REDHAT CERTIFICATE SYSTEM 7.2 - ADMINISTRATION Administration Manual

Download or browse online this Administration Manual for Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE.

Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE Manual Information:

This manual for Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE is provided as a PDF and is available for free online viewing and download without logging in. The guide contains 512 pages, and the file size at download is 5.25 MB. The document type is Administration Manual.

Summary of Contents:

[Page 1] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Red Hat Certificate System 7.2 Administration Guide Publication date: November 6, 2006, and updated on August 25, 2009 ...

[Page 2] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Administration Guide Red Hat Certificate System 7.2 Administration Guide Copyright © 2008 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Sh...

[Page 3] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

iii About This Guide xv 1. Who Should Read This Guide .................................................................................

[Page 4] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Administration Guide iv 1.5. CS SDK ..................................................................................................................... 21 1.6. Support for Open Standards ............................................................

[Page 5] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

v 3.3. System Passwords ..................................................................................................... 62 3.3.1. Protecting the password.conf File ..................................................................... 62 3.3.2...

[Page 6] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Administration Guide vi 4.2.3. SSL Server Key Pair and Certificate ............................................................... 104 4.2.4. Certificate Considerations ............................................................................... ...

[Page 7] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

vii 6.4. Overview of Archiving Keys ....................................................................................... 143 6.4.1. Reasons to Archive Keys ............................................................................... 143 6.4.2....

[Page 8] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Administration Guide viii 10.2.3. Retrieving Certificates from the End-Entities Page .......................................... 216 10.3. Managing User Certificates .......................................................................................

[Page 9] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

ix 12.7.2. Authority Key Identifier Extension Default ...................................................... 259 12.7.3. Basic Constraints Extension Default .............................................................. 260 12.7.4. CRL Distribution...

[Page 10] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Administration Guide x 13.4. Issuing CRLs .......................................................................................................... 292 13.4.1. Configuring Issuing Points .................................................................

[Page 11] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

xi 15.4. Setting up CMC Enrollment ..................................................................................... 350 15.4.1. Setting up the Server for Multiple Requests in a Full CMC Request .................. 351 15.4.2. Testing CMCEnroll ....

[Page 12] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Administration Guide xii 16.7.26. certServer.ee.facetofaceenrollment .............................................................. 383 16.7.27. certServer.ee.request.enrollment ................................................................. 383 ...

[Page 13] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

xiii 18.3.3. Configuration Parameters of requestInQueueNotifier ...................................... 410 18.3.4. Configuration Parameters of publishCerts ...................................................... 411 18.3.5. Configuration Parameters ...

[Page 14] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Administration Guide xiv B.1. Internet Security Issues ............................................................................................ 449 B.2. Encryption and Decryption .....................................................................

[Page 15] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

xv About This Guide This guide explains how to install, configure, and maintain the Red Hat Certificate System and how to use it for issuing and managing certificates to end entities such as web browsers, users, servers, and virtual private network (...

[Page 16] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

About This Guide xvi • Chapter 4, Certificate Manager provides information and instructions for configuring the Certificate Manager and an overview of the configuration options. • Chapter 5, Online Certificate Status Protocol Responder provides i...

[Page 17] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Examples and Formatting xvii 4. Examples and Formatting All of the examples for Red Hat Certificate System commands, file locations, and other usage are given for Red Hat Enterprise Linux 5 systems. Be certain to use the appropriate commands and file...

[Page 18] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

About This Guide xviii WARNING A warning indicates potential data loss, as may happen when tuning hardware for maximum performance. 5. Additional Reading The Certificate System Administrator's Guide describes how to set up, configure, and admini...

[Page 19] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Document History xix through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues: • Select the Red Hat Certificate System product. • Set the component to...

[Page 20] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

About This Guide xx Edited to token management sections per Bugzilla 455345. Revision 7.2.2 July 3, 2008 Ella Deon Lackey [email protected] Added information for configuring client authentication, per Bugzilla 236253. Added information that there ...

[Page 21] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 1. 1 Overview This chapter provides an overview of Red Hat Certificate System, a highly configurable set of software components and tools for creating, deploying, and managing certificates. Based on open standards for certificate management, ...

[Page 22] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 1. Overview 2 1.1.2. Interfaces Each of the subsystems contains interfaces for interaction with various portions of the subsystem. The CA, DRM, OCSP, and TKS subsystems have an administrative console to manage and configure the subsystem itse...

[Page 23] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Self-Tests 3 sign and encrypt the logs. Audit logging is configured to specify the events that are logged. See Section 3.9.13, “Signed Audit Log” for details. 1.1.5. Self-Tests The Certificate System provides the framework for system self-tests t...

[Page 24] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 1. Overview 4 1.1.8. Authentication Certificate System provides authentication options for certificate enrollment. These include agent- approved enrollment, in which an agent processes the request, and automated enrollment, in which an authen...

[Page 25] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

CRLs 5 1.1.11. CRLs The Certificate System can create certificate revocation lists (CRLs) from a configurable framework which allows user-defined issuing points so a CRL can be created for each issuing point. Delta CRLs can also be created for any is...

[Page 26] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 1. Overview 6 1.1.17. Support for Open Standards The Certificate System supports open standards and protocols so that its subsystems can communicate across a heterogeneous computing environment. Some of the standards and areas which the Certi...

[Page 27] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

How the Certificate System Works 7 1.2. How the Certificate System Works The Certificate System manages certificates through a flexible, scalable system for issuing and publishing certificates; creating and publishing CRLs; and providing key storage ...

[Page 28] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 1. Overview 8 certificate chains outside the company certificate hierarchy. A Certificate Manager is chained to a third- party CA by requesting the Certificate Manager's CA signing certificate from the third-party CA. 1.2.1.1.3. CA Cloni...

[Page 29] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

How the Certificate Manager Works 9 1.2.1.5. Revocation and CRLs Revoking certificates can be initiated either by an agent or by the end user. An administrator can also revoke the certificates of any of the subsystems or agents. The Certificate Syste...

[Page 30] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 1. Overview 10 certificate content. The default certificate profiles can be modified and new custom modules created. See Chapter 12, Certificate Profiles for details. If the policies in the certificate profile are not met, the request is reje...

[Page 31] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Data Recovery Manager 11 1.2.3. Data Recovery Manager The Data Recovery Manager (DRM) is an optional subsystem that acts as a Key Recovery Authority. When configured in conjunction with a Certificate Manager, the DRM stores private encryption keys as...

[Page 32] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 1. Overview 12 When an OCSP responder is set up with a Certificate Manager, and publishing is set up to the OCSP responder, CRLs are published to the OCSP responder when they are issued or updated. 1.2.5. Token Key Service The Token Key Servi...

[Page 33] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Certificate Manager and DRM 13 Figure 1.1. Single-Root Certificate Manager Figure 1.1, “Single-Root Certificate Manager” shows the relationships between a single Certificate Manager, end entities, and a publishing directory. The Certificate Manag...

[Page 34] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 1. Overview 14 Figure 1.2. Certificate Manager and DRM in Different Instances NOTE The DRM is intended for archival and recovery of private encryption keys only. Therefore, end entities must use either a browser that supports dual-key generat...

[Page 35] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Smart Card Enrollment 15 A cloned Certificate Manager has the same features, such as agent and end-entity gateway functions, of a regular Certificate Manager. 1.3.4. Smart Card Enrollment Most certificates are enrolled through the CA. This is useful ...

[Page 36] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 1. Overview 16 Figure 1.4. Certificate System Architecture ...

[Page 37] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Certificate System Instance 17 1.4.1. Certificate System Instance Within the Certificate System component, a set of common modules, which can all be extended with custom Java™ plug-ins, are provided for all subsystems. Although some may not be used...

[Page 38] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 1. Overview 18 NOTE The OCSP, DRM, TKS, and TPS subsystems do not have end-entity pages. • Agent Services Interface . The agent services page java servlets process HTML form submitted through the agent services HTTP pages. From the informat...

[Page 39] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

PKCS #11 19 cryptographic token interfaces. Red Hat uses NSS to support these features in a wide range of products, including Certificate System. NSS documentation is available on-line at http:// www.mozilla.org/projects/security/pki/nss/overview.htm...

[Page 40] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 1. Overview 20 • Bulk certificate issuance tool (bulkissuance) For more information about Certificate System command-line tools, see the Certificate System Command-Line Tools Guide, which is available at http://redhat.com/docs/manuals/cert-...

[Page 41] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

CS SDK 21 three times as long as the key for standard DES. Because the key size is so large, there are approximately 3.7 * 10^50 possible keys. This cipher suite is FIPS-compliant. • RC4 and RC2 and MD5 Message Authentication. The RC4 and RC2 ciph...

[Page 42] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 1. Overview 22 certificates with Diffie-Hellman public-keys. A standard from the IETF PKIX working group. CMC incorporates CRMF and CMMF. • Cryptographic Message Syntax (CS). A superset of PKCS #7 syntax used for digital signatures and encr...

[Page 43] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. 23 Installation and Configuration The Certificate System is comprised of subsystems which can be independently installed on different servers, multiple instances installed on a single server, and other flexible configurations for availabil...

[Page 44] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 24 • How many subsystems to install. • On which hosts to install the subsystems. • How and where to install an available Red Hat Directory Server. Only one Directory Server is required, although there c...

[Page 45] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Prerequisites 25 issue and the nature of the certificate chain. This may not be acceptable for some PKI deployments. One benefit of chaining to a public CA is that the third party is responsible for submitting the root CA certificate to a web browser...

[Page 46] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 26 2.2.2. Required Programs and Dependencies The following must be installed before installing the Certificate System: • Java™ 1.5.0 Java Runtime Environment (JRE). Certificate System does not support ear...

[Page 47] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Required Programs and Dependencies 27 After downloading these two files, uncompress them using the gunzip utility, and extract the contents using the tar utility. The contents of the 32-bit file, jdk-1_5_0_09-solaris-sparc.tar.Z, are COPYRIGHT, LICEN...

[Page 48] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 28 • kernel-smp (package) • e2fsprogs (package) • firefox (package) • On 64-bit Red Hat Enterprise Linux platforms, be certain that the 64-bit (x86_64) compat-libstdc ++ libraries are installed, and n...

[Page 49] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Packages Installed 29 RPMs for Tomcat Web Services axis jakarta-commons-httpclient3 tomcat5 bcel jakarta-commons-launcher tomcat5-jasper classpathx-jaf jakarta-commons-logging tomcat5-servlet-2.4-api classpathx-mail jakarta-commons-modeler velocity e...

[Page 50] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 30 RPMs for Java™ java-1.5.0-ibm java-1.5.0-ibm-devel Table 2.8. 2.2.3.2. Solaris Packages Solaris packages have the format VENDORpackage_name-version_number-release_number- architecture.pkg; only the pack...

[Page 51] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Packages Installed 31 Packages for Tomcat Web Services RHATjakarta-commons- beanutilsx RHATjpackage-utilsx RHATxerces-j2x RHATjakarta-commons- collectionsx RHATldapjdkx RHATxml-commons-apisx RHATjakarta-commons- daemonx RHATlog4jx RHATxml-commons-res...

[Page 52] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 32 Packages for Java™ SUNWj5rt (32-bit JRE) SUNWj5rtx (64-bit JRE) Table 2.15. 2.3. Configuration Preparation • Section 2.3.1, “Required Information” • Section 2.3.2, “Default Settings” 2.3.1. ...

[Page 53] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Default Settings 33 • Certificate and key recovery files. If the subsystem being configured is a clone of another subsystem, then the backup files for the master subsystem must be locally accessible. 2.3.2. Default Settings The ports and file direc...

[Page 54] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 34 • Subsystem certificate • TPS • SSL server certificate • Subsystem certificate 2.4. Configuration Setup Wizard When the installation process is complete, either when installing the initial subsyste...

[Page 55] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Subsystem Type Panel 35 The first security domain for the Certificate System is created when the default CA is configured. Every subsystem must belong to a security domain; no system can be successfully configured without an existing security domain....

[Page 56] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 36 cloning an existing subsystem, select the master subsystem from the list provided, and give the name of the new cloned subsystem. The list of subsystems in the Clone section list is retrieved from the secu...

[Page 57] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

CA Information Panel 37 For a CA, there are two possible configuration options: • Root CA. A root CA signs its own CA signing certificate and, therefore, can set its own certificate issuance rules. • Subordinate CA. A subordinate CA receives its ...

[Page 58] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 38 Figure 2.6. Selecting the TKS 2.4.6. DRM Information Panel This panel is only available when configuring a TPS subsystem. The TPS can be associated with an existing DRM subsystem to enable server-side key ...

[Page 59] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Authentication Directory Panel 39 2.4.7. Authentication Directory Panel This panel is only available when configuring a TPS subsystem. All subsystems are configured to use a Directory Server database for system certificates and users. The TPS subsyst...

[Page 60] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 40 Figure 2.9. Configuring the Internal LDAP Database Information NOTE Do not share the same suffix and database name for more than one Certificate System subsystem. The same instance can be used for more tha...

[Page 61] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Key Pairs Panel 41 Figure 2.10. Selecting the Key and Certificate Location The LunaSA partitions, the nCipher slots, and the NSS internal software token are provided in this screen. The internal software token is logged in by default. The password to...

[Page 62] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 42 Figure 2.11. Setting the Key Pair Type 2.4.11. Subject Names Panel This panel lists the different certificate subject names for all of the certificates issued for the subsystem being installed. This panel ...

[Page 63] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Requests and Certificates Panel 43 Figure 2.12. Setting the Certificate Subject Name If an existing subsystem is being cloned, all of these fields are grayed out except the Server Certificate name field because the server certificate is regenerated. ...

[Page 64] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 44 Figure 2.13. Certificate Request and Certificate Links If the certificates are signed by an external CA, such as a third-party CA or a Certificate System CA which is outside the security domain, then actio...

[Page 65] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Administrator Panel 45 Figure 2.14. Exporting the Certificates and Keys 2.4.14. Administrator Panel This panel creates the first administrator user for the instance. This user also has agent privileges, so the agent certificates and keys for the agen...

[Page 66] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 46 Pressing Next causes the browser to generate a key pair which consists of a public key and a private key. The public key is packaged in a certificate request that is submitted to the CA. If the requests ar...

[Page 67] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Installing from an ISO Image 47 NOTE The DONT_RUN_PKICREATE environment variable can stop the pkicreate script from running automatically after the subsystems are installed. This allows the default instances to be installed in user-defined installati...

[Page 68] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 48 NOTE When the first subsystem is installed on a machine, the installation process automatically creates a new user (pkiuser) and group (pkiuser). All default Certificate System instances will run as this u...

[Page 69] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Configuring a CA 49 http://server.example.com:9080/ca/admin/console/config/login?pin=kI7E1MByNIUcPJ6RKHmH Using this URL skips the login screen. Alternatively, log into the setup wizard through admin link on the services page and supply the preop.pin...

[Page 70] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 50 2.6.2. Configuring a DRM, OCSP, or TKS 1. Open the configuration wizard. When the instance is installed, the process returns a success message which includes a URL with the login PIN. For example: http://s...

[Page 71] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Configuring a TPS 51 2.6.3. Configuring a TPS 1. Open the configuration wizard. When the instance is installed, the process returns a success message which includes a URL with the login PIN. For example: http://server.example.com:7888/tps/admin/conso...

[Page 72] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 52 12. Give the information for the new subsystem administrator. 13. Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration. 14. When the confi...

[Page 73] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Cloning a Subsystem 53 3. Open the new instance URL, and go through the configuration wizard as described in Section 2.6, “Configuring the Default Subsystem Instances”. Supply the security domain, CA, instance ID, internal LDAP database, and agen...

[Page 74] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 54 Figure 2.17. Supplying the Key and Certificate Information NOTE When cloning a CA, the master and clone instances have the same CA signing key. 6. The subsystem information is automatically supplied from t...

[Page 75] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Silent Installation 55 The options are slightly different between the subsystems; all subsystems except for the CA subsystem require extra options specifying the Certificate Manager to which to submit the certificate requests. Example 2.1, “Silent ...

[Page 76] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 56 2.9. Updating Certificate System Packages There are many packages, listed in Section 2.2.3.1, “Red Hat Enterprise Linux RPMs” and Section 2.2.3.2, “Solaris Packages”, installed with Certificate Sys...

[Page 77] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Updating Certificate System on Solaris 57 3. Run up2date for the package. For example: up2date rhpki-java-tools-7.2.0-4.noarch 4. Restart the Certificate System instances. /etc/init.d/instance_ID start 2.9.2. Updating Certificate System on Solaris 1....

[Page 78] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 2. Installation and Configuration 58 -pki_instance_name=pki_instance_ID The pki_instance_root is the directory path of the instance, such as /var/lib. The pki_instance_name is the instance name, such as rhpki-ca. force automatically ans...

[Page 79] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 3. 59 Administrative Basics This chapter discusses the Certificate System administrative console, the configuration files, and other basic administrative tasks such as starting and stopping the server, managing logs, changing port assignments...

[Page 80] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 3. Administrative Basics 60 • The Status tab allows the administrator to view the contents of various logs maintained by the Certificate System instance. See Section 3.9, “Logs” for more information. Figure 3.1. Certificate System Conso...

[Page 81] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Enabling SSL Client Authentication for the Certificate System Console 61 failure (14290): Error receiving connection SEC_ERROR_INADEQUATE_CERT_TYPE - Certificate type not approved for application.) 2. Stop the subsystem. /etc/init.d/instance_ID stop ...

[Page 82] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 3. Administrative Basics 62 If the procedure is successful, the command prints the following: pk12util: PKCS12 IMPORT SUCCESSFUL Start the Console; now, it prompts for a certificate. 3.3. System Passwords The Certificate System stores passwor...

[Page 83] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Protecting the password.conf File 63 However, storing passwords in clear text can be dangerous. Setting proper file permissions protects this file. Alternatively, the password.conf file can be by-passed by doing the following: 1. Back up the password...

[Page 84] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 3. Administrative Basics 64 3.3.2. Password-Quality Checker A Certificate System plug-in, password-quality checker, monitors the quality of passwords set within the Certificate System. All passwords used in the Certificate System are checked ...

[Page 85] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Restarting a Subsystem after a Machine Restart 65 1. Log in as root. 2. Run /etc/init.d/, specifying the instance name. For example, for an instance named rhpki- ca, the command is as follows: /etc/init.d/rhpki-ca restart 3.4.4. Restarting a Subsyste...

[Page 86] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 3. Administrative Basics 66 3.6. Configuration Files The runtime properties of a Certificate System subsystem are governed by a set of configuration parameters. These parameters are stored in a file that is read by the server during startup. ...

[Page 87] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Guidelines for Editing the Configuration File 67 • The format for parameters is as follows: #comment [parameter]=value • Comment lines begin with the pound (#) character. Comment lines, blank lines, unknown parameters, or misspelled parameters a...

[Page 88] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 3. Administrative Basics 68 • All job-specific information, such as registered job modules and configured instances, appears in the job scheduler section of the configuration file. • Each registered job module is identified by its impleme...

[Page 89] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Other File Locations 69 Directory Location Contents /usr/lib/dirsec Security libraries shared by the CA, DRM, OCSP, and TKS subsystems. For 32-bit Red Hat Enterprise Linux AS and ES i386 machines only. /usr/lib/java JNI Java™ archive files shared b...

[Page 90] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 3. Administrative Basics 70 Directory Location Contents /usr/lib/httpd/modules For TPS subsystems only. Apache modules shared by TPS subsystems. For 32-bit Red Hat Enterprise Linux AS and ES i386 machines only. /usr/lib/mozldap For TPS subsys...

[Page 91] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Default Server Instance Locations 71 Default Location Type of Object Description /var/run/rhpki-ca.pid File A file containing the active process ID of the running CA instance. Table 3.2. CA Default Instance Location 3.6.6.2. DRM Default Instance Loca...

[Page 92] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 3. Administrative Basics 72 3.6.6.4. TKS Default Instance Location Default Location Type of Object Description /etc/init.d/rhpki-tks File The script used to start, stop, or restart the TKS instance. /etc/rhpki-tks Directory Contains the confi...

[Page 93] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Using Java Servlets 73 SELinux is configured through the config configuration file in the /etc/selinux/ directory. The typical SELinux configuration is as follows: ########################################### # SELINUX= can take one of these three val...

[Page 94] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 3. Administrative Basics 74 • Section 3.9.5, “Log File Rotation” • Section 3.9.6, “Configuring Logs in the Console” • Section 3.9.7, “Configuring Logs in the CS.cfg File” • Section 3.9.8, “Configuring TPS Logs” • Sec...

[Page 95] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

About Logs 75 The general types of services which are recorded to the debug log are briefly discussed in Section 3.9.2, “Services That Are Logged”. These services include authorization requests, processing certificate requests, certificate status...

[Page 97] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Services That Are Logged 77 Apache (TPS) Tomcat (CA, DRM, OCSP, TKS) host-manager.timestamp localhost.timestamp localhost_access_log.timestamp manager.timestamp Table 3.7. Logs Created by Apache and Tomcat These logs are not available or configurable...

[Page 98] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 3. Administrative Basics 78 Service Description Request Queue Logs events related to the request queue activity. User and Group Logs events related to users and groups of the instance. Table 3.8. Services Logged 3.9.3. Log Levels (Message Cat...

[Page 99] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Log Levels (Message Categories) 79 Log level Message category Description the server from operating normally, including failures to perform a certificate service operation (User authentication failed or Certificate revoked) and unexpected situations ...

[Page 100] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Chapter 3. Administrative Basics 80 Log levels can be used to filter log entries based on the severity of an event. By default, log level 3 (Failure) is set for all services. The log level is successive; specifying a value of 3 causes levels 4, 5, an...