Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual page 117

About Ports
3.11.1.2. Web Port
The HTML-based services, such as the agent and end-entities' services pages and the Console, are
accessed through the web. The Tomcat web server is used for the CA, RA, DRM, OCSP, and TKS
subsystem services, and the Apache web server is used for the TPS subsystem services.
3.11.1.3. Agent Port
The agent port is an SSL (encrypted) port on which the subsystem listens for requests from agents;
agents make these requests through the agent services pages.
• The Certificate Manager agent uses the agent port to process certificate issuance and management
requests from end entities and to perform other privileged operations over HTTPS.
• DRM agents use the agent port for recovering end users' encryption private keys over HTTPS.
Agent functions always require SSL client authentication.
When a new subsystem instance is created, any number between 1 and 65535 can be specified as
the secure port number. The agent port number affects agent users since all agents access the
subsystem by specifying the name of the server (the Certificate System instance) and the agent port
number in the URL. For example, if the port number is 4430, the URL would look like this:
https://server.example.com:4430/ca/agent/ca
This port number is also used to open the subsystem administrative console.
pkiconsole https://server.example.com:4430/ca/
If the port number is ever changed, the agents must be informed.
3.11.1.4. End-Entity Ports
For requests from end entities, the Certificate System listens on both the SSL (encrypted) port and
non-SSL port. End entities make requests through the end-entities page.
Both the HTTP port and HTTPS port can be used to service end-entity-initiated PKI requests, such as
enrollment and revocation. Enrollment requests can include revocation requests; general certificate
retrieval requests, such as retrieving a single certificate identified by a serial number; listing certificates
based on certain criteria like an LDAP search filter defined over standard attributes; and getting a CA's
certificate chain.
The HTTP port can be disabled if it is not used.
The HTTPS port uses SSL authentication to provide a secure transfer of data. Like the HTTP port,
the HTTPS port can be disabled. For example, to keep end entities from interacting with a Certificate
Manager, disable the HTTPS port. For details, see Section 3.11.2, "Changing a Port Number".
If the subsystem instance is for a Certificate Manager configured to service OCSP requests from
OCSP-compliant clients, then this port must be enabled so that the clients can successfully query the
Certificate Manager for the revocation status of a certificate. For details, see Section 6.2, "CA OCSP
Services".
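The following added example (not part of the manual or of Certificate System) audits a Tomcat server.xml for the two points made above: the agent port must be an SSL connector that requires a client certificate, and a plaintext HTTP connector should be disabled if it is unused. It assumes the client-certificate requirement is set on the connector through Tomcat's clientAuth attribute; the sample file and ports 9080 and 9443 are constructed, and 4430 is the manual's example agent port.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real Certificate System instance.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="9080" scheme="http" secure="false"/>
    <Connector port="4430" scheme="https" secure="true" clientAuth="false"/>
    <Connector port="9443" scheme="https" secure="true" clientAuth="false"/>
  </Service>
</Server>
"""

def audit_connectors(server_xml, agent_port):
    """Return a list of (port, finding) tuples for the given server.xml text."""
    findings = []
    seen_agent = False
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = int(conn.get("port", "0"))
        # Tomcat defaults: scheme="http", secure="false", clientAuth="false".
        is_tls = (conn.get("scheme", "http").lower() == "https"
                  and conn.get("secure", "false").lower() == "true")
        client_auth = conn.get("clientAuth", "false").lower()
        if port == agent_port:
            seen_agent = True
            if not is_tls:
                findings.append((port, "agent port is not an SSL connector"))
            elif client_auth != "true":
                # Assumption: client authentication is enforced at the connector.
                findings.append((port, "agent connector does not require a client certificate"))
        elif not is_tls:
            findings.append((port, "plaintext HTTP connector; disable it if unused"))
    if not seen_agent:
        findings.append((agent_port, "no connector found for the agent port"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML, agent_port=4430):
        print(f"port {port}: {finding}")
```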