<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>The following test scenarios have been run successfully on
Dogtag 10.0.2:</tt><tt><br>
</tt>
<ul>
<li><tt>Default installation and REST configuration of CA, KRA,
OCSP, and TKS instances within a single Tomcat 7 PKI instance:</tt></li>
<ul>
<li><b><tt>pkispawn -s CA -f ca.cfg</tt></b></li>
<ul>
<li><tt>where 'ca.cfg' contains:</tt><tt><br>
</tt><tt>[DEFAULT]</tt><tt><br>
</tt><tt>pki_admin_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_pkcs12_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_ds_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_security_domain_password=XXXXXXXX</tt></li>
</ul>
<li><b><tt>pkispawn -s KRA -f kra.cfg</tt></b></li>
<ul>
<li><tt>where 'kra.cfg' contains:</tt><tt><br>
</tt><tt>[DEFAULT]</tt><tt><br>
</tt><tt>pki_admin_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_database_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_pkcs12_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_ds_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_security_domain_password=XXXXXXXX</tt></li>
</ul>
<li><b><tt>pkispawn -s OCSP -f ocsp.cfg</tt></b></li>
<ul>
<li><tt>where 'ocsp.cfg' contains:</tt><tt><br>
</tt><tt>[DEFAULT]</tt><tt><br>
</tt><tt>pki_admin_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_database_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_pkcs12_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_ds_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_security_domain_password=XXXXXXXX</tt></li>
</ul>
<li><b><tt>pkispawn -s TKS -f tks.cfg</tt></b></li>
<ul>
<li><tt>where 'tks.cfg' contains:</tt><tt><br>
</tt><tt>[DEFAULT]</tt><tt><br>
</tt><tt>pki_admin_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_database_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_pkcs12_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_ds_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_security_domain_password=XXXXXXXX</tt><tt><br>
</tt><tt><br>
</tt><tt>Since a TKS must remain FIPS-compliant, the</tt><tt><br>
</tt><tt>following post-configuration steps are also
necessary:</tt><tt><br>
</tt><tt> </tt><tt><br>
</tt><b><tt> # cat
/var/lib/pki/pki-tomcat/conf/password.conf</tt></b><b><tt><br>
</tt></b><b><tt> # tkstool -T -d
/var/lib/pki/pki-tomcat/alias -n sharedSecret</tt></b><b><tt><br>
</tt></b><b><tt> # stty sane</tt></b><b><tt><br>
</tt></b><b><tt> # /bin/systemctl restart
pki-tomcatd@pki-tomcat.service</tt></b></li>
</ul>
</ul>
</ul>
<tt><br>
</tt><tt><br>
</tt>
<ul>
<li><tt>Default installation and legacy GUI browser configuration
of CA, KRA, OCSP, and TKS instances within separate Tomcat 7
PKI instances:</tt></li>
<ul>
<li><b><tt>pkispawn -s CA -f ca.cfg</tt></b></li>
<ul>
<li><tt>where 'ca.cfg' contains:</tt><tt><br>
</tt><tt>[DEFAULT]</tt><tt><br>
</tt><tt>pki_admin_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_pkcs12_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_ds_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_security_domain_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_skip_configuration=True</tt><tt><br>
</tt></li>
</ul>
<li><tt>CA instance is configured via the legacy GUI browser
configuration</tt><tt><br>
</tt><tt><br>
</tt><tt>For a CA instance which has been configured via the
legacy GUI browser</tt><tt><br>
</tt><tt>interface, the following post-configuration steps are
necessary:</tt><tt><br>
</tt><tt><br>
</tt><tt> <b># /bin/systemctl restart
pki-tomcatd@pki-tomcat.service</b></tt><tt><br>
</tt><tt><br>
</tt></li>
<li><b><tt>pkispawn -s KRA -f kra.cfg</tt></b></li>
<ul>
<li><tt>where 'kra.cfg' contains:</tt><tt><br>
</tt><tt>[DEFAULT]</tt><tt><br>
</tt><tt>pki_admin_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_database_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_pkcs12_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_ds_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_http_port=28080</tt><tt><br>
</tt><tt>pki_https_port=28443</tt><tt><br>
</tt><tt>pki_instance_name=pki-tomcat-kra</tt><tt><br>
</tt><tt>pki_security_domain_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_skip_configuration=True</tt><tt><br>
</tt><tt><br>
</tt><tt>[Tomcat]</tt><tt><br>
</tt><tt>pki_ajp_port=28009</tt><tt><br>
</tt><tt>pki_tomcat_server_port=28005</tt><tt><br>
</tt><tt><br>
</tt><tt>[KRA]</tt><tt><br>
</tt><tt>pki_import_admin_cert=False</tt></li>
</ul>
</ul>
<ul>
<li><tt>KRA instance is configured via the legacy GUI browser
configuration</tt><tt><br>
</tt><tt><br>
</tt><tt>For a KRA instance which has been configured via the
legacy GUI browser</tt><tt><br>
</tt><tt>interface, the following post-configuration steps are
necessary:</tt><tt><br>
</tt><tt><br>
</tt><tt> <b># /bin/systemctl restart
pki-tomcatd@pki-tomcat-kra.service</b></tt><tt><br>
</tt><tt><br>
</tt></li>
<li><b><tt>pkispawn -s OCSP -f ocsp.cfg</tt></b></li>
<ul>
<li><tt>where 'ocsp.cfg' contains:</tt><tt><br>
</tt><tt>[DEFAULT]</tt><tt><br>
</tt><tt>pki_admin_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_database_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_pkcs12_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_ds_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_http_port=29080</tt><tt><br>
</tt><tt>pki_https_port=29443</tt><tt><br>
</tt><tt>pki_instance_name=pki-tomcat-ocsp</tt><tt><br>
</tt><tt>pki_security_domain_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_skip_configuration=True</tt><tt><br>
</tt><tt><br>
</tt><tt>[Tomcat]</tt><tt><br>
</tt><tt>pki_ajp_port=29009</tt><tt><br>
</tt><tt>pki_tomcat_server_port=29005</tt><tt><br>
</tt><tt><br>
</tt><tt>[OCSP]</tt><tt><br>
</tt><tt>pki_import_admin_cert=False</tt></li>
</ul>
<li><tt>OCSP instance is configured via the legacy GUI browser
configuration</tt><tt><br>
</tt><tt><br>
</tt><tt>For an OCSP instance which has been configured via
the legacy GUI browser</tt><tt><br>
</tt><tt>interface, the following post-configuration steps are
necessary:</tt><tt><br>
</tt><tt><br>
</tt><tt> <b># /bin/systemctl restart
pki-tomcatd@pki-tomcat-ocsp.service</b></tt><tt><br>
</tt><tt><br>
</tt><tt>Additionally, whenever an OCSP instance is installed as a standalone</tt><tt><br>
</tt><tt>PKI Tomcat instance separate from the CA instance, publishing must be</tt><tt><br>
</tt><tt>reset in the CA so that the OCSP instance obtains the updates. Therefore,</tt><tt><br>
</tt><tt>the following additional post-configuration step is necessary (restart</tt><tt><br>
</tt><tt>the CA):</tt><tt><br>
</tt><tt><br>
</tt><tt> <b># /bin/systemctl restart
pki-tomcatd@pki-tomcat.service</b></tt><tt><br>
</tt><tt><br>
By default (the single PKI Tomcat instance case above), the REST<br>
configuration process restarts the PKI Tomcat instance at the end of its<br>
configuration, so both the CA instance and the OCSP instance are restarted,<br>
since they are the same instance.<br>
<br>
</tt></li>
<li><b><tt>pkispawn -s TKS -f tks.cfg</tt></b></li>
<ul>
<li><tt>where 'tks.cfg' contains:</tt><tt><br>
</tt><tt>[DEFAULT]</tt><tt><br>
</tt><tt>pki_admin_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_database_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_client_pkcs12_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_ds_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_http_port=30080</tt><tt><br>
</tt><tt>pki_https_port=30443</tt><tt><br>
</tt><tt>pki_instance_name=pki-tomcat-tks</tt><tt><br>
</tt><tt>pki_security_domain_password=XXXXXXXX</tt><tt><br>
</tt><tt>pki_skip_configuration=True</tt><tt><br>
</tt><tt><br>
</tt><tt>[Tomcat]</tt><tt><br>
</tt><tt>pki_ajp_port=30009</tt><tt><br>
</tt><tt>pki_tomcat_server_port=30005</tt><tt><br>
</tt><tt><br>
</tt><tt>[TKS]</tt><tt><br>
</tt><tt>pki_import_admin_cert=False</tt></li>
</ul>
<li><tt>TKS instance is configured via the legacy GUI browser
configuration</tt><tt><br>
</tt><tt><br>
</tt><tt>For a TKS instance which has been configured via the
legacy GUI browser</tt><tt><br>
</tt><tt>interface, the following post-configuration steps are
necessary:</tt><tt><br>
</tt><tt> </tt><tt><br>
</tt><tt> <b># /bin/systemctl restart
pki-tomcatd@pki-tomcat-tks.service</b></tt><tt><br>
</tt><tt> </tt><tt><br>
</tt><tt>Additionally, since a TKS must remain FIPS-compliant,
the</tt><tt><br>
</tt><tt>following post-configuration steps are also
necessary:</tt><tt><br>
</tt><tt> </tt><tt><br>
</tt><b><tt> # cat
/var/lib/pki/pki-tomcat-tks/conf/password.conf</tt></b><b><tt><br>
</tt></b><b><tt> # tkstool -T -d
/var/lib/pki/pki-tomcat-tks/alias -n sharedSecret</tt></b><b><tt><br>
</tt></b><b><tt> # stty sane</tt></b><b><tt><br>
</tt></b><b><tt> # /bin/systemctl restart
pki-tomcatd@pki-tomcat-tks.service</tt></b></li>
</ul>
</ul>
<tt>ADDITIONAL TEST NOTES for legacy GUI browser configurations:</tt><tt><br>
</tt>
<ul>
<li><tt>For KRA, OCSP, and TKS, the 'pki_import_admin_cert=False'
parameter was specified so that a single browser profile could
be utilized to configure and test all four PKI subsystems (CA,
KRA, OCSP, and TKS)</tt><br>
</li>
<li><tt>When selecting ports for KRA, OCSP, and TKS, it was
discovered that an SELinux conflict occurred if ports were
selected higher than 32768 since these are of type
'ephemeral_port_t' and cannot be re-labeled without an
additional procedure:</tt><tt><br>
</tt><tt><br>
</tt><tt> <b># semanage -l port | grep ephemeral</b></tt><tt><br>
</tt><tt> ephemeral_port_t tcp 32768-61000</tt><tt><br>
</tt><tt> ephemeral_port_t udp 32768-61000</tt><tt><br>
</tt><tt><br>
</tt></li>
<li><tt>When configuring the KRA, OCSP, and TKS, in order to
obtain the CA security domain URL required by the 'Join an
Existing Security Domain' option on the 'Security Domain'
panel, the following command was utilized:</tt><tt><br>
</tt><tt><br>
</tt><tt> <b># pkidaemon status tomcat pki-tomcat</b></tt><tt><br>
</tt><tt><br>
</tt></li>
<li><tt>Unlike the default 'pki_security_domain_user=caadmin'
utilized by the REST configuration, the KRA, OCSP, and TKS
legacy GUI browser configurations utilized 'admin' rather than
'caadmin' as the 'Uid:' entry on the 'Security Domain (&lt;DNS
Domain&gt; Domain) Login' panel.</tt></li>
<li><tt>For convenience, when configuring the CA, KRA, OCSP, and
TKS the 'Remove the existing data from the Base DN shown
above.' checkbox option was checked on the 'Internal Database'
panel.</tt><br>
</li>
</ul>
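<tt>The following is an added example and is not part of the original test notes: a small POSIX shell check that reads the pki_*_port values from a pkispawn configuration file and rejects any port at or above the ephemeral_port_t range (32768-61000 on the test system above), i.e. the SELinux conflict noted for the KRA, OCSP, and TKS ports. The sample configuration files are constructed here with the passwords omitted, and the function names are this example's own.</tt><br>

```shell
#!/bin/sh
# Added example, not part of the original Dogtag test notes.
# Checks that every pki_*_port value in a pkispawn config file stays below the
# SELinux ephemeral_port_t range, which on the test system above starts at 32768.
EPHEMERAL_LOW=32768

# Print each port value assigned to a pki_*_port key (pki_http_port,
# pki_https_port, pki_ajp_port, pki_tomcat_server_port), one per line.
pki_config_ports() {
    sed -n 's/^[[:space:]]*pki_[a-z_]*port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1"
}

# Return 0 if all ports in the file are below EPHEMERAL_LOW; otherwise report
# each offending port on stderr and return 1.
check_pki_ports() {
    rc=0
    for port in $(pki_config_ports "$1"); do
        if [ "$port" -ge "$EPHEMERAL_LOW" ]; then
            echo "$1: port $port is in the ephemeral_port_t range (>= $EPHEMERAL_LOW)" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the separate-instance kra.cfg from the notes above
# (passwords omitted), which uses ports in the 28xxx range.
KRA_CFG=$(mktemp) && cat >"$KRA_CFG" <<'EOF'
[DEFAULT]
pki_http_port=28080
pki_https_port=28443
pki_instance_name=pki-tomcat-kra

[Tomcat]
pki_ajp_port=28009
pki_tomcat_server_port=28005
EOF

# Constructed sample: same layout, but with ports chosen above 32768.
BAD_CFG=$(mktemp) && cat >"$BAD_CFG" <<'EOF'
[DEFAULT]
pki_http_port=38080
pki_https_port=38443
[Tomcat]
pki_ajp_port=38009
pki_tomcat_server_port=38005
EOF

check_pki_ports "$KRA_CFG" && echo "$KRA_CFG: ports ok"
check_pki_ports "$BAD_CFG" || echo "$BAD_CFG: rejected"
```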
</body>
</html>