Quick Start

From Dogtag

Overview

This document describes the process to install basic Dogtag subsystems.

Installing DS and PKI Packages

Install 389-ds-base and dogtag-pki packages:

$ yum install 389-ds-base dogtag-pki
Loaded plugins: auto-update-debuginfo, langpacks, presto, refresh-packagekit
Resolving Dependencies
...

Complete!
$ 

Creating DS Instance

Use setup-ds.pl to create a DS instance:

$ setup-ds.pl --silent \
 General.FullMachineName=`hostname` \
 General.SuiteSpotUserID=nobody \
 General.SuiteSpotGroup=nobody \
 slapd.ServerPort=389 \
 slapd.ServerIdentifier=pki-tomcat \
 slapd.Suffix=dc=example,dc=com \
 slapd.RootDN="cn=Directory Manager" \
 slapd.RootDNPwd=Secret.123
Your new DS instance 'pki-tomcat' was successfully created.
Exiting . . .
Log file is '/tmp/setup4SHUVV.log'

$ 

Creating CA Subsystem

Run pkispawn to create CA subsystem in interactive mode:

$ pkispawn
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:

Tomcat:
  Instance [pki-tomcat]:
  HTTP port [8080]:
  Secure HTTP port [8443]:
  AJP port [8009]:
  Management port [8005]:

Administrator:
  Username [caadmin]:
  Password: Secret.123
  Verify password: Secret.123
  Import certificate (Yes/No) [N]?
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:

Directory Server:
  Hostname [server.example.com]:
  Port [389]:
  Bind DN [cn=Directory Manager]:
  Password: Secret.123
  Base DN [o=pki-tomcat-CA]:

Security Domain:
  Name [example.com Security Domain]:

Begin installation (Yes/No/Quit)? Y

Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             caadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/pki-tomcat/ca_admin_cert.p12

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service
      The URL for the subsystem is:
            https://server.example.com:8443/ca

    ==========================================================================
$ 

See also Installing CA.
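
The same DS and CA setup can be driven from answer files, so that generated passwords replace Secret.123 and never appear on a command line. This is an added example, not part of the Dogtag wiki page: the function names and output directory are hypothetical, and the use of `setup-ds.pl --file` and `pkispawn -s CA -f` with the `pki_*_password` keys is an assumption to check against the man pages of the installed version.

```shell
#!/bin/bash
# Added example (not from the Dogtag wiki): write answer files for setup-ds.pl
# and pkispawn so generated passwords replace Secret.123 and stay off argv.

# 32 hex characters from the kernel CSPRNG.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# write_quickstart_configs DIR [FQDN]   (hypothetical helper name)
# Creates DIR/ds.inf and DIR/ca.cfg, both readable by the owner only.
write_quickstart_configs() {
    local dir="$1" fqdn="${2:-$(hostname)}"
    local ds_pw admin_pw
    ds_pw="$(gen_password)" || return 1
    admin_pw="$(gen_password)" || return 1
    [ "${#ds_pw}" -eq 32 ] && [ "${#admin_pw}" -eq 32 ] || return 1
    (
        umask 077                      # new files and directory are owner-only
        mkdir -p "$dir" || exit 1
        # Same values as the setup-ds.pl command line on this page.
        cat > "$dir/ds.inf" <<EOF
[General]
FullMachineName=$fqdn
SuiteSpotUserID=nobody
SuiteSpotGroup=nobody

[slapd]
ServerPort=389
ServerIdentifier=pki-tomcat
Suffix=dc=example,dc=com
RootDN=cn=Directory Manager
RootDNPwd=$ds_pw
EOF
        # Answers to the pkispawn password prompts; other prompts keep defaults.
        cat > "$dir/ca.cfg" <<EOF
[DEFAULT]
pki_admin_password=$admin_pw
pki_client_pkcs12_password=$admin_pw
pki_ds_password=$ds_pw
EOF
        chmod 600 "$dir/ds.inf" "$dir/ca.cfg"   # also covers pre-existing files
    )
}

# Usage (as root; the directory name is an assumption):
#   write_quickstart_configs /root/pki-quickstart
#   setup-ds.pl --silent --file=/root/pki-quickstart/ds.inf
#   pkispawn -s CA -f /root/pki-quickstart/ca.cfg
```

The Directory Manager password is written to both files because pkispawn binds to the DS instance with the value set by setup-ds.pl.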

Creating KRA Subsystem

Run pkispawn to create KRA subsystem in interactive mode:

$ pkispawn
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]: KRA

Tomcat:
  Instance [pki-tomcat]:
  HTTP port [8080]:
  Secure HTTP port [8443]:
  AJP port [8009]:
  Management port [8005]:

Administrator:
  Username [kraadmin]:
  Password: Secret.123
  Verify password: Secret.123
  Import certificate (Yes/No) [Y]?
  Import certificate from [/root/.dogtag/pki-tomcat/ca_admin.cert]:
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:

Directory Server:
  Hostname [server.example.com]:
  Port [389]:
  Bind DN [cn=Directory Manager]:
  Password: Secret.123
  Base DN [o=pki-tomcat-KRA]:

Security Domain:
  Hostname [server.example.com]:
  Secure HTTP port [8443]:
  Name: example.com Security Domain
  Username [caadmin]:
  Password: Secret.123

Begin installation (Yes/No/Quit)? Y

Installing KRA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/kra/deployment.cfg.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             kraadmin

      To check the status of the subsystem:
            systemctl status pki-tomcatd@pki-tomcat.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@pki-tomcat.service
      The URL for the subsystem is:
            https://server.example.com:8443/kra

    ==========================================================================
$ 

See also Installing KRA.

Accessing PKI Services

To access PKI services via the Web UI, open https://server.example.com:8443/ in a browser.

To access PKI services from the command line, use the PKI CLI.

By default, only the Default CA Admin and end-entities can access PKI services. Follow User Certificate Setup to add additional system users.

Managing PKI Services

To manage PKI services via PKI Console:

$ pkiconsole https://server.example.com:8443/<subsystem>

To manage PKI services via CLI, use the PKI Server CLI.

Common PKI Tasks

Removing PKI Subsystem

$ pkidestroy
Subsystem (CA/KRA/OCSP/TKS/TPS) [CA]:
Instance [pki-tomcat]:

Begin uninstallation (Yes/No/Quit)? Y

Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg.
Uninstalling CA from /var/lib/pki/pki-tomcat.

Uninstallation complete.
$ 
