Overview

The pkidbuser is an LDAP user created to replace cn=Directory Manager for the PKI subsystems' database access. It is not a PKI user, so it can be moved from ou=people to the parent subtree. All references to it should be updated accordingly.

Since moving the user affects certificate mapping and ACLs, the process should be done in multiple steps to minimize downtime.

New Instances

On new instances the pkidbuser will be added to the correct location automatically.

Existing Instances with Shared Database

This includes IPA.

Adding New User

This should be executed on one of the clones only.

Add the new user in the new location in the shared database:

$ ldapadd -x -D "cn=Directory Manager" -w Secret.123
dn: uid=pkidbuser,dc=ca,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: pkidbuser
sn: pkidbuser
uid: pkidbuser
userCertificate: <subsystem certificate>

Configure ACLs for the new user:

$ pki-ds backend-access-grant ca uid=pkidbuser,dc=ca,dc=example,dc=com
$ pki-ds backend-access-grant kra uid=pkidbuser,dc=ca,dc=example,dc=com
$ pki-ds backend-access-grant ocsp uid=pkidbuser,dc=ca,dc=example,dc=com
$ pki-ds backend-access-grant tks uid=pkidbuser,dc=ca,dc=example,dc=com
$ pki-ds backend-access-grant tps uid=pkidbuser,dc=ca,dc=example,dc=com

Switch certificate mapping:

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123
dn: uid=pkidbuser,dc=ca,dc=example,dc=com
changetype: modify
add: seeAlso
seeAlso: CN=Subsystem Certificate,O=EXAMPLE

dn: uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com
changetype: modify
delete: seeAlso

Updating PKI Servers

This should be executed one server at a time.

Stop PKI server:

$ systemctl stop pki-tomcatd@pki-tomcat.service

Update the references to the user in CS.cfg so that they point to the new DN, and remove any redundant references to the old user (see IPA Ticket #5298). The remaining entries should read:

internaldb.ldapauth.bindDN=uid=pkidbuser,dc=ca,dc=example,dc=com
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=pkidbuser,dc=ca,dc=example,dc=com

Restart PKI server:

$ systemctl start pki-tomcatd@pki-tomcat.service

Removing Old User

This should be executed on one of the clones only.

Remove ACLs for the old user:

$ pki-ds backend-access-deny ca uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com
$ pki-ds backend-access-deny kra uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com
$ pki-ds backend-access-deny ocsp uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com
$ pki-ds backend-access-deny tks uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com
$ pki-ds backend-access-deny tps uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com

Remove the old user from the group:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-group-user-del "Subsystem Group" pkidbuser

Remove the old user:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-del pkidbuser

Existing Instances with Separate Databases

Adding New Users

This should be executed once on the clone hosting the subsystem.

Add the new user in the new location of each subsystem's database:

$ ldapadd -h <subsystem>.example.com -p 389 -x -D "cn=Directory Manager" -w Secret.123
dn: uid=pkidbuser,dc=<subsystem>,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: pkidbuser
sn: pkidbuser
uid: pkidbuser
userCertificate: <DER-encoded certificate>

Configure ACLs for the new users:

$ pki-ds backend-access-grant ca uid=pkidbuser,dc=ca,dc=example,dc=com
$ pki-ds backend-access-grant kra uid=pkidbuser,dc=kra,dc=example,dc=com
$ pki-ds backend-access-grant ocsp uid=pkidbuser,dc=ocsp,dc=example,dc=com
$ pki-ds backend-access-grant tks uid=pkidbuser,dc=tks,dc=example,dc=com
$ pki-ds backend-access-grant tps uid=pkidbuser,dc=tps,dc=example,dc=com

Switch certificate mappings:

$ ldapmodify -h <subsystem>.example.com -p 389 -x -D "cn=Directory Manager" -w Secret.123
dn: uid=pkidbuser,dc=<subsystem>,dc=example,dc=com
changetype: modify
add: seeAlso
seeAlso: CN=Subsystem Certificate,O=EXAMPLE

dn: uid=pkidbuser,ou=people,dc=<subsystem>,dc=example,dc=com
changetype: modify
delete: seeAlso

Updating PKI Servers

This should be executed one server at a time.

Stop PKI server:

$ systemctl stop pki-tomcatd@pki-tomcat.service

Update the references to the user in CS.cfg so that they point to the new DN, and remove any redundant references to the old user (see IPA Ticket #5298). The remaining entries should read:

internaldb.ldapauth.bindDN=uid=pkidbuser,dc=<subsystem>,dc=example,dc=com
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=pkidbuser,dc=<subsystem>,dc=example,dc=com

Restart PKI server:

$ systemctl start pki-tomcatd@pki-tomcat.service

Removing Old Users

Remove ACLs for the old users:

$ pki-ds backend-access-deny ca uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com
$ pki-ds backend-access-deny kra uid=pkidbuser,ou=people,dc=kra,dc=example,dc=com
$ pki-ds backend-access-deny ocsp uid=pkidbuser,ou=people,dc=ocsp,dc=example,dc=com
$ pki-ds backend-access-deny tks uid=pkidbuser,ou=people,dc=tks,dc=example,dc=com
$ pki-ds backend-access-deny tps uid=pkidbuser,ou=people,dc=tps,dc=example,dc=com

Remove the old users from the groups:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-group-user-del "Subsystem Group" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-group-user-del "Certificate Manager Agents" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-group-user-del "Data Recovery Manager Agents" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-group-user-del "Trusted Managers" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ocsp-group-user-del "Trusted Managers" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin tks-group-user-del "Token Key Service Manager Agents" pkidbuser

Remove the old users:

$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-del pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-user-del pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ocsp-user-del pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin tks-user-del pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin tps-user-del pkidbuser
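A check for the CS.cfg step in both procedures above (shared and separate databases), added here as an example and not part of the original page or of the Dogtag code: it parses a constructed CS.cfg fragment, lists the bindDN keys that still reference the old ou=people location, and rewrites them to the parent subtree while leaving unrelated bind DNs untouched. The sample key names other than the two shown on the page are made up for the example.

```python
"""Find and rewrite pkidbuser bind DN references in a Dogtag CS.cfg (example code)."""
import re

# Constructed CS.cfg fragment (not from a real instance): one reference still at
# the old ou=people location, one already moved, and one unrelated bind DN
# (made-up key name) that must be left alone.
SAMPLE_CS_CFG = """\
# constructed sample
internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com
internaldb.ldapauth.authtype=SslClientAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=pkidbuser,dc=ca,dc=example,dc=com
other.plugin.ldap.ldapauth.bindDN=cn=Directory Manager
"""

# Old location: uid=pkidbuser directly under ou=people; group 1 keeps the
# database suffix (dc=ca,... or dc=<subsystem>,...) so both layouts are handled.
OLD_LOCATION = re.compile(r"^uid=pkidbuser,ou=people,(dc=.*)$", re.IGNORECASE)


def parse_cs_cfg(text):
    """Return CS.cfg as an ordered list of (key, value); non-property lines get key None."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" not in line:
            entries.append((None, line))
        else:
            key, value = line.split("=", 1)
            entries.append((key, value))
    return entries


def old_pkidbuser_refs(text):
    """Keys whose value still binds as pkidbuser under the old ou=people location."""
    return [k for k, v in parse_cs_cfg(text)
            if k and k.endswith(".bindDN") and OLD_LOCATION.match(v)]


def rewrite_pkidbuser_refs(text):
    """Rewrite old-location pkidbuser bind DNs to the parent subtree; keep everything else."""
    out = []
    for key, value in parse_cs_cfg(text):
        if key and key.endswith(".bindDN"):
            m = OLD_LOCATION.match(value)
            if m:
                value = "uid=pkidbuser," + m.group(1)
        out.append(value if key is None else f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("still at old location:", old_pkidbuser_refs(SAMPLE_CS_CFG))
    print(rewrite_pkidbuser_refs(SAMPLE_CS_CFG))
```

Run it against a copy of the instance's CS.cfg before starting the server again; an empty list from old_pkidbuser_refs means no bind still depends on the entry that the last step deletes.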

References