PKI Open Source History 2016

From Dogtag
Revision as of 20:51, 22 September 2016 by Mharmsen (talk | contribs) (/* Dogtag Certificate Server 10.3.5                      [08/08/2016  08/22/2016  08/29/2016  09/07/2016  09/12/2016  09)

Jump to: navigation, search

Open Source History (2016)

Dogtag Certificate Server 10.3.0 (Alpha 1)       [03/07/2016]

Dogtag Certificate System 10.3.0.a1 represents the first alpha of Dogtag 10.3, and is associated with Fedora 24.

Project Name:

  • Dogtag Certificate System 10.3.0.a1

Releases:

  • [03/07/2016] Dogtag Certificate Server 10.3.0.a1 [32-bit & 64-bit Fedora 24]

Packages

  • Fedora 24
    • dogtag-pki-10.3.0.a1-1.fc24 [2016-03-08]
    • dogtag-pki-theme-10.3.0.a1-1.fc24 [2016-03-07]
    • pki-core-10.3.0.a1-2.fc24 [2016-03-23]
    • pki-console-10.3.0.a1-1.fc24 [2016-03-08]
  • Fedora 25
    • dogtag-pki-10.3.0.a1-1.fc25 [2016-03-08]
    • dogtag-pki-theme-10.3.0.a1-1.fc25 [2016-03-07]
    • pki-core-10.3.0.a1-2.fc25 [2016-03-23]
    • pki-console-10.3.0.a1-1.fc25 [2016-03-08]

Upgrade Notes:

After running fedup, simply use dnf (as necessary) to update existing packages.

PKI Instance updates from 10.2 to 10.3.0.a1 are not supported.

Highlights since Dogtag 10.2.6

The primary purpose of Dogtag 10.3 was to continue adding features and stream-lining the java Tomcat-based TPS process that was created in Dogtag 10.2.

The numerous tickets fixed during this particular phase can be found in the specified milestones of the PKI TRAC Ticket Instance:

  • 10.3.0.a1 - page 12 (15 tickets)
  • 10.3 - page 12 (64 tickets)

Detailed Changes since Dogtag 10.2.6

The following list of dependencies was gleaned from the following procedure (which includes tickets from the 10.3 and 10.3.0.a1 milestones):

   Dogtag 10_3:      [08/08/2015[ (master --> 10.3.0-0.1)
   Dogtag 10.3.0.a1: [03/07/2016] (master --> end of 10.3.0.a1)
   
   Run the following commands on the "master" branch:
   
       # git --no-pager log --since "08/08/2015" --until "03/07/2016" > ../history_10.3.0.a1
   
   and compose the following list.

Server Platforms:

Platform 10.3.0.a1
32-bit Fedora 24 (i686)
X
64-bit Fedora 24 (x86_64)
X
32-bit Fedora 25 (i686)
X
64-bit Fedora 25 (x86_64)
X

Dogtag Certificate Server 10.3.0 (Alpha 2)       [04/07/2016]

Dogtag Certificate System 10.3.0.a2 represents the second alpha of Dogtag 10.3, and is associated with Fedora 24.

Project Name:

  • Dogtag Certificate System 10.3.0.a2

Releases:

  • [04/07/2016] Dogtag Certificate Server 10.3.0.a2 [32-bit & 64-bit Fedora 24]

Packages

  • Fedora 24
    • dogtag-pki-10.3.0.a2-1.fc24 [2016-04-07]
    • dogtag-pki-theme-10.3.0.a2-1.fc24 [2016-04-07]
    • pki-core-10.3.0.a2-2.fc24 [2016-04-09]
    • pki-console-10.3.0.a2-1.fc24 [2016-04-08]
  • Fedora 25
    • dogtag-pki-10.3.0.a2-1.fc25 [2016-04-07]
    • dogtag-pki-theme-10.3.0.a2-1.fc25 [2016-04-07]
    • pki-core-10.3.0.a2-2.fc25 [2016-04-09]
    • pki-console-10.3.0.a2-1.fc25 [2016-04-08]

Upgrade Notes:

After running fedup, simply use dnf (as necessary) to update existing packages.

PKI Instance updates from 10.2 or 10.3.0.a1 to 10.3.0.a2 are not supported.

Highlights since Dogtag 10.3.0.a1

The primary purpose of Dogtag 10.3 was to continue adding features and stream-lining the java Tomcat-based TPS process that was created in Dogtag 10.2.

The numerous tickets fixed during this particular phase can be found in the specified milestones of the PKI TRAC Ticket Instance:

  • 10.3.0.a2 - pages 11-12 (16 tickets)

Detailed Changes since Dogtag 10.3.0.a1

The following list of dependencies was gleaned from the following procedure:

   Dogtag 10.3.0.a2: [03/08/2016] (master --> beginning of 10.3.0.a2)
                     [04/07/2016] (master --> end of 10.3.0.a2)
   
   Run the following commands on the "master" branch:
   
       # git --no-pager log --since "03/08/2016" --until "04/07/2016" > ../history_10.3.0.a2
   
   and compose the following list.

Server Platforms:

Platform 10.3.0.a2
32-bit Fedora 24 (i686)
X
64-bit Fedora 24 (x86_64)
X
32-bit Fedora 25 (i686)
X
64-bit Fedora 25 (x86_64)
X

Dogtag Certificate Server 10.3.0 (Beta 1)        [04/19/2016]

Dogtag Certificate System 10.3.0.b1 represents the first beta of Dogtag 10.3, and is associated with Fedora 24.

Project Name:

  • Dogtag Certificate System 10.3.0.b1

Releases:

  • [04/19/2016] Dogtag Certificate Server 10.3.0.b1 [32-bit & 64-bit Fedora 24]

Packages

  • Fedora 24
    • dogtag-pki-10.3.0.b1-1.fc24 [2016-04-18]
    • dogtag-pki-theme-10.3.0.b1-1.fc24 [2016-04-18]
    • pki-core-10.3.0.b1-1.fc24 [2016-04-19]
    • pki-console-10.3.0.b1-1.fc24 [2016-04-19]
  • Fedora 25
    • dogtag-pki-10.3.0.b1-1.fc25 [2016-04-18]
    • dogtag-pki-theme-10.3.0.b1-1.fc25 [2016-04-18]
    • pki-core-10.3.0.b1-1.fc25 [2016-04-19]
    • pki-console-10.3.0.b1-1.fc25 [2016-04-19]

Upgrade Notes:

After running fedup, simply use dnf (as necessary) to update existing packages.

PKI Instance updates from 10.2, 10.3.0.a1, or 10.3.0.a2 to 10.3.0.b1 are not supported.

Highlights since Dogtag 10.2.6

The primary purpose of Dogtag 10.3 was to continue adding features and stream-lining the java Tomcat-based TPS process that was created in Dogtag 10.2.

The numerous tickets fixed during this particular phase can be found in the specified milestones of the PKI TRAC Ticket Instance:

  • 10.3.0.b1 - page 11 (7 tickets)

Detailed Changes since Dogtag 10.3.0.a2

The following list of dependencies was gleaned from the following procedure:

   Dogtag 10.3.0.b1: [04/08/2016] (master --> start of 10.3.0.b1)
                     [04/19/2016] (master --> end of 10.3.0.b1)
   
   Run the following commands on the "master" branch:
   
       # git --no-pager log --since "04/08/2016" --until "04/19/2016" > ../history_10.3.0.b1
   
   and compose the following list.

Server Platforms:

Platform 10.3.0.b1
32-bit Fedora 24 (i686)
X
64-bit Fedora 24 (x86_64)
X
32-bit Fedora 25 (i686)
X
64-bit Fedora 25 (x86_64)
X

Dogtag Certificate Server 10.3.1                      [05/17/2016]

Dogtag Certificate System 10.3.1 represents the first release of Dogtag 10.3, and is associated with Fedora 24.

Project Name:

  • Dogtag Certificate System 10.3.1

Releases:

  • [05/17/2016] Dogtag Certificate Server 10.3.1 [32-bit & 64-bit Fedora 24]

Packages

  • Fedora 24
    • dogtag-pki-10.3.1-1.fc24 [2016-05-17]
    • dogtag-pki-theme-10.3.1-2.fc24 [2016-05-17]
    • pki-core-10.3.1-1.fc24 [2016-05-17]
    • pki-console-10.3.1-1.fc24 [2016-05-17]
  • Fedora 25
    • dogtag-pki-10.3.1-1.fc25 [2016-05-17]
    • dogtag-pki-theme-10.3.1-2.fc25 [2016-05-17]
    • pki-core-10.3.1-1.fc25 [2016-05-17]
    • pki-console-10.3.1-1.fc25 [2016-05-17]

Upgrade Notes:

After running fedup, simply use dnf (as necessary) to update existing packages.

PKI Instance updates from 10.3.0.a1, 10.3.0.a2, or 10.3.0.b1 to 10.3.1 are not supported.

Highlights since Dogtag 10.3.0.b1

The primary purpose of Dogtag 10.3 was to continue adding features and stream-lining the java Tomcat-based TPS process that was created in Dogtag 10.2.

The numerous tickets fixed during this particular phase can be found in the specified milestones of the PKI TRAC Ticket Instance:

  • 10.3.1 - page 11 (51 tickets)

Detailed Changes since Dogtag 10.3.0.b1

The following list of dependencies was gleaned from the following procedure:

   Dogtag 10.3.1:    [04/20/2016] (master --> start of 10.3.1)
                     [05/17/2016] (master --> end of 10.3.1)
   
   Run the following commands on the "master" branch:
   
       # cd pki
       
       # git --no-pager log --since "04/20/2016" --until "05/17/2016" > ../history_10.3.1
       
       # cd ..
       
       # grep "Author:" history_10.3.1 | sort -u
       Author: Ade Lee <alee@redhat.com>
       Author: Christina Fu <cfu@redhat.com>
       Author: Endi S. Dewata <edewata@redhat.com>
       Author: Fraser Tweedale <ftweedal@redhat.com>
       Author: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
       Author: Matthew Harmsen <mharmsen@pki.usersys.redhat.com>
       Author: Matthew Harmsen <mharmsen@redhat.com>
       
       # vi 10.3.1.log
         * alee
         * cfu
         * edewata
         * ftweedal
         * jmagne
         * mharmsen
       
   From history_10.3.1, manually add tickets/check-ins per user to 10.3.1.log to compose the following list.
  • alee (7)
    • 1247 - Fix error output when request is rejected
    • 2041 - Add authz realm check for cert enrollment
    • 2041 - Add migration script for realm changes in registry.cfg
    • 2043 - Add CLI to check system certificate status
    • 2043 - Add validity check for the signing certificate in pkispawn
    • Fix existing ca setup to work with HSM
    • Fix problem in creating certificate requests
  • cfu (2)
    • 1508 - Missing token prefix for connectors in TPS Installation with HSM
    • 2303 - Key recovery fails with KRA on lunaSA
  • edewata (29)
    • 1290 - Updated default TPS token state transitions.
    • 1654 - Added log messages for pre-op mode.
    • 1667 - Renamed pki-server ca-db-upgrade to db-upgrade.
    • 1736 - Removed unused code for existing CA installation.
    • 2043 - Fixed pki-server subsystem-cert-validate command.
    • 2261 - Fixed TPS UI navigation.
    • 2262 - Fixed TPS UI navigation.
    • 2264 - Removed unused TPS user fields and group.
    • 2265 - Removed unused TPS user fields and group.
    • 2266 - Removed unused TPS user fields and group.
    • 2268 - Replaced TPS OP_DO_TOKEN activity.
    • 2278 - Renamed CS.cfg.in to CS.cfg.
               - Simplified slot substitution.
               - Added deployment parameters for number ranges.
    • 2286 - Refactored TokenStatus enumeration.
               - Renamed token status TEMP_LOST to SUSPENDED.
    • 2287 - Added token status UNFORMATTED.
               - Added warning message for token reuse.
    • 2288 - Renamed token status READY to FORMATTED.
               - Renamed token status UNINITIALIZED to READY.
    • 2296 - Fixed token status search filter.
    • 2304 - Removed default certificate validity delay.
    • 2312 - Fixed missing CSR extensions for external CA case.
    • Added TPSCertRecord.getSerialNumberInBigInteger().
    • Moved TPSTokendb.tdbGetTokenEntry() invocations.
    • Added TPSTokendb.revokeCert() and unrevokeCert().
    • Fixed activity logs for certificate revocations.
    • Updated TPS UI version number.
    • Removed unused variables in deployment scriptlets.
    • Fixed build issue with apache-commons-codec 1.8.
    • Fixed problem uninstalling standalone KRA.
    • Fixed duplicate executions of finalization scriptlet.
    • Fixed install-only message in external CA case.
    • Fixed error handling ConfigurationUtils.handleCertRequest().
  • ftweedal (8)
    • 1618 - Lightweight CAs: add issuer DN and serial to AuthorityData
    • 1625 - Lightweight CAs: fix bad import in key retriever script
               - Lightweight CAs: accept "host-authority" as valid parent
               - Lightweight CAs: allow specifying authority via ProfileSubmitServlet
               - Lightweight CAs: add IPACustodiaKeyRetriever
               - Lightweight CAs: add key retrieval framework
               - Add ca-authority-key-export command
               - Add method CryptoUtil.importPKIArchiveOptions
               - Lightweight CAs: authority schema changes
    • 1667 - Add pki-server ca-db-upgrade command
    • 2301 - Fix NSSDB certificate search method
    • 2317 - Reject cert request if resultant subject DN is invalid
    • 2321 - Support certificate search by issuer DN.
    • 2322 - Include issuer DN in CertDataInfo
    • Lightweight CAs: add missing authoritySerial attr to default schema
  • jmagne (3)
    • 1636 - TPS auth special characters fix.
    • 1921 - Update default values of connectionTimeout to format smart cards
    • Enhance tkstool for capabilities and security
  • mharmsen (6)
    • 856 - Fixed incorrect clone installation summary
    • 1669 - Fixed adminEnroll servlet browser import issue
    • 2248 - Removed pkidaemon support of apache instances
    • 2249 - fix bashisms
    • 2306 - Detect inability to submit ECC CSR on Chrome
    • 2323 - Added Chrome keygen warning

Server Platforms:

Platform 10.3.1
32-bit Fedora 24 (i686)
X
64-bit Fedora 24 (x86_64)
X
32-bit Fedora 25 (i686)
X
64-bit Fedora 25 (x86_64)
X

Dogtag Certificate Server 10.3.2                      [06/07/2016]

Dogtag Certificate System 10.3.2 represents the second release of Dogtag 10.3, and is associated with Fedora 24.

Project Name:

  • Dogtag Certificate System 10.3.2

Releases:

  • [06/07/2016] Dogtag Certificate Server 10.3.2 [32-bit & 64-bit Fedora 24]

Packages

  • Fedora 24
    • dogtag-pki-10.3.2-1.fc24 [2016-06-07]
    • dogtag-pki-theme-10.3.2-2.fc24 [2016-06-08]
    • pki-core-10.3.2-4.fc24 [2016-06-13]
    • pki-console-10.3.2-2.fc24 [2016-06-08]
  • Fedora 25
    • dogtag-pki-10.3.2-1.fc25 [2016-06-07]
    • dogtag-pki-theme-10.3.2-2.fc25 [2016-06-08]
    • pki-core-10.3.2-4.fc25 [2016-06-13]
    • pki-console-10.3.2-2.fc25 [2016-06-08]

Upgrade Notes:

After running fedup, simply use dnf (as necessary) to update existing packages.

PKI Instance updates from 10.3.0.a1, 10.3.0.a2, or 10.3.0.b1, to 10.3.2 are not supported.

Highlights since Dogtag 10.3.1

The primary purpose of Dogtag 10.3 was to continue adding features and stream-lining the java Tomcat-based TPS process that was created in Dogtag 10.2.

The numerous tickets fixed during this particular phase can be found in the specified milestones of the PKI TRAC Ticket Instance:

  • 10.3.2 - page 11 (43 tickets)

Detailed Changes since Dogtag 10.3.2

The following list of dependencies was gleaned from the following procedure:

   Dogtag 10.3.2:    [05/18/2016] (master --> start of 10.3.2)
                     [06/05/2016] (master --> end of 10.3.2)
   
   Run the following commands on the "master" branch:
   
       # cd pki
       
       # git --no-pager log --since "05/18/2016" --until "06/05/2016" > ../history_10.3.2
       
       # cd ..
       
       # grep "Author:" history_10.3.2 | sort -u
       Author: Ade Lee <alee@redhat.com>
       Author: Christina Fu <cfu@redhat.com>
       Author: Endi S. Dewata <edewata@redhat.com>
       Author: Fraser Tweedale <ftweedal@redhat.com>
       Author: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
       Author: Matthew Harmsen <mharmsen@pki.usersys.redhat.com>
       Author: Matthew Harmsen <mharmsen@redhat.com>
       
       # vi 10.3.2.log
         * alee
         * cfu
         * edewata
         * ftweedal
         * jmagne
         * mharmsen
       
   From history_10.3.2, manually add tickets/check-ins per user to 10.3.2.log to compose the following list.
  • alee (7)
    • 1053 - Allow cert-find using revocation reasons
    • 1055 - Add revocation information to pki CLI output.
    • 1717 - Add option to modify ajp_host to pkispawn
    • 2254 - Add parameters to purge old published files
    • 2275 - Add parameters to disable cert or crl publishing
    • 2319 - Added pki-server kra-db-vlv-add, kra-db-vlv-del, kra-db-vlv-reindex
    • 2320 - Add commands to db-server to help with DB related changes
               - Added pki-server db-schema-upgrade
               - New VLV indexes for KRA including realm
               - Fix legacy servlets to check realm when requesting recovery
               - Change legacy requests servlet to check realm
               - Fix old KRA servlets to check realm
  • cfu (4)
    • 1665 - Cert Revocation Reasons not being updated when on-hold
               - In the CA, when revokeCert is called, make it possible to move from
                 on_hold to revoke.
               - In the servlet that handles TPS revoke (DoRevokeTPS), make sure it
                 allows the on_hold cert to be put in the bucket to be revoked.
               - there are a few minor fixes such as typos and one have to do with
                 the populate method in SubjectDNInput.java needs better handling of
                 subject in case it's null.
               - Note: This patch does not make attempt to allow agents to revoke
                 certs that are on_hold from agent interface. The search
                 filter needs to be modified to allow that.
    • 2352 - This patch allows KRA agent to list netkeyKeyRecovery requests
    • 2271 - Part2:TMS:removing/reducing debug log printout of data
               - Fields are zeroed out before being deleted in KRA request records
    • 2298 - [non-TMS] for key archival/recovery, not to record certain data in
                 ldap and logs
  • edewata (12)
    •  850 - Updated system certificate selftests.
    •  999 - Fixed problem submitting renewal request.
               - Fixed error reporting in RenewalProcessor.getSerialNumberFromCert().
    • 1434 - Added TPS UI for managing user certificates.
    • 2267 - Added TPS UI for managing user roles.
    • 2299 - Fixed truncated token activity message in TPS UI.
    • 2308 - Fixed cert enrollment problem with empty rangeUnit in profile.
    • 2312 - Fixed support for generic CSR extensions.
    • 2314 - Ignoring blank and comment lines in configuration files.
    • 2326 - Fixed error handling in ProxyRealm.
    • 2334 - Added TPS token state transition validation.
    • 2342 - Fixed invalid TPS VLV indexes.
               - Fixed hard-coded database name for TPS VLV indexes.
    • 2344 - Removed selftest interface from TPS UI.
  • ftweedal (9)
    • 1073 - Include serial of revoked cert in CertRequestInfo
    • 1625 - Lightweight CAs: remove pki-ipa-retrieve-key script
               - Lightweight CAs: generalise subprocess-based key retrieval
    • 1640 - Lightweight CAs: remove redundant deletePrivateKey invocation
    • 2293 - Retry failed key retrieval with backoff
               - Don't update obsolete CertificateAuthority after key retrieval
               - Limit key retrieval to a single thread per CA
    • 2327 - Lightweight CAs: add method to renew certificate
               - Lightweight CAs: renew certs with same issuer
    • 2328 - Lightweight CAs: remove NSSDB material when processing deletion
    • 2332 - Return 410 Gone if target CA of request has been deleted
    • 2343 - Fix LDAP schema violation when instance name contains '_'
    • 2351 - Modify ExternalProcessKeyRetriever to read JSON
  • jmagne (2)
    • 1512 - Show KeyOwner info when viewing recovery requests.
    •  801 - Port symkey JNI to Java classes.
               - Merge pki-symkey into jss
  • mharmsen (1)
    • 1677 - Fix unknown TKS host and port connector error during TPS removal

Server Platforms:

Platform 10.3.2
32-bit Fedora 24 (i686)
X
64-bit Fedora 24 (x86_64)
X
32-bit Fedora 25 (i686)
X
64-bit Fedora 25 (x86_64)
X

Dogtag Certificate Server 10.3.3                      [06/21/2016]

Dogtag Certificate Server 10.3.4                     [07/05/2016]

Dogtag Certificate System 10.3.3 represents the third (and fourth) releases of Dogtag 10.3, and is associated with Fedora 24.

Project Name:

  • Dogtag Certificate System 10.3.3

Releases:

  • [06/21/2016] Dogtag Certificate Server 10.3.3 [32-bit & 64-bit Fedora 24]
  • [07/05/2016] Dogtag Certificate Server 10.3.4 [32-bit & 64-bit Fedora 24]

- The 10.3.4 Milestone changes were added as patches to 10.3.3.

Packages

  • Fedora 24
    • dogtag-pki-10.3.3-1.fc24 [2016-06-20]
    • dogtag-pki-theme-10.3.3-1.fc24 [2016-06-20]
    • pki-core-10.3.3-1.fc24 [2016-06-20]
    • pki-core-10.3.3-3.fc24 [2016-07-05]
    • pki-console-10.3.3-1.fc24 [2016-06-21]
  • Fedora 25
    • dogtag-pki-10.3.3-1.fc25 [2016-06-20]
    • dogtag-pki-theme-10.3.3-1.fc25 [2016-06-20]
    • pki-core-10.3.3-2.fc25 [2016-07-01]
    • pki-core-10.3.3-3.fc25 [2016-07-05]
    • pki-console-10.3.3-1.fc25 [2016-07-01]

Upgrade Notes:

After running fedup, simply use dnf (as necessary) to update existing packages.

PKI Instance updates from 10.3.0.a1, 10.3.0.a2, or 10.3.0.b1, to 10.3.3 are not supported.

Highlights since Dogtag 10.3.2

The primary purpose of Dogtag 10.3 was to continue adding features and stream-lining the java Tomcat-based TPS process that was created in Dogtag 10.2.

The numerous tickets fixed during this particular phase can be found in the specified milestones of the PKI TRAC Ticket Instance:

  • 10.3.3 - page 11 (27 tickets)
  • 10.3.4 - page 10-11 (28 tickets)

Detailed Changes since Dogtag 10.3.2

The following list of dependencies was gleaned from the following procedure:

   Dogtag 10.3.3:    [06/06/2016] (master --> start of 10.3.3)
                     [06/21/2016] (master --> end of 10.3.3)
   
   Run the following commands on the "master" branch:
   
       # cd pki
       
       # git --no-pager log --since "06/06/2016" --until "06/21/2016" > ../history_10.3.3
       
       # cd ..
       
       # grep "Author:" history_10.3.3 | sort -u
       Author: Ade Lee <alee@redhat.com>
       Author: Amol Kahat <akahat@redhat.com>
       Author: Asha Akkiangady <aakkiang@redhat.com>
       Author: Christina Fu <cfu@redhat.com>
       Author: Endi S. Dewata <edewata@redhat.com>
       Author: Fraser Tweedale <ftweedal@redhat.com>
       Author: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
       Author: Matthew Harmsen <mharmsen@pki.usersys.redhat.com>
       Author: Matthew Harmsen <mharmsen@redhat.com>
       
       # vi 10.3.3.log
         * alee
         * akahat
         * aakkiang
         * cfu
         * edewata
         * ftweedal
         * jmagne
         * mharmsen
       
   From history_10.3.3, manually add tickets/check-ins per user to 10.3.3.log to compose the following list.
  • aakkiang (1)
    • 1579 - Removed test cases for authentication plugin UdnPwdDirAuth since this plugin will be removed from dogtag
  • akahat (3)
    • BZ 1339263 - Fixed --help option for instance-show, instance-start, instance-stop, instance-migrate, instance-nuxwdog-enable, instance-nuxwdog-disable.
    • BZ 1341953 - Fixed pki-server instance-start <instance> command. Fixed pki-server instance-stop <instance> command.
    • Added entry of pki-server instance-cert command in man page.
  • alee (4)
    • 1563 - Fix name fields in man pages for correct man -k output
    • 2318 - Add man page info for number range parameters
    • 2339 - Add man page entry for pki-server instance-cert-export command
    • Add man page and clarify CLI for kra-connector
  • cfu (3)
    • 2298 - Part 2 - exclude some ldap record attributes with key archival
    •          - Part 3 - trim down debug log in non-TMS crmf enrollments
    • 2346 - add patch to support SHA384withRSA signing algorithm
  • edewata (12)
    • 1276 - Fixed REST response format.
    • 2263 - Added TPS VLV management CLI.
    •          - Fixed TPS VLV sort orders.
    • 2269 - Added TPS VLV management CLI.
    •          - Fixed TPS VLV sort orders.
    • 2300 - Updated instructions to customize TPS token lifecycle.
    • 2342 - Fixed VLV usage in TPS token and activity services.
    • 2354 - Added TPS VLV management CLI.
    •          - Updated KRA VLV management CLI.
    •          - Fixed TPS VLV filters.
    • 2363 - Fixed Java dependency.
    •          - Added upgrade script to fix JAVA_HOME.
    • Added debugging log in ClientCertImportCLI.
    • Added pki pkcs12-cert-mod command.
    • Fixed problem with headerless PKCS #7 data.
    • Refactored SystemConfigService.processCerts().
    • Removed unused Tomcat 6 files.
  • ftweedal (1)
    • 2359 - Do not attempt cert update unless signing key is present
  • jmagne (4)
    • 1199 - Fix coverity warnings for 'tkstool'
    • 1579 - UdnPwdDirAuth authentication plugin instance is not working.
    • 2340 - Revocation failure causes AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST
    • Comment server.xml about Enableocsp checking on KRA with CA's secure port shows self test failure.
  • mharmsen (1)
    • Spec file changes:
    • - Updated tomcat version dependencies
    • - Updated 'java', 'java-headless', and 'java-devel' dependencies to 1:1.8.0.
    • - Updated 'tomcatjss' dependencies
    • - Provided cleaner runtime dependency separation
    • - Updated resteasy packages for Fedora 25 and later

Detailed Dogtag 10.3.4 Milestone Changes to Dogtag 10.3.3

The following list of dependencies was gleaned from the following procedure:

   Dogtag 10.3.4:    [06/21/2016] (master --> start of 10.3.4)
                     [07/05/2016] (master --> end of 10.3.4)
   
   Run the following commands on the "master" branch:
   
       # cd pki
       
       # git --no-pager log --since "06/21/2016" --until "07/05/2016" > ../history_10.3.4
       
       # cd ..
       
       # grep "Author:" history_10.3.4 | sort -u
       Author: Abhijeet Kasurde <akasurde@redhat.com>
       Author: Amol Kahat <akahat@redhat.com>
       Author: Christina Fu <cfu@redhat.com>
       Author: Endi S. Dewata <edewata@redhat.com>
       Author: Fraser Tweedale <ftweedal@redhat.com>
       Author: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
       Author: Matthew Harmsen <mharmsen@pki.usersys.redhat.com>
       Author: Matthew Harmsen <mharmsen@redhat.com>
 
       # vi 10.3.4.log
         * akasurde
         * akahat
         * cfu
         * edewata
         * ftweedal
         * jmagne
         * mharmsen
       
   From history_10.3.4, manually add tickets/check-ins per user to 10.3.4.log to compose the following list.
  • akahat (2)
    • 2368 - Fixes pki-server subsystem-* --help options.
    • 2380 - Fixes: Invalid instance exception issue.
  • akasurde (1)
    • 2390 - Updated notification message for DB subsystem command
    •          - Updated notification message for TPS subsystem command
    •          - Updated notification message for TKS subsystem command
    •          - Updated notification message for OCSP subsystem command
    •          - Updated notification message for kra-db-vlv* command
    •          - Updated notification message for kra-db-vlv-del command
    •          - Added condition for checking instance id in kra commands
    •          - Added fix for checking ldapmodify return code in db-schema-upgrade
    •          - Added condition to verify instance id in db-schema-upgrade
  • cfu (4)
    • BZ 1203407 - tomcatjss: missing ciphers
    • 1306 - config params: Add granularity to token termination in TPS
    • 1308 - Provide ability to perform off-card key generation for non-encryption token keys
    • 2389 - Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA
  • edewata (6)
    • 1711 - CLI :: pki-server ca-cert-request-find throws IOError
    • 2364 - Added instance and subsystem validation for pki-server ca-* commands.
    • 2374 - Fixed KRA cloning issue.
    • 2384 - Fixed problem reading HSM password from password file.
    • 2385 - Fixed pki-server subsystem-cert-update.
    • 2390 - Removed excessive error message in pki CLI.
  • ftweedal (4)
    • 2285 - Add profiles container to LDAP if missing
    • 2373 - Fix build on Fedora 25
    • 2387 - AuthInfoAccess: use default OCSP URI if configured
    • 2388 - Respond 400 if lightweight CA cert issuance fails
  • jmagne (3)
    • 1114 - Generating Symmetric key fails with key-generate when --usages verify is passed
    • 1664 - Add ability to disallow TPS to enroll a single user on multiple tokens.
    • 2349 - Separated TPS does not automatically receive shared secret from remote TKS.
  • mharmsen (4)
    • 1405 - [MAN] Add additional HSM details to 'pki_default.cfg' & 'pkispawn' man pages
    • 1607 - [MAN] Separate PKI Instances versus Shared PKI Instances (pkispawn man page)
    • 2228 - Added gcc-c++ as a build requirement.
    • 2311 - Normalize default softokn name

Server Platforms:

Platform 10.3.3
32-bit Fedora 24 (i686)
X
64-bit Fedora 24 (x86_64)
X
32-bit Fedora 25 (i686)
X
64-bit Fedora 25 (x86_64)
X

Dogtag Certificate Server 10.3.5                      [08/08/2016  08/22/2016  08/29/2016  09/07/2016  09/12/2016  09/22/2016]

Dogtag Certificate System 10.3.5 represents the fifth release of Dogtag 10.3, and is associated with Fedora 24.

Project Name:

  • Dogtag Certificate System 10.3.5

Releases:

  • [08/08/2016] Dogtag Certificate Server 10.3.5 [32-bit & 64-bit Fedora 24]
  • [08/22/2016] update
  • [08/29/2016] update
  • [09/07/2016] update
  • [09/12/2016] update

Packages

  • Fedora 24
    • dogtag-pki-10.3.5-1.fc24 [2016-08-08]
    • dogtag-pki-theme-10.3.5-1.fc24 [2016-08-08]
    • pki-core-10.3.5-1.fc24 [2016-08-08]
    • pki-core-10.3.5-3.fc24 [2016-08-22]
    • pki-core-10.3.5-4.fc24 [2016-08-29]
    • pki-core-10.3.5-5.fc24 [2016-09-07]
    • pki-console-10.3.5-1.fc24 [2016-08-08]
  • Fedora 25
    • dogtag-pki-10.3.5-1.fc25 [2016-08-08]
    • dogtag-pki-theme-10.3.5-1.fc25 [2016-08-08]
    • pki-core-10.3.5-1.fc25 [2016-08-08]
    • pki-core-10.3.5-3.fc25 [2016-08-22]
    • pki-core-10.3.5-4.fc25 [2016-08-29]
    • pki-core-10.3.5-5.fc25 [2016-09-07]
    • pki-console-10.3.5-1.fc25 [2016-08-08]
  • Fedora 26
    • dogtag-pki-10.3.5-1.fc26 [2016-08-08]
    • dogtag-pki-theme-10.3.5-1.fc26 [2016-08-08]
    • pki-core-10.3.5-1.fc26 [2016-08-08]
    • pki-core-10.3.5-3.fc26 [2016-08-22]
    • pki-core-10.3.5-4.fc26 [2016-08-29]
    • pki-core-10.3.5-5.fc26 [2016-09-07]
    • pki-console-10.3.5-1.fc26 [2016-08-08]

Upgrade Notes:

After running fedup, simply use dnf (as necessary) to update existing packages.

PKI Instance updates from 10.3.0.a1, 10.3.0.a2, or 10.3.0.b1, to 10.3.3 are not supported.

Highlights since Dogtag 10.3.4

The primary purpose of Dogtag 10.3 was to continue adding features and stream-lining the java Tomcat-based TPS process that was created in Dogtag 10.2.

The numerous tickets fixed during this particular phase can be found in the specified milestones of the PKI TRAC Ticket Instance:

  • 10.3.5 - page 11 (27 tickets)

Detailed Changes since Dogtag 10.3.4

The following list of dependencies was gleaned from the following procedure:

   Dogtag 10.3.4:    [07/05/2016] (master --> start of 10.3.5)
                     [08/08/2016] (master --> end of 10.3.5)
   
   Run the following commands on the "master" branch:
   
       # cd pki
       
       # git --no-pager log --since "07/05/2016" --until "08/08/2016" > ../history_10.3.5
       
       # cd ..
       
       # grep "Author:" history_10.3.5 | sort -u
       Author: Abhijeet Kasurde <akasurde@redhat.com>
       Author: Ade Lee <alee@redhat.com>
       Author: bhavik bhavsar <bbhavsar@vm91.gsslab.pnq.redhat.com>
       Author: Christian Heimes <cheimes@redhat.com>
       Author: Christina Fu <cfu@dhcp-16-189.sjc.redhat.com>
       Author: Christina Fu <cfu@redhat.com>
       Author: Endi S. Dewata <edewata@redhat.com>
       Author: Fraser Tweedale <ftweedal@redhat.com>
       Author: Geetika Kapoor <gkapoor@redhat.com>
       Author: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
       Author: Matthew Harmsen <mharmsen@redhat.com>
 
       # vi 10.3.5.log
         * akasurde
         * alee
         * bbhavsar
         * cfu
         * cheimes
         * edewata
         * ftweedal
         * gkapoor
         * jmagne
         * mharmsen
       
   From history_10.3.5, manually add tickets/check-ins per user to 10.3.5.log to compose the following list.
  • akasurde (1)
    • 2399 - Added check for Subsystem data and request in 'pki-server subsystem-cert-export'
    •          - Added instance and subsystem validation for pki-server subsystem-* commands.
  • alee (4)
    •  ???? - Add pkispawn option to disable Master CRL
    • 2412 - Fix client-cert-import to set provided trust bits
    • 2418 - Fix deployment issue
    •          - Do slot substitution for SERVER_KEYGEN
    • 2399 - Re-license the python client files to LGPLv3
  • bbhavsar (1)
    • 2249 - Fix 'bashisms' in tests
  • cheimes (1)
    • 2399 - Improve setup.py for standalone Dogtag client releases
  • cfu (4)
    • 978   - PPS connector man page: add revocation routing info
    • 2246 - [MAN] Man Page: AuditVerify
    • 2389 - fix for regular CA installation
    • 2428 - broken request links for CA's system certs in agent request viewing
    •          - part2 handle NullPointerException
  • edewata (8)
    • 2376 - Fixed cert usage list in pki client-cert-validate.
    • 2377 - Fixed CLI error message on connection problems
    • 2381 - Added general exception handling for pki-server CLI.
    • 2383 - Added validation for pki client-cert-request extractable parameter.
    •          - Added validation for pki client-cert-request sensitive parameter.
    • 2399 - Fixed exception chain in SigningUnit.init().
    •          - Fixed problem with pki pkcs12-import --no-trust-flags.
    •          - Fixed pki pkcs12-import output.
    •          - Fixed certificate validation error message.
    •          - Fixed cert usage list in pki client-cert-validate.
    •          - Removed redundant question in interactive pkispawn.
    •          - Fixed pkispawn installation summary.
    •          - Fixed error handling in SystemConfigService.
    •          - Fixed param substitution problem.
    •          - Added log message in PKIClient.
    •          - Improved SystemConfigService.configure() error message.
    • 2403 - Added CMake target dependencies.
    •          - Removed hard-coded paths in pki.policy.
    •          - Removed hard-coded paths in pki CLI.
    •          - RPM spec changes for removing hard-coded paths in pki CLI.
    •          - Removed hard-coded paths in deployment tool.
    •          - RPM spec changes for removing hard-coded paths in deployment tool.
    •          - Added upgrade scripts to fix server library.
    •          - Updated RESTEasy dependency on Fedora 24.
    •          - Fixed problem creating links to PKI JAR files.
    •          - Fixed RPM spec for client-only build.
    •          - Split link customization in RPM spec.
    •          - Moved upgrade scripts for RHEL.
    • 2421 - Fixed SELinux contexts.
    • 2424 - Added log messages for certificate validation.
    •          - Added log messages for certificate import during cloning.
    •          - Fixed PKCS #12 import for cloning.
  • ftweedal (2)
    • 2420 - Fix CA OCSP responder when LWCAs are not in use
    • 2433 - Fix lightweight CA PEM-encoded PKCS #7 cert chain retrieval
  • gkapoor (2)
    •  ???? - Fixed NumberFormatException in tps-cert-find
    • 1667 - Added fix for pki-server for db-update
  • jmagne (4)
    •  ???? - [MAN] Apply 'generateCRMFRequest() removed from Firefox' workarounds to appropriate 'pki' man page
    • 2399 - Stop using a java8 only constant. Will allow compilation with java7.
    • 2406 - Make starting CRL Number configurable.
    • 2430 - Fix to sort the output of a cert search by serialno.
  • mharmsen (5)
    • 690   - pki-tools man pages - AtoB, BtoA, DRMTool, KRATool, PrettyPrintCert, and PrettyPrintCrl
    • 2399 - Allow PrettyPrintCert to process HEADERs and TRAILERs.
    • 2401 - Added 'hostname' as a runtime requirement to pki-server
    • 2402 - Fix conflict in file ownership in pki-base and pki-server
    • 2431 - Added python-urllib3 dependency

Update [08/22/2016]:

  • cheimes (1)
    • 2431 - Applied minimum python-requests dependencies to account for IPA server upgrade
  • edewata (7)
    • 833   - modified LDAPExceptionConverter to wrap LDAPException with BadRequestException for invalid attribute syntax
    • 2429 - updated TPS Admin Guide regarding adding profile properties in bulk
    • 2431 - Applied minimum python-requests dependencies to account for IPA server upgrade
    • 2432 - Fixed KRA selftest behavior
    • 2436 - Dogtag 10.3.6: Miscellaneous Enhancements
    •          - include JSS cert validation error message in selftest log
    •          - add debug messages to ConfigurationUtils.handleCerts()
    • 2437 - Removed PKCS #7 from TPS UI add user certificate dialog box
    • 2440 - Allow optional CA signing CSR
  • mharmsen (3)
    • 690   - pki-tools man pages - CMCEnroll
    • 2431 - Applied minimum python-requests dependencies to account for IPA server upgrade
    • 2436 - Dogtag 10.3.6: Miscellaneous Enhancements
    •          - apply RFC 7468 Headers/Trailers to PKI tools

Update [08/29/2016]:

  • akasurde (1)
    • 2436 - Dogtag 10.3.6: Miscellaneous Enhancements
    •          - added check for pki-server-nuxwdog parameter
  • edewata (2)
    • 2423 - pki_ca_signing_token when not specified does not fallback to pki_token_name value
    • 2439 - Outdated deployment descriptors in upgraded server
  • gkapoor (1)
    • 2414 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided
  • jmagne (1)
    • 1578 - Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working

Update [09/07/2016]:

  • alee (1)
    • 2447 - Fix CertRequestInfo URLs
  • cfu (1)
    • 2446 - pkispawn: make subject_dn defaults unique per instance name
  • edewata (2)
    • 2436 - Removed FixSELinuxContexts upgrade script.
    •          - Fixed debug log in UpdateNumberRange servlet.
    • 2449 - Added support to create system certificates in different tokens.
  • ftweedal (3)
    • 1638 - Revoke lightweight CA certificate on deletion
    • 2443 - Prevent deletion of host CA cert and key from NSSDB
    • 2444 - Accept LWCA entry with missing entryUSN if plugin enabled
    •          - Perform host authority check before entryUSN check

Update [09/12/2016]:

  • edewata (1)
    • 2449 - Reverted patch for 'Added support to create system certificates in different tokens.'

Update [09/22/2016]:

Server Platforms:

Platform 10.3.3
64-bit CentOS 7 (x86_64)
X
32-bit Fedora 24 (i686)
X
64-bit Fedora 24 (x86_64)
X
32-bit Fedora 25 (i686)
X
64-bit Fedora 25 (x86_64)
X
32-bit Fedora 26 (i686)
X
64-bit Fedora 26 (x86_64)
X