Differences
tutorial:adm:caw_driver [2019/11/19 13:08] fiserp [Installation]
tutorial:adm:caw_driver [2022/04/12 08:39] (current) stekld [Example of CAW driver configuration in Appliance]
Line 159: | Line 159: | ||
[root@ca ~]# ./caw create-crl | [root@ca ~]# ./caw create-crl | ||
</ | </ | ||
+ | |||
+ | ==== Example of CAW driver configuration in Appliance ==== | ||
+ | - Create a new folder. It is possible to add more authorities to this folder. Each authority has its own caw folder, caw script and own configuration caw_settings.source and ca_openssl.cnf.In this example, use only one CA.< | ||
+ | [root@ca ~]# mkdir / | ||
+ | </ | ||
+ | - Unzip caw driver to caw directory. Caw driver can be downloaded from our git repository: | ||
+ | [root@ca ~]# unzip caw-master.zip -d / | ||
+ | [root@ca ~]# mv / | ||
+ | </ | ||
+ | - In this example we received from customer already generated CA certificate - private key public key customerCa.key, | ||
+ | [root@ca ~]# cp customerCa.key / | ||
+ | [root@ca ~]# cp customerCa.pem / | ||
+ | </ | ||
+ | - We use random random 128bit serial number.< | ||
+ | [root@ca ~]# cd / | ||
+ | [root@ca ca]# openssl rand -hex 16 > serial | ||
+ | </ | ||
+ | - It is also necessary to merge customerCa.conf file with the caw configuration file ca_openssl.cnf and caw_settings.source. The ca_openssl.cnf and caw_settings.source contains preconfigured CA. Follow the comments in the files and edit files by customerCa.conf. | ||
+ | - Set a correct permision and owner. .< | ||
+ | [root@ca czechidm]# chown -Rf 999:998 cert-authority/ | ||
+ | [root@ca czechidm]# chmod 400 cert-authority/ | ||
+ | [root@ca czechidm]# chmod 750 cert-authority/ | ||
+ | [root@ca czechidm]# cd cert-authority/ | ||
+ | [root@ca caw]# chmod 750 caw | ||
+ | </ | ||
+ | - It is necessary to directory cert-authority mount into a CzechIdM container, because the caw script must be executable by IdM. To file / | ||
+ | - type: bind | ||
+ | source: / | ||
+ | target: / | ||
+ | read_only: false | ||
+ | </ | ||
+ | -An important part of ca is the CRL file, which must be generated regularly. CAW creates CRL by calling ./caw create-crl. Create the .service unit that will generate CRL file. Create new file in / | ||
+ | [Unit] | ||
+ | Description=CRL refreshing | ||
+ | After=network.target docker.service | ||
+ | [Service] | ||
+ | Type=simple | ||
+ | ExecStart=/ | ||
+ | </ | ||
+ | -Create a .timer unit file which actually schedules the .service unit you just created. Create it in the same location as the .service file. The service is started every hour.< | ||
+ | [Unit] | ||
+ | Description=CzechIdM refresh CRL | ||
+ | After=network.target docker.service | ||
+ | [Timer] | ||
+ | OnCalendar=*-*-* *:00:00 | ||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | -Enable new service and timer:< | ||
+ | [root@ca czechidm]# systemctl enable iam-crl-refresh.service iam-crl-refresh.timer | ||
+ | </ | ||
+ | -The crl has to be available via a web proxy. First, you must mount the file in the Web Proxy container. to file / | ||
+ | - type: bind | ||
+ | source: / | ||
+ | target: / | ||
+ | read_only: true | ||
+ | </ | ||
+ | -To make the file available from web proxy it is necessary to modify a file / | ||
+ | | ||
+ | root / | ||
+ | } | ||
+ | </ | ||
+ | -The next step is to configure our crl module ca directly in IdM. Instructions for configuration in IdM are here: | ||
+ | |||
==== Deconfiguring default PKCS11 engine ==== | ==== Deconfiguring default PKCS11 engine ==== |
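Review bot: the added `iam-crl-refresh.service` unit has no `[Install]` section, so the `systemctl enable iam-crl-refresh.service iam-crl-refresh.timer` step has nothing to act on for the service part (systemd reports that the unit has no installation config); enabling and starting only the timer is enough, since the timer is what triggers the service every hour. On the same units: `Type=simple` for a command that runs `./caw create-crl` once and exits is better expressed as `Type=oneshot`; a timer unit is conventionally `WantedBy=timers.target` rather than `multi-user.target`; and adding `Persistent=true` under `[Timer]` makes a run missed while the host was down catch up at boot, which matters because relying parties fetch this CRL through the web proxy and a stale CRL is the failure mode to avoid. The step that bind-mounts the CA directory into the IdM container with `read_only: false` should also state which files IdM actually needs to write (serial, index, CRL), so the preceding `chmod 400` / `chmod 750` / `chown 999:998` lines can be checked against that requirement. Minor: the added prose has typos ("random random", "permision") and the last item ends mid-sentence ("Instructions for configuration in IdM are here:") without the link.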