
Setting up Security Domain

Endi S. Dewata edited this page Dec 2, 2023 · 21 revisions

Creating Security Domain Database

To create a security domain database (here named EXAMPLE) on the subsystem that will manage the domain:

$ pki-server sd-create --name EXAMPLE

Adding Security Domain Manager

To configure a subsystem (e.g. CA) as a security domain manager, i.e. the subsystem that hosts the domain database and issues installation tokens:

$ pki-server ca-config-set securitydomain.select new
$ pki-server ca-config-set securitydomain.name EXAMPLE
$ pki-server ca-config-set securitydomain.host ca.example.com
$ pki-server ca-config-set securitydomain.httpport 8080
$ pki-server ca-config-set securitydomain.httpsadminport 8443
$ pki-server ca-config-set securitydomain.checkIP false
$ pki-server ca-config-set securitydomain.checkinterval 300000
$ pki-server ca-config-set securitydomain.flushinterval 86400000
$ pki-server ca-config-set securitydomain.source ldap

The check and flush intervals are in milliseconds (300000 = 5 minutes, 86400000 = 24 hours). checkIP controls whether the client IP of a security domain session is verified; false disables that check.

To remotely register the subsystem into the security domain (the <token> is an installation token issued by the security domain manager to an authenticated admin; it is a bearer credential, so handle it as a secret):

$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    -U https://ca.example.com:8443 \
    securitydomain-join \
    --install-token <token> \
    --type CA \
    --hostname ca.example.com \
    --secure-port 8443 \
    --unsecure-port 8080 \
    --domain-manager \
    "CA ca.example.com 8443"

To locally register the subsystem into the security domain (no token is needed, since this writes directly to the domain database on this server):

$ pki-server sd-subsystem-add \
    --subsystem CA \
    --hostname ca.example.com \
    --unsecure-port 8080 \
    --secure-port 8443 \
    --domain-manager \
    "CA ca.example.com 8443"

Adding Security Domain Member

To configure a subsystem (e.g. KRA) as a security domain member, pointing it at the manager configured above (securitydomain.host and securitydomain.httpsadminport must match the manager's own host and HTTPS admin port):

$ pki-server kra-config-set securitydomain.select existing
$ pki-server kra-config-set securitydomain.name EXAMPLE
$ pki-server kra-config-set securitydomain.host ca.example.com
$ pki-server kra-config-set securitydomain.httpport 8080
$ pki-server kra-config-set securitydomain.httpsadminport 8443

To remotely register the subsystem into the security domain (again using an installation token issued by the manager):

$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    -U https://ca.example.com:8443 \
    securitydomain-join \
    --install-token <token> \
    --type KRA \
    --hostname kra.example.com \
    --secure-port 8443 \
    --unsecure-port 8080 \
    "KRA kra.example.com 8443"

To locally register the subsystem into the security domain:

$ pki-server sd-subsystem-add \
    --subsystem KRA \
    --hostname kra.example.com \
    --secure-port 8443 \
    --unsecure-port 8080 \
    "KRA kra.example.com 8443"
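Most failed registrations come from the manager and member securitydomain.* settings disagreeing (wrong admin port, a different domain name, a manager missing its session settings). The following is an added example, not part of the Dogtag PKI wiki or code base, that parses the key=value lines that pki-server ca-config-set / kra-config-set write into CS.cfg and cross-checks a member's settings against the manager's before either of the registration commands above is run. The sample configurations are constructed from the values used in the manager and member procedures on this page; the function and variable names are this example's own.

```python
"""Consistency checks for Dogtag securitydomain.* settings before registration.

Added example (not Dogtag code).  Parses the key=value format used by CS.cfg
and flags the mistakes that otherwise surface later as a failed
securitydomain-join: a member pointing at the wrong manager host or port,
a manager without its own session housekeeping settings, bad intervals.
"""
from typing import Dict, List

# Constructed sample: the securitydomain.* lines set on the CA (manager).
MANAGER_CFG = """\
securitydomain.select=new
securitydomain.name=EXAMPLE
securitydomain.host=ca.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.checkIP=false
securitydomain.checkinterval=300000
securitydomain.flushinterval=86400000
securitydomain.source=ldap
"""

# Constructed sample: the securitydomain.* lines set on the KRA (member).
MEMBER_CFG = """\
securitydomain.select=existing
securitydomain.name=EXAMPLE
securitydomain.host=ca.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg-style 'key=value' lines; blanks and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def _valid_port(value: str) -> bool:
    return value.isdigit() and 1 <= int(value) <= 65535


def check_security_domain(cfg: Dict[str, str]) -> List[str]:
    """Return the problems found in one subsystem's settings (empty list == consistent)."""
    sd = {k[len("securitydomain."):]: v for k, v in cfg.items()
          if k.startswith("securitydomain.")}
    problems: List[str] = []
    select = sd.get("select")
    if select not in ("new", "existing"):
        problems.append(f"securitydomain.select must be 'new' (manager) or "
                        f"'existing' (member), got {select!r}")
    for key in ("name", "host", "httpport", "httpsadminport"):
        if key not in sd:
            problems.append(f"securitydomain.{key} is missing")
    for key in ("httpport", "httpsadminport"):
        if key in sd and not _valid_port(sd[key]):
            problems.append(f"securitydomain.{key}={sd[key]!r} is not a valid port")
    if select == "new":
        # A manager serves the domain itself, so it also needs the session
        # housekeeping settings; both intervals are milliseconds.
        for key in ("checkinterval", "flushinterval"):
            if not sd.get(key, "").isdigit():
                problems.append(f"securitydomain.{key} must be an integer number of milliseconds")
        if sd.get("source") != "ldap":
            problems.append(f"securitydomain.source should be 'ldap', got {sd.get('source')!r}")
    return problems


def check_member_against_manager(member: Dict[str, str], manager: Dict[str, str]) -> List[str]:
    """A member must name the same domain and point at the manager's own host and ports."""
    problems: List[str] = []
    for key in ("name", "host", "httpport", "httpsadminport"):
        m = member.get(f"securitydomain.{key}")
        n = manager.get(f"securitydomain.{key}")
        if m != n:
            problems.append(f"member securitydomain.{key}={m!r} does not match manager {n!r}")
    return problems


def subsystem_entry(subsystem_type: str, hostname: str, secure_port: str) -> str:
    """The '<TYPE> <hostname> <port>' name passed to securitydomain-join / sd-subsystem-add."""
    return f"{subsystem_type.upper()} {hostname} {secure_port}"


if __name__ == "__main__":
    manager = parse_cs_cfg(MANAGER_CFG)
    member = parse_cs_cfg(MEMBER_CFG)
    for label, found in (("manager", check_security_domain(manager)),
                         ("member", check_security_domain(member)),
                         ("member vs manager", check_member_against_manager(member, manager))):
        print(label, "OK" if not found else found)
    print(subsystem_entry("KRA", "kra.example.com", "8443"))
```

On a real server the two inputs would be the securitydomain.* lines read from each instance's CS.cfg (for example via pki-server ca-config-find / kra-config-find); the checks are deliberately limited to what the page itself sets, so a clean result means only that the two sides agree, not that the manager is reachable or that the installation token is valid.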
