Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 18. Creating a role user

As explained in Section 2.6.6.1, “Default administrative roles”, a bootstrap user was created during the installation. After the installation, create real users and assign them proper system privileges. For compliance, each user must be a member of only one role (group).

This chapter instructs you how to:

  • Create a Certificate System administrative user on the operating system
  • Create a PKI role in Certificate System

This section is for administrative role users. Agent and Auditor role users, see Section 18.2, “Creating a PKI role user in Certificate System”.

In general, administrators, agents, and auditors in Certificate System can manage the Certificate System instance remotely using client applications, such as command-line utilities, the Java Console, and browsers. For the majority of CS management tasks, a Certificate System role user does not need to log on to the host machine where the instance runs. For example, an auditor role user is allowed to retrieve signed audit logs remotely for verification, and an agent role user can use the agent interface to approve a certificate issuance, while an administrator role user can use command-line utilities to configure a profile.

In certain cases, however, a Certificate System administrator requires to log in to the host system to modify configuration files directly, or to start or stop a Certificate System instance. Therefore, on the operating system, the administrator role user should be someone who is allowed to make changes to the configuration files and read various logs associated with Red Hat Certificate System.

Note

Do not allow the Certificate System administrators or anyone other than the auditors to access the audit log files.

  1. Create the pkiadmin group on the operating system. 

    # groupadd -r pkiadmin
    Copy to Clipboard Toggle word wrap

  2. Add the pkiuser to the pkiadmin group: 

    # usermod -a -G pkiadmin pkiuser
    Copy to Clipboard Toggle word wrap

  3. Create a user on the operating system. For example, to create the jsmith account: 

    # useradd -g pkiadmin -d /home/jsmith -s /bin/bash -c "Red Hat Certificate System Administrator John Smith" -m jsmith
    Copy to Clipboard Toggle word wrap

    For details, see the useradd(8) man page.

  4. Add the user jsmith to the pkiadmin group: 

    # usermod -a -G pkiadmin jsmith
    Copy to Clipboard Toggle word wrap

    For details, see the usermod(8) man page.

    If you are using a nCipher hardware security module (HSM), add the user who manages the HSM device to the nfast group: 

    # usermod -a -G nfast pkiuser
# usermod -a -G nfast jsmith
    Copy to Clipboard Toggle word wrap

  5. Add proper sudo rules to allow the pkiadmin group to Certificate System and other system services.

    For both simplicity of administration and security, the Certificate System and Directory Server processes can be configured so that PKI administrators (instead of only root) can start and stop the services.

    A recommended option when setting up subsystems is to use a pkiadmin system group. (Details are Section 6.5, “Certificate System operating system users and groups”). All of the operating system users which will be Certificate System administrators are then added to this group. If this pkiadmin system group exists, then it can be granted sudo access to perform certain tasks.

    1. Edit the /etc/sudoers file; on Red Hat Enterprise Linux, this can be done using the visudo command: 

      # visudo
      Copy to Clipboard Toggle word wrap

    2. Depending on what is installed on the machine, add a line for the Directory Server, the {ADS}, PKI management tools, and each PKI subsystem instance, granting sudo rights to the pkiadmin group: 

      # For Directory Server services
%pkiadmin ALL = PASSWD: /usr/bin/systemctl * dirsrv.target
%pkiadmin ALL = PASSWD: /usr/bin/systemctl * dirsrv-admin.service

# For PKI instance management
%pkiadmin ALL = PASSWD: /usr/sbin/pkispawn *
%pkiadmin ALL = PASSWD: /usr/sbin/pkidestroy *

# For PKI instance services
%pkiadmin ALL = PASSWD: /usr/bin/systemctl * pki-tomcatd@instance_name.service
      Copy to Clipboard Toggle word wrap
    Important

    Make sure to set sudo permissions for every Certificate System, Directory Server, and {ADS} on the machine -and only for those instances on the machine. There could be multiple instances of the same subsystem type on a machine or no instance of a subsystem type. It depends on the deployment.

  6. Set the group on the following files to pkiadmin: 

    # chgrp pkiadmin /etc/pki/ instance_name/server.xml
# chgrp -R pkiadmin /etc/pki/ instance_name/alias
# chgrp pkiadmin /etc/pki/ instance_name/subsystem/CS.cfg
# chgrp pkiadmin /var/log/pki/ instance_name/subsystem/debug
    Copy to Clipboard Toggle word wrap

After creating the administrative user on the operating system, follow Section 18.2, “Creating a PKI role user in Certificate System”.

18.2. Creating a PKI role user in Certificate System
Copier lien

To create a PKI role user, see the Managing Certificate System Users and Groups section in the Red Hat Certificate System Administration Guide.

Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat