author | Ade Lee <alee@redhat.com> | 2014-03-27 11:08:32 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2014-03-31 10:26:12 -0400 |
commit | b834efbaa8c929c10cf00252b71ebc29e2f10456 (patch) | |
tree | e218ae6b2045cd5aa0f137efcdbd940f7de7333e /base/server/etc | |
parent | 86f4022cc0598353d16901fa2d1ef90f474baaca (diff) | |
Share subsystem cert in shared tomcat instances
In shared tomcat instances, we need to share the subsystem cert and
not create a new one for each additional subsystem added to the instance.
In addition, if the instances share the same database, then only one
pkidbuser should be created with the relevant subsystem cert and seeAlso
attribute.
Ticket 893
Diffstat (limited to 'base/server/etc')
-rw-r--r-- | base/server/etc/default.cfg | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index ea9c54019..41b3bd39f 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -114,6 +114,8 @@ pki_ssl_server_token=Internal Key Storage Token
 pki_subsystem_key_algorithm=SHA256withRSA
 pki_subsystem_key_size=2048
 pki_subsystem_key_type=rsa
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
+pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s
 pki_subsystem_token=Internal Key Storage Token
 pki_theme_enable=True
 pki_theme_server_dir=/usr/share/pki/common-ui
@@ -399,8 +401,7 @@ pki_ds_base_dn=o=%(pki_instance_name)s-CA
 pki_ds_database=%(pki_instance_name)s-CA
 pki_ds_hostname=%(pki_hostname)s
 pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s CA
-pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_share_db=False
 
 # Paths
 # These are used in the processing of pkispawn and are not supposed
@@ -479,8 +480,9 @@ pki_ds_base_dn=o=%(pki_instance_name)s-KRA
 pki_ds_database=%(pki_instance_name)s-KRA
 pki_ds_hostname=%(pki_hostname)s
 pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s KRA
-pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
+
 
 # Paths
 # These are used in the processing of pkispawn and are not supposed
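Review bot: The instance-wide `pki_subsystem_subject_dn` added in the first hunk no longer names the subsystem, so subsystems installed in separate instances of one security domain would by default request certificates with the identical subject `cn=Subsystem Certificate,o=<security domain>`. That makes audit records and directory certificate mappings harder to attribute to a single subsystem, and it may collide with a subject-uniqueness check on the issuing CA, which is not visible here. A comment above the two added keys would document the intent, for example `# Shared by every subsystem in this Tomcat instance; override pki_subsystem_subject_dn when subsystems run in separate instances`.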
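Review bot: `pki_share_dbuser_dn` in the KRA hunk repeats the literal CA suffix `o=%(pki_instance_name)s-CA` rather than following the CA's `pki_ds_base_dn`, and `pki_share_db=True` is the default even when no CA shares the instance or the directory. If the CA base DN is overridden, or the KRA is installed standalone, the default would name an entry that may not exist; how pkispawn reacts to that is outside this hunk. The same two lines are added in the OCSP, TKS and TPS hunks. Consider `pki_share_db=False` as the default in the subsystem sections, or a comment such as `# Override both keys when this subsystem does not share a directory with a CA in the same instance`.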
@@ -540,8 +542,9 @@ pki_ds_base_dn=o=%(pki_instance_name)s-OCSP
 pki_ds_database=%(pki_instance_name)s-OCSP
 pki_ds_hostname=%(pki_hostname)s
 pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s OCSP
-pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
+
 
 ###############################################################################
 ## RA Configuration: ##
@@ -571,8 +574,8 @@ pki_ds_base_dn=o=%(pki_instance_name)s-TKS
 pki_ds_database=%(pki_instance_name)s-TKS
 pki_ds_hostname=%(pki_hostname)s
 pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s TKS
-pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
 
 ###############################################################################
 ## TPS Configuration: ##
@@ -593,8 +596,6 @@ pki_ds_base_dn=o=%(pki_instance_name)s-TPS
 pki_ds_database=%(pki_instance_name)s-TPS
 pki_ds_hostname=%(pki_hostname)s
 pki_subsystem_name=TPS %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s TPS
-pki_subsystem_subject_dn=cn=TPS Subsystem Certificate,o=%(pki_security_domain_name)s
 pki_authdb_hostname=%(pki_hostname)s
 pki_authdb_port=389
 pki_authdb_secure_conn=False
@@ -603,6 +604,8 @@ pki_kra_uri=https://%(pki_hostname)s:%(pki_https_port)s
 pki_tks_uri=https://%(pki_hostname)s:%(pki_https_port)s
 pki_enable_server_side_keygen=False
 pki_import_shared_secret=False
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
 
 # Paths
 # These are used in the processing of pkispawn and are not supposed |
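Review bot: Nothing in the OCSP hunk (nor in the KRA, TKS and TPS hunks) documents the privilege trade-off of `pki_share_db=True`: every subsystem then binds to the directory as the one `uid=pkidbuser` entry, which per the commit message is tied to the single shared subsystem certificate. Directory ACIs and access logs can no longer tell the subsystems apart, and exposure of that one key would reach all subsystem data held in the shared directory, including the KRA's. A comment next to the keys would make this an informed choice, for example `# pki_share_db=True: bind as the CA's pkidbuser; set to False to keep a separate directory identity for this subsystem`.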