IPAv3_Add_a_KRA#

Description#

This page explains how to set up and configure a KRA on an IPA server that was installed with a Dogtag CA. A KRA is used for key escrow and recovery; it is also referred to as the Data Recovery Manager (DRM).

NOTE: This is being developed as a Proof-of-Concept.

Prerequisites#

  • Fedora 18

  • ipa-server 3.1.4

  • pki-core 10.0.3

This procedure has only been tested with the versions listed above.

Install and configure IPA server#

Make sure all packages are up to date#

# yum update -y

Install required packages#

# yum install -y freeipa-server bind bind-dyndb-ldap pki-kra

Install IPA server#

# ipa-server-install -a mypassword1 -p mypassword2 --domain=ipa_domain --realm=IPA_DOMAIN --setup-dns --no-forwarders -U

NOTE: This configures IPA with its own DNS server. This is not an absolute requirement.

Install the KRA#

Create KRA installation configuration file#

Create a file with these contents somewhere in your filesystem. It is only needed during installation of the KRA.

Replace the password, host name and realm names as appropriate to your installation.

[KRA]
pki_security_domain_https_port = 443
pki_security_domain_password = mypassword2
pki_security_domain_user = admin
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = mypassword2
pki_client_database_dir = /tmp/tmp-ce2oQN
pki_client_database_password = mypassword2
pki_client_database_purge = False
pki_client_pkcs12_password = mypassword2
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = mypassword2
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
pki_import_admin_cert = True
pki_admin_cert_file = /root/.dogtag/pki-tomcat/ca_admin.cert
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = mypassword2
pki_ds_base_dn = o=ipakra
pki_ds_database = ipakra
pki_storage_subject_dn = cn=DRM Storage Certificate,o=EXAMPLE.COM
pki_transport_subject_dn = cn=DRM Transport Certificate,o=EXAMPLE.COM
pki_subsystem_subject_dn = cn=DRM Subsystem,O=EXAMPLE.COM
pki_ssl_server_subject_dn = cn=ipa.example.com,O=EXAMPLE.COM
pki_audit_signing_subject_dn = cn=DRM Audit,O=EXAMPLE.COM
pki_subsystem_nickname = subsystemCert cert-pki-kra
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-kra
pki_storage_nickname = storageCert cert-pki-kra
pki_transport_nickname = transportCert cert-pki-kra
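Because the file above has to be edited by hand in several places (the password appears seven times and the realm in every subject DN), a mistyped value is easy to miss until pkispawn fails half-way through. The following script is an added example, not part of this wiki page or of the pki-core project: it writes the same [KRA] section from the realm, host name and password, and then sanity-checks the result before pkispawn is run. It assumes the placeholders EXAMPLE.COM, ipa.example.com and mypassword2 stand for your own values, writes all organisation components as O= (the page mixes o= and O=), and leaves pki_client_database_dir to pkispawn's default rather than the temporary path shown above. Since the file holds clear-text passwords it is created with mode 0600.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate and sanity-check the KRA
# installation file. Usage: sh kra-cfg.sh REALM FQDN PASSWORD OUTFILE

# write_kra_cfg REALM FQDN PASSWORD OUTFILE
# Writes the [KRA] section with the page's keys. umask runs in a subshell so
# the caller's umask is untouched; the file ends up owner-readable only.
write_kra_cfg() {
    realm="$1"; fqdn="$2"; pw="$3"; out="$4"
    (
        umask 077
        cat > "$out" <<EOF
[KRA]
pki_security_domain_https_port = 443
pki_security_domain_password = $pw
pki_security_domain_user = admin
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = $pw
pki_client_database_password = $pw
pki_client_database_purge = False
pki_client_pkcs12_password = $pw
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = $pw
pki_admin_nickname = ipa-ca-agent
pki_admin_subject_dn = cn=ipa-ca-agent,O=$realm
pki_import_admin_cert = True
pki_admin_cert_file = /root/.dogtag/pki-tomcat/ca_admin.cert
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_ds_ldap_port = 389
pki_ds_password = $pw
pki_ds_base_dn = o=ipakra
pki_ds_database = ipakra
pki_storage_subject_dn = cn=DRM Storage Certificate,O=$realm
pki_transport_subject_dn = cn=DRM Transport Certificate,O=$realm
pki_subsystem_subject_dn = cn=DRM Subsystem,O=$realm
pki_ssl_server_subject_dn = cn=$fqdn,O=$realm
pki_audit_signing_subject_dn = cn=DRM Audit,O=$realm
pki_subsystem_nickname = subsystemCert cert-pki-kra
pki_ssl_server_nickname = Server-Cert cert-pki-ca
pki_audit_signing_nickname = auditSigningCert cert-pki-kra
pki_storage_nickname = storageCert cert-pki-kra
pki_transport_nickname = transportCert cert-pki-kra
EOF
    )
}

# check_kra_cfg FILE
# Fails (exit 1, first problem on stderr) if a password or DN key is missing
# or empty, if the subject DNs do not all name one organisation, or if the
# file is readable by anyone but its owner.
check_kra_cfg() {
    cfg="$1"
    for key in pki_security_domain_password pki_admin_password pki_ds_password \
               pki_backup_password pki_client_pkcs12_password \
               pki_storage_subject_dn pki_transport_subject_dn pki_ssl_server_subject_dn; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$cfg" \
            || { echo "missing or empty: $key" >&2; return 1; }
    done
    # collect the O= component of every *_subject_dn and count distinct values
    orgs=$(sed -n 's/^pki_[a-z_]*_subject_dn *= *.*,[oO]=\(.*\)$/\1/p' "$cfg" \
           | sort -u | wc -l | tr -d ' ')
    [ "$orgs" -eq 1 ] || { echo "subject DNs do not share one organisation" >&2; return 1; }
    # the file holds passwords: insist on mode 0600
    [ -n "$(find "$cfg" -perm 600 -print)" ] || { echo "$cfg must be mode 0600" >&2; return 1; }
    return 0
}

# when run as a script with four arguments, generate and check in one go
if [ $# -eq 4 ]; then
    write_kra_cfg "$@" && check_kra_cfg "$4"
fi
```

Run it as `sh kra-cfg.sh EXAMPLE.COM ipa.example.com mypassword2 /root/kra.cfg` and pass the resulting path to `pkispawn -f`; `check_kra_cfg` can also be pointed at a hand-written file to catch an emptied password or a DN left on a different realm.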

Update IPA proxy configuration#

Replace /etc/httpd/conf.d/ipa-pki-proxy.conf with this:

# VERSION 3 - DO NOT REMOVE THIS LINE

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/profileSubmit|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

# matches for admin port and installer
<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/getSubsystemCert|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateConnector|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient none
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>

# Only enable this on servers that are not generating a CRL
#RewriteRule ^/ipa/crl/MasterCRL.bin https://dart.greyoak.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]

<LocationMatch "^/kra/agent/kra/connector">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://localhost:8009
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>
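The split in the file above is the security-relevant part: the ee and admin blocks use `NSSVerifyClient none` because clients reach them before they hold a certificate, while the agent/eeca block and the new `/kra/agent/kra/connector` block use `NSSVerifyClient require`, so nothing reaches a privileged CA or KRA path through the proxy without a client certificate. The following lint is an added example, not part of this wiki page or of FreeIPA: it reads a proxy configuration file and reports any `<LocationMatch>` block whose verification setting does not match that rule, which is worth running after every hand edit and before `systemctl restart httpd.service`. It assumes the file keeps the page's layout (one `NSSVerifyClient` directive per block) and that a pattern containing `/agent/` or `/eeca/` is a privileged one.

```shell
#!/bin/sh
# Added example (not from the wiki page): lint ipa-pki-proxy.conf so that
# every agent / eeca / KRA connector block requires a client certificate and
# every ee / admin block does not. Usage: sh check-proxy.sh /etc/httpd/conf.d/ipa-pki-proxy.conf

# check_proxy_conf FILE
# Exit 0 when every <LocationMatch> block carries the expected
# NSSVerifyClient value, 1 otherwise (each offending pattern is printed).
check_proxy_conf() {
    awk '
        BEGIN { bad = 0 }
        # a new block: remember its pattern, forget the previous verify setting
        /^[[:space:]]*<LocationMatch/ { pattern = $0; verify = ""; inblock = 1; next }
        inblock && $1 == "NSSVerifyClient" { verify = $2 }
        inblock && /<\/LocationMatch>/ {
            inblock = 0
            # privileged paths (agent operations, eeca SSL-client submission,
            # the KRA connector) must require a certificate; the rest must not
            want = (pattern ~ /\/agent\/|\/eeca\//) ? "require" : "none"
            if (verify != want) {
                printf "NSSVerifyClient is \"%s\", want \"%s\": %s\n", verify, want, pattern
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

if [ $# -eq 1 ]; then
    check_proxy_conf "$1"
fi
```

A block that lost its `NSSVerifyClient` line altogether is reported too, since an empty value matches neither expectation; the lint deliberately says nothing about the `ProxyPassMatch` targets, which `apachectl configtest` already validates syntactically.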

Restart httpd#

# systemctl restart httpd.service

Add the KRA#

# pkispawn -s KRA -f /path/to/kra.cfg

Restart Tomcat#

# systemctl restart pki-tomcatd@pki-tomcat.service

Configure a browser for KRA administrative work#

Copy the Agent PKCS#12 file#

The PKCS#12 file containing the IPA RA agent certificate that we’ll use for the KRA work is /root/ca-agent.p12. Copy it to your client machine, or to a location on the server that is readable by the user who will run Firefox, and fix permissions as needed.

# cp /root/ca-agent.p12 /home/someuser
# chown someuser /home/someuser/ca-agent.p12

Import the cert#

Start Firefox and select Edit -> Preferences -> Advanced -> Encryption -> View Certificates.

Select Import.

Enter the path to ca-agent.p12.

Enter the PKCS#12 password (the Directory Manager password, mypassword2 in the example).

Test the cert#

We will be using the CA directly as opposed to going through the IPA GUI.

Browse to https://ipa.example.com:8443/

You may be prompted to trust the CA. You can instead import it directly by going to http://ipa.example.com/ipa/config/ca.crt

Select Agent Services and you should be prompted to select a client certificate to use. If you imported the certificate correctly, selecting it and clicking OK should display the CA agent page.

Issue and Recover a Certificate#

There are further instructions for testing the KRA at https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Testing_the_Key_Archival_and_Recovery_Setup.html