[ol7_latest] pki-kra-10.5.9-6.el7.noarch

Name:	pki-kra
Version:	10.5.9
Release:	6.el7
Architecture:	noarch
Group:	System Environment/Daemons
Size:	557431
License:	GPLv2
RPM:	pki-kra-10.5.9-6.el7.noarch.rpm
Source RPM:	pki-core-10.5.9-6.el7.src.rpm
Build Date:	Wed Oct 31 2018
Build Host:	x86-ol7-builder-02.us.oracle.com
Vendor:	Oracle America
URL:	http://pki.fedoraproject.org/
Summary:	Certificate System - Key Recovery Authority
Description:	The Key Recovery Authority (KRA) is an optional PKI subsystem that can act as a key archival facility. When configured in conjunction with the Certificate Authority (CA), the KRA stores private encryption keys as part of the certificate enrollment process. The key archival mechanism is triggered when a user enrolls in the PKI and creates the certificate request. Using the Certificate Request Message Format (CRMF) request format, a request is generated for the user's private encryption key. This key is then stored in the KRA which is configured to store keys in an encrypted format that can only be decrypted by several agents requesting the key at one time, providing for protection of the public encryption keys for the users in the PKI deployment. Note that the KRA archives encryption keys; it does NOT archive signing keys, since such archival would undermine non-repudiation properties of signing keys. This package is one of the top-level java-based Tomcat PKI subsystems provided by the PKI Core used by the Certificate System. ================================== \|\| ABOUT "CERTIFICATE SYSTEM" \|\| ================================== Certificate System (CS) is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments. PKI Core contains ALL top-level java-based Tomcat PKI components: * pki-symkey * pki-base * pki-base-python2 (alias for pki-base) * pki-base-python3 * pki-base-java * pki-tools * pki-server * pki-ca * pki-kra * pki-ocsp * pki-tks * pki-tps * pki-javadoc which comprise the following corresponding PKI subsystems: * Certificate Authority (CA) * Key Recovery Authority (KRA) * Online Certificate Status Protocol (OCSP) Manager * Token Key Service (TKS) * Token Processing Service (TPS) Python clients need only install the pki-base package. This package contains the python REST client packages and the client upgrade framework. Java clients should install the pki-base-java package. This package contains the legacy and REST Java client packages. These clients should also consider installing the pki-tools package, which contain native and Java-based PKI tools and utilities. Certificate Server instances require the fundamental classes and modules in pki-base and pki-base-java, as well as the utilities in pki-tools. The main server classes are in pki-server, with subsystem specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc. Finally, if Certificate System is being deployed as an individual or set of standalone rather than embedded server(s)/service(s), it is strongly recommended (though not explicitly required) to include at least one PKI Theme package: * dogtag-pki-theme (Dogtag Certificate System deployments) * dogtag-pki-server-theme * redhat-pki-server-theme (Red Hat Certificate System deployments) * redhat-pki-server-theme * customized pki theme (Customized Certificate System deployments) * <customized>-pki-server-theme NOTE: As a convenience for standalone deployments, top-level meta packages may be provided which bind a particular theme to these certificate server packages.

Changelog (Show File list) (Show related packages)

Tue Aug 21 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-6

- Updated nuxwdog dependencies
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #673182 - ECC keys not supported for signing
  audit logs (cfu)
- Bugzilla Bug #1593805 - Better understanding of
  NSS_USE_DECODED_CKA_EC_POINT for ECC (cfu)
- Bugzilla Bug #1601071 - Certificate generation happens with
  partial attributes in CMCRequest file (cfu)
- Bugzilla Bug #1601569 - CC: Enable all config audit events
  (cfu)
- Bugzilla Bug #1608375 - CMC Revocations throws exception
  with same reqIssuer & certissuer (cfu)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to

Thu Aug 09 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-5

- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1596629 - ipa-replica-install --setup-kra broken on DL0
  with latest version (abokovoy)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to

Tue Jul 31 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-4

- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1548203 - pki console configurations that involves ldap
  passwords leave the plain text password in signed audit logs (cfu)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1494591 - keyGen fails when only Identity

Mon Jul 23 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-3
```
- Re-spin alpha builds
```

Thu Jul 05 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-2

- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1471935 - X500Name.directoryStringEncodingOrder overridden
  by CSR encoding (cfu)
- Bugzilla Bug #1538311 - Using a Netmask produces an odd entry in a
  certificate (ftweedal)
- Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in
  SharedToken scenario's (cfu)
- Bugzilla Bug #1550742 - Address ECC profile overrides (cfu)
- Bugzilla Bug #1562841 - servlet profileSubmitCMCSimple throws NPE (cfu)
- Bugzilla Bug #1572432 - AuditVerify failure due to line breaks (cfu)
- Bugzilla Bug #1592961 - Need proper default subjectDN for CMC request
  authenticated through SharedToken (cfu)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to

Mon Jun 11 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-1

- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1538311 - Using a Netmask produces an odd
  entry in a certifcate (ftweedal)
- Bugzilla Bug #1544843 - ExternalCA: Installation failed during
  csr generation with ecc (rrelyea, gkapoor)
- Bugzilla Bug #1557569 - Re-base pki-core from 10.5.1 to latest
  upstream 10.5.x (RHEL) (mharmsen)
- Bugzilla Bug #1580394 - CMC CRMF requests result in
  InvalidKeyFormatException when signing algorithm is ECC (cfu)
- Bugzilla Bug #1580527 - CVE-2018-1080 pki-core: Mishandled
  ACL configuration in AAclAuthz.java reverses rules that allow
  and deny access (ftweedal, cfu)
- Bugzilla Bug #1585866 - CRMFPopClient tool - should allow
  option to do no key archival (cfu)
- Bugzilla Bug #1588655 - Cert validation for installation with
  external CA cert (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to

Sat Jun 09 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-13.1
```
- Rebuild due to build system database problem
```

Fri Jun 08 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-13

- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1553068 - Using a Netmask produces an odd
  entry in a certifcate [rhel-7.5.z] (ftweedal)
- Bugzilla Bug #1585945 - CMC CRMF requests result in
  InvalidKeyFormatException when signing algorithm is ECC
  [rhel-7.5.z] (cfu)
- Bugzilla Bug #1587826 - ExternalCA: Installation failed during
  csr generation with ecc [rhel-7.5.z] (rrelyea, gkapoor)
- Bugzilla Bug #1588944 - Cert validation for installation with
  external CA cert [rhel-7.5.z] (edewata)
- Bugzilla Bug #1588945 - CRMFPopClient tool - should allow
  option to do no key archival (cfu)
- Bugzilla Bug #1589307 - CVE-2018-1080 pki-core: Mishandled
  ACL configuration in AAclAuthz.java reverses rules that allow
  and deny access [rhel-7.5.z] (ftweedal, cfu)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,

Tue May 22 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-12

- Updated "jss" build and runtime requirements (mharmsen)
- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1571582 - [MAN] Missing Man pages for tools CMCRequest,
  CMCResponse, CMCSharedToken (typos) [rhel-7.5.z] (cfu)
- Bugzilla Bug #1572548 - IPA install with external-CA is failing when
  FIPS mode enabled. [rhel-7.5.z] (edewata)
- Bugzilla Bug #1574848 - servlet profileSubmitCMCSimple throws NPE
  [rhel-7.5.z] (cfu)
- Bugzilla Bug #1575521 - subsystem -> subsystem SSL handshake issue
  with TLS_ECDHE_RSA_* on Thales HSM [rhel-7.5.z] (cfu)
- Bugzilla Bug #1581134 - ECC installation for non CA subsystems needs
  improvement [rhel-7.5.z] (jmagne)
- Bugzilla Bug #1581135 - SAN in internal SSL server certificate in
  pkispawn configuration step [rhel-7.5.z] (cfu)
- Bugzilla Bug #1581167 - CC: CMC profiles: Some CMC profiles have wrong
  input class_id [rhel-7.5.z] (cfu)
- Bugzilla Bug #1581382 - ECDSA Certificates Generated by Certificate System
  9.3 fail NIST validation test with parameter field. [rhel-7.5.z] (cfu)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core,

Mon Apr 09 2018 Dogtag Team <pki-devel@redhat.com> 10.5.1-11

- ##########################################################################
- # RHEL 7.5:
- ##########################################################################
- Bugzilla Bug #1554726 - Need ECC-specific Enrollment Profiles for
  standard conformance [rhel-7.5.z] (cfu)
- Bugzilla Bug #1557880 - [MAN] Missing Man pages for tools
  CMCRequest, CMCResponse, CMCSharedToken [rhel-7.5.z] (cfu)
- ##########################################################################
- # RHCS 9.3:
- ##########################################################################
- # Bugzilla Bug #1560233 - libtps does not directly depend on libz