#5 Replace DM access and add certificate access to the DB from CS
Closed: Fixed None Opened 12 years ago by vakwetu.

Write code to provide access to the DB through certificates. Modify CS startup code to access the DB through certs. The user should have access only to the CS suffix.


Additional steps are needed to set up client auth for Dogtag. These steps will be set up automatically in IPA, but they need to be documented for the standalone case.

  1. Install the CA cert in the directory server and trust it (or specifically the security domain CA cert).
  2. Enable SSL on the CA (and the ldaps port).
  3. Add something like the following to certmap.conf:

```
certmap ipaca CN=Certificate Authority,O=IDM.LAB.BOS.REDHAT.COM
ipaca:CmapLdapAttr seeAlso
ipaca:verifycert on
```

where the first line is the issuer DN of the CA cert for your security domain CA.

  4. Restart the DS.
  5. Modify the following in CS.cfg:

```
authz.instance.DirAclAuthz.ldap.ldapauth.authtype=SslClientAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
authz.instance.DirAclAuthz.ldap.ldapconn.host=vm-100.idm.lab.bos.redhat.com
authz.instance.DirAclAuthz.ldap.ldapconn.port=636
authz.instance.DirAclAuthz.ldap.ldapconn.secureConn=true

internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=uid=CA-vm-100.idm.lab.bos.redhat.com-9443,ou=people,o=ipa-ca
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.host=vm-100.idm.lab.bos.redhat.com
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true
```

  6. Restart the CS component (works for Java components).

Pushed to master and dogtag 9

Just for documentation completeness. The fix for this issue occurred on dogtag 9 in the following commits:

2566d4ddfb533d81fe6203d8457b52e7423b418e
ada9213433a122e83c7d0cc0c04a4711ae003a79
ff4d47d6f176c5f7bc1d2848943c6098f8463253

The ACLs required for the new DB user are specified in a new manager.ldif file, which is copied here so that anyone who wants to add a similar user can provide the relevant ACLs.

```ldif
# acis for cert manager

dn: ou=csusers,cn=config
objectClass: top
objectClass: organizationalUnit
ou: csusers

dn: {rootSuffix}
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn=ldbm database,cn=plugins,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)

dn: cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)

dn: ou=csusers,cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)

dn: cn=tasks,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
```
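When reviewing a manager.ldif like the one above against the ticket's requirement that the DB user only needs access to the CS suffix, it helps to tabulate which rights each aci grants on which entry. The following script is an added example, not part of the ticket or of Dogtag; it parses a constructed subset of the ACIs quoted above (placeholders left unexpanded) and lists every entry other than the suffix on which the user is granted `all`.

```python
import re

# Constructed sample: three of the ACIs from the manager.ldif quoted above, with the
# {rootSuffix}/{dbuser} placeholders left unexpanded, as in the page.
SAMPLE_LDIF = """\
dn: {rootSuffix}
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager access"; allow (all) userdn = "ldap:///{dbuser}";)

dn: ou=csusers,cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
"""

# 389-ds accepts either "acl" or "aci" as the name keyword inside the version clause,
# and the file above uses both, so the pattern allows both.
ACI_RE = re.compile(r'(?:acl|aci)\s+"(?P<name>[^"]*)"\s*;\s*allow\s*\((?P<rights>[^)]*)\)'
                    r'\s*userdn\s*=\s*"(?P<userdn>[^"]*)"', re.IGNORECASE)
FILTER_RE = re.compile(r'targetfilter\s*=\s*"(?P<f>[^"]*)"', re.IGNORECASE)

def parse_ldif_acis(text):
    """Return one dict per 'aci:' value, tagged with the dn of the entry it is added to."""
    grants, dn = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.startswith("aci:"):
            m = ACI_RE.search(line)
            if m is None or dn is None:
                raise ValueError("unparseable aci line: " + line)
            flt = FILTER_RE.search(line)
            grants.append({"dn": dn, "name": m.group("name"),
                           "rights": sorted(r.strip().lower() for r in m.group("rights").split(",")),
                           "userdn": m.group("userdn"),
                           "targetfilter": flt.group("f") if flt else None})
    return grants

def all_rights_outside_suffix(grants, suffix="{rootSuffix}"):
    """DNs other than the CS suffix itself on which the user is granted 'all'."""
    return sorted(g["dn"] for g in grants if "all" in g["rights"] and g["dn"] != suffix)
```

Run `parse_ldif_acis` over the real file after substituting `{rootSuffix}` and `{dbuser}`; the LDIF above has no folded (leading-space) continuation lines, so the parser does not handle them.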

Metadata Update from @vakwetu:
- Issue assigned to vakwetu
- Issue set to the milestone: Dogtag 10.0.0.a1

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/577

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
