
Chapter 18. Creating a role user


As explained in Section 2.6.6.1, “Default administrative roles”, a bootstrap user was created during the installation. After the installation, create real users and assign them proper system privileges. For compliance, each user must be a member of only one role (group).

This chapter instructs you how to:

  • Create a Certificate System administrative user on the operating system
  • Create a PKI role in Certificate System

18.1. Creating a PKI administrative user on the operating system

This section applies to administrator role users. For agent and auditor role users, see Section 18.2, “Creating a PKI role user in Certificate System”.

In general, administrators, agents, and auditors in Certificate System can manage the Certificate System instance remotely using client applications, such as command-line utilities, the Java Console, and browsers. For the majority of CS management tasks, a Certificate System role user does not need to log on to the host machine where the instance runs. For example, an auditor role user is allowed to retrieve signed audit logs remotely for verification, and an agent role user can use the agent interface to approve a certificate issuance, while an administrator role user can use command-line utilities to configure a profile.

In certain cases, however, a Certificate System administrator needs to log in to the host system to modify configuration files directly, or to start or stop a Certificate System instance. Therefore, on the operating system, the administrator role user should be someone who is allowed to make changes to the configuration files and read the various logs associated with Red Hat Certificate System.

Note

Do not allow the Certificate System administrators or anyone other than the auditors to access the audit log files.

  1. Create the pkiadmin group on the operating system.

    # groupadd -r pkiadmin
  2. Add the pkiuser to the pkiadmin group:

    # usermod -a -G pkiadmin pkiuser
  3. Create a user on the operating system. For example, to create the jsmith account:

    # useradd -g pkiadmin -d /home/jsmith -s /bin/bash -c "Red Hat Certificate System Administrator John Smith" -m jsmith

    For details, see the useradd(8) man page.

  4. Add the user jsmith to the pkiadmin group:

    # usermod -a -G pkiadmin jsmith

    For details, see the usermod(8) man page.

    If you are using an nCipher hardware security module (HSM), add the user who manages the HSM device to the nfast group:

    # usermod -a -G nfast pkiuser
    # usermod -a -G nfast jsmith
  5. Add sudo rules that allow the pkiadmin group to manage the Certificate System services and the other system services it depends on.

    For both simplicity of administration and security, the Certificate System and Directory Server processes can be configured so that PKI administrators (instead of only root) can start and stop the services.

    A recommended option when setting up subsystems is to use a pkiadmin system group (for details, see Section 6.5, “Certificate System operating system users and groups”). All of the operating system users who will be Certificate System administrators are then added to this group. If this pkiadmin system group exists, it can be granted sudo access to perform certain tasks.

    1. Edit the /etc/sudoers file; on Red Hat Enterprise Linux, this can be done using the visudo command:

      # visudo
    2. Depending on what is installed on the machine, add a line for the Directory Server, the {ADS}, PKI management tools, and each PKI subsystem instance, granting sudo rights to the pkiadmin group:

      # For Directory Server services
      %pkiadmin ALL = PASSWD: /usr/bin/systemctl * dirsrv.target
      %pkiadmin ALL = PASSWD: /usr/bin/systemctl * dirsrv-admin.service
      
      # For PKI instance management
      %pkiadmin ALL = PASSWD: /usr/sbin/pkispawn *
      %pkiadmin ALL = PASSWD: /usr/sbin/pkidestroy *
      
      # For PKI instance services
      %pkiadmin ALL = PASSWD: /usr/bin/systemctl * pki-tomcatd@instance_name.service
    Important

    Make sure to set sudo permissions for every Certificate System, Directory Server, and {ADS} instance on the machine, and only for the instances that exist on that machine. Depending on the deployment, there can be several instances of the same subsystem type on a machine, or none at all.

  6. Set the group on the following files to pkiadmin:

    # chgrp pkiadmin /etc/pki/instance_name/server.xml
    # chgrp -R pkiadmin /etc/pki/instance_name/alias
    # chgrp pkiadmin /etc/pki/instance_name/subsystem/CS.cfg
    # chgrp pkiadmin /var/log/pki/instance_name/subsystem/debug
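The sudo rules from step 5 and the group ownership from step 6, as an added example script that is not part of the Red Hat Certificate System documentation. It generates the pkiadmin sudoers fragment with explicit systemctl verbs rather than a bare "*": sudoers(5) matches wildcards across word boundaries, so a rule such as /usr/bin/systemctl * dirsrv.target also permits "systemctl stop sshd.service dirsrv.target". The fragment is syntax-checked with visudo -c before it is installed under /etc/sudoers.d, and a second function reports any step 6 file (including the contents of the alias directory, which step 6 changes recursively) whose group is not the expected one. The function names, the /etc/sudoers.d/pkiadmin file name, the script name, the verb list, and the optional path prefix argument (which lets the ownership check run against a scratch tree) are this example's own choices, not anything the product defines.

```shell
#!/bin/bash
# Added example (not part of the Red Hat Certificate System documentation).
# Generates and installs the pkiadmin sudoers rules from step 5 and checks the
# group ownership from step 6. Function names, the /etc/sudoers.d/pkiadmin file
# name and the verb list are assumptions made for this example.
set -eu

# systemctl verbs the pkiadmin group may use; extend if you need e.g. "reload".
PKI_SUDO_VERBS="start stop restart status"

# Print a sudoers fragment for the given pki-tomcatd instance names.
# Explicit verbs are used instead of "systemctl * unit": sudoers matches
# wildcards across word boundaries, so "systemctl * dirsrv.target" would also
# allow "systemctl stop sshd.service dirsrv.target".
pki_sudoers_fragment() {
    local inst unit verb
    printf '# For Directory Server services\n'
    for unit in dirsrv.target dirsrv-admin.service; do
        for verb in $PKI_SUDO_VERBS; do
            printf '%%pkiadmin ALL = PASSWD: /usr/bin/systemctl %s %s\n' "$verb" "$unit"
        done
    done
    printf '\n# For PKI instance services\n'
    for inst in "$@"; do
        for verb in $PKI_SUDO_VERBS; do
            printf '%%pkiadmin ALL = PASSWD: /usr/bin/systemctl %s pki-tomcatd@%s.service\n' \
                "$verb" "$inst"
        done
    done
}

# Write the fragment to /etc/sudoers.d/pkiadmin, but only if visudo accepts its
# syntax; a rejected fragment is discarded and the function returns 1.
pki_sudoers_install() {
    local tmp
    tmp=$(mktemp)
    pki_sudoers_fragment "$@" > "$tmp"
    if ! visudo -c -q -f "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/pkiadmin
    rm -f "$tmp"
}

# Check that the step 6 files carry the expected group (name or numeric gid).
# $1 instance name, $2 subsystem (ca, kra, ...), $3 expected group,
# $4 optional path prefix so the check can run against a scratch tree.
pki_check_group() {
    local inst="$1" sub="$2" want="$3" prefix="${4:-}" rc=0 p have bad
    local alias="$prefix/etc/pki/$inst/alias"
    for p in "$prefix/etc/pki/$inst/server.xml" \
             "$alias" \
             "$prefix/etc/pki/$inst/$sub/CS.cfg" \
             "$prefix/var/log/pki/$inst/$sub/debug"; do
        if [ ! -e "$p" ]; then
            printf 'missing: %s\n' "$p" >&2
            rc=1
            continue
        fi
        have=$(stat -c '%G %g' "$p")        # e.g. "pkiadmin 1001"
        case " $have " in
            *" $want "*) ;;
            *) printf 'wrong group on %s: %s (expected %s)\n' "$p" "$have" "$want" >&2
               rc=1 ;;
        esac
    done
    # Step 6 uses chgrp -R on alias, so walk its contents as well. The
    # directory itself was already checked above, so a find error is not fatal.
    if [ -d "$alias" ]; then
        bad=$(find "$alias" -mindepth 1 ! -group "$want" -print 2>/dev/null || true)
        if [ -n "$bad" ]; then
            printf 'wrong group under %s:\n%s\n' "$alias" "$bad" >&2
            rc=1
        fi
    fi
    return "$rc"
}

# Usage (as root): ./pki-admin-sudo.sh install pki-tomcat [other_instance ...]
# then verify ownership with: pki_check_group pki-tomcat ca pkiadmin
if [ "$#" -gt 0 ] && [ "$1" = install ]; then
    shift
    pki_sudoers_install "$@"
fi
```

Run the install action once per machine with the names of every pki-tomcatd instance present on it, which keeps the rules limited to the instances that actually exist, as the Important note above requires. The ownership check is read-only and can be run by any user who can stat the files; pass the subsystem directory name (ca, kra, and so on) in place of the subsystem placeholder used in step 6.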

After creating the administrative user on the operating system, follow Section 18.2, “Creating a PKI role user in Certificate System”.

18.2. Creating a PKI role user in Certificate System

To create a PKI role user, see the Managing Certificate System Users and Groups section in the Red Hat Certificate System Administration Guide.
