| Name: | pki-kra |
|---|
| Version: | 10.5.1 |
|---|
| Release: | 13.1.el7_5 |
|---|
| Architecture: | noarch |
|---|
| Group: | System Environment/Daemons |
|---|
| Size: | 557423 |
|---|
| License: | GPLv2 |
|---|
| RPM: |
pki-kra-10.5.1-13.1.el7_5.noarch.rpm
|
| Source RPM: |
pki-core-10.5.1-13.1.el7_5.src.rpm
|
| Build Date: | Tue Jun 26 2018 |
|---|
| Build Host: | x86-ol7-builder-02.us.oracle.com |
|---|
| Vendor: | Oracle America |
|---|
| URL: | http://pki.fedoraproject.org/ |
|---|
| Summary: | Certificate System - Key Recovery Authority |
|---|
| Description: | The Key Recovery Authority (KRA) is an optional PKI subsystem that can act
as a key archival facility. When configured in conjunction with the
Certificate Authority (CA), the KRA stores private encryption keys as part of
the certificate enrollment process. The key archival mechanism is triggered
when a user enrolls in the PKI and creates the certificate request. Using the
Certificate Request Message Format (CRMF) request format, a request is
generated for the user's private encryption key. This key is then stored in
the KRA which is configured to store keys in an encrypted format that can only
be decrypted by several agents requesting the key at one time, providing for
protection of the public encryption keys for the users in the PKI deployment.
Note that the KRA archives encryption keys; it does NOT archive signing keys,
since such archival would undermine non-repudiation properties of signing keys.
This package is one of the top-level java-based Tomcat PKI subsystems
provided by the PKI Core used by the Certificate System.
==================================
|| ABOUT "CERTIFICATE SYSTEM" ||
==================================
Certificate System (CS) is an enterprise software system designed
to manage enterprise Public Key Infrastructure (PKI) deployments.
PKI Core contains ALL top-level java-based Tomcat PKI components:
* pki-symkey
* pki-base
* pki-base-python2 (alias for pki-base)
* pki-base-python3
* pki-base-java
* pki-tools
* pki-server
* pki-ca
* pki-kra
* pki-ocsp
* pki-tks
* pki-tps
* pki-javadoc
which comprise the following corresponding PKI subsystems:
* Certificate Authority (CA)
* Key Recovery Authority (KRA)
* Online Certificate Status Protocol (OCSP) Manager
* Token Key Service (TKS)
* Token Processing Service (TPS)
Python clients need only install the pki-base package. This
package contains the python REST client packages and the client
upgrade framework.
Java clients should install the pki-base-java package. This package
contains the legacy and REST Java client packages. These clients
should also consider installing the pki-tools package, which contain
native and Java-based PKI tools and utilities.
Certificate Server instances require the fundamental classes and
modules in pki-base and pki-base-java, as well as the utilities in
pki-tools. The main server classes are in pki-server, with subsystem
specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc.
Finally, if Certificate System is being deployed as an individual or
set of standalone rather than embedded server(s)/service(s), it is
strongly recommended (though not explicitly required) to include at
least one PKI Theme package:
* dogtag-pki-theme (Dogtag Certificate System deployments)
* dogtag-pki-server-theme
* redhat-pki-server-theme (Red Hat Certificate System deployments)
* redhat-pki-server-theme
* customized pki theme (Customized Certificate System deployments)
* <customized>-pki-server-theme
NOTE: As a convenience for standalone deployments, top-level meta
packages may be provided which bind a particular theme to
these certificate server packages. |
|---|
-
Sat Jun 09 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-13.1
- Rebuild due to build system database problem
-
Fri Jun 08 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-13
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1553068 - Using a Netmask produces an odd
entry in a certifcate [rhel-7.5.z] (ftweedal)
- Bugzilla Bug #1585945 - CMC CRMF requests result in
InvalidKeyFormatException when signing algorithm is ECC
[rhel-7.5.z] (cfu)
- Bugzilla Bug #1587826 - ExternalCA: Installation failed during
csr generation with ecc [rhel-7.5.z] (rrelyea, gkapoor)
- Bugzilla Bug #1588944 - Cert validation for installation with
external CA cert [rhel-7.5.z] (edewata)
- Bugzilla Bug #1588945 - CRMFPopClient tool - should allow
option to do no key archival (cfu)
- Bugzilla Bug #1589307 - CVE-2018-1080 pki-core: Mishandled
ACL configuration in AAclAuthz.java reverses rules that allow
and deny access [rhel-7.5.z] (ftweedal, cfu)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,
-
Tue May 22 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-12
- Updated "jss" build and runtime requirements (mharmsen)
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1571582 - [MAN] Missing Man pages for tools CMCRequest,
CMCResponse, CMCSharedToken (typos) [rhel-7.5.z] (cfu)
- Bugzilla Bug #1572548 - IPA install with external-CA is failing when
FIPS mode enabled. [rhel-7.5.z] (edewata)
- Bugzilla Bug #1574848 - servlet profileSubmitCMCSimple throws NPE
[rhel-7.5.z] (cfu)
- Bugzilla Bug #1575521 - subsystem -> subsystem SSL handshake issue
with TLS_ECDHE_RSA_* on Thales HSM [rhel-7.5.z] (cfu)
- Bugzilla Bug #1581134 - ECC installation for non CA subsystems needs
improvement [rhel-7.5.z] (jmagne)
- Bugzilla Bug #1581135 - SAN in internal SSL server certificate in
pkispawn configuration step [rhel-7.5.z] (cfu)
- Bugzilla Bug #1581167 - CC: CMC profiles: Some CMC profiles have wrong
input class_id [rhel-7.5.z] (cfu)
- Bugzilla Bug #1581382 - ECDSA Certificates Generated by Certificate System
9.3 fail NIST validation test with parameter field. [rhel-7.5.z] (cfu)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,
-
Mon Apr 09 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-11
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for
standard conformance [rhel-7.5.z] (cfu)
- Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools
CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1560233 - libtps does not directly depend on libz
-
Fri Mar 23 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-10
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1550581 - CMCAuth throws
org.mozilla.jss.crypto.TokenException: Unable to insert certificate into
temporary database [rhel-7.5.z] (cfu)
- Bugzilla Bug #1551067 - [MAN] Add --skip-configuration
and --skip-installation into pkispawn man page. [rhel-7.5.z] (edewata)
- Bugzilla Bug #1552241 - Make sslget aware of TLSv1_2 ciphers
[rhel-7.5.z] (cheimes, mharmsen)
- Bugzilla Bug #1553068 - Using a Netmask produces an odd entry
in a certifcate [rhel-7.5.z] (ftweedal)
- Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for
standard conformance [rhel-7.5.z] (cfu)
- Bugzilla Bug #1554727 - Permit additional FIPS ciphers to be enabled
by default for RSA . . . [rhel-7.5.z] (mharmsen, cfu)
- Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools
CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu)
- Bugzilla Bug #1557883 - Console: Adding ACL from pki-console gives
StringIndexOutOfBoundsException [rhel-7.5.z] (ftweedal)
- Bugzilla Bug #1558919 - Not able to generate certificate request
with ECC using pki client-cert-request [rhel-7.5.z] (akahat)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1560233 - libtps does not directly depend on libz
-
Mon Feb 19 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-9
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release
- Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event
set (RHEL) (edewata)
- Bugzilla Bug #1532867 - Inconsistent key ID encoding (edewata)
- Bugzilla Bug #1540687 - CC: External OCSP Installation failure with HSM
and FIPS (edewata)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,
- # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit event
-
Mon Feb 12 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-8
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release
- Bugzilla Bug #1542210 - pki console configurations that involves ldap
passwords leave the plain text password in debug logs (jmagne)
- Bugzilla Bug #1543242 - Regression in lightweight CA key replication
(ftweedal)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,
-
Mon Feb 05 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-7
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- # Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release
- Bugzilla Bug #1445532 - CC: Audit Events: Update the default audit event
set (RHEL) (edewata)
- Bugzilla Bug #1522938 - CC: Missing faillure resumption detection and
audit event logging at startup (jmagne)
- Bugzilla Bug #1523410 - Unable to have non "pkiuser" owned CA instance
(alee)
- Bugzilla Bug #1525306 - CC: missing CMC request and response record
(cfu)
- Bugzilla Bug #1532933 - Installing subsystems with external CMC
certificates in HSM environment shows import error (edewata)
- Bugzilla Bug #1535797 - ExternalCA: Failures when installed with hsm
(edewata)
- Bugzilla Bug #1539125 - restrict default cipher suite to those ciphers
permitted in fips mode (mharmsen)
- Bugzilla Bug #1539198 - Inconsistent CERT_REQUEST_PROCESSED
outcomes. (edewata)
- Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in
SharedToken scenario's (cfu)
- Bugzilla Bug #1541526 - CMC: Revocation works with an unknown
revRequest.issuer (cfu)
- Bugzilla Bug #1541853 - ProfileService: config values with
backslashes have backslashes removed (ftweedal)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,
- # Bugzilla Bug #1404075 - CC: Audit Events: Update the default audit
- # Bugzilla Bug #1501436 - TPS CS.cfg should be reflected with the
-
Tue Jan 23 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-6
- Updated jss, nuxwdog, and openssl dependencies
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release
(RHEL)
- Bugzilla Bug #1402280 - CA Cloning: Failed to update number range in
few cases (ftweedal)
- Bugzilla Bug #1428021 - CC: shared token storage and retrieval
mechanism (cfu)
- Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false
would cause error (cfu)
- Bugzilla Bug #1498957 - pkidestroy does not work with nuxwdog
(alee)
- Bugzilla Bug #1520277 - PR_FILE_NOT_FOUND_ERROR during
pkispawn (alee)
- Bugzilla Bug #1520526 - p12 admin certificate is missing when
certificate is signed Externally (edewata)
- Bugzilla Bug #1523410 - Unable to have non "pkiuser" owned CA
instance (alee)
- Bugzilla Bug #1523443 - HAProxy rejects OCSP responses due to
missing nextupdate field (ftweedal)
- Bugzilla Bug #1526881 - Not able to setup CA with ECC (mharmsen)
- Bugzilla Bug #1532759 - pkispawn seems to be leaving our passwords
in several different files after installation completes (alee)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,
-
Mon Dec 11 2017 Dogtag Team <pki-devel@redhat.com> 10.5.1-5
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1473452 - Rebase pki-core to latest upstream 10.5.x release
(RHEL)
- Bugzilla Bug #1466066 - CC: Secure removal of secret data storage
(jmagne)
- Bugzilla Bug #1518096 - ExternalCA: Failures in ExternalCA when tried to
setup with CMC signed certificates (cfu)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, and