[pki-tks] - Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 - Bugzilla Bug #620925 - CC: auditor needs
kwright
kwright at fedoraproject.org
Tue Feb 8 00:43:46 UTC 2011
commit 5c2201e2508101d3e1a8f4b3d6dbfda9073c0915
Author: Kevin Wright <kwright at redhat.com>
Date: Mon Feb 7 16:43:43 2011 -0800
- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0
- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs
in the java subsystems
- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml
as part of CC interface review
- Bugzilla Bug #583823 - CC: Auditing issues found as result of
CC - interface review
- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be
generated on TKS instead of TPS.
- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable
a CA that it serves
- Bugzilla Bug #504061 - ECC: unable to install subsystems - phase 1
- Bugzilla Bug #637330 - CC feature: Key Management - provide signature
verification functions (JAVA subsystems)
- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and
port forwarding for agent services
- Bugzilla Bug #631179 - Administrator is not allowed to remove
ocsp signing certificate using console
- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of
signature algorithm; and for ECC curves
- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release --
DRM and TKS do not seem to have CRL checking enabled
- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help
correctly set up CC environment
- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports
to talk to CA and complete configuration in DonePanel
- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
- Bugzilla Bug #489385 - references to rhpki
- Bugzilla Bug #649910 - Console: an auditor or agent can be added to
an administrator group.
- Bugzilla Bug #632425 - Port to tomcat6
- Bugzilla Bug #638377 - Generate PKI UI components which exclude
a GUI interface
- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets
as expected
- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for
validity
- Bugzilla Bug #643206 - New CMake based build system for Dogtag
- Bugzilla Bug #499494 - change CA defaults to SHA2
- Bugzilla Bug #649343 - Publishing queue should recover from CA crash.
- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and
pkiCA, obsolete 2252 and 2256
- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source
repository
- Bugzilla Bug #663546 - Disable the functionalities that are not exposed
in the console
- Bugzilla Bug #656733 - Standardize jar install location and jar names
- Bugzilla Bug #661142 - Verification should fail when
a revoked certificate is added
- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time
interface is no longer available through console
- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During
CRL Generation
- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing
information
- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml
as part of the CC interface review
- Bugzilla Bug #656665 - Please Update Spec File to use 'ghost' on files
in /var/run and /var/lock
- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem
instances
.gitignore | 1 +
clog | 61 ++++++++++++
pki-tks.spec | 291 ++++++++++++++++++++++++++++++++++++++++------------------
sources | 2 +-
4 files changed, 264 insertions(+), 91 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 9dcb1c2..505cf13 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
pki-tks-1.3.2.tar.gz
pki-tks-1.3.3.tar.gz
+/pki-tks-9.0.0.tar.gz
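Review bot: The added pattern on the last line is anchored with a leading slash ('/pki-tks-9.0.0.tar.gz') while the two existing entries are not, and the 1.3.2 and 1.3.3 entries stay even though sources now lists only the 9.0.0 tarball. Pick one pattern style for the file and consider dropping the stale entries in the same change.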
diff --git a/clog b/clog
new file mode 100644
index 0000000..b96e31b
--- /dev/null
+++ b/clog
@@ -0,0 +1,61 @@
+- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0
+- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs
+ in the java subsystems
+- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml
+ as part of CC interface review
+- Bugzilla Bug #583823 - CC: Auditing issues found as result of
+ CC - interface review
+- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be
+ generated on TKS instead of TPS.
+- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable
+ a CA that it serves
+- Bugzilla Bug #504061 - ECC: unable to install subsystems - phase 1
+- Bugzilla Bug #637330 - CC feature: Key Management - provide signature
+ verification functions (JAVA subsystems)
+- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and
+ port fowarding for agent services
+- Bugzilla Bug #631179 - Administrator is not allowed to remove
+ ocsp signing certificate using console
+- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of
+ signature algorithm; and for ECC curves
+- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release --
+ DRM and TKS do not seem to have CRL checking enabled
+- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help
+ correctly set up CC environment
+- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports
+ to talk to CA and complete configuration in DonePanel
+- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
+- Bugzilla Bug #489385 - references to rhpki
+- Bugzilla Bug #649910 - Console: an auditor or agent can be added to
+ an administrator group.
+- Bugzilla Bug #632425 - Port to tomcat6
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude
+ a GUI interface
+- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets
+ as expected
+- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for
+ validity
+- Bugzilla Bug #643206 - New CMake based build system for Dogtag
+- Bugzilla Bug #499494 - change CA defaults to SHA2
+- Bugzilla Bug #649343 - Publishing queue should recover from CA crash.
+- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and
+ pkiCA, obsolete 2252 and 2256
+- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source
+ repository
+- Bugzilla Bug #663546 - Disable the functionalities that are not exposed
+ in the console
+- Bugzilla Bug #656733 - Standardize jar install location and jar names
+- Bugzilla Bug #661142 - Verification should fail when
+ a revoked certificate is added
+- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time
+ interface is no longer available through console
+- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During
+ CRL Generation
+- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing
+ information
+- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml
+ as part of the CC interface review
+- Bugzilla Bug #656665 - Please Update Spec File to use 'ghost' on files
+ in /var/run and /var/lock
+- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem
+ instances
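Review bot: The 61 lines of clog repeat the 9.0.0-1 %changelog entry from pki-tks.spec verbatim, so the same text is now tracked in two places and can drift. clog is the name of the scratch file that 'fedpkg clog' writes from the spec changelog for use as a commit message; if that is how this file was produced, leave it out of the commit and list it in .gitignore. The text also carries Bug #583825 twice, once near the top and again near the end with slightly different wording; keep one.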
diff --git a/pki-tks.spec b/pki-tks.spec
index 8784ac8..07549aa 100644
--- a/pki-tks.spec
+++ b/pki-tks.spec
@@ -1,120 +1,229 @@
-Name: pki-tks
-Version: 1.3.3
-Release: 1%{?dist}
-Summary: Dogtag Certificate System - Token Key Service
-URL: http://pki.fedoraproject.org/
-License: GPLv2
-Group: System Environment/Daemons
-
-BuildArch: noarch
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-
-BuildRequires: ant
-BuildRequires: java-devel >= 1:1.6.0
-BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6
-BuildRequires: pki-common
-BuildRequires: pki-util
-BuildRequires: tomcatjss
-
-Requires: java >= 1:1.6.0
-Requires: pki-tks-ui
-Requires: pki-common
-Requires: pki-console
-Requires: pki-selinux
-Requires: pki-silent
-Requires(post): chkconfig
-Requires(preun): chkconfig
-Requires(preun): initscripts
-Requires(postun): initscripts
-
-Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
+Name: pki-tks
+Version: 9.0.0
+Release: 1%{?dist}
+Summary: Certificate System - Token Key Service
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Daemons
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: jpackage-utils
+BuildRequires: jss >= 4.2.6-12
+BuildRequires: nspr-devel
+BuildRequires: nss-devel
+BuildRequires: pki-common
+BuildRequires: pki-util
+
+Requires: java >= 1:1.6.0
+Requires: pki-common
+Requires: pki-selinux
+Requires: pki-tks-theme
+Requires(post): chkconfig
+Requires(preun): chkconfig
+Requires(preun): initscripts
+Requires(postun): initscripts
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+Requires: initscripts
+%endif
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
%description
-Dogtag Certificate System is an enterprise software system designed
+Certificate System (CS) is an enterprise software system designed
to manage enterprise Public Key Infrastructure (PKI) deployments.
-The Dogtag Token Key Service is an optional PKI subsystem that
-manages the master key(s) and the transport key(s) required to generate and
-distribute keys for hardware tokens. Dogtag Token Key Service provides
-the security between tokens and an instance of Dogtag Token Processing System,
-where the security relies upon the relationship between the master key
-and the token keys. A Dogtag Token Processing System communicates with a
-Dogtag Token Key Service over SSL using client authentication.
+The Token Key Service (TKS) is an optional PKI subsystem that manages the
+master key(s) and the transport key(s) required to generate and distribute
+keys for hardware tokens. TKS provides the security between tokens and an
+instance of Token Processing System (TPS), where the security relies upon the
+relationship between the master key and the token keys. A TPS communicates
+with a TKS over SSL using client authentication.
+
+TKS helps establish a secure channel (signed and encrypted) between the token
+and the TPS, provides proof of presence of the security token during
+enrollment, and supports key changeover when the master key changes on the
+TKS. Tokens with older keys will get new token keys.
+
+Because of the sensitivity of the data that TKS manages, TKS should be set up
+behind the firewall with restricted access.
-Dogtag Token Key Service helps establish a secure channel (signed and
-encrypted) between the token and the Dogtag Token Processing System,
-provides proof of presence of the security token during enrollment, and
-supports key changeover when the master key changes on the
-Dogtag Token Key Service. Tokens with older keys will get new token keys.
+For deployment purposes, a TKS requires the following components from the PKI
+Core package:
+
+ * pki-setup
+ * pki-native-tools
+ * pki-util
+ * pki-java-tools
+ * pki-common
+ * pki-selinux
+
+and can also make use of the following optional components from the PKI Core
+package:
+
+ * pki-util-javadoc
+ * pki-java-tools-javadoc
+ * pki-common-javadoc
+ * pki-silent
+
+Additionally, Certificate System requires ONE AND ONLY ONE of the following
+"Mutually-Exclusive" PKI Theme packages:
+
+ * dogtag-pki-theme (Dogtag Certificate System deployments)
+ * redhat-pki-theme (Red Hat Certificate System deployments)
-Because of the sensitivity of the data that Dogtag Token Key Service manages,
-Dogtag Token Key Service should be set up behind the firewall with
-restricted access.
%prep
+
%setup -q
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
%build
-ant \
- -Dinit.d="rc.d/init.d" \
- -Dproduct.ui.flavor.prefix="" \
- -Dproduct.prefix="pki" \
- -Dproduct="tks" \
- -Dversion="%{version}"
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_TKS:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
%install
-%define major_version %(echo `echo %{version} | awk -F. '{ print $1 }'`)
-%define minor_version %(echo `echo %{version} | awk -F. '{ print $2 }'`)
-%define patch_version %(echo `echo %{version} | awk -F. '{ print $3 }'`)
-
-rm -rf %{buildroot}
-cd dist/binary
-unzip %{name}-%{version}.zip -d %{buildroot}
-sed -i 's/^preop.product.version=.*$/preop.product.version=%{version}/' %{buildroot}%{_datadir}/pki/tks/conf/CS.cfg
-sed -i 's/^cms.version=.*$/cms.version=%{major_version}.%{minor_version}/' %{buildroot}%{_datadir}/pki/tks/conf/CS.cfg
-mkdir -p %{buildroot}%{_localstatedir}/lock/pki/tks
-mkdir -p %{buildroot}%{_localstatedir}/run/pki/tks
-cd %{buildroot}%{_javadir}
-mv tks.jar tks-%{version}.jar
-ln -s tks-%{version}.jar tks.jar
-
-# supply convenience symlink(s) for backwards compatibility
-mkdir -p %{buildroot}%{_javadir}/pki/tks
-cd %{buildroot}%{_javadir}/pki/tks
-ln -s ../../tks.jar tks.jar
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"
+
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d
+# generate 'pki-tks.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+echo "D /var/lock/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+echo "D /var/run/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+%endif
-%clean
-rm -rf %{buildroot}
%post
# This adds the proper /etc/rc*.d links for the script
/sbin/chkconfig --add pki-tksd || :
+
%preun
if [ $1 = 0 ] ; then
/sbin/service pki-tksd stop >/dev/null 2>&1
/sbin/chkconfig --del pki-tksd || :
fi
+
%postun
if [ "$1" -ge "1" ] ; then
/sbin/service pki-tksd condrestart >/dev/null 2>&1 || :
fi
+
%files
%defattr(-,root,root,-)
-%doc LICENSE
-%{_initrddir}/*
-%{_javadir}/*
-%{_datadir}/pki/
-%{_localstatedir}/lock/*
-%{_localstatedir}/run/*
+%doc base/tks/LICENSE
+%{_initrddir}/pki-tksd
+%{_javadir}/pki/pki-tks-%{version}.jar
+%{_javadir}/pki/pki-tks.jar
+%dir %{_datadir}/pki/tks
+%{_datadir}/pki/tks/conf/
+%{_datadir}/pki/tks/setup/
+%{_datadir}/pki/tks/webapps/
+%dir %{_localstatedir}/lock/pki/tks
+%dir %{_localstatedir}/run/pki/tks
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tks.conf
+%endif
+
%changelog
-* Wed Aug 4 2010 Matthew Harmsen <mharmsen at redhat.com> 1.3.3-1
+* Wed Dec 1 2010 Matthew Harmsen <mharmsen at redhat.com> 9.0.0-1
+- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0
+- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs
+ in the java subsystems
+- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml
+ as part of CC interface review
+- Bugzilla Bug #583823 - CC: Auditing issues found as result of
+ CC - interface review
+- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be
+ generated on TKS instead of TPS.
+- Bugzilla Bug #630121 - OCSP responder lacking option to delete or disable
+ a CA that it serves
+- Bugzilla Bug #504061 - ECC: unable to install subsystems - phase 1
+- Bugzilla Bug #637330 - CC feature: Key Management - provide signature
+ verification functions (JAVA subsystems)
+- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and
+ port fowarding for agent services
+- Bugzilla Bug #631179 - Administrator is not allowed to remove
+ ocsp signing certificate using console
+- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection of
+ signature algorithm; and for ECC curves
+- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA release --
+ DRM and TKS do not seem to have CRL checking enabled
+- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help
+ correctly set up CC environment
+- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports
+ to talk to CA and complete configuration in DonePanel
+- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
+- Bugzilla Bug #489385 - references to rhpki
+- Bugzilla Bug #649910 - Console: an auditor or agent can be added to
+ an administrator group.
+- Bugzilla Bug #632425 - Port to tomcat6
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude
+ a GUI interface
+- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets
+ as expected
+- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for
+ validity
+- Bugzilla Bug #643206 - New CMake based build system for Dogtag
+- Bugzilla Bug #499494 - change CA defaults to SHA2
+- Bugzilla Bug #649343 - Publishing queue should recover from CA crash.
+- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and
+ pkiCA, obsolete 2252 and 2256
+- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source
+ repository
+- Bugzilla Bug #663546 - Disable the functionalities that are not exposed
+ in the console
+- Bugzilla Bug #656733 - Standardize jar install location and jar names
+- Bugzilla Bug #661142 - Verification should fail when
+ a revoked certificate is added
+- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time
+ interface is no longer available through console
+- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory During
+ CRL Generation
+- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing
+ information
+- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml
+ as part of the CC interface review
+- Bugzilla Bug #656665 - Please Update Spec File to use 'ghost' on files
+ in /var/run and /var/lock
+- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI subsystem
+ instances
+
+* Wed Aug 04 2010 Matthew Harmsen <mharmsen at redhat.com> 1.3.3-1
- Bugzilla Bug #606556 - Add known session key test to TKS self test set
- Bugzilla Bug #608086 - CC: CA, OCSP, and DRM need to add more audit calls
- Bugzilla Bug #527593 - More robust signature digest alg, like SHA256
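Review bot: In %files, '%dir %{_localstatedir}/lock/pki/tks' and '%dir %{_localstatedir}/run/pki/tks' are still packaged as ordinary directories, although the changelog entry added in this same hunk cites Bug #656665 (use 'ghost' on files in /var/run and /var/lock) and the Fedora >= 15 branch ships a tmpfiles.d config for exactly these paths. Marking the two directories %ghost on that branch would match the tmpfiles.d setup. Two related checks: %install no longer creates these directories itself, so the package now depends on 'make install' producing them, and the generated pki-tks.conf hardcodes 'root root' with mode 0755, which should be confirmed against the account that pki-tksd writes its lock and pid files as.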
@@ -122,8 +231,8 @@ fi
- Bugzilla Bug #528236 - rhcs80 web conf wizard - cannot specify CA signing
algorithm
- Bugzilla Bug #533510 - tps exception, cannot start when signed audit true
-- Bugzilla Bug #529280 - TPS returns HTTP data without ending in 0rn per
- RFC 2616
+- Bugzilla Bug #529280 - TPS returns HTTP data without ending in 0rn
+ per RFC 2616
- Bugzilla Bug #498299 - Should not be able to change the status manually
on a token marked as permanently lost or destroyed
- Bugzilla Bug #554892 - configurable frequency signed audit
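Review bot: The re-wrapped Bug #529280 entry still reads 'ending in 0rn', which looks like '0\r\n' (the chunked-encoding terminator from RFC 2616) with its backslashes lost. Since the line is touched only to move the wrap point, either restore the escapes in the same change or leave the historical entry as it was.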
@@ -153,20 +262,21 @@ fi
References Fedora
* Mon Apr 26 2010 Ade Lee <alee at redhat.com> 1.3.2-1
-- Bugzilla Bug 584917- Can not access CA Configuration Web UI after CA installation
+- Bugzilla Bug 584917- Can not access CA Configuration Web UI
+ after CA installation
* Tue Feb 16 2010 Matthew Harmsen <mharmsen at redhat.com> 1.3.1-2
-- Bugzilla Bug #566059 - Add 'pki-console' as a runtime dependency
+- Bugzilla Bug #566059 - Add 'pki-console' as a runtime dependency
for CA, KRA, OCSP, and TKS . . .
-* Mon Feb 8 2010 Matthew Harmsen <mharmsen at redhat.com> 1.3.1-1
-- Bugzilla Bug #562986 - Supply convenience symlink(s) for backwards
+* Mon Feb 08 2010 Matthew Harmsen <mharmsen at redhat.com> 1.3.1-1
+- Bugzilla Bug #562986 - Supply convenience symlink(s) for backwards
compatibility (rename jar files as appropriate)
* Fri Jan 15 2010 Kevin Wright <kwright at redhat.com> 1.3.0-4
-- Removed BuildRequires: dogtag-pki-tks-ui
+- Removed BuildRequires: dogtag-pki-tks-ui
-* Fri Jan 8 2010 Matthew Harmsen <mharmsen at redhat.com> 1.3.0-3
+* Fri Jan 08 2010 Matthew Harmsen <mharmsen at redhat.com> 1.3.0-3
- Corrected "|| :" scriptlet logic (see Bugzilla Bug #475895)
- Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
- Bugzilla Bug #553847 - New Package for Dogtag PKI: pki-tks
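Review bot: The edits to the 1.3.0 through 1.3.2 entries are cosmetic only (zero-padded dates, one re-wrap, and what appear to be whitespace-only changes where the '-' and '+' lines read the same), and they are mixed into a version bump, which makes the functional part of the spec change harder to audit. Consider splitting them into their own commit. If the 1.3.2-1 line is being rewritten anyway, 'Bugzilla Bug 584917- Can not access' still lacks the '#' and the space before the hyphen that the other entries use.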
@@ -176,3 +286,4 @@ fi
* Fri Oct 16 2009 Ade Lee <alee at redhat.com> 1.3.0-1
- Bugzilla Bug #X - Packaging for Fedora Dogtag
+
diff --git a/sources b/sources
index 087279b..4de7518 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-7c8630d83f6b5e353797f7497f75b52f pki-tks-1.3.3.tar.gz
+5de1136280f156638463f06870b51cc2 pki-tks-9.0.0.tar.gz
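Review bot: The new tarball is pinned only by the 32-hex-digit MD5 digest on the '+' line, and Source0 in pki-tks.spec is a plain http:// URL, so nothing visible in this commit ties pki-tks-9.0.0.tar.gz to an authenticated upstream release. MD5 is not collision resistant; for a package that handles token master keys, confirm the uploaded tarball against a signature or a stronger hash published by upstream and note that check in the commit message.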