diff --git a/SOURCES/pki-core-KRA-external-CA-partial-cert-chain.patch b/SOURCES/pki-core-KRA-external-CA-partial-cert-chain.patch
new file mode 100644
index 0000000..f4efa8e
--- /dev/null
+++ b/SOURCES/pki-core-KRA-external-CA-partial-cert-chain.patch
@@ -0,0 +1,34 @@
+From 1834a25a1982e2c2c49fde5998efdc7d10d3a29b Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Thu, 6 Oct 2016 22:08:15 +0200
+Subject: [PATCH] Fixed ConfigurationUtils.importCertChain().
+
+The ConfigurationUtils.importCertChain() has been modified to
+ignore UNKNOWN_ISSUER error when connecting to a server that
+does not have the complete certificate chain.
+
+https://fedorahosted.org/pki/ticket/2497
+(cherry picked from commit 343a756bb93abf057f2999858ba9e170fa84f143)
+(cherry picked from commit 6e0e2afbbeb1bb7acdf402edf5ca426bfc01a433)
+---
+ .../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java   | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index 34500d0..ecf8157 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -261,8 +261,9 @@ public class ConfigurationUtils {
+ 
+         IConfigStore cs = CMS.getConfigStore();
+         ConfigCertApprovalCallback certApprovalCallback = new ConfigCertApprovalCallback();
+-        // Ignore untrusted issuer to get cert chain.
++        // Ignore untrusted/unknown issuer to get cert chain.
+         certApprovalCallback.ignoreError(ValidityStatus.UNTRUSTED_ISSUER);
++        certApprovalCallback.ignoreError(ValidityStatus.UNKNOWN_ISSUER);
+         String c = get(host, port, true, serverPath, null, certApprovalCallback);
+ 
+         if (c != null) {
+-- 
+1.8.3.1
+
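Review bot: With `ValidityStatus.UNKNOWN_ISSUER` now ignored alongside `UNTRUSTED_ISSUER` in `importCertChain()`, both issuer checks are suppressed for the connection made by `get()`, so the chain returned in `c` comes from a server whose issuer was never authenticated. The updated comment should say what establishes trust in that chain afterwards, for example `// Issuer errors are ignored only to download the chain; the chain must be verified against the administrator-supplied CA cert before it is trusted.` Whether such verification happens is not visible here, because the `if (c != null)` branch continues outside the hunk, so it is worth confirming. A debug message when either error is actually suppressed would also make an unexpected issuer traceable after installation.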
diff --git a/SOURCES/pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch b/SOURCES/pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch
new file mode 100644
index 0000000..7919499
--- /dev/null
+++ b/SOURCES/pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch
@@ -0,0 +1,191 @@
+From fdff7d618958162b3a30d63c9c50bd71faace530 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Sat, 29 Oct 2016 07:52:36 +0200
+Subject: [PATCH 1/2] Reformatted SecurityDataRecoveryService.serviceRequest().
+
+The code in SecurityDataRecoveryService.serviceRequest() has been
+reformatted for clarity.
+
+https://fedorahosted.org/pki/ticket/2500
+(cherry picked from commit 613d8e8281cc336d7e1c8291abedb4b2321f93ec)
+(cherry picked from commit ec165a0d6cd805d1b5d4fbd4fff44ff00bfcaee0)
+---
+ .../netscape/kra/SecurityDataRecoveryService.java  | 30 ++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
+index f12222b..478f7a8 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
+@@ -24,6 +24,7 @@ import java.math.BigInteger;
+ import java.security.InvalidAlgorithmParameterException;
+ import java.security.InvalidKeyException;
+ import java.security.NoSuchAlgorithmException;
++import java.security.PublicKey;
+ import java.security.spec.AlgorithmParameterSpec;
+ import java.util.Arrays;
+ import java.util.Hashtable;
+@@ -31,9 +32,6 @@ import java.util.Random;
+ 
+ import javax.crypto.spec.RC2ParameterSpec;
+ 
+-import netscape.security.util.DerValue;
+-import netscape.security.x509.X509Key;
+-
+ import org.dogtagpki.server.kra.rest.KeyRequestService;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.asn1.OCTET_STRING;
+@@ -73,6 +71,9 @@ import com.netscape.certsrv.security.ITransportKeyUnit;
+ import com.netscape.cmscore.dbs.KeyRecord;
+ import com.netscape.cmsutil.util.Utils;
+ 
++import netscape.security.util.DerValue;
++import netscape.security.x509.X509Key;
++
+ /**
+  * This implementation services SecurityData Recovery requests.
+  * <p>
+@@ -184,6 +185,7 @@ public class SecurityDataRecoveryService implements IService {
+         } catch (Exception e) {
+             iv = iv_default;
+         }
++
+         String ivStr = Utils.base64encode(iv);
+ 
+         KeyRecord keyRecord = (KeyRecord) mStorage.readKeyRecord(serialno);
+@@ -200,20 +202,27 @@ public class SecurityDataRecoveryService implements IService {
+             if (allowEncDecrypt_recovery == true) {
+                 CMS.debug("Recover symmetric key by decrypting as per allowEncDecrypt_recovery: true.");
+                 unwrappedSecData = recoverSecurityData(keyRecord);
++
+             } else {
+                 symKey = recoverSymKey(keyRecord);
+             }
+ 
+         } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
+             unwrappedSecData = recoverSecurityData(keyRecord);
++
+         } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
+             try {
+                 if (allowEncDecrypt_recovery == true) {
+                     CMS.debug("Recover asymmetric key by decrypting as per allowEncDecrypt_recovery: true.");
+                     unwrappedSecData = recoverSecurityData(keyRecord);
++
+                 } else {
+-                    privateKey = mStorageUnit.unwrap(keyRecord.getPrivateKeyData(),
+-                            X509Key.parsePublicKey(new DerValue(keyRecord.getPublicKeyData())));
++
++                    byte[] publicKeyData = keyRecord.getPublicKeyData();
++                    byte[] privateKeyData = keyRecord.getPrivateKeyData();
++
++                    PublicKey publicKey = X509Key.parsePublicKey(new DerValue(publicKeyData));
++                    privateKey = mStorageUnit.unwrap(privateKeyData, publicKey);
+                 }
+ 
+             } catch (IOException e) {
+@@ -244,22 +253,29 @@ public class SecurityDataRecoveryService implements IService {
+                 passStr = null;
+ 
+                 if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
++
+                     CMS.debug("SecurityDataRecoveryService: wrap or encrypt stored symmetric key with transport passphrase");
+                     if (allowEncDecrypt_recovery == true) {
+                         CMS.debug("SecurityDataRecoveryServic: allowEncDecyypt_recovery: true, symmetric key:  create blob with unwrapped key.");
+                         pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass);
++
+                     } else {
+                         pbeWrappedData = createEncryptedContentInfo(ct, symKey, null, null,
+                                 pass);
+                     }
++
+                 } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
++
+                     CMS.debug("SecurityDataRecoveryService: encrypt stored passphrase with transport passphrase");
+                     pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null,
+                             pass);
++
+                 } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
++
+                     if (allowEncDecrypt_recovery == true) {
+                         CMS.debug("SecurityDataRecoveryService: allowEncDecyypt_recovery: true, asymmetric key:  create blob with unwrapped key.");
+                         pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass);
++
+                     } else {
+                         CMS.debug("SecurityDataRecoveryService: wrap stored private key with transport passphrase");
+                         pbeWrappedData = createEncryptedContentInfo(ct, null, null, privateKey,
+@@ -294,9 +310,11 @@ public class SecurityDataRecoveryService implements IService {
+                         CMS.debug("SecurityDataRecoveryService: encrypt symmetric key with session key as per allowEncDecrypt_recovery: true.");
+                         unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.ENCRYPT);
+                         Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
++
+                         if (encryptor != null) {
+                             encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv));
+                             key_data = encryptor.doFinal(unwrappedSecData);
++
+                         } else {
+                             auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
+                                     serialno.toString(), "Failed to create cipher encrypting symmetric key");
+@@ -344,9 +362,11 @@ public class SecurityDataRecoveryService implements IService {
+                         CMS.debug("SecurityDataRecoveryService: encrypt symmetric key with session key as per allowEncDecrypt_recovery: true.");
+                         unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.ENCRYPT);
+                         Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
++
+                         if (encryptor != null) {
+                             encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv));
+                             key_data = encryptor.doFinal(unwrappedSecData);
++
+                         } else {
+                             auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
+                                     serialno.toString(), "Failed to create cipher encrypting asymmetric key");
+-- 
+1.8.3.1
+
+
+From 7fe0c22d09017fc45b251fd4fb2dd5f5dd23c603 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Tue, 1 Nov 2016 22:49:22 +0100
+Subject: [PATCH 2/2] Fixed KRA key recovery via CLI in FIPS mode.
+
+Based on investigation and solution provided by cfu and jmagne,
+the SecurityDataRecoveryService.serviceRequest() has been modified
+to use EncryptionUnit.unwrap_temp() for key recovery via CLI in
+FIPS mode.
+
+https://fedorahosted.org/pki/ticket/2500
+(cherry picked from commit 650b00dc57bb0c51c1e327ec3064531c26f80c43)
+(cherry picked from commit 8bef45df5e3d287111df8e0a33519a065e3e7b70)
+---
+ base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java | 3 +++
+ base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java     | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
+index 23a1f77..575dda7 100644
+--- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
++++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
+@@ -142,6 +142,9 @@ public interface IEncryptionUnit extends IToken {
+     public SymmetricKey unwrap_sym(byte encSymmKey[],
+             SymmetricKey.Usage usage);
+ 
++    public PrivateKey unwrap_temp(byte privateKey[], PublicKey pubKey)
++            throws EBaseException;
++
+     /**
+      * Unwraps data. This method rebuilds the private key by
+      * unwrapping the private key data.
+diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
+index 478f7a8..83c1fb1 100644
+--- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
++++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
+@@ -222,7 +222,7 @@ public class SecurityDataRecoveryService implements IService {
+                     byte[] privateKeyData = keyRecord.getPrivateKeyData();
+ 
+                     PublicKey publicKey = X509Key.parsePublicKey(new DerValue(publicKeyData));
+-                    privateKey = mStorageUnit.unwrap(privateKeyData, publicKey);
++                    privateKey = mStorageUnit.unwrap_temp(privateKeyData, publicKey);
+                 }
+ 
+             } catch (IOException e) {
+-- 
+1.8.3.1
+
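Review bot: `unwrap_temp()` is added to `IEncryptionUnit` in patch 2/2 without any Javadoc, and the call in `serviceRequest()` switches to it unconditionally rather than only when the token is in FIPS mode. This path rebuilds an archived private key from the storage unit, so the interface should state how the result differs from `unwrap()` and who owns the key's lifetime. It is presumably a temporary, non-persistent key object, but the implementing `EncryptionUnit` change is not in this patch, so that needs confirming. A doc comment along the lines of `/** Unwraps the private key as a temporary key object; see unwrap() for the persistent variant. */`, adjusted to the confirmed semantics, would do. Adding a method to a public interface also breaks any out-of-tree implementer, which the commit message should mention.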
diff --git a/SOURCES/pki-core-compare-serial-DNs-host-authz-check.patch b/SOURCES/pki-core-compare-serial-DNs-host-authz-check.patch
new file mode 100644
index 0000000..9686063
--- /dev/null
+++ b/SOURCES/pki-core-compare-serial-DNs-host-authz-check.patch
@@ -0,0 +1,45 @@
+From bd7606fc9f2f7349ab33c0d9629667533a4fa7cd Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Thu, 22 Sep 2016 12:00:35 +1000
+Subject: [PATCH] Compare serialised DNs in host authority check
+
+CA startup creates an LWCA entry for the host authority if it
+determines that one has not already been created.  It determines if
+an LWCA entry corresponds to the host CA by comparing the DN from
+LDAP with the DN from the host authority's certificate.
+
+If the DN from the host authority's certificate contains values
+encoded as PrintableString, it will compare unequal to the DN from
+LDAP, which parses to UTF8String AVA values.  This causes the
+addition of a spurious host authority entry every time the server
+starts.
+
+Serialise DNs before comparing, to avoid these false negatives.
+
+Fixes: https://fedorahosted.org/pki/ticket/2475
+(cherry picked from commit 84606cc69390187b7f0f11fff41a372fd96f8f93)
+---
+ base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+index a4f1024..ae90d3a 100644
+--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+@@ -3256,7 +3256,12 @@ public class CertificateAuthority
+         if (descAttr != null)
+             desc = (String) descAttr.getStringValues().nextElement();
+ 
+-        if (dn.equals(mName)) {
++        /* Determine if it is the host authority's entry, by
++         * comparing DNs.  DNs must be serialised in case different
++         * encodings are used for AVA values, e.g. PrintableString
++         * from LDAP vs UTF8String in certificate.
++         */
++        if (dn.toString().equals(mName.toString())) {
+             CMS.debug("Found host authority");
+             foundHostAuthority = true;
+             this.authorityID = aid;
+-- 
+1.8.3.1
+
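Review bot: The new block comment in `CertificateAuthority` gives the encodings the other way round from the commit message. The message says the certificate DN carries PrintableString and the LDAP DN parses to UTF8String, while the comment says `PrintableString from LDAP vs UTF8String in certificate`; it should read `e.g. PrintableString in certificate vs UTF8String from LDAP`. Separately, `dn.toString().equals(mName.toString())` ties host-authority detection to the exact string rendering of both names, so it presumably remains sensitive to case or whitespace differences in attribute values. If the name class offers a canonical form, comparing that would be more robust. The enclosing method starts and ends outside the hunk, so null handling of `dn` and `mName` cannot be judged from here.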
diff --git a/SOURCES/pki-core-eliminate-duplicate-classes-in-jars.patch b/SOURCES/pki-core-eliminate-duplicate-classes-in-jars.patch
new file mode 100644
index 0000000..a39457a
--- /dev/null
+++ b/SOURCES/pki-core-eliminate-duplicate-classes-in-jars.patch
@@ -0,0 +1,245 @@
+From 3c6aa16ac1e1350a9700d7a3f9e836a44c9a134e Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 5 Oct 2016 22:58:16 +0200
+Subject: [PATCH] Removed duplicate classes.
+
+The CMake scripts have been modified to store compiled Java classes
+in separate folders for each JAR files to avoid duplicates.
+
+https://fedorahosted.org/pki/ticket/2505
+(cherry picked from commit 0f9212ee0fee093be5e47afc15629d281984ec09)
+(cherry picked from commit 9bfe6101e82319d9f14edc0b0c1c16ca02a0f9a4)
+---
+ CMakeLists.txt                                     | 1 -
+ base/ca/src/CMakeLists.txt                         | 4 ++--
+ base/common/src/CMakeLists.txt                     | 4 ++--
+ base/java-tools/src/CMakeLists.txt                 | 4 ++--
+ base/kra/src/CMakeLists.txt                        | 4 ++--
+ base/server/cms/src/CMakeLists.txt                 | 4 ++--
+ base/server/cmscore/src/CMakeLists.txt             | 4 ++--
+ base/symkey/src/CMakeLists.txt                     | 4 ++--
+ base/symkey/src/com/netscape/symkey/CMakeLists.txt | 2 +-
+ base/util/src/CMakeLists.txt                       | 8 ++++----
+ 10 files changed, 19 insertions(+), 20 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index c746056..457e144 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -54,7 +54,6 @@ macro_ensure_out_of_source_build("${PROJECT_NAME} requires an out of source buil
+ include(MacroCopyFile)
+ include(Java)
+ 
+-file(MAKE_DIRECTORY ${CMAKE_BINARY_DIR}/classes)
+ file(MAKE_DIRECTORY ${CMAKE_BINARY_DIR}/dist)
+ 
+ # required for all PKI components
+diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt
+index 854ce28..e612d72 100644
+--- a/base/ca/src/CMakeLists.txt
++++ b/base/ca/src/CMakeLists.txt
+@@ -96,7 +96,7 @@ javac(pki-ca-classes
+         ${PKI_CMSUTIL_JAR} ${PKI_NSUTIL_JAR}
+         ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSCORE_JAR}
+     OUTPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     DEPENDS
+         symkey-jar pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-cmscore-jar
+ )
+@@ -114,7 +114,7 @@ jar(pki-ca-jar
+     PARAMS
+         ${CMAKE_CURRENT_BINARY_DIR}/pki-ca.mf
+     INPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     FILES
+         com/netscape/ca/*.class
+         org/dogtagpki/server/ca/*.class
+diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
+index ee41b2f..7ce833c 100644
+--- a/base/common/src/CMakeLists.txt
++++ b/base/common/src/CMakeLists.txt
+@@ -131,7 +131,7 @@ javac(pki-certsrv-classes
+         ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} ${RESTEASY_CLIENT_JAR}
+         ${HTTPCLIENT_JAR} ${HTTPCORE_JAR}
+     OUTPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     DEPENDS
+         pki-nsutil-jar pki-cmsutil-jar
+ )
+@@ -149,7 +149,7 @@ jar(pki-certsrv-jar
+     PARAMS
+         ${CMAKE_CURRENT_BINARY_DIR}/pki-certsrv.mf
+     INPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     FILES
+         com/netscape/certsrv/*.class
+         org/dogtagpki/tps/*.class
+diff --git a/base/java-tools/src/CMakeLists.txt b/base/java-tools/src/CMakeLists.txt
+index e7ca5db..6753102 100644
+--- a/base/java-tools/src/CMakeLists.txt
++++ b/base/java-tools/src/CMakeLists.txt
+@@ -100,7 +100,7 @@ javac(pki-tools-classes
+         ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR}
+         ${HTTPCLIENT_JAR} ${HTTPCORE_JAR}
+     OUTPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     DEPENDS
+         pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar
+ )
+@@ -118,7 +118,7 @@ jar(pki-tools-jar
+     PARAMS
+         ${CMAKE_CURRENT_BINARY_DIR}/pki-tools.mf
+     INPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     FILES
+         com/netscape/cmstools/*.class
+     DEPENDS
+diff --git a/base/kra/src/CMakeLists.txt b/base/kra/src/CMakeLists.txt
+index 400ec01..c04d7fe 100644
+--- a/base/kra/src/CMakeLists.txt
++++ b/base/kra/src/CMakeLists.txt
+@@ -118,7 +118,7 @@ javac(pki-kra-classes
+         ${PKI_CMSUTIL_JAR} ${PKI_NSUTIL_JAR}
+         ${PKI_CERTSRV_JAR} ${PKI_CMS_JAR} ${PKI_CMSCORE_JAR} ${TOMCAT_CATALINA_JAR}
+     OUTPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     DEPENDS
+         symkey-jar pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-cmscore-jar
+ )
+@@ -136,7 +136,7 @@ jar(pki-kra-jar
+     PARAMS
+         ${CMAKE_CURRENT_BINARY_DIR}/pki-kra.mf
+     INPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     FILES
+         com/netscape/kra/*.class
+         org/dogtagpki/server/kra/*.class
+diff --git a/base/server/cms/src/CMakeLists.txt b/base/server/cms/src/CMakeLists.txt
+index 93f4a8a..447dcb1 100644
+--- a/base/server/cms/src/CMakeLists.txt
++++ b/base/server/cms/src/CMakeLists.txt
+@@ -133,7 +133,7 @@ javac(pki-cms-classes
+         ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR}
+         ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR} ${PKI_CERTSRV_JAR} ${PKI_TOMCAT_JAR}
+     OUTPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     DEPENDS
+         pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-tomcat-jar
+ )
+@@ -151,7 +151,7 @@ jar(pki-cms-jar
+     PARAMS
+         ${CMAKE_CURRENT_BINARY_DIR}/pki-cms.mf
+     INPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     FILES
+         com/netscape/cms/*.class
+         org/dogtagpki/server/*.class
+diff --git a/base/server/cmscore/src/CMakeLists.txt b/base/server/cmscore/src/CMakeLists.txt
+index 32e4351..fe8dba2 100644
+--- a/base/server/cmscore/src/CMakeLists.txt
++++ b/base/server/cmscore/src/CMakeLists.txt
+@@ -133,7 +133,7 @@ javac(pki-cmscore-classes
+         ${HTTPCLIENT_JAR} ${HTTPCORE_JAR}
+         ${NUXWDOG_JAR}
+     OUTPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     DEPENDS
+         pki-nsutil-jar pki-cmsutil-jar pki-certsrv-jar pki-cms-jar pki-tomcat-jar
+ )
+@@ -151,7 +151,7 @@ jar(pki-cmscore-jar
+     PARAMS
+         ${CMAKE_CURRENT_BINARY_DIR}/pki-cmscore.mf
+     INPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     FILES
+         com/netscape/cmscore/*.class
+     DEPENDS
+diff --git a/base/symkey/src/CMakeLists.txt b/base/symkey/src/CMakeLists.txt
+index 9a4e10f..8455d59 100644
+--- a/base/symkey/src/CMakeLists.txt
++++ b/base/symkey/src/CMakeLists.txt
+@@ -15,14 +15,14 @@ javac(symkey-classes
+     CLASSPATH
+         ${JSS_JAR}
+     OUTPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+ )
+ 
+ jar(symkey-jar
+     CREATE
+         ${CMAKE_BINARY_DIR}/dist/symkey.jar
+     INPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     FILES
+         com/netscape/symkey/*.class
+     DEPENDS
+diff --git a/base/symkey/src/com/netscape/symkey/CMakeLists.txt b/base/symkey/src/com/netscape/symkey/CMakeLists.txt
+index 590a7d8..6915ee9 100644
+--- a/base/symkey/src/com/netscape/symkey/CMakeLists.txt
++++ b/base/symkey/src/com/netscape/symkey/CMakeLists.txt
+@@ -42,7 +42,7 @@ add_custom_command(
+         ${symkey_library_HDRS}
+     COMMAND
+         ${Java_JAVAH_EXECUTABLE}
+-            -classpath ${CMAKE_BINARY_DIR}/classes:${JAVA_LIB_INSTALL_DIR}/jss4.jar
++            -classpath ${CMAKE_CURRENT_BINARY_DIR}/../../../classes:${JAVA_LIB_INSTALL_DIR}/jss4.jar
+             -jni -d ${CMAKE_CURRENT_BINARY_DIR}
+             com.netscape.symkey.SessionKey
+ )
+diff --git a/base/util/src/CMakeLists.txt b/base/util/src/CMakeLists.txt
+index f374c01..bf531d4 100644
+--- a/base/util/src/CMakeLists.txt
++++ b/base/util/src/CMakeLists.txt
+@@ -76,7 +76,7 @@ javac(pki-nsutil-classes
+         ${APACHE_COMMONS_LANG_JAR} ${LDAPJDK_JAR} ${XALAN_JAR} ${XERCES_JAR}
+         ${JSS_JAR} ${COMMONS_CODEC_JAR}
+     OUTPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+ )
+ 
+ configure_file(
+@@ -92,7 +92,7 @@ jar(pki-nsutil-jar
+     PARAMS
+         ${CMAKE_CURRENT_BINARY_DIR}/pki-nsutil.mf
+     INPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     FILES
+         netscape/*.class
+     DEPENDS
+@@ -118,7 +118,7 @@ javac(pki-cmsutil-classes
+         ${LDAPJDK_JAR} ${XALAN_JAR} ${XERCES_JAR}
+         ${JSS_JAR} ${COMMONS_CODEC_JAR} ${NUXWDOG_JAR}
+     OUTPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     DEPENDS
+         pki-nsutil-jar
+ )
+@@ -136,7 +136,7 @@ jar(pki-cmsutil-jar
+     PARAMS
+         ${CMAKE_CURRENT_BINARY_DIR}/pki-cmsutil.mf
+     INPUT_DIR
+-        ${CMAKE_BINARY_DIR}/classes
++        ${CMAKE_CURRENT_BINARY_DIR}/classes
+     FILES
+         com/netscape/cmsutil/*.class
+     DEPENDS
+-- 
+1.8.3.1
+
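Review bot: In `base/symkey/src/com/netscape/symkey/CMakeLists.txt` the javah classpath becomes `${CMAKE_CURRENT_BINARY_DIR}/../../../classes`, which hard-codes the directory depth between that file and the `symkey-classes` output directory set in `base/symkey/src/CMakeLists.txt`. If either file moves, javah will look in a directory that does not hold the freshly compiled `SessionKey` class and the two paths will drift apart silently. Assuming this directory is added as a subdirectory of `base/symkey/src`, a variable defined next to the `javac(symkey-classes ...)` call would keep them in sync, for example `set(SYMKEY_CLASSES_DIR ${CMAKE_CURRENT_BINARY_DIR}/classes)` (name constructed for illustration). The javah command would then use `-classpath ${SYMKEY_CLASSES_DIR}:${JAVA_LIB_INSTALL_DIR}/jss4.jar`.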
diff --git a/SOURCES/pki-core-problems-with-FIPS-mode.patch b/SOURCES/pki-core-problems-with-FIPS-mode.patch
new file mode 100644
index 0000000..390c0e5
--- /dev/null
+++ b/SOURCES/pki-core-problems-with-FIPS-mode.patch
@@ -0,0 +1,82 @@
+From 78fa2f5955225cd38f3c5b996396453899017b31 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 12 Oct 2016 03:26:41 +0200
+Subject: [PATCH] Fixed CryptoUtil.getTokenName().
+
+The CryptoUtil.getTokenName() has been modified to check both the
+short name and full name of the internal token.
+
+The ConfigurationUtils.deleteCert() has also been modified to call
+CryptoUtil.getTokenName().
+
+https://fedorahosted.org/pki/ticket/2500
+(cherry picked from commit 5be68e38fd77f171331d27ca52a291f06f7c686c)
+(cherry picked from commit 42c52b18467212dde0cdebedca55ab22c4629cb5)
+---
+ .../cms/servlet/csadmin/ConfigurationUtils.java    |  2 +-
+ .../com/netscape/cmsutil/crypto/CryptoUtil.java    | 23 +++++++++++++---------
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index ecf8157..afd8d28 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -3419,7 +3419,7 @@ public class ConfigurationUtils {
+             NoSuchTokenException, TokenException {
+ 
+         CryptoManager cm = CryptoManager.getInstance();
+-        CryptoToken tok = cm.getTokenByName(tokenname);
++        CryptoToken tok = CryptoUtil.getTokenByName(tokenname);
+         CryptoStore store = tok.getCryptoStore();
+         String fullnickname = nickname;
+         if (!tokenname.equals("") &&
+diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+index b02c363..b6b5e6a 100644
+--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+@@ -135,6 +135,9 @@ import netscape.security.x509.X509Key;
+ @SuppressWarnings("serial")
+ public class CryptoUtil {
+ 
++    public final static String INTERNAL_TOKEN_NAME = "internal";
++    public final static String INTERNAL_TOKEN_FULL_NAME = "Internal Key Storage Token";
++
+     public static final String CERTREQ_BEGIN_HEADING = "-----BEGIN CERTIFICATE REQUEST-----";
+     public static final String CERTREQ_END_HEADING = "-----END CERTIFICATE REQUEST-----";
+     public static final int LINE_COUNT = 76;
+@@ -472,21 +475,23 @@ public class CryptoUtil {
+         return true;
+     }
+ 
++    public static boolean isInternalToken(String name) {
++        return name.equalsIgnoreCase(INTERNAL_TOKEN_NAME) || name.equalsIgnoreCase(INTERNAL_TOKEN_FULL_NAME);
++    }
++
+     /**
+      * Retrieves handle to a JSS token.
+      */
+-    public static CryptoToken getTokenByName(String token)
+-            throws CryptoManager.NotInitializedException,
+-                NoSuchTokenException {
++    public static CryptoToken getTokenByName(String name)
++            throws NotInitializedException, NoSuchTokenException {
++
+         CryptoManager cm = CryptoManager.getInstance();
+-        CryptoToken t = null;
+ 
+-        if (token.equals("internal")) {
+-            t = cm.getInternalKeyStorageToken();
+-        } else {
+-            t = cm.getTokenByName(token);
++        if (isInternalToken(name)) {
++            return cm.getInternalKeyStorageToken();
+         }
+-        return t;
++
++        return cm.getTokenByName(name);
+     }
+ 
+     /**
+-- 
+1.8.3.1
+
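Review bot: The new public helper `CryptoUtil.isInternalToken(String name)` has no Javadoc and dereferences `name` without a null check, so a null token name surfaces as a NullPointerException rather than a `NoSuchTokenException`. If null should mean "not internal", `return name != null && (name.equalsIgnoreCase(INTERNAL_TOKEN_NAME) || name.equalsIgnoreCase(INTERNAL_TOKEN_FULL_NAME));` covers it; otherwise the contract should be documented. The match also changed from `equals("internal")` to `equalsIgnoreCase`, so any token whose name differs from these two strings only in case now resolves to the internal key storage token instead of being looked up by name. Token selection decides where keys are stored and deleted, so that widening deserves a sentence in the doc comment. In `ConfigurationUtils.deleteCert()` the local `cm` may now be unused, though the method body continues outside the hunk.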
diff --git a/SOURCES/pki-core-tps-token-setupSecureChannel-fips-mode.patch b/SOURCES/pki-core-tps-token-setupSecureChannel-fips-mode.patch
new file mode 100644
index 0000000..dba4187
--- /dev/null
+++ b/SOURCES/pki-core-tps-token-setupSecureChannel-fips-mode.patch
@@ -0,0 +1,44 @@
+From eb106cb46aaea07ddc3c46db63f99ab41b2cd835 Mon Sep 17 00:00:00 2001
+From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
+Date: Thu, 20 Oct 2016 15:18:12 -0700
+Subject: [PATCH] TPS token enrollment fails to setupSecureChannel when TPS and
+ TKS security db is on fips mode.
+
+Ticket #2513.
+
+Simple fix allows the TPS and TKS the ability to obtain the proper internal token, even in FiPS mode.
+
+(cherry picked from commit cb2cc3c7fd93e1a0519a0b530cbc2edbab7741cc)
+(cherry picked from commit 7fae5790584855ea84b9c6ecf73058b6f0dfc1aa)
+---
+ .../cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java   | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
+index db42cab..6dfd1d2 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
+@@ -31,6 +31,7 @@ import sun.security.pkcs11.wrapper.PKCS11Constants;
+ 
+ import com.netscape.certsrv.apps.CMS;
+ import com.netscape.certsrv.base.EBaseException;
++import com.netscape.cmsutil.crypto.CryptoUtil;
+ 
+ public class SecureChannelProtocol {
+ 
+@@ -688,10 +689,11 @@ public class SecureChannelProtocol {
+ 
+     public CryptoToken returnTokenByName(String name, CryptoManager manager) throws NoSuchTokenException {
+ 
++        CMS.debug("returnTokenByName: requested name: " + name);
+         if (name == null || manager == null)
+             throw new NoSuchTokenException();
+ 
+-        if (name.equals("internal") || name.equals("Internal KeyStorage Token")) {
++        if(CryptoUtil.isInternalToken(name)) {
+             return manager.getInternalKeyStorageToken();
+         } else {
+             return manager.getTokenByName(name);
+-- 
+1.8.3.1
+
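Review bot: Replacing the literal comparison in `returnTokenByName()` with `CryptoUtil.isInternalToken(name)` drops the old spelling `"Internal KeyStorage Token"`. The helper, as defined in the FIPS-mode patch on this page, matches only `internal` and `Internal Key Storage Token`. A TPS or TKS configuration that still carries the old spelling would now fall through to `manager.getTokenByName(name)` and select, or fail to find, a different token, so it is worth confirming that the old string was a typo that was never written to any configuration. As a style point, `if(CryptoUtil.isInternalToken(name)) {` should be `if (CryptoUtil.isInternalToken(name)) {` to match the rest of the file.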
diff --git a/SOURCES/pki-core-two-step-external-CA-authorityID.patch b/SOURCES/pki-core-two-step-external-CA-authorityID.patch
new file mode 100644
index 0000000..41f54be
--- /dev/null
+++ b/SOURCES/pki-core-two-step-external-CA-authorityID.patch
@@ -0,0 +1,41 @@
+From 441e69f01d8acddef0659f10084fa07b8bff06e5 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Wed, 21 Sep 2016 20:18:37 +1000
+Subject: [PATCH] Do not attempt LWCA key retrieval for host authority
+
+During two-step installation of externally-signed CA, installation
+can fail because host authority's private key cannot be located (a
+temporary condition), causing LWCA key replication to fire, which
+throws NullPointerException because the host authority's AuthorityID
+has not been set yet.
+
+Do not start key retrieval if the CA's AuthorityID is null (a
+condition which implies that the CA is the host authority).
+
+Fixes: https://fedorahosted.org/pki/ticket/2466
+(cherry picked from commit fca5fd053434d112998c814bc6d9424b6a5bac98)
+---
+ base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+index 1f77fd8..a4f1024 100644
+--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
++++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
+@@ -1569,7 +1569,12 @@ public class CertificateAuthority
+                 CMS.debug("CA signing key and cert not (yet) present in NSSDB");
+                 signingUnitException = e;
+                 if (retrieveKeys == true) {
+-                    if (!keyRetrieverThreads.containsKey(authorityID)) {
++                    if (authorityID == null) {
++                        // Only the host authority should ever see a
++                        // null authorityID, e.g. during two-step
++                        // installation of externally-signed CA.
++                        CMS.debug("null authorityID -> host authority; not starting KeyRetriever");
++                    } else if (!keyRetrieverThreads.containsKey(authorityID)) {
+                         CMS.debug("Starting KeyRetrieverRunner thread");
+                         Thread t = new Thread(
+                             new KeyRetrieverRunner(authorityID, mNickname, authorityKeyHosts),
+-- 
+1.8.3.1
+
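Review bot: The new `authorityID == null` branch treats a null ID as proof that this CA is the host authority, but nothing in the visible lines enforces that assumption. A lightweight CA whose ID failed to load would also skip key retrieval, with only a `CMS.debug` line as evidence. Consider checking the host-authority condition explicitly if the class exposes one, or logging the skipped retrieval at a level that is kept in production logs. The following `keyRetrieverThreads.containsKey(authorityID)` test and thread creation form a check-then-act sequence; whether a lock guards it cannot be seen because the method starts and ends outside the hunk.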
diff --git a/SOURCES/pki-core-typo-in-UserPwdDirAuthentication.patch b/SOURCES/pki-core-typo-in-UserPwdDirAuthentication.patch
new file mode 100644
index 0000000..aac26c3
--- /dev/null
+++ b/SOURCES/pki-core-typo-in-UserPwdDirAuthentication.patch
@@ -0,0 +1,27 @@
+From 92372f653ca48d1de71de990fe3ef99ba1a83111 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Mon, 24 Oct 2016 18:30:55 +0200
+Subject: [PATCH] Fixed typo in UserPwdDirAuthentication.
+
+https://fedorahosted.org/pki/ticket/2460
+(cherry picked from commit 634da4e7ba6af5e799da300955a4730fa51be8f0)
+---
+ .../src/com/netscape/cms/authentication/UserPwdDirAuthentication.java   | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
+index a95dd86..ead8650 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
+@@ -108,7 +108,7 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication
+     }
+ 
+     /**
+-     * Initializes the UdnPwdDirAuthentication auth manager.
++     * Initializes the UserPwdDirAuthentication auth manager.
+      * <p>
+      *
+      * @param name - The name for this authentication manager instance.
+-- 
+1.8.3.1
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index c80dc4a..0b2b688 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -65,7 +65,8 @@
 
 Name:             pki-core
 Version:          10.3.3
-Release:          10%{?dist}
+Release:          14.el7_3
+#Release:          14%{?dist}
 Summary:          Certificate System - PKI Core Components
 URL:              http://pki.fedoraproject.org/
 License:          GPLv2
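Review bot: The new `Release:` line hard-codes the dist tag as `14.el7_3`, so the release string no longer follows the build root's `%{dist}` and a rebuild for another target would still be labelled el7_3. If the pin is deliberate, a short comment such as `# dist tag pinned for the 7.3.z batch update build` would record why. The commented-out line kept beside it still contains `%{?dist}`, and rpm expands macros inside comments, so it is safer written as `#Release:          14%%{?dist}`.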
@@ -221,6 +222,26 @@ Patch5:           pki-core-snapshot-2.patch
 Patch6:           pki-core-snapshot-3.patch
 ## pki-core-10.3.3-10
 Patch7:           pki-core-snapshot-4.patch
+## pki-core-10.3.3-11
+#Patch8:           pki-core-rhel-post-snapshot-1.patch
+## pki-core-10.3.3-12
+## RHEL 7.3.z Batch Update 1
+Patch9:           pki-core-two-step-external-CA-authorityID.patch
+Patch10:          pki-core-compare-serial-DNs-host-authz-check.patch
+Patch11:          pki-core-KRA-external-CA-partial-cert-chain.patch
+Patch12:          pki-core-problems-with-FIPS-mode.patch
+Patch13:          pki-core-eliminate-duplicate-classes-in-jars.patch
+Patch14:          pki-core-typo-in-UserPwdDirAuthentication.patch
+## RHCS 9.1.z Batch Update 1
+#Patch15:          pki-core-token-format-external-reg.patch
+#Patch16:          pki-core-encryption-cert-auto-recovery-damaged-token.patch
+#Patch17:          pki-core-pin-reset-policy.patch
+Patch18:          pki-core-tps-token-setupSecureChannel-fips-mode.patch
+## pki-core-10.3.3-13
+## RHCS 9.1.z Batch Update 1
+##Patch19:          pki-core-target-agent-approve-list.patch
+## RHEL 7.3.z Batch Update 1
+Patch20:          pki-core-KRA-key-recovery-via-CLI-in-FIPS-mode.patch
 
 # Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
 #
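Review bot: Patch15–Patch17 and Patch19 are commented out here, yet the 10.3.3-12 %changelog entry later in this spec still lists what appear to be their bugs (#1381635, #1379749, #1382762), so anyone auditing which fixes a build contains from the changelog would get the wrong answer. The mapping from patch file names to bug numbers is inferred from the names. A one-line comment above the disabled entries saying why they are not applied would make this explicit, for example `## not applied in this build; kept for reference` if that is the reason. Patch18 also still sits under the `## RHCS 9.1.z Batch Update 1` heading, although the 10.3.3-14 changelog entry says that patch was moved to the RHEL 7.3.z bug, so it belongs under the RHEL heading.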
@@ -528,6 +549,7 @@ Requires:    nuxwdog-client-java >= 1.0.3
 
 Requires:         policycoreutils
 Requires:         openldap-clients
+Requires:         openssl
 Requires:         pki-base = %{version}-%{release}
 Requires:         pki-base-java = %{version}-%{release}
 Requires:         pki-tools = %{version}-%{release}
@@ -841,6 +863,19 @@ This package is a part of the PKI Core used by the Certificate System.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+#%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+#%patch15 -p1
+#%patch16 -p1
+#%patch17 -p1
+%patch18 -p1
+##%patch19 -p1
+%patch20 -p1
 
 %clean
 %{__rm} -rf %{buildroot}
@@ -1341,9 +1376,78 @@ systemctl daemon-reload
 %endif # %{with server}
 
 %changelog
+* Tue Nov  8 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-14
+- Marked the following RHCS 9.1.z bug:
+  Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel
+  when TPS and TKS security db is on fips mode. (jmagne)
+  as a duplicate of RHEL 7.3.z bug:
+  Bugzilla Bug #1389757 - Problems with FIPS mode (edewata)
+  and moved the patch from the RHCS 9.1.z bug to the RHEL 7.3.z bug.
+
+* Thu Nov  3 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-13
+- ## RHEL 7.3.z Batch Update 1
+- Bugzilla Bug #1389757 - Problems with FIPS mode (edewata)
+  (added KRA key recovery via CLI in FIPS mode)
+- ## RHCS 9.1.z Batch Update 1
+- Reverted patches associated with
+  Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is
+  not reflected in the TPS Web UI (edewata)
+
+* Mon Oct 31 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-12
+- ## RHEL 7.3.z Batch Update 1
+- Bugzilla Bug #1390318 - CA EE: Submit caUserCert request without uid does
+  not show proper error message (alee)
+- Bugzilla Bug #1390319 - Failed to start pki-tomcatd Service
+  ("ipa-cacert-manage renew" failed?) (edewata)
+- Bugzilla Bug #1390320 - pkispawn fails as it is not able to find openssl as
+  a dependency package (mharmsen)
+- Bugzilla Bug #1390321 - two-step externally-signed CA installation fails due
+  to missing AuthorityID (ftweedal)
+- Bugzilla Bug #1390322 - Spurious host authority entries created (ftweedal)
+- Bugzilla Bug #1390324 - KRA installation failed against externally-signed CA
+  with partial certificate chain (edewata)
+- Bugzilla Bug #1389757 - Problems with FIPS mode (edewata)
+- Bugzilla Bug #1390311 - Fix packaging duplicates of classes in multiple jar
+  files (edewata)
+- Bugzilla Bug #1390325 - Typo in comment line of UserPwdDirAuthentication.java
+  (edewata)
+- ## RHCS 9.1.z Batch Update 1
+- Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1" (cfu)
+- Bugzilla Bug #1274096 -  [BUG] Add ability to disallow TPS to enroll a
+  single user on multiple tokens. (jmagne)
+- Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed
+  tokens (jmagne)
+- Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working
+  when a token is physically damaged and a temporary token is issued (jmagne)
+- Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial
+  number and key id on the ldap user mismatches
+- Bugzilla Bug #1381635 - Token format with external reg fails when
+  op.format.externalRegAddToToken.revokeCert=true (cfu)
+- Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when
+  set on a token (jmagne)
+- Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel
+  when TPS and TKS security db is on fips mode. (jmagne)
+- Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is
+  not reflected in the TPS Web UI (edewata)
+
+* Mon Oct 10 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-11
+- PKI TRAC Ticket #1527 - TPS Enrollment always goes to "ca1" (cfu)
+- PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single
+  user on multiple tokens. (jmagne)
+- PKI TRAC Ticket #2478 - pkispawn fails as it is not able to find openssl as a
+  dependency package (mharmsen)
+- PKI TRAC Ticket #2483 - Unable to read an encrypted email using renewed
+  tokens (jmagne)
+- PKI TRAC Ticket #2496 - Cert/Key recovery is successful when the cert serial
+  number and key id on the ldap user mismatches (cfu)
+- PKI TRAC Ticket #2505 - Fix packaging duplicates of classes in multiple jar
+  files (edewata)
+
 * Fri Sep  9 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-10
 - Revert Patch:  PKI TRAC Ticket #2449 - Unable to create system certificates
   in different tokens (edewata)
+- Resolves:  rhbz #1374054 - ipa-replica-install fails setting up certificate
+- Restores:  rhbz #1319557 - pkispawn KRA instance is failing server
 - Removes from Errata:  rhbz #1372041 - Unable to create system certificates
   in different tokens