Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 14. Creating a role user

As explained in Section 2.6.6.1, “Default administrative roles”, a bootstrap user was created during the installation. After the installation, create real users and assign them proper system privileges. For compliance, each user must be a member of only one role (group).

This chapter instructs you how to:

  • Create a Certificate System administrative user on the operating system
  • Create a PKI role in Certificate System

14.1. Creating a PKI administrative user on the operating system
Copiar o link

This section is for administrative role users. Agent and Auditor role users, see Section 14.2, “Creating a PKI role user in Certificate System”.

In general, administrators, agents, and auditors in Certificate System can manage the Certificate System instance remotely using client applications, such as command-line utilities, the Java Console, and browsers. For the majority of CS management tasks, a Certificate System role user does not need to log on to the host machine where the instance runs. For example, an auditor role user is allowed to retrieve signed audit logs remotely for verification, and an agent role user can use the agent interface to approve a certificate issuance, while an administrator role user can use command-line utilities to configure a profile.

In certain cases, however, a Certificate System administrator requires to log in to the host system to modify configuration files directly, or to start or stop a Certificate System instance. Therefore, on the operating system, the administrator role user should be someone who is allowed to make changes to the configuration files and read various logs associated with Red Hat Certificate System.

Note

Do not allow the Certificate System administrators or anyone other than the auditors to access the audit log files.

  1. Create the pkiadmin group on the operating system. 

    # groupadd -r pkiadmin
    Copy to Clipboard Toggle word wrap

  2. Add the pkiuser to the pkiadmin group: 

    # usermod -a -G pkiadmin pkiuser
    Copy to Clipboard Toggle word wrap

  3. Create a user on the operating system. For example, to create the jsmith account: 

    # useradd -g pkiadmin -d /home/jsmith -s /bin/bash -c "Red Hat Certificate System Administrator John Smith" -m jsmith
    Copy to Clipboard Toggle word wrap

    For details, see the useradd(8) man page.

  4. Add the user jsmith to the pkiadmin group: 

    # usermod -a -G pkiadmin jsmith
    Copy to Clipboard Toggle word wrap

    For details, see the usermod(8) man page.

    If you are using a nShield hardware security module (HSM), add the user who manages the HSM device to the nfast group: 

    # usermod -a -G nfast pkiuser
    Copy to Clipboard Toggle word wrap 
    # usermod -a -G nfast jsmith
    Copy to Clipboard Toggle word wrap

  5. Add proper sudo rules to allow the pkiadmin group to Certificate System and other system services.

    For both simplicity of administration and security, the Certificate System and Directory Server processes can be configured so that PKI administrators (instead of only root) can start and stop the services.

    A recommended option when setting up subsystems is to use a pkiadmin system group. (Details are Section 7.1.1, “Creating OS users and groups”). All of the operating system users which will be Certificate System administrators are then added to this group. If this pkiadmin system group exists, then it can be granted sudo access to perform certain tasks.

    1. Edit the /etc/sudoers file; on Red Hat Enterprise Linux, this can be done using the visudo command: 

      # visudo
      Copy to Clipboard Toggle word wrap

    2. Depending on what is installed on the machine, add a line for the Directory Server, PKI management tools, and each PKI subsystem instance, granting sudo rights to the pkiadmin group: 

      # For Directory Server services
%pkiadmin ALL = PASSWD: /usr/bin/systemctl * dirsrv.target
%pkiadmin ALL = PASSWD: /usr/bin/systemctl * dirsrv-admin.service

# For PKI instance management
%pkiadmin ALL = PASSWD: /usr/sbin/pkispawn *
%pkiadmin ALL = PASSWD: /usr/sbin/pkidestroy *

# For PKI instance services
%pkiadmin ALL = PASSWD: /usr/bin/systemctl * pki-tomcatd@instance_name.service
      Copy to Clipboard Toggle word wrap
    Important

    Make sure to set sudo permissions for every Certificate System and Directory Server on the machine -and only for those instances on the machine. There could be multiple instances of the same subsystem type on a machine or no instance of a subsystem type. It depends on the deployment.

  6. Set the group on the following files to pkiadmin: 

    # chgrp pkiadmin /etc/pki/instance_name/server.xml
# chgrp -R pkiadmin /etc/pki/instance_name/alias
# chgrp pkiadmin /etc/pki/instance_name/subsystem/CS.cfg
# chgrp pkiadmin /var/log/pki/instance_name/subsystem/debug
    Copy to Clipboard Toggle word wrap

After creating the administrative user on the operating system, follow Section 14.2, “Creating a PKI role user in Certificate System”.

14.2. Creating a PKI role user in Certificate System
Copiar o link

To create a PKI role user, see Chapter 11 Managing Certificate System Users and Groups in the Administration Guide (Common Criteria Edition).

Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat