KRA Installation Process
This page describes the process to install KRA in IPA 4.9.
The process is defined in KRAInstance.configure_instance():
```python
if promote:
    self.step("creating ACIs for admin", self.add_ipaca_aci)
    self.step("creating installation admin user", self.setup_admin)
self.step("configuring KRA instance", self.__spawn_instance)
if not self.clone:
    self.step("create KRA agent", self.__create_kra_agent)
if promote:
    self.step("destroying installation admin user", self.teardown_admin)
self.step("enabling ephemeral requests", self.enable_ephemeral)
self.step("restarting KRA", self.restart_instance)
self.step("configure certmonger for renewals",
          self.configure_certmonger_renewal_helpers)
self.step("configure certificate renewals", self.configure_renewal)
if not self.clone:
    self.step("add vault container", self.__add_vault_container)
self.step("apply LDAP updates", self.__apply_updates)
self.step("enabling KRA instance", self.__enable_instance)
try:
    self.start_creation(runtime=120)
finally:
    self.clean_pkispawn_files()
```
The "configuring KRA instance" step is defined in `KRAInstance.__spawn_instance()`. It creates and configures a new KRA instance using `pkispawn`: it writes a configuration file with IPA-specific parameters and passes it to the base class, which runs `pkispawn` with it.
The "create KRA agent" step is defined in `KRAInstance.__create_kra_agent()`. It runs only on a fresh installation (not on a clone), since the agent entry already exists in the replicated `o=ipaca` tree.

It creates the KRA agent user:

```ldif
dn: uid=ipakra,ou=people,o=kra,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: ipakra
sn: IPA KRA User
cn: IPA KRA User
usertype: undefined
```

assigns the RA agent certificate to it, together with a `description` that encodes the certificate's serial number, issuer and subject in the form Dogtag uses to match a client certificate to the user:

```ldif
dn: uid=ipakra,ou=people,o=kra,o=ipaca
changetype: modify
add: userCertificate
userCertificate: <cert data>
-
add: description
description: 2;<serial number>;<issuer DN>;<subject DN>
```

and adds the user to the group that grants access to the KRA services:

```ldif
dn: cn=Data Recovery Manager Agents,ou=groups,o=kra,o=ipaca
changetype: modify
add: uniqueMember
uniqueMember: uid=ipakra,ou=people,o=kra,o=ipaca
```
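The three records above, generated as an added example in Python. This is example code, not FreeIPA's `__create_kra_agent()`; it takes the RA agent certificate's DER bytes plus its already-extracted serial number, issuer DN and subject DN as inputs (the byte string and the DNs in the block are constructed placeholders, not a real certificate), and emits `ldapmodify`-ready LDIF with the RFC 2849 base64 (`::`) form and 76-column folding that the binary `userCertificate` value needs. The `description` value follows the `2;<serial number>;<issuer DN>;<subject DN>` form shown above, with the serial in decimal.

```python
import base64
from typing import Iterable, List, Optional, Union

# DNs taken from the LDIF on this page.
AGENT_DN = "uid=ipakra,ou=people,o=kra,o=ipaca"
AGENT_GROUPS = ("cn=Data Recovery Manager Agents,ou=groups,o=kra,o=ipaca",)

# Constructed placeholder for the RA agent certificate's DER bytes
# (not a real certificate); pass the real DER and its fields in production.
SAMPLE_CERT_DER = bytes(range(256)) * 2
SAMPLE_SERIAL = 7                                          # assumed serial number
SAMPLE_ISSUER = "CN=Certificate Authority,O=EXAMPLE.COM"   # assumed issuer DN
SAMPLE_SUBJECT = "CN=IPA RA,O=EXAMPLE.COM"                 # assumed subject DN


def cert_description(serial: int, issuer_dn: str, subject_dn: str) -> str:
    """cmsuser 'description' in the form shown above: 2;<serial>;<issuer>;<subject>."""
    return f"2;{serial};{issuer_dn};{subject_dn}"


def _fold(line: str, width: int = 76) -> List[str]:
    """RFC 2849 folding: a long line continues on lines that start with one space."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def _attr(name: str, value: Union[str, bytes]) -> List[str]:
    """Render one attribute; bytes and non-SAFE-STRING text use the base64 ('::') form."""
    if isinstance(value, bytes):
        return _fold(f"{name}:: {base64.b64encode(value).decode('ascii')}")
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and not any(c in value for c in "\0\r\n"))
    if safe:
        return _fold(f"{name}: {value}")
    return _fold(f"{name}:: {base64.b64encode(value.encode()).decode('ascii')}")


def agent_add_record() -> str:
    """The user entry; 'changetype: add' lets ldapmodify apply it without -a."""
    lines = [f"dn: {AGENT_DN}", "changetype: add"]
    for oc in ("top", "person", "organizationalPerson", "inetOrgPerson", "cmsuser"):
        lines += _attr("objectClass", oc)
    for name, value in (("uid", "ipakra"), ("sn", "IPA KRA User"),
                        ("cn", "IPA KRA User"), ("usertype", "undefined")):
        lines += _attr(name, value)
    return "\n".join(lines) + "\n"


def agent_cert_record(cert_der: bytes, serial: int, issuer_dn: str, subject_dn: str) -> str:
    """Attach the RA agent certificate and the matching description."""
    lines = [f"dn: {AGENT_DN}", "changetype: modify", "add: userCertificate"]
    lines += _attr("userCertificate", cert_der)
    lines += ["-", "add: description"]
    lines += _attr("description", cert_description(serial, issuer_dn, subject_dn))
    lines.append("-")
    return "\n".join(lines) + "\n"


def agent_group_records(groups: Iterable[str] = AGENT_GROUPS) -> str:
    """One modify record per agent group, adding ipakra as uniqueMember."""
    records = []
    for group in groups:
        lines = [f"dn: {group}", "changetype: modify", "add: uniqueMember"]
        lines += _attr("uniqueMember", AGENT_DN)
        lines.append("-")
        records.append("\n".join(lines) + "\n")
    return "\n".join(records)


def build_agent_ldif(cert_der: bytes, serial: int, issuer_dn: str, subject_dn: str) -> str:
    """Full LDIF for ldapmodify: add the user, attach the cert, join the groups."""
    return "\n".join([agent_add_record(),
                      agent_cert_record(cert_der, serial, issuer_dn, subject_dn),
                      agent_group_records()])


def read_attr(record: str, name: str) -> Optional[Union[str, bytes]]:
    """Unfold an LDIF record and return the first value of `name` (bytes if base64)."""
    lines: List[str] = []
    for raw in record.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if line.startswith(f"{name}:: "):
            return base64.b64decode(line[len(name) + 3:])
        if line.startswith(f"{name}: "):
            return line[len(name) + 2:]
    return None


if __name__ == "__main__":
    print(build_agent_ldif(SAMPLE_CERT_DER, SAMPLE_SERIAL, SAMPLE_ISSUER, SAMPLE_SUBJECT))
```

`read_attr()` is the check half: after the records are applied, the same unfolding lets you compare what the directory holds against the certificate you expected to bind, which is what to look at when the RA certificate authenticates but the KRA still rejects the user.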
The "enabling ephemeral requests" step is defined in `KRAInstance.enable_ephemeral()`. It enables ephemeral KRA requests to reduce the number of LDAP write operations: archival and recovery requests are then processed in memory instead of being written to the KRA's request repository, so they do not appear in later request searches.

It sets the following parameter in `/var/lib/pki/pki-tomcat/conf/kra/CS.cfg`:

```
kra.ephemeralRequests=true
```

The following step, "restarting KRA", restarts the server so that the change takes effect:

```
$ systemctl restart pki-tomcatd@pki-tomcat
```
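The CS.cfg edit as an added example in Python (example code, not FreeIPA's `enable_ephemeral()`). It parses the Java-properties style of CS.cfg, sets `kra.ephemeralRequests=true` while keeping comments and key order, removes any later duplicate of the key (a properties reader lets the last occurrence win, so a stale duplicate would silently override the new value), reports whether anything changed so the edit is safe to repeat, and offers a check function for the effective value. The `SAMPLE_CFG` fragment is constructed for the stand-alone run; the path constant is the one from this page.

```python
import sys
from pathlib import Path
from typing import Dict, List, Optional, Tuple

CS_CFG = Path("/var/lib/pki/pki-tomcat/conf/kra/CS.cfg")   # path from this page
EPHEMERAL_KEY = "kra.ephemeralRequests"

# Constructed CS.cfg fragment for the stand-alone run; a real CS.cfg has many more keys.
SAMPLE_CFG = """# constructed sample, not a real CS.cfg
cs.type=KRA
kra.ephemeralRequests=false
kra.storageUnit=internal
"""


def _split(line: str) -> Optional[Tuple[str, str]]:
    """Return (key, value) for a key=value line, or None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or "=" not in stripped:
        return None
    key, _, value = stripped.partition("=")
    return key.strip(), value.strip()


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """CS.cfg is Java-properties style; a later duplicate key overrides an earlier one."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        kv = _split(line)
        if kv:
            params[kv[0]] = kv[1]
    return params


def ephemeral_enabled(text: str) -> bool:
    """True only if the effective value of kra.ephemeralRequests is 'true'."""
    return parse_cs_cfg(text).get(EPHEMERAL_KEY, "false").lower() == "true"


def set_param(text: str, key: str, value: str) -> Tuple[str, bool]:
    """Set key=value in place, keeping comments and order.

    The first line for `key` is rewritten, any later duplicate is dropped (so it
    cannot override the new value), and a missing key is appended.
    Returns (new_text, changed); changed is False when nothing needed editing."""
    out: List[str] = []
    seen = changed = False
    for line in text.splitlines():
        kv = _split(line)
        if kv is None or kv[0] != key:
            out.append(line)
            continue
        if seen:
            changed = True          # duplicate line removed
            continue
        seen = True
        changed = changed or kv[1] != value
        out.append(f"{key}={value}")
    if not seen:
        out.append(f"{key}={value}")
        changed = True
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    # With a path argument the real file is edited (needs root); otherwise the sample is used.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    text = target.read_text() if target else SAMPLE_CFG
    new_text, changed = set_param(text, EPHEMERAL_KEY, "true")
    if target and changed:
        target.write_text(new_text)
    print(f"{EPHEMERAL_KEY} enabled: {ephemeral_enabled(new_text)} (changed: {changed})")
    if changed:
        print("restart the server: systemctl restart pki-tomcatd@pki-tomcat")
```

Run it as root with the CS.cfg path as the argument, then restart `pki-tomcatd@pki-tomcat` as the next step does; running it again reports `changed: False`, which is the quick way to confirm the setting survived an upgrade or a hand edit.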
The "add vault container" step is defined in `KRAInstance.__add_vault_container()`. Like the agent creation, it runs only on a fresh installation, not on a clone.
The "apply LDAP updates" step is defined in `KRAInstance.__apply_updates()`. It applies the changes defined in `40-vault.update`.
The "enabling KRA instance" step is defined in `KRAInstance.__enable_instance()`.