13.8. Configuration for CMC

This section describes how to configure Certificate System for Certificate Management over CMS (CMC).

13.8.1. Understanding How CMC Works

Before configuring CMC, read the following documentation to learn more about the subject:

13.8.2. Enabling the PopLinkWittnessV2 Feature

For a high-level security on the Certificate Authority (CA), enable the following option in the /var/lib/pki/instance_name/ca/conf/CS.cfg file:
cmc.popLinkWitnessRequired=true

13.8.3. Enabling the CMC Shared Secret Feature

To enable the shared token feature in a Certificate Authority (CA):
  1. If the watchdog service is enabled on the host, temporarily disable it. See Section 13.3.2.4, “Disabling the Watchdog Service”.
  2. Add the shrTok attribute to Directory Server's schema:
    # ldapmodify -D "cn=Directory Manager" -H ldaps://server.example.com:636 -W -x
    
    dn: cn=schema
    changetype: modify
    add: attributetypes
    attributetypes: ( 2.16.840.1.117370.3.1.123 NAME 'shrTok' DESC 'User
     Defined ObjectClass for SharedToken' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
     SINGLE-VALUE X-ORIGIN 'custom for sharedToken')
  3. If the system keys are stored on a Hardware Security Module (HSM), set the cmc.token parameter in the /var/lib/pki/instance_name/ca/conf/CS.cfg file. For example:
    cmc.token=NHSM6000
  4. Enable the shared token authentication plug-in by using one of the following methods:
    • To enable the plug-in using the pkiconsole utility:
      1. Log into the system using the pkiconsole utility. For example:
        # pkiconsole https:host.example.com:8443/ca
      2. On the Configuration tab, select Authentication.
      3. Click Add and select SharedToken.
      4. Click Next.
      5. Enter the following information:
        Authentication InstanceID=SharedToken
        shrTokAttr=shrTok
        ldap.ldapconn.host=server.example.com
        ldap.ldapconn.port=636
        ldap.ldapconn.secureConn=true
        ldap.ldapauth.bindDN=cn=Directory Manager
        password=password
        ldap.ldapauth.authtype=BasicAuth
        ldap.basedn=ou=People,dc=example,dc=org
      6. Click OK.
    • To manually enable the plug-in, add the following settings into the /var/lib/pki/instance_name/ca/conf/CS.cfg file:
      auths.impl.SharedToken.class=com.netscape.cms.authentication.SharedSecret
      auths.instance.SharedToken.dnpattern=
      auths.instance.SharedToken.ldap.basedn=ou=People,dc=example,dc=org
      auths.instance.SharedToken.ldap.ldapauth.authtype=BasicAuth
      auths.instance.SharedToken.ldap.ldapauth.bindDN=cn=Directory Manager
      auths.instance.SharedToken.ldap.ldapauth.bindPWPrompt=Rule SharedToken
      auths.instance.SharedToken.ldap.ldapauth.clientCertNickname=
      auths.instance.SharedToken.ldap.ldapconn.host=server.example.com
      auths.instance.SharedToken.ldap.ldapconn.port=636
      auths.instance.SharedToken.ldap.ldapconn.secureConn=true
      auths.instance.SharedToken.ldap.ldapconn.version=3
      auths.instance.SharedToken.ldap.maxConns=
      auths.instance.SharedToken.ldap.minConns=
      auths.instance.SharedToken.ldapByteAttributes=
      auths.instance.SharedToken.ldapStringAttributes=
      auths.instance.SharedToken.pluginName=SharedToken
      auths.instance.SharedToken.shrTokAttr=shrTok
  5. Set the nickname of an RSA issuance protection certificate in the ca.cert.issuance_protection.nickname parameter in the /var/lib/pki/instance_name/ca/conf/CS.cfg file. For example:
    ca.cert.issuance_protection.nickname=issuance_protection_certificate
    This step is:
    • Optional if you use an RSA certificate in the ca.cert.subsystem.nickname parameter.
    • Required if you use an ECC certificate in the ca.cert.subsystem.nickname parameter.

    Important

    If the ca.cert.issuance_protection.nickname parameter is not set, Certificate System automatically uses the certificate of the subsystem specified in the ca.cert.subsystem.nickname. However, the issuance protection certificate must be an RSA certificate.
  6. Restart Certificate System:
    # systemctl restart pki-tomcatd@instance_name.service
    When the CA starts, Certificate System prompts for the LDAP password used by the Shared Token plug-in.
  7. If you temporarily disabled the watchdog service at the beginning of this procedure, re-enable it. See Section 13.3.2.1, “Enabling the Watchdog Service”.

13.8.4. Enabling CMCRevoke for the Web User Interface

As described in the Performing a CMC Revocation section in the Red Hat Certificate System Administration Guide, there are two ways to submit CMC revocation requests.
In cases when you use the CMCRevoke utility to create revocation requests to be submitted through the web UI, add the following setting to the /var/lib/pki/instance_name/ca/conf/CS.cfg file:
cmc.bypassClientAuth=true