.classpath

@@ -50,7 +50,6 @@
 	<classpathentry kind="lib" path="/usr/share/java/tomcat/catalina.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/commons-io.jar"/>
-	<classpathentry kind="lib" path="/usr/lib/java/nuxwdog.jar"/>
 	<classpathentry kind="lib" path="/usr/lib/java/jss4.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/tomcatjss.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-api.jar"/>
@@ -65,5 +64,6 @@
 	<classpathentry kind="lib" path="/usr/share/java/jackson-databind.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/jackson-core.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/resteasy/resteasy-jackson2-provider.jar"/>
+	<classpathentry kind="lib" path="/usr/share/java/slf4j/slf4j-simple.jar"/>
 	<classpathentry kind="output" path="build/classes"/>
 </classpath>

.copr/Makefile

+srpm:
+	dnf install -y git
+	./build.sh --with-timestamp --with-commit-id srpm
+	if [[ "${outdir}" != "" ]]; then \
+	    mv ${HOME}/build/pki/SRPMS/* ${outdir}; \
+	fi

.gitignore

@@ -7,3 +7,7 @@ MANIFEST
 __pycache__
 .pytest_cache/
 .idea/
+tests/artifacts/
+tests/tests.retry
+base/util/test/PKICertImport/dbs
+target/

.travis.yml

@@ -6,10 +6,10 @@ services:
 cache: pip
 
 env:
-  - BASE_IMAGE_VERSION=28 TASK="PKI"
-  - BASE_IMAGE_VERSION=28 TASK="IPA"
-  - BASE_IMAGE_VERSION=29 TASK="PKI"
-  - BASE_IMAGE_VERSION=29 TASK="IPA"
+  - IMAGE=fedora:29 TASK="PKI"
+  - IMAGE=fedora:29 TASK="IPA"
+  - IMAGE=fedora:30 TASK="PKI"
+  - IMAGE=fedora:30 TASK="IPA"
 
 before_install:
   - set -a && source travis/global_variables
@@ -50,6 +50,23 @@ script:
       docker exec -i ${CONTAINER} ${SCRIPTDIR}/ds-remove.sh
     fi
 
+matrix:
+  fast_finish: true
+  include:
+    - stage: rawhide
+      env: IMAGE=fedora:rawhide TASK="PKI"
+    - env: IMAGE=fedora:rawhide TASK="IPA"
+    # This is a dummy job to mark the build as finished, without waiting for rawhide jobs
+    - env: DUMMY_JOB=FOR_FAST_FINISH
+      before_install: true
+      install: true
+      script: true
+      after_script: true
+  allow_failures:
+    - stage: rawhide
+      env: IMAGE=fedora:rawhide TASK="PKI"
+    - env: IMAGE=fedora:rawhide TASK="IPA"
+
 after_script:
   - cat ${LOGS}
   - docker kill ${CONTAINER}

CMakeLists.txt

@@ -39,6 +39,10 @@ option(WITH_PYTHON3_DEFAULT "Build server and scripts with Python 3" OFF)
 
 set(APPLICATION_VERSION "${APPLICATION_VERSION_MAJOR}.${APPLICATION_VERSION_MINOR}.${APPLICATION_VERSION_PATCH}")
 
+if(WITH_TEST)
+    enable_testing()
+endif(WITH_TEST)
+
 # where to look first for cmake modules
 # (before ${CMAKE_ROOT}/Modules/ is checked)
 set(CMAKE_MODULE_PATH ${CMAKE_SOURCE_DIR}/cmake/Modules)

README.md

@@ -14,19 +14,9 @@ regulations defined at:
 
 http://www.dogtagpki.org/wiki/PKI_Download
 
-These directories contain the following:
-
-* CMakeLists.txt
-* LICENSE
-* cmake
-
-  These files and this directory contain
-  the top-level files necessary to integrate
-  the CMake build system in pki.
-
-* README.md
+## Content
 
-  This file.
+These directories contain the following:
 
 * base
 
@@ -37,11 +27,11 @@ These directories contain the following:
   components required to build a working
   Certificate System.
 
-* themes
+* cmake
 
-  Contains the scripts and user-interface
-  components to customize PKI web UI and
-  console.
+  These files and this directory contain
+  the top-level files necessary to integrate
+  the CMake build system in pki.
 
 * scripts
 
@@ -51,13 +41,21 @@ These directories contain the following:
   useful for building RPMS/SRPMS of the
   various certificate system components.
 
+* themes
+
+  Contains the scripts and user-interface
+  components to customize PKI web UI and
+  console.
+
 * tools
 
   Contains utilities useful to
   certificate system components.
 
-Detailed instructions for building, installing, and
-running this project are located at:
+## Development
+
+To build the project, see [Building PKI](docs/development/Building_PKI.md).
 
-http://www.dogtagpki.org/wiki/PKI_Main_Page
+## See Also
 
+* [Dogtag PKI](http://www.dogtagpki.org)

base/CMakeLists.txt

@@ -34,6 +34,14 @@ find_file(SLF4J_JDK14_JAR
         /usr/share/java
 )
 
+find_file(SLF4J_SIMPLE_JAR
+    NAMES
+        slf4j-simple.jar
+    PATHS
+        /usr/share/java/slf4j
+        /usr/share/java
+)
+
 find_file(COMMONS_CLI_JAR
     NAMES
         commons-cli.jar
@@ -183,14 +191,6 @@ find_file(LDAPJDK_JAR
         /usr/share/java
 )
 
-find_file(NUXWDOG_JAR
-    NAMES
-        nuxwdog.jar
-    PATHS
-        ${JAVA_LIB_INSTALL_DIR}
-        /usr/share/java
-)
-
 find_file(RESTEASY_JAXRS_JAR
     NAMES
         resteasy-jaxrs.jar

base/ca/setup/registry_instance

@@ -15,9 +15,6 @@ export PKI_INSTANCE_NAME
 PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
 export PKI_INSTANCE_PATH
 
-PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
-export PKI_INSTANCE_INITSCRIPT
-
 PKI_SERVER_XML_CONF=[PKI_SERVER_XML_CONF]
 export PKI_SERVER_XML_CONF
 
@@ -35,18 +32,6 @@ export TOMCAT_USER
 TOMCAT_GROUP=$PKI_GROUP
 export TOMCAT_GROUP
 
-PKI_LOCKDIR="/var/lock/pki/${PKI_SUBSYSTEM_TYPE}"
-export PKI_LOCKDIR
-
-PKI_LOCKFILE="${PKI_LOCKDIR}/${PKI_INSTANCE_NAME}"
-export PKI_LOCKFILE
-
-PKI_PIDDIR="/var/run/pki/${PKI_SUBSYSTEM_TYPE}"
-export PKI_PIDDIR
-
-PKI_PIDFILE="${PKI_PIDDIR}/${PKI_INSTANCE_NAME}.pid"
-export PKI_PIDFILE
-
 TOMCAT_LOCKFILE=/var/lock/subsys/${PKI_INSTANCE_NAME}
 export TOMCAT_LOCKFILE
 

base/ca/shared/conf/CS.cfg

@@ -799,12 +799,7 @@ dbs.replicaDN=ou=replica
 dbs.replicaRangeDN=ou=replica, ou=ranges
 dbs.ldap=internaldb
 dbs.newSchemaEntryAdded=true
-debug.append=true
-debug.enabled=true
-debug.filename=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/debug
-debug.hashkeytypes=
-debug.level=0
-debug.showcaller=false
+debug.level=10
 features.authority.description=Lightweight CAs
 features.authority.enabled=true
 features.authority.version=1.0
@@ -903,20 +898,21 @@ log.impl.file.class=com.netscape.cms.logging.RollingLogFile
 log.instance.SignedAudit._000=##
 log.instance.SignedAudit._001=## Signed Audit Logging
 log.instance.SignedAudit._002=##
-log.instance.SignedAudit._003=##
-log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION
-log.instance.SignedAudit._006=##
+log.instance.SignedAudit._003=## To list available audit events:
+log.instance.SignedAudit._004=## $ pki-server ca-audit-event-find
+log.instance.SignedAudit._005=##
+log.instance.SignedAudit._006=## To enable/disable audit event:
+log.instance.SignedAudit._007=## $ pki-server ca-audit-event-enable/disable <event name>
+log.instance.SignedAudit._008=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUDIT_LOG_SIGNING,AUDIT_LOG_STARTUP,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,KEY_GEN_ASYMMETRIC,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SCHEDULE_CRL_GENERATION,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
 log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
 log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
 log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
 log.instance.SignedAudit.filters.FULL_CRL_GENERATION=(Outcome=Failure)
 log.instance.SignedAudit.filters.OCSP_GENERATION=(Outcome=Failure)
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
-log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
 log.instance.SignedAudit.flushInterval=5
@@ -956,26 +952,26 @@ log.instance.Transactions.rolloverInterval=2592000
 log.instance.Transactions.type=transaction
 logAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/access
 logError.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/error
-oidmap.auth_info_access.class=netscape.security.extensions.AuthInfoAccessExtension
+oidmap.auth_info_access.class=org.mozilla.jss.netscape.security.extensions.AuthInfoAccessExtension
 oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
 oidmap.challenge_password.class=com.netscape.cms.servlet.cert.scep.ChallengePassword
 oidmap.challenge_password.oid=1.2.840.113549.1.9.7
-oidmap.extended_key_usage.class=netscape.security.extensions.ExtendedKeyUsageExtension
+oidmap.extended_key_usage.class=org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension
 oidmap.extended_key_usage.oid=2.5.29.37
 oidmap.extensions_requested_pkcs9.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
 oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
 oidmap.extensions_requested_vsgn.class=com.netscape.cms.servlet.cert.scep.ExtensionsRequested
 oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
-oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
+oidmap.netscape_comment.class=org.mozilla.jss.netscape.security.x509.NSCCommentExtension
 oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
-oidmap.ocsp_no_check.class=netscape.security.extensions.OCSPNoCheckExtension
+oidmap.ocsp_no_check.class=org.mozilla.jss.netscape.security.extensions.OCSPNoCheckExtension
 oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5
-oidmap.pse.class=netscape.security.extensions.PresenceServerExtension
+oidmap.pse.class=org.mozilla.jss.netscape.security.extensions.PresenceServerExtension
 oidmap.pse.oid=2.16.840.1.113730.1.18
-oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
+oidmap.subject_info_access.class=org.mozilla.jss.netscape.security.extensions.SubjectInfoAccessExtension
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
-profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSelfSignedCert,caECFullCMCSelfSignedCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl
@@ -1050,10 +1046,10 @@ profile.caFullCMCUserSignedCert.class_id=caEnrollImpl
 profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg
 profile.caECFullCMCUserSignedCert.class_id=caEnrollImpl
 profile.caECFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCUserSignedCert.cfg
-profile.caFullCMCSelfSignedCert.class_id=caEnrollImpl
-profile.caFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSelfSignedCert.cfg
-profile.caECFullCMCSelfSignedCert.class_id=caEnrollImpl
-profile.caECFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCSelfSignedCert.cfg
+profile.caFullCMCSharedTokenCert.class_id=caEnrollImpl
+profile.caFullCMCSharedTokenCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSharedTokenCert.cfg
+profile.caECFullCMCSharedTokenCert.class_id=caEnrollImpl
+profile.caECFullCMCSharedTokenCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCSharedTokenCert.cfg
 profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
 profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg
 profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl

base/ca/shared/conf/registry.cfg

 types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSharedTokenSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
 constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
 constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
 constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
@@ -36,9 +36,9 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
 constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint
 constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint
 constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint
-constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint
-constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint
-constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint
+constraintPolicy.cmcSharedTokenSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSharedTokenSubjectNameConstraint
+constraintPolicy.cmcSharedTokenSubjectNameConstraintImpl.desc=CMC Shared Token request User Subject Name Constraint
+constraintPolicy.cmcSharedTokenSubjectNameConstraintImpl.name=CMC Shared Token request User Subject Name Constraint
 constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint
 constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint
 constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint

base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg → base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg

-desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request
+desc=This certificate profile is for enrolling user certificates with ECC keys by using the CMC Shared Token certificate request
 enable=false
 enableBy=admin
-name=Self-Signed CMC User Certificate Enrollment
+name=CMC Shared Token User Certificate Enrollment
 visible=false
 auth.instance_id=CMCUserSignedAuth
 input.list=i1
@@ -10,8 +10,8 @@ output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
 policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
-policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
-policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.class_id=cmcSharedTokenSubjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=CMC Shared Token Subject Name Constraint
 policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
 policyset.cmcUserCertSet.1.default.name=Subject Name Default
 policyset.cmcUserCertSet.1.default.params.name=

base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg → base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg

-desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request
+desc=This certificate profile is for enrolling user certificates by using the CMC Shared Token certificate request
 enable=false
 enableBy=admin
-name=Self-Signed CMC User Certificate Enrollment
+name=CMC Shared Token User Certificate Enrollment
 visible=false
 auth.instance_id=CMCUserSignedAuth
 input.list=i1
@@ -10,8 +10,8 @@ output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=cmcUserCertSet
 policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
-policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
-policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.class_id=cmcSharedTokenSubjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=CMC Shared Token Subject Name Constraint
 policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
 policyset.cmcUserCertSet.1.default.name=Subject Name Default
 policyset.cmcUserCertSet.1.default.params.name=

base/ca/shared/webapps/ca/WEB-INF/web.xml

@@ -2622,16 +2622,6 @@
       <url-pattern>   /ee/ca/pkiclient </url-pattern>
    </servlet-mapping>
 
-   <!-- ==================== Default Session Configuration =============== -->
-   <!-- You can set the default session timeout (in minutes) for all newly -->
-   <!-- created sessions by modifying the value below.                     -->
-   <!--                                                                    -->
-   <!-- To disable session timeouts for this instance, set a value of -1.  -->
-
-   <session-config>
-        <session-timeout>30</session-timeout>
-   </session-config>
-
     <security-constraint>
         <web-resource-collection>
             <web-resource-name>Account Services</web-resource-name>

base/ca/shared/webapps/ca/services.template

@@ -103,28 +103,20 @@ Certificate System CA Services Page
 <td>&nbsp;</td>
 <td>&nbsp;</td>
 </tr>
-<script language=javascript>
-
-for (var i=0; i<result.recordSet.length; ++i) {
-    document.write('<tr valign="TOP">');
-    document.write('<td>');
-    document.write('<td>');
-    document.write('<font size=4 face="PrimaSans BT, Verdana, sans-serif">');
-    document.write('<li><a href="');
-    document.write(result.recordSet[i].prefix + "://" +
-      result.recordSet[i].host + ":" + result.recordSet[i].port + "/"+
-      result.recordSet[i].uri);
-    if (result.recordSet[i].type == "admin") {
-        document.write('">Admin Services</a></font>');
-    } else if (result.recordSet[i].type == "agent") {
-        document.write('">Agent Services</a></font>');
-    } else if (result.recordSet[i].type == "ee") {
-        document.write('">SSL End Users Services</a></font>');
-    }
-
-    document.write('</font></td></tr>');
-}
-</script>
+<tr valign="TOP">
+<td>
+<td>
+<li><font size=4 face="PrimaSans BT, Verdana, sans-serif"><a href="ee/ca">SSL End Users Services</a></font>
+</font>
+</td>
+</tr>
+<tr valign="TOP">
+<td>
+<td>
+<li><font size=4 face="PrimaSans BT, Verdana, sans-serif"><a href="agent/ca">Agent Services</a></font>
+</font>
+</td>
+</tr>
 <tr valign="TOP">
 <td>&nbsp;</td>
 <td>&nbsp;</td>

base/ca/src/com/netscape/ca/AuthorityMonitor.java

+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2019 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.ca;
+
+import java.util.Arrays;
+
+import com.netscape.certsrv.ca.AuthorityID;
+import com.netscape.certsrv.ca.ECAException;
+import com.netscape.certsrv.ldap.ELdapException;
+import com.netscape.cmsutil.ldap.LDAPUtil;
+
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPSearchConstraints;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.controls.LDAPEntryChangeControl;
+import netscape.ldap.controls.LDAPPersistSearchControl;
+import netscape.ldap.util.DN;
+
+public class AuthorityMonitor implements Runnable {
+
+    public final static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(AuthorityMonitor.class);
+
+    private CertificateAuthority certificateAuthority;
+    private boolean running = true;
+
+    /**
+     * @param certificateAuthority
+     */
+    AuthorityMonitor(CertificateAuthority certificateAuthority) {
+        this.certificateAuthority = certificateAuthority;
+    }
+
+    public void run() {
+
+        int op = LDAPPersistSearchControl.ADD
+            | LDAPPersistSearchControl.MODIFY
+            | LDAPPersistSearchControl.DELETE
+            | LDAPPersistSearchControl.MODDN;
+
+        LDAPPersistSearchControl persistCtrl =
+            new LDAPPersistSearchControl(op, false, true, true);
+
+        String lwcaContainerDNString = this.certificateAuthority.authorityBaseDN();
+        DN lwcaContainerDN = new DN(lwcaContainerDNString);
+
+        logger.debug("AuthorityMonitor: starting.");
+
+        while (!CertificateAuthority.stopped) {
+
+            LDAPConnection conn = null;
+
+            try {
+                conn = CertificateAuthority.dbFactory.getConn();
+                LDAPSearchConstraints cons = conn.getSearchConstraints();
+                cons.setServerControls(persistCtrl);
+                cons.setBatchSize(1);
+                cons.setServerTimeLimit(0 /* seconds */);
+                String[] attrs = {"*", "entryUSN", "nsUniqueId", "numSubordinates"};
+
+                LDAPSearchResults results = conn.search(
+                    lwcaContainerDNString, LDAPConnection.SCOPE_SUB,
+                    "(objectclass=*)", attrs, false, cons);
+
+                /* Wait until the last possible moment before taking
+                 * the load lock so that we can continue to service
+                 * requests while LDAP is down.
+                 */
+                this.certificateAuthority.lwcaLoader.startLoading();
+
+                while (!CertificateAuthority.stopped && results.hasMoreElements()) {
+
+                    LDAPEntry entry = results.next();
+                    DN entryDN = new DN(entry.getDN());
+
+                    if (entryDN.countRDNs() == lwcaContainerDN.countRDNs()) {
+                        /* This must be the base entry of the search, i.e. the
+                         * LWCA container.  Read numSubordinates to get the
+                         * expected number of LWCA entries to read.
+                         *
+                         * numSubordinates is not reliable; it may be too high
+                         * due to objects we cannot see (e.g. replication
+                         * conflict entries).  In that case AsyncLoader has a
+                         * watchdog timer to interrupt waiting threads after it
+                         * times out.
+                         */
+                        this.certificateAuthority.lwcaLoader.setNumItems(new Integer(
+                            entry.getAttribute("numSubordinates")
+                                .getStringValueArray()[0]));
+                        continue;
+                    }
+
+                    if (entryDN.countRDNs() > lwcaContainerDN.countRDNs() + 1) {
+                        /* This entry is unexpectedly deep.  We ignore it.
+                         * numSubordinates only counts immediate subordinates
+                         * (https://tools.ietf.org/html/draft-boreham-numsubordinates-01)
+                         * so don't increment() the AsyncLoader.
+                         */
+                        continue;
+                    }
+
+                    /* This entry is at the expected depth.  Is it a LWCA entry? */
+                    String[] objectClasses =
+                        entry.getAttribute("objectClass").getStringValueArray();
+
+                    if (!Arrays.asList(objectClasses).contains("authority")) {
+                        /* It is not a LWCA entry; ignore it.  But it does
+                         * contribute to numSubordinates so increment the loader. */
+                        this.certificateAuthority.lwcaLoader.increment();
+                        continue;
+                    }
+
+                    LDAPEntryChangeControl changeControl = (LDAPEntryChangeControl)
+                        LDAPUtil.getControl(
+                            LDAPEntryChangeControl.class, results.getResponseControls());
+
+                    logger.debug("AuthorityMonitor: Processed change controls.");
+
+                    if (changeControl != null) {
+
+                        int changeType = changeControl.getChangeType();
+
+                        switch (changeType) {
+                        case LDAPPersistSearchControl.ADD:
+                            logger.debug("AuthorityMonitor: ADD");
+                            this.certificateAuthority.readAuthority(entry);
+                            break;
+                        case LDAPPersistSearchControl.DELETE:
+                            logger.debug("AuthorityMonitor: DELETE");
+                            handleDELETE(entry);
+                            break;
+                        case LDAPPersistSearchControl.MODIFY:
+                            logger.debug("AuthorityMonitor: MODIFY");
+                            // TODO how do we handle authorityID change?
+                            this.certificateAuthority.readAuthority(entry);
+                            break;
+                        case LDAPPersistSearchControl.MODDN:
+                            logger.debug("AuthorityMonitor: MODDN");
+                            handleMODDN(new DN(changeControl.getPreviousDN()), entry);
+                            break;
+                        default:
+                            logger.debug("AuthorityMonitor: unknown change type: " + changeType);
+                            break;
+                        }
+
+                    } else {
+                        logger.debug("AuthorityMonitor: immediate result");
+                        this.certificateAuthority.readAuthority(entry);
+                        this.certificateAuthority.lwcaLoader.increment();
+                    }
+                }
+
+            } catch (ELdapException e) {
+
+                logger.warn("AuthorityMonitor: Failed to get LDAPConnection: " + e.getMessage(), e);
+                logger.warn("AuthorityMonitor: Retrying in 1 second.");
+
+                try {
+                    Thread.sleep(1000);
+                } catch (InterruptedException ex) {
+                    Thread.currentThread().interrupt();
+                }
+
+            } catch (LDAPException e) {
+
+                if (running) {
+                    logger.warn("AuthorityMonitor: Failed to execute LDAP search for lightweight CAs: " + e, e);
+                } else {
+                    logger.info("AuthorityMonitor: Shutting down: " + e.getMessage());
+                }
+
+            } finally {
+                try {
+                    CertificateAuthority.dbFactory.returnConn(conn);
+                } catch (Exception e) {
+                    logger.warn("AuthorityMonitor: Error releasing the LDAPConnection" + e.getMessage(), e);
+                }
+            }
+        }
+
+        logger.debug("AuthorityMonitor: stopping.");
+    }
+
+    private synchronized void handleMODDN(DN oldDN, LDAPEntry entry) {
+
+        DN authorityBase = new DN(this.certificateAuthority.authorityBaseDN());
+
+        boolean wasMonitored = oldDN.isDescendantOf(authorityBase);
+        boolean isMonitored = (new DN(entry.getDN())).isDescendantOf(authorityBase);
+
+        if (wasMonitored && !isMonitored) {
+            LDAPAttribute attr = entry.getAttribute("authorityID");
+            if (attr != null) {
+                AuthorityID aid = new AuthorityID(attr.getStringValueArray()[0]);
+                this.certificateAuthority.forgetAuthority(aid);
+            }
+
+        } else if (!wasMonitored && isMonitored) {
+            this.certificateAuthority.readAuthority(entry);
+        }
+    }
+
+    private synchronized void handleDELETE(LDAPEntry entry) {
+
+        LDAPAttribute attr = entry.getAttribute("nsUniqueId");
+        String nsUniqueId = null;
+
+        if (attr != null)
+            nsUniqueId = attr.getStringValueArray()[0];
+
+        if (CertificateAuthority.deletedNsUniqueIds.remove(nsUniqueId)) {
+            logger.debug("handleDELETE: delete was already effected");
+            return;
+        }
+
+        AuthorityID aid = null;
+        attr = entry.getAttribute("authorityID");
+
+        if (attr != null) {
+
+            aid = new AuthorityID(attr.getStringValueArray()[0]);
+            CertificateAuthority ca = (CertificateAuthority) this.certificateAuthority.getCA(aid);
+
+            if (ca == null)
+                return;  // shouldn't happen
+
+            try {
+                ca.deleteAuthorityNSSDB();
+            } catch (ECAException e) {
+                // log and carry on
+                logger.warn("Caught exception attempting to delete NSSDB material "
+                    + "for authority '" + aid + "': " + e.getMessage(), e);
+            }
+
+            this.certificateAuthority.forgetAuthority(aid);
+        }
+    }
+
+    public void shutdown() {
+        running = false;
+    }
+}

base/ca/src/com/netscape/ca/CMSCRLExtensions.java

@@ -25,7 +25,21 @@ import java.util.Map;
 import java.util.StringTokenizer;
 import java.util.Vector;
 
-import com.netscape.certsrv.apps.CMS;
+import org.mozilla.jss.netscape.security.extensions.AuthInfoAccessExtension;
+import org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension;
+import org.mozilla.jss.netscape.security.x509.CRLExtensions;
+import org.mozilla.jss.netscape.security.x509.CRLNumberExtension;
+import org.mozilla.jss.netscape.security.x509.CRLReasonExtension;
+import org.mozilla.jss.netscape.security.x509.DeltaCRLIndicatorExtension;
+import org.mozilla.jss.netscape.security.x509.Extension;
+import org.mozilla.jss.netscape.security.x509.FreshestCRLExtension;
+import org.mozilla.jss.netscape.security.x509.HoldInstructionExtension;
+import org.mozilla.jss.netscape.security.x509.InvalidityDateExtension;
+import org.mozilla.jss.netscape.security.x509.IssuerAlternativeNameExtension;
+import org.mozilla.jss.netscape.security.x509.IssuingDistributionPointExtension;
+import org.mozilla.jss.netscape.security.x509.OIDMap;
+import org.mozilla.jss.netscape.security.x509.PKIXExtensions;
+
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotDefined;
 import com.netscape.certsrv.base.EPropertyNotFound;
@@ -39,24 +53,13 @@ import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.crl.CMSIssuingDistributionPointExtension;
 import com.netscape.cms.logging.Logger;
-import com.netscape.cmscore.base.SubsystemRegistry;
-
-import netscape.security.extensions.AuthInfoAccessExtension;
-import netscape.security.x509.AuthorityKeyIdentifierExtension;
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLNumberExtension;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.DeltaCRLIndicatorExtension;
-import netscape.security.x509.Extension;
-import netscape.security.x509.FreshestCRLExtension;
-import netscape.security.x509.HoldInstructionExtension;
-import netscape.security.x509.InvalidityDateExtension;
-import netscape.security.x509.IssuerAlternativeNameExtension;
-import netscape.security.x509.IssuingDistributionPointExtension;
-import netscape.security.x509.OIDMap;
-import netscape.security.x509.PKIXExtensions;
+import com.netscape.cmscore.apps.CMS;
+import com.netscape.cmscore.apps.CMSEngine;
 
 public class CMSCRLExtensions implements ICMSCRLExtensions {
+
+    public static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(CMSCRLExtensions.class);
+
     public static final String PROP_ENABLE = "enable";
     public static final String PROP_EXTENSION = "extension";
     public static final String PROP_CLASS = "class";
@@ -195,12 +198,12 @@ public class CMSCRLExtensions implements ICMSCRLExtensions {
     public CMSCRLExtensions(ICRLIssuingPoint crlIssuingPoint, IConfigStore config) {
         boolean modifiedConfig = false;
 
+        CMSEngine engine = CMS.getCMSEngine();
         mConfig = config;
         mCRLExtConfig = config.getSubStore(PROP_EXTENSION);
         mCRLIssuingPoint = crlIssuingPoint;
 
-        IConfigStore mFileConfig =
-                SubsystemRegistry.getInstance().get("MAIN").getConfigStore();
+        IConfigStore mFileConfig = engine.getConfigStore();
 
         IConfigStore crlExtConfig = mFileConfig;
         StringTokenizer st = new StringTokenizer(mCRLExtConfig.getName(), ".");
@@ -575,7 +578,9 @@ public class CMSCRLExtensions implements ICMSCRLExtensions {
     }
 
     public void setConfigParams(String id, NameValuePairs nvp, IConfigStore config) {
-        ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+
+        CMSEngine engine = CMS.getCMSEngine();
+        ICertificateAuthority ca = (ICertificateAuthority) engine.getSubsystem(ICertificateAuthority.ID);
         String ipId = nvp.get("id");
 
         ICRLIssuingPoint ip = null;
@@ -630,7 +635,7 @@ public class CMSCRLExtensions implements ICMSCRLExtensions {
                             cmsCRLExtensions.isCRLExtensionEnabled(IssuingDistributionPointExtension.NAME);
                 }
 
-                CMS.debug("issuingDistPointExtEnabled = " + issuingDistPointExtEnabled);
+                logger.debug("issuingDistPointExtEnabled = " + issuingDistPointExtEnabled);
 
                 if (!(value.equals(Constants.TRUE) || value.equals(Constants.FALSE))) {
                     continue;
@@ -639,7 +644,7 @@ public class CMSCRLExtensions implements ICMSCRLExtensions {
                 //Get value of caCertsOnly from CRLIssuingPoint
                 if ((ip != null) && (issuingDistPointExtEnabled == true)) {
                     crlCACertsOnly = ip.isCACertsOnly();
-                    CMS.debug("CRLCACertsOnly is: " + crlCACertsOnly);
+                    logger.debug("CRLCACertsOnly is: " + crlCACertsOnly);
                     crlIssuingPointPairs = new NameValuePairs();
 
                 }
@@ -649,7 +654,7 @@ public class CMSCRLExtensions implements ICMSCRLExtensions {
                 //If the CRLCACertsOnly prop is false change it to true to sync.
                 if (value.equals(Constants.TRUE) && (issuingDistPointExtEnabled == true)) {
                     if (crlCACertsOnly == false) {
-                        CMS.debug(" value = true and CRLCACertsOnly is already false.");
+                        logger.debug(" value = true and CRLCACertsOnly is already false.");
                         crlIssuingPointPairs.put(Constants.PR_CA_CERTS_ONLY, Constants.TRUE);
                         newValue = Constants.TRUE;
                         ip.updateConfig(crlIssuingPointPairs);
@@ -669,7 +674,7 @@ public class CMSCRLExtensions implements ICMSCRLExtensions {
 
                 if (modifiedCRLConfig == true) {
                     //Commit to this CRL IssuingPoint's config store
-                    ICertificateAuthority CA = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA);
+                    ICertificateAuthority CA = (ICertificateAuthority) engine.getSubsystem(ICertificateAuthority.ID);
                     IConfigStore crlsSubStore = CA.getConfigStore();
                     crlsSubStore = crlsSubStore.getSubStore(ICertificateAuthority.PROP_CRL_SUBSTORE);
                     crlsSubStore = crlsSubStore.getSubStore(ipId);

base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java

@@ -25,14 +25,15 @@ import java.util.Stack;
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
-
-import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.IConfigStore;
 
 
 public class ExternalProcessKeyRetriever implements KeyRetriever {
+
+    public static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(ExternalProcessKeyRetriever.class);
+
     protected String executable;
 
     public ExternalProcessKeyRetriever(IConfigStore config) {
@@ -49,7 +50,7 @@ public class ExternalProcessKeyRetriever implements KeyRetriever {
     }
 
     public Result retrieveKey(String nickname, Collection<String> hostPorts) {
-        CMS.debug("Running ExternalProcessKeyRetriever");
+        logger.debug("Running ExternalProcessKeyRetriever");
 
         Stack<String> command = new Stack<>();
         command.push(this.executable);
@@ -58,8 +59,9 @@ public class ExternalProcessKeyRetriever implements KeyRetriever {
         for (String hostPort : hostPorts) {
             String host = hostPort.split(":")[0];
             command.push(host);
-            CMS.debug("About to execute command: " + command);
-            ProcessBuilder pb = new ProcessBuilder(command);
+            logger.debug("About to execute command: " + command);
+            ProcessBuilder pb = new ProcessBuilder(command)
+                .redirectError(ProcessBuilder.Redirect.INHERIT);
             try {
                 Process p = pb.start();
                 int exitValue = p.waitFor();
@@ -67,12 +69,12 @@ public class ExternalProcessKeyRetriever implements KeyRetriever {
                     continue;
                 return parseResult(p.getInputStream());
             } catch (Throwable e) {
-                CMS.debug("Caught exception while executing command: " + e);
+                logger.warn("Caught exception while executing command: " + e.getMessage(), e);
             } finally {
                 command.pop();
             }
         }
-        CMS.debug("Failed to retrieve key from any host.");
+        logger.error("Failed to retrieve key from any host.");
         return null;
     }