[ol7_latest] pki-kra-10.4.1-10.el7.noarch

Name:	pki-kra
Version:	10.4.1
Release:	10.el7
Architecture:	noarch
Group:	System Environment/Daemons
Size:	562173
License:	GPLv2
RPM:	pki-kra-10.4.1-10.el7.noarch.rpm
Source RPM:	pki-core-10.4.1-10.el7.src.rpm
Build Date:	Thu Aug 03 2017
Build Host:	x86-ol7-builder-01.us.oracle.com
Vendor:	Oracle America
URL:	http://pki.fedoraproject.org/
Summary:	Certificate System - Key Recovery Authority
Description:	The Key Recovery Authority (KRA) is an optional PKI subsystem that can act as a key archival facility. When configured in conjunction with the Certificate Authority (CA), the KRA stores private encryption keys as part of the certificate enrollment process. The key archival mechanism is triggered when a user enrolls in the PKI and creates the certificate request. Using the Certificate Request Message Format (CRMF) request format, a request is generated for the user's private encryption key. This key is then stored in the KRA which is configured to store keys in an encrypted format that can only be decrypted by several agents requesting the key at one time, providing for protection of the public encryption keys for the users in the PKI deployment. Note that the KRA archives encryption keys; it does NOT archive signing keys, since such archival would undermine non-repudiation properties of signing keys. This package is one of the top-level java-based Tomcat PKI subsystems provided by the PKI Core used by the Certificate System. ================================== \|\| ABOUT "CERTIFICATE SYSTEM" \|\| ================================== Certificate System (CS) is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments. PKI Core contains ALL top-level java-based Tomcat PKI components: * pki-symkey * pki-base * pki-base-python2 (alias for pki-base) * pki-base-python3 * pki-base-java * pki-tools * pki-server * pki-ca * pki-kra * pki-ocsp * pki-tks * pki-tps * pki-javadoc which comprise the following corresponding PKI subsystems: * Certificate Authority (CA) * Key Recovery Authority (KRA) * Online Certificate Status Protocol (OCSP) Manager * Token Key Service (TKS) * Token Processing Service (TPS) Python clients need only install the pki-base package. This package contains the python REST client packages and the client upgrade framework. Java clients should install the pki-base-java package. This package contains the legacy and REST Java client packages. These clients should also consider installing the pki-tools package, which contain native and Java-based PKI tools and utilities. Certificate Server instances require the fundamental classes and modules in pki-base and pki-base-java, as well as the utilities in pki-tools. The main server classes are in pki-server, with subsystem specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc. Finally, if Certificate System is being deployed as an individual or set of standalone rather than embedded server(s)/service(s), it is strongly recommended (though not explicitly required) to include at least one PKI Theme package: * dogtag-pki-theme (Dogtag Certificate System deployments) * dogtag-pki-server-theme * redhat-pki-server-theme (Red Hat Certificate System deployments) * redhat-pki-server-theme * customized pki theme (Customized Certificate System deployments) * <customized>-pki-server-theme NOTE: As a convenience for standalone deployments, top-level meta packages may be provided which bind a particular theme to these certificate server packages.

Changelog (Show File list) (Show related packages)

Mon Jun 19 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-10

- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1458043 - Key recovery on token fails with
  invalid public key error on KRA (alee)
- Bugzilla Bug #1460764 - CC: CMC: check HTTPS client
  authentication cert against CMC signer (cfu)
- Bugzilla Bug #1461533 - Unable to find keys in the p12 file after
  deleting the any of the subsystem certs from it (ftweedal)

Mon Jun 12 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-9

- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret)
  using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne)
- Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC
  non-signing certificate requests (cfu)
- Bugzilla Bug #1419777 - CC: allow CA to process pre-signed CMC
   revocation non-signing cert requests (cfu)
- Bugzilla Bug #1458047 - change the way aes clients refer to
  aes keysets (alee)
- Bugzilla Bug #1458055 - dont reuse IVs in the CMC code
  (alee)
- Bugzilla Bug #1460028 - In keywrap mode, key recovery on
  KRA with HSM causes KRA to crash (ftweedal)

Mon Jun 05 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-8

- Require "selinux-policy-targeted >= 3.13.1-159" as a runtime requirement
- Require "tomcatjss >= 7.2.1-4" as a build and runtime requirement
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS
  enabled system (edewata)
- Bugzilla Bug #1447144 - CA brought down during separate KRA instance
  creation (edewata)
- Bugzilla Bug #1447762 - pkispawn fails occasionally with this failure
  ACCESS_SESSION_ESTABLISH_FAILURE (edewata)
- Bugzilla Bug #1454450 - SubCA installation failure with 2 step
  installation in fips enabled mode (edewata)
- Bugzilla Bug #1456597 - Certificate import using pki client-cert-import
  is asking for password when already provided (edewata)
- Bugzilla Bug #1456940 - Build failure due to Pylint issues (cheimes)
- Bugzilla Bug #1458043 - Key recovery using externalReg fails
  with java null pointer exception on KRA (alee)
- Bugzilla Bug #1458379 - Upgrade script for keepAliveTimeout parameter
  (edewata)
- Bugzilla Bug #1458429 - client-cert-import --ca-cert should
  import CA cert with trust bits "CT,C,C" (edewata)
- ##########################################################################
- RHCS 9.2:
- ##########################################################################
- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)

Tue May 30 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-7

- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret)
  using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne)
- Bugzilla Bug #1445519 - CA Server installation with HSM fails
  (jmagne)
- Bugzilla Bug #1452617 - Unable to create IPA Sub CA
  (ftweedal)
- Bugzilla Bug #1454471 - Enabling all subsystems on startup
  (edewata)
- Bugzilla Bug #1455617 - Key recovery on token fails because
  key record is not marked encrypted (alee)

Tue May 23 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-6

- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error
  (mharmsen)

Mon May 22 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-5

- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1419761 - CC: allow CA to process pre-signed CMC renewal
  non-signing cert requests (cfu)
- Bugzilla Bug #1447080 - CC: CMC: allow enrollment key signed (self-signed)
  CMC with identity proof (cfu)
- Bugzilla Bug #1447144 - CA brought down during separate KRA instance
  creation (mharmsen)
- Bugzilla Bug #1448903 - exception Invalid module "--ignore-banner" when
  defined in ~/.dogtag/pki.conf and run pki pkcs12-import --help (edewata)
- Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails (jmagne)
- Bugzilla Bug #1452123 - CA CS.cfg shows default port (mharmsen)
- Bugzilla Bug #1452250 - Inconsistent CERT_REQUEST_PROCESSED event in
  ConnectorServlet. (edewata)
- Bugzilla Bug #1452340 - Ensuring common audit log correctness (edewata)
- Bugzilla Bug #1452344 - Adding serial number into CERT_REQUEST_PROCESSED
  audit event. (edewata)

Tue May 09 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-4

- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1386303 - cannot extract generated private key from KRA when
  HSM is used. (alee)
- Bugzilla Bug #1446364 - pkispawn returns before tomcat is ready (cheimes)
- Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false would cause
  error (cfu)
- Bugzilla Bug #1448203 - CAInfoService: retrieve KRA-related values from
  the KRA (ftweedal)
- Bugzilla Bug #1448204 - pkispawn of clone install fails with
  InvalidBERException (ftweedal)
- Bugzilla Bug #1448521 - kra unable to extract symmetric keys generated on
  thales hsm (alee)
- Updated "jss" build and runtime requirements (mharmsen)
- ##########################################################################
- RHCS 9.2:
- ##########################################################################
- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)

Mon May 01 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-3

- ############################################################################
- RHEL 7.4:
- ############################################################################
- Bugzilla Bug #1303683 - dogtag should support GSSAPI based auth in
  conjuction with FreeIPA (ftweedal)
- Bugzilla Bug #1385208 - RHCS 9.1 RC5 CA in the certificate profiles the
  startTime parameter is not working as expected. (jmagne)
- Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC non-signing
  certificate requests (cfu)
- Bugzilla Bug #1426754 - PKCS12: upgrade to at least AES and SHA2 (ftweedal)
- Bugzilla Bug #1445088 - profile modification cannot remove existing config
  parameters (ftweedal)
- Bugzilla Bug #1445535 - CC: Crypto Operation (AES Encryption/Decryption)
  (RHEL) (alee)
- Bugzilla Bug #1446874 - Missing ClientIP and ServerIP in audit log when
  pki CLI terminates SSL connection (edewata)
- Bugzilla Bug #1446875 - Session timeout for PKI console (RHEL) (edewata)
- ############################################################################
- RHCS 9.2:
- ############################################################################
- Bugzilla Bug #1404480 - CC: Crypto Operation (AES Encryption/Decryption)
  (RHCS) (alee)

Mon Apr 17 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-2

- ############################################################################
- RHEL 7.4:
- ############################################################################
- Bugzilla Bug #1282504 - Installing pki-server in container reports
  scriptlet failed, exit status 1 (jpazdziora)
- Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS
  enabled system (edewata)
- Bugzilla Bug #1410650 - [RFE] Add SCP03 support
  for sc 7 g & d cards (RHEL) (jmagne)
- Bugzilla Bug #1437591 - cli authentication using expired cert throws an
  exception (edewata)
- Bugzilla Bug #1437602 - non-CA cli looks for CA in the instance during a
  request (edewata)
- ############################################################################
- RHCS 9.2:
- ############################################################################
- Bugzilla Bug #1274086 - [RFE] Add SCP03 support
  for sc 7 g & d cards (RHCS) (jmagne)
- ############################################################################
- Common Criteria
- ############################################################################
- Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures
  (edewata)
- Bugzilla Bug #1417307 - CC: Audit Review /Searches (edewata)
- Bugzilla Bug #1419737 - CC: CMC: id-cmc-popLinkWitnessV2 feature
  implementation (cfu)

Mon Mar 27 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-1

- Require "nss >= 3.28.3" as a build and runtime requirement
- Require "jss >= 4.4.0-4" as a build and runtime requirement
- Require "tomcatjss >= 7.2.1-3" as a build and runtime requirement
- dogtagpki Pagure Issue #2612 - Unable to clone due to pki pkcs12-cert-find
  failure (edewata)
- ############################################################################
- Bugzilla Bug #1394309 - Rebase pki-core to 10.4.x in RHEL-7.4
- Bugzilla Bug #1394315 - Rebase redhat-pki, redhat-pki-theme, pki-core, and
  pki-console to 10.4.x
- ############################################################################
- RHEL 7.4:
- ############################################################################
- ############################################################################
- RHCS 9.2:
- ############################################################################
- ############################################################################
- Common Criteria
- ############################################################################
- Bugzilla Bug #1419734 - CC: CMC: id-cmc-identityProofV2 feature
  implementation (cfu)
- Bugzilla Bug #1419742 - CC: CMC: provide Proof of Possession for encryption
  cert requests (cfu)
- Bugzilla Bug #1404080 - CC: add audit event: various SSL/TLS failures
  (edewata)
- Bugzilla Bug #1428020 - CC: CMC feature support: provided issuance
  protection cert mechanism (cfu)