[ol7_latest_archive] pki-tools-10.3.3-16.el7_3.x86_64

This package contains PKI executables that can be used to help make
Certificate System into a more complete and robust PKI solution.

This package is a part of the PKI Core used by the Certificate System.


==================================
||  ABOUT "CERTIFICATE SYSTEM"  ||
==================================

Certificate System (CS) is an enterprise software system designed
to manage enterprise Public Key Infrastructure (PKI) deployments.

PKI Core contains ALL top-level java-based Tomcat PKI components:

  * pki-symkey
  * pki-base
  * pki-base-python2 (alias for pki-base)
  * pki-base-python3
  * pki-base-java
  * pki-tools
  * pki-server
  * pki-ca
  * pki-kra
  * pki-ocsp
  * pki-tks
  * pki-tps
  * pki-javadoc

which comprise the following corresponding PKI subsystems:

  * Certificate Authority (CA)
  * Key Recovery Authority (KRA)
  * Online Certificate Status Protocol (OCSP) Manager
  * Token Key Service (TKS)
  * Token Processing Service (TPS)

Python clients need only install the pki-base package.  This
package contains the python REST client packages and the client
upgrade framework.

Java clients should install the pki-base-java package.  This package
contains the legacy and REST Java client packages.  These clients
should also consider installing the pki-tools package, which contain
native and Java-based PKI tools and utilities.

Certificate Server instances require the fundamental classes and
modules in pki-base and pki-base-java, as well as the utilities in
pki-tools.  The main server classes are in pki-server, with subsystem
specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc.

Finally, if Certificate System is being deployed as an individual or
set of standalone rather than embedded server(s)/service(s), it is
strongly recommended (though not explicitly required) to include at
least one PKI Theme package:

  * dogtag-pki-theme (Dogtag Certificate System deployments)
    * dogtag-pki-server-theme
  * redhat-pki-server-theme (Red Hat Certificate System deployments)
    * redhat-pki-server-theme
  * customized pki theme (Customized Certificate System deployments)
    * <customized>-pki-server-theme

  NOTE:  As a convenience for standalone deployments, top-level meta
         packages may be provided which bind a particular theme to
         these certificate server packages.

Changelog (Show File list) (Show related packages)

• Thu Dec 15 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-16

  - Separate original patches into RHEL and RHCS portions
  - ## RHEL 7.3.z Batch Update 2
  - Bugzilla Bug #1404176 - logging properties and man pages (edewata)
  - Bugzilla Bug #1405328 - TPS throws "err=6" when attempting to format and
    enroll G&D Cards (jmagne)
  - ## RHCS 9.1.z Batch Update 2
  - Bugzilla Bug #1395479 - TPS throws "err=6" when attempting to format and
    enroll G&D Cards (jmagne)
  - Bugzilla Bug #1404900 - RHCS logging properties (edewata)

• Tue Dec 13 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-15

  - ## RHEL 7.3.z Batch Update 2
  - Bugzilla Bug #1404173 - user-cert-add --serial CLI request to secure port
    with remote CA shows authentication failure (edewata)
  - Bugzilla Bug #1404175 -  pki ca-cert-request-submit fails presumably because
    of missing authentication even if it should not require any (edewata)
  - Bugzilla Bug #1404178 - Changes to target.agent.approve.list parameter is
    not reflected in the TPS Web UI [pki-base] (edewata)
  - Bugzilla Bug #1404172 - Unable to install subordinate CA with HSM in FIPS
    mode (edewata)
  - Bugzilla Bug #1403689 - pkispawn does not change default ecc key size from
    nistp256 when nistp384 is specified in spawn config (jmagne)
  - Bugzilla Bug #1404176 - logging properties and man pages (edewata)
  - ## RHCS 9.1.z Batch Update 2
  - Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is
    not reflected in the TPS Web UI [pki-tps] (edewata)
  - Bugzilla Bug #1391207 - Automatic recovery of encryption cert - CA and TPS
    tokendb shows different certificate status (cfu)
  - Bugzilla Bug #1395479 -  TPS throws "err=6" when attempting to format and
    enroll G&D Cards (jmagne)

• Tue Nov 08 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-14

  - Marked the following RHCS 9.1.z bug:
    Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel
    when TPS and TKS security db is on fips mode. (jmagne)
    as a duplicate of RHEL 7.3.z bug:
    Bugzilla Bug #1389757 - Problems with FIPS mode (edewata)
    and moved the patch from the RHCS 9.1.z bug to the RHEL 7.3.z bug.

• Thu Nov 03 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-13

  - ## RHEL 7.3.z Batch Update 1
  - Bugzilla Bug #1389757 - Problems with FIPS mode (edewata)
    (added KRA key recovery via CLI in FIPS mode)
  - ## RHCS 9.1.z Batch Update 1
  - Reverted patches associated with
    Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is
    not reflected in the TPS Web UI (edewata)

• Mon Oct 31 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-12

  - ## RHEL 7.3.z Batch Update 1
  - Bugzilla Bug #1390318 - CA EE: Submit caUserCert request without uid does
    not show proper error message (alee)
  - Bugzilla Bug #1390319 - Failed to start pki-tomcatd Service
    ("ipa-cacert-manage renew" failed?) (edewata)
  - Bugzilla Bug #1390320 - pkispawn fails as it is not able to find openssl as
    a dependency package (mharmsen)
  - Bugzilla Bug #1390321 - two-step externally-signed CA installation fails due
    to missing AuthorityID (ftweedal)
  - Bugzilla Bug #1390322 - Spurious host authority entries created (ftweedal)
  - Bugzilla Bug #1390324 - KRA installation failed against externally-signed CA
    with partial certificate chain (edewata)
  - Bugzilla Bug #1389757 - Problems with FIPS mode (edewata)
  - Bugzilla Bug #1390311 - Fix packaging duplicates of classes in multiple jar
    files (edewata)
  - Bugzilla Bug #1390325 - Typo in comment line of UserPwdDirAuthentication.java
    (edewata)
  - ## RHCS 9.1.z Batch Update 1
  - Bugzilla Bug #1248553 - TPS Enrollment always goes to "ca1" (cfu)
  - Bugzilla Bug #1274096 -  [BUG] Add ability to disallow TPS to enroll a
    single user on multiple tokens. (jmagne)
  - Bugzilla Bug #1379379 - Unable to read an encrypted email using renewed
    tokens (jmagne)
  - Bugzilla Bug #1379749 - Automatic recovery of encryption cert is not working
    when a token is physically damaged and a temporary token is issued (jmagne)
  - Bugzilla Bug #1381375 - Cert/Key recovery is successful when the cert serial
    number and key id on the ldap user mismatches
  - Bugzilla Bug #1381635 - Token format with external reg fails when
    op.format.externalRegAddToToken.revokeCert=true (cfu)
  - Bugzilla Bug #1382762 - PIN_RESET policy is not giving expected results when
    set on a token (jmagne)
  - Bugzilla Bug #1382862 - TPS token enrollment fails to setupSecureChannel
    when TPS and TKS security db is on fips mode. (jmagne)
  - Bugzilla Bug #1386257 - Changes to target.agent.approve.list parameter is
    not reflected in the TPS Web UI (edewata)

• Mon Oct 10 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-11

  - PKI TRAC Ticket #1527 - TPS Enrollment always goes to "ca1" (cfu)
  - PKI TRAC Ticket #1664 - [BUG] Add ability to disallow TPS to enroll a single
    user on multiple tokens. (jmagne)
  - PKI TRAC Ticket #2478 - pkispawn fails as it is not able to find openssl as a
    dependency package (mharmsen)
  - PKI TRAC Ticket #2483 - Unable to read an encrypted email using renewed
    tokens (jmagne)
  - PKI TRAC Ticket #2496 - Cert/Key recovery is successful when the cert serial
    number and key id on the ldap user mismatches (cfu)
  - PKI TRAC Ticket #2505 - Fix packaging duplicates of classes in multiple jar
    files (edewata)

• Fri Sep 09 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-10

  - Revert Patch:  PKI TRAC Ticket #2449 - Unable to create system certificates
    in different tokens (edewata)
  - Resolves:  rhbz #1374054 - ipa-replica-install fails setting up certificate
  - Restores:  rhbz #1319557 - pkispawn KRA instance is failing server
  - Removes from Errata:  rhbz #1372041 - Unable to create system certificates
    in different tokens

• Tue Sep 06 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-9

  - PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion
    (ftweedal)
  - PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
    (edewata)
  - PKI TRAC Ticket #2443 - Prevent deletion of host CA's keys if LWCA entry
    deleted (ftweedal)
  - PKI TRAC Ticket #2444 - Authority entry without entryUSN is skipped even if
    USN plugin enabled (ftweedal)
  - PKI TRAC Ticket #2446 - pkispawn: make subject_dn defaults unique per
    instance name (for shared HSM) (cfu)
  - PKI TRAC Ticket #2447 - CertRequestInfo has incorrect URLs (vakwetu)
  - PKI TRAC Ticket #2449 - Unable to create system certificates in different
    tokens (edewata)

• Mon Aug 29 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-8

  - PKI TRAC Ticket #1578 - Authentication Instance Id PinDirEnrollment with authType value as SslclientAuth is not working (jmagne)
  - PKI TRAC TIcket #2414 - pki pkcs12-cert-del shows a successfully deleted message when a wrong nickname is provided (gkapoor)
  - PKI TRAC Ticket #2423 - pki_ca_signing_token when not specified does not fallback to pki_token_name value (edewata)
  - PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements (akasurde) - ticket remains open
  - PKI TRAC Ticket #2439 - Outdated deployment descriptors in upgraded server(edewata)

• Tue Aug 23 2016 Dogtag Team <pki-devel@redhat.com> 10.3.3-7

  - PKI TRAC Ticket #690 - [MAN] pki-tools man pages (mharmsen)
    - CMCEnroll
  - PKI TRAC Ticket #833 - pki user-mod fullName="" gives an error message
    "PKIException: LDAP error (21): error result" (edewata)
  - PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade.
    (cheimes, edewata, mharmsen)
  - PKI TRAC Ticket #2432 - Kra-selftest behavior is not as expected (edewata)
  - PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
    (edewata, mharmsen)
  - PKI TRAC Ticket #2437 - TPS UI: while adding certs for users from TPSUI pem
    format with/without header works while pkcs7 with header is not allowed
    (edewata)
  - PKI TRAC Ticket #2440 - Optional CA signing CSR for migration (edewata)