Chapter 18. Creating a Role User

As explained in Section 2.6.6.1, “Default Administrative Roles”, a bootstrap user was created during the installation. After the installation, create real users and assign them proper system privileges. For compliance, each user must be a member of only one role (group).
This chapter instruct you how to:
  • Create a Certificate System administrative user on the operating system
  • Create a PKI role in Certificate System

18.1. Creating a PKI Administrative User on the Operating System

This section is for administrative role users. Agent and Auditor role users, see Section 18.2, “Creating a PKI Role User in Certificate System”.
In general, administrators, agents, and auditors in Certificate System can manage the Certificate System instance remotely using client applications, such as command-line utilities, the Java Console, and browsers. For the majority of CS management tasks, a Certificate System role user does not need to log on to the host machine where the instance runs. For example, an auditor role user is allowed to retrieve signed audit logs remotely for verification, and an agent role user can use the agent interface to approve a certificate issuance, while an administrator role user can use command-line utilities to configure a profile.
In certain cases, however, a Certificate System administrator requires to log in to the host system to modify configuration files directly, or to start or stop a Certificate System instance. Therefore, on the operating system, the administrator role user should be someone who is allowed to make changes to the configuration files and read various logs associated with Red Hat Certificate System.

Note

Do not allow the Certificate System administrators or anyone other than the auditors to access the audit log files.
  1. Create the pkiadmin group on the operating system.
    # groupadd -r pkiadmin
  2. Add the pkiuser to the pkiadmin group:
    # usermod -a -G pkiadmin pkiuser
  3. Create a user on the operating system. For example, to create the jsmith account:
    # useradd -g pkiadmin -d /home/jsmith -s /bin/bash -c "Red Hat Certificate System Administrator John Smith" -m jsmith
    For details, see the useradd(8) man page.
  4. Add the user jsmith to the pkiadmin group:
    # usermod -a -G pkiadmin jsmith
    For details, see the usermod(8) man page.
    If you are using a nCipher hardware security module (HSM), add the user who manages the HSM device to the nfast group:
    # usermod -a -G nfast pkiuser
    # usermod -a -G nfast jsmith
  5. Add proper sudo rules to allow the pkiadmin group to Certificate System and other system services.
    For both simplicity of administration and security, the Certificate System and Directory Server processes can be configured so that PKI administrators (instead of only root) can start and stop the services.
    A recommended option when setting up subsystems is to use a pkiadmin system group. (Details are Section 6.7, “Certificate System Operating System Users and Groups”). All of the operating system users which will be Certificate System administrators are then added to this group. If this pkiadmin system group exists, then it can be granted sudo access to perform certain tasks.
    1. Edit the /etc/sudoers file; on Red Hat Enterprise Linux, this can be done using the visudo command:
      # visudo
    2. Depending on what is installed on the machine, add a line for the Directory Server, the Administration Server, PKI management tools, and each PKI subsystem instance, granting sudo rights to the pkiadmin group:
      # For Directory Server services
      %pkiadmin ALL = PASSWD: /usr/bin/systemctl * dirsrv.target
      %pkiadmin ALL = PASSWD: /usr/bin/systemctl * dirsrv-admin.service
      
      # For PKI instance management
      %pkiadmin ALL = PASSWD: /usr/sbin/pkispawn *
      %pkiadmin ALL = PASSWD: /usr/sbin/pkidestroy *
      
      # For PKI instance services
      %pkiadmin ALL = PASSWD: /usr/bin/systemctl * pki-tomcatd@instance_name.service
      

    Important

    Make sure to set sudo permissions for every Certificate System, Directory Server, and Administration Server on the machine — and only for those instances on the machine. There could be multiple instances of the same subsystem type on a machine or no instance of a subsystem type. It depends on the deployment.
  6. Set the group on the following files to pkiadmin:
    # chgrp pkiadmin /etc/pki/instance_name/server.xml
    # chgrp -R pkiadmin /etc/pki/instance_name/alias
    # chgrp pkiadmin /etc/pki/instance_name/subsystem/CS.cfg
    # chgrp pkiadmin /var/log/pki/instance_name/subsystem/debug
After creating the administrative user on the operating system, follow Section 18.2, “Creating a PKI Role User in Certificate System”.