Part III. Managing the Subsystem Instances

Table of Contents

11. The Certificate System Configuration Files
11.1. File and Directory Locations for Certificate System Subsystems
11.1.1. CA Instance Information
11.1.2. RA Instance Information
11.1.3. DRM Instance Information
11.1.4. OCSP Instance Information
11.1.5. TKS Instance Information
11.1.6. TPS Instance Information
11.1.7. Shared Certificate System Subsystem File Locations
11.2. CS.cfg Files
11.2.1. Locating the CS.cfg File
11.2.2. Overview of the CS.cfg Configuration File
11.2.3. Editing the Configuration File
11.3. Managing System Passwords
11.3.1. Configuring the password.conf File
11.3.2. Requiring System Password Prompts
11.3.3. Changing System Passwords
11.4. Configuration Files for Web Services
11.5. Removing Unused Interfaces from web.xml (CA Only)
11.6. Restoring Configuration in web.xml
12. Basic Subsystem Management
12.1. Starting and Stopping Subsystem Instances
12.1.1. Starting and Stopping a Subsystem Server Instance
12.1.2. Restarting a Subsystem after a Machine Restart
12.1.3. Checking the Subsystem Instance Status
12.1.4. Managing Subsystem Processes with chkconfig
12.1.5. Setting sudo Permissions for Certificate System Services
12.2. Opening Subsystem Consoles and Services
12.2.1. Finding the Subsystem Web Services Pages
12.2.2. Starting the Certificate System Administrative Console
12.2.3. Enabling SSL for the Java Administrative Console
12.3. Customizing Web Services
12.3.1. Customizing CA End-Entities Pages
12.3.2. Customizing RA End-Entities Pages
12.3.3. Setting Limits on Searches through the CA End-Entities Pages
12.3.4. Setting SSL Session Timeouts
12.3.5. Configuring Port Forwarding
12.4. Running Subsystems under a Java Security Manager
12.4.1. About the Security Manager Policy Files
12.4.2. Starting a Subsystem Instance without the Java Security Manager
12.5. Configuring Ports
12.5.1. About Port Assignments
12.5.2. Changing a Port Number
12.6. Configuring the LDAP Database
12.6.1. Changing the Internal Database Configuration
12.6.2. Enabling SSL Client Authentication with the Internal Database
12.6.3. Restricting Access to the Internal Database
12.7. Searching the SQLite Database
12.8. Viewing Security Domain Configuration
12.9. Managing the SELinux Policies for Subsystems
12.9.1. About SELinux
12.9.2. Viewing SELinux Policies for Subsystems
12.9.3. Relabeling Subsystem and LDAP Ports
12.9.4. Relabeling nCipher netHSM Contexts
12.10. Backing up and Restoring Certificate System
12.10.1. Backing up and Restoring the LDAP Internal Database
12.10.2. Backing up and Restoring the SQLite Internal Database
12.10.3. Backing up and Restoring the Instance Directory
12.11. Running Self-Tests
12.11.1. Running Self-Tests
12.11.2. Self-Test Logging
12.11.3. Configuring Self-Tests
12.11.4. Modifying Self-Test Configuration
12.12. Configuring POSIX System ACLs
12.12.1. Setting POSIX System ACLs for the CA, DRM, OCSP, TKS, and TPS
12.12.2. Setting POSIX System ACLs for the RA
13. Managing Certificate System Users and Groups
13.1. About Authorization
13.2. Default Groups
13.2.1. Administrators
13.2.2. Auditors
13.2.3. Agents
13.2.4. Enterprise Groups
13.3. Disabling Multi-Roles Support
13.4. Managing Users and Groups for a CA, OCSP, DRM, or TKS
13.4.1. Managing Groups
13.4.2. Managing Users (Administrators, Agents, and Auditors)
13.4.3. Preventing Users from Belonging to Multiple Roles
13.5. Creating and Managing Users and Groups for an RA
13.5.1. Managing RA Groups
13.5.2. Managing RA Users
13.6. Creating and Managing Users for a TPS
13.6.1. Searching for Users
13.6.2. Adding Users
13.6.3. Setting Profiles for Users
13.6.4. Changing Roles for Users
13.6.5. Renewing TPS Agent and Administrator Certificates
13.6.6. Deleting Users
13.7. Configuring Access Control for Users for the CA, OCSP, DRM, and TKS
13.7.1. About Access Control
13.7.2. Changing the Access Control Settings for the Subsystem
13.7.3. Editing ACLs
14. Configuring Subsystem Logs
14.1. About Certificate System Logs
14.1.1. System Log
14.1.2. Transactions Log
14.1.3. Debug Logs
14.1.4. Error Log
14.1.5. Installation Logs
14.1.6. Apache and Tomcat Error and Access Logs
14.1.7. Self-Tests Log
14.2. Managing Logs for the Java Subsystems
14.2.1. An Overview of Log Settings
14.2.2. Viewing Logs
14.2.3. Configuring Logs in the Console
14.2.4. Configuring Logs in the CS.cfg File
14.2.5. Managing Audit Logs
14.2.6. Managing Log Modules
14.3. Managing TPS Logs
14.3.1. An Overview of TPS Log Settings
14.3.2. Configuring TPS Logging in CS.cfg
14.3.3. Managing Audit Logs
14.3.4. Smart Card Error Codes
14.4. Configuring RA Logging
14.4.1. About RA Log Settings
14.4.2. Configuring RA Logs
15. Managing Subsystem Certificates
15.1. Required Subsystem Certificates
15.1.1. Certificate Manager Certificates
15.1.2. RA Certificates
15.1.3. Online Certificate Status Manager Certificates
15.1.4. Data Recovery Manager Certificates
15.1.5. TKS Certificates
15.1.6. TPS Certificates
15.1.7. About Subsystem Certificate Key Types
15.1.8. Using an HSM to Store Subsystem Certificates
15.2. Requesting Certificates through the Console
15.2.1. Requesting Signing Certificates
15.2.2. Requesting Other Certificates
15.3. Renewing Subsystem Certificates
15.3.1. Re-keying Certificates in the End-Entities Forms
15.3.2. Renewing Certificates in the Console
15.3.3. Renewing Certificates Using certutil
15.4. Changing the Names of Subsystem Certificates
15.5. Using Cross-Pair Certificates
15.5.1. Installing Cross-Pair Certificates
15.5.2. Searching for Cross-Pair Certificates
15.6. Managing the Certificate Database
15.6.1. Installing Certificates in the Certificate System Database
15.6.2. Viewing Database Content
15.6.3. Deleting Certificates from the Database
15.7. Changing the Trust Settings of a CA Certificate
15.7.1. Changing Trust Settings through the Console
15.7.2. Changing Trust Settings Using certutil
15.8. Managing Tokens Used by the Subsystems
15.8.1. Detecting Tokens
15.8.2. Viewing Tokens
15.8.3. Changing a Token's Password