
Setting up CA Database User

Endi S. Dewata edited this page Nov 28, 2023 · 8 revisions

Overview

This page describes how to set up a user that can access the CA database in DS (Directory Server).

Adding Database User

To add a database user with PKI tools:

$ pki-server ca-user-add \
    --full-name pkidbuser \
    --type agentType \
    pkidbuser

To add a database user with OpenLDAP tools:

$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
cn: pkidbuser
sn: pkidbuser
uid: pkidbuser
userState: 1
userType: agentType
EOF

Assigning Subsystem Certificate to Database User

To assign the subsystem certificate to the database user with PKI tools:

$ pki-server ca-user-cert-add \
    --cert /etc/pki/pki-tomcat/certs/subsystem.crt \
    pkidbuser

To assign the subsystem certificate to the database user with OpenSSL/OpenLDAP tools:

Convert the subsystem certificate to DER format:

$ openssl x509 -outform der -in subsystem.crt -out subsystem.der

Get the certificate serial number:

$ openssl x509 -text -noout -in subsystem.crt
...
        Serial Number:
            5a:a7:13:f5:0f:8b:5e:77:ae:fe:58:7e:4f:d0:c7:da
...

Convert the serial number to decimal (strip the colons first):

$ python
>>> int('5aa713f50f8b5e77aefe587e4fd0c7da', 16)
120498037977510792098276151038707812314

Add the certificate into the user entry:

$ ldapmodify \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: description
description: 2;<decimal serial number>;CN=CA Signing Certificate;CN=Subsystem Certificate
-
add: seeAlso
seeAlso: CN=Subsystem Certificate
-
add: userCertificate
userCertificate:< file:subsystem.der
-
EOF
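As an added example that is not part of this wiki page, the following Python script performs the serial-number step above directly on the DER file (a minimal ASN.1 walk that stops at the serialNumber field, no third-party modules) and builds the description value in the 2;<decimal serial>;<issuer>;<subject> form used in the ldapmodify entry. The certificate skeleton at the bottom is constructed for the example, and _tlv, _read_tlv, serial_from_der and cert_description are names chosen here, not Dogtag APIs.

```python
# Added example, not Dogtag PKI code: read the serial number out of a DER
# certificate and build the "description" value Dogtag uses to map the
# certificate to the user entry: 2;<decimal serial>;<issuer>;<subject>.

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def serial_from_der(der):
    """Return the serial number of a DER certificate as an int.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }.  A serial whose top bit is set is
    DER-encoded with a leading 0x00 pad byte; the unsigned decode below gives
    the same value openssl prints (and int('...', 16) computes) either way.
    """
    tag, cert, _ = _read_tlv(der, 0)
    assert tag == 0x30, "outer Certificate must be a SEQUENCE"
    tag, tbs, _ = _read_tlv(cert, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                          # explicit [0] version present (v2/v3 certs)
        tag, value, pos = _read_tlv(tbs, pos)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    return int.from_bytes(value, "big")

def cert_description(serial, issuer_dn, subject_dn):
    """Value for the user entry's 'description' attribute."""
    return f"2;{serial};{issuer_dn};{subject_dn}"

def _tlv(tag, body):
    """Minimal DER encoder (short and long length forms) used to build the sample."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + len(body).to_bytes(size, "big") + body

# Constructed sample: a v3 certificate skeleton carrying the serial shown on this
# page.  Real certificates continue after the serial; serial_from_der() never
# reads past it, so this skeleton is enough to exercise the parser.
SAMPLE_SERIAL = bytes.fromhex("5aa713f50f8b5e77aefe587e4fd0c7da")
SAMPLE_DER = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, SAMPLE_SERIAL)))

if __name__ == "__main__":
    serial = serial_from_der(SAMPLE_DER)   # on a real file: serial_from_der(open("subsystem.der", "rb").read())
    print(cert_description(serial, "CN=CA Signing Certificate", "CN=Subsystem Certificate"))
```

The printed line is what goes after "description:" in the ldapmodify entry above, replacing the <decimal serial number> placeholder with the parsed value.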

Adding Database User into CA Groups

To add the database user into CA groups with PKI tools:

$ pki-server ca-user-role-add pkidbuser "Subsystem Group"
$ pki-server ca-user-role-add pkidbuser "Certificate Manager Agents"

To add the database user into CA groups with OpenLDAP tools:

$ ldapmodify \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 << EOF
dn: cn=Subsystem Group,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com
-

dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com
-
EOF

Granting Database User Access to CA Database

To grant the database user access to the CA database with PKI tools:

$ pki-server ca-db-access-grant \
    uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com

To grant the database user access to the CA database with OpenLDAP tools:

$ sed \
    -e 's/{rootSuffix}/dc=example,dc=com/g' \
    -e 's/{dbuser}/uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com/g' \
    /usr/share/pki/server/database/ds/db-access-grant.ldif \
    | tee db-access-grant.ldif
$ ldapadd \
    -H ldap://$HOSTNAME \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -f db-access-grant.ldif