Setting up CA Database

Endi S. Dewata edited this page Dec 6, 2023 · 19 revisions

Overview

This document describes the process to set up the CA database using DS. It assumes that the DS database has been installed as described in DS Installation.

Initializing CA Database

Initializing CA Database with PKI tools

$ pki-server ca-db-init

Availability: Since PKI 11.5

Initializing CA Database with LDAP tools

To configure DS server:

$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f /usr/share/pki/server/database/ds/config.ldif

To configure DS schema:

$ ldapmodify \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f /usr/share/pki/server/database/ds/schema.ldif

To add the base entry:

$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: dc=ca,dc=pki,dc=example,dc=com
objectClass: dcObject
dc: ca
EOF

To add the container entries:

$ sed \
    -e 's/{rootSuffix}/dc=ca,dc=pki,dc=example,dc=com/g' \
    /usr/share/pki/ca/database/ds/create.ldif \
    | tee create.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f create.ldif

To add ACL resources:

$ sed \
    -e 's/{rootSuffix}/dc=ca,dc=pki,dc=example,dc=com/g' \
    /usr/share/pki/ca/database/ds/acl.ldif \
    | tee acl.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f acl.ldif

Adding Search Indexes

Adding Search Indexes with PKI tools

$ pki-server ca-db-index-add

Availability: Since PKI 11.5

Adding Search Indexes with LDAP tools

$ sed \
    -e 's/{database}/userroot/g' \
    /usr/share/pki/ca/database/ds/index.ldif \
    | tee index.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f index.ldif

Rebuilding Search Indexes

Rebuilding Search Indexes with PKI tools

$ pki-server ca-db-index-rebuild

Availability: Since PKI 11.5

Rebuilding Search Indexes with LDAP tools

Start the rebuild task with the following commands:

$ sed \
    -e 's/{database}/userroot/g' \
    /usr/share/pki/ca/database/ds/indextasks.ldif \
    | tee indextasks.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f indextasks.ldif

Wait for the task to complete:

$ ldapsearch \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "cn=index1160589770, cn=index, cn=tasks, cn=config" \
    nsTaskExitCode

Verify that nsTaskExitCode is 0.

Adding CA VLV Indexes

Adding CA VLV Indexes with PKI tools

$ pki-server ca-db-vlv-add

Adding CA VLV Indexes with LDAP tools

$ sed \
    -e 's/{instanceId}/pki-tomcat/g' \
    -e 's/{database}/userroot/g' \
    -e 's/{rootSuffix}/dc=ca,dc=pki,dc=example,dc=com/g' \
    /usr/share/pki/ca/database/ds/vlv.ldif \
    | tee vlv.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f vlv.ldif

Rebuilding CA VLV Indexes

Rebuilding CA VLV Indexes with PKI tools

$ pki-server ca-db-vlv-reindex

Rebuilding CA VLV Indexes with LDAP tools

Start the rebuild task with the following commands:

$ sed \
    -e 's/{database}/userroot/g' \
    -e 's/{instanceId}/pki-tomcat/g' \
    /usr/share/pki/ca/database/ds/vlvtasks.ldif \
    | tee vlvtasks.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f vlvtasks.ldif

Wait for the task to complete:

$ ldapsearch \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "cn=index1160589769, cn=index, cn=tasks, cn=config" \
    nsTaskExitCode

Verify that nsTaskExitCode is 0.
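The "wait for the task to complete" step above, for both the index task and the VLV task, is a manual ldapsearch. The following added example (not part of this wiki page or of the PKI project) polls the task entry until DS reports a result and checks nsTaskExitCode, so the rebuild can be scripted. It assumes the OpenLDAP ldapsearch client, the page's bind DN, password and $HOSTNAME, and a task DN taken from indextasks.ldif or vlvtasks.ldif.

```shell
#!/bin/bash
# Added example, not from the PKI wiki: poll a DS task entry until it finishes
# and check nsTaskExitCode. Assumes ldapsearch and the page's bind settings.

# Print the nsTaskExitCode value found in ldapsearch LDIF output (empty if absent).
task_exit_code() {
    printf '%s\n' "$1" | sed -n 's/^nsTaskExitCode: *//p' | head -n 1
}

# Classify LDIF output as running (no exit code yet), ok (code 0) or failed.
task_state() {
    local code
    code=$(task_exit_code "$1")
    if [ -z "$code" ]; then
        echo running
    elif [ "$code" = 0 ]; then
        echo ok
    else
        echo failed
    fi
}

# Poll the task entry every 5 seconds until it reports a result or the timeout passes.
wait_for_index_task() {
    local task_dn=$1 timeout=${2:-300} waited=0 out
    while [ "$waited" -lt "$timeout" ]; do
        # A missing entry (task not yet created) yields empty output, i.e. "running".
        out=$(ldapsearch -LLL -H "ldap://$HOSTNAME" -D "cn=Directory Manager" \
                  -w Secret.123 -b "$task_dn" nsTaskExitCode 2>/dev/null || true)
        case $(task_state "$out") in
            ok)     echo "task completed: $task_dn"; return 0 ;;
            failed) echo "task failed, nsTaskExitCode=$(task_exit_code "$out"): $task_dn" >&2
                    return 1 ;;
        esac
        sleep 5
        waited=$((waited + 5))
    done
    echo "timed out after ${timeout}s waiting for $task_dn" >&2
    return 1
}

# Constructed samples of ldapsearch -LLL output for a finished, running and failed task.
SAMPLE_DONE='dn: cn=index1160589770,cn=index,cn=tasks,cn=config
nsTaskExitCode: 0'
SAMPLE_RUNNING='dn: cn=index1160589770,cn=index,cn=tasks,cn=config'
SAMPLE_FAILED='dn: cn=index1160589770,cn=index,cn=tasks,cn=config
nsTaskExitCode: 1'
```

After the ldapadd that creates the task, call `wait_for_index_task "cn=index1160589770, cn=index, cn=tasks, cn=config"` (or the VLV task DN) and act on its exit status instead of reading the attribute by hand.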