Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 6. Prerequisites for installation

The Red Hat Certificate System installation process requires some preparation of the environment. This chapter describes the requirements, dependencies, and other prerequisites for installing Certificate System in a Common Criteria environment.

6.1. Installing and subscribing the RHEL machines
Copier lien

Red Hat Certificate System requires Red Hat Enterprise Linux 8.6.

Prerequisites

Procedure

  1. On both machines, install RHEL 8 with all z-stream updates.

    1. Both BaseOS and AppStream repositories must be enabled (by default, those repositories are part of the full installation image that is available on the Red Hat Customer Portal and already enabled).
      For example, to verify that the BaseOS and Appstream repos are enabled for RHEL x86_64: 

      # subscription-manager repos --enable rhel-8-for-x86_64-baseos-rpms
      Copy to Clipboard Toggle word wrap 
      # subscription-manager repos --enable rhel-8-for-x86_64-appstream-rpms
      Copy to Clipboard Toggle word wrap

    2. Both machines should be registered and subscribed with a valid RHEL subscription.
      For example: 

      # subscription-manager register --username=<customer access portal username>
      Copy to Clipboard Toggle word wrap
      NOTE

      Check if Simple Content Access (SCA) mode is enabled on your account using: 

      # subscription-manager status
      Copy to Clipboard Toggle word wrap

      After registering with subscription-manager, if experiencing any issues installing packages from the enabled BaseOS and AppStream repositories, disable SCA in the subscription management page in the Access Portal. If you are not the administrator of your account, you will need to request the administrator to do so. Attach the pool ID containing your Red Hat Enterprise Linux subscription using the same method as outlined in the below step, and then try again to install the packages.

  2. Attach the Red Hat subscriptions to the system. If your system already has a subscription attached that provides Certificate System, or if Simple Content Access (SCA) is set to the default setting enabled, skip to step 3.

    1. List the available subscriptions and note the pool ID providing Red Hat Certificate System. For example: 

      # subscription-manager list --available --all

...
Subscription Name:   Red Hat Enterprise Linux Developer Suite
Provides:            ...
                     Red Hat Certificate System
                     ...
Pool ID:             7aba89677a6a38fc0bba7dac673f7993
Available:           1
...
      Copy to Clipboard Toggle word wrap

      Depending on the number of subscriptions you have, the output can be very long. In this case, you can redirect it to a file: 

      # subscription-manager list --available --all > /root/subscriptions.txt
      Copy to Clipboard Toggle word wrap

    2. Attach the Certificate System subscription to the system using the pool ID from the previous step: 

      # subscription-manager attach --pool=7aba89677a6a38fc0bba7dac673f7993

Successfully attached a subscription for: Red Hat Enterprise Linux Developer Suite
      Copy to Clipboard Toggle word wrap

  3. "Pin" the RHEL version to 8.6 by using the subscription-manager release --set command. For example: 

    # subscription-manager release --list
    Copy to Clipboard Toggle word wrap 
    # subscription-manager release --set 8.6
    Copy to Clipboard Toggle word wrap

    Verification: 

    # subscription-manager release --show
    Copy to Clipboard Toggle word wrap

  4. In addition, on rhcs10.example.com, install the environment group Server with GUI: 

    # dnf groupinstall "Server with GUI"
    Copy to Clipboard Toggle word wrap

6.2. Enabling the repositories
Copier lien

Before you can install and update Red Hat Certificate System, you must enable the corresponding repositories for Certificate System and Directory Server.

Prerequisites

Enabling online repositories:

If you are installing Red Hat Certificate System with online repositories, follow the below steps on the Certificate System and on the Directory Server machine:

  1. Enable the Certificate System repository on rhcs10.example.com: 

    # subscription-manager repos --enable certsys-10.x-for-rhel-8-x86_64-rpms
    Copy to Clipboard Toggle word wrap

    Where x denotes the latest Certificate System version. For example, to enable the Certificate System repository for Red Hat Certificate System 10.4, please use the below command: 

    # subscription-manager repos --enable certsys-10.4-for-rhel-8-x86_64-rpms

Repository 'certsys-10.4-for-rhel-8-x86_64-rpms' is enabled for this system.
    Copy to Clipboard Toggle word wrap

  2. Enable the Directory Server repository on rhds11.example.com: 

    # subscription-manager repos --enable=dirsrv-11-for-rhel-8-x86_64-rpms

Repository 'dirsrv-11-for-rhel-8-x86_64-rpms' is enabled for this system.
    Copy to Clipboard Toggle word wrap
Note

For compliance, only enable Red Hat approved repositories. You can only enable repositories approved by Red Hat through the subscription-manager utility.

ISO repositories

If you are installing RHCS with ISO repositories, follow the below steps:

  • On rhcs10.example.com:

    1. Create a repo file in /etc/yum.repos.d/: 

      # vi /etc/yum.repos.d/redhat.repo
      Copy to Clipboard Toggle word wrap 
      [rhcs10]

name=rhcs10
baseurl=http://rhcs10.example.com/rhcs10/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
skip_if_unavailable=1
      Copy to Clipboard Toggle word wrap

    2. Install the Apache web server, if it is not already installed on the system: 

      # dnf install httpd
      Copy to Clipboard Toggle word wrap

    3. Start the httpd service: 

      # service httpd start
      Copy to Clipboard Toggle word wrap

    4. Create a directory that will be used as the web root for hosting the ISO repository. For example: 

      # mkdir -p /var/www/html/rhcs10
      Copy to Clipboard Toggle word wrap

    5. Mount the ISO to the directory. For example: 

      # mount -o loop XXXXXXX-CertificateSystem-x86_64-dvd1.iso /var/www/html/rhcs10
      Copy to Clipboard Toggle word wrap

  • On rhds11.example.com:

    1. Create a repo file in /etc/yum.repos.d/: 

      # vi /etc/yum.repos.d/redhat.repo
      Copy to Clipboard Toggle word wrap 
      [rhds11]

name=rhds11
baseurl=http://rhds11.example.com/rhds11/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
skip_if_unavailable=1
      Copy to Clipboard Toggle word wrap

    2. Install the Apache web server, if it is not already installed on the system: 

      # dnf install httpd
      Copy to Clipboard Toggle word wrap

    3. Start the httpd service: 

      # service httpd start
      Copy to Clipboard Toggle word wrap

    4. Create a directory that will be used as the web root for hosting the ISO repository. For example: 

      # mkdir -p /var/www/html/rhds11
      Copy to Clipboard Toggle word wrap

    5. Mount the ISO to the directory. For example: 

      # mount -o loop XXXXXXX-DirectoryServer-x86_64-dvd1.iso /var/www/html/rhds11
      Copy to Clipboard Toggle word wrap

6.3. Setting the FQDN
Copier lien

  1. Make sure the Fully Qualified Domain Name (FQDN) of each host matches how you wish them to be recognized. For example, run the following on both machines: 

    # hostname
    Copy to Clipboard Toggle word wrap

  2. If a hostname is not what you expect it to be, you can configure the FQDN using hostnamectl. For example, to update the CS machine’s hostname: 

    # hostnamectl set-hostname rhcs10.example.com
    Copy to Clipboard Toggle word wrap

  3. To update the DS machine’s hostname: 

    # hostnamectl set-hostname rhds11.example.com
    Copy to Clipboard Toggle word wrap

  4. Additionally, add both the CS and DS machines' IP addresses and new hostnames as entries in /etc/hosts: 

    # vi /etc/hosts
    Copy to Clipboard Toggle word wrap 
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.1.111.111 rhcs10.example.com
10.2.222.222 rhds11.example.com
    Copy to Clipboard Toggle word wrap

  5. Verify the FQDN again after the change: 

    # hostname
    Copy to Clipboard Toggle word wrap

6.4. Enabling FIPS on RHEL 8
Copier lien

FIPS mode must be enabled before you install the Certificate System.

  • To check whether your system is in FIPS mode, run the following command: 

    # sysctl crypto.fips_enabled
    Copy to Clipboard Toggle word wrap

    If the returned value is 1, FIPS mode is enabled.

The following procedure demonstrates how to enable the Federal Information Processing Standard (FIPS) mode on both rhcs10.example.com and rhds11.example.com.

  1. To switch to FIPS mode, use the fips-mode-setup --enable command. 

    # fips-mode-setup --enable

Kernel initramdisks are being regenerated. This might take some time.
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies to fully take place.
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.
    Copy to Clipboard Toggle word wrap

  2. Restart your system to allow the kernel to switch to FIPS mode: 

    # reboot
    Copy to Clipboard Toggle word wrap

  3. Verify the current state of FIPS mode after the restart: 

    # fips-mode-setup --check

FIPS mode is enabled.
    Copy to Clipboard Toggle word wrap
Note

If an existing directory server is running on a non-FIPS RHEL 8 system that has only just had its FIPS enabled, you will need to reset the Directory Manager password to allow the existing directory server to run properly. For more information, see Managing the Directory Manager Password in the Red Hat Directory Server Administration Guide.

6.5. Setting up fapolicyd (for STIG environments)
Copier lien

The fapolicyd software framework controls the execution of applications based on a user-defined policy. In a STIG environment, installing Certificate System will fail if fapolicyd is not set up properly. The following procedure describes how to add the rules needed to install and run RHCS instances.

Important

Do not follow this section unless you are certain that your system is in a STIG environment. In case you complete the below procedure unnecessarily, and later run into issues when running pkispawn, you will need to revert the changes before proceeding.

Procedure

To add the required fapolicyd rule:

  1. As root, create a file under /etc/fapolicyd/rules.d/ with a unique name. The prefix must contain a number in the 30s range for the priority, such as 35-allow-java.rules, or 39. 

    # vi /etc/fapolicyd/35-allow-java.rules
    Copy to Clipboard Toggle word wrap

  2. Add the following rule: 

    allow perm=open dir=/usr/lib/jvm/ : dir=/usr/share/tomcat/bin/ ftype=application/java-archive
    Copy to Clipboard Toggle word wrap

  3. After saving the file, restart the fapolicyd service to recompile the rules: 

    # systemctl restart fapolicyd.service
    Copy to Clipboard Toggle word wrap

6.6. Configuring a HSM
Copier lien

To use a Hardware Security Module (HSM), a Federal Information Processing Standard (FIPS) 140-2 validated HSM is required. Red Hat Certificate System supports the nShield Connect XC hardware security module (HSM) and Thales Luna HSM by default (please see Section 4.4, “Supported Hardware Security Modules” for more information on Luna’s limitations). Certificate System-supported HSMs are automatically added to the pkcs11.txt database with the modutil command during the pre-configuration stage of the installation, if the PKCS #11 library modules are in the specified installation paths.

  • Configure rhcs10.example.com to be the HSM client machine.
Important

Please follow the instructions provided by your HSM vendor for your specific HSM brand / model / release.

In our example, an nShield Connect XC unit is installed and configured with the latest software and firmware for compliance with FIPS 140-2 (Level 3). As of this writing the RFS software is SecWorld_Lin64-12.71.0, the firmware is nShield firmware 12.72.1 (FIPS certified), image 12.80.5.

6.6.1. FIPS mode on an HSM
Copier lien

To use a Hardware Security Module (HSM), a Federal Information Processing Standard (FIPS) 140-2 validated HSM is required. Certain deployments require to setup their HSM to use FIPS mode. To enable FIPS Mode on HSMs, please refer to your HSM vendor’s documentation.

Important
nShield Connect XC HSM
On a nShield Connect XC HSM, the FIPS mode can only be enabled when generating the Security World, this cannot be changed afterwards. While there is a variety of ways to generate the Security World, the preferred method is always to use the new-world command.
For guidance on how to generate a FIPS-compliant Security World, please follow the HSM vendor’s documentation.
Luna HSM
Similarly, enabling the FIPS mode on a Luna HSM must be done during the initial configuration, since changing this policy zeroizes the HSM as a security measure.
For details, please refer to the Luna HSM vendor’s documentation. Please see Section 4.4, “Supported Hardware Security Modules” for more information on Luna’s limitations.

The below steps help you verify if FIPS mode is enabled for nShield Connect XC and Luna HSMs. For other HSMs, please refer to your HSM manufacturer’s documentation.

nShield Connect XC HSM

To verify if the FIPS mode is enabled on an nShield HSM, enter: 

# /opt/nfast/bin/nfkminfo
Copy to Clipboard Toggle word wrap

With older versions of the software, if the StrictFIPS140 is listed in the state flag, the FIPS mode is enabled. In newer versions, it is however better to check the new mode line and look for fips1402level3. In all cases, there should also be an hkfips key present in the nfkminfo output.

Luna HSM

To verify if the FIPS mode is enabled on a Luna HSM:

  1. Open the lunash management console

  2. Use the hsm show command and verify that the output contains the text The HSM is in FIPS 140-2 approved operation mode.: 

    lunash:> hsm show
...
       FIPS 140-2 Operation:
       =====================
       The HSM is in FIPS 140-2 approved operation mode.
...
    Copy to Clipboard Toggle word wrap
Note

Please refer to your HSM vendor’s documentation for complete procedures.

6.6.2. Setting up SELinux for an HSM
Copier lien

Certain HSMs require that you manually update SELinux settings before you can install Certificate System. The following describes nShield and Luna HSMs. For other HSMs, please refer to your HSM manufacturer’s documentation.

nShield Connect XC

After you have installed the HSM and before you start installing Certificate System:

  1. Reset the context of files in the /opt/nfast/ directory: 

    # restorecon -R /opt/nfast/
    Copy to Clipboard Toggle word wrap

  2. Restart the nfast software. 

    # /opt/nfast/sbin/init.d-ncipher restart
    Copy to Clipboard Toggle word wrap
Thales Luna HSM
No SELinux-related actions are required before you start installing Certificate System.

For details about supported HSMs and their limits, see Section 4.4, “Supported Hardware Security Modules”.

In Chapter 7, Installing and configuring Red Hat Certificate System, you are instructed to use the following parameters in the configuration file you pass to the pkispawn utility when installing Certificate System with an HSM: 

...
[DEFAULT]
##########################
# Provide HSM parameters #
##########################
pki_hsm_enable=True
pki_hsm_libfile=hsm_libfile
pki_hsm_modulename=hsm_modulename
pki_token_name=hsm_token_name
pki_token_password=pki_token_password

########################################
# Provide PKI-specific HSM token names #
########################################
pki_audit_signing_token=hsm_token_name
pki_ssl_server_token=hsm_token_name
pki_subsystem_token=hsm_token_name
...
Copy to Clipboard Toggle word wrap
  • The values of the pki_hsm_libfile and pki_token_name parameter depend on your specific HSM installation. These values allow the pkispawn utility to set up your HSM and enable Certificate System to connect to it.
  • The value of the pki_token_password depends upon your particular HSM token’s password. The password gives the pkispawn utility read and write permissions to create new keys on the HSM.
  • The value of the pki_hsm_modulename is a name used in later pkispawn operations to identify the HSM. The string is an identifier you can set as whatever you like. It allows pkispawn and Certificate System to refer to the HSM and configuration information by name in later operations.

The following section provides settings for individual HSMs. If your HSM is not listed, consult your HSM manufacturer’s documentation.

nShield HSM parameters

For a nShield Connect XC, set the following parameters: 

pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
Copy to Clipboard Toggle word wrap

Note that you can set the value of pki_hsm_modulename to any value. The above is a suggested value.

To identify the token name, run the following command as the root user: 

# /opt/nfast/bin/nfkminfo

Module #1 Slot #0 IC 1
 generation    1
 phystype      SmartCard
 slotlistflags 0x2 SupportsAuthentication
 state         0x5 Operator
 flags         0x10000
 shareno       1 (`CONNXC-1')
 shares        LTU(PIN) LTFIPS
 error         OK
Cardset
 name          "NHSM-CONN-XC"
 k-out-of-n    1/2
 flags         Persistent PINRecoveryForbidden(disabled) !RemoteEnabled
 timeout       none
 card names    "CONNXC-1" "CONNXC-2"
 hkltu         xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 gentime       2021-11-17 21:19:47

Module #1 Slot #1 IC 0
 generation    1
 phystype      SoftToken
 slotlistflags 0x0
 state         0x2 Empty
 flags         0x0
 shareno       0
 shares
 error         OK
No Cardset

No Pre-Loaded Objects
Copy to Clipboard Toggle word wrap

The value of the name field in the Cardset section lists the token name.

Set the token name as follows: 

pki_token_name=NHSM-CONN-XC
Copy to Clipboard Toggle word wrap

SafeNet / Luna HSM parameters

For a SafeNet / Luna HSM, such as a SafeNet Luna Network HSM, specify the following parameters: 

pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
pki_hsm_modulename=thalesluna
Copy to Clipboard Toggle word wrap

Note that you can set the value of pki_hsm_modulename to any value. The above is a suggested value.

To identify the token name, run the following command as the root user: 

# /usr/safenet/lunaclient/bin/vtl verify

The following Luna Slots/Partitions were found:

Slot    Serial #            Label
===    ===============    =====
   0       1209461834772     thaleslunaQE
Copy to Clipboard Toggle word wrap

The value in the label column lists the token name.

Set the token name as follows: 

pki_token_name=thaleslunaQE
Copy to Clipboard Toggle word wrap
Note

Please see Section 4.4, “Supported Hardware Security Modules” for more information on Luna’s limitations.

6.6.4. Testing the HSM connection
Copier lien

To test the HSM connection:

  1. Create a temporary database: 

    # mkdir -p /root/tmp1
    Copy to Clipboard Toggle word wrap 
    # certutil -N -d /root/tmp1
    Copy to Clipboard Toggle word wrap

  2. Add the PKCS #11 library module to the database:

    • nShield Connect XC: 

      # modutil -dbdir /root/tmp1 -nocertdb -add nfast -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so
---
Module "nfast" added to database.
      Copy to Clipboard Toggle word wrap

    • Thales Luna: 

      # modutil -dbdir ~/testLuna -nocertdb -add thalesluna -libfile /usr/safenet/lunaclient/lib/libCryptoki2_64.so
---
Module "thalesluna" added to database.
      Copy to Clipboard Toggle word wrap

  3. List the modules and note down the HSM name at "token:" for the next step (e.g. NHSM-CONN-XC in the below example): 

    # modutil -dbdir /root/tmp1 -list

1. NSS Internal PKCS #11 Module
…
token: NSS FIPS 140-2 Certificate DB
…
2. nfast
…
token: accelerator
…
token: NHSM-CONN-XC
    Copy to Clipboard Toggle word wrap

  4. Display the certificates for this token: 

    # certutil -L -d /root/tmp1 -h <token name>
    Copy to Clipboard Toggle word wrap

6.7. Verifying SELinux enforcement
Copier lien

Security-Enhanced Linux (SELinux) is an implementation of a mandatory access control mechanism in the Linux kernel, checking for allowed operations after standard discretionary access controls are checked. SELinux can enforce rules on files and processes in a Linux system, and on their actions, based on defined policies.

By default, RHEL 8 is installed with SELinux enabled. The SELinux policy must be set to Enforcing.

  • To verify the current SELinux mode: 

    # /usr/sbin/getenforce

  Enforcing
    Copy to Clipboard Toggle word wrap 
    # /usr/sbin/sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
    Copy to Clipboard Toggle word wrap

  • Optional: If you need to set the policy to Enforcing: 

    # /usr/sbin/setenforce 1

  Enforcing
    Copy to Clipboard Toggle word wrap

6.8. Adding ports to the firewall and with SELinux context
Copier lien

In our examples, Certificate System subsystems use the following ports. You might want to bookmark the following table for ease of reference to selected ports used by the example installations.

Expand
Table 6.1. Ports
Instance and servicesPorts (RSA)Ports (ECC)

RootCA

HTTP / HTTPS

8080 / 8443

20080 / 20443

CRL HTTP

8085

20085

LDAP

389 / 636

1389 / 1636

Tomcat

8009 / 8005

20009 / 20005

SubCA

HTTP / HTTPS

31080 / 31443

21080 / 21443

CRL HTTP

31085

21085

LDAP

7389 / 7636

8389 / 8636

Tomcat

31009 / 31005

21009 / 21005

OCSP (RootCA)

HTTP / HTTPS

33080 / 33443

34080 / 34443

LDAP

6389 / 6636

2389 / 2636

Tomcat

33009 / 33005

34009 / 34005

CRL publishing

12389 / 12636

13389 / 13636

OCSP (SubCA)

HTTP / HTTPS

32080 / 32443

22080 / 22443

LDAP

11389 / 11636

9389 / 9636

Tomcat

32009 / 32005

22009 / 22005

CRL publishing

5389 / 5636

14389 / 14636

KRA

HTTP / HTTPS

28080 / 28443

23080 / 23443

LDAP

22389 / 22636

4389 / 4636

Tomcat

28009 / 28005

23009 / 23005

TKS

HTTP / HTTPS

24080 / 24443

N/A

LDAP

16389 / 16636

N/A

Tomcat Management

14009 / 14005

N/A

TPS

HTTP / HTTPS

25080 / 25443

N/A

LDAP

17389 / 17636

N/A

TPS Auth

9389 / 9636

N/A

Tomcat Management

14019 / 14015

N/A

Note

When you set up Certificate System using the pkispawn utility, you can customize the port numbers. If you use different ports than the ones listed above, open them correspondingly in the firewall as described below.

To enable communication between the clients and Certificate System, open the required ports in your firewall on the machine that will be hosting the corresponding service:

  1. Make sure the firewalld service is running. 

    # systemctl status firewalld
    Copy to Clipboard Toggle word wrap

  2. To start firewalld and configure it to start automatically when the system boots: 

    # systemctl start firewalld
# systemctl enable firewalld
    Copy to Clipboard Toggle word wrap

Adding ports to the firewall

  1. Open the required ports using the firewall-cmd utility. For example, to open the default ports for the RootCA instance in the default firewall zone: 

    # firewall-cmd --permanent --add-port={8080/tcp,8443/tcp,8009/tcp,8005/tcp}
    Copy to Clipboard Toggle word wrap

    Additionally, to open the default ports for the RootCA’s LDAP instance: 

    # firewall-cmd --permanent --add-port={389/tcp,636/tcp}
    Copy to Clipboard Toggle word wrap

  2. Verify that all ports that will be used are successfully added to the firewall: 

    # firewall-cmd --list-ports
    Copy to Clipboard Toggle word wrap

  3. Reload the firewall configuration to ensure that the change takes place immediately: 

    # firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

Adding ports with SELinux context

If you want to add non-default ports, you will need to add them with SELinux context. If not, you will get an error like the following: Installation failed: port 33080 has invalid selinux context ephemeral_port_t.

  1. For CS instances, add SELinux context to all ports that will be used as type http_port_t. You can do this quickly using a FOR loop command with all ports you need to add. For example, to add the default RootCA ports: 

    # for port in 8080 8443 8009 8005 31080 31443 31009 31005 33080 33443 33009 33005 32080 32443 32009 32005 28080 28443 28009 28005 24080 24443 14009 14005 25080 25443 14019 14015; do semanage port -a -t http_port_t -p tcp $port; done
    Copy to Clipboard Toggle word wrap

  2. For DS ports, replace the port type option http_port_t with ldap_port_t. For example, for the RootCA’s LDAP ports: 

    # for port in 389 636 7389 7636 6389 6636 12389 12636 11389 11636 5389 5636 22389 22636 16389 16636 17389 17636; do semanage port -a -t ldap_port_t -p tcp $i; done
    Copy to Clipboard Toggle word wrap

  3. Verify that all ports that will be used are successfully added with SELinux context: 

    # semanage port -l
    Copy to Clipboard Toggle word wrap

6.9. Installing RHCS and RHDS packages
Copier lien

This section describes the installation of Red Hat Directory Server (RHDS) and Red Hat Certificate System (RHCS) packages and their initial configuration.

When installing the Certificate System packages you can either install them for each subsystem individually or all at once.

The following subsystem packages and components are available in Red Hat Certificate System:

  • pki-ca: Provides the Certificate Authority (CA) subsystem.
  • pki-kra: Provides the Key Recovery Authority (KRA) subsystem.
  • pki-ocsp: Provides the Online Certificate Status Protocol (OCSP) responder.
  • pki-tks: Provides the Token Key Service (TKS).
  • pki-tps: Provides the Token Processing Service (TPS).
  • pki-server and redhat-pki-server-theme: Provides the web-based Certificate System interface. Both packages must be installed. This is installed as a dependency if you install one of the following packages: pki-ca, pki-kra, pki-ocsp, pki-tks, pki-tps.
  • pki-console and redhat-pki-console-theme: Provides the Java-based Red Hat PKI console. Both packages must be installed.
  • pki-acme provides Automatic Certificate Management Environment (ACME).

  • pki-est is available as Technology Preview, providing Enrollment over Secure Transport (EST).

    Note

    Technology Preview features provide early access to upcoming product functionality, and are not yet fully supported under subscription agreements.

Important

ACME (Automatic Certificate Management Environment) and (EST) Enrollment over Secure Transport are not evaluated and must not be used in the Common Criteria configuration.

With the redhat-pki module, you can install all Certificate System subsystem packages and components at once on a RHEL 8 system. The redhat-pki module installs the five subsystems of Red Hat Certificate System: in addition to the pki-core module (CA, KRA) which is part of Red Hat Identity Management (IdM), includes the RHCS-specific subsystems (OCSP, TKS and TPS) as well as the pki-deps module that takes care of the required dependencies.

Prerequisites

Install the packages

  • Install the Red Hat Certificate System (RHCS) subsystem packages as follows:

    1. On rhcs10.example.com, enable the RHCS module and install the RHCS 10.4 packages: 

      # dnf module enable redhat-pki
      Copy to Clipboard Toggle word wrap 
      # dnf install redhat-pki
      Copy to Clipboard Toggle word wrap

      This installs the following packages: 

      idm-console-framework-1.3.0-1.module+el8pki+14677+1ef79a68.noarch.rpm
jss-4.9.10-1.module+el8pki+21949+4b2d0700.x86_64.rpm
jss-javadoc-4.9.10-1.module+el8pki+21949+4b2d0700.x86_64.rpm
ldapjdk-4.23.0-1.module+el8pki+14677+1ef79a68.noarch.rpm
ldapjdk-javadoc-4.23.0-1.module+el8pki+14677+1ef79a68.noarch.rpm
python3-redhat-pki-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-10.13.11-1.module+el8pki+21949+4b2d0700.x86_64.rpm
redhat-pki-acme-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-base-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-base-java-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-ca-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-console-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-console-theme-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-est-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-javadoc-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-kra-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-ocsp-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-server-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-server-theme-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-symkey-10.13.11-1.module+el8pki+21949+4b2d0700.x86_64.rpm
redhat-pki-tks-10.13.11-1.module+el8pki+21949+4b2d0700.noarch.rpm
redhat-pki-tools-10.13.11-1.module+el8pki+21949+4b2d0700.x86_64.rpm
redhat-pki-tps-10.13.11-1.module+el8pki+21949+4b2d0700.x86_64.rpm
tomcatjss-7.7.4-1.module+el8pki+21738+33a5e23b.noarch.rpm
      Copy to Clipboard Toggle word wrap

    2. In addition, on rhds11.example.com, install the RHDS module to install all the Red Hat Directory Server 11.5 packages: 

      # dnf module install redhat-ds:11
      Copy to Clipboard Toggle word wrap

Create directories for storing pki files

  • On rhcs10.example.com: 

    # mkdir -p /root/pki_rsa
    Copy to Clipboard Toggle word wrap 
    # mkdir -p /opt/pki_rsa
    Copy to Clipboard Toggle word wrap

  • On rhds11.example.com: 

    # mkdir -p /root/pki_rsa/dirsrv
    Copy to Clipboard Toggle word wrap 
    # mkdir -p /opt/pki_rsa
    Copy to Clipboard Toggle word wrap 
    # mkdir -p /etc/dirsrv/save-rsa
    Copy to Clipboard Toggle word wrap

Verifying Certificate System product version

The Red Hat Certificate System product version is stored in the /usr/share/pki/CS_SERVER_VERSION file.

  • To display the version: 

    # cat /usr/share/pki/CS_SERVER_VERSION

Red Hat Certificate System 10.4.3
    Copy to Clipboard Toggle word wrap

  • To display the PKI version: 

    # cat /usr/share/pki/VERSION

Name: pki
Specification-Version: 10.13.11
Implementation-Version: 10.13.11-1.module+el8pki+21949+4b2d0700
    Copy to Clipboard Toggle word wrap
Note

Future updates will have newer version numbers (that is, 10.4.x).

Note

Once you have a server installed and running, you could find the product version for each instance by accessing the URLs as instructed in Section 7.13.16, “Determining the product version”.

Updating Certificate System packages

To update Certificate System and operating system packages, use the dnf update command.

  • For example: 

    # dnf update
    Copy to Clipboard Toggle word wrap

    This updates the whole system including the RHCS packages. You can verify the version number before and after updating packages, to confirm they were successfully installed.

Important

Updating Certificate System requires the PKI infrastructure to be restarted. We suggest scheduling a maintenance window during which you can take the PKI infrastructure offline to install the update.

  • To optionally download updates without installing, use the --downloadonly option in the above procedure: 

    # dnf update --downloadonly
    Copy to Clipboard Toggle word wrap

    The downloaded packages are stored in the /var/cache/yum/ directory.
    The dnf update will later use the packages if they are the latest versions.

Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat