Setting up Security Domain - dogtagpki/pki GitHub Wiki

Overview

This page describes how to set up a security domain and how to register a security domain manager and a security domain member.

In most cases the security domain manager will be running on the CA, but a standalone KRA or OCSP may have its own security domain manager.

Creating Security Domain Database

To create a security domain database:

$ pki-server sd-create --name EXAMPLE

Adding Security Domain Manager

To configure a subsystem (e.g. CA) as a security domain manager:

$ pki-server ca-config-set securitydomain.select new
$ pki-server ca-config-set securitydomain.name EXAMPLE
$ pki-server ca-config-set securitydomain.host ca.example.com
$ pki-server ca-config-set securitydomain.httpport 8080
$ pki-server ca-config-set securitydomain.httpsadminport 8443
$ pki-server ca-config-set securitydomain.checkIP false
$ pki-server ca-config-set securitydomain.checkinterval 300000
$ pki-server ca-config-set securitydomain.flushinterval 86400000
$ pki-server ca-config-set securitydomain.source ldap

To remotely register the subsystem into the security domain:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    -U https://ca.example.com:8443 \
    securitydomain-join \
    --install-token <token> \
    --type CA \
    --hostname ca.example.com \
    --secure-port 8443 \
    --unsecure-port 8080 \
    --domain-manager \
    "CA ca.example.com 8443"

To locally register the subsystem into the security domain:

$ pki-server sd-subsystem-add \
    --subsystem CA \
    --hostname pki.example.com \
    --unsecure-port 8080 \
    --secure-port 8443 \
    --domain-manager \
    "CA pki.example.com 8443"

Adding Security Domain Member

To configure a subsystem (e.g. KRA) as a security domain member:

$ pki-server kra-config-set securitydomain.select existing
$ pki-server kra-config-set securitydomain.name EXAMPLE
$ pki-server kra-config-set securitydomain.host ca.example.com
$ pki-server kra-config-set securitydomain.httpport 8080
$ pki-server kra-config-set securitydomain.httpsadminport 8443

To remotely register the subsystem into the security domain:

$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    -U https://ca.example.com:8443 \
    securitydomain-join \
    --install-token <token> \
    --type KRA \
    --hostname kra.example.com \
    --secure-port 8443 \
    --unsecure-port 8080 \
    "KRA kra.example.com 8443"

To locally register the subsystem into the security domain:

$ pki-server sd-subsystem-add \
    --subsystem KRA \
    --hostname kra.example.com \
    --secure-port 8443 \
    --unsecure-port 8080 \
    "KRA kra.example.com 8443"
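As an added example (not code from the dogtagpki wiki or from pki-server itself), the POSIX shell script below checks the securitydomain.* keys from the manager and member sections above before an instance is started: it verifies that every key the selected role needs is present and that the two port keys are numeric, and it confirms that a member's domain name and manager endpoint agree with what the manager itself is configured with. The CS.cfg-style sample files, the temporary directory and the function names are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the dogtagpki wiki or of pki-server itself: sanity-check
# the securitydomain.* keys in a subsystem's CS.cfg before the instance is started,
# and confirm a member's view of the domain matches the manager's. Sample configs
# are constructed below from the values shown on the page.

cfg_get() {  # cfg_get FILE KEY -> value of "KEY=value", empty if absent
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^$key=//p" "$1" | head -n 1
}

# sd_check FILE: 0 if every key the selected role needs is present and the two
# port keys are numeric; otherwise lists the problems on stderr and returns 1.
sd_check() {
    rc=0
    case $(cfg_get "$1" securitydomain.select) in
        new)      req="name host httpport httpsadminport checkIP checkinterval flushinterval source" ;;
        existing) req="name host httpport httpsadminport" ;;
        *)        echo "$1: securitydomain.select must be 'new' or 'existing'" >&2; return 1 ;;
    esac
    for k in $req; do
        [ -n "$(cfg_get "$1" "securitydomain.$k")" ] || { echo "$1: missing securitydomain.$k" >&2; rc=1; }
    done
    for k in httpport httpsadminport; do
        case $(cfg_get "$1" "securitydomain.$k") in
            ''|*[!0-9]*) echo "$1: securitydomain.$k is not a port number" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# sd_member_matches MANAGER_CFG MEMBER_CFG: 0 if the member names the same domain
# and the same manager endpoint that the manager itself is configured with.
sd_member_matches() {
    for k in name host httpport httpsadminport; do
        [ "$(cfg_get "$1" "securitydomain.$k")" = "$(cfg_get "$2" "securitydomain.$k")" ] \
            || { echo "securitydomain.$k differs between $1 and $2" >&2; return 1; }
    done
}

# Constructed samples: CA as manager, KRA as member, and a member pointing at the wrong host.
SD_TMP=$(mktemp -d)
trap 'rm -rf "$SD_TMP"' EXIT
printf '%s\n' securitydomain.select=new securitydomain.name=EXAMPLE securitydomain.host=ca.example.com \
    securitydomain.httpport=8080 securitydomain.httpsadminport=8443 securitydomain.checkIP=false \
    securitydomain.checkinterval=300000 securitydomain.flushinterval=86400000 securitydomain.source=ldap > "$SD_TMP/ca.cfg"
printf '%s\n' securitydomain.select=existing securitydomain.name=EXAMPLE securitydomain.host=ca.example.com \
    securitydomain.httpport=8080 securitydomain.httpsadminport=8443 > "$SD_TMP/kra.cfg"
sed 's/^securitydomain\.host=.*/securitydomain.host=kra.example.com/' "$SD_TMP/kra.cfg" > "$SD_TMP/bad.cfg"
```

A member whose keys are all present still passes `sd_check`, which is why the cross-check against the manager's configuration is the step that catches a member pointing at the wrong host.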

See Also
