diff --git a/SOURCES/pki-core-Fixed-Missing-SAN-extension-for-CA-Clone.patch b/SOURCES/pki-core-Fixed-Missing-SAN-extension-for-CA-Clone.patch
new file mode 100644
index 0000000..d274eb5
--- /dev/null
+++ b/SOURCES/pki-core-Fixed-Missing-SAN-extension-for-CA-Clone.patch
@@ -0,0 +1,100 @@
+From 833c060b26756a17d0b85a19846888d71e4bdd5d Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 24 Jul 2019 17:46:30 -0500
+Subject: [PATCH] Fixed missing SAN extension for CA clone
+
+The CertUtil.buildSANSSLserverURLExtension() has been modified
+to include SAN parameters in the request to generate the SSL
+server certificate for CA clone.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1732637
+---
+ .../src/com/netscape/cms/servlet/csadmin/CertUtil.java   | 16 +++++++---------
+ .../netscape/cms/servlet/csadmin/ConfigurationUtils.java | 16 ++++++++--------
+ 2 files changed, 15 insertions(+), 17 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+index 12d4ac1..e77be32 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+@@ -228,34 +228,32 @@ public class CertUtil {
+     //              embed a certificate extension into
+     //              a PKCS #10 certificate request.
+     //
+-    public static String buildSANSSLserverURLExtension(IConfigStore config)
++    public static void buildSANSSLserverURLExtension(IConfigStore config, MultivaluedMap<String, String> content)
+            throws Exception {
+-        String url = "";
+-        String entries = "";
+ 
+         CMS.debug("CertUtil: buildSANSSLserverURLExtension() " +
+                   "building SAN SSL Server Certificate URL extension . . .");
+-        int i = 0;
++
+         if (config == null) {
+             throw new EBaseException("injectSANextensionIntoRequest: parameter config cannot be null");
+         }
++
+         String sanHostnames = config.getString("service.sslserver.san");
+         String sans[] = StringUtils.split(sanHostnames, ",");
++
++        int i = 0;
+         for (String san : sans) {
+             CMS.debug("CertUtil: buildSANSSLserverURLExtension() processing " +
+                       "SAN hostname: " + san);
+             // Add the DNSName for all SANs
+-            entries = entries +
+-                      "&req_san_pattern_" + i + "=" + san;
++            content.putSingle("req_san_pattern_" + i, san);
+             i++;
+         }
+ 
+-        url = "&req_san_entries=" + i + entries;
++        content.putSingle("req_san_entries", "" + i);
+ 
+         CMS.debug("CertUtil: buildSANSSLserverURLExtension() " + "placed " +
+                   i + " SAN entries into SSL Server Certificate URL.");
+-
+-        return url;
+     }
+ 
+ 
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index cc65c78..5395b06 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -2685,16 +2685,9 @@ public class ConfigurationUtils {
+             } catch (Exception ee) {
+             }
+ 
+-            String sslserver_extension = "";
+-            Boolean injectSAN = config.getBoolean("service.injectSAN", false);
+-            CMS.debug("ConfigurationUtils: injectSAN: " + injectSAN);
+-
+-            if (certTag.equals("sslserver") && injectSAN == true) {
+-                sslserver_extension = CertUtil.buildSANSSLserverURLExtension(config);
+-            }
+-
+             MultivaluedMap<String, String> content = new MultivaluedHashMap<String, String>();
+             content.putSingle("requestor_name", sysType + "-" + machineName + "-" + securePort);
++
+             //Get the correct profile id to send in case it's sslserver type:
+             CMS.debug("configRemoteCert: tag: " + certTag + " : setting profileId to: " + profileId);
+             String actualProfileId = request.getSystemCertProfileID(certTag, profileId);
+@@ -2706,6 +2699,13 @@ public class ConfigurationUtils {
+             content.putSingle("xmlOutput", "true");
+             content.putSingle("sessionID", session_id);
+ 
++            Boolean injectSAN = config.getBoolean("service.injectSAN", false);
++            CMS.debug("ConfigurationUtils: injectSAN: " + injectSAN);
++
++            if (certTag.equals("sslserver") && injectSAN) {
++                CertUtil.buildSANSSLserverURLExtension(config, content);
++            }
++
+             cert = CertUtil.createRemoteCert(ca_hostname, ca_port, content, response);
+ 
+             if (cert == null) {
+-- 
+1.8.3.1
+
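Review bot: In the CertUtil.java loop, each `san` split from `service.sslserver.san` is passed to `content.putSingle("req_san_pattern_" + i, san)` unchanged, so a configured value such as `a.example.com, b.example.com` (constructed sample) would put a name with a leading space into the certificate request, and a whitespace-only entry is not rejected. I would normalise inside the loop with `san = san.trim();` followed by `if (san.isEmpty()) continue;`, so that `req_san_entries` counts only the names actually added. Whether the CA-side profile validates these parameters is not visible here, so this is a defensive check on the clone side. The method now fills a form map instead of building a query string, which leaves its name, the `"... SAN entries into SSL Server Certificate URL."` debug text and the `injectSANextensionIntoRequest` exception message stale. `content` is also dereferenced without the null check that `config` gets.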
diff --git a/SOURCES/pki-core-Internal-LDAP-Server-goes-down-Audit-Event.patch b/SOURCES/pki-core-Internal-LDAP-Server-goes-down-Audit-Event.patch
new file mode 100644
index 0000000..24280bf
--- /dev/null
+++ b/SOURCES/pki-core-Internal-LDAP-Server-goes-down-Audit-Event.patch
@@ -0,0 +1,65 @@
+From b5655c1f309893919435766e0e17f8d811680abb Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
+Date: Fri, 6 Sep 2019 16:49:00 -0400
+Subject: [PATCH] Bug 1523330 - CC: missing audit event for CS acting as TLS
+ client
+
+This patch adds failed CLIENT_ACCESS_SESSION_ESTABLISH audit event for the case
+when internal ldap server goes down
+
+fixes https://bugzilla.redhat.com/show_bug.cgi?id=1523330
+
+(cherry picked from commit 10d52dd0d6b562edc9e32c543017c67c1c0212a8)
+---
+ .../netscape/cmscore/ldapconn/PKISocketFactory.java | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
+index e9f28c9..e992016 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
+@@ -31,6 +31,9 @@ import org.mozilla.jss.ssl.SSLSocket;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent;
++import com.netscape.certsrv.logging.SignedAuditEvent;
++import com.netscape.cms.logging.SignedAuditLogger;
+ 
+ import netscape.ldap.LDAPException;
+ import netscape.ldap.LDAPSSLSocketFactoryExt;
+@@ -44,6 +47,8 @@ import org.dogtagpki.server.PKIClientSocketListener;
+  */
+ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
+ 
++    private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger();
++
+     private boolean secure;
+     private String mClientAuthCertNickname;
+     private boolean mClientAuth;
+@@ -140,6 +145,22 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
+             s.setKeepAlive(keepAlive);
+ 
+         } catch (Exception e) {
++            // for auditing
++            String localIP = "localhost";
++            try {
++                localIP = InetAddress.getLocalHost().getHostAddress();
++            } catch (UnknownHostException e2) {
++                // default to "localhost";
++            }
++            SignedAuditEvent auditEvent;
++            auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent(
++                        localIP,
++                        host,
++                        Integer.toString(port),
++                        "SYSTEM",
++                        "connect:" +e.toString());
++            signedAuditLogger.log(auditEvent);
++
+             CMS.debug(e);
+             if (s != null) {
+                 try {
+-- 
+1.8.3.1
+
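Review bot: The audit block added to `catch (Exception e)` in PKISocketFactory runs before the existing `if (s != null)` cleanup, so an unchecked exception from `InetAddress.getLocalHost()` or `signedAuditLogger.log(auditEvent)` would skip closing the socket and mask the original connection error; doing the socket cleanup first and auditing afterwards keeps the failure path safe. `"connect:" +e.toString()` puts raw exception text into a signed audit record, so if the logger does not escape field delimiters and line breaks (not visible here), that text should be sanitised before it is logged. The field would be better declared as `private static final SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger();`. The import hunk adds neither `java.net.InetAddress` nor `java.net.UnknownHostException`, so confirm both are already imported in the file. The catch block continues outside the hunk.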
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index 5151a22..23f7248 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -65,22 +65,24 @@
 Name:             pki-core
 %if 0%{?rhel}
 Version:                10.5.16
-%define redhat_release  3
+%define redhat_release  5
 %define redhat_stage    0
 #%define default_release %{redhat_release}.%{redhat_stage}
 %define default_release %{redhat_release}
 %else
 Version:                10.5.16
-%define fedora_release  4
+%define fedora_release  5
 %define fedora_stage    0
 #%define default_release %{fedora_release}.%{fedora_stage}
 %define default_release %{fedora_release}
 %endif
 
 %if 0%{?use_pki_release}
-Release:          %{pki_release}%{?dist}
+#Release:          %{pki_release}%{?dist}
+Release:          %{pki_release}.el7_7
 %else
-Release:          %{default_release}%{?dist}
+#Release:          %{default_release}%{?dist}
+Release:          %{default_release}.el7_7
 %endif
 
 Summary:          Certificate System - PKI Core Components
@@ -208,6 +210,8 @@ Source0:          http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{
 
 Patch0:  pki-core-Add-Subject-Key-ID-to-CSR.patch
 Patch1:  pki-core-PKI-startup-init-LDAP-operation-attr-independence.patch
+Patch2:  pki-core-Fixed-Missing-SAN-extension-for-CA-Clone.patch
+Patch3:  pki-core-Internal-LDAP-Server-goes-down-Audit-Event.patch
 
 # Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
 #
@@ -803,6 +807,8 @@ This package is a part of the PKI Core used by the Certificate System.
 
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %clean
 %{__rm} -rf %{buildroot}
@@ -1339,6 +1345,30 @@ fi
 %endif # %{with server}
 
 %changelog
+* Mon Sep  9 2019 Dogtag Team <pki-devel@redhat.com> 10.5.16-5
+- ##########################################################################
+- # RHEL 7.7:
+- ##########################################################################
+- Bugzilla Bug #1750277 - CC: missing audit event for CS acting as TLS client
+  [rhel-7.7.z] (cfu)
+- ##########################################################################
+- # RHCS 9.5:
+- ##########################################################################
+- # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
+  # pki-console to 10.5.16 in RHCS 9.5
+
+* Mon Aug 19 2019 Dogtag Team <pki-devel@redhat.com> 10.5.16-4
+- ##########################################################################
+- # RHEL 7.7:
+- ##########################################################################
+- Bugzilla Bug #1743122 - RHCS-9 CA clone SSL server cert not issued with its
+  custom SAN extension, RHEL-7.6 and HSM [rhel-7.7.z] (edewata)
+- ##########################################################################
+- # RHCS 9.5:
+- ##########################################################################
+- # Bugzilla Bug #1633423 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
+  # pki-console to 10.5.16 in RHCS 9.5
+
 * Thu Jun 20 2019 Dogtag Team <pki-devel@redhat.com> 10.5.16-3
 - ##########################################################################
 - # RHEL 7.7: