Loading The Certicom Ecc Module - Red Hat CERTIFICATE SYSTEM 8 Install Manual


modutil -dbdir . -nocertdb -changepw "THIRD_PARTY_MODULE_TOKEN"
7. Change the ownership of the new home directory from root to pkiuser.
cd /usr/share/pki
chown -R pkiuser:pkiuser pkiuser
8. Add the password for the ECC token to the CA's password file.
vim /etc/pki-ca/password.conf
hardware-THIRD_PARTY_MODULE_TOKEN=secret
The hardware- prefix is required.
9. Edit the CA configuration and add a line to require signature verification.
ca.requestVerify.token=THIRD_PARTY_MODULE_TOKEN
10. Start the CA.
service pki-ca start
11. Continue with the CA configuration, with two important configuration settings:
• In the Key Store panel, the ECC module should be listed as an available token. Select that
module for the key store.
• In the Key Pairs panel, ECC should be listed as an option to use to generate the keys used for
the CA's certificates. Select the ECC key type.
12. After completing the configuration for the CA, try to log into the CA console.
pkiconsole https://server.example.com:9445/ca
The login fails because the console is not yet configured to run with ECC enabled. However, the attempt
creates the security databases for the console, so the ECC module can be loaded into them.
13. Load the ECC module into the console security databases.
cd ~/.redhat-idm-console/
modutil -dbdir . -nocertdb -add THIRD_PARTY_MODULE -libfile /usr/lib/libYourNewModule.so
Now, logging into the console succeeds.
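
Steps 8 and 9 only work together if the token name in ca.requestVerify.token matches a hardware- prefixed entry in the password file. The shell function below is an added example, not part of the Red Hat manual, that cross-checks the two files. Assumptions: the function name check_ecc_token_config is hypothetical, both file paths are supplied by the caller, the sample files are constructed, and the permission test is an added hardening check rather than a manual step.

```shell
# Added example, not from the Red Hat manual.
# Usage: check_ecc_token_config PASSWORD_FILE CA_CONFIG_FILE
# Returns 0 if steps 8 and 9 agree, 1 if a problem is found, 2 on unreadable input.
check_ecc_token_config() {
    pwfile=$1; cfg=$2; rc=0
    if [ ! -r "$pwfile" ] || [ ! -r "$cfg" ]; then
        echo "ERROR: cannot read '$pwfile' or '$cfg'" >&2
        return 2
    fi
    # Step 9: token named for request signature verification.
    # If the setting is repeated, this check uses the last line.
    token=$(sed -n 's/^ca\.requestVerify\.token=//p' "$cfg" | tail -n 1)
    if [ -z "$token" ]; then
        echo "FAIL: ca.requestVerify.token is not set"
        return 1
    fi
    # Step 8: a non-empty password entry keyed hardware-<token> must exist.
    if awk -v k="hardware-$token=" \
        'index($0, k) == 1 && length($0) > length(k) { f = 1 } END { exit !f }' "$pwfile"; then
        echo "OK: password entry found for hardware-$token"
    elif awk -v k="$token=" 'index($0, k) == 1 { f = 1 } END { exit !f }' "$pwfile"; then
        echo "FAIL: entry for $token lacks the required hardware- prefix"
        rc=1
    else
        echo "FAIL: no password entry for hardware-$token"
        rc=1
    fi
    # Added hardening check (assumption, not a manual step): the file holds the
    # token password in clear text, so "other" must have no permission bits.
    if [ "$(ls -ld "$pwfile" | cut -c8-10)" != "---" ]; then
        echo "FAIL: $pwfile is accessible to users outside its owner and group"
        rc=1
    fi
    return $rc
}

# Constructed sample input mirroring the values shown in steps 8 and 9.
demo_dir=$(mktemp -d)
printf 'hardware-THIRD_PARTY_MODULE_TOKEN=secret\n' > "$demo_dir/password.conf"
printf 'ca.requestVerify.token=THIRD_PARTY_MODULE_TOKEN\n' > "$demo_dir/ca-config.sample"
chmod 600 "$demo_dir/password.conf"
check_ecc_token_config "$demo_dir/password.conf" "$demo_dir/ca-config.sample"
rm -rf "$demo_dir"
```

On a real system, pass the CA's password file and the CA configuration file edited in step 9 as the two arguments.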

4.2.2. Loading the Certicom ECC Module

Certicom's ECC module has a slightly different configuration process than the procedure for loading a
general ECC module.

This manual is also suitable for:

System 8 - install guide 25-03-2010
