The following patch addresses the installation and configuration of a stand-alone DRM (i. e. - a DRM that exists as the sole subsystem in a PKI deployment -- no corresponding Dogtag CA, and no corresponding Security Domain). Eventually, this DRM will be able to be installed and configured (as a two step process) using nothing more than 'pkispawn' and the REST interface (Phase II). As a preliminary step, this patch allows a stand-alone DRM to be installed using 'pkispawn' and manually configured using the GUI panel interface via a Firefox browser (Phase I).
Although this patch only addresses Phase I of a stand-alone DRM, the patch does contain some additional code changes for Phase II, and although incomplete at this time, none of these changes should conflict with existing subsystems. Finally, although this patch only addresses Phase I of configuring a stand-alone DRM, I thought it prudent to send out the existing code changes due to the relatively healthy size of this effort. The attached patch addresses the following TRAC tickets:

https://fedorahosted.org/pki/ticket/667 TRAC Ticket #667 - provide option for ca-less drm install (Phase I)
https://fedorahosted.org/pki/ticket/641 TRAC Ticket #641 - Incorrect interface labels in pkidaemon output
https://fedorahosted.org/pki/ticket/707 TRAC Ticket #707 -Do not "require" the following pkispawn parameters for GUI-based configuration

The attached patch has been used to successfully install a Stand-alone DRM using the manual GUI panels.

The DRM was installed using the following command:

pkispawn -s KRA -f kra.cfg -vvv

where 'kra.cfg' contained the following:

[DEFAULT]pki_admin_password=XXXXXXXXpki_client_pkcs12_password=XXXXXXXXpki_skip_configuration=True[KRA]pki_standalone=True

The DRM was then manually configured from a Firefox browser using the GUI panels where:

this DRM is not part of any security domain,
this DRM's transport, storage, sslserver, and audit_log_signing certificates were all submitted and externally signed by a separate pre-installed Dogtag CA using the appropriate profiles,
a cert request for this DRM's Admin certificate was saved in its CS.cfg to be used later

Although I have no tests to verify that this stand-alone DRM functions correctly, the standalone DRM server can be successfully installed, manually configured by the GUI panels, and started:

pkidaemon status tomcat pki-tomcatStatus for pki-tomcat: pki-tomcat is running .. [DRM Status Definitions] Unsecure URL = http://dogtag19.example.com:8080/kra/ee/kra Secure Agent URL = https://dogtag19.example.com:8443/kra/agent/kra Secure EE URL = https://dogtag19.example.com:8443/kra/ee/kra Secure Admin URL = https://dogtag19.example.com:8443/kra/services PKI Console Command = pkiconsole https://dogtag19.example.com:8443/kra Tomcat Port = 8005 (for shutdown) [DRM Configuration Definitions] PKI Instance Name: pki-tomcat PKI Subsystem Type: DRM (Stand-alone)

Please review this patch, so that Phase I of this effort may be checked-in.