diff --git a/SOURCES/pki-core-10.5.1-batch-4.0.patch b/SOURCES/pki-core-10.5.1-batch-4.0.patch
new file mode 100644
index 0000000..8c32da6
--- /dev/null
+++ b/SOURCES/pki-core-10.5.1-batch-4.0.patch
@@ -0,0 +1,1145 @@
+From a44118f657f570493bbcc7af4ed347f638031905 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Thu, 12 Jul 2018 10:24:33 -0700
+Subject: [PATCH 1/9] Bugzilla 1548203 LDAP password from console update in
+ audit
+
+This patch replace ldap passwords with "(sensitive)" in audit log.
+
+fixes https://bugzilla.redhat.com/show_bug.cgi?id=1548203
+
+Change-Id: I6271ec1da4164f731dd3a61534b0e511097a845a
+(cherry picked from commit cf9c23a842000755d872202777b0a280bda7f1a1)
+---
+ .../server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+index 769e8e4..2b8cec7 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+@@ -991,7 +991,11 @@ public class AdminServlet extends HttpServlet {
+             if (name.equals(Constants.OP_TYPE)) continue;
+             if (name.equals(Constants.RS_ID)) continue;
+ 
+-            String value = req.getParameter(name);
++            String value = null;
++            if (name.equalsIgnoreCase("PASSWORD_CACHE_ADD"))
++                value = "(sensitive)";
++            else
++                value = req.getParameter(name);
+             params.put(name, value);
+         }
+ 
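Review bot: The redaction is keyed to the single literal `"PASSWORD_CACHE_ADD"`, so any other request parameter that carries a secret would still be copied into `params` in clear text; whether such parameters reach this loop cannot be seen from the hunk. Consider keeping the sensitive names in one named constant set next to the `Constants.OP_TYPE` / `Constants.RS_ID` skips, with a comment such as `// never copy credential values into the audit parameter map`. The if/else can also collapse to `String value = name.equalsIgnoreCase("PASSWORD_CACHE_ADD") ? "(sensitive)" : req.getParameter(name);`. The enclosing method starts and ends outside the hunk.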
+-- 
+1.8.3.1
+
+
+From 3210233343ae0d837855ac35884ea0d74450dc01 Mon Sep 17 00:00:00 2001
+From: Jack Magne <jmagne@redhat.com>
+Date: Mon, 15 Jan 2018 13:59:33 -0800
+Subject: [PATCH 2/9] Test fix for TPS server side key gen for only identity
+ cert problem.
+
+Change-Id: I15fc1b8a3fa92568aca853f0e89b9e87bbad463d
+(cherry picked from commit c87d7820f7b1af97134197a23543e9fc4be1aa39)
+(cherry picked from commit c1314749b7b3a2a6647aadd6945186833e539da8)
+---
+ .../server/tps/cms/TKSRemoteRequestHandler.java    | 26 +++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
+index 65d0ed0..8155f90 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
++++ b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
+@@ -103,7 +103,8 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
+             String tokenType)
+             throws EBaseException {
+ 
+-        CMS.debug("TKSRemoteRequestHandler: computeSessionKey(): begins.");
++        String method = "TKSRemoteRequestHandler: computeSessionKey(): ";
++        CMS.debug(method + " begins.");
+         if (cuid == null || kdd == null || keyInfo == null || card_challenge == null
+                 || card_cryptogram == null || host_challenge == null) {
+             throw new EBaseException("TKSRemoteRequestHandler: computeSessionKey(): input parameter null.");
+@@ -111,10 +112,25 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
+ 
+         IConfigStore conf = CMS.getConfigStore();
+ 
+-        boolean serverKeygen =
+-                conf.getBoolean("op.enroll." +
+-                        tokenType + ".keyGen.encryption.serverKeygen.enable",
+-                        false);
++        boolean serverKeygen = false;
++
++        //Try out all the currently supported cert types to see if we are doing server side keygen here
++        String[] keygenStrings = { "identity", "signing", "encryption", "authentication", "auth"};
++        for (String keygenString : keygenStrings) {
++            boolean enabled = conf.getBoolean("op.enroll." +
++                    tokenType + ".keyGen." +
++                    keygenString + ".serverKeygen.enable", false);
++
++            CMS.debug(method + " serverkegGen enabled for " + keygenString + " : " + enabled);
++            if (enabled) {
++                serverKeygen = true;
++                break;
++            }
++        }
++
++
++
++
+         if (keySet == null)
+             keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet");
+ 
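Review bot: The hard-coded list `{ "identity", "signing", "encryption", "authentication", "auth" }` now decides whether `serverKeygen` is set, so a token profile whose key type has any other name silently falls back to `false`. If the key types configured for `tokenType` can be read from `conf`, iterating over those would avoid the list drifting from the configuration. The debug text `serverkegGen` is misspelled, which makes the line hard to search for in logs. Because `method` already ends in a space, the messages also carry a double space, including the `begins.` line in the previous hunk. The four blank lines added before `if (keySet == null)` can be dropped; the body of computeSessionKey continues outside the hunk.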
+-- 
+1.8.3.1
+
+
+From 6e4ad81a8f65c015f23cbd3716564c6755bbbdf1 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Mon, 30 Jul 2018 17:15:09 -0700
+Subject: [PATCH 4/9] Bug 1601071  Certificate generation happens with partial
+ attributes in CMCRequest file
+
+This patch addresses the issue where when a cmcSelfSisnged profile is used
+in a cmcUserSigned case, the certificate is issued.
+A new authToken variable TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT has
+been introduced for shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for user-signed case.
+A new constraint CMCSelfSignedSubjectNameConstraint has been introduced
+to verify.
+In additional, all profiles that authenticate through CMCUserSignedAuth are
+turned off by default to allow site administrators to make conscious decision
+on their own for these features.
+Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default.
+
+Change-Id: I275118d31b966494411888beb37032bb022c29ce
+(cherry picked from commit 50b881b7ec1d4856d4bfcc182a22bf1c131cd536)
+---
+ base/ca/shared/conf/CS.cfg                         |   2 +-
+ base/ca/shared/conf/registry.cfg                   |   9 +-
+ .../profiles/ca/caECFullCMCSelfSignedCert.cfg      |   8 +-
+ .../profiles/ca/caECFullCMCUserSignedCert.cfg      |   2 +-
+ .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg |   8 +-
+ .../shared/profiles/ca/caFullCMCUserSignedCert.cfg |   2 +-
+ .../certsrv/authentication/IAuthToken.java         |   7 +-
+ .../com/netscape/cms/authentication/CMCAuth.java   |   5 +-
+ .../cms/authentication/CMCUserSignedAuth.java      |  16 ++-
+ .../netscape/cms/authentication/SharedSecret.java  |   4 +-
+ .../netscape/cms/profile/common/EnrollProfile.java |  18 +++
+ .../CMCSelfSignedSubjectNameConstraint.java        | 129 +++++++++++++++++++++
+ .../profile/def/AuthTokenSubjectNameDefault.java   |   2 +-
+ .../servlet/profile/ProfileSubmitCMCServlet.java   |  29 ++++-
+ base/server/cmsbundle/src/UserMessages.properties  |   3 +-
+ 15 files changed, 216 insertions(+), 28 deletions(-)
+ create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 1d65835..fcd85a2 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED
+ log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
+ log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
+ log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
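Review bot: `CERT_STATUS_CHANGE_REQUEST_PROCESSED` is appended after `SELFTESTS_EXECUTION`, while the rest of `log.instance.SignedAudit.events` appears to be in alphabetical order; placing it after `CERT_SIGNING_INFO` keeps the list easy to audit by eye. If this file is only the template for newly created instances (inferred from the `shared/conf` path), existing CAs will not start logging the event after the update. That is worth stating in the release notes or covering with an upgrade step.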
+diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
+index 54e4d95..4fe6e93 100644
+--- a/base/ca/shared/conf/registry.cfg
++++ b/base/ca/shared/conf/registry.cfg
+@@ -1,5 +1,5 @@
+ types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
+-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
++constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
+ constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
+ constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
+ constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
+@@ -36,9 +36,12 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
+ constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint
+ constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint
+ constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint
++constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint
++constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint
++constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint
+ constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint
+-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint
+-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint
++constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint
++constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint
+ constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint
+ constraintPolicy.validityConstraintImpl.desc=Validity Constraint
+ constraintPolicy.validityConstraintImpl.name=Validity Constraint
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+index 144c05c..48e6499 100644
+--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+@@ -1,5 +1,5 @@
+ desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request
+-enable=true
++enable=false
+ enableBy=admin
+ name=Self-Signed CMC User Certificate Enrollment
+ visible=false
+@@ -10,10 +10,8 @@ output.list=o1
+ output.o1.class_id=certOutputImpl
+ policyset.list=cmcUserCertSet
+ policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+-policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+-policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+-policyset.cmcUserCertSet.1.constraint.params.accept=true
+-policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
++policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
++policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint
+ policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+ policyset.cmcUserCertSet.1.default.name=Subject Name Default
+ policyset.cmcUserCertSet.1.default.params.name=
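Review bot: The new value of `policyset.cmcUserCertSet.1.constraint.name` reads `CMC User-Signed Subject Name Constraint`, but the `class_id` on the line above is `cmcSelfSignedSubjectNameConstraintImpl`, and the RSA twin caFullCMCSelfSignedCert.cfg uses `CMC Self-Signed Subject Name Constraint`. This looks like a copy-paste slip, and an administrator reading the profile would be told the wrong constraint is in force. Suggested line: `policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint`.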
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
+index d2286de..e7b60ee 100644
+--- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
+@@ -1,5 +1,5 @@
+ desc=This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication.
+-enable=true
++enable=false
+ enableBy=admin
+ name=User-Signed CMC-Authenticated User Certificate Enrollment
+ visible=false
+diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+index bdcdc24..538b16a 100644
+--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+@@ -1,5 +1,5 @@
+ desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request
+-enable=true
++enable=false
+ enableBy=admin
+ name=Self-Signed CMC User Certificate Enrollment
+ visible=false
+@@ -10,10 +10,8 @@ output.list=o1
+ output.o1.class_id=certOutputImpl
+ policyset.list=cmcUserCertSet
+ policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+-policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+-policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+-policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
+-policyset.cmcUserCertSet.1.constraint.params.accept=true
++policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
++policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint
+ policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+ policyset.cmcUserCertSet.1.default.name=Subject Name Default
+ policyset.cmcUserCertSet.1.default.params.name=
+diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+index 9b5d3e9..b0ff8af 100644
+--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+@@ -1,5 +1,5 @@
+ desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication.
+-enable=true
++enable=false
+ enableBy=admin
+ name=User-Signed CMC-Authenticated User Certificate Enrollment
+ visible=false
+diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
+index 59c6af2..d5d03b4 100644
+--- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
++++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
+@@ -44,9 +44,14 @@ public interface IAuthToken {
+     public static final String GROUP = "group";
+     public static final String GROUPS = "groups";
+ 
+-    /* Subject name of the certificate in the authenticating entry */
++    /* Subject name of the certificate request in the authenticating entry */
+     public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
+ 
++    /* Subject name of the authenticated cert */
++    public static final String TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenAuthenticatedCertSubject";
++    /* Subject DN of the Shared Token authenticated entry */
++    public static final String TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenSharedTokenAuthenticatedCertSubject";
++
+     /* NotBefore value of the certificate in the authenticating entry */
+     public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
+ 
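Review bot: The three subject constants are easy to confuse, and the comments do not say which component writes each one or how far the value can be trusted. Within this patch `TOKEN_CERT_SUBJECT` is still set to the LDAP `userdn` in SharedSecret, which does not fit the revised comment `Subject name of the certificate request in the authenticating entry`. I would turn the three `/* ... */` comments into Javadoc that names the writer of each key. As far as the other hunks show, `TOKEN_AUTHENTICATED_CERT_SUBJECT` is set by the CMC auth managers from the signing certificate and by EnrollProfile from `TOKEN_CERT_SUBJECT`, and `TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT` is set by EnrollProfile in the shared-token path. The Javadoc should also state that profile constraints must only rely on the latter two.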
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+index 86ffa2f..9b6a819 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+@@ -959,8 +959,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+                         IAuthToken tempToken = agentAuth.authenticate(agentCred);
+                         netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
+-                        String ID = tempPrincipal.toString();
++                        String ID = tempPrincipal.getName();
+                         CMS.debug(method + " Principal name = " + ID);
++                        authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID);
+ 
+                         BigInteger agentCertSerial = x509Certs[0].getSerialNumber();
+                         authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString());
+@@ -1047,7 +1048,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
+     public void populate(IAuthToken token, IRequest request)
+             throws EProfileException {
+         request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
+-                token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
++                token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT));
+     }
+ 
+     public boolean isSSLClientRequired() {
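Review bot: `populate` now copies `TOKEN_AUTHENTICATED_CERT_SUBJECT` into `AUTHENTICATED_NAME` without a null check, whereas the same method in CMCUserSignedAuth, changed in this patch, guards the value first. In the lines visible here the key is written only by `authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID)` in the previous hunk. Any authenticate path that does not reach that line would therefore leave the request without a usable authenticated name for AuthTokenSubjectNameDefault. Suggest reading it first with `String dn = token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT);` and failing with the declared `EProfileException` when `dn == null`, instead of passing null on to `request.setExtData(...)`.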
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+index d5f6c34..a9a7ade 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+@@ -674,7 +674,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                                     if (requestCertSubject.equals("")) {
+                                         requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+                                     }
+-
+                                     authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss);
+                                     auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject);
+                                     //authToken.set("uid", uid);
+@@ -1160,8 +1159,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+                         IAuthToken tempToken = new AuthToken(null);
+                         netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
+-                        String ID = tempPrincipal.toString(); //tempToken.get("userid");
++                        String ID = tempPrincipal.getName(); //tempToken.get("userid");
+                         CMS.debug(method + " Principal name = " + ID);
++                        authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID);
+ 
+                         BigInteger certSerial = x509Certs[0].getSerialNumber();
+                         CMS.debug(method + " verified cert serial=" + certSerial.toString());
+@@ -1276,8 +1276,16 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+ 
+     public void populate(IAuthToken token, IRequest request)
+             throws EProfileException {
+-        request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
+-                token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
++        String method = "CMCUserSignedAuth: populate: ";
++        String authenticatedDN = token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT);
++        if (authenticatedDN != null) {
++            request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
++                    authenticatedDN);
++            CMS.debug(method + "IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is: "+
++                    authenticatedDN);
++        } else {
++            CMS.debug(method + "AuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is null; self-signed?");
++        }
+     }
+ 
+     public boolean isSSLClientRequired() {
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
+index 5ebc213..2d8679c 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
+@@ -30,9 +30,9 @@ import org.mozilla.jss.crypto.SymmetricKey;
+ import org.mozilla.jss.pkix.cmc.PKIData;
+ 
+ import com.netscape.certsrv.apps.CMS;
+-import com.netscape.certsrv.authentication.AuthToken;
+ import com.netscape.certsrv.authentication.EInvalidCredentials;
+ import com.netscape.certsrv.authentication.IAuthCredentials;
++import com.netscape.certsrv.authentication.AuthToken;
+ import com.netscape.certsrv.authentication.IAuthToken;
+ import com.netscape.certsrv.authentication.ISharedToken;
+ import com.netscape.certsrv.base.EBaseException;
+@@ -296,7 +296,7 @@ public class SharedSecret extends DirBasedAuthentication
+             }
+ 
+             CMS.debug(method + "found user ldap entry: userdn = " + userdn);
+-            authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn);
++            authToken.set(IAuthToken.TOKEN_CERT_SUBJECT, userdn);
+ 
+             res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE,
+                     "(objectclass=*)", new String[] { mShrTokAttr }, false);
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+index 929e629..f9903c6 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+@@ -209,6 +209,14 @@ public abstract class EnrollProfile extends BasicProfile
+ 
+             // catch for invalid request
+             cmc_msgs = parseCMC(locale, cert_request, donePOI);
++            SessionContext sessionContext = SessionContext.getContext();
++            String authenticatedSubject = 
++                    (String) sessionContext.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
++
++            if (authenticatedSubject != null) {
++                ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, authenticatedSubject);
++            }
++
+             if (cmc_msgs == null) {
+                 CMS.debug(method + "parseCMC returns cmc_msgs null");
+                 return null;
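Review bot: The value read from `SessionContext.getContext()` is treated as the shared-token authenticated subject of this request, but nothing in the hunk clears the key before `parseCMC` runs; the only write visible is the `sessionContext.put(...)` in the second hunk of this file. If the session context is bound to a pooled worker thread (not verifiable from here), a subject left by an earlier request could be copied into `ctx` for a request that never passed shared-token authentication. Clearing the key just before the `parseCMC` call, or returning the subject from `parseCMC` instead of passing it through thread state, would remove that dependency. The same patch already resets the `ctx` copy in ProfileSubmitCMCServlet as a precaution. The enclosing method starts and ends outside the hunk.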
+@@ -1795,6 +1803,16 @@ public abstract class EnrollProfile extends BasicProfile
+                 auditSubjectID = ident_string;
+                 sessionContext.put(SessionContext.USER_ID, auditSubjectID);
+ 
++                // subjectdn from SharedSecret ldap auth
++                // set in context and authToken to be used by profile
++                // default and constraints plugins
++                authToken.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT,
++                        authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
++                authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT,
++                        authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
++                sessionContext.put(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT,
++                        authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
++
+                 auditMessage = CMS.getLogMessage(
+                         AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
+                         auditSubjectID,
+diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
+new file mode 100644
+index 0000000..d4554ca
+--- /dev/null
++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
+@@ -0,0 +1,129 @@
++// --- BEGIN COPYRIGHT BLOCK ---
++// This program is free software; you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation; version 2 of the License.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License along
++// with this program; if not, write to the Free Software Foundation, Inc.,
++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++//
++// (C) 2013 Red Hat, Inc.
++// All rights reserved.
++// --- END COPYRIGHT BLOCK ---
++package com.netscape.cms.profile.constraint;
++
++import java.util.Locale;
++
++import com.netscape.certsrv.apps.CMS;
++import com.netscape.certsrv.authentication.IAuthToken;
++import com.netscape.certsrv.authentication.IAuthManager;
++import com.netscape.certsrv.base.IConfigStore;
++import com.netscape.certsrv.profile.EProfileException;
++import com.netscape.certsrv.profile.ERejectException;
++import com.netscape.certsrv.profile.IPolicyDefault;
++import com.netscape.certsrv.profile.IProfile;
++import com.netscape.certsrv.property.IDescriptor;
++import com.netscape.certsrv.request.IRequest;
++import com.netscape.cms.profile.common.EnrollProfile;
++import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault;
++
++import netscape.security.x509.CertificateSubjectName;
++import netscape.security.x509.X500Name;
++import netscape.security.x509.X509CertInfo;
++
++/**
++ * This class implements the user subject name constraint for self-signed cmc requests.
++ * It makes sure the SharedSecret authenticated subjectDN and the rsulting cert match
++ *
++ * @author cfu
++ * @version $Revision$, $Date$
++ */
++public class CMCSelfSignedSubjectNameConstraint extends EnrollConstraint {
++
++    public CMCSelfSignedSubjectNameConstraint() {
++    }
++
++    public void init(IProfile profile, IConfigStore config)
++            throws EProfileException {
++        super.init(profile, config);
++    }
++
++    public IDescriptor getConfigDescriptor(Locale locale, String name) {
++        return null;
++    }
++
++    public String getDefaultConfig(String name) {
++        return null;
++    }
++
++    /**
++     * Validates the request. The request is not modified
++     * during the validation. User encoded subject name
++     * is copied into the certificate template.
++     */
++    public void validate(IRequest request, X509CertInfo info)
++            throws ERejectException {
++        String method = "CMCSelfSignedSubjectNameConstraint: ";
++        String msg = "";
++
++        CertificateSubjectName infoCertSN = null;
++        String authTokenSharedTokenSN = null;
++
++        try {
++            infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
++            if (infoCertSN == null) {
++                msg = method + "infoCertSN null";
++                CMS.debug(msg);
++                throw new Exception(msg);
++            }
++            CMS.debug(method + "validate user subject ="+
++                      infoCertSN.toString());
++            X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME);
++            if (infoCertName == null) {
++                msg = method + "infoCertName null";
++                CMS.debug(msg);
++                throw new Exception(msg);
++            }
++
++            authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
++            if (authTokenSharedTokenSN == null) {
++                msg = method + "authTokenSharedTokenSN null";
++                CMS.debug(msg);
++                throw new Exception(msg);
++            }
++            if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) {
++                CMS.debug(method + "names matched");
++            } else {
++                msg = method + "names do not match; authTokenSharedTokenSN =" +
++                        authTokenSharedTokenSN;
++                CMS.debug(msg);
++                throw new Exception(msg);
++            }
++
++        } catch (Exception e) {
++            throw new ERejectException(
++                    CMS.getUserMessage(getLocale(request),
++                        "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e);
++        }
++    }
++
++    public String getText(Locale locale) {
++        return CMS.getUserMessage(locale,
++                   "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT");
++    }
++
++    public boolean isApplicable(IPolicyDefault def) {
++        String method = "CMCSelfSignedSubjectNameConstraint: isApplicable: ";
++        if (def instanceof AuthTokenSubjectNameDefault) {
++            CMS.debug(method + "true");
++            return true;
++        }
++        CMS.debug(method + "false");
++        return false;
++    }
++}
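Review bot: The rejection path in `validate` returns `CMS.getUserMessage(...) + e`, and `e` carries `authTokenSharedTokenSN`, so the directory DN of the authenticated entry is echoed to the requester on a mismatch; keep that detail in `CMS.debug` and send only the localized message. An empty `authTokenSharedTokenSN` should be rejected like null, because ProfileSubmitCMCServlet resets this key to `""` on `ctx` rather than removing it. The match is a case-insensitive string compare of `infoCertName.getName()` with the stored DN, which relies on both sides using the same spacing and escaping (not verifiable from this hunk); comparing parsed names would be sturdier. Smaller items: the `validate` Javadoc says the subject name is copied into the certificate template, which this method does not do, `rsulting` is misspelled in the class comment, and the `IAuthManager` and `EnrollProfile` imports are unused. The fence sketches the reworked tail of `validate`.

```java
    public void validate(IRequest request, X509CertInfo info)
            throws ERejectException {
        String method = "CMCSelfSignedSubjectNameConstraint: ";
        String reason;
        try {
            // … unchanged: null-checked lookup of infoCertSN and infoCertName …

            String authTokenSharedTokenSN = request.getExtDataInString(
                    IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
            if (authTokenSharedTokenSN == null || authTokenSharedTokenSN.isEmpty()) {
                // "" is the reset value used by the servlet, so treat it as absent
                reason = "authTokenSharedTokenSN null or empty";
            } else if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) {
                CMS.debug(method + "names matched");
                return;
            } else {
                reason = "names do not match; authTokenSharedTokenSN =" + authTokenSharedTokenSN;
            }
        } catch (Exception e) {
            reason = e.toString();
        }
        // detail stays in the debug log; the requester only sees the localized message
        CMS.debug(method + reason);
        throw new ERejectException(
                CMS.getUserMessage(getLocale(request), "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED"));
    }
```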
+diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
+index e789625..85bf241 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
++++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
+@@ -140,7 +140,7 @@ public class AuthTokenSubjectNameDefault extends EnrollDefault {
+             X500Name name = new X500Name(
+                     request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
+ 
+-            CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.toString());
++            CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.getName());
+             info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name));
+         } catch (Exception e) {
+             // failed to insert subject name
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+index 12fd294..03e94a8 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+@@ -525,6 +525,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+             CMS.debug("ProfileSubmitCMCServlet: null it out");
+             ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "");
+         }
++
+         String signingCertSerialS = null;
+         if (authToken != null) {
+             signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT);
+@@ -534,6 +535,14 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+             ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
+         }
+ 
++        String tmpSharedTokenAuthenticatedCertSubject = ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
++        if (tmpSharedTokenAuthenticatedCertSubject != null) {
++            // unlikely to happen, but do this just in case
++            CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in ctx for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject);
++            CMS.debug("ProfileSubmitCMCServlet: null it out");
++            ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, "");
++        }
++
+         String errorCode = null;
+         String errorReason = null;
+         String auditRequesterID = ILogger.UNIDENTIFIED;
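Review bot: Clearing a pre-seeded TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT with `""` leaves a non-null value in ctx, and the copy added further down in this file only tests `st_sbj != null`, so an empty string can be written into the request as the authenticated subject. Whether the shared-token authenticator always overwrites the ctx entry in between is not visible here. If it does not, guarding the later copy with `if (st_sbj != null && !st_sbj.isEmpty()) {` would let only a value set by authentication reach the request. The enclosing method starts and ends outside the hunk.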
+@@ -731,13 +740,31 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
+ 
+                 tmpCertSerialS = reqs[k].getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
+                 if (tmpCertSerialS != null) {
+-                    // unlikely to happenm, but do this just in case
++                    // unlikely to happen, but do this just in case
+                     CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth:" + tmpCertSerialS);
+                     CMS.debug("ProfileSubmitCMCServlet: null it out");
+                     reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, "");
+                 }
+                 // put CMCUserSignedAuth authToken in request
+                 if (signingCertSerialS != null) {
++                     CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth");
++                     reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
++                 }
++
++                tmpSharedTokenAuthenticatedCertSubject = reqs[k].getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
++                if (tmpSharedTokenAuthenticatedCertSubject != null) {
++                    // unlikely to happen, but do this just in case
++                    CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in request for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject);
++                    CMS.debug("ProfileSubmitCMCServlet: null it out");
++                    reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, "");
++                }
++                // put Shared Token authToken in request
++                String st_sbj = (String) ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
++                if (st_sbj != null) {
++                    CMS.debug("ProfileSubmitCMCServlet: setting IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in req for CMCUserSignedAuth");
++                    reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, st_sbj);
++                }
++                if (tmpSharedTokenAuthenticatedCertSubject != null) {
+                     CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth");
+                     reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
+                 }
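Review bot: The last block of this hunk is guarded by `tmpSharedTokenAuthenticatedCertSubject != null` but writes `CRED_CMC_SIGNING_CERT` from `signingCertSerialS`, which looks like a leftover of the original `if (signingCertSerialS != null)` block rather than intended logic. When the request carried a pre-existing shared-token subject, CRED_CMC_SIGNING_CERT is set a second time without the null check that the block above applies, so `signingCertSerialS` may be null at that call. The value is already stored by the correctly guarded block a few lines earlier, so the trailing block can be deleted, or its condition restored to `if (signingCertSerialS != null) {`. The lines of that earlier block are also indented one column deeper than the surrounding code. The loop over reqs[k] starts and ends outside the hunk.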
+diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
+index 208632d..e5e6ecc 100644
+--- a/base/server/cmsbundle/src/UserMessages.properties
++++ b/base/server/cmsbundle/src/UserMessages.properties
+@@ -956,7 +956,8 @@ CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing
+ CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0}
+ CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only
+ CMS_PROFILE_CONSTRAINT_USER_SUBJECT_NAME_TEXT=This constraint accepts user subject name only
+-CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the CMC request siging cert only
++CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of user-signed CMC request only
++CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the self-signed CMC request only
+ CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days.
+ CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0}
+ CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate.
+-- 
+1.8.3.1
+
+
+From cc94db7c4c960e2f752a3d1b8687d075187f4e3d Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Wed, 1 Aug 2018 13:35:53 -0700
+Subject: [PATCH 5/9] Bug 1593805  Better understanding of
+ NSS_USE_DECODED_CKA_EC_POINT for ECC
+
+This patch removes the outdated reference to EC environment variable
+NSS_USE_DECODED_CKA_EC_POINT for ECC in the HttpClient command line usage.
+
+More info in the usage are updated as well for correctness and clarity.
+
+Change-Id: I562e2c0cd86f91369f347b38cc660cc3cee585b9
+(cherry picked from commit 6eef4f5cb83cd4b7e2c45ad6a44ba453392ec051)
+---
+ .../src/com/netscape/cmstools/HttpClient.java      | 32 ++++++++++++----------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+index fcaf210..28934ab 100644
+--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+@@ -251,43 +251,47 @@ public class HttpClient {
+         System.out.println("The configuration file should look like as follows:");
+         System.out.println("");
+         System.out.println("#host: host name for the http server");
+-        System.out.println("host=host1.a.com");
++        System.out.println("host=host.example.com");
+         System.out.println("");
+         System.out.println("#port: port number");
+-        System.out.println("port=1025");
++        System.out.println("port=8443");
+         System.out.println("");
+         System.out.println("#secure: true for secure connection, false for nonsecure connection");
+-        System.out.println("#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command");
+         System.out.println("secure=false");
+         System.out.println("");
+         System.out.println("#input: full path for the enrollment request, the content must be in binary format");
+-        System.out.println("input=/u/doc/cmcReqCRMFBin");
++        System.out.println("input=~/cmcReqCRMFBin");
+         System.out.println("");
+         System.out.println("#output: full path for the response in binary format");
+-        System.out.println("output=/u/doc/cmcResp");
++        System.out.println("#output could be parsed by running CMCResponse");
++        System.out.println("output=~/cmcResp");
+         System.out.println("");
+-        System.out.println("#tokenname: name of token where SSL client authentication cert can be found (default is internal)");
++        System.out.println("#dbdir: directory for NSS certificate/key databases");
+         System.out.println("#This parameter will be ignored if secure=false");
+-        System.out.println("tokenname=hsmname");
++        System.out.println("dbdir=/.dogtag/nssdb");
+         System.out.println("");
+-        System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db");
++        System.out.println("#password: password for NSS database");
++        System.out.println("#This parameter will be ignored if secure=false and clientmode=false");
++        System.out.println("password=");
++        System.out.println("");
++        System.out.println("#tokenname: name of token where SSL client authentication cert for nickname can be found (default is internal)");
+         System.out.println("#This parameter will be ignored if secure=false");
+-        System.out.println("dbdir=/u/smith/.netscape");
++        System.out.println("tokenname=internal");
+         System.out.println("");
+         System.out.println("#clientmode: true for client authentication, false for no client authentication");
+         System.out.println("#This parameter will be ignored if secure=false");
+         System.out.println("clientmode=false");
+         System.out.println("");
+-        System.out.println("#password: password for cert8.db");
+-        System.out.println("#This parameter will be ignored if secure=false and clientauth=false");
+-        System.out.println("password=");
+-        System.out.println("");
+         System.out.println("#nickname: nickname for client certificate");
+         System.out.println("#This parameter will be ignored if clientmode=false");
+         System.out.println("nickname=");
+         System.out.println("");
+         System.out.println("#servlet: target URL");
+-        System.out.println("#This parameter may include query parameters");
++        System.out.println("#This parameter may include query parameters;");
++        System.out.println("#  - reminder: profileId should be a profile that matches");
++        System.out.println("#    the intended certificate; for certificates intended");
++        System.out.println("#    for SSL (client or server), profiles should match");
++        System.out.println("#    the key type (RSA or EC) of the keys generated for CSR;");
+         System.out.println("servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert");
+         System.out.println("");
+         System.exit(0);
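Review bot: The sample value `dbdir=/.dogtag/nssdb` points at the filesystem root while the other new samples use `~/`; it reads like a dropped `~`, i.e. `System.out.println("dbdir=~/.dogtag/nssdb");`. The `input` and `output` comments still say "full path", and whether HttpClient expands `~` itself is not visible in this hunk (Java file APIs do not), so absolute sample paths or a line stating that `~` is accepted would avoid a confusing failure. Since the usage text now documents `password=` for the NSS database right after `dbdir`, a line such as `System.out.println("#keep this file readable by its owner only");` would be a useful reminder. The enclosing method starts outside the hunk.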
+-- 
+1.8.3.1
+
+
+From 70b933bc570ec288037c2b5e853dbe8f9ab83571 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 2 Aug 2018 10:33:08 +0300
+Subject: [PATCH 6/9] ConfigurationUtil: support new format for
+ nsds5replicaLastInitStatus value
+
+pkispawn is reading the attribute nsds5replicaLastInitStatus in
+cn=masterAgreement1-$hostname-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping
+tree,cn=config in order to find the replication status.  The new format
+(in 389-ds-base-1.3.7) for this attribute is "Error (0) Total update
+succeeded" but pkispawn is expecting "0 Total update succeeded"
+
+389-ds-base introduced this change with https://pagure.io/389-ds-base/issue/49599
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1596629
+(cherry picked from commit 151ecf63106425cada104d141a81722570ba2b28)
+---
+ .../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index 7f5341a..d8b4965 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -2053,7 +2053,7 @@ public class ConfigurationUtils {
+             }
+ 
+             String status = replicationStatus(replicadn, masterConn, masterAgreementName);
+-            if (!status.startsWith("0 ")) {
++            if (!(status.startsWith("Error (0) ") || status.startsWith("0 "))) {
+                 CMS.debug("setupReplication: consumer initialization failed. " + status);
+                 throw new IOException("consumer initialization failed. " + status);
+             }
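Review bot: The two accepted prefixes are unexplained in the code; a comment above the check would keep the older form from being removed as dead code later, e.g. `// 389-ds-base 1.3.7+ reports "Error (0) Total update succeeded"; older versions report "0 Total update succeeded"`. The check also dereferences `status` directly, so if replicationStatus() can return null (not visible in this hunk) the failure surfaces as a NullPointerException instead of the IOException thrown below. Writing the test as `if (status == null || !(status.startsWith("Error (0) ") || status.startsWith("0 "))) {` would route that case to the same error path. The enclosing method starts and ends outside the hunk.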
+-- 
+1.8.3.1
+
+
+From 3ad4c2b779a4bb9f993e6886597812904353d2b0 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Thu, 2 Aug 2018 09:31:50 -0700
+Subject: [PATCH 7/9] Bug1608375 - CMC Revocations throws exception with same
+ reqIssuer & certissuer
+
+This patch resolves the possible encoding mismatch between the actual CA cert
+and the X500Name gleaned from the CMC revocation request.
+
+Change-Id: I220f5d656a69c90fa02ba38fa21b069ed7d15a9d
+(cherry picked from commit 4a085b2ea3ee0f89ef2e49e1c0dbee2e36abd248)
+---
+ .../cms/authentication/CMCUserSignedAuth.java       | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+index a9a7ade..97971dd 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+@@ -83,6 +83,7 @@ import com.netscape.certsrv.base.EBaseException;
+ import com.netscape.certsrv.base.IConfigStore;
+ import com.netscape.certsrv.base.IExtendedPluginInfo;
+ import com.netscape.certsrv.base.SessionContext;
++import com.netscape.certsrv.ca.ICertificateAuthority;
+ import com.netscape.certsrv.logging.ILogger;
+ import com.netscape.certsrv.logging.event.CMCUserSignedRequestSigVerifyEvent;
+ import com.netscape.certsrv.profile.EProfileException;
+@@ -497,13 +498,27 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
+                                     // to CMCOutputTemplate so that we can
+                                     // have a chance to capture user identification info
+                                     if (issuerANY != null) {
++                                        // get CA signing cert
++                                        ICertificateAuthority ca = null;
++                                        ca = (ICertificateAuthority) CMS.getSubsystem("ca");
++                                        X500Name caName = ca.getX500Name();
++
+                                         try {
+                                             byte[] issuerBytes = issuerANY.getEncoded();
+-                                            X500Name issuerName = new X500Name(issuerBytes);
+-                                            CMS.debug(method + "revRequest issuer name = " + issuerName.toString());
++                                            X500Name reqIssuerName = new X500Name(issuerBytes);
++                                            String reqIssuerNameStr = reqIssuerName.getName();
++                                            CMS.debug(method + "revRequest issuer name = " + reqIssuerNameStr);
++                                            if (reqIssuerNameStr.equalsIgnoreCase(caName.getName())) {
++                                                // making sure it's identical, even in encoding
++                                                reqIssuerName = caName;
++                                            } else {
++                                                // not this CA; will be bumped off later;
++                                                // make a note in debug anyway
++                                                CMS.debug(method + "revRequest issuer name doesn't match our CA; will be bumped off later;");
++                                            }
+                                             // capture issuer principal to be checked against
+                                             // cert issuer principal later in CMCOutputTemplate
+-                                            auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, issuerName);
++                                            auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, reqIssuerName);
+                                         } catch (Exception e) {
+                                             CMS.debug(method + "failed getting issuer from RevokeRequest:" + e.toString());
+                                         }
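Review bot: The CA lookup added above the `try` is not covered by it: if `CMS.getSubsystem("ca")` returns null, `ca.getX500Name()` throws a NullPointerException out of the authentication path instead of being logged like the other issuer-parsing failures. Moving the lookup inside the `try` and testing it, `ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem("ca");` followed by `if (ca != null && reqIssuerNameStr.equalsIgnoreCase(ca.getX500Name().getName())) {`, keeps the behaviour unchanged when the subsystem is present. A comment stating that the comparison is case-insensitive on purpose, and that the issuer check itself happens later in CMCOutputTemplate, would tell the next reader what this substitution does and does not decide. The enclosing block starts outside the hunk.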
+-- 
+1.8.3.1
+
+
+From a1130e298048b106fb6febcfe9f88fea0d733e6a Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Wed, 8 Aug 2018 18:41:52 -0700
+Subject: [PATCH 8/9] Ticket #3041 Enable all config audit events
+
+This patch enables the audit events concerning role actions (mostly config)
+by default.
+
+Two additional minor issues are also addressed:
+1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert
+   (bugzilla #1610718)
+2. removing unrecommended signing algorithms
+
+fixes: https://pagure.io/dogtagpki/issue/3041
+Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d
+(cherry picked from commit 5e9876da3fa7c1587b96e983f36ee2830398c099)
+---
+ base/ca/shared/conf/CS.cfg                                        | 2 +-
+ base/ca/shared/profiles/ca/caDirUserCert.cfg                      | 2 +-
+ base/ca/shared/profiles/ca/caECDirUserCert.cfg                    | 2 +-
+ base/kra/shared/conf/CS.cfg                                       | 2 +-
+ base/ocsp/shared/conf/CS.cfg                                      | 2 +-
+ .../netscape/cms/profile/common/ServerCertCAEnrollProfile.java    | 2 +-
+ .../com/netscape/cms/profile/common/UserCertCAEnrollProfile.java  | 2 +-
+ base/server/cmsbundle/src/LogMessages.properties                  | 2 +-
+ base/tks/shared/conf/CS.cfg                                       | 2 +-
+ base/tps/shared/conf/CS.cfg                                       | 2 +-
+ base/util/src/netscape/security/x509/AlgorithmId.java             | 8 ++++----
+ 11 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index fcd85a2..6158d5a 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
+ log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
+ log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
+ log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
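Review bot: The six new events are appended after CERT_STATUS_CHANGE_REQUEST_PROCESSED rather than merged into the otherwise alphabetical list, which makes it harder to check by eye which audit events are enabled; the CONFIG_ACL additions in the kra, ocsp, tks and tps CS.cfg hunks follow the same pattern. Keeping the list sorted (for example CONFIG_ACL before CONFIG_AUTH) keeps later diffs of this long line reviewable. These files appear to be the shipped defaults, and whether already-deployed instances pick up the added events is not visible in this patch, so operators may need to compare `log.instance.SignedAudit.events` in existing instances against the new default.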
+diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
+index f12c7ed..0b7f6b7 100644
+--- a/base/ca/shared/profiles/ca/caDirUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
+@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
+ policyset.userCertSet.2.default.params.startTime=0
+ policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.userCertSet.3.constraint.name=Key Constraint
+-policyset.userCertSet.3.constraint.params.keyType=EC
++policyset.userCertSet.3.constraint.params.keyType=RSA
+ policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+ policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.userCertSet.3.default.name=Key Default
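Review bot: With `keyType` corrected to RSA, the context line `keyParameters=1024,2048,3072,4096` is the list this key constraint is configured with, and it still admits 1024-bit RSA keys. The same commit removes the MD2 and MD5 signing algorithms as unrecommended, so dropping the 1024 entry here would be consistent: `policyset.userCertSet.3.constraint.params.keyParameters=2048,3072,4096`. If 1024 has to stay for existing enrollments, that reason should be recorded in the commit message or next to the setting.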
+diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+index 0663b40..b65999e 100644
+--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
+ policyset.userCertSet.2.default.params.startTime=0
+ policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.userCertSet.3.constraint.name=Key Constraint
+-policyset.userCertSet.3.constraint.params.keyType=-
++policyset.userCertSet.3.constraint.params.keyType=EC
+ policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+ policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.userCertSet.3.default.name=Key Default
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index f314234..878e5f8 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -304,7 +304,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL
+ log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)
+ log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
+ log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)
+diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg
+index dc993b0..b412e5e 100644
+--- a/base/ocsp/shared/conf/CS.cfg
++++ b/base/ocsp/shared/conf/CS.cfg
+@@ -220,7 +220,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
+ log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
+ log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
+ log.instance.SignedAudit.expirationTime=0
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
+index a1a83a4..2dcf9c1 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
+@@ -77,7 +77,7 @@ public class ServerCertCAEnrollProfile extends CAEnrollProfile
+         defConfig4
+                 .putString(
+                         "params.signingAlgsAllowed",
+-                        "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
++                        "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
+ 
+         IProfilePolicy policy5 =
+                 createProfilePolicy("set1", "p5",
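Review bot: `params.signingAlgsAllowed` still lists `SHA1withRSA` and `SHA1withEC` after MD5withRSA and MD2withRSA are removed, so profiles built from this default keep allowing SHA-1 signatures; the UserCertCAEnrollProfile hunk carries the identical string and the AlgorithmId hunk keeps both SHA-1 entries as well. If SHA-1 is retained deliberately for compatibility, a comment next to the literal should say so; otherwise the list can be limited to the SHA-2 entries. The literal also duplicates the arrays in AlgorithmId, so the two can drift apart; whether this class can build the string from `AlgorithmId.ALL_SIGNING_ALGORITHMS` is not visible in the hunk. The enclosing method starts and ends outside the hunk.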
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
+index 710a461..9b1eacb 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
+@@ -79,7 +79,7 @@ public class UserCertCAEnrollProfile extends CAEnrollProfile
+         defConfig4
+                 .putString(
+                         "params.signingAlgsAllowed",
+-                        "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
++                        "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
+ 
+         IProfilePolicy policy5 =
+                 createProfilePolicy("set1", "p5",
+diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
+index 7963f6f..d534506 100644
+--- a/base/server/cmsbundle/src/LogMessages.properties
++++ b/base/server/cmsbundle/src/LogMessages.properties
+@@ -2133,7 +2133,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authenticatio
+ #           and to be approved by an agent
+ # Op must be "approve" or "disapprove"
+ #
+-LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval
++LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval
+ #
+ # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION
+ # - used for proof of possession during certificate enrollment processing
+diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
+index d1da996..e9bf03e 100644
+--- a/base/tks/shared/conf/CS.cfg
++++ b/base/tks/shared/conf/CS.cfg
+@@ -212,7 +212,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
+ log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
+ log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
+ log.instance.SignedAudit.expirationTime=0
+diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
+index c44bc75..3671100 100644
+--- a/base/tps/shared/conf/CS.cfg
++++ b/base/tps/shared/conf/CS.cfg
+@@ -229,7 +229,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER,CONFIG_ACL
+ log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
+ log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
+ log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure)
+diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java
+index ae5975a..012575c 100644
+--- a/base/util/src/netscape/security/x509/AlgorithmId.java
++++ b/base/util/src/netscape/security/x509/AlgorithmId.java
+@@ -798,17 +798,17 @@ public class AlgorithmId implements Serializable, DerEncoder {
+      * Supported signing algorithms for a RSA key.
+      */
+     public static final String[] RSA_SIGNING_ALGORITHMS = new String[]
+-    { "SHA1withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "MD5withRSA", "MD2withRSA" };
++    { "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA" };
+ 
+     public static final String[] EC_SIGNING_ALGORITHMS = new String[]
+-    { "SHA1withEC", "SHA256withEC", "SHA384withEC", "SHA512withEC" };
++    { "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" };
+ 
+     /**
+      * All supported signing algorithms.
+      */
+     public static final String[] ALL_SIGNING_ALGORITHMS = new String[]
+     {
+-            "SHA1withRSA", "MD5withRSA", "MD2withRSA", "SHA1withDSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withEC",
+-            "SHA256withEC", "SHA384withEC", "SHA512withEC" };
++            "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA",
++            "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" };
+ 
+ }
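Review bot: `ALL_SIGNING_ALGORITHMS` loses `SHA1withDSA` in addition to the MD2 and MD5 entries, which the commit message does not mention, and all three arrays are reordered with the SHA-1 entry last; the Javadoc should state both, e.g. `SHA-2 entries first; SHA-1 is kept last for compatibility. DSA is no longer listed.` Whether any caller treats index 0 as the default is not visible in the hunk, so the reordering may or may not change behaviour. `EC_SIGNING_ALGORITHMS` has no Javadoc at all, unlike its two neighbours. Because these are `public static final String[]`, any code in the JVM can overwrite an element of the allowed-algorithm lists; that cannot be changed here without affecting callers, but a `// callers must not modify` note would at least record the expectation.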
+-- 
+1.8.3.1
+
+
+From a7df5434dd8b32d549abff80173653350fd9a7c4 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Fri, 10 Aug 2018 14:04:14 -0700
+Subject: [PATCH 9/9] Ticket #2481 ECC keys not supported for signing audit
+ logs
+
+This patch addes support for ECC audit log signing key.
+All enrollment profiles for audit signing certificate are updated to allow that.
+
+fixes https://pagure.io/dogtagpki/issue/2481
+
+Change-Id: Idedd3cc2ed7655e73ee87ebcd0087ea17fb57f3f
+(cherry picked from commit 435ede04d525d8816345271a887753a620795d56)
+---
+ base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg          | 4 ++--
+ base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caSignedLogCert.cfg                | 8 ++++----
+ base/java-tools/src/com/netscape/cmstools/AuditVerify.java    | 6 +++---
+ base/server/cms/src/com/netscape/cms/logging/LogFile.java     | 8 +++-----
+ 5 files changed, 14 insertions(+), 16 deletions(-)
+
+diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
+index ff4856c..642e67b 100644
+--- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
++++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
+@@ -29,8 +29,8 @@ policyset.auditSigningCertSet.2.default.params.range=720
+ policyset.auditSigningCertSet.2.default.params.startTime=0
+ policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.auditSigningCertSet.3.constraint.name=Key Constraint
+-policyset.auditSigningCertSet.3.constraint.params.keyType=RSA
+-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
++policyset.auditSigningCertSet.3.constraint.params.keyType=-
++policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
+ policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.auditSigningCertSet.3.default.name=Key Default
+ policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
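Review bot: The widened `keyParameters` list still accepts `1024`, so with `keyType=-` this profile keeps issuing audit-signing certificates for 1024-bit RSA keys, which is below the 2048-bit minimum in current guidance. Consider `policyset.auditSigningCertSet.3.constraint.params.keyParameters=2048,3072,4096,nistp256,nistp384,nistp521`. `nistp384` is absent from the added curves while `nistp256` and `nistp521` are present; if that omission is deliberate it deserves a comment in the profile. The same list appears in the hunks for caInternalAuthAuditSigningCert.cfg and caSignedLogCert.cfg.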
+diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
+index b850f1c..4acaab7 100644
+--- a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
++++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
+@@ -31,7 +31,7 @@ policyset.auditSigningCertSet.2.default.params.startTime=0
+ policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.auditSigningCertSet.3.constraint.name=Key Constraint
+ policyset.auditSigningCertSet.3.constraint.params.keyType=-
+-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
++policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
+ policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.auditSigningCertSet.3.default.name=Key Default
+ policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
+@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
+ policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
+ policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.auditSigningCertSet.9.constraint.name=No Constraint
+-policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.auditSigningCertSet.9.default.name=Signing Alg
+ policyset.auditSigningCertSet.9.default.params.signingAlg=-
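Review bot: `signingAlgsAllowed` drops the MD5 and MD2 entries but still admits `SHA1withRSA`, `SHA1withDSA` and `SHA1withEC`, so an audit-signing certificate can still be issued with a SHA-1 signature. If SHA-1 has to stay for compatibility, say so in the profile; otherwise the line could read `policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`. `SHA1withDSA` in particular was removed from `AlgorithmId.ALL_SIGNING_ALGORITHMS` by the previous patch in this series, so the profile and the code now disagree. The constraint is also still named `No Constraint` although its class is `signingAlgConstraintImpl`. The same applies to the `caLogSigningSet.9` hunk in caSignedLogCert.cfg.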
+diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
+index 6fdb8b5..c568572 100644
+--- a/base/ca/shared/profiles/ca/caSignedLogCert.cfg
++++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
+@@ -3,7 +3,7 @@ visible=true
+ enable=true
+ enableBy=admin
+ auth.class_id=
+-name=Manual Log Signing Certificate Enrollment
++name=Manual Audit Log Signing Certificate Enrollment
+ input.list=i1,i2
+ input.i1.class_id=certReqInputImpl
+ input.i2.class_id=submitterInfoInputImpl
+@@ -29,8 +29,8 @@ policyset.caLogSigningSet.2.default.params.range=720
+ policyset.caLogSigningSet.2.default.params.startTime=0
+ policyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl
+ policyset.caLogSigningSet.3.constraint.name=Key Constraint
+-policyset.caLogSigningSet.3.constraint.params.keyType=RSA
+-policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096
++policyset.caLogSigningSet.3.constraint.params.keyType=-
++policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
+ policyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl
+ policyset.caLogSigningSet.3.default.name=Key Default
+ policyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl
+@@ -68,7 +68,7 @@ policyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Defaul
+ policyset.caLogSigningSet.8.default.params.critical=false
+ policyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.caLogSigningSet.9.constraint.name=No Constraint
+-policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.caLogSigningSet.9.default.name=Signing Alg
+ policyset.caLogSigningSet.9.default.params.signingAlg=-
+diff --git a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
+index 7693ba3..be9c0ed 100644
+--- a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
++++ b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
+@@ -25,7 +25,6 @@ import java.io.FilenameFilter;
+ import java.io.IOException;
+ import java.security.PublicKey;
+ import java.security.Signature;
+-import java.security.interfaces.DSAPublicKey;
+ import java.security.interfaces.RSAPublicKey;
+ import java.util.List;
+ import java.util.StringTokenizer;
+@@ -34,6 +33,7 @@ import java.util.Vector;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.crypto.ObjectNotFoundException;
+ import org.mozilla.jss.crypto.X509Certificate;
++import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+ 
+ import com.netscape.cmsutil.util.Utils;
+ 
+@@ -159,8 +159,8 @@ public class AuditVerify {
+         String sigAlgorithm = null;
+         if (pubk instanceof RSAPublicKey) {
+             sigAlgorithm = "SHA-256/RSA";
+-        } else if (pubk instanceof DSAPublicKey) {
+-            sigAlgorithm = "SHA-256/DSA";
++        } else if (pubk instanceof PK11ECPublicKey) {
++            sigAlgorithm = "SHA-256/EC";
+         } else {
+             throw new Exception("Unknown signing certificate key type: " + pubk.getAlgorithm());
+         }
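Review bot: The EC branch tests for the JSS class `PK11ECPublicKey`, while the RSA branch tests the JCA interface `RSAPublicKey` and the matching change in LogFile.java compares `getAlgorithm()`. A check on the algorithm name, `} else if ("EC".equalsIgnoreCase(pubk.getAlgorithm())) {`, would keep signer and verifier in step and would not depend on the provider's concrete key class. The DSA branch is replaced rather than kept alongside, so verifying a log signed with a DSA key now ends in the "Unknown signing certificate key type" exception. If that is intended, a comment above the chain should state that DSA audit signing is no longer supported. The enclosing method starts and ends outside the hunk.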
+diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+index 74a8ada..b04f70d 100644
+--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
++++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+@@ -41,8 +41,6 @@ import java.security.PrivateKey;
+ import java.security.Provider;
+ import java.security.Signature;
+ import java.security.SignatureException;
+-import java.security.interfaces.DSAPrivateKey;
+-import java.security.interfaces.RSAPrivateKey;
+ import java.text.ParseException;
+ import java.text.SimpleDateFormat;
+ import java.util.Date;
+@@ -611,10 +609,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
+             mSigningKey = cm.findPrivKeyByCert(cert);
+ 
+             String sigAlgorithm;
+-            if (mSigningKey instanceof RSAPrivateKey) {
++            if (mSigningKey.getAlgorithm().equalsIgnoreCase("RSA")) {
+                 sigAlgorithm = "SHA-256/RSA";
+-            } else if (mSigningKey instanceof DSAPrivateKey) {
+-                sigAlgorithm = "SHA-256/DSA";
++            } else if (mSigningKey.getAlgorithm().equalsIgnoreCase("EC")) {
++                sigAlgorithm = "SHA-256/EC";
+             } else {
+                 throw new NoSuchAlgorithmException("Unknown private key type");
+             }
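Review bot: The fallback `NoSuchAlgorithmException("Unknown private key type")` does not name the algorithm that was rejected, unlike the matching message in AuditVerify.java, which makes a misconfigured audit signing key harder to diagnose. Read the name once with `String keyAlg = mSigningKey.getAlgorithm();` and end the chain with `throw new NoSuchAlgorithmException("Unknown private key type: " + keyAlg);`. Writing the two comparisons constant-first (`"RSA".equalsIgnoreCase(keyAlg)`) would also avoid a NullPointerException should a provider return null from `getAlgorithm()`. The enclosing method starts and ends outside the hunk.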
+-- 
+1.8.3.1
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index f41db06..adf53aa 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -66,12 +66,12 @@
 Name:             pki-core
 %if 0%{?rhel}
 Version:                10.5.1
-%define redhat_release  14
+%define redhat_release  15
 %define redhat_stage    0
 #%define default_release %{redhat_release}.%{redhat_stage}
 %define default_release %{redhat_release}
 %else
-Version:                10.5.9
+Version:                10.5.12
 %define fedora_release  1
 %define fedora_stage    0
 #%define default_release %{fedora_release}.%{fedora_stage}
@@ -220,6 +220,7 @@ Patch8:           pki-core-10.5.1-batch-1.1.patch
 Patch9:           pki-core-10.5.1-batch-2.0.patch
 Patch10:          pki-core-10.5.1-batch-2.1.patch
 Patch11:          pki-core-10.5.1-batch-3.0.patch
+Patch12:          pki-core-10.5.1-batch-4.0.patch
 
 # Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
 #
@@ -832,6 +833,7 @@ This package is a part of the PKI Core used by the Certificate System.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 
 %clean
 %{__rm} -rf %{buildroot}
@@ -1370,6 +1372,31 @@ fi
 %endif # %{with server}
 
 %changelog
+* Mon Aug 13 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-15
+- ##########################################################################
+- # RHEL 7.5:
+- ##########################################################################
+- Bugzilla Bug #1600905 - pki console configurations that involves ldap
+  passwords leave the plain text password in signed audit logs
+  [rhel-7.5.z] (cfu)
+- Bugzilla Bug #1611245 - Certificate generation happens with partial
+  attributes in CMCRequest file [rhel-7.5.z] (cfu)
+- Bugzilla Bug #1611250 - Better understanding of
+  NSS_USE_DECODED_CKA_EC_POINT for ECC [rhel-7.5.z] (cfu)
+- Bugzilla Bug #1612880 - CMC Revocations throws exception with
+  same reqIssuer & certissuer [rhel-7.5.z] (cfu)
+- Bugzilla Bug #1614837 - ipa-replica-install --setup-kra broken on
+  DL0 with latest version [rhel-7.5.z] (abokovoy)
+- Bugzilla Bug #1614839 - CC: Enable all config audit events
+  [rhel-7.5.z] (cfu)
+- Bugzilla Bug #1615266 - ECC keys not supported for signing audit
+  logs [rhel-7.5.z] (cfu)
+- ##########################################################################
+- # RHCS 9.3:
+- ##########################################################################
+- # Bugzilla Bug #1539933 - keyGen fails when only Identity
+  # certificate exists. [rhcs-9.3.z] (jmagne)
+
 * Mon Jul  2 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-14
 - Updated "jss" build and runtime requirements (mharmsen)
 - Updated "tomcatjss" build and runtime requirements (mharmsen)