Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

12.3. Managing Users and Groups for a CA, OCSP, KRA, or TKS

Many of the operations that users can perform are dictated by the groups that they belong to; for instance, agents for the CA manage certificates and profiles, while administrators manage CA server configuration.
Four subsystems — the CA, OCSP, KRA, and TKS — use the Java administrative console to manage groups and users. The TPS has web-based admin services, and users and groups are configured through its web service page.

12.3.1. Managing Groups
Link kopieren

12.3.1.1. Creating a New Group
Link kopieren

  1. Log into the administrative console. 
    pkiconsole https://server.example.com:8443/subsystem_type
    Copy to Clipboard Toggle word wrap
  2. Select Users and Groups from the navigation menu on the left.
  3. Select the Groups tab.
  4. Click Edit, and fill in the group information.
    View larger image
    It is only possible to add users who already exist in the internal database.
  5. Edit the ACLs to grant the group privileges. See Section 12.4.3, “Editing ACLs” for more information. If no ACIs are added to the ACLs for the group, the group will have no access permissions to any part of Certificate System.

12.3.1.2. Changing Members in a Group
Link kopieren

Members can be added or deleted from all groups. The group for administrators must have at least one user entry.
  1. Log into the administrative console.
  2. Select Users and Groups from the navigation tree on the left.
  3. Click the Groups tab.
  4. Select the group from the list of names, and click Edit.
  5. Make the appropriate changes.
    • To change the group description, type a new description in the Group description field.
    • To remove a user from the group, select the user, and click Delete.
    • To add users, click Add User. Select the users to add from the dialog box, and click OK.

12.3.2. Managing Users (Administrators, Agents, and Auditors)
Link kopieren

The users for each subsystem are maintained separately. Just because a person is an administrator in one subsystem does not mean that person has any rights (or even a user entry) for another subsystem. Users can be configured and, with their user certificates, trusted as agents, administrators, or auditors for a subsystem.

12.3.2.1. Creating Users
Link kopieren

After you installed Certificate System, only the user created during the setup exists. This section describes how to create additional users.

Note

For security reasons and audit trails, create individual accounts for Certificate System users and administrators.
12.3.2.1.1. Creating Users Using the Command Line
Link kopieren
To create a user using the command line:
  1. Add a user account. For example, to add the example user to the CA: 
    # pki -c password -n caadmin \
     ca-user-add example --fullName "Example User"
---------------------
Added user "example"
---------------------
  User ID: example
  Full name: Example User
    Copy to Clipboard Toggle word wrap
    This command uses the caadmin user to add a new account.
  2. Optionally, add a user to a group. For example, to add the example user to the Certificate Manager Agents group: 
    # pki -p password -n "caadmin" \
     user-add-membership example Certificate Manager Agents
    Copy to Clipboard Toggle word wrap
  3. Create a certificate request:
    • If a Key Recovery Authority (KRA) exists in your Certificate System environment: 
      # CRMFPopClient -d ~/.dogtag/pki-instance_name/ -p password \
     -n "user_name" -q POP_SUCCESS -b kra.transport -w "AES/CBC/PKCS5Padding" \
     -v -o ~/user_name.req
      Copy to Clipboard Toggle word wrap
      This command stores the Certificate Signing Request (CSR) in the CRMF format in the ~/user_name.req file.
    • If no Key Recovery Authority (KRA) exists in your Certificate System environment: 
      # PKCS10Client -d ~/.dogtag/pki-instance_name/ -p password \
     -n "user_name" -o ~/user_name.req
      Copy to Clipboard Toggle word wrap
      This command stores the CSR in pkcs10 format in the ~/user_name.req file.
  4. Create an enrollment request:
    1. Create the ~/cmc.role_crmf.cfg file with the following content: 
      #numRequests: Total number of PKCS10 requests or CRMF requests.
numRequests=1

#input: full path for the PKCS10 request or CRMF request,
#the content must be in Base-64 encoded format
#Multiple files are supported. They must be separated by space.
input=~/user_name.req

#output: full path for the CMC request in binary format
output=~/cmc.role_crmf.req

#tokenname: name of token where agent signing cert can be found (default is internal)
tokenname=internal

#nickname: nickname for agent certificate which will be used
#to sign the CMC full request.
nickname=PKI Administrator for Example.com

#dbdir: directory for cert8.db, key3.db and secmod.db
dbdir=~/.dogtag/pki-instance_name/

#password: password for cert8.db which stores the agent
#certificate
password=password

#format: request format, either pkcs10 or crmf
format=crmf
      Copy to Clipboard Toggle word wrap
      Set the parameters based on your environment and the CSR format used in the previous step.
    2. Pass the previously created configuration file to the CMCRequest utility to create the CMC request: 
      # CMCRequest ~/cmc.role_crmf.cfg
      Copy to Clipboard Toggle word wrap
  5. Submit a Certificate Management over CMS (CMC) request:
    1. Create the ~/HttpClient_role_crmf.cfg file with the following content: 
      # #host: host name for the http server
host=server.example.com

#port: port number
port=8443

#secure: true for secure connection, false for nonsecure connection
secure=true

#input: full path for the enrollment request, the content must be in binary format
input=~/cmc.role_crmf.req

#output: full path for the response in binary format
output=~/cmc.role_crmf.resp

#tokenname: name of token where TLS client authentication cert can be found (default is internal)
#This parameter will be ignored if secure=false
tokenname=internal

#dbdir: directory for cert8.db, key3.db and secmod.db
#This parameter will be ignored if secure=false
dbdir=~/.dogtag/pki-instance_name/

#clientmode: true for client authentication, false for no client authentication
#This parameter will be ignored if secure=false
clientmode=true

#password: password for cert8.db
#This parameter will be ignored if secure=false and clientauth=false
password=password

#nickname: nickname for client certificate
#This parameter will be ignored if clientmode=false
nickname=PKI Administrator for Example.com

#servlet: servlet name
servlet=/ca/ee/ca/profileSubmitCMCFull
      Copy to Clipboard Toggle word wrap
      Set the parameters based on your environment.
    2. Submit the request to the CA: 
      # HttpClient ~/HttpClient_role_crmf.cfg
Total number of bytes read = 3776
after SSLSocket created, thread token is Internal Key Storage Token
client cert is not null
handshake happened
writing to socket
Total number of bytes read = 2523
MIIJ1wYJKoZIhvcNAQcCoIIJyDCCCcQCAQMxDzANBglghkgBZQMEAgEFADAxBggr
...
The response in data format is stored in ~/cmc.role_crmf.resp
      Copy to Clipboard Toggle word wrap
    3. Verify the result: 
      # CMCResponse ~/cmc.role_crmf.resp
Certificates:
    Certificate:
        Data:
            Version:  v3
            Serial Number: 0xE
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,OU=pki-instance_name Security Domain
            Validity:
                Not Before: Friday, July 21, 2017 12:06:50 PM PDT America/Los_Angeles
                Not  After: Wednesday, January 17, 2018 12:06:50 PM PST America/Los_Angeles
            Subject: CN=user_name
...
Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1
   Status: SUCCESS
      Copy to Clipboard Toggle word wrap
  6. Optionally, to import the certificate as the user to its own ~/.dogtag/pki-instance_name/ database: 
    # certutil -d ~/.dogtag/pki-instance_name/ -A -t "u,u,u" -n "user_name certificate" -i ~/cmc.role_crmf.resp
    Copy to Clipboard Toggle word wrap
  7. Add the certificate to the user record:
    1. List certificates issued for the user to discover the certificate's serial number. For example, to list certificates that contain the example user name in the certificate's subject: 
      pki -c password -n caadmin ca-user-cert-find example
-----------------
1 entries matched
-----------------
  Cert ID: 2;6;CN=CA Signing Certificate,O=EXAMPLE;CN=PKI Administrator,E=example@example.com,O=EXAMPLE
  Version: 2
  Serial Number: 0x6
  Issuer: CN=CA Signing Certificate,O=EXAMPLE
  Subject: CN=PKI Administrator,E=example@example.com,O=EXAMPLE
----------------------------
Number of entries returned 1
      Copy to Clipboard Toggle word wrap
      The serial number of the certificate is required in the next step.
    2. Add the certificate using its serial number from the certificate repository to the user account in the Certificate System database. For example, for a CA user: 
      pki -c password -n caadmin ca-user-cert-add example --serial 0x6
      Copy to Clipboard Toggle word wrap
12.3.2.1.2. Creating Users Using the Console
Link kopieren
To create a user using the PKI Console:
  1. Log into the administrative console. 
    pkiconsole https://server.example.com:8443/subsystem_type
    Copy to Clipboard Toggle word wrap
  2. In the Configuration tab, select Users and Groups. Click Add.
  3. Fill in the information in the Edit User Information dialog.
    View larger image
    Most of the information is standard user information, such as the user's name, email address, and password. This window also contains a field called User State, which can contain any string, which is used to add additional information about the user; most basically, this field can show whether this is an active user.
  4. Select the group to which the user will belong. The user's group membership determines what privileges the user has. Assign agents, administrators, and auditors to the appropriate subsystem group.
  5. Store the user's certificate.
    1. Request a user certificate through the CA end-entities service page.
    2. If auto-enrollment is not configured for the user profile, then approve the certificate request.
    3. Retrieve the certificate using the URL provided in the notification email, and copy the base-64 encoded certificate to a local file or to the clipboard.
    4. Select the new user entry, and click Certificates.
    5. Click Import, and paste in the base-64 encoded certificate.

12.3.2.2. Changing a Certificate System User's Certificate
Link kopieren

  1. Log into the administrative console.
  2. Select Users and Groups.
  3. Select the user to edit from the list of user IDs, and click Certificates.
  4. Click Import to add the new certificate.
  5. In the Import Certificate window, paste the new certificate in the text area. Include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines.

12.3.2.3. Renewing Administrator, Agent, and Auditor User Certificates
Link kopieren

There are two methods of renewing a certificate. Regenerating the certificate takes its original key and its original profile and request, and recreates an identical key with a new validity period and expiration date. Re-keying a certificate resubmits the initial certificate request to the original profile, but generates a new key pair. Administrator certificates can be renewed by being re-keyed.
Each subsystem has a bootstrap administrator user that was created at the time the subsystem was created. A new certificate can be requested for this user before their original one expires, using one of the default renewal profiles.
Certificates for administrative users can be renewed directly in the end user enrollment forms, using the serial number of the original certificate.
  1. Renew the admin user certificate. For details, seeSection 5.4, “Renewing Certificates”.
  2. Add the renewed user certificate to the user entry in the internal LDAP database.
    1. Open the console for the subsystem. 
      pkiconsole https://server.example.com:admin_port/subsystem_type
      Copy to Clipboard Toggle word wrap
    2. Configuration | Users and Groups | Users | admin | Certificates | Import
    3. In the Configuration tab, select Users and Groups.
    4. In the Users tab, double-click the user entry with the renewed certificate, and click Certificates.
    5. Click Import, and paste in the base-64 encoded certificate.
    This can also be done by using ldapmodify to add the renewed certification directly to the user entry in the internal LDAP database, by replacing the userCertificate attribute in the user entry, such as uid=admin,ou=people,dc=subsystem-base-DN.

12.3.2.4. Deleting a Certificate System User
Link kopieren

Users can be deleted from the internal database. Deleting a user from the internal database deletes that user from all groups to which the user belongs. To remove the user from specific groups, modify the group membership.
Delete a privileged user from the internal database by doing the following:
  1. Log into the administrative console.
  2. Select Users and Groups from the navigation menu on the left.
  3. Select the user from the list of user IDs, and click Delete.
  4. Confirm the delete when prompted.
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat