author | vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-10-12 18:44:02 +0000 |
committer | vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-10-12 18:44:02 +0000 |
commit | f54681e34ad0ff9009663089a64d26591102f3e8 (patch) | |
tree | 8624ee1d5be4cfc99c1c4e53b525627b9f2b9935 /pki/base/silent/templates | |
parent | 29542dfea4560bb5c8564da3461d2371d02bf964 (diff) | |
Bugzilla Bug 527322 - pkisilent ConfigureDRM should configure DRM Clone.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1347 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/silent/templates')
-rwxr-xr-x | pki/base/silent/templates/pki_silent.template | 105 |
1 files changed, 104 insertions, 1 deletions
diff --git a/pki/base/silent/templates/pki_silent.template b/pki/base/silent/templates/pki_silent.template
index dfce4c612..64d56823a 100755
--- a/pki/base/silent/templates/pki_silent.template
+++ b/pki/base/silent/templates/pki_silent.template
@@ -497,6 +497,38 @@ ca_audit_signing_cert_subject_name="cn=CA\ Audit\ Signing\ Certificate,o=${pki_s
 ## + "o=${pki_security_domain_name}"
 ##
+## Optional CA Variables for creating a clone DRM
+##
+## It is possible for pkisilent to create a DRM that is a clone of a previously
+## installed DRM (the master DRM). To do so, the keys of the master DRM must
+## first be backed up in a pk12 file, and this file should be copied to the
+## alias directory of the clone DRM. This file should have read permission for
+## the PKI user (pkiuser).
+##
+## An example file would be /var/lib/drm-clone/alias/drm-master.p12.
+##
+## The following variables should then be uncommented and defined for the clone CA.
+## kra_clone=true
+## kra_clone_p12_file=
+## kra_clone_p12_password=
+## kra_clone_uri=
+##
+## NOTES:
+## 1. drm_clone_p12_file must be just the filename relative to the alias directory.
+## So in the example above, drm_clone_p12_file="drm-master.p12"
+## 2. drm_clone_uri has the following format: https://<hostname>:<EE port> of the DRM to be cloned
+##
+## ADDITIONAL NOTES:
+## 1. The clone DRM and master DRM cannot share the same database instance. A new
+## instance should be created for the clone DRM.
+## 2. The variables kra_base_dn and kra_db_name defined above MUST be identical to the
+## kra_base_dn and kra_name of the master CA. The following assignments attempt
+## to ensure this is correct.
+##
+## kra_master_instance_name=
+## kra_base_dn="dc=${pki_host}-${kra_master_instance_name}"
+## kra_db_name="${pki_host}-${kra_master_instance_name}"
+
 kra_agent_name="KRA\ Administrator\ of\ Instance\ ${kra_instance_name}\'s\ ${pki_security_domain_name}\ ID"
 kra_agent_key_size=2048
 kra_agent_key_type=rsa
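Review bot: The NOTES in this block refer to `drm_clone_p12_file` and `drm_clone_uri`, but the variables the block asks the user to uncomment are `kra_clone_p12_file` and `kra_clone_uri`; the notes should use the kra_ names so a reader knows which variable to set. The heading `## Optional CA Variables for creating a clone DRM`, the sentence ending "for the clone CA" and the phrase "kra_name of the master CA" likewise say CA where the surrounding text means the DRM, and `kra_name` appears to be meant as `kra_db_name`. Since the pk12 file holds the master DRM's keys, the permission advice would be more useful as `## the PKI user (pkiuser) and no one else (e.g. mode 0600), since it contains the master DRM's private keys.`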
@@ -1324,10 +1356,81 @@ pkisilent ConfigureDRM \
 /sbin/service ${kra_init_script} restart ${kra_instance_name}
+##############################################################################
+## D A T A R E C O V E R Y M A N A G E R (clone) ##
+##############################################################################
+##
+## Use this to configure a DRM clone.
+##
+## For example, upon completion,
+## execute '/sbin/service ${kra_init_script} status ${kra_instance_name}':
+##
+## ${kra_instance_name} (pid 11723) is running ...
+##
+## Unsecure Port = http://${pki_host}:10180/kra/ee/kra
+## Secure Agent Port = https://${pki_host}:10443/kra/agent/kra
+## Secure EE Port = https://${pki_host}:10444/kra/ee/kra
+## Secure Admin Port = https://${pki_host}:10445/kra/services
+## PKI Console Port = pkiconsole https://${pki_host}:10445/kra
+## Tomcat Port = 10701 (for shutdown)
+##
+
+## Configure DRM
+# printf "'${pki_silent_script}': Configuring '${kra_instance_name}' . . .\n"
+# pkisilent ConfigureDRM \
+# -cs_hostname "${pki_host}" \
+# -cs_port ${kra_admin_port} \
+# -sd_hostname "${pki_security_domain_host}" \
+# -sd_ssl_port ${ca_ee_port} \
+# -sd_agent_port ${ca_agent_port} \
+# -sd_admin_port ${ca_admin_port} \
+# -sd_admin_name "${pki_security_domain_admin_name}" \
+# -sd_admin_password ${pki_security_domain_admin_password} \
+# -ca_hostname ${pki_security_domain_host} \
+# -ca_port ${ca_nonssl_port} \
+# -ca_ssl_port ${ca_ee_port} \
+# -client_certdb_dir ${pki_silent_security_database_repository} \
+# -client_certdb_pwd ${pki_silent_security_database_password} \
+# -preop_pin ${kra_preop_pin} \
+# -domain_name "${pki_security_domain_name}" \
+# -admin_user ${pki_silent_admin_user} \
+# -admin_password ${pki_silent_admin_password} \
+# -admin_email "${pki_silent_admin_email}" \
+# -agent_name ${kra_agent_name} \
+# -ldap_host ${pki_ldap_host} \
+# -ldap_port ${pki_ldap_port} \
+# -bind_dn "${pki_bind_dn}" \
+# -bind_password ${pki_bind_password} \
+# -base_dn "${kra_base_dn}" \
+# -db_name "${kra_db_name}" \
+# -key_size ${kra_key_size} \
+# -key_type ${kra_key_type} \
+# -token_name ${kra_token_name} \
+# -token_pwd ${kra_token_password} \
+# -agent_key_size ${kra_agent_key_size} \
+# -agent_key_type ${kra_agent_key_type} \
+# -agent_cert_subject "${kra_agent_cert_subject}" \
+# -subsystem_name ${kra_subsystem_name} \
+# -backup_pwd ${kra_backup_password} \
+# -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \
+# -drm_subsystem_cert_subject_name "${kra_subsystem_cert_subject_name}" \
+# -drm_storage_cert_subject_name "${kra_storage_cert_subject_name}" \
+# -drm_server_cert_subject_name "${kra_server_cert_subject_name}" \
+# -drm_audit_signing_cert_subject_name \
+# "${kra_audit_signing_cert_subject_name}" \
+# -clone ${kra_clone} \
+# -clone_p12_file ${kra_clone_p12_file} \
+# -clone_p12_password ${kra_clone_p12_password} \
+# -clone_uri ${kra_uri} \
+# | tee ${pki_silent_kra_log}
+
+## Restart drm
+#/sbin/service ${kra_init_script} restart ${kra_instance_name}
+
 ##############################################################################
 ## O N L I N E S T A T U S C E R T I F I C A T E P R O T O C O L ##
-##############################################################################
+###############################################################################
 ##
 ## For example, upon completion,
 ## execute '/sbin/service ${ocsp_init_script} status ${ocsp_instance_name}':