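################################################################################
Name: pki
################################################################################

# Don't use macros in these params since they need to be parsed by build.sh
%global vendor_id dogtag
%global product_name Dogtag PKI
%global product_id dogtag-pki
%global theme dogtag

# Upstream version number:
%global major_version 11
%global minor_version 7
%global update_version 0

# Downstream release number:
# - development/stabilization (unsupported): 0.<n> where n >= 1
# - GA/update (supported): <n> where n >= 1
%global release_number 0.1

# Development phase:
# - development (unsupported): alpha<n> where n >= 1
# - stabilization (unsupported): beta<n> where n >= 1
# - GA/update (supported): <none>
%global phase alpha1

%undefine timestamp
%undefine commit_id

Summary: %{product_name} Package
URL: https://www.dogtagpki.org
# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
License: GPL-2.0-only AND LGPL-2.0-only
Version: 11.7.0
Release: 0.20250527143350301151.master.313.gd8c32dba67%{?dist}

# To create a tarball from a version tag:
# $ git archive \
#     --format=tar.gz \
#     --prefix pki-<version>/ \
#     -o pki-<version>.tar.gz \
#     <version tag>
Source: pki-11.7.0.tar.gz

# To create a patch for all changes since a version tag:
# $ git format-patch \
#     --stdout \
#     <version tag> \
#     > pki-VERSION-RELEASE.patch
# Patch: pki-VERSION-RELEASE.patch

%if 0%{?java_arches:1}
ExclusiveArch: %{java_arches}
%else
ExcludeArch: i686
%endif

################################################################################
# PKCS #11 Kit Trust
################################################################################

%global p11_kit_trust /usr/lib64/pkcs11/p11-kit-trust.so

################################################################################
# Java
################################################################################

# use Java 17 on Fedora 39 or older and RHEL 9 or older
# otherwise, use Java 21

# maven-local is a subpackage of javapackages-tools

%if 0%{?fedora} && 0%{?fedora} <= 39 || 0%{?rhel} && 0%{?rhel} <= 9

%define java_runtime java-17-openjdk
%define java_devel java-17-openjdk-devel
%define java_headless java-17-openjdk-headless
%define java_home %{_jvmdir}/jre-17-openjdk
%define maven_local maven-local-openjdk17

%else

%define java_runtime java-21-openjdk
%define java_devel java-21-openjdk-devel
%define java_headless java-21-openjdk-headless
%define java_home %{_jvmdir}/jre-21-openjdk
%define maven_local maven-local

%endif

################################################################################
# Application Server
################################################################################

%global app_server tomcat-9.0

################################################################################
# PKI
################################################################################

# Use external build dependencies unless --without build_deps is specified.
%bcond_without build_deps

# Use bundled runtime dependencies unless --with runtime_deps is specified.
%bcond_with runtime_deps

# Build with Maven unless --without maven is specified.
%bcond_without maven

# Execute unit tests unless --without test is specified.
%bcond_without test

# Build the package unless --without <package> is specified.

%bcond_without base
%bcond_without server
%bcond_without acme
%bcond_without ca
%bcond_without esc
%bcond_without est
%bcond_without kra
%bcond_without ocsp
%bcond_without tks
%bcond_without tps
%bcond_without javadoc
%bcond_without theme
%bcond_without meta
%bcond_without tests
%bcond_without debug

# Don't build console unless --with console is specified.
%bcond_with console

%if ! %{with debug}
%define debug_package %{nil}
%endif

# ignore unpackaged files from native 'tpsclient'
# REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app
# NOTE(review): the setting is spec-wide, so a file installed by any component
# but missing from a files list no longer stops the build; it is only reported
# as a warning. Review the build log for unexpected unpackaged files.
%define _unpackaged_files_terminate_build 0

# The PKI UID and GID are preallocated, see:
# https://bugzilla.redhat.com/show_bug.cgi?id=476316
# https://bugzilla.redhat.com/show_bug.cgi?id=476782
# https://pagure.io/setup/blob/master/f/uidgid
# /usr/share/doc/setup/uidgid
%define pki_username pkiuser
%define pki_uid 17
%define pki_groupname pkiuser
%define pki_gid 17

# Create a home directory for PKI user at /home/pkiuser
# to store rootless Podman container.
%define pki_homedir /home/%{pki_username}

# Scriptlet helper: keep a copy of the installed SELinux file_contexts for the
# policy type given as the first macro argument, suffixed with the package
# name, for a later relabel() call. Does nothing unless /etc/selinux/config is
# non-empty, SELINUXTYPE matches the argument and the file_contexts file exists.
# The tests use POSIX "=" and separate [ ] clauses, and expansions are quoted,
# so the snippet does not depend on bash extensions or on word splitting.
%global saveFileContext() \
if [ -s /etc/selinux/config ]; then \
     . %{_sysconfdir}/selinux/config; \
     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
     if [ "${SELINUXTYPE}" = "%1" ] && [ -f "${FILE_CONTEXT}" ]; then \
          cp -f "${FILE_CONTEXT}" "${FILE_CONTEXT}.%{name}"; \
     fi \
fi;

# Scriptlet helper: when SELinux is enabled, SELINUXTYPE matches the macro
# argument and a copy saved by saveFileContext exists, run fixfiles against
# the saved copy and then delete it.
# The config file is checked before it is sourced, as saveFileContext does:
# sourcing a missing file is an error and can end a POSIX-mode shell, which
# would fail the calling scriptlet on hosts without an SELinux configuration.
%global relabel() \
if [ -s /etc/selinux/config ]; then \
     . %{_sysconfdir}/selinux/config; \
     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
     if selinuxenabled && [ "${SELINUXTYPE}" = "%1" ] && [ -f "${FILE_CONTEXT}.%{name}" ]; then \
          fixfiles -C "${FILE_CONTEXT}.%{name}" restore; \
          rm -f "${FILE_CONTEXT}.%{name}"; \
     fi \
fi;

################################################################################
# Build Dependencies
################################################################################

BuildRequires: make
BuildRequires: cmake
BuildRequires: gcc-c++
BuildRequires: zip
BuildRequires: nspr-devel
BuildRequires: nss-devel >= 3.36.1
BuildRequires: openldap-devel
BuildRequires: pkgconfig
BuildRequires: policycoreutils

# Java build dependencies
BuildRequires: %{java_devel}
BuildRequires: %{maven_local}
%if 0%{?fedora}
BuildRequires: xmvn-tools
%endif
BuildRequires: javapackages-tools

%if %{without runtime_deps}
BuildRequires: xmlstarlet
%endif

BuildRequires: mvn(commons-cli:commons-cli)
BuildRequires: mvn(commons-codec:commons-codec)
BuildRequires: mvn(commons-io:commons-io)
BuildRequires: mvn(commons-logging:commons-logging)
BuildRequires: mvn(commons-net:commons-net)
BuildRequires: mvn(org.apache.commons:commons-lang3)
BuildRequires: mvn(org.apache.httpcomponents:httpclient)
BuildRequires: mvn(org.slf4j:slf4j-api)
BuildRequires: mvn(xml-apis:xml-apis)
BuildRequires: mvn(xml-resolver:xml-resolver)
BuildRequires: mvn(org.junit.jupiter:junit-jupiter-api)

%if %{with build_deps}
BuildRequires: mvn(jakarta.activation:jakarta.activation-api)
BuildRequires: mvn(jakarta.annotation:jakarta.annotation-api)
BuildRequires: mvn(jakarta.xml.bind:jakarta.xml.bind-api)
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations)
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core)
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-databind)
BuildRequires: mvn(com.fasterxml.jackson.module:jackson-module-jaxb-annotations)
BuildRequires: mvn(com.fasterxml.jackson.jaxrs:jackson-jaxrs-base)
BuildRequires: mvn(com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider)
BuildRequires: 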
mvn(org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.0_spec) BuildRequires: mvn(org.jboss.logging:jboss-logging) BuildRequires: mvn(org.jboss.resteasy:resteasy-jaxrs) BuildRequires: mvn(org.jboss.resteasy:resteasy-jackson2-provider) BuildRequires: mvn(org.jboss.resteasy:resteasy-servlet-initializer) %endif BuildRequires: mvn(org.apache.tomcat:tomcat-catalina) >= 9.0.62 BuildRequires: mvn(org.apache.tomcat:tomcat-servlet-api) >= 9.0.62 BuildRequires: mvn(org.apache.tomcat:tomcat-jaspic-api) >= 9.0.62 BuildRequires: mvn(org.apache.tomcat:tomcat-util-scan) >= 9.0.62 %if 0%{?rhel} && 0%{?rhel} >= 10 BuildRequires: tomcat9-lib %endif BuildRequires: mvn(org.dogtagpki.jss:jss-base) >= 5.7 BuildRequires: mvn(org.dogtagpki.jss:jss-tomcat) >= 5.7 BuildRequires: mvn(org.dogtagpki.ldap-sdk:ldapjdk) >= 5.6.0 # Python build dependencies BuildRequires: python3 >= 3.6 BuildRequires: python3-devel BuildRequires: python3-setuptools BuildRequires: python3-cryptography BuildRequires: python3-lxml BuildRequires: python3-ldap BuildRequires: python3-libselinux BuildRequires: python3-requests >= 2.6.0 BuildRequires: python3-six BuildRequires: python3-sphinx BuildRequires: systemd-units # additional build requirements needed to build native 'tpsclient' # REMINDER: Revisit these once 'tpsclient' is rewritten as a Java app BuildRequires: apr-devel BuildRequires: apr-util-devel BuildRequires: cyrus-sasl-devel BuildRequires: httpd-devel >= 2.4.2 BuildRequires: systemd # build dependency to build man pages BuildRequires: golang-github-cpuguy83-md2man # pki-healthcheck depends on the following library %if 0%{?rhel} BuildRequires: ipa-healthcheck-core %else BuildRequires: freeipa-healthcheck-core %endif # PKICertImport depends on certutil and openssl BuildRequires: nss-tools BuildRequires: openssl # description for top-level package (if there is a separate meta package) %if "%{name}" != "%{product_id}" %description %{product_name} is an enterprise software system designed to manage enterprise Public 
Key Infrastructure deployments. %{product_name} consists of the following components: * Certificate Authority (CA) * Key Recovery Authority (KRA) * Online Certificate Status Protocol (OCSP) Manager * Token Key Service (TKS) * Token Processing Service (TPS) * Automatic Certificate Management Environment (ACME) Responder * Enrollment over Secure Transport (EST) Responder %endif %if %{with meta} %if "%{name}" != "%{product_id}" ################################################################################ %package -n %{product_id} ################################################################################ Summary: %{product_name} Package %endif Obsoletes: pki-symkey < %{version} Obsoletes: %{product_id}-symkey < %{version} Obsoletes: pki-console < %{version} Obsoletes: pki-console-theme < %{version} %if %{with base} Requires: %{product_id}-base = %{version}-%{release} Requires: python3-%{product_id} = %{version}-%{release} Requires: %{product_id}-java = %{version}-%{release} Requires: %{product_id}-tools = %{version}-%{release} %endif %if %{with server} Requires: %{product_id}-server = %{version}-%{release} %endif %if %{with acme} Requires: %{product_id}-acme = %{version}-%{release} %else Obsoletes: pki-acme < %{version} Conflicts: pki-acme < %{version} Obsoletes: %{product_id}-acme < %{version} Conflicts: %{product_id}-acme < %{version} %endif %if %{with ca} Requires: %{product_id}-ca = %{version}-%{release} %else Obsoletes: pki-ca < %{version} Conflicts: pki-ca < %{version} Obsoletes: %{product_id}-ca < %{version} Conflicts: %{product_id}-ca < %{version} %endif %if %{with est} Requires: %{product_id}-est = %{version}-%{release} %else Obsoletes: pki-est < %{version} Conflicts: pki-est < %{version} Obsoletes: %{product_id}-est < %{version} Conflicts: %{product_id}-est < %{version} %endif %if %{with kra} Requires: %{product_id}-kra = %{version}-%{release} %else Obsoletes: pki-kra < %{version} Conflicts: pki-kra < %{version} Obsoletes: %{product_id}-kra < 
%{version} Conflicts: %{product_id}-kra < %{version} %endif %if %{with ocsp} Requires: %{product_id}-ocsp = %{version}-%{release} %else Obsoletes: pki-ocsp < %{version} Conflicts: pki-ocsp < %{version} Obsoletes: %{product_id}-ocsp < %{version} Conflicts: %{product_id}-ocsp < %{version} %endif %if %{with tks} Requires: %{product_id}-tks = %{version}-%{release} %else Obsoletes: pki-tks < %{version} Conflicts: pki-tks < %{version} Obsoletes: %{product_id}-tks < %{version} Conflicts: %{product_id}-tks < %{version} %endif %if %{with tps} Requires: %{product_id}-tps = %{version}-%{release} %else Obsoletes: pki-tps < %{version} Conflicts: pki-tps < %{version} Obsoletes: %{product_id}-tps < %{version} Conflicts: %{product_id}-tps < %{version} %endif %if %{with javadoc} Requires: %{product_id}-javadoc = %{version}-%{release} %else Obsoletes: pki-javadoc < %{version} Conflicts: pki-javadoc < %{version} Obsoletes: %{product_id}-javadoc < %{version} Conflicts: %{product_id}-javadoc < %{version} %endif %if %{with console} Requires: %{product_id}-console = %{version}-%{release} %else Obsoletes: pki-console < %{version} Conflicts: pki-console < %{version} Obsoletes: %{product_id}-console < %{version} Conflicts: %{product_id}-console < %{version} %endif %if %{with theme} Requires: %{product_id}-theme = %{version}-%{release} %if %{with console} Requires: %{product_id}-console-theme = %{version}-%{release} %endif %else Obsoletes: pki-theme < %{version} Conflicts: pki-theme < %{version} Obsoletes: %{product_id}-theme < %{version} Conflicts: %{product_id}-theme < %{version} Obsoletes: pki-console-theme < %{version} Conflicts: pki-console-theme < %{version} Obsoletes: %{product_id}-console-theme < %{version} Conflicts: %{product_id}-console-theme < %{version} %endif %if %{with tests} Requires: %{product_id}-tests = %{version}-%{release} %endif %if %{with esc} # Make certain that this 'meta' package requires the latest version(s) # of ALL PKI clients -- except for s390/s390x where 
'esc' is not built %ifnarch s390 s390x Requires: esc >= 1.1.2 %endif %else Obsoletes: esc <= 1.1.2 Conflicts: esc <= 1.1.2 %endif # description for top-level package (unless there is a separate meta package) %if "%{name}" == "%{product_id}" %description %else %description -n %{product_id} %endif %{product_name} is an enterprise software system designed to manage enterprise Public Key Infrastructure deployments. %{product_name} consists of the following components: * Certificate Authority (CA) * Key Recovery Authority (KRA) * Online Certificate Status Protocol (OCSP) Manager * Token Key Service (TKS) * Token Processing Service (TPS) * Automatic Certificate Management Environment (ACME) Responder * Enrollment over Secure Transport (EST) Responder # with meta %endif %if %{with base} ################################################################################ %package -n %{product_id}-base ################################################################################ Summary: %{product_name} Base Package BuildArch: noarch Obsoletes: pki-base < %{version}-%{release} Provides: pki-base = %{version}-%{release} Requires: nss >= 3.36.1 Requires: python3-pki = %{version}-%{release} Requires(post): python3-pki = %{version}-%{release} # Ensure we end up with a useful installation Conflicts: pki-javadoc < %{version} Conflicts: pki-server-theme < %{version} Conflicts: %{product_id}-theme < %{version} %description -n %{product_id}-base This package provides default configuration files for %{product_name} client. 
################################################################################
%package -n python3-%{product_id}
################################################################################

Summary: %{product_name} Python 3 Package
BuildArch: noarch

Obsoletes: python3-pki < %{version}-%{release}
Provides: python3-pki = %{version}-%{release}

Obsoletes: pki-base-python3 < %{version}-%{release}
Provides: pki-base-python3 = %{version}-%{release}

%{?python_provide:%python_provide python3-pki}

Requires: %{product_id}-base = %{version}-%{release}
Requires: python3 >= 3.6
Requires: python3-cryptography
Requires: python3-ldap
Requires: python3-lxml
Requires: python3-requests >= 2.6.0
Requires: python3-six

%description -n python3-%{product_id}
This package provides common and client library for Python 3.

################################################################################
%package -n %{product_id}-java
################################################################################

Summary: %{product_name} Base Java Package
BuildArch: noarch

Obsoletes: pki-base-java < %{version}-%{release}
Provides: pki-base-java = %{version}-%{release}

Obsoletes: %{product_id}-base-java < %{version}-%{release}
Provides: %{product_id}-base-java = %{version}-%{release}

Requires: %{java_headless}
Requires: mvn(commons-cli:commons-cli)
Requires: mvn(commons-codec:commons-codec)
Requires: mvn(commons-io:commons-io)
Requires: mvn(commons-logging:commons-logging)
Requires: mvn(commons-net:commons-net)
Requires: mvn(org.apache.commons:commons-lang3)
Requires: mvn(org.apache.httpcomponents:httpclient)
Requires: mvn(org.slf4j:slf4j-api)
Requires: mvn(org.slf4j:slf4j-jdk14)

# With runtime_deps these libraries are required as system packages at install
# time. Without it, this package instead declares them as bundled; the prep
# section copies the corresponding jars from the build host in that mode.
# NOTE(review): the bundled() provides below carry no version, while the
# bundled(js-*) provides of the server package do. A version on each entry
# would let package-level tooling match the bundled jars against advisories;
# confirm whether the versions detected in the prep section can be used here.
%if %{with runtime_deps}
Requires: mvn(jakarta.activation:jakarta.activation-api)
Requires: mvn(jakarta.annotation:jakarta.annotation-api)
Requires: mvn(jakarta.xml.bind:jakarta.xml.bind-api)
Requires: mvn(com.fasterxml.jackson.core:jackson-annotations)
Requires: mvn(com.fasterxml.jackson.core:jackson-core)
Requires: mvn(com.fasterxml.jackson.core:jackson-databind)
Requires: mvn(com.fasterxml.jackson.jaxrs:jackson-jaxrs-base)
Requires: mvn(com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider)
Requires: mvn(org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.0_spec)
Requires: mvn(org.jboss.logging:jboss-logging)
Requires: mvn(org.jboss.resteasy:resteasy-jaxrs)
Requires: mvn(org.jboss.resteasy:resteasy-jackson2-provider)
%else
Provides: bundled(jakarta-activation)
Provides: bundled(jakarta-annotations)
Provides: bundled(jaxb-api)
Provides: bundled(jackson-annotations)
Provides: bundled(jackson-core)
Provides: bundled(jackson-databind)
Provides: bundled(jackson-modules-base)
Provides: bundled(jackson-jaxrs-providers)
Provides: bundled(jackson-jaxrs-json-provider)
Provides: bundled(jboss-jaxrs-2.0-api)
Provides: bundled(jboss-logging)
Provides: bundled(resteasy-jaxrs)
Provides: bundled(resteasy-jackson2-provider)
%endif

Requires: mvn(org.dogtagpki.jss:jss-base) >= 5.7
Requires: mvn(org.dogtagpki.ldap-sdk:ldapjdk) >= 5.6.0
Requires: %{product_id}-base = %{version}-%{release}

%description -n %{product_id}-java
This package provides common and client libraries for Java.

################################################################################
%package -n %{product_id}-tools
################################################################################

Summary: %{product_name} Tools Package

Obsoletes: pki-tools < %{version}-%{release}
Provides: pki-tools = %{version}-%{release}

Requires: openldap-clients
Requires: nss-tools >= 3.36.1
Requires: %{product_id}-java = %{version}-%{release}
Requires: p11-kit-trust
Requires: file

# PKICertImport depends on certutil and openssl
# (nss-tools is already required above with a minimum version; the
# unversioned entry here repeats it.)
Requires: nss-tools
Requires: openssl

%description -n %{product_id}-tools
This package provides tools that can be used to help make
%{product_name} into a more complete and robust PKI solution.

The utility "tpsclient" is a test tool that interacts with TPS.
This tool is useful to test TPS server without risking an actual smart card.

# with base
%endif

%if %{with server}
################################################################################
%package -n %{product_id}-server
################################################################################

Summary: %{product_name} Server Package
BuildArch: noarch

Obsoletes: pki-server < %{version}-%{release}
Provides: pki-server = %{version}-%{release}

Requires: hostname

Requires: policycoreutils
Requires: procps-ng
Requires: openldap-clients
Requires: openssl
Requires: %{product_id}-tools = %{version}-%{release}

# NOTE(review): the server requires the JDK development package at run time,
# not only the headless runtime required by the java subpackage. The reason is
# not visible in this part of the spec; confirm it is still needed, since it
# widens what is installed on a CA host.
Requires: %{java_devel}

Requires: keyutils

Requires: policycoreutils-python-utils

Requires: python3-lxml
Requires: python3-libselinux
Requires: python3-policycoreutils

Requires: selinux-policy-targeted >= 3.13.1-159

# Same switch as in the java subpackage: system package with runtime_deps,
# otherwise declared as bundled (again without a version).
%if %{with runtime_deps}
Requires: mvn(org.jboss.resteasy:resteasy-servlet-initializer)
%else
Provides: bundled(resteasy-servlet-initializer)
%endif

%if 0%{?rhel} && 0%{?rhel} >= 10
Requires: tomcat9 >= 1:9.0.62
%else
Requires: tomcat >= 1:9.0.62
%endif

Requires: mvn(org.dogtagpki.jss:jss-tomcat) >= 5.7

Requires: systemd
Requires(post): systemd-units
Requires(postun): systemd-units
# presumably for account creation in a pre scriptlet, which is not visible in
# this part of the spec
Requires(pre): shadow-utils

# pki-healthcheck depends on the following library
%if 0%{?rhel}
Requires: ipa-healthcheck-core
%else
Requires: freeipa-healthcheck-core
%endif

# https://pagure.io/freeipa/issue/7742
%if 0%{?rhel}
Conflicts: ipa-server < 4.7.1
%else
Conflicts: freeipa-server < 4.7.1
%endif

# Versions of the JavaScript libraries bundled with the server; these must be
# updated by hand whenever the bundled copies change.
Provides: bundled(js-backbone) = 1.6.0
Provides: bundled(js-bootstrap) = 3.4.1
Provides: bundled(js-jquery) = 3.7.1
Provides: bundled(js-jquery-i18n-properties) = 1.2.7
Provides: bundled(js-patternfly) = 3.59.2
Provides: bundled(js-underscore) = 1.13.7

%description -n %{product_id}-server
This package provides libraries and utilities needed by %{product_name} services.
# with server %endif %if %{with acme} ################################################################################ %package -n %{product_id}-acme ################################################################################ Summary: %{product_name} ACME Package BuildArch: noarch Obsoletes: pki-acme < %{version}-%{release} Provides: pki-acme = %{version}-%{release} Requires: %{product_id}-server = %{version}-%{release} %description -n %{product_id}-acme %{product_name} ACME responder is a service that provides an automatic certificate management via ACME v2 protocol defined in RFC 8555. # with acme %endif %if %{with ca} ################################################################################ %package -n %{product_id}-ca ################################################################################ Summary: %{product_name} CA Package BuildArch: noarch Obsoletes: pki-ca < %{version}-%{release} Provides: pki-ca = %{version}-%{release} Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units Requires(postun): systemd-units %description -n %{product_id}-ca %{product_name} Certificate Authority (CA) is a required subsystem which issues, renews, revokes, and publishes certificates as well as compiling and publishing Certificate Revocation Lists (CRLs). The Certificate Authority can be configured as a self-signing Certificate Authority, where it is the root CA, or it can act as a subordinate CA, where it obtains its own signing certificate from a public CA. 
# with ca %endif %if %{with est} ################################################################################ %package -n %{product_id}-est ################################################################################ Summary: %{product_name} EST Package BuildArch: noarch Obsoletes: pki-est < %{version}-%{release} Provides: pki-est = %{version}-%{release} Requires: %{product_id}-server = %{version}-%{release} %description -n %{product_id}-est %{product_name} EST subsystem provides an Enrollment over Secure Transport (RFC 7030) service. # with est %endif %if %{with kra} ################################################################################ %package -n %{product_id}-kra ################################################################################ Summary: %{product_name} KRA Package BuildArch: noarch Obsoletes: pki-kra < %{version}-%{release} Provides: pki-kra = %{version}-%{release} Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units Requires(postun): systemd-units %description -n %{product_id}-kra %{product_name} Key Recovery Authority (KRA) is an optional subsystem that can act as a key archival facility. When configured in conjunction with the Certificate Authority (CA), the KRA stores private encryption keys as part of the certificate enrollment process. The key archival mechanism is triggered when a user enrolls in the PKI and creates the certificate request. Using the Certificate Request Message Format (CRMF) request format, a request is generated for the user's private encryption key. This key is then stored in the KRA which is configured to store keys in an encrypted format that can only be decrypted by several agents requesting the key at one time, providing for protection of the public encryption keys for the users in the PKI deployment. Note that the KRA archives encryption keys; it does NOT archive signing keys, since such archival would undermine non-repudiation properties of signing keys. 
# with kra %endif %if %{with ocsp} ################################################################################ %package -n %{product_id}-ocsp ################################################################################ Summary: %{product_name} OCSP Package BuildArch: noarch Obsoletes: pki-ocsp < %{version}-%{release} Provides: pki-ocsp = %{version}-%{release} Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units Requires(postun): systemd-units %description -n %{product_id}-ocsp %{product_name} Online Certificate Status Protocol (OCSP) Manager is an optional subsystem that can act as a stand-alone OCSP service. The OCSP Manager performs the task of an online certificate validation authority by enabling OCSP-compliant clients to do real-time verification of certificates. Note that an online certificate-validation authority is often referred to as an OCSP Responder. Although the Certificate Authority (CA) is already configured with an internal OCSP service, an external OCSP Responder is offered as a separate subsystem in case the user wants the OCSP service provided outside of a firewall while the CA resides inside of a firewall, or to take the load of requests off of the CA. The OCSP Manager can receive Certificate Revocation Lists (CRLs) from multiple CA servers, and clients can query the OCSP Manager for the revocation status of certificates issued by all of these CA servers. When an instance of OCSP Manager is set up with an instance of CA, and publishing is set up to this OCSP Manager, CRLs are published to it whenever they are issued or updated. 
# with ocsp %endif %if %{with tks} ################################################################################ %package -n %{product_id}-tks ################################################################################ Summary: %{product_name} TKS Package BuildArch: noarch Obsoletes: pki-tks < %{version}-%{release} Provides: pki-tks = %{version}-%{release} Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units Requires(postun): systemd-units %description -n %{product_id}-tks %{product_name} Token Key Service (TKS) is an optional subsystem that manages the master key(s) and the transport key(s) required to generate and distribute keys for hardware tokens. TKS provides the security between tokens and an instance of Token Processing System (TPS), where the security relies upon the relationship between the master key and the token keys. A TPS communicates with a TKS over SSL using client authentication. TKS helps establish a secure channel (signed and encrypted) between the token and the TPS, provides proof of presence of the security token during enrollment, and supports key changeover when the master key changes on the TKS. Tokens with older keys will get new token keys. Because of the sensitivity of the data that TKS manages, TKS should be set up behind the firewall with restricted access. 
# with tks %endif %if %{with tps} ################################################################################ %package -n %{product_id}-tps ################################################################################ Summary: %{product_name} TPS Package BuildArch: noarch Obsoletes: pki-tps < %{version}-%{release} Provides: pki-tps = %{version}-%{release} Requires: %{product_id}-server = %{version}-%{release} Requires(post): systemd-units Requires(postun): systemd-units # additional runtime requirements needed to run native 'tpsclient' # REMINDER: Revisit these once 'tpsclient' is rewritten as a Java app Requires: nss-tools >= 3.36.1 Requires: openldap-clients %description -n %{product_id}-tps %{product_name} Token Processing System (TPS) is an optional subsystem that acts as a Registration Authority (RA) for authenticating and processing enrollment requests, PIN reset requests, and formatting requests from the Enterprise Security Client (ESC). TPS is designed to communicate with tokens that conform to Global Platform's Open Platform Specification. TPS communicates over SSL with various PKI backend subsystems (including the Certificate Authority (CA), the Key Recovery Authority (KRA), and the Token Key Service (TKS)) to fulfill the user's requests. TPS also interacts with the token database, an LDAP server that stores information about individual tokens. 
# with tps %endif %if %{with javadoc} ################################################################################ %package -n %{product_id}-javadoc ################################################################################ Summary: %{product_name} Javadoc Package BuildArch: noarch Obsoletes: pki-javadoc < %{version}-%{release} Provides: pki-javadoc = %{version}-%{release} # Ensure we end up with a useful installation Conflicts: pki-base < %{version} Conflicts: pki-server-theme < %{version} Conflicts: %{product_id}-theme < %{version} %description -n %{product_id}-javadoc This package provides %{product_name} API documentation. # with javadoc %endif %if %{with console} ################################################################################ %package -n %{product_id}-console ################################################################################ Summary: %{product_name} Console Package BuildArch: noarch Obsoletes: pki-console < %{version}-%{release} Provides: pki-console = %{version}-%{release} Requires: %{java_runtime} Requires: %{product_id}-java = %{version}-%{release} Requires: %{product_id}-console-theme = %{version}-%{release} # IDM Console Framework has been merged into PKI Console. # This will remove installed IDM Console Framework packages. Obsoletes: idm-console-framework <= 2.1 Conflicts: idm-console-framework <= 2.1 %description -n %{product_id}-console %{product_name} Console is a Java application used to administer %{product_name} Server. 
# with console %endif %if %{with theme} ################################################################################ %package -n %{product_id}-theme ################################################################################ Summary: %{product_name} Server Theme Package BuildArch: noarch Obsoletes: pki-server-theme < %{version}-%{release} Provides: pki-server-theme = %{version}-%{release} Obsoletes: %{product_id}-server-theme < %{version}-%{release} Provides: %{product_id}-server-theme = %{version}-%{release} %if 0%{?fedora} > 38 || 0%{?rhel} > 9 BuildRequires: fontawesome4-fonts-web Requires: fontawesome4-fonts-web %else BuildRequires: fontawesome-fonts-web Requires: fontawesome-fonts-web %endif # Ensure we end up with a useful installation Conflicts: pki-base < %{version} Conflicts: pki-javadoc < %{version} %description -n %{product_id}-theme This package provides theme files for %{product_name}. %if %{with console} ################################################################################ %package -n %{product_id}-console-theme ################################################################################ Summary: %{product_name} Console Theme Package BuildArch: noarch Obsoletes: pki-console-theme < %{version}-%{release} Provides: pki-console-theme = %{version}-%{release} # Ensure we end up with a useful installation Conflicts: pki-base < %{version} Conflicts: pki-server-theme < %{version} Conflicts: pki-javadoc < %{version} Conflicts: %{product_id}-theme < %{version} %description -n %{product_id}-console-theme This package provides theme files for %{product_name} Console. 
# with console
%endif

# with theme
%endif

%if %{with tests}
################################################################################
%package -n %{product_id}-tests
################################################################################

Summary: %{product_name} Tests
BuildArch: noarch

Obsoletes: pki-tests < %{version}-%{release}
Provides: pki-tests = %{version}-%{release}

Requires: python3-pylint
Requires: python3-flake8

%description -n %{product_id}-tests
This package provides test suite for %{product_name}.

# with tests
%endif

################################################################################
%prep
################################################################################

%autosetup -n pki-11.7.0 -p 1

# Without runtime_deps the third-party jars are copied from the packages
# installed on the build host (under /usr/share/java) into base/common/lib and
# base/server/lib, each renamed with a version suffix. What ends up in those
# directories therefore depends on the package set of the build root.
%if %{without runtime_deps}

# Each import is skipped when its target directory already exists.
if [ ! -d base/common/lib ]
then
    # import common libraries from RPMs

    mkdir -p base/common/lib
    pushd base/common/lib

    # The version suffix is parsed out of the "rpm -q" output. sed -n with the
    # p flag prints only on a match, so the variable is empty when the output
    # does not have the expected name-version-release form (for example when
    # rpm reports the package as not installed).
    # NOTE(review): an empty value is not checked anywhere in this section; the
    # copy below would then be named with an empty version. The same applies to
    # every version variable that follows. Consider failing the build on an
    # empty value so a mislabelled jar cannot be bundled unnoticed.
    JAKARTA_ACTIVATION_API_VERSION=$(rpm -q jakarta-activation | sed -n 's/^jakarta-activation-\([^-]*\)-.*$/\1/p')
    echo "JAKARTA_ACTIVATION_API_VERSION: $JAKARTA_ACTIVATION_API_VERSION"

    cp /usr/share/java/jakarta-activation/jakarta.activation-api.jar \
        jakarta.activation-api-$JAKARTA_ACTIVATION_API_VERSION.jar

    JAKARTA_ANNOTATION_API_VERSION=$(rpm -q jakarta-annotations | sed -n 's/^jakarta-annotations-\([^-]*\)-.*$/\1/p')
    echo "JAKARTA_ANNOTATION_API_VERSION: $JAKARTA_ANNOTATION_API_VERSION"

    cp /usr/share/java/jakarta-annotations/jakarta.annotation-api.jar \
        jakarta.annotation-api-$JAKARTA_ANNOTATION_API_VERSION.jar

    JAXB_API_VERSION=$(rpm -q jaxb-api | sed -n 's/^jaxb-api-\([^-]*\)-.*$/\1/p')
    echo "JAXB_API_VERSION: $JAXB_API_VERSION"

    # Two install locations of the JAXB API jar are probed.
    # NOTE(review): there is no else branch, so when neither path exists no
    # jar is copied and nothing is reported at this point.
    if [ -f /usr/share/java/jaxb-api.jar ]
    then
        cp /usr/share/java/jaxb-api.jar \
            jakarta.xml.bind-api-$JAXB_API_VERSION.jar
    elif [ -f /usr/share/java/jaxb-api/jakarta.xml.bind-api.jar ]
    then
        cp /usr/share/java/jaxb-api/jakarta.xml.bind-api.jar \
            jakarta.xml.bind-api-$JAXB_API_VERSION.jar
    fi

    # One version, read from the jackson-annotations package, labels all six
    # Jackson jars copied below.
    # NOTE(review): assumes every Jackson package on the build host is at that
    # same version - confirm, otherwise a jar can carry the wrong version label.
    JACKSON_VERSION=$(rpm -q jackson-annotations | sed -n 's/^jackson-annotations-\([^-]*\)-.*$/\1/p')
    echo "JACKSON_VERSION: $JACKSON_VERSION"

    cp /usr/share/java/jackson-annotations.jar \
        jackson-annotations-$JACKSON_VERSION.jar
    cp /usr/share/java/jackson-core.jar \
        jackson-core-$JACKSON_VERSION.jar
    cp /usr/share/java/jackson-databind.jar \
        jackson-databind-$JACKSON_VERSION.jar
    cp /usr/share/java/jackson-jaxrs-providers/jackson-jaxrs-base.jar \
        jackson-jaxrs-base-$JACKSON_VERSION.jar
    cp /usr/share/java/jackson-jaxrs-providers/jackson-jaxrs-json-provider.jar \
        jackson-jaxrs-json-provider-$JACKSON_VERSION.jar
    cp /usr/share/java/jackson-modules/jackson-module-jaxb-annotations.jar \
        jackson-module-jaxb-annotations-$JACKSON_VERSION.jar

    # For the JBoss and RESTEasy jars the sed replacement appends ".Final" to
    # the version taken from the package name.
    JAXRS_VERSION=$(rpm -q jboss-jaxrs-2.0-api | sed -n 's/^jboss-jaxrs-2.0-api-\([^-]*\)-.*$/\1.Final/p')
    echo "JAXRS_VERSION: $JAXRS_VERSION"

    cp /usr/share/java/jboss-jaxrs-2.0-api.jar \
        jboss-jaxrs-api_2.0_spec-$JAXRS_VERSION.jar

    JBOSS_LOGGING_VERSION=$(rpm -q jboss-logging | sed -n 's/^jboss-logging-\([^-]*\)-.*$/\1.Final/p')
    echo "JBOSS_LOGGING_VERSION: $JBOSS_LOGGING_VERSION"

    cp /usr/share/java/jboss-logging/jboss-logging.jar \
        jboss-logging-$JBOSS_LOGGING_VERSION.jar

    # The RESTEasy version is read from the pki-resteasy-core package.
    RESTEASY_VERSION=$(rpm -q pki-resteasy-core | sed -n 's/^pki-resteasy-core-\([^-]*\)-.*$/\1.Final/p')
    echo "RESTEASY_VERSION: $RESTEASY_VERSION"

    cp /usr/share/java/resteasy/resteasy-jaxrs.jar \
        resteasy-jaxrs-$RESTEASY_VERSION.jar
    cp /usr/share/java/resteasy/resteasy-jackson2-provider.jar \
        resteasy-jackson2-provider-$RESTEASY_VERSION.jar

    # List the imported jars so the build log records what was bundled.
    ls -l
    popd
fi

if [ ! -d base/server/lib ]
then
    # import server libraries from RPMs

    mkdir -p base/server/lib
    pushd base/server/lib

    # Here the version comes from the pki-resteasy-servlet-initializer package,
    # overwriting the value set for the common libraries above.
    RESTEASY_VERSION=$(rpm -q pki-resteasy-servlet-initializer | sed -n 's/^pki-resteasy-servlet-initializer-\([^-]*\)-.*$/\1.Final/p')
    echo "RESTEASY_VERSION: $RESTEASY_VERSION"

    cp /usr/share/java/resteasy/resteasy-servlet-initializer.jar \
        resteasy-servlet-initializer-$RESTEASY_VERSION.jar

    ls -l
    popd
fi

%endif

%if ! 
%{with base} %pom_disable_module common base %pom_disable_module tools base %endif %if ! %{with server} %pom_disable_module tomcat base %pom_disable_module tomcat-9.0 base %pom_disable_module server base %pom_disable_module server-webapp base %endif %if ! %{with ca} %pom_disable_module ca base %endif %if ! %{with kra} %pom_disable_module kra base %endif %if ! %{with ocsp} %pom_disable_module ocsp base %endif %if ! %{with tks} %pom_disable_module tks base %endif %if ! %{with tps} %pom_disable_module tps base %endif %if ! %{with acme} %pom_disable_module acme base %endif %if ! %{with est} %pom_disable_module est base %endif %if ! %{with console} %pom_disable_module console base %endif # remove plugins not needed to build RPM %pom_remove_plugin org.codehaus.mojo:flatten-maven-plugin %pom_remove_plugin org.apache.maven.plugins:maven-deploy-plugin %pom_remove_plugin com.github.github:site-maven-plugin # specify Maven artifact locations %mvn_file org.dogtagpki.pki:pki-common pki/pki-common %mvn_file org.dogtagpki.pki:pki-tools pki/pki-tools %mvn_file org.dogtagpki.pki:pki-server pki/pki-server %mvn_file org.dogtagpki.pki:pki-server-webapp pki/pki-server-webapp %mvn_file org.dogtagpki.pki:pki-tomcat pki/pki-tomcat %mvn_file org.dogtagpki.pki:pki-tomcat-9.0 pki/pki-tomcat-9.0 %mvn_file org.dogtagpki.pki:pki-ca pki/pki-ca %mvn_file org.dogtagpki.pki:pki-kra pki/pki-kra %mvn_file org.dogtagpki.pki:pki-ocsp pki/pki-ocsp %mvn_file org.dogtagpki.pki:pki-tks pki/pki-tks %mvn_file org.dogtagpki.pki:pki-tps pki/pki-tps %mvn_file org.dogtagpki.pki:pki-acme pki/pki-acme %mvn_file org.dogtagpki.pki:pki-est pki/pki-est %if %{with console} %mvn_file org.dogtagpki.pki:pki-console pki/pki-console %endif # specify Maven artifact packages %mvn_package org.dogtagpki.pki:pki-common pki-java %mvn_package org.dogtagpki.pki:pki-tools pki-tools %mvn_package org.dogtagpki.pki:pki-server pki-server %mvn_package org.dogtagpki.pki:pki-server-webapp pki-server %mvn_package 
org.dogtagpki.pki:pki-tomcat pki-server %mvn_package org.dogtagpki.pki:pki-tomcat-9.0 pki-server %mvn_package org.dogtagpki.pki:pki-ca pki-ca %mvn_package org.dogtagpki.pki:pki-kra pki-kra %mvn_package org.dogtagpki.pki:pki-ocsp pki-ocsp %mvn_package org.dogtagpki.pki:pki-tks pki-tks %mvn_package org.dogtagpki.pki:pki-tps pki-tps %mvn_package org.dogtagpki.pki:pki-acme pki-acme %mvn_package org.dogtagpki.pki:pki-est pki-est %if %{with console} %mvn_package org.dogtagpki.pki:pki-console pki-console %endif %if 0%{?fedora} # Create a sysusers.d config file cat > %{product_id}.sysusers.conf </dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname} # create PKI user if it doesn't exist if ! getent passwd %{pki_username} >/dev/null ; then useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username} fi %endif # create PKI home directory if it doesn't exist if [ ! -d %{pki_homedir} ] ; then cp -ar /etc/skel %{pki_homedir} chown -R %{pki_username}:%{pki_groupname} %{pki_homedir} chmod 700 %{pki_homedir} usermod -d %{pki_homedir} %{pki_username} fi exit 0 # with server %endif %if %{with base} %post -n %{product_id}-base if [ $1 -eq 1 ] then # On RPM installation create system upgrade tracker echo "Configuration-Version: %{version}" > %{_sysconfdir}/pki/pki.version else # On RPM upgrade run system upgrade echo "Upgrading PKI system configuration at `/bin/date`." 
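>> /var/log/pki/pki-upgrade-%{version}.log
    /sbin/pki-upgrade 2>&1 | tee -a /var/log/pki/pki-upgrade-%{version}.log
    echo >> /var/log/pki/pki-upgrade-%{version}.log
fi

%postun -n %{product_id}-base

# The first scriptlet argument is compared with 0 to detect uninstallation.
if [ "$1" -eq 0 ]
then
    # On RPM uninstallation remove system upgrade tracker
    rm -f %{_sysconfdir}/pki/pki.version
fi

# with base
%endif

%if %{with server}

%post -n %{product_id}-server
# Post-install steps for the server package: tighten permissions on existing
# installation logs, reload systemd on upgrade, regenerate the per-instance
# fapolicyd rule files, and restart fapolicyd when it is running.

# CVE-2021-3551
# Remove world access from existing installation logs
# Only regular files directly under /var/log/pki are changed
# (-maxdepth 1 -type f); the directory itself and anything in
# subdirectories keep their current mode.
find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;

# Reload systemd daemons on upgrade only
if [ "$1" = "2" ]
then
    systemctl daemon-reload
fi

# Update the fapolicy rules for each PKI server instance
# The entries are taken from a glob instead of parsing "ls" output, so a
# name containing whitespace stays one entry and is not split into several
# rule file names.
for instance_dir in /var/lib/pki/*
do
    # Skip the unexpanded pattern (no instances) and entries that are not
    # directories; the rule below points at a work directory inside each
    # instance directory.
    [ -d "$instance_dir" ] || continue
    instance=${instance_dir##*/}

    target="/etc/fapolicyd/rules.d/61-pki-$instance.rules"

    # NOTE(review): the instance name is interpolated into the sed
    # replacement text; a name containing "&" or a backslash would not be
    # substituted literally. Confirm instance names cannot contain them.
    sed -e "s/\[WORK_DIR\]/\/var\/lib\/pki\/$instance\/work/g" \
        /usr/share/pki/server/etc/fapolicy.rules \
        > "$target"

    # Rule files are owned by root with group fapolicyd and are not
    # writable by group or others.
    # NOTE(review): nothing here checks that the rules directory or the
    # fapolicyd group exists before these commands run.
    chown root:fapolicyd "$target"
    chmod 644 "$target"
done

# Restart fapolicy daemon if it's active
status=$(systemctl is-active fapolicyd)
if [ "$status" = "active" ]
then
    systemctl restart fapolicyd
fi

# with server
%endif

%if %{with meta}
%if "%{name}" != "%{product_id}"
################################################################################
%files -n %{product_id} %{?with_maven:-f .mfiles}
################################################################################
%else
%files %{?with_maven:-f .mfiles}
%endif

%doc %{_datadir}/doc/pki/README

# with meta
%endif

%if %{with base}
################################################################################
%files -n %{product_id}-base
################################################################################

%license base/common/LICENSE
%license base/common/LICENSE.LESSER
%doc %{_datadir}/doc/pki-base/html
%dir %{_datadir}/pki
%{_datadir}/pki/VERSION
%{_datadir}/pki/pom.xml
%dir %{_datadir}/pki/etc
%{_datadir}/pki/etc/pki.conf
%{_datadir}/pki/etc/logging.properties
%dir %{_datadir}/pki/lib
%dir %{_datadir}/pki/scripts
%{_datadir}/pki/scripts/config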
%{_datadir}/pki/upgrade/ %{_datadir}/pki/key/templates %dir %{_sysconfdir}/pki %config(noreplace) %{_sysconfdir}/pki/pki.conf %dir %{_localstatedir}/log/pki %{_sbindir}/pki-upgrade %{_mandir}/man1/pki-python-client.1.gz %{_mandir}/man5/pki-logging.5.gz %{_mandir}/man8/pki-upgrade.8.gz ################################################################################ %files -n %{product_id}-java %{?with_maven:-f .mfiles-pki-java} ################################################################################ %license base/common/LICENSE %license base/common/LICENSE.LESSER %{_datadir}/pki/examples/java/ %{_datadir}/pki/lib/*.jar %if %{without maven} %{_datadir}/java/pki/pki-common.jar %endif ################################################################################ %files -n python3-%{product_id} ################################################################################ %license base/common/LICENSE %license base/common/LICENSE.LESSER %if %{with server} %exclude %{python3_sitelib}/pki/server %endif %{python3_sitelib}/pki ################################################################################ %files -n %{product_id}-tools %{?with_maven:-f .mfiles-pki-tools} ################################################################################ %license base/tools/LICENSE %doc base/tools/doc/README %{_bindir}/pistool %{_bindir}/pki %{_bindir}/revoker %{_bindir}/setpin %{_bindir}/tkstool %{_bindir}/tpsclient %{_bindir}/AtoB %{_bindir}/AuditVerify %{_bindir}/BtoA %{_bindir}/CMCEnroll %{_bindir}/CMCRequest %{_bindir}/CMCResponse %{_bindir}/CMCRevoke %{_bindir}/CMCSharedToken %{_bindir}/CRMFPopClient %{_bindir}/ExtJoiner %{_bindir}/GenExtKeyUsage %{_bindir}/GenIssuerAltNameExt %{_bindir}/GenSubjectAltNameExt %{_bindir}/HttpClient %{_bindir}/KRATool %{_bindir}/OCSPClient %{_bindir}/PKCS10Client %{_bindir}/PKCS12Export %{_bindir}/PKICertImport %{_bindir}/PrettyPrintCert %{_bindir}/PrettyPrintCrl %{_bindir}/TokenInfo %{_datadir}/pki/tools/ 
%{_datadir}/pki/lib/p11-kit-trust.so %{_libdir}/libpki-tps.so %{_mandir}/man1/AtoB.1.gz %{_mandir}/man1/AuditVerify.1.gz %{_mandir}/man1/BtoA.1.gz %{_mandir}/man1/CMCEnroll.1.gz %{_mandir}/man1/CMCRequest.1.gz %{_mandir}/man1/CMCSharedToken.1.gz %{_mandir}/man1/CMCResponse.1.gz %{_mandir}/man1/KRATool.1.gz %{_mandir}/man1/PrettyPrintCert.1.gz %{_mandir}/man1/PrettyPrintCrl.1.gz %{_mandir}/man1/pki.1.gz %{_mandir}/man1/pki-audit.1.gz %{_mandir}/man1/pki-ca-cert.1.gz %{_mandir}/man1/pki-ca-kraconnector.1.gz %{_mandir}/man1/pki-ca-profile.1.gz %{_mandir}/man1/pki-client.1.gz %{_mandir}/man1/pki-group.1.gz %{_mandir}/man1/pki-group-member.1.gz %{_mandir}/man1/pki-kra-key.1.gz %{_mandir}/man1/pki-pkcs12-cert.1.gz %{_mandir}/man1/pki-pkcs12-key.1.gz %{_mandir}/man1/pki-pkcs12.1.gz %{_mandir}/man1/pki-securitydomain.1.gz %{_mandir}/man1/pki-tps-profile.1.gz %{_mandir}/man1/pki-user.1.gz %{_mandir}/man1/pki-user-cert.1.gz %{_mandir}/man1/pki-user-membership.1.gz %{_mandir}/man1/PKCS10Client.1.gz %{_mandir}/man1/PKICertImport.1.gz %{_mandir}/man1/tpsclient.1.gz %{_javadir}/pki/pki-tools.jar %{_jnidir}/pki/pki-tools.jar # with base %endif %if %{with server} ################################################################################ %files -n %{product_id}-server %{?with_maven:-f .mfiles-pki-server} ################################################################################ %license base/common/THIRD_PARTY_LICENSES %license base/server/LICENSE %doc base/server/README %attr(755,-,-) %dir %{_sysconfdir}/sysconfig/pki %attr(755,-,-) %dir %{_sysconfdir}/sysconfig/pki/tomcat %{_sbindir}/pkispawn %{_sbindir}/pkidestroy %{_sbindir}/pki-server %{_sbindir}/pki-healthcheck %{python3_sitelib}/pki/server/ %{python3_sitelib}/pkihealthcheck-*.egg-info/ %config(noreplace) %{_sysconfdir}/pki/healthcheck.conf %{_datadir}/pki/etc/tomcat.conf %dir %{_datadir}/pki/deployment %{_datadir}/pki/deployment/config/ %{_datadir}/pki/scripts/operations %{_bindir}/pkidaemon 
%{_bindir}/pki-server-nuxwdog %dir %{_sysconfdir}/systemd/system/pki-tomcatd.target.wants %attr(644,-,-) %{_unitdir}/pki-tomcatd@.service %attr(644,-,-) %{_unitdir}/pki-tomcatd.target %dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants %attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog@.service %attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target %dir %{_sharedstatedir}/pki %{_mandir}/man1/pkidaemon.1.gz %{_mandir}/man5/pki_default.cfg.5.gz %{_mandir}/man5/pki_healthcheck.conf.5.gz %{_mandir}/man5/pki-server-logging.5.gz %{_mandir}/man8/pki-server-upgrade.8.gz %{_mandir}/man8/pkidestroy.8.gz %{_mandir}/man8/pkispawn.8.gz %{_mandir}/man8/pki-server.8.gz %{_mandir}/man8/pki-server-acme.8.gz %{_mandir}/man8/pki-server-est.8.gz %{_mandir}/man8/pki-server-instance.8.gz %{_mandir}/man8/pki-server-subsystem.8.gz %{_mandir}/man8/pki-server-nuxwdog.8.gz %{_mandir}/man8/pki-server-migrate.8.gz %{_mandir}/man8/pki-server-cert.8.gz %{_mandir}/man8/pki-server-ca.8.gz %{_mandir}/man8/pki-server-kra.8.gz %{_mandir}/man8/pki-server-ocsp.8.gz %{_mandir}/man8/pki-server-tks.8.gz %{_mandir}/man8/pki-server-tps.8.gz %{_mandir}/man8/pki-healthcheck.8.gz %{_datadir}/pki/setup/ %{_datadir}/pki/server/ %if 0%{?fedora} %{_sysusersdir}/%{product_id}.conf %endif %if %{without maven} %{_datadir}/java/pki/pki-server.jar %{_datadir}/java/pki/pki-server-webapp.jar %{_datadir}/java/pki/pki-tomcat.jar %{_datadir}/java/pki/pki-tomcat-9.0.jar %endif # with server %endif %if %{with acme} ################################################################################ %files -n %{product_id}-acme %{?with_maven:-f .mfiles-pki-acme} ################################################################################ %{_datadir}/pki/acme/ %if %{without maven} %{_datadir}/java/pki/pki-acme.jar %endif # with acme %endif %if %{with ca} ################################################################################ %files -n %{product_id}-ca %{?with_maven:-f .mfiles-pki-ca} 
################################################################################ %license base/ca/LICENSE %{_datadir}/pki/ca/ %if %{without maven} %{_datadir}/java/pki/pki-ca.jar %endif # with ca %endif %if %{with est} ################################################################################ %files -n %{product_id}-est %{?with_maven:-f .mfiles-pki-est} ################################################################################ %{_datadir}/pki/est/ %if %{without maven} %{_datadir}/java/pki/pki-est.jar %endif # with est %endif %if %{with kra} ################################################################################ %files -n %{product_id}-kra %{?with_maven:-f .mfiles-pki-kra} ################################################################################ %license base/kra/LICENSE %{_datadir}/pki/kra/ %if %{without maven} %{_datadir}/java/pki/pki-kra.jar %endif # with kra %endif %if %{with ocsp} ################################################################################ %files -n %{product_id}-ocsp %{?with_maven:-f .mfiles-pki-ocsp} ################################################################################ %license base/ocsp/LICENSE %{_datadir}/pki/ocsp/ %if %{without maven} %{_datadir}/java/pki/pki-ocsp.jar %endif # with ocsp %endif %if %{with tks} ################################################################################ %files -n %{product_id}-tks %{?with_maven:-f .mfiles-pki-tks} ################################################################################ %license base/tks/LICENSE %{_datadir}/pki/tks/ %if %{without maven} %{_datadir}/java/pki/pki-tks.jar %endif # with tks %endif %if %{with tps} ################################################################################ %files -n %{product_id}-tps %{?with_maven:-f .mfiles-pki-tps} ################################################################################ %license base/tps/LICENSE %{_datadir}/pki/tps/ %{_mandir}/man5/pki-tps-connector.5.gz 
%{_mandir}/man5/pki-tps-profile.5.gz %if %{without maven} %{_datadir}/java/pki/pki-tps.jar %endif # with tps %endif %if %{with javadoc} ################################################################################ %files -n %{product_id}-javadoc ################################################################################ %{_javadocdir}/pki/ # with javadoc %endif %if %{with console} ################################################################################ %files -n %{product_id}-console %{?with_maven:-f .mfiles-pki-console} ################################################################################ %license base/console/LICENSE %{_bindir}/pkiconsole %if %{without maven} %{_datadir}/java/pki/pki-console.jar %endif # with console %endif %if %{with theme} ################################################################################ %files -n %{product_id}-theme ################################################################################ %license themes/%{theme}/common-ui/LICENSE %dir %{_datadir}/pki %if %{with server} %{_datadir}/pki/CS_SERVER_VERSION %{_datadir}/pki/common-ui/ %{_datadir}/pki/server/webapps/pki/ca %{_datadir}/pki/server/webapps/pki/css %{_datadir}/pki/server/webapps/pki/esc %{_datadir}/pki/server/webapps/pki/fonts %{_datadir}/pki/server/webapps/pki/images %{_datadir}/pki/server/webapps/pki/kra %{_datadir}/pki/server/webapps/pki/ocsp %{_datadir}/pki/server/webapps/pki/pki.properties %{_datadir}/pki/server/webapps/pki/tks # with server %endif %if %{with console} ################################################################################ %files -n %{product_id}-console-theme ################################################################################ %license themes/%{theme}/console-ui/LICENSE %{_javadir}/pki/pki-console-theme.jar # with console %endif # with theme %endif %if %{with tests} ################################################################################ %files -n %{product_id}-tests 
################################################################################ %{_datadir}/pki/tests/ # with tests %endif ################################################################################ %changelog * Tue May 27 2025 Packit - 11.7.0-0.20250527143350301151.master.313.gd8c32dba67 - Fix NPE in pki ca-kraconnector-add (Endi S. Dewata) - Convert PKIDeployer.ds_init() into get_ds_url() (Endi S. Dewata) - Clean up log messages in PKIInstance.load_external_certs_conf() (Endi S. Dewata) - Update PKIDeployer.ds_connect() (Endi S. Dewata) - Update TPS container (Endi S. Dewata) - Clean up PKIDeployer.import_ds_ca_cert() (Endi S. Dewata) - Fix IPA clone test (Endi S. Dewata) - Replace PKIDeployer.authdb_init() with get_authdb_url() (Endi S. Dewata) - Add pki-server ca-connector-* commands (Endi S. Dewata) - Add MCP_TESTS_ENABLED variable (Endi S. Dewata) - Add TPSSubsystem.update_profiles() (Endi S. Dewata) - Add MCP server prototype (Endi S. Dewata) - Modify EST to send client information (Marco Fargetta) - Add a new profile input for client information (Marco Fargetta) - Fix P12 constraint configuration key (Marco Fargetta) - Update creating-ds-instance.adoc (#5076) (Pritam Singh) - Update TPS container test (Endi S. Dewata) - Add pki-server tks-connector-* commands (Endi S. Dewata) - Remove redundant code from EST spawn (Marco Fargetta) - Add pki nss-key-export --wrapper-cert (Endi S. Dewata) - Add pki nss-key-export --session-key-size (Endi S. Dewata) - Consolidate CryptoUtil.generateKey() (Endi S. Dewata) - Add pki-server tps-connector-add (Endi S. Dewata) - Fix pki CLI help commands list (Marco Fargetta) - Update TPS container test (Endi S. 
Dewata) - Remove RESTEasy based services from ACME (Marco Fargetta) - Implement ACME service with PKIServlet (Marco Fargetta) - fix broken formating in installing-ca-with-existing-keys-in-hsm.adoc (vzlamal) - changing commands to use pki export csr instead of parsing it with sed (vzlamal) - remove substitutions that broke the code block (vzlamal) - remove substitutions that broke the code block (vzlamal) - Add pki-server tps-connector-find (Endi S. Dewata) - Remove resteasy client jar link (Marco Fargetta) - Update standalone OCSP test (Endi S. Dewata) - Removed not used RESTeasy dependencies (Marco Fargetta) - Fix EST id when running in different context (Marco Fargetta) - Update standalone KRA test (Endi S. Dewata) - Fix client redirect strategy (Marco Fargetta) - Add KRA clone failover test (Endi S. Dewata) - Update log messages in AgentCertRequestServlet (Endi S. Dewata) - Update log messages in CertRequestServlet (Endi S. Dewata) - Update log messages in CertRequestService (Endi S. Dewata) - Clean up pki pkcs12-cert-import output (Endi S. Dewata) - Clean up pki pkcs12-key-del output (Endi S. Dewata) - Clean up pki pkcs12-cert-del output (Endi S. Dewata) - Update clone tests to check replica ID ranges (Endi S. Dewata) - Upedate EST CI to read JSON error message (Marco Fargetta) - Remove RESTeasy from EST subsystem (Marco Fargetta) - Disable password console callback if file provided (Marco Fargetta) - Fix pki-server -clone-prepare (Endi S. Dewata) - Fix postgres library path in EST doc installation (Marco Fargetta) - Fix postgres library for CI tests (Marco Fargetta) - Allow searching for certs by the issuerDN of the cert (Rob Crittenden) - Replace WebTarget with URIBuilder in PKI client (Marco Fargetta) - Update SystemConfigClient to support REST API v2 (Endi S. Dewata) - Update SecurityDomainClient to support REST API v2 (Endi S. Dewata) - Update FeatureClient to support REST API v2 (Endi S. Dewata) - Update SystemCertClient to support REST API v2 (Endi S. 
Dewata) - Update ProfileClient to support REST API v2 (Endi S. Dewata) - Update AuthorityClient to support REST API v2 (Endi S. Dewata) - Update CertClient to support REST API v2 (Endi S. Dewata) - Add Python SubsystemClient (Endi S. Dewata) - Refactor HandleNewPinRequest() (Endi S. Dewata) - Refactor HandleTokenPDURequest() (Endi S. Dewata) - Refactor HandleASQRequest() (Endi S. Dewata) - Refactor HandleSecureIdRequest() (Endi S. Dewata) - Refactor HandleStatusUpdateRequest() (Endi S. Dewata) - Refactor HandleExtendedLoginRequest() (Endi S. Dewata) - Refactor HandleLoginRequest() (Endi S. Dewata) - Merge formatToken(), resetPIN(), enrollToken() (Endi S. Dewata) - Convert TPSClientCLI.performEnrollToken() to Java (Endi S. Dewata) - Convert TPSClientCLI.performResetPIN() to Java (Endi S. Dewata) - Convert TPSClientCLI.performFormatToken() to Java (Endi S. Dewata) - Update FormatToken(), ResetPIN(), EnrollToken() (Endi S. Dewata) - Rename KeyRetrieverRunner.certificateAuthority (Endi S. Dewata) - Move CAEngine.checkForNewerCert() into CertificateAuthority (Endi S. Dewata) - Move CAEngine.initCA() into CertificateAuthority (Endi S. Dewata) - Use synchronous LWCA KeyRetriever (Endi S. Dewata) - Add token methods in TPSClientCLI (Endi S. Dewata) - Add connection methods in TPSClientCLI (Endi S. Dewata) - Move CAEngine.startKeyRetriever() into CertificateAuthority (Endi S. Dewata) - Move CAEngine.initOCSPSigningUnit() into CertificateAuthority (Endi S. Dewata) - Move CAEngine.initCRLSigningUnit() into CertificateAuthority (Endi S. Dewata) - Move CAEngine.initCertSigningUnit() into CertificateAuthority (Endi S. Dewata) - Refactor ThreadConnEnroll() (Endi S. Dewata) - Refactor ThreadConnResetPin() (Endi S. Dewata) - Refactor ThreadConnUpdate() (Endi S. Dewata) - Convert RA_Client::OpConnStart() to Java (Endi S. Dewata) - Update KRA container test (Endi S. Dewata) - Add CRMFUtil.getSANExtension() (Endi S. Dewata) - Refactor NSSDatabase.createCertificate() (Endi S. 
Dewata) - Refactor NSSDatabase.createCRMFRequest() (Endi S. Dewata) - Refactor CRMFUtil.createCertRequest() (Endi S. Dewata) - Refactor CRMFUtil.createCRMFRequest() (Endi S. Dewata) - Refactor CRMFUtil.encodeCRMF() (Endi S. Dewata) - Clean up CRMFUtil.getExtensionFromCertTemplate() (Endi S. Dewata) - Remove resteasy MediaType from PKIClient (Marco Fargetta) - Move CryptoUtil.createCRMFRequest() to CRMFUtil (Endi S. Dewata) - Move CryptoUtil.createPop() to CRMFUtil (Endi S. Dewata) - Move CryptoUtil.createCertRequest() to CRMFUtil (Endi S. Dewata) - Move CryptoUtil.createCertTemplate() to CRMFUtil (Endi S. Dewata) - Move CryptoUtil.getExtensionFromCertTemplate() to CRMFUtil (Endi S. Dewata) - Move CryptoUtil.getSubjectName() to CRMFUtil (Endi S. Dewata) - Move CryptoUtil.getX509KeyFromCRMFMsgs() to CRMFUtil (Endi S. Dewata) - Move CryptoUtil.getX509KeyFromCRMFMsg() to CRMFUtil (Endi S. Dewata) - Move CertUtil.encodeCRMF() to CRMFUtil (Endi S. Dewata) - Move CertUtil.parseCRMF() to CRMFUtil (Endi S. Dewata) - Move CryptoUtil.parseCRMFMsgs() to CRMFUtil (Endi S. Dewata) - Add AuthorityMonitor.init() (Endi S. Dewata) - Move AuthorityMonitor.authorities into CAEngine (Endi S. Dewata) - Update CertClient.list_requests() to support REST API v2 (Endi S. Dewata) - Replace erroneous resteasy exception from v2 servlet (Marco Fargetta) - Replace erroneous resteasy MediaType from v2 servlet (Marco Fargetta) - Implement client POST,PUT and PATCH with httpclient (Marco Fargetta) - Implement client DELETE with httpclient (Marco Fargetta) - Update AuthorityRepository.createCA() (Endi S. Dewata) - Implement client GET collections with httpclient (Marco Fargetta) - Update log messages in OCSPServlet (Endi S. Dewata) - Update log messages in SigningUnit (Endi S. Dewata) - Update log messages in CAEngine (Endi S. Dewata) - Refactor CAEngine.createCA() (Endi S. 
Dewata) - Add dedicated exception for client connection problem (Marco Fargetta) - Update exception message in CI for the httpclient connections (Marco Fargetta) - Fix error handling for httpcomponent client connections (Marco Fargetta) - Converting a CLI HTTP GET to httpclient (Marco Fargetta) - Fix CLI debug (Marco Fargetta) - Revert removing blank arguments in nssdb.py Block blank nicknames in adding subsystem_certs (Michal Travnicek) - Fix empty parameter in CLI (Michal Travnicek) - Update CRLPublisher.init() (Endi S. Dewata) - update docs relating to serial number mechanism change (Christina Fu) - Add KRARequestInQListener (Endi S. Dewata) - Add RequestListener.init() (Endi S. Dewata) - Move PinRemovalListener to pki-ca.jar (Endi S. Dewata) - Remove redundant type casts (Endi S. Dewata) - Add issuer_dn to the CertDataInfo (Rob Crittenden) - Refactor CMSEngine.loadSubsystems() (Endi S. Dewata) - Refactor RequestInQListener (part 2) (Endi S. Dewata) - Refactor RequestInQListener (part 1) (Endi S. Dewata) - Add test for LWCA clone with HSM (Endi S. Dewata) - Using apache http basic authentication (Marco Fargetta) - moved dogtagpki-docs-convention-readme.adoc and update with more clarification. Also pushing the current "include" lists. (Christina Fu) - Update test for CA clone with HSM (Endi S. Dewata) - Refactor CAEngine.validate() (Endi S. Dewata) - Replace httpclient deprecated code (Marco Fargetta) - Refactor AuthorityRepository.findAuthorityRecords() (Endi S. 
Dewata) - Update doc for name change in clientRevocationCheck (Marco Fargetta) - Move clientRevocationCheck to KRA connector (Marco Fargetta) - Fix network alias for IPA CI (Marco Fargetta) - Update CI for JSSSocket in pki CLI (Marco Fargetta) - Update v11.7 for OCSP in client commands (Marco Fargetta) - Make optional OCSP check in CA running as client (Marco Fargetta) - Make client OCSP check optional (Marco Fargetta) - Installation steps has to ignore revoked certificate (Marco Fargetta) - Make PKIConnection default to non blocking (Marco Fargetta) - Comment out lines imcompatible with downstream doc build [skip ci] (Christina Fu) - Refactor AuthorityRepository.getCA() (Endi S. Dewata) - Refactor AuthorityRepository.findCAs() (Endi S. Dewata) - Update doc for OCSP ResponderID default change (Marco Fargetta) - Modify default ResponderID in OCSP (Marco Fargetta) - Update doc change for CA internal OCSP (Marco Fargetta) - Upgrade script for internal OCSP ResponderID configuration (Marco Fargetta) - Add CI test for RootOCSP in SubCA scenario (Marco Fargetta) - Fix KeyHash for CA OCSP Responder ID (Marco Fargetta) - Modify default CA OCSP response to use Key hash instead of name (Marco Fargetta) - fixed downstream build issue on formatting reported by writer [skip ci] (Christina Fu) - Update LWCA tests (Endi S. Dewata) - Move CAEngine.updateAuthoritySerialNumber() to AuthorityRepository (Endi S. Dewata) - Drop KeyClient.key_url and key_requests_url (Endi S. Dewata) - Disable access log buffer in IPA tests (Endi S. Dewata) - Move CAEngine.haveAuthorityContainer() to AuthorityRepository (Endi S. Dewata) - Fix doc typos (Marco Fargetta) - replace past tense with present tense to conform to downstream conventions. [skip ci] (Christina Fu) - Add AuthorityRepository.deleteAuthorityRecord() (Endi S. Dewata) - Move CAEngine.modifyAuthorityEntry() to AuthorityRepository (Endi S. Dewata) - Move CAEngine.addAuthorityRecord() to AuthorityRepository (Endi S. 
Dewata) - Move CAEngine.getAuthorityRecord() to AuthorityRepository (Endi S. Dewata) - Revert "defer moving these user tool pages from wiki." (Christina Fu) - Move AuthorityRepository instance to CAEngine (Endi S. Dewata) - Rename Authority to AuthorityRepository (Endi S. Dewata) - Update KeyClient to support archieval/retrieval with REST API v2 (Endi S. Dewata) - fixed unpaird blocks --- (Christina Fu) - fixed issue introduced by the comment between id line and the header line by moving it below the header [skip ci] (Christina Fu) - Fixed formatting for consistency (Louise McGarry) - Fixes in line with feedback (Louise McGarry) - Reviewed est files to align with doc requirements (Louise McGarry) - Updates to align with docs standards (Louise McGarry) - As it turns out, standalone KRA and OCSP are described in the downstream Installation guide secton 7.6. Setting up a standalone KRA or OCSP. (Christina Fu) - getting installing-ca-with-external-ca-signing-certificate.adoc ready to replace the section: 7.5. Setting up subsystems with an external CA in downstream install guide [skip ci] (Christina Fu) - Update KeyClient.modify_key_status() to support REST API v2 (Endi S. Dewata) - Renamed ServerSideKeygen-related files for upstream->downstream convergence: (Christina Fu) - Fixed issue where comment lines were between the 'id' line and the subject header line that it's supposed to anchor. Solution was to move the comments to after the subjet header. [skip ci] (Christina Fu) - Clean up log messages in pki ca-cert-create (Endi S. Dewata) - Clean up pki pkcs12-export output (Endi S. Dewata) - Add test for paging parameters (Endi S. Dewata) - Update pki *-find commands (Endi S. Dewata) - Update log messages in DBSearchResults (Endi S. Dewata) - Update log messages in AgentCertRequestServlet (Endi S. Dewata) - Update log messages in PKIServlet (Endi S. Dewata) - Do not set up VLV by default (Endi S. 
Dewata) - CASigningUnit hexstring serial number (Michal Travnicek) - downstream import processing: one small change for single line for script processing [skip ci] (Christina Fu) - Misc update to make it compatible with downstream docs once imported [skip ci] (Christina Fu) - Fix missing error messages (Endi S. Dewata) - Update pki.spec (MichalTravnicek) - fixed xref from old md files to new adoc files [skip ci] (Christina Fu) - Update KeyClient.list_requests() and list_keys() to support REST API v2 (Endi S. Dewata) - Update IPA tests to check pkispawn and pkidestroy logs (Endi S. Dewata) - Remmove "_{context}" in adoc id under pki/docs/installation/ - based on the latest changes in upstream rhcs-docs, "_{context}" needs to be removed from the file id [sip ci] (Christina Fu) - Update pki ca-cert-issue to support CRMF (Endi S. Dewata) - Update KRA tests (Endi S. Dewata) - Update pki ca-cert-request-submit to support CRMF (Endi S. Dewata) - Update pki nss-cert-request to support CRMF (Endi S. Dewata) - Fix deprecation warning in pki ca-cert-request-submit (Endi S. Dewata) - Update CACertClient.submitRequest() (Endi S. Dewata) - Add CertUtil.encodeCRMF() (Endi S. Dewata) - Rename CertUtil.unwrapPKCS10() into unwrapCSR() (Endi S. Dewata) - under pki/docs/installation, replace - Import admin key and certificate: - with - Import admin certificate and key into the client NSS database (by default ~/.dogtag/nssdb) with the following command: [skip ci] (Christina Fu) - under pki/docs/installation - remove more pki client-init calls [skip ci] (Christina Fu) - under pki/docs/installation, - replace the import admin cert and key intro line [skip ci] (Christina Fu) - under pki/docs/installation, - replace the "To use the admin certificate ..." line [skip ci] (Christina Fu) - under pki/docs/installation - remove all pki client-init calls [skip ci] (Christina Fu) - under pki/docs/installation, replace calls to pki client-cert-import ... with pki nss-cert-import ... 
[skip ci] (Christina Fu) - Add EST reenroll test with different CSR (Marco Fargetta) - Fix EST csr match condition (Marco Fargetta) - Update pki nss-cert-request (Endi S. Dewata) - misc adjustments in pki/docs/installation, including: - removing the word "temporary" for the DS bootstrap certs - adding dc=est to pki ldap tree [skip ci] (Christina Fu) - Convert TPSClientCLI.enrollToken() to Java (Endi S. Dewata) - squashing pki-ldap-tree.adoc into creating-ds-instance.adoc [skip ci] (Christina Fu) - Renaming enabling-ssl-connection-in-ds.adoc to getting-ds-cert-issued-by-actual-ca.adoc so that it fits in the downstream post-install section more nicely. [skip ci] (Christina Fu) - Convert TPSClientCLI.resetPIN() to Java (Endi S. Dewata) - Fix RHCS-5701: (Jack Magne) - Convert TPSClientCLI.formatToken() to Java (Endi S. Dewata) - removed test file [skip ci] (Christina Fu) - replacing "link:" with 'xref:" for links not begin with "http" - to allow asciidoc processor to do intelligent substitution (supposedly). 
[skip ci] (Christina Fu) - continue the test remove the file name between [] [skip ci] (Christina Fu) - doc convergence: This is a test for asciidoc include [skip ci] (Christina Fu) - xref ref test into subsection using downstream style of - [id=xyz] [skip ci] (Christina Fu) - desolving doc with simple command: exporting-ds-certificates.adoc - merge the command line into referencing docs [skip ci] (Christina Fu) - testing xref link to subsection of an adoc [skip ci] (Christina Fu) - Fix erroneous opsFlag in nss-key-create operation (Marco Fargetta) - Fix CMake libraries for EST (Marco Fargetta) - Update EST test for CSR subject check (Marco Fargetta) - Update EST doc for basic authentication subject check (Marco Fargetta) - Add EST subject check to basic authentication (Marco Fargetta) - Add EST test for enrollMatchTLSSubjSAN (Marco Fargetta) - Add enrollMatchTLSSubjSAN option in est installation doc (Marco Fargetta) - Add option to match CSR subject and SAN with TLS cert (Marco Fargetta) - Fix JRE dependency for pki-console (Endi S. Dewata) - ldaps-related setup cleanup, including: - copying the slightly adjusted installing-ca-clone-with-ldaps-connection.adoc to installing-ca-clone-with-temp-ldaps-connection.adoc for reference. 
Using the temporary bootstrap DS server cert shouldn't be a recommended case - modified installing-ca-clone-with-temp-ldaps-connection.adoc so that it assumes that the existing PKI instance is running withr real DS server cert, and issues a real DS server cert for the DS of the clone - modified all ldaps installation adoc files to reflect the changes - some adjustments to the already updated ldaps-related sections under pki/docs/installation/others - renamed enabling-temp-ssl-connection-in-ds.adoc to enabling-ssl-connection-in-ds-with-bootstrap-cert.adoc - renamed installing-ca-clone-with-temp-ldaps-connection.adoc to installing-ca-clone-with-ldaps-using-bootstrap-ds-certs.adoc [skip ci] (Christina Fu) - Add SELinux workaround note for cracklibCheck (#4974) (Pritam Singh) - Fix: RHCS-5675 (#4993) (jmagne) - Update dependency to JSS 5.7 (Endi S. Dewata) - Clean up TPSClientCLI.cpp (Endi S. Dewata) - Add test for reinstalling IPA (Endi S. Dewata) - Convert TPSClientCLI.invokeOperation() to Java (Endi S. Dewata) - removed the "moved to" .md files [skip ci] (Christina Fu) - remove the "moved to" files under pki/docs/installation [skip ci] (Christina Fu) - Cover two conditions: - using ds temp bootstrap certs - using certs issued by a real CA (Christina Fu) - defer moving these user tool pages from wiki. [skip ci] (Christina Fu) - Fix javac --release option (Endi S. Dewata) - Don't create audit signing cert by default (Endi S. Dewata) - Update CI for typo fixes (Marco Fargetta) - Fix typos for SSN messages (Marco Fargetta) - Update minimum CMake version (Endi S. Dewata) - Add actionw write permission to stale CI (Marco Fargetta) - Don't use pki_token_name as default token (Endi S. Dewata) - Fix Azure pipelines (Endi S. Dewata) - Increase number for CI stale actions (Marco Fargetta) - Refactor RA_Client::Execute() (Endi S. Dewata) - Remove hard-coded pkidbuser (Endi S. 
Dewata) - Update CI stale to v9.1.0 (Marco Fargetta) - Update dogtagpki-docs-convention-readme.adoc (Christina Fu) - Update dogtagpki-docs-convention-readme.adoc (Christina Fu) - under pki/docs/installation - adding the following three lines to the top of adoc files with all lower case file names: -- :_mod-docs-content-type: PROCEDURE -- \n -- [id="xxx_{context}"] where 'xxx' is the file name minus the .adoc extention [skip ci] (Christina Fu) - The initial Dogtag pki documentation convention readme file. - future contributors to pki/docs are expected to conform to the contentions listed in this file. - reviewers are expected to give a comment pointing any future doc PR to this file before giving any detailed reviews. [skip ci] (Christina Fu) - Add support for subsystem logging.properties (Endi S. Dewata) - pki/docs/installation adoc files renamed according to new conventions. - All lower case - ‘-’ instead of “_” - Adding “moved to” message to old files - Changing link references from old to new names - replaced "Secure-Connection" with "ldaps" (Christina Fu) - Update to backbone v1.6.0 (Marco Fargetta) - Update to underscore v1.13.7 (Marco Fargetta) - Update to jquery v3.7.1 (Marco Fargetta) - Add pki tps-client (Endi S. Dewata) - Split tpsclient into libpki-tps.so (Endi S. Dewata) - Enable certificate revocation check in NonBlockingSocketFactory (Marco Fargetta) - Enable stale action (Marco Fargetta) - replace "will be" with "is" (if singular) or "are" (if plural) under pki/docs/installation [skip ci] (Christina Fu) - - replace "will be deployed" with "is deployed" under pki/docs/installation - remove backticks surrounding words (instead of names) under pki/docs/installation - remove the extra ", for example" under pki/docs/installation [skip ci] (Christina Fu) - replacing "e.g." with "for example" with some additional rules: - if ')' is not followed by a punctuation, replace it with ',' - if ')' is followed by a punctuation, remove the ')' - ignore "e.g." 
inside asciidoc code blocks, e.g. acme/Installing-ACME-Responder-using-PKI-Server-ACME-CLI.adoc - adding a pair of backticks to surround the example [skip ci] (Christina Fu) - Refactor CRMFPopClient (part 2) (Endi S. Dewata) - Refactor CRMFPopClient (part 1) (Endi S. Dewata) - Clean up HTTPConnectorCLI.print_connector() (Endi S. Dewata) - Add stale automation for issues and PRs (Marco Fargetta) - Fix product_id and theme params in pki.spec (Endi S. Dewata) - Use Tomcat 9 on RHEL 10 (Endi S. Dewata) - adding missing note to assume export of CA signing cert to ca_signing.crt prior to cloning kra and ocsp with HSM [skip ci] (Christina Fu) - Added 'token' and 'pki_cert_chain_path' configuration parameters (Pritam Singh) - Added 'token' parameters (Pritam Singh) - Added 'token' parameters (Pritam Singh) - Added 'pki_cert_chain_path' configuration parameter (Pritam Singh) - Added 'pki_cert_chain_path' configuration parameter (Pritam Singh) - Fix expected backup folder permissions in CI (Endi S. Dewata) - avoid reference to the word "page" for downstream convergence. [skip ci] (Christina Fu) - Replace "This page describes the process" with "Follow this process" per downstream convergence. [skip ci] (Christina Fu) - Removed "Overview" per downstream convergence. [skip ci] (Christina Fu) - Update version number to 11.7.0-alpha1 (Endi S. Dewata) - Update PKIServer.create_logs_dir() (Endi S. Dewata) - adding [literal,subs="+quotes,verbatim"] line above code "...." blocks [skip ci] (Christina Fu) - replace md quote style (“```”) with adoc style ("....") [skip ci] (Christina Fu) - Update ACME docs [skip ci] (Endi S. Dewata) - Fix home directory owner in containers (Endi S. Dewata) - [skip ci] remove closing ='s from headers in adoc files under pki/docs/installation (Christina Fu) - Reduce failures in container tests (Endi S. Dewata) - [skip ci] - point DS setup link to ../others/Installation_Prerequisites.adoc (Christina Fu) - Use Maven with OpenJDK 17 on RHEL 9 (Endi S. 
Dewata) * Tue Mar 6 2018 Dogtag PKI Team 10.6.0-0 - To list changes in <branch> since <tag>: $ git log --pretty=oneline --abbrev-commit --no-decorate <tag>..<branch>