[ol7_latest_archive] pki-kra-10.3.3-14.el7_3.noarch

Name:	pki-kra
Version:	10.3.3
Release:	14.el7_3
Architecture:	noarch
Group:	System Environment/Daemons
Size:	548300
License:	GPLv2
RPM:	pki-kra-10.3.3-14.el7_3.noarch.rpm
Source RPM:	pki-core-10.3.3-14.el7_3.src.rpm
Build Date:	Tue Dec 06 2016
Build Host:	x86-ol7-builder-02.us.oracle.com
Vendor:	Oracle America
URL:	http://pki.fedoraproject.org/
Summary:	Certificate System - Key Recovery Authority
Description:	The Key Recovery Authority (KRA) is an optional PKI subsystem that can act as a key archival facility. When configured in conjunction with the Certificate Authority (CA), the KRA stores private encryption keys as part of the certificate enrollment process. The key archival mechanism is triggered when a user enrolls in the PKI and creates the certificate request. Using the Certificate Request Message Format (CRMF) request format, a request is generated for the user's private encryption key. This key is then stored in the KRA which is configured to store keys in an encrypted format that can only be decrypted by several agents requesting the key at one time, providing for protection of the public encryption keys for the users in the PKI deployment. Note that the KRA archives encryption keys; it does NOT archive signing keys, since such archival would undermine non-repudiation properties of signing keys. This package is one of the top-level java-based Tomcat PKI subsystems provided by the PKI Core used by the Certificate System. ================================== \|\| ABOUT "CERTIFICATE SYSTEM" \|\| ================================== Certificate System (CS) is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments. PKI Core contains ALL top-level java-based Tomcat PKI components: * pki-symkey * pki-base * pki-base-python2 (alias for pki-base) * pki-base-python3 * pki-base-java * pki-tools * pki-server * pki-ca * pki-kra * pki-ocsp * pki-tks * pki-tps * pki-javadoc which comprise the following corresponding PKI subsystems: * Certificate Authority (CA) * Key Recovery Authority (KRA) * Online Certificate Status Protocol (OCSP) Manager * Token Key Service (TKS) * Token Processing Service (TPS) Python clients need only install the pki-base package. This package contains the python REST client packages and the client upgrade framework. Java clients should install the pki-base-java package. This package contains the legacy and REST Java client packages. These clients should also consider installing the pki-tools package, which contain native and Java-based PKI tools and utilities. Certificate Server instances require the fundamental classes and modules in pki-base and pki-base-java, as well as the utilities in pki-tools. The main server classes are in pki-server, with subsystem specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc. Finally, if Certificate System is being deployed as an individual or set of standalone rather than embedded server(s)/service(s), it is strongly recommended (though not explicitly required) to include at least one PKI Theme package: * dogtag-pki-theme (Dogtag Certificate System deployments) * dogtag-pki-server-theme * redhat-pki-server-theme (Red Hat Certificate System deployments) * redhat-pki-server-theme * customized pki theme (Customized Certificate System deployments) * <customized>-pki-server-theme NOTE: As a convenience for standalone deployments, top-level meta packages may be provided which bind a particular theme to these certificate server packages.

Changelog (Show File list) (Show related packages)

Tue Nov 08 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-14

- Marked the following RHCS 9.1.z bug:
  Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel
  when TPS and TKS security db is on fips mode. (jmagne)
  as a duplicate of RHEL 7.3.z bug:
  Bugzilla Bug #1389757 - Problems with FIPS mode (edewata)
  and moved the patch from the RHCS 9.1.z bug to the RHEL 7.3.z bug.

Thu Nov 03 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-13

- ## RHEL 7.3.z Batch Update 1
- Bugzilla Bug #1389757 - Problems with FIPS mode (edewata)
  (added KRA key recovery via CLI in FIPS mode)
- ## RHCS 9.1.z Batch Update 1
- Reverted patches associated with
  Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is
  not reflected in the TPS Web UI (edewata)

Mon Oct 31 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-12

- ## RHEL 7.3.z Batch Update 1
- Bugzilla Bug #1390318 - CA EE: Submit caUserCert request without uid does
  not show proper error message (alee)
- Bugzilla Bug #1390319 - Failed to start pki-tomcatd Service
  ("ipa-cacert-manage renew" failed?) (edewata)
- Bugzilla Bug #1390320 - pkispawn fails as it is not able to find openssl as
  a dependency package (mharmsen)
- Bugzilla Bug #1390321 - two-step externally-signed CA installation fails due
  to missing AuthorityID (ftweedal)
- Bugzilla Bug #1390322 - Spurious host authority entries created (ftweedal)
- Bugzilla Bug #1390324 - KRA installation failed against externally-signed CA
  with partial certificate chain (edewata)
- Bugzilla Bug #1389757 - Problems with FIPS mode (edewata)
- Bugzilla Bug #1390311 - Fix packaging duplicates of classes in multiple jar
  files (edewata)
- Bugzilla Bug #1390325 - Typo in comment line of UserPwdDirAuthentication.java
  (edewata)
- ## RHCS 9.1.z Batch Update 1
- Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1" (cfu)
- Bugzilla Bug #1274096 -  [BUG] Add ability to disallow TPS to enroll a
  single user on multiple tokens. (jmagne)
- Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed
  tokens (jmagne)
- Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working
  when a token is physically damaged and a temporary token is issued (jmagne)
- Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial
  number and key id on the ldap user mismatches
- Bugzilla Bug #1381635 - Token format with external reg fails when
  op.format.externalRegAddToToken.revokeCert=true (cfu)
- Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when
  set on a token (jmagne)
- Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel
  when TPS and TKS security db is on fips mode. (jmagne)
- Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is
  not reflected in the TPS Web UI (edewata)

Mon Oct 10 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-11

- PKI TRAC Ticket #1527 - TPS Enrollment always goes to "ca1" (cfu)
- PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single
  user on multiple tokens. (jmagne)
- PKI TRAC Ticket #2478 - pkispawn fails as it is not able to find openssl as a
  dependency package (mharmsen)
- PKI TRAC Ticket #2483 - Unable to read an encrypted email using renewed
  tokens (jmagne)
- PKI TRAC Ticket #2496 - Cert/Key recovery is successful when the cert serial
  number and key id on the ldap user mismatches (cfu)
- PKI TRAC Ticket #2505 - Fix packaging duplicates of classes in multiple jar
  files (edewata)

Fri Sep 09 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-10

- Revert Patch:  PKI TRAC Ticket #2449 - Unable to create system certificates
  in different tokens (edewata)
- Resolves:  rhbz #1374054 - ipa-replica-install fails setting up certificate
- Restores:  rhbz #1319557 - pkispawn KRA instance is failing server
- Removes from Errata:  rhbz #1372041 - Unable to create system certificates
  in different tokens

Tue Sep 06 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-9

- PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion
  (ftweedal)
- PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
  (edewata)
- PKI TRAC Ticket #2443 - Prevent deletion of host CA's keys if LWCA entry
  deleted (ftweedal)
- PKI TRAC Ticket #2444 - Authority entry without entryUSN is skipped even if
  USN plugin enabled (ftweedal)
- PKI TRAC Ticket #2446 - pkispawn: make subject_dn defaults unique per
  instance name (for shared HSM) (cfu)
- PKI TRAC Ticket #2447 - CertRequestInfo has incorrect URLs (vakwetu)
- PKI TRAC Ticket #2449 - Unable to create system certificates in different
  tokens (edewata)

Mon Aug 29 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-8

- PKI TRAC Ticket #1578 - Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working (jmagne)
- PKI TRAC TIcket #2414 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided (gkapoor)
- PKI TRAC Ticket #2423 - pki_ca_signing_token when not specified does not fallback to pki_token_name value (edewata)
- PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (akasurde) - ticket remains open
- PKI TRAC Ticket #2439 - Outdated deployment descriptors in upgraded server(edewata)

Tue Aug 23 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-7

- PKI TRAC Ticket #690 - [MAN] pki-tools man pages (mharmsen)
  - CMCEnroll
- PKI TRAC Ticket #833 - pki user-mod fullName="" gives an error message
  "PKIException: LDAP error (21): error result" (edewata)
- PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade.
  (cheimes, edewata, mharmsen)
- PKI TRAC Ticket #2432 - Kra-selftest behavior is not as expected (edewata)
- PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
  (edewata, mharmsen)
- PKI TRAC Ticket #2437 - TPS UI: while adding certs for users from TPSUI pem
  format with/without header works while pkcs7 with header is not allowed
  (edewata)
- PKI TRAC Ticket #2440 - Optional CA signing CSR for migration (edewata)

Mon Aug 15 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-6
```
- Bugzilla Bug #1366465 - Errata TPS upgrade test fails
```

Mon Aug 08 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-5

- PKI TRAC Ticket #978  - TPS connector man page: add revocation routing
  info (cfu)
- PKI TRAC Ticket #1285 - [MAN] Apply 'generateCRMFRequest() removed from
  Firefox' workarounds to appropriate 'pki' man page (jmagne)
- PKI TRAC Ticket #2246 - [MAN] Man Page: AuditVerify (cfu)
- PKI TRAC Ticket #2381 - Throws exception while providing invalid module.
  (edewata)
- PKI TRAC Ticket #2383 - CLI :: pki client-cert-request --extractable
  should accept only boolean value (edewata)
- PKI TRAC Ticket #2389 - Installation: subsystem certs could have notAfter
  beyond CA signing cert in case of external or existing CA (cfu)
- PKI TRAC Ticket #2399 - Dogtag 10.3.5: Miscellaneous Enhancements
  (akasurde, alee, cheimes, edewata, jmagne, mharmsen)
- PKI TRAC Ticket #2401 - pkispawn calls dnsdomainname even if it does not
  rpm-require hostname (mharmsen)
- PKI TRAC Ticket #2402 - Conflict in file ownership in pki-base and
  pki-server (cheimes)
- PKI TRAC Ticket #2403 - Deployment problem with RESTEasy 3.0.17 (edewata)
- PKI TRAC Ticket #2406 - Make starting CRL Number configurable (jmagne)
- PKI TRAC Ticket #2412 - pki client-cert-import --trust option does not
  apply the specified trust bits (alee)
- PKI TRAC Ticket #2418 - [TPS] Some template substitution didn't happen
  during installation (alee)
- PKI TRAC Ticket #2420 - CA subsystem OSCP responder fails when LWCAs are
  not used (ftweedal)
- PKI TRAC Ticket #2421 - Incorrect SELinux contexts
  Installation/Configuration (edewata)
- PKI TRAC Ticket #2424 - ipa-ca-install fails on replica when IPA server
  is converted from CA-less to CA-full (edewata)
- PKI TRAC Ticket #2428 - broken request links for CA's system certs in
  agent request viewing (cfu)
- PKI TRAC Ticket #2430 - CA Agent certificate list is not sorted by serial
  number in migration case (jmagne)
- PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade.
  (mharmsen)
- PKI TRAC Ticket #2433 - Lightweight CA GET <id>/chain returns bogus PEM
  data (ftweedal)