Setting up Token Management System - dogtagpki/pki GitHub Wiki

Overview

This page describes the manual process to set up a Token Management System (TMS) with standalone CA, TKS, and TPS instances or their containers.

Optionally, KRA can be added if server-side key generation is required.

The process consists of the following steps:

  • Importing KRA transport certificate into TKS (optional)

  • Setting up CA connector in TPS

  • Setting up KRA connector in TPS (optional)

  • Setting up TKS connector in TPS

  • Configuring TPS connector in TKS

Prerequisites

  • Install standalone CA instance or container

  • Install standalone KRA instance or container (optional)

  • Install standalone TKS instance or container

  • Install standalone TPS instance or container

Importing KRA Transport Certificate into TKS

To import the KRA transport certificate into TKS:

$ pki-server cert-import \
    --input kra_transport.crt \
    --nickname kra_transport

To configure TKS to use the certificate:

$ pki-server tks-config-set \
    tks.drm_transport_cert_nickname \
    kra_transport

Setting up CA connector in TPS

To add a TPS subsystem user (e.g. TPS-tps.example.com-8443) in CA, execute the following commands:

$ pki-server ca-user-add \
    --full-name "TPS-tps.example.com-8443" \
    --type agentType \
    --cert tps_subsystem.crt \
    TPS-tps.example.com-8443
$ pki-server ca-user-role-add \
    TPS-tps.example.com-8443 \
    "Certificate Manager Agents"
$ pki-server ca-user-role-add \
    TPS-tps.example.com-8443 \
    "Subsystem Group"

To add a CA connector (e.g. ca1) in TPS, execute the following command:

$ pki-server tps-connector-add \
    --type CA \
    --url https://ca.example.com:8443 \
    --nickname subsystem \
    ca1

Setting up KRA connector in TPS

To add a TPS subsystem user (e.g. TPS-tps.example.com-8443) in KRA, execute the following commands:

$ pki-server kra-user-add \
    --full-name "TPS-tps.example.com-8443" \
    --type agentType \
    --cert tps_subsystem.crt \
    TPS-tps.example.com-8443
$ pki-server kra-user-role-add \
    TPS-tps.example.com-8443 \
    "Data Recovery Manager Agents"

To add a KRA connector (e.g. kra1) in TPS, execute the following command:

$ pki-server tps-connector-add \
    --type KRA \
    --url https://kra.example.com:8443 \
    --nickname subsystem \
    kra1

Setting up TKS connector in TPS

To add a TPS subsystem user (e.g. TPS-tps.example.com-8443) in TKS, execute the following commands:

$ pki-server tks-user-add \
    --full-name "TPS-tps.example.com-8443" \
    --type agentType \
    --cert tps_subsystem.crt \
    TPS-tps.example.com-8443
$ pki-server tks-user-role-add \
    TPS-tps.example.com-8443 \
    "Token Key Service Manager Agents"

To add a TKS connector (e.g. tks1) in TPS, execute the following command:

$ pki-server tps-connector-add \
    --type TKS \
    --url https://tks.example.com:8443 \
    --nickname subsystem \
    --keygen \
    tks1
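The whole procedure above, as an added example that is not part of the dogtagpki/pki wiki: a POSIX shell script that wraps the page's pki-server commands into one function per subsystem host. The hostnames, ports, URLs and the file name of the exported TPS subsystem certificate are placeholders taken from the page's own examples and can be overridden through environment variables. pki-server acts on the local instance, so each register_* function is meant to run on the host of that subsystem, and setting DRY_RUN=1 prints the assembled commands instead of executing them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the dogtagpki/pki wiki. Wraps the page's
# pki-server commands into functions. All hostnames, ports, URLs and the
# cert file name below are placeholders (assumptions), override via env.

TPS_HOST="${TPS_HOST:-tps.example.com}"
TPS_PORT="${TPS_PORT:-8443}"
TPS_CERT="${TPS_CERT:-tps_subsystem.crt}"   # TPS subsystem cert exported from the TPS
CA_URL="${CA_URL:-https://ca.example.com:8443}"
KRA_URL="${KRA_URL:-https://kra.example.com:8443}"
TKS_URL="${TKS_URL:-https://tks.example.com:8443}"
DRY_RUN="${DRY_RUN:-0}"

# User ID convention used on the page: TPS-<host>-<port>
tps_user_id() {
    printf 'TPS-%s-%s\n' "$1" "$2"
}

# In dry-run mode print the command; otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Pre-flight: the exported TPS cert must be readable on this host, because
# it is the credential the CA/KRA/TKS will map to the TPS user. Skipped in dry-run.
require_cert() {
    [ "$DRY_RUN" = "1" ] && return 0
    [ -r "$TPS_CERT" ] || { echo "cannot read $TPS_CERT" >&2; return 1; }
}

# Run on the CA host: TPS needs agent rights to request certificates and
# membership in the Subsystem Group.
register_tps_user_in_ca() {
    require_cert || return 1
    tps_uid=$(tps_user_id "$TPS_HOST" "$TPS_PORT")
    run pki-server ca-user-add --full-name "$tps_uid" --type agentType --cert "$TPS_CERT" "$tps_uid"
    run pki-server ca-user-role-add "$tps_uid" "Certificate Manager Agents"
    run pki-server ca-user-role-add "$tps_uid" "Subsystem Group"
}

# Run on the KRA host, only when server-side key generation is wanted.
register_tps_user_in_kra() {
    require_cert || return 1
    tps_uid=$(tps_user_id "$TPS_HOST" "$TPS_PORT")
    run pki-server kra-user-add --full-name "$tps_uid" --type agentType --cert "$TPS_CERT" "$tps_uid"
    run pki-server kra-user-role-add "$tps_uid" "Data Recovery Manager Agents"
}

# Run on the TKS host.
register_tps_user_in_tks() {
    require_cert || return 1
    tps_uid=$(tps_user_id "$TPS_HOST" "$TPS_PORT")
    run pki-server tks-user-add --full-name "$tps_uid" --type agentType --cert "$TPS_CERT" "$tps_uid"
    run pki-server tks-user-role-add "$tps_uid" "Token Key Service Manager Agents"
}

# Run on the TPS host. "subsystem" is the nickname of the TPS's own certificate
# in its NSS database; it must be the same certificate registered above, or the
# peer subsystems will reject the connector's client authentication.
add_tps_connectors() {
    with_kra="${1:-no}"
    run pki-server tps-connector-add --type CA --url "$CA_URL" --nickname subsystem ca1
    if [ "$with_kra" = "with-kra" ]; then
        run pki-server tps-connector-add --type KRA --url "$KRA_URL" --nickname subsystem kra1
    fi
    run pki-server tps-connector-add --type TKS --url "$TKS_URL" --nickname subsystem --keygen tks1
}

# Usage: DRY_RUN=1 sh tms-connectors.sh ca|kra|tks|tps [with-kra]
# With no argument the script only defines the functions (e.g. when sourced).
case "${1:-}" in
    ca)  register_tps_user_in_ca ;;
    kra) register_tps_user_in_kra ;;
    tks) register_tps_user_in_tks ;;
    tps) add_tps_connectors "${2:-no}" ;;
    "")  ;;
    *)   echo "unknown target: $1" >&2; exit 2 ;;
esac
```

Review the generated commands on each host with `DRY_RUN=1 sh tms-connectors.sh tks` before running them for real; the CA, KRA and TKS steps all derive the same user ID from TPS_HOST and TPS_PORT, which keeps the three registrations consistent with the name the TPS connectors will authenticate as.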

Configuring TPS connector in TKS

T.B.A.
