From b834efbaa8c929c10cf00252b71ebc29e2f10456 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Thu, 27 Mar 2014 11:08:32 -0400
Subject: Share subsystem cert in shared tomcat instances

In shared tomcat instances, we need to share the subsystem cert and not create a new one for each additional subsystem added to the instance. In addition, if the instances share the same database, then only one pkidbuser should be created with the relevant subsystem cert and seeAlso attribute.

Ticket 893
---
 base/server/etc/default.cfg | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)
(limited to 'base/server/etc')

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index ea9c54019..41b3bd39f 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -114,6 +114,8 @@ pki_ssl_server_token=Internal Key Storage Token
 pki_subsystem_key_algorithm=SHA256withRSA
 pki_subsystem_key_size=2048
 pki_subsystem_key_type=rsa
+pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
+pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s
 pki_subsystem_token=Internal Key Storage Token
 pki_theme_enable=True
 pki_theme_server_dir=/usr/share/pki/common-ui
@@ -399,8 +401,7 @@ pki_ds_base_dn=o=%(pki_instance_name)s-CA
 pki_ds_database=%(pki_instance_name)s-CA
 pki_ds_hostname=%(pki_hostname)s
 pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s CA
-pki_subsystem_subject_dn=cn=CA Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_share_db=False
 
 # Paths
 # These are used in the processing of pkispawn and are not supposed
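Review bot: The new [DEFAULT] values `pki_subsystem_nickname` and `pki_subsystem_subject_dn` drop the subsystem type from both the nickname and the subject DN, so a CA, KRA, OCSP, TKS and TPS in the same security domain all present `cn=Subsystem Certificate,o=<domain>` whether or not they actually share a tomcat instance, and nothing in this file states that the same DN is intended for standalone instances too. If, as the commit message suggests, the pkidbuser's seeAlso attribute is keyed on the subsystem cert's subject DN, two non-shared subsystems in one domain would no longer be distinguishable by DN alone. A comment above the two added lines would make the contract explicit, e.g. `# Shared by every subsystem of a tomcat instance (Ticket 893); override per subsystem only when subsystems do not share an instance.`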
@@ -479,8 +480,9 @@ pki_ds_base_dn=o=%(pki_instance_name)s-KRA
 pki_ds_database=%(pki_instance_name)s-KRA
 pki_ds_hostname=%(pki_hostname)s
 pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s KRA
-pki_subsystem_subject_dn=cn=KRA Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
+
 
 # Paths
 # These are used in the processing of pkispawn and are not supposed
@@ -540,8 +542,9 @@ pki_ds_base_dn=o=%(pki_instance_name)s-OCSP
 pki_ds_database=%(pki_instance_name)s-OCSP
 pki_ds_hostname=%(pki_hostname)s
 pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s OCSP
-pki_subsystem_subject_dn=cn=OCSP Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
+
 
 ###############################################################################
 ## RA Configuration: ##
@@ -571,8 +574,8 @@ pki_ds_base_dn=o=%(pki_instance_name)s-TKS
 pki_ds_database=%(pki_instance_name)s-TKS
 pki_ds_hostname=%(pki_hostname)s
 pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s TKS
-pki_subsystem_subject_dn=cn=TKS Subsystem Certificate,o=%(pki_security_domain_name)s
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
 
 ###############################################################################
 ## TPS Configuration: ##
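Review bot: `pki_share_dbuser_dn` in the KRA section hard-codes the CA's default base DN (`o=%(pki_instance_name)s-CA`) rather than tracking what the CA was actually deployed with, so a CA installed with a non-default `pki_ds_base_dn` or `pki_ds_database` leaves the KRA pointing at a pkidbuser entry that does not exist; the OCSP and TKS hunks below and the second TPS hunk on the following line carry the same literal. Defaulting `pki_share_db=True` also means that, unless the deployer overrides it, every additional subsystem is bound to the CA's directory and to the CA's pkidbuser, so a single shared credential would presumably carry whatever access the CA, KRA (which stores archived keys), OCSP, TKS and TPS data each require. A default of `pki_share_db=False` with explicit opt-in preserves the existing per-subsystem separation unless sharing is requested, and in any case a comment such as `# Must match the CA's pki_ds_base_dn; presumably only consulted when pki_share_db=True` above `pki_share_dbuser_dn` would document the coupling.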
@@ -593,8 +596,6 @@ pki_ds_base_dn=o=%(pki_instance_name)s-TPS
 pki_ds_database=%(pki_instance_name)s-TPS
 pki_ds_hostname=%(pki_hostname)s
 pki_subsystem_name=TPS %(pki_hostname)s %(pki_https_port)s
-pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s TPS
-pki_subsystem_subject_dn=cn=TPS Subsystem Certificate,o=%(pki_security_domain_name)s
 pki_authdb_hostname=%(pki_hostname)s
 pki_authdb_port=389
 pki_authdb_secure_conn=False
@@ -603,6 +604,8 @@ pki_kra_uri=https://%(pki_hostname)s:%(pki_https_port)s
 pki_tks_uri=https://%(pki_hostname)s:%(pki_https_port)s
 pki_enable_server_side_keygen=False
 pki_import_shared_secret=False
+pki_share_db=True
+pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
 
 # Paths
 # These are used in the processing of pkispawn and are not supposed
-- 
cgit
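Review bot: In the TPS section the two new keys are placed after `pki_import_shared_secret` instead of directly after `pki_subsystem_name`, which is where the CA, KRA, OCSP and TKS sections put them and where the first TPS hunk removes the old nickname and subject DN lines. Moving `pki_share_db=True` and `pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA` up to that spot keeps the five subsystem sections parallel and makes the shared-database settings easy to locate when auditing an instance. The TPS section continues past the end of this hunk.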