Announcing Dogtag 10.0.0 (Alpha)

The Dogtag team is pleased to announce the availability of an Alpha Release of the Dogtag 10.0 code.

(Reposted from the pki-users mailing list)

This release contains the following features:

1. Extension of the functionality of the DRM to store and retrieve symmetric keys and passphrases,
rather than only asymmetric keys. This feature allows the DRM to be used as a secure
vault-like storage for essentially any sensitive data. The data is stored using the same
secure FIPS-compliant storage mechanism used to store PKI keys.
2. The new DRM functionality is exposed through a new REST interface, provided by the RESTEasy
framework. This provides an intuitive mechanism for writing clients to the interface. Both
Java (using the RESTEasy client proxy framework) and Python clients have been coded. The
server uses standard Java libraries to generate and parse XML or JSON input and output data.
3. Extracted authentication and authorization code from the individual servlets into a standard
Tomcat authentication realm. This realm has been configured to require client certificate
authentication, and is being used to secure the new DRM REST interface. In the future, this
authentication realm could be extended to include other kinds of authentication (such as
Kerberos). This is part of a push to refactor the code to expose the core business
functionality in the servlets, while extracting the ancillary tasks (authentication,
authorization, XML parsing and generation, etc.) and using standard methods and libraries to
accomplish these tasks.
4. Enhanced Java subsystems so that they could connect to the internal database using a
non-directory manager user, that is authenticated using client authentication. This resolves a
number of issues with LDAP operations ignoring search limits. In addition, some changes have
been made to allow integrating the Dogtag database with other systems such as IPA.
5. A new package pki-deploy contains the initial framework for a Python-based
installer/de-installer (pkispawn/pkidestroy) that will be used to install and configure a
Dogtag instance. This will ultimately replace the pki-setup installer/de-installer
(pkicreate, pkidestroy) package, and the pki-silent instance configuration (pkisilent) package.
6. Much of the focus of this release was on cleaning up and modernizing the Dogtag source code.
* Dogtag source code has been moved to git.
* Java coding standards have been revised – and the code has been reformatted to match those
standards.
* Initially, Eclipse reported about 13000 warnings in the dogtag code. Those have been reduced
to close to 2400. This included removing dead and unused code, replacing calls to deprecated
functions and replacing raw collections with type-safe generics.
NOTE: These numbers currently exclude console code.
* OSUtil is a package that has certain utilities that were not available when the Dogtag code
was originally written. These utilities are now available in current standard
libraries – and so this package has been eliminated entirely.
* Improved handling of short and long lived threads which allow threads to exit gracefully on
shutdown.

The builds can be found at the following links:

* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/RPMS/i686 – Fedora 16 (32-bit i686)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/RPMS/x86_64 – Fedora 16 (64-bit x86_64)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/SRPMS – Fedora 16 (Source)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/RPMS/i686 – Fedora 17 (32-bit i686)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/RPMS/x86_64 – Fedora 17 (64-bit x86_64)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/SRPMS – Fedora 17 (Source)

2 thoughts on “Announcing Dogtag 10.0.0 (Alpha)

  1. I’ve discovered the project and was wondering if the project was “compatible” with convergence.io. Would be amazing be able to roll out your own certificate for internal use without having to buy wildcard certificate.

  2. Agreed. I have not looked that closely with convergence, but my quick reaction is that if convergence is built on top of Certificate signing, then yes, it will support a convergence deployment. However, we don’t do anything out of the box for convergence. And it will still require a browser plugin no matter what we do….

Leave a Reply

Your email address will not be published. Required fields are marked *