#1431 setting different pki_security_domain_password and pki_admin_password should be allowed
Closed: Invalid. Opened 9 years ago by dminnich.

Recently, when working with a CA clone hooked to an HSM, mharmsen discovered that both the pki_security_domain_password and the pki_admin_password must be set to the same value for the CA clone to be stood up successfully.


Per CS/DS Meeting of 06/22/2015: 10.3

Per discussions, moving this ticket back to 10.2.6 Milestone.

There seems to be some confusion here.

When a CA is installed, an admin user is created. For convenience, this user is placed in various admin groups (including the security domain admin groups) as well as the certificate agent groups. This means that this convenience user is a security domain admin, a regular CA admin, and a CA agent.

If you use this default convenience user, then of course the security domain user's password and the admin user's password must be the same - because they are one and the same user. In fact, when installing a root CA, the security_domain_password is likely ignored.

We expect though that in a real deployment, folks will create their own agents, and may even create separate users to manage the security domain (as opposed to other CA admin tasks).

So, if you want to use different passwords for the security domain user, then you should do the following:

  1. create the CA providing the admin user password.
  2. create a new security domain admin user using the pki utility -- authenticating as the admin user. Add a different password for this user.
  3. Add this user to the relevant enterprise X admin groups.
  4. Install other subsystems using the security domain UID and password.

I'm not sure there is any work to be done here, except potentially to better document what is needed in the man page.
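The rule stated in the comment above (one account means one password; a separate security domain account may carry its own) can be checked before running pkispawn. The following is an added example, not code from the ticket or from the Dogtag project. It reads a pkispawn-style deployment config with Python's configparser and reports whether the security domain credentials are consistent with that rule. The parameter names pki_admin_uid, pki_admin_password, pki_security_domain_user and pki_security_domain_password are real pkispawn keys; the two sample configs and all password values are constructed for the example, and the assumption that both users default to caadmin when unset follows pkispawn's CA defaults.

```python
import configparser

# Constructed pkispawn-style deployment configs for the two cases discussed in
# the thread. The keys are real pkispawn parameters; the values are made up.
SAME_ACCOUNT_MISMATCH = """
[DEFAULT]
pki_admin_uid=caadmin
pki_admin_password=Adm1nPass
pki_security_domain_user=caadmin
pki_security_domain_password=SdPass
"""

SEPARATE_SD_ACCOUNT = """
[DEFAULT]
pki_admin_uid=caadmin
pki_admin_password=Adm1nPass
pki_security_domain_user=sdadmin
pki_security_domain_password=SdPass
"""


def load_section(config_text, section="CA"):
    """Parse the config and return the subsystem section (which inherits
    [DEFAULT]), falling back to [DEFAULT] when the section is absent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return parser[section] if parser.has_section(section) else parser["DEFAULT"]


def check_security_domain_credentials(config_text, section="CA"):
    """Return (ok, reason).

    Mirrors the rule from the thread: when the security domain user and the
    admin user are the same account, they share one LDAP password, so the two
    config passwords must be identical. A separately created security domain
    account may use its own password. Assumption: both users default to
    'caadmin' when the keys are not set, as in pkispawn's CA defaults.
    """
    cfg = load_section(config_text, section)
    admin_uid = cfg.get("pki_admin_uid", "caadmin")
    sd_user = cfg.get("pki_security_domain_user", "caadmin")
    admin_pw = cfg.get("pki_admin_password", "")
    sd_pw = cfg.get("pki_security_domain_password", "")

    if sd_user == admin_uid:
        if admin_pw != sd_pw:
            return False, (
                f"pki_security_domain_user and pki_admin_uid are both '{admin_uid}'; "
                "one account has one password, so pki_security_domain_password "
                "must equal pki_admin_password"
            )
        return True, f"single convenience account '{admin_uid}' with one password"

    if not sd_pw:
        return False, f"pki_security_domain_password is empty for separate user '{sd_user}'"
    return True, f"separate security domain user '{sd_user}' may use its own password"


if __name__ == "__main__":
    for name, text in (("same account", SAME_ACCOUNT_MISMATCH),
                       ("separate account", SEPARATE_SD_ACCOUNT)):
        ok, reason = check_security_domain_credentials(text)
        print(f"{name}: {'OK' if ok else 'PROBLEM'} - {reason}")
```

Run it against the deployment config of each subsystem you are about to install with pkispawn; the "same account" case is exactly the configuration the ticket describes, and the check flags it before the install fails. It does not verify the password stored in LDAP, so a separate account still needs its LDAP password to match the config value.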

That makes sense.

We were actually doing the suggested steps but were having issues. I think our issues may have come from setting a different password in the config.txt files than in LDAP. I know at some point we changed passwords in a lot of places and I'm thinking we forgot to update the hash in the LDIF.

Anyhow, I can confirm that at least for a master and clone CA setup not connected to an HSM that I can use different accounts and passwords.

Feel free to close the ticket. Thanks for the help.

Thanks for the update Dustin. Closing this ticket.

Metadata Update from @dminnich:
- Issue set to the milestone: 10.2.6

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1991

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
