# Install RHCS and deploy the subsystem
This section outlines the basic installation method for RHCS. It assumes that you already installed Red Hat Enterprise Linux (RHEL), subscribed the system to the Red Hat Subscription Management service, attached the RHCS subscription, and enabled the required repositories. Refer to the RHCS Get Started article for instructions on how to perform the preceding actions.

Perform the tasks in the following sections to install RHCS and deploy the subsystem.

## Install RHCS and its prerequisites

RHCS requires Red Hat Directory Server, which serves as an internal repository for certificate requests, certificates, and so on.

1. Install the Directory Server packages by using the following command:

   ```bash
   sudo yum install redhat-ds
   ```

2. Run the Directory Server installation script, selecting the defaults or customizing as needed:

   ```bash
   sudo /usr/sbin/setup-ds-admin.pl
   ```

3. By default, Red Hat Directory Server does not run automatically on system startup. Run the following command to ensure that the Directory Server starts automatically when the computer is rebooted:

   ```bash
   sudo systemctl enable dirsrv.target
   ```

4. Run the following command to install the Certificate System packages:

   ```bash
   sudo yum install redhat-pki
   ```

## Modify SELinux

If you want to deploy an RHCS subsystem on a hardware security module (HSM) and run SELinux in enforcing mode, you must manually update certain SELinux and firewalld settings before deploying the subsystem. The following steps describe the required actions to modify SELinux so that it supports subsystem deployment using an HSM.

1. Run the following commands to reset the SELinux context of the fxpkcs11.cfg file and of the main fxpkcs11 directory, modifying the paths to match the locations of the fxpkcs11.cfg file and the fxpkcs11 directory on your system:

   ```bash
   sudo /sbin/restorecon -v /etc/fxpkcs11.cfg
   sudo /sbin/restorecon -R /usr/local/bin/fxpkcs11/
   ```

2. Run the following command to allow outbound connections to TCP port 2001, the System/Host API port on the KMES:

   ```bash
   sudo semanage port -m -t http_port_t -p tcp 2001
   ```

## Create and configure a subsystem instance

Use the pkispawn command-line tool to install and configure a new PKI instance. The command eliminates the need for separate installation and configuration steps, and you can run it interactively, as a batch process, or as a combination of both (that is, a batch process with prompts for passwords). Refer to the pkispawn documentation for detailed information about all supported options by running the following command:

```bash
man pkispawn
```

The pkispawn command reads its default installation and configuration values from a plain-text configuration file (/etc/pki/default.cfg). This file consists of name=value pairs divided into [DEFAULT], [Tomcat], [CA], [KRA], [OCSP], [TKS], and [TPS] sections. We strongly recommend that you read the full documentation to understand the purpose of every parameter in the /etc/pki/default.cfg file. This enables you to customize your PKI environment to your specific needs.

Red Hat's recommended procedure for spawning a subsystem that uses an HSM is to create an override configuration file that contains only the parameters necessary for using the HSM as its token. Any parameter settings in this file override the parameter settings in the default.cfg file. The system can spawn any of the various RHCS subsystems (CA, KRA, OCSP, TKS, and TPS) to use the HSM, but for brevity this integration guide focuses solely on the Certificate Authority (CA) subsystem.

### Prepare a configuration file

Perform the following steps to prepare an override configuration file with the required HSM parameters.

1. In a terminal, go to the directory where you installed the Futurex PKCS #11 module on your system (such as /usr/local/bin/fxpkcs11).

2. Run the following sudo vim command:

   ```bash
   sudo vim default-futurex.txt
   ```

3. You can use the following example override file to spawn a CA subsystem with the KMES Series 3, setting the values in angle brackets to your specifications. The pki_ds_password value must match the password set for the Directory Manager when you installed the Red Hat Directory Server.

   ```ini
   [DEFAULT]
   ##########################
   # Provide HSM parameters #
   ##########################
   pki_hsm_enable=True
   pki_hsm_libfile=<path to fxpkcs11 libfile>
   pki_hsm_modulename=fxpkcs11
   pki_token_name=Futurex
   pki_token_password=<HSM identity password>

   ########################################
   # Provide PKI-specific HSM token names #
   ########################################
   pki_audit_signing_token=Futurex
   pki_ssl_server_token=Futurex
   pki_subsystem_token=Futurex

   ##################################
   # Provide PKI-specific passwords #
   ##################################
   pki_admin_password=<PKI admin password>
   pki_client_pkcs12_password=<PKI client PKCS12 password>
   pki_ds_password=<PKI DS password>

   #####################################
   # Provide non-CA-specific passwords #
   #####################################
   pki_client_database_password=<PKI client database password>

   [CA]
   #######################################
   # Provide CA-specific HSM token names #
   #######################################
   pki_ca_signing_token=Futurex
   pki_ocsp_signing_token=Futurex
   ```

4. Save the file.

### Run the pkispawn utility

Perform the following steps to run the pkispawn utility.

1. In a terminal, run the following command to deploy a CA subsystem by using the KMES Series 3. The full path to the default-futurex.txt file is required if you are not running the command from the same directory where default-futurex.txt is saved.

   ```bash
   sudo pkispawn -s CA -f default-futurex.txt -vvv
   ```

2. If the deployment succeeds, an installation summary similar to the following displays after the command completes:

   ```
   ==========================================================================
                               INSTALLATION SUMMARY
   ==========================================================================

     Administrator's username:             caadmin
     Administrator's PKCS #12 file:
           /root/.dogtag/pki-tomcat/ca_admin_cert.p12

     To check the status of the subsystem:
           systemctl status pki-tomcatd@pki-tomcat.service

     To restart the subsystem:
           systemctl restart pki-tomcatd@pki-tomcat.service

     The URL for the subsystem is:
           https://localhost.localdomain:8443/ca

     PKI instances will be enabled upon system boot
   ==========================================================================
   ```

### Perform remedial action if the pkispawn command fails

If the pkispawn command fails, you must perform the following steps before re-attempting to run the command.

1. Log in to the KMES Series 3 application interface, go to PKI > Certificate Authorities, and confirm whether a certificate container named CA Signing Certificate exists. If you can find it, you must delete the CA Signing Certificate certificate container (which also deletes all certificates inside it). If you don't delete the certificate container before running pkispawn again, the command will fail.

2. Delete the partially created CA subsystem instance by running the following command:

   ```bash
   sudo pkidestroy -s CA -i pki-tomcat
   ```

3. Then, execute the steps in the Run the pkispawn utility section.

## View the keys and certificates

To view the keys and certificates that RHCS created on the KMES Series 3, perform the following steps.

1. Log in to the KMES Series 3 application interface with the default Admin identities.

2. Go to the PKI > Certificate Authorities menu. All of the certificates that RHCS created for the CA subsystem instance display in the CA Signing Certificate X.509 certificate container.

3. Go to the Key Management > Keys menu and select the ASYM_RHCS asymmetric key group. In the Keys section, you can see the private keys of the certificates viewed in step 2 of this workflow.

## Import the PKCS #12 file

The following steps use a Firefox web browser to import the CA administrator PKCS #12 file into the browser. The steps might vary when using a different browser, but the basic process is similar.

1. In Firefox, go to Settings > Privacy & Security > Certificates and select [ View Certificates ].

2. On the Your Certificates tab, select [ Import ] to import the CA administrator PKCS #12 file, ca_admin_cert.p12. The location of the ca_admin_cert.p12 file was included in the installation summary for the CA subsystem deployment.

3. When prompted for a password, enter the value that was configured for the pki_client_pkcs12_password parameter defined in the default-futurex.txt file.

## Access the new CA subsystem in the browser

Access the Red Hat Certificate System subsystem console by navigating to the following URL:

```
https://<fully qualified domain name>:8443/pki/ui/
```

Note: When submitting CSRs in RHCS, you must include both the Common Name and UID fields. If you submit a request with only the Common Name field completed, the request fails, and you receive an error stating that the subject name does not match.
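Because the override file carries clear-text passwords and a single wrong token name silently lands a CA key in the software NSS database instead of the HSM, it is worth linting default-futurex.txt before running pkispawn. The following Python script is an added example, not part of this guide or of Red Hat's or Futurex's tooling; the sample file content and the library path in it are constructed, and the `check_override` function name is this example's own.

```python
import configparser
import os
import re

# Unfilled template values look like "<PKI admin password>".
PLACEHOLDER = re.compile(r"<[^>]+>")


def check_override(text, path_exists=os.path.exists, mode=None):
    """Lint a pkispawn override file; returns a list of findings ([] = clean).

    path_exists is injectable so the check can run offline; mode is the file's
    permission bits (os.stat(path).st_mode) when the caller has them.
    """
    # Treat [DEFAULT] as an ordinary section so its keys are not merged into [CA].
    cfg = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    cfg.read_string(text)
    entries = [(s, k, v) for s in cfg.sections() for k, v in cfg.items(s)]
    defaults = dict(cfg.items("DEFAULT")) if cfg.has_section("DEFAULT") else {}
    findings = []

    # 1. Secrets sit in this file in clear text: it must not be group/other readable.
    if mode is not None and mode & 0o077:
        findings.append("file is readable by group/other; chmod 600 it")

    # 2. No angle-bracket placeholders may survive from the template.
    for section, key, value in entries:
        if PLACEHOLDER.search(value):
            findings.append(f"[{section}] {key}: placeholder {value!r} not filled in")

    # 3. The HSM must be enabled and its PKCS #11 library must exist on disk.
    if defaults.get("pki_hsm_enable", "").lower() != "true":
        findings.append("pki_hsm_enable is not 'True'")
    libfile = defaults.get("pki_hsm_libfile", "")
    if libfile and not PLACEHOLDER.search(libfile) and not path_exists(libfile):
        findings.append(f"pki_hsm_libfile {libfile!r} does not exist")

    # 4. Every *_token key must name the HSM token from pki_token_name; any other
    #    value means that key pair would be generated outside the HSM.
    token = defaults.get("pki_token_name", "")
    for section, key, value in entries:
        if key.endswith("_token") and value != token:
            findings.append(f"[{section}] {key}={value!r} does not match pki_token_name {token!r}")
    return findings


# Constructed sample (library path is made up): one placeholder left unfilled
# and the OCSP signing key pointed at the software token instead of the HSM.
SAMPLE = """[DEFAULT]
pki_hsm_enable=True
pki_hsm_libfile=/usr/local/bin/fxpkcs11/libfxpkcs11.so
pki_hsm_modulename=fxpkcs11
pki_token_name=Futurex
pki_token_password=<HSM identity password>
pki_ssl_server_token=Futurex
[CA]
pki_ca_signing_token=Futurex
pki_ocsp_signing_token=internal
"""
```

Run it against the real file with `check_override(open(path).read(), mode=os.stat(path).st_mode)` and fix every finding before invoking pkispawn.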