27.2. .cfg File


The required configuration file instructs the KRATool how to process attributes in the key archival and key request entries in the LDIF file. There are six types of entries:
  • CA enrollment requests
  • TPS enrollment requests
  • CA key records
  • TPS key records
  • CA and TPS recovery requests (which are treated the same in the KRA)
Each key and key request has an LDAP entry with attributes that are specific to that kind of record. For example, for a recovery request:
dn: cn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra
objectClass: top
objectClass: request
objectClass: extensibleObject
requestId: 011
requestState: complete
dateOfCreate: 20110121181006Z
dateOfModify: 20110524094652Z
extdata-kra--005ftrans--005fdeskey: 3#C7#82#0F#5D#97GqY#0Aib#966#E5B#F56#F24n#
 F#9E#98#B3
extdata-public--005fkey: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDu6E3uG+Ep27bF1
 yTWvwIDAQAB
extdata-archive: true
extdata-requesttype: netkeyKeygen
extdata-iv--005fs: %F2%67%45%96%41%D7%FF%10
extdata-requestversion: 8.1.0
extdata-requestortype: NETKEY_RA
extdata-keyrecord: 1
extdata-wrappeduserprivate: %94%C1%36%D3%EA%4E%36%B5%42%91%AB%47%34%C0%35%A3%6
 F%E8%10%A9%B1%25%F4%BE%9C%11%D1%B3%3D%90%AB%79
extdata-userid: jmagne
extdata-keysize: 1024
extdata-updatedby: TPS-alpha.example.com-7889
extdata-dbstatus: UPDATED
extdata-cuid: 40906145C76224192D2B
extdata-requeststatus: complete
extdata-requestid: 1
extdata-result: 1
requestType: netkeyKeygen
cn: 1
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20110122021010Z
modifyTimestamp: 20110122021010Z
nsUniqueId: b2891805-1dd111b2-a6d7e85f-2c2f0000
Much of that information passes through the script processing unchanged, so it is entered into the new, target KRA just the same. However, some of those attributes can and should be edited, like the CN and DN being changed to match the new KRA instance. The fields which can safely be changed are listed in the configuration file for each type of key entry. (Any attribute not listed is not touched by the tool under any circumstances.)
If a field should be edited — meaning, the tool can update the record ID number or rename the entry — then the value is set to true in the configuration file. For example, this configuration updates the CN, DN, ID number, last modified date, and associated entry notes for all CA enrollment requests:
kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true
If a line is set to true, then the attribute is processed in the LDIF file. By default, all possible attributes are processed. Setting a line to false means that the KRATool skips that attribute and passes the value unchanged. For example, this leaves the last modified time unchanged so that it doesn't update for when the KRATool runs:
kratool.ldif.caEnrollmentRequest.dateOfModify=false

Note

Key enrollments, records, and requests all have an optional notes attribute where administrators can enter notes about the process. When the KRATool runs, it appends a note to that attribute or adds the attribute with information about the tool running, what operations were performed, and a timestamp.
extdata-requestnotes: [20110701150056Z]: REWRAPPED the 'existing DES3 symmetri
 c session key' with the '2048-bit RSA public key' obtained from the target s
 torage certificate + APPENDED ID offset '100000000000' + RENAMED source KRA 
 naming context 'alpha.example.com-pki-kra' to target KRA naming context 'ome
 ga.example.com-pki-kra' + PROCESSED requests and key records ONLY!
This information is very useful for both audit and maintenance of the KRA, so it is beneficial to keep the extdata.requestNotes parameter for all of the key record types set to true.

Important

Every parameter line in the default kratool.cfg must be present in the .cfg file used when the tool is invoked. No line can be omitted and every line must have a valid value (true or false). If the file is not properly formatted, the KRATool will fail.
The formatting of the .cfg file is the same as the formatting used in the instance CS.cfg files.
A default .cfg file is included with the KRATool script. This file (shown in Example 27.1, “Default kratool.cfg File”) can be copied and edited into a custom file or edited directly and used with the tool.

Example 27.1. Default kratool.cfg File

kratool.ldif.caEnrollmentRequest._000=########################################
kratool.ldif.caEnrollmentRequest._001=##     KRA CA Enrollment Request      ##
kratool.ldif.caEnrollmentRequest._002=########################################
kratool.ldif.caEnrollmentRequest._003=##                                    ##
kratool.ldif.caEnrollmentRequest._004=##  NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caEnrollmentRequest._005=##  to change the CA 'naming context' ##
kratool.ldif.caEnrollmentRequest._006=##  data in the following fields:     ##
kratool.ldif.caEnrollmentRequest._007=##                                    ##
kratool.ldif.caEnrollmentRequest._008=##    extdata-auth--005ftoken;uid     ##
kratool.ldif.caEnrollmentRequest._009=##    extdata-auth--005ftoken;userid  ##
kratool.ldif.caEnrollmentRequest._010=##    extdata-updatedby               ##
kratool.ldif.caEnrollmentRequest._011=##                                    ##
kratool.ldif.caEnrollmentRequest._012=##  NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caEnrollmentRequest._013=##  to change CA 'numeric' data in    ##
kratool.ldif.caEnrollmentRequest._014=##  the following fields:             ##
kratool.ldif.caEnrollmentRequest._015=##                                    ##
kratool.ldif.caEnrollmentRequest._016=##    extdata-requestId               ##
kratool.ldif.caEnrollmentRequest._017=##                                    ##
kratool.ldif.caEnrollmentRequest._018=########################################
kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true
kratool.ldif.caKeyRecord._000=#########################################
kratool.ldif.caKeyRecord._001=##          KRA CA Key Record          ##
kratool.ldif.caKeyRecord._002=#########################################
kratool.ldif.caKeyRecord._003=##                                     ##
kratool.ldif.caKeyRecord._004=##  NEVER allow 'KRATOOL' the ability  ##
kratool.ldif.caKeyRecord._005=##  to change the CA 'naming context'  ##
kratool.ldif.caKeyRecord._006=##  data in the following fields:      ##
kratool.ldif.caKeyRecord._007=##                                     ##
kratool.ldif.caKeyRecord._008=##    archivedBy                       ##
kratool.ldif.caKeyRecord._009=##                                     ##
kratool.ldif.caKeyRecord._010=#########################################
kratool.ldif.caKeyRecord.cn=true
kratool.ldif.caKeyRecord.dateOfModify=true
kratool.ldif.caKeyRecord.dn=true
kratool.ldif.caKeyRecord.privateKeyData=true
kratool.ldif.caKeyRecord.serialno=true
kratool.ldif.namingContext._000=############################################
kratool.ldif.namingContext._001=##       KRA Naming Context Fields        ##
kratool.ldif.namingContext._002=############################################
kratool.ldif.namingContext._003=##                                        ##
kratool.ldif.namingContext._004=##  NEVER allow 'KRATOOL' the ability to  ##
kratool.ldif.namingContext._005=##  change the CA 'naming context' data   ##
kratool.ldif.namingContext._006=##  in the following 'non-KeyRecord /     ##
kratool.ldif.namingContext._007=##  non-Request' fields (as these records ##
kratool.ldif.namingContext._008=##  should be removed via the option to   ##
kratool.ldif.namingContext._009=##  process requests and key records only ##
kratool.ldif.namingContext._010=##  if this is a KRA migration):          ##
kratool.ldif.namingContext._011=##                                        ##
kratool.ldif.namingContext._012=##    cn                                  ##
kratool.ldif.namingContext._013=##    sn                                  ##
kratool.ldif.namingContext._014=##    uid                                 ##
kratool.ldif.namingContext._015=##    uniqueMember                        ##
kratool.ldif.namingContext._016=##                                        ##
kratool.ldif.namingContext._017=##  NEVER allow 'KRATOOL' the ability to  ##
kratool.ldif.namingContext._018=##  change the KRA 'naming context' data  ##
kratool.ldif.namingContext._019=##  in the following 'non-KeyRecord /     ##
kratool.ldif.namingContext._020=##  non-Request' fields (as these records ##
kratool.ldif.namingContext._021=##  should be removed via the option to   ##
kratool.ldif.namingContext._022=##  process requests and key records only ##
kratool.ldif.namingContext._023=##  if this is a KRA migration):          ##
kratool.ldif.namingContext._024=##                                        ##
kratool.ldif.namingContext._025=##      dc                                ##
kratool.ldif.namingContext._026=##      dn                                ##
kratool.ldif.namingContext._027=##      uniqueMember                      ##
kratool.ldif.namingContext._028=##                                        ##
kratool.ldif.namingContext._029=##  NEVER allow 'KRATOOL' the ability to  ##
kratool.ldif.namingContext._030=##  change the TPS 'naming context' data  ##
kratool.ldif.namingContext._031=##  in the following 'non-KeyRecord /     ##
kratool.ldif.namingContext._032=##  non-Request' fields (as these records ##
kratool.ldif.namingContext._033=##  should be removed via the option to   ##
kratool.ldif.namingContext._034=##  process requests and key records only ##
kratool.ldif.namingContext._035=##  if this is a KRA migration):          ##
kratool.ldif.namingContext._036=##                                        ##
kratool.ldif.namingContext._037=##    uid                                 ##
kratool.ldif.namingContext._038=##    uniqueMember                        ##
kratool.ldif.namingContext._039=##                                        ##
kratool.ldif.namingContext._040=##  If '-source_naming_context            ##
kratool.ldif.namingContext._041=##  original source KRA naming context'   ##
kratool.ldif.namingContext._042=##  and '-target_naming_context           ##
kratool.ldif.namingContext._043=##  renamed target KRA naming context'    ##
kratool.ldif.namingContext._044=##  options are specified, ALWAYS         ##
kratool.ldif.namingContext._045=##  require 'KRATOOL' to change the       ##
kratool.ldif.namingContext._046=##  KRA 'naming context' data in ALL of   ##
kratool.ldif.namingContext._047=##  the following fields in EACH of the   ##
kratool.ldif.namingContext._048=##  following types of records:           ##
kratool.ldif.namingContext._049=##                                        ##
kratool.ldif.namingContext._050=##    caEnrollmentRequest:                ##
kratool.ldif.namingContext._051=##                                        ##
kratool.ldif.namingContext._052=##      dn                                ##
kratool.ldif.namingContext._053=##      extdata-auth--005ftoken;user      ##
kratool.ldif.namingContext._054=##      extdata-auth--005ftoken;userdn    ##
kratool.ldif.namingContext._055=##                                        ##
kratool.ldif.namingContext._056=##    caKeyRecord:                        ##
kratool.ldif.namingContext._057=##                                        ##
kratool.ldif.namingContext._058=##      dn                                ##
kratool.ldif.namingContext._059=##                                        ##
kratool.ldif.namingContext._060=##    recoveryRequest:                    ##
kratool.ldif.namingContext._061=##                                        ##
kratool.ldif.namingContext._062=##      dn                                ##
kratool.ldif.namingContext._063=##                                        ##
kratool.ldif.namingContext._064=##    tpsKeyRecord:                       ##
kratool.ldif.namingContext._065=##                                        ##
kratool.ldif.namingContext._066=##      dn                                ##
kratool.ldif.namingContext._067=##                                        ##
kratool.ldif.namingContext._068=##    tpsNetkeyKeygenRequest:             ##
kratool.ldif.namingContext._069=##                                        ##
kratool.ldif.namingContext._070=##      dn                                ##
kratool.ldif.namingContext._071=##                                        ##
kratool.ldif.namingContext._072=############################################
kratool.ldif.recoveryRequest._000=#####################################
kratool.ldif.recoveryRequest._001=##  KRA CA / TPS Recovery Request  ##
kratool.ldif.recoveryRequest._002=#####################################
kratool.ldif.recoveryRequest.cn=true
kratool.ldif.recoveryRequest.dateOfModify=true
kratool.ldif.recoveryRequest.dn=true
kratool.ldif.recoveryRequest.extdata.requestId=true
kratool.ldif.recoveryRequest.extdata.requestNotes=true
kratool.ldif.recoveryRequest.extdata.serialnumber=true
kratool.ldif.recoveryRequest.requestId=true
kratool.ldif.tpsKeyRecord._000=#########################################
kratool.ldif.tpsKeyRecord._001=##         KRA TPS Key Record          ##
kratool.ldif.tpsKeyRecord._002=#########################################
kratool.ldif.tpsKeyRecord._003=##                                     ##
kratool.ldif.tpsKeyRecord._004=##  NEVER allow 'KRATOOL' the ability  ##
kratool.ldif.tpsKeyRecord._005=##  to change the TPS 'naming context' ##
kratool.ldif.tpsKeyRecord._006=##  data in the following fields:      ##
kratool.ldif.tpsKeyRecord._007=##                                     ##
kratool.ldif.tpsKeyRecord._008=##    archivedBy                       ##
kratool.ldif.tpsKeyRecord._009=##                                     ##
kratool.ldif.tpsKeyRecord._010=#########################################
kratool.ldif.tpsKeyRecord.cn=true
kratool.ldif.tpsKeyRecord.dateOfModify=true
kratool.ldif.tpsKeyRecord.dn=true
kratool.ldif.tpsKeyRecord.privateKeyData=true
kratool.ldif.tpsKeyRecord.serialno=true
kratool.ldif.tpsNetkeyKeygenRequest._000=#####################################
kratool.ldif.tpsNetkeyKeygenRequest._001=##  KRA TPS Netkey Keygen Request  ##
kratool.ldif.tpsNetkeyKeygenRequest._002=#####################################
kratool.ldif.tpsNetkeyKeygenRequest._003=##                                 ##
kratool.ldif.tpsNetkeyKeygenRequest._004=##  NEVER allow 'KRATOOL' the      ##
kratool.ldif.tpsNetkeyKeygenRequest._005=##  ability to change the          ##
kratool.ldif.tpsNetkeyKeygenRequest._006=##  TPS 'naming context' data in   ##
kratool.ldif.tpsNetkeyKeygenRequest._007=##  the following fields:          ##
kratool.ldif.tpsNetkeyKeygenRequest._008=##                                 ##
kratool.ldif.tpsNetkeyKeygenRequest._009=##    extdata-updatedby            ##
kratool.ldif.tpsNetkeyKeygenRequest._010=##                                 ##
kratool.ldif.tpsNetkeyKeygenRequest._011=#####################################
kratool.ldif.tpsNetkeyKeygenRequest.cn=true
kratool.ldif.tpsNetkeyKeygenRequest.dateOfModify=true
kratool.ldif.tpsNetkeyKeygenRequest.dn=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.keyRecord=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestId=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestNotes=true
kratool.ldif.tpsNetkeyKeygenRequest.requestId=true
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.