Product Documentation

Fixes and Changes in SKFS 4.4.2

#

Explanation

DEV-1903

Separate service credentials for registration and authentication; administration

SKFS previously had only one LDAP/AD group (FIDOAuthorized), which allowed service credentials to both register and authenticate users. This change divides that authorization up for more granularity.

The LDAP lookup has been updated. Instead of one group (FIDOAuthorized) to verify service credentials for all FIDO operations, SKFS enables more granularity with multiple groups:

  • FIDORegAuthorized is used for registration operations (preregistration, registration)
  • FIDOSignAuthorized is used for authentication (preauthentication, authentication)
  • FIDOAdminAuthorized is used for administrative operations on policies and configurations

All other operations still rely on the FIDOAuthorized group.
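
For a least-privilege review after this change, the following added example (not part of SKFS or its distribution) reads a group export and reports which operation classes each service credential can reach. The sample LDIF, its DNs, the uniqueMember attribute and the rule that flags a credential holding more than one of the three new groups are assumptions; only the four group names come from this page.

```python
from collections import defaultdict

# Group names are from the release note; the scope labels summarize it.
GROUP_SCOPE = {
    "FIDORegAuthorized": "registration", "FIDOSignAuthorized": "authentication",
    "FIDOAdminAuthorized": "administration", "FIDOAuthorized": "other",
}
SPLIT_SCOPES = {"registration", "authentication", "administration"}

# Constructed sample export: DNs, entry layout and member attribute are assumed.
SAMPLE_LDIF = """\
dn: cn=FIDORegAuthorized,ou=groups,dc=example,dc=test
cn: FIDORegAuthorized
uniqueMember: cn=enroll-svc,ou=users,dc=example,dc=test
uniqueMember: cn=legacy-svc,ou=users,dc=example,dc=test

dn: cn=FIDOSignAuthorized,ou=groups,dc=example,dc=test
cn: FIDOSignAuthorized
uniqueMember: cn=login-svc,ou=users,dc=example,dc=test
uniqueMember: cn=legacy-svc,ou=users,dc=example,dc=test

dn: cn=FIDOAdminAuthorized,ou=groups,dc=example,dc=test
cn: FIDOAdminAuthorized
uniqueMember: cn=legacy-svc,ou=users,dc=example,dc=test

dn: cn=FIDOAuthorized,ou=groups,dc=example,dc=test
cn: FIDOAuthorized
uniqueMember: cn=login-svc,ou=users,dc=example,dc=test
"""

def scopes_by_credential(ldif_text, member_attr="uniquemember"):
    """Map each member DN to the operation classes its groups grant."""
    # Handles plain, unfolded "attr: value" lines only (no base64 values).
    scopes = defaultdict(set)
    for entry in ldif_text.strip().split("\n\n"):
        group, members = None, []
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            if key.lower() == "cn":
                group = value.strip()
            elif key.lower() == member_attr:
                members.append(value.strip().lower())
        if group in GROUP_SCOPE:
            for dn in members:
                scopes[dn].add(GROUP_SCOPE[group])
    return dict(scopes)

def overbroad(scopes):
    """Credentials holding more than one of the three separated rights."""
    return sorted(dn for dn, s in scopes.items() if len(s & SPLIT_SCOPES) > 1)
```
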

DEV-1969

Making the switch from OpenDJ to OpenLDAP

This change was implemented for the following reasons:

  • The latest version of OpenJDK 8 does not work with OpenDJ; OpenJDK must be downgraded before performing an OpenDJ install
  • The OpenDJ version StrongKey uses (3.0.0) has been marked as End of Life Support (EOSL)

DEV-1970

MariaDB Upgrade bufferpool size fix

  • When upgrading to the latest version of MariaDB, bufferpool size is now taken from the previous my.cnf instead of using the new value.

DEV-1971

The SKFS user creation script (create-SKFS-Users.sh) has been added to the FIDO Server distribution

  • This script adds default SKFS users to the specified, previously existing domain.

DEV-1972

getkeysinfo now returns more data

  • The getkeysinfo (REST/SOAP) web service now includes credential id and attestation format in its response.

DEV-1975

Create a script that performs administrative operations against OpenLDAP credentials:

  • Add User
  • Add User to Groups
  • Delete User
  • Change User Password
  • Add Administrator
  • Delete Administrator
  • Change Administrator Password

manageSKFSCreds.sh has been created to enable these operations.