From 48823cef6165435d5e1bda2019dfcd46ef5ec479 Mon Sep 17 00:00:00 2001
From: Christina Fu
Date: Fri, 17 Jan 2025 09:51:55 -0800
Subject: [PATCH] docs/installation/[ocsp,kra.tks.tps] replaced .md files with "Converted/moved to" message
---
 docs/installation/kra/Installing_KRA.md | 105 +---------
 docs/installation/kra/Installing_KRA_Clone.md | 137 +------------
 .../kra/Installing_KRA_Clone_with_HSM.md | 151 +-------------
 .../Installing_KRA_on_Separate_Instance.md | 109 +---------
 .../kra/Installing_KRA_with_Custom_Keys.md | 189 +-----------------
 .../kra/Installing_KRA_with_ECC.md | 141 +------------
 ...stalling_KRA_with_External_Certificates.md | 154 +-------------
 .../kra/Installing_KRA_with_HSM.md | 144 +------------
 ...ing_KRA_with_Secure_Database_Connection.md | 155 +-------------
 docs/installation/ocsp/Installing_OCSP.md | 2 +-
 .../ocsp/Installing_OCSP_Clone.md | 2 +-
 .../ocsp/Installing_OCSP_Clone_with_HSM.md | 2 +-
 .../ocsp/Installing_OCSP_with_Custom_Keys.md | 2 +-
 .../ocsp/Installing_OCSP_with_ECC.md | 2 +-
 ...talling_OCSP_with_External_Certificates.md | 2 +-
 .../ocsp/Installing_OCSP_with_HSM.md | 2 +-
 ...ng_OCSP_with_Secure_Database_Connection.md | 2 +-
 docs/installation/tks/Installing_TKS.md | 85 +------
 docs/installation/tks/Installing_TKS_Clone.md | 131 +----------
 .../tks/Installing_TKS_with_ECC.md | 129 +----------
 .../tks/Installing_TKS_with_HSM.md | 122 +---------
 ...ing_TKS_with_Secure_Database_Connection.md | 133 +----------
 docs/installation/tps/Installing_TPS.md | 87 +------
 docs/installation/tps/Installing_TPS_Clone.md | 132 +----------
 .../tps/Installing_TPS_with_HSM.md | 124 +---------
 ...ing_TPS_with_Secure_Database_Connection.md | 135 +------------
 26 files changed, 26 insertions(+), 2353 deletions(-)
diff --git a/docs/installation/kra/Installing_KRA.md b/docs/installation/kra/Installing_KRA.md
index f4da0183e77..bc44e0a4c4d 100644
--- a/docs/installation/kra/Installing_KRA.md
+++ b/docs/installation/kra/Installing_KRA.md
@@ -1,104 +1 @@ -Installing KRA -============== - -Overview --------- - -This page describes the process to install a KRA subsystem. - -KRA Subsystem Installation --------------------------- - -Prepare a file (e.g. kra.cfg) that contains the deployment configuration. -A sample deployment configuration is available at [/usr/share/pki/server/examples/installation/kra.cfg](../../../base/server/examples/installation/kra.cfg). - -Then execute the following command: - -``` -$ pkispawn -f kra.cfg -s KRA -``` - -It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: -* server NSS database: /var/lib/pki/pki-tomcat/conf/alias -* admin NSS database: ~/.dogtag/pki-tomcat/kra/alias - -**Note**: When KRA is installed on a new system without any other subsystems, -it is necessary to provide the CA's root certificate. Specify the path to -the CA PKCS#7 PEM file in the `pki_cert_chain_path`. This will allow the server -to verify the CA's SSL server certificate when contacting the security domain. -It is up to the administrator to securely transport the CA root certificate -(public key only!) to the system prior to KRA installation. - -Verifying System Certificates ------------------------------ - -Verify that the server NSS database contains the following certificates: - -``` -$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias - -Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - -ca_signing CT,C,C -kra_transport u,u,u -kra_storage u,u,u -subsystem u,u,u -kra_audit_signing u,u,Pu -sslserver u,u,u -``` - -Verifying Admin Certificate ---------------------------- - -Prepare a client NSS database (e.g. 
~/.dogtag/nssdb): - -``` -$ pki -c Secret.123 client-init -``` - -Import the CA signing certificate: - -``` -$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt -``` - -Import admin key and certificate: - -``` -$ pki -c Secret.123 pkcs12-import \ - --pkcs12 ca_admin_cert.p12 \ - --pkcs12-password Secret.123 -``` - -Verify that the admin certificate can be used to access the KRA subsystem by executing the following command: - -``` -$ pki -c Secret.123 -n caadmin kra-user-show kraadmin ---------------- -User "kraadmin" ---------------- - User ID: kraadmin - Full name: kraadmin - Email: kraadmin@example.com - Type: adminType - State: 1 -``` - -Verifying KRA Connector ------------------------ - -Verify that the KRA connector is configured in the CA subsystem: - -``` -$ pki -c Secret.123 -n caadmin ca-kraconnector-show - -Host: pki.example.com:8443 -Enabled: true -Local: false -Timeout: 30 -URI: /kra/agent/kra/connector -Transport Cert: - - -``` +Converted/moved to [Installing_KRA.adoc](../kra/Installing_KRA.adoc) \ No newline at end of file diff --git a/docs/installation/kra/Installing_KRA_Clone.md b/docs/installation/kra/Installing_KRA_Clone.md index e99f0e78f17..808e8d9514f 100644 --- a/docs/installation/kra/Installing_KRA_Clone.md +++ b/docs/installation/kra/Installing_KRA_Clone.md 
@@ -1,136 +1 @@ -Installing KRA Clone -==================== - -Overview --------- - -This page describes the process to install a KRA subsystem as a clone of an existing KRA subsystem. - -Before beginning with the installation, please ensure that you have configured the directory -server and added base entries. -The step is described [here](https://github.com/dogtagpki/pki/wiki/DS-Installation). - -Additionally, make sure the FQDN has been [configured](../server/FQDN_Configuration.adoc) correctly. - -Exporting Existing KRA System Certificates ------------------------------------------- - -On the existing system, export the KRA system certificates with the following command: - -``` -$ pki-server kra-clone-prepare \ - --pkcs12-file kra-certs.p12 \ - --pkcs12-password Secret.123 -``` - -The command will export the following certificates (including the certificate chain) and their keys into a PKCS #12 file: - -* KRA storage certificate -* KRA transport certificate -* audit signing certificate -* subsystem certificate - -Note that the existing SSL server certificate will not be exported. - -If necessary, third-party certificates (e.g. trust anchors) can be added into the same PKCS #12 file with the following command: - -``` -$ pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/password.conf \ - pkcs12-cert-import \ - --pkcs12-file kra-certs.p12 \ - --pkcs12-password Secret.123 \ - --append -``` - -KRA Subsystem Installation --------------------------- - -Prepare a deployment configuration (e.g. `kra-clone.cfg`) to deploy KRA subsystem clone. -By default the subsystem will be deployed into a Tomcat instance called `pki-tomcat`. - -A sample deployment configuration is available at [/usr/share/pki/server/examples/installation/kra-clone.cfg](../../../base/server/examples/installation/kra-clone.cfg). 
-It assumes that the primary CA and KRA subsystems are running at https://primary.example.com:8443, -the CA signing certificate has been exported into `ca_signing.crt`, -and the admin certificate and key have been exported into `ca_admin_cert.p12`. -The PKCS #12 password is specified in the `pki_client_pkcs12_password` parameter. -See [Installing CA](../ca/Installing_CA.md) for details. - -To start the installation execute the following command: - -``` -$ pkispawn -f kra-clone.cfg -s KRA -``` - -KRA System Certificates ------------------------ - -After installation the existing KRA system certificates (including the certificate chain) -and their keys will be stored in the server NSS database (i.e. `/var/lib/pki/pki-tomcat/conf/alias`), -and a new SSL server certificate will be created for the new instance: - -``` -$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias - -Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - -ca_signing CT,C,C -kra_storage u,u,u -sslserver u,u,u -subsystem u,u,u -kra_audit_signing u,u,Pu -kra_transport u,u,u -``` - -If necessary, the certificates can be exported into PEM files with the following command: - -``` -$ pki-server cert-export --cert-file -``` - -The valid certificate IDs for KRA are: -* `kra_storage_signing` -* `kra_transport_signing` -* `kra_audit_signing` -* `subsystem` -* `sslserver` - -Note that the `pki-server cert-export` command takes a certificate ID instead of a nickname. -For simplicity the nicknames in this example are configured to be the same as the certificate IDs. 
- -Admin Certificate ------------------ - -To use the admin certificate from the CA subsystem, prepare a client NSS database (default is `~/.dogtag/nssdb`): - -``` -$ pki client-init -``` - -Then import the CA signing certificate into the client NSS database: - -``` -$ pki client-cert-import ca_signing --ca-cert ca_signing.crt -``` - -Finally, import admin certificate and key with the following command: - -``` -$ pki pkcs12-import \ - --pkcs12 ca_admin_cert.p12 \ - --pkcs12-password Secret.123 -``` - -To verify that the admin certificate can be used to access the KRA subsystem clone, execute the following command: - -``` -$ pki -n caadmin kra-user-show kraadmin ---------------- -User "kraadmin" ---------------- - User ID: kraadmin - Full name: kraadmin - Email: kraadmin@example.com - Type: adminType - State: 1 -``` +Converted/moved to [Installing_KRA_Clone.adoc](../kra/Installing_KRA_Clone.adoc) \ No newline at end of file diff --git a/docs/installation/kra/Installing_KRA_Clone_with_HSM.md b/docs/installation/kra/Installing_KRA_Clone_with_HSM.md index b38d2af27ca..7e0c8695403 100644 --- a/docs/installation/kra/Installing_KRA_Clone_with_HSM.md +++ b/docs/installation/kra/Installing_KRA_Clone_with_HSM.md 
@@ -1,150 +1 @@ -Installing KRA Clone with HSM -============================= - -Overview --------- - -This page describes the process to install a KRA subsystem as a clone of an existing KRA subsystem -where the system certificates and their keys are stored in HSM. - -Since the certificates and the keys are already in HSM, it's not necessary to export them into a -PKCS #12 file to create a clone. - -KRA Subsystem Installation --------------------------- - -Prepare a file (e.g. kra.cfg) that contains the deployment configuration, for example: - -``` -[DEFAULT] -pki_server_database_password=Secret.123 - -pki_hsm_enable=True -pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so -pki_hsm_modulename=softhsm -pki_token_name=HSM -pki_token_password=Secret.HSM - -[KRA] -pki_admin_email=kraadmin@example.com -pki_admin_name=kraadmin -pki_admin_nickname=kraadmin -pki_admin_password=Secret.123 -pki_admin_uid=kraadmin - -pki_client_pkcs12_password=Secret.123 - -pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com -pki_ds_database=kra -pki_ds_password=Secret.123 - -pki_security_domain_hostname=pki.example.com -pki_security_domain_https_port=8443 -pki_security_domain_user=caadmin -pki_security_domain_password=Secret.123 - -pki_storage_nickname=kra_storage -pki_transport_nickname=kra_transport -pki_audit_signing_nickname=kra_audit_signing -pki_sslserver_nickname=sslserver/replica.example.com -pki_subsystem_nickname=subsystem - -pki_clone=True -pki_clone_replicate_schema=True -pki_clone_uri=https://pki.example.com:8443 -``` - -Then execute the following command: - -``` -$ pkispawn -f kra.cfg -s KRA -``` - -It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: -* server NSS database: /var/lib/pki/pki-tomcat/conf/alias -* admin NSS database: ~/.dogtag/pki-tomcat/kra/alias - -Verifying System Certificates ------------------------------ - -Verify that the internal token contains the following certificates: - -``` -$ certutil -L -d 
/var/lib/pki/pki-tomcat/conf/alias - -Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - -ca_signing CT,C,C -kra_audit_signing ,,P -``` - -Verify that the HSM contains the following certificates: - -``` -$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -h HSM -f HSM.pwd - -Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - -HSM:kra_transport u,u,u -HSM:kra_storage u,u,u -HSM:subsystem u,u,u -HSM:kra_audit_signing u,u,Pu -HSM:sslserver/replica.example.com u,u,u -``` - -Verifying Admin Certificate ---------------------------- - -Prepare a client NSS database (e.g. ~/.dogtag/nssdb): - -``` -$ pki -c Secret.123 client-init -``` - -Import the CA signing certificate: - -``` -$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt -``` - -Import admin key and certificate: - -``` -$ pki -c Secret.123 pkcs12-import \ - --pkcs12 ca_admin_cert.p12 \ - --pkcs12-password Secret.123 -``` - -Verify that the admin certificate can be used to access the KRA subsystem by executing the following command: - -``` -$ pki -c Secret.123 -n caadmin kra-user-show kraadmin ---------------- -User "kraadmin" ---------------- - User ID: kraadmin - Full name: kraadmin - Email: kraadmin@example.com - Type: adminType - State: 1 -``` - -Verifying KRA Connector ------------------------ - -Verify that the KRA connector is configured in the CA subsystem: - -``` -$ pki -c Secret.123 -n caadmin ca-kraconnector-show - -Host: pki.example.com:8443 -Enabled: true -Local: false -Timeout: 30 -URI: /kra/agent/kra/connector -Transport Cert: - - -``` +Converted/moved to [Installing_KRA_Clone_with_HSM.adoc](../kra/Installing_KRA_Clone_with_HSM.adoc) \ No newline at end of file diff --git a/docs/installation/kra/Installing_KRA_on_Separate_Instance.md b/docs/installation/kra/Installing_KRA_on_Separate_Instance.md index 8a09a56ccd0..1ee2535568a 100644 --- a/docs/installation/kra/Installing_KRA_on_Separate_Instance.md 
+++ b/docs/installation/kra/Installing_KRA_on_Separate_Instance.md 
@@ -1,108 +1 @@ -Installing KRA on Separate Instance -=================================== - -Overview --------- - -This page describes the process to install a KRA subsystem on an instance/host separate from the CA. - -KRA Subsystem Installation --------------------------- - -Prepare a file (e.g. kra-separate.cfg) that contains the deployment configuration. - -A sample deployment configuration is available at [/usr/share/pki/server/examples/installation/kra-separate.cfg](../../../base/server/examples/installation/kra-separate.cfg). -It assumes that the CA is running at https://ca.example.com:8443, -the CA signing certificate has been exported into `ca_signing.crt`, -and the admin certificate has been exported into `ca_admin.cert`. - -Then execute the following command: - -``` -$ pkispawn -f kra-separate.cfg -s KRA -``` - -It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: -* server NSS database: /var/lib/pki/pki-tomcat/conf/alias -* admin NSS database: ~/.dogtag/pki-tomcat/kra/alias - -**Note**: When KRA is installed on a new system without any other subsystems, -it is necessary to provide the CA's root certificate. Specify the path to -the CA PKCS#7 PEM file in the `pki_cert_chain_path`. This will allow the server -to verify the CA's SSL server certificate when contacting the security domain. -It is up to the administrator to securely transport the CA root certificate -(public key only!) to the system prior to KRA installation. 
- -Verifying System Certificates ------------------------------ - -Verify that the server NSS database contains the following certificates: - -``` -$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias - -Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - -ca_signing CT,C,C -kra_transport u,u,u -kra_storage u,u,u -subsystem u,u,u -kra_audit_signing u,u,Pu -sslserver u,u,u -``` - -Verifying Admin Certificate ---------------------------- - -Prepare a client NSS database (e.g. ~/.dogtag/nssdb): - -``` -$ pki -c Secret.123 client-init -``` - -Import the CA signing certificate: - -``` -$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt -``` - -Import CA admin key and certificate: - -``` -$ pki -c Secret.123 pkcs12-import \ - --pkcs12 ca_admin_cert.p12 \ - --pkcs12-password Secret.123 -``` - -Verify that the CA admin certificate can be used to access the KRA subsystem by executing the following command: - -``` -$ pki -c Secret.123 -n caadmin kra-user-show kraadmin ---------------- -User "kraadmin" ---------------- - User ID: kraadmin - Full name: kraadmin - Email: kraadmin@example.com - Type: adminType - State: 1 -``` - -Verifying KRA Connector ------------------------ - -Verify that the KRA connector is configured in the CA subsystem: - -``` -$ pki -c Secret.123 -n caadmin ca-kraconnector-show - -Host: kra.example.com:8443 -Enabled: true -Local: false -Timeout: 30 -URI: /kra/agent/kra/connector -Transport Cert: - - -``` +Converted/moved to [Installing_KRA_on_Separate_Instance.adoc](../kra/Installing_KRA_on_Separate_Instance.adoc) \ No newline at end of file diff --git a/docs/installation/kra/Installing_KRA_with_Custom_Keys.md b/docs/installation/kra/Installing_KRA_with_Custom_Keys.md index 266994474a5..1f83690759e 100644 --- a/docs/installation/kra/Installing_KRA_with_Custom_Keys.md +++ b/docs/installation/kra/Installing_KRA_with_Custom_Keys.md 
@@ -1,188 +1 @@ -Installing KRA with Custom Keys -=============================== - -Overview --------- - -This page describes the process to install a KRA subsystem with custom KRA system and admin keys, CSRs, and certificates. - -Starting KRA Subsystem Installation ------------------------------------ - -Prepare a file (e.g. kra-step1.cfg) that contains the deployment configuration step 1, for example: - -``` -[DEFAULT] -pki_server_database_password=Secret.123 - -[KRA] -pki_admin_email=kraadmin@example.com -pki_admin_name=kraadmin -pki_admin_nickname=kraadmin -pki_admin_password=Secret.123 -pki_admin_uid=kraadmin - -pki_client_pkcs12_password=Secret.123 - -pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com -pki_ds_database=kra -pki_ds_password=Secret.123 - -pki_security_domain_name=EXAMPLE -pki_security_domain_user=caadmin -pki_security_domain_password=Secret.123 - -pki_storage_nickname=kra_storage -pki_transport_nickname=kra_transport -pki_subsystem_nickname=subsystem -pki_sslserver_nickname=sslserver -pki_audit_signing_nickname=kra_audit_signing - -pki_external=True -pki_external_step_two=False -``` - -Then execute the following command: - -``` -$ pkispawn -f kra-step1.cfg -s KRA -``` - -It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: -* server NSS database: /var/lib/pki/pki-tomcat/conf/alias -* admin NSS database: ~/dogtag/pki-tomcat/kra/alias - -Since there are no CSR path parameters specified, it will not generate KRA system and admin keys. 
- -Generating KRA Keys, CSRs, and Certificates -------------------------------------------- - -Generate custom KRA system keys in the server NSS database and admin key in the admin NSS database, then generate the CSRs and store them in files, for example: -* kra_storage.csr -* kra_transport.csr -* subsystem.csr -* sslserver.csr -* kra_audit_signing.csr -* kra_admin.csr - -Submit the CSRs to an external CA to issue the certificates, then store the certificates in files, for example: -* kra_storage.crt -* kra_transport.crt -* subsystem.crt -* sslserver.crt -* kra_audit_signing.crt -* kra_admin.crt - -The certificates can be specified as single certificates or PKCS #7 certificate chains in PEM format. - -Store the external CA certificate chain in a file (e.g. ca_signing.crt). The certificate chain can be specified as a single certificate or PKCS #7 certificate chain in PEM format. The certificate chain should include all CA certificates from the root CA to the external CA that issued the KRA system and admin certificates. - -See also: -* [Generating KRA Storage Certificate](https://github.com/dogtagpki/pki/wiki/Generating-KRA-Storage-Certificate) -* [Generating KRA Transport Certificate](https://github.com/dogtagpki/pki/wiki/Generating-KRA-Transport-Certificate) -* [Generating Subsystem Certificate](https://github.com/dogtagpki/pki/wiki/Generating-Subsystem-Certificate) -* [Generating SSL Server Certificate](https://github.com/dogtagpki/pki/wiki/Generating-SSL-Server-Certificate) -* [Generating Audit Signing Certificate](https://github.com/dogtagpki/pki/wiki/Generating-Audit-Signing-Certificate) -* [Generating Admin Certificate](https://github.com/dogtagpki/pki/wiki/Generating-Admin-Certificate) - -Finishing KRA Subsystem Installation ------------------------------------- - -Prepare another file (e.g. kra-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. kra-step1.cfg) with additional changes below. 
- -Specify step 2 with the following parameter: - -``` -pki_external_step_two=True -``` - -Specify the custom CSRs with the following parameters: - -``` -pki_storage_csr_path=kra_storage.csr -pki_transport_csr_path=kra_transport.csr -pki_subsystem_csr_path=subsystem.csr -pki_sslserver_csr_path=sslserver.csr -pki_audit_signing_csr_path=kra_audit_signing.csr -pki_admin_csr_path=kra_admin.csr -``` - -Specify the custom certificates with the following parameters: - -``` -pki_storage_cert_path=kra_storage.crt -pki_transport_cert_path=kra_transport.crt -pki_subsystem_cert_path=subsystem.crt -pki_sslserver_cert_path=sslserver.crt -pki_audit_signing_cert_path=kra_audit_signing.crt -pki_admin_cert_path=kra_admin.crt -``` - -Specify the external CA certificate chain with the following parameters: - -``` -pki_cert_chain_nickname=ca_signing -pki_cert_chain_path=ca_signing.crt -``` - -Finally, execute the following command: - -``` -$ pkispawn -f kra-step2.cfg -s KRA -``` - -Verifying System Certificates ------------------------------ - -Verify that the server NSS database contains the following certificates: - -``` -$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias - -Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - -ca_signing CT,C,C -kra_storage CTu,Cu,Cu -kra_transport u,u,u -subsystem u,u,u -kra_audit_signing u,u,Pu -sslserver u,u,u -``` - -Verifying Admin Certificate ---------------------------- - -Prepare a client NSS database (e.g. 
~/.dogtag/nssdb): - -``` -$ pki -c Secret.123 client-init -``` - -Import the external CA certificate chain: - -``` -$ pki -c Secret.123 client-cert-import --ca-cert ca_signing.crt -``` - -Import the admin key and certificate: - -``` -$ pki -c Secret.123 pkcs12-import \ - --pkcs12 ~/.dogtag/pki-tomcat/kra_admin_cert.p12 \ - --pkcs12-password Secret.123 -``` - -Verify that the admin certificate can be used to access KRA by executing the following command: - -``` -$ pki -c Secret.123 -n kraadmin kra-user-show kraadmin ---------------- -User "kraadmin" ---------------- - User ID: kraadmin - Full name: kraadmin - Email: kraadmin@example.com - Type: adminType - State: 1 -``` +Converted/moved to [Installing_KRA_with_Custom_Keys.adoc](../kra/Installing_KRA_with_Custom_Keys.adoc) \ No newline at end of file diff --git a/docs/installation/kra/Installing_KRA_with_ECC.md b/docs/installation/kra/Installing_KRA_with_ECC.md index 884656ab793..4c1b81dd842 100644 --- a/docs/installation/kra/Installing_KRA_with_ECC.md +++ b/docs/installation/kra/Installing_KRA_with_ECC.md 
@@ -1,140 +1 @@ -Installing KRA with ECC -====================== - -Overview --------- - -This page describes the process to install a KRA subsystem with ECC. - -Supported ECC curves: - -- nistp256 -- nistp384 -- nistp521 - -Supported ECC key algorithms: - -- SHA256withEC -- SHA384withEC -- SHA512withEC - -KRA Subsystem Installation --------------------------- - -Prepare a file (e.g. kra.cfg) that contains the deployment configuration, for example: -``` -[DEFAULT] -pki_server_database_password=Secret.123 - -[KRA] -pki_admin_cert_file=ca_admin.cert -pki_admin_email=kraadmin@example.com -pki_admin_name=kraadmin -pki_admin_nickname=kraadmin -pki_admin_password=Secret.123 -pki_admin_uid=kraadmin - -pki_client_pkcs12_password=Secret.123 - -pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com -pki_ds_database=kra -pki_ds_password=Secret.123 - -pki_security_domain_name=EXAMPLE -pki_security_domain_user=caadmin -pki_security_domain_password=Secret.123 - -pki_storage_nickname=kra_storage -pki_storage_key_type=rsa -pki_storage_key_algorithm=SHA512withRSA -pki_storage_key_size=2048 -pki_storage_signing_algorithm=SHA512withRSA - -pki_transport_nickname=kra_transport -pki_transport_key_type=rsa -pki_transport_key_algorithm=SHA512withRSA -pki_transport_key_size=2048 -pki_transport_signing_algorithm=SHA512withRSA - -pki_audit_signing_nickname=kra_audit_signing -pki_audit_signing_key_type=ecc -pki_audit_signing_key_algorithm=SHA512withEC -pki_audit_signing_key_size=nistp521 -pki_audit_signing_signing_algorithm=SHA512withEC - -pki_sslserver_nickname=sslserver -pki_sslserver_key_type=ecc -pki_sslserver_key_algorithm=SHA512withEC -pki_sslserver_key_size=nistp521 - -pki_subsystem_nickname=subsystem -pki_subsystem_key_type=ecc -pki_subsystem_key_algorithm=SHA512withEC -pki_subsystem_key_size=nistp521 -``` - -Then execute the following command: - -``` -$ pkispawn -f kra.cfg -s KRA -``` - -It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS 
databases: -* server NSS database: /var/lib/pki/pki-tomcat/conf/alias -* admin NSS database: ~/.dogtag/pki-tomcat/kra/alias - -Verifying System Certificates ------------------------------ - -Verify that the server NSS database contains the following certificates: - -``` -$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias - -Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - -ca_signing CT,C,C -kra_transport u,u,u -kra_storage u,u,u -subsystem u,u,u -kra_audit_signing u,u,Pu -sslserver u,u,u -``` - -Verifying Admin Certificate ---------------------------- - -Prepare a client NSS database (e.g. ~/.dogtag/nssdb): - -``` -$ pki -c Secret.123 client-init -``` - -Import the CA signing certificate: - -``` -$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt -``` - -Import admin key and certificate: - -``` -$ pki -c Secret.123 pkcs12-import \ - --pkcs12 ca_admin_cert.p12 \ - --pkcs12-password Secret.123 -``` - -Verify that the admin certificate can be used to access the KRA subsystem by executing the following command: - -``` -$ pki -c Secret.123 -n caadmin kra-user-show kraadmin --------------- -User "kraadmin" --------------- - User ID: kraadmin - Full name: kraadmin - Email: kraadmin@example.com - Type: adminType - State: 1 -``` +Converted/moved to [Installing_KRA_with_ECC.adoc](../kra/Installing_KRA_with_ECC.adoc) \ No newline at end of file diff --git a/docs/installation/kra/Installing_KRA_with_External_Certificates.md b/docs/installation/kra/Installing_KRA_with_External_Certificates.md index 4a62412c35c..c3d6777aec4 100644 --- a/docs/installation/kra/Installing_KRA_with_External_Certificates.md +++ b/docs/installation/kra/Installing_KRA_with_External_Certificates.md 
@@ -1,153 +1 @@ -Installing KRA with External Certificates -========================================= - -Overview --------- - -This page describes the process to install a KRA subsystem with external certificates. - -Starting KRA Subsystem Installation ------------------------------------ - -Prepare a file (e.g. kra-external-certs-step1.cfg) that contains the first deployment configuration. - -A sample deployment configuration is available at [/usr/share/pki/server/examples/installation/kra-external-certs-step1.cfg](../../../base/server/examples/installation/kra-external-certs-step1.cfg). -It assumes that the CA is running at https://ca.example.com:8443, -and the CA signing certificate has been exported into `ca_signing.crt`. - -Then execute the following command: - -``` -$ pkispawn -f kra-external-certs-step1.cfg -s KRA -``` - -It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: -* server NSS database: /var/lib/pki/pki-tomcat/conf/alias -* admin NSS database: ~/dogtag/pki-tomcat/kra/alias - -It will also generate the system keys in the server NSS database and the CSRs in the specified paths. - -Generating KRA Certificates ---------------------------- - -Submit the CSRs to an external CA to issue the certificates, then store the certificates in files, for example: -* kra_storage.crt -* kra_transport.crt -* subsystem.crt -* sslserver.crt -* kra_audit_signing.crt -* kra_admin.crt - -The certificates can be specified as single certificates or PKCS #7 certificate chains in PEM format. - -Store the external CA certificate chain in a file (e.g. ca_signing.crt). The certificate chain can be specified as a single certificate or PKCS #7 certificate chain in PEM format. The certificate chain should include all CA certificates from the root CA to the external CA that issued the KRA system and admin certificates. 
- -Finishing KRA Subsystem Installation ------------------------------------- - -Prepare another file (e.g. kra-external-certs-step2.cfg) that contains the second deployment configuration. -The file can be created from the first file (i.e. kra-external-certs-step1.cfg) with the following changes: - -``` -pki_external_step_two=True -``` - -Specify the external certificates with the following parameters: - -``` -pki_storage_cert_path=kra_storage.crt -pki_transport_cert_path=kra_transport.crt -pki_subsystem_cert_path=subsystem.crt -pki_sslserver_cert_path=sslserver.crt -pki_audit_signing_cert_path=kra_audit_signing.crt -pki_admin_cert_path=kra_admin.crt -``` - -Specify the external CA certificate chain with the following parameters: - -``` -pki_cert_chain_nickname=ca_signing -pki_cert_chain_path=ca_signing.crt -``` - -A sample deployment configuration is available at [/usr/share/pki/server/examples/installation/kra-external-certs-step2.cfg](../../../base/server/examples/installation/kra-external-certs-step2.cfg). - -Finally, execute the following command: - -``` -$ pkispawn -f kra-external-certs-step2.cfg -s KRA -``` - -Verifying System Certificates ------------------------------ - -Verify that the server NSS database contains the following certificates: - -``` -$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias - -Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - -ca_signing CT,C,C -kra_storage CTu,Cu,Cu -kra_transport u,u,u -subsystem u,u,u -kra_audit_signing u,u,Pu -sslserver u,u,u -``` - -Verifying Admin Certificate ---------------------------- - -Prepare a client NSS database (e.g. 
~/.dogtag/nssdb): - -``` -$ pki -c Secret.123 client-init -``` - -Import the CA certificate chain: - -``` -$ pki -c Secret.123 client-cert-import --ca-cert ca_signing.crt -``` - -Import the admin key and certificate: - -``` -$ pki -c Secret.123 pkcs12-import \ - --pkcs12 ~/.dogtag/pki-tomcat/kra_admin_cert.p12 \ - --pkcs12-password Secret.123 -``` - -Verify that the admin certificate can be used to access KRA by executing the following command: - -``` -$ pki -c Secret.123 -n kraadmin kra-user-show kraadmin ---------------- -User "kraadmin" ---------------- - User ID: kraadmin - Full name: kraadmin - Email: kraadmin@example.com - Type: adminType - State: 1 -``` - -Verifying KRA Connector ------------------------ - -Verify that the KRA connector is configured in the CA subsystem: - -``` -$ pki -c Secret.123 -n caadmin ca-kraconnector-show - -Host: kra.example.com:8443 -Enabled: true -Local: false -Timeout: 30 -URI: /kra/agent/kra/connector -Transport Cert: - - -``` +Converted/moved to [Installing_KRA_with_External_Certificates.adoc](../kra/Installing_KRA_with_External_Certificates.adoc) \ No newline at end of file diff --git a/docs/installation/kra/Installing_KRA_with_HSM.md b/docs/installation/kra/Installing_KRA_with_HSM.md index 1371e65bafa..c6702252137 100644 --- a/docs/installation/kra/Installing_KRA_with_HSM.md +++ b/docs/installation/kra/Installing_KRA_with_HSM.md 
@@ -1,143 +1 @@
-Installing KRA with HSM
-=======================
-
-Overview
---------
-
-This page describes the process to install a KRA subsystem
-where the system certificates and their keys will be stored in HSM.
-
-KRA Subsystem Installation
---------------------------
-
-Prepare a file (e.g. kra.cfg) that contains the deployment configuration, for example:
-
-```
-[DEFAULT]
-pki_server_database_password=Secret.123
-
-pki_hsm_enable=True
-pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
-pki_hsm_modulename=softhsm
-pki_token_name=HSM
-pki_token_password=Secret.HSM
-
-[KRA]
-pki_admin_cert_file=ca_admin.cert
-pki_admin_email=kraadmin@example.com
-pki_admin_name=kraadmin
-pki_admin_nickname=kraadmin
-pki_admin_password=Secret.123
-pki_admin_uid=kraadmin
-
-pki_client_pkcs12_password=Secret.123
-
-pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
-pki_ds_database=kra
-pki_ds_password=Secret.123
-
-pki_security_domain_name=EXAMPLE
-pki_security_domain_user=caadmin
-pki_security_domain_password=Secret.123
-
-pki_storage_nickname=kra_storage
-pki_transport_nickname=kra_transport
-pki_audit_signing_nickname=kra_audit_signing
-pki_sslserver_nickname=sslserver/pki.example.com
-pki_subsystem_nickname=subsystem
-```
-
-Then execute the following command:
-
-```
-$ pkispawn -f kra.cfg -s KRA
-```
-
-It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
-* server NSS database: /var/lib/pki/pki-tomcat/conf/alias
-* admin NSS database: ~/.dogtag/pki-tomcat/kra/alias
-
-Verifying System Certificates
------------------------------
-
-Verify that the internal token contains the following certificates:
-
-```
-$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
-
-Certificate Nickname Trust Attributes
- SSL,S/MIME,JAR/XPI
-
-ca_signing CT,C,C
-kra_audit_signing ,,P
-```
-
-Verify that the HSM contains the following certificates:
-
-```
-$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -h HSM -f HSM.pwd
-
-Certificate 
Nickname Trust Attributes
- SSL,S/MIME,JAR/XPI
-
-HSM:kra_transport u,u,u
-HSM:kra_storage u,u,u
-HSM:subsystem u,u,u
-HSM:kra_audit_signing u,u,Pu
-HSM:sslserver/pki.example.com u,u,u
-```
-
-Verifying Admin Certificate
----------------------------
-
-Prepare a client NSS database (e.g. ~/.dogtag/nssdb):
-
-```
-$ pki -c Secret.123 client-init
-```
-
-Import the CA signing certificate:
-
-```
-$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
-```
-
-Import admin key and certificate:
-
-```
-$ pki -c Secret.123 pkcs12-import \
- --pkcs12 ca_admin_cert.p12 \
- --pkcs12-password Secret.123
-```
-
-Verify that the admin certificate can be used to access the KRA subsystem by executing the following command:
-
-```
-$ pki -c Secret.123 -n caadmin kra-user-show kraadmin
----------------
-User "kraadmin"
----------------
- User ID: kraadmin
- Full name: kraadmin
- Email: kraadmin@example.com
- Type: adminType
- State: 1
-```
-
-Verifying KRA Connector
------------------------
-
-Verify that the KRA connector is configured in the CA subsystem:
-
-```
-$ pki -c Secret.123 -n caadmin ca-kraconnector-show
-
-Host: pki.example.com:8443
-Enabled: true
-Local: false
-Timeout: 30
-URI: /kra/agent/kra/connector
-Transport Cert:
-
-
-```
+Converted/moved to [Installing_KRA_with_HSM.adoc](../kra/Installing_KRA_with_HSM.adoc)
\ No newline at end of file
diff --git a/docs/installation/kra/Installing_KRA_with_Secure_Database_Connection.md b/docs/installation/kra/Installing_KRA_with_Secure_Database_Connection.md
index 5f08a46938f..54054ad0c6b 100644
--- a/docs/installation/kra/Installing_KRA_with_Secure_Database_Connection.md
+++ b/docs/installation/kra/Installing_KRA_with_Secure_Database_Connection.md
@@ -1,154 +1 @@
-Installing KRA with Secure Database Connection
-==============================================
-
-Overview
---------
-
-This page describes the process to install a KRA subsystem with a secure database connection.
-
-Ensure that the secure connection has been enabled on the directory server.
-Export the signing certificate for the directory server into ds_signing.crt.
-This step is described [here](https://www.dogtagpki.org/wiki/DS_SSL).
-
-KRA Subsystem Installation
---------------------------
-
-Prepare a file (e.g. kra.cfg) that contains the deployment configuration, for example:
-
-```
-[DEFAULT]
-pki_server_database_password=Secret.123
-
-[KRA]
-pki_admin_cert_file=ca_admin.cert
-pki_admin_email=kraadmin@example.com
-pki_admin_name=kraadmin
-pki_admin_nickname=kraadmin
-pki_admin_password=Secret.123
-pki_admin_uid=kraadmin
-
-pki_client_pkcs12_password=Secret.123
-
-pki_ds_url=ldaps://localhost:636
-pki_ds_secure_connection_ca_nickname=ds_signing
-pki_ds_secure_connection_ca_pem_file=ds_signing.crt
-
-pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
-pki_ds_database=kra
-pki_ds_password=Secret.123
-
-pki_security_domain_name=EXAMPLE
-pki_security_domain_user=caadmin
-pki_security_domain_password=Secret.123
-
-pki_storage_nickname=kra_storage
-pki_transport_nickname=kra_transport
-pki_audit_signing_nickname=kra_audit_signing
-pki_sslserver_nickname=sslserver
-pki_subsystem_nickname=subsystem
-```
-
-Then execute the following command:
-
-```
-$ pkispawn -f kra.cfg -s KRA
-```
-
-It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
-* server NSS database: /var/lib/pki/pki-tomcat/conf/alias
-* admin NSS database: ~/.dogtag/pki-tomcat/kra/alias
-
-Verifying System Certificates
------------------------------
-
-Verify that the server NSS database contains the following certificates:
-
-```
-$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
-
-Certificate Nickname Trust Attributes
- 
SSL,S/MIME,JAR/XPI
-
-ds_signing CT,C,C
-ca_signing CT,C,C
-kra_transport u,u,u
-kra_storage u,u,u
-subsystem u,u,u
-kra_audit_signing u,u,Pu
-sslserver u,u,u
-```
-
-Verifying Database Configuration
---------------------------------
-
-Verify that the KRA database is configured with a secure connection:
-
-```
-$ pki-server kra-db-config-show
- Hostname: pki.example.com
- Port: 636
- Secure: true
- Authentication: BasicAuth
- Bind DN: cn=Directory Manager
- Bind Password Prompt: internaldb
- Database: kra
- Base DN: dc=kra,dc=pki,dc=example,dc=com
- Multiple suffix: false
- Maximum connections: 15
- Minimum connections: 3
-```
-
-Verifying Admin Certificate
----------------------------
-
-Prepare a client NSS database (e.g. ~/.dogtag/nssdb):
-
-```
-$ pki -c Secret.123 client-init
-```
-
-Import the CA signing certificate:
-
-```
-$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
-```
-
-Import admin key and certificate:
-
-```
-$ pki -c Secret.123 pkcs12-import \
- --pkcs12 ca_admin_cert.p12 \
- --pkcs12-password Secret.123
-```
-
-Verify that the admin certificate can be used to access the KRA subsystem by executing the following command:
-
-```
-$ pki -c Secret.123 -n caadmin kra-user-show kraadmin
----------------
-User "kraadmin"
----------------
- User ID: kraadmin
- Full name: kraadmin
- Email: kraadmin@example.com
- Type: adminType
- State: 1
-```
-
-Verifying KRA Connector
------------------------
-
-Verify that the KRA connector is configured in the CA subsystem:
-
-```
-$ pki -c Secret.123 -n caadmin ca-kraconnector-show
-
-Host: pki.example.com:8443
-Enabled: true
-Local: false
-Timeout: 30
-URI: /kra/agent/kra/connector
-Transport Cert:
-
-
-```
+Converted/moved to [Installing_KRA_with_Secure_Database_Connection.adoc](../kra/Installing_KRA_with_Secure_Database_Connection.adoc)
\ No newline at end of file
diff --git a/docs/installation/ocsp/Installing_OCSP.md b/docs/installation/ocsp/Installing_OCSP.md
index 0dd9cc94835..1901e6f05f2 100644
--- a/docs/installation/ocsp/Installing_OCSP.md
+++ b/docs/installation/ocsp/Installing_OCSP.md
@@ -1 +1 @@
-This page has been converted/moved to [Installing_OCSP.adoc](Installing_OCSP.adoc).
+Converted/moved to [Installing_OCSP.adoc](../ocsp/Installing_OCSP.adoc)
\ No newline at end of file
diff --git a/docs/installation/ocsp/Installing_OCSP_Clone.md b/docs/installation/ocsp/Installing_OCSP_Clone.md
index f8f98d6f2ad..abb6a87c5d6 100644
--- a/docs/installation/ocsp/Installing_OCSP_Clone.md
+++ b/docs/installation/ocsp/Installing_OCSP_Clone.md
@@ -1 +1 @@
-This page has been converted/moved to [Installing_OCSP_Clone.adoc](../ocsp/Installing_OCSP_Clone.adoc).
+Converted/moved to [Installing_OCSP_Clone.adoc](../ocsp/Installing_OCSP_Clone.adoc)
\ No newline at end of file
diff --git a/docs/installation/ocsp/Installing_OCSP_Clone_with_HSM.md b/docs/installation/ocsp/Installing_OCSP_Clone_with_HSM.md
index 5d5d43ebdab..e297d866afc 100644
--- a/docs/installation/ocsp/Installing_OCSP_Clone_with_HSM.md
+++ b/docs/installation/ocsp/Installing_OCSP_Clone_with_HSM.md
@@ -1 +1 @@
-This page has been converted/moved to [Installing_OCSP_Clone_with_HSM.adoc](../ocsp/Installing_OCSP_Clone_with_HSM.adoc).
+Converted/moved to [Installing_OCSP_Clone_with_HSM.adoc](../ocsp/Installing_OCSP_Clone_with_HSM.adoc)
\ No newline at end of file
diff --git a/docs/installation/ocsp/Installing_OCSP_with_Custom_Keys.md b/docs/installation/ocsp/Installing_OCSP_with_Custom_Keys.md
index 621540ca683..985bbba62c4 100644
--- a/docs/installation/ocsp/Installing_OCSP_with_Custom_Keys.md
+++ b/docs/installation/ocsp/Installing_OCSP_with_Custom_Keys.md
@@ -1 +1 @@
-This page has been copied/converted to [Installing_OCSP_with_Custom_Keys.adoc](Installing_OCSP_with_Custom_Keys.adoc).
+Converted/moved to [Installing_OCSP_with_Custom_Keys.adoc](../ocsp/Installing_OCSP_with_Custom_Keys.adoc)
\ No newline at end of file
diff --git a/docs/installation/ocsp/Installing_OCSP_with_ECC.md b/docs/installation/ocsp/Installing_OCSP_with_ECC.md
index b620255e6e4..e5e133a61dd 100644
--- a/docs/installation/ocsp/Installing_OCSP_with_ECC.md
+++ b/docs/installation/ocsp/Installing_OCSP_with_ECC.md
@@ -1 +1 @@
-This page has been converted/moved to [Installing_OCSP_with_ECC.adoc](Installing_OCSP_with_ECC.adoc)
+Converted/moved to [Installing_OCSP_with_ECC.adoc](../ocsp/Installing_OCSP_with_ECC.adoc)
\ No newline at end of file
diff --git a/docs/installation/ocsp/Installing_OCSP_with_External_Certificates.md b/docs/installation/ocsp/Installing_OCSP_with_External_Certificates.md
index 2e417072d43..d0710e85dee 100644
--- a/docs/installation/ocsp/Installing_OCSP_with_External_Certificates.md
+++ b/docs/installation/ocsp/Installing_OCSP_with_External_Certificates.md
@@ -1 +1 @@
-This content has been copied/converted to [Installing_OCSP_with_External_Certificates.adoc](Installing_OCSP_with_External_Certificates.adoc).
+Converted/moved to [Installing_OCSP_with_External_Certificates.adoc](../ocsp/Installing_OCSP_with_External_Certificates.adoc)
\ No newline at end of file
diff --git a/docs/installation/ocsp/Installing_OCSP_with_HSM.md b/docs/installation/ocsp/Installing_OCSP_with_HSM.md
index fcb18649363..3cc0e3f2068 100644
--- a/docs/installation/ocsp/Installing_OCSP_with_HSM.md
+++ b/docs/installation/ocsp/Installing_OCSP_with_HSM.md
@@ -1 +1 @@
-This content has been copied/converted to [Installing_OCSP_with_HSM.adoc](Installing_OCSP_with_HSM.adoc).
+Converted/moved to [Installing_OCSP_with_HSM.adoc](../ocsp/Installing_OCSP_with_HSM.adoc)
\ No newline at end of file
diff --git a/docs/installation/ocsp/Installing_OCSP_with_Secure_Database_Connection.md b/docs/installation/ocsp/Installing_OCSP_with_Secure_Database_Connection.md
index 677dc99506f..abb5b8a5cf6 100644
--- a/docs/installation/ocsp/Installing_OCSP_with_Secure_Database_Connection.md
+++ b/docs/installation/ocsp/Installing_OCSP_with_Secure_Database_Connection.md
@@ -1 +1 @@
-This page has been converted to [Installing_OCSP_with_Secure_Database_Connection.adoc](Installing_OCSP_with_Secure_Database_Connection.adoc).
+Converted/moved to [Installing_OCSP_with_Secure_Database_Connection.adoc](../ocsp/Installing_OCSP_with_Secure_Database_Connection.adoc)
\ No newline at end of file
diff --git a/docs/installation/tks/Installing_TKS.md b/docs/installation/tks/Installing_TKS.md
index b35443b8592..98acb6a836c 100644
--- a/docs/installation/tks/Installing_TKS.md
+++ b/docs/installation/tks/Installing_TKS.md
@@ -1,84 +1 @@
-Installing TKS
-==============
-
-Overview
---------
-
-This page describes the process to install a TKS subsystem.
-
-TKS Subsystem Installation
---------------------------
-
-Prepare a file (e.g. tks.cfg) that contains the deployment configuration.
-A sample deployment configuration is available at [/usr/share/pki/server/examples/installation/tks.cfg](../../../base/server/examples/installation/tks.cfg).
-
-Then execute the following command:
-
-```
-$ pkispawn -f tks.cfg -s TKS
-```
-
-It will install TKS subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
-* server NSS database: /var/lib/pki/pki-tomcat/conf/alias
-* admin NSS database: ~/.dogtag/pki-tomcat/tks/alias
-
-**Note**: When TKS is installed on a new system without any other subsystems,
-it is necessary to provide the CA's root certificate. Specify the path to
-the CA PKCS#7 PEM file in the `pki_cert_chain_path`. This will allow the server
-to verify the CA's SSL server certificate when contacting the security domain.
-It is up to the administrator to securely transport the CA root certificate
-(public key only!) to the system prior to TKS installation.
-
-Verifying System Certificates
------------------------------
-
-Verify that the server NSS database contains the following certificates:
-
-```
-$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
-
-Certificate Nickname Trust Attributes
- SSL,S/MIME,JAR/XPI
-
-ca_signing CT,C,C
-subsystem u,u,u
-tks_audit_signing u,u,Pu
-sslserver u,u,u
-```
-
-Verifying Admin Certificate
----------------------------
-
-Prepare a client NSS database (e.g. 
~/.dogtag/nssdb):
-
-```
-$ pki -c Secret.123 client-init
-```
-
-Import the CA signing certificate:
-
-```
-$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
-```
-
-Import admin key and certificate:
-
-```
-$ pki -c Secret.123 pkcs12-import \
- --pkcs12 ca_admin_cert.p12 \
- --pkcs12-password Secret.123
-```
-
-Verify that the admin certificate can be used to access the TKS subsystem by executing the following command:
-
-```
-$ pki -c Secret.123 -n caadmin tks-user-show tksadmin
----------------
-User "tksadmin"
----------------
- User ID: tksadmin
- Full name: tksadmin
- Email: tksadmin@example.com
- Type: adminType
- State: 1
-```
+Converted/moved to [Installing_TKS.adoc](../tks/Installing_TKS.adoc)
\ No newline at end of file
diff --git a/docs/installation/tks/Installing_TKS_Clone.md b/docs/installation/tks/Installing_TKS_Clone.md
index 769e9b837aa..3da4cfdb0dc 100644
--- a/docs/installation/tks/Installing_TKS_Clone.md
+++ b/docs/installation/tks/Installing_TKS_Clone.md
@@ -1,130 +1 @@
-Installing TKS Clone
-====================
-
-Overview
---------
-
-This page describes the process to install a TKS subsystem as a clone of an existing TKS subsystem.
-
-Before beginning with the installation, please ensure that you have configured the directory
-server and added base entries.
-The step is described [here](https://github.com/dogtagpki/pki/wiki/DS-Installation).
-
-Additionally, make sure the FQDN has been [configured](../server/FQDN_Configuration.adoc) correctly.
-
-Exporting Existing TKS System Certificates
-------------------------------------------
-
-On the existing system, export the TKS system certificates with the following command:
-
-```
-$ pki-server tks-clone-prepare \
- --pkcs12-file tks-certs.p12 \
- --pkcs12-password Secret.123
-```
-
-The command will export the following certificates (including the certificate chain) and their keys into a PKCS #12 file:
-
-* subsystem certificate
-* audit signing certificate
-
-Note that the existing SSL server certificate will not be exported.
-
-If necessary, third-party certificates (e.g. trust anchors) can be added into the same PKCS #12 file with the following command:
-
-```
-$ pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/password.conf \
- pkcs12-cert-import \
- --pkcs12-file tks-certs.p12 \
- --pkcs12-password Secret.123 \
- --append
-```
-
-TKS Subsystem Installation
---------------------------
-
-Prepare a deployment configuration (e.g. `tks-clone.cfg`) to deploy TKS subsystem clone.
-By default the subsystem will be deployed into a Tomcat instance called `pki-tomcat`.
-
-A sample deployment configuration is available at [/usr/share/pki/server/examples/installation/tks-clone.cfg](../../../base/server/examples/installation/tks-clone.cfg).
-It assumes that the primary CA and TKS are running at https://primary.example.com:8443,
-the CA signing certificate has been exported into `ca_signing.crt`,
-and the admin certificate and key have been exported into `ca_admin_cert.p12`.
-The PKCS #12 password is specified in the `pki_client_pkcs12_password` parameter.
-See [Installing CA](../ca/Installing_CA.md) for details.
-
-To start the installation execute the following command:
-
-```
-$ pkispawn -f tks-clone.cfg -s TKS
-```
-
-TKS System Certificates
------------------------
-
-After installation the existing TKS system certificates (including the certificate chain)
-and their keys will be stored in the server NSS database (i.e. `/var/lib/pki/pki-tomcat/conf/alias`),
-and a new SSL server certificate will be created for the new instance:
-
-```
-$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
-
-Certificate Nickname Trust Attributes
- SSL,S/MIME,JAR/XPI
-
-ca_signing CT,C,C
-subsystem u,u,u
-tks_audit_signing u,u,Pu
-sslserver u,u,u
-```
-
-If necessary, the certificates can be exported into PEM files with the following command:
-
-```
-$ pki-server cert-export --cert-file
-```
-
-The valid certificate IDs for TKS are:
-* `tks_audit_signing`
-* `subsystem`
-* `sslserver`
-
-Note that the `pki-server cert-export` command takes a certificate ID instead of a nickname.
-For simplicity the nicknames in this example are configured to be the same as the certificate ID.
-
-Admin Certificate
------------------
-
-To use the admin certificate from the CA subsystem, prepare a client NSS database (default is `~/.dogtag/nssdb`):
-
-```
-$ pki client-init
-```
-
-Then import the CA signing certificate into the client NSS database:
-
-```
-$ pki client-cert-import ca_signing --ca-cert ca_signing.crt
-```
-
-Finally, import admin certificate and key with the following command:
-
-```
-$ pki pkcs12-import \
- --pkcs12 ca_admin_cert.p12 \
- --pkcs12-password Secret.123
-```
-
-To verify that the admin certificate can be used to access the TKS subsystem clone, execute the following command:
-
-```
-$ pki -n caadmin tks-user-show tksadmin
----------------
-User "tksadmin"
----------------
- User ID: tksadmin
- Full name: tksadmin
- Email: tksadmin@example.com
- Type: adminType
- State: 1
-```
+Converted/moved to [Installing_TKS_Clone.adoc](../tks/Installing_TKS_Clone.adoc)
\ No newline at end of file
diff --git a/docs/installation/tks/Installing_TKS_with_ECC.md b/docs/installation/tks/Installing_TKS_with_ECC.md
index 72df493b6d9..cdf9ede37a1 100644
--- a/docs/installation/tks/Installing_TKS_with_ECC.md
+++ b/docs/installation/tks/Installing_TKS_with_ECC.md
@@ -1,128 +1 @@
-Installing TKS with ECC
-=======================
-
-Overview
---------
-
-This page describes the process to install a TKS subsystem with ECC.
-
-Supported ECC curves:
-
-- nistp256
-- nistp384
-- nistp521
-
-Supported ECC key algorithms:
-
-- SHA256withEC
-- SHA384withEC
-- SHA512withEC
-
-TKS Subsystem Installation
---------------------------
-
-Prepare a file (e.g. tks.cfg) that contains the deployment configuration, for example:
-
-```
-[DEFAULT]
-pki_server_database_password=Secret.123
-
-[TKS]
-pki_admin_cert_file=ca_admin.cert
-pki_admin_email=tksadmin@example.com
-pki_admin_name=tksadmin
-pki_admin_nickname=tksadmin
-pki_admin_password=Secret.123
-pki_admin_uid=tksadmin
-
-pki_client_pkcs12_password=Secret.123
-
-pki_ds_base_dn=dc=tks,dc=pki,dc=example,dc=com
-pki_ds_database=tks
-pki_ds_password=Secret.123
-
-pki_security_domain_name=EXAMPLE
-pki_security_domain_user=caadmin
-pki_security_domain_password=Secret.123
-
-pki_audit_signing_nickname=tks_audit_signing
-pki_audit_signing_key_type=ecc
-pki_audit_signing_key_algorithm=SHA512withEC
-pki_audit_signing_key_size=nistp521
-pki_audit_signing_signing_algorithm=SHA512withEC
-
-pki_sslserver_nickname=sslserver
-pki_sslserver_key_type=ecc
-pki_sslserver_key_algorithm=SHA512withEC
-pki_sslserver_key_size=nistp521
-
-pki_subsystem_nickname=subsystem
-pki_subsystem_key_type=ecc
-pki_subsystem_key_algorithm=SHA512withEC
-pki_subsystem_key_size=nistp521
-
-```
-
-Then execute the following command:
-
-```
-$ pkispawn -f tks.cfg -s TKS
-```
-
-It will install TKS subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
-* server NSS database: /var/lib/pki/pki-tomcat/conf/alias
-* admin NSS database: ~/.dogtag/pki-tomcat/kra/alias
-
-Verifying System Certificates
------------------------------
-
-Verify that the server NSS database contains the following certificates:
-
-```
-$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
-
-Certificate Nickname Trust 
Attributes
- SSL,S/MIME,JAR/XPI
-
-ca_signing CT,C,C
-subsystem u,u,u
-tks_audit_signing u,u,Pu
-sslserver u,u,u
-```
-
-Verifying Admin Certificate
----------------------------
-
-Prepare a client NSS database (e.g. ~/.dogtag/nssdb):
-
-```
-$ pki -c Secret.123 client-init
-```
-
-Import the CA signing certificate:
-
-```
-$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
-```
-
-Import admin key and certificate:
-
-```
-$ pki -c Secret.123 pkcs12-import \
- --pkcs12 ca_admin_cert.p12 \
- --pkcs12-password Secret.123
-```
-
-Verify that the admin certificate can be used to access the TKS subsystem by executing the following command:
-
-```
-$ pki -c Secret.123 -n caadmin tks-user-show tksadmin
---------------
-User "tksadmin"
---------------
- User ID: tksadmin
- Full name: tksadmin
- Email: tksadmin@example.com
- Type: adminType
- State: 1
-```
+Converted/moved to [Installing_TKS_with_ECC.adoc](../tks/Installing_TKS_with_ECC.adoc)
\ No newline at end of file
diff --git a/docs/installation/tks/Installing_TKS_with_HSM.md b/docs/installation/tks/Installing_TKS_with_HSM.md
index 31c676cec03..5c999bfa825 100644
--- a/docs/installation/tks/Installing_TKS_with_HSM.md
+++ b/docs/installation/tks/Installing_TKS_with_HSM.md
@@ -1,121 +1 @@
-Installing TKS with HSM
-=======================
-
-Overview
---------
-
-This page describes the process to install a TKS subsystem
-where the system certificates and their keys will be stored in HSM.
-
-TKS Subsystem Installation
---------------------------
-
-Prepare a file (e.g. tks.cfg) that contains the deployment configuration, for example:
-
-```
-[DEFAULT]
-pki_server_database_password=Secret.123
-
-pki_hsm_enable=True
-pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
-pki_hsm_modulename=softhsm
-pki_token_name=HSM
-pki_token_password=Secret.HSM
-
-[TKS]
-pki_admin_cert_file=ca_admin.cert
-pki_admin_email=tksadmin@example.com
-pki_admin_name=tksadmin
-pki_admin_nickname=tksadmin
-pki_admin_password=Secret.123
-pki_admin_uid=tksadmin
-
-pki_client_pkcs12_password=Secret.123
-
-pki_ds_base_dn=dc=tks,dc=pki,dc=example,dc=com
-pki_ds_database=tks
-pki_ds_password=Secret.123
-
-pki_security_domain_name=EXAMPLE
-pki_security_domain_user=caadmin
-pki_security_domain_password=Secret.123
-
-pki_audit_signing_nickname=tks_audit_signing
-pki_sslserver_nickname=sslserver
-pki_subsystem_nickname=subsystem
-```
-
-Then execute the following command:
-
-```
-$ pkispawn -f tks.cfg -s TKS
-```
-
-It will install TKS subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
-* server NSS database: /var/lib/pki/pki-tomcat/conf/alias
-* admin NSS database: ~/.dogtag/pki-tomcat/tks/alias
-
-Verifying System Certificates
------------------------------
-
-Verify that the internal token contains the following certificates:
-
-```
-$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
-
-Certificate Nickname Trust Attributes
- SSL,S/MIME,JAR/XPI
-
-ca_signing CT,C,C
-tks_audit_signing ,,P
-```
-
-Verify that the HSM contains the following certificates:
-
-```
-$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -h HSM -f HSM.pwd
-
-Certificate Nickname Trust Attributes
- SSL,S/MIME,JAR/XPI
-
-HSM:subsystem u,u,u 
-HSM:tks_audit_signing u,u,Pu
-HSM:sslserver u,u,u
-```
-
-Verifying Admin Certificate
----------------------------
-
-Prepare a client NSS database (e.g. ~/.dogtag/nssdb):
-
-```
-$ pki -c Secret.123 client-init
-```
-
-Import the CA signing certificate:
-
-```
-$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
-```
-
-Import admin key and certificate:
-
-```
-$ pki -c Secret.123 pkcs12-import \
- --pkcs12 ca_admin_cert.p12 \
- --pkcs12-password Secret.123
-```
-
-Verify that the admin certificate can be used to access the TKS subsystem by executing the following command:
-
-```
-$ pki -c Secret.123 -n caadmin tks-user-show tksadmin
----------------
-User "tksadmin"
----------------
- User ID: tksadmin
- Full name: tksadmin
- Email: tksadmin@example.com
- Type: adminType
- State: 1
-```
+Converted/moved to [Installing_TKS_with_HSM.adoc](../tks/Installing_TKS_with_HSM.adoc)
\ No newline at end of file
diff --git a/docs/installation/tks/Installing_TKS_with_Secure_Database_Connection.md b/docs/installation/tks/Installing_TKS_with_Secure_Database_Connection.md
index d79d1498ae8..f5e720e6d15 100644
--- a/docs/installation/tks/Installing_TKS_with_Secure_Database_Connection.md
+++ b/docs/installation/tks/Installing_TKS_with_Secure_Database_Connection.md
@@ -1,132 +1 @@
-Installing TKS with Secure Database Connection
-==============================================
-
-Overview
---------
-
-This page describes the process to install a TKS subsystem with a secure database connection.
-
-Ensure that the secure connection has been enabled on the directory server.
-Export the signing certificate for the directory server into ds_signing.crt.
-This step is described [here](https://www.dogtagpki.org/wiki/DS_SSL).
-
-TKS Subsystem Installation
---------------------------
-
-Prepare a file (e.g. tks.cfg) that contains the deployment configuration, for example:
-
-```
-[DEFAULT]
-pki_server_database_password=Secret.123
-
-[TKS]
-pki_admin_cert_file=ca_admin.cert
-pki_admin_email=tksadmin@example.com
-pki_admin_name=tksadmin
-pki_admin_nickname=tksadmin
-pki_admin_password=Secret.123
-pki_admin_uid=tksadmin
-
-pki_client_pkcs12_password=Secret.123
-
-pki_ds_url=ldaps://localhost:636
-pki_ds_secure_connection_ca_nickname=ds_signing
-pki_ds_secure_connection_ca_pem_file=ds_signing.crt
-
-pki_ds_base_dn=dc=tks,dc=pki,dc=example,dc=com
-pki_ds_database=tks
-pki_ds_password=Secret.123
-
-pki_security_domain_name=EXAMPLE
-pki_security_domain_user=caadmin
-pki_security_domain_password=Secret.123
-
-pki_audit_signing_nickname=tks_audit_signing
-pki_sslserver_nickname=sslserver
-pki_subsystem_nickname=subsystem
-```
-
-Then execute the following command:
-
-```
-$ pkispawn -f tks.cfg -s TKS
-```
-
-It will install TKS subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
-* server NSS database: /var/lib/pki/pki-tomcat/conf/alias
-* admin NSS database: ~/.dogtag/pki-tomcat/tks/alias
-
-Verifying System Certificates
------------------------------
-
-Verify that the server NSS database contains the following certificates:
-
-```
-$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
-
-Certificate Nickname Trust Attributes
- SSL,S/MIME,JAR/XPI
-
-ds_signing CT,C,C
-ca_signing CT,C,C
-subsystem u,u,u 
-tks_audit_signing u,u,Pu
-sslserver u,u,u
-```
-
-Verifying Database Configuration
---------------------------------
-
-Verify that the TKS database is configured with a secure connection:
-
-```
-$ pki-server tks-db-config-show
- Hostname: pki.example.com
- Port: 636
- Secure: true
- Authentication: BasicAuth
- Bind DN: cn=Directory Manager
- Bind Password Prompt: internaldb
- Database: tks
- Base DN: dc=tks,dc=pki,dc=example,dc=com
- Multiple suffix: false
- Maximum connections: 15
- Minimum connections: 3
-```
-
-Verifying Admin Certificate
----------------------------
-
-Prepare a client NSS database (e.g. ~/.dogtag/nssdb):
-
-```
-$ pki -c Secret.123 client-init
-```
-
-Import the CA signing certificate:
-
-```
-$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
-```
-
-Import admin key and certificate:
-
-```
-$ pki -c Secret.123 pkcs12-import \
- --pkcs12 ca_admin_cert.p12 \
- --pkcs12-password Secret.123
-```
-
-Verify that the admin certificate can be used to access the TKS subsystem by executing the following command:
-
-```
-$ pki -c Secret.123 -n caadmin tks-user-show tksadmin
----------------
-User "tksadmin"
----------------
- User ID: tksadmin
- Full name: tksadmin
- Email: tksadmin@example.com
- Type: adminType
- State: 1
-```
+Converted/moved to [Installing_TKS_with_Secure_Database_Connection.adoc](../tks/Installing_TKS_with_Secure_Database_Connection.adoc)
\ No newline at end of file
diff --git a/docs/installation/tps/Installing_TPS.md b/docs/installation/tps/Installing_TPS.md
index 6035198908b..9008bfa5529 100644
--- a/docs/installation/tps/Installing_TPS.md
+++ b/docs/installation/tps/Installing_TPS.md
@@ -1,86 +1 @@
-Installing TPS
-==============
-
-Overview
---------
-
-This page describes the process to install a TPS subsystem.
-
-TPS Subsystem Installation
---------------------------
-
-Prepare a file (e.g. tps.cfg) that contains the deployment configuration.
-A sample deployment configuration is available at [/usr/share/pki/server/examples/installation/tps.cfg](../../../base/server/examples/installation/tps.cfg).
-
-Then execute the following command:
-
-```
-$ pkispawn -f tps.cfg -s TPS
-```
-
-It will install TPS subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
-* server NSS database: /var/lib/pki/pki-tomcat/conf/alias
-* admin NSS database: ~/.dogtag/pki-tomcat/tps/alias
-
-**Note**: When TPS is installed on a new system without any other subsystems,
-it is necessary to provide the CA's root certificate. Specify the path to
-the CA PKCS#7 PEM file in the `pki_cert_chain_path`. This will allow the server
-to verify the CA's SSL server certificate when contacting the security domain.
-It is up to the administrator to securely transport the CA root certificate
-(public key only!) to the system prior to TPS installation.
-
-Verifying System Certificates
------------------------------
-
-Verify that the server NSS database contains the following certificates:
-
-```
-$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias
-
-Certificate Nickname Trust Attributes
- SSL,S/MIME,JAR/XPI
-
-ca_signing CT,C,C
-subsystem u,u,u
-tps_audit_signing u,u,Pu
-sslserver u,u,u
-```
-
-Verifying Admin Certificate
----------------------------
-
-Prepare a client NSS database (e.g. 
~/.dogtag/nssdb):
-
-```
-$ pki -c Secret.123 client-init
-```
-
-Import the CA signing certificate:
-
-```
-$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt
-```
-
-Import admin key and certificate:
-
-```
-$ pki -c Secret.123 pkcs12-import \
- --pkcs12 ca_admin_cert.p12 \
- --pkcs12-password Secret.123
-```
-
-Verify that the admin certificate can be used to access the TPS subsystem by executing the following command:
-
-```
-$ pki -c Secret.123 -n caadmin tps-user-show tpsadmin
----------------
-User "tpsadmin"
----------------
- User ID: tpsadmin
- Full name: tpsadmin
- Email: tpsadmin@example.com
- Type: adminType
- State: 1
- TPS Profiles:
- All Profiles
-```
+Converted/moved to [Installing_TPS.adoc](../tps/Installing_TPS.adoc)
\ No newline at end of file
diff --git a/docs/installation/tps/Installing_TPS_Clone.md b/docs/installation/tps/Installing_TPS_Clone.md
index 02913e20bb3..25946d03030 100644
--- a/docs/installation/tps/Installing_TPS_Clone.md
+++ b/docs/installation/tps/Installing_TPS_Clone.md
@@ -1,131 +1 @@ -Installing TPS Clone -==================== - -Overview --------- - -This page describes the process to install a TPS subsystem as a clone of an existing TPS subsystem -where the system certificates and their keys are stored in internal NSS token. - -Before beginning with the installation, please ensure that you have configured the directory -server and added base entries. -The step is described [here](https://github.com/dogtagpki/pki/wiki/DS-Installation). - -Additionally, make sure the FQDN has been [configured](../server/FQDN_Configuration.adoc) correctly. - -Exporting Existing TPS System Certificates ------------------------------------------- - -On the existing system, export the TPS system certificates with the following command: - -``` -$ pki-server tps-clone-prepare \ - --pkcs12-file tps-certs.p12 \ - --pkcs12-password Secret.123 -``` - -The command will export the following certificates (including the certificate chain) and their keys into a PKCS #12 file: - -* audit signing certificate -* subsystem certificate - -Note that the existing SSL server certificate will not be exported. - -If necessary, third-party certificates (e.g. trust anchors) can be added into the same PKCS #12 file with the following command: - -``` -$ pki -d /var/lib/pki/pki-tomcat/conf/alias -f /var/lib/pki/pki-tomcat/conf/password.conf \ - pkcs12-cert-import \ - --pkcs12-file tps-certs.p12 \ - --pkcs12-password Secret.123 \ - --append -``` - -TPS Subsystem Installation --------------------------- - -Prepare a deployment configuration (e.g. `tps-clone.cfg`) to deploy TPS subsystem clone. -By default the subsystem will be deployed into a Tomcat instance called `pki-tomcat`. - -A sample deployment configuration is available at [/usr/share/pki/server/examples/installation/tps-clone.cfg](../../../base/server/examples/installation/tps-clone.cfg). 
-It assumes that the primary CA, KRA, TKS, and TPS subsystems are running at https://primary.example.com:8443, -the CA signing certificate has been exported into `ca_signing.crt`, -and the admin certificate and key have been exported into `ca_admin_cert.p12`. -The PKCS #12 password is specified in the `pki_client_pkcs12_password` parameter. -See [Installing CA](../ca/Installing_CA.md) for details. - -To start the installation execute the following command: - -``` -$ pkispawn -f tps-clone.cfg -s TPS -``` - -TPS System Certificates ------------------------ - -After installation the existing TPS system certificates (including the certificate chain) -and their keys will be stored in the server NSS database (i.e. `/var/lib/pki/pki-tomcat/conf/alias`), -and a new SSL server certificate will be created for the new instance: - -``` -$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias - -Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - -ca_signing CT,C,C -sslserver u,u,u -subsystem u,u,u -tps_audit_signing u,u,Pu -``` - -If necessary, the certificates can be exported into PEM files with the following command: - -``` -$ pki-server cert-export --cert-file -``` - -The valid certificate IDs for TPS are: -* `tps_audit_signing` -* `subsystem` -* `sslserver` - -Note that the `pki-server cert-export` command takes a certificate ID instead of a nickname. -For simplicity the nicknames in this example are configured to be the same as the certificate IDs. 
- -Admin Certificate ------------------ - -To use the admin certificate from the CA subsystem, prepare a client NSS database (default is `~/.dogtag/nssdb`): - -``` -$ pki client-init -``` - -Then import the CA signing certificate into the client NSS database: - -``` -$ pki client-cert-import ca_signing --ca-cert ca_signing.crt -``` - -Finally, import admin certificate and key with the following command: - -``` -$ pki pkcs12-import \ - --pkcs12 ca_admin_cert.p12 \ - --pkcs12-password Secret.123 -``` - -To verify that the admin certificate can be used to access the TPS subsystem clone, execute the following command: - -``` -$ pki -n caadmin tps-user-show tpsadmin ---------------- -User "tpsadmin" ---------------- - User ID: tpsadmin - Full name: tpsadmin - Email: tpsadmin@example.com - Type: adminType - State: 1 -``` +Converted/moved to [Installing_TPS_Clone.adoc](../tps/Installing_TPS_Clone.adoc) \ No newline at end of file diff --git a/docs/installation/tps/Installing_TPS_with_HSM.md b/docs/installation/tps/Installing_TPS_with_HSM.md index 1417de7bc97..dc107d31b30 100644 --- a/docs/installation/tps/Installing_TPS_with_HSM.md +++ b/docs/installation/tps/Installing_TPS_with_HSM.md 
@@ -1,123 +1 @@ -Installing TPS with HSM -======================= - -Overview --------- - -This page describes the process to install a TPS subsystem -where the system certificates and their keys will be stored in HSM. - -TPS Subsystem Installation --------------------------- - -Prepare a file (e.g. tps.cfg) that contains the deployment configuration, for example: - -``` -[DEFAULT] -pki_server_database_password=Secret.123 - -pki_hsm_enable=True -pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so -pki_hsm_modulename=softhsm -pki_token_name=HSM -pki_token_password=Secret.HSM - -[TPS] -pki_admin_cert_file=ca_admin.cert -pki_admin_email=tpsadmin@example.com -pki_admin_name=tpsadmin -pki_admin_nickname=tpsadmin -pki_admin_password=Secret.123 -pki_admin_uid=tpsadmin - -pki_client_pkcs12_password=Secret.123 - -pki_ds_base_dn=dc=tps,dc=pki,dc=example,dc=com -pki_ds_database=tps -pki_ds_password=Secret.123 - -pki_security_domain_name=EXAMPLE -pki_security_domain_user=caadmin -pki_security_domain_password=Secret.123 - -pki_audit_signing_nickname=tps_audit_signing -pki_sslserver_nickname=sslserver -pki_subsystem_nickname=subsystem -``` - -Then execute the following command: - -``` -$ pkispawn -f tps.cfg -s TPS -``` - -It will install TPS subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: -* server NSS database: /var/lib/pki/pki-tomcat/conf/alias -* admin NSS database: ~/.dogtag/pki-tomcat/tps/alias - -Verifying System Certificates ------------------------------ - -Verify that the internal token contains the following certificates: - -``` -$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias - -Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - -ca_signing CT,C,C -tps_audit_signing ,,P -``` - -Verify that the HSM contains the following certificates: - -``` -$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias -h HSM -f HSM.pwd - -Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - -HSM:subsystem u,u,u 
-HSM:tps_audit_signing u,u,Pu -HSM:sslserver u,u,u -``` - -Verifying Admin Certificate ---------------------------- - -Prepare a client NSS database (e.g. ~/.dogtag/nssdb): - -``` -$ pki -c Secret.123 client-init -``` - -Import the CA signing certificate: - -``` -$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt -``` - -Import admin key and certificate: - -``` -$ pki -c Secret.123 pkcs12-import \ - --pkcs12 ca_admin_cert.p12 \ - --pkcs12-password Secret.123 -``` - -Verify that the admin certificate can be used to access the TPS subsystem by executing the following command: - -``` -$ pki -c Secret.123 -n caadmin tps-user-show tpsadmin ---------------- -User "tpsadmin" ---------------- - User ID: tpsadmin - Full name: tpsadmin - Email: tpsadmin@example.com - Type: adminType - State: 1 - TPS Profiles: - All Profiles -``` +Converted/moved to [Installing_TPS_with_HSM.adoc](../tps/Installing_TPS_with_HSM.adoc) \ No newline at end of file diff --git a/docs/installation/tps/Installing_TPS_with_Secure_Database_Connection.md b/docs/installation/tps/Installing_TPS_with_Secure_Database_Connection.md index 6b64bf7b159..202b5754d01 100644 --- a/docs/installation/tps/Installing_TPS_with_Secure_Database_Connection.md +++ b/docs/installation/tps/Installing_TPS_with_Secure_Database_Connection.md 
@@ -1,134 +1 @@ -Installing TPS with Secure Database Connection -============================================== - -Overview --------- - -This page describes the process to install a TPS subsystem a secure database connection. - -Ensure that the secure connection has been enabled on the directory server. -Export the signing certificate for the directory server into ds_signing.crt. -This step is described [here](https://www.dogtagpki.org/wiki/DS_SSL). - -TPS Subsystem Installation --------------------------- - -Prepare a file (e.g. tps.cfg) that contains the deployment configuration, for example: - -``` -[DEFAULT] -pki_server_database_password=Secret.123 - -[TPS] -pki_admin_cert_file=ca_admin.cert -pki_admin_email=tpsadmin@example.com -pki_admin_name=tpsadmin -pki_admin_nickname=tpsadmin -pki_admin_password=Secret.123 -pki_admin_uid=tpsadmin - -pki_client_pkcs12_password=Secret.123 - -pki_ds_url=ldaps://localhost:636 -pki_ds_secure_connection_ca_nickname=ds_signing -pki_ds_secure_connection_ca_pem_file=ds_signing.crt - -pki_ds_base_dn=dc=tps,dc=pki,dc=example,dc=com -pki_ds_database=tps -pki_ds_password=Secret.123 - -pki_security_domain_name=EXAMPLE -pki_security_domain_user=caadmin -pki_security_domain_password=Secret.123 - -pki_audit_signing_nickname=tps_audit_signing -pki_sslserver_nickname=sslserver -pki_subsystem_nickname=subsystem -``` - -Then execute the following command: - -``` -$ pkispawn -f tps.cfg -s TPS -``` - -It will install TPS subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: -* server NSS database: /var/lib/pki/pki-tomcat/conf/alias -* admin NSS database: ~/.dogtag/pki-tomcat/tps/alias - -Verifying System Certificates ------------------------------ - -Verify that the server NSS database contains the following certificates: - -``` -$ certutil -L -d /var/lib/pki/pki-tomcat/conf/alias - -Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - -ds_signing CT,C,C -ca_signing CT,C,C -subsystem u,u,u 
-tps_audit_signing u,u,Pu -sslserver u,u,u -``` - -Verifying Database Configuration --------------------------------- - -Verify that the TPS database is configured with a secure connection: - -``` -$ pki-server tps-db-config-show - Hostname: pki.example.com - Port: 636 - Secure: true - Authentication: BasicAuth - Bind DN: cn=Directory Manager - Bind Password Prompt: internaldb - Database: tps - Base DN: dc=tps,dc=pki,dc=example,dc=com - Multiple suffix: false - Maximum connections: 15 - Minimum connections: 3 -``` - -Verifying Admin Certificate ---------------------------- - -Prepare a client NSS database (e.g. ~/.dogtag/nssdb): - -``` -$ pki -c Secret.123 client-init -``` - -Import the CA signing certificate: - -``` -$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt -``` - -Import admin key and certificate: - -``` -$ pki -c Secret.123 pkcs12-import \ - --pkcs12 ca_admin_cert.p12 \ - --pkcs12-password Secret.123 -``` - -Verify that the admin certificate can be used to access the TPS subsystem by executing the following command: - -``` -$ pki -c Secret.123 -n caadmin tps-user-show tpsadmin ---------------- -User "tpsadmin" ---------------- - User ID: tpsadmin - Full name: tpsadmin - Email: tpsadmin@example.com - Type: adminType - State: 1 - TPS Profiles: - All Profiles -``` +Converted/moved to [Installing_TPS_with_Secure_Database_Connection.adoc](../tps/Installing_TPS_with_Secure_Database_Connection.adoc) \ No newline at end of file