a25fe00 Add a KRA to IPA

23 files. Authored by vakwetu 9 years ago, committed by pviktori 9 years ago.
    Add a KRA to IPA
    
    This patch adds the capability of installing a Dogtag KRA
    to an IPA instance.  With this patch, a KRA is NOT configured
    by default when ipa-server-install is run.  Rather, the command
    ipa-kra-install must be executed on an instance on which a Dogtag
    CA has already been configured.
    
    The KRA shares the same tomcat instance and DS instance as the
    Dogtag CA.  Moreover, the same admin user/agent (and agent cert) can
    be used for both subsystems.  Certmonger is also configured to
    monitor the new subsystem certificates.
    
    To create a clone KRA, simply execute ipa-kra-install <replica_file>
    on a replica on which a Dogtag CA has already been replicated.
    ipa-kra-install will use the security domain to detect whether the
    system being installed is a replica, and will error out if a needed
    replica file is not provided.
    
    The install scripts have been refactored somewhat to minimize
    duplication of code.  A new base class dogtagintance.py has
    been introduced containing code that is common to KRA and CA
    installs.  This will become very useful when we add more PKI
    subsystems.
    
    The KRA will install its database as a subtree of o=ipaca,
    specifically o=ipakra,o=ipaca.  This means that replication
    agreements created to replicate CA data will also replicate KRA
    data.  No new replication agreements are required.
    
    Added dogtag plugin for KRA.  This is an initial commit providing
    the basic vault functionality needed for vault.  This plugin will
    likely be modified as we create the code to call some of these
    functions.
    
    Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
    
    The uninstallation option in ipa-kra-install is temporarily disabled.
    
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Petr Viktorin <pviktori@redhat.com>
    
        
file modified
+2 -0
file modified
+1 -0
file modified
+1 -0
file modified
+31 -51
file modified
+13 -73
file modified
+2 -0
file modified
+10 -2
file modified
+8 -5
file modified
+214 -347
file modified
+218 -76