manualshive.com logo in svg

Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT, Install Manual, Page: 92 / 132

Share
Download
Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Install Manual Download Page 92

Chapter 6. Cloning Subsystems

82

• If the token is network-based, then the keys and certificates simply need to be available to the

token; the keys and certificates do not need to be copied.

• When using a network-based hardware token, make sure the high-availability feature is enabled on

the hardware token to avoid single point of failure.

6.1.5. Cloning Considerations

As mentioned in 

Section 6.1, “About Cloning”

, part of the behavior of cloning is to replication

information between the master and the clone, so that they work from an identical set of data
and records. This means that the LDAP servers for the master and clones need to be able to
communicate. If these servers are on different hosts, then make sure that there is appropriate firewall
access to allow the Directory Server instances to connect with each other.

6.2. Exporting Keys from a Software Database

Ideally, the keys for the master instance are exported when the instance is first created. If the keys
were not exported then or if the backup file is lost, then it is possible to extract the keys from the
internal software database for the subsystem instance using the 

PKCS12Export

 command. For

example:

PKCS12Export -debug -d /var/lib/

subsystem_name

/alias -w p12pwd.txt -p internal.txt -o

 master.p12

The PKCS#12 file (in this example, 

master.p12

) can then be copied to the clone instance's 

alias/

directory and imported during the clone configuration.

NOTE

Keys and certificates do not need to be exported from an HSM, so long as the clone
instance is installed using the same HSM as the master. If both instances use the same
key store, then the keys are naturally available to the clone.

6.3. Cloning a CA

1. Configure the master CA, as described in 

Section 3.3, “Configuring a CA”

, and back up the keys.

2. In the 

CS.cfg

 file for the master CA, enable the the master CA to monitor replication database

changes by adding the 

ca.listenToCloneModifications

 parameter:

cd /etc/

subsystem_name

ca.listenToCloneModifications=true

3. Create the clone subsystem instance.

IMPORTANT

Do 

not

 go through the setup wizard for the instance yet.

Summary of Contents for CERTIFICATE SYSTEM 8 - DEPLOYMENT

Page 1: ...Red Hat Certificate System 8 Install Guide Ella Deon Lackey Publication date July 22 2009 updated on March 25 2010 ...

Page 2: ... the original version Red Hat as the licensor of this document waives the right to enforce and agrees not to assert Section 4d of CC BY SA to the fullest extent permitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linux is the registered tr...

Page 3: ... 1 3 Supported Smart Cards 10 2 1 4 Supported HSM 10 2 1 5 Supported Charactersets 10 2 2 Required Programs Dependencies and Configuration 11 2 2 1 Java Development Kit JDK 11 2 2 2 Apache 11 2 2 3 Red Hat Directory Server 12 2 2 4 Additional Packages 12 2 2 5 Firewall Configuration and iptables 13 2 2 6 SELinux Settings 13 2 3 Packages Installed on Red Hat Enterprise Linux 13 2 4 Required Informa...

Page 4: ...ers and Clones 90 6 6 1 Converting CA Clones and Masters 90 6 6 2 Converting OCSP Clones 92 6 7 Updating CA Clones 92 7 Silent Configuration 95 7 1 About pkisilent 95 7 2 Silently Configuring Subsystem 99 7 3 Cloning a Subsystem Silently 102 7 4 Performing Silent Configuration Using an External CA 102 8 Updating and Removing Subsystem Packages 105 8 1 Updating Certificate System Packages 105 8 2 U...

Page 5: ...v 9 5 7 Shared Certificate System Subsystem File Locations 119 Index 121 ...

Page 6: ...vi ...

Page 7: ...formation on performing agent tasks such as handling certificate requests and revoking certificates For information on using Certificate System to manage smart cards and security tokens see Managing Smart Cards with the Enterprise Security Client 1 Examples and Formatting 1 1 Formatting for Examples and Commands All of the examples for Red Hat Certificate System commands file locations and other u...

Page 8: ...s intended for Certificate System administrators Certificate System Installation Guide 2 covers the installation process for all Certificate System subsystems This manual is intended for Certificate System administrators Certificate System Administrator s Guide 3 explains all administrative functions for the Certificate System Administrators maintain the subsystems themselves so this manual detail...

Page 9: ...es and workarounds and other important deployment information for Red Hat Certificate System 8 0 All of the latest information about Red Hat Certificate System and both current and archived documentation is available at http www redhat com docs manuals cert system 3 Giving Feedback If there is any error in this Installation Guide or there is any way to improve the documentation please let us know ...

Page 10: ... per QE feedback Adding note about no 64 bit support for ESC Revision 8 0 5 November 3 2009 Ella Deon Lackey Adding information on setting the NSS_USE_DECODED_CKA_EC_POINT environment variable for the console and clarifying the security database argument in the modutil step for configuring the Certicom ECC module Revision 8 0 4 August 28 2009 Ella Deon Lackey Removing the draft watermarks Tech rev...

Page 11: ...subsystems interact in flexibly established ways to manage certificates and to manage tokens 1 1 Subsystems for Managing Certificates Up to four Certificate System subsystems work together to manage certificates Certificate Manager a certificate authority CA which issues renews and revokes certificates and publishes certificate revocation lists CRLs Data Recovery Manager DRM which archives and rec...

Page 12: ...the load for some common operations off of the CA such as using an OCSP for status requests and an RA to process certificate requests The CA RA DRM and OCSP are the subsystems used to manage certificates keys and CRLs through every step of the cycle of a certificate 1 Generating a certificate request CA or RA 2 Submitting the request to a CA CA or RA 3 Generating key pairs CA 4 Storing the key pai...

Page 13: ...s to having a self signed CA certificate for your root CA as well as some benefits to having the certificate signed by a third party CA Additionally a Certificate Manager is always the subsystem which works as the registry for the security domain The very first Certificate Manager configured must create a security domain but every Certificate Manager configured after has the option of joining an e...

Page 14: ...te Manager behind the firewall Like the RA the OCSP acts as a load balancer for requests to the Certificate Manager The Online Certificate Status Manager verifies the status of a certificate by checking a certificate revocation list published by the Certificate Manager to see if the specified certificate has been revoked More than one Certificate Manager can publish CRLs to a single OCSP 1 2 Subsy...

Page 15: ... a master key to derive specific separate keys for every smart card The TPS uses these secret keys to communicate with each smart card securely since all communication between the TPS and the smart card is encrypted The only Certificate System subsystem which the TKS interacts with is the TPS 1 2 3 Enterprise Security Client The Enterprise Security Client is not a subsystem since it does not perfo...

Page 16: ...are token A Certificate System supports two hardware security modules HSM nCipher netHSM 2000 and Safenet LunaSA Using a hardware token can require additional setup and configuration before installing the subsystems but it also adds another layer of security Q What machines should the subsystem be installed on A This depends on the network design The RA and OCSP subsystems are specifically designe...

Page 17: ... the Certificate manager subordinate to a public CA This can be very restrictive since it introduces the restrictions that public CAs place on the kinds of certificates the subordinate CA can issue and the nature of the certificate chain On the other hand one benefit of chaining to a public CA is that the third party is responsible for submitting the root CA certificate to a web browser or other c...

Page 18: ...8 ...

Page 19: ...d Hat Enterprise Linux 5 3 x86 32 bit Red Hat Enterprise Linux 5 3 x86_64 64 bit Microsoft Windows Vista 32 bit Microsoft Windows Vista 64 bit Microsoft Windows XP 32 bit Microsoft Windows XP 64 bit 2 1 2 Supported Web Browsers The services pages for the subsystems require a web browser that supports SSL It is strongly recommended that users such as agents or administrators use Mozilla Firefox to ...

Page 20: ... CoolKey applet which ships with Red Hat Enterprise Linux 5 3 2 1 4 Supported HSM Red Hat Certificate System supports two hardware security modules HSM nCipher netHSM 2000 and Chrysalis IT LunaSA HSM Firmware Appliance Software Client Software Safenet Chrysalis ITS LunaSA 4 5 2 3 2 4 3 2 4 nCipher netHSM 2000 2 33 60 11 10 2 1 5 Supported Charactersets Red Hat Certificate System fully supports UTF...

Page 21: ...alled by using yum or by downloading the packages directly from http openjdk java net install For example yum install java 1 6 0 openjdk After installing the JDK run usr sbin alternatives as root to insure that the proper JDK is available usr sbin alternatives config java There are 3 programs which provide java Selection Command 1 usr lib jvm jre 1 4 2 gcj bin java 2 usr lib jvm jre 1 6 0 openjdk ...

Page 22: ...le yum info redhat ds Installed Packages Name redhat ds Arch x86_64 Version 8 1 0 Release 0 14el5dsrv Size 136M Repo installed Install and configure Red Hat Directory Server 8 1 if a directory service is not already available For example yum install redhat ds setup ds admin pl Go through the configuration wizard the default settings are fine for the Certificate System needs Installing Red Hat Dire...

Page 23: ... 2 6 SELinux Settings SELinux policies for Certificate System subsystems are installed as a dependency for Certificate System 8 0 in the pki selinux package The SELinux policies are automatically configured whenever a new instance is created by the pkicreate command Red Hat recommends running Certificate System with SELinux in enforcing mode to make the most of the security policies If SELinux is ...

Page 24: ... jaf jakarta commons logging tomcat5 server classpathx mail jakarta commons modeler velocity eclipse ecj jakarta commons pool werken xpath geronimo specs jdom wsdl4j xalan j2 geronimo specs compat jakarta commons beanutils xerces j2 jakarta commons collections ldapjdk xml commons jakarta commons daemon log4j xml commons apis jakarta commons dbcp mx4j xml commons resolver jakarta commons digester R...

Page 25: ...em is not a CA then it is necessary to select a CA from a drop down menu or add an external CA If a Certificate System CA is selected then supply the CA agent username and password Subsystem information for TPS configuration When installing a TPS you must have already configured the other subsystem and have their bind information available The CA The TKS required The DRM optional for server side k...

Page 26: ...iles in the filesystem of its host machine when first using the internal token These files were created during the Certificate System subsystem configuration if the internal token was selected for key pair generation In the Certificate System the certificate database is named cert8 db the key database is named key3 db These files are located in the instanceID alias directory 2 5 1 2 External Token...

Page 27: ...ate Manager 2 5 2 Using Hardware Security Modules with Subsystems The Certificate System supports the nCipher netHSM hardware security module HSM by default Certificate System supported HSMs are automatically added to the secmod db database with modutil during the pre configuration stage of the installation if the PKCS 11 library modules are in the default installation paths During configuration t...

Page 28: ...figuring the subsystems 1 Check that the LunaSA module has been properly installed modutil dbdir var lib subsystem_name alias list Listing of PKCS 11 Modules 1 NSS Internal PKCS 11 Module slots 2 slots attached status loaded slot NSS Internal Cryptographic Services token NSS Generic Crypto Services slot NSS User Private Key and Certificate Services token NSS Certificate DB 2 lunasa library name us...

Page 29: ...s to the server Server Cert instanceID The new value includes a reference to the LunaSA HSM lunasa3 ca Server Cert instanceID 3 Start the server service subsystem_name start 2 5 2 3 Installing External Tokens and Unsupported HSM To use HSMs which are not officially supported by the Certificate System add the module to the subsystem database manually If the desired HSM does not appear in the Securi...

Page 30: ... libCryptoki2 so For an nCipher HSM modutil dbdir nocertdb add nethsm libfile opt nfast toolkits pkcs11 libcknfast so 2 5 2 4 Setting up SELinux on nCiper netHSM 2000 SELinux policies are created and configured automatically for all Certificate System instances so Certificate System can run with SELinux in enforcing or permissive modes If SELinux is in enforcing mode than any hardware tokens to be...

Page 31: ... installed as well as information on the corresponding tokens using the modutil tool modutil dbdir nocertdb list 2 5 4 Detecting Tokens To see if a token can be detected by Certificate System use the TokenInfo utility This is a Certificate System tool which is available after the Certificate System packages are installed TokenInfo This utility will return all tokens which can be detected by the Ce...

Page 32: ...22 ...

Page 33: ...ed Hat Directory Server This can be on a different machine from the Certificate System which is the recommended scenario for most deployments 2 Download the Certificate System packages from the Red Hat Network channel Each subsystem has its own packages as well as dependencies and related packages These are listed in Section 2 3 Packages Installed on Red Hat Enterprise Linux 3 Install the packages...

Page 34: ...available when it is configured so this is the last subsystem to set up See Section 3 6 Configuring a TPS for the process on installing and configuring the TPS The order in which subsystems are configured is very important because of the basic relationships which are established between subsystems at the time they are installed For example every subsystem depends on a certificate authority the TPS...

Page 35: ...allation process automatically creates a new user pkiuser and group pkiuser All default Certificate System instances run as this user and group 3 2 1 Installing through yum NOTE pkicreate is launched by the installer to create the default instances using default settings There is an environment variable DONT_RUN_PKICREATE which stops the pkicreate script from running automatically after the subsys...

Page 36: ... URL to access the new instance is printed to the screen which gives the subsystem instances hostname port and a login PIN to access the configuration wizard PKI instance creation Utility PKI instance creation completed Starting instance_name OK instance_name pid 17990 is running instance_name must still be CONFIGURED see var log instance_name install log Before proceeding with the configuration m...

Page 37: ... an ECC signing certificate it can issue both RSA and ECC client certificates To enable ECC for the CA load an ECC module first described in Section 4 2 Installing a CA with ECC Enabled and then configure the CA Subsystem configuration is done by accessing a unique web based configuration page for the instance The only supported web browser for subsystem configuration is Mozilla Firefox 1 Install ...

Page 38: ...ion 28 The default CA instance must create a new security domain Subsequent CAs can create a new domain or join an existing security domain but it is recommended that each CA have its own security domain 4 Enter a name for the new instance ...

Page 39: ...rather than submitting its certificates to a third party CA for issuance Subsequent CAs can be subordinate CAs to that root There are many other options depending on the PKI environment For a CA there are two possible configuration options Root CA A root CA signs its own CA signing certificate and therefore can set its own certificate issuance rules ...

Page 40: ... server which will be used for the instance s internal database This requires connection information for the Directory Server instance such as the hostname port number bind DN username and password This step also creates a database in the Directory Server and a corresponding base directory entry base DN to use for the subsystem s entries The hostname can be the fully qualified domain name or an IP...

Page 41: ... hardware tokens and databases is given IMPORTANT Any hardware tokens used with the instance must be configured before configuring the subsystem instance If the HSM is not properly configured it may not be listed in the key stores panel or the instance may not function properly HSM configuration is described in Section 2 5 2 Using Hardware Security Modules with Subsystems To determine whether a to...

Page 42: ...expand the form so each key pair is listed The default RSA key size is 2048 and for ECC 256 NOTE An ECC CA signing certificate can be used to sign both ECC and RSA certificates If you do not want to use the ECC client certificate that is generated at installation simply replace the client certificate after configuration and keep the ECC CA signing certificate An ECC module must be loaded for ECC c...

Page 43: ...lgorithms are as follows SHA256withRSA the default SHA1withRSA SHA256withRSA SHA512withRSA MD5withRSA MD2withRSA For ECC SHA256withEC the default SHA1withEC SHA384withEC SHA512withEC 9 Optionally change the subject names for the certificates NOTE Certificate nicknames must be unique and changing the default nicknames is one way to ensure that ...

Page 44: ...ed paste the certificates into this panel to add them to the CA database and then proceed with the installation Click Apply to view the certificates as they are imported 11 If the subsystem will ever be cloned or as a protection if keys or certificates are ever lost back up the keys and certificates when prompted It is also possible to extract these keys later as long as they are not stored on an ...

Page 45: ...he information for the new subsystem administrator 13 Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration 14 When the configuration is complete restart the subsystem ...

Page 46: ...create the default subsystem instance automatically A URL to access the new instance is printed to the screen which gives the subsystem instances hostname port and a login PIN to access the configuration wizard https server example com 12889 ra admin console config login pin kI7E1MByNIUcPJ6RKHmH 2 Open the configuration wizard using the URL returned by the package installation https server example...

Page 47: ...ng an RA 37 The hostname for the security domain CA can be the fully qualified domain name or an IPv4 or IPv6 address if IPv6 was configured before the packages were installed 4 Enter a name for the new instance ...

Page 48: ...other subsystems do 7 Select the token which will store the Certificate System certificates and keys a list of detected hardware tokens and databases is given IMPORTANT Any hardware tokens used with the instance must be configured before configuring the subsystem instance If the HSM is not properly configured it may not be listed in the key stores panel or the instance may not function properly HS...

Page 49: ...urity modules The discovery process assumes that the client software installations for these modules are local to the Certificate System subsystem and are in the following locations LunaSA usr lunasa lib libCryptoki2 so nCipher opt nfast toolkits pkcs11 libcknfast so 8 Set the key size The default RSA key size is 2048 ...

Page 50: ...Chapter 3 Installation and Configuration 40 9 Optionally change the subject names for the certificates ...

Page 51: ...t nicknames is one way to ensure that Having unique certificate nicknames is vital for using an HSM since any nickname conflicts even for subsystems on different servers will cause configuration to fail 10 The next panels generate and show certificate requests certificates and key pairs ...

Page 52: ...cannot go forward until they are received from the CA When they are issued paste the certificates into this panel to add them to the subsystem database and then proceed with the installation Click Apply to view the certificates as they are imported 11 Provide the information for the new subsystem administrator ...

Page 53: ...3 5 Configuring a DRM OCSP or TKS Subsystem configuration is done by accessing a unique web based configuration page for the instance The only supported web browser for subsystem configuration is Mozilla Firefox IMPORTANT Before any DRM OCSP or TKS subsystem can be set up a Certificate System CA must be installed configured and running These subsystems depend on the CA to issue their certificates ...

Page 54: ... admin console config login pin kI7E1MByNIUcPJ6RKHmH 2 Open the configuration wizard using the URL returned by the package installation http server example com 10180 kra admin console config login pin kI7E1MByNIUcPJ6RKHmH Alternatively log into the setup wizard through admin link on the services page and supply the preop pin value from the var lib subsystem_name conf CS cfg file when prompted http...

Page 55: ...ation for the LDAP server which will be used for the instance s internal database This requires connection information for the Directory Server instance such as the hostname port number bind DN username and password This step also creates a database in the Directory Server and a corresponding base directory entry base DN to use for the subsystem s entries ...

Page 56: ...access If the Red Hat Directory Server instances is on a different server or network than the Certificate System subsystem then make sure that the Certificate System host s firewall allows access to whatever LDAP port was set in the previous configuration panel Installation will not complete if iptables is not configured properly To configure iptables see the Red Hat Enterprise Linux Deployment Gu...

Page 57: ...systems To determine whether a token is detected by the Certificate System use the TokenInfo tool as described in Section 2 5 4 Detecting Tokens The Certificate System automatically discovers Safenet s LunaSA and nCipher s netHSM hardware security modules The discovery process assumes that the client software installations for these modules are local to the Certificate System subsystem and are in ...

Page 58: ...pter 3 Installation and Configuration 48 9 Optionally change subject names to the listed certificates NOTE Certificate nicknames must be unique and changing the default nicknames is one way to ensure that ...

Page 59: ... show certificate requests certificates and key pairs If an external CA is used to issue the certificates configuration cannot go forward until they are received from the CA When they are issued paste the certificates into this panel to add them to the subsystem database and then proceed with the installation Click Apply to view the certificates as they are imported 11 Provide the information for ...

Page 60: ...PS Subsystem configuration is done by accessing a unique web based configuration page for the instance The only supported web browser for subsystem configuration is Mozilla Firefox IMPORTANT Before the TPS can be set up a Certificate System CA and TKS must be installed and configured If you want to enable server side key generation then the DRM must also be installed and configured The TPS configu...

Page 61: ...e config login pin kI7E1MByNIUcPJ6RKHmH Alternatively log into the setup wizard through admin link on the services page and supply the preop pin value from the var lib pki tps conf CS cfg file when prompted http server example com 7888 tps services 3 Join an existing security domain by entering the CA information This URL can be identified by running service pki ca status on the CA s host the secu...

Page 62: ... CA which will issue renew and revoke certificates for token operations requested through the TPS subsystem 6 Supply information about the TKS which will manage the TPS keys Select the TKS from the drop down menu of TKS subsystems within the security domain ...

Page 63: ...ain The hostname for the DRM can be the fully qualified domain name or an IPv4 or IPv6 address 8 Fill in the Directory Server authentication directory This directory is used by the TPS to authenticate users which access the Enterprise Security Client and as an additional database for certificates and keys This Directory Server instance is not the same Directory Server instance used as the TPS s in...

Page 64: ...ormation for the LDAP server which will be used for the instance s internal database This requires connection information for the Directory Server instance such as the hostname port number bind DN username and password This step also creates a database in the Directory Server and a corresponding base directory entry base DN to use for the subsystem s entries ...

Page 65: ...e Red Hat Directory Server instances is on a different server or network than the Certificate System subsystem then make sure that the Certificate System host s firewall allows access to whatever LDAP port was set in the previous configuration panel Installation will not complete if iptables is not configured properly To configure iptables see the Red Hat Enterprise Linux Deployment Guide such as ...

Page 66: ...urity Modules with Subsystems To determine whether a token is detected by the Certificate System use the TokenInfo tool as described in Section 2 5 4 Detecting Tokens The Certificate System automatically discovers Safenet s LunaSA and nCipher s netHSM hardware security modules The discovery process assumes that the client software installations for these modules are local to the Certificate System...

Page 67: ...ificates NOTE Certificate nicknames must be unique and changing the default nicknames is one way to ensure that Having unique certificate nicknames is vital for using an HSM since any nickname conflicts even for subsystems on different servers will cause configuration to fail ...

Page 68: ... used to issue the certificates configuration cannot go forward until they are received from the CA When they are issued paste the certificates into this panel to add them to the TPS database and then proceed with the installation Click Apply to view the certificates as they are imported 14 Provide the information for the new subsystem administrator ...

Page 69: ...ficate into the browser and complete the configuration 16 When the configuration is complete restart the subsystem service pki tps restart IMPORTANT The new instance is not active until it is restarted and weird behaviors can occur if you try to use the instance without restarting it first ...

Page 70: ...60 ...

Page 71: ... considerations covered in the Certificate System Deployment Guide All subsystem certificates can be submitted to an external CA when the subsystem is configured When the certificates are generated from a CA outside the Certificate System deployment or from a Certificate System CA in a different security domain then the configuration process does not occur in one sitting The configuration process ...

Page 72: ... the CA signing certificate is listed with an action required label Once that certificate is generated the other certificates for the CA will be automatically generated For other subsystems each subsystem certificate has an action required label and must be submitted to the external CA ...

Page 73: ... contain the leaf certificate the certificate being requested 12 After retrieving the issued certificates click the Step 3 Paste in the base 64 encoded certificate link and paste in the new certificate this should be only the new certificate not a certificate chain 13 For the CA this only has to be done for the signing certificate For the other subsystems repeat steps 9 10 and 12 for each certific...

Page 74: ... any subsystem operations which require the ECC module will fail 4 2 1 Loading a Third Party ECC Module 1 Copy the third party module to a common directory like usr lib for 32 bit systems or usr lib64 for 64 bit systems 2 Create a new CA instance by running pkicreate but do not go through the configuration wizard 3 Stop the CA service pki ca stop 4 The CA runs as the pkiuser user As root create a ...

Page 75: ...be listed as an available token Select that module for the key store In the Key Pairs panel ECC should be listed as an option to use to generate the keys used for the CA s certificates Select the ECC key type 12 After completing the configuration for the CA try to log into the CA console pkiconsole https server example com 9445 ca This fails because the console is not yet configured to run with EC...

Page 76: ...rty module in the CA s security databases so it is available for the configuration modutil dbdir nocertdb add certicom libfile usr lib libsbcpgse so This creates a certicom directory in the new pkiuser home directory 8 Certicom s ECC module includes an initpin file copy this into the new pkiuser directory and give it execute permissions For example cp tmp initpin usr share pki pkiuser chmod x init...

Page 77: ...t has been properly loaded The module is in security databases in the subsystem s alias directory For example modutil dbdir var lib pki ca alias list certicom 12 Add the password for the ECC token to the subsystem s password file Escape any spaces or special characters in the name For example vim etc pki ca password conf hardware Certicom FIPS Cert Key Services secret The hardware prefix is requir...

Page 78: ...om libfile usr lib libsbcpgse so Now logging into the console succeeds 18 The web browser used to access administrative and agent services pages also needs to be configured to support ECC a Create a user for the browser profile such as agent pki b Launch Firefox and create a profile for this user this automatically creates the required security databases and directory c Set the root home directory...

Page 79: ...orithm Used for Subsystem Keys When a CA is installed along with determining the key type and size the hashing algorithm for the key pair is set However for other subsystems the hashing algorithm is not configurable so they use whatever the default is for the CA which issues their certificates Instead of using the CA s hashing algorithm it is possible to edit the profiles used to generate the subs...

Page 80: ...HA512withRSA MD5withRSA MD2withRSA For ECC SHA256withEC the default SHA1withEC SHA384withEC SHA512withEC 4 4 Enabling IPv6 for a Subsystem Certificate System automatically configures and manages connections between subsystems Every subsystem must interact with a CA as members of a security domain and to perform their PKI operations For these connections Certificate System subsystems can be recogni...

Page 81: ...UN_PKICREATE variable so that the new instances can be created export DONT_RUN_PKICREATE 0 6 Run pkicreate to create the new instance The values for the server hostname in the CS cfg file will be set to the IPv6 address 4 5 Configuring Separate RA Instances When an RA is installed or created it is automatically added to a default Registration Managers Group on the CA This means that all RA manager...

Page 82: ...t to utilize the new RA authentication instance a Open the CA profiles directory cd var lib pki ca profiles ca b Copy the current RA profile to create the new profile For example cp caDualRAuserCert cfg caDualRA2userCert cfg c Edit the new file to contain the second RA instance s information Change raCertAuth to ra2CertAuth 5 Open the CA configuration directory and edit the CS cfg file cd var lib ...

Page 83: ... param name AuthMgr param name param value TokenAuth param value init param init param param name GroupName param name param value Registration Manager2 Agents param value init param init param param name AuthzMgr param name param value BasicAclAuthz param value init param init param param name resourceID param name param value certServer ca registerUser param value init param servlet c At about l...

Page 84: ...wal approve_request 0 profileId caDualRAuser2Cert request user approve_request 0 profileId caDualRA2userCert 12 Restart the new RA instance For example service pki ra2 restart 13 A URL was generated at the end of the pkicreate command go to that URL to configure the second RA For example http server example com 12898 ra admin console config login pin bFyAk9nWPfgLZXffRBT9 14 When the new RA is comp...

Page 85: ...ces with their predefined settings The pkicreate script can be invoked after the packages are installed to create additional individual subsystem instances with user defined settings like the configuration and log directories and port numbers After the instance is created it is then configured through the HTML based configuration wizard or by using the pkisilent script The syntax for pkicreate is ...

Page 86: ... specified For CAs only an end entities client authentication port is also required with the ee_secure_client_auth_port option ee_secure_port 1 Sets the SSL port for the end entities web services If this is specified then both agent_secure_port and admin_secure_port must be specified For CAs only an end entities client authentication port is also required with the ee_secure_client_auth_port option...

Page 87: ...ers For more information on the pkicreate tool options see the Certificate System Command Line Tools Guide 5 2 Running pkicreate for a Single SSL Port 1 Run the pkicreate command specifying the type of subsystem being created the configuration directory instance name and port numbers For example this created a second DRM instance pkicreate pki_instance_root var lib pki drm2 subsystem_type kra pki_...

Page 88: ...port 9544 ee_secure_port 9543 ee_secure_client_auth_port 9546 unsecure_port 9180 tomcat_server_port 1802 verbose 2 When the instance is successfully created the process returns a URL for the HTML configuration page For example http server example com 10180 kra admin console config login pin nt2z2keqcqAZiBRBGLDf TIP The configuration URL is written to the end of the instance s installation file var...

Page 89: ...nistrative tasks without interrupting the services of the overall PKI system NOTE All of the subsystems except the TPS and RA can be cloned Cloning is one method of providing scalability to the PKI by assigning the same task such as handling certificate requests to separate instances on different machines The internal databases for the master and its clones are replicated between each other so the...

Page 90: ...ys as the master so their certificates are identical For CAs that means that the CA signing certificates are identical for the original master CA and its cloned CAs From the perspectives of clients these look like a single CA Every CA both cloned and master can issue certificates and process revocation requests The main issue with managing cloned CAs is how to assign serial numbers to the certific...

Page 91: ...out the recovery operation 6 1 3 Cloning for Other Subsystems There is no real operational difference between masters and clones for TKSs the information created or maintained on one is replicated along the other servers For OCSPs only the master OCSP receives CRL updates and then the published CRLs are replicated to the clones 6 1 4 Cloning and Key Stores Cloning a subsystem creates two server pr...

Page 92: ...e is first created If the keys were not exported then or if the backup file is lost then it is possible to extract the keys from the internal software database for the subsystem instance using the PKCS12Export command For example PKCS12Export debug d var lib subsystem_name alias w p12pwd txt p internal txt o master p12 The PKCS 12 file in this example master p12 can then be copied to the clone ins...

Page 93: ...to pkiuser For example chown pkiuser pkiuser example p12 6 Open the setup wizard URL which was returned when the instance was created For example http server example com 9180 ca admin console config login pin HIsd90RJSioDK 7 In the Security Domain panel add the clone to the same security domain to which the master belongs 8 The Subsystem Type panel sets whether to create a new instance or a clone ...

Page 94: ... spin endlessly and never complete if localhost is used for the internal database location even if the LDAP database is indeed installed on the localhost Use the the fully qualified domain name for the LDAP database in the Internal Database panel when configuring a clone 11 Edit the CS cfg file for the clone Certain parameters must be added to the clone configuration to disable caching and generat...

Page 95: ...ick Update Certificate Revocation List Find the CRL in the list The CRL should show the certificate revoked by the cloned Certificate Manager If that certificate is not listed check logs to resolve the problem 6 4 Cloning OCSP Subsystems 1 Configure the master OCSP as described in Section 3 5 Configuring a DRM OCSP or TKS and back up the keys 2 In the CS cfg file for the master OCSP set the OCSP R...

Page 96: ...xample p12 6 Open the setup wizard URL which was returned when the instance was created For example http server example com 11180 ocsp admin console config login pin IOjh7fIOjkld90k 7 In the Security Domain panel add the clone to the same security domain to which the master belongs 8 The Subsystem Type panel sets whether to create a new instance or a clone select the clone radio button 9 Give the ...

Page 97: ...panel when configuring a clone 11 Edit the CS cfg file for the clone Set the OCSP Responder store defStore refreshInSec parameter in the clone instance to 21600 vim etc subsystem_name CS cfg OCSP Responder store defStore refreshInSec 21600 12 Restart the clone instance service subsystem_name start After configuring the clone test to make sure that the master clone relationship is functioning 1 Set...

Page 98: ...gured Alternatively the keys can be exported using the PKCS12Export command as in Section 6 2 Exporting Keys from a Software Database 4 Make sure the PKCS 12 file is accessible by the Certificate System user If necessary change the file permissions to pkiuser For example chown pkiuser pkiuser example p12 5 Open the setup wizard URL which was returned when the instance was created For example http ...

Page 99: ...p file which was saved when the master instance was created or that were exported in 3 If the keys are stored on an HSM that is accessible to the clone then they are picked up automatically NOTE When cloning a DRM the master and clone instances have the same storage and transport keys ...

Page 100: ...quest type and status 4 Click Submit 5 Compare the results from the cloned DRM and the master DRM The results ought to be identical For the TKS enroll a smart card and then run an ldapsearch to make sure that the same key information is contained in both databases 6 6 Converting Masters and Clones There can be any number of clones but there can only be a single configured master For DRMs and TKSs ...

Page 101: ...A server service subsystem_name stop 5 Open the cloned CA s configuration directory cd etc subsystem_name 6 Edit the CS cfg file to configure the clone as the new master a Delete each line which begins with the ca crl prefix b Copy each line beginning with the ca crl prefix from the former master CA CS cfg file into the cloned CA s CS cfg file c Enable control of the database maintenance thread th...

Page 102: ...nSec 21600 4 Stop the online cloned OCSP server service subsystem_name stop 5 Open the cloned OCSP responder s configuration directory cd etc subsystem_name 6 Open the CS cfg file and delete the OCSP Responder store defStore refreshInSec parameter or change its value to any non zero number OCSP Responder store defStore refreshInSec 15000 7 Start the new master OCSP responder server service subsyst...

Page 103: ... clone CA service subsystem_name stop Always stop a subsystem instance before editing its configuration files 2 Copy all of the ca connecter KRA parameters for the new DRM connection in the CS cfg for the master CA over to the clone CA CS cfg file 3 Restart the clone CA service subsystem_name restart ...

Page 104: ...94 ...

Page 105: ...the subsystem s default settings and users There are two template files that are shell scripts for silent configuration usr share pki silent pki_silent template and usr share pki silent subca_silent template Both of these templates have detailed information on parameters and usage options for pkisilent pkisilent Configuretype parameters to configure the subsystem URL parameters to configure the ad...

Page 106: ...nitial configuration This PIN is part of the output of pkicreate at the end of the configuration URL It can also be found in the URL in the installation file for the instance var log subsystem_name install log token_name Gives the name of the HSM token used to store the subsystem certificates This is only required for hardware tokens if this parameter is not given then the script automatically use...

Page 107: ... the Directory Server this is normally the Directory Manager ID bind_password The bind DN password base_dn The entry DN under which to create all of the subsystem entries db_name The database name Subsystem Certificates and Keys Configuration key_size The size of the key to generate The recommended size for an RSA key is 1048 bits for regular operations and 2048 bits for sensitive operations key_t...

Page 108: ..._cert_subject_name The subject names for the DRM subsystem certificates tks_subsystem_cert_subject_name tks_server_cert_subject_name tks_audit_signing_cert_subject_name The subject names for the TKS subsystem certificates tps_subsystem_cert_subject_name tps_server_cert_subject_name tps_subsystem_cert_nickname tps_server_cert_nickname The subject names and nicknames for the TPS subsystem certificat...

Page 109: ...rocess ext_ca_cert_file The input file for the certificates issued by the external CA Step two of the silent configuration process ext_ca_cert_chain_file The input file for the CA certificate chain for the external CA issuing the certificate Step two of the silent configuration process Cloning Configuration clone Sets whether the new instance is a clone Its possible values are true or false If thi...

Page 110: ...different in name the configuration concepts like cloning or generating certificates are the same NOTE Any spaces in the arguments used with pkisilent must be escaped Example 7 2 Configuring a Root CA configures a CA creates a new security domain backs up its keys and self signs its certificates pkisilent ConfigureCA cs_hostname localhost cs_port 9445 subsystem_name pki ca2 client_certdb_dir tmp c...

Page 111: ...admin_port 9445 sd_agent_port 9443 sd_ssl_port 9444 sd_admin_name admin sd_admin_password secret admin_user admin admin_email admin example com admin_password secret agent_key_size 2048 agent_key_type rsa agent_cert_subject cn ra agent cert ca_hostname server example com ca_port 9180 ca_ssl_port 9443 key_size 2048 key_type rsa ra_subsystem_cert_subject_name cn ra subsystem cert o testca domain ra_...

Page 112: ...nternal LDAP directories is the same as with any other subsystem configuration For example pkisilent ConfigureCA cs_hostname localhost cs_port 9445 subsystem_name clone ca2 client_certdb_dir tmp client_certdb_pwd password preop_pin sYY8er834FG9793fsef7et5 sd_hostname domain example com sd_admin_port 9445 sd_agent_port 9443 sd_ssl_port 9444 sd_admin_name admin sd_admin_password secret admin_user ad...

Page 113: ...nal CA 2 The certificate requests are submitted to the external CA and the issued certificates are retrieved and saved to file 3 The newly issued subsystem certificates are installed in the instance by referencing the saved certificate file in the ext_ca_cert_file parameter This is also when the final configuration creating the administrator user is performed For example step 1 pkisilent Configure...

Page 114: ...104 ...

Page 115: ...t just the subsystem packages For all supported platforms individual Certificate System packages may be updated through the native package utility yum NOTE All Certificate System instances must be stopped before beginning any updates The recommended way to update packages is to use yum to manage the updates 1 Stop all Certificate System instances service instance_ID stop 2 Log in as root 3 Run yum...

Page 116: ...moves all files associated with the instance without removing the subsystem packages pkiremove pki_instance_root pki_instance_root pki_instance_name pki_instance_ID force The pki_instance_root is the directory path of the instance such as var lib The pki_instance_name is the instance name such as pki ca TIP Use force with pkiremove to remove the instance without prompting for confirmation pkiremov...

Page 117: ...ompletely uninstalling Red Hat Certificate System or one of its subsystems requires using package management tools like yum to remove each package individually To uninstall an individual Certificate System subsystem packages 1 Remove all the associated subsystem instances using pkiremove For example pkiremove pki_instance_root var lib pki_instance_name pki ca 2 Run the uninstall utility For exampl...

Page 118: ...108 ...

Page 119: ... 00 00 00 123 456 789 00 9445 ca 9 2 Starting Stopping and Restarting an Instance The Certificate System subsystem instances can be stopped and started using system tools on Red Hat Enterprise Linux For example service instance name start stop restart The instance name for default subsystem instances is usually pki instance id such as pki ca 9 3 Starting the Subsystem Automatically Red Hat Enterpr...

Page 120: ...mely important or the subsystems will not function The Directory Server and Administration Server instances used by the subsystems must be running before the subsystems can be started and their web services Tomcat or Apache must be running before the subsystems are started or their web services will not function The default Certificate System chkconfig settings set a start and stop priority for al...

Page 121: ...ell as potentially regular users and administrators These web services can be accessed by opening the URL to the subsystem host over the subsystem s secure end user s port For example for the CA https server example com 9444 ca services TIP To get a complete list of all of the interfaces URLs and ports for a subsystem check the service s status service instance name status The main web services pa...

Page 122: ...ca 9445 Yes Configuration ca admin console config login pin pin 9445 Yes No Services ca services 9445 Yes No Console pkiconsole https host port ca Registration Manager 12888 No End Entities ee index cgi 12889 Yes Yes Agents agent index cgi 12889 Yes Yes Admin admin index cgi 12890 Yes Configuration ra admin console config login pin pin 12890 Yes End Entities ee index cgi 12890 Yes Services index c...

Page 123: ...port ocsp Token Key Service 13180 No End Entities 2 tks ee tks 13444 Yes No End Entities 2 tks ee tks 13443 Yes Yes Agents tks agent tks 13445 Yes Configuration tks admin console config login pin pin 13445 Yes No Services tks services 13445 Yes No Console pkiconsole https host port tks Token Processing System 7888 No Enterprise Security Client Phone Home cgi bin home index cgi 7890 Yes Enterprise ...

Page 124: ...cessed by a client sending an OCSP request The agent admin and operator services are all accessed through the same web services page Each role has a different tab on that page The role specific tab is visible to every user who is a member of that role Table 9 2 Default Web Services Pages 9 5 Default File and Directory Locations for Certificate System Certificate System servers consist of subsystem...

Page 125: ...Tomcat Port 9701 Instance Name pki ca Main Directory var lib pki ca Configuration Directory etc pki ca Configuration File etc pki ca CS cfg etc pki ca password conf Subsystem Certificates CA signing certificate OCSP signing certificate for the CA s internal OCSP service SSL server certificate Audit log signing certificate Subsystem certificate 1 Security Databases var lib pki ca alias Log Files va...

Page 126: ...s var log pki ra Install Logs var log pki ra install log Web Services Files var lib pki ra docroot var lib pki ra lib The subsystem certificate is always issued by the security domain so that domain level operations that require client authentication are based on this subsystem certificate Table 9 4 Default RA Instance Information 9 5 3 Default DRM Instance Information The default DRM configuratio...

Page 127: ...formation The default OCSP configuration is listed in Table 9 6 Default OCSP Instance Information Most of these values are unique to the default instance the default certificates and some other settings are true for every OCSP instance Setting Value Standard Port 11180 End Users Secure Port 11444 Agents Port 11443 Admin Port 11445 Tomcat Port 11701 Instance Name pki ocsp Main Directory var lib pki...

Page 128: ... tks Configuration Directory etc pki tks Configuration File etc pki tks CS cfg etc pki tks password conf Subsystem Certificates SSL server certificate Audit log signing certificate Subsystem certificate 1 Security Databases var lib pki tks alias Log Files var log pki tks Install Logs var log pki tks install log Process File var run pki tks pid The subsystem certificate is always issued by the secu...

Page 129: ...e System subsystem instances for general server operations listed in Table 9 9 Subsystem File Locations Directory Location Contents var lib instance_name Contains the main instance directory which is the location for user specific default and customized configuration files profiles certificate databases web files and other files for the subsystem instance usr share java pki Contains Java archive f...

Page 130: ...icate System subsystems Not used by the TPS or RA subsystems var lib tomcat5 server lib Contains Java archive files used by the local Tomcat web server and shared by the Certificate System subsystems Not used by the TPS or RA subsystems usr lib httpd modules usr lib64 httpd modules Contains Apache modules shared by TPS and RA subsystems Not used by the CA DRM OCSP or TKS subsystems usr lib mozldap...

Page 131: ...tallation 23 planning 6 installing external hardware tokens 19 internal tokens 16 K keys changing hashing algorithm 69 P PKCS 11 support 16 16 planning installation 6 S security domains 3 subsystems for certificates 1 Certificate Manager 3 Data Recovery Manager 3 Online Certificate Status Manager 4 overview 2 Registration Authority 3 subsystems for tokens 4 Enterprise Security Client 5 overview 5 ...

Page 132: ...122 ...

Reviews:

No comments