The following patch addresses the installation and configuration
of a stand-alone DRM (i.e., a DRM that exists as the sole
subsystem in a PKI deployment -- no corresponding Dogtag CA, and
no corresponding Security Domain). Eventually, this DRM will be
able to be installed and configured (as a two step process) using
nothing more than 'pkispawn' and the REST interface (Phase II).
As a preliminary step, this patch allows a stand-alone DRM to be
installed using 'pkispawn' and manually configured using the GUI
panel interface via a Firefox browser (Phase I).
Although this patch only addresses Phase I of a stand-alone
DRM, the patch does contain some additional code changes for
Phase II, and although incomplete at this time, none of these
changes should conflict with existing subsystems.
Finally, although this patch only addresses Phase I of configuring
a stand-alone DRM, I thought it prudent to send out the existing
code changes due to the relatively healthy size of this effort.
The attached patch addresses the following TRAC tickets:
The attached patch has been used to successfully install a
Stand-alone DRM using the manual GUI panels.
The DRM was installed using the following command:
    pkispawn -s KRA -f kra.cfg -vvv

where 'kra.cfg' contained the following:

    [DEFAULT]
    pki_admin_password=XXXXXXXX
    pki_client_pkcs12_password=XXXXXXXX
    pki_skip_configuration=True

    [KRA]
    pki_standalone=True
The DRM was then manually configured from a Firefox browser
using the GUI panels where:
- this DRM is not part of any security domain,
- this DRM's transport, storage, sslserver, and
audit_log_signing certificates were all submitted and
externally signed by a separate pre-installed Dogtag CA using
the appropriate profiles,
- a cert request for this DRM's Admin certificate was saved
in its CS.cfg to be used later.
Although I have no tests to verify that this stand-alone DRM
functions correctly, the standalone DRM server can be
successfully installed, manually configured by the GUI panels,
and started:
Please review this patch, so that Phase I of this effort may
be checked in.
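The kra.cfg quoted in the message above, run through a small pre-flight checker written as an added example (not part of the patch or of Dogtag): it assumes pkispawn applies [DEFAULT] values to the [KRA] section the way Python's configparser does, that a value made only of 'X' characters is a placeholder left in from the message, and that Phase I expects pki_skip_configuration=True whenever pki_standalone=True.

```python
"""Pre-flight lint for a pkispawn KRA deployment config (added example)."""
import configparser
import os
import stat

# Keys that hold plaintext secrets in the deployment config.
SECRET_KEYS = ("pki_admin_password", "pki_client_pkcs12_password")

# Constructed sample that mirrors the kra.cfg quoted in the message.
SAMPLE_CFG = """[DEFAULT]
pki_admin_password=XXXXXXXX
pki_client_pkcs12_password=XXXXXXXX
pki_skip_configuration=True
[KRA]
pki_standalone=True
"""


def lint_kra_cfg(text):
    """Return a list of findings; an empty list means nothing to report."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("KRA"):
        return ["missing [KRA] section"]
    kra = cp["KRA"]  # the proxy also resolves values inherited from [DEFAULT]
    findings = []
    standalone = kra.getboolean("pki_standalone", fallback=False)
    skip_config = kra.getboolean("pki_skip_configuration", fallback=False)
    if standalone and not skip_config:
        # Assumption: Phase I of a stand-alone DRM is configured manually.
        findings.append("pki_standalone=True requires pki_skip_configuration=True")
    for key in SECRET_KEYS:
        value = kra.get(key, fallback="")
        if not value:
            findings.append(f"{key} is not set")
        elif set(value) == {"X"}:
            findings.append(f"{key} is still the placeholder value")
        elif len(value) < 8:
            findings.append(f"{key} is shorter than 8 characters")
    return findings


def cfg_is_private(path):
    """True if the file (which holds plaintext passwords) is owner-only."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

Run lint_kra_cfg on the file before invoking pkispawn, and cfg_is_private on its path, since the admin and PKCS#12 passwords sit in it in the clear.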