6.6. Setting up Operating System Users and Groups

When installing Certificate System, the pkiuser account and the corresponding pkiuser group are created automatically. Certificate System uses this account and group to start its services. Additionally, Red Hat recommends creating separate groups for the operators who maintain the system and for the auditors who read the signed audit logs, so that neither role needs the service account.

6.6.1. Creating Groups for Certificate System

Certificate System uses the following groups:

pkiuser
    The pkiuser group is created automatically when installing the Certificate System packages and uses GID 17. Only the auto-created pkiuser account is a member of this group. Certificate System uses this account and group to start its services. Do not add other accounts to this group.

pkiadmin
    Members of this system group have full access to tasks in the agent service interface.
    To create the recommended pkiadmin group, enter:
    # groupadd -r pkiadmin
    Optionally, add sudo rules to Red Hat Enterprise Linux to enable members of this group to read and modify Certificate System configuration files, such as CS.cfg, server.xml, and the profiles. For details about configuring sudo, see the corresponding documentation in the Red Hat System Administrator's Guide.

pkiaudit
    Members of this system group can read the signed audit logs.
    To create the recommended pkiaudit group, enter:
    # groupadd -r pkiaudit

Optional: A hardware token group
    If the subsystem uses a hardware token, the pkiuser account must be a member of the group that owns the token's device files and sockets. For example, when you use the nCipher token, the nfast group is used to access the module.

6.6.2. Creating Users and Assigning Them to the Certificate System Groups

By adding users to the recommended pkiadmin and pkiaudit groups, you assign permissions to these accounts. For example, members of pkiadmin can manage tasks in the agent interface, and members of pkiaudit can read signed audit logs.
For example, to create a new user and assign the account to the pkiadmin group:
  1. Create the user account:
    # useradd -m user_name
    For further details about creating user accounts, see the corresponding section in the System Administrator's Guide.
  2. Set a password for the account:
    # passwd user_name
  3. Add the account to the pkiadmin group:
    # usermod -a -G pkiadmin user_name
    The -a option appends the group to the account's supplementary groups. Without it, -G replaces every supplementary group the account already has.
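The procedure from 6.6.1 and 6.6.2 as one idempotent script, with the checks an administrator would run afterwards. This is an added example and is not part of the Red Hat Certificate System documentation or packages. The instance name pki-tomcat, the /etc/pki/pki-tomcat/... paths used in the sudo rule, and the operator account names are assumptions; the sudo rule uses sudoedit for the two named files rather than granting an editor as root, because an editor run under sudo can spawn a root shell.

```bash
#!/bin/bash
# Added example, not from the Red Hat Certificate System documentation:
# creates the pkiadmin/pkiaudit groups, an operator account, an optional
# sudoers rule, and verifies the result. Instance name "pki-tomcat" and the
# configuration file paths are assumptions for a default installation.
set -u

# Member field of a getent(1) group line: "pkiadmin:x:989:alice,bob" -> "alice,bob".
getent_members() {
    printf '%s\n' "${1##*:}"
}

# Return 0 if group $2 occurs in the space-separated list $1 (the `id -nG user` format).
group_member() {
    local g
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Create a system group unless it already exists.
ensure_system_group() {
    getent group "$1" >/dev/null 2>&1 || groupadd -r "$1"
}

# sudoers rule letting pkiadmin members edit one instance's server.xml and the
# CA's CS.cfg via sudoedit: no shell, no wildcards, only the two named files.
pkiadmin_sudoers_rule() {
    printf '%%pkiadmin ALL=(root) sudoedit /etc/pki/%s/server.xml, sudoedit /etc/pki/%s/ca/CS.cfg\n' \
        "$1" "$1"
}

# Validate the rule with visudo before installing it; a syntax error under
# /etc/sudoers.d would otherwise break sudo for every user on the host.
install_pkiadmin_sudoers() {
    local tmp rc
    tmp="$(mktemp)" || return 1
    pkiadmin_sudoers_rule "$1" > "$tmp"
    chmod 0440 "$tmp"
    if visudo -c -f "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/pkiadmin
        rc=$?
    else
        echo "sudoers rule failed validation, not installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Create an operator account, add it to pkiadmin or pkiaudit, then verify.
# Usage: add_pki_operator <user_name> <pkiadmin|pkiaudit>
add_pki_operator() {
    local user="$1" group="$2" extra
    case "$group" in
        pkiadmin|pkiaudit) ;;
        *) echo "refusing: $group is not an operator group" >&2; return 1 ;;
    esac
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }

    ensure_system_group pkiadmin
    ensure_system_group pkiaudit
    id "$user" >/dev/null 2>&1 || useradd -m "$user"
    passwd "$user"
    # -a is essential: plain -G would replace the user's other supplementary groups.
    usermod -a -G "$group" "$user"

    group_member "$(id -nG "$user")" "$group" \
        || { echo "$user is not in $group after usermod" >&2; return 1; }

    # pkiuser is the service account and must remain the only account in its group.
    extra="$(getent_members "$(getent group pkiuser)")"
    [ -z "$extra" ] || echo "warning: extra members in group pkiuser: $extra" >&2
    echo "$user is now in: $(id -nG "$user")"
}

# Run the procedure only when arguments are given, so the file can also be sourced.
if [ $# -ge 2 ]; then
    add_pki_operator "$1" "$2"
    if [ "$2" = pkiadmin ]; then
        install_pkiadmin_sudoers pki-tomcat
    fi
fi
```

Run it as root with `./pki-operator.sh alice pkiadmin` (file name and account name assumed). The warning about extra members in the pkiuser group is the check for the rule in 6.6.1 that no other account may be added to that group; the hardware token case is the reverse direction (pkiuser joins the token group, for example nfast) and is not touched by this script.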