Features/DogtagCertificateSystem

From FedoraProject

Revision as of 17:19, 26 January 2010


Dogtag Certificate System

Summary

Dogtag Certificate System is an enterprise-class open source Certificate Authority (CA) supporting all aspects of certificate lifecycle management including key archival, OCSP and smartcard management.

Owner

Current status

  • Targeted release: Fedora 13
  • Last updated: 01-22-2010
  • Percentage of completion: 98%

Detailed Description

Details can be found here.

Benefit to Fedora

This is an all-new feature: a full-featured open source PKI comprising 6 major subsystems (25 packages):

  • Certificate Authority (CA)
  • Data Recovery Manager (DRM)
  • OCSP Manager (OCSP)
  • Registration Authority (RA)
  • Token Key Service (TKS)
  • Token Processing System (TPS)

Package List:

  • tomcatjss
  • osutil (x86, x86_64, ppc, ppc64)
  • pki-symkey (x86, x86_64, ppc, ppc64)
  • pki-native-tools (x86, x86_64, ppc, ppc64)
  • pki-util
    • pki-util-javadoc
  • pki-java-tools
    • pki-java-tools-javadoc
  • pki-selinux
  • pki-setup
  • dogtag-pki-common-ui
  • pki-common
    • pki-common-javadoc
  • pki-silent
  • dogtag-pki-ca-ui
  • pki-ca
  • dogtag-pki-kra-ui
  • pki-kra
  • dogtag-pki-ocsp-ui
  • pki-ocsp
  • dogtag-pki-tks-ui
  • pki-tks
  • dogtag-pki-ra-ui
  • pki-ra
  • dogtag-pki-tps-ui
  • pki-tps (x86, x86_64, ppc, ppc64)
    • pki-tps-devel
  • dogtag-pki-console-ui
  • pki-console

Scope

  • Code complete. Awaiting Package Review and fedora-cvs approval on the following four remaining packages:
    • pki-console
    • pki-ra
    • pki-tps
    • pki-symkey

How To Test

Hardware Requirements

At least Intel Pentium 4 or faster with 1GB RAM and 10GB disk

System Prep

Update system with all the latest Fedora packages

Testing and Expected Results

The following list of tests is neither comprehensive nor in any particular order, but it gives the user the means and ideas for testing a PKI system:

  • Install the pki-ca, pki-kra, pki-ocsp, pki-tps and pki-tks packages via yum.
  • Follow the default instance creation procedures to create a base instance of each of the subsystems.
  • Once the setup is complete, perform these tests:
    • Issue different types of certificates like user certs, server certs.
    • Revoke a few certificates
    • Generate a CRL
    • Customize profiles based on different types of extensions and constraints
      • Generate certs that carry, for example, an AIA extension.
    • Submit a CRL to the OCSP responder.
    • Check Java Console access
      • Use the Java console to perform various configuration updates, such as:
        • Adding/editing/deleting additional CRL issuing points
        • ACL configurations
        • Adding/editing/deleting profiles
        • Log file configurations
    • Certificate enrollment via different types of browsers such as IE and Firefox
    • Smartcard enrollment and format operations
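
The revocation, CRL and AIA items above can be checked with plain openssl, independent of any Dogtag tooling. The following is an added example, not part of the original page or the Dogtag project; the throwaway CA, host names, file names and function names are constructed for illustration and stand in for certificates and CRLs exported from a real CA instance.

```shell
# Added example: checks run against a constructed throwaway CA, not Dogtag code.
# Succeeds if the certificate carries an Authority Information Access extension.
cert_has_aia() {
    openssl x509 -in "$1" -noout -text | grep -q 'Authority Information Access'
}
# Succeeds if the CRL lists the given serial (hex digits as openssl prints them).
crl_lists_serial() {
    openssl crl -in "$1" -noout -text |
        grep -Eq "Serial Number: 0*$2[[:space:]]*\$"
}
# Build the constructed CA, issue one cert with AIA, write a CRL before and
# after revoking it, and print the working directory.
make_fixture() {
    d=$(mktemp -d) && cd "$d" || return 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = testca
[testca]
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = pol
[pol]
commonName = supplied
[leaf_ext]
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
EOF
    : > index.txt; echo 1000 > serial
    {
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed Test CA' -keyout ca.key -out ca.pem
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj '/CN=leaf.example.test' -keyout leaf.key -out leaf.csr
    openssl ca -config ca.cnf -batch -notext -extensions leaf_ext -in leaf.csr -out leaf.pem
    openssl ca -config ca.cnf -gencrl -out crl_before.pem
    openssl ca -config ca.cnf -revoke leaf.pem
    openssl ca -config ca.cnf -gencrl -out crl_after.pem
    } >/dev/null 2>&1
    pwd
}
# Demo on the constructed fixture: serial 1000 must appear only after revocation.
d=$(make_fixture) && cert_has_aia "$d/leaf.pem" && crl_lists_serial "$d/crl_after.pem" 1000 &&
    echo "AIA present; serial 1000 listed in post-revocation CRL"
```

When testing a real instance, point `cert_has_aia` and `crl_lists_serial` at the PEM files exported from the CA and skip `make_fixture`.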


User Experience

FIXME

Dependencies

BuildRequires

Build-time packages already included in Fedora:

  • ant
  • apr-devel
  • apr-util-devel
  • cyrus-sasl-devel
  • httpd-devel >= 2.2.3
  • idm-console-framework
  • java-devel >= 1:1.6.0
  • jpackage-utils
  • jss >= 4.2.6
  • ldapjdk
  • m4
  • make
  • mozldap-devel
  • nspr-devel >= 4.6.99
  • nss-devel >= 3.12.3.99
  • pcre-devel
  • pkgconfig
  • policycoreutils
  • selinux-policy-devel
  • svrcore-devel
  • tomcat5
  • velocity
  • xalan-j2
  • xerces-j2
  • zlib
  • zlib-devel

Build-time Dogtag packages new to Fedora:

  • osutil
  • pki-common
  • pki-symkey
  • pki-util
  • tomcatjss

Requires

Runtime packages already included in Fedora:

  • idm-console-framework
  • java >= 1:1.6.0
  • jpackage-utils
  • jss >= 4.2.6
  • ldapjdk
  • mod_nss >= 1.0.7
  • mod_perl
  • mod_perl >= 1.99_16
  • mozldap
  • mozldap >= 6.0.2
  • mozldap-tools
  • nss >= 3.12.3.99
  • nss-tools >= 3.12.3.99
  • perl-DBD-SQLite
  • perl-DBI
  • perl-HTML-Parser
  • perl-HTML-Tagset
  • perl-Parse-RecDescent
  • perl-URI
  • perl-XML-NamespaceSupport
  • perl-XML-Parser
  • perl-XML-Simple
  • policycoreutils
  • selinux-policy-targeted
  • sendmail
  • sqlite
  • tomcat5
  • velocity
  • xalan-j2
  • xerces-j2

Runtime Dogtag packages new to Fedora:

  • osutil
  • pki-ca-ui
  • pki-common
  • pki-common-ui
  • pki-console-ui
  • pki-java-tools
  • pki-kra-ui
  • pki-native-tools
  • pki-ocsp-ui
  • pki-ra-ui
  • pki-selinux
  • pki-setup
  • pki-silent
  • pki-symkey
  • pki-tks-ui
  • pki-tps-ui
  • pki-util
  • tomcatjss

Top-level Dogtag packages new to Fedora:

  • pki-ca
  • pki-console
  • pki-kra
  • pki-ocsp
  • pki-ra
  • pki-tks
  • pki-tps

Dogtag Subpackages new to Fedora:

  • osutil-debuginfo
  • pki-common-javadoc
  • pki-java-tools-javadoc
  • pki-native-tools-debuginfo
  • pki-symkey-debuginfo
  • pki-tps-debuginfo
  • pki-tps-devel
  • pki-util-javadoc

Contingency Plan

N/A since Dogtag is a new addition to Fedora. In its current state, Dogtag will work.

Documentation

  • Documentation can be found here.

Release Notes

  • Release Notes can be found here.

Comments and Discussion