[Pki-devel] [PATCH] Stand-alone DRM (manual GUI configuration only)

Matthew Harmsen mharmsen at redhat.com
Fri Aug 30 23:59:59 UTC 2013


The following patch addresses the installation and configuration of a 
stand-alone DRM (i.e., a DRM that exists as the sole subsystem in a 
PKI deployment -- no corresponding Dogtag CA, and no corresponding 
Security Domain).  Eventually, this DRM will be able to be installed and 
configured (as a two-step process) using nothing more than 'pkispawn' 
and the REST interface (Phase II). As a preliminary step, this patch 
allows a stand-alone DRM to be installed using 'pkispawn' and manually 
configured using the GUI panel interface via a Firefox browser (Phase I).

Although this patch only addresses Phase I of a stand-alone DRM, the 
patch does contain some additional code changes for Phase II, and 
although incomplete at this time, none of these changes should conflict 
with existing subsystems.

Finally, although this patch only addresses Phase I of configuring a 
stand-alone DRM, I thought it prudent to send out the existing code 
changes due to the relatively healthy size of this effort.

The attached patch addresses the following TRAC tickets:

  * https://fedorahosted.org/pki/ticket/667 TRAC Ticket #667 - provide
    option for ca-less drm install (Phase I)
  * https://fedorahosted.org/pki/ticket/641 TRAC Ticket #641 - Incorrect
    interface labels in pkidaemon output
  * https://fedorahosted.org/pki/ticket/707 TRAC Ticket #707 - Do not
    "require" the following pkispawn parameters for GUI-based configuration

The attached patch has been used to successfully install a Stand-alone 
DRM using the manual GUI panels.

The DRM was installed using the following command:

  * pkispawn -s KRA -f kra.cfg -vvv

where 'kra.cfg' contained the following:

  * [DEFAULT]
    pki_admin_password=XXXXXXXX
    pki_client_pkcs12_password=XXXXXXXX
    pki_skip_configuration=True
    [KRA]
    pki_standalone=True

The DRM was then manually configured from a Firefox browser using the 
GUI panels where:

  * this DRM is not part of any security domain,
  * this DRM's transport, storage, sslserver, and audit_log_signing
    certificates were all submitted and externally signed by a separate
    pre-installed Dogtag CA using the appropriate profiles,
  * a cert request for this DRM's Admin certificate was saved in its
    CS.cfg to be used later

Although I have no tests to verify that this stand-alone DRM functions 
correctly, the standalone DRM server can be successfully installed, 
manually configured by the GUI panels, and started:

  * pkidaemon status tomcat pki-tomcat
    Status for pki-tomcat: pki-tomcat is running ..

         [DRM Status Definitions]
         Unsecure URL        = http://dogtag19.example.com:8080/kra/ee/kra
         Secure Agent URL    = https://dogtag19.example.com:8443/kra/agent/kra
         Secure EE URL       = https://dogtag19.example.com:8443/kra/ee/kra
         Secure Admin URL    = https://dogtag19.example.com:8443/kra/services
         PKI Console Command = pkiconsole https://dogtag19.example.com:8443/kra
         Tomcat Port         = 8005 (for shutdown)

         [DRM Configuration Definitions]
         PKI Instance Name:   pki-tomcat

         PKI Subsystem Type:  DRM (Stand-alone)

Please review this patch, so that Phase I of this effort may be checked in.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20130830/481b1995/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20130830-Stand-alone-DRM-manual-GUI-configuration-only.patch
Type: text/x-patch
Size: 143918 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20130830/481b1995/attachment.bin>
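A pre-flight check for the kra.cfg shown in the post above, added here as an example; it is not part of the original message or of the Dogtag/pki project's code. pkispawn reads its configuration as an INI file in which [DEFAULT] values are inherited by the subsystem section, which Python's configparser reproduces, so the check parses the file the same way, confirms the two settings the post relies on for a GUI-configured stand-alone DRM (pki_skip_configuration and pki_standalone), and flags the two things worth catching before pkispawn runs: the XXXXXXXX password placeholders left in place, and a file whose mode lets group or other users read the admin and PKCS#12 passwords it holds. Which keys are "required" is an assumption taken from the post's kra.cfg, not from pkispawn's own validation.

```python
"""Pre-flight check for a pkispawn stand-alone KRA (DRM) configuration file.

Added example, not code from the original post or the pki project. The list of
required keys is an assumption based on the kra.cfg shown in the post.
"""
import configparser
import os
import stat

# Constructed sample mirroring the kra.cfg from the post (placeholders intact).
SAMPLE_CFG = """[DEFAULT]
pki_admin_password=XXXXXXXX
pki_client_pkcs12_password=XXXXXXXX
pki_skip_configuration=True
[KRA]
pki_standalone=True
"""

# Keys whose values are secrets and must not be left as placeholders.
PASSWORD_KEYS = ("pki_admin_password", "pki_client_pkcs12_password")


def parse_cfg(text):
    """Parse pkispawn-style INI text; [DEFAULT] values are visible in [KRA]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_standalone_kra(text):
    """Return a list of findings; an empty list means the file looks ready."""
    findings = []
    cp = parse_cfg(text)
    if not cp.has_section("KRA"):
        findings.append("missing [KRA] section")
        return findings
    kra = cp["KRA"]  # includes values inherited from [DEFAULT]
    if not kra.getboolean("pki_standalone", fallback=False):
        findings.append("pki_standalone is not True")
    if not kra.getboolean("pki_skip_configuration", fallback=False):
        findings.append("pki_skip_configuration is not True (needed for GUI configuration)")
    for key in PASSWORD_KEYS:
        value = kra.get(key, "")
        if not value:
            findings.append(f"{key} is empty")
        elif set(value) == {"X"}:
            findings.append(f"{key} still holds the XXXXXXXX placeholder")
    return findings


def permissions_ok(mode):
    """True when no group/other permission bits are set (e.g. 0o600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_cfg_file(path):
    """Check an on-disk kra.cfg: contents plus file mode (it holds passwords)."""
    with open(path, encoding="utf-8") as fh:
        findings = check_standalone_kra(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not permissions_ok(mode):
        findings.append(f"{path} is readable by group/other (mode {oct(mode)})")
    return findings


if __name__ == "__main__":
    for finding in check_standalone_kra(SAMPLE_CFG) or ["configuration looks ready"]:
        print(finding)
```

Run it against the file named in the pkispawn command (`check_cfg_file("kra.cfg")`) before invoking `pkispawn -s KRA -f kra.cfg -vvv`; with the post's sample contents it reports the two placeholder passwords and nothing else.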