tutorial:adm:caw_driver [2019/11/19 13:08]
fiserp [Installation]
tutorial:adm:caw_driver [2022/04/11 12:28]
stekld
Line 159: Line 159:
 [root@ca ~]# ./caw create-crl [root@ca ~]# ./caw create-crl
 </code> </code>
 +
 +==== Example of CAW driver configuration in Appliance ====
 +  - Create a new folder. It is possible to add more authorities to this folder. Each authority has its own caw folder, caw script and own configuration caw_settings.source and ca_openssl.cnf.In this example, use only one CA.<code>
 +[root@ca ~]# mkdir /data/volumes/czechidm/cert-authority
 +</code>
 +  - Unzip caw driver to caw directory. Caw driver can be downloaded from our git repository:[[https://github.com/bcvsolutions/caw|CAW]].<code>
 +[root@ca ~]# unzip caw-master.zip -d /data/volumes/czechidm/cert-authority/ 
 +[root@ca ~]# mv /data/volumes/czechidm/cert-authority/caw-master /data/volumes/czechidm/cert-authority/caw
 +</code>
 +  - In this example we received from customer already generated CA certificate - private key public key customerCa.key, public key customerCa.pem and configuration file customerCa.conf.Copy a files to caw directory and replace our default test ca.<code>
 +[root@ca ~]# cp customerCa.key /data/volumes/czechidm/cert-authority/caw/ca/private/ca.key
 +[root@ca ~]# cp customerCa.pem /data/volumes/czechidm/cert-authority/caw/ca/ca.pem
 +</code>
 +  - We use random random 128bit serial number.<code>
 +[root@ca ~]# cd /data/volumes/czechidm/cert-authority/caw/ca/
 +[root@ca ca]# openssl rand -hex 16 > serial
 +</code>
 +  - It is also necessary to merge customerCa.conf file with the caw configuration file ca_openssl.cnf and caw_settings.source. 
 +  - Set a correct permision and owner. .<code>
 +[root@ca czechidm]# chown -Rf 999:998 cert-authority/
 +[root@ca czechidm]# chmod 400 cert-authority/caw/ca/private/ca.key
 +[root@ca czechidm]# chmod 750 cert-authority/
 +[root@ca czechidm]# cd cert-authority/caw/
 +[root@ca caw]# chmod 750 caw
 +</code>
 +  - It is necessary to directory cert-authority mount into a CzechIdM container, because the caw script must be executable by IdM. To file /data/registry/node-active-config/docker-compose-czechidm.yml add:<code>
 + - type: bind
 +        source: /data/volumes/czechidm/cert-authority
 +        target: /opt/cert-authority
 +        read_only: false
 +</code>
 +  -An important part of ca is the CRL file, which must be generated regularly. CAW creates CRL by calling ./caw create-crl. Create the .service unit that will generate CRL file. Create new file in /usr/lib/systemd/system/iam-crl-refresh.service <code>
 +[Unit]
 +Description=CRL refreshing
 +After=network.target docker.service
 +[Service]
 +Type=simple
 +ExecStart=/usr/bin/docker exec czechidm /opt/cert-authority/caw/caw create-crl
 +</code>
 +  -Create a .timer unit file which actually schedules the .service unit you just created. Create it in the same location as the .service file. The service is started every hour.<code>
 +[Unit]
 +Description=CzechIdM refresh CRL
 +After=network.target docker.service
 +[Timer]
 +OnCalendar=*-*-* *:00:00
 +[Install]
 +WantedBy=multi-user.target
 +</code>
 +  -The crl has to be available via a web proxy. First, you must mount the file in the Web Proxy container. to file /data/registry/node-active-config/docker-compose-web-proxy.yml add:<code>
 + - type: bind
 +        source: /data/volumes/czechidm/cert-authority/caw/ca/crl/ca.crl
 +        target: /etc/nginx/crl/ca.crl
 +        read_only: true
 +</code>
 +  -To make the file available from web proxy it is necessary to modify a file /data/volumes/web-proxy/config/reverse_proxy.conf and add:<code>
 +   location /crl/ca.crl {
 +        root /etc/nginx/;
 +    }
 +</code> Then the crl file is available at URL:https://iam.appliance.tld/crl/ca.crl
 +  -The next step is to configure our crl module ca directly in IdM. Instructions for configuration in IdM are here:[[tutorial:adm:modules_crt| crt module tutorial]]
 +
  
 ==== Deconfiguring default PKCS11 engine ==== ==== Deconfiguring default PKCS11 engine ====
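Review bot: the `.timer` unit in the "Create a .timer unit file" step is never given a file name, is installed into the wrong target, and is never enabled, so as written nothing ever runs `./caw create-crl` and the published CRL silently expires. Timer units belong in `timers.target`, not `multi-user.target` (`[Install]` / `WantedBy=timers.target`), the file should be `/usr/lib/systemd/system/iam-crl-refresh.timer` so it pairs with `iam-crl-refresh.service`, and the step should finish with `systemctl daemon-reload` and `systemctl enable --now iam-crl-refresh.timer`. Two smaller points on the same hunk: the web-proxy compose fragment bind-mounts the single file `/data/volumes/czechidm/cert-authority/caw/ca/crl/ca.crl`; if `create-crl` produces the new CRL by writing a temporary file and renaming it over the old one, the container keeps the original inode and nginx keeps serving the stale CRL, so mounting the `crl/` directory rather than the file is the safer choice. Finally, the "merge customerCa.conf with ca_openssl.cnf" step should state that the `crlDistributionPoints` URL in `ca_openssl.cnf` must be the same `https://iam.appliance.tld/crl/ca.crl` that the proxy publishes, because relying parties fetch the CRL from the URL embedded in the issued certificates, not from this page.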