Considering Physical Security And Location; Port Considerations - Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual


• Allowing appropriate access to other subsystems and clients outside of the firewall
The CA, DRM, and TKS are always placed inside a firewall because they contain critical information
that can cause devastating security consequences if they are compromised.
The RA is frequently placed outside the firewall, and the TPS and OCSP can be as well. Likewise, other
services and clients used by the Certificate System can be on a different machine outside the firewall.
In that case, the local networks have to be configured to allow access between the subsystems behind
the firewall and the services outside it.
The LDAP database can be on a different server, even on a different network, than the subsystem
which uses it. In this case, all LDAP ports (389 for LDAP and 636 for LDAPS, by default) need to be
open in the firewall to allow traffic to the directory service. Without access to the LDAP database, all
subsystem operations can fail.
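The paragraph above says that a subsystem cannot operate unless the LDAP ports (389 and 636 by default) are reachable through the firewall. The following script is an added example, not code from the Red Hat Certificate System manual: it performs a plain TCP connect to each directory port so the firewall policy can be verified before a subsystem is started. The hostnames are assumed placeholders, and the local throwaway listener exists only so the check can be demonstrated without a real directory server.

```python
"""Connectivity pre-check for the LDAP ports a Certificate System
subsystem depends on. Added example; not Red Hat's code.

Only a TCP handshake is attempted on each port, no LDAP request is sent,
so the check works whether or not the directory requires TLS or a bind.
"""
import socket
import socketserver
import threading

# Default directory ports named on the page.
LDAP_PORTS = {"ldap": 389, "ldaps": 636}


def check_tcp(host, port, timeout=3.0):
    """Return True when a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) and unreachable all count as blocked.
        return False


def check_ldap_access(host, ports=LDAP_PORTS, timeout=3.0):
    """Map each directory service name to whether its port is reachable."""
    return {name: check_tcp(host, port, timeout) for name, port in ports.items()}


def unreachable(results):
    """Sorted names of the services the firewall (or the server) is blocking."""
    return sorted(name for name, ok in results.items() if not ok)


class _QuietHandler(socketserver.BaseRequestHandler):
    """Accepts a connection and closes it; stands in for a directory server."""

    def handle(self):
        pass


def start_local_listener():
    """Start a throwaway TCP listener on an ephemeral loopback port.

    Returns (server, port); call server.shutdown() when finished.
    """
    server = socketserver.TCPServer(("127.0.0.1", 0), _QuietHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_local_port():
    """Pick a loopback port that nothing is listening on (demonstration only)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Assumed placeholder: replace with the directory server's real name.
    ldap_host = "ldap.example.com"
    results = check_ldap_access(ldap_host)
    blocked = unreachable(results)
    print("blocked:" if blocked else "all LDAP ports reachable", blocked)
```

Run the check from the host that will run the subsystem, since that is the path the firewall actually filters; a `False` for `ldaps` with `True` for `ldap` usually means only port 389 was added to the policy.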
As part of configuring the firewalls, if iptables is enabled, then it must have policies configured to allow
communication over the appropriate Certificate System ports. Configuring iptables is described in the
Red Hat Enterprise Linux Deployment Guide [4], such as in "Using iptables."
5.5.2. Considering Physical Security and Location
Because of the sensitive data they hold, consider keeping the CA, DRM, and TKS in a secure facility
with adequate physical access restrictions. Just as network access to the systems needs to be
restricted, the physical access also needs to be restricted.
Along with finding a secure location, consider the proximity to the subsystem agents and
administrators. Key recovery, for example, can require multiple agents to give approval; if these agents
are spread out over a large geographical area, then the time differences may negatively impact the
ability to retrieve keys. Plan the physical locations of the subsystems according to the locations
of the agents and administrators who will manage them.

5.5.3. Port Considerations

The default subsystems are installed and configured with a separate TCP/IP port for each service,
called port separation. Each Certificate System subsystem uses up to five ports:
• A standard port
• An SSL port for end-user services
• An SSL port for agent services
• An SSL port for the administrative console or admin services
• A web server port (Tomcat for the CA, DRM, OCSP, and TKS subsystems, Apache for the TPS and RA subsystems)
All of the service pages and interfaces described in Section 2.2, "Red Hat Certificate System Services"
are connected to using the instance's URL and the corresponding port number. For example:
https://server.example.com:9444/ca/ee/ca
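The point of port separation is that each of the five services listens on its own port, so a deployment plan that assigns the same port twice on one host will fail at install time or silently serve the wrong interface. The following is an added example, not code from the Red Hat Certificate System manual: it checks a planned port layout for collisions and builds service URLs in the form shown above. The port roles are the five named in the list; every port number other than the page's 9444 is a constructed value, and the choice of `http` for the standard port versus `https` for the three SSL ports is an assumption of this example.

```python
"""Port-separation plan check for Certificate System subsystems.

Added example; not code from the Red Hat manual. Catches the mistake
port separation exists to avoid: two services on one host sharing a port.
"""
from dataclasses import dataclass

# The five port roles the page lists, in the same order.
ROLES = ("standard", "ee_ssl", "agent_ssl", "admin_ssl", "web")


@dataclass
class SubsystemPorts:
    name: str    # e.g. "ca"
    host: str    # host the instance listens on
    ports: dict  # role -> TCP port


def validate_plan(plan):
    """Return human-readable problems; an empty list means the plan is clean."""
    problems = []
    seen = {}  # (host, port) -> "subsystem/role" that already claims it
    for sub in plan:
        for role, port in sub.ports.items():
            if role not in ROLES:
                problems.append(f"{sub.name}: unknown port role '{role}'")
                continue
            if not 1 <= port <= 65535:
                problems.append(f"{sub.name}/{role}: {port} is not a valid TCP port")
                continue
            key = (sub.host, port)
            if key in seen:
                problems.append(
                    f"{sub.name}/{role} reuses port {port} on {sub.host}, "
                    f"already assigned to {seen[key]}")
            else:
                seen[key] = f"{sub.name}/{role}"
    return problems


def service_url(sub, role, path):
    """Build the URL for one service interface of a subsystem.

    Assumption of this example: the three SSL roles use https and the
    standard port uses http. The web server port is not a service
    interface on the page, so it is rejected here.
    """
    if role == "web" or role not in sub.ports:
        raise ValueError(f"no service interface for role '{role}' on {sub.name}")
    scheme = "http" if role == "standard" else "https"
    return f"{scheme}://{sub.host}:{sub.ports[role]}{path}"


# Constructed sample plan: a CA and a DRM sharing one host. 9444 is the
# page's example end-user SSL port; the other numbers are made up here.
SAMPLE_PLAN = [
    SubsystemPorts("ca", "server.example.com",
                   {"standard": 9180, "ee_ssl": 9444, "agent_ssl": 9443,
                    "admin_ssl": 9445, "web": 9080}),
    SubsystemPorts("drm", "server.example.com",
                   {"standard": 10180, "ee_ssl": 10444, "agent_ssl": 10443,
                    "admin_ssl": 10445, "web": 10080}),
]

if __name__ == "__main__":
    for line in validate_plan(SAMPLE_PLAN) or ["plan is consistent"]:
        print(line)
    print(service_url(SAMPLE_PLAN[0], "ee_ssl", "/ca/ee/ca"))
```

Run `validate_plan` over the full set of instances before opening firewall ports, so the list of ports handed to the iptables policy matches what each subsystem will actually bind.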
To access the admin console, the URL specifies the admin port:
[4] http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Deployment_Guide/s1-fireall-ipt-act.html
