[Pki-devel] [pki-devel][PATCH 0003] Added condition for checking instance id in kra commands

[Abhijeet Kasurde]

Hi All,

Please review this patch.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

From ebda787c714e950e682ef42177a18927b8398c1f Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Thu, 30 Jun 2016 15:18:24 +0530
Subject: [PATCH] Added condition for checking instance id in kra commands

Partially Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

Signed-off-by: Abhijeet Kasurde 
---
 base/server/python/pki/server/__init__.py | 28 
 base/server/python/pki/server/cli/kra.py  | 25 ++---
 2 files changed, 42 insertions(+), 11 deletions(-)

diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 454408f6ad54202a5a94809dede2a08e43078a3a..00c79c281a9e0598dd91239ba5a1ddcbb52150b4 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -32,6 +32,7 @@ import re
 import shutil
 import subprocess
 import tempfile
+import sys
 
 import pki
 import pki.nssdb
@@ -187,8 +188,9 @@ class PKISubsystem(object):
 nickname = cert['nickname']
 token = cert['token']
 
-if token and token.lower() in ['internal', 'internal key storage token']:
-token = None
+if token and token.lower() in ['internal',
+   'internal key storage token']:
+token = 'internal'
 
 nssdb_password = self.instance.get_token_password(token)
 
@@ -224,6 +226,10 @@ class PKISubsystem(object):
 
 subprocess.check_call(cmd)
 
+except subprocess.CalledProcessError as e:
+print("ERROR: Command '%s' exited with return "
+  "code %d" % (" ".join(cmd), e.returncode))
+sys.exit(e.returncode)
 finally:
 shutil.rmtree(tmpdir)
 
@@ -237,8 +243,9 @@ class PKISubsystem(object):
 nickname = cert['nickname']
 token = cert['token']
 
-if token and token.lower() in ['internal', 'internal key storage token']:
-token = None
+if token and token.lower() in ['internal',
+   'internal key storage token']:
+token = 'internal'
 
 nssdb_password = self.instance.get_token_password(token)
 
@@ -286,7 +293,10 @@ class PKISubsystem(object):
 ])
 
 subprocess.check_call(cmd)
-
+except subprocess.CalledProcessError as e:
+print("ERROR: Command '%s' exited with return "
+  "code %d" % (" ".join(cmd), e.returncode))
+sys.exit(e.returncode)
 finally:
 shutil.rmtree(tmpdir)
 
@@ -562,7 +572,8 @@ class PKIInstance(object):
 def get_token_password(self, token='internal'):
 
 # determine the password name for the token
-if token.lower() in ['internal', 'internal key storage token']:
+if token and token.lower() in ['internal',
+   'internal key storage token']:
 name = 'internal'
 
 else:
@@ -616,8 +627,9 @@ class PKIInstance(object):
 nickname = cert.nickname
 token = cert.token
 
-if token and token.lower() in ['internal', 'internal key storage token']:
-token = None
+if token and token.lower() in ['internal',
+   'internal key storage token']:
+token = 'internal'
 
 nssdb_password = self.get_token_password(token)
 
diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
index b4f0df43f39078618b58be74087b520c7d874b48..8f043276a453e9b364f2f7ace8fdf0e29c73fd38 100644
--- a/base/server/python/pki/server/cli/kra.py
+++ b/base/server/python/pki/server/cli/kra.py
@@ -132,9 +132,16 @@ class KRAClonePrepareCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print("ERROR: Invalid instance '%s' provided" % instance_name)
+sys.exit(1)
 instance.load()
 
 subsystem = instance.get_subsystem('kra')
+if not subsystem:
+print("ERROR: No KRA subsystem configured for '%s' "
+  "instance id" % instance_name)
+sys.exit(1)
 
 tmpdir = tempfile.mkdtemp()
 
@@ -142,7 +149,6 @@ class KRAClonePrepareCLI(pki.cli.CLI):
 pkcs12_password_file = os.path.join(tmpdir, 'pkcs12_password.txt')
 with open(pkcs12_password_file, 'w') as f:
 f.write(pkcs12_password)
-
 subsystem.export_system_cert(
 'subsystem', pkcs12_file, pkcs12_password_file, new_file=True)
 subsystem.export_system_cert(
@@ -235,12 +241,16 @@ class KRADBVLVFindCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PK

[Pki-devel] [PATCH 0004] Updated notification message for kra-db-vlv-del command

[Abhijeet Kasurde]

Hi All,

Please review this patch,

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

From 7016f3e893a613da9913e0b5c0af75b1c54b3a62 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Thu, 30 Jun 2016 16:53:36 +0530
Subject: [PATCH] Updated notification message for kra-db-vlv-del command

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

Signed-off-by: Abhijeet Kasurde 
---
 base/server/python/pki/server/cli/kra.py | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
index b4f0df43f39078618b58be74087b520c7d874b48..8fb073d62a9ff0b40823368fa8af8c3a161e7e62 100644
--- a/base/server/python/pki/server/cli/kra.py
+++ b/base/server/python/pki/server/cli/kra.py
@@ -448,10 +448,13 @@ class KRADBVLVDeleteCLI(pki.cli.CLI):
 def delete_vlv(self, instance, bind_dn, bind_password):
 subsystem = instance.get_subsystem('kra')
 if not subsystem:
+msg = "No KRA subsystem available. Skipping ..."
 if self.verbose:
-print('modify_kra_vlv: No KRA subsystem available.  '
-  'Skipping ...')
-return
+print('modify_kra_vlv: %s' % msg)
+else:
+print('ERROR: %s' % msg)
+return
+
 database = subsystem.config['internaldb.database']
 
 if self.out_file:
-- 
2.7.4

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing

[Endi Sukma Dewata]

On 6/22/2016 4:53 AM, Fraser Tweedale wrote:

The attached patch fixes https://fedorahosted.org/pki/ticket/2285.
See commit message and bz1323400[1] for full history and details.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1323400

The fix should be merged to master and DOGTAG_10_2_BRANCH, and a new
10.2.x release cut for f23.

I have an f23 COPR build containing the fix for anyone wishing to
test:
https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/packages/

Huge props to Adam Williamson for doing a lot of legwork in tracking
down the cause of this issue.

Thanks,
Fraser


ACK. When we have a proper database upgrade method we should consider 
converting this code into an upgrade script.


--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0125 AuthInfoAccess: use default OCSP URI if configured

[Endi Sukma Dewata]

On 6/27/2016 1:38 AM, Fraser Tweedale wrote:

Attached patch fixes https://fedorahosted.org/pki/ticket/2387
(wanted for 10.3.4).

Thanks,
Fraser


Just one thing, maybe we should add a blank pki_default_ocsp_uri under 
the [CA] section in the default.cfg so people knows about this parameter?


Regardless, it's ACKed.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0126 Respond 400 if lightweight CA cert issuance fails

[Endi Sukma Dewata]

On 6/27/2016 9:52 PM, Fraser Tweedale wrote:

The attached patch fixes https://fedorahosted.org/pki/ticket/2388.
Wanted for 10.3.4.

Thanks,
Fraser


Two things:

1. I don't think the patch author is correct :)

2. Existing issue, but while you're there could you chain the original 
exception to the ECAException?


Assuming they're addressed, ACK.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0127 Fix build on Fedora 25

[Endi Sukma Dewata]

On 6/28/2016 1:29 AM, Fraser Tweedale wrote:

The attached patch fixes build on Fedora 25 (JAX-RS API JAR had
moved).  It also removes a bunch of redundant find_file directives.
This can probably be done for many other JARs but I've kept it to
just the one for now.

No urgency to get this in.

Cheers,
Fraser


I suppose this is a fix for this ticket?
https://fedorahosted.org/pki/ticket/2373

If so please assign the ticket to yourself and add a reference to this 
ticket in the patch description.


The build still works on F23 & F24, so I think it's safe to push. ACK.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] pki-cfu-0144-Ticket-1306-config-params-Add-granularity-to-token-t.patch

[Christina Fu]

This patch is for https://fedorahosted.org/pki/ticket/1306 [RFE] Add 
granularity to token termination in TPS

It
1. adds the missing parameters
2. adds a table for revocation code

thanks,
Christina

>From 63a58cf51ef2982e8a35eff1f98dd42453e5681e Mon Sep 17 00:00:00 2001
From: Christina Fu 
Date: Thu, 30 Jun 2016 14:03:24 -0700
Subject: [PATCH] Ticket #1306 config params: Add granularity to token
 termination in TPS

This patch adds the missing configuration parameters that go with the
original bug.  The code would take on defaults when these parameters are
missing, but putting them in the CS.cfg would make it easier for the
administrators.
---
 base/tps/shared/conf/CS.cfg | 123 ++--
 1 file changed, 119 insertions(+), 4 deletions(-)

diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index 258d5a76c5ec8e392634f6075f32ae9baa68b290..4f2b3919cf73610ad1a8c8e8c1baf977fb117f6c 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -265,7 +265,20 @@ op.enroll._000=#
 op.enroll._001=# TPS Profiles
 op.enroll._002=#  - Operations
 op.enroll._003=#- operation; enroll,pinReset,format
-op.enroll._004=#
+op.enroll._004=#
+op.enroll._005=# Revocation Reasons (revokeCert.reason) according to RFC 5280
+op.enroll._006=# unspecified (0)
+op.enroll._007=# keyCompromise (1)
+op.enroll._008=# CACompromise (2)
+op.enroll._009=# affiliationChanged (3)
+op.enroll._010=# superseded (4)
+op.enroll._011=# cessationOfOperation (5)
+op.enroll._012=# certificateHold (6)
+op.enroll._013=# removeFromCRL (8)
+op.enroll._014=# privilegeWithdrawn (9)
+op.enroll._015=# AACompromise (10)
+op.enroll._016=#
+op.enroll._017=#
 op.enroll.delegateIEtoken._000=#
 op.enroll.delegateIEtoken._001=# Enrollment for externalReg 
 op.enroll.delegateIEtoken._002=# ID, Encryption
@@ -326,12 +339,23 @@ op.enroll.delegateIEtoken.keyGen.authentication.publicKeyNumber=7
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.revokeCert=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.revokeCert.reason=0
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.scheme=GenerateNewKey
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.holdRevocationUntilLastCredential=false
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.destroyed.revokeExpiredCerts=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert.reason=1
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.scheme=GenerateNewKey
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.holdRevocationUntilLastCredential=false
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.keyCompromise.revokeExpiredCerts=false
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.revokeCert=true
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.revokeCert.reason=1
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.scheme=GenerateNewKey
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.holdRevocationUntilLastCredential=false
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.terminated.revokeExpiredCerts=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert=false
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason=6
 op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.scheme=GenerateNewKey
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.holdRevocationUntilLastCredential=false
+op.enroll.delegateIEtoken.keyGen.authentication.recovery.onHold.revokeExpiredCerts=false
 op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.archive=false
 op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.drm.conn=kra1
 op.enroll.delegateIEtoken.keyGen.authentication.serverKeygen.enable=false
@@ -498,12 +522,23 @@ op.enroll.delegateISEtoken.keyGen.authentication.publicKeyNumber=7
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.revokeCert=false
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.revokeCert.reason=0
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.scheme=GenerateNewKey
+op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.holdRevocationUntilLastCredential=false
+op.enroll.delegateISEtoken.keyGen.authentication.recovery.destroyed.revokeExpiredCerts=false
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert=false
 op.enroll.delegateISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert.reason=1
 op.enroll.delegateISEtoke

Re: [Pki-devel] [PATCH] Separate PKI Instances versus Shared PKI Instances

[John Magne]

ACK

- Original Message -
From: "Matthew Harmsen" 
To: "pki-devel" 
Sent: Wednesday, June 29, 2016 7:57:34 PM
Subject: [Pki-devel] [PATCH] Separate PKI Instances versus Shared PKI   
Instances

Please review the attached patch which addresses the following ticket: 


* PKI TRAC Ticket #1607 - [MAN] man pkispawn has inadequate description for 
shared vs non shared tomcat instance installation 


This ticket adds text to the pkispawn.8 man page to more adequately describe 
the differences between 
separated PKI instances and shared PKI instances including increasing the 
verbosity of the two examples 
related to these two deployment alternatives. 

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [pki-devel] [PATCH] 0074-Add-ability-to-disallow-TPS-to-enroll-a-single-user-.patch

[John Magne]

Addressed cfu's concerns and pushed to master for cond ACK.

commit e326cd2f06bd651cdd87646eea94622e18cec28d

Closing tiecket #1664

- Original Message -
> From: "Christina Fu" 
> To: pki-devel@redhat.com
> Sent: Monday, June 27, 2016 2:25:33 PM
> Subject: Re: [Pki-devel] [pki-devel] [PATCH] 
> 0074-Add-ability-to-disallow-TPS-to-enroll-a-single-user-.patch
> 
> Just a few minor ones.
> 
> * configuration parameters referencing token existence in tokendb should use
> names begin with "tokendb". e.g.

Done: Changed the names of the params as suggested.

> tokendb.allowMultiActiveTokensPerUser.externalReg=false
> tokendb.allowMultiActiveTokensPerUser.nonExternalReg=false
> 
> * boolean allowMultiCerts -- I think the name is misleading. how about
> alowMultiTokens
> 
> * existing calls to tps.tdb.tdbHasActiveToken() need to be decided:
> e.g.

Both of these blocks of code I simply removed the action taken if the user has 
an active token,
since they can no longer get there.
The alternate case has been left untouched.

The second occurrence is not likely to even happen since the transitions allowed
will not usually allow to go from SUSPENDED to ACTIVE anyway. Case retained as
a fallback.


> 1. TPSEnrollProcessor.java search for tdbHasActiveToken (first occurrence) ,
> you will find that it is called with "TODO:" comment. I believe that whole
> try/catch with the tps.tdb.tdbHasActiveToken(userid); call can be removed
> since you already call that earlier in your patch
> 2. TPSEnrollProcessor.java, the 2nd occurrence is when the enrolling token is
> suspended. You need to look into what it is doing at the point and whether
> that check can also be eliminated.
> 
> thanks,
> Christina
> 
> On 06/24/2016 11:08 AM, John Magne wrote:
> 
> 
> 
> Add ability to disallow TPS to enroll a single user on multiple tokens.
> 
> This patch will install a check during the early portion of the
> enrollment
> process check a configurable policy whether or not a user should be
> allowed
> to have more that one active token.
> 
> This check will take place only for brand new tokens not seen before.
> The check will prevent the enrollment to proceed and will exit before the
> system
> has a chance to add this new token to the TPS tokendb.
> 
> The behavior will be configurable for the the external reg and not
> external reg scenarios
> as follows:
> 
> op.enroll.nonExternalReg.allowMultiActiveTokensUser=false
> op.enroll.externalReg.allowMultiActiveTokensUser=false
> 
> 
> ___
> Pki-devel mailing list Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
> 
> 
> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [pki-devel][PATCH] 0075-Generting-Symmetric-key-fails-with-key-generate-when.patch

[Matthew Harmsen]

On 06/24/2016 06:23 PM, John Magne wrote:

Generting Symmetric key fails with key-generate when --usages verify is passed
 
 Ticket #1114
 
 Minor adjustment to the man page for the key management commands to say

 which usages are appropriate for sym keys and those appropriate for asym 
keys.
 



___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

ACK
___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] pki-cfu-0144-Ticket-1306-config-params-Add-granularity-to-token-t.patch

[Christina Fu]

got verbal ack from Jack.
Pushed to master:
commit 63a58cf51ef2982e8a35eff1f98dd42453e5681e

thanks,
Christina

On 06/30/2016 02:11 PM, Christina Fu wrote:
This patch is for https://fedorahosted.org/pki/ticket/1306 [RFE] Add 
granularity to token termination in TPS

It
1. adds the missing parameters
2. adds a table for revocation code

thanks,
Christina



___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] Bug 1203407 - tomcatjss: missing ciphers

[Christina Fu]

The tomcatjss patch address:
*Bug 1203407*  
-tomcatjss: missing ciphers


2nd patch is the accompanying dogtag change to remove references to the 
unsupported ciphers.  There is no critical dependency of the new tomcatjss.


thanks,
Christina
diff -up src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java.cfu src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
--- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java.cfu	2016-06-30 15:52:40.536775347 -0600
+++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java	2016-06-30 15:54:40.636612569 -0600
@@ -96,8 +96,12 @@ public class JSSSocketFactory implements
 SSLSocket.SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA);
 cipherMap.put("SSL3_RSA_WITH_DES_CBC_SHA",
 SSLSocket.SSL3_RSA_WITH_DES_CBC_SHA);
+
 cipherMap.put("SSL3_RSA_WITH_3DES_EDE_CBC_SHA",
 SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA);
+// deprecated SSL3.0 names replaced by IANA-registered TLS names
+cipherMap.put("TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+SSLSocket.SSL3_RSA_WITH_3DES_EDE_CBC_SHA);
 
 cipherMap.put("SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
 SSLSocket.SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA);
@@ -116,14 +120,23 @@ public class JSSSocketFactory implements
 SSLSocket.SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA);
 cipherMap.put("SSL3_DHE_DSS_WITH_DES_CBC_SHA",
 SSLSocket.SSL3_DHE_DSS_WITH_DES_CBC_SHA);
+
 cipherMap.put("SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
 SSLSocket.SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA);
+// deprecated SSL3.0 names replaced by IANA-registered TLS names
+cipherMap.put("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
+SSLSocket.SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA);
+
 cipherMap.put("SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
 SSLSocket.SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA);
 cipherMap.put("SSL3_DHE_RSA_WITH_DES_CBC_SHA",
 SSLSocket.SSL3_DHE_RSA_WITH_DES_CBC_SHA);
+
 cipherMap.put("SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
 SSLSocket.SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA);
+// deprecated SSL3.0 names replaced by IANA-registered TLS names
+cipherMap.put("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
+SSLSocket.SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA);
 
 cipherMap.put("SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5",
 SSLSocket.SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5);
@@ -257,13 +270,21 @@ public class JSSSocketFactory implements
 SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256);
 cipherMap.put("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
 SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
-cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
-SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
 cipherMap.put("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
+/* unsupported by nss
+cipherMap.put("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
 cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
 SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256);
+*/
 
+cipherMap.put("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA);
+cipherMap.put("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
+SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA);
+cipherMap.put("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
+SSLSocket.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA);
 }
 
 private static HashMap eccCipherMap = new HashMap();
@@ -308,6 +329,10 @@ public class JSSSocketFactory implements
 "TLS_ECDH_RSA_WITH_NULL_SHA");
 eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_NULL_SHA,
 "TLS_ECDH_ECDSA_WITH_NULL_SHA");
+/* unsupported by nss
+eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256");
+*/
 }
 
 private AbstractEndpoint endpoint;
@@ -393,6 +418,7 @@ public class JSSSocketFactory implements
 + ": 0x" + Integer.toHexString(cipherid) + "\n");
 SSLSocket.setCipherPreferenceDefault(cipherid, state);
 } catch (Exception e) {
+System.err.println("SSLSocket.setCipherPreferenceDefault exception:" +e);
 if (eccCipherMap.containsKey(cipherid)) {
 System.err
 .println("Warning: SSL ECC cipher \""

From c0bf4a016709d000f81df2262cb73f2a660a2a42 Mon Sep 17 00:00:00 2001
From: Christina Fu 
Date: Thu, 30 Jun 2016 15:01:42 -0700
Subject: [PATCH] Bugzilla #1203407 tomcatjss: missing ciphers

This patch remove

Re: [Pki-devel] [PATCH] Bug 1203407 - tomcatjss: missing ciphers

[Christina Fu]

got verbal ack from Jack.

Pushed to master (the dogtag patch):
commit f0ad71e8a4fbae665a6b4875cce5b82895ad74f0

tomcatjss will be built in the next few days.

Christina


On 06/30/2016 03:04 PM, Christina Fu wrote:

The tomcatjss patch address:
*Bug 1203407*  
-tomcatjss: missing ciphers


2nd patch is the accompanying dogtag change to remove references to 
the unsupported ciphers.  There is no critical dependency of the new 
tomcatjss.


thanks,
Christina


___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [pki-devel][PATCH 0001] Added condition to verify instance id in db-schema-upgrade

[Endi Sukma Dewata]

On 6/29/2016 4:20 AM, Abhijeet Kasurde wrote:

Hi All,

Please review the patch.

--
Thanks,
Abhijeet Kasurde


Thanks! Pushed to master.


--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [pki-devel][PATCH 0002] Added fix for checking ldapmodify return code in db-schema-upgrade

[Endi Sukma Dewata]

On 6/29/2016 7:43 AM, Abhijeet Kasurde wrote:

Hi All,

Please review the patch.

--
Thanks,
Abhijeet Kasurde


Thanks! Pushed to master with some changes to handle all LDAP errors 
instead of some specific ones.


--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [pki-devel][PATCH 0003] Added condition for checking instance id in kra commands

[Endi Sukma Dewata]

On 6/30/2016 5:09 AM, Abhijeet Kasurde wrote:

Hi All,

Please review this patch.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde


Thanks! Pushed to master with some changes:

1. The original code was supposed to normalize the token name, so if 
it's 'internal' or 'Internal Key Storage Token' it will be normalized to 
None. If token name is None we don't add -h  when calling 
certutil since by default certutil will use internal token.


There's a bug in PKIInstance.get_token_password() though. If the caller 
specifies token parameter to be None explicitly, it won't get the 
default value of 'internal'. The method has been fixed to check for None 
value.


2. The code that catches CalledProcessError has been moved into the main 
program (i.e. pki-server) so similar errors will be handled more 
consistently.


3. Some error messages are changed for consistency.

--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH 0004] Updated notification message for kra-db-vlv-del command

[Endi Sukma Dewata]

On 6/30/2016 6:29 AM, Abhijeet Kasurde wrote:

Hi All,

Please review this patch,

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde


Thanks! Pushed to master with some changes to return error code 1 if the 
KRA is missing.


--
Endi S. Dewata

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0127 Fix build on Fedora 25

[Fraser Tweedale]

On Thu, Jun 30, 2016 at 11:21:12AM -0500, Endi Sukma Dewata wrote:
> On 6/28/2016 1:29 AM, Fraser Tweedale wrote:
> > The attached patch fixes build on Fedora 25 (JAX-RS API JAR had
> > moved).  It also removes a bunch of redundant find_file directives.
> > This can probably be done for many other JARs but I've kept it to
> > just the one for now.
> > 
> > No urgency to get this in.
> > 
> > Cheers,
> > Fraser
> 
> I suppose this is a fix for this ticket?
> https://fedorahosted.org/pki/ticket/2373
> 
> If so please assign the ticket to yourself and add a reference to this
> ticket in the patch description.
> 
> The build still works on F23 & F24, so I think it's safe to push. ACK.
> 
Thanks; I did not know about that ticket.

Added ticket reference to commit message and pushed to master
(3fdc686c9a4bab492d50cef707beef1f5f043153).

Cheers,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0126 Respond 400 if lightweight CA cert issuance fails

[Fraser Tweedale]

On Thu, Jun 30, 2016 at 10:49:12AM -0500, Endi Sukma Dewata wrote:
> On 6/27/2016 9:52 PM, Fraser Tweedale wrote:
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2388.
> > Wanted for 10.3.4.
> > 
> > Thanks,
> > Fraser
> 
> Two things:
> 
> 1. I don't think the patch author is correct :)
> 
Hah, yikes!  I think I accidentally squashed something and didn't
notice the author had changed after I fixed it up :)

> 2. Existing issue, but while you're there could you chain the original
> exception to the ECAException?
> 
Yep, done.  Pushed to master
(c7f9e6c4e0711dfafc81d201dcfadee3e0efa335)

Cheers,
Fraser

> Assuming they're addressed, ACK.
>

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0125 AuthInfoAccess: use default OCSP URI if configured

[Fraser Tweedale]

On Thu, Jun 30, 2016 at 10:30:53AM -0500, Endi Sukma Dewata wrote:
> On 6/27/2016 1:38 AM, Fraser Tweedale wrote:
> > Attached patch fixes https://fedorahosted.org/pki/ticket/2387
> > (wanted for 10.3.4).
> > 
> > Thanks,
> > Fraser
> 
> Just one thing, maybe we should add a blank pki_default_ocsp_uri under the
> [CA] section in the default.cfg so people knows about this parameter?
> 
> Regardless, it's ACKed.
> 
Thanks Endi.  I added the blank config to default.cfg along with
some commentary.  Pushed to master
(ca8edcd504ab81dbc30547c3c59a51fe98ff21cf).

Cheers,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing

[Fraser Tweedale]

On Thu, Jun 30, 2016 at 10:10:32AM -0500, Endi Sukma Dewata wrote:
> On 6/22/2016 4:53 AM, Fraser Tweedale wrote:
> > The attached patch fixes https://fedorahosted.org/pki/ticket/2285.
> > See commit message and bz1323400[1] for full history and details.
> > 
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1323400
> > 
> > The fix should be merged to master and DOGTAG_10_2_BRANCH, and a new
> > 10.2.x release cut for f23.
> > 
> > I have an f23 COPR build containing the fix for anyone wishing to
> > test:
> > https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/packages/
> > 
> > Huge props to Adam Williamson for doing a lot of legwork in tracking
> > down the cause of this issue.
> > 
> > Thanks,
> > Fraser
> 
> ACK. When we have a proper database upgrade method we should consider
> converting this code into an upgrade script.
> 
Thanks; pushed:

master  2dea243d51765e3a8f01f7680592143c842921ce
DOGTAG_10_2_BRANCH  c34d326712940524419d65c6cb6cc9653221362b
DOGTAG_10_2_6_BRANCHf0d036feb9604cc656b3b8ae46c822bec14e6ac8

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.

[Endi Sukma Dewata]

The pki-server ca-* commands have been modified to validate
the instance and the CA subsystem before proceeding with the
operation.

The usage() methods and invocations have been renamed into
print_help() for consistency.

https://fedorahosted.org/pki/ticket/2364

--
Endi S. Dewata
>From fce674b7e79065b582d631303ff9809065787a37 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 1 Jul 2016 03:26:23 +0200
Subject: [PATCH] Added instance and subsystem validation for pki-server ca-*
 commands.

The pki-server ca-* commands have been modified to validate
the instance and the CA subsystem before proceeding with the
operation.

The usage() methods and invocations have been renamed into
print_help() for consistency.

https://fedorahosted.org/pki/ticket/2364
---
 base/server/python/pki/server/cli/ca.py | 44 +++--
 1 file changed, 37 insertions(+), 7 deletions(-)

diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
index dbf8239f4f548714beb0c68d7bca2c84f6c0fb74..1d1c00f0f977d63066d68a9ae960aefcd183ad13 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -129,9 +129,16 @@ class CACertChainExportCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
+
 instance.load()
 
 subsystem = instance.get_subsystem('ca')
+if not subsystem:
+print('ERROR: No CA subsystem in instance %s.' % instance_name)
+sys.exit(1)
 
 tmpdir = tempfile.mkdtemp()
 
@@ -171,7 +178,7 @@ class CACertRequestFindCLI(pki.cli.CLI):
 super(CACertRequestFindCLI, self).__init__(
 'find', 'Find CA certificate requests')
 
-def usage(self):
+def print_help(self):
 print('Usage: pki-server ca-cert-request-find [OPTIONS]')
 print()
 print('  -i, --instance Instance ID (default: pki-tomcat).')
@@ -190,7 +197,7 @@ class CACertRequestFindCLI(pki.cli.CLI):
 
 except getopt.GetoptError as e:
 print('ERROR: ' + str(e))
-self.usage()
+self.print_help()
 sys.exit(1)
 
 instance_name = 'pki-tomcat'
@@ -216,13 +223,21 @@ class CACertRequestFindCLI(pki.cli.CLI):
 
 else:
 print('ERROR: unknown option ' + o)
-self.usage()
+self.print_help()
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
+
 instance.load()
 
 subsystem = instance.get_subsystem('ca')
+if not subsystem:
+print('ERROR: No CA subsystem in instance %s.' % instance_name)
+sys.exit(1)
+
 results = subsystem.find_cert_requests(cert=cert)
 
 self.print_message('%s entries matched' % len(results))
@@ -243,7 +258,7 @@ class CACertRequestShowCLI(pki.cli.CLI):
 super(CACertRequestShowCLI, self).__init__(
 'show', 'Show CA certificate request')
 
-def usage(self):
+def print_help(self):
 print('Usage: pki-server ca-cert-request-show  [OPTIONS]')
 print()
 print('  -i, --instance Instance ID (default: pki-tomcat).')
@@ -260,12 +275,12 @@ class CACertRequestShowCLI(pki.cli.CLI):
 
 except getopt.GetoptError as e:
 print('ERROR: ' + str(e))
-self.usage()
+self.print_help()
 sys.exit(1)
 
 if len(args) != 1:
 print('ERROR: missing request ID')
-self.usage()
+self.print_help()
 sys.exit(1)
 
 request_id = args[0]
@@ -288,13 +303,21 @@ class CACertRequestShowCLI(pki.cli.CLI):
 
 else:
 print('ERROR: unknown option ' + o)
-self.usage()
+self.print_help()
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
+
 instance.load()
 
 subsystem = instance.get_subsystem('ca')
+if not subsystem:
+print('ERROR: No CA subsystem in instance %s.' % instance_name)
+sys.exit(1)
+
 request = subsystem.get_cert_requests(request_id)
 
 if output_file:
@@ -384,9 +407,16 @@ class CAClonePrepareCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
+
 instance.load()
 
 subsystem = instance.get_subsystem('ca')
+if not subsystem:
+  

[Pki-devel] [PATCH] 782 Removed excessive error message in pki CLI.

[Endi Sukma Dewata]

A recent change in the pki CLI caused excessive error message in
normal usage. The change has been reverted.

https://fedorahosted.org/pki/ticket/2390

Pushed under one-liner/trivial rule.

--
Endi S. Dewata
>From 943e8231fc77ed0ccb6ed34b71817a6d3927d3e5 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Fri, 1 Jul 2016 03:54:58 +0200
Subject: [PATCH] Removed excessive error message in pki CLI.

A recent change in the pki CLI caused excessive error message in
normal usage. The change has been reverted.

https://fedorahosted.org/pki/ticket/2390
---
 base/java-tools/bin/pki | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/base/java-tools/bin/pki b/base/java-tools/bin/pki
index 6104a5f761a7c52039dbdf989ca59264aae2e49e..c1ba34ead0466e43e2376343de724a168b0c3cf1 100644
--- a/base/java-tools/bin/pki
+++ b/base/java-tools/bin/pki
@@ -261,6 +261,7 @@ if __name__ == '__main__':
 
 except subprocess.CalledProcessError as e:
 if cli.verbose:
+print('ERROR: %s' % e)
+elif cli.debug:
 traceback.print_exc()
-print('ERROR: %s' % e)
 sys.exit(e.returncode)
-- 
2.4.11

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 780 Fixed pki-server subsystem-cert-update.

[Fraser Tweedale]

On Wed, Jun 29, 2016 at 11:19:46AM -0500, Endi Sukma Dewata wrote:
> The pki-server subsystem-cert-update is supposed to restore the
> system certificate data and requests into CS.cfg. The command was
> broken since the CASubsystem class that contains the code to find
> the certificate requests from database was not loaded correctly.
> To fix the problem the CASubsystem class has been moved into the
> pki/server/__init__.py.
> 
> All pki-server subsystem-* commands have been modified to check
> the validity of the instance.
> 
> An option has been added to the pki-server subsystem-cert-show
> command to display the data and request of a particular system
> certificate.
> 
> The redundant output of the pki-server subsystem-cert-update has
> been removed. The updated certificate data and request can be
> obtained using the pki-server subsystem-cert-show command.
> 
> https://fedorahosted.org/pki/ticket/2385
> 
ACK; pushed to master (67bbdc5edd1404f89e638037599b4231f50490f8).

Thanks,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.

[Fraser Tweedale]

On Thu, Jun 30, 2016 at 08:38:57PM -0500, Endi Sukma Dewata wrote:
> The pki-server ca-* commands have been modified to validate
> the instance and the CA subsystem before proceeding with the
> operation.
> 
> The usage() methods and invocations have been renamed into
> print_help() for consistency.
> 
> https://fedorahosted.org/pki/ticket/2364
> 
> -- 
> Endi S. Dewata
>
ACK; pushed to master (f8310a4ff306d28cf25ec71693a2e89c5323564d).

There are still lots of pki-server commands that fail if invalid
subsystem given, e.g.:

# pki-server subsystem-cert-find kra

AttributeError: 'NoneType' object has no attribute 'find_system_certs'

But that can be addressed separately in future patch.

Thanks,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

Re: [Pki-devel] [PATCH] 781 Added instance and subsystem validation for pki-server ca-* commands.

[Abhijeet Kasurde]

Hi Fraser, All,

I am working on some of the error messages in pki-* , you can track this 
under this BZ - https://bugzilla.redhat.com/show_bug.cgi?id=1351295



On 07/01/2016 09:43 AM, Fraser Tweedale wrote:

On Thu, Jun 30, 2016 at 08:38:57PM -0500, Endi Sukma Dewata wrote:

The pki-server ca-* commands have been modified to validate
the instance and the CA subsystem before proceeding with the
operation.

The usage() methods and invocations have been renamed into
print_help() for consistency.

https://fedorahosted.org/pki/ticket/2364

--
Endi S. Dewata


ACK; pushed to master (f8310a4ff306d28cf25ec71693a2e89c5323564d).

There are still lots of pki-server commands that fail if invalid
subsystem given, e.g.:

 # pki-server subsystem-cert-find kra
 
 AttributeError: 'NoneType' object has no attribute 'find_system_certs'

But that can be addressed separately in future patch.

Thanks,
Fraser

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH 0005-0008] Misc. fixes for pki-server commands

[Abhijeet Kasurde]

Hi All,

Please review these patches.

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

From c97514152a50e34936a465963d41965a33caa2a7 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Fri, 1 Jul 2016 10:35:21 +0530
Subject: [PATCH 8/8] Updated notification message for TPS subsystem command

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

Signed-off-by: Abhijeet Kasurde 
---
 base/server/python/pki/server/cli/tps.py | 34 
 1 file changed, 26 insertions(+), 8 deletions(-)

diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py
index 63da3414ea2ac9caf5101ce3b51f198b42712eeb..1f71b8ece1431426d865d7e98fa87e5417beb36c 100644
--- a/base/server/python/pki/server/cli/tps.py
+++ b/base/server/python/pki/server/cli/tps.py
@@ -127,9 +127,15 @@ class TPSClonePrepareCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
 instance.load()
 
 subsystem = instance.get_subsystem('tps')
+if not subsystem:
+print("ERROR: No TPS subsystem in instance %s." % instance_name)
+sys.exit(1)
 
 tmpdir = tempfile.mkdtemp()
 
@@ -228,12 +234,15 @@ class TPSDBVLVFindCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
 instance.load()
 
 subsystem = instance.get_subsystem('tps')
-
 if not subsystem:
-raise Exception('Subsystem not found')
+print("ERROR: No TPS subsystem in instance %s." % instance_name)
+sys.exit(1)
 
 self.find_vlv(subsystem, bind_dn, bind_password)
 
@@ -340,12 +349,15 @@ class TPSDBVLVAddCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
 instance.load()
 
 subsystem = instance.get_subsystem('tps')
-
 if not subsystem:
-raise Exception('Subsystem not found')
+print("ERROR: No TPS subsystem in instance %s." % instance_name)
+sys.exit(1)
 
 if out_file:
 self.generate_ldif(subsystem, out_file)
@@ -450,12 +462,15 @@ class TPSDBVLVDeleteCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
 instance.load()
 
 subsystem = instance.get_subsystem('tps')
-
 if not subsystem:
-raise Exception('Subsystem not found')
+print("ERROR: No TPS subsystem in instance %s." % instance_name)
+sys.exit(1)
 
 if out_file:
 self.generate_ldif(subsystem, out_file)
@@ -582,12 +597,15 @@ class TPSDBVLVReindexCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
 instance.load()
 
 subsystem = instance.get_subsystem('tps')
-
 if not subsystem:
-raise Exception('Subsystem not found')
+print("ERROR: No TPS subsystem in instance %s." % instance_name)
+sys.exit(1)
 
 if out_file:
 self.generate_ldif(subsystem, out_file)
-- 
2.7.4

From d248b6c3abcac5be9bea9311741d493e20561b85 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Fri, 1 Jul 2016 10:31:32 +0530
Subject: [PATCH 7/8] Updated notification message for TKS subsystem command

Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

Signed-off-by: Abhijeet Kasurde 
---
 base/server/python/pki/server/cli/tks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py
index 0bcf748c3ca65980a888946d807536d62bfdf894..2c4157a03bc601c36141f67880fe7624aa1febee 100644
--- a/base/server/python/pki/server/cli/tks.py
+++ b/base/server/python/pki/server/cli/tks.py
@@ -118,9 +118,16 @@ class TKSClonePrepareCLI(pki.cli.CLI):
 sys.exit(1)
 
 instance = pki.server.PKIInstance(instance_name)
+if not instance.is_valid():
+print('ERROR: Invalid instance %s.' % instance_name)
+sys.exit(1)
+
 instance.load()
 
 subsystem = instance.get_subsystem('tks')
+if not subsystem:
+print("ERROR: No TKS su

[Pki-devel] Karma Request for Dogtag 10.2.6 on Fedora 23

[Matthew Harmsen]

The following bug has been addressed in Fedora 23:

 * Bugzilla Bug #1323400 - freeipa fails to start correctly after
   pki-core update on upgraded system
   

Please provide Karma for the following Fedora 23 build located in Bodhi at:

 * https://bodhi.fedoraproject.org/updates/FEDORA-2016-188c172b10
   pki-core-10.2.6-20.fc23

Thanks,
-- Matt

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel