pki-tps-connector - Man Page

PKI TPS Connector Configuration

Location

/var/lib/pki/instance/conf/tps/CS.cfg

Description

TPS connector provides a mechanism for TPS to communicate with other PKI subsystems. There are three supported connector types: CA, KRA, and TKS. The connectors are defined using properties in the TPS configuration file.

Ca Connector

A CA connector is defined using properties that begin with tps.connector.ca<n> where n is a positive integer indicating the ID of the CA connector.

tps.connector.ca<n>.enable
This property contains a boolean value indicating whether the connector is enabled.

tps.connector.ca<n>.host
In no-failover configuration, the property contains the hostname of the CA.

In failover configuration, the property contains a list of hostnames and port numbers of the CA subsystems. The format is hostname:port separated by spaces.

tps.connector.ca<n>.port
In no-failover configuration, the property contains the port number of the CA.

tps.connector.ca<n>.nickName
This property contains the nickname of the TPS subsystem certificate for SSL client authentication to the CA.

tps.connector.ca<n>.minHttpConns
This property contains the minimum number of HTTP connections.

tps.connector.ca<n>.maxHttpConns
This property contains the maximum number of HTTP connections.

tps.connector.ca<n>.uri.<op>
This property contains the URI to contact CA for the operation <op>. Example ops: enrollment, renewal, revoke, unrevoke, getcert.

tps.connector.ca<n>.timeout
This property contains the connection timeout.

tps.connCAList
This property is used for Revocation Routing. It contains a list of ordered ca id's separated by ',' that the revocation attempt should be made to. Example: tps.connCAList=ca1,ca2

tps.connector.ca<n>.caNickname
This property is used for Revocation Routing. It contains the nickname of the CA signing certificate that represents this ca<n>.

tps.connector.ca<n>.caSKI
This property is used for Revocation Routing. It contains the Subject Key Identifier of the CA signing certificate of this ca<n>. This value is automatically calculated by TPS once and should not need handling by the administrator.

Kra Connector

A KRA connector is defined using properties that begin with tps.connector.kra<n> where n is a positive integer indicating the ID of the KRA connector.

tps.connector.kra<n>.enable
This property contains a boolean value indicating whether the connector is enabled.

tps.connector.kra<n>.host
In no-failover configuration, the property contains the hostname of the KRA.

In failover configuration, the property contains a list of hostnames and port numbers of the KRA subsystems. The format is hostname:port separated by spaces.

tps.connector.kra<n>.port
In no-failover configuration, the property contains the port number of the KRA.

tps.connector.kra<n>.nickName
This property contains the nickname of the TPS subsystem certificate for SSL client authentication to the KRA.

tps.connector.kra<n>.minHttpConns
This property contains the minimum number of HTTP connections.

tps.connector.kra<n>.maxHttpConns
This property contains the maximum number of HTTP connections.

tps.connector.kra<n>.uri.<op>
This property contains the URI to contact KRA for the operation <op>. Example ops: GenerateKeyPair, TokenKeyRecovery.

tps.connector.kra<n>.timeout
This property contains the connection timeout.

TKS Connector

A TKS connector is defined using properties that begin with tps.connector.tks<n> where n is a positive integer indicating the ID of the TKS connector.

tps.connector.tks<n>.enable
This property contains a boolean value indicating whether the connector is enabled.

tps.connector.tks<n>.host
In no-failover configuration, the property contains the hostname of the TKS.

In failover configuration, the property contains a list of hostnames and port numbers of the TKS subsystems. The format is hostname:port separated by spaces.

tps.connector.tks<n>.port
In no-failover configuration, the property contains the port number of the TKS.

tps.connector.tks<n>.nickName
This property contains the nickname of the TPS subsystem certificate for SSL client authentication to the TKS.

tps.connector.tks<n>.minHttpConns
This property contains the minimum number of HTTP connections.

tps.connector.tks<n>.maxHttpConns
This property contains the maximum number of HTTP connections.

tps.connector.tks<n>.uri.<op>
This property contains the URI to contact TKS for the operation <op>. Example ops: computeRandomData, computeSessionKey, createKeySetData, encryptData.

tps.connector.tks<n>.timeout
This property contains the connection timeout.

tps.connector.tks<n>.generateHostChallenge
This property contains a boolean value indicating whether to generate host challenge.

tps.connector.tks<n>.serverKeygen
This property contains a boolean value indicating whether to generate keys on server side.

tps.connector.tks<n>.keySet
This property contains the key set to be used on TKS.

tps.connector.tks<n>.tksSharedSymKeyName
This property contains the shared secret key name.

Example

tps.connector.ca1.enable=true
tps.connector.ca1.host=pki.example.com
tps.connector.ca1.port=8443
tps.connector.ca1.minHttpConns=1
tps.connector.ca1.maxHttpConns=15
tps.connector.ca1.nickName=subsystemCert cert-pki-tomcat TPS
tps.connector.ca1.timeout=30
tps.connector.ca1.uri.enrollment=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca1.uri.renewal=/ca/ee/ca/profileSubmitSSLClient
tps.connector.ca1.uri.revoke=/ca/ee/subsystem/ca/doRevoke
tps.connector.ca1.uri.unrevoke=/ca/ee/subsystem/ca/doUnrevoke
# in case of Revocation Routing
# note that caSKI is automatically calculated by TPS
tps.connCAList=ca1,ca2
tps.connector.ca1.caNickname=caSigningCert cert-pki-tomcat CA
tps.connector.ca1.caSKI=hAzNarQMlzit4BymAlbduZMwVCc
# ca2 connector in case of Revocation Routing
tps.connector.ca2.<etc.>

tps.connector.kra1.enable=true
tps.connector.kra1.host=pki.example.com
tps.connector.kra1.port=8443
tps.connector.kra1.minHttpConns=1
tps.connector.kra1.maxHttpConns=15
tps.connector.kra1.nickName=subsystemCert cert-pki-tomcat TPS
tps.connector.kra1.timeout=30
tps.connector.kra1.uri.GenerateKeyPair=/kra/agent/kra/GenerateKeyPair
tps.connector.kra1.uri.TokenKeyRecovery=/kra/agent/kra/TokenKeyRecovery

tps.connector.tks1.enable=true
tps.connector.tks1.host=pki.example.com
tps.connector.tks1.port=8443
tps.connector.tks1.minHttpConns=1
tps.connector.tks1.maxHttpConns=15
tps.connector.tks1.nickName=subsystemCert cert-pki-tomcat TPS
tps.connector.tks1.timeout=30
tps.connector.tks1.generateHostChallenge=true
tps.connector.tks1.serverKeygen=false
tps.connector.tks1.keySet=defKeySet
tps.connector.tks1.tksSharedSymKeyName=sharedSecret
tps.connector.tks1.uri.computeRandomData=/tks/agent/tks/computeRandomData
tps.connector.tks1.uri.computeSessionKey=/tks/agent/tks/computeSessionKey
tps.connector.tks1.uri.createKeySetData=/tks/agent/tks/createKeySetData
tps.connector.tks1.uri.encryptData=/tks/agent/tks/encryptData

Authors

Dogtag PKI Team &lt;devel@lists.dogtagpki.org&gt;.

Info

April 22, 2014 PKI TPS Connector Configuration