Chapter 14. Managing Certificate System Users and Groups
security domain, so that each subsystem can efficiently carry out interactions with other subsystems.
For example, this allows OCSPs to push CRL publishing information to all CAs in the
domain, DRMs to push KRA connector information, and CAs to approve certificates generated within
the CA automatically.
Enterprise subsystem administrators are given enough privileges to perform operations on the
subsystems in the domain. Each subsystem has its own security domain role:
• Enterprise CA Administrators
• Enterprise DRM Administrators
• Enterprise OCSP Administrators
• Enterprise TKS Administrators
• Enterprise TPS Administrators
Additionally, there is a Security Domain Administrators group for the CA instance which manages the
security domain, access control, users, and trust relationships within the domain.
Each subsystem administrator authenticates to the other subsystems using SSL client authentication
with the subsystem certificate issued during configuration by the security domain CA.
14.3. Managing Users and Groups for a CA, OCSP, DRM, or TKS
Many of the operations that users can perform are dictated by the groups that they belong to; for
instance, agents for the CA manage certificates and profiles, while administrators manage CA server
configuration.
Four subsystems — the CA, OCSP, DRM, and TKS — use the Java administrative console to manage
groups and users. The other two — the RA and TPS — have web-based admin services, and users
and groups are configured through their web services pages.
14.3.1. Managing Groups
14.3.1.1. Creating a New Group
1. Log into the administrative console.
   pkiconsole https://server.example.com:admin_port/subsystem_type
2. Select Users and Groups from the navigation menu on the left.
3. Select the Groups tab.
4. Click Edit, and fill in the group information.