Chapter 5. Planning the Certificate System
pkiconsole https://server.example.com:9445/ca
All agent and admin functions require SSL client authentication. For requests from end entities, the
Certificate System listens on both the SSL (encrypted) port and non-SSL ports.
The ports for the different services to use are defined in the server.xml file for the CA, OCSP, DRM,
and TKS and in the httpd.conf and nss.conf files for the RA and TPS. If a port is not used, it can
be disabled in that file. For example:
<Service name="Catalina">
<!--Connector port="9180" ... /-->
<Connector port="9443" ... />
The default ports for the first instance installed on a machine are already defined, but it is possible
to choose different ports for additional instances. Whenever a new instance is installed, it can
be configured to have a single SSL port or to use three separate SSL ports for the different interfaces
(end-entity, agent, and administrator). Whichever way you choose, make sure that the new ports are
unique on the host system.
To verify that a port is available for use, check the appropriate file for the operating system. Port
numbers for network-accessible services are usually maintained in a file named services. On Red
Hat Enterprise Linux, it is also helpful to confirm that a port is not assigned by SELinux, by running the
command semanage port -l to list all ports which currently have an SELinux context.
When a new subsystem instance is created, any number between 1 and 65535 can be specified as
the secure port number.
For additional instances, created with the pkicreate utility, it is possible to configure the instance
with port separation or with a single, consolidated SSL port for all services. Port separation is more
secure; whether it is preferable depends on the maintenance costs, the users, and the network.
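The port check described above, as an added example that is not part of the Certificate System documentation: it tests a candidate port against a services(5) file, the SELinux port labels listed by semanage port -l (including ranges such as 9443-9447), and the sockets already bound according to ss -ltn. The three inputs are plain files, so the script runs against the constructed samples embedded below or against the real command output saved to disk. The sample file contents, the ss column layout, and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that a port planned for a new subsystem instance is
# not already registered, SELinux-labelled, or bound on this host.
#   SERVICES  - services(5) file, e.g. /etc/services
#   SEPORTS   - saved output of "semanage port -l"
#   LISTENING - saved output of "ss -ltn" (assumption: local address in the
#               4th column, port after the last colon)

# port_in_services FILE PORT: true if an entry for PORT/tcp exists
port_in_services() {
    grep -Eq "^[^#[:space:]]+[[:space:]]+$2/tcp" "$1"
}

# port_selinux_type FILE PORT: print the SELinux port type whose tcp list
# covers PORT (single ports and lo-hi ranges); prints nothing if unlabelled
port_selinux_type() {
    awk -v port="$2" '
        $2 == "tcp" {
            list = ""
            for (i = 3; i <= NF; i++) list = list $i      # rejoin "9180, 9701, ..."
            n = split(list, items, ",")
            for (j = 1; j <= n; j++) {
                if (items[j] == "") continue
                if (split(items[j], r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = items[j] + 0; hi = lo }
                if (port + 0 >= lo && port + 0 <= hi) { print $1; exit }
            }
        }' "$1"
}

# port_listening FILE PORT: true if a LISTEN socket is bound to PORT
port_listening() {
    awk -v port="$2" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) hit = 1 }
        END { if (hit) exit 0; exit 1 }' "$1"
}

# check_port PORT: report every reason PORT is unsuitable; returns 0 when free
check_port() {
    ok=0
    if port_in_services "$SERVICES" "$1"; then
        echo "port $1: already registered in $SERVICES"; ok=1
    fi
    t=$(port_selinux_type "$SEPORTS" "$1")
    if [ -n "$t" ]; then
        echo "port $1: labelled $t by SELinux (another service may own it)"; ok=1
    fi
    if port_listening "$LISTENING" "$1"; then
        echo "port $1: a process is already listening"; ok=1
    fi
    return $ok
}

# Constructed sample inputs modelled on the three file formats (not real host data)
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
SERVICES=$TMP/services; SEPORTS=$TMP/seports; LISTENING=$TMP/listening
cat > "$SERVICES" <<'EOF'
# service-name  port/protocol  [aliases ...]
http            80/tcp         www
https           443/tcp
EOF
cat > "$SEPORTS" <<'EOF'
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pki_ca_port_t                  tcp      9180, 9701, 9443-9447
EOF
cat > "$LISTENING" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22              *:*
LISTEN 0      128    *:9443            *:*
EOF

# Usage: check each port the new instance would need; status is 1 if any collide
status=0
for p in 9443 9446 14443; do
    if check_port "$p"; then echo "port $p: free"; else status=1; fi
done
```

Run it once per candidate port before creating the instance; a non-empty SELinux type is worth a second look even when nothing is listening yet, because it usually means another subsystem's default range already covers that port.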
Table 5.2. Default Port Assignments for Certificate System 8.0

Subsystem   Standard (unused standard port)   End-Entity SSL   Agent SSL   Admin SSL   Tomcat
CA          9180                              9444             9443        9445        9701
RA          12888                             12889            12889       12889       -
OCSP        11180                             11444            11443       11445       11701
DRM         10180                             10444            10443       10445       10701
TKS         13180                             13444            13443       13445       13701
TPS         7888                              7889             7889        7889        -

The RA and TPS use a single SSL port for the end-entity, agent, and admin interfaces and, since they run under Apache rather than Tomcat, have no Tomcat port.
5.6. Tokens for Storing Certificate System Subsystem Keys
and Certificates
A token is a hardware or software device that performs cryptographic functions and stores public-key
certificates, cryptographic keys, and other data.
The Certificate System defines two types of tokens, internal and external, for storing key pairs and
certificates that belong to the Certificate System subsystems.
An internal (software) token is a pair of files, usually called the certificate database (cert8.db) and
key database (key3.db), that the Certificate System uses to generate and store its key pairs and