14.4. Finding the Subsystem Web Services Pages

The CA, RA, DRM, OCSP, TKS, and TPS subsystems have web services pages for agents and, potentially, for regular users and administrators. These web services can be accessed by opening the URL to the subsystem host over the subsystem's secure end-user port. For example, for the CA:
https://server.example.com:9444/ca/services

TIP

To get a complete list of all of the interfaces, URLs, and ports for a subsystem, check the service's status:
service instance-name status
The main web services page for each subsystem has a list of available services pages; these are summarized in Table 14.2, “Default Web Services Pages”. To access any service specifically, access the appropriate port and append the appropriate directory to the URL. For example, to access the CA's end entities (regular users) web services:
https://server.example.com:9444/ca/ee/ca
If DNS is properly configured, then an IPv4 or IPv6 address can be used to connect to the services pages. For example:
https://1.2.3.4:9444/ca/services
https://[00:00:00:00:123:456:789:00]:9444/ca/services

NOTE

Anyone can access the end user pages for a subsystem, but accessing agent or admin web services pages requires that an agent or administrator certificate be issued and installed in the web browser, or authentication to the web services fails.

Table 14.2. Default Web Services Pages

| Port | Used for SSL | Used for Client Authentication[a] | Web Services | Web Service Location |
|---|---|---|---|---|
| Certificate Manager | | | | |
| 9180 | No | | End Entities | ca/ee/ca/ |
| 9444 | Yes | No | End Entities | ca/ee/ca |
| 9443 | Yes | Yes | Agents | ca/agent/ca |
| 9445 | Yes | | Configuration | ca/admin/console/config/login?pin=pin |
| 9445 | Yes | No | Services | ca/services |
| 9445 | Yes | No | Console | pkiconsole https://host:port/ca |
| Registration Manager | | | | |
| 12888 | No | | End Entities | ee/index.cgi |
| 12889 | Yes | Yes | Agents | agent/index.cgi |
| 12889 | Yes | Yes | Admin | admin/index.cgi |
| 12890 | Yes | | Configuration | ra/admin/console/config/login?pin=pin |
| 12890 | Yes | | End Entities | ee/index.cgi |
| 12890 | Yes | | Services | index.cgi |
| Data Recovery Manager | | | | |
| 10180 | No | | End Entities[b] | kra/ee/kra/ |
| 10444 | Yes | No | End Entities[b] | kra/ee/kra |
| 10443 | Yes | Yes | Agents | kra/agent/kra |
| 10445 | Yes | | Configuration | kra/admin/console/config/login?pin=pin |
| 10445 | Yes | No | Services | kra/services |
| 10445 | Yes | No | Console | pkiconsole https://host:port/kra |
| Online Certificate Status Manager | | | | |
| 11180 | No | | End Entities[c] | ocsp/ee/ocsp |
| 11444 | Yes | No | End Entities[c] | ocsp/ee/ocsp |
| 11443 | Yes | Yes | Agents | ocsp/agent/ocsp |
| 11445 | Yes | | Configuration | ocsp/admin/console/config/login?pin=pin |
| 11445 | Yes | No | Services | ocsp/services |
| 11445 | Yes | No | Console | pkiconsole https://host:port/ocsp |
| Token Key Service | | | | |
| 13180 | No | | End Entities[b] | tks/ee/tks |
| 13444 | Yes | No | End Entities[b] | tks/ee/tks |
| 13443 | Yes | Yes | Agents | tks/agent/tks |
| 13445 | Yes | | Configuration | tks/admin/console/config/login?pin=pin |
| 13445 | Yes | No | Services | tks/services |
| 13445 | Yes | No | Console | pkiconsole https://host:port/tks |
| Token Processing System | | | | |
| 7888 | No | | Enterprise Security Client Phone Home | cgi-bin/home/index.cgi |
| 7890 | Yes | | Enterprise Security Client Phone Home | cgi-bin/home/index.cgi |
| 7888 | No | | Enterprise Security Client Security Officer Enrollment | cgi-bin/so/enroll.cgi |
| 7890 | Yes | Yes | Enterprise Security Client Security Officer Enrollment | cgi-bin/so/enroll.cgi |
| 7889 | Yes | Yes | Enterprise Security Client Security Officer Workstation | cgi-bin/sow/welcome.cgi |
| 7889 | Yes | Yes | Agents[d] | tus |
| 7889 | Yes | Yes | Admin[d] | tus?op=index_admin |
| 7889 | Yes | Yes | Operator[d] | tus?op=index_operator |
| 7890 | Yes | | Configuration | tps/admin/console/config/login?pin=pin |
| 7890 | Yes | | Services | index.cgi |
| 9445 | Yes | No | Console | pkiconsole https://host:port/ca |

[a] Services with a client authentication value of No can be reconfigured to require client authentication. Services which do not have either a Yes or No value cannot be configured to use client authentication.
[b] Although this subsystem type does have end entities ports and interfaces, these end-entity services are not accessible through a web browser, as other end-entity services are.
[c] Although the OCSP does have end entities ports and interfaces, these end-entity services are not accessible through a web browser, as other end-entity services are. End user OCSP services are accessed by a client sending an OCSP request.
[d] The agent, admin, and operator services are all accessed through the same web services page. Each role has a different tab on that page. The role-specific tab is visible to every user who is a member of that role.
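
The following is an added example, not part of the original guide or of Certificate System itself. It builds the agent URLs from the default ports in Table 14.2 (bracketing IPv6 literals) and, when run by an administrator against their own instance, requests each agent page without a client certificate to confirm the listener refuses it. The function names, the CA bundle argument, and the assumption that a mandatory client certificate shows up as an aborted TLS session or closed connection are all assumptions of this example.

```python
import ipaddress
import socket
import ssl
import sys

# Agent pages listed in Table 14.2 with client authentication "Yes": (port, path).
AGENT_PAGES = {
    "ca": (9443, "ca/agent/ca"), "ra": (12889, "agent/index.cgi"),
    "kra": (10443, "kra/agent/kra"), "ocsp": (11443, "ocsp/agent/ocsp"),
    "tks": (13443, "tks/agent/tks"), "tps": (7889, "tus"),
}

def service_url(host, port, path):
    """Build the services URL; IPv6 literals need brackets, names and IPv4 do not."""
    try:
        if ipaddress.ip_address(host).version == 6:
            host = f"[{host}]"
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    return f"https://{host}:{port}/{path.lstrip('/')}"

def interpret(response):
    """'refused' if the server closed without an HTTP answer, else 'http-<status>'."""
    parts = response.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "refused"
    return "http-" + parts[1].decode("ascii", "replace")

def probe_without_client_cert(host, port, path, cafile, timeout=5.0):
    """Request an agent page while presenting no client certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # still verify the server
    request = f"GET /{path.lstrip('/')} HTTP/1.0\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request)
                return interpret(tls.recv(4096))
    except ssl.SSLCertVerificationError:
        raise  # server certificate problem, says nothing about client auth
    except (ssl.SSLError, ConnectionError):
        return "refused"  # assumed behaviour when a client certificate is mandatory

if __name__ == "__main__":
    host, cafile = sys.argv[1], sys.argv[2]  # e.g. server.example.com ca-chain.pem
    for name, (port, path) in AGENT_PAGES.items():
        try:
            result = probe_without_client_cert(host, port, path, cafile)
        except OSError as exc:  # unreachable port, timeout, untrusted server cert
            result = f"inconclusive ({exc})"
        print(f"{name:5} {service_url(host, port, path):55} {result}")
```

An http-200 result on an agent port means the page was served without a client certificate, so that listener's client authentication setting should be reviewed.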