-                 * to use AES-256, but AlgorithmID contains chosen
+-                 * alg.  To avoid mismatch, use AES_256_CBC. */
+-                passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey);
+-            CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned");
+-            if (epkiBytes == null) {
+-                CMS.debug("RecoverService: createPFX() epkiBytes null");
+-                throw new EBaseException("getEncryptedPrivateKeyInfo returned null");
++            boolean legacyP12 =
++                CMS.getConfigStore().getBoolean("kra.legacyPKCS12", true);
++
++            ASN1Value key;
++            if (legacyP12) {
++                Random ran = new SecureRandom();
++                byte[] salt = new byte[20];
++                ran.nextBytes(salt);
++
++                key = EncryptedPrivateKeyInfo.createPBE(
++                        PBEAlgorithm.PBE_SHA1_DES3_CBC,
++                        pass, salt, 1, passConverter, priKey, ct);
++                CMS.debug("RecoverService: createPFX() EncryptedPrivateKeyInfo.createPBE() returned");
++                if (key == null) {
++                    CMS.debug("RecoverService: createPFX() key null");
++                    throw new EBaseException("EncryptedPrivateKeyInfo.createPBE() failed");
++                } else {
++                    CMS.debug("RecoverService: createPFX() key not null");
++                }
+             } else {
+-                CMS.debug("RecoverService: createPFX() epkiBytes not null");
++                byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo(
++                    /* NSS has a bug that causes any AES CBC encryption
++                     * to use AES-256, but AlgorithmID contains chosen
++                     * alg.  To avoid mismatch, use AES_256_CBC. */
++                    passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey);
++                CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned");
++                if (epkiBytes == null) {
++                    CMS.debug("RecoverService: createPFX() epkiBytes null");
++                    throw new EBaseException("getEncryptedPrivateKeyInfo returned null");
++                } else {
++                    CMS.debug("RecoverService: createPFX() epkiBytes not null");
++                }
++                key = new ANY(epkiBytes);
+             }
+-            ASN1Value key = new ANY(epkiBytes);
+ 
+             SET keyAttrs = createBagAttrs(
+                     x509cert.getSubjectDN().toString(),
 -- 
 1.8.3.1
 
diff --git a/SOURCES/pki-core-subordinate-CA-in-HSM-in-FIPS-mode.patch b/SOURCES/pki-core-subordinate-CA-in-HSM-in-FIPS-mode.patch
deleted file mode 100644
index 1b3ba6d..0000000
--- a/SOURCES/pki-core-subordinate-CA-in-HSM-in-FIPS-mode.patch
+++ /dev/null
@@ -1,199 +0,0 @@
-From ea4121886b2f8d9f2de34edcb20b1a9caae9c2c5 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Tue, 15 Nov 2016 21:32:53 +0100
-Subject: [PATCH 1/2] Fixed problem installing subordinate CA with HSM in FIPS
- mode.
-
-Due to certutil issue (bug #1393668) the installation code has
-been modified to import certificates into the NSS database in
-two steps. This workaround is needed to install subordinate CA
-with HSM in FIPS mode.
-
-First, the certificate will be imported into the HSM using the
-HSM password without the trust attributes. Then, the certificate
-will be imported into the internal token using the internal token
-password with the trust attributes.
-
-https://fedorahosted.org/pki/ticket/2543
-(cherry picked from commit 0bef3bbcc5c5cb2d6fb3f0d231c4f5b7fac5ca3b)
-(cherry picked from commit b058ded6f9708edc601041077339947f0f87c19f)
----
- base/common/python/pki/nssdb.py           | 51 ++++++++++++++++++++++++-------
- base/server/python/pki/server/__init__.py |  3 +-
- 2 files changed, 42 insertions(+), 12 deletions(-)
-
-diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
-index 736efca..0a674c0 100644
---- a/base/common/python/pki/nssdb.py
-+++ b/base/common/python/pki/nssdb.py
-@@ -99,7 +99,8 @@ def get_file_type(filename):
- 
- class NSSDatabase(object):
- 
--    def __init__(self, directory=None, token=None, password=None, password_file=None):
-+    def __init__(self, directory=None, token=None, password=None, password_file=None,
-+                 internal_password=None, internal_password_file=None):
- 
-         if not directory:
-             directory = os.path.join(os.path.expanduser("~"), '.dogtag', 'nssdb')
-@@ -124,25 +125,53 @@ class NSSDatabase(object):
-         else:
-             raise Exception('Missing NSS database password')
- 
-+        if internal_password:
-+            # Store the specified internal token into password file.
-+            self.internal_password_file = os.path.join(self.tmpdir, 'internal_password.txt')
-+            with open(self.internal_password_file, 'w') as f:
-+                f.write(internal_password)
-+
-+        elif internal_password_file:
-+            # Use the specified internal token password file.
-+            self.internal_password_file = internal_password_file
-+
-+        else:
-+            # By default use the same password for both internal token and HSM.
-+            self.internal_password_file = self.password_file
-+
-     def close(self):
-         shutil.rmtree(self.tmpdir)
- 
-     def add_cert(self, nickname, cert_file, trust_attributes=',,'):
--        cmd = [
--            'certutil',
--            '-A',
--            '-d', self.directory
--        ]
- 
-+        # Add cert in two steps due to bug #1393668.
-+
-+        # First, import cert into HSM without trust attributes.
-         if self.token:
--            cmd.extend(['-h', self.token])
-+            cmd = [
-+                'certutil',
-+                '-A',
-+                '-d', self.directory,
-+                '-h', self.token,
-+                '-f', self.password_file,
-+                '-n', nickname,
-+                '-i', cert_file,
-+                '-t', ''
-+            ]
- 
--        cmd.extend([
--            '-f', self.password_file,
-+            # Ignore return code due to bug #1393668.
-+            subprocess.call(cmd)
-+
-+        # Then, import cert into internal token with trust attributes.
-+        cmd = [
-+            'certutil',
-+            '-A',
-+            '-d', self.directory,
-+            '-f', self.internal_password_file,
-             '-n', nickname,
-             '-i', cert_file,
-             '-t', trust_attributes
--        ])
-+        ]
- 
-         subprocess.check_call(cmd)
- 
-@@ -584,7 +613,7 @@ class NSSDatabase(object):
-                 else:
-                     n = '%s #%d' % (nickname, counter)
- 
--                self.add_cert(n, cert_file, trust_attributes)
-+                self.add_cert(n, cert_file, trust_attributes=trust_attributes)
-                 nicks.append(n)
- 
-                 counter += 1
-diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
-index 13b3258..d556312 100644
---- a/base/server/python/pki/server/__init__.py
-+++ b/base/server/python/pki/server/__init__.py
-@@ -654,7 +654,8 @@ class PKIInstance(object):
-         return pki.nssdb.NSSDatabase(
-             directory=self.nssdb_dir,
-             token=token,
--            password=self.get_token_password(token))
-+            password=self.get_token_password(token),
-+            internal_password=self.get_token_password())
- 
-     def external_cert_exists(self, nickname, token):
-         for cert in self.external_certs:
--- 
-1.8.3.1
-
-
-From de51508e2262cf98de4360c92af69249e2ef0876 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 16 Nov 2016 03:42:49 +0100
-Subject: [PATCH 2/2] Fixed hanging subordinate CA with HSM installation in
- FIPS mode.
-
-When installing subordinate CA with HSM, the installer calls the
-pki CLI (which is implemented using JSS) to validate the imported
-CA certificate in HSM. Normally, the HSM password is specified as
-CLI parameter, but in FIPS mode JSS requires both the HSM and the
-internal token passwords. Since the CLI only takes one password,
-JSS will prompt for the missing one on the console causing the
-installation to hang.
-
-As a temporary solution, the pki-server subsystem-cert-validate
-command has been modified to validate certificates stored in the
-internal token only and it will use the internal token password,
-so only a single password is required. Further investigation in
-CLI/JSS/NSS is needed to support validating certificates in HSM
-without password prompts.
-
-https://fedorahosted.org/pki/ticket/2543
-(cherry picked from commit 65013d222a9e612aaaaf49ee03ceed5d6c154f59)
-(cherry picked from commit c8553a5308e23b66cee7fc1a357042f99d07b0c7)
----
- base/server/python/pki/server/cli/subsystem.py | 21 ++++++++-------------
- 1 file changed, 8 insertions(+), 13 deletions(-)
-
-diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
-index 42da26e..04461f2 100644
---- a/base/server/python/pki/server/cli/subsystem.py
-+++ b/base/server/python/pki/server/cli/subsystem.py
-@@ -951,11 +951,8 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
- 
-         print('  Token: %s' % token)
- 
--        if token and token.lower() in ['internal', 'internal key storage token']:
--            token = None
--
--        # get token password and store in temporary file
--        passwd = instance.get_token_password(token)
-+        # get internal token password and store in temporary file
-+        passwd = instance.get_token_password()
- 
-         pwfile_handle, pwfile_path = mkstemp()
-         os.write(pwfile_handle, passwd)
-@@ -964,15 +961,13 @@ class SubsystemCertValidateCLI(pki.cli.CLI):
-         try:
-             cmd = ['pki',
-                    '-d', instance.nssdb_dir,
--                   '-C', pwfile_path]
--
--            if token:
--                cmd.extend(['--token', token])
-+                   '-C', pwfile_path,
-+                   'client-cert-validate',
-+                   nickname,
-+                   '--certusage', usage]
- 
--            cmd.extend(['client-cert-validate',
--                        nickname,
--                        '--certusage', usage
--                       ])
-+            if self.verbose:
-+                print('Command: %s' % cmd)
- 
-             subprocess.check_output(cmd, stderr=subprocess.STDOUT)
-             print('  Status: VALID')
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-tps-token-setupSecureChannel-fips-mode.patch b/SOURCES/pki-core-tps-token-setupSecureChannel-fips-mode.patch
deleted file mode 100644
index dba4187..0000000
--- a/SOURCES/pki-core-tps-token-setupSecureChannel-fips-mode.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From eb106cb46aaea07ddc3c46db63f99ab41b2cd835 Mon Sep 17 00:00:00 2001
-From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
-Date: Thu, 20 Oct 2016 15:18:12 -0700
-Subject: [PATCH] TPS token enrollment fails to setupSecureChannel when TPS and
- TKS security db is on fips mode.
-
-Ticket #2513.
-
-Simple fix allows the TPS and TKS the ability to obtain the proper internal token, even in FiPS mode.
-
-(cherry picked from commit cb2cc3c7fd93e1a0519a0b530cbc2edbab7741cc)
-(cherry picked from commit 7fae5790584855ea84b9c6ecf73058b6f0dfc1aa)
----
- .../cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java   | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
-index db42cab..6dfd1d2 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
-@@ -31,6 +31,7 @@ import sun.security.pkcs11.wrapper.PKCS11Constants;
- 
- import com.netscape.certsrv.apps.CMS;
- import com.netscape.certsrv.base.EBaseException;
-+import com.netscape.cmsutil.crypto.CryptoUtil;
- 
- public class SecureChannelProtocol {
- 
-@@ -688,10 +689,11 @@ public class SecureChannelProtocol {
- 
-     public CryptoToken returnTokenByName(String name, CryptoManager manager) throws NoSuchTokenException {
- 
-+        CMS.debug("returnTokenByName: requested name: " + name);
-         if (name == null || manager == null)
-             throw new NoSuchTokenException();
- 
--        if (name.equals("internal") || name.equals("Internal KeyStorage Token")) {
-+        if(CryptoUtil.isInternalToken(name)) {
-             return manager.getInternalKeyStorageToken();
-         } else {
-             return manager.getTokenByName(name);
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-two-step-external-CA-authorityID.patch b/SOURCES/pki-core-two-step-external-CA-authorityID.patch
deleted file mode 100644
index 41f54be..0000000
--- a/SOURCES/pki-core-two-step-external-CA-authorityID.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 441e69f01d8acddef0659f10084fa07b8bff06e5 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Wed, 21 Sep 2016 20:18:37 +1000
-Subject: [PATCH] Do not attempt LWCA key retrieval for host authority
-
-During two-step installation of externally-signed CA, installation
-can fail because host authority's private key cannot be located (a
-temporary condition), causing LWCA key replication to fire, which
-throws NullPointerException because the host authority's AuthorityID
-has not been set yet.
-
-Do not start key retrieval if the CA's AuthorityID is null (a
-condition which implies that the CA is the host authority).
-
-Fixes: https://fedorahosted.org/pki/ticket/2466
-(cherry picked from commit fca5fd053434d112998c814bc6d9424b6a5bac98)
----
- base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-index 1f77fd8..a4f1024 100644
---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
-+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-@@ -1569,7 +1569,12 @@ public class CertificateAuthority
-                 CMS.debug("CA signing key and cert not (yet) present in NSSDB");
-                 signingUnitException = e;
-                 if (retrieveKeys == true) {
--                    if (!keyRetrieverThreads.containsKey(authorityID)) {
-+                    if (authorityID == null) {
-+                        // Only the host authority should ever see a
-+                        // null authorityID, e.g. during two-step
-+                        // installation of externally-signed CA.
-+                        CMS.debug("null authorityID -> host authority; not starting KeyRetriever");
-+                    } else if (!keyRetrieverThreads.containsKey(authorityID)) {
-                         CMS.debug("Starting KeyRetrieverRunner thread");
-                         Thread t = new Thread(
-                             new KeyRetrieverRunner(authorityID, mNickname, authorityKeyHosts),
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-typo-in-UserPwdDirAuthentication.patch b/SOURCES/pki-core-typo-in-UserPwdDirAuthentication.patch
deleted file mode 100644
index aac26c3..0000000
--- a/SOURCES/pki-core-typo-in-UserPwdDirAuthentication.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 92372f653ca48d1de71de990fe3ef99ba1a83111 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Mon, 24 Oct 2016 18:30:55 +0200
-Subject: [PATCH] Fixed typo in UserPwdDirAuthentication.
-
-https://fedorahosted.org/pki/ticket/2460
-(cherry picked from commit 634da4e7ba6af5e799da300955a4730fa51be8f0)
----
- .../src/com/netscape/cms/authentication/UserPwdDirAuthentication.java   | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
-index a95dd86..ead8650 100644
---- a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
-+++ b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
-@@ -108,7 +108,7 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication
-     }
- 
-     /**
--     * Initializes the UdnPwdDirAuthentication auth manager.
-+     * Initializes the UserPwdDirAuthentication auth manager.
-      * <p>
-      *
-      * @param name - The name for this authentication manager instance.
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-updated-account-info.patch b/SOURCES/pki-core-updated-account-info.patch
deleted file mode 100644
index f4d1a22..0000000
--- a/SOURCES/pki-core-updated-account-info.patch
+++ /dev/null
@@ -1,170 +0,0 @@
-From ebe79a4db05662091bd15efc860ef6923beff2aa Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Thu, 20 Oct 2016 00:54:47 +0200
-Subject: [PATCH] Updated AccountInfo.
-
-The AccountInfo has been changed to extend the ResourceMessage
-such that it can be used to pass the list of accessible
-components as an attribute.
-
-https://fedorahosted.org/pki/ticket/2523
-(cherry picked from commit 6d5d15edebeb1ba113e4f3d5b2bb1ba93a92ce1d)
-(cherry picked from commit 388e443b99999dd2aa0832aaed0cdf43ee260b81)
----
- .../com/netscape/certsrv/account/AccountInfo.java  |  8 ++--
- .../com/netscape/certsrv/base/ResourceMessage.java | 11 +++++-
- .../org/dogtagpki/server/rest/AccountService.java  | 46 ++++++++--------------
- 3 files changed, 31 insertions(+), 34 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/account/AccountInfo.java b/base/common/src/com/netscape/certsrv/account/AccountInfo.java
-index 7943d22..3310bf0 100644
---- a/base/common/src/com/netscape/certsrv/account/AccountInfo.java
-+++ b/base/common/src/com/netscape/certsrv/account/AccountInfo.java
-@@ -33,11 +33,13 @@ import javax.xml.bind.annotation.XmlRootElement;
- import javax.xml.bind.annotation.adapters.XmlAdapter;
- import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
- 
-+import com.netscape.certsrv.base.ResourceMessage;
-+
- /**
-  * @author Endi S. Dewata
-  */
- @XmlRootElement(name="Account")
--public class AccountInfo {
-+public class AccountInfo extends ResourceMessage {
- 
-     public static Marshaller marshaller;
-     public static Unmarshaller unmarshaller;
-@@ -98,7 +100,7 @@ public class AccountInfo {
-     @Override
-     public int hashCode() {
-         final int prime = 31;
--        int result = 1;
-+        int result = super.hashCode();
-         result = prime * result + ((email == null) ? 0 : email.hashCode());
-         result = prime * result + ((fullName == null) ? 0 : fullName.hashCode());
-         result = prime * result + ((id == null) ? 0 : id.hashCode());
-@@ -110,7 +112,7 @@ public class AccountInfo {
-     public boolean equals(Object obj) {
-         if (this == obj)
-             return true;
--        if (obj == null)
-+        if (!super.equals(obj))
-             return false;
-         if (getClass() != obj.getClass())
-             return false;
-diff --git a/base/common/src/com/netscape/certsrv/base/ResourceMessage.java b/base/common/src/com/netscape/certsrv/base/ResourceMessage.java
-index 1214b45..85d0d07 100644
---- a/base/common/src/com/netscape/certsrv/base/ResourceMessage.java
-+++ b/base/common/src/com/netscape/certsrv/base/ResourceMessage.java
-@@ -26,6 +26,7 @@ import javax.xml.bind.annotation.XmlValue;
- import javax.xml.bind.annotation.adapters.XmlAdapter;
- import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
- 
-+import com.netscape.certsrv.account.AccountInfo;
- import com.netscape.certsrv.key.AsymKeyGenerationRequest;
- import com.netscape.certsrv.key.KeyArchivalRequest;
- import com.netscape.certsrv.key.KeyRecoveryRequest;
-@@ -35,8 +36,14 @@ import com.netscape.certsrv.key.SymKeyGenerationRequest;
-  * @author Ade Lee
-  */
- @XmlRootElement(name = "ResourceMessage")
--@XmlSeeAlso({ KeyArchivalRequest.class, KeyRecoveryRequest.class, SymKeyGenerationRequest.class,
--        PKIException.Data.class, AsymKeyGenerationRequest.class })
-+@XmlSeeAlso({
-+    AccountInfo.class,
-+    KeyArchivalRequest.class,
-+    KeyRecoveryRequest.class,
-+    SymKeyGenerationRequest.class,
-+    PKIException.Data.class,
-+    AsymKeyGenerationRequest.class
-+})
- @XmlAccessorType(XmlAccessType.NONE)
- public class ResourceMessage {
- 
-diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
-index 827e99e..673db45 100644
---- a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
-@@ -21,13 +21,8 @@ package org.dogtagpki.server.rest;
- import java.security.Principal;
- import java.util.Arrays;
- 
--import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpSession;
--import javax.ws.rs.core.Context;
--import javax.ws.rs.core.HttpHeaders;
--import javax.ws.rs.core.Request;
- import javax.ws.rs.core.Response;
--import javax.ws.rs.core.UriInfo;
- 
- import org.apache.catalina.realm.GenericPrincipal;
- import org.apache.commons.lang.StringUtils;
-@@ -43,47 +38,40 @@ import com.netscape.cms.servlet.base.PKIService;
-  */
- public class AccountService extends PKIService implements AccountResource {
- 
--    @Context
--    private UriInfo uriInfo;
--
--    @Context
--    private HttpHeaders headers;
--
--    @Context
--    private Request request;
--
--    @Context
--    private HttpServletRequest servletRequest;
--
--    @Override
--    public Response login() {
--        HttpSession session = servletRequest.getSession();
--        System.out.println("Creating session "+session.getId());
--
-+    protected AccountInfo createAccountInfo() {
-         Principal principal = servletRequest.getUserPrincipal();
--        System.out.println("Principal: "+principal);
-+        System.out.println("Principal: " + principal);
- 
--        AccountInfo response = new AccountInfo();
-+        AccountInfo accountInfo = new AccountInfo();
-         String name = principal.getName();
--        response.setID(name);
-+        accountInfo.setID(name);
- 
-         if (principal instanceof PKIPrincipal) {
-             PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
-             IUser user = pkiPrincipal.getUser();
- 
-             String fullName = user.getFullName();
--            if (!StringUtils.isEmpty(fullName)) response.setFullName(fullName);
-+            if (!StringUtils.isEmpty(fullName)) accountInfo.setFullName(fullName);
- 
-             String email = user.getEmail();
--            if (!StringUtils.isEmpty(email)) response.setEmail(email);
-+            if (!StringUtils.isEmpty(email)) accountInfo.setEmail(email);
-         }
- 
-         if (principal instanceof GenericPrincipal) {
-             String[] roles = ((GenericPrincipal) principal).getRoles();
--            response.setRoles(Arrays.asList(roles));
-+            accountInfo.setRoles(Arrays.asList(roles));
-         }
- 
--        return createOKResponse(response);
-+        return accountInfo;
-+    }
-+
-+    @Override
-+    public Response login() {
-+        HttpSession session = servletRequest.getSession();
-+        System.out.println("Creating session " + session.getId());
-+
-+        AccountInfo accountInfo = createAccountInfo();
-+        return createOKResponse(accountInfo);
-     }
- 
-     @Override
--- 
-1.8.3.1
-
diff --git a/SOURCES/pki-core-use-BigInteger-for-entryUSN.patch b/SOURCES/pki-core-use-BigInteger-for-entryUSN.patch
deleted file mode 100644
index a4a3e19..0000000
--- a/SOURCES/pki-core-use-BigInteger-for-entryUSN.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-commit d37d1cb1a2d33d17f15cbf9565a4bba99050e59a
-Author: Fraser Tweedale <ftweedal@redhat.com>
-Date:   Mon Jan 23 17:11:26 2017 +1000
-
-    Use BigInteger for entryUSN
-    
-    Currently we try to parse the entryUSN into an Integer, which wraps
-    the 'int' primitive type.  If entryUSN value is too large to fit in
-    'int', NumberFormatException is raised.
-    
-    Change LDAPProfileSubsystem and CertificateAuthority to use
-    BigInteger for entryUSN values.
-    
-    Fixes: https://fedorahosted.org/pki/ticket/2579
-    (cherry picked from commit 79c6d70a8434cf52f9bac8bfa0367876baccb054)
-    (cherry picked from commit 7727940c7f43161d5a7597756cf01f159b2a72d8)
-
-diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-index ae90d3a..9b2ba03 100644
---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
-+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-@@ -333,7 +333,7 @@ public class CertificateAuthority
- 
-     /* Maps and sets of entryUSNs and nsUniqueIds for avoiding race
-      * conditions and unnecessary reloads related to replication */
--    private static TreeMap<AuthorityID,Integer> entryUSNs = new TreeMap<>();
-+    private static TreeMap<AuthorityID,BigInteger> entryUSNs = new TreeMap<>();
-     private static TreeMap<AuthorityID,String> nsUniqueIds = new TreeMap<>();
-     private static TreeSet<String> deletedNsUniqueIds = new TreeSet<>();
- 
-@@ -2904,7 +2904,7 @@ public class CertificateAuthority
- 
-         LDAPAttribute attr = entry.getAttribute("entryUSN");
-         if (attr != null) {
--            Integer entryUSN = new Integer(attr.getStringValueArray()[0]);
-+            BigInteger entryUSN = new BigInteger(attr.getStringValueArray()[0]);
-             entryUSNs.put(aid, entryUSN);
-             CMS.debug("postCommit: new entryUSN = " + entryUSN);
-         }
-@@ -3270,7 +3270,7 @@ public class CertificateAuthority
-             return;
-         }
- 
--        Integer newEntryUSN = null;
-+        BigInteger newEntryUSN = null;
-         LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN");
-         if (entryUSNAttr == null) {
-             CMS.debug("readAuthority: no entryUSN");
-@@ -3287,14 +3287,14 @@ public class CertificateAuthority
-                 // entryUSN attribute being added.
-             }
-         } else {
--            newEntryUSN = new Integer(entryUSNAttr.getStringValueArray()[0]);
-+            newEntryUSN = new BigInteger(entryUSNAttr.getStringValueArray()[0]);
-             CMS.debug("readAuthority: new entryUSN = " + newEntryUSN);
-         }
- 
--        Integer knownEntryUSN = entryUSNs.get(aid);
-+        BigInteger knownEntryUSN = entryUSNs.get(aid);
-         if (newEntryUSN != null && knownEntryUSN != null) {
-             CMS.debug("readAuthority: known entryUSN = " + knownEntryUSN);
--            if (newEntryUSN <= knownEntryUSN) {
-+            if (newEntryUSN.compareTo(knownEntryUSN) <= 0) {
-                 CMS.debug("readAuthority: data is current");
-                 return;
-             }
-diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
-index 6dea1a0..348a9ab 100644
---- a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
-+++ b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
-@@ -19,6 +19,7 @@ package com.netscape.cmscore.profile;
- 
- import java.io.ByteArrayInputStream;
- import java.io.InputStream;
-+import java.math.BigInteger;
- import java.util.Arrays;
- import java.util.Hashtable;
- import java.util.LinkedHashMap;
-@@ -64,7 +65,7 @@ public class LDAPProfileSubsystem
- 
-     /* Map of profileId -> entryUSN for the most recent view
-      * of the profile entry that this instance has seen */
--    private TreeMap<String,Integer> entryUSNs;
-+    private TreeMap<String,BigInteger> entryUSNs;
- 
-     private TreeMap<String,String> nsUniqueIds;
- 
-@@ -149,14 +150,14 @@ public class LDAPProfileSubsystem
-         }
-         profileId = LDAPDN.explodeDN(dn, true)[0];
- 
--        Integer newEntryUSN = new Integer(
-+        BigInteger newEntryUSN = new BigInteger(
-                 ldapProfile.getAttribute("entryUSN").getStringValueArray()[0]);
-         CMS.debug("readProfile: new entryUSN = " + newEntryUSN);
- 
--        Integer knownEntryUSN = entryUSNs.get(profileId);
-+        BigInteger knownEntryUSN = entryUSNs.get(profileId);
-         if (knownEntryUSN != null) {
-             CMS.debug("readProfile: known entryUSN = " + knownEntryUSN);
--            if (newEntryUSN <= knownEntryUSN) {
-+            if (newEntryUSN.compareTo(knownEntryUSN) <= 0) {
-                 CMS.debug("readProfile: data is current");
-                 return;
-             }
-@@ -327,10 +328,10 @@ public class LDAPProfileSubsystem
-                 return;
-             }
- 
--            Integer entryUSN = null;
-+            BigInteger entryUSN = null;
-             LDAPAttribute attr = entry.getAttribute("entryUSN");
-             if (attr != null)
--                entryUSN = new Integer(attr.getStringValueArray()[0]);
-+                entryUSN = new BigInteger(attr.getStringValueArray()[0]);
-             entryUSNs.put(id, entryUSN);
-             CMS.debug("commitProfile: new entryUSN = " + entryUSN);
- 
diff --git a/SOURCES/pki-core-user-cert-add-authentication-failure.patch b/SOURCES/pki-core-user-cert-add-authentication-failure.patch
deleted file mode 100644
index 6f8d4be..0000000
--- a/SOURCES/pki-core-user-cert-add-authentication-failure.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From b408cbc053d02f462b87fc3648b181ce318a5b0a Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 23 Nov 2016 04:30:00 +0100
-Subject: [PATCH 1/2] Refactored PKIConnection.get().
-
-The PKIConnection has been modified to provide two get() methods:
-one returning a generic Response object wnd the other returning an
-object with the specified type. The ConfigurationUtils has been
-modified accordingly.
-
-https://fedorahosted.org/pki/ticket/1517
-(cherry picked from commit 20656a1a0bb3fa402494fb5c1374c2b14dd29f2d)
----
- base/common/src/com/netscape/certsrv/client/PKIConnection.java    | 8 ++++++--
- .../src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java  | 2 +-
- 2 files changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
-index 88a2089..301c4c6 100644
---- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
-+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
-@@ -458,13 +458,17 @@ public class PKIConnection {
-         }
-     }
- 
--    public String get(String path) throws Exception {
-+    public Response get(String path) throws Exception {
-+        return get(path, Response.class);
-+    }
-+
-+    public <T> T get(String path, Class<T> responseType) throws Exception {
-         String uri = config.getServerURI().toString();
-         if (path != null) {
-             uri += path;
-         }
-         ResteasyWebTarget target = resteasyClient.target(uri);
--        return target.request().get(String.class);
-+        return target.request().get(responseType);
-     }
- 
-     public String post(String path, MultivaluedMap<String, String> content) throws Exception {
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-index afd8d28..bc6431c 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-@@ -234,7 +234,7 @@ public class ConfigurationUtils {
-         PKIConnection connection = new PKIConnection(config);
-         if (certApprovalCallback == null) certApprovalCallback = ConfigurationUtils.certApprovalCallback;
-         connection.setCallback(certApprovalCallback);
--        return connection.get(path);
-+        return connection.get(path, String.class);
-     }
- 
-     public static String post(String hostname, int port, boolean secure,
--- 
-1.8.3.1
-
-
-From 222fd9bd489dbf6605c228353ac7c5bbef0eb5f7 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 23 Nov 2016 05:17:43 +0100
-Subject: [PATCH 2/2] Fixed problem with pki user-cert-add.
-
-Previously the pki user-cert-add fails to check whether the server
-has a CA subsystem when it's invoked over SSL. That is because the
-CLI tries to establish a new but improperly set up SSL connection.
-Now the CLI has been modified to use the existing server
-connection.
-
-https://fedorahosted.org/pki/ticket/1517
-(cherry picked from commit 2cc925cad40b5ec65e4c1c553c25e4165ee955f4)
----
- .../netscape/certsrv/client/SubsystemClient.java   | 26 +++++-----------------
- 1 file changed, 6 insertions(+), 20 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/client/SubsystemClient.java b/base/common/src/com/netscape/certsrv/client/SubsystemClient.java
-index 3d44bce..bf329af 100644
---- a/base/common/src/com/netscape/certsrv/client/SubsystemClient.java
-+++ b/base/common/src/com/netscape/certsrv/client/SubsystemClient.java
-@@ -17,12 +17,9 @@
- // --- END COPYRIGHT BLOCK ---
- package com.netscape.certsrv.client;
- 
--import java.net.URI;
- import java.net.URISyntaxException;
- 
--import org.apache.http.HttpResponse;
--import org.apache.http.client.methods.HttpGet;
--import org.apache.http.impl.client.DefaultHttpClient;
-+import javax.ws.rs.core.Response;
- 
- import com.netscape.certsrv.account.AccountClient;
- 
-@@ -51,23 +48,12 @@ public class SubsystemClient extends Client {
- 
-     public boolean exists() throws Exception {
- 
--        ClientConfig config = client.getConfig();
--        URI serverURI = config.getServerURI();
- 
--        URI subsystemURI = new URI(
--                serverURI.getScheme(),
--                null,
--                serverURI.getHost(),
--                serverURI.getPort(),
--                "/" + name,
--                null,
--                null);
-+        PKIConnection connection = client.getConnection();
-+        Response response = connection.get("/" + name);
- 
--        DefaultHttpClient client = new DefaultHttpClient();
--        HttpGet method = new HttpGet(subsystemURI);
-         try {
--            HttpResponse response = client.execute(method);
--            int code = response.getStatusLine().getStatusCode();
-+            int code = response.getStatus();
- 
-             if (code == 200) {
-                 return true;
-@@ -76,11 +62,11 @@ public class SubsystemClient extends Client {
-                 return false;
- 
-             } else {
--                throw new Exception("Error: " + response.getStatusLine());
-+                throw new Exception("Error: " + response.getStatusInfo());
-             }
- 
-         } finally {
--            method.releaseConnection();
-+            response.close();
-         }
-     }
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index bcaa4c3..37526ca 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -13,7 +13,7 @@
 %global package_rhel_packages 1
 # Package RHCS-specific RPMS Only
 %global package_rhcs_packages 0
-%define pki_core_rhel_version 10.3.3
+%define pki_core_rhel_version 10.4.1
 %else
 # 0%{?fedora}
 # Fedora always packages all RPMS
@@ -64,9 +64,13 @@
 %define pki_homedir /usr/share/pki
 
 Name:             pki-core
-Version:          10.3.3
-#Release:          19%{?dist}
-Release:          19.el7_3
+%if 0%{?rhel}
+Version:          10.4.1
+Release:          11%{?dist}
+%else
+Version:          10.4.8
+Release:          1%{?dist}
+%endif
 Summary:          Certificate System - PKI Core Components
 URL:              http://pki.fedoraproject.org/
 License:          GPLv2
@@ -85,8 +89,20 @@ BuildRequires:    apache-commons-codec
 BuildRequires:    apache-commons-io
 BuildRequires:    apache-commons-lang
 BuildRequires:    jakarta-commons-httpclient
+BuildRequires:    slf4j
+%if ! 0%{?rhel}
+BuildRequires:    slf4j-jdk14
+%endif
 BuildRequires:    nspr-devel
-BuildRequires:    nss-devel >= 3.14.3
+%if 0%{?rhel}
+BuildRequires:    nss-devel >= 3.28.3
+%else
+%if 0%{?fedora} >= 25
+BuildRequires:    nss-devel >= 3.28.3
+%else
+BuildRequires:    nss-devel >= 3.27.0
+%endif
+%endif
 
 %if 0%{?rhel}
 BuildRequires:    nuxwdog-client-java >= 1.0.1-11
@@ -154,6 +170,7 @@ BuildRequires:    python3-flake8
 %endif
 %endif
 
+BuildRequires:    python2-cryptography
 BuildRequires:    python-nss
 BuildRequires:    python-requests >= 2.6.0
 BuildRequires:    python-six
@@ -165,22 +182,31 @@ BuildRequires:    policycoreutils-python-utils
 BuildRequires:    python-ldap
 BuildRequires:    junit
 BuildRequires:    jpackage-utils >= 0:1.7.5-10
-BuildRequires:    jss >= 4.2.6-40
+%if 0%{?rhel}
+BuildRequires:    jss >= 4.4.0-7
+%else
+%if 0%{?fedora} >= 25
+BuildRequires:    jss >= 4.4.2-2
+%else
+BuildRequires:    jss >= 4.2.6-44
+%endif
+%endif
 BuildRequires:    systemd-units
-
 %if 0%{?rhel}
-BuildRequires:    tomcatjss >= 7.1.2-2
+BuildRequires:    tomcatjss >= 7.2.1-4
 %else
-%if 0%{?fedora} >= 23
-BuildRequires:    tomcatjss >= 7.1.3
+%if 0%{?fedora} >= 25
+BuildRequires:    tomcatjss >= 7.2.3
 %else
-BuildRequires:    tomcatjss >= 7.1.2-2
+BuildRequires:    tomcatjss >= 7.1.3
 %endif
 %endif
 
 %if 0%{?with_python3}
+BuildRequires:  python3-cryptography
 BuildRequires:  python3-devel
 BuildRequires:  python3-nss
+BuildRequires:  python3-pyldap
 BuildRequires:  python3-requests >= 2.6.0
 BuildRequires:  python3-six
 %endif  # with_python3
@@ -209,106 +235,52 @@ Source0:          http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{
 %endif
 
 #######################
-## pki-core-10.3.3-2
-#######################
-Patch1:           pki-core-Fix-build-on-Fedora-25.patch
-#######################
-## pki-core-10.3.3-3
-#######################
-Patch2:           pki-core-post-re-base.patch
-#######################
-## pki-core-10.3.3-5
-#######################
-Patch3:           pki-core-beta.patch
+## pki-core-10.4.1-2
 #######################
-## pki-core-10.3.3-7
+Patch0:           pki-core-alpha.patch
 #######################
-Patch4:           pki-core-snapshot-1.patch
+## pki-core-10.4.1-3
 #######################
-## pki-core-10.3.3-8
+Patch1:           pki-core-beta.patch
 #######################
-Patch5:           pki-core-snapshot-2.patch
-#######################
-## pki-core-10.3.3-9
-#######################
-Patch6:           pki-core-snapshot-3.patch
+## pki-core-10.4.1-4
 #######################
-## pki-core-10.3.3-10
+Patch2:           pki-core-post-beta.patch
 #######################
-Patch7:           pki-core-snapshot-4.patch
+## pki-core-10.4.1-5
 #######################
-## pki-core-10.3.3-11
+Patch3:           pki-core-snapshot-1.patch
 #######################
-#Patch8:           pki-core-rhel-post-snapshot-1.patch
+## pki-core-10.4.1-6
 #######################
-## pki-core-10.3.3-12
+Patch4:           pki-core-Always-check-FIPS-mode-at-installation-time.patch
 #######################
-## RHEL 7.3.z Batch Update 1
-Patch9:           pki-core-two-step-external-CA-authorityID.patch
-Patch10:          pki-core-compare-serial-DNs-host-authz-check.patch
-Patch11:          pki-core-KRA-external-CA-partial-cert-chain.patch
-Patch12:          pki-core-problems-with-FIPS-mode.patch
-Patch13:          pki-core-eliminate-duplicate-classes-in-jars.patch
-Patch14:          pki-core-typo-in-UserPwdDirAuthentication.patch
-## RHCS 9.1 (async) Batch Update 1
-#Patch15:          pki-core-token-format-external-reg.patch
-#Patch16:          pki-core-encryption-cert-auto-recovery-damaged-token.patch
-#Patch17:          pki-core-pin-reset-policy.patch
-## RHEL 7.3.z Batch Update 1
-Patch18:          pki-core-tps-token-setupSecureChannel-fips-mode.patch
+## pki-core-10.4.1-7
 #######################
-## pki-core-10.3.3-13
-#######################
-## RHCS 9.1 (async) Batch Update 1
-##Patch19:          pki-core-target-agent-approve-list.patch
-## RHEL 7.3.z Batch Update 1
-Patch20:          pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch
-#######################
-## pki-core-10.3.3-15
-#######################
-## RHEL 7.3.z Batch Update 2
-Patch21:          pki-core-user-cert-add-authentication-failure.patch
-Patch22:          pki-core-ca-cert-request-submit-missing-authentication.patch
-Patch23:          pki-core-updated-account-info.patch
-Patch24:          pki-core-subordinate-CA-in-HSM-in-FIPS-mode.patch
-Patch25:          pki-core-pkispawn-ecc-key-size-change.patch
-Patch26:          pki-core-log-properties-and-man-pages.patch
-## RHCS 9.1 (async) Batch Update 2
-#Patch27:          pki-core-TPS-UI-target-agent-approve-list.patch
-#Patch28:          pki-core-TPS-tokendb-encryption-cert-automatic-recovery.patch
+Patch5:           pki-core-snapshot-2.patch
 #######################
-## pki-core-10.3.3-16
+## pki-core-10.4.1-8
 #######################
-## RHCS 9.1 (async) Batch Update 2
-#Patch29:          pki-core-TPS-format-G-and-D-cards.patch
-#Patch30:          pki-core-RHCS-log-properties.patch
-## RHEL 7.3.z Batch Update 2
-Patch31:          pki-core-BASE-format-G-and-D-cards.patch
+Patch6:           pki-core-snapshot-3.patch
+Patch7:           pki-core-SecurityDataRecoveryService.patch
 #######################
-## pki-core-10.3.3-17
+## pki-core-10.4.1-9
 #######################
-## RHEL 7.3.z Batch Update 3
-Patch32:          pki-core-replace-default-AJP-hostname-with-localhost.patch
-Patch33:          pki-core-added-global-TCP-Keep-Alive-option.patch
-Patch34:          pki-core-added-upgrade-script-to-update-AJP-localhost.patch
-Patch35:          pki-core-fixed-problem-searching-for-latest-cert-req.patch
-Patch36:          pki-core-omit-parameter-field-from-ECDSA-certs-Alg-IDs.patch
-Patch37:          pki-core-added-option-to-remove-signing-cert-entry.patch
-Patch38:          pki-core-use-BigInteger-for-entryUSN.patch
-Patch39:          pki-core-slf4j-api.patch
-Patch40:          pki-core-javadoc-special-characters.patch
-## RHCS 9.1 (async) Batch Update 3
-#Patch41:          pki-core-reset-cert-status-after-successful-unrevoke.patch
+Patch8:           pki-core-snapshot-4.patch
 #######################
-## pki-core-10.3.3-18
+## pki-core-10.4.1-10
+## (pki-core-snapshot-5.patch)
 #######################
-## RHEL 7.3.z Batch Update 4
-Patch42:          pki-core-add-profile-component-that-copies-CN-to-SAN.patch
+Patch9:           pki-core-Fix-3DES-archival.patch
+Patch10:          pki-core-Fix-token-enrollment-and-recovery-ivs.patch
+Patch11:          pki-core-CMC-check-HTTPS-client-authentication-cert.patch
+Patch12:          pki-core-Fix-regression-in-pkcs12-key-bag-creation.patch
 #######################
-## pki-core-10.3.3-19
+## pki-core-10.4.1-11
 #######################
-## RHEL 7.3.z Batch Update 6
-Patch43:          pki-core-CA-certificate-profiles-startTime-param.patch
+Patch13:          pki-core-cmc-plugin-default-change.patch
+
+
 
 # Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
 #
@@ -407,9 +379,25 @@ Summary:          Symmetric Key JNI Package
 Group:            System Environment/Libraries
 
 Requires:         java-1.8.0-openjdk-headless
-Requires:         nss
+%if 0%{?rhel}
+Requires:         nss >= 3.28.3
+%else
+%if 0%{?fedora} >= 25
+Requires:         nss >= 3.28.3
+%else
+Requires:         nss >= 3.27.0
+%endif
+%endif
 Requires:         jpackage-utils >= 0:1.7.5-10
-Requires:         jss >= 4.2.6-40
+%if 0%{?rhel}
+Requires:         jss >= 4.4.0-7
+%else
+%if 0%{?fedora} >= 25
+Requires:         jss >= 4.4.2-2
+%else
+Requires:         jss >= 4.2.6-44
+%endif
+%endif
 
 Provides:         symkey = %{version}-%{release}
 
@@ -455,6 +443,17 @@ Obsoletes:        pki-common < %{version}-%{release}
 Obsoletes:        pki-util < %{version}-%{release}
 
 Conflicts:        freeipa-server < 3.0.0
+
+%if 0%{?rhel}
+Requires:         nss >= 3.28.3
+%else
+%if 0%{?fedora} >= 25
+Requires:         nss >= 3.28.3
+%else
+Requires:         nss >= 3.27.0
+%endif
+%endif
+Requires:         python2-cryptography
 Requires:         python-nss
 Requires:         python-requests >= 2.6.0
 Requires:         python-six
@@ -471,16 +470,28 @@ Summary:          Certificate System - Java Framework
 Group:            System Environment/Base
 BuildArch:        noarch
 
+Requires:         java-1.8.0-openjdk-headless
 Requires:         apache-commons-cli
 Requires:         apache-commons-codec
 Requires:         apache-commons-io
 Requires:         apache-commons-lang
 Requires:         apache-commons-logging
 Requires:         jakarta-commons-httpclient
-Requires:         java-1.8.0-openjdk-headless
+Requires:         slf4j
+%if ! 0%{?rhel}
+Requires:         slf4j-jdk14
+%endif
 Requires:         javassist
 Requires:         jpackage-utils >= 0:1.7.5-10
-Requires:         jss >= 4.2.6-40
+%if 0%{?rhel}
+Requires:         jss >= 4.4.0-7
+%else
+%if 0%{?fedora} >= 25
+Requires:         jss >= 4.4.2-2
+%else
+Requires:         jss >= 4.2.6-44
+%endif
+%endif
 Requires:         ldapjdk
 Requires:         pki-base = %{version}-%{release}
 
@@ -541,6 +552,7 @@ BuildArch:        noarch
 
 Requires:         pki-base = %{version}-%{release}
 
+Requires:         python3-cryptography
 Requires:         python3-nss
 Requires:         python3-requests >= 2.6.0
 Requires:         python3-six
@@ -565,8 +577,15 @@ Obsoletes:        pki-native-tools < %{version}-%{release}
 Obsoletes:        pki-java-tools < %{version}-%{release}
 
 Requires:         openldap-clients
-Requires:         nss
-Requires:         nss-tools
+%if 0%{?rhel}
+Requires:         nss-tools >= 3.28.3
+%else
+%if 0%{?fedora} >= 25
+Requires:         nss-tools >= 3.28.3
+%else
+Requires:         nss-tools >= 3.27.0
+%endif
+%endif
 Requires:         java-1.8.0-openjdk-headless
 Requires:         pki-base = %{version}-%{release}
 Requires:         pki-base-java = %{version}-%{release}
@@ -615,6 +634,7 @@ Requires:    nuxwdog-client-java >= 1.0.3
 %endif
 
 Requires:         policycoreutils
+Requires:         procps-ng
 Requires:         openldap-clients
 Requires:         openssl
 Requires:         pki-base = %{version}-%{release}
@@ -628,12 +648,7 @@ Requires:         policycoreutils-python
 Requires:         policycoreutils-python-utils
 %endif
 
-%if 0%{?fedora} >= 21
-Requires:         selinux-policy-targeted >= 3.13.1-9
-%else
-# 0%{?rhel} || 0%{?fedora} < 21
-Requires:         selinux-policy-targeted >= 3.12.1-153
-%endif
+Requires:         selinux-policy-targeted >= 3.13.1-159
 Obsoletes:        pki-selinux
 
 %if 0%{?rhel}
@@ -656,14 +671,13 @@ Requires(post):   systemd-units
 Requires(preun):  systemd-units
 Requires(postun): systemd-units
 Requires(pre):    shadow-utils
-
 %if 0%{?rhel}
-Requires:         tomcatjss >= 7.1.2-2
+Requires:         tomcatjss >= 7.2.1-4
 %else
-%if 0%{?fedora} >= 23
-Requires:         tomcatjss >= 7.1.3
+%if 0%{?fedora} >= 25
+Requires:         tomcatjss >= 7.2.3
 %else
-Requires:         tomcatjss >= 7.1.2-2
+Requires:         tomcatjss >= 7.1.3
 %endif
 %endif
 
@@ -864,8 +878,16 @@ Requires(postun): systemd-units
 
 # additional runtime requirements needed to run native 'tpsclient'
 # REMINDER:  Revisit these once 'tpsclient' is rewritten as a Java app
-Requires:         nss >= 3.14.3
-Requires:         nss-tools >= 3.14.3
+
+%if 0%{?rhel}
+Requires:         nss-tools >= 3.28.3
+%else
+%if 0%{?fedora} >= 25
+Requires:         nss-tools >= 3.28.3
+%else
+Requires:         nss-tools >= 3.27.0
+%endif
+%endif
 Requires:         openldap-clients
 %if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
 Requires:         pki-symkey = %{version}-%{release}
@@ -923,6 +945,7 @@ This package is a part of the PKI Core used by the Certificate System.
 
 %prep
 %setup -q -n %{name}-%{version}%{?prerel}
+%patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
@@ -930,42 +953,12 @@ This package is a part of the PKI Core used by the Certificate System.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
-#%patch8 -p1
+%patch8 -p1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
-%patch14 -p1
-#%patch15 -p1
-#%patch16 -p1
-#%patch17 -p1
-%patch18 -p1
-##%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-#%patch27 -p1
-#%patch28 -p1
-#%patch29 -p1
-#%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
-%patch34 -p1
-%patch35 -p1
-%patch36 -p1
-%patch37 -p1
-%patch38 -p1
-%patch39 -p1
-%patch40 -p1
-#%patch41 -p1
-%patch42 -p1
-%patch43 -p1
 
 %clean
 %{__rm} -rf %{buildroot}
@@ -1015,18 +1008,6 @@ for subsystem in ca kra ocsp tks; do
     ln -s %{_datadir}/pki/server/webapps/pki/admin/console %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/admin
 done
 
-# Create symlinks for subsystem libraries
-for subsystem in ca kra ocsp tks tps; do
-    %{__mkdir_p} %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib
-    ln -s %{_javadir}/pki/pki-nsutil.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib
-    ln -s %{_javadir}/pki/pki-cmsutil.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib
-    ln -s %{_javadir}/pki/pki-certsrv.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib
-    ln -s %{_javadir}/pki/pki-cms.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib
-    ln -s %{_javadir}/pki/pki-cmscore.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib
-    ln -s %{_javadir}/pki/pki-cmsbundle.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib
-    ln -s %{_javadir}/pki/pki-$subsystem.jar %{buildroot}%{_datadir}/pki/$subsystem/webapps/$subsystem/WEB-INF/lib
-done
-
 # Create compatibility symlink for DRMTool -> KRATool
 ln -s %{_bindir}/KRATool %{buildroot}%{_bindir}/DRMTool
 # Create compatibility symlink for DRMTool.cfg -> KRATool.cfg
@@ -1036,8 +1017,17 @@ ln -s %{_mandir}/man1/KRATool.1.gz %{buildroot}%{_mandir}/man1/DRMTool.1.gz
 
 # Customize system upgrade scripts in /usr/share/pki/upgrade
 %if 0%{?rhel}
+
+# merge newer upgrade scripts into 10.3.3 for RHEL
 /bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.3.4
 /bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.3.5
+
+# merge newer upgrade scripts into 10.4.1 for RHEL
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.2
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.3
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.4
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.5
+/bin/rm -rf %{buildroot}%{_datadir}/pki/upgrade/10.4.6
 %endif
 
 # Customize client library links in /usr/share/pki/lib
@@ -1068,10 +1058,28 @@ fi
 
 # Customize server upgrade scripts in /usr/share/pki/server/upgrade
 %if 0%{?rhel}
-mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/01-FixServerLibrary %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/02-FixServerLibrary
-mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/02-FixDeploymentDescriptor %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/03-FixDeploymentDescriptor
+
+# merge newer upgrade scripts into 10.3.3 for RHEL
+mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/01-FixServerLibrary \
+   %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/02-FixServerLibrary
+mv %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5/02-FixDeploymentDescriptor \
+   %{buildroot}%{_datadir}/pki/server/upgrade/10.3.3/03-FixDeploymentDescriptor
 /bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.3.4
 /bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.3.5
+
+# merge newer upgrade scripts into 10.4.1 for RHEL
+mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.2/01-AddSessionAuthenticationPlugin \
+   %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1/01-AddSessionAuthenticationPlugin
+mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.2/02-AddKRAWrappingParams \
+   %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1/02-AddKRAWrappingParams
+mv %{buildroot}%{_datadir}/pki/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout \
+   %{buildroot}%{_datadir}/pki/server/upgrade/10.4.1/03-UpdateKeepAliveTimeout
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.2
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.3
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.4
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.5
+/bin/rm -rf %{buildroot}%{_datadir}/pki/server/upgrade/10.4.6
+
 %endif
 
 # Customize server library links in /usr/share/pki/server/common/lib
@@ -1217,7 +1225,11 @@ echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
 /sbin/pki-server migrate >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
 echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
 
-systemctl daemon-reload
+# Reload systemd daemons on upgrade only
+if [ "$1" == "2" ]
+then
+    systemctl daemon-reload
+fi
 
 ## %preun -n pki-server
 ## NOTE:  At this time, NO attempt has been made to update ANY PKI subsystem
@@ -1266,6 +1278,7 @@ systemctl daemon-reload
 
 %if 0%{?package_fedora_packages} || 0%{?package_rhel_packages}
 %files -n pki-base-java
+%{_datadir}/pki/examples/java/
 %{_datadir}/pki/lib/
 %dir %{_javadir}/pki
 %{_javadir}/pki/pki-cmsutil.jar
@@ -1471,10 +1484,309 @@ systemctl daemon-reload
 %endif # %{with server}
 
 %changelog
-* Fri May 19 2017 Dogtag Team <pki-devel@redhat.com> 10.3.3-19
-- ## RHEL 7.3.z Batch Update 6
-- Bugzilla Bug #1447095 - RHCS 9.1 RC5 CA in the certificate profiles the
+* Mon Jul 17 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-11
+- Resolves: rhbz #1469432
+- ##########################################################################
+- RHEL 7.4:
+- ##########################################################################
+- Bugzilla Bug #1469432 - CMC plugin default change
+- Resolves CVE-2017-7537
+- Fixes BZ #1470948
+
+* Mon Jun 19 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-10
+- ##########################################################################
+- RHEL 7.4:
+- ##########################################################################
+- Bugzilla Bug #1458043 - Key recovery on token fails with
+  invalid public key error on KRA (alee)
+- Bugzilla Bug #1460764 - CC: CMC: check HTTPS client
+  authentication cert against CMC signer (cfu)
+- Bugzilla Bug #1461533 - Unable to find keys in the p12 file after
+  deleting the any of the subsystem certs from it (ftweedal)
+
+* Mon Jun 12 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-9
+- ##########################################################################
+- RHEL 7.4:
+- ##########################################################################
+- Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret)
+  using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne)
+- Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC
+  non-signing certificate requests (cfu)
+- Bugzilla Bug #1419777 - CC: allow CA to process pre-signed CMC
+   revocation non-signing cert requests (cfu)
+- Bugzilla Bug #1458047 - change the way aes clients refer to
+  aes keysets (alee)
+- Bugzilla Bug #1458055 - dont reuse IVs in the CMC code
+  (alee)
+- Bugzilla Bug #1460028 - In keywrap mode, key recovery on
+  KRA with HSM causes KRA to crash (ftweedal)
+
+* Mon Jun  5 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-8
+- Require "selinux-policy-targeted >= 3.13.1-159" as a runtime requirement
+- Require "tomcatjss >= 7.2.1-4" as a build and runtime requirement
+- ##########################################################################
+- RHEL 7.4:
+- ##########################################################################
+- Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS
+  enabled system (edewata)
+- Bugzilla Bug #1447144 - CA brought down during separate KRA instance
+  creation (edewata)
+- Bugzilla Bug #1447762 - pkispawn fails occasionally with this failure
+  ACCESS_SESSION_ESTABLISH_FAILURE (edewata)
+- Bugzilla Bug #1454450 - SubCA installation failure with 2 step
+  installation in fips enabled mode (edewata)
+- Bugzilla Bug #1456597 - Certificate import using pki client-cert-import
+  is asking for password when already provided (edewata)
+- Bugzilla Bug #1456940 - Build failure due to Pylint issues (cheimes)
+- Bugzilla Bug #1458043 - Key recovery using externalReg fails
+  with java null pointer exception on KRA (alee)
+- Bugzilla Bug #1458379 - Upgrade script for keepAliveTimeout parameter
+  (edewata)
+- Bugzilla Bug #1458429 - client-cert-import --ca-cert should
+  import CA cert with trust bits "CT,C,C" (edewata)
+- ##########################################################################
+- RHCS 9.2:
+- ##########################################################################
+- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)
+
+* Tue May 30 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-7
+- ##########################################################################
+- RHEL 7.4:
+- ##########################################################################
+- Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret)
+  using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne)
+- Bugzilla Bug #1445519 - CA Server installation with HSM fails
+  (jmagne)
+- Bugzilla Bug #1452617 - Unable to create IPA Sub CA
+  (ftweedal)
+- Bugzilla Bug #1454471 - Enabling all subsystems on startup
+  (edewata)
+- Bugzilla Bug #1455617 - Key recovery on token fails because
+  key record is not marked encrypted (alee)
+
+* Tue May 23 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-6
+- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error
+  (mharmsen)
+
+* Mon May 22 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-5
+- ##########################################################################
+- RHEL 7.4:
+- ##########################################################################
+- Bugzilla Bug #1419761 - CC: allow CA to process pre-signed CMC renewal
+  non-signing cert requests (cfu)
+- Bugzilla Bug #1447080 - CC: CMC: allow enrollment key signed (self-signed)
+  CMC with identity proof (cfu)
+- Bugzilla Bug #1447144 - CA brought down during separate KRA instance
+  creation (mharmsen)
+- Bugzilla Bug #1448903 - exception Invalid module "--ignore-banner" when
+  defined in ~/.dogtag/pki.conf and run pki pkcs12-import --help (edewata)
+- Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails (jmagne)
+- Bugzilla Bug #1452123 - CA CS.cfg shows default port (mharmsen)
+- Bugzilla Bug #1452250 - Inconsistent CERT_REQUEST_PROCESSED event in
+  ConnectorServlet. (edewata)
+- Bugzilla Bug #1452340 - Ensuring common audit log correctness (edewata)
+- Bugzilla Bug #1452344 - Adding serial number into CERT_REQUEST_PROCESSED
+  audit event. (edewata)
+
+* Tue May  9 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-4
+- ##########################################################################
+- RHEL 7.4:
+- ##########################################################################
+- Bugzilla Bug #1386303 - cannot extract generated private key from KRA when
+  HSM is used. (alee)
+- Bugzilla Bug #1446364 - pkispawn returns before tomcat is ready (cheimes)
+- Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false would cause
+  error (cfu)
+- Bugzilla Bug #1448203 - CAInfoService: retrieve KRA-related values from
+  the KRA (ftweedal)
+- Bugzilla Bug #1448204 - pkispawn of clone install fails with
+  InvalidBERException (ftweedal)
+- Bugzilla Bug #1448521 - kra unable to extract symmetric keys generated on
+  thales hsm (alee)
+- Updated "jss" build and runtime requirements (mharmsen)
+- ##########################################################################
+- RHCS 9.2:
+- ##########################################################################
+- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)
+
+* Mon May  1 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-3
+- ############################################################################
+- RHEL 7.4:
+- ############################################################################
+- Bugzilla Bug #1303683 - dogtag should support GSSAPI based auth in
+  conjuction with FreeIPA (ftweedal)
+- Bugzilla Bug #1385208 - RHCS 9.1 RC5 CA in the certificate profiles the
   startTime parameter is not working as expected. (jmagne)
+- Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC non-signing
+  certificate requests (cfu)
+- Bugzilla Bug #1426754 - PKCS12: upgrade to at least AES and SHA2 (ftweedal)
+- Bugzilla Bug #1445088 - profile modification cannot remove existing config
+  parameters (ftweedal)
+- Bugzilla Bug #1445535 - CC: Crypto Operation (AES Encryption/Decryption)
+  (RHEL) (alee)
+- Bugzilla Bug #1446874 - Missing ClientIP and ServerIP in audit log when
+  pki CLI terminates SSL connection (edewata)
+- Bugzilla Bug #1446875 - Session timeout for PKI console (RHEL) (edewata)
+- ############################################################################
+- RHCS 9.2:
+- ############################################################################
+- Bugzilla Bug #1404480 - CC: Crypto Operation (AES Encryption/Decryption)
+  (RHCS) (alee)
+
+* Mon Apr 17 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-2
+- ############################################################################
+- RHEL 7.4:
+- ############################################################################
+- Bugzilla Bug #1282504 - Installing pki-server in container reports
+  scriptlet failed, exit status 1 (jpazdziora)
+- Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS
+  enabled system (edewata)
+- Bugzilla Bug #1410650 - [RFE] Add SCP03 support
+  for sc 7 g & d cards (RHEL) (jmagne)
+- Bugzilla Bug #1437591 - cli authentication using expired cert throws an
+  exception (edewata)
+- Bugzilla Bug #1437602 - non-CA cli looks for CA in the instance during a
+  request (edewata)
+- ############################################################################
+- RHCS 9.2:
+- ############################################################################
+- Bugzilla Bug #1274086 - [RFE] Add SCP03 support
+  for sc 7 g & d cards (RHCS) (jmagne)
+- ############################################################################
+- Common Criteria
+- ############################################################################
+- Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures
+  (edewata)
+- Bugzilla Bug #1417307 - CC: Audit Review /Searches (edewata)
+- Bugzilla Bug #1419737 - CC: CMC: id-cmc-popLinkWitnessV2 feature
+  implementation (cfu)
+
+* Mon Mar 27 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-1
+- Require "nss >= 3.28.3" as a build and runtime requirement
+- Require "jss >= 4.4.0-4" as a build and runtime requirement
+- Require "tomcatjss >= 7.2.1-3" as a build and runtime requirement
+- dogtagpki Pagure Issue #2612 - Unable to clone due to pki pkcs12-cert-find
+  failure (edewata)
+- ############################################################################
+- Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4
+- Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
+  pki-console to 10.4.x
+- ############################################################################
+- RHEL 7.4:
+- ############################################################################
+- ############################################################################
+- RHCS 9.2:
+- ############################################################################
+- ############################################################################
+- Common Criteria
+- ############################################################################
+- Bugzilla Bug #1419734 - CC: CMC: id-cmc-identityProofV2 feature
+  implementation (cfu)
+- Bugzilla Bug #1419742 - CC: CMC: provide Proof of Possession for encryption
+  cert requests (cfu)
+- Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures
+  (edewata)
+- Bugzilla Bug #1428020 - CC: CMC feature support: provided issuance
+  protection cert mechanism (cfu)
+
+* Tue Mar 14 2017 Dogtag Team <pki-devel@redhat.com> 10.4.0-1
+- Require "jss >= 4.4.0-1" as a build and runtime requirement
+- Require "tomcatjss >= 7.2.1-1" as a build and runtime requirement
+- ############################################################################
+- Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4
+- Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
+  pki-console to 10.4.x
+- ############################################################################
+- RHEL 7.4:
+- ############################################################################
+- Bugzilla Bug #1222557 - ECDSA Certificates Generated by Certificate System
+  8.1 fail NIST validation test with parameter field. (cfu)
+- Bugzilla Bug #1238684 - Generting Symmetric key fails with key-generate
+  when --usages verify (vakwetu)
+- Bugzilla Bug #1246635 - user-cert-add --serial CLI request to secure port
+  with remote CA shows authentication failure (edewata)
+- Bugzilla Bug #1249400 - CA EE: Submit caUserCert request without uid does
+  not show proper error message (vakwetu)
+- Bugzilla Bug #1305993 - Add profile component that copies CN to SAN
+  (ftweedal)
+- Bugzilla Bug #1316653 - pki ca-cert-request-submit fails presumably because
+  of missing authentication even if it should not require any (edewata)
+- Bugzilla Bug #1325071 - add options to enable/disable cert or crl
+  publishing. (vakwetu)
+- Bugzilla Bug #1330800 - Failed to start pki-tomcatd Service
+  ("ipa-cacert-manage renew" failed?) (edewata)
+- Bugzilla Bug #1368410 - Misleading Logging for HSM (edewata)
+- Bugzilla Bug #1372052 - Unable to search certificate requests using the
+  latest request ID (edewata)
+- Bugzilla Bug #1375347 - Typo in comment line of
+  UserPwdDirAuthentication.java (edewata)
+- Bugzilla Bug #1376226 - IPA replica-prepare failed with error
+  "Profile caIPAserviceCert Not Found" (ftweedal)
+- Bugzilla Bug #1376488 - pkispawn fails as it is not able to find openssl as
+  a dependency package (mharmsen)
+- Bugzilla Bug #1378275 - two-step externally-signed CA installation fails due
+  to missing AuthorityID (ftweedal)
+- Bugzilla Bug #1378277 - Spurious host authority entries created (ftweedal)
+- Bugzilla Bug #1378527 - Miscellaneous Minor Changes (edewata)
+- Bugzilla Bug #1381084 - KRA installation failed against externally-signed CA
+  with partial certificate chain (edewata)
+- Bugzilla Bug #1382066 - Problems with FIPS mode (edewata)
+- Bugzilla Bug #1386371 - Remove xenroll.dll from pki-core (mharmsen)
+- Bugzilla Bug #1386424 - Fix packaging duplicates of classes in multiple jar
+  files (edewata)
+- Bugzilla Bug #1391737 - Changes to target.agent.approve.list parameter is
+  not reflected in the TPS Web UI (RHEL 7) (edewata)
+- Bugzilla Bug #1392068 - [RFE] add express archivals and retrievals from KRA
+  (vakwetu)
+- Bugzilla Bug #1395817 - Unable to install subordinate CA with HSM in FIPS
+  mode (edewata)
+- Bugzilla Bug #1397200 - pkispawn does not change default ecc key size from
+  nistp256 when nistp384 is specified in spawn config (jmagne)
+- Bugzilla Bug #1399862 - Dogtag 10.3.9 Man Pages (edewata)
+- Bugzilla Bug #1404881 - TPS throws "err=6" when attempting to format and
+  enroll G&D Cards (jmagne)
+- Bugzilla Bug #1405654 - Token memory not wiped after key deletion (RHEL)
+  (jmagne)
+- Bugzilla Bug #1409946 - Request ID undefined for CA signing certificate
+  (vakwetu)
+- Bugzilla Bug #1409949 - CA Certificate Issuance Date displayed on CA website
+  incorrect (vakwetu)
+- Bugzilla Bug #1410650 - [RFE] Add SCP03 support (RHEL) (jmagne)
+- Bugzilla Bug #1411428 - Unable to create a CA clone in FIPS (edewata)
+- Bugzilla Bug #1412211 - Unable to set up KRA in FIPS (edewata)
+- Bugzilla Bug #1412681 - update to 7.3 IPA with otpd bugfixes, tomcat will
+  not finish start, hangs (ftweedal)
+- Bugzilla Bug #1413132 - pki-tomcat for 10+ minutes before generating cert
+  (edewata)
+- Bugzilla Bug #1413136 - Problem with default AJP hostname in IPv6
+  environment. (edewata)
+- ############################################################################
+- RHCS 9.2:
+- ############################################################################
+- Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1 (cfu)
+- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)
+- Bugzilla Bug #1274096 - [BUG] Add ability to disallow TPS to enroll a single
+  user on multiple tokens. (jmagne)
+- Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed
+  tokens (jmagne)
+- Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working
+  when a token is physically damaged and a temporary token is issued (jmagne)
+- Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial
+  number and key id on the ldap user mismatches (cfu)
+- Bugzilla Bug #1381635 - Token format with external reg fails when
+  op.format.externalRegAddToToken.revokeCert=true (cfu)
+- Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when
+  set on a token (jmagne)
+- Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is
+  not reflected in the TPS Web UI (RHCS 9) (edewata)
+- Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS
+  tokendb shows different certificate status (cfu)
+- Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and
+  enroll G&D Cards (RHCS) (jmagne)
+- Bugzilla Bug #1404900 - Dogtag 10.3.9 logging properties (edewata)
+- Bugzilla Bug #1405655 - Token memory not wiped after key deletion (RHCS)
+  (jmagne)
+- ############################################################################
 
 * Mon Mar  6 2017 Dogtag Team <pki-devel@redhat.com> 10.3.3-18
 - ## RHEL 7.3.z Batch Update 4