8.2. Installing Red Hat Certificate System Subsystems

The following sections contain information on the prerequisites and procedures for installing Red Hat Certificate System subsystems, including basic information that you need to begin installing the packages. The basic installation process is as follows:
  1. Install a Red Hat Enterprise Linux 7.1 server with an active network connection.

    Note

    While not required, for most real-world deployments, the recommended approach is to install the Red Hat Directory Server and the Red Hat Certificate System on separate machines with Red Hat Enterprise Linux 7.1 installed. If separate machines are used in the deployment, unless otherwise noted, execute the following command sequences on both machines.
  2. Subscribe the system using Red Hat Subscription Manager and attach the subscription providing Red Hat Certificate System:
    # subscription-manager register
    # subscription-manager list --available --all
    Make note of the pool ID providing Red Hat Certificate System. In addition, all certificate subsystems also require access to Red Hat Directory Server:
    # subscription-manager attach --pool=POOL_ID_CERT_SYSTEM
    # subscription-manager attach --pool=POOL_ID_DIR_SERVER
    For the machine where the certificate system resides, also make sure to attach the subscription for the Red Hat Enterprise Linux Server, and then enable the Red Hat Enterprise Linux Optional repository:
    # subscription-manager attach --pool=POOL_ID_Red_Hat_Enterprise_Linux_Server
    # subscription-manager repos --enable rhel-7-server-optional-rpms
  3. Enable the certificate system and directory server repositories.
    • Enable the certificate server repository on the machine where it will reside:
      # subscription-manager repos --enable=rhel-7-server-rhcs-9-rpms
    • Enable the directory server repository on the machine where it will reside:
      # subscription-manager repos --enable=rhel-7-server-rhds-10-rpms
  4. Before continuing, make sure that the latest updates have been applied to each Red Hat Enterprise Linux 7.1 system you use:
    # yum update
  5. On the machine where it will reside, install the directory server packages:
    # yum install redhat-ds
  6. Ensure that a real domain name is specified in each /etc/resolv.conf file and that a host name is set within each /etc/hosts file.
  7. On the machine where it will reside, run the directory server installation script, selecting the defaults or customizing as required:
    # /usr/sbin/setup-ds-admin.pl
  8. On the machine where it will reside, install the certificate system packages:
    # yum install redhat-pki
  9. On the machine where the certificate server resides, run the pkispawn script to create and configure the subsystem instances. At least one CA subsystem must be installed and fully configured before any other type of subsystem can be configured. For details, see the pkispawn man page.
  10. To access the agent interface of various Red Hat Certificate System subsystems, use a properly configured local or remote Mozilla Firefox web browser.
Installing and configuring Red Hat Certificate System subsystems is described in more detail in the Planning, Installation, and Deployment Guide.
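
A preflight check for step 6, as an added example that is not part of the Red Hat guide: it tests that a resolv.conf file names a dotted domain and that the host's fully qualified name is listed in a hosts file. The host name pki1.example.com, the addresses, the return codes, and the reading of "real domain name" as "contains a dot" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): preflight check for step 6.
# File paths are arguments so the check can run against copies or fixtures.
# Return codes are this example's own convention:
#   0 = ok, 1 = no dotted domain in resolv.conf, 2 = FQDN not listed in hosts
check_name_config() {
    resolv=$1; hosts=$2; fqdn=$3

    # resolv.conf: a "domain" or "search" line whose first value contains a dot
    awk '($1 == "domain" || $1 == "search") && $2 ~ /\./ { ok = 1 }
         END { exit !ok }' "$resolv" || return 1

    # hosts: the FQDN appears as a name (field 2 onward) on a non-comment line
    awk -v h="$fqdn" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }' "$hosts" || return 2
    return 0
}

# Constructed sample files (hypothetical host pki1.example.com).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf 'search example.com\nnameserver 192.0.2.53\n' > "$sample_dir/resolv.ok"
printf 'nameserver 192.0.2.53\n' > "$sample_dir/resolv.bad"
printf '127.0.0.1 localhost\n192.0.2.10 pki1.example.com pki1\n' > "$sample_dir/hosts.ok"
printf '127.0.0.1 localhost\n# 192.0.2.10 pki1.example.com\n' > "$sample_dir/hosts.bad"

for pair in "resolv.ok hosts.ok" "resolv.bad hosts.ok" "resolv.ok hosts.bad"; do
    set -- $pair
    rc=0
    check_name_config "$sample_dir/$1" "$sample_dir/$2" pki1.example.com || rc=$?
    echo "$1 + $2 -> $rc"
done
```

On a real host, call it as check_name_config /etc/resolv.conf /etc/hosts "$(hostname -f)" on each machine before running the setup scripts.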

8.2.1. Verifying JDK Version

Red Hat Certificate System supports and automatically installs OpenJDK 1.7.0.
If you require another version, OpenJDK can be installed by using yum or by downloading the packages directly from http://openjdk.java.net/install/. For example:
# yum install java-1.7.0-openjdk
After installing the JDK, run /usr/sbin/alternatives as root to ensure that the proper JDK is available and selected in order to use Red Hat Certificate System 9:
# /usr/sbin/alternatives --config java
There are 3 programs which provide 'java'.
  Selection    Command
-----------------------------------------------
   1           /usr/lib/jvm/jre-1.4.2-gcj/bin/java
 + 2           /usr/lib/jvm/jre-1.7.0-openjdk/bin/java
*  3           /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java
Use the /usr/sbin/alternatives command to configure the appropriate selection if it has not already been selected.
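
The listing above can be checked by script rather than by eye. The following added example (not part of the Red Hat guide) reads such a listing, reports the row flagged "+" (the current selection; "*" flags the version alternatives considers best), and tests whether it is OpenJDK 1.7.0. The function names and the second listing are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): read an `alternatives --config java`
# listing and report which command is currently selected.
# In that listing "+" marks the current selection and "*" marks the best version.

# Print the command path of the row flagged "+"; the listing is read on stdin.
selected_java() {
    awk '/^[ \t*+]*[0-9]+[ \t]+\// {
             marks = $0
             sub(/[0-9].*/, "", marks)      # keep only the flag columns
             if (index(marks, "+")) print $NF
         }'
}

# Succeed only if the selected command belongs to OpenJDK 1.7.0.
java_selection_ok() {
    case "$(selected_java)" in
        *1.7.0-openjdk*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Listing from section 8.2.1 (selection 2 is current).
listing_ok="There are 3 programs which provide 'java'.
  Selection    Command
-----------------------------------------------
   1           /usr/lib/jvm/jre-1.4.2-gcj/bin/java
 + 2           /usr/lib/jvm/jre-1.7.0-openjdk/bin/java
*  3           /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java"

# Constructed variant: the Sun JRE is both best and current.
listing_bad="   1           /usr/lib/jvm/jre-1.7.0-openjdk/bin/java
*+ 2           /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java"

printf '%s\n' "$listing_ok"  | selected_java
printf '%s\n' "$listing_ok"  | java_selection_ok && echo "ok: OpenJDK 1.7.0 selected"
printf '%s\n' "$listing_bad" | java_selection_ok || echo "fix: run alternatives --config java"
```

On a live host, readlink /etc/alternatives/java shows the currently selected target without the interactive prompt.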

8.2.2. Installing through yum

To install the subsystems on Red Hat Enterprise Linux 7.1, run a command like the following for each subsystem:
# yum install pki-subsystem
subsystem can be any of the Red Hat Certificate System subsystems:
  • ca for the Certificate Manager.
  • kra for the Key Recovery Authority.
  • ocsp for the Online Certificate Status Protocol Responder.
  • tks for the Token Key System.
  • tps for the Token Processing System.
  • console for the Java console.
To install all Red Hat Certificate System 9 certificate server PKI packages, enter:
# yum install redhat-pki

8.2.3. Installing from an ISO image

Red Hat Certificate System 9 can be downloaded from the Content Delivery Network as an ISO image. This ISO image contains an RPMS/ directory which can be used as a local yum repository.
For the machine where the certificate system resides, make sure to attach the subscription for the Red Hat Enterprise Linux Server, and then enable the Red Hat Enterprise Linux Optional repository:
# subscription-manager attach --pool=POOL_ID_Red_Hat_Enterprise_Linux_Server
# subscription-manager repos --enable rhel-7-server-optional-rpms
Place the RPMS/ directory on a web server and then configure yum to use that location as a repository. After that, install Red Hat Certificate System as described in Section 8.2.2, “Installing through yum”.
Red Hat Directory Server can also be obtained as an ISO image. See the Directory Server documentation for details.
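
One way to define the local repository for the ISO's RPMS/ directory, as an added example that is not part of the Red Hat guide: it emits a repository definition and checks that every section sets gpgcheck=1 explicitly, so package signatures are verified without relying on the [main] default in yum.conf. The repository id rhcs9-local and the URL are placeholders; the gpgkey path is assumed to be the Red Hat release key installed with Red Hat Enterprise Linux.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): repository definition for the
# RPMS/ directory, plus a check that signature verification stays on.
# The repo id "rhcs9-local" and the URL used below are placeholders.

# Emit a yum repository definition for the given base URL.
local_repo_stanza() {
    cat <<EOF
[rhcs9-local]
name=Red Hat Certificate System 9 (local copy of ISO RPMS/)
baseurl=$1
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
}

# Read a .repo file on stdin; fail unless every section sets gpgcheck=1.
repo_enforces_gpgcheck() {
    awk -F= '
        /^\[/ { if (seen && !ok) bad = 1; seen = 1; ok = 0 }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "gpgcheck" { ok = ($2 == "1") }
        END { if (!seen || !ok) bad = 1; exit bad + 0 }'
}

# Constructed usage: generate the stanza and audit it before installing it.
local_repo_stanza "https://repo.example.com/rhcs9/RPMS/" | repo_enforces_gpgcheck \
    && echo "gpgcheck enforced"
```

Redirect the output of local_repo_stanza to a file under /etc/yum.repos.d/ once the check passes; the same check can be run over existing .repo files.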