Difference between revisions of "PKI Subsystem Configuration"

(47 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= PKI Subsystem Configuration =
+
= Static Subsystems =
  
== CA ==
+
* Debug
 +
* LogSubsystem
 +
* [[JSS Subsystem]]
 +
* DBSubsystem
 +
* UGSubsystem
 +
* PluginRegistry
 +
* OidLoaderSubsystem
 +
* X500NameSubsystem
 +
* RequestSubsystem
  
Configuration of this PKI subsystem can be accomplished in one of three ways:
+
= Dynamic Subsystems =
  
(1) The configuration URL is present on the screen. When this occurs, something similar to the following should appear on the screen:
+
Dynamic subsystems can be configured in the CS.cfg.
  
    PKI instance creation Utility ...
+
== CA Subsystems ==
   
 
   
 
    PKI instance creation completed ...
 
   
 
    Starting pki-ca:          [  OK  ]
 
   
 
    PKI service(s) are available at https://<fully qualified domain name>:<secure ca port>
 
   
 
    Server can be operated with /etc/init.d/pki-ca start | stop | restart
 
   
 
    Please start the configuration by accessing:
 
    http://<fully qualified domain name>:<ca port>/ca/admin/console/config/login?pin=2yTKpsg1GupESw4tYYOv
 
<ul>   
 
<table>
 
<tr>
 
<td>'''NOTE:&nbsp;&nbsp;'''</td>
 
<td>Default secure ca port:&nbsp;&nbsp;</td>
 
<td>9443</td>
 
</tr>
 
<tr>
 
<td>&nbsp;</td>
 
<td>Default ca port:</td>
 
<td>9080</td>
 
</tr>
 
</table>
 
  
Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.
+
<pre>
</ul>
+
subsystem.0.class=com.netscape.ca.CertificateAuthority
(2) If the user no longer has access to the configuration URL, one can find the configuration URL at the end of the '''/var/log/&lt;instance name&gt;-install.log'''. For example:
+
subsystem.0.id=ca
 +
subsystem.1.class=com.netscape.cmscore.profile.[PKI_PROFILE_SUBSYSTEM]
 +
subsystem.1.id=profile
 +
subsystem.1.enabled=false
 +
subsystem.2.class=com.netscape.cmscore.selftests.SelfTestSubsystem
 +
subsystem.2.id=selftests
 +
subsystem.3.class=com.netscape.cmscore.cert.CrossCertPairSubsystem
 +
subsystem.3.id=CrossCertPair
 +
subsystem.4.class=com.netscape.cmscore.util.StatsSubsystem
 +
subsystem.4.id=stats
 +
</pre>
  
    .
+
See also https://github.com/dogtagpki/pki/blob/master/base/ca/shared/conf/CS.cfg.
    .
 
    .
 
    [2008-02-22 18:20:00] [log] Configuration Wizard listening on
 
    http://&lt;fully qualified domain name&gt;:&lt;ca port&gt;/ca/admin/console/config/login?pin=2yTKpsg1GupESw4tYYOv
 
<ul>
 
'''Note:&nbsp;&nbsp;''' The pin is also stored in the '''/etc/&lt;instance name&gt;/CS.cfg''' file as the '''preop.pin''' parameter.<br>
 
Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.
 
</ul>
 
(3) PKI subsystems can also be configured "automatically" by creating and using the pkisilent component with a predefined profile.
 
  
== DRM ==
+
== KRA Subsystems ==
  
Configuration of this PKI subsystem can be accomplished in one of three ways:
+
<pre>
 +
subsystem.0.class=com.netscape.kra.KeyRecoveryAuthority
 +
subsystem.0.id=kra
 +
subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
 +
subsystem.1.id=selftests
 +
subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
 +
subsystem.2.id=stats
 +
</pre>
  
(1) The configuration URL is present on the screen. When this occurs, something similar to the following should appear on the screen:
+
See also https://github.com/dogtagpki/pki/blob/master/base/kra/shared/conf/CS.cfg.
  
    PKI instance creation Utility ...
+
== OCSP Subsystems ==
   
 
   
 
    PKI instance creation completed ...
 
   
 
    Starting pki-kra:          [  OK  ]
 
   
 
    PKI service(s) are available at https://&lt;fully qualified domain name&gt;:&lt;secure drm port&gt;
 
   
 
    Server can be operated with /etc/init.d/pki-kra start | stop | restart
 
   
 
    Please start the configuration by accessing:
 
    http://&lt;fully qualified domain name&gt;:&lt;drm port&gt;/kra/admin/console/config/login?pin=4GW0J9AE529VcwUEulBU
 
<ul>
 
<table>
 
<tr>
 
<td>'''NOTE:&nbsp;&nbsp;'''</td>
 
<td>Default secure drm port:&nbsp;&nbsp;</td>
 
<td>10443</td>
 
</tr>
 
<tr>
 
<td>&nbsp;</td>
 
<td>Default drm port:</td>
 
<td>10080</td>
 
</tr>
 
</table>
 
  
Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.
+
<pre>
</ul>
+
subsystem.0.class=com.netscape.ocsp.OCSPAuthority
(2) If the user no longer has access to the configuration URL, one can find the configuration URL at the end of the '''/var/log/&lt;instance name&gt;-install.log'''. For example:
+
subsystem.0.id=ocsp
 +
subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
 +
subsystem.1.id=selftests
 +
subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
 +
subsystem.2.id=stats
 +
</pre>
  
    .
+
See also https://github.com/dogtagpki/pki/blob/master/base/ocsp/shared/conf/CS.cfg.
    .
 
    .
 
    [2008-02-22 18:21:00] [log] Configuration Wizard listening on
 
    http://&lt;fully qualified domain name&gt;:&lt;drm port&gt;/kra/admin/console/config/login?pin=4GW0J9AE529VcwUEulBU
 
<ul>
 
'''Note:&nbsp;&nbsp;''' The pin is also stored in the '''/etc/&lt;instance name&gt;/CS.cfg''' file as the '''preop.pin''' parameter.<br>
 
Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.
 
</ul>
 
(3) PKI subsystems can also be configured "automatically" by creating and using the pkisilent component with a predefined profile.
 
  
== OCSP ==
+
== TKS Subsystems ==
  
Configuration of this PKI subsystem can be accomplished in one of three ways:
+
<pre>
 +
subsystem.0.class=com.netscape.tks.TKSAuthority
 +
subsystem.0.id=tks
 +
subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
 +
subsystem.1.id=selftests
 +
subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
 +
subsystem.2.id=stats
 +
</pre>
  
(1) The configuration URL is present on the screen. When this occurs, something similar to the following should appear on the screen:
+
See also https://github.com/dogtagpki/pki/blob/master/base/tks/shared/conf/CS.cfg.
  
    PKI instance creation Utility ...
+
== TPS Subsystems ==
   
 
   
 
    PKI instance creation completed ...
 
   
 
    Starting pki-ocsp:          [  OK  ]
 
   
 
    PKI service(s) are available at https://&lt;fully qualified domain name&gt;:&lt;secure ocsp port&gt;
 
   
 
    Server can be operated with /etc/init.d/pki-ocsp start | stop | restart
 
   
 
    Please start the configuration by accessing:
 
    http://&lt;fully qualified domain name&gt;:&lt;ocsp port&gt;/ocsp/admin/console/config/login?pin=ceUqWDSnuDGd6hHj52TY
 
<ul>
 
<table>
 
<tr>
 
<td>'''NOTE:&nbsp;&nbsp;'''</td>
 
<td>Default secure ocsp port:&nbsp;&nbsp;</td>
 
<td>11443</td>
 
</tr>
 
<tr>
 
<td>&nbsp;</td>
 
<td>Default ocsp port:</td>
 
<td>11080</td>
 
</tr>
 
</table>
 
  
Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.
+
<pre>
</ul>
+
subsystem.0.class=org.dogtagpki.server.tps.TPSSubsystem
(2) If the user no longer has access to the configuration URL, one can find the configuration URL at the end of the '''/var/log/&lt;instance name&gt;-install.log'''. For example:
+
subsystem.0.id=tps
 +
subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
 +
subsystem.1.id=selftests
 +
subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
 +
subsystem.2.id=stats
 +
</pre>
  
    .
+
See also https://github.com/dogtagpki/pki/blob/master/base/tps/shared/conf/CS.cfg.
    .
 
    .
 
    [2008-02-22 18:21:55] [log] Configuration Wizard listening on
 
    http://&lt;fully qualified domain name&gt;:&lt;ocsp port&gt;/ocsp/admin/console/config/login?pin=ceUqWDSnuDGd6hHj52TY
 
<ul>
 
Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.
 
</ul>
 
(3) PKI subsystems can also be configured "automatically" by creating and using the pkisilent component with a predefined profile.
 
  
== RA ==
+
= Final Subsystems =
  
Configuration of this PKI subsystem can be accomplished in one of three ways:
+
* AuthSubsystem
 
+
* AuthzSubsystem
(1) The configuration URL is present on the screen.  When this occurs, something similar to the following should appear on the screen:
+
* [https://github.com/dogtagpki/pki/wiki/Scheduler-Configuration JobsScheduler]
 
 
    PKI instance creation Utility ...
 
   
 
   
 
    PKI instance creation completed ...
 
   
 
    Starting pki-ra:                                        [ OK  ]
 
   
 
    PKI service(s) are available at https://&lt;fully qualified domain name&gt;:&lt;secure ra port&gt;
 
   
 
    Server can be operated with /etc/init.d/pki-ra start | stop | restart
 
   
 
    Please start the configuration by accessing:
 
    http://&lt;fully qualified domain name&gt;:&lt;ra port&gt;/ra/admin/console/config/login?pin=ZvgA642EXN9R8NX2JqDK
 
<ul>
 
<table>
 
<tr>
 
<td>'''NOTE:&nbsp;&nbsp;'''</td>
 
<td>Default secure ra port:&nbsp;&nbsp;</td>
 
<td>12889</td>
 
</tr>
 
<tr>
 
<td>&nbsp;</td>
 
<td>Default ra port:</td>
 
<td>12888</td>
 
</tr>
 
</table>
 
 
 
Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.
 
</ul>
 
(2) If the user no longer has access to the configuration URL, one can find the configuration URL at the end of the '''/var/log/&lt;instance name&gt;-install.log'''.  For example:
 
 
 
    .
 
    .
 
    .
 
    [2008-02-22 18:23:49] [log] Configuration Wizard listening on
 
    http://&lt;fully qualified domain name&gt;:&lt;ra port&gt;/ra/admin/console/config/login?pin=ZvgA642EXN9R8NX2JqDK
 
<ul>
 
Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.
 
</ul>
 
(3) PKI subsystems can also be configured "automatically" by creating and using the pkisilent component with a predefined profile.
 
 
 
 
 
== TKS ==
 
 
 
Configuration of this PKI subsystem can be accomplished in one of three ways:
 
 
 
(1) The configuration URL is present on the screen.  When this occurs, something similar to the following should appear on the screen:
 
 
 
    PKI instance creation Utility ...
 
   
 
   
 
    PKI instance creation completed ...
 
   
 
    Starting pki-tks:          [  OK  ]
 
   
 
    PKI service(s) are available at https://&lt;fully qualified domain name&gt;:&lt;secure tks port&gt;
 
   
 
    Server can be operated with /etc/init.d/pki-tks start | stop | restart
 
   
 
    Please start the configuration by accessing:
 
    http:/&lt;fully qualified domain name&gt;:&lt;tks port&gt;//tks/admin/console/config/login?pin=ki0R7vMRR75NoIhBrxmf
 
<ul>
 
<table>
 
<tr>
 
<td>'''NOTE:&nbsp;&nbsp;'''</td>
 
<td>Default secure tks port:&nbsp;&nbsp;</td>
 
<td>13443</td>
 
</tr>
 
<tr>
 
<td>&nbsp;</td>
 
<td>Default tks port:</td>
 
<td>13080</td>
 
</tr>
 
</table>
 
 
 
Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.
 
</ul>
 
(2) If the user no longer has access to the configuration URL, one can find the configuration URL at the end of the '''/var/log/&lt;instance name&gt;-install.log'''.  For example:
 
 
 
    .
 
    .
 
    .
 
    [2008-02-22 18:22:46] [log] Configuration Wizard listening on
 
    http:/&lt;fully qualified domain name&gt;:&lt;tks port&gt;//tks/admin/console/config/login?pin=ki0R7vMRR75NoIhBrxmf
 
<ul>
 
Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.
 
</ul>
 
(3) PKI subsystems can also be configured "automatically" by creating and using the pkisilent component with a predefined profile.
 
 
 
== TPS ==
 
 
 
Configuration of this PKI subsystem can be accomplished in one of three ways:
 
 
 
(1) The configuration URL is present on the screen.  When this occurs, something similar to the following should appear on the screen:
 
 
 
    PKI instance creation Utility ...
 
   
 
   
 
    PKI instance creation completed ...
 
   
 
    Starting pki-tps:                                        [  OK  ]
 
   
 
    PKI service(s) are available at https://&lt;fully qualified domain name&gt;:&lt;secure tps port&gt;
 
   
 
    Server can be operated with /etc/init.d/pki-tps start | stop | restart
 
   
 
    Please start the configuration by accessing:
 
    http://&lt;fully qualified domain name&gt;:&lt;tps port&gt;/tps/admin/console/config/login?pin=X4PRHsoagBcuNUGeneUM
 
<ul>
 
<table>
 
<tr>
 
<td>'''NOTE:&nbsp;&nbsp;'''</td>
 
<td>Default secure tps port:&nbsp;&nbsp;</td>
 
<td>7889</td>
 
</tr>
 
<tr>
 
<td>&nbsp;</td>
 
<td>Default tps port:</td>
 
<td>7888</td>
 
</tr>
 
</table>
 
 
 
Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.
 
</ul>
 
(2) If the user no longer has access to the configuration URL, one can find the configuration URL at the end of the '''/var/log/&lt;instance name&gt;-install.log'''.  For example:
 
 
 
    .
 
    .
 
    .
 
    [2008-02-22 18:27:58] [log] Configuration Wizard listening on
 
    http://&lt;fully qualified domain name&gt;:&lt;tps port&gt;/tps/admin/console/config/login?pin=X4PRHsoagBcuNUGeneUM
 
<ul>
 
Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.
 
</ul>
 
(3) PKI subsystems can also be configured "automatically" by creating and using the pkisilent component with a predefined profile.
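
Review bot: In the added CA Subsystems block, the line subsystem.1.class=com.netscape.cmscore.profile.[PKI_PROFILE_SUBSYSTEM] ends in a bracketed token rather than a class name, and subsystem.1.enabled=false follows it with no explanation. Say on the page that the token appears to be a template placeholder and what enabled=false means for the profile subsystem, so a reader does not copy the block verbatim into a live CS.cfg. The removed sections were also the only place here noting that the configuration wizard pin is written to the install log and stored in CS.cfg as preop.pin; if that now lives on another page, link to it.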
 

Latest revision as of 23:02, 29 July 2022

Static Subsystems

  • Debug
  • LogSubsystem
  • JSS Subsystem
  • DBSubsystem
  • UGSubsystem
  • PluginRegistry
  • OidLoaderSubsystem
  • X500NameSubsystem
  • RequestSubsystem

Dynamic Subsystems

Dynamic subsystems can be configured in the CS.cfg.

CA Subsystems

subsystem.0.class=com.netscape.ca.CertificateAuthority
subsystem.0.id=ca
subsystem.1.class=com.netscape.cmscore.profile.[PKI_PROFILE_SUBSYSTEM]
subsystem.1.id=profile
subsystem.1.enabled=false
subsystem.2.class=com.netscape.cmscore.selftests.SelfTestSubsystem
subsystem.2.id=selftests
subsystem.3.class=com.netscape.cmscore.cert.CrossCertPairSubsystem
subsystem.3.id=CrossCertPair
subsystem.4.class=com.netscape.cmscore.util.StatsSubsystem
subsystem.4.id=stats

See also https://github.com/dogtagpki/pki/blob/master/base/ca/shared/conf/CS.cfg.
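
An added example, not code from the Dogtag project: a baseline check that parses the subsystem.N.* entries of a CS.cfg and reports any that differ from the CA listing above. The function names, the sample text and the com.example class names are constructed, and it assumes the bracketed token is a template placeholder that a deployed CS.cfg should no longer contain.

```python
import re
KEY = re.compile(r"^subsystem\.(\d+)\.(class|id|enabled)$")
TOKEN = re.compile(r"\[[A-Z_]+\]")  # template token, e.g. [PKI_PROFILE_SUBSYSTEM]

# id -> class, copied from the CA listing on this page; the bracketed token
# stands for a class name the page does not give, so it matches any identifier.
CA_BASELINE = {
    "ca": "com.netscape.ca.CertificateAuthority",
    "profile": "com.netscape.cmscore.profile.[PKI_PROFILE_SUBSYSTEM]",
    "selftests": "com.netscape.cmscore.selftests.SelfTestSubsystem",
    "CrossCertPair": "com.netscape.cmscore.cert.CrossCertPairSubsystem",
    "stats": "com.netscape.cmscore.util.StatsSubsystem",
}

def parse_subsystems(text):
    """Group subsystem.N.class/id/enabled properties by index N."""
    subs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = KEY.match(key.strip())
        if sep and m:
            subs.setdefault(int(m.group(1)), {})[m.group(2)] = value.strip()
    return subs

def audit(text, baseline):
    """Return (index, finding) pairs for entries that differ from the baseline."""
    findings = []
    for n, entry in sorted(parse_subsystems(text).items()):
        sid, cls = entry.get("id", ""), entry.get("class", "")
        if TOKEN.search(cls):
            findings.append((n, "unexpanded template token"))
        elif sid not in baseline:
            findings.append((n, "id not in baseline: " + sid))
        else:
            want = re.escape(TOKEN.sub("__ID__", baseline[sid])).replace("__ID__", r"\w+")
            if not re.fullmatch(want, cls):
                findings.append((n, "class differs from baseline: " + cls))
    return findings
# Constructed sample, not a real CS.cfg: entry 2 has a swapped class, entry 3 is extra.
SAMPLE = """\
subsystem.0.class=com.netscape.ca.CertificateAuthority
subsystem.0.id=ca
subsystem.1.class=com.netscape.cmscore.profile.[PKI_PROFILE_SUBSYSTEM]
subsystem.1.id=profile
subsystem.1.enabled=false
subsystem.2.class=com.example.SelfTests
subsystem.2.id=selftests
subsystem.3.class=com.example.Extra
subsystem.3.id=extra
"""
```

Calling audit(SAMPLE, CA_BASELINE) returns one finding each for entries 1, 2 and 3; the same function works for the KRA, OCSP, TKS and TPS listings given a baseline dictionary built from them.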

KRA Subsystems

subsystem.0.class=com.netscape.kra.KeyRecoveryAuthority
subsystem.0.id=kra
subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
subsystem.1.id=selftests
subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
subsystem.2.id=stats

See also https://github.com/dogtagpki/pki/blob/master/base/kra/shared/conf/CS.cfg.

OCSP Subsystems

subsystem.0.class=com.netscape.ocsp.OCSPAuthority
subsystem.0.id=ocsp
subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
subsystem.1.id=selftests
subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
subsystem.2.id=stats

See also https://github.com/dogtagpki/pki/blob/master/base/ocsp/shared/conf/CS.cfg.

TKS Subsystems

subsystem.0.class=com.netscape.tks.TKSAuthority
subsystem.0.id=tks
subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
subsystem.1.id=selftests
subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
subsystem.2.id=stats

See also https://github.com/dogtagpki/pki/blob/master/base/tks/shared/conf/CS.cfg.

TPS Subsystems

subsystem.0.class=org.dogtagpki.server.tps.TPSSubsystem
subsystem.0.id=tps
subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
subsystem.1.id=selftests
subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
subsystem.2.id=stats

See also https://github.com/dogtagpki/pki/blob/master/base/tps/shared/conf/CS.cfg.

Final Subsystems