Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual page 332


Chapter 13. Basic Subsystem Management
b. Add a section for the new port. Make sure that the clientAuth value is set to true. (The
port number and serverCertNickFile and passwordFile directives should all match
your instance information.)
<!-- Port Separation: EE Secure Client Auth Port Connector -->
<Connector name="EEClientAuth" port="9446" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="true" sslProtocol="SSL"
    sslOptions="ssl2=true,ssl3=true,tls=true"
    ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,
-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,
-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
    ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,
-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,
-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,
+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,
-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
    tls3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,
-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,
-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,
+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,
+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,
-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
    SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
    serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf"
    passwordFile="/var/lib/pki-ca/conf/password.conf"
    passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
    certdbDir="/var/lib/pki-ca/alias"/>
4. Modify the /etc/init.d/instance_name initialization script to read the new status definitions.
a. At line 242, replace the following lines. Replace all the lines with the exact excerpt below
because there are important differences in whitespace in the quoted strings.
unsecure_port_statement="Unsecure Port       = "
secure_agent_port_statement="Secure Agent Port   = "
secure_ee_port_statement="Secure EE Port      = "
secure_ee_client_auth_port_statement="EE Client Auth Port = "
secure_admin_port_statement="Secure Admin Port   = "
pki_console_port_statement="PKI Console Port    = "
tomcat_port_statement="Tomcat Port         = "
b. Modify the highlighted code at around line 280.
head=`echo "$line" | cut -b1-22`
if  [ "$head" == "$unsecure_port_statement"     ] ||
    [ "$head" == "$secure_agent_port_statement" ] ||
    [ "$head" == "$secure_ee_port_statement"    ] ||
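
Added example, not part of the Red Hat manual: a Python check that parses a server.xml and reports whether the EEClientAuth connector from step b is present with clientAuth set to true, whether serverCertNickFile and passwordFile point into the instance directory, and which legacy protocols or weak ciphers are switched on with "+". The sample XML, the function names and the weak-cipher markers are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: shortened EEClientAuth connector, cipher list wrapped as in print.
SAMPLE = """<Server><Service name="Catalina">
<Connector name="EEClientAuth" port="9446" scheme="https" secure="true"
  clientAuth="true" sslOptions="ssl2=true,ssl3=true,tls=true"
  ssl3Ciphers="-SSL3_RSA_WITH_NULL_MD5,+SSL3_RSA_WITH_RC4_128_SHA,-
SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_DES_CBC_SHA,
+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
  serverCertNickFile="/var/lib/pki-ca/conf/serverCertNick.conf"
  passwordFile="/var/lib/pki-ca/conf/password.conf"
  certdbDir="/var/lib/pki-ca/alias"/>
</Service></Server>"""

# Assumption: substrings this audit treats as marking a weak cipher suite.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "RC2", "_DES_", "MD5")

def parse_ciphers(value):
    """Split a '+NAME,-NAME' list into (enabled, disabled), ignoring line wraps."""
    enabled, disabled = [], []
    for item in "".join(value.split()).split(","):
        if item.startswith("+"):
            enabled.append(item[1:])
        elif item.startswith("-"):
            disabled.append(item[1:])
    return enabled, disabled

def audit_connector(server_xml, name, instance_dir):
    """Return a list of findings for the named <Connector> (empty list = clean)."""
    root = ET.fromstring(server_xml)
    conn = next((c for c in root.iter("Connector") if c.get("name") == name), None)
    if conn is None:  # XML comments are skipped, so a commented-out connector lands here
        return [f"connector {name} not found (missing or still commented out)"]
    findings = []
    if conn.get("clientAuth") != "true":
        findings.append("clientAuth is not true")
    for attr in ("serverCertNickFile", "passwordFile"):
        if not conn.get(attr, "").startswith(instance_dir + "/"):
            findings.append(f"{attr} is outside {instance_dir}")
    opts = "".join(conn.get("sslOptions", "").split()).split(",")
    for proto in ("ssl2", "ssl3"):
        if f"{proto}=true" in opts:
            findings.append(f"legacy protocol enabled: {proto}")
    for attr in ("ssl2Ciphers", "ssl3Ciphers", "tls3Ciphers"):
        for cipher in parse_ciphers(conn.get(attr, ""))[0]:
            if any(marker in cipher for marker in WEAK_MARKERS):
                findings.append(f"{attr}: weak cipher enabled: {cipher}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_connector(SAMPLE, "EEClientAuth", "/var/lib/pki-ca")))
```

To audit a real instance, pass the contents of its server.xml and its own instance directory in place of the constructed sample.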
