diff --git a/pki-core-Add-Bound-Bind-Connection-To-Dirauth-Plugin.patch b/pki-core-Add-Bound-Bind-Connection-To-Dirauth-Plugin.patch
new file mode 100644
index 0000000..cefb52b
--- /dev/null
+++ b/pki-core-Add-Bound-Bind-Connection-To-Dirauth-Plugin.patch
@@ -0,0 +1,311 @@
+commit c13593770108b6d683ab3d3b43b92d67ac64a1ef
+Author: Christina Fu
+Date: Wed Aug 5 16:21:51 2015 -0700
+
+ Ticket 1531 Directory auth plugin requires LDAP anonymous binds
+ -
+ This patch adds a feature to allow a directory based authentication plugin
+ to use bound ldap conneciton instead of anonymous.
+ Two files need to be edited
+ 1. /conf/password.conf
+ add a "tag" and the password of the binding user dn to the file
+ e.g. externalLDAP=password123
+ 2. /ca/CS.cfg
+ add the tag to cms.passwordlist:
+ e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP
+ add the authPrefix of the auths entry for the authentication instance
+ e.g. externalLDAP.authPrefix=auths.instance.UserDirEnrollment
+ add relevant entries to the authentication instance
+ e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
+ auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
+ auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
+ auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
+
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java
+index a8a9528..d723a57 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/DirBasedAuthentication.java
+@@ -84,6 +84,8 @@ public abstract class DirBasedAuthentication
+ protected static final String PROP_DNPATTERN = "dnpattern";
+ protected static final String PROP_LDAPSTRINGATTRS = "ldapStringAttributes";
+ protected static final String PROP_LDAPBYTEATTRS = "ldapByteAttributes";
++ protected static final String PROP_LDAP_BOUND_CONN = "ldapBoundConn";
++ protected static final String PROP_LDAP_BOUND_TAG = "ldapauth.bindPWPrompt";
+ 
+ // members
+ 
+@@ -110,6 +112,7 @@ public abstract class DirBasedAuthentication
+ /* 
whether to search for member= or member== */
+ protected boolean mSearchGroupUserByUserdn = true;
+ 
++ protected boolean mBoundConnEnable = false;
+ /* factory of anonymous ldap connections */
+ protected ILdapConnFactory mConnFactory = null;
+ 
+@@ -130,6 +133,9 @@ public abstract class DirBasedAuthentication
+ /* the combined list of LDAP attriubutes to retrieve*/
+ protected String[] mLdapAttrs = null;
+ 
++ /* the password prompt (tag) for the userdn of a bound connection */
++ protected String mTag;
++ 
+ /* default dn pattern if left blank or not set in the config */
+ protected static String DEFAULT_DNPATTERN =
+ "E=$attr.mail, CN=$attr.cn, O=$dn.o, C=$dn.c";
+@@ -255,6 +261,7 @@ public abstract class DirBasedAuthentication
+ mName = name;
+ mImplName = implName;
+ mConfig = config;
++ String method = "DirBasedAuthentication: init: ";
+ 
+ /* initialize ldap server configuration */
+ mLdapConfig = mConfig.getSubStore(PROP_LDAP);
+@@ -263,22 +270,31 @@ public abstract class DirBasedAuthentication
+ if (mBaseDN == null || mBaseDN.trim().equals(""))
+ throw new EPropertyNotFound(CMS.getUserMessage("CMS_BASE_GET_PROPERTY_FAILED", "basedn"));
+ mGroupsEnable = mLdapConfig.getBoolean(PROP_GROUPS_ENABLE, false);
+- CMS.debug("DirBasedAuthentication: mGroupsEnable=" + (mGroupsEnable ? "true" : "false"));
++ CMS.debug(method + " mGroupsEnable=" + (mGroupsEnable ? 
"true" : "false")); + mGroupsBaseDN = mLdapConfig.getString(PROP_GROUPS_BASEDN, mBaseDN); +- CMS.debug("DirBasedAuthentication: mGroupsBaseDN="+ mGroupsBaseDN); ++ CMS.debug(method + " mGroupsBaseDN="+ mGroupsBaseDN); + mGroups= mLdapConfig.getString(PROP_GROUPS, "ou=groups"); +- CMS.debug("DirBasedAuthentication: mGroups="+ mGroups); ++ CMS.debug(method + " mGroups="+ mGroups); + mGroupObjectClass = mLdapConfig.getString(PROP_GROUP_OBJECT_CLASS, "groupofuniquenames"); +- CMS.debug("DirBasedAuthentication: mGroupObjectClass="+ mGroupObjectClass); ++ CMS.debug(method + " mGroupObjectClass="+ mGroupObjectClass); + mUserIDName = mLdapConfig.getString(PROP_USERID_NAME, "uid"); +- CMS.debug("DirBasedAuthentication: mUserIDName="+ mUserIDName); ++ CMS.debug(method + " mUserIDName="+ mUserIDName); + mSearchGroupUserByUserdn = mLdapConfig.getBoolean(PROP_SEARCH_GROUP_USER_BY_USERDN, true); +- CMS.debug("DirBasedAuthentication: mSearchGroupUserByUserdn="+ mSearchGroupUserByUserdn); ++ CMS.debug(method + " mSearchGroupUserByUserdn="+ mSearchGroupUserByUserdn); + mGroupUserIDName = mLdapConfig.getString(PROP_GROUP_USERID_NAME, "cn"); +- CMS.debug("DirBasedAuthentication: mGroupUserIDName="+ mGroupUserIDName); ++ CMS.debug(method + " mGroupUserIDName="+ mGroupUserIDName); ++ } ++ mBoundConnEnable = mLdapConfig.getBoolean(PROP_LDAP_BOUND_CONN, false); ++ CMS.debug(method +" mBoundConnEnable =" + (mBoundConnEnable ? 
"true" : "false")); ++ if (mBoundConnEnable) { ++ mTag = mLdapConfig.getString(PROP_LDAP_BOUND_TAG); ++ CMS.debug(method + " getting ldap bound conn factory using id= " + mTag); ++ mConnFactory = CMS.getLdapBoundConnFactory(mTag); ++ } else { ++ mConnFactory = CMS.getLdapAnonConnFactory("DirBasedAuthentication"); + } +- mConnFactory = CMS.getLdapAnonConnFactory("DirBasedAuthentication"); +- mConnFactory.init(mLdapConfig); ++ if (mConnFactory != null) // else can try again later when needed ++ mConnFactory.init(mLdapConfig); + + /* initialize dn pattern */ + String pattern = mConfig.getString(PROP_DNPATTERN, null); +@@ -372,16 +388,34 @@ public abstract class DirBasedAuthentication + String userdn = null; + LDAPConnection conn = null; + AuthToken authToken = new AuthToken(this); ++ String method = "DirBasedAuthentication: authenticate:"; + ++ CMS.debug(method + " begins...mBoundConnEnable=" + mBoundConnEnable); + try { + if (mConnFactory == null) { +- conn = null; ++ CMS.debug(method + " mConnFactory null, getting conn factory"); ++ if (mBoundConnEnable) { ++ mTag = mLdapConfig.getString(PROP_LDAP_BOUND_TAG); ++ CMS.debug(method + " getting ldap bound conn factory using id= " + mTag); ++ mConnFactory = CMS.getLdapBoundConnFactory(mTag); ++ } else { ++ mConnFactory = CMS.getLdapAnonConnFactory("DirBasedAuthentication"); ++ } ++ if (mConnFactory != null) { ++ mConnFactory.init(mLdapConfig); ++ CMS.debug(method + " mConnFactory gotten, calling getConn"); ++ conn = mConnFactory.getConn(); ++ } + } else { ++ CMS.debug(method + " mConnFactory class name = " + mConnFactory.getClass().getName()); ++ CMS.debug(method + " mConnFactory not null, calling getConn"); + conn = mConnFactory.getConn(); + } + + // authenticate the user and get a user entry. ++ CMS.debug(method + " before authenticate() call"); + userdn = authenticate(conn, authCred, authToken); ++ CMS.debug(method + " after authenticate() call"); + authToken.set(USER_DN, userdn); + + // formulate the cert info. 
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java
+index 2f9fc43..e731352 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/UdnPwdDirAuthentication.java
+@@ -134,10 +134,22 @@ public class UdnPwdDirAuthentication extends DirBasedAuthentication {
+ 
+ return userdn;
+ } catch (ELdapException e) {
++ CMS.debug("Authenticating: closing bad connection");
++ try {
++ conn.disconnect();
++ } catch (Exception f) {
++ CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString());
++ }
+ log(ILogger.LL_FAILURE,
+ "Couldn't get ldap connection. Error: " + e.toString());
+ throw e;
+ } catch (LDAPException e) {
++ CMS.debug("Authenticating: closing bad connection");
++ try {
++ conn.disconnect();
++ } catch (Exception f) {
++ CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString());
++ }
+ switch (e.getLDAPResultCode()) {
+ case LDAPException.NO_SUCH_OBJECT:
+ case LDAPException.LDAP_PARTIAL_RESULTS:
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java
+index 21e024f..26bfaab 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/UidPwdDirAuthentication.java
+@@ -235,10 +235,22 @@ public class UidPwdDirAuthentication extends DirBasedAuthentication
+ return userdn;
+ } catch (ELdapException e) {
+ CMS.debug("Authenticating: User authentication failure: "+e);
++ CMS.debug("Authenticating: closing bad connection");
++ try {
++ conn.disconnect();
++ } catch (Exception f) {
++ CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString());
++ }
+ log(ILogger.LL_FAILURE, 
CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString()));
+ throw e;
+ } catch (LDAPException e) {
+ CMS.debug("Authenticating: User authentication failure: "+e);
++ CMS.debug("Authenticating: closing bad connection");
++ try {
++ conn.disconnect();
++ } catch (Exception f) {
++ CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString());
++ }
+ switch (e.getLDAPResultCode()) {
+ case LDAPException.NO_SUCH_OBJECT:
+ case LDAPException.LDAP_PARTIAL_RESULTS:
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
+index ed20740..82331da 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
++++ b/base/server/cms/src/com/netscape/cms/authentication/UidPwdPinDirAuthentication.java
+@@ -247,9 +247,21 @@ public class UidPwdPinDirAuthentication extends DirBasedAuthentication
+ 
+ return userdn;
+ } catch (ELdapException e) {
++ CMS.debug("Authenticating: closing bad connection");
++ try {
++ conn.disconnect();
++ } catch (Exception f) {
++ CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString());
++ }
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString()));
+ throw e;
+ } catch (LDAPException e) {
++ CMS.debug("Authenticating: closing bad connection");
++ try {
++ conn.disconnect();
++ } catch (Exception f) {
++ CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString());
++ }
+ switch (e.getLDAPResultCode()) {
+ case LDAPException.NO_SUCH_OBJECT:
+ case LDAPException.LDAP_PARTIAL_RESULTS:
+diff --git a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
+index 7bcab25..a95dd86 100644
+--- a/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
++++ 
b/base/server/cms/src/com/netscape/cms/authentication/UserPwdDirAuthentication.java
+@@ -187,9 +187,21 @@ public class UserPwdDirAuthentication extends DirBasedAuthentication
+ 
+ return userdn;
+ } catch (ELdapException e) {
++ CMS.debug("Authenticating: closing bad connection");
++ try {
++ conn.disconnect();
++ } catch (Exception f) {
++ CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString());
++ }
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CANNOT_CONNECT_LDAP", e.toString()));
+ throw e;
+ } catch (LDAPException e) {
++ CMS.debug("Authenticating: closing bad connection");
++ try {
++ conn.disconnect();
++ } catch (Exception f) {
++ CMS.debug("Authenticating: conn.disconnect() exception =" + f.toString());
++ }
+ switch (e.getLDAPResultCode()) {
+ case LDAPException.NO_SUCH_OBJECT:
+ case LDAPException.LDAP_PARTIAL_RESULTS:
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+index fa2c814..467836b 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+@@ -331,6 +331,7 @@ public class CMSEngine implements ICMSEngine {
+ }
+ 
+ public void initializePasswordStore(IConfigStore config) throws EBaseException, IOException {
++ System.out.println("CMSEngine.initializePasswordStore() begins");
+ // create and initialize mPasswordStore
+ getPasswordStore();
+ 
+@@ -345,6 +346,7 @@ public class CMSEngine implements ICMSEngine {
+ String binddn;
+ String authType;
+ LdapConnInfo connInfo = null;
++ System.out.println("CMSEngine.initializePasswordStore(): tag=" + tag);
+ 
+ if (tag.equals("internaldb")) {
+ authType = config.getString("internaldb.ldapauth.authtype", "BasicAuth");
+@@ -382,8 +384,43 @@ public class CMSEngine implements ICMSEngine {
+ binddn = config.getString("ca.publish.ldappublish.ldap.ldapauth.bindDN");
+ 
+ } else {
+- // ignore any others for now
+- 
continue;
++ /*
++ * This section assumes a generic format of
++ * .ldap.xxx
++ * where is specified under the tag substore
++ *
++ * e.g. if tag = "externalLDAP"
++ * cms.passwordlist=...,externalLDAP
++ * externalLDAP.authPrefix=auths.instance.UserDirEnrollment
++ *
++ * auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
++ * auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=cn=Corporate Directory Manager
++ * auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
++ * auths.instance.UserDirEnrollment.ldap.ldapconn.host=host.example.com
++ * auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
++ * auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
++ */
++ String authPrefix = config.getString(tag + ".authPrefix", null);
++ if (authPrefix == null) {
++ System.out.println("CMSEngine.initializePasswordStore(): authPrefix not found...skipping");
++ continue;
++ }
++ System.out.println("CMSEngine.initializePasswordStore(): authPrefix=" + authPrefix);
++ authType = config.getString(authPrefix +".ldap.ldapauth.authtype", "BasicAuth");
++ System.out.println("CMSEngine.initializePasswordStore(): authType " + authType);
++ if (!authType.equals("BasicAuth"))
++ continue;
++ 
++ connInfo = new LdapConnInfo(
++ config.getString(authPrefix + ".ldap.ldapconn.host"),
++ config.getInteger(authPrefix + ".ldap.ldapconn.port"),
++ config.getBoolean(authPrefix + ".ldap.ldapconn.secureConn"));
++ 
++ binddn = config.getString(authPrefix + ".ldap.ldapauth.bindDN", null);
++ if (binddn == null) {
++ System.out.println("CMSEngine.initializePasswordStore(): binddn not found...skipping");
++ continue;
++ }
+ }
+ 
+ do {
diff --git a/pki-core-Add-Reindex-Data-During-Cloning-No-Replication.patch b/pki-core-Add-Reindex-Data-During-Cloning-No-Replication.patch
new file mode 100644
index 0000000..07ed98e
--- /dev/null
+++ b/pki-core-Add-Reindex-Data-During-Cloning-No-Replication.patch
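Review bot: authenticate() in the DirBasedAuthentication hunk still reaches `userdn = authenticate(conn, authCred, authToken);` with `conn` null when `mConnFactory` is null and the retry through `CMS.getLdapBoundConnFactory(mTag)` or `CMS.getLdapAnonConnFactory(...)` also yields null, because the new `if (mConnFactory != null)` guard only skips `getConn()`; a missing or wrong `ldapauth.bindPWPrompt` tag therefore surfaces as a NullPointerException inside the subclass instead of an authentication-setup error, so fail explicitly there (e.g. throw an ELdapException naming mTag) before the subclass call. The same null reaches the `conn.disconnect()` added to the four subclass catch handlers (UdnPwd, UidPwd, UidPwdPin, UserPwd); their `catch (Exception f)` swallows the resulting NPE, but `if (conn != null) conn.disconnect();` keeps the debug line meaningful, and if the factory pools connections (which `getConn()` suggests) disconnecting them rather than handing them back may exhaust the pool under repeated failed logins — worth confirming against the factory contract. In CMSEngine.initializePasswordStore the new generic branch logs through `System.out.println` where the rest of the patch uses `CMS.debug`, and `config.getInteger(authPrefix + ".ldap.ldapconn.port")` and the `.secureConn` lookup carry no default, so a partially configured authPrefix.ldap.ldapconn entry aborts password-store initialization instead of being skipped like a missing `authPrefix` or `bindDN`. The inner hunks cut through init(), authenticate() and initializePasswordStore(), whose bodies continue outside the patch context.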
@@ -0,0 +1,512 @@ +commit 7c4bc2480c0cb0b4bb816ec090e9673bdddce047 +Author: Ade Lee +Date: Wed Jul 29 14:23:35 2015 -0400 + + Add code to reindex data during cloning without replication + + When setting up a clone, indexes are added before the + replication agreements are set up and the consumer is initialized. + Thus, as data is replicated and added to the clone db, the + data is indexed. + + When cloning is done with the replication agreements already set + up and the data replicated, the existing data is not indexed and + cannot be accessed in searches. The data needs to be reindexed. + + Related to ticket 1414 + +diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in +index 3d2dd5e..d6642a4 100644 +--- a/base/ca/shared/conf/CS.cfg.in ++++ b/base/ca/shared/conf/CS.cfg.in +@@ -828,6 +828,8 @@ preop.internaldb.index_ldif=/usr/share/pki/ca/conf/index.ldif + preop.internaldb.manager_ldif=/usr/share/pki/server/conf/manager.ldif + preop.internaldb.post_ldif=/usr/share/pki/ca/conf/vlv.ldif,/usr/share/pki/ca/conf/vlvtasks.ldif + preop.internaldb.wait_dn=cn=index1160589769, cn=index, cn=tasks, cn=config ++preop.internaldb.index_task_ldif=/usr/share/pki/ca/conf/indextasks.ldif ++preop.internaldb.index_wait_dn=cn=index1160589770,cn=index,cn=tasks,cn=config + internaldb.multipleSuffix.enable=false + jobsScheduler._000=## + jobsScheduler._001=## jobScheduler +diff --git a/base/ca/shared/conf/indextasks.ldif b/base/ca/shared/conf/indextasks.ldif +new file mode 100644 +index 0000000..4db159a +--- /dev/null ++++ b/base/ca/shared/conf/indextasks.ldif +@@ -0,0 +1,31 @@ ++dn: cn=index1160589770, cn=index, cn=tasks, cn=config ++objectclass: top ++objectclass: extensibleObject ++cn: index1160589770 ++ttl: 10 ++nsinstance: {database} ++nsIndexAttribute: revokedby:eq ++nsIndexAttribute: issuedby:eq ++nsIndexAttribute: publicKeyData:eq ++nsIndexAttribute: clientId:eq ++nsIndexAttribute: dataType:eq ++nsIndexAttribute: status:eq ++nsIndexAttribute: 
description:eq,pres ++nsIndexAttribute: serialno:eq,pres ++nsIndexAttribute: metaInfo:eq,pres ++nsIndexAttribute: certstatus:eq,pres ++nsIndexAttribute: requestid:eq,pres ++nsIndexAttribute: requesttype:eq,pres ++nsIndexAttribute: requeststate:eq,pres ++nsIndexAttribute: requestowner:eq,pres ++nsIndexAttribute: notbefore:eq,pres ++nsIndexAttribute: notafter:eq,pres ++nsIndexAttribute: duration:eq,pres ++nsIndexAttribute: dateOfCreate:eq,pres ++nsIndexAttribute: revokedOn:eq,pres ++nsIndexAttribute: archivedBy:eq,pres ++nsIndexAttribute: ownername:eq,pres,sub ++nsIndexAttribute: subjectname:eq,pres,sub ++nsIndexAttribute: requestsourceid:eq,pres,sub ++nsIndexAttribute: revInfo:eq,pres,sub ++nsIndexAttribute: extension:eq,pres,sub +diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +index 0682ac9..7c6c339 100644 +--- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java ++++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +@@ -130,6 +130,9 @@ public class ConfigurationRequest { + protected String setupReplication; + + @XmlElement ++ protected String reindexData; ++ ++ @XmlElement + protected List systemCerts; + + @XmlElement +@@ -525,6 +528,18 @@ public class ConfigurationRequest { + this.setupReplication = setupReplication; + } + ++ public boolean getReindexData() { ++ // default to false ++ if (reindexData == null) { ++ return false; ++ } ++ return reindexData.equalsIgnoreCase("true"); ++ } ++ ++ public void setReindexData(String reindexData) { ++ this.reindexData = reindexData; ++ } ++ + /** + * @return the database + */ +@@ -946,7 +961,8 @@ public class ConfigurationRequest { + ", sharedDBUserDN=" + sharedDBUserDN + + ", createNewDB=" + createNewDB + + ", setupReplication=" + setupReplication + +- ", subordinateSecurityDomainName" + subordinateSecurityDomainName + ++ ", subordinateSecurityDomainName=" + 
subordinateSecurityDomainName + ++ ", reindexData=" + reindexData + + "]"; + } + +@@ -960,5 +976,4 @@ public class ConfigurationRequest { + return uri == null ? null : new URI(uri); + } + } +- + } +diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in +index fae7713..64a369e 100644 +--- a/base/kra/shared/conf/CS.cfg.in ++++ b/base/kra/shared/conf/CS.cfg.in +@@ -236,6 +236,8 @@ preop.internaldb.index_ldif=/usr/share/pki/kra/conf/index.ldif + preop.internaldb.manager_ldif=/usr/share/pki/server/conf/manager.ldif + preop.internaldb.post_ldif=/usr/share/pki/kra/conf/vlv.ldif,/usr/share/pki/kra/conf/vlvtasks.ldif + preop.internaldb.wait_dn=cn=index1160527115, cn=index, cn=tasks, cn=config ++preop.internaldb.index_task_ldif=/usr/share/pki/kra/conf/indextasks.ldif ++preop.internaldb.index_wait_dn=cn=index1160589771,cn=index,cn=tasks,cn=config + internaldb.multipleSuffix.enable=false + jobsScheduler._000=## + jobsScheduler._001=## jobScheduler +diff --git a/base/kra/shared/conf/indextasks.ldif b/base/kra/shared/conf/indextasks.ldif +new file mode 100644 +index 0000000..41703a4 +--- /dev/null ++++ b/base/kra/shared/conf/indextasks.ldif +@@ -0,0 +1,31 @@ ++dn: cn=index1160589771, cn=index, cn=tasks, cn=config ++objectclass: top ++objectclass: extensibleObject ++cn: index1160589771 ++ttl: 10 ++nsinstance: {database} ++nsIndexAttribute: revokedby:eq ++nsIndexAttribute: issuedby:eq ++nsIndexAttribute: publicKeyData:eq ++nsIndexAttribute: clientId:eq ++nsIndexAttribute: dataType:eq ++nsIndexAttribute: status:eq ++nsIndexAttribute: description:eq,pres ++nsIndexAttribute: serialno:eq,pres ++nsIndexAttribute: metaInfo:eq,pres ++nsIndexAttribute: certstatus:eq,pres ++nsIndexAttribute: requestid:eq,pres ++nsIndexAttribute: requesttype:eq,pres ++nsIndexAttribute: requeststate:eq,pres ++nsIndexAttribute: requestowner:eq,pres ++nsIndexAttribute: notbefore:eq,pres ++nsIndexAttribute: notafter:eq,pres ++nsIndexAttribute: duration:eq,pres ++nsIndexAttribute: 
dateOfCreate:eq,pres ++nsIndexAttribute: revokedOn:eq,pres ++nsIndexAttribute: archivedBy:eq,pres ++nsIndexAttribute: ownername:eq,pres,sub ++nsIndexAttribute: subjectname:eq,pres,sub ++nsIndexAttribute: requestsourceid:eq,pres,sub ++nsIndexAttribute: revInfo:eq,pres,sub ++nsIndexAttribute: extension:eq,pres,sub +diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in +index 9c878e8..0cbe20b 100644 +--- a/base/ocsp/shared/conf/CS.cfg.in ++++ b/base/ocsp/shared/conf/CS.cfg.in +@@ -195,6 +195,8 @@ preop.internaldb.index_ldif=/usr/share/pki/ocsp/conf/index.ldif + preop.internaldb.manager_ldif=/usr/share/pki/server/conf/manager.ldif + preop.internaldb.post_ldif= + preop.internaldb.wait_dn= ++preop.internaldb.index_task_ldif=/usr/share/pki/ocsp/conf/indextasks.ldif ++preop.internaldb.index_wait_dn=cn=index1160589772,cn=index,cn=tasks,cn=config + internaldb.multipleSuffix.enable=false + jss._000=## + jss._001=## JSS +diff --git a/base/ocsp/shared/conf/indextasks.ldif b/base/ocsp/shared/conf/indextasks.ldif +new file mode 100644 +index 0000000..1169d60 +--- /dev/null ++++ b/base/ocsp/shared/conf/indextasks.ldif +@@ -0,0 +1,31 @@ ++dn: cn=index1160589772, cn=index, cn=tasks, cn=config ++objectclass: top ++objectclass: extensibleObject ++cn: index1160589772 ++ttl: 10 ++nsinstance: {database} ++nsIndexAttribute: revokedby:eq ++nsIndexAttribute: issuedby:eq ++nsIndexAttribute: publicKeyData:eq ++nsIndexAttribute: clientId:eq ++nsIndexAttribute: dataType:eq ++nsIndexAttribute: status:eq ++nsIndexAttribute: description:eq,pres ++nsIndexAttribute: serialno:eq,pres ++nsIndexAttribute: metaInfo:eq,pres ++nsIndexAttribute: certstatus:eq,pres ++nsIndexAttribute: requestid:eq,pres ++nsIndexAttribute: requesttype:eq,pres ++nsIndexAttribute: requeststate:eq,pres ++nsIndexAttribute: requestowner:eq,pres ++nsIndexAttribute: notbefore:eq,pres ++nsIndexAttribute: notafter:eq,pres ++nsIndexAttribute: duration:eq,pres ++nsIndexAttribute: dateOfCreate:eq,pres 
++nsIndexAttribute: revokedOn:eq,pres ++nsIndexAttribute: archivedBy:eq,pres ++nsIndexAttribute: ownername:eq,pres,sub ++nsIndexAttribute: subjectname:eq,pres,sub ++nsIndexAttribute: requestsourceid:eq,pres,sub ++nsIndexAttribute: revInfo:eq,pres,sub ++nsIndexAttribute: extension:eq,pres,sub +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index c8ab38c..a417be4 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -88,6 +88,7 @@ import netscape.security.x509.X500Name; + import netscape.security.x509.X509CertImpl; + import netscape.security.x509.X509Key; + ++import org.apache.commons.lang.StringUtils; + import org.apache.velocity.context.Context; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.CryptoManager.NicknameConflictException; +@@ -1346,6 +1347,7 @@ public class ConfigurationUtils { + boolean remove = cs.getBoolean("preop.database.removeData", false); + boolean createNewDB = cs.getBoolean("preop.database.createNewDB", true); + boolean setupReplication = cs.getBoolean("preop.database.setupReplication", true); ++ boolean reindexData = cs.getBoolean("preop.database.reindexData", false); + + IConfigStore dbCfg = cs.getSubStore("internaldb"); + ILdapConnFactory dbFactory = CMS.getLdapBoundConnFactory("ConfigurationUtils"); +@@ -1419,6 +1421,9 @@ public class ConfigurationUtils { + // On the other hand, if we are not setting up replication, then we + // are assuming that replication is already taken care of, and schema + // has already been replicated. No need to add. 
++ ++ // Also, data will be replicated from master to clone ++ // so clone does not need the data + boolean replicateSchema = cs.getBoolean("preop.internaldb.replicateSchema", true); + if (!replicateSchema || !setupReplication) { + importLDIFS("preop.internaldb.schema.ldif", conn); +@@ -1427,9 +1432,15 @@ public class ConfigurationUtils { + + // add the index before replication, add VLV indexes afterwards + importLDIFS("preop.internaldb.index_ldif", conn); ++ ++ if (!setupReplication && reindexData) { ++ // data has already been replicated but not yet indexed - ++ // re-index here ++ populateIndexes(conn); ++ } + } else { +- // data will be replicated from the master to the clone +- // so clone does not need the data ++ // this is the normal non-clone case ++ // import schema, database, initial data and indexes + importLDIFS("preop.internaldb.schema.ldif", conn); + importLDIFS("preop.internaldb.ldif", conn); + importLDIFS("preop.internaldb.data_ldif", conn); +@@ -1444,6 +1455,51 @@ public class ConfigurationUtils { + } + } + ++ private static void populateIndexes(LDAPConnection conn) throws EPropertyNotFound, IOException, EBaseException { ++ CMS.debug("populateIndexes(): start"); ++ IConfigStore cs = CMS.getConfigStore(); ++ ++ importLDIFS("preop.internaldb.index_task_ldif", conn, false); ++ ++ /* For populating indexes, we need to check if the task has completed. 
++ Presence of nsTaskExitCode means task is complete ++ */ ++ String wait_dn = cs.getString("preop.internaldb.index_wait_dn", ""); ++ if (!StringUtils.isEmpty(wait_dn)) { ++ wait_for_task(conn, wait_dn); ++ } ++ } ++ ++ private static void wait_for_task(LDAPConnection conn, String wait_dn) { ++ LDAPEntry task = null; ++ boolean taskComplete = false; ++ CMS.debug("Checking wait_dn " + wait_dn); ++ do { ++ try { ++ Thread.sleep(1000); ++ } catch (InterruptedException e) { ++ // restore the interrupted status ++ Thread.currentThread().interrupt(); ++ } ++ ++ try { ++ task = conn.read(wait_dn, (String[]) null); ++ if (task != null) { ++ LDAPAttribute attr = task.getAttribute("nsTaskExitCode"); ++ if (attr != null) { ++ taskComplete = true; ++ String val = (String) attr.getStringValues().nextElement(); ++ if (val.compareTo("0") != 0) { ++ CMS.debug("Error in populating indexes: nsTaskExitCode=" + val); ++ } ++ } ++ } ++ } catch (Exception le) { ++ CMS.debug("Still checking wait_dn '" + wait_dn + "' (" + le.toString() + ")"); ++ } ++ } while (!taskComplete); ++ } ++ + private static void createBaseEntry(String baseDN, LDAPConnection conn) throws EBaseException { + try { + CMS.debug("Creating base DN: " + baseDN); +@@ -1624,7 +1680,11 @@ public class ConfigurationUtils { + } + } + +- public static void importLDIFS(String param, LDAPConnection conn) throws IOException, EPropertyNotFound, ++ public static void importLDIFS(String param, LDAPConnection conn) throws EPropertyNotFound, IOException, EBaseException { ++ importLDIFS(param, conn, true); ++ } ++ ++ public static void importLDIFS(String param, LDAPConnection conn, boolean suppressErrors) throws IOException, EPropertyNotFound, + EBaseException { + IConfigStore cs = CMS.getConfigStore(); + +@@ -1706,6 +1766,9 @@ public class ConfigurationUtils { + for (String error : errors) { + CMS.debug(error); + } ++ if (!suppressErrors) { ++ throw new EBaseException("LDAP Errors in importing " + filename); ++ } + } + } + } +@@ 
-1836,33 +1899,7 @@ public class ConfigurationUtils { + */ + String wait_dn = cs.getString("preop.internaldb.wait_dn", ""); + if (!wait_dn.equals("")) { +- LDAPEntry task = null; +- boolean taskComplete = false; +- CMS.debug("Checking wait_dn " + wait_dn); +- do { +- try { +- Thread.sleep(1000); +- } catch (InterruptedException e) { +- // restore the interrupted status +- Thread.currentThread().interrupt(); +- } +- +- try { +- task = conn.read(wait_dn, (String[]) null); +- if (task != null) { +- LDAPAttribute attr = task.getAttribute("nsTaskExitCode"); +- if (attr != null) { +- taskComplete = true; +- String val = (String) attr.getStringValues().nextElement(); +- if (val.compareTo("0") != 0) { +- CMS.debug("Error in populating local VLV indexes: nsTaskExitCode=" + val); +- } +- } +- } +- } catch (Exception le) { +- CMS.debug("Still checking wait_dn '" + wait_dn + "' (" + le.toString() + ")"); +- } +- } while (!taskComplete); ++ wait_for_task(conn, wait_dn); + } + } catch (Exception e) { + CMS.debug("populateVLVIndexes(): Exception thrown: " + e); +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +index 31891ca..6e54147 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +@@ -649,6 +649,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + cs.putString("preop.database.removeData", data.getRemoveData()); + cs.putBoolean("preop.database.createNewDB", data.getCreateNewDB()); + cs.putBoolean("preop.database.setupReplication", data.getSetupReplication()); ++ cs.putBoolean("preop.database.reindexData", data.getReindexData()); + } + + public void initializeDatabase(ConfigurationRequest data) { +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index 26ffd0d..ddd2d83 100644 +--- 
a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -194,6 +194,7 @@ pki_clone_replication_master_port= + pki_clone_replication_clone_port= + pki_clone_replication_security=None + pki_clone_setup_replication=True ++pki_clone_reindex_data=False + pki_master_hostname=%(pki_security_domain_hostname)s + pki_master_https_port=%(pki_security_domain_https_port)s + pki_clone_uri=https://%(pki_master_hostname)s:%(pki_master_https_port)s +diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5 +index 17130ae..4e2c13b 100644 +--- a/base/server/man/man5/pki_default.cfg.5 ++++ b/base/server/man/man5/pki_default.cfg.5 +@@ -267,6 +267,14 @@ Location and password of the PKCS #12 file containing the system certificates fo + .IP + Defaults to True. If set to False, the installer does not set up replication agreements from the master to the clone as part of the subsystem configuration. In this case, it is expected that the top level suffix already exists, and that the data has already been replicated. This option is useful if you want to use other tools to create and manage your replication topology, or if the baseDN is already replicated as part of a top-level suffix. + .TP ++.B pki_clone_reindex_data ++.IP ++Defaults to False. This parameter is only relevant when \fBpki_clone_setup_replication\fP is ++set to False. In this case, it is expected that the database has been prepared and replicated ++as noted above. Part of that preparation could involve adding indexes and indexing the data. ++If you would like the Dogtag installer to add the indexes and reindex the data instead, set ++\fBpki_clone_reindex_data\fP to True. ++.TP + .B pki_clone_replication_master_port, pki_clone_replication_clone_port + .IP + Ports on which replication occurs. These are the ports on the master and clone databases respectively. Defaults to the internal database port. 
+diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 93fa384..b6ee61b 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -4264,6 +4264,7 @@ class ConfigClient: + data.cloneReplicationPort = \ + self.mdict['pki_clone_replication_clone_port'] + data.setupReplication = self.mdict['pki_clone_setup_replication'] ++ data.reindexData = self.mdict['pki_clone_reindex_data'] + + def set_hierarchy_parameters(self, data): + if self.subsystem == "CA": +diff --git a/base/tks/shared/conf/CS.cfg.in b/base/tks/shared/conf/CS.cfg.in +index f864e29..e63f07d 100644 +--- a/base/tks/shared/conf/CS.cfg.in ++++ b/base/tks/shared/conf/CS.cfg.in +@@ -187,6 +187,8 @@ preop.internaldb.index_ldif=/usr/share/pki/tks/conf/index.ldif + preop.internaldb.manager_ldif=/usr/share/pki/server/conf/manager.ldif + preop.internaldb.post_ldif= + preop.internaldb.wait_dn= ++preop.internaldb.index_task_ldif=/usr/share/pki/tks/conf/indextasks.ldif ++preop.internaldb.index_wait_dn=cn=index1160589773,cn=index,cn=tasks,cn=config + internaldb.multipleSuffix.enable=false + jss._000=## + jss._001=## JSS +diff --git a/base/tks/shared/conf/indextasks.ldif b/base/tks/shared/conf/indextasks.ldif +new file mode 100644 +index 0000000..749ac0a +--- /dev/null ++++ b/base/tks/shared/conf/indextasks.ldif +@@ -0,0 +1,31 @@ ++dn: cn=index1160589773, cn=index, cn=tasks, cn=config ++objectclass: top ++objectclass: extensibleObject ++cn: index1160589773 ++ttl: 10 ++nsinstance: {database} ++nsIndexAttribute: revokedby:eq ++nsIndexAttribute: issuedby:eq ++nsIndexAttribute: publicKeyData:eq ++nsIndexAttribute: clientId:eq ++nsIndexAttribute: dataType:eq ++nsIndexAttribute: status:eq ++nsIndexAttribute: description:eq,pres ++nsIndexAttribute: serialno:eq,pres ++nsIndexAttribute: metaInfo:eq,pres ++nsIndexAttribute: certstatus:eq,pres ++nsIndexAttribute: requestid:eq,pres 
++nsIndexAttribute: requesttype:eq,pres ++nsIndexAttribute: requeststate:eq,pres ++nsIndexAttribute: requestowner:eq,pres ++nsIndexAttribute: notbefore:eq,pres ++nsIndexAttribute: notafter:eq,pres ++nsIndexAttribute: duration:eq,pres ++nsIndexAttribute: dateOfCreate:eq,pres ++nsIndexAttribute: revokedOn:eq,pres ++nsIndexAttribute: archivedBy:eq,pres ++nsIndexAttribute: ownername:eq,pres,sub ++nsIndexAttribute: subjectname:eq,pres,sub ++nsIndexAttribute: requestsourceid:eq,pres,sub ++nsIndexAttribute: revInfo:eq,pres,sub ++nsIndexAttribute: extension:eq,pres,sub +diff --git a/base/tps/shared/conf/CS.cfg.in b/base/tps/shared/conf/CS.cfg.in +index 732d143..7bbecee 100644 +--- a/base/tps/shared/conf/CS.cfg.in ++++ b/base/tps/shared/conf/CS.cfg.in +@@ -1629,6 +1629,8 @@ preop.internaldb.manager_ldif=/usr/share/pki/server/conf/manager.ldif + preop.internaldb.post_ldif=/usr/share/pki/tps/conf/vlv.ldif,/usr/share/pki/tps/conf/vlvtasks.ldif + preop.internaldb.schema.ldif=/usr/share/pki/server/conf/schema.ldif + preop.internaldb.wait_dn=cn=index1160528734, cn=index, cn=tasks, cn=config ++preop.internaldb.index_task_ldif=/usr/share/pki/tps/conf/indextasks.ldif ++preop.internaldb.index_wait_dn=cn=index1160589774,cn=index,cn=tasks,cn=config + preop.module.token=Internal Key Storage Token + preop.pin=[PKI_RANDOM_NUMBER] + preop.product.name=CS +diff --git a/base/tps/shared/conf/indextasks.ldif b/base/tps/shared/conf/indextasks.ldif +new file mode 100644 +index 0000000..b5106bb +--- /dev/null ++++ b/base/tps/shared/conf/indextasks.ldif +@@ -0,0 +1,14 @@ ++dn: cn=index1160589774, cn=index, cn=tasks, cn=config ++objectclass: top ++objectclass: extensibleObject ++cn: index1160589774 ++ttl: 10 ++nsinstance: {database} ++nsIndexAttribute: tokenUserID:eq,pres,sub ++nsIndexAttribute: tokenID:eq,pres,sub ++nsIndexAttribute: dateOfCreate:eq,pres,sub ++nsIndexAttribute: dateOfModify:eq,pres,sub ++nsIndexAttribute: userCertificate:eq ++nsIndexAttribute: tokenSerial:eq ++nsIndexAttribute: 
tokenKeyType:eq ++nsIndexAttribute: description:eq,pres diff --git a/pki-core-Fix-Base-64-Encoded-Cert-Displays.patch b/pki-core-Fix-Base-64-Encoded-Cert-Displays.patch new file mode 100644 index 0000000..080855b --- /dev/null +++ b/pki-core-Fix-Base-64-Encoded-Cert-Displays.patch @@ -0,0 +1,153 @@ +commit 6999197b067af920b53c75e17dc20181ba49e997 +Author: Matthew Harmsen +Date: Fri Jul 31 17:28:57 2015 -0600 + + remove extra space from Base 64 encoded cert displays + + - PKI TRAC Ticket #1522 - CA UI adds extra space in Base 64 encoded + certificate display + +diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template +index 2bb2bfa..3b58a47 100644 +--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template ++++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template +@@ -179,11 +179,11 @@ The following format can be used to install this certificate into a server. + Base 64 encoded certificate + +
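Review bot: The new wait_for_task in ConfigurationUtils.java has no exit other than the appearance of nsTaskExitCode, and the restored interrupt status never leaves the loop: once interrupted, Thread.sleep throws immediately on every pass, so the loop degrades into a hot spin on conn.read, and if the task entry never appears or every read keeps failing the installer hangs forever while the catch-all turns each error into a debug line. At minimum the loop condition should honor interruption, `} while (!taskComplete && !Thread.currentThread().isInterrupted());`, and a bounded number of attempts that ends in a thrown exception would let configuration fail loudly instead of hanging. Separately, a nonzero nsTaskExitCode is only logged, so populateIndexes returns normally and the clone proceeds with data that is still unindexed; propagating that failure to the caller seems preferable. The same loop body was previously inline in populateVLVIndexes, so none of this is new behavior, but the extraction into a shared helper is the natural place to fix it.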

+------BEGIN CERTIFICATE-----
+ 
+------END CERTIFICATE-----
+ 
+ + +@@ -191,11 +191,11 @@ document.write(result.header.certChainBase64); + Base 64 encoded certificate with CA certificate chain in pkcs7 format + +

+------BEGIN CERTIFICATE CHAIN-----
+ 
+------END CERTIFICATE CHAIN-----
+ 
+ +

+diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template +index 4a193e3..7923f41 100644 +--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template ++++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template +@@ -97,11 +97,11 @@ The following format can be used to install this certificate into a server. + Base 64 encoded certificate + +

+------BEGIN CERTIFICATE CHAIN-----
+ 
+------END CERTIFICATE CHAIN-----
+ 
+ +

+diff --git a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template +index e9b4d72..d1e65fa 100644 +--- a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template ++++ b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template +@@ -104,11 +104,11 @@ The following format can be used to install this certificate into a server. + Base 64 encoded certificate + +

+------BEGIN CERTIFICATE-----
+ 
+------END CERTIFICATE-----
+ 
+ + +@@ -116,11 +116,11 @@ document.write(result.header.certChainBase64); + Base 64 encoded certificate with CA certificate chain in pkcs7 format + +

+------BEGIN CERTIFICATE-----
+ 
+------END CERTIFICATE-----
+ 
+ +

+diff --git a/base/ca/shared/webapps/ca/ee/ca/displayBySerial2.template b/base/ca/shared/webapps/ca/ee/ca/displayBySerial2.template +index f8f3064..7e6678f 100644 +--- a/base/ca/shared/webapps/ca/ee/ca/displayBySerial2.template ++++ b/base/ca/shared/webapps/ca/ee/ca/displayBySerial2.template +@@ -97,11 +97,11 @@ The following format can be used to install this certificate into a server. + Base 64 encoded certificate + +

+------BEGIN CERTIFICATE-----
+ 
+------END CERTIFICATE-----
+ 
+ +

+diff --git a/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template b/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template +index 4e93919..49a91af 100644 +--- a/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template ++++ b/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template +@@ -43,9 +43,9 @@ if (result.header.displayFormat == "chain") { + document.writeln('

' + result.header.subjectdn); + document.writeln('


'); + document.writeln('

');
+-    document.writeln('-----BEGIN CERTIFICATE-----');
+-    document.writeln(result.header.chainBase64);
+-    document.writeln('-----END CERTIFICATE-----');
++    document.writeln('-----BEGIN CERTIFICATE CHAIN-----');
++    document.write(result.header.chainBase64);
++    document.writeln('-----END CERTIFICATE CHAIN-----');
+     document.writeln('
'); + } else if (result.header.displayFormat == "individual") { + if (result.recordSet.length == 0) { +@@ -86,7 +86,7 @@ function displayCertificate(cert,i) + document.writeln(''); + document.writeln('
');
+     document.writeln('-----BEGIN CERTIFICATE-----');
+-    document.writeln(cert.base64);
++    document.write(cert.base64);
+     document.writeln('-----END CERTIFICATE-----');
+     document.writeln('
'); + document.writeln(''); +diff --git a/base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template b/base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template +index 30af980..06bef2f 100644 +--- a/base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template ++++ b/base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template +@@ -92,11 +92,11 @@ The following format can be used to install this certificate into a server. + Base 64 encoded certificate + +

+------BEGIN CERTIFICATE-----
+ 
+------END CERTIFICATE-----
+ 
+ +

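Review bot: In displayCaCert.template the chain branch now emits `-----BEGIN CERTIFICATE CHAIN-----` / `-----END CERTIFICATE CHAIN-----` where it previously emitted the CERTIFICATE labels, a label change the commit message (remove extra space) does not mention. "CERTIFICATE CHAIN" is not one of the textual-encoding labels defined in RFC 7468, so a user who pastes this block into openssl, a browser import dialog or another PEM parser is unlikely to get it parsed; if chainBase64 is a PKCS#7 blob (the sibling templates describe the chain display as "pkcs7 format") the recognized label would be `-----BEGIN PKCS7-----`, and if it is a plain certificate the original CERTIFICATE label should stay. The same non-standard label also appears in the agent displayBySerial templates touched by this patch. The writeln-to-write swap for the base64 body assumes every base64 string already ends with a newline; if a value arrives without one, the END marker is appended to the last base64 line, which is worth confirming against the producer of these fields.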
diff --git a/pki-core-Fix-Firefox-Warning.patch b/pki-core-Fix-Firefox-Warning.patch new file mode 100644 index 0000000..442a81b --- /dev/null +++ b/pki-core-Fix-Firefox-Warning.patch @@ -0,0 +1,81 @@ +commit e1eb261b467f6e19c7e6604fc7ecb03e8b1f8166 +Author: Jack Magne +Date: Fri Jul 31 13:55:07 2015 -0700 + + Firefox warning + + Ticket #1523 + + Move the dire warning about the crypto object to sections where it applies. + + Also slightly changed the message due to context. + +diff --git a/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template b/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template +index 5075962..2c01b9a 100644 +--- a/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template ++++ b/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template +@@ -56,6 +56,11 @@ function getKeyStrengthTableForKeyGen() { + + } + ++function getNoCryptoWarning() { ++ document.write('

Warning: This version of Firefox no longer supports the crypto web object used to generate and archive keys from the browser. As a result expect limited functionality in this area.

'); ++ document.write('
'); ++} ++ + function getKeyTypesOptionsForKeyGen() { + var keyTypesDef = "RSA"; + var keyTypes = null; +@@ -748,6 +753,7 @@ for (var m = 0; m < inputPluginListSet.length; m++) { + document.writeln(''); + } else { + ++ getNoCryptoWarning(); + getKeyStrengthTableForKeyGen(); + + var keyTypesOptions = getKeyTypesOptionsForKeyGen(); +@@ -770,6 +776,7 @@ for (var m = 0; m < inputPluginListSet.length; m++) { + } else if (typeof(crypto) != "undefined" && typeof(crypto.version) != "undefined") { + document.writeln('crmf'); + } else { ++ getNoCryptoWarning(); + document.writeln('Not Supported'); + } + } else if ((inputListSet[n].inputSyntax == 'keygen_request_type') || +diff --git a/base/ca/shared/webapps/ca/services.template b/base/ca/shared/webapps/ca/services.template +index 0ccbd1c..0e314b2 100644 +--- a/base/ca/shared/webapps/ca/services.template ++++ b/base/ca/shared/webapps/ca/services.template +@@ -101,12 +101,6 @@ Certificate System CA Services Page + + +- +- +
+ +
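Review bot: The text written by the new getNoCryptoWarning() in ProfileSelect.template says "This version of Firefox no longer supports the crypto web object", but the else branch that calls it at the second site is reached whenever `crypto` or `crypto.version` is undefined, which is true in every browser without the legacy object, so the message blames Firefox regardless of the browser actually in use; the first call site's condition lies outside the visible context, so the same may apply there. Browser-neutral wording would be accurate at both sites, e.g. `Warning: This browser does not support the legacy crypto web object used to generate and archive keys from the browser. Expect limited functionality in this area.`. A short comment above the helper noting that every caller has already established the crypto object is missing would explain why the function itself takes no condition. The enclosing loop over inputPluginListSet begins before the nested hunk and is not visible here.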
diff --git a/pki-core-Fix-Missing-Cert-Request-Hostname-Address.patch b/pki-core-Fix-Missing-Cert-Request-Hostname-Address.patch new file mode 100644 index 0000000..670f17b --- /dev/null +++ b/pki-core-Fix-Missing-Cert-Request-Hostname-Address.patch 
@@ -0,0 +1,329 @@
+commit fec55e3cfa8c0917ef63f3d6289fe3788f80bf33
+Author: Endi S. Dewata
+Date: Wed Aug 5 19:10:19 2015 +0200
+
+ Fixed missing cert request hostname and address.
+
+ The CA services have been modified to inject request hostname and
+ address into the certificate request object such that they will be
+ stored in the database. This fixes the problem with requests
+ submitted either via the UI or the CLI.
+
+ An unused method in CertRequestResource has been removed. Some
+ debug messages have been cleaned as well.
+
+ https://fedorahosted.org/pki/ticket/1535
+
+diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+index a11cb47..95f1f4c 100644
+--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
++++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+@@ -27,7 +27,6 @@ import javax.servlet.http.HttpServletRequest;
+ import javax.ws.rs.PathParam;
+ import javax.ws.rs.core.Context;
+ import javax.ws.rs.core.HttpHeaders;
+-import javax.ws.rs.core.MultivaluedMap;
+ import javax.ws.rs.core.Request;
+ import javax.ws.rs.core.Response;
+ import javax.ws.rs.core.UriInfo;
+@@ -113,13 +112,6 @@ public class CertRequestService extends PKIService implements CertRequestResourc
+ return createOKResponse(info);
+ }
+
+- // Enrollment - used to test integration with a browser
+- @Override
+- public Response enrollCert(MultivaluedMap form) {
+- CertEnrollmentRequest data = new CertEnrollmentRequest(form);
+- return enrollCert(data);
+- }
+-
+ @Override
+ public Response enrollCert(CertEnrollmentRequest data) {
+
+@@ -128,6 +120,9 @@ public class CertRequestService extends PKIService implements CertRequestResourc
+ throw new BadRequestException("Unable to create enrollment reequest: Invalid input data");
+ }
+
++ data.setRemoteHost(servletRequest.getRemoteHost());
++ data.setRemoteAddr(servletRequest.getRemoteAddr());
++
+ CertRequestDAO dao
= new CertRequestDAO();
+
+ CertRequestInfos infos;
+@@ -143,10 +138,10 @@ public class CertRequestService extends PKIService implements CertRequestResourc
+ CMS.debug("enrollCert: bad request data: " + e);
+ throw new BadRequestException(e.toString());
+ } catch (EBaseException e) {
+- throw new PKIException(e.toString());
++ throw new PKIException(e);
+ } catch (Exception e) {
+ CMS.debug(e);
+- throw new PKIException(e.toString());
++ throw new PKIException(e);
+ }
+
+ // this will return an error code of 200, instead of 201
+diff --git a/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java b/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java
+index 72aad33..d55b5b4 100644
+--- a/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java
++++ b/base/common/src/com/netscape/certsrv/cert/CertEnrollmentRequest.java
+@@ -275,6 +275,14 @@ public class CertEnrollmentRequest {
+ return sw.toString();
+ }
+
++ public String toString() {
++ try {
++ return toXML();
++ } catch (JAXBException e) {
++ throw new RuntimeException(e);
++ }
++ }
++
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+diff --git a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
+index b9ae1f1..7f08b4a 100644
+--- a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
++++ b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
+@@ -17,14 +17,11 @@
+ // --- END COPYRIGHT BLOCK ---
+ package com.netscape.certsrv.cert;
+
+-import javax.ws.rs.Consumes;
+ import javax.ws.rs.GET;
+ import javax.ws.rs.POST;
+ import javax.ws.rs.Path;
+ import javax.ws.rs.PathParam;
+ import javax.ws.rs.QueryParam;
+-import javax.ws.rs.core.MediaType;
+-import javax.ws.rs.core.MultivaluedMap;
+ import javax.ws.rs.core.Response;
+
+ import org.jboss.resteasy.annotations.ClientResponseType;
+@@ -37,13 +34,6 @@ import com.netscape.certsrv.request.RequestId;
+ @Path("")
+ public interface CertRequestResource {
+
+- // Enrollment - used to test integration with a browser
+- @POST
+- @Path("certrequests")
+- @ClientResponseType(entityType=CertRequestInfos.class)
+- @Consumes({ MediaType.APPLICATION_FORM_URLENCODED })
+- public Response enrollCert(MultivaluedMap form);
+-
+ @POST
+ @Path("certrequests")
+ @ClientResponseType(entityType=CertRequestInfos.class)
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java
+index 7a26e8e..d74a285 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertEnrollmentRequestFactory.java
+@@ -20,6 +20,8 @@ package com.netscape.cms.servlet.cert;
+ import java.util.Enumeration;
+ import java.util.Locale;
+
++import javax.servlet.http.HttpServletRequest;
++
+ import com.netscape.certsrv.base.IArgBlock;
+ import com.netscape.certsrv.cert.CertEnrollmentRequest;
+ import com.netscape.certsrv.profile.EProfileException;
+@@ -35,18 +37,22 @@ public class CertEnrollmentRequestFactory {
+ throws EProfileException {
+ IArgBlock params = cmsReq.getHttpParams();
+
+- CertEnrollmentRequest ret = new CertEnrollmentRequest();
+- ret.setProfileId(profile.getId());
++ CertEnrollmentRequest request = new CertEnrollmentRequest();
++ request.setProfileId(profile.getId());
+
+ // populate profile inputs
+ Enumeration inputIds = profile.getProfileInputIds();
+ while (inputIds.hasMoreElements()) {
+ IProfileInput input = profile.getProfileInput(inputIds.nextElement());
+ ProfileInput addInput = ProfileInputFactory.create(input, params, locale);
+- ret.addInput(addInput);
++ request.addInput(addInput);
+ }
+
+- return ret;
++ HttpServletRequest httpRequest = cmsReq.getHttpReq();
++ request.setRemoteHost(httpRequest.getRemoteHost());
++ request.setRemoteAddr(httpRequest.getRemoteAddr());
++
++ return request;
+ }
+
+ }
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+index 4cd54a2..f1a147e 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+@@ -172,13 +172,14 @@ public class CertProcessor extends CAProcessor {
+ auditRequesterID = auditRequesterID(req);
+
+ // print request debug
++ CMS.debug("CertProcessor: Request:");
+ if (req != null) {
+ Enumeration reqKeys = req.getExtDataKeys();
+ while (reqKeys.hasMoreElements()) {
+ String reqKey = reqKeys.nextElement();
+ String reqVal = req.getExtDataInString(reqKey);
+ if (reqVal != null) {
+- CMS.debug("CertRequestSubmitter: key=$request." + reqKey + "$ value=" + reqVal);
++ CMS.debug("CertProcessor: - " + reqKey + ": " + reqVal);
+ }
+ }
+ }
+@@ -213,7 +214,7 @@ public class CertProcessor extends CAProcessor {
+ notify.notify(req);
+ }
+
+- CMS.debug("CertRequestSubmitter: submit " + e.toString());
++ CMS.debug("CertProcessor: submit " + e);
+ errorCode = "2";
+ errorReason = CMS.getUserMessage(locale, "CMS_PROFILE_DEFERRED", e.toString());
+
+@@ -223,7 +224,7 @@ public class CertProcessor extends CAProcessor {
+ } catch (ERejectException e) {
+ // return error to the user
+ req.setRequestStatus(RequestStatus.REJECTED);
+- CMS.debug("CertRequestSubmitter: submit " + e.toString());
++ CMS.debug("CertProcessor: submit " + e);
+ errorCode = "3";
+ errorReason = CMS.getUserMessage(locale, "CMS_PROFILE_REJECTED", e.toString());
+
+@@ -239,8 +240,8 @@ public class CertProcessor extends CAProcessor {
+ audit(auditMessage);
+ } catch (Throwable e) {
+ // return error to the user
+- e.printStackTrace();
+- CMS.debug("CertRequestSubmitter: submit " + e.toString());
++ CMS.debug(e);
++ CMS.debug("CertProcessor: submit " + e);
+ errorCode = "1";
+ errorReason = CMS.getUserMessage(locale,
"CMS_INTERNAL_ERROR"); + auditMessage = CMS.getLogMessage( +@@ -261,8 +262,8 @@ public class CertProcessor extends CAProcessor { + profile.getRequestQueue().updateRequest(req); + } + } catch (EBaseException e) { +- e.printStackTrace(); +- CMS.debug("CertRequestSubmitter: updateRequest " + e.toString()); ++ CMS.debug(e); ++ CMS.debug("CertProcessor: updateRequest " + e); + } + } + return errorCode; +@@ -312,7 +313,7 @@ public class CertProcessor extends CAProcessor { + } + + if (fromRA) { +- CMS.debug("CertRequestSubmitter: request from RA: " + uid); ++ CMS.debug("CertProcessor: request from RA: " + uid); + req.setExtData(ARG_REQUEST_OWNER, uid); + } + +@@ -326,18 +327,18 @@ public class CertProcessor extends CAProcessor { + + if (setId == null) { + // no profile set found +- CMS.debug("CertRequestSubmitter: no profile policy set found"); ++ CMS.debug("CertProcessor: no profile policy set found"); + throw new EBaseException(CMS.getUserMessage(locale, "CMS_PROFILE_NO_POLICY_SET_FOUND")); + } + +- CMS.debug("CertRequestSubmitter profileSetid=" + setId); ++ CMS.debug("CertProcessor: profileSetid=" + setId); + req.setExtData(ARG_PROFILE_SET_ID, setId); + req.setExtData(ARG_PROFILE_REMOTE_HOST, data.getRemoteHost()); + req.setExtData(ARG_PROFILE_REMOTE_ADDR, data.getRemoteAddr()); + +- CMS.debug("CertRequestSubmitter: request " + req.getRequestId().toString()); ++ CMS.debug("CertProcessor: request " + req.getRequestId()); + +- CMS.debug("CertRequestSubmitter: populating request inputs"); ++ CMS.debug("CertProcessor: populating request inputs"); + // give authenticator a chance to populate the request + if (authenticator != null) { + authenticator.populate(authToken, req); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java +index 8d9d05c..960f997 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java ++++ 
b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java
+@@ -127,13 +127,13 @@ public class EnrollmentProcessor extends CertProcessor {
+ printParameterValues(params);
+ }
+
+- CMS.debug("EnrollmentSubmitter: isRenewal false");
++ CMS.debug("EnrollmentProcessor: isRenewal false");
+ startTiming("enrollment");
+
+ // if we did not configure profileId in xml file,
+ // then accept the user-provided one
+ String profileId = (this.profileID == null) ? data.getProfileId() : this.profileID;
+- CMS.debug("EnrollmentSubmitter: profileId " + profileId);
++ CMS.debug("EnrollmentProcessor: profileId " + profileId);
+
+ IProfile profile = ps.getProfile(profileId);
+ if (profile == null) {
+@@ -141,17 +141,17 @@ public class EnrollmentProcessor extends CertProcessor {
+ throw new BadRequestDataException(CMS.getUserMessage(locale, "CMS_PROFILE_NOT_FOUND", CMSTemplate.escapeJavaScriptStringHTML(profileId)));
+ }
+ if (!ps.isProfileEnable(profileId)) {
+- CMS.debug("EnrollmentSubmitter: Profile " + profileId + " not enabled");
++ CMS.debug("EnrollmentProcessor: Profile " + profileId + " not enabled");
+ throw new BadRequestDataException("Profile " + profileId + " not enabled");
+ }
+
+ IProfileContext ctx = profile.createContext();
+- CMS.debug("EnrollmentSubmitter: set Inputs into profile Context");
++ CMS.debug("EnrollmentProcessor: set Inputs into profile Context");
+ setInputsIntoContext(data, profile, ctx);
+
+ IProfileAuthenticator authenticator = profile.getAuthenticator();
+ if (authenticator != null) {
+- CMS.debug("EnrollmentSubmitter: authenticator " + authenticator.getName() + " found");
++ CMS.debug("EnrollmentProcessor: authenticator " + authenticator.getName() + " found");
+ setCredentialsIntoContext(request, authenticator, ctx);
+ }
+
+@@ -160,7 +160,7 @@ public class EnrollmentProcessor extends CertProcessor {
+ SessionContext context = SessionContext.getContext();
+ context.put("profileContext", ctx);
+ context.put("sslClientCertProvider",
new SSLClientCertProvider(request));
+- CMS.debug("EnrollmentSubmitter: set sslClientCertProvider");
++ CMS.debug("EnrollmentProcessor: set sslClientCertProvider");
+
+ // before creating the request, authenticate the request
+ IAuthToken authToken = authenticate(request, null, authenticator, context, false);
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+index 28b1b51..b9af84b 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+@@ -257,7 +257,8 @@ public class CAProcessor extends Processor {
+ }
+
+ protected void printParameterValues(HashMap data) {
+- CMS.debug("Start of CertProcessor Input Parameters");
++
++ CMS.debug("CAProcessor: Input Parameters:");
+
+ for (Entry entry : data.entrySet()) {
+ String paramName = entry.getKey();
+@@ -280,13 +281,11 @@ public class CAProcessor extends Processor {
+ paramName.equalsIgnoreCase("pwd") ||
+ paramName.equalsIgnoreCase("pwdagain") ||
+ paramName.equalsIgnoreCase("uPasswd")) {
+- CMS.debug("CertProcessor Input Parameter " + paramName + "='(sensitive)'");
++ CMS.debug("CAProcessor: - " + paramName + ": (sensitive)");
+ } else {
+- CMS.debug("CertProcessor Input Parameter " + paramName + "='" + entry.getValue() + "'");
++ CMS.debug("CAProcessor: - " + paramName + ": " + entry.getValue());
+ }
+ }
+-
+- CMS.debug("End of CertProcessor Input Parameters");
+ }
+
+ /**
diff --git a/pki-core-Remove-Inaccessible-URLs-From-Pkidaemon.patch b/pki-core-Remove-Inaccessible-URLs-From-Pkidaemon.patch
new file mode 100644
index 0000000..aef005c
--- /dev/null
+++ b/pki-core-Remove-Inaccessible-URLs-From-Pkidaemon.patch
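Review bot: The new `toString()` in the CertEnrollmentRequest hunk (`@@ -275,6 +275,14 @@`) lacks `@Override` (the `hashCode()` directly below it has one) and converts a JAXB failure into a RuntimeException thrown from a method that logging and string concatenation invoke implicitly, so a marshalling error would surface as a crash in whatever debug statement happened to touch the object; prefer `@Override` on the declaration and, in the catch, `return super.toString() + " (toXML failed: " + e + ")";`. It also serializes every profile input verbatim, whereas `CAProcessor.printParameterValues` in the same patch deliberately masks `pwd`/`pwdagain`/`uPasswd`; if this object is ever handed to `CMS.debug`, that redaction is bypassed, so at minimum a Javadoc line stating that the output is unredacted XML and must not be logged is warranted. The `setRemoteHost`/`setRemoteAddr` calls added in CertRequestService and CertEnrollmentRequestFactory record the TCP peer as Tomcat sees it, so behind a reverse proxy they will persist the proxy's address unless a RemoteIpValve or equivalent is configured, and `getRemoteHost()` may be reverse-DNS data under the client's control; since the value lands in the request's ext data, which the `@@ -172,13 +172,14 @@` loop in CertProcessor prints wholesale, it should be treated as untrusted wherever it is displayed.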
@@ -0,0 +1,150 @@
+commit 5015475c6084d9397017e5531299f1545fae2a33
+Author: Matthew Harmsen
+Date: Fri Aug 7 13:20:22 2015 -0600
+
+ remove more inaccessible URLs from server.xml
+
+ - PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI
+ subsystems which are not accessible
+ - PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status tomcat
+ shows an error page
+
+diff --git a/base/server/man/man1/pkidaemon.1 b/base/server/man/man1/pkidaemon.1
+index 9b4eb46..35c04e5 100644
+--- a/base/server/man/man1/pkidaemon.1
++++ b/base/server/man/man1/pkidaemon.1
+@@ -39,6 +39,8 @@ As stated above, the only optional argument to \fBpkidaemon\fR is \fB[instance-n
+
+ For the following examples, two instances were installed. The first contained a CA, KRA, OCSP, TKS and TPS in a shared PKI instance named 'pki-tomcat', while the second simply contained a CA running on different ports and named 'pki-tomcat-2'.
+
++For the OCSP 'Unsecure URL' and the OCSP 'Secure EE URL' which both specify a static string of '', the intention is for the user to replace this static string with an actual OCSP request blob relevant to their particular deployment.
++
+ .SS Listing the status of all local PKI instances on this machine:
+ .BR
+ .PP
+@@ -57,22 +59,20 @@ Status for pki-tomcat: pki-tomcat is running ..
+ Tomcat Port = 8005 (for shutdown)
+
+ [DRM Status Definitions]
+- Unsecure URL = http://pki.example.com:8080/kra/ee/kra
+ Secure Agent URL = https://pki.example.com:8443/kra/agent/kra
+ Secure Admin URL = https://pki.example.com:8443/kra/services
+ PKI Console Command = pkiconsole https://pki.example.com:8443/kra
+ Tomcat Port = 8005 (for shutdown)
+
+ [OCSP Status Definitions]
+- Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp
++ Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp/
+ Secure Agent URL = https://pki.example.com:8443/ocsp/agent/ocsp
+- Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp
++ Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp/
+ Secure Admin URL = https://pki.example.com:8443/ocsp/services
+ PKI Console Command = pkiconsole https://pki.example.com:8443/ocsp
+ Tomcat Port = 8005 (for shutdown)
+
+ [TKS Status Definitions]
+- Unsecure URL = http://pki.example.com:8080/tks/ee/tks
+ Secure Agent URL = https://pki.example.com:8443/tks/agent/tks
+ Secure Admin URL = https://pki.example.com:8443/tks/services
+ PKI Console Command = pkiconsole https://pki.example.com:8443/tks
+@@ -179,22 +179,20 @@ Status for pki-tomcat: pki-tomcat is running ..
+ Tomcat Port = 8005 (for shutdown)
+
+ [DRM Status Definitions]
+- Unsecure URL = http://pki.example.com:8080/kra/ee/kra
+ Secure Agent URL = https://pki.example.com:8443/kra/agent/kra
+ Secure Admin URL = https://pki.example.com:8443/kra/services
+ PKI Console Command = pkiconsole https://pki.example.com:8443/kra
+ Tomcat Port = 8005 (for shutdown)
+
+ [OCSP Status Definitions]
+- Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp
++ Unsecure URL = http://pki.example.com:8080/ocsp/ee/ocsp/
+ Secure Agent URL = https://pki.example.com:8443/ocsp/agent/ocsp
+- Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp
++ Secure EE URL = https://pki.example.com:8443/ocsp/ee/ocsp/
+ Secure Admin URL = https://pki.example.com:8443/ocsp/services
+ PKI Console Command = pkiconsole https://pki.example.com:8443/ocsp
+ Tomcat Port = 8005 (for shutdown)
+
+ [TKS Status Definitions]
+- Unsecure URL = http://pki.example.com:8080/tks/ee/tks
+ Secure Agent URL = https://pki.example.com:8443/tks/agent/tks
+ Secure Admin URL = https://pki.example.com:8443/tks/services
+ PKI Console Command = pkiconsole https://pki.example.com:8443/tks
+diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml
+index 81a8016..d944d32 100644
+--- a/base/server/tomcat7/conf/server.xml
++++ b/base/server/tomcat7/conf/server.xml
+@@ -37,7 +37,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
+ --> + + + + + + + + + + + +