KRA Installation Process - dogtagpki/freeipa GitHub Wiki

Overview

This page describes the process used to install a KRA (Key Recovery Authority) in IPA 4.9.

Installation Process

The process is defined in KRAInstance.configure_instance() (ipaserver/install/krainstance.py). Each step is registered with self.step() and then executed in order by start_creation(); the pkispawn files are removed afterwards regardless of whether installation succeeded:

        if promote:
            self.step("creating ACIs for admin", self.add_ipaca_aci)
            self.step("creating installation admin user", self.setup_admin)
        self.step("configuring KRA instance", self.__spawn_instance)
        if not self.clone:
            self.step("create KRA agent",
                      self.__create_kra_agent)
        if promote:
            self.step("destroying installation admin user",
                      self.teardown_admin)
        self.step("enabling ephemeral requests", self.enable_ephemeral)
        self.step("restarting KRA", self.restart_instance)
        self.step("configure certmonger for renewals",
                  self.configure_certmonger_renewal_helpers)
        self.step("configure certificate renewals", self.configure_renewal)
        if not self.clone:
            self.step("add vault container", self.__add_vault_container)
        self.step("apply LDAP updates", self.__apply_updates)

        self.step("enabling KRA instance", self.__enable_instance)

        try:
            self.start_creation(runtime=120)
        finally:
            self.clean_pkispawn_files()

Creating ACIs for admin

See Creating ACIs for Admin.

Creating installation admin user

See Creating Installation Admin User.

Configuring KRA instance

This step is defined in KRAInstance.__spawn_instance().

It creates and configures a new KRA subsystem with pkispawn: it writes a pkispawn configuration file containing the IPA-specific parameters and hands it to the base class (DogtagInstance), which runs pkispawn.

See also:

Creating KRA agent

This step is defined in KRAInstance.__create_kra_agent().

It creates the KRA agent user entry in the KRA's internal database:

dn: uid=ipakra,ou=people,o=kra,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: ipakra
sn: IPA KRA User
cn: IPA KRA User
usertype: undefined

assigns the IPA RA agent certificate to that user, so that a client authenticating with the RA certificate is mapped to ipakra (the description attribute carries Dogtag's certificate-mapping record: version 2, then the serial number, issuer DN and subject DN of the certificate):

dn: uid=ipakra,ou=people,o=kra,o=ipaca
changetype: modify
add: userCertificate
userCertificate: <cert data>
-
add: description
description: 2;<serial number>;<issuer DN>;<subject DN>

and adds the user to the Data Recovery Manager Agents group, which grants access to the KRA agent services:

dn: cn=Data Recovery Manager Agents,ou=groups,o=kra,o=ipaca
changetype: modify
add: uniqueMember
uniqueMember: uid=ipakra,ou=people,o=kra,o=ipaca
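
The three operations above, written as an LDIF builder, as an added example for this page rather than FreeIPA's own code. It assumes only the entry names shown on this page and the description format 2;<serial>;<issuer DN>;<subject DN>; SAMPLE_PEM is a constructed placeholder whose DER content is only base64-wrapped, never parsed.

```python
"""Build the LDIF that registers the IPA RA agent certificate as the KRA agent.

Added example for this wiki page; it is not FreeIPA's own code.  It assumes
only the entry names the page shows (uid=ipakra, the "Data Recovery Manager
Agents" group) and Dogtag's certificate-mapping record in the description
attribute:  2;<serial>;<issuer DN>;<subject DN>
"""
import base64
import re

KRA_BASE = "o=kra,o=ipaca"
AGENT_DN = f"uid=ipakra,ou=people,{KRA_BASE}"
AGENT_GROUP_DN = f"cn=Data Recovery Manager Agents,ou=groups,{KRA_BASE}"

# Constructed placeholder, not a real certificate: the DER is just the bytes
# 30 03 02 01 01 so the base64 round trip can be checked.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def cert_description(serial: int, issuer: str, subject: str) -> str:
    """Dogtag cmsuser description: version 2, serial (decimal), issuer, subject."""
    if serial < 0:
        raise ValueError("serial must be non-negative")
    for dn in (issuer, subject):
        if ";" in dn:
            raise ValueError("DN must not contain ';' (the field separator)")
    return f"2;{serial};{issuer};{subject}"


def parse_description(desc: str) -> dict:
    """Inverse of cert_description; rejects anything but version 2 with 4 fields."""
    parts = desc.split(";", 3)
    if len(parts) != 4 or parts[0] != "2" or not parts[1].isdigit():
        raise ValueError(f"malformed cmsuser description: {desc!r}")
    return {"serial": int(parts[1]), "issuer": parts[2], "subject": parts[3]}


def ldif_b64(attr: str, value: bytes) -> str:
    """LDIF '::' form for a binary attribute value (RFC 2849)."""
    return f"{attr}:: {base64.b64encode(value).decode()}"


def kra_agent_ldif(pem: str, serial: int, issuer: str, subject: str) -> str:
    """The three LDAP operations the page describes, as one LDIF change set."""
    der = pem_to_der(pem)
    add_user = "\n".join([
        f"dn: {AGENT_DN}",
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "objectClass: cmsuser",
        "uid: ipakra",
        "sn: IPA KRA User",
        "cn: IPA KRA User",
        "usertype: undefined",
    ])
    assign_cert = "\n".join([
        f"dn: {AGENT_DN}",
        "changetype: modify",
        "add: userCertificate",
        ldif_b64("userCertificate", der),  # binary value, hence the '::' form
        "-",
        "add: description",
        f"description: {cert_description(serial, issuer, subject)}",
    ])
    add_to_group = "\n".join([
        f"dn: {AGENT_GROUP_DN}",
        "changetype: modify",
        "add: uniqueMember",
        f"uniqueMember: {AGENT_DN}",
    ])
    return "\n\n".join([add_user, assign_cert, add_to_group]) + "\n"


if __name__ == "__main__":
    # Hypothetical DNs for illustration.
    print(kra_agent_ldif(SAMPLE_PEM, 7,
                         "CN=Certificate Authority,O=EXAMPLE.TEST",
                         "CN=IPA RA,O=EXAMPLE.TEST"))
```

The description field separator is ';', so a DN containing that character cannot be represented; the builder rejects it rather than emitting a record Dogtag would mis-parse. parse_description is the check a practitioner can run against an existing ipakra entry to confirm the mapping record still matches the RA certificate after a renewal.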

Destroying installation admin user

See Removing Bootstrap Admin User.

Enabling ephemeral requests

This step is defined in KRAInstance.enable_ephemeral().

It enables ephemeral KRA requests: the KRA then no longer persists a request record in LDAP for each archival or recovery operation, which reduces the number of LDAP write operations.

It modifies the following parameter in /var/lib/pki/pki-tomcat/conf/kra/CS.cfg:

kra.ephemeralRequests=true
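
An idempotent way to set and then verify that directive, as an added example for this page (FreeIPA's installer uses its own directive-setting helper; this is not that code). It operates on the file content as text, and CS_CFG_SAMPLE is a constructed fragment, not a real CS.cfg:

```python
"""Set or verify a key=value directive in a Dogtag CS.cfg.

Added example for this wiki page, not FreeIPA's installer code.  Works on
the file content as a string so it can be exercised offline; the caller
reads and writes /var/lib/pki/pki-tomcat/conf/kra/CS.cfg itself.
"""
from typing import Optional

# Constructed fragment for illustration, not a real CS.cfg.
CS_CFG_SAMPLE = """\
# constructed fragment
kra.ephemeralRequests=false
kra.storageUnit.nickname=storageUnit
"""


def get_directive(text: str, key: str) -> Optional[str]:
    """Return the value of `key`, or None if the directive is not set."""
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    return None


def set_directive(text: str, key: str, value: str) -> str:
    """Replace `key` in place (keeping every other line) or append it.

    Duplicate definitions are collapsed into the first one, and applying
    the function twice yields the same text.
    """
    out = []
    found = False
    for line in text.splitlines():
        k, sep, _ = line.partition("=")
        if sep and not line.lstrip().startswith("#") and k.strip() == key:
            if not found:
                out.append(f"{key}={value}")
                found = True
            continue  # drop any later duplicate of the same key
        out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def enable_ephemeral_requests(text: str) -> str:
    """What the page's 'enabling ephemeral requests' step does to CS.cfg."""
    return set_directive(text, "kra.ephemeralRequests", "true")


def ephemeral_requests_enabled(text: str) -> bool:
    """Post-install check; accepts 'true' in any letter case."""
    v = get_directive(text, "kra.ephemeralRequests")
    return v is not None and v.lower() == "true"


if __name__ == "__main__":
    updated = enable_ephemeral_requests(CS_CFG_SAMPLE)
    print(updated, "enabled:", ephemeral_requests_enabled(updated))
```

Because the KRA reads CS.cfg only at startup, a changed value takes effect after the restart in the next step, so the check is worth running against the live file after the restart rather than before.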

Restarting KRA

This step is defined in KRAInstance.restart_instance(). It restarts the PKI Tomcat instance so that the KRA picks up the updated CS.cfg:

$ systemctl restart pki-tomcatd@pki-tomcat

Configuring certmonger for renewals

See Configuring certmonger for Renewals.

Configuring certificate renewals

See Configure Certificate Renewals.

Adding vault container

This step is defined in KRAInstance.__add_vault_container().

Applying LDAP updates

This step is defined in KRAInstance.__apply_updates().

It applies the changes defined in 40-vault.update.

Enabling KRA instance

This step is defined in KRAInstance.__enable_instance().

Cleaning up pkispawn files

See Cleaning up pkispawn Files.
