14.8. Configuration for CMC
This section describes how to configure Certificate System for Certificate Management over CMS (CMC).
14.8.1. Understanding How CMC Works
Before configuring CMC, read the following documentation to learn more about the subject:
- Issuing Certificates Using CMC in the Red Hat Certificate System Administration Guide.
- Making Rules for Issuing Certificates (Certificate Profiles) in the Red Hat Certificate System Administration Guide.
14.8.2. Enabling the PopLinkWitnessV2 Feature
For a high level of security on the Certificate Authority (CA), enable the following option in the /var/lib/pki/instance_name/ca/conf/CS.cfg file:
cmc.popLinkWitnessRequired=true
14.8.3. Enabling the CMC Shared Secret Feature
To enable the shared token feature in a Certificate Authority (CA):
- If the watchdog service is enabled on the host, temporarily disable it. See Section 14.3.2.4, “Disabling the Watchdog Service”.
- Add the shrTok attribute to Directory Server's schema:
# ldapmodify -D "cn=Directory Manager" -H ldaps://server.example.com:636 -W -x
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.117370.3.1.123 NAME 'shrTok' DESC 'User Defined ObjectClass for SharedToken' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'custom for sharedToken')
- If the system keys are stored on a Hardware Security Module (HSM), set the cmc.token parameter in the /var/lib/pki/instance_name/ca/conf/CS.cfg file. For example:
cmc.token=NHSM-CONN-XC
- Enable the shared token authentication plug-in by using one of the following methods:
  Note
  pkiconsole is being deprecated.
  - To enable the plug-in using the pkiconsole utility:
    - Log into the system using the pkiconsole utility. For example:
    # pkiconsole https://host.example.com:8443/ca
    - On the Configuration tab, select Authentication.
    - Click Add and select SharedToken.
    - Click Next.
    - Enter the following information:
    Authentication InstanceID=SharedToken
    shrTokAttr=shrTok
    ldap.ldapconn.host=server.example.com
    ldap.ldapconn.port=636
    ldap.ldapconn.secureConn=true
    ldap.ldapauth.bindDN=cn=Directory Manager
    password=password
    ldap.ldapauth.authtype=BasicAuth
    ldap.basedn=ou=People,dc=example,dc=org
    - Click OK.
  - To manually enable the plug-in, add the following settings into the /var/lib/pki/instance_name/ca/conf/CS.cfg file:
    auths.impl.SharedToken.class=com.netscape.cms.authentication.SharedSecret
    auths.instance.SharedToken.dnpattern=
    auths.instance.SharedToken.ldap.basedn=ou=People,dc=example,dc=org
    auths.instance.SharedToken.ldap.ldapauth.authtype=BasicAuth
    auths.instance.SharedToken.ldap.ldapauth.bindDN=cn=Directory Manager
    auths.instance.SharedToken.ldap.ldapauth.bindPWPrompt=Rule SharedToken
    auths.instance.SharedToken.ldap.ldapauth.clientCertNickname=
    auths.instance.SharedToken.ldap.ldapconn.host=server.example.com
    auths.instance.SharedToken.ldap.ldapconn.port=636
    auths.instance.SharedToken.ldap.ldapconn.secureConn=true
    auths.instance.SharedToken.ldap.ldapconn.version=3
    auths.instance.SharedToken.ldap.maxConns=
    auths.instance.SharedToken.ldap.minConns=
    auths.instance.SharedToken.ldapByteAttributes=
    auths.instance.SharedToken.ldapStringAttributes=
    auths.instance.SharedToken.pluginName=SharedToken
    auths.instance.SharedToken.shrTokAttr=shrTok
- Set the nickname of an RSA issuance protection certificate in the ca.cert.issuance_protection.nickname parameter in the /var/lib/pki/instance_name/ca/conf/CS.cfg file. For example:
ca.cert.issuance_protection.nickname=issuance_protection_certificate
This step is:
  - Optional if you use an RSA certificate in the ca.cert.subsystem.nickname parameter.
  - Required if you use an ECC certificate in the ca.cert.subsystem.nickname parameter.
Important
If the ca.cert.issuance_protection.nickname parameter is not set, Certificate System automatically uses the certificate of the subsystem specified in the ca.cert.subsystem.nickname parameter. However, the issuance protection certificate must be an RSA certificate.
- Restart Certificate System:
# systemctl restart pki-tomcatd@instance_name.service
When the CA starts, Certificate System prompts for the LDAP password used by the Shared Token plug-in.
- If you temporarily disabled the watchdog service at the beginning of this procedure, re-enable it. See Section 14.3.2.1, “Enabling the Watchdog Service”.
14.8.4. Enabling CMCRevoke for the Web User Interface
As described in the Performing a CMC Revocation section in the Red Hat Certificate System Administration Guide, there are two ways to submit CMC revocation requests.
When you use the CMCRevoke utility to create revocation requests that are submitted through the web UI, add the following setting to the /var/lib/pki/instance_name/ca/conf/CS.cfg file:
cmc.bypassClientAuth=true
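The settings in Sections 14.8.2, 14.8.3 and 14.8.4 all live in the same key=value CS.cfg file, so they can be audited offline after the procedure. The following script is an added example, not part of the Red Hat documentation or of Certificate System itself: it parses a CS.cfg fragment and reports whether cmc.popLinkWitnessRequired is on, whether the SharedToken plug-in's LDAP connection is TLS-protected on port 636 and points at the shrTok attribute, whether ca.cert.issuance_protection.nickname is set (required when the subsystem certificate is ECC), and whether cmc.bypassClientAuth is enabled. It assumes only that CS.cfg is a line-oriented key=value file with # comments; the sample fragment, the finding severities and the subsystem_cert_is_ecc flag (the key type cannot be read from CS.cfg alone, so the caller supplies it) are constructed for the example.

```python
"""Offline audit of the CMC-related keys in a Certificate System CS.cfg file.

Added example, not from the Red Hat documentation or from Certificate System.
Assumes CS.cfg is a line-oriented key=value file with '#' comments; the keys
checked are the ones named in Section 14.8.
"""

# Constructed sample fragment of a CS.cfg, deliberately mixing good and weak
# settings so the audit has something to report. Not from a real instance.
SAMPLE_CS_CFG = """\
# constructed sample, not a real CS.cfg
cmc.popLinkWitnessRequired=true
cmc.bypassClientAuth=true
ca.cert.subsystem.nickname=subsystemCert cert-pki-ca
auths.impl.SharedToken.class=com.netscape.cms.authentication.SharedSecret
auths.instance.SharedToken.pluginName=SharedToken
auths.instance.SharedToken.shrTokAttr=shrTok
auths.instance.SharedToken.ldap.ldapconn.host=server.example.com
auths.instance.SharedToken.ldap.ldapconn.port=389
auths.instance.SharedToken.ldap.ldapconn.secureConn=false
auths.instance.SharedToken.ldap.ldapauth.authtype=BasicAuth
auths.instance.SharedToken.ldap.ldapauth.bindDN=cn=Directory Manager
auths.instance.SharedToken.ldap.basedn=ou=People,dc=example,dc=org
"""

SHARED_TOKEN = "auths.instance.SharedToken."


def parse_cs_cfg(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped.

    Only the first '=' separates key from value, so values that themselves
    contain '=' (bind DNs such as cn=Directory Manager) survive intact.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def is_true(cfg, key):
    """Boolean CS.cfg values are the literal string 'true' (case-insensitive here)."""
    return cfg.get(key, "").strip().lower() == "true"


def audit_cmc(cfg, subsystem_cert_is_ecc=False):
    """Return findings as (severity, key, message) tuples.

    subsystem_cert_is_ecc is supplied by the caller: the key type of the
    ca.cert.subsystem.nickname certificate is not recorded in CS.cfg.
    """
    findings = []

    # 14.8.2: PopLinkWitnessV2 control required on CMC requests.
    if not is_true(cfg, "cmc.popLinkWitnessRequired"):
        findings.append(("warn", "cmc.popLinkWitnessRequired",
                         "not set to true; CMC requests are accepted without the PopLinkWitnessV2 control"))

    # 14.8.3: SharedToken plug-in, audited only when it is configured at all.
    if cfg.get("auths.impl.SharedToken.class") or any(k.startswith(SHARED_TOKEN) for k in cfg):
        if not is_true(cfg, SHARED_TOKEN + "ldap.ldapconn.secureConn"):
            findings.append(("warn", SHARED_TOKEN + "ldap.ldapconn.secureConn",
                             "shared token lookups and the Directory Manager bind are not TLS-protected"))
        if cfg.get(SHARED_TOKEN + "ldap.ldapconn.port") != "636":
            findings.append(("info", SHARED_TOKEN + "ldap.ldapconn.port",
                             "port differs from the documented LDAPS port 636"))
        if cfg.get(SHARED_TOKEN + "shrTokAttr") != "shrTok":
            findings.append(("warn", SHARED_TOKEN + "shrTokAttr",
                             "does not match the shrTok attribute added to the Directory Server schema"))
        # Issuance protection certificate: optional for an RSA subsystem
        # certificate, required for an ECC one, and always an RSA certificate.
        if not cfg.get("ca.cert.issuance_protection.nickname"):
            if subsystem_cert_is_ecc:
                findings.append(("error", "ca.cert.issuance_protection.nickname",
                                 "required: an ECC subsystem certificate cannot serve as the RSA issuance protection certificate"))
            else:
                findings.append(("info", "ca.cert.issuance_protection.nickname",
                                 "unset; the ca.cert.subsystem.nickname certificate is used and must be RSA"))

    # 14.8.4: client-auth bypass is only needed for CMCRevoke requests submitted via the web UI.
    if is_true(cfg, "cmc.bypassClientAuth"):
        findings.append(("info", "cmc.bypassClientAuth",
                         "enabled; keep it only while CMCRevoke requests are submitted through the web UI"))
    return findings


if __name__ == "__main__":
    for severity, key, message in audit_cmc(parse_cs_cfg(SAMPLE_CS_CFG)):
        print(f"[{severity}] {key}: {message}")
```

Run against a real instance by replacing SAMPLE_CS_CFG with the contents of /var/lib/pki/instance_name/ca/conf/CS.cfg; on the constructed sample it reports the plaintext LDAP connection, the non-636 port, the unset issuance protection nickname and the enabled client-auth bypass, and the same fragment with secureConn=true, port 636 and an issuance protection nickname reduces the output to the bypassClientAuth reminder.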