Difference between revisions of "PKI Subsystem Configuration"

From Dogtag
 
(35 intermediate revisions by 3 users not shown)
Previous revision

= PKI Subsystem Configuration =

== CA ==

Configuration of this PKI subsystem can be accomplished in one of three ways:

'''(1)''' The configuration URL is present on the screen. When this occurs, something similar to the following should appear on the screen:

    PKI instance creation Utility ...
    PKI instance creation completed ...
    Starting pki-ca:          [  OK  ]
    PKI service(s) are available at https://<fully qualified domain name>:<secure ca port>
    Server can be operated with /etc/init.d/pki-ca start | stop | restart
    Please start the configuration by accessing:
    http://<fully qualified domain name>:<ca port>/ca/admin/console/config/login?pin=2yTKpsg1GupESw4tYYOv

<table>
<tr><td>'''NOTE:'''</td><td>Default secure ca port:</td><td>9443</td></tr>
<tr><td></td><td>Default ca port:</td><td>9080</td></tr>
</table>

Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

'''(2)''' If the user no longer has access to the configuration URL displayed on the screen, one can find the configuration URL at the end of the '''/var/log/<instance name>-install.log'''. For example:

    .
    .
    .
    [2008-02-22 18:20:00] [log] Configuration Wizard listening on
    http://<fully qualified domain name>:<ca port>/ca/admin/console/config/login?pin=2yTKpsg1GupESw4tYYOv

<table>
<tr><td>'''NOTE:'''</td><td>The pin is also stored in the '''/etc/<instance name>/CS.cfg''' file as the '''preop.pin''' parameter.</td></tr>
<tr><td></td><td>The ca port is also stored in the '''/etc/<instance name>/server.xml''' file as the first uncommented "non-SSL HTTP/1.1 Connector" '''Connector port''' parameter.</td></tr>
</table>

Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

'''(3)''' PKI subsystems can also be configured "automatically" by creating and using the pkisilent component with a predefined profile.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

== DRM ==

Configuration of this PKI subsystem can be accomplished in one of three ways:

'''(1)''' The configuration URL is present on the screen. When this occurs, something similar to the following should appear on the screen:

    PKI instance creation Utility ...
    PKI instance creation completed ...
    Starting pki-kra:          [  OK  ]
    PKI service(s) are available at https://<fully qualified domain name>:<secure drm port>
    Server can be operated with /etc/init.d/pki-kra start | stop | restart
    Please start the configuration by accessing:
    http://<fully qualified domain name>:<drm port>/kra/admin/console/config/login?pin=4GW0J9AE529VcwUEulBU

<table>
<tr><td>'''NOTE:'''</td><td>Default secure drm port:</td><td>10443</td></tr>
<tr><td></td><td>Default drm port:</td><td>10080</td></tr>
</table>

Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

'''(2)''' If the user no longer has access to the configuration URL displayed on the screen, one can find the configuration URL at the end of the '''/var/log/<instance name>-install.log'''. For example:

    .
    .
    .
    [2008-02-22 18:21:00] [log] Configuration Wizard listening on
    http://<fully qualified domain name>:<drm port>/kra/admin/console/config/login?pin=4GW0J9AE529VcwUEulBU

<table>
<tr><td>'''NOTE:'''</td><td>The pin is also stored in the '''/etc/<instance name>/CS.cfg''' file as the '''preop.pin''' parameter.</td></tr>
<tr><td></td><td>The drm port is also stored in the '''/etc/<instance name>/server.xml''' file as the first uncommented "non-SSL HTTP/1.1 Connector" '''Connector port''' parameter.</td></tr>
</table>

Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

'''(3)''' PKI subsystems can also be configured "automatically" by creating and using the pkisilent component with a predefined profile.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

== OCSP ==

Configuration of this PKI subsystem can be accomplished in one of three ways:

'''(1)''' The configuration URL is present on the screen. When this occurs, something similar to the following should appear on the screen:

    PKI instance creation Utility ...
    PKI instance creation completed ...
    Starting pki-ocsp:          [  OK  ]
    PKI service(s) are available at https://<fully qualified domain name>:<secure ocsp port>
    Server can be operated with /etc/init.d/pki-ocsp start | stop | restart
    Please start the configuration by accessing:
    http://<fully qualified domain name>:<ocsp port>/ocsp/admin/console/config/login?pin=ceUqWDSnuDGd6hHj52TY

<table>
<tr><td>'''NOTE:'''</td><td>Default secure ocsp port:</td><td>11443</td></tr>
<tr><td></td><td>Default ocsp port:</td><td>11080</td></tr>
</table>

Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

'''(2)''' If the user no longer has access to the configuration URL displayed on the screen, one can find the configuration URL at the end of the '''/var/log/<instance name>-install.log'''. For example:

    .
    .
    .
    [2008-02-22 18:21:55] [log] Configuration Wizard listening on
    http://<fully qualified domain name>:<ocsp port>/ocsp/admin/console/config/login?pin=ceUqWDSnuDGd6hHj52TY

<table>
<tr><td>'''NOTE:'''</td><td>The pin is also stored in the '''/etc/<instance name>/CS.cfg''' file as the '''preop.pin''' parameter.</td></tr>
<tr><td></td><td>The ocsp port is also stored in the '''/etc/<instance name>/server.xml''' file as the first uncommented "non-SSL HTTP/1.1 Connector" '''Connector port''' parameter.</td></tr>
</table>

Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

'''(3)''' PKI subsystems can also be configured "automatically" by creating and using the pkisilent component with a predefined profile.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

== RA ==

Configuration of this PKI subsystem can be accomplished in one of three ways:

'''(1)''' The configuration URL is present on the screen. When this occurs, something similar to the following should appear on the screen:

    PKI instance creation Utility ...
    PKI instance creation completed ...
    Starting pki-ra:          [  OK  ]
    PKI service(s) are available at https://<fully qualified domain name>:<secure ra port>
    Server can be operated with /etc/init.d/pki-ra start | stop | restart
    Please start the configuration by accessing:
    http://<fully qualified domain name>:<ra port>/ra/admin/console/config/login?pin=ZvgA642EXN9R8NX2JqDK

<table>
<tr><td>'''NOTE:'''</td><td>Default secure ra port:</td><td>12889</td></tr>
<tr><td></td><td>Default ra port:</td><td>12888</td></tr>
</table>

Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

'''(2)''' If the user no longer has access to the configuration URL displayed on the screen, one can find the configuration URL at the end of the '''/var/log/<instance name>-install.log'''. For example:

    .
    .
    .
    [2008-02-22 18:23:49] [log] Configuration Wizard listening on
    http://<fully qualified domain name>:<ra port>/ra/admin/console/config/login?pin=ZvgA642EXN9R8NX2JqDK

<table>
<tr><td>'''NOTE:'''</td><td>The pin is also stored in the '''/etc/<instance name>/CS.cfg''' file as the '''preop.pin''' parameter.</td></tr>
<tr><td></td><td>The ra port is also stored in the '''/etc/<instance name>/server.xml''' file as the first uncommented "non-SSL HTTP/1.1 Connector" '''Connector port''' parameter.</td></tr>
</table>

Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

'''(3)''' PKI subsystems can also be configured "automatically" by creating and using the pkisilent component with a predefined profile.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

== TKS ==

Configuration of this PKI subsystem can be accomplished in one of three ways:

'''(1)''' The configuration URL is present on the screen. When this occurs, something similar to the following should appear on the screen:

    PKI instance creation Utility ...
    PKI instance creation completed ...
    Starting pki-tks:          [  OK  ]
    PKI service(s) are available at https://<fully qualified domain name>:<secure tks port>
    Server can be operated with /etc/init.d/pki-tks start | stop | restart
    Please start the configuration by accessing:
    http://<fully qualified domain name>:<tks port>/tks/admin/console/config/login?pin=ki0R7vMRR75NoIhBrxmf

<table>
<tr><td>'''NOTE:'''</td><td>Default secure tks port:</td><td>13443</td></tr>
<tr><td></td><td>Default tks port:</td><td>13080</td></tr>
</table>

Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

'''(2)''' If the user no longer has access to the configuration URL displayed on the screen, one can find the configuration URL at the end of the '''/var/log/<instance name>-install.log'''. For example:

    .
    .
    .
    [2008-02-22 18:22:46] [log] Configuration Wizard listening on
    http://<fully qualified domain name>:<tks port>/tks/admin/console/config/login?pin=ki0R7vMRR75NoIhBrxmf

<table>
<tr><td>'''NOTE:'''</td><td>The pin is also stored in the '''/etc/<instance name>/CS.cfg''' file as the '''preop.pin''' parameter.</td></tr>
<tr><td></td><td>The tks port is also stored in the '''/etc/<instance name>/server.xml''' file as the first uncommented "non-SSL HTTP/1.1 Connector" '''Connector port''' parameter.</td></tr>
</table>

Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

'''(3)''' PKI subsystems can also be configured "automatically" by creating and using the pkisilent component with a predefined profile.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

== TPS ==

Configuration of this PKI subsystem can be accomplished in one of three ways:

'''(1)''' The configuration URL is present on the screen. When this occurs, something similar to the following should appear on the screen:

    PKI instance creation Utility ...
    PKI instance creation completed ...
    Starting pki-tps:          [  OK  ]
    PKI service(s) are available at https://<fully qualified domain name>:<secure tps port>
    Server can be operated with /etc/init.d/pki-tps start | stop | restart
    Please start the configuration by accessing:
    http://<fully qualified domain name>:<tps port>/tps/admin/console/config/login?pin=X4PRHsoagBcuNUGeneUM

<table>
<tr><td>'''NOTE:'''</td><td>Default secure tps port:</td><td>7889</td></tr>
<tr><td></td><td>Default tps port:</td><td>7888</td></tr>
</table>

Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

'''(2)''' If the user no longer has access to the configuration URL displayed on the screen, one can find the configuration URL at the end of the '''/var/log/<instance name>-install.log'''. For example:

    .
    .
    .
    [2008-02-22 18:27:58] [log] Configuration Wizard listening on
    http://<fully qualified domain name>:<tps port>/tps/admin/console/config/login?pin=X4PRHsoagBcuNUGeneUM

<table>
<tr><td>'''NOTE:'''</td><td>The pin is also stored in the '''/etc/<instance name>/CS.cfg''' file as the '''preop.pin''' parameter.</td></tr>
<tr><td></td><td>The tps port is also stored in the '''/etc/<instance name>/server.xml''' file as the first uncommented "non-SSL HTTP/1.1 Connector" '''Connector port''' parameter.</td></tr>
</table>

Invoke a browser, insert the configuration URL, and follow the step-by-step instructions displayed in each panel.

'''IMPORTANT:''' When finished, don't forget to restart this PKI instance before attempting to use it!

'''(3)''' PKI subsystems can also be configured "automatically" by creating and using the pkisilent component with a predefined profile.

'''IMPORTANT:&nbsp;&nbsp;''' When finished, don't forget to restart this PKI instance before attempting to use it!
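The notes above say the same pin and port that appear in the install log are also on disk, as '''preop.pin''' in CS.cfg and as the first uncommented non-SSL HTTP/1.1 Connector port in server.xml. The following is an added example, not code from the Dogtag project: it rebuilds the configuration URL from those two files and checks it against the one at the end of the install log, so an administrator can confirm which pin and port an unconfigured instance is actually answering on. All three inputs are constructed stand-ins (the pin and ports are the CA values shown on this page; the host name ca.example.test and the commented-out Connector are inventions of the example).

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for /var/log/<instance name>-install.log,
# /etc/<instance name>/CS.cfg and /etc/<instance name>/server.xml.
SAMPLE_INSTALL_LOG = """\
.
.
[2008-02-22 18:20:00] [log] Configuration Wizard listening on
http://ca.example.test:9080/ca/admin/console/config/login?pin=2yTKpsg1GupESw4tYYOv
"""
SAMPLE_CS_CFG = "preop.pin=2yTKpsg1GupESw4tYYOv\nsubsystem.0.id=ca\n"
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1"/> commented out on purpose -->
    <!-- Define a non-SSL HTTP/1.1 Connector on port 9080 -->
    <Connector port="9080" protocol="HTTP/1.1"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>
"""

def wizard_url_from_log(log_text):
    """URL on the line after the last 'Configuration Wizard listening on' entry."""
    lines = [l.strip() for l in log_text.splitlines()]
    for i in range(len(lines) - 1, 0, -1):
        if "Configuration Wizard listening on" in lines[i - 1]:
            return lines[i]
    return None

def preop_pin(cs_cfg_text):
    """Value of the preop.pin parameter, or None when no such key is present."""
    for line in cs_cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "preop.pin":
            return value.strip()
    return None

def non_ssl_http_port(server_xml_text):
    """Port of the first uncommented non-SSL HTTP/1.1 Connector.  ElementTree
    discards XML comments while parsing, so commented-out Connectors never match."""
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")   # Tomcat's default protocol
        ssl = conn.get("SSLEnabled", "false").lower() == "true"
        if "HTTP/1.1" in proto and not ssl:
            return conn.get("port")
    return None

def expected_wizard_url(host, subsystem, cs_cfg_text, server_xml_text):
    """Rebuild the URL from CS.cfg and server.xml the way the note describes."""
    return "http://%s:%s/%s/admin/console/config/login?pin=%s" % (
        host, non_ssl_http_port(server_xml_text), subsystem, preop_pin(cs_cfg_text))

def wizard_url_is_consistent(log_text, host, subsystem, cs_cfg_text, server_xml_text):
    """True when the install log's URL agrees with what the two config files say."""
    return wizard_url_from_log(log_text) == expected_wizard_url(
        host, subsystem, cs_cfg_text, server_xml_text)
```

A mismatch means the log is stale relative to the files on disk (for example after a re-run of the instance creation), and the on-disk values are the ones to trust.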
 

Latest revision as of 23:02, 29 July 2022

= Static Subsystems =

* Debug
* LogSubsystem
* [[JSS Subsystem]]
* DBSubsystem
* UGSubsystem
* PluginRegistry
* OidLoaderSubsystem
* X500NameSubsystem
* RequestSubsystem

= Dynamic Subsystems =

Dynamic subsystems can be configured in the CS.cfg.

== CA Subsystems ==

<pre>
subsystem.0.class=com.netscape.ca.CertificateAuthority
subsystem.0.id=ca
subsystem.1.class=com.netscape.cmscore.profile.[PKI_PROFILE_SUBSYSTEM]
subsystem.1.id=profile
subsystem.1.enabled=false
subsystem.2.class=com.netscape.cmscore.selftests.SelfTestSubsystem
subsystem.2.id=selftests
subsystem.3.class=com.netscape.cmscore.cert.CrossCertPairSubsystem
subsystem.3.id=CrossCertPair
subsystem.4.class=com.netscape.cmscore.util.StatsSubsystem
subsystem.4.id=stats
</pre>

See also https://github.com/dogtagpki/pki/blob/master/base/ca/shared/conf/CS.cfg.

== KRA Subsystems ==

<pre>
subsystem.0.class=com.netscape.kra.KeyRecoveryAuthority
subsystem.0.id=kra
subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
subsystem.1.id=selftests
subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
subsystem.2.id=stats
</pre>

See also https://github.com/dogtagpki/pki/blob/master/base/kra/shared/conf/CS.cfg.

== OCSP Subsystems ==

<pre>
subsystem.0.class=com.netscape.ocsp.OCSPAuthority
subsystem.0.id=ocsp
subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
subsystem.1.id=selftests
subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
subsystem.2.id=stats
</pre>

See also https://github.com/dogtagpki/pki/blob/master/base/ocsp/shared/conf/CS.cfg.

== TKS Subsystems ==

<pre>
subsystem.0.class=com.netscape.tks.TKSAuthority
subsystem.0.id=tks
subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
subsystem.1.id=selftests
subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
subsystem.2.id=stats
</pre>

See also https://github.com/dogtagpki/pki/blob/master/base/tks/shared/conf/CS.cfg.

== TPS Subsystems ==

<pre>
subsystem.0.class=org.dogtagpki.server.tps.TPSSubsystem
subsystem.0.id=tps
subsystem.1.class=com.netscape.cmscore.selftests.SelfTestSubsystem
subsystem.1.id=selftests
subsystem.2.class=com.netscape.cmscore.util.StatsSubsystem
subsystem.2.id=stats
</pre>

See also https://github.com/dogtagpki/pki/blob/master/base/tps/shared/conf/CS.cfg.
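The subsystem.N.class / subsystem.N.id / subsystem.N.enabled entries above form a positional list that the server loads at startup, so a configuration review should confirm the list still matches what is documented. The following is an added example, not code from the Dogtag project: a small audit that parses that list out of a CS.cfg, applies the page's documented CA classes as an allowlist, and reports gaps in the numbering, duplicate ids and undocumented classes; the same function serves the KRA, OCSP, TKS and TPS lists with their own allowlists. The sample CS.cfg text is constructed, and matching the profile slot by package prefix (the page shows it as the placeholder [PKI_PROFILE_SUBSYSTEM]) is this example's assumption.

```python
import re

SUBSYSTEM_RE = re.compile(r"^subsystem\.(\d+)\.(class|id|enabled)=(.*)$")

# Classes this page documents for a CA.  The profile slot is shown on the page as
# the placeholder [PKI_PROFILE_SUBSYSTEM], so it is matched by package prefix here
# (an assumption of this example, not something the page states).
DOCUMENTED_CA_CLASSES = {
    "com.netscape.ca.CertificateAuthority",
    "com.netscape.cmscore.selftests.SelfTestSubsystem",
    "com.netscape.cmscore.cert.CrossCertPairSubsystem",
    "com.netscape.cmscore.util.StatsSubsystem",
}
DOCUMENTED_CA_PREFIXES = ("com.netscape.cmscore.profile.",)

# Constructed sample (not a real CS.cfg): the page's CA entries plus a gap at index 3 and an undocumented entry at 5.
SAMPLE_CA_CS_CFG = """\
subsystem.0.class=com.netscape.ca.CertificateAuthority
subsystem.0.id=ca
subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem
subsystem.1.id=profile
subsystem.1.enabled=false
subsystem.2.class=com.netscape.cmscore.selftests.SelfTestSubsystem
subsystem.2.id=selftests
subsystem.4.class=com.netscape.cmscore.util.StatsSubsystem
subsystem.4.id=stats
subsystem.5.class=com.example.NotOnThisPage
subsystem.5.id=stats
"""

def parse_subsystems(cs_cfg_text):
    """Group subsystem.N.* keys by N in index order.  A missing 'enabled' key
    counts as enabled, as the page's CA entries (only index 1 sets it) imply."""
    entries = {}
    for line in cs_cfg_text.splitlines():
        m = SUBSYSTEM_RE.match(line.strip())
        if m:
            idx, key, value = int(m.group(1)), m.group(2), m.group(3).strip()
            entries.setdefault(idx, {"enabled": "true"})[key] = value
    return [dict(index=i, **entries[i]) for i in sorted(entries)]

def audit_subsystems(cs_cfg_text, allowed_classes, allowed_prefixes=()):
    """Return findings (empty list = matches the documented layout).  Every
    subsystem.N.class is loaded at startup, so undocumented entries deserve a look."""
    findings, seen_ids = [], set()
    for pos, sub in enumerate(parse_subsystems(cs_cfg_text)):
        tag = "subsystem.%d" % sub["index"]
        if sub["index"] != pos:
            findings.append("%s: indices are not contiguous (expected %d)" % (tag, pos))
        for required in ("class", "id"):
            if required not in sub:
                findings.append("%s: missing %s" % (tag, required))
        if sub["enabled"] not in ("true", "false"):
            findings.append("%s: enabled must be true or false, got %r" % (tag, sub["enabled"]))
        cls = sub.get("class")
        if cls and cls not in allowed_classes and not cls.startswith(tuple(allowed_prefixes)):
            findings.append("%s: undocumented class %s" % (tag, cls))
        sid = sub.get("id")
        if sid is not None:
            if sid in seen_ids:
                findings.append("%s: duplicate id %s" % (tag, sid))
            seen_ids.add(sid)
    return findings
```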

= Final Subsystems =

* AuthSubsystem
* AuthzSubsystem
* [https://github.com/dogtagpki/pki/wiki/Scheduler-Configuration JobsScheduler]