11.2. Configuring an ACME Database

This section describes how to configure a database for the ACME responder. The database configuration is located at /etc/pki/pki-tomcat/acme/database.conf.
  • You can configure the database via command-line using the pki-server acme-database-mod command. Invoking this command without any parameters launches an interactive mode, for example:
    $ pki-server acme-database-mod
    
    The current value is displayed in the square brackets.
    To keep the current value, simply press Enter.
    To change the current value, enter the new value.
    To remove the current value, enter a blank space.
    
    Enter the type of the database. Available types: ds, in-memory, ldap, openldap, postgresql.
    Database Type: ds
    
    Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389).
    Server URL [ldap://localhost.localdomain:389]:
    
    Enter the authentication type. Available types: BasicAuth, SslClientAuth.
    Authentication Type [BasicAuth]:
    
    Enter the bind DN.
    Bind DN [cn=Directory Manager]:
    
    Enter the bind password.
    Bind Password [********]:
    
    Enter the base DN for the ACME subtree.
    Base DN [dc=acme,dc=pki,dc=example,dc=com]:
  • Invoking the command with the --type parameter creates a new configuration based on the specified type.
  • Invoking the command with other parameters updates the specified parameters.
Certain ACME configuration properties are stored in the database, enabling you to configure all ACME responders in the cluster consistently. By default, the ACME responder directly accesses the database when retrieving or updating the ACME configuration properties, which may increase the load on the database. Some databases might provide an ACME configuration monitor to reduce this load.

11.2.1. Configuring a DS Database

You can configure the ACME responder to use a DS database. A sample DS database configuration is available at /usr/share/pki/acme/database/ds/database.conf.
To configure a DS database:
  1. First add the ACME DS schema by importing the /usr/share/pki/acme/database/ds/schema.ldif file with the following command:
    $ ldapmodify -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
                -f /usr/share/pki/acme/database/ds/schema.ldif
  2. Next, prepare an LDIF file to create the ACME subtree. A sample LDIF file is available at /usr/share/pki/acme/database/ds/create.ldif. This example uses dc=acme,dc=pki,dc=example,dc=com as the base DN.
  3. Import the LDIF file using the ldapadd command:
    $ ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
                -f /usr/share/pki/acme/database/ds/create.ldif
  4. Copy the sample database configuration file from /usr/share/pki/acme/database/ds/database.conf into the /etc/pki/pki-tomcat/acme directory, or execute the following command to customize some of the parameters:
    $ pki-server acme-database-mod --type ds \
                -DbindPassword=Secret.123
  5. Customize the configuration as needed:
    • In a standalone ACME deployment, the database.conf should look like the following:
      class=org.example.acme.database.DSDatabase
      url=ldap://<hostname>:389
      authType=BasicAuth
      bindDN=cn=Directory Manager
      bindPassword=Secret.123
      baseDN=dc=acme,dc=pki,dc=example,dc=com
    • In a shared CA and ACME deployment, the database.conf should look like the following:
      class=org.example.acme.database.DSDatabase
      configFile=conf/ca/CS.cfg
      baseDN=dc=acme,dc=pki,dc=example,dc=com
The DS database provides an ACME configuration monitor using search persistence. You can enable it by setting the following parameter in database.conf: monitor.enabled=true
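The two database.conf layouts above (standalone and shared CA and ACME), the parameters the interactive pki-server acme-database-mod session prompts for, and the monitor.enabled setting can be checked with a small audit script before the responder is started. The following Python is an added example and is not code from the page or from the PKI project: it parses the key=value file, decides which deployment layout it is, reports keys that are missing for that layout, and flags settings a reviewer would look at (a plain ldap:// URL combined with BasicAuth, a clear-text bind password in a file readable by other users, binding as cn=Directory Manager, and the monitor left disabled). Which keys each layout requires, the permission check, and the sample hostname and password are this example's own assumptions.

```python
"""Audit an ACME responder database.conf for the DS backend.

Added example, not part of the page or the PKI project. Which keys each
deployment layout needs and every check below are this example's assumptions.
"""
import os
import stat
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

AUTH_TYPES = ("BasicAuth", "SslClientAuth")   # the types the page lists


@dataclass
class AuditResult:
    mode: str                                     # "standalone", "shared" or "unknown"
    missing: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)   # "WARN ..." / "INFO ..."


def parse_database_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments.
    A DN value contains '=' itself, so split on the first '=' only."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit_database_conf(props: Dict[str, str], file_mode: Optional[int] = None) -> AuditResult:
    """Check required keys per layout and flag risky settings.
    file_mode is the st_mode of database.conf when the caller has it."""
    if "configFile" in props:          # shared CA and ACME: DS settings come from CS.cfg
        mode, required = "shared", ["class", "configFile", "baseDN"]
    elif "url" in props:               # standalone ACME: DS settings live in this file
        mode, required = "standalone", ["class", "url", "authType", "baseDN"]
        # Assumption: only BasicAuth needs a bind DN and password in this file.
        if props.get("authType", "BasicAuth") == "BasicAuth":
            required += ["bindDN", "bindPassword"]
    else:
        mode, required = "unknown", ["class", "baseDN"]
    result = AuditResult(mode=mode, missing=[k for k in required if k not in props])

    auth = props.get("authType")
    if auth is not None and auth not in AUTH_TYPES:
        result.findings.append(f"WARN unknown authType {auth!r}; expected one of {AUTH_TYPES}")

    url = props.get("url")
    if url and urlparse(url).scheme == "ldap" and auth == "BasicAuth":
        result.findings.append("WARN ldap:// with BasicAuth: the bind password crosses the "
                               "network in clear text unless StartTLS is negotiated; prefer ldaps://")

    if "bindPassword" in props and file_mode is not None \
            and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        result.findings.append("WARN file holds a clear-text bind password but is group/other "
                               f"accessible (mode {stat.S_IMODE(file_mode):04o})")

    if props.get("bindDN") == "cn=Directory Manager":
        result.findings.append("WARN binds as the directory superuser; a dedicated account "
                               "limited to the ACME subtree is least privilege")

    if props.get("monitor.enabled", "false").lower() != "true":
        result.findings.append("INFO monitor.enabled is not true: configuration properties are "
                               "read directly from the database on every access")
    return result


def audit_text(text: str, file_mode: Optional[int] = None) -> AuditResult:
    return audit_database_conf(parse_database_conf(text), file_mode)


def audit_file(path: str) -> AuditResult:
    """Audit a real database.conf, using its permission bits for the password check."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_database_conf(parse_database_conf(text), os.stat(path).st_mode)


# Constructed samples mirroring the two layouts above (hostname and password are placeholders).
SAMPLE_STANDALONE = """\
class=org.example.acme.database.DSDatabase
url=ldap://ds.example.test:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
baseDN=dc=acme,dc=pki,dc=example,dc=com
"""

SAMPLE_SHARED = """\
class=org.example.acme.database.DSDatabase
configFile=conf/ca/CS.cfg
baseDN=dc=acme,dc=pki,dc=example,dc=com
monitor.enabled=true
"""

if __name__ == "__main__":
    for name, text in (("standalone", SAMPLE_STANDALONE), ("shared", SAMPLE_SHARED)):
        r = audit_text(text, file_mode=0o644)   # pretend the file is world-readable
        print(f"{name}: mode={r.mode} missing={r.missing}", *r.findings, sep="\n  ")
```

Run it against a deployed file with audit_file("/etc/pki/pki-tomcat/acme/database.conf"); the standalone sample yields three WARN findings and one INFO, while the shared sample with monitor.enabled=true yields none, which is the state to aim for before enabling the responder.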