import pki-core-11.0.0-0.6.beta1.el9_b

.gitignore

@@ -0,0 +1 @@
+SOURCES/pki-11.0.0-beta1.tar.gz

.pki-core.metadata

@@ -0,0 +1 @@
+16b25f34cfa3690f5f2601a0be841586ca410b75 SOURCES/pki-11.0.0-beta1.tar.gz

SOURCES/0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch

@@ -0,0 +1,70 @@
+From 1a7e9b493fc3cfbbd74ab9009fa840c5dcb55c8c Mon Sep 17 00:00:00 2001
+From: jmagne <jmagne@redhat.com>
+Date: Thu, 16 Sep 2021 15:48:37 -0700
+Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
+ in FIPS mode (RHEL-8.5) (#3742)
+
+It looks like this is an issue in FIPS mode because when we restart the subsystem, there is a pki command
+that runs before the server runs. In order for this command to succeed, we must alter the python script that
+runs pki commands to add the following switch to turn off fips mode in java: "-Dcom.redhat.fips=false".
+
+This allows the JSS proivder to be selected instead of a differnt one which doesn't work for us, when we are in
+fips mode.
+---
+ base/common/python/pki/cli/main.py | 11 ++++++++++-
+ base/common/share/etc/pki.conf     | 10 ++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py
+index b0ae6c6fc..bc215aaa4 100644
+--- a/base/common/python/pki/cli/main.py
++++ b/base/common/python/pki/cli/main.py
+@@ -98,6 +98,7 @@ class PKICLI(pki.cli.CLI):
+ 
+         java_path = os.getenv('PKI_JAVA_PATH')
+         java_home = os.getenv('JAVA_HOME')
++        java_fips_cmd = os.getenv('JAVA_FIPS_ENABLED')
+         pki_lib = os.getenv('PKI_LIB')
+         logging_config = os.getenv('PKI_LOGGING_CONFIG')
+ 
+@@ -113,7 +114,15 @@ class PKICLI(pki.cli.CLI):
+             cmd.extend(['/usr/bin/env', 'java'])
+ 
+         cmd.extend([
+-            '-cp', pki_lib + '/*',
++            '-cp', pki_lib + '/*'
++        ])
++
++        if java_fips_cmd is not None:
++            cmd.extend([
++                java_fips_cmd
++            ])
++
++        cmd.extend([
+             '-Djava.util.logging.config.file=' + logging_config,
+             'com.netscape.cmstools.cli.MainCLI'
+         ])
+diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
+index 17615b042..fd40ece3b 100644
+--- a/base/common/share/etc/pki.conf
++++ b/base/common/share/etc/pki.conf
+@@ -14,6 +14,16 @@ export JAVA_HOME
+ PKI_JAVA_PATH=${PKI_JAVA_PATH}
+ export PKI_JAVA_PATH
+ 
++# JVM options
++#
++# Command switch we want to tell java to observer fips mode
++# For the moment we want this to be false even if we really are
++# in fips mode, because we want the jss prover instead of the sun
++# fips provider to be selected.
++JAVA_FIPS_ENABLED="-Dcom.redhat.fips=false" # Disable FIPS mode
++
++export JAVA_FIPS_ENABLED
++
+ # JNI jar file location
+ JNI_JAR_DIR=/usr/lib/java
+ export JNI_JAR_DIR
+-- 
+2.31.1
+

SOURCES/0002-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch

@@ -0,0 +1,26 @@
+From 115778bf20812b271c81f19806332f14151dcb7d Mon Sep 17 00:00:00 2001
+From: Jack Magne <jmagne@redhat.com>
+Date: Thu, 23 Sep 2021 13:50:41 -0400
+Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
+ in FIPS mode (RHEL-8.5). Additional fix to this issue to account for our
+ standalone java tools.
+
+---
+ base/tools/templates/pki_java_command_wrapper.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/base/tools/templates/pki_java_command_wrapper.in b/base/tools/templates/pki_java_command_wrapper.in
+index 05650630d4..d68ed93a30 100644
+--- a/base/tools/templates/pki_java_command_wrapper.in
++++ b/base/tools/templates/pki_java_command_wrapper.in
+@@ -90,6 +90,7 @@ JAVA_OPTIONS=""
+ 
+ ${JAVA} ${JAVA_OPTIONS} \
+   -cp "${PKI_LIB}/*" \
++  -Dcom.redhat.fips=false \
+   -Djava.util.logging.config.file=${PKI_LOGGING_CONFIG} \
+   com.netscape.cmstools.${COMMAND} "$@"
+ 
+-- 
+2.31.1
+