2.5. Installing the Certificate System

The installation process consists of two main steps: obtaining the packages and configuring the subsystems. This section explains how to obtain and install the Certificate System packages.

There are two ways to obtain and install the subsystem packages. For all supported platforms, the Certificate System packages can be downloaded as ISO images through the appropriate Red Hat Network channel. These packages are then installed through a package utility; on Red Hat Enterprise Linux systems, this is rpm and on Solaris 9, pkgadd.

Alternatively, if the appropriate network access is available, the subsystems and all dependencies can be downloaded and installed on Red Hat Enterprise Linux systems using the up2date command.

Whether downloading and installing the Certificate System from an ISO image or through up2date, several packages are also installed for related applications and dependencies, not only for the subsystem packages. These packages are listed in Section 2.2.3.1, “Red Hat Enterprise Linux RPMs” and Section 2.2.3.2, “Solaris Packages”.

2.5.1. Installing from an ISO Image

For Sun Solaris and Red Hat Enterprise Linux AS and ES, use the following procedure to install the Certificate System from an ISO image:

  1. Open the appropriate Red Hat Certificate System 7.3 Red Hat Network channel and download the packages.

    Solaris packages are contained in a single ISO image; Red Hat Enterprise Linux packages can be downloaded as an ISO image or individually.

  2. Log into the machine as the root user.

  3. Install the rhpki-manage package and run rhpki-install manually. For example, on Red Hat Enterprise Linux:

    rpm -Uvh rhpki-manage-<version>.noarch.rpm

    After you have installed the rhpki-manage package, use the rhpki-install script to install the subsystem. For example:

    rhpki-install -pki_subsystem=<subsystem_type> -pki_package_path=</path/to/ISO image> -force

    NOTE

    The DONT_RUN_PKICREATE environment variable can stop the pkicreate script from running automatically after the subsystems are installed. This allows the default instances to be installed in user-defined installation directories, instead of the default locations in /var/lib. It can be preferable to install through the ISO image with this environment variable set to block the pkicreate script for deployments where the default instances must be installed in custom locations.

    The following values are accepted for subsystem_type:

    • ca installs the Certificate Authority.

    • ra installs the Registration Authority.

    • drm installs the Data Recovery Manager.

    • ocsp installs the Online Certificate Status Protocol Responder.

    • tks installs the Token Key Service.

    • tps installs the Token Processing System.

    • esc installs the Enterprise Security Client.

    The -force option bypasses any confirmation prompts that may otherwise appear during the installation.

    For example, to install the CA and then the DRM, use the following commands:

    rhpki-install -pki_subsystem=ca \
        -pki_package_path=/media/cdrom/RedHat/RPMS -force

    rhpki-install -pki_subsystem=drm \
        -pki_package_path=/media/cdrom/RedHat/RPMS -force

    The rhpki-install script uses the rpm program on Red Hat Enterprise Linux systems and pkginfo and pkgadd programs on Solaris 9 systems.

  4. When the installation process is complete, a URL to access this instance is printed to the screen in the following format:

    Configuration Wizard listening on
    http://<hostname.domainname>:<unsecure-port>/<subsystem_type>/admin/console/config/login?pin=<pin>

    For example, a new CA may have the following URL:

    http://server.example.com:9080/ca/admin/console/config/login?pin=Yc6EuvuY2OeezKeX7REk

    The pin value is what authorizes whoever opens the configuration wizard, and it travels over plain HTTP on the unsecure port. Treat it as a secret: complete the configuration promptly, and do not paste the URL into shared logs or shell history.
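The procedure above, scripted end to end, as an added example that is not part of the original Red Hat documentation. It assumes: the script runs as root on Red Hat Enterprise Linux with the ISO mounted; DRY_RUN=1 prints the commands instead of running them; NO_PKICREATE=1 exports DONT_RUN_PKICREATE with a non-empty value (an assumption, since the page does not say which value the installer checks); LOG is an assumed log path; and the installer's output carries the "Configuration Wizard listening on" line in the format shown in step 4. The sample installer output embedded in the script is constructed. The script extracts the wizard URL, shows it once on the terminal, and writes only a PIN-redacted copy to the log.

```shell
#!/bin/bash
# Added example (not from the original documentation): drive the ISO-image
# install procedure for one or more subsystems.
#
# Assumptions: runs as root on Red Hat Enterprise Linux; DRY_RUN=1 prints
# commands instead of running them; NO_PKICREATE=1 exports DONT_RUN_PKICREATE
# with a non-empty value (assumed; the page does not state which value the
# installer checks); LOG defaults to /root/rhcs-install.log (assumed path).

VALID_SUBSYSTEMS="ca ra drm ocsp tks tps esc"
LOG=${LOG:-/root/rhcs-install.log}

# Return 0 if $1 is one of the subsystem types rhpki-install accepts.
valid_subsystem() {
    case " $VALID_SUBSYSTEMS " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the rhpki-install command for subsystem $1 using package path $2.
install_cmd() {
    printf 'rhpki-install -pki_subsystem=%s -pki_package_path=%s -force\n' "$1" "$2"
}

# Step 3, first half: install rhpki-manage from the package path.
# The version wildcard is an assumption; adjust to the real package file.
install_manage() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ rpm -Uvh $1/rhpki-manage-*.noarch.rpm"; return 0; fi
    rpm -q rhpki-manage >/dev/null 2>&1 && return 0   # already installed
    rpm -Uvh "$1"/rhpki-manage-*.noarch.rpm
}

# Read installer output on stdin and print the configuration wizard URL.
# The URL may follow "Configuration Wizard listening on" on the same line
# or on the next line, as in step 4 above.
wizard_url() {
    awk '
        /^Configuration Wizard listening on/ {
            sub(/^Configuration Wizard listening on[[:space:]]*/, "")
            if ($0 != "") { print $1; exit }
            grab = 1; next
        }
        grab && NF { print $1; exit }
    '
}

# Print only the pin= value from a wizard URL on stdin.
wizard_pin() {
    sed -n 's/.*[?&]pin=\([^&[:space:]]*\).*/\1/p'
}

# Replace the pin= value on stdin so the URL can be logged safely.
redact_pin() {
    sed 's/\(pin=\)[^&[:space:]]*/\1<redacted>/'
}

# Install each subsystem given in $2.. from the package path in $1.
install_subsystems() {
    pkg_path=$1; shift
    for s in "$@"; do
        valid_subsystem "$s" || { echo "unknown subsystem type: $s" >&2; return 1; }
    done
    if [ "${NO_PKICREATE:-0}" = 1 ]; then
        export DONT_RUN_PKICREATE=1      # keep pkicreate from running now (value assumed)
    fi
    for s in "$@"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "+ $(install_cmd "$s" "$pkg_path")"
            continue
        fi
        out=$(rhpki-install "-pki_subsystem=$s" "-pki_package_path=$pkg_path" -force 2>&1) || {
            printf '%s\n' "$out" | redact_pin >>"$LOG"
            echo "rhpki-install failed for $s; see $LOG" >&2
            return 1
        }
        printf '%s\n' "$out" | redact_pin >>"$LOG"   # never log the PIN
        url=$(printf '%s\n' "$out" | wizard_url)
        # The PIN is the only thing gating the wizard: show it once on the terminal.
        if [ -n "$url" ]; then echo "$s configuration wizard: $url"; fi
    done
}

# Constructed sample of installer output, used only to exercise the parsers.
SAMPLE_OUTPUT='Installing ca subsystem (constructed sample line)
Configuration Wizard listening on
http://server.example.com:9080/ca/admin/console/config/login?pin=Yc6EuvuY2OeezKeX7REk'

# Usage: ./rhcs-iso-install.sh /media/cdrom/RedHat/RPMS ca drm
if [ $# -gt 0 ]; then
    [ "$(id -u)" -eq 0 ] || [ "${DRY_RUN:-0}" = 1 ] || { echo "run as root" >&2; exit 1; }
    install_manage "$1" && install_subsystems "$@"
fi
```

Run it with DRY_RUN=1 first to see the exact rpm and rhpki-install commands it would issue; the redacted log is the copy you can attach to a ticket, while the PIN itself appears only on the terminal of whoever ran the install.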

NOTE

When the first subsystem is installed on a machine, the installation process automatically creates a new user (pkiuser) and group (pkiuser). All default Certificate System instances will run as this user and group.

2.5.2. Installing through up2date

NOTE

There is an environment variable, DONT_RUN_PKICREATE, which will stop the pkicreate script from running automatically after the subsystems are installed. This allows the default instances to be installed in user-defined installation directories, instead of the default locations in /var/lib. It can be preferable to install through the ISO image with this environment variable set to block the pkicreate script for deployments where the default instances must be installed in custom locations.

To install the subsystems on Red Hat Enterprise Linux using the up2date command, run a command like the following for each subsystem:

up2date rhpki-subsystem

subsystem can be ca for the CA, ra for the RA, kra for the DRM, ocsp for the OCSP responder, tks for the TKS, and tps for the TPS. Note that the DRM package name is rhpki-kra even though rhpki-install uses drm as the subsystem type.

up2date is used only for the first subsystem instance; any additional subsystem instances should be added using pkicreate.

To install the client using up2date, run the following:

up2date esc
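For the up2date route, as an added example that is not from the original documentation: it maps the subsystem type used by rhpki-install to the package name up2date expects (the DRM package is rhpki-kra and the client package is plain esc, as listed above), and it declines to run up2date when a default instance already exists, since further instances are supposed to be added with pkicreate. The default instance directory layout /var/lib/rhpki-<name>, the INSTANCE_ROOT override, and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not from the original documentation): install subsystems
# with up2date using the package names given above.
#
# Assumptions: DRY_RUN=1 prints instead of running; default instances live
# under ${INSTANCE_ROOT:-/var/lib}/rhpki-<name> (assumed layout, not stated
# on this page).

# Map an rhpki-install subsystem type to its up2date package name.
up2date_package() {
    case $1 in
        ca|ra|ocsp|tks|tps) echo "rhpki-$1" ;;
        drm|kra)            echo "rhpki-kra" ;;   # the DRM package is rhpki-kra
        esc)                echo "esc" ;;         # client package has no rhpki- prefix
        *)                  return 1 ;;
    esac
}

# Return 0 if a default instance of subsystem $1 already exists (assumed layout).
instance_exists() {
    if [ "$1" = esc ]; then return 1; fi          # the client has no server instance
    [ -d "${INSTANCE_ROOT:-/var/lib}/$(up2date_package "$1")" ]
}

# Install each subsystem type in $@ with up2date, skipping ones that already
# have a default instance: those must be added with pkicreate instead.
install_with_up2date() {
    for s in "$@"; do
        pkg=$(up2date_package "$s") || { echo "unknown subsystem type: $s" >&2; return 1; }
        if instance_exists "$s"; then
            echo "$pkg already has a default instance; add more instances with pkicreate" >&2
            continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "+ up2date $pkg"
        else
            up2date "$pkg"
        fi
    done
}

# Usage: ./rhcs-up2date-install.sh ca drm esc
if [ $# -gt 0 ]; then
    install_with_up2date "$@"
fi
```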