# Setting up Token Management System (dogtagpki/pki GitHub Wiki)
This page describes the manual process to set up a Token Management System (TMS) with standalone CA, TKS, and TPS or their containers.
Optionally, KRA can be added if server-side key generation is required.
The process consists of the following steps:

- Importing KRA transport certificate into TKS (optional)
- Setting up CA connector in TPS
- Setting up KRA connector in TPS (optional)
- Setting up TKS connector in TPS
- Setting up TPS connector in TKS
- Importing shared secret into TPS
- Setting up TPS authentication
- Install standalone CA or its container
- Install standalone KRA or its container (optional)
- Install standalone TKS or its container
- Install standalone TPS or its container
## Importing KRA transport certificate into TKS (optional)

To import the KRA transport certificate into the TKS NSS database:

```
$ pki-server cert-import \
    --input kra_transport.crt \
    --nickname kra_transport
```

To configure TKS to use the certificate:

```
$ pki-server tks-config-set \
    tks.drm_transport_cert_nickname \
    kra_transport
```
## Setting up CA connector in TPS

To add a TPS subsystem user (e.g. TPS) in CA, execute the following commands:

```
$ pki-server ca-user-add \
    --full-name TPS \
    --type agentType \
    --cert tps_subsystem.crt \
    TPS
$ pki-server ca-user-role-add \
    TPS \
    "Certificate Manager Agents"
$ pki-server ca-user-role-add \
    TPS \
    "Subsystem Group"
```

To add a CA connector (e.g. ca1) in TPS, execute the following command:

```
$ pki-server tps-connector-add \
    --type CA \
    --url https://ca.example.com:8443 \
    --nickname subsystem \
    ca1
```
## Setting up KRA connector in TPS (optional)

To add a TPS subsystem user (e.g. TPS) in KRA, execute the following commands:

```
$ pki-server kra-user-add \
    --full-name TPS \
    --type agentType \
    --cert tps_subsystem.crt \
    TPS
$ pki-server kra-user-role-add \
    TPS \
    "Data Recovery Manager Agents"
```

To add a KRA connector (e.g. kra1) in TPS, execute the following command:

```
$ pki-server tps-connector-add \
    --type KRA \
    --url https://kra.example.com:8443 \
    --nickname subsystem \
    kra1
```
## Setting up TKS connector in TPS

To add a TPS subsystem user (e.g. TPS) in TKS, execute the following commands:

```
$ pki-server tks-user-add \
    --full-name TPS \
    --type agentType \
    --cert tps_subsystem.crt \
    TPS
$ pki-server tks-user-role-add \
    TPS \
    "Token Key Service Manager Agents"
```

To add a TKS connector (e.g. tks1) in TPS, execute the following command:

```
$ pki-server tps-connector-add \
    --type TKS \
    --url https://tks.example.com:8443 \
    --nickname subsystem \
    --keygen \
    tks1
```
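Registering the TPS subsystem user and adding the matching connector follows the same pattern for CA, KRA and TKS, and the subsystem prefix of `pki-server <subsystem>-user-add` and `<subsystem>-user-role-add` has to agree with the agent group name. The script below is an added example, not part of this wiki page or of the pki project; it wraps the commands from the three sections above with the checks an administrator would want before running them: the certificate file must be readable, the connector URL must have the form `https://host:port` (connectors authenticate with the TPS subsystem certificate over TLS), and only the TKS connector gets `--keygen`. The function names and the `TMS_DRY_RUN` variable are this example's own; with `TMS_DRY_RUN=1` the `pki-server` commands are printed instead of executed.

```sh
#!/bin/sh
# Added example: register the TPS subsystem user in a CA/KRA/TKS and add the
# matching connector in TPS. Not part of the dogtagpki/pki wiki or code base.
# Set TMS_DRY_RUN=1 to print the pki-server commands instead of running them.

# run CMD...: execute the command, or echo it when TMS_DRY_RUN=1.
run() {
    if [ "${TMS_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# agent_group SUBSYSTEM: the agent group the TPS user joins in each subsystem
# (group names taken from the commands on this page).
agent_group() {
    case "$1" in
        CA)  echo "Certificate Manager Agents" ;;
        KRA) echo "Data Recovery Manager Agents" ;;
        TKS) echo "Token Key Service Manager Agents" ;;
        *)   echo "unknown subsystem: $1" >&2; return 1 ;;
    esac
}

# subsystem_prefix SUBSYSTEM: lower-case pki-server command prefix (ca, kra, tks).
subsystem_prefix() {
    case "$1" in
        CA|KRA|TKS) echo "$1" | tr 'A-Z' 'a-z' ;;
        *) return 1 ;;
    esac
}

# connector_url_ok URL: connectors use TLS with client-certificate
# authentication, so only https://host:port (no path) is accepted.
connector_url_ok() {
    case "$1" in
        https://*:[0-9]*) ;;
        *) return 1 ;;
    esac
    port=${1##*:}
    case "$port" in
        *[!0-9]*|'') return 1 ;;   # trailing path or non-numeric port
    esac
    return 0
}

# register_tps_user SUBSYSTEM CERTFILE: create the TPS user in the subsystem
# with its certificate, add it to the agent group and, for CA, to
# "Subsystem Group" (as on this page).
register_tps_user() {
    sub=$1; cert=$2
    prefix=$(subsystem_prefix "$sub") || { echo "unknown subsystem: $sub" >&2; return 1; }
    [ -r "$cert" ] || { echo "certificate file not readable: $cert" >&2; return 1; }
    run pki-server "${prefix}-user-add" --full-name TPS --type agentType --cert "$cert" TPS || return 1
    run pki-server "${prefix}-user-role-add" TPS "$(agent_group "$sub")" || return 1
    if [ "$sub" = CA ]; then
        run pki-server ca-user-role-add TPS "Subsystem Group" || return 1
    fi
}

# add_tps_connector SUBSYSTEM URL NICKNAME ID: add the connector in TPS;
# only the TKS connector carries --keygen (server-side key generation).
add_tps_connector() {
    sub=$1; url=$2; nick=$3; id=$4
    subsystem_prefix "$sub" >/dev/null || { echo "unknown subsystem: $sub" >&2; return 1; }
    connector_url_ok "$url" || { echo "connector URL must be https://host:port: $url" >&2; return 1; }
    if [ "$sub" = TKS ]; then
        run pki-server tps-connector-add --type TKS --url "$url" --nickname "$nick" --keygen "$id"
    else
        run pki-server tps-connector-add --type "$sub" --url "$url" --nickname "$nick" "$id"
    fi
}

# Example invocation for the TKS section above (dry run):
#   TMS_DRY_RUN=1 register_tps_user TKS tps_subsystem.crt
#   TMS_DRY_RUN=1 add_tps_connector TKS https://tks.example.com:8443 subsystem tks1
```

`register_tps_user` is run on the host of the subsystem being configured and `add_tps_connector` on the TPS host, matching where the page's commands run.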
## Setting up TPS connector in TKS

To create a shared secret (e.g. TPS sharedSecret) in TKS locally, execute the following command:

```
$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-key-create \
    --key-type AES \
    --op-flags WRAP,UNWRAP,ENCRYPT,DECRYPT \
    "TPS sharedSecret"
```

To add the TPS connector in TKS, execute the following command:

```
$ pki-server tks-connector-add \
    --url https://tps.example.com:8443 \
    --nickname "TPS sharedSecret" \
    --uid TPS \
    0
```

To export the shared secret, wrapped with the TPS subsystem certificate, execute the following command:

```
$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-key-export \
    --wrapper-cert tps_subsystem.crt \
    --output shared-secret.json \
    "TPS sharedSecret"
```
Alternatively, to add a TPS connector in TKS remotely, execute the following command:

```
$ pki \
    -U https://tks.example.com:8443 \
    -n tps_subsystem \
    tks-tpsconnector-add \
    --host tps.example.com \
    --port 8443
```

To create the shared secret and export it, execute the following command:

```
$ pki \
    -U https://tks.example.com:8443 \
    -n tps_subsystem \
    tks-key-create \
    --output-format json \
    0 \
    | tee shared-secret.json
```
## Importing shared secret into TPS

To import the shared secret into the TPS NSS database and configure TPS to use it, execute the following commands:

```
$ pki \
    -d /var/lib/pki/pki-tomcat/conf/alias \
    -f /var/lib/pki/pki-tomcat/conf/password.conf \
    nss-key-import \
    --input shared-secret.json \
    --wrapper subsystem \
    "TPS sharedSecret"
$ pki-server tps-config-set \
    conn.tks1.tksSharedSymKeyName \
    "TPS sharedSecret"
```
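The local shared-secret procedure spans the two sections above: create the AES key in the TKS NSS database, export it wrapped with the TPS subsystem certificate, import it into the TPS NSS database, and point TPS at it by name. The exported `shared-secret.json` is the only time the wrapped secret exists outside an NSS database, so it should be created with restrictive permissions and removed once imported. The script below is an added example, not part of this wiki page or of the pki project. It assumes both NSS databases are reachable from the host running it (for example container volumes mounted locally); when TKS and TPS run on different hosts the exported file must be copied between the export and import steps. The function names, the `TMS_RUN` variable and the `tks1` connector id are this example's assumptions; paths, nicknames and `pki` subcommands are those on the page.

```sh
#!/bin/sh
# Added example: carry the TKS shared secret into TPS with pre-flight checks.
# Not part of the dogtagpki/pki wiki or code base.

# Key operation flags the shared secret is created with on this page.
ALLOWED_OP_FLAGS="WRAP UNWRAP ENCRYPT DECRYPT"

# valid_op_flags FLAGS: accept a comma-separated list only if every flag is
# allowed and none is repeated (catches typos such as ENCRYPT,ENCRYPT).
valid_op_flags() {
    seen=" "
    old_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$old_ifs
    [ $# -gt 0 ] || return 1
    for f in "$@"; do
        case " $ALLOWED_OP_FLAGS " in
            *" $f "*) ;;
            *) return 1 ;;
        esac
        case "$seen" in
            *" $f "*) return 1 ;;
        esac
        seen="$seen$f "
    done
    return 0
}

# file_mode PATH: octal permission bits (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# secret_file_ok PATH: the exported secret must be a non-empty regular file
# readable by its owner only.
secret_file_ok() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    [ "$(file_mode "$1")" = "600" ]
}

# shared_secret_transfer TKS_ALIAS TKS_PWFILE TPS_ALIAS TPS_PWFILE TPS_CERT [KEYNAME]
# Runs the page's nss-key-create / nss-key-export / nss-key-import /
# tps-config-set sequence, checking inputs and the exported file on the way.
shared_secret_transfer() {
    tks_alias=$1; tks_pwfile=$2; tps_alias=$3; tps_pwfile=$4; tps_cert=$5
    keyname=${6:-"TPS sharedSecret"}
    op_flags="WRAP,UNWRAP,ENCRYPT,DECRYPT"
    valid_op_flags "$op_flags" || { echo "invalid op flags: $op_flags" >&2; return 1; }
    [ -r "$tps_cert" ] || { echo "TPS subsystem certificate not readable: $tps_cert" >&2; return 1; }
    out=$(mktemp) || return 1            # mktemp creates the file with mode 600
    pki -d "$tks_alias" -f "$tks_pwfile" nss-key-create \
        --key-type AES --op-flags "$op_flags" "$keyname" || { rm -f "$out"; return 1; }
    pki -d "$tks_alias" -f "$tks_pwfile" nss-key-export \
        --wrapper-cert "$tps_cert" --output "$out" "$keyname" || { rm -f "$out"; return 1; }
    secret_file_ok "$out" || { echo "exported secret missing or too permissive: $out" >&2; rm -f "$out"; return 1; }
    pki -d "$tps_alias" -f "$tps_pwfile" nss-key-import \
        --input "$out" --wrapper subsystem "$keyname" || { rm -f "$out"; return 1; }
    # The wrapped secret has served its purpose; remove it (shred when available).
    if command -v shred >/dev/null 2>&1; then shred -u "$out"; else rm -f "$out"; fi
    pki-server tps-config-set conn.tks1.tksSharedSymKeyName "$keyname"
}

# Run only when explicitly requested, e.g. on a host with both databases:
#   TMS_RUN=1 sh this.sh /path/to/tks/alias /path/to/tks/password.conf \
#       /path/to/tps/alias /path/to/tps/password.conf tps_subsystem.crt
if [ "${TMS_RUN:-0}" = 1 ]; then
    shared_secret_transfer "$@"
fi
```

The `-d`/`-f` arguments are the TKS and TPS `alias` directories and `password.conf` files from the page; with separate standalone instances they are different paths (or different hosts).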