parent
db5622a428
commit
c494b62b47
|
@ -82,3 +82,4 @@
|
|||
/pki-10.10.5.tar.gz
|
||||
/pki-10.11.0-alpha1.tar.gz
|
||||
/pki-11.0.0-alpha1.tar.gz
|
||||
/pki-11.0.0-beta1.tar.gz
|
||||
|
|
|
@ -0,0 +1,70 @@
|
|||
From 1a7e9b493fc3cfbbd74ab9009fa840c5dcb55c8c Mon Sep 17 00:00:00 2001
|
||||
From: jmagne <jmagne@redhat.com>
|
||||
Date: Thu, 16 Sep 2021 15:48:37 -0700
|
||||
Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
|
||||
in FIPS mode (RHEL-8.5) (#3742)
|
||||
|
||||
It looks like this is an issue in FIPS mode because when we restart the subsystem, there is a pki command
|
||||
that runs before the server runs. In order for this command to succeed, we must alter the python script that
|
||||
runs pki commands to add the following switch to turn off fips mode in java: "-Dcom.redhat.fips=false".
|
||||
|
||||
This allows the JSS proivder to be selected instead of a differnt one which doesn't work for us, when we are in
|
||||
fips mode.
|
||||
---
|
||||
base/common/python/pki/cli/main.py | 11 ++++++++++-
|
||||
base/common/share/etc/pki.conf | 10 ++++++++++
|
||||
2 files changed, 20 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py
|
||||
index b0ae6c6fc..bc215aaa4 100644
|
||||
--- a/base/common/python/pki/cli/main.py
|
||||
+++ b/base/common/python/pki/cli/main.py
|
||||
@@ -98,6 +98,7 @@ class PKICLI(pki.cli.CLI):
|
||||
|
||||
java_path = os.getenv('PKI_JAVA_PATH')
|
||||
java_home = os.getenv('JAVA_HOME')
|
||||
+ java_fips_cmd = os.getenv('JAVA_FIPS_ENABLED')
|
||||
pki_lib = os.getenv('PKI_LIB')
|
||||
logging_config = os.getenv('PKI_LOGGING_CONFIG')
|
||||
|
||||
@@ -113,7 +114,15 @@ class PKICLI(pki.cli.CLI):
|
||||
cmd.extend(['/usr/bin/env', 'java'])
|
||||
|
||||
cmd.extend([
|
||||
- '-cp', pki_lib + '/*',
|
||||
+ '-cp', pki_lib + '/*'
|
||||
+ ])
|
||||
+
|
||||
+ if java_fips_cmd is not None:
|
||||
+ cmd.extend([
|
||||
+ java_fips_cmd
|
||||
+ ])
|
||||
+
|
||||
+ cmd.extend([
|
||||
'-Djava.util.logging.config.file=' + logging_config,
|
||||
'com.netscape.cmstools.cli.MainCLI'
|
||||
])
|
||||
diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf
|
||||
index 17615b042..fd40ece3b 100644
|
||||
--- a/base/common/share/etc/pki.conf
|
||||
+++ b/base/common/share/etc/pki.conf
|
||||
@@ -14,6 +14,16 @@ export JAVA_HOME
|
||||
PKI_JAVA_PATH=${PKI_JAVA_PATH}
|
||||
export PKI_JAVA_PATH
|
||||
|
||||
+# JVM options
|
||||
+#
|
||||
+# Command switch we want to tell java to observer fips mode
|
||||
+# For the moment we want this to be false even if we really are
|
||||
+# in fips mode, because we want the jss prover instead of the sun
|
||||
+# fips provider to be selected.
|
||||
+JAVA_FIPS_ENABLED="-Dcom.redhat.fips=false" # Disable FIPS mode
|
||||
+
|
||||
+export JAVA_FIPS_ENABLED
|
||||
+
|
||||
# JNI jar file location
|
||||
JNI_JAR_DIR=/usr/lib/java
|
||||
export JNI_JAR_DIR
|
||||
--
|
||||
2.31.1
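Review bot: In the main.py hunk at `@@ -113,7 +114,15`, the test `if java_fips_cmd is not None:` lets an exported-but-empty `JAVA_FIPS_ENABLED` through, and the empty string then lands in `cmd` as its own argument ahead of `-Djava.util.logging.config.file=...`, where java would presumably read it as the main class and fail; `if java_fips_cmd:` avoids that. The value is also forwarded to the JVM unchecked, so whatever the calling environment puts in that variable becomes a JVM option for the pki CLI; accepting only the expected form, e.g. `if java_fips_cmd and java_fips_cmd.startswith('-Dcom.redhat.fips='):`, keeps it to the one switch this fix needs. The name reads as a boolean while it holds a full option string whose shipped default in pki.conf turns the JDK's FIPS mode off, so a comment at the `os.getenv('JAVA_FIPS_ENABLED')` line saying so and naming bug 2001576 would help whoever later revisits the "for the moment" workaround. The enclosing method starts and ends outside the hunk.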
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
From 115778bf20812b271c81f19806332f14151dcb7d Mon Sep 17 00:00:00 2001
|
||||
From: Jack Magne <jmagne@redhat.com>
|
||||
Date: Thu, 23 Sep 2021 13:50:41 -0400
|
||||
Subject: [PATCH] Fix Bug 2001576 - pki instance creation fails for IPA server
|
||||
in FIPS mode (RHEL-8.5). Additional fix to this issue to account for our
|
||||
standalone java tools.
|
||||
|
||||
---
|
||||
base/tools/templates/pki_java_command_wrapper.in | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/base/tools/templates/pki_java_command_wrapper.in b/base/tools/templates/pki_java_command_wrapper.in
|
||||
index 05650630d4..d68ed93a30 100644
|
||||
--- a/base/tools/templates/pki_java_command_wrapper.in
|
||||
+++ b/base/tools/templates/pki_java_command_wrapper.in
|
||||
@@ -90,6 +90,7 @@ JAVA_OPTIONS=""
|
||||
|
||||
${JAVA} ${JAVA_OPTIONS} \
|
||||
-cp "${PKI_LIB}/*" \
|
||||
+ -Dcom.redhat.fips=false \
|
||||
-Djava.util.logging.config.file=${PKI_LOGGING_CONFIG} \
|
||||
com.netscape.cmstools.${COMMAND} "$@"
|
||||
|
||||
--
|
||||
2.31.1
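Review bot: The added `-Dcom.redhat.fips=false \` line hard-codes the switch in the wrapper template, while the first patch makes the same switch configurable through `JAVA_FIPS_ENABLED` in pki.conf, so an administrator who changes or removes that setting would still get the override in every standalone tool. If the wrapper has pki.conf's exports in its environment (not visible in this hunk), `${JAVA_FIPS_ENABLED} \` in the same position would keep a single control point. Otherwise a comment above the line naming bug 2001576 and stating that the JSS provider is expected to be selected instead of the JDK's FIPS provider would record why FIPS mode is switched off for these tools on a FIPS host. The script continues outside the hunk.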
|
||||
|
413
pki-core.spec
|
@ -2,10 +2,13 @@
|
|||
Name: pki-core
|
||||
################################################################################
|
||||
|
||||
%global vendor_id redhat
|
||||
%global brand Red Hat
|
||||
%global product_name PKI
|
||||
%global product_id pki
|
||||
|
||||
Summary: %{brand} PKI Core Package
|
||||
# NOTE: Do not specify the theme for pki-core
|
||||
# global theme dogtag
|
||||
|
||||
Summary: %{product_name} Core Package
|
||||
URL: https://www.dogtagpki.org
|
||||
# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
|
||||
License: GPLv2 and LGPLv2
|
||||
|
@ -13,8 +16,8 @@ License: GPLv2 and LGPLv2
|
|||
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
|
||||
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
|
||||
Version: 11.0.0
|
||||
Release: 0.5.alpha1%{?_timestamp}%{?_commit_id}%{?dist}
|
||||
%global _phase -alpha1
|
||||
Release: 0.6.beta1%{?_timestamp}%{?_commit_id}%{?dist}
|
||||
%global _phase -beta1
|
||||
|
||||
# To create a tarball from a version tag:
|
||||
# $ git archive \
|
||||
|
@ -31,7 +34,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
|
|||
# > pki-VERSION-RELEASE.patch
|
||||
# Patch: pki-VERSION-RELEASE.patch
|
||||
|
||||
Patch1: admin-cert-p12.patch
|
||||
Patch1: 0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
|
||||
Patch2: 0002-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
|
||||
|
||||
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
|
||||
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
|
||||
|
@ -88,8 +92,7 @@ ExcludeArch: i686
|
|||
# If --with pkgs option is specified, only packages specified with
|
||||
# --with <package> will be built (inclusion method).
|
||||
|
||||
# bcond_with pkgs
|
||||
%global with_pkgs 1
|
||||
%bcond_with pkgs
|
||||
|
||||
# Define package_option macro to wrap bcond_with or bcond_without macro
|
||||
# depending on package selection method.
|
||||
|
@ -103,16 +106,13 @@ ExcludeArch: i686
|
|||
# Define --with <package> or --without <package> options depending on
|
||||
# package selection method.
|
||||
|
||||
# package_option base
|
||||
%global with_base 1
|
||||
# package_option server
|
||||
%global with_server 1
|
||||
# package_option acme
|
||||
%global with_acme 1
|
||||
# package_option ca
|
||||
%global with_ca 1
|
||||
# package_option kra
|
||||
%global with_kra 1
|
||||
%package_option base
|
||||
%package_option server
|
||||
%package_option acme
|
||||
%package_option ca
|
||||
%package_option kra
|
||||
|
||||
# NOTE: Do not build the following packages for pki-core
|
||||
# package_option ocsp
|
||||
# package_option tks
|
||||
# package_option tps
|
||||
|
@ -120,7 +120,6 @@ ExcludeArch: i686
|
|||
# package_option theme
|
||||
# package_option meta
|
||||
# package_option tests
|
||||
%global with_tests 1
|
||||
# package_option debug
|
||||
|
||||
%if ! %{with debug}
|
||||
|
@ -248,13 +247,13 @@ BuildRequires: nss-tools
|
|||
BuildRequires: openssl
|
||||
|
||||
# description for top-level package (if there is a separate meta package)
|
||||
%if "%{name}" != "%{vendor_id}-pki"
|
||||
%if "%{name}" != "%{product_id}"
|
||||
%description
|
||||
|
||||
%{brand} PKI is an enterprise software system designed
|
||||
%{product_name} is an enterprise software system designed
|
||||
to manage enterprise Public Key Infrastructure deployments.
|
||||
|
||||
PKI consists of the following components:
|
||||
%{product_name} consists of the following components:
|
||||
|
||||
* Automatic Certificate Management Environment (ACME) Responder
|
||||
* Certificate Authority (CA)
|
||||
|
@ -266,36 +265,32 @@ PKI consists of the following components:
|
|||
%endif
|
||||
|
||||
%if %{with meta}
|
||||
%if "%{name}" != "%{vendor_id}-pki"
|
||||
%if "%{name}" != "%{product_id}"
|
||||
################################################################################
|
||||
%package -n %{vendor_id}-pki
|
||||
%package -n %{product_id}
|
||||
################################################################################
|
||||
|
||||
Summary: %{brand} PKI Package
|
||||
Summary: %{product_name} Package
|
||||
%endif
|
||||
|
||||
Obsoletes: pki-console < %{version}
|
||||
Obsoletes: pki-console-theme < %{version}
|
||||
Obsoletes: idm-console-framework < 2.0
|
||||
|
||||
# Make certain that this 'meta' package requires the latest version(s)
|
||||
# of ALL PKI theme packages
|
||||
Requires: %{vendor_id}-pki-server-theme = %{version}
|
||||
%if %{with console}
|
||||
Requires: %{vendor_id}-pki-console-theme = %{version}
|
||||
%endif
|
||||
Requires: %{product_id}-server-theme = %{version}-%{release}
|
||||
|
||||
# Make certain that this 'meta' package requires the latest version(s)
|
||||
# of ALL PKI core packages
|
||||
Requires: pki-acme = %{version}
|
||||
Requires: pki-ca = %{version}
|
||||
Requires: pki-kra = %{version}
|
||||
Requires: pki-ocsp = %{version}
|
||||
Requires: pki-tks = %{version}
|
||||
Requires: pki-tps = %{version}
|
||||
Requires: %{product_id}-acme = %{version}-%{release}
|
||||
Requires: %{product_id}-ca = %{version}-%{release}
|
||||
Requires: %{product_id}-kra = %{version}-%{release}
|
||||
Requires: %{product_id}-ocsp = %{version}-%{release}
|
||||
Requires: %{product_id}-tks = %{version}-%{release}
|
||||
Requires: %{product_id}-tps = %{version}-%{release}
|
||||
|
||||
# Make certain that this 'meta' package requires the latest version(s)
|
||||
# of PKI console
|
||||
%if %{with console}
|
||||
Requires: pki-console = %{version}
|
||||
%endif
|
||||
Requires: pki-javadoc = %{version}
|
||||
Requires: %{product_id}-javadoc = %{version}-%{release}
|
||||
|
||||
# Make certain that this 'meta' package requires the latest version(s)
|
||||
# of ALL PKI clients -- except for s390/s390x where 'esc' is not built
|
||||
|
@ -304,16 +299,16 @@ Requires: esc >= 1.1.1
|
|||
%endif
|
||||
|
||||
# description for top-level package (unless there is a separate meta package)
|
||||
%if "%{name}" == "%{vendor_id}-pki"
|
||||
%if "%{name}" == "%{product_id}"
|
||||
%description
|
||||
%else
|
||||
%description -n %{vendor_id}-pki
|
||||
%description -n %{product_id}
|
||||
%endif
|
||||
|
||||
%{brand} PKI is an enterprise software system designed
|
||||
%{product_name} is an enterprise software system designed
|
||||
to manage enterprise Public Key Infrastructure deployments.
|
||||
|
||||
PKI consists of the following components:
|
||||
%{product_name} consists of the following components:
|
||||
|
||||
* Automatic Certificate Management Environment (ACME) Responder
|
||||
* Certificate Authority (CA)
|
||||
|
@ -327,10 +322,13 @@ PKI consists of the following components:
|
|||
|
||||
%if %{with base}
|
||||
################################################################################
|
||||
%package -n pki-symkey
|
||||
%package -n %{product_id}-symkey
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Symmetric Key Package
|
||||
Summary: %{product_name} Symmetric Key Package
|
||||
|
||||
Obsoletes: pki-symkey < %{version}-%{release}
|
||||
Provides: pki-symkey = %{version}-%{release}
|
||||
|
||||
Requires: %{java_headless}
|
||||
Requires: jpackage-utils >= 0:1.7.5-10
|
||||
|
@ -341,21 +339,20 @@ Requires: nss >= 3.38.0
|
|||
Conflicts: pki-symkey < %{version}
|
||||
Conflicts: pki-javadoc < %{version}
|
||||
Conflicts: pki-server-theme < %{version}
|
||||
%if %{with console}
|
||||
Conflicts: pki-console-theme < %{version}
|
||||
%endif
|
||||
|
||||
%description -n pki-symkey
|
||||
The PKI Symmetric Key Java Package supplies various native
|
||||
symmetric key operations to Java programs.
|
||||
%description -n %{product_id}-symkey
|
||||
This package provides library for symmetric key operations.
|
||||
|
||||
################################################################################
|
||||
%package -n pki-base
|
||||
%package -n %{product_id}-base
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Base Package
|
||||
Summary: %{product_name} Base Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-base < %{version}-%{release}
|
||||
Provides: pki-base = %{version}-%{release}
|
||||
|
||||
Requires: nss >= 3.36.1
|
||||
|
||||
Requires: python3-pki = %{version}-%{release}
|
||||
|
@ -365,28 +362,28 @@ Requires(post): python3-pki = %{version}-%{release}
|
|||
Conflicts: pki-symkey < %{version}
|
||||
Conflicts: pki-javadoc < %{version}
|
||||
Conflicts: pki-server-theme < %{version}
|
||||
%if %{with console}
|
||||
Conflicts: pki-console-theme < %{version}
|
||||
%endif
|
||||
|
||||
%description -n pki-base
|
||||
The PKI Base Package contains the common and client libraries and utilities
|
||||
written in Python.
|
||||
%description -n %{product_id}-base
|
||||
This package provides default configuration files for %{product_name} client.
|
||||
|
||||
################################################################################
|
||||
%package -n python3-pki
|
||||
%package -n python3-%{product_id}
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Python 3 Package
|
||||
Summary: %{product_name} Python 3 Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-base-python3 < %{version}
|
||||
Provides: pki-base-python3 = %{version}
|
||||
Obsoletes: python3-pki < %{version}-%{release}
|
||||
Provides: python3-pki = %{version}-%{release}
|
||||
|
||||
Obsoletes: pki-base-python3 < %{version}-%{release}
|
||||
Provides: pki-base-python3 = %{version}-%{release}
|
||||
|
||||
%if 0%{?fedora} || 0%{?rhel} > 8
|
||||
%{?python_provide:%python_provide python3-pki}
|
||||
%endif
|
||||
|
||||
Requires: pki-base = %{version}-%{release}
|
||||
Requires: %{product_id}-base = %{version}-%{release}
|
||||
Requires: python3 >= 3.5
|
||||
Requires: python3-cryptography
|
||||
Requires: python3-ldap
|
||||
|
@ -394,16 +391,19 @@ Requires: python3-lxml
|
|||
Requires: python3-requests >= 2.6.0
|
||||
Requires: python3-six
|
||||
|
||||
%description -n python3-pki
|
||||
This package contains PKI client library for Python 3.
|
||||
%description -n python3-%{product_id}
|
||||
This package provides common and client library for Python 3.
|
||||
|
||||
################################################################################
|
||||
%package -n pki-base-java
|
||||
%package -n %{product_id}-base-java
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Base Java Package
|
||||
Summary: %{product_name} Base Java Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-base-java < %{version}-%{release}
|
||||
Provides: pki-base-java = %{version}-%{release}
|
||||
|
||||
Requires: %{java_headless}
|
||||
Requires: apache-commons-cli
|
||||
Requires: apache-commons-codec
|
||||
|
@ -416,13 +416,12 @@ Requires: slf4j-jdk14
|
|||
Requires: jpackage-utils >= 0:1.7.5-10
|
||||
Requires: jss >= 5.0.0
|
||||
Requires: ldapjdk >= 5.0.0
|
||||
Requires: pki-base = %{version}-%{release}
|
||||
Requires: %{product_id}-base = %{version}-%{release}
|
||||
|
||||
%if 0%{?rhel} && 0%{?rhel} <= 8
|
||||
Requires: resteasy >= 3.0.26
|
||||
%else
|
||||
Requires: resteasy-client >= 3.0.17-1
|
||||
Requires: resteasy-jaxb-provider >= 3.0.17-1
|
||||
Requires: resteasy-core >= 3.0.17-1
|
||||
Requires: resteasy-jackson2-provider >= 3.0.17-1
|
||||
%endif
|
||||
|
@ -431,48 +430,53 @@ Requires: xalan-j2
|
|||
Requires: xerces-j2
|
||||
Requires: xml-commons-resolver
|
||||
|
||||
%description -n pki-base-java
|
||||
The PKI Base Java Package contains the common and client libraries and utilities
|
||||
written in Java.
|
||||
%description -n %{product_id}-base-java
|
||||
This package provides common and client libraries for Java.
|
||||
|
||||
################################################################################
|
||||
%package -n pki-tools
|
||||
%package -n %{product_id}-tools
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Tools Package
|
||||
Summary: %{product_name} Tools Package
|
||||
|
||||
Obsoletes: pki-tools < %{version}-%{release}
|
||||
Provides: pki-tools = %{version}-%{release}
|
||||
|
||||
Requires: openldap-clients
|
||||
Requires: nss-tools >= 3.36.1
|
||||
Requires: pki-base-java = %{version}-%{release}
|
||||
Requires: %{product_id}-base-java = %{version}-%{release}
|
||||
Requires: p11-kit-trust
|
||||
|
||||
# PKICertImport depends on certutil and openssl
|
||||
Requires: nss-tools
|
||||
Requires: openssl
|
||||
|
||||
%description -n pki-tools
|
||||
This package contains PKI executables that can be used to help make
|
||||
Certificate System into a more complete and robust PKI solution.
|
||||
%description -n %{product_id}-tools
|
||||
This package provides tools that can be used to help make
|
||||
%{product_name} into a more complete and robust PKI solution.
|
||||
|
||||
# with base
|
||||
%endif
|
||||
|
||||
%if %{with server}
|
||||
################################################################################
|
||||
%package -n pki-server
|
||||
%package -n %{product_id}-server
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Server Package
|
||||
Summary: %{product_name} Server Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-server < %{version}-%{release}
|
||||
Provides: pki-server = %{version}-%{release}
|
||||
|
||||
Requires: hostname
|
||||
|
||||
Requires: policycoreutils
|
||||
Requires: procps-ng
|
||||
Requires: openldap-clients
|
||||
Requires: openssl
|
||||
Requires: pki-symkey = %{version}-%{release}
|
||||
Requires: pki-tools = %{version}-%{release}
|
||||
Requires: %{product_id}-symkey = %{version}-%{release}
|
||||
Requires: %{product_id}-tools = %{version}-%{release}
|
||||
|
||||
Requires: keyutils
|
||||
|
||||
|
@ -492,7 +496,6 @@ Requires: tomcat >= 1:9.0.7
|
|||
|
||||
Requires: systemd
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
Requires(pre): shadow-utils
|
||||
Requires: tomcatjss >= 8.0.0
|
||||
|
@ -518,25 +521,27 @@ Provides: bundled(js-jquery-i18n-properties) = 1.2.7
|
|||
Provides: bundled(js-patternfly) = 3.59.2
|
||||
Provides: bundled(js-underscore) = 1.9.2
|
||||
|
||||
%description -n pki-server
|
||||
The PKI Server Package contains libraries and utilities needed by other
|
||||
PKI subsystems.
|
||||
%description -n %{product_id}-server
|
||||
This package provides libraries and utilities needed by %{product_name} services.
|
||||
|
||||
# with server
|
||||
%endif
|
||||
|
||||
%if %{with acme}
|
||||
################################################################################
|
||||
%package -n pki-acme
|
||||
%package -n %{product_id}-acme
|
||||
################################################################################
|
||||
|
||||
Summary: PKI ACME Package
|
||||
Summary: %{product_name} ACME Package
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: pki-server = %{version}-%{release}
|
||||
Obsoletes: pki-acme < %{version}-%{release}
|
||||
Provides: pki-acme = %{version}-%{release}
|
||||
|
||||
%description -n pki-acme
|
||||
The PKI ACME responder is a service that provides an automatic certificate
|
||||
Requires: %{product_id}-server = %{version}-%{release}
|
||||
|
||||
%description -n %{product_id}-acme
|
||||
%{product_name} ACME responder is a service that provides an automatic certificate
|
||||
management via ACME v2 protocol defined in RFC 8555.
|
||||
|
||||
# with acme
|
||||
|
@ -544,19 +549,21 @@ management via ACME v2 protocol defined in RFC 8555.
|
|||
|
||||
%if %{with ca}
|
||||
################################################################################
|
||||
%package -n pki-ca
|
||||
%package -n %{product_id}-ca
|
||||
################################################################################
|
||||
|
||||
Summary: PKI CA Package
|
||||
Summary: %{product_name} CA Package
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: pki-server = %{version}-%{release}
|
||||
Obsoletes: pki-ca < %{version}-%{release}
|
||||
Provides: pki-ca = %{version}-%{release}
|
||||
|
||||
Requires: %{product_id}-server = %{version}-%{release}
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
%description -n pki-ca
|
||||
The Certificate Authority (CA) is a required PKI subsystem which issues,
|
||||
%description -n %{product_id}-ca
|
||||
%{product_name} Certificate Authority (CA) is a required subsystem which issues,
|
||||
renews, revokes, and publishes certificates as well as compiling and
|
||||
publishing Certificate Revocation Lists (CRLs).
|
||||
|
||||
|
@ -569,19 +576,21 @@ where it obtains its own signing certificate from a public CA.
|
|||
|
||||
%if %{with kra}
|
||||
################################################################################
|
||||
%package -n pki-kra
|
||||
%package -n %{product_id}-kra
|
||||
################################################################################
|
||||
|
||||
Summary: PKI KRA Package
|
||||
Summary: %{product_name} KRA Package
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: pki-server = %{version}-%{release}
|
||||
Obsoletes: pki-kra < %{version}-%{release}
|
||||
Provides: pki-kra = %{version}-%{release}
|
||||
|
||||
Requires: %{product_id}-server = %{version}-%{release}
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
%description -n pki-kra
|
||||
The Key Recovery Authority (KRA) is an optional PKI subsystem that can act
|
||||
%description -n %{product_id}-kra
|
||||
%{product_name} Key Recovery Authority (KRA) is an optional subsystem that can act
|
||||
as a key archival facility. When configured in conjunction with the
|
||||
Certificate Authority (CA), the KRA stores private encryption keys as part of
|
||||
the certificate enrollment process. The key archival mechanism is triggered
|
||||
|
@ -600,19 +609,21 @@ since such archival would undermine non-repudiation properties of signing keys.
|
|||
|
||||
%if %{with ocsp}
|
||||
################################################################################
|
||||
%package -n pki-ocsp
|
||||
%package -n %{product_id}-ocsp
|
||||
################################################################################
|
||||
|
||||
Summary: PKI OCSP Package
|
||||
Summary: %{product_name} OCSP Package
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: pki-server = %{version}
|
||||
Obsoletes: pki-ocsp < %{version}-%{release}
|
||||
Provides: pki-ocsp = %{version}-%{release}
|
||||
|
||||
Requires: %{product_id}-server = %{version}-%{release}
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
%description -n pki-ocsp
|
||||
The Online Certificate Status Protocol (OCSP) Manager is an optional PKI
|
||||
%description -n %{product_id}-ocsp
|
||||
%{product_name} Online Certificate Status Protocol (OCSP) Manager is an optional
|
||||
subsystem that can act as a stand-alone OCSP service. The OCSP Manager
|
||||
performs the task of an online certificate validation authority by enabling
|
||||
OCSP-compliant clients to do real-time verification of certificates. Note
|
||||
|
@ -638,19 +649,21 @@ whenever they are issued or updated.
|
|||
|
||||
%if %{with tks}
|
||||
################################################################################
|
||||
%package -n pki-tks
|
||||
%package -n %{product_id}-tks
|
||||
################################################################################
|
||||
|
||||
Summary: PKI TKS Package
|
||||
Summary: %{product_name} TKS Package
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: pki-server = %{version}
|
||||
Obsoletes: pki-tks < %{version}-%{release}
|
||||
Provides: pki-tks = %{version}-%{release}
|
||||
|
||||
Requires: %{product_id}-server = %{version}-%{release}
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
%description -n pki-tks
|
||||
The Token Key Service (TKS) is an optional PKI subsystem that manages the
|
||||
%description -n %{product_id}-tks
|
||||
%{product_name} Token Key Service (TKS) is an optional subsystem that manages the
|
||||
master key(s) and the transport key(s) required to generate and distribute
|
||||
keys for hardware tokens. TKS provides the security between tokens and an
|
||||
instance of Token Processing System (TPS), where the security relies upon the
|
||||
|
@ -670,14 +683,16 @@ behind the firewall with restricted access.
|
|||
|
||||
%if %{with tps}
|
||||
################################################################################
|
||||
%package -n pki-tps
|
||||
%package -n %{product_id}-tps
|
||||
################################################################################
|
||||
|
||||
Summary: PKI TPS Package
|
||||
Summary: %{product_name} TPS Package
|
||||
|
||||
Requires: pki-server = %{version}
|
||||
Obsoletes: pki-tps < %{version}-%{release}
|
||||
Provides: pki-tps = %{version}-%{release}
|
||||
|
||||
Requires: %{product_id}-server = %{version}-%{release}
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
# additional runtime requirements needed to run native 'tpsclient'
|
||||
|
@ -686,8 +701,8 @@ Requires(postun): systemd-units
|
|||
Requires: nss-tools >= 3.36.1
|
||||
Requires: openldap-clients
|
||||
|
||||
%description -n pki-tps
|
||||
The Token Processing System (TPS) is an optional PKI subsystem that acts
|
||||
%description -n %{product_id}-tps
|
||||
%{product_name} Token Processing System (TPS) is an optional subsystem that acts
|
||||
as a Registration Authority (RA) for authenticating and processing
|
||||
enrollment requests, PIN reset requests, and formatting requests from
|
||||
the Enterprise Security Client (ESC).
|
||||
|
@ -711,77 +726,78 @@ smart card.
|
|||
|
||||
%if %{with javadoc}
|
||||
################################################################################
|
||||
%package -n pki-javadoc
|
||||
%package -n %{product_id}-javadoc
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Javadoc Package
|
||||
Summary: %{product_name} Javadoc Package
|
||||
BuildArch: noarch
|
||||
|
||||
Obsoletes: pki-javadoc < %{version}-%{release}
|
||||
Provides: pki-javadoc = %{version}-%{release}
|
||||
|
||||
# Ensure we end up with a useful installation
|
||||
Conflicts: pki-base < %{version}
|
||||
Conflicts: pki-symkey < %{version}
|
||||
Conflicts: pki-server-theme < %{version}
|
||||
%if %{with console}
|
||||
Conflicts: pki-console-theme < %{version}
|
||||
%endif
|
||||
|
||||
%description -n pki-javadoc
|
||||
This package contains PKI API documentation.
|
||||
%description -n %{product_id}-javadoc
|
||||
This package provides %{product_name} API documentation.
|
||||
|
||||
# with javadoc
|
||||
%endif
|
||||
|
||||
%if %{with console}
|
||||
################################################################################
|
||||
%package -n pki-console
|
||||
%package -n %{product_id}-console
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Console Package
|
||||
Summary: %{product_name} Console Package
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: idm-console-framework >= 1.2.0
|
||||
BuildRequires: idm-console-framework >= 2.0
|
||||
|
||||
Requires: idm-console-framework >= 1.2.0
|
||||
Requires: pki-base-java = %{version}
|
||||
Requires: pki-console-theme = %{version}
|
||||
Obsoletes: pki-console < %{version}-%{release}
|
||||
Provides: pki-console = %{version}-%{release}
|
||||
|
||||
%description -n pki-console
|
||||
The PKI Console is a Java application used to administer PKI server.
|
||||
Requires: idm-console-framework >= 2.0
|
||||
Requires: %{product_id}-base-java = %{version}-%{release}
|
||||
Requires: %{product_id}-console-theme = %{version}-%{release}
|
||||
|
||||
%description -n %{product_id}-console
|
||||
%{product_name} Console is a Java application used to administer %{product_name} Server.
|
||||
|
||||
# with console
|
||||
%endif
|
||||
|
||||
%if %{with theme}
|
||||
################################################################################
|
||||
%package -n %{vendor_id}-pki-server-theme
|
||||
%package -n %{product_id}-server-theme
|
||||
################################################################################
|
||||
|
||||
Summary: %{brand} PKI Server Theme Package
|
||||
Summary: %{product_name} Server Theme Package
|
||||
BuildArch: noarch
|
||||
|
||||
Provides: pki-server-theme = %{version}
|
||||
Obsoletes: pki-server-theme < %{version}-%{release}
|
||||
Provides: pki-server-theme = %{version}-%{release}
|
||||
|
||||
# Ensure we end up with a useful installation
|
||||
Conflicts: pki-base < %{version}
|
||||
Conflicts: pki-symkey < %{version}
|
||||
%if %{with console}
|
||||
Conflicts: pki-console-theme < %{version}
|
||||
%endif
|
||||
Conflicts: pki-javadoc < %{version}
|
||||
|
||||
%description -n %{vendor_id}-pki-server-theme
|
||||
This PKI Server Theme Package contains
|
||||
%{brand} textual and graphical user interface for PKI Server.
|
||||
%description -n %{product_id}-server-theme
|
||||
This package provides theme files for %{product_name} Server.
|
||||
|
||||
%if %{with console}
|
||||
################################################################################
|
||||
%package -n %{vendor_id}-pki-console-theme
|
||||
%package -n %{product_id}-console-theme
|
||||
################################################################################
|
||||
|
||||
Summary: %{brand} PKI Console Theme Package
|
||||
Summary: %{product_name} Console Theme Package
|
||||
BuildArch: noarch
|
||||
|
||||
Provides: pki-console-theme = %{version}
|
||||
Obsoletes: pki-console-theme < %{version}-%{release}
|
||||
Provides: pki-console-theme = %{version}-%{release}
|
||||
|
||||
# Ensure we end up with a useful installation
|
||||
Conflicts: pki-base < %{version}
|
||||
|
@ -789,9 +805,8 @@ Conflicts: pki-symkey < %{version}
|
|||
Conflicts: pki-server-theme < %{version}
|
||||
Conflicts: pki-javadoc < %{version}
|
||||
|
||||
%description -n %{vendor_id}-pki-console-theme
|
||||
This PKI Console Theme Package contains
|
||||
%{brand} textual and graphical user interface for PKI Console.
|
||||
%description -n %{product_id}-console-theme
|
||||
This package provides theme files for %{product_name} Console.
|
||||
|
||||
# with console
|
||||
%endif
|
||||
|
@ -801,14 +816,20 @@ This PKI Console Theme Package contains
|
|||
|
||||
%if %{with tests}
|
||||
################################################################################
|
||||
%package -n pki-tests
|
||||
%package -n %{product_id}-tests
|
||||
################################################################################
|
||||
|
||||
Summary: PKI Tests
|
||||
Summary: %{product_name} Tests
|
||||
BuildArch: noarch
|
||||
|
||||
%description -n pki-tests
|
||||
This package contains PKI test suite.
|
||||
Obsoletes: pki-tests < %{version}-%{release}
|
||||
Provides: pki-tests = %{version}-%{release}
|
||||
|
||||
Requires: python3-pylint
|
||||
Requires: python3-flake8
|
||||
|
||||
%description -n %{product_id}-tests
|
||||
This package provides test suite for %{product_name}.
|
||||
|
||||
# with tests
|
||||
%endif
|
||||
|
@ -866,7 +887,7 @@ cd build
|
|||
-DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \
|
||||
-DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \
|
||||
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \
|
||||
-DTHEME=%{?with_theme:%{vendor_id}} \
|
||||
-DTHEME=%{?with_theme:%{theme}} \
|
||||
%if 0%{?rhel} && 0%{?rhel} <= 8
|
||||
..
|
||||
%else
|
||||
|
@ -913,7 +934,7 @@ ctest --output-on-failure
|
|||
|
||||
cat > %{buildroot}%{_datadir}/doc/pki/README << EOF
|
||||
This package is a "meta-package" whose dependencies pull in all of the
|
||||
packages comprising the %{brand} Public Key Infrastructure (PKI) Suite.
|
||||
packages comprising the %{product_name} Suite.
|
||||
EOF
|
||||
|
||||
# with meta
|
||||
|
@ -953,7 +974,7 @@ fi
|
|||
|
||||
%if %{with server}
|
||||
|
||||
%pre -n pki-server
|
||||
%pre -n %{product_id}-server
|
||||
getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname}
|
||||
if ! getent passwd %{pki_username} >/dev/null ; then
|
||||
useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username}
|
||||
|
@ -965,7 +986,7 @@ exit 0
|
|||
|
||||
%if %{with base}
|
||||
|
||||
%post -n pki-base
|
||||
%post -n %{product_id}-base
|
||||
|
||||
if [ $1 -eq 1 ]
|
||||
then
|
||||
|
@ -979,7 +1000,7 @@ else
|
|||
echo >> /var/log/pki/pki-upgrade-%{version}.log
|
||||
fi
|
||||
|
||||
%postun -n pki-base
|
||||
%postun -n %{product_id}-base
|
||||
|
||||
if [ $1 -eq 0 ]
|
||||
then
|
||||
|
@ -992,11 +1013,7 @@ fi
|
|||
|
||||
%if %{with server}
|
||||
|
||||
%post -n pki-server
|
||||
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
|
||||
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
|
||||
## PKI deployment process
|
||||
|
||||
%post -n %{product_id}-server
|
||||
# CVE-2021-3551
|
||||
# Remove world access from existing installation logs
|
||||
find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
|
||||
|
@ -1007,24 +1024,13 @@ then
|
|||
systemctl daemon-reload
|
||||
fi
|
||||
|
||||
## preun -n pki-server
|
||||
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
|
||||
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
|
||||
## PKI deployment process
|
||||
|
||||
|
||||
## postun -n pki-server
|
||||
## NOTE: At this time, NO attempt has been made to update ANY PKI subsystem
|
||||
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
|
||||
## PKI deployment process
|
||||
|
||||
# with server
|
||||
%endif
|
||||
|
||||
%if %{with meta}
|
||||
%if "%{name}" != "%{vendor_id}-pki"
|
||||
%if "%{name}" != "%{product_id}"
|
||||
################################################################################
|
||||
%files -n %{vendor_id}-pki
|
||||
%files -n %{product_id}
|
||||
################################################################################
|
||||
%else
|
||||
%files
|
||||
|
@ -1037,7 +1043,7 @@ fi
|
|||
|
||||
%if %{with base}
|
||||
################################################################################
|
||||
%files -n pki-symkey
|
||||
%files -n %{product_id}-symkey
|
||||
################################################################################
|
||||
|
||||
%license base/symkey/LICENSE
|
||||
|
@ -1045,7 +1051,7 @@ fi
|
|||
%{_libdir}/symkey/
|
||||
|
||||
################################################################################
|
||||
%files -n pki-base
|
||||
%files -n %{product_id}-base
|
||||
################################################################################
|
||||
|
||||
%license base/common/LICENSE
|
||||
|
@ -1071,7 +1077,7 @@ fi
|
|||
%{_mandir}/man8/pki-upgrade.8.gz
|
||||
|
||||
################################################################################
|
||||
%files -n pki-base-java
|
||||
%files -n %{product_id}-base-java
|
||||
################################################################################
|
||||
|
||||
%license base/common/LICENSE
|
||||
|
@ -1083,7 +1089,7 @@ fi
|
|||
%{_javadir}/pki/pki-certsrv.jar
|
||||
|
||||
################################################################################
|
||||
%files -n python3-pki
|
||||
%files -n python3-%{product_id}
|
||||
################################################################################
|
||||
|
||||
%license base/common/LICENSE
|
||||
|
@ -1094,12 +1100,13 @@ fi
|
|||
%{python3_sitelib}/pki
|
||||
|
||||
################################################################################
|
||||
%files -n pki-tools
|
||||
%files -n %{product_id}-tools
|
||||
################################################################################
|
||||
|
||||
%license base/tools/LICENSE
|
||||
%doc base/tools/doc/README
|
||||
%{_bindir}/p7tool
|
||||
%{_bindir}/p12tool
|
||||
%{_bindir}/pistool
|
||||
%{_bindir}/pki
|
||||
%{_bindir}/revoker
|
||||
|
@ -1168,7 +1175,7 @@ fi
|
|||
|
||||
%if %{with server}
|
||||
################################################################################
|
||||
%files -n pki-server
|
||||
%files -n %{product_id}-server
|
||||
################################################################################
|
||||
|
||||
%license base/common/THIRD_PARTY_LICENSES
|
||||
|
@ -1229,7 +1236,7 @@ fi
|
|||
|
||||
%if %{with acme}
|
||||
################################################################################
|
||||
%files -n pki-acme
|
||||
%files -n %{product_id}-acme
|
||||
################################################################################
|
||||
|
||||
%{_javadir}/pki/pki-acme.jar
|
||||
|
@ -1240,7 +1247,7 @@ fi
|
|||
|
||||
%if %{with ca}
|
||||
################################################################################
|
||||
%files -n pki-ca
|
||||
%files -n %{product_id}-ca
|
||||
################################################################################
|
||||
|
||||
%license base/ca/LICENSE
|
||||
|
@ -1252,7 +1259,7 @@ fi
|
|||
|
||||
%if %{with kra}
|
||||
################################################################################
|
||||
%files -n pki-kra
|
||||
%files -n %{product_id}-kra
|
||||
################################################################################
|
||||
|
||||
%license base/kra/LICENSE
|
||||
|
@ -1264,7 +1271,7 @@ fi
|
|||
|
||||
%if %{with ocsp}
|
||||
################################################################################
|
||||
%files -n pki-ocsp
|
||||
%files -n %{product_id}-ocsp
|
||||
################################################################################
|
||||
|
||||
%license base/ocsp/LICENSE
|
||||
|
@ -1276,7 +1283,7 @@ fi
|
|||
|
||||
%if %{with tks}
|
||||
################################################################################
|
||||
%files -n pki-tks
|
||||
%files -n %{product_id}-tks
|
||||
################################################################################
|
||||
|
||||
%license base/tks/LICENSE
|
||||
|
@ -1288,7 +1295,7 @@ fi
|
|||
|
||||
%if %{with tps}
|
||||
################################################################################
|
||||
%files -n pki-tps
|
||||
%files -n %{product_id}-tps
|
||||
################################################################################
|
||||
|
||||
%license base/tps/LICENSE
|
||||
|
@ -1310,17 +1317,17 @@ fi
|
|||
|
||||
%if %{with javadoc}
|
||||
################################################################################
|
||||
%files -n pki-javadoc
|
||||
%files -n %{product_id}-javadoc
|
||||
################################################################################
|
||||
|
||||
%{_javadocdir}/pki-%{version}/
|
||||
%{_javadocdir}/pki/
|
||||
|
||||
# with javadoc
|
||||
%endif
|
||||
|
||||
%if %{with console}
|
||||
################################################################################
|
||||
%files -n pki-console
|
||||
%files -n %{product_id}-console
|
||||
################################################################################
|
||||
|
||||
%license base/console/LICENSE
|
||||
|
@ -1332,10 +1339,10 @@ fi
|
|||
|
||||
%if %{with theme}
|
||||
################################################################################
|
||||
%files -n %{vendor_id}-pki-server-theme
|
||||
%files -n %{product_id}-server-theme
|
||||
################################################################################
|
||||
|
||||
%license themes/%{vendor_id}/common-ui/LICENSE
|
||||
%license themes/%{theme}/common-ui/LICENSE
|
||||
%dir %{_datadir}/pki
|
||||
%{_datadir}/pki/CS_SERVER_VERSION
|
||||
%{_datadir}/pki/common-ui/
|
||||
|
@ -1351,10 +1358,10 @@ fi
|
|||
|
||||
%if %{with console}
|
||||
################################################################################
|
||||
%files -n %{vendor_id}-pki-console-theme
|
||||
%files -n %{product_id}-console-theme
|
||||
################################################################################
|
||||
|
||||
%license themes/%{vendor_id}/console-ui/LICENSE
|
||||
%license themes/%{theme}/console-ui/LICENSE
|
||||
%{_javadir}/pki/pki-console-theme.jar
|
||||
|
||||
# with console
|
||||
|
@ -1365,7 +1372,7 @@ fi
|
|||
|
||||
%if %{with tests}
|
||||
################################################################################
|
||||
%files -n pki-tests
|
||||
%files -n %{product_id}-tests
|
||||
################################################################################
|
||||
|
||||
%{_datadir}/pki/tests/
|
||||
|
@ -1375,6 +1382,10 @@ fi
|
|||
|
||||
################################################################################
|
||||
%changelog
|
||||
* Thu Sep 30 2021 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.0.0-0.6.beta1
|
||||
- Rebase to PKI 11.0.0-beta1
|
||||
- Bug #1999052 - pki instance creation fails for IPA server
|
||||
|
||||
* Thu Sep 09 2021 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.0.0-0.5.alpha1
|
||||
- Drop BuildRequires and Requires on glassfish-jaxb-api and jaxb-impl
|
||||
Resolves #2002594
|
||||
|
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (pki-11.0.0-alpha1.tar.gz) = 7dd458897d63a2aaba7e8cf62f74537cc7ba7798b5a5f6df5b6b3bee15ff00e1f6397540a23556eb25e86da3562d9723f66a14c619c25014e542a664023769d5
|
||||
SHA512 (pki-11.0.0-beta1.tar.gz) = 66762825f9120d65712e33708199be4f9951fe1328e924d134b89e47b440bb862b8bbfe1dfa025d1e532439324c4a46ca2fd0e2451fc433ff6d5c9a61613ed61
|
||||
|
|