6.3.7. Setting up Operating System Users and Groups

Certificate System uses operating system users and groups to run the subsystem processes. The groups used by Certificate System must be created on the operating system before the packages are installed, and any operating system users must be created or associated with those groups.

NOTE

The administrator who creates these groups and users must have the required access to the operating system and any associated programs (like NIS).

6.3.7.1. Creating Operating System Groups

Certificate System uses potentially four operating system groups:
  • pkiuser
  • pkiadmin
  • pkiaudit
  • A hardware token group, such as nfast
The first group, pkiuser, is used by the Certificate System subsystems; this is the account that the subsystem daemons run as. The next two groups, pkiadmin and pkiaudit, are used by Certificate System users who manage the subsystem instances. If the subsystem uses a hardware token, then the PKI administrator users must also belong to that token's group, such as nfast for an nCipher token.
All of the PKI groups are system accounts.
Both the pkiadmin and pkiaudit groups (and the pkiuser group for systems other than Red Hat Enterprise Linux 5.6) must be created for Certificate System. This is done using the groupadd tool, which is described in the SELinux section in the Red Hat Enterprise Linux Deployment Guide.
  1. For Red Hat Enterprise Linux 5.6 systems, the pkiuser group is already created. This can be verified by checking the /etc/group file:
    # grep pkiuser /etc/group
    pkiuser:x:17:
    If the pkiuser group does not exist, then make sure that the appropriate tool packages are installed:
    # rpm -q setup
    setup-2.5.58-7.el5
    
    # rpm -q shadow-utils
    shadow-utils-4.0.17-15.el5
    If the pkiuser group still does not exist, or if it has a GID other than 17, create the pkiuser group. This group must have a GID value of 17, which is specified using the -g option.
    # userdel pkiuser
    # groupdel pkiuser
    # groupadd -g 17 -r pkiuser
  2. Create the pkiadmin group. This group can have any randomly assigned GID for a system account. Use the -r option to create a system group.
    # groupadd -r pkiadmin
  3. Create the pkiaudit group. This group can have any randomly assigned GID for a system account. Use the -r option to create a system group.
    # groupadd -r pkiaudit
  4. Assign user accounts to the group so that users can perform the administrative and audit tasks for the subsystems. (If necessary, also create users for the groups.) This is described in Section 6.3.7.2, “Creating Operating System Users”.
    # usermod -a -G pkiadmin bjensen
    Along with assigning regular users to the pkiadmin and pkiaudit groups, be sure to add the pkiuser system user account.
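    As an added example (not part of the Red Hat Certificate System documentation), the following POSIX shell script checks the group requirements of the procedure above against text in /etc/group format, so it can be run against a live file or, as here, against a constructed sample; the user names bjensen and asmith and the GIDs other than 17 are made up.

```shell
#!/bin/sh
# Added example: pre-installation check of the PKI operating system groups.
# It parses /etc/group-format text passed as an argument, so it runs offline
# against the constructed sample below or against "$(cat /etc/group)".

# Constructed sample in /etc/group format (not taken from a real system).
SAMPLE_GROUP='root:x:0:
pkiuser:x:17:
pkiadmin:x:495:bjensen,pkiuser
pkiaudit:x:494:asmith,pkiuser
nfast:x:493:bjensen'

# gid_of GROUP TEXT -> prints the GID of GROUP, or nothing if it is absent
gid_of() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $3 }'
}

# members_of GROUP TEXT -> prints the comma-separated member list of GROUP
members_of() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# is_member USER GROUP TEXT -> exit 0 when USER is listed in GROUP's members
is_member() {
    members_of "$2" "$3" | tr ',' '\n' | grep -qx -- "$1"
}

# check_pki_groups TEXT -> exit 0 when pkiuser has GID 17 and pkiadmin and
# pkiaudit exist; prints one finding per problem with the fixing command
check_pki_groups() {
    rc=0
    gid=$(gid_of pkiuser "$1")
    if [ -z "$gid" ]; then
        echo "pkiuser: missing (groupadd -g 17 -r pkiuser)"; rc=1
    elif [ "$gid" != 17 ]; then
        echo "pkiuser: GID is $gid, expected 17"; rc=1
    fi
    for g in pkiadmin pkiaudit; do
        if [ -z "$(gid_of "$g" "$1")" ]; then
            echo "$g: missing (groupadd -r $g)"; rc=1
        fi
    done
    return $rc
}

# Run the check against the constructed sample.
check_pki_groups "$SAMPLE_GROUP" && echo "PKI groups OK"
```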

TIP

Using groupadd or the Red Hat Enterprise Linux UI tools updates all of the group files on the system, including /etc/group, /etc/gshadow, and /etc/login.defs.