27.2. .cfg File
The required configuration file tells the KRATool how to process the attributes in the key archival and key request entries of the LDIF file. There are six types of entries:
- CA enrollment requests
- TPS enrollment requests
- CA key records
- TPS key records
- CA and TPS recovery requests (treated identically in the KRA)
Each key and key request has an LDAP entry with attributes specific to that type of record. For example, for a recovery request:
dn: cn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra
objectClass: top
objectClass: request
objectClass: extensibleObject
requestId: 011
requestState: complete
dateOfCreate: 20110121181006Z
dateOfModify: 20110524094652Z
extdata-kra--005ftrans--005fdeskey: 3#C7#82#0F#5D#97GqY#0Aib#966#E5B#F56#F24n#F#9E#98#B3
extdata-public--005fkey: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDu6E3uG+Ep27bF1yTWvwIDAQAB
extdata-archive: true
extdata-requesttype: netkeyKeygen
extdata-iv--005fs: %F2%67%45%96%41%D7%FF%10
extdata-requestversion: 8.1.0
extdata-requestortype: NETKEY_RA
extdata-keyrecord: 1
extdata-wrappeduserprivate: %94%C1%36%D3%EA%4E%36%B5%42%91%AB%47%34%C0%35%A3%6F%E8%10%A9%B1%25%F4%BE%9C%11%D1%B3%3D%90%AB%79
extdata-userid: jmagne
extdata-keysize: 1024
extdata-updatedby: TPS-alpha.example.com-7889
extdata-dbstatus: UPDATED
extdata-cuid: 40906145C76224192D2B
extdata-requeststatus: complete
extdata-requestid: 1
extdata-result: 1
requestType: netkeyKeygen
cn: 1
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20110122021010Z
modifyTimestamp: 20110122021010Z
nsUniqueId: b2891805-1dd111b2-a6d7e85f-2c2f0000
Most of this information passes through the script unchanged and is loaded into the new target KRA as it is. Some attributes, however, can be edited, such as the CN and DN, so that they match the new KRA instance. The fields that can safely be changed are listed in the configuration file for each type of key entry. (Any attribute that is not listed is never touched by the tool.)
If a field should be edited, meaning that the tool may update the record ID number or rename the entry, its value in the configuration file is set to true. For example, this configuration updates the CN, DN, ID number, last-modified date, and associated entry notes for all CA enrollment requests:
kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true
If a line is set to true, the attribute is processed in the LDIF file. By default, every possible attribute is processed. Setting a line to false tells the KRATool to skip that attribute and leave its value unchanged. For example, this keeps the last-modified time as it is, so it is not updated when the KRATool runs:
kratool.ldif.caEnrollmentRequest.dateOfModify=false
TIP
Key enrollments, records, and requests all have an optional notes attribute in which administrators can enter notes about the process. When the KRATool runs, it appends a note to that attribute, or adds the attribute if it is absent, recording that the tool was run, which operations were performed, and a timestamp:
extdata-requestnotes: [20110701150056Z]: REWRAPPED the 'existing DES3 symmetric session key' with the '2048-bit RSA public key' obtained from the target storage certificate + APPENDED ID offset '100000000000' + RENAMED source KRA naming context 'alpha.example.com-pki-kra' to target KRA naming context 'omega.example.com-pki-kra' + PROCESSED requests and key records ONLY!
This information is very useful for auditing and maintaining the KRA, so it is worth setting this attribute to true for all key record types.
IMPORTANT
Every parameter line in the default kratool.cfg must be present in the .cfg file used when the tool is invoked. No line may be omitted, and every line must have a valid value (true or false). If the file is not formatted correctly, the KRATool fails.
The .cfg file uses the same format as the instance CS.cfg file.
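The two rules above (every switch from the default file present with a true or false value; unlisted attributes never touched) and the folded LDIF values in the recovery request example can be exercised with the following Python script. It is an added example written for this page, not part of the Red Hat documentation or of the KRATool itself. The mapping from a switch such as extdata.requestId to the LDIF attribute extdata-requestid is an assumption made for illustration from the attribute names shown on this page, and the sample configurations and the LDIF entry are constructed (abridged from the page's own examples).

```python
import re

# Constructed: the switches of the default kratool.cfg for recovery requests
# (Example 27.1). The ._NNN comment parameters carry no true/false value.
DEFAULT_SWITCHES = {
    "kratool.ldif.recoveryRequest.cn",
    "kratool.ldif.recoveryRequest.dateOfModify",
    "kratool.ldif.recoveryRequest.dn",
    "kratool.ldif.recoveryRequest.extdata.requestId",
    "kratool.ldif.recoveryRequest.extdata.requestNotes",
    "kratool.ldif.recoveryRequest.extdata.serialnumber",
    "kratool.ldif.recoveryRequest.requestId",
}
COMMENT_KEY = re.compile(r"\._\d{3}$")  # e.g. kratool.ldif.recoveryRequest._001

def parse_cfg(text):
    """Parse CS.cfg-style key=value lines; the first '=' separates key and value."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def validate_cfg(cfg, required=DEFAULT_SWITCHES):
    """List the defects that make KRATool reject the file: a required switch
    that is missing, or one whose value is neither 'true' nor 'false'."""
    problems = []
    for key in sorted(required):
        if key not in cfg:
            problems.append(f"missing: {key}")
        elif cfg[key] not in ("true", "false"):
            problems.append(f"invalid value for {key}: {cfg[key]!r}")
    return problems

def unfold_ldif(text):
    """Unfold one LDIF entry: a line starting with a single space continues the
    previous line (RFC 2849). Returns {attribute: [values]}, dn included."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def switch_to_attribute(key, record_type):
    """ASSUMPTION for this example: 'extdata.X' governs LDIF attribute 'extdata-x';
    any other switch name is used verbatim. KRATool's own mapping is not on the page."""
    prefix = f"kratool.ldif.{record_type}."
    if not key.startswith(prefix) or COMMENT_KEY.search(key):
        return None
    name = key[len(prefix):]
    if name.startswith("extdata."):
        return "extdata-" + name[len("extdata."):].lower()
    return name

def rewritable_attributes(cfg, record_type, entry):
    """Attributes of `entry` the tool may change: switch set to 'true' and the
    attribute actually present (LDAP attribute names compare case-insensitively)."""
    present = {attr.lower(): attr for attr in entry}
    allowed = []
    for key, value in cfg.items():
        attr = switch_to_attribute(key, record_type) if value == "true" else None
        if attr and attr.lower() in present:
            allowed.append(present[attr.lower()])
    return sorted(allowed)

# Sample cfg (constructed): the recoveryRequest switches with dateOfModify
# switched off, so the modification time is left alone.
GOOD_CFG = """\
kratool.ldif.recoveryRequest.cn=true
kratool.ldif.recoveryRequest.dateOfModify=false
kratool.ldif.recoveryRequest.dn=true
kratool.ldif.recoveryRequest.extdata.requestId=true
kratool.ldif.recoveryRequest.extdata.requestNotes=true
kratool.ldif.recoveryRequest.extdata.serialnumber=true
kratool.ldif.recoveryRequest.requestId=true
"""
# Sample cfg (constructed) with the two defects the page warns about: a switch
# omitted (requestId) and a switch with a value other than true/false.
BAD_CFG = """\
kratool.ldif.recoveryRequest.cn=true
kratool.ldif.recoveryRequest.dateOfModify=yes
kratool.ldif.recoveryRequest.dn=true
kratool.ldif.recoveryRequest.extdata.requestId=true
kratool.ldif.recoveryRequest.extdata.requestNotes=true
kratool.ldif.recoveryRequest.extdata.serialnumber=true
"""
# Abridged recovery request entry from the page's LDIF example; the public key
# value is folded over two lines the way LDIF writes long values.
SAMPLE_LDIF = """\
dn: cn=1,ou=kra,ou=requests,dc=alpha.example.com-pki-kra
requestId: 011
dateOfModify: 20110524094652Z
extdata-public--005fkey: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDu6E3uG+Ep27bF1
 yTWvwIDAQAB
extdata-requestid: 1
cn: 1
"""

if __name__ == "__main__":
    for name, text in (("good cfg", GOOD_CFG), ("bad cfg", BAD_CFG)):
        print(name, validate_cfg(parse_cfg(text)) or "ok")
    print("may rewrite:", rewritable_attributes(parse_cfg(GOOD_CFG), "recoveryRequest", unfold_ldif(SAMPLE_LDIF)))
```

Running the script reports the bad configuration's missing switch and its non-boolean value before the tool is ever invoked, and shows that with dateOfModify=false only cn, dn, extdata-requestid and requestId of the sample entry remain eligible for rewriting. Unfolding the LDIF first matters: a value compared against a folded line would never match.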
Example 27.1. Default kratool.cfg file
kratool.ldif.caEnrollmentRequest._000=########################################
kratool.ldif.caEnrollmentRequest._001=## KRA CA Enrollment Request ##
kratool.ldif.caEnrollmentRequest._002=########################################
kratool.ldif.caEnrollmentRequest._003=## ##
kratool.ldif.caEnrollmentRequest._004=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caEnrollmentRequest._005=## to change the CA 'naming context' ##
kratool.ldif.caEnrollmentRequest._006=## data in the following fields: ##
kratool.ldif.caEnrollmentRequest._007=## ##
kratool.ldif.caEnrollmentRequest._008=## extdata-auth--005ftoken;uid ##
kratool.ldif.caEnrollmentRequest._009=## extdata-auth--005ftoken;userid ##
kratool.ldif.caEnrollmentRequest._010=## extdata-updatedby ##
kratool.ldif.caEnrollmentRequest._011=## ##
kratool.ldif.caEnrollmentRequest._012=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caEnrollmentRequest._013=## to change CA 'numeric' data in ##
kratool.ldif.caEnrollmentRequest._014=## the following fields: ##
kratool.ldif.caEnrollmentRequest._015=## ##
kratool.ldif.caEnrollmentRequest._016=## extdata-requestId ##
kratool.ldif.caEnrollmentRequest._017=## ##
kratool.ldif.caEnrollmentRequest._018=########################################
kratool.ldif.caEnrollmentRequest.cn=true
kratool.ldif.caEnrollmentRequest.dateOfModify=true
kratool.ldif.caEnrollmentRequest.dn=true
kratool.ldif.caEnrollmentRequest.extdata.keyRecord=true
kratool.ldif.caEnrollmentRequest.extdata.requestNotes=true
kratool.ldif.caEnrollmentRequest.requestId=true
kratool.ldif.caKeyRecord._000=#########################################
kratool.ldif.caKeyRecord._001=## KRA CA Key Record ##
kratool.ldif.caKeyRecord._002=#########################################
kratool.ldif.caKeyRecord._003=## ##
kratool.ldif.caKeyRecord._004=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.caKeyRecord._005=## to change the CA 'naming context' ##
kratool.ldif.caKeyRecord._006=## data in the following fields: ##
kratool.ldif.caKeyRecord._007=## ##
kratool.ldif.caKeyRecord._008=## archivedBy ##
kratool.ldif.caKeyRecord._009=## ##
kratool.ldif.caKeyRecord._010=#########################################
kratool.ldif.caKeyRecord.cn=true
kratool.ldif.caKeyRecord.dateOfModify=true
kratool.ldif.caKeyRecord.dn=true
kratool.ldif.caKeyRecord.privateKeyData=true
kratool.ldif.caKeyRecord.serialno=true
kratool.ldif.namingContext._000=############################################
kratool.ldif.namingContext._001=## KRA Naming Context Fields ##
kratool.ldif.namingContext._002=############################################
kratool.ldif.namingContext._003=## ##
kratool.ldif.namingContext._004=## NEVER allow 'KRATOOL' the ability to ##
kratool.ldif.namingContext._005=## change the CA 'naming context' data ##
kratool.ldif.namingContext._006=## in the following 'non-KeyRecord / ##
kratool.ldif.namingContext._007=## non-Request' fields (as these records ##
kratool.ldif.namingContext._008=## should be removed via the option to ##
kratool.ldif.namingContext._009=## process requests and key records only ##
kratool.ldif.namingContext._010=## if this is a KRA migration): ##
kratool.ldif.namingContext._011=## ##
kratool.ldif.namingContext._012=## cn ##
kratool.ldif.namingContext._013=## sn ##
kratool.ldif.namingContext._014=## uid ##
kratool.ldif.namingContext._015=## uniqueMember ##
kratool.ldif.namingContext._016=## ##
kratool.ldif.namingContext._017=## NEVER allow 'KRATOOL' the ability to ##
kratool.ldif.namingContext._018=## change the KRA 'naming context' data ##
kratool.ldif.namingContext._019=## in the following 'non-KeyRecord / ##
kratool.ldif.namingContext._020=## non-Request' fields (as these records ##
kratool.ldif.namingContext._021=## should be removed via the option to ##
kratool.ldif.namingContext._022=## process requests and key records only ##
kratool.ldif.namingContext._023=## if this is a KRA migration): ##
kratool.ldif.namingContext._024=## ##
kratool.ldif.namingContext._025=## dc ##
kratool.ldif.namingContext._026=## dn ##
kratool.ldif.namingContext._027=## uniqueMember ##
kratool.ldif.namingContext._028=## ##
kratool.ldif.namingContext._029=## NEVER allow 'KRATOOL' the ability to ##
kratool.ldif.namingContext._030=## change the TPS 'naming context' data ##
kratool.ldif.namingContext._031=## in the following 'non-KeyRecord / ##
kratool.ldif.namingContext._032=## non-Request' fields (as these records ##
kratool.ldif.namingContext._033=## should be removed via the option to ##
kratool.ldif.namingContext._034=## process requests and key records only ##
kratool.ldif.namingContext._035=## if this is a KRA migration): ##
kratool.ldif.namingContext._036=## ##
kratool.ldif.namingContext._037=## uid ##
kratool.ldif.namingContext._038=## uniqueMember ##
kratool.ldif.namingContext._039=## ##
kratool.ldif.namingContext._040=## If '-source_naming_context ##
kratool.ldif.namingContext._041=## original source KRA naming context' ##
kratool.ldif.namingContext._042=## and '-target_naming_context ##
kratool.ldif.namingContext._043=## renamed target KRA naming context' ##
kratool.ldif.namingContext._044=## options are specified, ALWAYS ##
kratool.ldif.namingContext._045=## require 'KRATOOL' to change the ##
kratool.ldif.namingContext._046=## KRA 'naming context' data in ALL of ##
kratool.ldif.namingContext._047=## the following fields in EACH of the ##
kratool.ldif.namingContext._048=## following types of records: ##
kratool.ldif.namingContext._049=## ##
kratool.ldif.namingContext._050=## caEnrollmentRequest: ##
kratool.ldif.namingContext._051=## ##
kratool.ldif.namingContext._052=## dn ##
kratool.ldif.namingContext._053=## extdata-auth--005ftoken;user ##
kratool.ldif.namingContext._054=## extdata-auth--005ftoken;userdn ##
kratool.ldif.namingContext._055=## ##
kratool.ldif.namingContext._056=## caKeyRecord: ##
kratool.ldif.namingContext._057=## ##
kratool.ldif.namingContext._058=## dn ##
kratool.ldif.namingContext._059=## ##
kratool.ldif.namingContext._060=## recoveryRequest: ##
kratool.ldif.namingContext._061=## ##
kratool.ldif.namingContext._062=## dn ##
kratool.ldif.namingContext._063=## ##
kratool.ldif.namingContext._064=## tpsKeyRecord: ##
kratool.ldif.namingContext._065=## ##
kratool.ldif.namingContext._066=## dn ##
kratool.ldif.namingContext._067=## ##
kratool.ldif.namingContext._068=## tpsNetkeyKeygenRequest: ##
kratool.ldif.namingContext._069=## ##
kratool.ldif.namingContext._070=## dn ##
kratool.ldif.namingContext._071=## ##
kratool.ldif.namingContext._072=############################################
kratool.ldif.recoveryRequest._000=#####################################
kratool.ldif.recoveryRequest._001=## KRA CA / TPS Recovery Request ##
kratool.ldif.recoveryRequest._002=#####################################
kratool.ldif.recoveryRequest.cn=true
kratool.ldif.recoveryRequest.dateOfModify=true
kratool.ldif.recoveryRequest.dn=true
kratool.ldif.recoveryRequest.extdata.requestId=true
kratool.ldif.recoveryRequest.extdata.requestNotes=true
kratool.ldif.recoveryRequest.extdata.serialnumber=true
kratool.ldif.recoveryRequest.requestId=true
kratool.ldif.tpsKeyRecord._000=#########################################
kratool.ldif.tpsKeyRecord._001=## KRA TPS Key Record ##
kratool.ldif.tpsKeyRecord._002=#########################################
kratool.ldif.tpsKeyRecord._003=## ##
kratool.ldif.tpsKeyRecord._004=## NEVER allow 'KRATOOL' the ability ##
kratool.ldif.tpsKeyRecord._005=## to change the TPS 'naming context' ##
kratool.ldif.tpsKeyRecord._006=## data in the following fields: ##
kratool.ldif.tpsKeyRecord._007=## ##
kratool.ldif.tpsKeyRecord._008=## archivedBy ##
kratool.ldif.tpsKeyRecord._009=## ##
kratool.ldif.tpsKeyRecord._010=#########################################
kratool.ldif.tpsKeyRecord.cn=true
kratool.ldif.tpsKeyRecord.dateOfModify=true
kratool.ldif.tpsKeyRecord.dn=true
kratool.ldif.tpsKeyRecord.privateKeyData=true
kratool.ldif.tpsKeyRecord.serialno=true
kratool.ldif.tpsNetkeyKeygenRequest._000=#####################################
kratool.ldif.tpsNetkeyKeygenRequest._001=## KRA TPS Netkey Keygen Request ##
kratool.ldif.tpsNetkeyKeygenRequest._002=#####################################
kratool.ldif.tpsNetkeyKeygenRequest._003=## ##
kratool.ldif.tpsNetkeyKeygenRequest._004=## NEVER allow 'KRATOOL' the ##
kratool.ldif.tpsNetkeyKeygenRequest._005=## ability to change the ##
kratool.ldif.tpsNetkeyKeygenRequest._006=## TPS 'naming context' data in ##
kratool.ldif.tpsNetkeyKeygenRequest._007=## the following fields: ##
kratool.ldif.tpsNetkeyKeygenRequest._008=## ##
kratool.ldif.tpsNetkeyKeygenRequest._009=## extdata-updatedby ##
kratool.ldif.tpsNetkeyKeygenRequest._010=## ##
kratool.ldif.tpsNetkeyKeygenRequest._011=#####################################
kratool.ldif.tpsNetkeyKeygenRequest.cn=true
kratool.ldif.tpsNetkeyKeygenRequest.dateOfModify=true
kratool.ldif.tpsNetkeyKeygenRequest.dn=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.keyRecord=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestId=true
kratool.ldif.tpsNetkeyKeygenRequest.extdata.requestNotes=true
kratool.ldif.tpsNetkeyKeygenRequest.requestId=true