Planning The Installation - Red Hat CERTIFICATE SYSTEM 8 Install Manual


Chapter 1. Overview of Certificate System Subsystems

1.3. Planning the Installation

Before beginning to install and configure the Certificate System subsystems, determine how the
PKI will be organized.
Q:
What types of subsystems do you need to install?
A:
This depends on the kind of functionality you need and the load you expect to have. There
are several different kinds of subsystems for managing certificates (Section 1.1, "Subsystems
for Managing Certificates") and for managing tokens (Section 1.2, "Subsystems for Managing
Tokens").
Q:
How many subsystems do you need to install?
A:
This depends very much on the expected load and also on geographical or departmental
divisions. Subsystems can be cloned, meaning they essentially are clustered, operating as a
single unit, which is good for load balancing and high availability. Additionally, security domains
create trusted relationships between subsystems, allowing them to work together to find
available subsystems to respond to immediate needs. Multiple security domains can be used in
a single PKI, with multiple instances of any kind of subsystem.
Q:
Will the subsystem certificates and keys be stored on the internal software token in
Certificate System or on an external hardware token?
A:
Certificate System supports two hardware security modules (HSM): nCipher netHSM 2000 and
Safenet LunaSA. Using a hardware token can require additional setup and configuration before
installing the subsystems, but it also adds another layer of security.
Q:
What machines should the subsystem be installed on?
A:
This depends on the network design. The RA and OCSP subsystems are specifically designed
to operate outside a firewall for user convenience, while the CA, DRM, and TPS should all be
secured behind a firewall.
Q:
To what security domain should a subsystem instance be added?
A:
Because the subsystems within a security domain have trusted relationships with each other, it is
important to choose which domain a subsystem joins. Security domains can have different certificate issuing
policies, different kinds of subsystems within them, or a different Directory Server database. Map
out where (both on the physical machine and in relation to each other) each subsystem belongs,
and assign it to the security domain accordingly.
Q:
Should a subsystem be cloned?
A:
Cloned subsystems work together, essentially as a single instance. This can be good for
high-demand systems, failover, or load balancing, but it can become difficult to maintain. For example,
cloned CAs have serial number ranges for the certificates they issue, and a clone could hit the
end of its range.
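
The clone serial-range caveat above, as an added planning check that is not part of the Red Hat manual: given each cloned CA's assigned range and its next serial number, it flags clones that are near or at the end of their range and, going slightly beyond the text, ranges that overlap. The clone names, range values, field names and the 10% threshold are constructed assumptions, not Certificate System settings.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CloneRange:
    name: str         # label for the CA clone (constructed)
    begin: int        # first serial number assigned to this clone
    end: int          # last serial number assigned (inclusive)
    next_serial: int  # next serial number the clone will issue

    @property
    def remaining(self) -> int:
        return max(0, self.end - self.next_serial + 1)

def overlapping_pairs(clones):
    """Return name pairs whose ranges intersect (risk of duplicate serials)."""
    ordered = sorted(clones, key=lambda c: c.begin)
    pairs = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.begin > a.end:
                break  # sorted by begin, so no later range can touch a
            pairs.append((a.name, b.name))
    return pairs

def audit(clones, low_water=0.10):
    """Return (subject, problem) findings for a planned set of CA clones."""
    findings = []
    for c in clones:
        if not (c.begin <= c.next_serial <= c.end + 1):
            findings.append((c.name, "next serial outside assigned range"))
        elif c.remaining == 0:
            findings.append((c.name, "range exhausted"))
        elif c.remaining < low_water * (c.end - c.begin + 1):
            findings.append((c.name, f"low: {c.remaining} serials left"))
    for a, b in overlapping_pairs(clones):
        findings.append((f"{a}/{b}", "ranges overlap"))
    return findings

# Constructed sample plan; the hex ranges are for illustration only.
PLAN = [
    CloneRange("ca-master", 0x0001, 0x1000, 0x0400),
    CloneRange("ca-clone1", 0x1001, 0x2000, 0x1FF0),
    CloneRange("ca-clone2", 0x2001, 0x3000, 0x3001),
    CloneRange("ca-clone3", 0x2F00, 0x4000, 0x2F00),
]

if __name__ == "__main__":
    for subject, problem in audit(PLAN):
        print(f"{subject}: {problem}")
```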
Q:
Should the Certificate Manager be a self-signed root CA or a subordinate CA?
