Certificate System Instance; Http Engine; User Interfaces - Red Hat CERTIFICATE SYSTEM 7.2 - ADMINISTRATION Administration Manual


1.4.1. Certificate System Instance

Within the Certificate System component, a set of common modules, which can all be extended with
custom Java™ plug-ins, are provided for all subsystems. Although some may not be used in the
default setting, they are available for further customization.
• Authentication.
• Authorization. The default is access control from the internal LDAP database.
• ACL evaluators. The default is to use user/group evaluators.
• Certificate profiles, which have customizable extensions and constraints.
• The job scheduler, which can be edited to control routinely-scheduled events.
• Email notification.
• Event listeners.
• Publishing. Both the publisher and mapper can be modified.
• Logging, including signed audit logs. The logging mechanism can be extended.
• Self-tests. Both the start-up and manually-initiated self-tests can be extended.
• Servlets, depending on subsystem installation.
• Password quality checker.

1.4.2. HTTP Engine

The Certificate System employs Red Hat Fortitude as its HTTP engine; this runs secure Tomcat
for the CA, OCSP, TKS, and DRM subsystems and secure Apache for TPS. Fortitude supports the
subsystem instance HTTP interfaces and provides the entry point for all users and applications to
access Certificate System subsystem functions through the different user interfaces: administrative
console, agent services, and end-entities pages. The subsystem pages are accessed over HTTP,
but they are created by subsystem-specific servlets contained in the Certificate System. While the
HTTP engine provides the connection entry points, Certificate System completes the interfaces by
providing the servlets specific to each interface. These servlets can return data in HTML or XML
formats, making it easier for system administrators to write scripts which interact with these servlets.
For more information, see Section 3.8, "Using Java Servlets".

1.4.3. User Interfaces

Each of the subsystems contains interfaces for interacting with other parts of the subsystem. Four
subsystems (CA, DRM, OCSP, and TPS) have an agent interface for agents to perform the tasks
assigned to them; four subsystems (CA, DRM, OCSP, and TKS) also have an administrative console
for managing that instance, such as adding users and viewing logs. A CA subsystem also has an
end-entity services interface for users to enroll in the PKI.
• End-Entities Interface. The CA Java servlets in the end-entities page process the HTML forms
submitted through the HTTP entry point. From the information in these forms, the servlets enroll and
revoke certificates for users and allow users to retrieve issued certificates.