红帽全球峰会15.2. PKI 实例执行管理
启动、停止、重启或获取 PKI 实例的状态称为执行管理。每个 PKI 实例(单独的或共享)都已启动、停止、重启,其状态单独获得。本节介绍任何 PKI 实例的执行管理。
15.2.1. 启动、停止和重启 PKI 实例
复制链接链接已复制到粘贴板!
PKI 实例通过 systemd 启动、停止和重新启动,如其他系统程序。
-
以
root用户身份登录服务器计算机。 运行
systemctl命令,指定操作和实例名称:# systemctl start|stop|restart pki-tomcatd@instance_name.service例如:
# systemctl restart pki-tomcatd@pki-tomcat.service或者,您可以使用
pki-server别名:# pki-server start|stop|restart instance_name例如:
# pki-server restart pki-tomcat
15.2.2. 在机器重启后重启 PKI 实例
复制链接链接已复制到粘贴板!
如果意外关闭运行一个或多个 PKI 实例的计算机,则必须以正确顺序重启更多服务,以便子系统可以通过 HTML 服务页面和管理控制台使用。
如果本地计算机上安装了子系统使用的 Directory Server 实例,请重启 {ADS} 和 Directory Server 进程。
# systemctl start dirsrv-admin.service # systemctl start dirsrv@instance_name.service启动证书系统子系统实例。
# pki-server start instance_name
15.2.3. 检查 PKI 实例状态
复制链接链接已复制到粘贴板!
systemctl 命令可用于检查进程的状态,显示它是否正在运行还是停止。例如:
systemctl -l status pki-tomcatd@pki-tomcat.service
pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled)
Active: inactive (dead) since Fri 2015-11-20 19:04:11 MST; 12s ago
Process: 8728 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
Process: 8465 ExecStart=/usr/libexec/tomcat/server start (code=exited, status=143)
Process: 8316 ExecStartPre=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
Main PID: 8465 (code=exited, status=143)
Nov 20 19:04:10 pki.example.com server[8728]: options used: -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Nov 20 19:04:10 pki.example.com server[8728]: arguments used: stop
Nov 20 19:04:11 pki.example.com server[8465]: Nov 20, 2015 7:04:11 PM org.apache.catalina.core.StandardServer await
Nov 20 19:04:11 pki.example.com server[8465]: INFO: A valid shutdown command was received via the shutdown port. Stopping the Server instance.
Nov 20 19:04:11 pki.example.com server[8465]: PKIListener: org.apache.catalina.core.StandardServer[before_stop]
Nov 20 19:04:11 pki.example.com server[8465]: PKIListener: org.apache.catalina.core.StandardServer[stop]
Nov 20 19:04:11 pki.example.com server[8465]: PKIListener: org.apache.catalina.core.StandardServer[configure_stop]
Nov 20 19:04:11 pki.example.com server[8465]: Nov 20, 2015 7:04:11 PM org.apache.coyote.AbstractProtocol pause
Nov 20 19:04:11 pki.example.com server[8465]: INFO: Pausing ProtocolHandler ["http-bio-8080"]
Nov 20 19:04:11 pki.example.com systemd[1]: Stopped PKI Tomcat Server pki-tomcat.如果实例正在运行,状态检查会返回类似以下示例的信息:
systemctl -l status pki-tomcatd@pki-tomcat.service
pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled)
Active: active (running) since Fri 2015-11-20 19:09:09 MST; 3s ago
Process: 8728 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
Process: 9154 ExecStartPre=/usr/bin/pkidaemon start tomcat %i (code=exited, status=0/SUCCESS)
Main PID: 9293 (java)
CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
������9293 java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start
Nov 20 19:09:10 pki.example.com server[9293]: Nov 20, 2015 7:09:10 PM org.apache.catalina.core.StandardService startInternal
Nov 20 19:09:10 pki.example.com server[9293]: INFO: Starting service Catalina
Nov 20 19:09:10 pki.example.com server[9293]: Nov 20, 2015 7:09:10 PM org.apache.catalina.core.StandardEngine startInternal
Nov 20 19:09:10 pki.example.com server[9293]: INFO: Starting Servlet Engine: Apache Tomcat/7.0.54
Nov 20 19:09:10 pki.example.com server[9293]: Nov 20, 2015 7:09:10 PM org.apache.catalina.startup.HostConfig deployDescriptor
Nov 20 19:09:10 pki.example.com server[9293]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml
Nov 20 19:09:12 pki.example.com server[9293]: Nov 20, 2015 7:09:12 PM org.apache.catalina.startup.HostConfig deployDescriptor
Nov 20 19:09:12 pki.example.com server[9293]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/ROOT.xml has finished in 2,071 ms
Nov 20 19:09:12 pki.example.com server[9293]: Nov 20, 2015 7:09:12 PM org.apache.catalina.startup.HostConfig deployDescriptor
Nov 20 19:09:12 pki.example.com server[9293]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catalina/localhost/pki#admin.xml15.2.4. 将 PKI 实例配置为在重新引导时自动启动
复制链接链接已复制到粘贴板!
systemctl 命令可用于在重启后自动启动实例。例如,以下命令在重启后自动启动 Red Hat Administration Server、Directory 服务器和 CA:
# systemctl enable dirsrv-admin.service
# systemctl enable dirsrv.target
# systemctl enable pki-tomcatd@pki-tomcat.service注意
使用 pkispawn 命令默认 PKI 实例安装和配置会自动使实例在重启后启动。
要禁用此行为(即防止 PKI 实例在重启后自动启动),请运行以下命令:
# systemctl disable pki-tomcatd@pki-tomcat.service
# systemctl disable dirsrv.target
# systemctl disable dirsrv-admin.service15.2.5. 为证书系统服务设置 sudo 权限
复制链接链接已复制到粘贴板!
为了简化管理和安全性,可以配置证书系统和目录服务器进程,以便 PKI 管理员(而不是只有 root)可以启动和停止服务。
在设置子系统时,推荐的选项是使用 pkiadmin 系统组。(详细信息请查看 红帽认证系统规划、安装和部署指南。)然后,所有作为证书系统管理员的操作系统用户都会被添加到此组中。如果存在这个 pkiadmin 系统组,则可以授予执行某些任务的 sudo 访问权限。
编辑
/etc/sudoers文件;在 Red Hat Enterprise Linux 中,您可以使用visudo命令完成此操作:# visudo根据机器上安装的内容,为 Directory 服务器添加一行、{ADS}、PKI 管理工具和每个 PKI 子系统实例,为
pkiadmin组授予sudo权限:# For Directory Server services %pkiadmin ALL = PASSWD: /usr/bin/systemctl * dirsrv.target %pkiadmin ALL = PASSWD: /usr/bin/systemctl * dirsrv-admin.service # For PKI instance management %pkiadmin ALL = PASSWD: /usr/sbin/pkispawn * %pkiadmin ALL = PASSWD: /usr/sbin/pkidestroy * # For PKI instance services %pkiadmin ALL = PASSWD: /usr/bin/systemctl * pki-tomcatd@instance_name.service
重要
确保为机器上的每个证书系统、目录服务器和 {ADS} 设置 sudo 权限,并且仅对 机器上的那些实例设置 sudo 权限。在一个计算机上可能有多个相同子系统类型的实例,或者没有子系统类型的实例。它取决于部署。
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}