---

+--------------------------------------------------------------+
| WARNING: This is currently an **EXPERIMENTAL** module things |
| may change drastically, and in breaking ways, without notice!|
+--------------------------------------------------------------+

---

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Module Description

simp/simp_pki_service is a SIMP-oriented installation of the Dogtag Certificate System.

Traditionally, SIMP has used an internal "FakeCA" openssl-based CA. Over time, this has proven insufficient for our needs, particularly for capabilities in terms of Key Enrollment (SCEP and CMC), OCSP, and overall management of certificates.

Additionally, we found that many users wanted to adjust the certificate parameters for the Puppet subsystem itself outside of the defaults and/or use a "real", and more scalable CA system for all certificate management.

Dogtag was selected since it was likely to be the most familiar to any users of the FreeIPA or Red Hat Identity Management product suite and should allow for transition from one to the other in a vendor supported manner.

Setup

What simp_pki_service affects

This module sets up the following components on your system:

• Internal 389ds Directory Server

  • Bound to 127.0.0.1 only to restrict access

• Dogtag with the following subsystems:

  • Root CA -> simp-pki-root
  • Sub CA with KRA and SCEP -> simp-puppet-pki
  • Sub CA with KRA and SCEP -> simp-site-pki

Setup Requirements

Due to the high entropy requirements, systems will need to be able to install the haveged package from the EPEL repository.

The creation of the PKI infrastructure is extremely CPU intensive. Once created, individual actions are not too burdensome on the system. At a minimum, the system should have:

• 2 CPUs
  • These will be completely utilized during setup
• 512MB RAM Free

Usage

Installation

To install the CA system, you simply need to include the simp_pki_service class on your node. This will instantiate the services as follows:

                  +----------------+
                  |                |
                  |  simp-pki-root |
                  |   Port: 4509   |
                  |                |
                  +----------------+
                          |
           ---------------+---------------
          /                               \
         v                                 v
+-----------------+                +---------------+
|                 |                |               |
| simp-puppet-pki |                | simp-site-pki |
|   Port: 5509    |                |  Port: 8443   |
|                 |                |               |
+-----------------+                +---------------+

The CA and subordinate CA configuration shown above is controlled by the simp_pki_service::cas parameter. You can change the settings, including the bound ports, for the default infrastructure by manipulating this data hash. However, once the system is active you CANNOT change the ports or hostname since the OCSP information is usually incorporated into all signed certificates and will then be invalid.

If you wish to customize the existing CA settings, or add your own CAs to the mix, you can easily do this using the simp_pki_service::custom_cas parameter. This hash will be combined with simp_pki_service::cas using a deep_merge to allow for full customization.

The simp-pki-root CA

This CA is the root for all subordinate CAs and should never be exposed outside of the local system unless it is specifically to an off-system subordinate CA.

If this CA is compromised, then all subordinate CAs are now invalid and must be replaced, additionally, when this CA expires, all subordinate CAs must be regenerated.

The simp-puppet-pki subordinate CA

This CA is the new root for all puppet operations in the infrastructure. The goal of this is that the puppet CA will no longer be used and certificates from this new CA will be used in place of the traditional puppet certificates in accordance with the External CA Support documentation from Puppet, Inc.

The simp-site-pki subordinate CA

This CA replaces the SIMP FakeCA for general purpose internal certificate generation and maintenance. It is meant to be used with certmonger, or another automated enrollment utility but can also be used to generate certificates and ship them using the simp-pki puppet module in the same way that the FakeCA was traditionally used.

NOTE: This has been pinned to port 8443 by default since it is the default dogtag port and the most likely to be allowed through firewalls by default.

The /root/.dogtag Directory

This directory holds all configuration and maintenance information and credentials for the various CAs that have been set up on the system.

/root/.dogtag
├── generated_configs                   <- Puppet Generated Files
│   ├── dogtag_simp-pki-root_ca.cfg
│   ├── dogtag_simp-puppet-pki_ca.cfg
│   ├── dogtag_simp-puppet-pki_kra.cfg
│   ├── dogtag_simp-site-pki_ca.cfg
│   ├── dogtag_simp-site-pki_kra.cfg
│   ├── ds_pw.txt                       <- Directory Server Password
│   └── ds_simp-pki-ds_setup.inf
├── simp-pki-root
│   ├── ca
│   │   ├── alias                       <- NSSDB for Root PKI
│   │   ├── password.conf               <- Password for Root PKI
│   │   └── pkcs12_password.conf
│   ├── ca_admin.cert
│   ├── ca_admin.cert.der
│   └── ca_admin_cert.p12
├── simp-puppet-pki
│   ├── ca
│   │   ├── alias                       <- NSSDB for Puppet Sub PKI
│   │   ├── password.conf               <- Password for Puppet Sub PKI
│   │   └── pkcs12_password.conf
│   ├── ca_admin.cert
│   ├── ca_admin.cert.der
│   └── ca_admin_cert.p12
└── simp-site-pki
    ├── ca
    │   ├── alias                       <- NSSDB for Site Sub PKI
    │   ├── password.conf               <- Password for Site Sub PKI
    │   └── pkcs12_password.conf
    ├── ca_admin.cert
    ├── ca_admin.cert.der
    └── ca_admin_cert.p12

CLI CA Control

The pki subsystem has a great number of command line options that may be used to interact with the different subsystems. There is also a server CLI interface but we recommend using the standard remote CLI so that you know if the remote connections are working properly.

BASH aliases

---

IMPORTANT: DO NOT SKIP THIS SECTION

---

The following aliases are recommended to be added to the root user's $HOME/.bashrc file to make daily interaction with the different systems as easy as possible:

# This will be your most commonly used command

alias site-pki-base='pki -d $HOME/.dogtag/simp-site-pki/ca/alias -C $HOME/.dogtag/simp-site-pki/ca/password.conf'
alias site-pki='site-pki-base -n "caadmin" -P https -p 8443'

# This should only be used for Puppet ecosystem certificates:
# For example: puppetserver, puppetdb, puppet agent

alias puppet-pki-base='pki -d $HOME/.dogtag/simp-puppet-pki/ca/alias -C $HOME/.dogtag/simp-puppet-pki/ca/password.conf'
alias puppet-pki='puppet-pki-base -n "caadmin" -P https -p 5509'

# This will rarely be used and controls the *root* CA
# If you invalidate or break the root CA, everything below it will need to be
# regenerated!

alias pki-root-base='pki -d $HOME/.dogtag/simp-pki-root/ca/alias -C $HOME/.dogtag/simp-pki-root/ca/password.conf'
alias pki-root='pki-root-base -n "caadmin" -P https -p 4509'

Adding CA certs for the BASH aliases

Prior to using the aliases above for regular purposes you need to ensure that the CA chains are properly imported into the NSS databases in the corresponding alias directories listed above.

Don't worry, you only need to do this once per CA and it is good to know what commands are being run for future reference in case you need to add additional certificates in the future!

The following uses site-pki as an example, but you need to repeat the steps for all three aliased CAs.

# You'll want to do this in a temp directory, we'll use one in the $HOME/.dogtag space
[root@ca ~]# cd $HOME/.dogtag
[root@ca ~]# mkdir crt_tmp
[root@ca ~]# cd crt_tmp

# Obtain the PKCS12 certificate chain from the server

[root@ca crt_tmp]# pki-server subsystem-cert-export ca signing -i simp-site-pki \
--no-key \
--pkcs12-file simp-site-pki-certs.p12 \
--pkcs12-password-file $HOME/.dogtag/simp-site-pki/ca/password.conf

# Generate a PEM file containing the CA certificate chain from the PKCS12 file

[root@ca crt_tmp]# openssl pkcs12 -in simp-site-pki-certs.p12 \
-passin file:$HOME/.dogtag/simp-site-pki/ca/password.conf \
-out simp-site-pki-ca-chain.pem

# Split the PEM file out into separate PEM files for each CA
# This is done to get them into into your NSS database
#
# You may also want to provide these to your clients for download but the
# single file version is generally preferred

[root@ca crt_tmp]# mkdir ca_certs
[root@ca crt_tmp]# awk '/friendlyName:/{$1="";sub($1 OFS, "");n=$0} \
/^-----BEGIN.*CERTIFICATE/,/^-----END.*CERTIFICATE/{print >"ca_certs/"n".pem"}' \
< simp-site-pki-ca-chain.pem

# Finally, import the CA certificates into the associated trust chain NSS
# database

[root@ca crt_tmp]# cd ca_certs
[root@ca ca_certs]# for x in *.pem; do
  site-pki-base client-cert-import "`basename "$x" .pem`" --ca-cert "$x"
done

---

IMPORTANT: IF YOU SKIPPED THIS SECTION, GO BACK AND READ IT!!!

---

Certificate Operations

Certificate Enrollment

This section describe three different certificate enrollment options, each of which has been exercised in this module's acceptance tests.

A summary of these options is listed in the following table:

Option	Pros	Cons
certmonger SCEP	Enrollment via HTTP(S)	Does not work in FIPS mode yet
	Automatic cert refresh
	Simple API
	Single use passwords
SSCEP	Simple API	Does not work in FIPS mode yet
	Single use passwords	Enrollment via HTTP only
		Only MD5 or SHA1 for fingerprints or PKCS#7
CMC	Works in FIPS mode	Only appropriate (secure) when on CA server
		Clunky API

Certmonger SCEP

---

IMPORTANT: For certmonger < 0.79.6, this will NOT work properly in FIPS mode due to a bug in certmonger and an associated bug in dogtag which, when combined, result in the inability to negotiate a proper cipher set for SCEP communication.

• https://pagure.io/certmonger/issue/89
• https://pagure.io/dogtagpki/issue/627

---

Certmonger allows clients to obtain certificates from CAs via SCEP. Each SCEP request is validated via a one time password linked to the client's IP address. Requests can be sent over HTTPS (preferred) or HTTP.

Server Setup

Each CA has a text file, flatfile.txt, that contains the per-client one time passwords.

For the site-pki CA, this would be in /var/lib/pki/simp-site-pki/ca/conf/flatfile.txt.

The file is organized as a set of paired values, one for the IP address (not hostname) of the client that will be enrolling and the other a unique, one time use, password that will be used by the client during enrollment. Each pair must be separated by a blank line.

WARNING: The PWD entries can not contain underscores _!

Example

UID:1.2.3.4
PWD:my-one-time-password

UID:1.2.3.5
PWD:your-one-time-password

---

NOTE: You do NOT need to restart anything after editing the file!

---

Client Setup

1. Ensure that the certmonger package is installed and that the certmonger process is running and enabled.

   [root@client ~]# yum -y install certmonger
   [root@client ~]# systemctl start certmonger
   [root@client ~]# systemctl enable certmonger
   

2. Obtain the root certificate for the CA that you will be connecting to. In this case, we'll assume that you've saved it to a file named /etc/pki/simp-pki-root-ca.pem with SELinux context cert_t.

   • This is probably called CA Signing Certificate - SIMP.pem in the ca_certs directory if you followed the steps outlined above.

3. Obtain the certificate chain for the CA that you will be connecting to. In this case, we'll assume that you've saved it to a file named /etc/pki/simp-site-pki-ca.pem with SELinux context cert_t.

   • This is probably called caSigningCert cert-simp-site-pki CA.pem in the ca_certs directory if you followed the steps outlined above.

4. Add the CA to certmonger:

   [root@client ~]# getcert add-scep-ca -c SIMP_Site \
     -u https://ca.your.domain:8443/ca/cgi-bin/pkiclient.exe \
     -R /etc/pki/simp-pki-root-ca.pem -I /etc/pki/simp-site-pki-ca.pem
   

5. Ensure that your default nssdb space exists, as, under the hood, certmonger uses certutil, which, in turn requires this NSS database to be present:

   [root@client ~]#
     if [ ! -d $HOME/.netscape ]; then
       mkdir $HOME/.netscape
       certutil -N
     fi
   

6. Request a certificate using certmonger:

   [root@client ~]# getcert request -c SIMP_Site -k /etc/pki/host_cert.pem \
     -f /etc/pki/host_cert.pub \
     -I Host_Cert_Nickname \
     -r -w -L <password from server setup step>
   

   NOTE: The target for the public and private keys must have context cert_t for certmonger to be able to write the keys appropriately.

SSCEP Enrollment

IMPORTANT: For sscep <= 0.6.1, this will NOT work properly in FIPS mode, because, even with the -S sha1 option set, sscep under the hood still tries to generate the certificate request transaction ID using MD5.

• https://github.com/certnannay/scep/issues/#86

SSCEP allows clients to obtain certificates from CAs via SCEP. Each SCEP request is validated via a one time password linked to the client's IP address. Requests can only be sent over HTTP.

Server Setup

You must set one time passwords for each client on the CA server, exactly as is described in Server Setup for Certmonger.

Client Setup

1. Ensure that the sscep package is installed.

   [root@client ~]# yum -y install sscep
   

2. Obtain the CA certificate for the CA that you will be connecting to. In this example, we will be connecting to the simp-site-pki CA.

   [root@client ~]# sscep getca \
     -u http://ca.your.domain:8080/ca/cgi-bin/pkiclient.exe \
     -c ca.crt \
     -F sha1
   

3. Create a certificate request.

   • For simple cases, you can use the mkrequest script provided by the sscep package. This will create local.key and local.csr files.

     [root@client ~]# mkrequest -ip `hostname -i` <password from server setup step>
     

   • For cases, in which you need to customize the CSR beyond what is provided by mkrequest script, you can use openssl genrsa and openssl req to generate the key and CSR files, respectively. A complete example that uses those openssl commands can be found in the Puppet certificate replacement test, spec/acceptance/suites/default/20_puppet_swap_spec.rb.

4. Request a certificate using sscep:

   [root@client ~]# sscep enroll \
     -u http://ca.your.domain:8080/ca/cgi-bin/pkiclient.exe \
     -c ca.crt \
     -k local.key \
     -r local.csr \
     -l cert.crt \
     -S sha1
   

CMC Manual Enrollment

An alternate method for certificate enrollment, CMC may be used if you need to generate certificates for a set of hosts or users and distribute them via the simp-pki puppet module or some other means.

At this time, single use credentials have not been implemented so you should not add this capability to all hosts.

All of the following steps should be done from a host that has access to one of the privileged PKI user certificates (in general this is only your CA).

1. Ensure that your default nssdb space exists, as certutil requires this NSS database to be present:

   [root@ca ~]#
     if [ ! -d $HOME/.netscape ]; then
       mkdir $HOME/.netscape
       certutil -N
     fi
   

2. Create a certificate request for your host, using a seed of 512 bytes from /dev/urandom:

   [root@ca ~]# mkdir -f CMC && cd CMC
   [root@ca CMC]# dd if=/dev/urandom of=seed count=1
   [root@ca CMC]# certutil -R \
     -s "cn=`hostname -f`,ou=Hosts,dc=your,dc=domain" \
     -k rsa \
     -g 4096 \
     -Z SHA384 \
     -z seed \
     | openssl req -inform DER -outform PEM > hostcert.req
   

3. Create a cmc-request.cfg file with the following content:

   # NSS database directory.
   dbdir=/root/.dogtag/simp-site-pki/ca/alias
   
   # NSS database password.
   password=<password from /root/.dogtag/simp-site-pki/ca/password.conf>
   
   # Token name (default is internal).
   tokenname=internal
   
   # Nickname for CA agent certificate.
   nickname=caadmin
   
   # Request format: pkcs10 or crmf.
   format=pkcs10
   
   # Total number of PKCS10/CRMF requests.
   numRequests=1
   
   # Path to the PKCS10/CRMF request.
   # The content must be in Base-64 encoded format.
   # Multiple files are supported. They must be separated by space.
   input=/root/CMC/hostcert.req
   
   # Path for the CMC request.
   output=/root/CMC/sslserver-cmc-request.bin
   

4. Generate the CMCRequest bin file

   [root@ca CMC]# CMCRequest cmc-request.cfg
   

5. Create a cmc-submit.cfg file with the following content

   # PKI server host name.
   host=ca.<your.domain>
   
   # PKI server port number.
   port=8443
   
   # Use secure connection.
   secure=true
   
   # Use client authentication.
   clientmode=true
   
   # NSS database directory.
   dbdir=/root/.dogtag/simp-site-pki/ca/alias
   
   # NSS database password.
   password=<password from /root/.dogtag/simp-site-pki/ca/password.conf>
   
   # Token name (default: internal).
   tokenname=internal
   
   # Nickname of CA agent certificate.
   nickname=caadmin
   
   # CMC servlet path
   servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCserverCert
   
   # Path for the CMC request.
   input=/root/CMC/sslserver-cmc-request.bin
   
   # Path for the CMC response.
   output=/root/CMC/sslserver-cmc-response.bin
   

6. Submit the CMC Request

   [root@ca CMC]# HttpClient cmc-submit.cfg
   

7. Unpack the signed certificate along with its certificate chain into a PKCS #7 PEM-formatted file: nssdb for this):

   [root@ca CMC]# CMCResponse -d ~/.dogtag/simp-puppet-pki/ca/alias \
     -i sslserver-cmc-response.bin -o signed_host_cert_chain.p7b
   

8. Extract the all the certificates in the chain from the PKCS #7 file into a single file:

   [root@ca CMC]# openssl pkcs7 -print_certs \
      -in signed_host_cert_chain.p7b \
      -out signed_host_cert_chain.pem
   

9. Manually save the new certificate to its own file, move to the appropriate directory and ensure the file has the SELinux context cert_t.

Listing Certificates

You can list the certificates for the site CA using the following command:

[root@ca ~]# site-pki cert-find

Certificate Revocation

You can revoke certificates from the site CA using the following command:

[root@ca ~]# site-pki cert-revoke <CERT ID>

---

IMPORTANT: Take care not to revoke any certificate below ID 0x9 since those are internal subsystem certificates and may cause issues.

---

OCSP Validation

There is an OCSP endpoint attached to all CA systems automatically. To validate that OCSP is working properly for the site CA, you can use the following command:

[root@ca ~]# OCSPClient -d ~/.dogtag/simp-site-pki/ca/alias -h `hostname -f` \
  -p 8080 -t /ca/ocsp --serial 1 -vv -c caadmin

If that works, then you can try an external query by pulling the OCSP endpoint out of a generated certificate as follows:

[root@ca ~]# openssl ocsp -issuer site-pki-ca-chain.pem -cert to_verify.pem \
  -text -url `openssl x509 -noout -ocsp_uri -in to_verify.pem`

Certificate Problem Debug

Debugging the reason a certificate request failed can be challenging. This section contains a few notes to aid in that debug.

• The dogtag server logs for a CA are found at /var/log/pki/<CA name>/ca

  • The system log will contain any enrollment error message.

  • The debug file will contain hex dumps of DER-encoded request messages. You can print those request messages out as follows:

    1. Copy the hex dump of a single request to a file named debug_snippet.

    2. Create a DER-formatted file from that hex dump by executing the following Ruby code:

       File.open('debug.req', 'w'){|fh| fh.puts [File.read('debug_snippet').gsub("\n",' ').gsub(' ','')].pack('H*') }
       

    3. Use openssl to inspect the file contents:

       openssl req -inform DER -in debug.req -text
       

• If you see "CEP Enrollment: CRS enrollment failed: Could not post new request. Error Invalid Credential" in the CA server system log, the wrong password was used for the SCEP request. Verify a one time password for the client is set in /var/lib/pki/<CA name>/ca/conf/flatfile.txt on the CA server and that the specified password matches the one used in the certificate request.

• If you see "sscep: wrong (or missing) MIME content type" from the scep enroll command or "Couldn't handle CEP request (PKCSReq) - Could not unwrap PKCS10 blob: DerValue.getDirectoryString: invalid tag" in the CA server system log, the SCEP one time password may contain characters disallowed by the underlying software (e.g., an underscore). Per RFC 2985, these passwords must be of X.520 type DirectoryString, which is comprised of UTF-8 encoded Unicode characters. However, the validation software may impose additional restrictions.

• If you see "CEP Enrollment: Enrollment failed: user used duplicate transaction ID." in the CA server system log, that means you need to regenerate your client private key.

Directory Operations

The administrative DN for 389ds consists of the value in simp_pki_service::pki_security_domain appended with Directory Manager.

By default, to access the 389ds configuration, you would use the following:

[root@ca ~]# ldapsearch -H ldap://localhost:389 -y $HOME/.dogtag/generated_configs/ds_pw.txt \
  -D "cn=SIMP Directory Manager" -s base -b "cn=config"

Development

Please read our Contribution Guide.

If you find any issues, they can be submitted to our JIRA.

System Integrity Management Platform

Reference

Table of Contents

Classes

• simp_pki_service: Creates a single-host Dogtag CA with active sub-CAs
• simp_pki_service::config: NOTE: THIS IS A PRIVATE CLASS This class simply provides a protected w

Defined types

• simp_pki_service::ca: Set up a Dogtag CA
• simp_pki_service::ca::config_item: Set a configuration item in a specific CA instance The $subsystem and $file parameters have been pre-set with the most common config
• simp_pki_service::ca::service: NOTE: THIS IS A PRIVATE DEFINED TYPE Start a CA service on the given p
• simp_pki_service::ca::wait_for_service: NOTE: THIS IS A PRIVATE DEFINED TYPE Wait for the given timeout for
• simp_pki_service::destroy: Removes all instances of a given CA and/or CA stack to optionally include the 389 Directory Server
• simp_pki_service::directory_server: Set up a local 389DS for use by Dogtag
• simp_pki_service::directory_server::conf_item: Modifies the running directory server configuration and restarts the service when necessary. IMPORTANT Do not set sensitive values with
• simp_pki_service::kra: NOTE: THIS IS A PRIVATE DEFINED TYPE Set up a Dogtag KRA This should

Functions

• simp_pki_service::validate_ca_hash: Validate that the passed Hash of CAs meets the following requirements: There is at least one Root CA Each Sub CA has defined a parent CA

Data types

• Simp_pki_service::Ca::ConfigItemHash: Structure of the 'config_hash' for 'config_item' calls
• Simp_pki_service::SecurityDomain: Allowed Security Domain Text

Classes

simp_pki_service

Creates a single-host Dogtag CA with active sub-CAs

Parameters

The following parameters are available in the simp_pki_service class:

• pki_security_domain
• ds_config
• cas
• custom_cas
• enable_haveged

pki_security_domain

Data type: Simp_pki_service::SecurityDomain

A unique name for the security domain for the CA collection

Default value: 'SIMP'

ds_config

Data type: Hash

Backend 389DS data storage configuration for Dogtag

• This is passed directly into the simp_pki_service::directory_server defined type

Default value:

{
    'root_dn'        => "cn=${pki_security_domain} Directory Manager",
    'base_dn'        => sprintf('ou=%s,%s',$pki_security_domain, simplib::ldap::domain_to_dn($facts['networking']['domain'], false)),
    'admin_password' => simplib::passgen('389-ds-simp-pki', {'length' => 64, 'complexity' => 0 })
  }

cas

Data type: Hash[String[1], Hash]

A Hash of CA entries that are passed directly into the simp_pki_service::ca defined type

• Hash keys are the parameters in simp_pki_service::ca
• Nested Sub CAs are currently not supported

Default value:

{
    'simp-pki-root' => {
      'root_ca'             => true,
      'pki_security_domain' => $pki_security_domain,
      # The following two items need to be here so that the other CA instances
      # can use them for connecting to the security domain
      'admin_user'         => 'caadmin',
      'admin_password'     => simplib::passgen("${pki_security_domain}_simp-pki-root", { 'length' => 64, 'complexity' => 0 }),
      'http_port'          => 4508,
      'https_port'         => 4509,
      'tomcat_ajp_port'    => 4506,
      'tomcat_server_port' => 4507
    },
    'simp-puppet-pki' => {
      'enable_kra'         => true,
      'http_port'          => 5508,
      'https_port'         => 5509,
      'tomcat_ajp_port'    => 5506,
      'tomcat_server_port' => 5507,
      'parent_ca'          => 'simp-pki-root',
      'ca_config'          => {
        'ca.scep.enable' => true
      }
    },
    'simp-site-pki' => {
      'enable_kra'         => true,
      'http_port'          => 8080,
      'https_port'         => 8443,
      'tomcat_ajp_port'    => 8440,
      'tomcat_server_port' => 8441,
      'parent_ca'          => 'simp-pki-root',
      'ca_config'          => {
        'ca.scep.enable' => true
      }
    }
  }

custom_cas

Data type: Hash[String[1], Hash]

A user-provided Hash of additional CA entries that are passed directly into the simp_pki_service::ca defined type

• NOTE: These will be deep merged into the regular $cas parameter

Default value: {}

enable_haveged

Data type: Boolean

Enable the HAVEGEd entropy collection daemon

Default value: simplib::lookup('simp_options::haveged', { 'default_value' => true })

simp_pki_service::config

NOTE: THIS IS A PRIVATE CLASS

This class simply provides a protected working directory that persists for later CA interaction.

Defined types

simp_pki_service::ca

Set up a Dogtag CA

Parameters

The following parameters are available in the simp_pki_service::ca defined type:

• http_port
• https_port
• tomcat_ajp_port
• tomcat_server_port
• dirsrv_bind_dn
• dirsrv_bind_password
• pki_security_domain
• admin_user
• admin_password
• pki_security_domain_hostname
• pki_security_domain_https_port
• root_ca
• pki_security_domain_user
• pki_security_domain_password
• create_subordinate_security_domain
• enable_kra
• parent_ca
• ca_config
• kra_config
• scep_profile_config
• debug_level
• service_timeout
• package_ensure

http_port

Data type: Simplib::Port

The insecure port

https_port

Data type: Simplib::Port

The secure port

tomcat_ajp_port

Data type: Simplib::Port

The Apache JServ Protocol port

tomcat_server_port

Data type: Simplib::Port

Port used to shutdown Tomcat

dirsrv_bind_dn

Data type: String[2]

The bind_dn for 389DS

• Note: This is probably your root DN

dirsrv_bind_password

Data type: String[1]

The password for dirsrv_bind_dn

pki_security_domain

Data type: Simp_pki_service::SecurityDomain

The Security Domain for your CA

• It is highly recommended that you keep groups of related CAs in the same security domain for this module

admin_user

Data type: String[2]

The CA administrative user

Default value: 'caadmin'

admin_password

Data type: String[1]

The password for the CA administrative user

Default value: simplib::passgen("${pki_security_domain}_${name}", { 'length' => 64, 'complexity' => 0 })

pki_security_domain_hostname

Data type: Simplib::Hostname

The hostname for the root CA for $pki_security_domain

Default value: $facts['networking']['fqdn']

pki_security_domain_https_port

Data type: Simplib::Port

The secure port for the root CA for $pki_security_domain

Default value: 8443

root_ca

Data type: Boolean

Set if this CA is a root

Default value: false

pki_security_domain_user

Data type: String[2]

The administrative username for the root CA for $pki_security_domain

Default value: $admin_user

pki_security_domain_password

Data type: String[1]

The administrative password for the root CA for $pki_security_domain

Default value: $admin_password

create_subordinate_security_domain

Data type: Boolean

Add a separate subordinate security domain for this CA

• Note: Has no effect if $root_ca is true

Default value: false

enable_kra

Data type: Boolean

Enable the KRA subsystem for this CA

Default value: false

parent_ca

Data type: Optional[String[1]]

The root CA for this CA

• Should not be set if this system is a root CA

Default value: undef

ca_config

Data type: Hash

A 'one-to-one' configuration Hash for the CA

• Each key/value pair is directly mapped into the CA's CS.cfg file without type checking
• For example, to enable the SCEP responder, you would set ca.scep.enable to true

Default value: {}

kra_config

Data type: Hash

A 'one-to-one' configuration Hash for the KRA

• Each key/value pair is directly mapped into the KRA's CS.cfg file without type checking

Default value: {}

scep_profile_config

Data type: Hash

A 'one-to-one' configuration Hash that will udpdate the values in the 'caRouterCert.cfg'

• Each key/value pair is directly mapped into the CA's caRouterCert.cfg profile file since this is hard coded for SCEP use.
• No validity checking is performed.

Default value:

{
    'desc'                                                                 => 'This certificate profile is for enrolling server certificates via SCEP.',
    'name'                                                                 => 'One Time Pin Server Certificate Enrollment',
    'policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment' => true,
    'policyset.serverCertSet.6.default.params.keyUsageDataEncipherment'    => true,
    'policyset.serverCertSet.7.default.params.exKeyUsageOIDs'              => ['1.3.6.1.5.5.7.3.1','1.3.6.1.5.5.7.3.2','1.3.6.1.5.5.7.3.4']
  }

debug_level

Data type: Integer[0,10]

Set the debug level of the CA and KRA

• 10 => off
• 0 => highest level of debugging

Default value: 10

service_timeout

Data type: Integer[1]

The number of seconds to wait for the service to listen on http_port

Default value: 5

package_ensure

Data type: Simplib::PackageEnsure

What to do regarding package installation

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

simp_pki_service::ca::config_item

Set a configuration item in a specific CA instance

The $subsystem and $file parameters have been pre-set with the most common configuration target.

Parameters

The following parameters are available in the simp_pki_service::ca::config_item defined type:

• ca_id
• port
• timeout
• key
• value
• config_hash
• value_join
• subsystem
• file
• target

ca_id

Data type: String[1]

The ID (name) of the CA that you will be modifying

port

Data type: Simplib::Port

The port upon which the service should be listening

• Used to validate that the service is active

timeout

Data type: Integer[1]

How long to wait, in seconds, for the service to start listening

Default value: 5

key

Data type: Optional[String[1]]

The 'key' that you want to set in the configuration file

• You can set either config_hash OR key and value, but not both
• Must be set if value is set

Default value: undef

value

Data type: Optional[Variant[String[1], Boolean, Numeric]]

The 'value' to which to set the $key in the configuration file

• You can set either config_hash OR key and value, but not both
• Must be set if key is set

Default value: undef

config_hash

Data type: Simp_pki_service::Ca::ConfigItemHash

A Hash of key/value pairs that should be added to the system

• You can set either config_hash OR key and value, but not both

Default value: {}

value_join

Data type: String[1]

If the value is an Array, this String will be used to join the elements

Default value: ','

subsystem

Data type: String[1]

The Dogtag Subsystem that is to be managed (lower case)

• Has no effect if target is set

Default value: 'ca'

file

Data type: String[1]

The specific configuration file to update

• Has no effect if target is set

Default value: 'CS.cfg'

target

Data type: Optional[Stdlib::AbsolutePath]

The full path to the target file

Default value: undef

simp_pki_service::ca::service

NOTE: THIS IS A PRIVATE DEFINED TYPE

Start a CA service on the given port and wait until the service has successfully started or the timeout is reached.

Parameters

The following parameters are available in the simp_pki_service::ca::service defined type:

• port
• timeout

port

Data type: Simplib::Port

The port upon which to listen

timeout

Data type: Integer[1]

How long to wait, in seconds, for the daemon to start

Default value: 5

simp_pki_service::ca::wait_for_service

NOTE: THIS IS A PRIVATE DEFINED TYPE

Wait for the given timeout for the service on port to start.

This is present because the Dogtag services will return that they are fully functional prior to actually listening on a port.

Parameters

The following parameters are available in the simp_pki_service::ca::wait_for_service defined type:

• port
• timeout

port

Data type: Simplib::Port

The port upon which to listen

timeout

Data type: Integer[1]

How long to wait, in seconds, for the daemon to start listening

Default value: 5

simp_pki_service::destroy

Removes all instances of a given CA and/or CA stack to optionally include the 389 Directory Server

Examples

Completely wipe the default module setup

puppet apply -e 'simp_pki_service::destroy { "simp-puppet-pki": }'
puppet apply -e 'simp_pki_service::destroy { "simp-site-pki": }'
puppet apply -e 'simp_pki_service::destroy { "simp-pki-root": remove_dirsrv => true }'

Parameters

The following parameters are available in the simp_pki_service::destroy defined type:

• remove_dirsrv
• security_domain

remove_dirsrv

Data type: Any

Also remove the module default 389DS installation

Default value: false

security_domain

Data type: Any

The security domain to target

Default value: 'SIMP'

simp_pki_service::directory_server

Set up a local 389DS for use by Dogtag

Parameters

The following parameters are available in the simp_pki_service::directory_server defined type:

• base_dn
• root_dn
• admin_password
• listen_address
• port
• enable_admin_service
• admin_user
• admin_service_listen_address
• admin_service_port
• service_user
• service_group
• package_ensure

base_dn

Data type: String[2]

The 'base' DN component of the directory server

root_dn

Data type: String[2]

The default administrator DN for the directory server

admin_password

Data type: String[2]

The password for the $admin_user and the $root_dn

Default value: simplib::passgen("389-ds-${name}", { 'length' => 64, 'complexity' => 0 })

listen_address

Data type: Simplib::IP

The IP address upon which to listen

Default value: '127.0.0.1'

port

Data type: Simplib::Port

The port upon which to accept connections

Default value: 389

enable_admin_service

Data type: Boolean

Enable the administrative interface for the GUI

Default value: false

admin_user

Data type: String[2]

The administrative user for administrative GUI connections

Default value: 'admin'

admin_service_listen_address

Data type: Simplib::IP

The IP address upon which the administrative interface should listen

Default value: '0.0.0.0'

admin_service_port

Data type: Simplib::Port

The port upon which the administrative interface should listen

Default value: 9830

service_user

Data type: String[1]

The user that 389ds should run as

Default value: 'nobody'

service_group

Data type: String[1]

The group that 389ds should run as

Default value: 'nobody'

package_ensure

Data type: Simplib::PackageEnsure

What to do regarding package installation

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

simp_pki_service::directory_server::conf_item

Modifies the running directory server configuration and restarts the service when necessary.

IMPORTANT Do not set sensitive values with this until it switches over to being a native type!

Parameters

The following parameters are available in the simp_pki_service::directory_server::conf_item defined type:

• key
• value
• admin_dn
• pw_file
• ds_service_name
• restart_service
• ds_host
• ds_port
• base_dn

key

Data type: Any

The configuration key to be set

• You can get a list of all configuration keys by running: ldapsearch -H ldap://localhost:389 -y $HOME/.dogtag/generated_configs/ds_pw.txt \ -D "cn=SIMP Directory Manager" -s base -b "cn=config"

value

Data type: Any

The value that should be set for $key

admin_dn

Data type: Any

A DN with administrative rights to the directory

pw_file

Data type: Any

A file containing the password for use with $admin_dn

ds_service_name

Data type: Any

The Puppet resource name for the directory Service resource

restart_service

Data type: Any

Whether or not to restart the directory server after applying this item

• There is a known list of items in the module data that will always generate a restart action

Default value: false

ds_host

Data type: Any

The host where the service is running

Default value: '127.0.0.1'

ds_port

Data type: Any

The port to which to connect

Default value: '389'

base_dn

Data type: Any

The DN that holds the directory configuration items

Default value: 'cn=config'

simp_pki_service::kra

NOTE: THIS IS A PRIVATE DEFINED TYPE

Set up a Dogtag KRA

This should only be called from the simp_pki_service::ca define. Doing otherwise may work but is an untested configuration.

Parameters

The following parameters are available in the simp_pki_service::kra defined type:

• http_port
• https_port
• tomcat_ajp_port
• tomcat_server_port
• dirsrv_bind_dn
• dirsrv_bind_password
• pki_security_domain
• pki_security_domain_user
• pki_security_domain_password
• pki_security_domain_hostname
• pki_security_domain_https_port
• admin_password
• ca_hostname
• ca_port
• admin_user
• kra_config
• service_timeout
• package_ensure

http_port

Data type: Simplib::Port

The insecure port

https_port

Data type: Simplib::Port

The secure port

tomcat_ajp_port

Data type: Simplib::Port

The Apache JServ Protocol port

tomcat_server_port

Data type: Simplib::Port

Port used to shutdown Tomcat

dirsrv_bind_dn

Data type: String[2]

The bind_dn for 389DS

dirsrv_bind_password

Data type: String[1]

The password for dirsrv_bind_dn

pki_security_domain

Data type: Simp_pki_service::SecurityDomain

The Security Domain for your KRA

• It is highly recommended that you keep groups of related CAs in the same security domain for this module.

pki_security_domain_user

Data type: String[2]

The administrative username for the root CA for $pki_security_domain

pki_security_domain_password

Data type: String[2]

The administrative password for the root CA for $pki_security_domain

pki_security_domain_hostname

Data type: Simplib::Hostname

The hostname for the root CA for $pki_security_domain

pki_security_domain_https_port

Data type: Simplib::Port

The secure port for the root CA for $pki_security_domain

admin_password

Data type: String[1]

The password for the CA administrative user specified in $admin_user

ca_hostname

Data type: Simplib::Hostname

The hostname of the CA that this KRA is bound to

ca_port

Data type: Simplib::Port

The port of the CA that this KRA is bound to

admin_user

Data type: String[1]

The administrative user of the CA that this KRA is bound to

Default value: 'caadmin'

kra_config

Data type: Hash

A key/value pair set that will be fed directly into the KRA CS.cfg

Default value: {}

service_timeout

Data type: Integer[1]

The number of seconds to wait for the service to listen on http_port

Default value: 5

package_ensure

Data type: Simplib::PackageEnsure

What to do regarding package installation

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

Functions

simp_pki_service::validate_ca_hash

Type: Ruby 4.x API

Validate that the passed Hash of CAs meets the following requirements:

• There is at least one Root CA
• Each Sub CA has defined a parent CA
• Each Sub CA is bound to a Root CA (nested Sub CAs are not supported)

The CA hashes are a one-to-one mapping to the parameters in simp_pki_service::ca.

This does not check that all options for each CA are valid, that is left to the defined types to which the hash components are passed.

Compilation will be terminated if validation fails

Examples

Missing Root CA Failure

$ca_hash = {
  'sub_ca' => {
    'root_ca'   => false,
    'parent_ca' => 'unknown-ca'
  }
}
simp_pki_service::validate_ca_hash($ca_hash)

No Parent CA Defined Failure

$ca_hash = {
  'pki-root' => {
    'root_ca' => true
  },
  'pki-sub' => {
    'root_ca'   => false
  }
}
simp_pki_service::validate_ca_hash($ca_hash)

Missing Parent Root CA Failure

$ca_hash = {
  'pki-root' => {
    'root_ca' => true
  },
  'pki-sub' => {
    'root_ca'   => false,
    'parent_ca' => 'missing-ca'
  }
}
simp_pki_service::validate_ca_hash($ca_hash)

Valid Hash

$ca_hash = {
  'pki-root' => {
    'root_ca' => true
  },
  'pki-sub' => {
    'root_ca'   => false,
    'parent_ca' => 'pki-root'
  }
}
simp_pki_service::validate_ca_hash($ca_hash)

simp_pki_service::validate_ca_hash(Hash[String[1], Hash] $ca_hash)

Validate that the passed Hash of CAs meets the following requirements:

• There is at least one Root CA
• Each Sub CA has defined a parent CA
• Each Sub CA is bound to a Root CA (nested Sub CAs are not supported)

The CA hashes are a one-to-one mapping to the parameters in simp_pki_service::ca.

This does not check that all options for each CA are valid, that is left to the defined types to which the hash components are passed.

Compilation will be terminated if validation fails

Returns: None

Raises:

• RuntimeError if validation fails

Examples

Missing Root CA Failure

$ca_hash = {
  'sub_ca' => {
    'root_ca'   => false,
    'parent_ca' => 'unknown-ca'
  }
}
simp_pki_service::validate_ca_hash($ca_hash)

No Parent CA Defined Failure

$ca_hash = {
  'pki-root' => {
    'root_ca' => true
  },
  'pki-sub' => {
    'root_ca'   => false
  }
}
simp_pki_service::validate_ca_hash($ca_hash)

Missing Parent Root CA Failure

$ca_hash = {
  'pki-root' => {
    'root_ca' => true
  },
  'pki-sub' => {
    'root_ca'   => false,
    'parent_ca' => 'missing-ca'
  }
}
simp_pki_service::validate_ca_hash($ca_hash)

Valid Hash

$ca_hash = {
  'pki-root' => {
    'root_ca' => true
  },
  'pki-sub' => {
    'root_ca'   => false,
    'parent_ca' => 'pki-root'
  }
}
simp_pki_service::validate_ca_hash($ca_hash)

ca_hash

Data type: Hash[String[1], Hash]

The CA Hash to process

Data types

Simp_pki_service::Ca::ConfigItemHash

Structure of the 'config_hash' for 'config_item' calls

Alias of

Hash[String[1], Variant[
    String[1],
    Boolean,
    Numeric,
    Array[String[1]
    ]
  ]]

Simp_pki_service::SecurityDomain

Allowed Security Domain Text

Alias of Pattern['^(\w|\-)+$']

• Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 0.6.0

• [puppetsync] Updates for Puppet 8
  • These updates may include the following:
    • Update Gemfile
    • Add support for Puppet 8
    • Drop support for Puppet 6
    • Update module dependencies

• Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 0.5.0

• Add RockyLinux 8 support

• Thu Jun 17 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 0.4.0

• Removed support for Puppet 5
• Ensured support for Puppet 7 in requirements and stdlib

• Thu Jul 23 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 0.3.1-0

• update the upper bound of simplib for SIMP 6.5 release

• Fri Aug 09 2019 Liz Nemsick lnemsick.simp@gmail.com - 0.3.0-0

• Remove Puppet 4 support
• Add Puppet 6 support
• Add puppetlabs-stdlib 6 support

• Tue Jan 15 2019 Liz Nemsick lnemsick.simp@gmail.com - 0.2.0

• Update documentation
• Add acceptance tests for obtaining certs via CMC and certmonger
• Update the upper bound of stdlib to < 6.0.0

• Fri Dec 28 2018 Trevor Vaughan tvaughan@onyxpoint.com - 0.2.0

• Minor breaking changes - Module still experimental
• Fix the configuration variants required for the documented layout
  • Add acceptance tests for swapping out puppet certificates
    • This is the "real life" test case outside of just setting up the CA infrastructure

• Mon Nov 05 2018 Liz Nemsick lnemsick.simp@gmail.com - 0.1.1

• Update to Hiera 5
• Update contribution guide URL in README.md

• Mon Feb 12 2018 Trevor Vaughan tvaughan@onyxpoint.com - 0.1.0

• First cut of a working Dogtag setup

• Mon Jan 29 2018 SIMP Team <simp-project.com> - 0.0.1

• This is the initial code for a simp_pki_service module, which is a SIMP-oriented installation of the Dogtag Certificate System.