27.2. .cfg File
The required configuration file instructs the KRATool how to process attributes in the key archival and key request entries in the LDIF file. There are six types of entries:
- CA enrollment requests
- TPS enrollment requests
- CA key records
- TPS key records
- CA recovery requests and TPS recovery requests (which the KRA treats identically)
Each key and key request has an LDAP entry with attributes that are specific to that kind of record. For example, for a recovery request:
dn: cn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra
objectClass: top
objectClass: request
objectClass: extensibleObject
requestId: 011
requestState: complete
dateOfCreate: 20110121181006Z
dateOfModify: 20110524094652Z
extdata-kra--005ftrans--005fdeskey: 3#C7#82#0F#5D#97GqY#0Aib#966#E5B#F56#F24n#
 F#9E#98#B3
extdata-public--005fkey: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDu6E3uG+Ep27bF1
 yTWvwIDAQAB
extdata-archive: true
extdata-requesttype: netkeyKeygen
extdata-iv--005fs: %F2%67%45%96%41%D7%FF%10
extdata-requestversion: 8.1.0
extdata-requestortype: NETKEY_RA
extdata-keyrecord: 1
extdata-wrappeduserprivate: %94%C1%36%D3%EA%4E%36%B5%42%91%AB%47%34%C0%35%A3%6
 F%E8%10%A9%B1%25%F4%BE%9C%11%D1%B3%3D%90%AB%79
extdata-userid: jmagne
extdata-keysize: 1024
extdata-updatedby: TPS-alpha.example.com-7889
extdata-dbstatus: UPDATED
extdata-cuid: 40906145C76224192D2B
extdata-requeststatus: complete
extdata-requestid: 1
extdata-result: 1
requestType: netkeyKeygen
cn: 1
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20110122021010Z
modifyTimestamp: 20110122021010Z
nsUniqueId: b2891805-1dd111b2-a6d7e85f-2c2f0000
Much of that information passes through the script processing unchanged, so it is entered into the new, target KRA just the same. However, some of those attributes can and should be edited, like the CN and DN being changed to match the new KRA instance. The fields which can safely be changed are listed in the configuration file for each type of key entry. (Any attribute not listed is not touched by the tool under any circumstances.)
If a field should be edited — meaning, the tool can update the record ID number or rename the entry — then the value is set to true in the configuration file. For example, this configuration updates the CN, DN, ID number, last modified date, and associated entry notes for all CA enrollment requests:
kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true
If a line is set to true, then the attribute is processed in the LDIF file. By default, all possible attributes are processed. Setting a line to false means that the KRATool skips that attribute and passes the value through unchanged. For example, this leaves the last modified time unchanged, so that it is not updated to the time at which the KRATool runs:
kratool.ldif.caEnrollmentRequest.dateOfModify=false
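The distinction between attributes that pass through unchanged and attributes the tool is allowed to edit can be illustrated on the recovery-request entry above. The following is an added example, not KRATool's own code: it unfolds an LDIF entry (a line beginning with a single space continues the previous attribute's value, which is how the long extdata values above are wrapped), then applies two flag-gated edits described on this page, renaming the source KRA naming context to the target one in the dn and appending a note to extdata-requestnotes (adding the attribute if it is absent). Everything else is copied as-is. The mapping from the .cfg flag names dn and extdata.requestNotes to the LDIF attributes dn and extdata-requestnotes, the trimmed sample entry, and the note wording (modelled on the note shown later in this section) are assumptions made for the example.

```python
"""Pass-through versus edit on one KRA LDIF entry, driven by .cfg flags.

Added illustration, not KRATool's own logic.  Assumptions: flag 'dn' governs
the 'dn' attribute, flag 'extdata.requestNotes' governs 'extdata-requestnotes',
and the note format is modelled on the sample note in this section.
"""
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the recovery-request entry on this
# page, keeping the folded 'extdata-kra--005ftrans--005fdeskey' value.
SAMPLE_ENTRY = """\
dn: cn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra
objectClass: top
objectClass: request
requestId: 011
extdata-kra--005ftrans--005fdeskey: 3#C7#82#0F#5D#97GqY#0Aib#966#E5B#F56#F24n#
 F#9E#98#B3
extdata-requesttype: netkeyKeygen
extdata-userid: jmagne
extdata-updatedby: TPS-alpha.example.com-7889
cn: 1
"""


def unfold_ldif(text):
    """Return [(attribute, value)] with folded continuation lines rejoined.

    Only the 'attr: value' form is handled; base64 ('attr:: value') entries
    are out of scope for this illustration.
    """
    pairs = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and pairs:          # RFC 2849 folded line
            attr, value = pairs[-1]
            pairs[-1] = (attr, value + raw[1:])
            continue
        attr, _, value = raw.partition(":")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def to_ldif(pairs):
    """Serialise the pair list back to LDIF (values here are short, so no folding)."""
    return "".join("%s: %s\n" % (attr, value) for attr, value in pairs)


def rewrite_entry(pairs, flags, source_ctx, target_ctx, stamp=None):
    """Apply the flag-gated edits; return (new_pairs, names_of_changed_attrs).

    'flags' is a dict such as {"dn": True, "extdata.requestNotes": False},
    i.e. the per-record-type booleans from the .cfg with the record-type
    prefix removed.  Attributes without a flag are copied untouched.
    """
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    note = ("[%s]: RENAMED source KRA naming context '%s' to target KRA "
            "naming context '%s'" % (stamp, source_ctx, target_ctx))
    out, changed, seen_notes = [], [], False
    for attr, value in pairs:
        new = value
        if attr == "dn" and flags.get("dn") and source_ctx in value:
            new = value.replace(source_ctx, target_ctx)
        elif attr == "extdata-requestnotes" and flags.get("extdata.requestNotes"):
            seen_notes = True
            new = value + " " + note               # append to the existing notes
        if new != value:
            changed.append(attr)
        out.append((attr, new))
    # The tool appends to the notes attribute, or adds it when it is absent.
    if flags.get("extdata.requestNotes") and not seen_notes:
        out.append(("extdata-requestnotes", note))
        changed.append("extdata-requestnotes")
    return out, changed


if __name__ == "__main__":
    entry = unfold_ldif(SAMPLE_ENTRY)
    new_entry, touched = rewrite_entry(
        entry, {"dn": True, "extdata.requestNotes": True},
        "alpha.example.com-pki-kra", "omega.example.com-pki-kra")
    print("changed attributes:", touched)
    print(to_ldif(new_entry))
```

Note that extdata-updatedby keeps its value even though it contains the source host name: the default kratool.cfg lists it among the fields the tool must never change, and the example has no flag for it.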
Note
Key enrollments, records, and requests all have an optional notes attribute where administrators can enter notes about the process. When the KRATool runs, it appends a note to that attribute (or adds the attribute if it is absent) recording that the tool ran, what operations were performed, and a timestamp.
extdata-requestnotes: [20110701150056Z]: REWRAPPED the 'existing DES3 symmetric session key' with the '2048-bit RSA public key' obtained from the target storage certificate + APPENDED ID offset '100000000000' + RENAMED source KRA naming context 'alpha.example.com-pki-kra' to target KRA naming context 'omega.example.com-pki-kra' + PROCESSED requests and key records ONLY!
This information is very useful for both audit and maintenance of the KRA, so it is beneficial to keep the extdata.requestNotes parameter for all of the key record types set to true.
Important
Every parameter line in the default kratool.cfg must be present in the .cfg file used when the tool is invoked. No line can be omitted, and every line must have a valid value (true or false). If the file is not properly formatted, the KRATool will fail.
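Because a single omitted or mistyped line makes the KRATool fail, it helps to check the .cfg before invoking the tool. The following added example is not part of KRATool: it parses the CS.cfg-style key=value layout, checks that every boolean parameter and every _NNN banner line of the default kratool.cfg (as listed in Example 27.1) is present, flags values other than true or false and duplicate definitions, and reports which attributes will be processed and which passed through unchanged. The assumption that the _NNN banner lines only need to be present (their values are the comment text), the build_cfg helper, and the sample file it generates are constructed for this example.

```python
"""Pre-flight check for a KRATool .cfg file.

Added example, not part of KRATool.  Assumption: the '_NNN' banner lines
must be present but are not parsed as booleans; every other parameter of
the default kratool.cfg must be present with the value 'true' or 'false'.
"""

# Boolean parameters of the default kratool.cfg (Example 27.1), by record type.
BOOLEAN_PARAMS = {
    "caEnrollmentRequest": ("cn", "dateOfModify", "dn", "extdata.keyRecord",
                            "extdata.requestNotes", "requestId"),
    "caKeyRecord": ("cn", "dateOfModify", "dn", "privateKeyData", "serialno"),
    "recoveryRequest": ("cn", "dateOfModify", "dn", "extdata.requestId",
                        "extdata.requestNotes", "extdata.serialnumber", "requestId"),
    "tpsKeyRecord": ("cn", "dateOfModify", "dn", "privateKeyData", "serialno"),
    "tpsNetkeyKeygenRequest": ("cn", "dateOfModify", "dn", "extdata.keyRecord",
                               "extdata.requestId", "extdata.requestNotes", "requestId"),
}
# Number of '_000'..'_NNN' banner lines in each section of the default file.
BANNER_LINES = {"caEnrollmentRequest": 19, "caKeyRecord": 11, "namingContext": 73,
                "recoveryRequest": 3, "tpsKeyRecord": 11, "tpsNetkeyKeygenRequest": 12}

BOOLEAN_KEYS = tuple("kratool.ldif.%s.%s" % (rec, p)
                     for rec, params in BOOLEAN_PARAMS.items() for p in params)
BANNER_KEYS = tuple("kratool.ldif.%s._%03d" % (rec, i)
                    for rec, n in BANNER_LINES.items() for i in range(n))


def parse_cfg(text):
    """Parse CS.cfg-style 'key=value' lines.

    Returns (values, duplicates): 'values' maps each key to its first value,
    'duplicates' lists keys defined more than once (a likely editing slip).
    Blank lines and lines without '=' are ignored.
    """
    values, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in values:
            duplicates.append(key)
            continue
        values[key] = value
    return values, duplicates


def validate_cfg(text):
    """Report missing, invalid and duplicate lines, and the enabled/disabled attributes."""
    values, duplicates = parse_cfg(text)
    report = {"missing": [], "invalid": [], "duplicate": duplicates,
              "enabled": [], "disabled": []}
    for key in BANNER_KEYS:                 # presence only
        if key not in values:
            report["missing"].append(key)
    for key in BOOLEAN_KEYS:                # presence and a valid value
        value = values.get(key)
        if value is None:
            report["missing"].append(key)
        elif value == "true":
            report["enabled"].append(key)
        elif value == "false":
            report["disabled"].append(key)
        else:
            report["invalid"].append((key, value))
    report["ok"] = not (report["missing"] or report["invalid"] or duplicates)
    return report


def build_cfg(overrides=None, omit=()):
    """Construct a complete sample .cfg (banners present, booleans true) with edits applied."""
    overrides = overrides or {}
    lines = ["%s=##" % key for key in BANNER_KEYS if key not in omit]
    lines += ["%s=%s" % (key, overrides.get(key, "true"))
              for key in BOOLEAN_KEYS if key not in omit]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: one flag switched off, one bad value, two lines omitted.
    sample = build_cfg(
        {"kratool.ldif.caEnrollmentRequest.dateOfModify": "false",
         "kratool.ldif.recoveryRequest.extdata.requestNotes": "yes"},
        omit=("kratool.ldif.namingContext._072", "kratool.ldif.tpsKeyRecord.serialno"))
    result = validate_cfg(sample)
    for field in ("ok", "missing", "invalid", "duplicate", "disabled"):
        print("%-9s %s" % (field + ":", result[field]))
```

Run it against the real file with validate_cfg(open("kratool.cfg").read()); a report whose ok field is false names every line the tool would reject, and the disabled list is a quick way to confirm that extdata.requestNotes is still enabled for every record type.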
The formatting of the .cfg file is the same as the formatting used in the instance CS.cfg files.
A default .cfg file is included with the KRATool script. This file (shown in Example 27.1, “Default kratool.cfg File”) can be copied and edited into a custom file, or edited directly and used with the tool.
Example 27.1. Default kratool.cfg File
kratool.ldif.caEnrollmentRequest._000=########################################
kratool.ldif.caEnrollmentRequest._001=## KRA CA Enrollment Request ##
kratool.ldif.caEnrollmentRequest._002=########################################
kratool.ldif.caEnrollmentRequest._003=## ##
kratool.ldif.caEnrollmentRequest._004=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caEnrollmentRequest._005=## to change the CA 'naming context' ##
kratool.ldif.caEnrollmentRequest._006=## data in the following fields: ##
kratool.ldif.caEnrollmentRequest._007=## ##
kratool.ldif.caEnrollmentRequest._008=## extdata-auth--005ftoken;uid ##
kratool.ldif.caEnrollmentRequest._009=## extdata-auth--005ftoken;userid ##
kratool.ldif.caEnrollmentRequest._010=## extdata-updatedby ##
kratool.ldif.caEnrollmentRequest._011=## ##
kratool.ldif.caEnrollmentRequest._012=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caEnrollmentRequest._013=## to change CA 'numeric' data in ##
kratool.ldif.caEnrollmentRequest._014=## the following fields: ##
kratool.ldif.caEnrollmentRequest._015=## ##
kratool.ldif.caEnrollmentRequest._016=## extdata-requestId ##
kratool.ldif.caEnrollmentRequest._017=## ##
kratool.ldif.caEnrollmentRequest._018=########################################
kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true
kratool.ldif.caKeyRecord._000=#########################################
kratool.ldif.caKeyRecord._001=## KRA CA Key Record ##
kratool.ldif.caKeyRecord._002=#########################################
kratool.ldif.caKeyRecord._003=## ##
kratool.ldif.caKeyRecord._004=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caKeyRecord._005=## to change the CA 'naming context' ##
kratool.ldif.caKeyRecord._006=## data in the following fields: ##
kratool.ldif.caKeyRecord._007=## ##
kratool.ldif.caKeyRecord._008=## archivedBy ##
kratool.ldif.caKeyRecord._009=## ##
kratool.ldif.caKeyRecord._010=#########################################
kratool.ldif.caKeyRecord.cn=true
kratool.ldif.caKeyRecord.dateOfModify=true
kratool.ldif.caKeyRecord.dn=true
kratool.ldif.caKeyRecord.privateKeyData=true
kratool.ldif.caKeyRecord.serialno=true
kratool.ldif.namingContext._000=############################################
kratool.ldif.namingContext._001=## KRA Naming Context Fields ##
kratool.ldif.namingContext._002=############################################
kratool.ldif.namingContext._003=## ##
kratool.ldif.namingContext._004=## NEVER allow 'KRATOOL' the ability to ##
kratool.ldif.namingContext._005=## change the CA 'naming context' data ##
kratool.ldif.namingContext._006=## in the following 'non-KeyRecord / ##
kratool.ldif.namingContext._007=## non-Request' fields (as these records ##
kratool.ldif.namingContext._008=## should be removed via the option to ##
kratool.ldif.namingContext._009=## process requests and key records only ##
kratool.ldif.namingContext._010=## if this is a KRA migration): ##
kratool.ldif.namingContext._011=## ##
kratool.ldif.namingContext._012=## cn ##
kratool.ldif.namingContext._013=## sn ##
kratool.ldif.namingContext._014=## uid ##
kratool.ldif.namingContext._015=## uniqueMember ##
kratool.ldif.namingContext._016=## ##
kratool.ldif.namingContext._017=## NEVER allow 'KRATOOL' the ability to ##
kratool.ldif.namingContext._018=## change the KRA 'naming context' data ##
kratool.ldif.namingContext._019=## in the following 'non-KeyRecord / ##
kratool.ldif.namingContext._020=## non-Request' fields (as these records ##
kratool.ldif.namingContext._021=## should be removed via the option to ##
kratool.ldif.namingContext._022=## process requests and key records only ##
kratool.ldif.namingContext._023=## if this is a KRA migration): ##
kratool.ldif.namingContext._024=## ##
kratool.ldif.namingContext._025=## dc ##
kratool.ldif.namingContext._026=## dn ##
kratool.ldif.namingContext._027=## uniqueMember ##
kratool.ldif.namingContext._028=## ##
kratool.ldif.namingContext._029=## NEVER allow 'KRATOOL' the ability to ##
kratool.ldif.namingContext._030=## change the TPS 'naming context' data ##
kratool.ldif.namingContext._031=## in the following 'non-KeyRecord / ##
kratool.ldif.namingContext._032=## non-Request' fields (as these records ##
kratool.ldif.namingContext._033=## should be removed via the option to ##
kratool.ldif.namingContext._034=## process requests and key records only ##
kratool.ldif.namingContext._035=## if this is a KRA migration): ##
kratool.ldif.namingContext._036=## ##
kratool.ldif.namingContext._037=## uid ##
kratool.ldif.namingContext._038=## uniqueMember ##
kratool.ldif.namingContext._039=## ##
kratool.ldif.namingContext._040=## If '-source_naming_context ##
kratool.ldif.namingContext._041=## original source KRA naming context' ##
kratool.ldif.namingContext._042=## and '-target_naming_context ##
kratool.ldif.namingContext._043=## renamed target KRA naming context' ##
kratool.ldif.namingContext._044=## options are specified, ALWAYS ##
kratool.ldif.namingContext._045=## require 'KRATOOL' to change the ##
kratool.ldif.namingContext._046=## KRA 'naming context' data in ALL of ##
kratool.ldif.namingContext._047=## the following fields in EACH of the ##
kratool.ldif.namingContext._048=## following types of records: ##
kratool.ldif.namingContext._049=## ##
kratool.ldif.namingContext._050=## caEnrollmentRequest: ##
kratool.ldif.namingContext._051=## ##
kratool.ldif.namingContext._052=## dn ##
kratool.ldif.namingContext._053=## extdata-auth--005ftoken;user ##
kratool.ldif.namingContext._054=## extdata-auth--005ftoken;userdn ##
kratool.ldif.namingContext._055=## ##
kratool.ldif.namingContext._056=## caKeyRecord: ##
kratool.ldif.namingContext._057=## ##
kratool.ldif.namingContext._058=## dn ##
kratool.ldif.namingContext._059=## ##
kratool.ldif.namingContext._060=## recoveryRequest: ##
kratool.ldif.namingContext._061=## ##
kratool.ldif.namingContext._062=## dn ##
kratool.ldif.namingContext._063=## ##
kratool.ldif.namingContext._064=## tpsKeyRecord: ##
kratool.ldif.namingContext._065=## ##
kratool.ldif.namingContext._066=## dn ##
kratool.ldif.namingContext._067=## ##
kratool.ldif.namingContext._068=## tpsNetkeyKeygenRequest: ##
kratool.ldif.namingContext._069=## ##
kratool.ldif.namingContext._070=## dn ##
kratool.ldif.namingContext._071=## ##
kratool.ldif.namingContext._072=############################################
kratool.ldif.recoveryRequest._000=#####################################
kratool.ldif.recoveryRequest._001=## KRA CA / TPS Recovery Request ##
kratool.ldif.recoveryRequest._002=#####################################
kratool.ldif.recoveryRequest.cn=true
kratool.ldif.recoveryRequest.dateOfModify=true
kratool.ldif.recoveryRequest.dn=true
kratool.ldif.recoveryRequest.extdata.requestId=true
kratool.ldif.recoveryRequest.extdata.requestNotes=true
kratool.ldif.recoveryRequest.extdata.serialnumber=true
kratool.ldif.recoveryRequest.requestId=true
kratool.ldif.tpsKeyRecord._000=#########################################
kratool.ldif.tpsKeyRecord._001=## KRA TPS Key Record ##
kratool.ldif.tpsKeyRecord._002=#########################################
kratool.ldif.tpsKeyRecord._003=## ##
kratool.ldif.tpsKeyRecord._004=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.tpsKeyRecord._005=## to change the TPS 'naming context' ##
kratool.ldif.tpsKeyRecord._006=## data in the following fields: ##
kratool.ldif.tpsKeyRecord._007=## ##
kratool.ldif.tpsKeyRecord._008=## archivedBy ##
kratool.ldif.tpsKeyRecord._009=## ##
kratool.ldif.tpsKeyRecord._010=#########################################
kratool.ldif.tpsKeyRecord.cn=true
kratool.ldif.tpsKeyRecord.dateOfModify=true
kratool.ldif.tpsKeyRecord.dn=true
kratool.ldif.tpsKeyRecord.privateKeyData=true
kratool.ldif.tpsKeyRecord.serialno=true
kratool.ldif.tpsNetkeyKeygenRequest._000=#####################################
kratool.ldif.tpsNetkeyKeygenRequest._001=## KRA TPS Netkey Keygen Request ##
kratool.ldif.tpsNetkeyKeygenRequest._002=#####################################
kratool.ldif.tpsNetkeyKeygenRequest._003=## ##
kratool.ldif.tpsNetkeyKeygenRequest._004=## NEVER allow 'KRATOOL' the ##
kratool.ldif.tpsNetkeyKeygenRequest._005=## ability to change the ##
kratool.ldif.tpsNetkeyKeygenRequest._006=## TPS 'naming context' data in ##
kratool.ldif.tpsNetkeyKeygenRequest._007=## the following fields: ##
kratool.ldif.tpsNetkeyKeygenRequest._008=## ##
kratool.ldif.tpsNetkeyKeygenRequest._009=## extdata-updatedby ##
kratool.ldif.tpsNetkeyKeygenRequest._010=## ##
kratool.ldif.tpsNetkeyKeygenRequest._011=#####################################
kratool.ldif.tpsNetkeyKeygenRequest.cn=true
kratool.ldif.tpsNetkeyKeygenRequest.dateOfModify=true
kratool.ldif.tpsNetkeyKeygenRequest.dn=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.keyRecord=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestId=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestNotes=true
kratool.ldif.tpsNetkeyKeygenRequest.requestId=true