Self-Tests; Authorization; Security-Enhanced Linux Support; Authentication - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

1.1.5. Self-Tests
The Certificate System provides the framework for system self-tests that are automatically run at
startup and can be run on demand. A set of configurable self-tests is already included with the
Certificate System. See Section 3.10, "Self-Tests" for details.

1.1.6. Authorization

Certificate System users can be assigned to groups, and they then have the privileges of whichever
groups they are members of. A user only has privileges for the instance of the subsystem in which the
user is created, and only the privileges of the group of which the user is a member.
The Certificate System provides an authorization framework for creating groups and assigning access
control to those groups. The default access control on preexisting groups can be modified, and access
control can be assigned to individual users and IP addresses. Access points for authorization have
been created for the major portions of the system, and access control rules can be set for each point.
The Certificate System is configured by default with four user types with different access levels to the
system:
• Administrators, who can perform any administrative or configuration task.
• Agents, who can edit and approve requests.
• Auditors, who can view and configure audit logs.
• Trusted managers, which are subsystems with a trusted relationship with another subsystem.
Additionally, when a security domain is created, the CA subsystem which hosts the domain is
automatically granted the role of Security Domain Administrator, which gives the subsystem the
ability to manage the security domain and the subsystem instances within it. Other security domain
administrator roles can be created for the different subsystem instances. These roles are described in
Section 4.4.2, "Security Domain Roles".

1.1.7. Security-Enhanced Linux Support

Security-enhanced Linux, or SELinux, is a collection of mandatory access control rules which are
enforced across a system to restrict unauthorized access and tampering. These mandatory access
controls limit users and applications to the lowest amount of access possible for them to operate.
Processes or applications, such as CGIs, may have special policies in place to enable them to run
under the restricted access rules.
The Certificate System is able to run under SELinux configuration, which enhances the security of
the information created and maintained by the Certificate System. All Certificate System subsystems
can be installed and run with SELinux policies fully enforced. By default, the Certificate System
subsystems run unconfined by SELinux policies.

1.1.8. Authentication

Certificate System provides authentication options for certificate enrollment. These include agent-
approved enrollment, in which an agent processes the request, and automated enrollment, in which
an authentication method is used to authenticate the end entity and then the CA automatically issues
a certificate. CMC enrollment is also supported, which automatically processes a request approved by
an agent.