Installing DS Server - dogtagpki/pki GitHub Wiki

Overview

This page describes the process to prepare a local DS instance for PKI server.

Normally the DS installation automatically generates a self-signed signing certificate and a server certificate for SSL connections. In this procedure both the certificate generation and the SSL connection are disabled by default; they can be enabled after installation if necessary.

For DS 1.3 or older, see DS 1.3 Installation.

Installing DS Packages

To install DS packages:

$ dnf install -y 389-ds-base

Creating DS Instance

Generate a DS configuration file (e.g. ds.inf):

$ dscreate create-template ds.inf

Customize the DS configuration file as follows:

$ sed -i \
    -e "s/;instance_name = .*/instance_name = localhost/g" \
    -e "s/;root_password = .*/root_password = Secret.123/g" \
    -e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
    -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \
    -e "s/;self_sign_cert = .*/self_sign_cert = False/g" \
    ds.inf

where

  • instance_name specifies the name of the DS instance. In this example it’s set to localhost.

  • root_password specifies the password for DS admin (i.e. cn=Directory Manager). In this example it’s set to Secret.123.

  • suffix specifies the namespace for the DS instance. In this example it’s set to dc=example,dc=com.

  • self_sign_cert specifies whether to create self-signed certificates for SSL connections. In this example it’s set to False. The SSL connection can be enabled after installation; see Enabling SSL Connection below.

For more information see the parameter descriptions in the DS configuration file itself (i.e. ds.inf) and in DS documentation.

Finally, create the instance:

$ dscreate from-file ds.inf

Creating PKI Subtree

Initially the DS instance contains no PKI entries. Use an LDAP client to add the PKI base entry, for example:

$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: dc=pki,dc=example,dc=com
objectClass: domain
dc: pki
EOF

The subtree for each PKI subsystem will be created when the subsystem is installed. See PKI LDAP Tree.
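The steps above, from generating the template to adding the PKI base entry, wrapped in shell functions as an added example (this is not the wiki's or the project's own script). It keeps the same values as the page (instance localhost, suffix dc=example,dc=com, password Secret.123) but makes two changes a practitioner would want: ds.inf is chmod 600 after customization because it now holds the Directory Manager password in cleartext, and ldapadd/ldapsearch read the password from a mode-600 file with -y instead of receiving it on the command line with -w, where it would be visible in the process list and shell history. The make_sample_template function is a constructed stand-in for a dscreate template so the file-rewriting helpers can be exercised on a machine without 389-ds installed; install_ds itself assumes dscreate and the OpenLDAP client tools are present.

```shell
#!/bin/bash
# Added example, not from the dogtagpki/pki wiki. Assumes GNU sed (-i) and the
# OpenLDAP client tools (ldapadd/ldapsearch with -y passwdfile).
set -eu

# Apply the page's customizations to a dscreate template in place.
# Uses '|' as the sed delimiter so a suffix or password containing '/' is safe;
# a value containing '|' or '&' is not handled (assumption of this example).
customize_ds_inf() {
    inf="$1"; name="$2"; pw="$3"; suffix="$4"
    sed -i \
        -e "s|;instance_name = .*|instance_name = $name|g" \
        -e "s|;root_password = .*|root_password = $pw|g" \
        -e "s|;suffix = .*|suffix = $suffix|g" \
        -e "s|;create_suffix_entry = .*|create_suffix_entry = True|g" \
        -e "s|;self_sign_cert = .*|self_sign_cert = False|g" \
        "$inf"
    chmod 600 "$inf"   # the file now contains the Directory Manager password
}

# Print the (uncommented) value of a key from ds.inf, for verification.
ds_inf_get() {
    grep -E "^$2 = " "$1" | head -n 1 | sed 's/^[^=]*= //'
}

# Emit the LDIF for the PKI base entry directly under the suffix.
pki_base_ldif() {
    printf 'dn: dc=pki,%s\nobjectClass: domain\ndc: pki\n' "$1"
}

# Full procedure: template -> customize -> create instance -> add PKI base entry.
# Run as: ./this_script.sh install   (requires dscreate and ldap tools)
install_ds() {
    name="${1:-localhost}"; pw="${2:-Secret.123}"; suffix="${3:-dc=example,dc=com}"
    dscreate create-template ds.inf
    customize_ds_inf ds.inf "$name" "$pw" "$suffix"
    dscreate from-file ds.inf
    # Password file for the LDAP tools: no trailing newline, mode 600.
    (umask 077; printf '%s' "$pw" > dm.pw)
    pki_base_ldif "$suffix" | ldapadd -H "ldap://$HOSTNAME" -x \
        -D "cn=Directory Manager" -y dm.pw
    # Check: a base-scope search on the new entry must return exactly one DN.
    ldapsearch -H "ldap://$HOSTNAME" -x -D "cn=Directory Manager" -y dm.pw \
        -b "dc=pki,$suffix" -s base "(objectClass=domain)" dn
}

# Constructed stand-in for the commented-out lines of a real dscreate template,
# so customize_ds_inf can be exercised without a DS installation.
make_sample_template() {
    cat > "$1" <<'EOF'
[general]
;full_machine_name = localhost.localdomain
[slapd]
;instance_name = localhost
;root_password = Directory_Manager_Password
;self_sign_cert = True
[backend-userroot]
;create_suffix_entry = False
;suffix = dc=example,dc=com
EOF
}

# Only touch a real system when explicitly asked.
if [ "${1:-}" = "install" ]; then
    install_ds
fi
```

Running the script with no argument does nothing; pass install to create the instance. The self-test helpers (make_sample_template, ds_inf_get) only rewrite a temporary file, which is enough to confirm the substitutions and the resulting file mode before the real ds.inf is touched.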

Enabling SSL Connection

If required, PKI can use an SSL connection to DS.

To enable SSL connection in DS, see Enabling SSL Connection in DS.

Configuring Replication

See Configuring DS Replication.

Removing DS Instance

To remove the DS instance:

$ dsctl localhost remove --do-it

Log Files

DS log files are available in /var/log/dirsrv/slapd-localhost:

  • access

  • audit

  • errors
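The access log is the one to watch for authentication abuse against cn=Directory Manager. As an added example (not from the wiki), the following shell functions correlate the three line types 389-ds writes for a bind, the "connection from <ip>" line, the "BIND dn=..." line and the matching "RESULT err=..." line, and report failed binds (err=49, LDAP invalidCredentials) per source address. The log lines in write_sample_log are constructed for this example, following the 389-ds access log layout; field positions assume the default timestamp format with a space before the timezone.

```shell
#!/bin/bash
# Added example, not from the dogtagpki/pki wiki. Works on
# /var/log/dirsrv/slapd-localhost/access or any file in the same format.
set -eu

# Print "ip dn" for every BIND operation that ended with err=49.
# Fields: $1 $2 = timestamp, $3 = conn=N, $4 = op=N, $5 = BIND/RESULT/...
failed_binds() {
    awk '
        / connection from / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip[$3] = $(i + 1)
        }
        / BIND dn=/ {
            match($0, /dn="[^"]*"/)
            dn[$3 "/" $4] = substr($0, RSTART + 4, RLENGTH - 5)
        }
        / RESULT err=49 / {
            key = $3 "/" $4
            print (($3 in ip) ? ip[$3] : "unknown"), dn[key]
        }
    ' "$1"
}

# Number of failed binds seen from one source address.
failed_bind_count() {
    failed_binds "$1" | awk -v ip="$2" '$1 == ip { n++ } END { print n + 0 }'
}

# Source addresses with at least $2 failed binds (a simple alert threshold).
brute_force_sources() {
    failed_binds "$1" | awk -v t="$2" '
        { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip }'
}

# Constructed sample log: three failures from 192.0.2.10 across two DNs,
# one successful bind from 192.0.2.20.
write_sample_log() {
    cat > "$1" <<'EOF'
[12/Mar/2024:10:15:01.000000001 +0000] conn=17 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.5
[12/Mar/2024:10:15:01.100000001 +0000] conn=17 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[12/Mar/2024:10:15:01.200000001 +0000] conn=17 op=0 RESULT err=49 tag=97 nentries=0 etime=0.000102
[12/Mar/2024:10:15:02.000000001 +0000] conn=17 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[12/Mar/2024:10:15:02.100000001 +0000] conn=17 op=1 RESULT err=49 tag=97 nentries=0 etime=0.000101
[12/Mar/2024:10:15:03.000000001 +0000] conn=18 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.5
[12/Mar/2024:10:15:03.100000001 +0000] conn=18 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[12/Mar/2024:10:15:03.200000001 +0000] conn=18 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000100 dn="cn=directory manager"
[12/Mar/2024:10:15:04.000000001 +0000] conn=17 op=2 BIND dn="uid=alice,dc=pki,dc=example,dc=com" method=128 version=3
[12/Mar/2024:10:15:04.100000001 +0000] conn=17 op=2 RESULT err=49 tag=97 nentries=0 etime=0.000104
EOF
}

# Usage: ./this_script.sh /var/log/dirsrv/slapd-localhost/access [threshold]
if [ $# -ge 1 ]; then
    echo "failed binds (ip dn):"; failed_binds "$1"
    echo "sources at or above threshold ${2:-5}:"; brute_force_sources "$1" "${2:-5}"
fi
```

Keying the DN by conn/op rather than by conn alone matters because a single connection can carry several binds (conn=17 above tries two different DNs), and the source address lives only on the "connection from" line, so it has to be remembered per connection.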

See Also
