Updating PKI database user roles
Overview
Since PKI server 10.2.5-6 on RHEL 7, the roles of the PKI database user (pkidbuser) have been changed to avoid issues with conflicting certificate mapping (BZ#1258634). This article describes how to update the PKI database user roles in an existing PKI server installation.
Shared DS database
If the PKI server only has a CA subsystem, or if the PKI server has multiple subsystems installed on a shared DS database, update the PKI database user roles with the following commands (here password is the password of the admin's client NSS database given with -d):
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c password -n caadmin ca-group-user-add "Subsystem Group" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c password -n caadmin ca-group-user-add "Certificate Manager Agents" pkidbuser
This includes IPA servers, since IPA uses a PKI server installed on a shared DS database.
Separate DS databases
If the PKI server has multiple subsystems installed on separate DS databases, update the PKI database user roles in each subsystem with the following commands:
CA subsystem:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c password -n caadmin ca-group-user-add "Subsystem Group" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c password -n caadmin ca-group-user-add "Certificate Manager Agents" pkidbuser
KRA subsystem:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c password -n kraadmin kra-group-user-add "Data Recovery Manager Agents" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c password -n kraadmin kra-group-user-add "Trusted Managers" pkidbuser
OCSP subsystem:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c password -n ocspadmin ocsp-group-user-add "Trusted Managers" pkidbuser
TKS subsystem:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c password -n tksadmin tks-group-user-add "Token Key Service Manager Agents" pkidbuser