Only the subsystems which have separate services interfaces (CA, OCSP, DRM, and TKS) can be
configured for port separation. The other subsystems (RA and TPS) cannot.
NOTE
Port separation is required to apply the Errata RHBA-2010:0170 and resolve a vulnerability in
the TLS/SSL protocols.
For example:
1. Open the instance directory.
cd /var/lib/rhpki-ca/
2. Open the configuration directory.
cd conf/
3. Edit the server.xml file.
By default, there is one service defined, between the <Service> and </Service> tags.
Copy this entry so that all three services have an entry. Add a <Connector port="..." line
with the TCP port and a <Host appBase="..." entry to identify the location of the web
directory for the service. The appBase directory should be something like webapps.admin and
located in the subsystem's instance directory.
... default entry, used as the agent service ...
<Service name="Catalina">
    <!-- the insecure port definition, which is used by all services -->
    <Connector port="9080" ... />
    <Connector port="9444" ... />
    <Engine name="Catalina" defaultHost="localhost">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
        <Host name="localhost" appBase="webapps"
              unpackWARs="true" autoDeploy="false"
              xmlValidation="false" xmlNamespaceAware="false">
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   directory="logs"
                   prefix="localhost_access_log." suffix=".txt"
                   pattern="common" resolveHosts="false"/>
        </Host>
    </Engine>
</Service>
... admin services entry ...
<Service name="CatalinaAdmin">
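A check for the edited file, as an added example that is not part of the original guide: it parses server.xml and reports any <Service> entry that lacks a port or appBase, or that shares one with another entry. The CatalinaEE name, port 9701 and the rule that every appBase must be distinct are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only Catalina, CatalinaAdmin, 9080, 9444, webapps and
# webapps.admin come from the guide; CatalinaEE and port 9701 are placeholders.
# The third entry was copied without changing its port or appBase.
SAMPLE = """<Server>
  <Service name="Catalina">
    <Connector port="9080"/>
    <Connector port="9444"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
  <Service name="CatalinaAdmin">
    <Connector port="9701"/>
    <Engine name="CatalinaAdmin" defaultHost="localhost">
      <Host name="localhost" appBase="webapps.admin"/>
    </Engine>
  </Service>
  <Service name="CatalinaEE">
    <Connector port="9701"/>
    <Engine name="CatalinaEE" defaultHost="localhost">
      <Host name="localhost" appBase="webapps.admin"/>
    </Engine>
  </Service>
</Server>"""

def check_port_separation(xml_text, expected_services=3):
    """Return a list of problems found in a server.xml document."""
    services = ET.fromstring(xml_text).findall("Service")
    problems, seen = [], {}
    if len(services) != expected_services:
        problems.append(f"expected {expected_services} services, found {len(services)}")
    for svc in services:
        name = svc.get("name", "?")
        # Each service needs its own TCP port and its own web directory.
        values = [("port", c.get("port")) for c in svc.findall("Connector")]
        values += [("appBase", h.get("appBase")) for h in svc.findall("Engine/Host")]
        for attr in ("port", "appBase"):
            if not any(a == attr and v for a, v in values):
                problems.append(f"{name}: no {attr} defined")
        for key in values:
            if key in seen:
                problems.append(f"{name}: {key[0]} {key[1]} already used by {seen[key]}")
            seen.setdefault(key, name)
    return problems

if __name__ == "__main__":
    print("\n".join(check_port_separation(SAMPLE)) or "port separation OK")
```

To check a real instance, pass the contents of conf/server.xml to check_port_separation() before restarting the subsystem.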