| Name: | pki-kra |
|---|
| Version: | 10.5.9 |
|---|
| Release: | 10.el7_6 |
|---|
| Architecture: | noarch |
|---|
| Group: | System Environment/Daemons |
|---|
| Size: | 516585 |
|---|
| License: | GPLv2 |
|---|
| RPM: |
pki-kra-10.5.9-10.el7_6.noarch.rpm
|
| Source RPM: |
pki-core-10.5.9-10.el7_6.src.rpm
|
| Build Date: | Thu Jan 31 2019 |
|---|
| Build Host: | x86-ol7-builder-01.us.oracle.com |
|---|
| Vendor: | Oracle America |
|---|
| URL: | http://pki.fedoraproject.org/ |
|---|
| Summary: | Certificate System - Key Recovery Authority |
|---|
| Description: | The Key Recovery Authority (KRA) is an optional PKI subsystem that can act
as a key archival facility. When configured in conjunction with the
Certificate Authority (CA), the KRA stores private encryption keys as part of
the certificate enrollment process. The key archival mechanism is triggered
when a user enrolls in the PKI and creates the certificate request. Using the
Certificate Request Message Format (CRMF) request format, a request is
generated for the user's private encryption key. This key is then stored in
the KRA which is configured to store keys in an encrypted format that can only
be decrypted by several agents requesting the key at one time, providing for
protection of the public encryption keys for the users in the PKI deployment.
Note that the KRA archives encryption keys; it does NOT archive signing keys,
since such archival would undermine non-repudiation properties of signing keys.
This package is one of the top-level java-based Tomcat PKI subsystems
provided by the PKI Core used by the Certificate System.
==================================
|| ABOUT "CERTIFICATE SYSTEM" ||
==================================
Certificate System (CS) is an enterprise software system designed
to manage enterprise Public Key Infrastructure (PKI) deployments.
PKI Core contains ALL top-level java-based Tomcat PKI components:
* pki-symkey
* pki-base
* pki-base-python2 (alias for pki-base)
* pki-base-python3
* pki-base-java
* pki-tools
* pki-server
* pki-ca
* pki-kra
* pki-ocsp
* pki-tks
* pki-tps
* pki-javadoc
which comprise the following corresponding PKI subsystems:
* Certificate Authority (CA)
* Key Recovery Authority (KRA)
* Online Certificate Status Protocol (OCSP) Manager
* Token Key Service (TKS)
* Token Processing Service (TPS)
Python clients need only install the pki-base package. This
package contains the python REST client packages and the client
upgrade framework.
Java clients should install the pki-base-java package. This package
contains the legacy and REST Java client packages. These clients
should also consider installing the pki-tools package, which contain
native and Java-based PKI tools and utilities.
Certificate Server instances require the fundamental classes and
modules in pki-base and pki-base-java, as well as the utilities in
pki-tools. The main server classes are in pki-server, with subsystem
specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc.
Finally, if Certificate System is being deployed as an individual or
set of standalone rather than embedded server(s)/service(s), it is
strongly recommended (though not explicitly required) to include at
least one PKI Theme package:
* dogtag-pki-theme (Dogtag Certificate System deployments)
* dogtag-pki-server-theme
* redhat-pki-server-theme (Red Hat Certificate System deployments)
* redhat-pki-server-theme
* customized pki theme (Customized Certificate System deployments)
* <customized>-pki-server-theme
NOTE: As a convenience for standalone deployments, top-level meta
packages may be provided which bind a particular theme to
these certificate server packages. |
|---|
-
Mon Dec 17 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-10
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1659939 - CC: Simplifying Web UI session timeout
configuration [rhel-7.6.z] (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,
- # Added Batch Update Information to Product Version (mharmsen)
-
Mon Dec 10 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-9
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1657922 - CC: CA/OCSP startup fail on SystemCertsVerification
if enableOCSP is true [rhel-7.6.z] (jmagne)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,
-
Wed Dec 05 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-8
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1645262 - pkidestroy may not remove all files [rhel-7.6.z]
(dmoluguw)
- Bugzilla Bug #1645263 - Auth plugins leave passwords in the access
log and audit log using REST [rhel-7.6.z] (dmoluguw)
- Bugzilla Bug #1645429 - pkispawn fails due to name collision with
/var/log/pki/<instance> [rhel-7.6.z] (dmoluguw)
- Bugzilla Bug #1655951 - CC: tools supporting CMC requests output
keyID needs to be captured in file [rhel-7.6.z] (cfu)
- Bugzilla Bug #1656297 - Unable to install with admin-generated keys
[rhel-7.6.z] (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,
-
Mon Oct 29 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-7
- Require "tomcatjss >= 7.2.1-8" as a build and runtime requirement
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1632116 - CC: missing audit event for CS acting as
TLS client [rhel-7.6.z] (cfu)
- Bugzilla Bug #1632120 - Unsupported RSA_ ciphers should be
removed from the default ciphers list [rhel-7.6.z] (cfu)
- Bugzilla Bug #1632615 - Permit certain SHA384 FIPS ciphers to be
enabled by default for RSA and ECC . . . [rhel-7.6.z] (cfu)
- Bugzilla Bug #1632616 - X500Name.directoryStringEncodingOrder
overridden by CSR encoding (coverity changes) [rhel-7.6.z] (mharmsen)
- Bugzilla Bug #1633104 - CMC: add config to allow non-clientAuth
[rhel-7.6.z] (cfu)
- Bugzilla Bug #1636490 - Installation of CA using an existing CA fails
[rhel-7.6.z] (edewata)
- Bugzilla Bug #1643878 - pki cli command for RHCS doesn't prompt for
a password [rhel-7.6.z] (edewata)
- Bugzilla Bug #1643879 - CC: Identify version/release of pki-ca, pki-kra,
pki-ocsp, pki-tks, and pki-tps remotely [RHEL] [rhel-7.6.z] (cfu, jmagne)
- Bugzilla Bug #1643880 - PKI subsystem process is not shutdown when
there is no space on the disk to write logs [rhel-7.6.z] (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,
-
Tue Aug 21 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-6
- Updated nuxwdog dependencies
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #673182 - ECC keys not supported for signing
audit logs (cfu)
- Bugzilla Bug #1593805 - Better understanding of
NSS_USE_DECODED_CKA_EC_POINT for ECC (cfu)
- Bugzilla Bug #1601071 - Certificate generation happens with
partial attributes in CMCRequest file (cfu)
- Bugzilla Bug #1601569 - CC: Enable all config audit events
(cfu)
- Bugzilla Bug #1608375 - CMC Revocations throws exception
with same reqIssuer & certissuer (cfu)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to
-
Thu Aug 09 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-5
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1596629 - ipa-replica-install --setup-kra broken on DL0
with latest version (abokovoy)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to
-
Tue Jul 31 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-4
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1548203 - pki console configurations that involves ldap
passwords leave the plain text password in signed audit logs (cfu)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1494591 - keyGen fails when only Identity
-
Mon Jul 23 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-3
- Re-spin alpha builds
-
Thu Jul 05 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-2
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1471935 - X500Name.directoryStringEncodingOrder overridden
by CSR encoding (cfu)
- Bugzilla Bug #1538311 - Using a Netmask produces an odd entry in a
certificate (ftweedal)
- Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in
SharedToken scenario's (cfu)
- Bugzilla Bug #1550742 - Address ECC profile overrides (cfu)
- Bugzilla Bug #1562841 - servlet profileSubmitCMCSimple throws NPE (cfu)
- Bugzilla Bug #1572432 - AuditVerify failure due to line breaks (cfu)
- Bugzilla Bug #1592961 - Need proper default subjectDN for CMC request
authenticated through SharedToken (cfu)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to
-
Mon Jun 11 2018 Dogtag Team <pki-devel@redhat.com> 10.5.9-1
- ##########################################################################
- # RHEL 7.6:
- ##########################################################################
- Bugzilla Bug #1538311 - Using a Netmask produces an odd
entry in a certifcate (ftweedal)
- Bugzilla Bug #1544843 - ExternalCA: Installation failed during
csr generation with ecc (rrelyea, gkapoor)
- Bugzilla Bug #1557569 - Re-base pki-core from 10.5.1 to latest
upstream 10.5.x (RHEL) (mharmsen)
- Bugzilla Bug #1580394 - CMC CRMF requests result in
InvalidKeyFormatException when signing algorithm is ECC (cfu)
- Bugzilla Bug #1580527 - CVE-2018-1080 pki-core: Mishandled
ACL configuration in AAclAuthz.java reverses rules that allow
and deny access (ftweedal, cfu)
- Bugzilla Bug #1585866 - CRMFPopClient tool - should allow
option to do no key archival (cfu)
- Bugzilla Bug #1588655 - Cert validation for installation with
external CA cert (edewata)
- ##########################################################################
- # RHCS 9.4:
- ##########################################################################
- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to