Name: | pki-kra |
Version: | 10.4.1 |
Release: | 17.el7_4 |
Architecture: | noarch |
Group: | System Environment/Daemons |
Size: | 562315 |
License: | GPLv2 |
RPM: | pki-kra-10.4.1-17.el7_4.noarch.rpm |
Source RPM: | pki-core-10.4.1-17.el7_4.src.rpm |
Build Date: | Thu Nov 30 2017 |
Build Host: | x86-ol7-builder-01.us.oracle.com |
Vendor: | Oracle America |
URL: | http://pki.fedoraproject.org/ |
Summary: | Certificate System - Key Recovery Authority |
Description: | The Key Recovery Authority (KRA) is an optional PKI subsystem that can act
as a key archival facility. When configured in conjunction with the
Certificate Authority (CA), the KRA stores private encryption keys as part of
the certificate enrollment process. The key archival mechanism is triggered
when a user enrolls in the PKI and creates the certificate request. Using the
Certificate Request Message Format (CRMF) request format, a request is
generated for the user's private encryption key. This key is then stored in
the KRA which is configured to store keys in an encrypted format that can only
be decrypted by several agents requesting the key at one time, providing for
protection of the public encryption keys for the users in the PKI deployment.
Note that the KRA archives encryption keys; it does NOT archive signing keys,
since such archival would undermine non-repudiation properties of signing keys.
This package is one of the top-level java-based Tomcat PKI subsystems
provided by the PKI Core used by the Certificate System.
==================================
|| ABOUT "CERTIFICATE SYSTEM" ||
==================================
Certificate System (CS) is an enterprise software system designed
to manage enterprise Public Key Infrastructure (PKI) deployments.
PKI Core contains ALL top-level java-based Tomcat PKI components:
* pki-symkey
* pki-base
* pki-base-python2 (alias for pki-base)
* pki-base-python3
* pki-base-java
* pki-tools
* pki-server
* pki-ca
* pki-kra
* pki-ocsp
* pki-tks
* pki-tps
* pki-javadoc
which comprise the following corresponding PKI subsystems:
* Certificate Authority (CA)
* Key Recovery Authority (KRA)
* Online Certificate Status Protocol (OCSP) Manager
* Token Key Service (TKS)
* Token Processing Service (TPS)
Python clients need only install the pki-base package. This
package contains the python REST client packages and the client
upgrade framework.
Java clients should install the pki-base-java package. This package
contains the legacy and REST Java client packages. These clients
should also consider installing the pki-tools package, which contains
native and Java-based PKI tools and utilities.
Certificate Server instances require the fundamental classes and
modules in pki-base and pki-base-java, as well as the utilities in
pki-tools. The main server classes are in pki-server, with subsystem
specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc.
Finally, if Certificate System is being deployed as an individual or
set of standalone rather than embedded server(s)/service(s), it is
strongly recommended (though not explicitly required) to include at
least one PKI Theme package:
* dogtag-pki-theme (Dogtag Certificate System deployments)
  * dogtag-pki-server-theme
* redhat-pki-server-theme (Red Hat Certificate System deployments)
  * redhat-pki-server-theme
* customized pki theme (Customized Certificate System deployments)
  * <customized>-pki-server-theme
NOTE: As a convenience for standalone deployments, top-level meta
packages may be provided which bind a particular theme to
these certificate server packages. |
-
Fri Nov 10 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-17
- ###########################################################################
- ## RHCS 9.2
- ###########################################################################
- #Bugzilla Bug #1507160 - TPS new configuration to allow the protocol of
-
Fri Oct 13 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-16
- ###########################################################################
- ## RHCS 9.2
- ###########################################################################
- #Bugzilla Bug #1439228 - externalRegRecover does not support multiple
- #Bugzilla Bug #1507160 - TPS new configuration to allow the protocol of
- #Bugzilla Bug #1471996 - Certificate Revocation Reasons not being updated
- ###########################################################################
- ## RHEL 7.4
- ###########################################################################
- Bugzilla Bug #1500499 - Certificate Revocation Reasons not being updated
in some cases [rhel-7.4.z] (cfu)
- Bugzilla Bug #1502527 - CA cert without Subject Key Identifier causes
issuance failure [rhel-7.4.z] (ftweedal)
- Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0
[rhel-7.4.z] (ftweedal)
NOTE: Check-ins for #1492560 all reference the dogtagpki Pagure Issue
associated with Bugzilla Bug #1402280 - CA Cloning: Failed to
update number range in few cases (which is not yet fully resolved)
-
Mon Sep 18 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-15
- Bugzilla Bug #1492560 - ipa-replica-install --setup-kra broken on DL0
[rhel-7.4.z] (ftweedal)
-
Tue Sep 12 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-14
- Require "jss >= 4.4.0-8" as a build and runtime requirement
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Resolves: rhbz #1486870,1485833,1487509,1490241,1491332
- Bugzilla Bug #1486870 - Lightweight CA key replication fails (regressions)
[RHEL 7.4.z] (ftweedal)
- Bugzilla Bug #1485833 - Missing CN in user signing cert would cause error
in cmc user-signed [rhel-7.4.z] (cfu)
- Bugzilla Bug #1487509 - pki-server-upgrade fails when upgrading from
RHEL 7.1 [rhel-7.4.z] (ftweedal)
- Bugzilla Bug #1490241 - PKCS12: upgrade to at least AES and SHA2 (FIPS)
[rhel-7.4.z] (ftweedal)
- Bugzilla Bug #1491332 - TPS UI: need to display tokenType and tokenOrigin
for token certificates on TPS UI Server [rhel-7.4.z] (edewata)
- dogtagpki Pagure Issue #2764 - py3: pki.key.archive_encrypted_data:
TypeError: ... is not JSON serializable (ftweedal)
- ##########################################################################
- RHCS 9.2:
- ##########################################################################
- Resolves: rhbz #1486870,1485833,1487509,1490241,1491332,1482729,1462271
- Bugzilla Bug #1462271 - TPS incorrectly assigns "tokenOrigin" and
"tokenType" certificate attribute for recovered certificates. (cfu)
- Bugzilla Bug #1482729 - TPS UI: need to display tokenType and tokenOrigin
for token certificates on TPS UI (edewata)
-
Mon Aug 21 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-13
- Resolves: rhbz #1463350
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1463350 - Access banner validation (edewata)
[pki-core-server-access-banner-retrieval-validation.patch]
-
Wed Jul 19 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-12
- Resolves: rhbz #1472615,1472617,1469447,1463350,1469449,1472619,1464970,1469437,1469439,1469446
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1472615 - CC: allow CA to process pre-signed CMC non-signing
certificate requests (cfu)
[PREVIOUS PATCH: pki-core-beta.patch]
[PREVIOUS PATCH: pki-core-snapshot-4.patch]
- Bugzilla Bug #1472617 - CMC: cmc.popLinkWitnessRequired=false would cause
error (cfu)
[PREVIOUS PATCH: pki-core-post-beta.patch]
- Bugzilla Bug #1469447 - CC: CMC: check HTTPS client authentication cert
against CMC signer (cfu)
[PREVIOUS PATCH: pki-core-CMC-check-HTTPS-client-authentication-cert.patch]
- Bugzilla Bug #1463350 - Access banner validation (edewata)
[pki-core-server-access-banner-validation.patch]
- Bugzilla Bug #1469449 - CC: allow CA to process pre-signed CMC renewal
non-signing cert requests (cfu)
[PREVIOUS PATCH: pki-core-snapshot-1.patch]
[pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch]
- Bugzilla Bug #1472619 - Platform Dependent Python Import (mharmsen)
[pki-core-platform-dependent-python-import.patch]
- Bugzilla Bug #1464970 - CC: CMC: replace id-cmc-statusInfo with
id-cmc-statusInfoV2 (cfu)
[pki-core-CMC-id-cmc-statusInfoV2.patch]
- Bugzilla Bug #1469437 - subsystem-cert-update command lacks --cert option
(dmoluguw)
[pki-core-subsystem-cert-update-CLI-cert-option.patch]
- Bugzilla Bug #1469439 - Fix Key Changeover with HSM to support SCP03
(jmagne)
[pki-core-HSM-key-changeover-SCP03-support.patch]
- Bugzilla Bug #1469446 - CC: need CMC enrollment profiles for system
certificates (cfu)
[pki-core-system-cert-CMC-enroll-profile.patch]
-
Mon Jul 17 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-11
- Resolves: rhbz #1469432
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1469432 - CMC plugin default change
- Resolves CVE-2017-7537
- Fixes BZ #1470948
-
Mon Jun 19 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-10
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1458043 - Key recovery on token fails with
invalid public key error on KRA (alee)
- Bugzilla Bug #1460764 - CC: CMC: check HTTPS client
authentication cert against CMC signer (cfu)
- Bugzilla Bug #1461533 - Unable to find keys in the p12 file after
deleting the any of the subsystem certs from it (ftweedal)
-
Mon Jun 12 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-9
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret)
using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne)
- Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC
non-signing certificate requests (cfu)
- Bugzilla Bug #1419777 - CC: allow CA to process pre-signed CMC
revocation non-signing cert requests (cfu)
- Bugzilla Bug #1458047 - change the way aes clients refer to
aes keysets (alee)
- Bugzilla Bug #1458055 - dont reuse IVs in the CMC code
(alee)
- Bugzilla Bug #1460028 - In keywrap mode, key recovery on
KRA with HSM causes KRA to crash (ftweedal)
-
Mon Jun 05 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-8
- Require "selinux-policy-targeted >= 3.13.1-159" as a runtime requirement
- Require "tomcatjss >= 7.2.1-4" as a build and runtime requirement
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS
enabled system (edewata)
- Bugzilla Bug #1447144 - CA brought down during separate KRA instance
creation (edewata)
- Bugzilla Bug #1447762 - pkispawn fails occasionally with this failure
ACCESS_SESSION_ESTABLISH_FAILURE (edewata)
- Bugzilla Bug #1454450 - SubCA installation failure with 2 step
installation in fips enabled mode (edewata)
- Bugzilla Bug #1456597 - Certificate import using pki client-cert-import
is asking for password when already provided (edewata)
- Bugzilla Bug #1456940 - Build failure due to Pylint issues (cheimes)
- Bugzilla Bug #1458043 - Key recovery using externalReg fails
with java null pointer exception on KRA (alee)
- Bugzilla Bug #1458379 - Upgrade script for keepAliveTimeout parameter
(edewata)
- Bugzilla Bug #1458429 - client-cert-import --ca-cert should
import CA cert with trust bits "CT,C,C" (edewata)
- ##########################################################################
- RHCS 9.2:
- ##########################################################################
- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)