
Comments (4)

pki-bot commented on May 20, 2024

Comment from vakwetu (@vakwetu) at 2012-02-23 23:18:31

Additional steps needed to set up client auth for dogtag. These steps will be set up automatically in IPA, but they need to be documented for the standalone case.

  1. Install CA cert in directory server and trust it (or specifically security domain CA cert).
  2. Enable ssl on the CA (and ldaps port).
  3. Add something like the following to certmap.conf

certmap ipaca CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on

where the first line is the issuer dn of the CA cert for your security domain CA.

  4. Restart the DS.
  5. Modify the following in CS.cfg:

authz.instance.DirAclAuthz.ldap.ldapauth.authtype=SslClientAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
authz.instance.DirAclAuthz.ldap.ldapconn.host=vm-100.idm.lab.bos.redhat.com
authz.instance.DirAclAuthz.ldap.ldapconn.port=636
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=true

internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.host=vm-100.idm.lab.bos.redhat.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true

  6. Restart CS component. (works for java components)

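As an added example (not Dogtag's own code, and not part of the comment above), the following script checks a CS.cfg fragment for the consistency the steps above rely on: each `<prefix>.ldapauth.*` / `<prefix>.ldapconn.*` group that selects `SslClientAuth` must also use a TLS connection and name a client certificate, otherwise the bind has nothing to authenticate with. The "good" sample is the comment's own fragment; the "bad" one is constructed. `BasicAuth` is Dogtag's password-bind authtype and is assumed here as the default when `ldapauth.authtype` is absent.

```python
"""Consistency check for Dogtag CS.cfg LDAP client-auth settings (added example)."""
import re
from collections import defaultdict

# Matches e.g. "internaldb.ldapconn.port=636" and
# "authz.instance.DirAclAuthz.ldap.ldapauth.authtype=SslClientAuth".
KEY_RE = re.compile(
    r"^(?P<prefix>[\w.]+?)\.(?P<group>ldapauth|ldapconn)\.(?P<key>\w+)=(?P<value>.*)$"
)

# The fragment from the comment above, copied verbatim (host names are the comment's own).
GOOD_CFG = """
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=SslClientAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
authz.instance.DirAclAuthz.ldap.ldapconn.host=vm-100.idm.lab.bos.redhat.com
authz.instance.DirAclAuthz.ldap.ldapconn.port=636
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=true

internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.host=vm-100.idm.lab.bos.redhat.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
"""

# Constructed counter-example: SslClientAuth selected, but over plaintext LDAP and
# with no client certificate nickname, so the cert bind cannot work.
BAD_CFG = """
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
internaldb.ldapconn.host=vm-100.idm.lab.bos.redhat.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
"""


def parse_cs_cfg(text):
    """Group ldapauth/ldapconn keys by their prefix (e.g. 'internaldb')."""
    groups = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            groups[m["prefix"]][f"{m['group']}.{m['key']}"] = m["value"].strip()
    return dict(groups)


def check_ldap_auth(groups):
    """Return (prefix, problem) pairs; an empty list means the groups are consistent."""
    findings = []
    for prefix, cfg in sorted(groups.items()):
        # Assumption: BasicAuth (password bind) is what Dogtag uses when authtype is unset.
        authtype = cfg.get("ldapauth.authtype", "BasicAuth")
        secure = cfg.get("ldapconn.secureConn", "false").lower() == "true"
        port = cfg.get("ldapconn.port")
        if authtype == "SslClientAuth":
            if not secure:
                findings.append((prefix, "SslClientAuth requires ldapconn.secureConn=true"))
            if not cfg.get("ldapauth.clientCertNickname"):
                findings.append((prefix, "SslClientAuth needs ldapauth.clientCertNickname"))
            if not cfg.get("ldapauth.bindDN"):
                findings.append((prefix, "ldapauth.bindDN missing (the comment sets it even for SslClientAuth)"))
        elif not secure:
            findings.append((prefix, f"{authtype} over a non-TLS connection sends the bind password in clear"))
        if secure and port == "389":
            findings.append((prefix, "secureConn=true on port 389; LDAPS normally uses 636"))
    return findings


if __name__ == "__main__":
    for label, text in (("comment config", GOOD_CFG), ("constructed bad config", BAD_CFG)):
        print(f"{label}: {check_ldap_auth(parse_cs_cfg(text)) or 'OK'}")
```

Run it against a real CS.cfg by reading the file into `parse_cs_cfg`; any group with `SslClientAuth` but `secureConn=false` is the classic misconfiguration that makes the subsystem fail to bind after step 5.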

pki-bot commented on May 20, 2024

Comment from vakwetu (@vakwetu) at 2012-02-24 16:20:56

Pushed to master and dogtag 9


pki-bot commented on May 20, 2024

Comment from vakwetu (@vakwetu) at 2012-08-22 18:37:14

Just for documentation completeness. The fix for this issue occurred on dogtag 9 in the following commits:

2566d4d
ada9213
ff4d47d

The acls required for the new db user are specified in a new manager.ldif file, which is copied here so that anyone who wants to add a similar user can provide the relevant acls.

# acis for cert manager

dn: ou=csusers,cn=config
objectClass: top
objectClass: organizationalUnit
ou: csusers

dn: {rootSuffix}
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn=ldbm database,cn=plugins,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)

dn: cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)

dn: ou=csusers,cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)

dn: cn=tasks,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)

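For anyone adapting manager.ldif to a similar user, here is an added review helper (not Dogtag's code, and not part of the comment above). It parses the aci records from the file, resolves the `{rootSuffix}` / `{dbuser}` placeholders, and summarises which rights the DB user receives on which entry, flagging `allow (all)` and unfiltered write grants so the extent of the user's privilege is visible before the LDIF is applied. The root suffix `o=ipa-ca` is taken from the bindDN in the first comment; the sample DB user DN `uid=pkidbuser,ou=people,o=ipa-ca` is constructed. Only the ACI shape used in this file (targetattr, optional targetfilter, one allow clause, one userdn) is handled.

```python
"""Summarise the rights granted to {dbuser} by the manager.ldif ACIs (added example)."""
import re

# The aci records from the manager.ldif above, verbatim (the initial ou=csusers add,
# which carries no aci, is left out). {rootSuffix} and {dbuser} are the file's placeholders.
MANAGER_LDIF = """
dn: {rootSuffix}
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn=ldbm database,cn=plugins,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)

dn: cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)

dn: ou=csusers,cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)

dn: cn=tasks,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
"""

# One ACI of the shape used above: targetattr, optional targetfilter, name, allow, userdn.
# 389-DS accepts either "acl" or "aci" as the keyword in front of the ACI name.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"?(?P<targetattr>[^")]+)"?\)'
    r'(?:\(targetfilter\s*=\s*"(?P<targetfilter>[^"]*)"\))?'
    r'\(version 3\.0;\s*(?:acl|aci)\s*"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*userdn\s*=\s*"(?P<userdn>[^"]*)";\)'
)


def parse_ldif_acis(ldif_text, root_suffix, dbuser):
    """Return one dict per aci value, in file order, with placeholders resolved."""
    text = ldif_text.replace("{rootSuffix}", root_suffix).replace("{dbuser}", dbuser)
    grants = []
    for record in re.split(r"\n\s*\n", text.strip()):
        dn = None
        for line in record.splitlines():
            if line.startswith("dn: "):
                dn = line[4:].strip()
            elif line.startswith("aci: "):
                m = ACI_RE.fullmatch(line[5:].strip())
                if not m:
                    raise ValueError(f"unparsed aci under {dn}: {line}")
                grants.append({
                    "dn": dn,
                    "name": m["name"],
                    "rights": [r.strip() for r in m["rights"].split(",")],
                    "targetattr": ("all but " if m["op"] == "!=" else "") + m["targetattr"].strip(),
                    "targetfilter": m["targetfilter"],
                    "userdn": m["userdn"],
                })
    return grants


def broad_grants(grants):
    """Grants worth a second look: 'all', or write on every attribute with no filter."""
    return [g for g in grants
            if "all" in g["rights"]
            or ("write" in g["rights"] and g["targetattr"] == "*" and not g["targetfilter"])]


if __name__ == "__main__":
    grants = parse_ldif_acis(MANAGER_LDIF, "o=ipa-ca", "uid=pkidbuser,ou=people,o=ipa-ca")
    for g in grants:
        flag = "  <-- broad" if g in broad_grants(grants) else ""
        print(f"{g['dn']:45} {','.join(g['rights']):22} attrs={g['targetattr']}{flag}")
```

Against the file above the helper reports two broad grants: `allow (all)` on the root suffix and `allow (all)` on `ou=csusers,cn=config`; the replication-agreement writes are scoped by a targetfilter and are not flagged.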

pki-bot commented on May 20, 2024

Comment from vakwetu (@vakwetu) at 2017-02-27 14:01:23

Metadata Update from @vakwetu:

  • Issue assigned to vakwetu
  • Issue set to the milestone: Dogtag 10.0.0.a1

