Enabling Ssl In Tps - Red Hat CERTIFICATE SYSTEM 7.2 - ADMINISTRATION Administration Manual


Chapter 7. Token Processing System
Section 7.5.1, "Enabling SSL in TPS"
Section 7.5.2, "Server-Side Key Generation and Archival of Encryption Keys"
Section 7.5.3, "Smart Card Certificate Enrollment Profiles"
Section 7.5.4, "Automating Encryption Key Recovery"
Section 7.5.5, "Configuring Symmetric Key Changeover"
Section 7.5.6, "Setting Token Types for Specified Smart Cards"

7.5.1. Enabling SSL in TPS

By default, the TPS communicates with the Enterprise Security Client over standard HTTP. It may be
desirable to protect the TPS-client communications by using HTTP over SSL (HTTPS). To enable the
TPS to communicate over SSL, do the following:
1. Open the TPS instance configuration directory.
/var/lib/rhpki-tps
2. Edit the virtual host section in the nss.conf file with the SSL configuration. There are two
parameters to add to the default virtual host configuration, ScriptAlias and DocumentRoot.
Additionally, the NSSVerifyClient parameter is reset to none and the port numbers should be
reset to the TPS secure port. For example:
Listen 0.0.0.0:7890
<VirtualHost _default_:7890>
ScriptAlias /cgi-bin/ "/var/lib/rhpki-tps/cgi-bin/"
DocumentRoot "/var/lib/rhpki-tps/docroot"
ErrorLog /var/lib/rhpki-tps/logs/error1_log
TransferLog /var/lib/rhpki-tps/logs/access1_log
NSSEngine on
NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
NSSNickname "Server-Cert cert-rhpki-tps"
NSSCertificateDatabase /var/lib/rhpki-tps/alias
NSSVerifyClient none
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
NSSOptions +StdEnvVars
</Files>
<Directory "/cgi-bin">
NSSOptions +StdEnvVars
</Directory>
</VirtualHost>
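
An added example, not part of the Red Hat manual: a Python check that reads a virtual host block like the one above, confirms the settings named in step 2, and reports which enabled cipher and protocol entries are obsolete (single DES, RC4, SSLv3). The function names and the weak-name pattern are assumptions of this example; the sample input is constructed from the listing above.

```python
import re

# Constructed sample: the virtual host from the listing above, logging and NSS database lines omitted.
SAMPLE = """\
Listen 0.0.0.0:7890
<VirtualHost _default_:7890>
ScriptAlias /cgi-bin/ "/var/lib/rhpki-tps/cgi-bin/"
DocumentRoot "/var/lib/rhpki-tps/docroot"
NSSEngine on
NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
NSSProtocol SSLv3,TLSv1
NSSVerifyClient none
</VirtualHost>
"""

# Assumption of this example: substrings of cipher names that mark obsolete
# algorithms (single DES, RC4, RC2, NULL encryption, export-grade key sizes).
WEAK = re.compile(r"(_des_|rc4|rc2|null|_40_|_56_|export)")

def directives(conf):
    """Map directive name -> list of argument strings; skips comments and <...> sections."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        m = re.match(r"<VirtualHost\s+(\S+)>", line)
        if m:
            out.setdefault("VirtualHost", []).append(m.group(1))
        elif line and not line.startswith(("#", "<")):
            name, _, args = line.partition(" ")
            out.setdefault(name, []).append(args.strip())
    return out

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    d = directives(conf)
    first = lambda k: d.get(k, [""])[0]
    findings = [f"missing {k}" for k in ("ScriptAlias", "DocumentRoot") if k not in d]
    if first("NSSEngine").lower() != "on":
        findings.append("NSSEngine is not on")
    if first("NSSVerifyClient") != "none":
        findings.append("NSSVerifyClient is not none")
    if first("Listen").rsplit(":", 1)[-1] != first("VirtualHost").rsplit(":", 1)[-1]:
        findings.append("Listen port differs from VirtualHost port")
    for tok in first("NSSCipherSuite").split(","):
        if tok.startswith("+") and WEAK.search(tok):
            findings.append(f"weak cipher enabled: {tok[1:]}")
    if "SSLv3" in first("NSSProtocol").split(","):
        findings.append("SSLv3 enabled")
    return findings
```

Run `audit()` on the edited virtual host section of nss.conf before restarting the TPS instance; each finding names the directive to revisit.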
