PKI 9 Installation

From Dogtag

Overview

This page describes the process to install a PKI 9 server. A server instance can only contain a single PKI subsystem, so the terms server, instance, and subsystem are interchangeable in PKI 9.

The installation process consists of two parts:

  • Installation
  • Configuration

Prerequisites

Please make sure you meet all these prerequisites before you attempt to run a Dogtag Certificate System.

System Prerequisites

The following system prerequisites are required to build PKI subsystems:

Runtime Tools

The following runtime environment is required to build these PKI subsystems:

Directory Server Requirements

The CA, DRM, OCSP, TKS, and TPS require the Fedora Directory Server to be installed, while the RA requires SQLite. Dogtag Certificate System uses the Fedora Directory Server to store information about certificates that it issues. The following page provides more details:

Browser

PKI 9 server installation requires the Firefox browser.

Note: Firefox removed the window.crypto.generateCRMFRequest feature, so the latest supported browser is Firefox 32. Linux binaries are available on the Mozilla web site.

Installing PKI Packages

Use Yum to download and install the PKI packages. Become the root user and execute the following command:

$ yum install pki-ca pki-kra pki-ocsp pki-ra pki-tks pki-tps

This will install many dependencies, too.

Installing PKI Subsystem

Certificate Authority (CA)

To install a CA subsystem instance, become the root user, and execute the following commands:

$ pkicreate -pki_instance_root=/var/lib       \
            -pki_instance_name=pki-ca         \
            -subsystem_type=ca                \
            -agent_secure_port=9443           \
            -ee_secure_port=9444              \
            -ee_secure_client_auth_port=9446  \
            -admin_secure_port=9445           \
            -unsecure_port=9180               \
            -tomcat_server_port=9701          \
            -user=pkiuser                     \
            -group=pkiuser                    \
            -redirect conf=/etc/pki-ca        \
            -redirect logs=/var/log/pki-ca    \
            -verbose

Data Recovery Manager (DRM)

To install a DRM subsystem instance, become the root user, and execute the following commands:

$ pkicreate -pki_instance_root=/var/lib      \
            -pki_instance_name=pki-kra       \
            -subsystem_type=kra              \
            -agent_secure_port=10443         \
            -ee_secure_port=10444            \
            -admin_secure_port=10445         \
            -unsecure_port=10180             \
            -tomcat_server_port=10701        \
            -user=pkiuser                    \
            -group=pkiuser                   \
            -audit_group=pkiaudit            \
            -redirect conf=/etc/pki-kra      \
            -redirect logs=/var/log/pki-kra  \
            -verbose

Online Certificate Status Protocol Manager (OCSP)

To install an OCSP subsystem instance, become the root user, and execute the following commands:

$ pkicreate -pki_instance_root=/var/lib       \
            -pki_instance_name=pki-ocsp       \
            -subsystem_type=ocsp              \
            -agent_secure_port=11443          \
            -ee_secure_port=11444             \
            -admin_secure_port=11445          \
            -unsecure_port=11180              \
            -tomcat_server_port=11701         \
            -user=pkiuser                     \
            -group=pkiuser                    \
            -redirect conf=/etc/pki-ocsp      \
            -redirect logs=/var/log/pki-ocsp  \
            -verbose

Registration Authority (RA)

To install an RA subsystem instance, become the root user, and execute the following commands:

$ pkicreate -pki_instance_root=/var/lib        \
            -pki_instance_name=pki-ra          \
            -subsystem_type=ra                 \
            -secure_port=12889                 \
            -non_clientauth_secure_port=12890  \
            -unsecure_port=12888               \
            -user=pkiuser                      \
            -group=pkiuser                     \
            -redirect conf=/etc/pki-ra         \
            -redirect logs=/var/log/pki-ra     \
            -verbose

Token Key Service (TKS)

To install a TKS subsystem instance, become the root user, and execute the following commands:

$ pkicreate -pki_instance_root=/var/lib      \
            -pki_instance_name=pki-tks       \
            -subsystem_type=tks              \
            -agent_secure_port=13443         \
            -ee_secure_port=13444            \
            -admin_secure_port=13445         \
            -unsecure_port=13180             \
            -tomcat_server_port=13701        \
            -user=pkiuser                    \
            -group=pkiuser                   \
            -redirect conf=/etc/pki-tks      \
            -redirect logs=/var/log/pki-tks  \
            -verbose

Token Processing System (TPS)

To install a TPS subsystem instance, become the root user, and execute the following commands:

$ pkicreate -pki_instance_root=/var/lib       \
            -pki_instance_name=pki-tps        \
            -subsystem_type=tps               \
            -secure_port=7889                 \
            -non_clientauth_secure_port=7890  \
            -unsecure_port=7888               \
            -user=pkiuser                     \
            -group=pkiuser                    \
            -redirect conf=/etc/pki-tps       \
            -redirect logs=/var/log/pki-tps   \
            -verbose
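Every instance created above binds its own set of TCP ports, and pkicreate will happily accept a port that another instance (or some unrelated daemon) already uses, which only shows up later as a failed start. The preflight check below is an added example, not part of the Dogtag wiki page or the pki tools; the port plan inside it is copied from the pkicreate commands on this page, and the function names (pki_port_plan, duplicate_ports, planned_ports_listening, check_port_plan) are this example's own.

```shell
# Added example (not from the Dogtag page): preflight check of the port plan
# used by the pkicreate commands above. Flags ports claimed by two instances
# and, when ss(8) exists, planned ports that are already listening locally.

# pki_port_plan: one line per instance, "name port ...", copied from this
# page (the CA line includes its ee_secure_client_auth_port, 9446).
pki_port_plan() {
    cat <<'EOF'
pki-ca 9443 9444 9445 9446 9180 9701
pki-kra 10443 10444 10445 10180 10701
pki-ocsp 11443 11444 11445 11180 11701
pki-ra 12889 12890 12888
pki-tks 13443 13444 13445 13180 13701
pki-tps 7889 7890 7888
EOF
}

# duplicate_ports: plan lines on stdin; prints each port claimed twice, sorted.
duplicate_ports() {
    awk '{ for (i = 2; i <= NF; i++) if (++seen[$i] == 2) print $i }' | sort -n
}

# planned_ports_listening ADDRS: plan lines on stdin; ADDRS is a newline-separated
# list of local addresses as ss prints them (0.0.0.0:22, *:9443, [::]:12888).
planned_ports_listening() {
    bound=$(printf '%s\n' "$1" | sed 's/.*://' | sort -un)
    for p in $(tr ' ' '\n' | grep -E '^[0-9]+$' | sort -un); do
        printf '%s\n' "$bound" | grep -qx "$p" && echo "$p"
    done
    return 0
}

# check_port_plan: returns 0 only when no port is duplicated and, if ss(8) is
# available, none of the planned ports is already bound on this host.
check_port_plan() {
    plan=$(pki_port_plan)
    dup=$(printf '%s\n' "$plan" | duplicate_ports)
    [ -z "$dup" ] || { printf 'port claimed by more than one instance:\n%s\n' "$dup" >&2; return 1; }
    if command -v ss >/dev/null 2>&1; then
        # first field that ends in ":<digits>" is the local address, on old and new ss
        addrs=$(ss -ltn | awk 'NR > 1 { for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { print $i; break } }')
        used=$(printf '%s\n' "$plan" | planned_ports_listening "$addrs")
        [ -z "$used" ] || { printf 'planned port already listening:\n%s\n' "$used" >&2; return 1; }
    else
        echo 'ss(8) not found, listening-port check skipped' >&2
    fi
    echo 'port plan is clean'
}
```

Source the file and run check_port_plan on the target host before the first pkicreate; edit pki_port_plan if you change any port in the commands above.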

Configuring PKI Subsystem

Before a PKI subsystem instance can be used, it must be configured. See PKI Subsystem Configuration.

Removing PKI Subsystem

To remove a PKI subsystem instance, become the root user and run pkiremove with the same instance root and instance name that were passed to pkicreate (the CA instance from above is shown):

$ /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca
