Chapter 3. Administrative Basics
Figure 3.2. Certificate System Ports
3.11.1.1. Port Considerations
When choosing ports for a subsystem, consider the following:
• Choose ports that are unique on the host system.
To verify that a port is available for use, check the appropriate file for the operating system; port
numbers for network-accessible services are usually maintained in a file named services.
• Since the default Certificate System instances are installed as root, all of the port numbers used are below port 1024, but for security reasons, it may not be desirable to use those ports directly. Also, since the Certificate System is installed as root yet it runs as a non-root user, the subsystems may not be able to bind the restricted ports. It is possible to direct traffic to non-restricted ports while still using the default port numbers by configuring the iptables settings. For example:
# accept traffic for the CA HTTPS port and redirect it to the non-restricted port 8443
/sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-port 8443
# accept traffic for the Tomcat port and redirect it to the non-restricted port 8080
/sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-port 8080
# persist the rules
/sbin/iptables-save
This redirects all of the agent and administrator traffic on the CA HTTPS port (443) to port 8443 and on the Tomcat port (80) to port 8080, so the subsystems answer on the default port numbers without having to bind a restricted port.
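The two considerations above (checking the services file for a port that is already assigned, and redirecting a restricted port to a non-restricted one) can be scripted so that an administrator reviews the resulting rules before applying them. The following helper is an added example and is not part of the Certificate System manual; it assumes a services file in the standard "name port/proto" layout, uses a constructed sample of that file so it runs offline, and only prints the iptables commands from the manual rather than executing them.

```shell
#!/bin/sh
# Added example (not from the Certificate System manual): validate subsystem
# port choices and emit the iptables redirect rules for review.
# Assumption: the services file uses the standard "name port/proto" layout.

# Constructed sample in /etc/services format; point SERVICES_FILE at the real
# file to check the host instead.
SAMPLE_SERVICES='# constructed sample services file
http            80/tcp          www
https           443/tcp
ldap            389/tcp
ldaps           636/tcp
http-alt        8080/tcp
pcsync-https    8443/tcp'

# Print the service name registered for PORT/tcp in FILE; prints nothing if
# the port is not listed (i.e. it is free as far as the services file knows).
service_for_port() {
    port="$1"; file="$2"
    awk -v p="$port" '
        /^[ \t]*#/ || NF < 2 { next }
        { split($2, a, "/"); if (a[1] == p && a[2] == "tcp") { print $1; exit } }
    ' "$file"
}

# Succeed (exit 0) if PORT is a restricted port (below 1024), which a
# subsystem running as a non-root user cannot bind directly.
port_is_privileged() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    [ "$1" -lt 1024 ]
}

# Emit (do not run) the rules from the manual that redirect traffic arriving on
# the restricted PRIV_PORT to the non-restricted TARGET_PORT the subsystem
# actually listens on. Refuses pairs that would redirect the wrong way.
redirect_rules() {
    priv="$1"; target="$2"
    if ! port_is_privileged "$priv" || port_is_privileged "$target"; then
        echo "usage: redirect_rules <port below 1024> <port 1024 or above>" >&2
        return 1
    fi
    printf '/sbin/iptables -A FORWARD -p tcp --destination-port %s -j ACCEPT\n' "$priv"
    printf '/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port %s --to-port %s\n' \
        "$priv" "$target"
}

# Walk through the manual's defaults against the sample services file.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SERVICES" > "$tmp"
    for pair in "443 8443" "80 8080"; do
        set -- $pair
        name=$(service_for_port "$2" "$tmp")
        [ -n "$name" ] && echo "note: port $2 is already listed in services as $name" >&2
        redirect_rules "$1" "$2"
    done
    echo "/sbin/iptables-save"
    rm -f "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to print the rule set for the default 443/8443 and 80/8080 pairs; the emitted commands are the ones shown in the manual and must be run as root, then persisted with iptables-save. A port that already appears in the services file is reported rather than rejected, because (as with 8443 in the sample) a registered name does not mean another service is actually listening on the host.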