c0d55ce Centralize enable/disable of the ACME service

Authored and Committed by rcritten 3 years ago
    Centralize enable/disable of the ACME service
    
    The initial implementation of ACME in dogtag and IPA required
    that ACME be manually enabled on each CA.
    
    dogtag added a REST API that can be accessed directly or through
    the `pki acme` CLI tool to enable or disable the service.
    
    It also abstracted the database connection and introduced the
    concept of a realm which defines the DIT for ACME users and
    groups, the URL and the identity. This is configured in realm.conf.
    
    A new group was created, Enterprise ACME Administrators, that
    controls the users allowed to modify ACME configuration.
    
    The IPA RA is added to this group for the ipa-acme-manage tool
    to authenticate to the API to enable/disable ACME.
    
    Related dogtag installation documentation:
    https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Database.md
    https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
    https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Installing_PKI_ACME_Responder.md
    
    ACME REST API:
    https://github.com/dogtagpki/pki/wiki/PKI-ACME-Enable-REST-API
    
    https://pagure.io/freeipa/issue/8524
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
    
        
file modified
+1 -0
file modified
+1 -0
file modified
+2 -2