
Certificate System uses operating system users and groups to run the subsystem processes. The groups used by Certificate System must be created on the operating system before the packages are installed, and any operating system users must be created or associated with those groups.
NOTE
The administrator who creates these groups and users must have the required access to the operating system and any associated programs (like NIS).
Certificate System uses three and possibly four operating system groups:
- pkiuser
- pkiadmin
- pkiaudit
- A hardware token group, such as nfast (optional)
The first group, pkiuser, is used by the Certificate System subsystems; this is the user which the subsystem daemons run as. The other two groups, pkiadmin and pkiaudit, are used by Certificate System users who manage the subsystem instances. If the subsystem uses a hardware token, then the PKI administrator users must also belong to that group, such as nfast for an nCipher token.
All of the PKI groups are system accounts. They must meet certain criteria as system accounts:
- They must have a GID and UID lower than 500. It is strongly recommended that the pkiuser group has a GID and UID of 17. On Red Hat Enterprise Linux 5.6 and later systems, the pkiuser group is already configured and has a GID of 17.
- The groups must not have a login shell, meaning that the login shell has a value of /sbin/nologin.
- All PKI groups must be created before attempting to install any subsystem. These groups must be present in /etc/group.
- The PKI user should be created before installing any subsystems. This account must be present in /etc/passwd.
Both the pkiadmin and pkiaudit groups must be created for Certificate System. This is done using the groupadd tool, which is described in the SELinux section of the Red Hat Enterprise Linux Deployment Guide.
- For Red Hat Enterprise Linux 5.6 (and later) systems, the pkiuser group is already created. This can be verified by checking the /etc/group file:
    grep pkiuser /etc/group
    pkiuser:x:17:
  If the pkiuser group does not exist, then make sure that the appropriate tool packages are installed:
    # rpm -q setup
    setup-2.5.58-7.el5
    # rpm -q shadow-utils
    shadow-utils-4.0.17-15.el5
  Then, if the pkiuser group does not exist or if it has a GID other than 17, create the pkiuser group. This group must have a GID value of 17; this can be specified using the -g option.
    # userdel pkiuser
    # groupdel pkiuser
    # groupadd -g 17 -r pkiuser
- Create the pkiadmin group. This group can have any randomly assigned GID for a system account. Use the -r option to create a system group.
    # groupadd -r pkiadmin
- Create the pkiaudit group. This group can have any randomly assigned GID for a system account. Use the -r option to create a system group.
    # groupadd -r pkiaudit
- Assign user accounts to the groups so that users can perform the administrative and audit tasks for the subsystems. (If necessary, also create users for the groups.) This is described in Section 5.3.7.2, “Creating Operating System Users”.
    # usermod -a -G pkiadmin bjensen
  Along with assigning regular users to the pkiadmin and pkiaudit groups, be sure to add the pkiuser system user account.
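As an added example that is not part of the Red Hat documentation, the following script checks the criteria above (pkiuser at GID 17, pkiadmin and pkiaudit present as system groups, the pkiuser account with a UID below 500 and /sbin/nologin) against group and passwd files passed as arguments; the sample files it builds are constructed, and the GIDs 490/491, the home directory and the user bjensen in them are assumptions.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: verify the PKI group
# and user criteria. File paths are passed in so the checks run against the
# constructed samples below as well as the real /etc/group and /etc/passwd.

# Print the GID of group $2 from group file $1; fail if it is absent.
group_gid() {
    awk -F: -v g="$2" '$1 == g { print $3; found = 1 } END { exit !found }' "$1"
}

# Check that group $2 exists in $1 with a system GID (below 500) and,
# when an expected GID is given as $3, that it has exactly that GID.
check_group() {
    gid=$(group_gid "$1" "$2") || { echo "MISSING: group $2"; return 1; }
    if [ -n "$3" ] && [ "$gid" -ne "$3" ]; then
        echo "BAD GID: $2 is $gid, expected $3"; return 1
    fi
    if [ "$gid" -ge 500 ]; then
        echo "BAD GID: $2 is $gid, not a system GID (below 500)"; return 1
    fi
    echo "ok: group $2 gid=$gid"
}

# Check that the pkiuser account in passwd file $1 has a UID below 500
# and no login shell (/sbin/nologin).
check_pkiuser() {
    awk -F: '$1 == "pkiuser" && $3 < 500 && $7 == "/sbin/nologin" { ok = 1 }
             END { exit !ok }' "$1"
}

# Run every check against a group file ($1) and a passwd file ($2).
check_pki_accounts() {
    check_group "$1" pkiuser 17 &&
    check_group "$1" pkiadmin &&
    check_group "$1" pkiaudit &&
    check_pkiuser "$2"
}

# Constructed sample files standing in for /etc/group and /etc/passwd.
# BAD_GROUP models pkiuser created without -g 17, so it got a non-system GID.
GOOD_GROUP=$(mktemp); BAD_GROUP=$(mktemp); SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$GOOD_GROUP" "$BAD_GROUP" "$SAMPLE_PASSWD"' EXIT
printf 'root:x:0:\npkiuser:x:17:\npkiadmin:x:491:bjensen,pkiuser\npkiaudit:x:490:pkiuser\n' > "$GOOD_GROUP"
printf 'root:x:0:\npkiuser:x:501:\npkiadmin:x:491:bjensen\npkiaudit:x:490:\n' > "$BAD_GROUP"
printf 'root:x:0:0:root:/root:/bin/bash\npkiuser:x:17:17::/usr/share/pki:/sbin/nologin\n' > "$SAMPLE_PASSWD"

# Usage: the good file passes every check; the bad one is rejected.
check_pki_accounts "$GOOD_GROUP" "$SAMPLE_PASSWD"
check_pki_accounts "$BAD_GROUP" "$SAMPLE_PASSWD" || echo "rejected $BAD_GROUP as expected"
```

Run it as root against the real files with `check_pki_accounts /etc/group /etc/passwd` after the groupadd steps above to confirm the installation prerequisites before running any subsystem installer.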
TIP
Using groupadd or the Red Hat Enterprise Linux UI tools updates all of the group files on the system, including /etc/group, /etc/gshadow, and /etc/login.defs.