6.5. Installing Red Hat Directory Server

Certificate System uses Red Hat Directory Server to store system certificates and user data. You can install both Directory Server and Certificate System on the same or any other host in the network.

Important

FIPS mode must be enabled on the RHEL host before you install Directory Server. To verify that FIPS mode is enabled, run:
# sysctl crypto.fips_enabled
If the returned value is 1, FIPS mode is enabled.

6.5.1. Preparing a Directory Server Instance for Certificate System

Perform the following steps to install Red Hat Directory Server:
  1. Make sure you have attached a subscription that provides Directory Server to the host.
  2. Enable the Directory Server repository:
    # subscription-manager repos --enable=dirsrv-11-for-rhel-8-x86_64-rpms
  3. Install the Directory Server and the openldap-clients packages:
    # dnf module install redhat-ds
    # dnf install openldap-clients
  4. Set up a Directory Server instance.
    1. Generate a DS configuration file; for example, /tmp/ds-setup.inf:
      $ dscreate create-template /tmp/ds-setup.inf
    2. Customize the DS configuration file as follows:
      $ sed -i \
      -e "s/;instance_name = .*/instance_name = localhost/g" \
      -e "s/;root_password = .*/root_password = Secret.123/g" \
      -e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
      -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \
      -e "s/;self_sign_cert = .*/self_sign_cert = False/g" \
      /tmp/ds-setup.inf
    3. Create the instance using the dscreate command with the setup configuration file:
      # dscreate from-file /tmp/ds-setup.inf
    For a detailed procedure, see the Red Hat Directory Server Installation Guide.
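The following script is an added example (not from the Red Hat guide or the Directory Server project) that wraps step 4 above: it applies the same sed substitutions to a dscreate template and then verifies that each key was actually uncommented and set. The check matters because `sed -i` silently does nothing when a key line is missing or not prefixed with `;`, and dscreate would then fall back to its defaults (for example, creating a self-signed certificate). The function names, the `DS_ROOT_PW` environment variable and the sample template are assumptions made here; the key names and section layout follow what `dscreate create-template` emits.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: apply the template edits from
# step 4 above and verify that every key was really set. `sed -i` silently
# does nothing when a key line is absent or not commented out with ';', so a
# typo in the template leaves dscreate using its defaults (for example
# self_sign_cert = True). The sample template below is constructed.

# Apply the guide's substitutions to the template at $1.
# $2 instance name, $3 suffix, $4 Directory Manager password (must not contain
# '/' or '&', which sed would interpret).
customize_ds_inf() {
    inf="$1"; name="$2"; suffix="$3"; rootpw="$4"
    sed -i \
        -e "s/;instance_name = .*/instance_name = $name/g" \
        -e "s/;root_password = .*/root_password = $rootpw/g" \
        -e "s/;suffix = .*/suffix = $suffix/g" \
        -e "s/;create_suffix_entry = .*/create_suffix_entry = True/g" \
        -e "s/;self_sign_cert = .*/self_sign_cert = False/g" \
        "$inf"
}

# Print the active (uncommented) value of key $2 in $1; empty if still commented.
ds_inf_get() {
    sed -n "s/^$2 = //p" "$1" | head -n 1
}

# Return 0 when the keys Certificate System relies on are set as the guide
# requires, 1 otherwise (each problem is reported on stderr).
check_ds_inf() {
    inf="$1"; rc=0
    for key in instance_name root_password suffix; do
        [ -n "$(ds_inf_get "$inf" "$key")" ] \
            || { echo "check_ds_inf: $key is not set (still commented out?)" >&2; rc=1; }
    done
    [ "$(ds_inf_get "$inf" create_suffix_entry)" = "True" ] \
        || { echo "check_ds_inf: create_suffix_entry must be True" >&2; rc=1; }
    [ "$(ds_inf_get "$inf" self_sign_cert)" = "False" ] \
        || { echo "check_ds_inf: self_sign_cert must be False" >&2; rc=1; }
    return "$rc"
}

# Constructed stand-in for the output of `dscreate create-template`; the real
# file has many more keys and explanatory comments.
write_sample_template() {
    cat > "$1" <<'EOF'
[general]
;full_machine_name = localhost.localdomain

[slapd]
;instance_name = localhost
;root_password = Directory_Manager_Password
;self_sign_cert = True

[backend-userroot]
;create_suffix_entry = False
;suffix = dc=example,dc=com
EOF
}

# Usage: DS_ROOT_PW=... ./ds-inf-check.sh /tmp/ds-setup.inf [instance] [suffix]
# Without arguments, demonstrate on the constructed template instead.
if [ "$#" -eq 0 ]; then
    demo=$(mktemp)
    write_sample_template "$demo"
    check_ds_inf "$demo" || echo "raw template rejected, as expected"
    customize_ds_inf "$demo" localhost dc=example,dc=com 'Secret.123'  # the guide's example password
    check_ds_inf "$demo" && echo "customized template: all required keys set"
    rm -f "$demo"
else
    # The password comes from the environment so it does not show up in `ps`.
    customize_ds_inf "$1" "${2:-localhost}" "${3:-dc=example,dc=com}" "${DS_ROOT_PW:?set DS_ROOT_PW}"
    check_ds_inf "$1"
fi
```

Run it against the real template after `dscreate create-template /tmp/ds-setup.inf` and only proceed to `dscreate from-file` when the check exits 0.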

6.5.2. Preparing for Configuring Certificate System

In Section 7.3, “Understanding the pkispawn Utility”, if you chose to set up TLS between Certificate System and Directory Server, use the following parameters in the configuration file you pass to the pkispawn utility when installing Certificate System:

Note

We first need to create a basic TLS server authentication connection. At the end, during post-installation, we will return and make the connection require a client authentication certificate to be presented to Directory Server. Once client authentication is set up at that point, the pki_ds_password parameter will no longer be relevant.

pki_ds_database=back_end_database_name
pki_ds_hostname=host_name
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=path_to_CA_or_self-signed_certificate
pki_ds_password=password
pki_ds_ldaps_port=port
pki_ds_bind_dn=cn=Directory Manager

The value of the pki_ds_database parameter is a name used by the pkispawn utility to create the corresponding subsystem database on the Directory Server instance.
The value of the pki_ds_hostname parameter depends on the install location of the Directory Server instance. This depends on the values used in Section 6.5.1, “Preparing a Directory Server Instance for Certificate System”.
When you set pki_ds_secure_connection=True, the following parameters must be set:
  • pki_ds_secure_connection_ca_pem_file: Sets the fully qualified path, including the file name, of the file that contains an exported copy of the Directory Server's CA certificate. This file must exist before pkispawn can use it.
  • pki_ds_ldaps_port: Sets the secure LDAPS port on which Directory Server is listening. The default is 636.
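As an added example (not from the Red Hat guide or pkispawn itself), the following pre-flight script reads a pkispawn-style key=value file and checks the pki_ds_* parameters listed above before you run pkispawn: the required keys are present, and when pki_ds_secure_connection=True the CA PEM file exists and contains a PEM certificate and pki_ds_ldaps_port is numeric. The function names, the sample configuration and the placeholder PEM file are constructed here; only the parameter names come from the guide.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: a pre-flight check for the
# pki_ds_* parameters above, run before pkispawn. The sample configuration
# and certificate file are constructed; only the parameter names are the
# guide's.

# Print the value of key $2 in $1 (pkispawn uses key=value lines).
pki_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Return 0 when the Directory Server parameters are consistent, 1 otherwise.
check_pki_ds_config() {
    cfg="$1"; rc=0
    for key in pki_ds_database pki_ds_hostname pki_ds_bind_dn pki_ds_password; do
        [ -n "$(pki_get "$cfg" "$key")" ] \
            || { echo "check_pki_ds_config: $key is not set" >&2; rc=1; }
    done
    if [ "$(pki_get "$cfg" pki_ds_secure_connection)" = "True" ]; then
        pem=$(pki_get "$cfg" pki_ds_secure_connection_ca_pem_file)
        port=$(pki_get "$cfg" pki_ds_ldaps_port)
        if [ -z "$pem" ]; then
            echo "check_pki_ds_config: pki_ds_secure_connection_ca_pem_file is not set" >&2; rc=1
        elif [ ! -r "$pem" ]; then
            echo "check_pki_ds_config: CA PEM file $pem does not exist or is unreadable" >&2; rc=1
        elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
            echo "check_pki_ds_config: $pem does not contain a PEM certificate" >&2; rc=1
        fi
        case "$port" in
            '') echo "check_pki_ds_config: pki_ds_ldaps_port is not set (Directory Server default is 636)" >&2; rc=1 ;;
            *[!0-9]*) echo "check_pki_ds_config: pki_ds_ldaps_port '$port' is not a number" >&2; rc=1 ;;
        esac
    else
        # Not an error for pkispawn, but without TLS the Directory Manager bind
        # password crosses the network unencrypted.
        echo "check_pki_ds_config: warning: pki_ds_secure_connection is not True" >&2
    fi
    return "$rc"
}

# Write a constructed pkispawn fragment to $1 pointing at CA PEM file $2.
write_sample_pki_cfg() {
    cat > "$1" <<EOF
[DEFAULT]
pki_ds_database=ca
pki_ds_hostname=ds.example.com
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=$2
pki_ds_password=placeholder-bind-password
pki_ds_ldaps_port=636
pki_ds_bind_dn=cn=Directory Manager
EOF
}

# Write a constructed placeholder PEM to $1 (not a real certificate; enough
# for the format check above). In practice export the DS CA certificate here.
write_placeholder_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$1"
}

# Usage: ./pki-ds-check.sh /path/to/pkispawn.cfg
# Without arguments, demonstrate on constructed files instead.
if [ "$#" -eq 0 ]; then
    d=$(mktemp -d)
    write_placeholder_pem "$d/ds-ca.pem"
    write_sample_pki_cfg "$d/ok.cfg" "$d/ds-ca.pem"
    check_pki_ds_config "$d/ok.cfg" && echo "ok.cfg: Directory Server parameters consistent"
    write_sample_pki_cfg "$d/bad.cfg" "$d/missing.pem"
    check_pki_ds_config "$d/bad.cfg" || echo "bad.cfg rejected, as expected"
    rm -rf "$d"
else
    check_pki_ds_config "$1"
fi
```

The PEM check is deliberately a format check only; it does not prove the file is the Directory Server's CA certificate, so compare its fingerprint with the one exported from the DS instance before relying on it.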