Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
tutorial:adm:caw_driver [2019/11/19 13:08] fiserp [Installation] |
tutorial:adm:caw_driver [2022/04/12 08:39] (current) stekld [Example of CAW driver configuration in Appliance] |
||
|---|---|---|---|
| Line 159: | Line 159: | ||
| [root@ca ~]# ./caw create-crl | [root@ca ~]# ./caw create-crl | ||
| </ | </ | ||
| + | |||
| + | ==== Example of CAW driver configuration in Appliance ==== | ||
| + | - Create a new folder. It is possible to add more authorities to this folder. Each authority has its own caw folder, caw script and own configuration caw_settings.source and ca_openssl.cnf.In this example, use only one CA.< | ||
| + | [root@ca ~]# mkdir / | ||
| + | </ | ||
| + | - Unzip caw driver to caw directory. Caw driver can be downloaded from our git repository: | ||
| + | [root@ca ~]# unzip caw-master.zip -d / | ||
| + | [root@ca ~]# mv / | ||
| + | </ | ||
| + | - In this example we received from customer already generated CA certificate - private key public key customerCa.key, | ||
| + | [root@ca ~]# cp customerCa.key / | ||
| + | [root@ca ~]# cp customerCa.pem / | ||
| + | </ | ||
| + | - We use random random 128bit serial number.< | ||
| + | [root@ca ~]# cd / | ||
| + | [root@ca ca]# openssl rand -hex 16 > serial | ||
| + | </ | ||
| + | - It is also necessary to merge customerCa.conf file with the caw configuration file ca_openssl.cnf and caw_settings.source. The ca_openssl.cnf and caw_settings.source contains preconfigured CA. Follow the comments in the files and edit files by customerCa.conf. | ||
| + | - Set a correct permision and owner. .< | ||
| + | [root@ca czechidm]# chown -Rf 999:998 cert-authority/ | ||
| + | [root@ca czechidm]# chmod 400 cert-authority/ | ||
| + | [root@ca czechidm]# chmod 750 cert-authority/ | ||
| + | [root@ca czechidm]# cd cert-authority/ | ||
| + | [root@ca caw]# chmod 750 caw | ||
| + | </ | ||
| + | - It is necessary to directory cert-authority mount into a CzechIdM container, because the caw script must be executable by IdM. To file / | ||
| + | - type: bind | ||
| + | source: / | ||
| + | target: / | ||
| + | read_only: false | ||
| + | </ | ||
| + | -An important part of ca is the CRL file, which must be generated regularly. CAW creates CRL by calling ./caw create-crl. Create the .service unit that will generate CRL file. Create new file in / | ||
| + | [Unit] | ||
| + | Description=CRL refreshing | ||
| + | After=network.target docker.service | ||
| + | [Service] | ||
| + | Type=simple | ||
| + | ExecStart=/ | ||
| + | </ | ||
| + | -Create a .timer unit file which actually schedules the .service unit you just created. Create it in the same location as the .service file. The service is started every hour.< | ||
| + | [Unit] | ||
| + | Description=CzechIdM refresh CRL | ||
| + | After=network.target docker.service | ||
| + | [Timer] | ||
| + | OnCalendar=*-*-* *:00:00 | ||
| + | [Install] | ||
| + | WantedBy=multi-user.target | ||
| + | </ | ||
| + | -Enable new service and timer:< | ||
| + | [root@ca czechidm]# systemctl enable iam-crl-refresh.service iam-crl-refresh.timer | ||
| + | </ | ||
| + | -The crl has to be available via a web proxy. First, you must mount the file in the Web Proxy container. to file / | ||
| + | - type: bind | ||
| + | source: / | ||
| + | target: / | ||
| + | read_only: true | ||
| + | </ | ||
| + | -To make the file available from web proxy it is necessary to modify a file / | ||
| + | | ||
| + | root / | ||
| + | } | ||
| + | </ | ||
| + | -The next step is to configure our crl module ca directly in IdM. Instructions for configuration in IdM are here: | ||
| + | |||
| ==== Deconfiguring default PKCS11 engine ==== | ==== Deconfiguring default PKCS11 engine ==== | ||