libre-server / rolekit

'rolekit' is a daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles.

The Domain Controller role should support setting up the Vault #54

Open simo5 opened 8 years ago

simo5 commented 8 years ago

In the latest version FreeIPA has a new "Vault" feature based on dogtag's KRA component. This feature is used to provide a secure storage option for domain users for things like passwords/keys, etc. It may also provide escrow access for admins.

The feature is installed by providing the --setup-kra option to the main installer or by invoking ipa-kra-install.

sgallagher commented 8 years ago

From the rolekit meeting today, we will need to support gracefully falling back if the underlying freeipa-server-install doesn't support --setup-kra.

If the arguments explicitly request the KRA, we will use --setup-kra and fail if it is unsupported. If the argument is left to the defaults, we will attempt to pass --setup-kra and then retry without it if we get an error back. This is consistent with our behavior on other optional components (installing them by default).
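The explicit-versus-default policy described in the comment above, as an added Python example (not rolekit's code). The function name, the tri-state `setup_kra` parameter, the injected `run` callable and the caller-supplied installer command are all assumptions made for illustration; the explicit `False` case goes beyond what the thread discusses.

```python
import subprocess
from typing import Callable, List, Optional, Tuple

Runner = Callable[[List[str]], int]


def _run(cmd: List[str]) -> int:
    """Default runner: execute the installer and return its exit status."""
    return subprocess.run(cmd, check=False).returncode


def install_with_optional_kra(
    base_cmd: List[str],
    setup_kra: Optional[bool] = None,
    run: Runner = _run,
) -> Tuple[bool, List[List[str]]]:
    """Hypothetical helper, not part of rolekit.

    setup_kra: True  = KRA explicitly requested (hard requirement)
               None  = left to the default (try KRA, fall back without it)
               False = explicitly declined (never pass --setup-kra)
    Returns (kra_installed, attempts) so the caller can record whether the
    Vault is actually available and log every command line that was tried.
    """
    attempts: List[List[str]] = []

    def attempt(cmd: List[str]) -> bool:
        attempts.append(cmd)
        return run(cmd) == 0

    if setup_kra is False:
        if not attempt(list(base_cmd)):
            raise RuntimeError("installer failed")
        return False, attempts

    if attempt(list(base_cmd) + ["--setup-kra"]):
        return True, attempts

    if setup_kra is True:
        # Explicit request: do not silently deploy a domain without the Vault.
        raise RuntimeError("KRA explicitly requested but --setup-kra failed")

    # Default case: retry once without the optional component.
    if not attempt(list(base_cmd)):
        raise RuntimeError("installer failed with and without --setup-kra")
    return False, attempts
```

Because the default path retries after any error, the returned `kra_installed` flag is what tells an administrator that the deployed domain controller has no Vault.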