13.4. Customizing Web Services
All of the subsystems (with the exception of the TKS) have some kind of a web-based services page for agents and some for other user types, like administrators or end entities. These web-based services pages use basic HTML and JavaScript, which can be customized to use different colors, logos, and other design elements to fit in with an existing site or intranet.
13.4.1. Customizing Subsystem Web Applications
Each PKI subsystem has a corresponding web application, which contains:
- HTML pages containing text, JavaScript code, page layout, CSS formatting, and so on
- A web.xml file, which defines servlets, paths, security constraints, and other settings
- Links to PKI libraries
The subsystem web applications are deployed using context files located in the /var/lib/pki/pki-tomcat/conf/Catalina/localhost/ directory, for example, the ca.xml file:
<Context docBase="/usr/share/pki/ca/webapps/ca" crossContext="true" allowLinking="true">
...
</Context>
The docBase points to the location of the default web application directory, /usr/share/pki/.
To customize the web application, copy the web application directory into the instance's webapps directory:
$ cp -r /usr/share/pki/ca/webapps/ca /var/lib/pki/pki-tomcat/webapps
Then change the docBase to point to the custom web application directory, relative to the webapps directory:
<Context docBase="ca" crossContext="true" allowLinking="true">
...
</Context>
The change will be effective immediately without the need to restart the server.
To remove the custom web application, simply revert the docBase and delete the custom web application directory:
$ rm -rf /var/lib/pki/pki-tomcat/webapps/ca
13.4.2. Customizing the Web UI Theme
The subsystem web applications in the same instance share the same theme, which contains:
- CSS files, which determine the global appearance
- Image files including logo, icons, and other
- Branding properties, which determine the page title, logo link, title color, and other.
The Web UI theme is deployed using the pki.xml context file in the /var/lib/pki/pki-tomcat/conf/Catalina/localhost/ directory:
<Context docBase="/usr/share/pki/common-ui" crossContext="true" allowLinking="true">
...
</Context>
The docBase points to the location of the default theme directory, /usr/share/pki/.
To customize the theme, copy the default theme directory into the pki directory in the instance's webapps directory:
$ cp -r /usr/share/pki/common-ui /var/lib/pki/pki-tomcat/webapps/pki
Then change the docBase to point to the custom theme directory, relative to the webapps directory:
<Context docBase="pki" crossContext="true" allowLinking="true">
...
</Context>
The change will be effective immediately without the need to restart the server.
To remove the custom theme, simply revert the docBase and delete the custom theme directory:
$ rm -rf /var/lib/pki/pki-tomcat/webapps/pki
13.4.3. Customizing TPS Token State Labels
The default token state labels are stored in the /usr/share/pki/tps/conf/token-states.properties file and described in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
To customize the labels, copy the file into the instance directory:
$ cp /usr/share/pki/tps/conf/token-states.properties /var/lib/pki/pki-tomcat/tps/conf
The change will be effective immediately without the need to restart the server.
To remove the customized labels, simply delete the customized file:
$ rm /var/lib/pki/pki-tomcat/tps/conf/token-states.properties
13.4.4. Setting Limits on Searches through the CA End-Entities Pages
Large PKIs can have tens of thousands, even millions, of certificates, keys, and requests maintained in their databases. When users search for their certificates or agents list requests, it is therefore possible for thousands or millions of entries to be returned. Large search results can significantly affect CA performance, so it is possible to limit the number of results returned for a search or the amount of time that searches can take.
There are two files that can manage search limits for the CA end-entities pages:
- The CS.cfg file in the /var/lib/pki/instance_name/conf/ca directory
- The web.xml file in the /usr/share/pki/ca/webapps/ca/WEB-INF/ directory (default) or, if configured, the customized one under /var/lib/pki/instance-name/webapps/
The CS.cfg file has a single parameter which can set the maximum number of returned results for all user interfaces and all search types. To set this value:
- Stop the CA instance. For example:
systemctl stop pki-tomcatd@instance_name.service
- Open the CS.cfg file:
vim /var/lib/pki/instance_name/conf/ca/CS.cfg
- Change the ca.maxSearchReturns line to set the number of entries to return. The default is 1000.
# maxSearchReturns - limits number of search results returned by SearchReqs and SrchCerts
ca.maxSearchReturns=1000
- Start the CA instance. For example:
systemctl start pki-tomcatd@instance_name.service
The web.xml file provides more control over the results settings:
- For one thing, both the number of results and the time limit for searches can be set, as opposed to
- Additionally, each interface — admin, agents, and end-entities — can be configured with a different result limit and time limit.
- Each operation can be configured with a different result limit and time limit. This means that searching for certificate requests can have different search limits than searching for certificates or CRLs.
The two parameters in the web.xml file which set the search limits are maxResults and timeLimits. These parameters are added as <param-value> lines to a servlet entry. Either one or both can be set for each entry.
Each servlet entry is identified in <servlet-name> tags, and the interface (web services pages) that the servlet is used for is identified in the <param-name>interface</param-name> parameter.
Example 13.1, “web.xml Search Limit Settings” shows the setting for a time limit for searching for requests in the agent interface and the setting for a maximum number of results limit for the listing certificates search in the end-entities interface.
Example 13.1. web.xml Search Limit Settings
<servlet-name> casearchReqs </servlet-name>
...
<init-param><param-name> interface </param-name>
<param-value> agent </param-value> </init-param>
...
<init-param><param-name> timeLimits </param-name>
<param-value> 10 </param-value> </init-param>
<servlet-name> caListCerts </servlet-name>
...
<init-param><param-name> interface </param-name>
<param-value> ee </param-value> </init-param>
<init-param><param-name> maxResults </param-name>
<param-value> 1000 </param-value> </init-param>
13.4.5. Setting SSL Session Timeouts
All of the PKI subsystem instances have a default SSL session timeout period of 30 minutes. This timeout removes data from the session cache when the timeout period (meaning, the inactive period) is reached, which decreases the ability of unauthorized users to access that information.
Each CA, KRA, OCSP, TKS, and TPS instance has its own Tomcat service which powers its web services pages. The configuration for the web services is in the /usr/share/pki/subsystem_type/webapps/subsystem_type/WEB-INF/web.xml file, in the <session-timeout> tag.
To change the session timeout for a particular instance, follow the instructions in Section 13.4.1, “Customizing Subsystem Web Applications”, stop the instance, edit the appropriate web.xml file(s), and restart the instance.
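As an added check, not taken from this guide or from Certificate System itself, the following Python script parses a web.xml, lists the interface, maxResults and timeLimits of each servlet that declares an interface init-param (Section 13.4.4), names the servlets that have no per-servlet limit of either kind, and reads the <session-timeout> value from Section 13.4.5. The embedded web.xml is a constructed sample based on Example 13.1; the demoSearch servlet name is hypothetical.

```python
import xml.etree.ElementTree as ET
# Constructed sample modelled on Example 13.1; "demoSearch" is a hypothetical
# servlet that declares an interface but neither maxResults nor timeLimits.
SAMPLE_WEB_XML = """<web-app>
  <servlet><servlet-name> casearchReqs </servlet-name>
    <init-param><param-name> interface </param-name><param-value> agent </param-value></init-param>
    <init-param><param-name> timeLimits </param-name><param-value> 10 </param-value></init-param>
  </servlet>
  <servlet><servlet-name> caListCerts </servlet-name>
    <init-param><param-name> interface </param-name><param-value> ee </param-value></init-param>
    <init-param><param-name> maxResults </param-name><param-value> 1000 </param-value></init-param>
  </servlet>
  <servlet><servlet-name> demoSearch </servlet-name>
    <init-param><param-name> interface </param-name><param-value> ee </param-value></init-param>
  </servlet>
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""

def _local(tag):
    # Strip a default namespace so this works whether or not <web-app> has xmlns.
    return tag.rsplit("}", 1)[-1]

def audit_search_limits(web_xml_text):
    """Servlet name -> {interface, maxResults, timeLimits} (None = not set)."""
    report = {}
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, params = None, {}
        for child in servlet:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(p.tag): (p.text or "").strip() for p in child}
                params[kv.get("param-name")] = kv.get("param-value")
        if name and "interface" in params:  # only the web-services servlets
            limits = {k: int(params[k]) if k in params else None for k in ("maxResults", "timeLimits")}
            report[name] = dict(interface=params["interface"], **limits)
    return report

def unlimited_servlets(report):
    """Interface servlets with no per-servlet limit of either kind."""
    return sorted(n for n, v in report.items()
                  if v["maxResults"] is None and v["timeLimits"] is None)

def session_timeout_minutes(web_xml_text):
    """<session-config><session-timeout> in minutes, or None if absent."""
    hits = [el for el in ET.fromstring(web_xml_text).iter() if _local(el.tag) == "session-timeout"]
    return int((hits[0].text or "").strip()) if hits else None
```

Point the functions at /usr/share/pki/ca/webapps/ca/WEB-INF/web.xml, or at the customized copy under the instance's webapps directory, to confirm the limits and timeout before restarting the instance.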
