Configuring CMC Shared Token Authentication - dogtagpki/pki GitHub Wiki
This page describes the process to configure CMC shared token authentication.
It assumes that:

- An issuance protection certificate has been created.
Define an LDAP attribute (e.g. `shrTok`) to store the shared token in an LDIF file (e.g. `/usr/share/pki/ca/auth/ds/schema.ldif`).

To add the attribute:

```
$ ldapmodify \
    -H ldap://ds.example.com:3389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f schema.ldif
```
Define an LDAP subtree (e.g. `ou=people,dc=example,dc=com`) to store LDAP users in an LDIF file (e.g. `/usr/share/pki/ca/auth/ds/create.ldif`).

To add the subtree:

```
$ ldapadd \
    -H ldap://ds.example.com:3389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f create.ldif
```
Define an LDAP user (e.g. `uid=testuser,ou=people,dc=example,dc=com`) in an LDIF file (e.g. `/usr/share/pki/ca/auth/ds/example.ldif`).

To add the user:

```
$ ldapadd \
    -H ldap://ds.example.com:3389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f example.ldif
```
Configure CMC shared token authentication to use the above authentication database:

```
$ pki-server ca-config-set auths.instance.SharedToken.ldap.basedn ou=people,dc=example,dc=com
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapauth.authtype BasicAuth
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapauth.bindDN "cn=Directory Manager"
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapauth.bindPWPrompt "Rule SharedToken"
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapconn.host ds.example.com
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapconn.port 3389
$ pki-server ca-config-set auths.instance.SharedToken.ldap.ldapconn.secureConn false
$ pki-server ca-config-set auths.instance.SharedToken.pluginName SharedToken
$ pki-server ca-config-set auths.instance.SharedToken.shrTokAttr shrTok
```
To enable the RSA profile:

```
$ sed -i \
    -e "s/^\(enable\)=.*/\1=true/" \
    /var/lib/pki/pki-tomcat/ca/profiles/ca/caFullCMCSharedTokenCert.cfg
```

To enable the EC profile:

```
$ sed -i \
    -e "s/^\(enable\)=.*/\1=true/" \
    /var/lib/pki/pki-tomcat/ca/profiles/ca/caECFullCMCSharedTokenCert.cfg
```
Redeploy the CA to apply the changes:

```
$ pki-server ca-undeploy --wait
$ pki-server ca-deploy --wait
```
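As an added check after the steps above (example code, not from the pki project or this wiki): a POSIX shell script that reads a constructed CS.cfg fragment matching the settings configured on this page, verifies that every `auths.instance.SharedToken.*` key is present, and flags that `secureConn=false` sends the Directory Manager bind password over plaintext LDAP. The functions `cfg_get`, `check_shared_token` and `ldap_bind_is_plaintext` are the example's own; point them at a real CS.cfg to audit an instance.

```shell
#!/bin/sh
# Added example, not part of the dogtagpki wiki. Audits the SharedToken
# settings in a CS.cfg-style key=value file.

# Constructed sample: the lines the pki-server ca-config-set commands above
# leave in CS.cfg.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
auths.instance.SharedToken.ldap.basedn=ou=people,dc=example,dc=com
auths.instance.SharedToken.ldap.ldapauth.authtype=BasicAuth
auths.instance.SharedToken.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.SharedToken.ldap.ldapauth.bindPWPrompt=Rule SharedToken
auths.instance.SharedToken.ldap.ldapconn.host=ds.example.com
auths.instance.SharedToken.ldap.ldapconn.port=3389
auths.instance.SharedToken.ldap.ldapconn.secureConn=false
auths.instance.SharedToken.pluginName=SharedToken
auths.instance.SharedToken.shrTokAttr=shrTok
EOF

# cfg_get FILE KEY: print the value of KEY (empty when the key is absent).
# Only the first '=' separates key from value, so DNs with '=' survive.
cfg_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# check_shared_token FILE: return 0 when every key this page sets is present,
# 1 otherwise, listing the missing keys on stdout.
check_shared_token() {
    missing=0
    for key in ldap.basedn ldap.ldapauth.authtype ldap.ldapauth.bindDN \
               ldap.ldapauth.bindPWPrompt ldap.ldapconn.host \
               ldap.ldapconn.port ldap.ldapconn.secureConn \
               pluginName shrTokAttr; do
        if [ -z "$(cfg_get "$1" "auths.instance.SharedToken.$key")" ]; then
            echo "missing: auths.instance.SharedToken.$key"
            missing=1
        fi
    done
    return $missing
}

# ldap_bind_is_plaintext FILE: return 0 when secureConn is anything but
# "true", i.e. the bindDN password crosses the network unencrypted.
ldap_bind_is_plaintext() {
    [ "$(cfg_get "$1" auths.instance.SharedToken.ldap.ldapconn.secureConn)" != "true" ]
}

check_shared_token "$SAMPLE_CFG" && echo "SharedToken configuration complete"
ldap_bind_is_plaintext "$SAMPLE_CFG" && echo "warning: secureConn=false, LDAP bind is in clear"
```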