6.6. Setting up Operating System Users and Groups
When installing Certificate System, the pkiuser account and the corresponding pkiuser group are automatically created. Certificate System uses this account and group to start services. Additionally, Red Hat recommends creating additional groups to let users maintain tasks and to read the signed audit logs.
6.6.1. Creating Groups for Certificate System
Certificate System uses the following groups:
- pkiuser
  The pkiuser group is automatically created when installing the Certificate System packages and uses GID 17. Only the auto-created pkiuser account is a member of this group. Certificate System uses this account and group to start services. Do not add other accounts to this group.
- pkiadmin
  Members of this system group have full access to tasks in the agent service interface. To create the recommended pkiadmin group, enter:
  # groupadd -r pkiadmin
  Optionally, add sudo rules to Red Hat Enterprise Linux to enable members of this group to read and modify Certificate System configuration files, such as CS.cfg, server.xml, and profiles. For details about configuring sudo, see the corresponding documentation in the Red Hat System Administrator's Guide.
- pkiaudit
  Members of this system group can read the signed audit logs. To create the recommended pkiaudit group, enter:
  # groupadd -r pkiaudit
- Optional: A hardware token group
  If the subsystem uses a hardware token, the pkiuser account must be a member of the hardware token group. For example, when you use the nCipher token, the nfast group is used to access the module.
6.6.2. Creating Users and Assigning Them to the Certificate System Groups
By adding users to the recommended pkiadmin and pkiaudit groups, you assign permissions to these accounts. For example, members of pkiadmin can manage tasks in the agent interface, and members of pkiaudit can read signed audit logs.
For example, to create a new user and assign the account to the pkiadmin group:
- Create the user account:
  # useradd -m user_name
  For further details about creating user accounts, see the corresponding section in the System Administrator's Guide.
- Set a password for the account:
  # passwd user_name
- Add the account to the pkiadmin group:
  # usermod -a -G pkiadmin user_name
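The following shell function is an added example, not part of the Red Hat documentation: it checks group(5)-format data, such as /etc/group, against the group layout described in 6.6.1. The function name, the FINDING output format and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Usage: audit_pki_groups [token_group] < /etc/group
# Prints one FINDING line per deviation; status is 0 when clean, 1 otherwise.
# The function name and output format are illustrative assumptions.
audit_pki_groups() (
    token_group=${1:-}      # optional hardware token group, e.g. nfast
    set -f                  # no globbing while splitting member lists
    rc=0
    seen=""
    finding() { echo "FINDING: $1"; rc=1; }

    while IFS=: read -r name _pw gid members; do
        case $name in
        "") continue ;;
        pkiuser)
            [ "$gid" = 17 ] || finding "pkiuser has GID $gid, expected 17"
            # The member field may be empty: a primary group is recorded
            # in /etc/passwd. Anything other than pkiuser is a deviation.
            IFS=,
            for m in $members; do
                [ "$m" = pkiuser ] || finding "pkiuser has extra member $m"
            done
            unset IFS ;;
        "$token_group")
            case ",$members," in
            *,pkiuser,*) ;;
            *) finding "pkiuser is not a member of $name" ;;
            esac ;;
        esac
        seen="$seen $name"
    done

    # Every expected group must exist at all.
    for g in pkiuser pkiadmin pkiaudit $token_group; do
        case " $seen " in
        *" $g "*) ;;
        *) finding "group $g is missing" ;;
        esac
    done
    exit "$rc"
)

# Constructed sample data, not taken from a real host.
audit_pki_groups nfast <<'EOF' || true
pkiuser:x:17:pkiuser,alice
pkiadmin:x:988:alice
nfast:x:990:
EOF
```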
