Configuring ACME with DS Database - dogtagpki/pki GitHub Wiki
This document describes the process to configure ACME responder to use a DS database. It assumes that the DS database has been installed as described in DS Installation.
First, add the ACME DS schema by importing /usr/share/pki/acme/database/ds/schema.ldif with the following command:
$ ldapmodify -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
-f /usr/share/pki/acme/database/ds/schema.ldif
Next, create the ACME DS indexes by importing /usr/share/pki/acme/database/ds/index.ldif with the following command:
$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
-f /usr/share/pki/acme/database/ds/index.ldif
Note: By default the index.ldif will use userroot as the DS backend.
If necessary, the database can be reindexed by importing /usr/share/pki/acme/database/ds/indextask.ldif with the following command:
$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
-f /usr/share/pki/acme/database/ds/indextask.ldif
The progress of the reindex task can be monitored with the following command:
$ ldapsearch -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
-b "cn=acme,cn=index,cn=tasks,cn=config"
Once the indexes are ready, create the ACME subtree by importing /usr/share/pki/acme/database/ds/create.ldif with the following command:
$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
-f /usr/share/pki/acme/database/ds/create.ldif
Note: By default the create.ldif will create the subtree under dc=pki,dc=example,dc=com which is mapped to userroot DS backend.
A sample database configuration is available at /usr/share/pki/acme/database/ds/database.conf.
To use the DS database, copy the sample database.conf into the /var/lib/pki/pki-tomcat/conf/acme folder,
or execute the following command to customize some of the parameters:
$ pki-server acme-database-mod --type ds \
-DbindPassword=Secret.123
Customize the database configuration as needed. In a standalone ACME deployment, the database.conf should look like the following:
class=org.dogtagpki.acme.database.DSDatabase url=ldap://<hostname>:389 authType=BasicAuth bindDN=cn=Directory Manager bindPassword=Secret.123 baseDN=dc=acme,dc=pki,dc=example,dc=com
In a shared CA and ACME deployment, the database.conf should look like the following:
class=org.dogtagpki.acme.database.DSDatabase configFile=conf/ca/CS.cfg baseDN=dc=acme,dc=pki,dc=example,dc=com
The DS database provides an ACME configuration monitor using search persistence. It can be enabled with the following parameter:
monitor.enabled=true