Chapter 18. Creating a Role User
As explained in Section 2.6.6.1, “Default Administrative Roles”, a bootstrap user was created during the installation. After the installation, create real users and assign them proper system privileges. For compliance, each user must be a member of only one role (group).
This chapter instruct you how to:
- Create a Certificate System administrative user on the operating system
- Create a PKI role in Certificate System
18.1. Creating a PKI Administrative User on the Operating System
This section is for administrative role users. Agent and Auditor role users, see Section 18.2, “Creating a PKI Role User in Certificate System”.
In general, administrators, agents, and auditors in Certificate System can manage the Certificate System instance remotely using client applications, such as command-line utilities, the Java Console, and browsers. For the majority of CS management tasks, a Certificate System role user does not need to log on to the host machine where the instance runs. For example, an auditor role user is allowed to retrieve signed audit logs remotely for verification, and an agent role user can use the agent interface to approve a certificate issuance, while an administrator role user can use command-line utilities to configure a profile.
In certain cases, however, a Certificate System administrator requires to log in to the host system to modify configuration files directly, or to start or stop a Certificate System instance. Therefore, on the operating system, the administrator role user should be someone who is allowed to make changes to the configuration files and read various logs associated with Red Hat Certificate System.
Note
Do not allow the Certificate System administrators or anyone other than the auditors to access the audit log files.
- Create the
pkiadmingroup on the operating system.# groupadd -r pkiadmin
- Add the
pkiuserto thepkiadmingroup:# usermod -a -G pkiadmin pkiuser
- Create a user on the operating system. For example, to create the
jsmithaccount:# useradd -g pkiadmin -d /home/jsmith -s /bin/bash -c "Red Hat Certificate System Administrator John Smith" -m jsmith
For details, see the useradd(8) man page. - Add the user
jsmithto thepkiadmingroup:# usermod -a -G pkiadmin jsmith
For details, see the usermod(8) man page.If you are using a nCipher hardware security module (HSM), add the user who manages the HSM device to thenfastgroup:# usermod -a -G nfast pkiuser # usermod -a -G nfast jsmith
- Add proper
sudorules to allow thepkiadmingroup to Certificate System and other system services.For both simplicity of administration and security, the Certificate System and Directory Server processes can be configured so that PKI administrators (instead of only root) can start and stop the services.A recommended option when setting up subsystems is to use apkiadminsystem group. (Details are Section 6.7, “Certificate System Operating System Users and Groups”). All of the operating system users which will be Certificate System administrators are then added to this group. If thispkiadminsystem group exists, then it can be granted sudo access to perform certain tasks.- Edit the
/etc/sudoersfile; on Red Hat Enterprise Linux, this can be done using thevisudocommand:# visudo
- Depending on what is installed on the machine, add a line for the Directory Server, the Administration Server, PKI management tools, and each PKI subsystem instance, granting
sudorights to thepkiadmingroup:# For Directory Server services %pkiadmin ALL = PASSWD: /usr/bin/systemctl * dirsrv.target %pkiadmin ALL = PASSWD: /usr/bin/systemctl * dirsrv-admin.service # For PKI instance management %pkiadmin ALL = PASSWD: /usr/sbin/pkispawn * %pkiadmin ALL = PASSWD: /usr/sbin/pkidestroy * # For PKI instance services %pkiadmin ALL = PASSWD: /usr/bin/systemctl * pki-tomcatd@instance_name.service
Important
Make sure to set sudo permissions for every Certificate System, Directory Server, and Administration Server on the machine — and only for those instances on the machine. There could be multiple instances of the same subsystem type on a machine or no instance of a subsystem type. It depends on the deployment. - Set the group on the following files to
pkiadmin:# chgrp pkiadmin /etc/pki/instance_name/server.xml # chgrp -R pkiadmin /etc/pki/instance_name/alias # chgrp pkiadmin /etc/pki/instance_name/subsystem/CS.cfg # chgrp pkiadmin /var/log/pki/instance_name/subsystem/debug
After creating the administrative user on the operating system, follow Section 18.2, “Creating a PKI Role User in Certificate System”.
