The Certificate Management Protocol (CMP) request generated by the IdAM to the product PKI and/or CA is made via the Trust Service Adapter (TSA) network (default IP address 192.168.5.93). As IdAM version 1.0.0 does not currently include DNS (Domain Name System) resolution on the TSA, establishing an HTTPS connection to the PKI requires a TLS server certificate on the PKI side (web server, gateway, or proxy) that carries the PKI's IP address, so that the TSA can verify the certificate against the IP address instead of a DNS name.
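Before relying on either variant it is worth checking what the PKI's server certificate actually contains, because TLS clients match the host against the Subject Alternative Name (SAN) entries. The following shell script is an added example and not part of the IdAM/TSA documentation: it extracts the SAN entries of a PEM certificate and reports whether the certificate can be verified by IP address (the unpatched TSA) or by DNS name (the patched TSA). It assumes the openssl CLI (1.1.1 or newer); the address 192.168.5.93 and the name pki.example.test used in the constructed demo certificate are illustrative only.

```shell
#!/bin/sh
# Added example, not part of the IdAM/TSA documentation. Checks whether a
# PEM-encoded server certificate can be verified by IP address (what the
# unpatched TSA needs) or by DNS name (what the patched TSA can use).
# Assumes the openssl CLI, 1.1.1 or newer. The address 192.168.5.93 and the
# name pki.example.test below are illustrative, not values from the page.

# Print the certificate's Subject Alternative Name entries one per line,
# e.g. "IP Address:192.168.5.93" and "DNS:pki.example.test".
san_entries() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$'
}

# 0 if the certificate carries an iPAddress SAN equal to $2, 1 otherwise.
cert_matches_ip() {
    san_entries "$1" | grep -qxF "IP Address:$2"
}

# 0 if the certificate carries a dNSName SAN equal to $2, 1 otherwise. TLS
# clients match the name against the SAN list; a name that appears only in
# the CN is not sufficient for current clients.
cert_matches_dns() {
    san_entries "$1" | grep -qxF "DNS:$2"
}

# Build a throwaway self-signed certificate in directory $1 carrying both an
# IP and a DNS SAN (constructed test data). Against a real PKI you would save
# the chain from "openssl s_client -showcerts -connect HOST:443" instead.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=pki.example.test" \
        -addext "subjectAltName=IP:192.168.5.93,DNS:pki.example.test" \
        >/dev/null 2>&1 || return 1
    echo "$1/cert.pem"
}

# Run "sh san-check.sh demo" to see both checks on the constructed certificate.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    cert=$(make_demo_cert "$dir") || exit 1
    for ip in 192.168.5.93 192.168.5.9; do
        if cert_matches_ip "$cert" "$ip"; then echo "IP $ip: ok"; else echo "IP $ip: no match"; fi
    done
    for name in pki.example.test pki.example.com; do
        if cert_matches_dns "$cert" "$name"; then echo "DNS $name: ok"; else echo "DNS $name: no match"; fi
    done
    rm -rf "$dir"
fi
```

Run the IP check against the PKI's certificate before applying the patch, and the DNS check afterwards; a certificate that fails both is the problem to fix on the PKI side, not on the TSA.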

The following describes how to extend the TSA so that it can use server certificates that carry the PKI's DNS name in the Common Name (CN).

  • The change is limited exclusively to the TSA subsystem and is installed in the overlay operating system via a so-called additive: the changed files are stored in an archive file on the boot partition and are overlaid onto the original version at the earliest possible point of every subsequent boot.
  • The process causes a service interruption lasting several minutes.
  • Applying the patch requires no reconfiguration of the configured process in the Sequence Controller.

Prerequisites

The following is required before you start.

  • SSH access to the Sequence Controller network.
  • IPv4 address of a DNS server reachable from the TSA network.
  • The patch file dnspatch.tar.xz with the SHA256 checksum 6f9ea8d8ca5b4c4d8390319b60eff3a92eac2b5d77546cb263a9ef078a01e7ec.
    To generate dnspatch.tar.xz manually, copy the following command (up to and including the EOF line, without leading indentation) into a shell. Once run, you will find the file dnspatch.tar.xz in your current directory; compare its checksum with the value above before using it.
    base64 -d > dnspatch.tar.xz << 'EOF'
    /Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4Hf/CeVdADecCto0aoe1SCl83t8TE7a4v
    NiVyP0J3qcMusjltN6nN8MBYOiV+ZESqlqUAJfy1oHoa6FqAtGlEZDAs+0XaVmGD8
    Cx2LQQ4+PsUX/pWd3itPslzrZG2WQBUmc1drTYPY8oRU11B/XbhQc1ya13ujROJcP
    lcYrYORwW+euj6KL4Cvlc5viLf3VeCKMa0gHfRDloX12h2v9MoD0yLaNPrz/tFekC
    hI4AisIMDJrOPu56HbCtos1fMzdgh+7S3o0KVEUg3ycD5ZvpxNfZEzl1vGQKJAYSI
    dgP6fDxvbK2QmSomGYod78FDIeFniRyZsy0xK+0QsAujmHxUvE+DtNgBSSsevpBmX
    RL7AQQJ1wFBX884HNoyb6an0DfmTktEC3s+X3Lin+kDhK9yPk0R3VFXOmQNZf7nUl
    nKsvVDeIhTpbpzmSA3AKCn7WCH9Is2KSAXf7/rqHK4LIaT41UscQ89PV5FZjrgCRl
    Q8t/W3lvY/9BrDTE1xBQQScX12cmgUMHhRVK2WgPOgs5+So6bg9t4eaFejX3G46rw
    lCEHN3QZ/cD7qpDXcKamUqvMEMK1RSgDOas/u90IKbfOkwp8c1XmAZEn7BvK6CH4A
    cJ5egwkwf2ihbuDUqVFi+gQmnI6aZe/+4Yh6zm+kyNtsuBLc6jxeBwqQStZVsdJiv
    AnfLQxeXOR17SdviLU1oedb/6Z8q1nI71uqkowtNaWSSNOLidd65qpgjqPeYpe+T8
    MfjCgv7KgZtGb6vuvAjAGtjZs++94sIPD5rRLct5dorVodC2G82Kz3iOmXxmWPliD
    2tqhOFNJPW0GjK5959oYhiAorZSvxnXdQokwlCD6FMjUWUhoVOALVPcSeLwtua65b
    ICdeTWnaXdh5gZsmZL4WiE0R3EGP7l82He3EdLG9mZNjG6AfZXXlGFALjE/JaK3NG
    e/GrKvpbevDNBz26keHJn7Kg+uLKhCgOLrVAZVCZMzYPZ1D9rqVDb+kAlGVMEbfY9
    q5AzDBwac9/QZuQjS61Z60E2dtpDpQCB7xtRd8Ps8ZGiSya7HQXHouSW7M5qXLB1P
    ef7RYG4R0Q2zxQZGiBYYuvIkXe0riUTr9LVDtZNibWPY/098C/pDflOIPrEV+Sm4N
    jvzK9u6ySXoQylSVkkioUh8rLQ+Y3HoOaChPP4blbqWhaRiC3W10DhMzeilW4J9va
    XOdd3fAhrTu6tOwDsE210QpP3PtBNeyGnhSNBvOrBErkeRZZQPnsjkDU7wiMbgyMp
    BKdxq+RWQzemSBl8YQ66a0YlhQYR5C0UzOPTYjeMBqEdist0vWCrfzQQAfjXx6pok
    BiirkzKTVXT9SDjvelk2xgkvnaru+6kibBCUTmjawSYMI6u+Hlkp+koR2h1/94aO0
    quLKO69hD+kAwySFgtLyiaRp1aHTSSFto83AyVm1g+P4PN4brP/rNiFGLyDM96/yZ
    Q+8a89f/wfonR4W+HkCZ+m2JBS2bKTYTHQ61j4iM2Ytlr5uNdaRmwMBQ52j20GKR1
    UqXip9Iwu5cOuXf90qWgGcmBjXzSAFi3/EY/1fwWDw/WSiiS0lpckVV6QsGRX/sFn
    zIfy/kDsMgkECI07ZM1iAvHeOmrrMQgq9W23Vu5bCwFtdylWBaKj1rv59VVD/c9S5
    oIWVvNgf/O3fN5z3VbhNGpegEweCvH3r0ZL/qi4ztRNg+8EqVB4WYaEuXsxab5JAt
    xL72TGVsaOENa9LwvAie6Qrw8uhmRcvgbR89R9Z5v9Q1ZiB9rGkUhvvYaSPjSNDMw
    Ql0ekzqiHd1iKET0bWjwL+zX9KnXsqNZophCvvH1lBxnRt5SdvMap+eQO+FlAFKzB
    1JVUoEtVkpR9c5RnP+yDH10VezKRws2f81Y6gu2JPWyhm9xtUiMFtvyGAuJt4YqMk
    iXY0Fo7Kw38Ti1Tmcv/9UcOu70cEWxHGpFpc+v/fw7/0/bca4KTdyoL4JxKwOc4aR
    QrUqKA8Js+dcYfRvoZDBH/LKGEFixPlGNJWbOXhW9cLSy3TCp6ZWW9jb09KX7DmOg
    sdGEbqmUz6DvuL52by14hXoKFz2e0lUaeIaFplKWaVqw/kUfOcE16UO1IUo3tlujW
    sAEcTTWT+ahhPdc3zzDw6HLP2d64clz0p2m+dHPd2HAJ3dhDhAbmy9g46ydocWPL2
    aXSlFljBW/L+16z8MQ9iEoQiNts1dgIuHFTutoVy260SAQvSiQ8VNrNC28m8fpD2X
    +HyjYJWJ0FqtIUnhhEJ0d/ANuVa04KYzTfukDYxQmDXBHyeMDmq1JbFZabkdF9+j0
    wH1wtwYS5IdEcXYQtyR0W0D51vIHAlgjmD45iEaKZ5UxFCTk4vnZapD0Szb4XVquT
    kYdTdc5OavohTfYQNbm78P+DwKsqAAk3UJOISFAeFj4chPUcpZiENdG1Am5J3UK51
    vg9p6NqPsjR3ApRBeiwaOGRU2efvNtIie0ml1W0lWK6ZWkl0Oguvb01jW3I3SixeL
    V5xDlcP9eyZyHRzKtcgZbGOfcdZEfZSIP67ZW7RFz0LSleIdxCaYEyP+gWu5mvmLH
    /J7uWLJPS3isx5JKJSSSd0x9fZVzgFkbEWO3q194Ud/6q+1ITqQFWbbjT69NC9HuI
    7C18CW396dGdouADEm70Phx83TnUOsUqQPz9xX8aaDKBnJ6NOFqBPORNx9Hw0CRbr
    Mn/ffURQRu2y7RZKzz/GBZNFBNy5i4Hojl/06fR3HrgSPSYMRKhoCgnqT5j1JFvAa
    V2pXZYYGxzvTzy2cDB+AD9y8xxjfzISuTUj+lu3kTuGTu3KeeRSQGXapjO7ghHt3h
    PvUQyB8tf9FfKVVTFDfwc7Eqb584VBH92l/NU6h4qRkNkWohOy4vvJjkXqCjHUSh/
    R2jap+4KNSygKaxQEI6I294nFuSRqtEiXdMLtTCWMrrEsIxg89Nq6lf7dVkk7ViG0
    Tj88bJvhH4WWGsTQTTA6/I80CJk0vmRboFzpfLBN+jLvc3vzwVU8UAYMY/o4xrVCh
    OUSx6OapSF0dHyaesPPfrOKAbWTDXXhgr47oYOAiPvIoi3fJWvlXmpL8Mz8esyA3r
    X/j2fcTOylV9xdhlX3s/wARo5C9xa0R+VLjgT/t5Irb8iTYgKVJ3y0tQN4ba5yOpM
    v3LoE6yLKhdybXRCC44FJYEmYp3kGGGyyuHhSSNvNCuknBebDaEet7Z4zSwndG/bD
    kB16OBq+4WfNIAjb9b8PEDd72O3f89kJfcd8vwjGvO53PXt0FuetxJmru2XL+aYTX
    0DzLy6Za71S6WL31pku8UgVARu1vzBFeMabxHLkOcqW7QrDmlS5oPc+DvIJaGAOnn
    yCSL2Xp0XoZJbN4DpCpI8VhClj2XC4mNewryOQAAAAAAiRytmN1YIdUAAYEUgPABA
    EjWX8KxxGf7AgAAAAAEWVo=
    EOF

Add DNS Resolution for CA Profile

To add DNS resolution for the CA profile:

  1. SSH to the Sequence Controller and from there to the TSA:
    $ ssh idam@192.168.5.92
    # default password 'PrimeKey' (change it if it is still in use)
    $ sudo su -
    # get root privileges
    $ ssh -i /root/.ssh/id_* root@100.127.255.4
    # log in to the TSA with the key in /root/.ssh (the id_* glob assumes a single private key there); the prompt changes to:
    root@TrustServiceAdapter/100.127.255.4 [ ~ ]$
  2. Mount the boot partition:
    $ mount /dev/vda1 /mnt && ls -al /mnt
    # mount boot partition; the output should look like this:
    root@TrustServiceAdapter/100.127.255.4 [ ~ ]$ mount /dev/vda1 /mnt && ls -al /mnt
    total 36
    drwxr-xr-x  7 root root  4096 Sep 29 17:53 .
    drwxr-xr-x 21 root root   440 Sep 29 18:01 ..
    drwxr-xr-x  2 root root  4096 Sep 29 17:53 1
    drwxr-xr-x  2 root root  4096 Sep 29 17:53 2
    drwxr-xr-x  3 root root  4096 Sep 29 17:53 boot
    drwx------  2 root root 16384 Sep 29 17:53 lost+found
    drwxr-xr-x  3 root root  4096 Sep 29 17:58 rw
    root@TrustServiceAdapter/100.127.255.4 [ ~ ]$ 
  3. Update the GRUB configuration. Leave the rest of each kernel line as it is on your system and only append the additive= option:
    $ vi /mnt/boot/grub/grub.cfg
    change the line:
    linux /1/vmlinuz-tsa console=tty0 console=ttyS0  ram=aram osarch=1/OS.tar.xz HWversion=2.0 rootdelay=5 root=UUID=bd5fcd23-5d9b-4343-b0da-9a419af0997a  rw
    to
    linux /1/vmlinuz-tsa console=tty0 console=ttyS0  ram=aram osarch=1/OS.tar.xz HWversion=2.0 rootdelay=5 root=UUID=bd5fcd23-5d9b-4343-b0da-9a419af0997a  rw additive=1/dnspatch.tar.xz
    
    and change:
    linux /2/vmlinuz-tsa console=tty0 console=ttyS0  ram=aram osarch=2/OS.tar.xz HWversion=1.0.0 rootdelay=5 root=UUID=6fb486c2-49b6-4773-a0c6-ac552fab3a6d  rw
    to
    linux /2/vmlinuz-tsa console=tty0 console=ttyS0  ram=aram osarch=2/OS.tar.xz HWversion=1.0.0 rootdelay=5 root=UUID=6fb486c2-49b6-4773-a0c6-ac552fab3a6d  rw additive=2/dnspatch.tar.xz
    
    # save the file and quit vi
  4. Generate dnspatch.tar.xz on the TSA by copying the Base64 command block from the Prerequisites into this shell, then copy it to both boot directories and verify the checksum:
    $ cp dnspatch.tar.xz /mnt/1/dnspatch.tar.xz
    $ cp dnspatch.tar.xz /mnt/2/dnspatch.tar.xz
    # verify checksum
    $ sha256sum /mnt/1/dnspatch.tar.xz /mnt/2/dnspatch.tar.xz
    # expected result for both files: 6f9ea8d8ca5b4c4d8390319b60eff3a92eac2b5d77546cb263a9ef078a01e7ec
    # if either value differs, delete the copies and regenerate the file; do not reboot with a corrupt additive
  5. Release the partition:
    $ umount /mnt && ls -al /mnt
    # the output should look like this:
    root@TrustServiceAdapter/192.168.5.93 [ ~ ]$ umount /mnt && ls -al /mnt
    total 0
    drwxr-xr-x  2 root root  40 Sep  4 13:32 .
    drwxr-xr-x 21 root root 440 Oct  1 14:41 ..
    root@TrustServiceAdapter/192.168.5.93 [ ~ ]$
  6. Set the DNS server. For example, if you are using the Quad9 DNS server with the IP address 9.9.9.9 (the server must be reachable from the TSA network), enter:
    echo "nameserver 9.9.9.9" >/etc/resolv.conf
    To add more than one DNS server, enter the following (the first line overwrites the file, the second appends to it):
    echo "nameserver 9.9.9.9" >/etc/resolv.conf
    echo "nameserver 149.112.112.112" >>/etc/resolv.conf
  7. Store the system configuration:
    writeConfig.sh
  8. Reboot the TSA subsystem:
    reboot
  9. Complete the change in the CA profile: activate HTTPS in the CA Profile and enter the DNS name of the PKI as the URL, see CA Configuration.
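The manual steps 2 to 8 above are easy to get wrong by hand (a typo in the long kernel line, an additive copied before its checksum is known good, a malformed nameserver address that only shows up after the reboot). The script below is an added example and not part of the IdAM/TSA documentation: it performs the same steps in an order that only references the additive from grub.cfg after both copies have been verified, and it refuses invalid DNS addresses before touching /etc/resolv.conf. It assumes dnspatch.tar.xz has already been generated in the current directory with the Base64 block from the Prerequisites and that it runs as root on the TSA; device, mount point, checksum and kernel-line layout are the ones shown on this page. The helper functions take file paths as arguments so they can be tried on a copy of grub.cfg first.

```shell
#!/bin/sh
# Added example, not part of the IdAM/TSA documentation: steps 2 to 8 of the
# procedure above as a script to be run as root on the TSA. It assumes that
# dnspatch.tar.xz was already generated in the current directory with the
# base64 block from the Prerequisites. Device, mount point, checksum and kernel
# line layout are the ones shown on this page; the helper functions take file
# paths as arguments so they can be tried on a copy of grub.cfg first.

PATCH_NAME=dnspatch.tar.xz
EXPECTED_SHA256=6f9ea8d8ca5b4c4d8390319b60eff3a92eac2b5d77546cb263a9ef078a01e7ec
BOOT_DEV=/dev/vda1
MNT=/mnt

# 0 if file $1 exists and has SHA-256 $2 (lowercase hex), 1 otherwise.
verify_sha256() {
    [ -f "$1" ] && [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Append "additive=<slot>/<name>" to the "linux /<slot>/vmlinuz-tsa ..." entry
# of grub.cfg $1, slot $2 being 1 or 2. Idempotent: an entry that already has
# an additive= option is left alone, so a re-run cannot add it twice.
add_additive() {
    cfg=$1; slot=$2; name=$3
    if grep -Eq "^[[:space:]]*linux /$slot/vmlinuz-tsa .*additive=" "$cfg"; then
        return 0
    fi
    sed "\|^[[:space:]]*linux /$slot/vmlinuz-tsa |s|[[:space:]]*\$| additive=$slot/$name|" \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# 0 if the slot-$2 entry of grub.cfg $1 ends with "additive=<slot>/<name>".
has_additive() {
    grep -Eq "^[[:space:]]*linux /$2/vmlinuz-tsa .* additive=$2/$3\$" "$1"
}

# Write "nameserver ..." lines for $2.. to the resolv.conf at $1. Refuses anything
# that is not a dotted-quad IPv4 address, so a typo fails here instead of leaving
# the TSA without working DNS after the reboot.
write_resolv_conf() {
    out=$1; shift
    [ $# -gt 0 ] || return 1
    for ns in "$@"; do
        echo "$ns" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    done
    for ns in "$@"; do echo "nameserver $ns"; done > "$out"
}

# Whole procedure. Copies and verifies the additive in both slots before
# grub.cfg references it, so a corrupt copy never becomes a boot option.
apply_dns_patch() {
    verify_sha256 "$PATCH_NAME" "$EXPECTED_SHA256" || { echo "bad checksum for $PATCH_NAME, aborting" >&2; return 1; }
    mount "$BOOT_DEV" "$MNT" || return 1
    for slot in 1 2; do
        cp "$PATCH_NAME" "$MNT/$slot/$PATCH_NAME"
        if ! verify_sha256 "$MNT/$slot/$PATCH_NAME" "$EXPECTED_SHA256"; then
            echo "checksum mismatch in slot $slot, removing copy" >&2
            rm -f "$MNT/$slot/$PATCH_NAME"; umount "$MNT"; return 1
        fi
    done
    for slot in 1 2; do
        add_additive "$MNT/boot/grub/grub.cfg" "$slot" "$PATCH_NAME" || { umount "$MNT"; return 1; }
    done
    umount "$MNT"
    write_resolv_conf /etc/resolv.conf "$@" || { echo "invalid nameserver address" >&2; return 1; }
    writeConfig.sh && reboot
}

# Only runs when invoked as "sh dnspatch.sh apply 9.9.9.9 [149.112.112.112 ...]".
if [ "${1:-}" = "apply" ]; then
    shift
    apply_dns_patch "$@"
fi
```

Try add_additive on a copy of grub.cfg first and inspect the result with diff; once both kernel lines end in the expected additive= option, run the script with apply and the nameserver address from the Prerequisites. Step 9, the CA profile change, is still done in the IdAM user interface.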