diff --git a/.gitignore b/.gitignore
index d9c4942..102e165 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-10.11.0.tar.gz
+SOURCES/pki-10.12.0.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index e5fd7ce..78529e8 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-f125333c7e88d7aae11f51527681018319bba19c SOURCES/pki-10.11.0.tar.gz
+14942c7bda42ccd0f57ea5b2e538eb13a559572f SOURCES/pki-10.12.0.tar.gz
diff --git a/SOURCES/0001-Bug-1992337-Double-issuance-of-non-CA-subsystem-cert.patch b/SOURCES/0001-Bug-1992337-Double-issuance-of-non-CA-subsystem-cert.patch
deleted file mode 100644
index f0ec3e0..0000000
--- a/SOURCES/0001-Bug-1992337-Double-issuance-of-non-CA-subsystem-cert.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 63cf2895f5d5a37bb09f3e889b8584b0bb0dce06 Mon Sep 17 00:00:00 2001
-From: Christina Fu <cfu@redhat.com>
-Date: Wed, 11 Aug 2021 09:19:59 -0700
-Subject: [PATCH] Bug 1992337 - Double issuance of non-CA subsystem certs at
- installation
-
-This patch removes an extra profile.submit() call that was accidentally left
-off during manual cherry-picking of another bug (1905374):
-commit 8e78a2b912e7c3bd015e4da1f1630d0f35145104 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
-
-fixes https://bugzilla.redhat.com/show_bug.cgi?id=1905374
----
- .../main/java/com/netscape/cms/servlet/cert/CertProcessor.java | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/base/ca/src/main/java/com/netscape/cms/servlet/cert/CertProcessor.java b/base/ca/src/main/java/com/netscape/cms/servlet/cert/CertProcessor.java
-index a5626d032..849d6b368 100644
---- a/base/ca/src/main/java/com/netscape/cms/servlet/cert/CertProcessor.java
-+++ b/base/ca/src/main/java/com/netscape/cms/servlet/cert/CertProcessor.java
-@@ -250,7 +250,6 @@ public class CertProcessor extends CAProcessor {
-
- logger.info("CertProcessor: Submitting certificate request to " + profile.getId() + " profile");
-
-- profile.submit(authToken, req);
- profile.submit(authToken, req, explicitApprovalRequired);
-
- req.setRequestStatus(RequestStatus.COMPLETE);
---
-2.31.1
-
diff --git a/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch b/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch
new file mode 100644
index 0000000..065a9d9
--- /dev/null
+++ b/SOURCES/0001-Fix-pki-healthcheck-for-clones.patch
@@ -0,0 +1,332 @@
+From 7d62105c676fc79e0c32766c41cd034655a524ff Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Tue, 25 Jan 2022 16:29:53 -0600
+Subject: [PATCH] Fix pki-healthcheck for clones
+
+Previously the ClonesConnectivyAndDataCheck.check_kra_clones()
+was trying to check KRA clone status by retrieving a key using
+the subsystem cert. This operation did not work since the user
+associated with the cert did not have access to the keys. The
+code has been changed to get the status from GetStatus service
+instead. The original code might be moved into IPA later so it
+could run with IPA's RA agent credentials which would allow
+access to the keys.
+
+Previously the ClonesPlugin.contact_subsystem_using_sslget()
+used sslget to call GetStatus service and returned the entire
+output which was then incorrectly processed in XML format. The
+method has been renamed to get_status() and changed to use
+PKIConnection and process the response in either JSON or XML
+format, then only return the subsystem status. All callers
+have been updated accordingly.
+
+The ClonesPlugin.contact_subsystem_using_pki() is no longer
+used so it has been removed.
+---
+ .../clones/connectivity_and_data.py | 130 ++++++++----------
+ .../pki/server/healthcheck/clones/plugin.py | 75 ++++------
+ base/server/python/pki/server/__init__.py | 8 +-
+ 3 files changed, 91 insertions(+), 122 deletions(-)
+
+diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
+index ca5d6dae48..d9bb480f7f 100644
+--- a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
++++ b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
+@@ -46,93 +46,83 @@ class ClonesConnectivyAndDataCheck(ClonesPlugin):
+
+ def check_kra_clones(self):
+ for host in self.clone_kras:
+- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
+- # Reach out and get some keys or requests , to serve as a data and connectivity check
++
++ url = 'https://' + host.Hostname + ':' + host.SecurePort
++
+ try:
+- client_nick = self.security_domain.config.get('ca.connector.KRA.nickName')
+-
+- output = self.contact_subsystem_using_pki(
+- host.SecurePort, host.Hostname, client_nick,
+- self.passwd, self.db_dir, 'kra-key-show', ['0x01'])
+-
+- # check to see if we either got a key or a key not found exception
+- # of which either will imply a successful connection
+- if output is not None:
+- key_found = output.find('Key ID:')
+- key_not_found = output.find('KeyNotFoundException:')
+- if key_found >= 0:
+- logger.info('Key material found from kra clone.')
+-
+- if key_not_found >= 0:
+- logger.info('key not found, possibly empty kra')
+-
+- if key_not_found == -1 and key_found == -1:
+- logger.info('Failure to get key material from kra')
+- raise BaseException('KRA clone problem detected ' + cur_clone_msg)
+- else:
+- raise BaseException('No data obtained from KRA clone.' + cur_clone_msg)
++ status = self.get_status(
++ host.Hostname,
++ host.SecurePort,
++ '/kra/admin/kra/getStatus')
+
+- except BaseException as e:
+- logger.error("Internal error testing KRA clone. %s", e)
+- raise BaseException('Internal error testing KRA clone.' + cur_clone_msg)
++ logger.info('KRA at %s is %s', url, status)
+
+- return
++ if status != 'running':
++ raise Exception('KRA at %s is %s' % (url, status))
++
++ except Exception as e:
++ logger.error('Unable to reach KRA at %s: %s', url, e)
++ raise Exception('Unable to reach KRA at %s: %s' % (url, e))
+
+ def check_ocsp_clones(self):
+ for host in self.clone_ocsps:
+- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
+- # Reach out to the ocsp clones
++
++ url = 'https://' + host.Hostname + ':' + host.SecurePort
++
+ try:
+- output = self.contact_subsystem_using_sslget(
+- host.SecurePort, host.Hostname, None,
+- self.passwd, self.db_dir, None, '/ocsp/admin/ocsp/getStatus')
+-
+- good_status = output.find('<State>1</State>')
+- if good_status == -1:
+- raise BaseException('OCSP clone problem detected.' + cur_clone_msg)
+- logger.info('good_status %s ', good_status)
+- except BaseException as e:
+- logger.error("Internal error testing OCSP clone. %s", e)
+- raise BaseException('Internal error testing OCSP clone.' + cur_clone_msg)
++ status = self.get_status(
++ host.Hostname,
++ host.SecurePort,
++ '/ocsp/admin/ocsp/getStatus')
+
+- return
++ logger.info('OCSP at %s is %s', url, status)
++
++ if status != 'running':
++ raise Exception('OCSP at %s is %s' % (url, status))
++
++ except Exception as e:
++ logger.error('Unable to reach OCSP at %s: %s', url, e)
++ raise Exception('Unable to reach OCSP at %s: %s' % (url, e))
+
+ def check_tks_clones(self):
+ for host in self.clone_tkss:
+- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
+- # Reach out to the tks clones
++
++ url = 'https://' + host.Hostname + ':' + host.SecurePort
++
+ try:
+- output = self.contact_subsystem_using_sslget(
+- host.SecurePort, host.Hostname, None,
+- self.passwd, self.db_dir, None, '/tks/admin/tks/getStatus')
+-
+- good_status = output.find('<State>1</State>')
+- if good_status == -1:
+- raise BaseException('TKS clone problem detected.' + cur_clone_msg)
+- logger.info('good_status %s ', good_status)
+- except BaseException as e:
+- logger.error("Internal error testing TKS clone. %s", e)
+- raise BaseException('Internal error testing TKS clone.' + cur_clone_msg)
++ status = self.get_status(
++ host.Hostname,
++ host.SecurePort,
++ '/tks/admin/tks/getStatus')
+
+- return
++ logger.info('TKS at %s is %s', url, status)
++
++ if status != 'running':
++ raise Exception('TKS at %s is %s' % (url, status))
++
++ except Exception as e:
++ logger.error('Unable to reach TKS at %s: %s', url, e)
++ raise Exception('Unable to reach TKS at %s: %s' % (url, e))
+
+ def check_tps_clones(self):
+ for host in self.clone_tpss:
+- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
+- # Reach out to the tps clones
++
++ url = 'https://' + host.Hostname + ':' + host.SecurePort
++
+ try:
+- output = self.contact_subsystem_using_sslget(
+- host.SecurePort, host.Hostname, None,
+- self.passwd, self.db_dir, None, '/tps/admin/tps/getStatus')
+-
+- good_status = output.find('<State>1</State>')
+- if good_status == -1:
+- raise BaseException('TPS clone problem detected.' + cur_clone_msg)
+- logger.info('good_status %s ', good_status)
+- except BaseException as e:
+- logger.error("Internal error testing TPS clone. %s", e)
+- raise BaseException('Internal error testing TPS clone.' + cur_clone_msg)
+- return
++ status = self.get_status(
++ host.Hostname,
++ host.SecurePort,
++ '/tps/admin/tps/getStatus')
++
++ logger.info('TPS at %s is %s', url, status)
++
++ if status != 'running':
++ raise Exception('TPS at %s is %s' % (url, status))
++
++ except Exception as e:
++ logger.error('Unable to reach TPS at %s: %s', url, e)
++ raise Exception('Unable to reach TPS at %s: %s' % (url, e))
+
+ @duration
+ def check(self):
+diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
+index 2472f35b5b..824c36a1a9 100644
+--- a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
++++ b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
+@@ -6,6 +6,10 @@
+ # SPDX-License-Identifier: GPL-2.0-or-later
+ #
+
++import json
++import logging
++import xml.etree.ElementTree as ET
++
+ from ipahealthcheck.core.plugin import Plugin, Registry
+ from pki.server.instance import PKIInstance
+ from pki.client import PKIConnection
+@@ -13,9 +17,6 @@ from pki.system import SecurityDomainClient
+
+ from pki.server.healthcheck.core.main import merge_dogtag_config
+
+-import logging
+-import subprocess
+-
+ logger = logging.getLogger(__name__)
+
+ # Temporary workaround to skip VERBOSE data. Fix already pushed to upstream
+@@ -46,60 +47,36 @@ class ClonesPlugin(Plugin):
+
+ self.instance = PKIInstance(self.config.instance_name)
+
+- def contact_subsystem_using_pki(
+- self, subport, subhost, subsystemnick,
+- token_pwd, db_path, cmd, exts=None):
+- command = ["/usr/bin/pki",
+- "-p", str(subport),
+- "-h", subhost,
+- "-n", subsystemnick,
+- "-P", "https",
+- "-d", db_path,
+- "-c", token_pwd,
+- cmd]
+-
+- if exts is not None:
+- command.extend(exts)
+-
+- output = None
+- try:
+- output = subprocess.check_output(command, stderr=subprocess.STDOUT)
+- except subprocess.CalledProcessError as e:
+- output = e.output.decode('utf-8')
+- return output
++ def get_status(self, host, port, path):
+
+- output = output.decode('utf-8')
++ self.instance.export_ca_cert()
+
+- return output
++ connection = PKIConnection(
++ protocol='https',
++ hostname=host,
++ port=port,
++ cert_paths=self.instance.ca_cert)
+
+- def contact_subsystem_using_sslget(
+- self, port, host, subsystemnick,
+- token_pwd, db_path, params, url):
++ response = connection.get(path)
+
+- command = ["/usr/bin/sslget"]
++ content_type = response.headers['Content-Type']
++ content = response.text
++ logger.info('Content:\n%s', content)
+
+- if subsystemnick is not None:
+- command.extend(["-n", subsystemnick])
++ # https://github.com/dogtagpki/pki/wiki/GetStatus-Service
++ if content_type == 'application/json':
++ json_response = json.loads(content)
++ status = json_response['Response']['Status']
+
+- command.extend(["-p", token_pwd, "-d", db_path])
+-
+- if params is not None:
+- command.extend(["-e", params])
+-
+- command.extend([
+- "-r", url, host + ":" + port])
+-
+- logger.info(' command : %s ', command)
+- output = None
+- try:
+- output = subprocess.check_output(command, stderr=subprocess.STDOUT)
+- except subprocess.CalledProcessError as e:
+- output = e.output.decode('utf-8')
+- return output
++ elif content_type == 'application/xml':
++ root = ET.fromstring(content)
++ status = root.findtext('Status')
+
+- output = output.decode('utf-8')
++ else:
++ raise Exception('Unsupported content-type: %s' % content_type)
+
+- return output
++ logger.info('Status: %s', status)
++ return status
+
+ def get_security_domain_data(self, host, port):
+ domain_data = None
+diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
+index 4fbb74684b..0515bbb197 100644
+--- a/base/server/python/pki/server/__init__.py
++++ b/base/server/python/pki/server/__init__.py
+@@ -241,6 +241,10 @@ class PKIServer(object):
+ def jss_conf(self):
+ return os.path.join(self.conf_dir, 'jss.conf')
+
++ @property
++ def ca_cert(self):
++ return os.path.join(self.nssdb_dir, 'ca.crt')
++
+ def is_valid(self):
+ return self.exists()
+
+@@ -259,8 +263,6 @@ class PKIServer(object):
+
+ def export_ca_cert(self):
+
+- ca_path = os.path.join(self.nssdb_dir, 'ca.crt')
+-
+ token = pki.nssdb.INTERNAL_TOKEN_NAME
+ nickname = self.get_sslserver_cert_nickname()
+
+@@ -272,7 +274,7 @@ class PKIServer(object):
+ nssdb = self.open_nssdb(token=token)
+
+ try:
+- nssdb.extract_ca_cert(ca_path, nickname)
++ nssdb.extract_ca_cert(self.ca_cert, nickname)
+ finally:
+ nssdb.close()
+
+--
+2.33.1
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index 0664616..de5664f 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -12,10 +12,11 @@ License: GPLv2 and LGPLv2
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
-Version: 10.11.0
+Version: 10.12.0
Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -alpha1
+
# To create a tarball from a version tag:
# $ git archive \
# --format=tar.gz \
@@ -30,7 +31,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
# <version tag> \
# > pki-VERSION-RELEASE.patch
# Patch: pki-VERSION-RELEASE.patch
-Patch1: 0001-Bug-1992337-Double-issuance-of-non-CA-subsystem-cert.patch
+
+Patch: 0001-Fix-pki-healthcheck-for-clones.patch
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
@@ -356,6 +358,9 @@ symmetric key operations to Java programs.
Summary: PKI Base Package
BuildArch: noarch
+Obsoletes: pki-base < %{version}-%{release}
+Provides: pki-base = %{version}-%{release}
+
Requires: nss >= 3.36.1
Requires: python3-pki = %{version}-%{release}
@@ -380,6 +385,7 @@ BuildArch: noarch
Obsoletes: pki-base-python3 < %{version}
Provides: pki-base-python3 = %{version}-%{release}
+
%if 0%{?fedora} || 0%{?rhel} > 8
%{?python_provide:%python_provide python3-pki}
%endif
@@ -405,6 +411,9 @@ This package contains PKI client library for Python 3.
Summary: PKI Base Java Package
BuildArch: noarch
+Obsoletes: pki-base-java < %{version}-%{release}
+Provides: pki-base-java = %{version}-%{release}
+
Requires: %{java_headless}
Requires: apache-commons-cli
Requires: apache-commons-codec
@@ -473,6 +482,9 @@ Certificate System into a more complete and robust PKI solution.
Summary: PKI Server Package
BuildArch: noarch
+Obsoletes: pki-server < %{version}-%{release}
+Provides: pki-server = %{version}-%{release}
+
Requires: hostname
Requires: policycoreutils
@@ -726,6 +738,9 @@ smart card.
Summary: PKI Javadoc Package
BuildArch: noarch
+Obsoletes: pki-javadoc < %{version}-%{release}
+Provides: pki-javadoc = %{version}-%{release}
+
# Ensure we end up with a useful installation
Conflicts: pki-base < %{version}
Conflicts: pki-symkey < %{version}
@@ -746,6 +761,9 @@ This package contains PKI API documentation.
Summary: PKI Console Package
BuildArch: noarch
+Obsoletes: pki-console < %{version}-%{release}
+Provides: pki-console = %{version}-%{release}
+
BuildRequires: idm-console-framework >= 1.2.0
Requires: idm-console-framework >= 1.2.0
@@ -766,6 +784,7 @@ The PKI Console is a Java application used to administer PKI server.
Summary: %{brand} PKI Server Theme Package
BuildArch: noarch
+Obsoletes: pki-server-theme < %{version}-%{release}
Provides: pki-server-theme = %{version}-%{release}
# Ensure we end up with a useful installation
@@ -785,6 +804,7 @@ This PKI Server Theme Package contains
Summary: %{brand} PKI Console Theme Package
BuildArch: noarch
+Obsoletes: pki-console-theme < %{version}-%{release}
Provides: pki-console-theme = %{version}-%{release}
# Ensure we end up with a useful installation
@@ -1091,6 +1111,7 @@ fi
%license base/tools/LICENSE
%doc base/tools/doc/README
%{_bindir}/p7tool
+%{_bindir}/p12tool
%{_bindir}/pistool
%{_bindir}/pki
%{_bindir}/revoker
@@ -1362,6 +1383,17 @@ fi
################################################################################
%changelog
+* Thu Feb 03 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.12.0-2
+- Bug 2027470 - pki-healthcheck ClonesConnectivyAndDataCheck fails
+
+* Tue Nov 09 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.12.0-0.1
+- Rebase to PKI 10.12.0
+- Bug 1904112 - pki fails to start if empty dir /var/lib/pki/pki-tomcat/kra exists
+- Bug 1984455 - [RFE] Date Format on the TPS Agent Page
+- Bug 1980378 - 'keyctl_search: Required key not available' message when running 'ipa-healthcheck'
+- Bug 2004084 - Reinstall of the same ipa-replica fails with 'RuntimeError: CA configuration failed.'
+- Bug 2006070 - Upgrades incorrectly add secret attribute to connectors
+
* Thu Aug 12 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-2
- Bug 1992337 - Double issuance of non-CA subsystem certs at installation