
9.6. Configuration for CMC


This section describes how to configure Certificate System for Certificate Management over CMS (CMC).

9.6.1. Understanding How CMC Works

Before configuring CMC, read the following documentation to learn more about the subject:
  • Requesting and Receiving Certificates Using CMC in the Certificate System Administration Guide (Common Criteria Edition).
  • Making Rules for Issuing Certificates (Certificate Profiles) in the Certificate System Administration Guide (Common Criteria Edition).

9.6.2. Enabling the PopLinkWitnessV2 Feature

For a higher level of security on the Certificate Authority (CA), enable the following option in the /var/lib/pki/instance_name/ca/conf/CS.cfg file:
cmc.popLinkWitnessRequired=true
With this option set, the CA requires CMC enrollment requests to carry the PopLinkWitnessV2 control (RFC 5272), which binds the proof of possession of the private key to the shared-secret identity proof. Because the witness value is derived from the shared secret, use this option together with the shared token feature described in Section 9.6.3.

9.6.3. Enabling the CMC Shared Secret Feature

To enable the shared token feature in a Certificate Authority (CA):
  1. If the watchdog service is enabled on the host, temporarily disable it. See Section 9.3.2.4, “Disabling the Watchdog Service”.
  2. Add the shrTok attribute to Directory Server's schema:
    # ldapmodify -D "cn=Directory Manager" -H ldaps://server.example.com:636 -W -x
    
    dn: cn=schema
    changetype: modify
    add: attributetypes
    attributetypes: ( 2.16.840.1.117370.3.1.123 NAME 'shrTok' DESC 'User
     Defined ObjectClass for SharedToken' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE X-ORIGIN 'custom for sharedToken')
  3. If the system keys are stored on a Hardware Security Module (HSM), set the cmc.token parameter in the /var/lib/pki/instance_name/ca/conf/CS.cfg file. For example:
    cmc.token=NHSM6000
  4. Enable the shared token authentication plug-in by using one of the following methods:
    • To enable the plug-in using the pkiconsole utility:
      1. Log into the CA using the pkiconsole utility. For example:
        # pkiconsole https://host.example.com:8443/ca
      2. On the Configuration tab, select Authentication.
      3. Click Add and select SharedToken.
      4. Click Next.
      5. Enter the following information:
        Authentication InstanceID=SharedToken
        shrTokAttr=shrTok
        ldap.ldapconn.host=server.example.com
        ldap.ldapconn.port=636
        ldap.ldapconn.secureConn=true
        ldap.ldapauth.bindDN=cn=Directory Manager
        password=password (the Directory Manager bind password; the value shown is a placeholder)
        ldap.ldapauth.authtype=BasicAuth
        ldap.basedn=ou=People,dc=example,dc=org
      6. Click OK.
    • To enable the plug-in manually, add the following settings to the /var/lib/pki/instance_name/ca/conf/CS.cfg file. Note that the bind password is not stored in the file: the bindPWPrompt setting makes the CA prompt for it when the instance starts.
      auths.impl.SharedToken.class=com.netscape.cms.authentication.SharedSecret
      auths.instance.SharedToken.dnpattern=
      auths.instance.SharedToken.ldap.basedn=ou=People,dc=example,dc=org
      auths.instance.SharedToken.ldap.ldapauth.authtype=BasicAuth
      auths.instance.SharedToken.ldap.ldapauth.bindDN=cn=Directory Manager
      auths.instance.SharedToken.ldap.ldapauth.bindPWPrompt=Rule SharedToken
      auths.instance.SharedToken.ldap.ldapauth.clientCertNickname=
      auths.instance.SharedToken.ldap.ldapconn.host=server.example.com
      auths.instance.SharedToken.ldap.ldapconn.port=636
      auths.instance.SharedToken.ldap.ldapconn.secureConn=true
      auths.instance.SharedToken.ldap.ldapconn.version=3
      auths.instance.SharedToken.ldap.maxConns=
      auths.instance.SharedToken.ldap.minConns=
      auths.instance.SharedToken.ldapByteAttributes=
      auths.instance.SharedToken.ldapStringAttributes=
      auths.instance.SharedToken.pluginName=SharedToken
      auths.instance.SharedToken.shrTokAttr=shrTok
  5. Set the nickname of an RSA issuance protection certificate in the ca.cert.issuance_protection.nickname parameter in the /var/lib/pki/instance_name/ca/conf/CS.cfg file. For example:
    ca.cert.issuance_protection.nickname=issuance_protection_certificate
    This step is:
    • Optional if you use an RSA certificate in the ca.cert.subsystem.nickname parameter.
    • Required if you use an ECC certificate in the ca.cert.subsystem.nickname parameter.

    Important

    If the ca.cert.issuance_protection.nickname parameter is not set, Certificate System automatically uses the subsystem certificate specified in ca.cert.subsystem.nickname. However, the issuance protection certificate must be an RSA certificate, so this fallback only works with an RSA subsystem certificate.
  6. Restart Certificate System:
    # systemctl restart pki-tomcatd@instance_name.service
    When the CA starts, Certificate System prompts for the LDAP password used by the Shared Token plug-in.
  7. If you temporarily disabled the watchdog service at the beginning of this procedure, re-enable it. See Section 9.3.2.1, “Enabling the Watchdog Service”.

9.6.4. Enabling CMCRevoke for the Web User Interface

As described in the Performing a CMC Revocation section in the Red Hat Certificate System Administration Guide (Common Criteria Edition), there are two ways to submit CMC revocation requests.
If you use the CMCRevoke utility to create revocation requests that are then submitted through the web UI, add the following setting to the /var/lib/pki/instance_name/ca/conf/CS.cfg file:
cmc.bypassClientAuth=true
As the name indicates, this setting bypasses TLS client-certificate authentication for that submission path, so the signed CMC revocation request itself is what authorizes the revocation. Leave the setting unset unless you use CMCRevoke in this way.
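The following shell script is an added example and is not part of the Red Hat documentation or of the Certificate System code base. It applies the CS.cfg keys from Sections 9.6.2 through 9.6.4 idempotently (replacing existing lines for a key instead of appending a second copy, which is the usual mistake when the settings are pasted by hand) and then audits the result against the requirements stated in those sections, including the rule that an ECC subsystem certificate requires an RSA issuance protection certificate. The file it edits is a constructed sample; the host name, base DN, token name and certificate nicknames are placeholders; the subsystem key type is supplied by the operator because it cannot be read from CS.cfg alone; and the check that insists on secureConn=true is the example's own policy, not a product requirement. The schema change from step 2 and the restart from step 6 are not performed.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation or the pki code base.
# Applies the CMC settings of sections 9.6.2-9.6.4 to a CS.cfg idempotently
# and audits the result. Runs entirely on a constructed sample file.

# set_cfg FILE KEY VALUE: write KEY=VALUE exactly once. All existing lines
# for KEY are replaced (duplicates collapsed); the key is appended if absent.
# The file is rewritten in place so owner and mode of CS.cfg are preserved.
# awk -v interprets backslash escapes, so VALUE must not contain backslashes.
set_cfg() {
    _tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        index($0, k "=") == 1 { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$1" > "$_tmp" && cat "$_tmp" > "$1"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# get_cfg FILE KEY: print the value of KEY (empty output if unset).
get_cfg() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# configure_cmc FILE LDAP_HOST BASEDN HSM_TOKEN IP_NICK
# HSM_TOKEN: value for cmc.token when the keys live on an HSM (empty = none, step 3).
# IP_NICK: ca.cert.issuance_protection.nickname (empty = fall back to the
# subsystem certificate, which then must be RSA, step 5). The bind password is
# never written: bindPWPrompt makes the CA ask for it at start-up (step 6).
configure_cmc() {
    _f=$1 _p=auths.instance.SharedToken
    set_cfg "$_f" cmc.popLinkWitnessRequired true                       # 9.6.2
    if [ -n "$4" ]; then set_cfg "$_f" cmc.token "$4"; fi                 # 9.6.3 step 3
    set_cfg "$_f" auths.impl.SharedToken.class com.netscape.cms.authentication.SharedSecret
    set_cfg "$_f" "$_p.pluginName" SharedToken
    set_cfg "$_f" "$_p.shrTokAttr" shrTok
    set_cfg "$_f" "$_p.ldap.basedn" "$3"
    set_cfg "$_f" "$_p.ldap.ldapauth.authtype" BasicAuth
    set_cfg "$_f" "$_p.ldap.ldapauth.bindDN" "cn=Directory Manager"
    set_cfg "$_f" "$_p.ldap.ldapauth.bindPWPrompt" "Rule SharedToken"
    set_cfg "$_f" "$_p.ldap.ldapconn.host" "$2"
    set_cfg "$_f" "$_p.ldap.ldapconn.port" 636
    set_cfg "$_f" "$_p.ldap.ldapconn.secureConn" true
    set_cfg "$_f" "$_p.ldap.ldapconn.version" 3
    for _k in dnpattern ldap.ldapauth.clientCertNickname ldap.maxConns \
              ldap.minConns ldapByteAttributes ldapStringAttributes; do
        set_cfg "$_f" "$_p.$_k" ""
    done
    if [ -n "$5" ]; then set_cfg "$_f" ca.cert.issuance_protection.nickname "$5"; fi
}

# check_cmc_cfg FILE SUBSYSTEM_KEY_TYPE: audit the CMC settings; print one
# finding per line and return 1 if any requirement is not met.
# SUBSYSTEM_KEY_TYPE (RSA or EC) is the key type of ca.cert.subsystem.nickname;
# the operator supplies it because CS.cfg does not record it.
check_cmc_cfg() {
    _f=$1 _kt=$2 _rc=0 _p=auths.instance.SharedToken
    [ "$(get_cfg "$_f" cmc.popLinkWitnessRequired)" = true ] ||
        { echo "cmc.popLinkWitnessRequired is not true (9.6.2)"; _rc=1; }
    [ "$(get_cfg "$_f" auths.impl.SharedToken.class)" = com.netscape.cms.authentication.SharedSecret ] ||
        { echo "SharedToken plug-in class is not registered (9.6.3 step 4)"; _rc=1; }
    [ -n "$(get_cfg "$_f" "$_p.shrTokAttr")" ] ||
        { echo "$_p.shrTokAttr is unset; it must name the attribute added in step 2"; _rc=1; }
    # Example policy, not a product requirement: the bind password and the
    # shared tokens travel over this connection, so insist on LDAPS.
    [ "$(get_cfg "$_f" "$_p.ldap.ldapconn.secureConn")" = true ] ||
        { echo "$_p.ldap.ldapconn.secureConn is not true: LDAP traffic would be in clear"; _rc=1; }
    if [ "$_kt" = EC ] && [ -z "$(get_cfg "$_f" ca.cert.issuance_protection.nickname)" ]; then
        echo "ECC subsystem certificate but no RSA issuance protection certificate (9.6.3 step 5)"
        _rc=1
    fi
    [ "$(get_cfg "$_f" cmc.bypassClientAuth)" != true ] ||
        echo "note: cmc.bypassClientAuth=true; only needed for CMCRevoke via the web UI (9.6.4)"
    return $_rc
}

# Constructed sample CS.cfg: a few keys, including a stale duplicate.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
ca.cert.subsystem.nickname=subsystemCert cert-pki-ca
cmc.popLinkWitnessRequired=false
auths.instance.SharedToken.ldap.ldapconn.secureConn=false
auths.instance.SharedToken.ldap.ldapconn.secureConn=false
EOF
configure_cmc "$CFG" server.example.com "ou=People,dc=example,dc=org" "" issuance_protection_certificate
if check_cmc_cfg "$CFG" EC; then echo "CMC settings in $CFG are consistent"; fi
grep -c '^auths.instance.SharedToken.ldap.ldapconn.secureConn=' "$CFG"   # prints 1: duplicate collapsed
rm -f "$CFG"
```

On a real instance, point configure_cmc at /var/lib/pki/instance_name/ca/conf/CS.cfg, pass the HSM token name from step 3 if the keys are on an HSM, run check_cmc_cfg with the actual subsystem key type, and then restart the instance as in step 6; the Directory Manager password is still entered at the start-up prompt because the script writes bindPWPrompt rather than a password.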