OSVDC Series: Root Certificate Authority (PKI) with Dogtag 10.3 on Fedora 24 - rharmonson/richtech GitHub Wiki
Article 14 of the Open Source Virtual Data Center Series
Revision March 10, 2017; link to the CentOS 7.3.1611 version
Published September 28, 2016
Dogtag 10.3 on CentOS 7.3.1611
I originally used Fedora because FreeIPA 4.3 on CentOS 7.2.1511 did not support the use of an external CA. As of FreeIPA 4.4 on CentOS 7.3.1611, it is supported. The CentOS 7.3.1611 guide can be found here:
Root Certificate Authority (PKI) with Dogtag 10.3 on CentOS 7.3.1611
The purpose of this guide is to provide instructions on building an off-line Root Certificate Authority (CA) to issue Subordinate CA certificates. My specific use case is for use with FreeIPA, but it is applicable, generally, for any internal PKI implementation.
Why off-line? A Root CA should not be accessible and should be a carefully guarded asset. If an unauthorized individual obtained the Root CA private key, the entire PKI system is compromised. Best case, the PKI will need to be demolished, a new one built, and all certificates replaced. Depending on the size of your organization and the prevalence of certificates, recovery could be a lengthy and costly endeavor.
Using the Fedora 24 Server installation media, select custom and do not select any package groups. This results in an installation similar to a CentOS or RHEL Minimal install.
# systemctl stop NetworkManager
# systemctl disable NetworkManager
# dnf remove NetworkManager
# cp /etc/resolv.conf /etc/resolv.conf.bak
# rm /etc/resolv.conf (symbolic link to NetworkManager)
# mv /etc/resolv.conf.bak /etc/resolv.conf
# vi /etc/resolv.conf
# chkconfig network on
Unless you will be permitting access to Dogtag web services or other management services, block all access except SSH.
The steps below outline one strategy; it reflects my personal preference.
Begin by disabling and removing firewalld, then install iptables-services to save your work.
[root@ca ~]# systemctl stop firewalld
[root@ca ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@ca ~]# dnf remove firewalld
Dependencies resolved.
=========================================================================================
Package Arch Version Repository Size
=========================================================================================
Removing:
dbus-glib x86_64 0.106-1.fc24 @anaconda 322 k
ebtables x86_64 2.0.10-20.fc24 @updates 338 k
firewalld noarch 0.4.3.2-1.fc24 @updates 1.8 M
firewalld-filesystem noarch 0.4.3.2-1.fc24 @updates 239
gobject-introspection x86_64 1.48.0-1.fc24 @anaconda 809 k
ipset x86_64 6.27-2.fc24 @anaconda 77 k
ipset-libs x86_64 6.27-2.fc24 @anaconda 262 k
libselinux-python3 x86_64 2.5-9.fc24 @updates 648 k
python3-dbus x86_64 1.2.4-1.fc24 @anaconda 556 k
python3-decorator noarch 4.0.6-2.fc24 @anaconda 371 k
python3-firewall noarch 0.4.3.2-1.fc24 @updates 2.2 M
python3-gobject-base x86_64 3.20.1-1.fc24 @anaconda 1.2 M
python3-slip noarch 0.6.4-3.fc24 @anaconda 68 k
python3-slip-dbus noarch 0.6.4-3.fc24 @anaconda 88 k
Transaction Summary
=========================================================================================
Remove 14 Packages
Installed size: 8.6 M
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Erasing : firewalld-0.4.3.2-1.fc24.noarch 1/14
Erasing : python3-firewall-0.4.3.2-1.fc24.noarch 2/14
Erasing : python3-slip-dbus-0.6.4-3.fc24.noarch 3/14
Erasing : python3-slip-0.6.4-3.fc24.noarch 4/14
Erasing : python3-dbus-1.2.4-1.fc24.x86_64 5/14
Erasing : python3-gobject-base-3.20.1-1.fc24.x86_64 6/14
Erasing : ipset-6.27-2.fc24.x86_64 7/14
Erasing : python3-decorator-4.0.6-2.fc24.noarch 8/14
Erasing : firewalld-filesystem-0.4.3.2-1.fc24.noarch 9/14
Erasing : ipset-libs-6.27-2.fc24.x86_64 10/14
Erasing : gobject-introspection-1.48.0-1.fc24.x86_64 11/14
Erasing : dbus-glib-0.106-1.fc24.x86_64 12/14
Erasing : libselinux-python3-2.5-9.fc24.x86_64 13/14
Erasing : ebtables-2.0.10-20.fc24.x86_64 14/14
Verifying : dbus-glib-0.106-1.fc24.x86_64 1/14
Verifying : firewalld-0.4.3.2-1.fc24.noarch 2/14
Verifying : firewalld-filesystem-0.4.3.2-1.fc24.noarch 3/14
Verifying : ipset-6.27-2.fc24.x86_64 4/14
Verifying : ipset-libs-6.27-2.fc24.x86_64 5/14
Verifying : libselinux-python3-2.5-9.fc24.x86_64 6/14
Verifying : python3-dbus-1.2.4-1.fc24.x86_64 7/14
Verifying : python3-decorator-4.0.6-2.fc24.noarch 8/14
Verifying : python3-firewall-0.4.3.2-1.fc24.noarch 9/14
Verifying : python3-gobject-base-3.20.1-1.fc24.x86_64 10/14
Verifying : gobject-introspection-1.48.0-1.fc24.x86_64 11/14
Verifying : ebtables-2.0.10-20.fc24.x86_64 12/14
Verifying : python3-slip-0.6.4-3.fc24.noarch 13/14
Verifying : python3-slip-dbus-0.6.4-3.fc24.noarch 14/14
Removed:
dbus-glib.x86_64 0.106-1.fc24 ebtables.x86_64 2.0.10-20.fc24
firewalld.noarch 0.4.3.2-1.fc24 firewalld-filesystem.noarch 0.4.3.2-1.fc24
gobject-introspection.x86_64 1.48.0-1.fc24 ipset.x86_64 6.27-2.fc24
ipset-libs.x86_64 6.27-2.fc24 libselinux-python3.x86_64 2.5-9.fc24
python3-dbus.x86_64 1.2.4-1.fc24 python3-decorator.noarch 4.0.6-2.fc24
python3-firewall.noarch 0.4.3.2-1.fc24 python3-gobject-base.x86_64 3.20.1-1.fc24
python3-slip.noarch 0.6.4-3.fc24 python3-slip-dbus.noarch 0.6.4-3.fc24
Complete!
[root@ca ~]# dnf install iptables-services
Last metadata expiration check: 1:59:17 ago on Thu Jul 21 11:08:29 2016.
Dependencies resolved.
=========================================================================================
Package Arch Version Repository Size
=========================================================================================
Installing:
iptables-services x86_64 1.4.21-16.fc24 fedora 53 k
Transaction Summary
=========================================================================================
Install 1 Package
Total download size: 53 k
Installed size: 19 k
Is this ok [y/N]: y
Downloading Packages:
iptables-services-1.4.21-16.fc24.x86_64.rpm 407 kB/s | 53 kB 00:00
-----------------------------------------------------------------------------------------
Total 53 kB/s | 53 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Installing : iptables-services-1.4.21-16.fc24.x86_64 1/1
Verifying : iptables-services-1.4.21-16.fc24.x86_64 1/1
Installed:
iptables-services.x86_64 1.4.21-16.fc24
Complete!
[root@ca ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@ca ~]# systemctl start iptables
Create a file "dogtag.fw" to execute and document our firewall policies. Once created, either pipe it into bash or chmod +x and execute ./dogtag.fw.
#!/bin/bash
# Dogtag 10.3 Firewall
# Clear or flush existing rules
iptables -F
# Default Policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Accept all local traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept ICMP Echo
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept SSH
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# Accept Dogtag (optional)
#iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
#iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
# Accept returning connections (stateful)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Save & Restart iptables
service iptables save
# Service
systemctl restart iptables
systemctl status iptables
Results
[root@ca ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
47 3368 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 32 packets, 5120 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
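Before the host is taken off-line it is worth confirming that the live ruleset really matches the "nothing but SSH" posture described above rather than trusting the script ran cleanly. The audit function below is an added example, not part of the original wiki: it reads the ruleset in `iptables -S` form (not the `iptables -L -n -v` listing above), and both sample rulesets are constructed to mirror what dogtag.fw produces with and without the optional Dogtag lines.

```shell
#!/bin/bash
# Audit an iptables ruleset (as printed by `iptables -S`) against the
# off-line root CA posture: INPUT/FORWARD dropped by default and no inbound
# ACCEPT other than loopback, ping, stateful replies and TCP/22.
# Prints every deviation and returns 1 if any was found.
#
# Live use:   iptables -S | audit_ca_firewall
audit_ca_firewall() {
    local rules problems=0
    rules=$(cat)

    # 1. Default policies: inbound and forwarded traffic must be dropped.
    for chain in INPUT FORWARD; do
        if ! printf '%s\n' "$rules" | grep -qx -- "-P $chain DROP"; then
            echo "policy: chain $chain is not DROP by default"
            problems=$((problems + 1))
        fi
    done

    # 2. Inbound ACCEPT rules: only the expected ones pass; the rest is flagged.
    #    8080/8443 are the Dogtag web ports the guide leaves commented out.
    while read -r line; do
        case "$line" in
            "-A INPUT "*"-j ACCEPT") ;;
            *) continue ;;
        esac
        case "$line" in
            *"-i lo "*)                                  continue ;;  # loopback
            *"--icmp-type 8 "*)                          continue ;;  # ping
            *"--state RELATED,ESTABLISHED"*)             continue ;;  # stateful
            *"--state ESTABLISHED,RELATED"*)             continue ;;  # stateful
            *"--dport 22 "*)                             continue ;;  # SSH
            *"--dport 8080 "*|*"--dport 8443 "*)
                echo "exposure: Dogtag web port opened: $line" ;;
            *)
                echo "exposure: unexpected inbound ACCEPT: $line" ;;
        esac
        problems=$((problems + 1))
    done <<EOF
$rules
EOF
    return $(( problems > 0 ))
}

# Constructed sample: what dogtag.fw produces with the Dogtag lines commented out.
LOCKED_DOWN='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# Constructed sample: Dogtag ports uncommented and the INPUT policy left at ACCEPT.
EXPOSED='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# Demonstration on the constructed samples.
printf '%s\n' "$LOCKED_DOWN" | audit_ca_firewall && echo "locked-down ruleset: OK"
printf '%s\n' "$EXPOSED" | audit_ca_firewall || echo "exposed ruleset: problems listed above"
```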
DNS in my environment will be FreeIPA, but the Dogtag CA is a dependency to build FreeIPA. As such, configure the host with a static IP address and update /etc/hosts to meet the requirement for name resolution of the 389-ds-base directory service. Using host name ca.mydomain.net and IP address 192.168.10.11/24 results with:
[root@ca ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.11 ca.mydomain.net ca
Entropy in virtual machines can be a bit of a challenge. At this time, I am using "haveged" but I am hoping the oVirt project will resolve the issues with a better implementation of their /dev/random. Please research and understand the pros/cons of haveged for yourself.
Further reading:
- http://wiki.qemu.org/Features-Done/VirtIORNG.
- https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Virtualization_Deployment_and_Administration_Guide/sect-Guest_virtual_machine_device_configuration-Random_number_generator_device.html
Install haveged
[root@ca ~]# dnf install haveged
Last metadata expiration check: 0:16:42 ago on Tue Sep 6 05:57:02 2016.
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
haveged x86_64 1.9.1-5.fc24 fedora 69 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 69 k
Installed size: 189 k
Is this ok [y/N]: y
Downloading Packages:
haveged-1.9.1-5.fc24.x86_64.rpm 202 kB/s | 69 kB 00:00
--------------------------------------------------------------------------------
Total 78 kB/s | 69 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Installing : haveged-1.9.1-5.fc24.x86_64 1/1
Verifying : haveged-1.9.1-5.fc24.x86_64 1/1
Installed:
haveged.x86_64 1.9.1-5.fc24
Complete!
Enable haveged
[root@ca ~]# systemctl enable haveged
Created symlink from /etc/systemd/system/multi-user.target.wants/haveged.service to /usr/lib/systemd/system/haveged.service.
[root@ca ~]# systemctl start haveged
[root@ca ~]# systemctl status haveged
● haveged.service - Entropy Daemon based on the HAVEGE algorithm
Loaded: loaded (/usr/lib/systemd/system/haveged.service; enabled; vendor pres
Active: active (running) since Tue 2016-09-06 06:15:06 PDT; 4s ago
Docs: man:haveged(8)
http://www.issihosts.com/haveged/
Main PID: 29730 (haveged)
Tasks: 1 (limit: 512)
CGroup: /system.slice/haveged.service
└─29730 /usr/sbin/haveged -w 1024 -v 1 --Foreground
Sep 06 06:15:06 ca.mydomain.net systemd[1]: Started Entropy Daemon bas
Sep 06 06:15:06 ca.mydomain.net haveged[29730]: haveged: ver: 1.9.1; a
Sep 06 06:15:06 ca.mydomain.net haveged[29730]: haveged: cpu: (L4 VC);
Sep 06 06:15:06 ca.mydomain.net haveged[29730]: haveged: tot tests(BA8
Sep 06 06:15:06 ca.mydomain.net haveged[29730]: haveged: fills: 0, gen
The solution components are:
- Dogtag PKI Certificate Authority; pki-ca and dependencies
- Dogtag theme; server theme (optional)
- 389, 389-ds-base; Directory Service
389 is a dependency for Dogtag CA.
Install 389 and Dogtag PKI-CA. Package dogtag-server-theme is optional, however, if you want to explore the web UI, you need the theme package installed prior to configuration of the Dogtag CA instance.
[root@ca ~]# dnf install 389-ds-base pki-ca dogtag-server-theme
Results
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
389-ds-base x86_64 1.3.5.13-1.fc24 updates 1.7 M
389-ds-base-libs x86_64 1.3.5.13-1.fc24 updates 675 k
apache-commons-cli noarch 1.3.1-3.fc24 fedora 72 k
apache-commons-codec noarch 1.10-3.fc24 fedora 247 k
apache-commons-collections noarch 3.2.2-3.fc24 fedora 534 k
apache-commons-daemon x86_64 1.0.15-11.fc24 fedora 60 k
apache-commons-dbcp noarch 1.4-20.fc24 fedora 172 k
apache-commons-io noarch 1:2.4-15.fc24 fedora 192 k
apache-commons-lang noarch 2.6-18.fc24 fedora 281 k
apache-commons-logging noarch 1.2-5.fc24 fedora 86 k
apache-commons-pool noarch 1.6-12.fc24 fedora 122 k
audit-libs-python x86_64 2.6.6-1.fc24 updates 95 k
audit-libs-python3 x86_64 2.6.6-1.fc24 updates 96 k
bea-stax-api noarch 1.2.0-12.fc24 fedora 36 k
checkpolicy x86_64 2.5-6.fc24 updates 298 k
copy-jdk-configs noarch 1.2-1.fc24 updates 18 k
cyrus-sasl-gssapi x86_64 2.1.26-26.2.fc24 fedora 46 k
cyrus-sasl-md5 x86_64 2.1.26-26.2.fc24 fedora 62 k
dogtag-pki-server-theme noarch 10.3.5-1.fc24 updates 296 k
ecj noarch 1:4.6-1.fc24 updates 2.2 M
glassfish-fastinfoset noarch 1.2.13-4.fc24 fedora 352 k
glassfish-jaxb-api noarch 2.2.12-4.fc24 fedora 100 k
glassfish-jaxb-core noarch 2.2.11-4.fc24 fedora 156 k
glassfish-jaxb-runtime noarch 2.2.11-4.fc24 fedora 930 k
glassfish-jaxb-txw2 noarch 2.2.11-4.fc24 fedora 89 k
httpcomponents-client noarch 4.5.2-2.fc24 fedora 700 k
httpcomponents-core noarch 4.4.4-2.fc24 fedora 633 k
istack-commons-runtime noarch 2.21-4.fc24 fedora 43 k
jackson noarch 1.9.11-8.fc24 fedora 1.0 M
jakarta-commons-httpclient noarch 1:3.1-24.fc24 fedora 247 k
java-1.8.0-openjdk-headless x86_64 1:1.8.0.102-1.b14.fc24 updates 32 M
javapackages-tools noarch 4.6.0-14.fc24 fedora 104 k
javassist noarch 3.18.1-5.fc24 fedora 680 k
jboss-annotations-1.2-api noarch 1.0.0-1.fc24 updates 40 k
jboss-jaxrs-2.0-api noarch 1.0.0-3.fc24 updates 112 k
jboss-logging noarch 3.3.0-1.fc24 updates 74 k
jcip-annotations noarch 1-18.20060626.fc24 fedora 14 k
joda-time noarch 2.9.2-1.fc24 fedora 517 k
jsr-311 noarch 1.1.1-12.fc24 fedora 51 k
jss x86_64 4.2.6-41.fc24 updates 714 k
jvnet-parent noarch 4-7.fc24 fedora 15 k
ldapjdk noarch 4.18-19.fc24 updates 321 k
libcgroup x86_64 0.41-8.fc24 fedora 67 k
libevent x86_64 2.0.21-8.fc24 fedora 215 k
libicu x86_64 56.1-4.fc24 fedora 8.3 M
libjpeg-turbo x86_64 1.5.0-1.fc24 updates 153 k
libselinux-python x86_64 2.5-9.fc24 updates 242 k
libselinux-python3 x86_64 2.5-9.fc24 updates 243 k
libsemanage-python x86_64 2.5-5.fc24 updates 109 k
libsemanage-python3 x86_64 2.5-5.fc24 updates 113 k
libtalloc x86_64 2.1.6-1.fc24 fedora 45 k
libtevent x86_64 0.9.28-1.fc24 fedora 37 k
lksctp-tools x86_64 1.0.16-5.fc24 fedora 93 k
lua-posix x86_64 33.3.1-2.fc24 fedora 173 k
net-tools x86_64 2.0-0.37.20160329git.fc24 fedora 318 k
nuxwdog x86_64 1.0.3-6.fc24 fedora 49 k
nuxwdog-client-java x86_64 1.0.3-6.fc24 fedora 16 k
objectweb-asm3 noarch 3.3.1-13.fc24 fedora 395 k
openldap-clients x86_64 2.4.44-1.fc24 fedora 190 k
perl x86_64 4:5.22.2-362.fc24 updates 5.9 M
perl-Algorithm-Diff noarch 1.1903-4.fc24 fedora 51 k
perl-Archive-Tar noarch 2.06-2.fc24 updates 76 k
perl-Carp noarch 1.38-2.fc24 fedora 28 k
perl-Compress-Raw-Bzip2 x86_64 2.069-2.fc24 fedora 37 k
perl-Compress-Raw-Zlib x86_64 2.069-2.fc24 fedora 64 k
perl-DB_File x86_64 1.838-1.fc24 fedora 79 k
perl-Data-Dumper x86_64 2.158-348.fc24 fedora 55 k
perl-Encode x86_64 3:2.84-9.fc24 updates 1.5 M
perl-Errno x86_64 1.23-362.fc24 updates 62 k
perl-Exporter noarch 5.72-349.fc24 fedora 33 k
perl-File-Path noarch 2.12-2.fc24 fedora 34 k
perl-File-Temp noarch 0.23.04-347.fc24 fedora 61 k
perl-Getopt-Long noarch 2.49.1-1.fc24 updates 61 k
perl-HTTP-Tiny noarch 0.056-5.fc24 updates 53 k
perl-IO x86_64 1.35-362.fc24 updates 128 k
perl-IO-Compress noarch 2.069-3.fc24 updates 255 k
perl-IO-Zlib noarch 1:1.10-362.fc24 updates 67 k
perl-MIME-Base64 x86_64 3.15-349.fc24 fedora 29 k
perl-Math-BigInt noarch 1.9997.15-2.fc24 fedora 178 k
perl-Math-Complex noarch 1.59-362.fc24 updates 95 k
perl-Mozilla-LDAP x86_64 1.5.3-18.fc24 fedora 148 k
perl-NetAddr-IP x86_64 4.079-1.fc24 fedora 130 k
perl-PathTools x86_64 3.62-3.fc24 updates 88 k
perl-Pod-Escapes noarch 1:1.07-349.fc24 fedora 20 k
perl-Pod-Perldoc noarch 3.26-1.fc24 updates 86 k
perl-Pod-Simple noarch 1:3.32-3.fc24 fedora 211 k
perl-Pod-Usage noarch 4:1.69-1.fc24 fedora 33 k
perl-Scalar-List-Utils x86_64 2:1.45-1.fc24 fedora 65 k
perl-Socket x86_64 3:2.024-1.fc24 updates 56 k
perl-Socket6 x86_64 0.27-1.fc24 fedora 34 k
perl-Term-ANSIColor noarch 4.03-347.fc24 fedora 45 k
perl-Term-Cap noarch 1.17-2.fc24 fedora 22 k
perl-Text-Diff noarch 1.44-1.fc24 fedora 44 k
perl-Text-ParseWords noarch 3.30-347.fc24 fedora 17 k
perl-Text-Tabs+Wrap noarch 2013.0523-347.fc24 fedora 23 k
perl-Time-Local noarch 1.2300-347.fc24 fedora 29 k
perl-Unicode-Normalize x86_64 1.25-2.fc24 fedora 80 k
perl-constant noarch 1.33-348.fc24 fedora 24 k
perl-libs x86_64 4:5.22.2-362.fc24 updates 1.4 M
perl-macros x86_64 4:5.22.2-362.fc24 updates 59 k
perl-parent noarch 1:0.234-4.fc24 fedora 18 k
perl-podlators noarch 4.07-1.fc24 fedora 113 k
perl-threads x86_64 1:2.02-3.fc24 fedora 58 k
perl-threads-shared x86_64 1.48-347.fc24 fedora 44 k
pki-base noarch 10.3.5-1.fc24 updates 427 k
pki-base-java noarch 10.3.5-1.fc24 updates 1.1 M
pki-ca noarch 10.3.5-1.fc24 updates 486 k
pki-server noarch 10.3.5-1.fc24 updates 3.0 M
pki-tools x86_64 10.3.5-1.fc24 updates 639 k
policycoreutils-python x86_64 2.5-13.fc24 updates 401 k
policycoreutils-python-utils x86_64 2.5-13.fc24 updates 216 k
policycoreutils-python3 x86_64 2.5-13.fc24 updates 1.8 M
publicsuffix-list noarch 20160805-1.fc24 updates 67 k
python-IPy noarch 0.81-15.fc24 fedora 42 k
python-IPy-python3 noarch 0.81-15.fc24 fedora 42 k
python-ldap x86_64 2.4.25-1.fc24 fedora 174 k
python-nss x86_64 1.0.0-beta1.2.fc24.1 fedora 280 k
python2-pyasn1 noarch 0.1.9-6.fc24.1 fedora 105 k
python2-pyasn1-modules noarch 0.1.9-6.fc24.1 fedora 64 k
python3-cssselect noarch 0.9.1-9.fc24 fedora 64 k
python3-javapackages noarch 4.6.0-14.fc24 fedora 89 k
python3-lxml x86_64 3.4.4-4.fc24 fedora 912 k
relaxngDatatype noarch 2011.1-3.fc24 fedora 26 k
resteasy-atom-provider noarch 3.0.17-3.fc24 updates 51 k
resteasy-client noarch 3.0.17-3.fc24 updates 143 k
resteasy-core noarch 3.0.17-3.fc24 updates 779 k
resteasy-jackson-provider noarch 3.0.17-3.fc24 updates 18 k
resteasy-jaxb-provider noarch 3.0.17-3.fc24 updates 79 k
setools-libs x86_64 3.3.8-10.fc24 fedora 561 k
sqlite x86_64 3.13.0-1.fc24 updates 488 k
stax-ex noarch 1.7.7-4.fc24 fedora 54 k
stax2-api noarch 3.1.4-4.fc24 fedora 156 k
svrcore x86_64 4.1.2-1.fc24 fedora 23 k
tomcat noarch 1:8.0.36-2.fc24 updates 94 k
tomcat-el-3.0-api noarch 1:8.0.36-2.fc24 updates 108 k
tomcat-jsp-2.3-api noarch 1:8.0.36-2.fc24 updates 73 k
tomcat-lib noarch 1:8.0.36-2.fc24 updates 4.1 M
tomcat-servlet-3.1-api noarch 1:8.0.36-2.fc24 updates 258 k
tomcatjss noarch 7.1.3-2.fc24 fedora 39 k
tzdata-java noarch 2016f-1.fc24 updates 181 k
velocity noarch 1.7-19.fc24 fedora 434 k
xalan-j2 noarch 2.7.1-28.fc24 fedora 1.9 M
xerces-j2 noarch 2.11.0-24.fc24 fedora 1.2 M
xml-commons-apis noarch 1.4.01-20.fc24 fedora 232 k
xml-commons-resolver noarch 1.2-19.fc24 fedora 114 k
xmlstreambuffer noarch 1.5.4-3.fc24 fedora 86 k
xsom noarch 0-15.20110809svn.fc24 fedora 396 k
Transaction Summary
================================================================================
Install 147 Packages
Total download size: 89 M
Installed size: 232 M
Is this ok [y/N]:
Begin setup by executing setup-ds.pl to set up 389. See "Results" for details and note account names and passwords.
[root@ca ~]# setup-ds.pl
==============================================================================
This program will set up the 389 Directory Server.
It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" or the word "back" then "Enter" to go back to the previous screen
- Type "Control-C" to cancel the setup program
Would you like to continue with set up? [yes]:
==============================================================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.
389 Directory Server system tuning analysis version 14-JULY-2016.
NOTICE : System is x86_64-unknown-linux4.6.7-300.fc24.x86_64 (2 processors).
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.
WARNING : The warning messages above should be reviewed before proceeding.
Would you like to continue? [no]: yes
==============================================================================
Choose a setup type:
1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.
2. Typical
Allows you to specify common defaults and options.
3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
Choose a setup type [2]:
==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly. If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:
General.FullMachineName=your.hostname.domain.name
Computer name [ca.mydomain.net]:
==============================================================================
The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
If you have not yet created a user and group for the server,
create this user and group using your native operating
system utilities.
System User [dirsrv]:
System Group [dirsrv]:
==============================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]:
==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
Directory server identifier [ca]:
==============================================================================
The suffix is the root of your directory tree. The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.
Suffix [dc=mydomain, dc=net]:
==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user. The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.
Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
Your new DS instance 'ca' was successfully created.
Exiting . . .
Log file is '/tmp/setuph_WZPa.log'
[root@ca ~]# systemctl enable dirsrv.target
Created symlink from /etc/systemd/system/multi-user.target.wants/dirsrv.target to /usr/lib/systemd/system/dirsrv.target.
[root@ca ~]# systemctl start dirsrv.target
[root@ca ~]# systemctl status dirsrv.target
● dirsrv.target - 389 Directory Server
Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; enabled; vendor preset: disabled)
Active: active since Wed 2016-09-07 05:49:00 PDT; 4s ago
Sep 07 05:49:00 ca.mydomain.net systemd[1]: Reached target 389 Directory Server.
Dogtag uses pkispawn for component setup, where -s specifies the component to configure.
[root@ca ~]# pkispawn -s CA
IMPORTANT:
Interactive installation currently only exists for very basic deployments!
For example, deployments intent upon using advanced features such as:
* Cloning,
* Elliptic Curve Cryptography (ECC),
* External CA,
* Hardware Security Module (HSM),
* Subordinate CA,
* etc.,
must provide the necessary override parameters in a separate
configuration file.
Run 'man pkispawn' for details.
Tomcat:
Instance [pki-tomcat]:
HTTP port [8080]:
Secure HTTP port [8443]:
AJP port [8009]:
Management port [8005]:
Administrator:
Username [caadmin]:
Password:
Verify password:
Import certificate (Yes/No) [N]?
Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]:
Directory Server:
Hostname [ca.mydomain.net]:
Use a secure LDAPS connection (Yes/No/Quit) [N]?
LDAP Port [389]:
Bind DN [cn=Directory Manager]:
Password:
Base DN [o=pki-tomcat-CA]:
Security Domain:
Name [mydomain.net Security Domain]:
Begin installation (Yes/No/Quit)? yes
Log file: /var/log/pki/pki-ca-spawn.20160907055340.log
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Notice: Trust flag u is set automatically if the private key is present.
Created symlink from /etc/systemd/system/multi-user.target.wants/pki-tomcatd.target to /usr/lib/systemd/system/pki-tomcatd.target.
==========================================================================
INSTALLATION SUMMARY
==========================================================================
Administrator's username: caadmin
Administrator's PKCS #12 file:
/root/.dogtag/pki-tomcat/ca_admin_cert.p12
To check the status of the subsystem:
systemctl status pki-tomcatd@pki-tomcat.target
To restart the subsystem:
systemctl restart pki-tomcatd@pki-tomcat.target
The URL for the subsystem is:
https://ca.mydomain.net:8443/ca
PKI instances will be enabled upon system boot
==========================================================================
If you want to use the Dogtag web UI, import the user authentication certificate for caadmin. Using Fedora 24 Workstation (or CentOS 7 Workstation), copy the caadmin certificate to the workstation, then add it to Firefox's user certificates. If you receive an authentication error or "You did not provide a valid certificate for this operation" when browsing to "https://host.domain.net:8443/ca", then you have not used caadmin's authentication certificate for privileged access.
The caadmin certificate can be found in ~/.dogtag/pki-tomcat/ca_admin_cert.p12. Copy it to an admin workstation using scp root@<ip address or hostname>:/root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
Import the certificate into Firefox by selecting menu, Preferences, Advanced, View Certificates, Your Certificates, then Import. Once complete, you will find "PKI Administrator" under "Your Certificates."
Next article in the series is Identity Management with FreeIPA Server 4.3 on Fedora 24.