SupportConsoleDevelopersStart a trialContact

11.4. Configuring ACME Realm

This section describes how to configure a realm for PKI ACME responder. The realm configuration is located at /etc/pki/pki-tomcat/acme/realm.conf.
You can configure ACME Realm realm via command line using the pki-server acme-realm-mod command.
  • Invoking this command without any parameters launches an interactive mode, for example: 
    $ pki-server acme-realm-mod
The current value is displayed in the square brackets.
To keep the current value, simply press Enter.
To change the current value, enter the new value.
To remove the current value, enter a blank space.

Enter the type of the realm. Available types: ds.
Database Type: ds

Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389).
Server URL [ldap://localhost.localdomain:389]:

Enter the authentication type. Available types: BasicAuth, SslClientAuth.
Authentication Type [BasicAuth]:

Enter the bind DN.
Bind DN [cn=Directory Manager]:

Enter the bind password.
Bind Password [********]:

Enter the base DN for the ACME users subtree.
Users DN [ou=people,dc=acme,dc=pki,dc=example,dc=com]:

Enter the base DN for the ACME groups subtree.
Groups DN [ou=groups,dc=acme,dc=pki,dc=example,dc=com]:
  • Invoking the command with the --type parameter creates a new configuration based on the specified type.
  • Invoking the command with other parameters updates the specified parameters.

11.4.1. Configuring DS Realm

You can configure PKI ACME Responder to use a DS realm. A sample configuration for DS Realm is available at /usr/share/pki/acme/realm/ds/realm.conf.
To configure a DS realm:
  1. Prepare subtrees for ACME users and groups in DS. A sample LDIF file is available at /usr/share/pki/acme/realm/ds/create.ldif]. This example uses dc=acme,dc=pki,dc=example,dc=com as the base DN.
  2. Import the LDIF file using the ldapadd command: 
    $ ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
            -f /usr/share/pki/acme/realm/ds/create.ldif
  3. Copy the sample configuration file from /usr/share/pki/acme/realm/ds/realm.conf into the /etc/pki/pki-tomcat/acme directory, or run the following command to customize some of the parameters: 
    $ pki-server acme-realm-mod --type ds \
            -DbindPassword=Secret.123
  4. Customize the configuration as needed:
    • In a standalone ACME deployment, the realm.conf file should look like the following: 
      class=org.example.acme.realm.DSRealm
url=ldap://<hostname>:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
usersDN=ou=people,dc=acme,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=acme,dc=pki,dc=example,dc=com
    • In a shared CA and ACME deployment, the realm.conf file should look like the following: 
      class=org.example.acme.realm.DSRealm
configFile=conf/ca/CS.cfg
usersDN=ou=people,dc=ca,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=ca,dc=pki,dc=example,dc=com
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.