Chapter 7. Token Processing System
b. Import the transport certificate into the TKS security databases in the
/var/lib/instance_ID/alias/ directory. In the TKS Console, click Subsystem Keys and
Certificates in the left navigation panel. In the Local Certificates tab, click Add, and paste in
the certificate information.
Alternatively, use certutil to import the certificate.
certutil -d . -P cert-db-prefix -A -n "DRM Transport" -t ",," -a -i certfilename
c. Stop the TKS.
/etc/init.d/instance_ID stop
d. Edit the CS.cfg file by adding the DRM transport certificate information to the following
parameter:
tks.drm_transport_cert_nickname=DRM Transport
e. Restart the TKS.
/etc/init.d/instance_ID start
3. Configure the TPS to generate and archive keys.
a. Stop the TPS.
/etc/init.d/instance_ID stop
b. Edit the following parameters in the TPS CS.cfg file to use the appropriate DRM connection
information:
conn.drm.totalConns=1
conn.drm1.hostport=DRM_HOST:DRM_SSLPORT
conn.drm1.clientNickname=Server-Cert
conn.drm1.servlet.GenerateKeyPair=/kra/GenerateKeyPair
conn.drm1.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery
conn.drm1.retryConnect=3
conn.drm1.SSLOn=true
conn.drm1.keepAlive=false
c. Also edit the smart card profiles in the TPS CS.cfg file.
The TPS CS.cfg file has a section defining each type of smart card profile to maintain. In the
default configuration, the userKey is defined under the op.enroll.userKey subsection.
The keyGen subsection of the userKey profile defines each type of key/certificate pair
allowed for that type of smart card. In the default configuration, one of the key/certificate pairs
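A check that can be run on the TPS CS.cfg before the TPS is started again, covering the step 3b connection settings. It is an added example, not part of the manual or of Certificate System; the function names cfg_get, check_drm_conn and sample_weak_cfg, the constructed sample file and the choice of checks are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the manual): audit the step 3b settings in a TPS CS.cfg.

# cfg_get FILE KEY: print the value of the last "KEY=value" line, empty if absent.
cfg_get() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# check_drm_conn FILE: print one line per finding; exit status is the finding count.
check_drm_conn() {
    cfg=$1
    findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }
    for key in conn.drm.totalConns conn.drm1.hostport conn.drm1.clientNickname \
               conn.drm1.servlet.GenerateKeyPair conn.drm1.servlet.TokenKeyRecovery; do
        [ -n "$(cfg_get "$cfg" "$key")" ] || fail "$key is missing or empty"
    done
    # Key generation and recovery requests travel on this connection: require SSL.
    [ "$(cfg_get "$cfg" conn.drm1.SSLOn)" = "true" ] || fail "conn.drm1.SSLOn is not true"
    # The DRM_HOST:DRM_SSLPORT placeholder must be replaced by a real host:port.
    hostport=$(cfg_get "$cfg" conn.drm1.hostport)
    case $hostport in
        "") ;;  # already reported as missing above
        *DRM_HOST*|*DRM_SSLPORT*) fail "conn.drm1.hostport still holds the placeholder" ;;
        *:*) case ${hostport##*:} in
                 ""|*[!0-9]*) fail "conn.drm1.hostport port is not numeric" ;;
             esac ;;
        *) fail "conn.drm1.hostport has no :port" ;;
    esac
    return "$findings"
}

# Constructed sample: the manual's values with the placeholder left in and SSL off.
sample_weak_cfg() {
    cat <<'EOF'
conn.drm.totalConns=1
conn.drm1.hostport=DRM_HOST:DRM_SSLPORT
conn.drm1.clientNickname=Server-Cert
conn.drm1.servlet.GenerateKeyPair=/kra/GenerateKeyPair
conn.drm1.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery
conn.drm1.retryConnect=3
conn.drm1.SSLOn=false
conn.drm1.keepAlive=false
EOF
}

demo=$(mktemp)
sample_weak_cfg >"$demo"
check_drm_conn "$demo" || echo "findings: $?"
rm -f "$demo"
```

Against a real instance, call check_drm_conn with the path to the TPS CS.cfg while the TPS is stopped; an exit status of 0 means none of these checks failed.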