Overview#

To install KRA, IPA calls pkispawn with a configuration file (see ipaserver/install/krainstance.py).

General#

In all cases the configuration file contains the following parameters:

[KRA]

# Security Domain Authentication
pki_security_domain_https_port=443
pki_security_domain_password=<admin password>
pki_security_domain_user=admin

# issuing ca
pki_issuing_ca_uri=https://<fqdn>:443

# Server
pki_enable_proxy=True
pki_restart_configured_instance=False
pki_backup_keys=True
pki_backup_password=<admin password>

# Client security database
pki_client_database_dir=<agent db>
pki_client_database_password=<admin password>
pki_client_database_purge=False
pki_client_pkcs12_password=<admin password>

# Administrator
pki_admin_name=admin
pki_admin_uid=admin
pki_admin_email=root@localhost
pki_admin_password=<admin password>
pki_admin_nickname=ipa-ca-agent
pki_admin_subject_dn=cn=ipa-ca-agent,<subject base>
pki_import_admin_cert=True
pki_admin_cert_file=<ADMIN_CERT_PATH>
pki_client_admin_cert_p12=<DOGTAG_ADMIN_P12>

# Directory server
pki_ds_ldap_port=<ds port>
pki_ds_password=<dm password>
pki_ds_base_dn=<basedn>
pki_ds_database=ipaca
pki_ds_create_new_db=False

# Certificate subject DNs
pki_subsystem_subject_dn=cn=CA Subsystem,<subject base>
pki_ssl_server_subject_dn=cn=<fqdn>,<subject base>
pki_audit_signing_subject_dn=cn=KRA Audit,<subject base>
pki_transport_subject_dn=cn=KRA Transport Certificate,<subject base>
pki_storage_subject_dn=cn=KRA Storage Certificate,<subject base>

# Certificate nicknames
# Note that both the server certs and subsystem certs reuse
# the ca certs.
pki_subsystem_nickname=subsystemCert cert-pki-ca
pki_ssl_server_nickname=Server-Cert cert-pki-ca
pki_audit_signing_nickname=auditSigningCert cert-pki-kra
pki_transport_nickname=transportCert cert-pki-kra
pki_storage_nickname=storageCert cert-pki-kra

# Shared db settings
# Needed because CA and KRA share the same database
# We will use the dbuser created for the CA
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca

Clone#

For KRA clone, IPA adds the following parameters:

# Security domain registration
pki_security_domain_hostname=<master host>
pki_security_domain_https_port=443
pki_security_domain_user=admin
pki_security_domain_password=<admin password>

# Clone
pki_clone=True
pki_clone_pkcs12_path=<tmpfile name>
pki_clone_pkcs12_password=<dm password>
pki_clone_setup_replication=False
pki_clone_uri=https://<master host>:443

The PKCS #12 file is generated by Custodia. See the following files:

Enabling Secure LDAP Connection#

After KRA installation IPA enables secure LDAP connection with client certificate authenticaton in CS.cfg (see ipaserver/install/dogtaginstance.py):

authz.instance.DirAclAuthz.ldap.ldapauth.authtype=SslClientAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipaca
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
authz.instance.DirAclAuthz.ldap.ldapconn.port=<DS_SECURE_PORT>
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=true
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,o=ipaca
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.port=<DS_SECURE_PORT>
internaldb.ldapconn.secureConn=true

Also IPA removes the internaldb from password.conf.