9.2. Installing with Shared Port Assignments


Using shared SSL ports is deprecated and not recommended.
The recommended and most secure configuration for subsystems is to use port separation for secure connections, so that each type of secure connection (end entities, agents, and administrators) uses its own SSL port. Older versions of Certificate System used a single port for all SSL connections, and it is still possible to create an instance with a single SSL port.
An instance must be created with either a single SSL port or all three separate SSL ports. It is not possible to share a port for some interfaces and then have others separate when running pkicreate, though this can be configured manually after the instance is configured.
To create an instance with three separate ports for the different subsystem services, run pkicreate with three options which specify the services ports: -admin_secure_port, -agent_secure_port, and -ee_secure_port. For CAs only, there is an additional port for end-entity client authentication, -ee_secure_client_auth_port.
  1. Run the pkicreate command, specifying the type of subsystem being created, the configuration directory, instance name, and port numbers. For example, this command creates a second DRM instance with a single shared SSL port:
    pkicreate -pki_instance_root=/var/lib -subsystem_type=kra -pki_instance_name=pki-drm2 -secure_port=10543 -unsecure_port=10180 -tomcat_server_port=1802 -verbose
  2. When the instance is successfully created, the process returns a URL for the HTML configuration page. For example:


    The configuration URL is written to the end of the instance's installation file, /var/lib/instance_name/logs-install.log. This log is also useful for debugging an instance.
  3. Open the new instance URL, and go through the configuration wizard as described in Chapter 7, Installing and Configuring Certificate System. Supply the security domain, CA, instance ID, internal LDAP database, and agent information.
  4. When the configuration is complete, restart the subsystem.
    service instance_ID restart
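The rule above (an instance is created with either one shared SSL port or all three separate SSL ports, never a mix) is easy to get wrong when typing a long pkicreate line by hand. The following POSIX shell script is an added example, not a tool from the Certificate System documentation: it assembles the pkicreate command for either layout, checks that every port is a distinct valid number, refuses a mixed or incomplete layout, and rejects -ee_secure_client_auth_port for anything but a CA. It only prints the command it would run; nothing here invokes pkicreate. The option names are taken from the text; the port numbers in the usage lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Certificate System documentation).
# Assumptions: pkicreate option names as given in the text; this script
# never runs pkicreate, it only prints the command line it would use.

# ports_distinct PORT... : return 0 if every argument is a number in
# 1..65535 and no port appears twice, otherwise print why and return 1.
ports_distinct() {
    seen=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
        case " $seen " in
            *" $p "*) echo "port used twice: $p" >&2; return 1 ;;
        esac
        seen="$seen $p"
    done
    return 0
}

# plan_pkicreate SUBSYSTEM INSTANCE UNSECURE_PORT TOMCAT_PORT MODE PORT...
#   MODE=shared   : PORT is the single SSL port (deprecated layout)
#   MODE=separate : PORT... is admin agent ee [ee_client_auth]; the fourth
#                   port is only valid for a CA
# Prints the pkicreate command on stdout; returns 1 if the layout is
# inconsistent, so a caller can stop before touching the system.
plan_pkicreate() {
    subsystem=$1; instance=$2; unsecure=$3; tomcat=$4; mode=$5
    shift 5
    base="pkicreate -pki_instance_root=/var/lib -subsystem_type=$subsystem -pki_instance_name=$instance -unsecure_port=$unsecure -tomcat_server_port=$tomcat"
    case "$mode" in
        shared)
            [ $# -eq 1 ] || { echo "shared mode takes exactly one SSL port" >&2; return 1; }
            ports_distinct "$unsecure" "$tomcat" "$1" || return 1
            echo "$base -secure_port=$1 -verbose"
            ;;
        separate)
            if [ $# -eq 4 ] && [ "$subsystem" != ca ]; then
                echo "only a CA takes -ee_secure_client_auth_port" >&2; return 1
            fi
            [ $# -eq 3 ] || [ $# -eq 4 ] || { echo "separate mode needs admin, agent and ee ports" >&2; return 1; }
            # the SSL ports must also not collide with the plain HTTP or Tomcat port
            ports_distinct "$unsecure" "$tomcat" "$@" || return 1
            cmd="$base -admin_secure_port=$1 -agent_secure_port=$2 -ee_secure_port=$3"
            [ $# -eq 4 ] && cmd="$cmd -ee_secure_client_auth_port=$4"
            echo "$cmd -verbose"
            ;;
        *) echo "mode must be shared or separate" >&2; return 1 ;;
    esac
}

# Usage (constructed values): the DRM from the text, then a CA with four
# separate SSL ports. Pipe the output to sh only after reviewing it.
plan_pkicreate kra pki-drm2 10180 1802 shared 10543
plan_pkicreate ca pki-ca 9180 9701 separate 9445 9443 9444 9446
```

The check that every port is distinct is deliberately applied across the SSL, unsecure and Tomcat ports together, because a duplicate anywhere in that set makes Tomcat fail to bind at startup rather than at pkicreate time, which is harder to diagnose from the install log.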
For more information on the pkicreate tool options, see the Certificate System Command-Line Tools Guide.