
setting different pki_security_domain_password and pki_admin_password should be allowed #1991

Closed
pki-bot opened this issue Oct 3, 2020 · 6 comments

Comments


pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #1431. Originally filed by dminnich (@dminnich) on 2015-06-19 20:49:12:

  • Closed as Invalid
  • Assigned to nobody

Recently, when working with a CA clone hooked to an HSM, mharmsen discovered that both the pki_security_domain_password and the pki_admin_password must be set to the same value for the CA clone to be stood up successfully.

@pki-bot pki-bot added this to the 10.2.6 milestone Oct 3, 2020
@pki-bot pki-bot closed this as completed Oct 3, 2020

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-06-22 22:16:54

Per CS/DS Meeting of 06/22/2015: 10.3


pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2015-07-06 20:46:20

Per discussions, moving this ticket back to 10.2.6 Milestone.


pki-bot commented Oct 3, 2020

Comment from vakwetu (@vakwetu) at 2015-07-07 18:39:47

There seems to be some confusion here.

When a CA is installed, an admin user is created. For convenience, this user is placed in various admin groups (including the security domain admin groups) as well as the certificate agent groups. This means that this convenience user is a security domain admin, a regular CA admin, and a CA agent.

If you use this default convenience user, then of course the security domain user's password and the admin user's password must be the same - because they are one and the same user. In fact, when installing a root CA, the security_domain_password is likely ignored.

We expect though that in a real deployment, folks will create their own agents, and may even create separate users to manage the security domain (as opposed to other CA admin tasks).

So, if you want to use different passwords for the security domain user, then you should do the following:

  1. create the CA providing the admin user password.
  2. create a new security domain admin user using the pki utility -- authenticating as the admin user. Add a different password for this user.
  3. Add this user to the relevant enterprise X admin groups.
  4. Install other subsystems using the security domain UID and password.

I'm not sure there is any work to be done here, except potentially to better document what is needed in the man page.
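One way to carry out the four steps above, as an added shell example that is not part of the ticket or of the pki project's own code: it creates a dedicated security domain admin with the `pki` CLI and emits a pkispawn config that joins the domain as that user while the subsystem's own admin password differs. The admin cert nickname `caadmin`, the user `sdadmin`, the host `ca.example.com` and the passwords are assumptions; group names follow Dogtag's defaults.

```shell
#!/bin/sh
# Added example, not from the ticket or the pki project.
# Assumed: CA admin client cert nickname "caadmin" in ~/.dogtag/nssdb,
# new user "sdadmin", Dogtag default group names, domain CA at ca.example.com:8443.
set -eu

ADMIN_NICK="${ADMIN_NICK:-caadmin}"
SD_USER="${SD_USER:-sdadmin}"
SD_PASSWORD="${SD_PASSWORD:-sd-secret-CONSTRUCTED}"   # constructed sample value
SD_HOST="${SD_HOST:-ca.example.com}"

# Steps 2 and 3: create a separate security domain admin, authenticating to
# the CA as the convenience admin, then add it to the security domain and
# enterprise admin groups. Needs a reachable CA and a working pki client.
create_sd_admin() {
  pki -n "$ADMIN_NICK" ca-user-add "$SD_USER" \
      --fullName "Security Domain Administrator" --password "$SD_PASSWORD"
  for group in "Security Domain Administrators" \
               "Enterprise CA Administrators" \
               "Enterprise KRA Administrators"; do
    pki -n "$ADMIN_NICK" ca-group-member-add "$group" "$SD_USER"
  done
}

# Step 4: pkispawn config for a subsystem (here a KRA) that authenticates to
# the security domain as the dedicated user; pki_admin_password is the new
# subsystem's own admin password and may differ from pki_security_domain_password.
# Only the keys relevant to this ticket are emitted; a real deployment file
# also needs the DS, client database and related parameters.
subsystem_config() {
  admin_password="$1"
  if [ "$admin_password" = "$SD_PASSWORD" ]; then
    echo "warning: admin password equals security domain password" >&2
  fi
  cat <<EOF
[DEFAULT]
pki_security_domain_hostname=$SD_HOST
pki_security_domain_https_port=8443
pki_security_domain_user=$SD_USER
pki_security_domain_password=$SD_PASSWORD
pki_admin_password=$admin_password

[KRA]
pki_admin_uid=kraadmin
EOF
}

# Typical use once the CA is installed (step 1 done with pkispawn -s CA):
#   create_sd_admin
#   subsystem_config 'kra-admin-secret' > kra.cfg && pkispawn -s KRA -f kra.cfg
```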


pki-bot commented Oct 3, 2020

Comment from dminnich (@dminnich) at 2015-07-10 17:51:06

That makes sense.

We were actually doing the suggested steps but were having issues. I think our issues may have come from setting a different password in the config.txt files than in LDAP. I know at some point we changed passwords in a lot of places and I'm thinking we forgot to update the hash in the LDIF.

Anyhow, I can confirm that at least for a master and clone CA setup not connected to an HSM that I can use different accounts and passwords.

Feel free to close the ticket. Thanks for the help.


pki-bot commented Oct 3, 2020

Comment from nkinder (@nkinder) at 2015-07-10 18:16:09

Thanks for the update Dustin. Closing this ticket.


pki-bot commented Oct 3, 2020

Comment from dminnich (@dminnich) at 2017-02-27 14:04:47

Metadata Update from @dminnich:

  • Issue set to the milestone: 10.2.6
