3.6.3. Configuring a TPS

3.6.3. Configuring a TPS

  1. Open the configuration wizard. When the instance is installed, the process returns a success message which includes a URL with the login PIN. For example: 

    http://server.example.com:7888/
 tps/admin/console/config/login?pin=kI7E1MByNIUcPJ6RKHmH

    Using this URL skips the login screen.

    Alternatively, log into the setup wizard through admin link on the services page and supply the preop.pin value from the CS.cfg file when prompted. 

    http://server.example.com:7888/tps/services

  2. Join an existing security domain. Supply the hostname and SSL port of the CA which hosts the domain. When the CA is successfully contacted, then supply the admin username and password for the CA so that it can be properly accessed.

  3. Enter a name for the new instance.

  4. Supply the CA information for the Certificate System CA which will be used to issue, renew, and revoke certificates for token operations requested through the TPS subsystem.

  5. Supply information about the TKS which will manage the TPS keys. Select the TKS from the drop-down menu of TKS subsystems within the security domain.

  6. There is an option for server-side key generation for tokens enrolled through the TPS. If server-side key generation is selected, supply information about the DRM which will be used to generate keys and archive encryption keys. Key and certificate recovery is initiated automatically through the TPS, which is a DRM agent. Select the DRM from the drop-down menu of DRM subsystems within the security domain.

  7. Fill in the Directory Server hostname, port, bind DN, and bind password.

  8. Select the key store token; a list of detected hardware tokens and databases is given.

    To determine whether a token is detected by the Certificate System, use the TokenInfo tool. For more information on this tool, see the Certificate System Command-Line Tools Guide.

  9. Set the key size.

  10. Select the CA which will generate the subsystem certificates; to use a Certificate System CA, select the CA from the drop-down menu of the CAs configured within the security domain. To select and external CA, select the External CA radio button and supply the appropriate information.

    Optionally, give subject names to the listed certificates.

  11. The next panels generate and show certificate requests, certificates, and key pairs.

    If an external CA is used to issue the certificates, configuration cannot go forward until they are received from the CA. When they are issued, paste the certificates into this panel to add them to the TPS database, and then proceed with the installation. Click Apply to view the certificates as they are imported.

  12. Give the information for the new subsystem administrator.

  13. Click Next through the remaining panels to import the agent certificate into the browser and complete the configuration.

  14. When the configuration is complete, restart the subsystem. 

    /etc/init.d/rhpki-tps restart