Configuring ACME with DS Realm - dogtagpki/pki GitHub Wiki
This document describes how to configure the ACME responder to use a DS database as its authentication realm. It assumes that the DS database has been installed as described in DS Installation.
A sample realm configuration is available at /usr/share/pki/acme/realm/ds/realm.conf.
To use the DS realm, copy the sample realm.conf into the /var/lib/pki/pki-tomcat/conf/acme folder,
or execute the following command to customize some of the parameters:
$ pki-server acme-realm-mod \
--type ds \
-DbindPassword=Secret.123
Customize the realm configuration as needed. In a standalone ACME deployment, the realm.conf should look like the following:
class=org.dogtagpki.acme.realm.DSRealm
url=ldap://<hostname>:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
usersDN=ou=people,dc=acme,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=acme,dc=pki,dc=example,dc=com
Note that realm.conf stores the bind password in clear text, so keep it readable only by the user the PKI server runs as. In production, prefer a dedicated bind DN with read access to the users and groups subtrees over cn=Directory Manager, and ldaps:// over ldap://, so the password is neither over-privileged nor sent in clear over the network.
In a shared CA and ACME deployment, the realm.conf should look like the following:
class=org.dogtagpki.acme.realm.DSRealm
configFile=conf/ca/CS.cfg
usersDN=ou=people,dc=ca,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=ca,dc=pki,dc=example,dc=com
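As an added check before initializing the realm (example code, not part of the dogtagpki/pki project): a small POSIX shell lint for realm.conf that verifies the keys each deployment style needs are present (url, bindDN and bindPassword for standalone; configFile for shared CA and ACME) and warns about a Directory Manager bind over plain ldap:// and a world-readable file. The function names, the host ds.example.com and the sample files it writes are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the dogtagpki/pki project: a lint for an
# ACME DS realm.conf. It checks for the keys the two deployment styles
# need (standalone: url/bindDN/bindPassword; shared CA+ACME: configFile)
# and warns about settings a reviewer would question. Function names,
# the ds.example.com host and the sample files are constructed here.

# realm_get FILE KEY: print the value of the first "KEY=value" line.
realm_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_acme_realm_conf FILE: return 0 if usable, 1 if a required key is
# missing. Warnings go to stderr and do not affect the exit status.
check_acme_realm_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "$conf: no such file" >&2; return 1; }

    if [ "$(realm_get "$conf" class)" != "org.dogtagpki.acme.realm.DSRealm" ]; then
        echo "$conf: class must be org.dogtagpki.acme.realm.DSRealm" >&2
        return 1
    fi

    # Both styles need the subtrees the realm searches for users and groups.
    for key in usersDN groupsDN; do
        if [ -z "$(realm_get "$conf" "$key")" ]; then
            echo "$conf: missing $key" >&2
            return 1
        fi
    done

    # Shared deployment: the LDAP connection comes from the CA's CS.cfg.
    if [ -n "$(realm_get "$conf" configFile)" ]; then
        return 0
    fi

    # Standalone deployment: the realm carries its own connection settings.
    for key in url bindDN bindPassword; do
        if [ -z "$(realm_get "$conf" "$key")" ]; then
            echo "$conf: standalone realm missing $key" >&2
            return 1
        fi
    done

    url=$(realm_get "$conf" url)
    case "$url" in
        ldaps://*) ;;
        *) echo "$conf: warning: $url is not ldaps://, the bind password crosses the wire in clear" >&2 ;;
    esac
    if [ "$(realm_get "$conf" bindDN)" = "cn=Directory Manager" ]; then
        echo "$conf: warning: binds as Directory Manager; a dedicated read-only bind DN is safer" >&2
    fi
    # The file holds bindPassword in clear text, so "others" should have no bits.
    if [ "$(ls -ld "$conf" | cut -c8-10)" != "---" ]; then
        echo "$conf: warning: readable by others, consider chmod 600" >&2
    fi
    return 0
}

# write_sample_realm_confs DIR: constructed samples mirroring the two
# configurations on this page, plus one with the bind credentials left out.
write_sample_realm_confs() {
    cat > "$1/standalone.conf" <<'EOF'
class=org.dogtagpki.acme.realm.DSRealm
url=ldap://ds.example.com:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
usersDN=ou=people,dc=acme,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=acme,dc=pki,dc=example,dc=com
EOF
    cat > "$1/shared.conf" <<'EOF'
class=org.dogtagpki.acme.realm.DSRealm
configFile=conf/ca/CS.cfg
usersDN=ou=people,dc=ca,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=ca,dc=pki,dc=example,dc=com
EOF
    cat > "$1/broken.conf" <<'EOF'
class=org.dogtagpki.acme.realm.DSRealm
url=ldap://ds.example.com:389
usersDN=ou=people,dc=acme,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=acme,dc=pki,dc=example,dc=com
EOF
}

# Demo: standalone and shared pass (with warnings), broken is rejected.
demo_dir=$(mktemp -d)
write_sample_realm_confs "$demo_dir"
for name in standalone shared broken; do
    if check_acme_realm_conf "$demo_dir/$name.conf"; then
        echo "$name.conf: OK"
    else
        echo "$name.conf: REJECTED"
    fi
done
rm -rf "$demo_dir"
```

Run it against /var/lib/pki/pki-tomcat/conf/acme/realm.conf with `check_acme_realm_conf /var/lib/pki/pki-tomcat/conf/acme/realm.conf` before `pki-server acme-realm-init`; a non-zero exit means a required key is absent, and the warnings point at the settings worth tightening before the responder goes into service.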
Once the ACME realm is configured, it can be initialized with the following command:
$ pki-server acme-realm-init
Alternatively, the ACME realm can be initialized manually with LDAP tools.
Create the DS subtrees for ACME realm by importing /usr/share/pki/acme/realm/ds/create.ldif with the following command:
$ ldapadd \
-H ldap://$HOSTNAME \
-x -D "cn=Directory Manager" \
-w Secret.123 \
-f /usr/share/pki/acme/realm/ds/create.ldif