The CA, RA, DRM, OCSP, TKS, and TPS subsystems have web services pages for agents and, potentially, for regular users and administrators. These web services are accessed by opening the URL of the subsystem host on the subsystem's secure end-user port. For example, for the CA:
https://server.example.com:9444/ca/services
TIP
To get a complete list of all of the interfaces, URLs, and ports for a subsystem, check the service's status:
service instance-name status
The main web services page for each subsystem has a list of available services pages; these are summarized in Table 16.2, “Default Web Services Pages”. To access any service specifically, access the appropriate port and append the appropriate directory to the URL. For example, to access the CA's end entities (regular users) web services:
https://server.example.com:9444/ca/ee/ca
If DNS is properly configured, then an IPv4 or IPv6 address can be used to connect to the services pages. For example:
https://1.2.3.4:9444/ca/services
https://[00:00:00:00:123:456:789:00]:9444/ca/services
NOTE
Anyone can access the end user pages for a subsystem, but accessing agent or admin web services pages requires that an agent or administrator certificate be issued and installed in the web browser; otherwise, authentication to the web services fails.
Table 16.2. Default Web Services Pages
| Port | Used for SSL | Used for Client Authentication[a] | Web Services | Web Service Location |
|---|---|---|---|---|
| Certificate Manager | | | | |
| 9180 | No | | End Entities | ca/ee/ca/ |
| 9444 | Yes | No | End Entities | ca/ee/ca |
| 9443 | Yes | Yes | Agents | ca/agent/ca |
| 9445 | Yes | | Configuration | ca/admin/console/config/login?pin=pin |
| 9445 | Yes | No | Services | ca/services |
| 9445 | Yes | No | Console | pkiconsole https://host:port/ca |
| Registration Manager | | | | |
| 12888 | No | | End Entities | ee/index.cgi |
| 12889 | Yes | Yes | Agents | agent/index.cgi |
| 12889 | Yes | Yes | Admin | admin/index.cgi |
| 12890 | Yes | | Configuration | ra/admin/console/config/login?pin=pin |
| 12890 | Yes | | End Entities | ee/index.cgi |
| 12890 | Yes | | Services | index.cgi |
| Data Recovery Manager | | | | |
| 10180 | No | | End Entities[b] | kra/ee/kra/ |
| 10444 | Yes | No | End Entities[b] | kra/ee/kra |
| 10443 | Yes | Yes | Agents | kra/agent/kra |
| 10445 | Yes | | Configuration | kra/admin/console/config/login?pin=pin |
| 10445 | Yes | No | Services | kra/services |
| 10445 | Yes | No | Console | pkiconsole https://host:port/kra |
| Online Certificate Status Manager | | | | |
| 11180 | No | | End Entities[c] | ocsp/ee/ocsp |
| 11444 | Yes | No | End Entities[c] | ocsp/ee/ocsp |
| 11443 | Yes | Yes | Agents | ocsp/agent/ocsp |
| 11445 | Yes | | Configuration | ocsp/admin/console/config/login?pin=pin |
| 11445 | Yes | No | Services | ocsp/services |
| 11445 | Yes | No | Console | pkiconsole https://host:port/ocsp |
| Token Key Service | | | | |
| 13180 | No | | End Entities[b] | tks/ee/tks |
| 13444 | Yes | No | End Entities[b] | tks/ee/tks |
| 13443 | Yes | Yes | Agents | tks/agent/tks |
| 13445 | Yes | | Configuration | tks/admin/console/config/login?pin=pin |
| 13445 | Yes | No | Services | tks/services |
| 13445 | Yes | No | Console | pkiconsole https://host:port/tks |
| Token Processing System | | | | |
| 7888 | No | | Enterprise Security Client Phone Home | cgi-bin/home/index.cgi |
| 7890 | Yes | | Enterprise Security Client Phone Home | cgi-bin/home/index.cgi |
| 7888 | No | | Enterprise Security Client Security Officer Enrollment | cgi-bin/so/enroll.cgi |
| 7890 | Yes | Yes | Enterprise Security Client Security Officer Enrollment | cgi-bin/so/enroll.cgi |
| 7889 | Yes | Yes | Enterprise Security Client Security Officer Workstation | cgi-bin/sow/welcome.cgi |
| 7889 | Yes | Yes | Agents[d] | tus |
| 7889 | Yes | Yes | Admin[d] | tus?op=index_admin |
| 7889 | Yes | Yes | Operator[d] | tus?op=index_operator |
| 7890 | Yes | | Configuration | tps/admin/console/config/login?pin=pin |
| 7890 | Yes | | Services | index.cgi |
| 9445 | Yes | No | Console | pkiconsole https://host:port/ca |
[a] Services with a client authentication value of No can be reconfigured to require client authentication. Services which do not have either a Yes or No value cannot be configured to use client authentication.
[b] Although this subsystem type does have end entities ports and interfaces, these end-entity services are not accessible through a web browser, as other end-entity services are.
[c] Although the OCSP does have end entities ports and interfaces, these end-entity services are not accessible through a web browser, as other end-entity services are. End user OCSP services are accessed by a client sending an OCSP request.
[d] The agent, admin, and operator services are all accessed through the same web services page. Each role has a different tab on that page. The role-specific tab is visible to every user who is a member of that role.