Red Hat CERTIFICATE SYSTEM 7.3 - RELEASE NOTES Release Note page 13

Reconfiguring the Red Hat Certificate System Subsystems to Prevent a Potential TLS-Related Man-in-the-Middle Attack
2. First, in the CA, edit the CS.cfg file to contain the connector information with the agent's SSL port. For example:

   vim /var/lib/rhpki-ca/conf/CS.cfg

   ca.connector.KRA.port=10443

3. Then, for the DRM, open the server.xml file.

   vim /var/lib/rhpki-kra/conf/server.xml

4. Change the clientAuth directive in the agent connector to true. For example:

   <Connector name="Agent" port="10443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="true" sslProtocol="SSL"

5. Restart the subsystem. For example:

   /etc/init.d/rhpki-kra restart

Procedure 3. For the OCSP and TKS

1. Update the NSS packages by installing the system nss packages.

   up2date nss

2. Open the server.xml file.

   vim /var/lib/instance_name/conf/server.xml

3. Change the clientAuth directive in the agent connector to true. For example:

   <Connector name="Agent" port="11443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="true" sslProtocol="SSL"

4. Restart the subsystem. For example:

   /etc/init.d/rhpki-ocsp restart

Procedure 4. For the TPS

1. Update the NSS packages by installing the system nss packages and install the new TPS packages.

   up2date nss pki-tps
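One way to verify the settings these procedures change, as an added example that is not part of the Red Hat release notes: it checks that the connector named Agent in a subsystem's server.xml has clientAuth set to true and that the CA's ca.connector.KRA.port matches the DRM agent port. The function names, the sample file contents and the connector named "Other" are constructed for illustration; a missing clientAuth attribute is treated as false.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not taken from a real instance).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector name="Other" port="10444" scheme="https" secure="true" clientAuth="false"/>
  <Connector name="Agent" port="10443" maxHttpHeaderSize="8192"
             scheme="https" secure="true" clientAuth="false" sslProtocol="SSL"/>
</Service></Server>"""
SAMPLE_CS_CFG = "ca.connector.KRA.port=10444\n"


def agent_connector(server_xml):
    """Return the attributes of the connector named "Agent", or None."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("name") == "Agent":
            return dict(conn.attrib)
    return None


def cfg_value(cs_cfg, key):
    """Look up one key in CS.cfg-style key=value text."""
    for line in cs_cfg.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    return None


def audit(kra_server_xml, ca_cs_cfg=None):
    """List findings; an empty list means the settings match the procedure."""
    agent = agent_connector(kra_server_xml)
    if agent is None:
        return ["no connector named Agent in server.xml"]
    findings = []
    if agent.get("clientAuth", "false").lower() != "true":
        findings.append("Agent connector: clientAuth is not true")
    if agent.get("secure", "false").lower() != "true" or agent.get("scheme") != "https":
        findings.append("Agent connector: not an https/secure connector")
    if ca_cs_cfg is not None:
        port = cfg_value(ca_cs_cfg, "ca.connector.KRA.port")
        if port != agent.get("port"):
            findings.append(f"ca.connector.KRA.port={port}, agent port is {agent.get('port')}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_XML, SAMPLE_CS_CFG):
        print("FINDING:", finding)
```

For the OCSP and TKS, call audit() with only the instance's server.xml text, since the CS.cfg port check applies to the CA-to-DRM connector.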