Fix home directory owner in containers

.github/workflows/ca-container-system-service-test.yml

@@ -79,6 +79,7 @@ jobs:
       - name: Create shared folders in PKI user's home directory
         run: |
           # create folders with default owner and permissions
+          docker exec pki ls -lR /home
           docker exec -u pkiuser pki mkdir /home/pkiuser/certs
           docker exec -u pkiuser pki mkdir /home/pkiuser/conf
           docker exec -u pkiuser pki mkdir /home/pkiuser/logs

.github/workflows/ca-container-user-service-test.yml

@@ -81,6 +81,7 @@ jobs:
 
           # use fuse-overlayfs
           # https://github.com/containers/podman/issues/8705#issuecomment-744357805
+          docker exec pki ls -lR /home
           docker exec -u pkiuser pki mkdir -p /home/pkiuser/.config/containers
           docker exec -i -u pkiuser pki tee /home/pkiuser/.config/containers/storage.conf << EOF
           [storage]

Dockerfile

@@ -100,6 +100,9 @@ RUN dnf install -y /tmp/RPMS/* \
     && rm -rf /var/cache/dnf \
     && rm -rf /tmp/RPMS
 
+# Update home directory owner
+RUN chown -R pkiuser.pkiuser /home/pkiuser
+
 ################################################################################
 FROM pki-runner AS pki-server
 

docs/admin/acme/Configuring-ACME-Database.adoc

@@ -0,0 +1,65 @@
+= Configuring ACME Database =
+
+== Overview ==
+
+This document describes the process to configure a database for ACME responder.
+The database configuration is located at `/var/lib/pki/pki-tomcat/conf/acme/database.conf`.
+
+The `pki-server acme-database-mod` can be used to configure the database via command-line.
+If the command is invoked without any parameters, it will enter an interactive mode, for example:
+
+```
+$ pki-server acme-database-mod
+The current value is displayed in the square brackets.
+To keep the current value, simply press Enter.
+To change the current value, enter the new value.
+To remove the current value, enter a blank space.
+
+Enter the type of the database. Available types: ds, in-memory, ldap, openldap, postgresql.
+  Database Type: ds
+
+Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389).
+  Server URL [ldap://localhost.localdomain:389]:
+
+Enter the authentication type. Available types: BasicAuth, SslClientAuth.
+  Authentication Type [BasicAuth]:
+
+Enter the bind DN.
+  Bind DN [cn=Directory Manager]:
+
+Enter the bind password.
+  Bind Password [********]:
+
+Enter the base DN for the ACME subtree.
+  Base DN [dc=acme,dc=pki,dc=example,dc=com]:
+```
+
+If the command is invoked with `--type` parameter, it will create a new configuration based on the specified type.
+If the command is invoked with other parameters, it will update the specified parameters.
+
+Some ACME configuration properties are stored in the database such that
+all ACME responders in the cluster can be configured consistently.
+By default the ACME responder will access the database directly
+when retrieving or updating the ACME configuration properties,
+which may increase the load on the database.
+Some databases might provide an ACME configuration monitor to reduce the load on the database.
+
+== Configuring ACME with In-Memory Database ==
+
+The ACME responder can be configured with an in-memory database.
+See link:Configuring-ACME-with-InMemory-Database.adoc[Configuring ACME with In-Memory Database].
+
+== Configuring ACME with DS Database ==
+
+The ACME responder can be configured with a DS database.
+See link:Configuring-ACME-with-DS-Database.adoc[Configuring ACME with DS Database].
+
+== Configuring ACME with OpenLDAP Database ==
+
+The ACME responder can be configured with an OpenLDAP database.
+See link:Configuring-ACME-with-OpenLDAP-Database.adoc[Configuring ACME with OpenLDAP Database].
+
+== Configuring ACME with PostgreSQL Database ==
+
+The ACME responder can be configured with a PostgreSQL database.
+See link:Configuring-ACME-with-PostgreSQL-Database.adoc[Configuring ACME with PostgreSQL Database].

docs/admin/acme/Configuring-ACME-Issuer.adoc

@@ -0,0 +1,53 @@
+= Configuring ACME Issuer =
+
+== Overview ==
+
+This document describes the process to configure an issuer for ACME responder.
+The issuer configuration is located at `/var/lib/pki/pki-tomcat/conf/acme/issuer.conf`.
+
+The `pki-server acme-issuer-mod` can be used to configure the issuer via command-line.
+If the command is invoked without any parameters, it will enter an interactive mode, for example:
+
+```
+$ pki-server acme-issuer-mod
+The current value is displayed in the square brackets.
+To keep the current value, simply press Enter.
+To change the current value, enter the new value.
+To remove the current value, enter a blank space.
+
+Enter the type of the certificate issuer. Available types: nss, pki.
+  Issuer Type: pki
+
+Enter the location of the PKI server (e.g. https://localhost.localdomain:8443).
+  Server URL [https://localhost.localdomain:8443]:
+
+Enter the certificate nickname for client authentication.
+This might be the CA agent certificate.
+Enter blank to use basic authentication.
+  Client Certificate:
+
+Enter the username of the CA agent for basic authentication.
+Enter blank if a CA agent certificate is used for client authentication.
+  Agent Username [caadmin]:
+
+Enter the CA agent password for basic authentication.
+Enter blank if the password is already stored in a separate property file
+or if a CA agent certificate is used for client authentication.
+  Agent Password [********]:
+
+Enter the certificate profile for issuing ACME certificates (e.g. acmeServerCert).
+  Certificate Profile [acmeServerCert]:
+```
+
+If the command is invoked with `--type` parameter, it will create a new configuration based on the specified type.
+If the command is invoked with other parameters, it will update the specified parameters.
+
+== Configuring PKI Issuer ==
+
+The ACME responder can be configured to issue certificates using a PKI issuer.
+See link:Configuring-ACME-with-PKI-Issuer.adoc[Configuring ACME with PKI Issuer].
+
+== Configuring NSS Issuer ==
+
+The ACME responder can be configured to issue certificates using a local NSS database.
+See link:Configuring-ACME-with-NSS-Issuer.adoc[Configuring ACME with NSS Issuer].

docs/admin/acme/Configuring-ACME-Metadata.adoc

@@ -0,0 +1,33 @@
+= Configuring ACME Metadata =
+
+== Overview ==
+
+This document describes the process to configure ACME metadata.
+
+The metadata configuration is located at `/var/lib/pki/pki-tomcat/conf/acme/metadata.conf`.
+If the file does not exist, the server will use the default metadata configuration at
+link:../../../base/acme/conf/metadata.conf[/usr/share/pki/acme/conf/metadata.conf].
+
+== Configuring ACME Metadata ==
+
+The `pki-server acme-metadata-mod` can be used to configure the metadata interactively.
+
+----
+$ pki-server acme-metadata-mod
+The current value is displayed in the square brackets.
+To keep the current value, simply press Enter.
+To change the current value, enter the new value.
+To remove the current value, enter a blank space.
+
+Enter the location of the terms of service.
+  Terms of Service [https://www.example.com/acme/tos.pdf]:
+
+Enter the location of the website.
+  Website [https://www.example.com]:
+
+Enter the CAA identities.
+  CAA Identities [example.com]:
+
+Enter true/false whether an external account is required.
+  External Account Required [false]:
+----

docs/admin/acme/Configuring-ACME-Realm.adoc

@@ -0,0 +1,56 @@
+= Configuring ACME Realm =
+
+== Overview ==
+
+This document describes the process to configure a realm for ACME responder.
+The realm configuration is located at `/var/lib/pki/pki-tomcat/conf/acme/realm.conf`.
+
+The `pki-server acme-realm-mod` can be used to configure the realm via command-line.
+If the command is invoked without any parameters, it will enter an interactive mode, for example:
+
+```
+$ pki-server acme-realm-mod
+The current value is displayed in the square brackets.
+To keep the current value, simply press Enter.
+To change the current value, enter the new value.
+To remove the current value, enter a blank space.
+
+Enter the type of the realm. Available types: ds.
+  Database Type: ds
+
+Enter the location of the LDAP server (e.g. ldap://localhost.localdomain:389).
+  Server URL [ldap://localhost.localdomain:389]:
+
+Enter the authentication type. Available types: BasicAuth, SslClientAuth.
+  Authentication Type [BasicAuth]:
+
+Enter the bind DN.
+  Bind DN [cn=Directory Manager]:
+
+Enter the bind password.
+  Bind Password [********]:
+
+Enter the base DN for the ACME users subtree.
+  Users DN [ou=people,dc=acme,dc=pki,dc=example,dc=com]:
+
+Enter the base DN for the ACME groups subtree.
+  Groups DN [ou=groups,dc=acme,dc=pki,dc=example,dc=com]:
+```
+
+If the command is invoked with `--type` parameter, it will create a new configuration based on the specified type.
+If the command is invoked with other parameters, it will update the specified parameters.
+
+== Configuring ACME with In-Memory Realm ==
+
+The ACME responder can be configured with an in-memory realm.
+See link:Configuring-ACME-with-InMemory-Realm.adoc[Configuring ACME with In-Memory Realm].
+
+== Configuring ACME with DS Realm ==
+
+The ACME responder can be configured with a DS realm.
+See link:Configuring-ACME-with-DS-Realm.adoc[Configuring ACME with DS Realm].
+
+== Configuring ACME with PostgreSQL Realm ==
+
+The ACME responder can be configured with a PostgreSQL realm.
+See link:Configuring-ACME-with-PostgreSQL-Realm.adoc[Configuring ACME with PostgreSQL Realm].

docs/admin/acme/Configuring-ACME-Responder.adoc

@@ -0,0 +1,6 @@
+= Configuring ACME Responder =
+
+* link:Configuring-ACME-Metadata.adoc[Configuring ACME Metadata]
+* link:Configuring-ACME-Database.adoc[Configuring ACME Database]
+* link:Configuring-ACME-Issuer.adoc[Configuring ACME Issuer]
+* link:Configuring-ACME-Realm.adoc[Configuring ACME Realm]

docs/admin/acme/Configuring-ACME-with-DS-Database.adoc

@@ -0,0 +1,91 @@
+# Configuring ACME with DS Database
+
+## Overview
+
+This document describes the process to configure ACME responder to use a DS database.
+It assumes that the DS database has been installed as described in
+link:../others/Creating_DS_instance.adoc[Creating DS instance].
+
+## Initializing DS Database
+
+First, add the ACME DS schema by importing
+link:../../../base/acme/database/ds/schema.ldif[/usr/share/pki/acme/database/ds/schema.ldif] with the following command:
+
+----
+$ ldapmodify -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
+    -f /usr/share/pki/acme/database/ds/schema.ldif
+----
+
+Next, create the ACME DS indexes by importing
+link:../../../base/acme/database/ds/index.ldif[/usr/share/pki/acme/database/ds/index.ldif] with the following command:
+
+----
+$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
+    -f /usr/share/pki/acme/database/ds/index.ldif
+----
+
+**Note:** By default the `index.ldif` will use `userroot` as the DS backend.
+
+If necessary, the database can be reindexed by importing
+link:../../../base/acme/database/ds/indextask.ldif[/usr/share/pki/acme/database/ds/indextask.ldif] with the following command:
+
+----
+$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
+    -f /usr/share/pki/acme/database/ds/indextask.ldif
+----
+
+The progress of the reindex task can be monitored with the following command:
+
+----
+$ ldapsearch -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
+    -b "cn=acme,cn=index,cn=tasks,cn=config"
+----
+
+Once the indexes are ready, create the ACME subtree by importing
+link:../../../base/acme/database/ds/create.ldif[/usr/share/pki/acme/database/ds/create.ldif] with the following command:
+
+----
+$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
+    -f /usr/share/pki/acme/database/ds/create.ldif
+----
+
+**Note:** By default the `create.ldif` will create the subtree under `dc=pki,dc=example,dc=com` which is mapped to `userroot` DS backend.
+
+## Configuring ACME Database
+
+A sample database configuration is available at
+link:../../../base/acme/database/ds/database.conf[/usr/share/pki/acme/database/ds/database.conf].
+
+To use the DS database, copy the sample `database.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder,
+or execute the following command to customize some of the parameters:
+
+----
+$ pki-server acme-database-mod --type ds \
+    -DbindPassword=Secret.123
+----
+
+Customize the database configuration as needed. In a standalone ACME deployment, the `database.conf` should look like the following:
+
+----
+class=org.dogtagpki.acme.database.DSDatabase
+url=ldap://<hostname>:389
+authType=BasicAuth
+bindDN=cn=Directory Manager
+bindPassword=Secret.123
+baseDN=dc=acme,dc=pki,dc=example,dc=com
+----
+
+In a shared CA and ACME deployment, the `database.conf` should look like the following:
+
+----
+class=org.dogtagpki.acme.database.DSDatabase
+configFile=conf/ca/CS.cfg
+baseDN=dc=acme,dc=pki,dc=example,dc=com
+----
+
+The DS database provides an ACME configuration monitor using search persistence.
+It can be enabled with the following parameter:
+
+----
+monitor.enabled=true
+----

docs/admin/acme/Configuring-ACME-with-DS-Realm.adoc

@@ -0,0 +1,55 @@
+# Configuring ACME with DS Realm
+
+## Overview
+
+This document describes the process to configure ACME responder to use a DS database for authentication realm.
+It assumes that the DS database has been installed as described in
+link:../others/Creating_DS_instance.adoc[Creating DS instance].
+
+## Initializing DS Realm
+
+Prepare subtrees for ACME users and groups in DS.
+A sample LDIF file is available at link:../../../base/acme/realm/ds/create.ldif[/usr/share/pki/acme/realm/ds/create.ldif].
+This example uses `dc=acme,dc=pki,dc=example,dc=com` as the base DN.
+Import the file with the following command:
+
+----
+$ ldapadd -H ldap://$HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 \
+    -f /usr/share/pki/acme/realm/ds/create.ldif
+----
+
+A sample realm configuration is available at
+link:../../../base/acme/realm/ds/realm.conf[/usr/share/pki/acme/realm/ds/realm.conf].
+
+To use the DS realm, copy the sample `realm.conf` into the `/var/lib/pki/pki-tomcat/conf/acme` folder,
+or execute the following command to customize some of the parameters:
+
+----
+$ pki-server acme-realm-mod --type ds \
+    -DbindPassword=Secret.123
+----
+
+Customize the realm configuration as needed. In a standalone ACME deployment, the `realm.conf` should look like the following:
+
+----
+class=org.dogtagpki.acme.realm.DSRealm
+url=ldap://<hostname>:389
+authType=BasicAuth
+bindDN=cn=Directory Manager
+bindPassword=Secret.123
+usersDN=ou=people,dc=acme,dc=pki,dc=example,dc=com
+groupsDN=ou=groups,dc=acme,dc=pki,dc=example,dc=com
+----
+
+In a shared CA and ACME deployment, the `realm.conf` should look like the following:
+
+----
+class=org.dogtagpki.acme.realm.DSRealm
+configFile=conf/ca/CS.cfg
+usersDN=ou=people,dc=ca,dc=pki,dc=example,dc=com
+groupsDN=ou=groups,dc=ca,dc=pki,dc=example,dc=com
+----
+
+## See Also
+
+* link:../../admin/acme/Managing_DS_Realm.adoc[Managing DS Realm]