7.1. Manually Adding a New Port to the RA

Bugzilla Bug: 229246

The following section documents how to manually add a new port to the RA.

The default RA server has an "optional" port for performing SSL client authentication. It is expected that the agent/administration users will select the appropriate certificate to perform SSL authentication when asked, while EE users will just "Cancel" out of the certificate selection process, if asked. The problem with this approach is that if an EE user cancels out of the certificate selection process, and chooses to renew a certificate (Bugzilla Bug# 233274), then the certificate selection process is automatically skipped, thus causing an error during certificate renewal.

This forces an EE user who wishes to renew a certificate to select the certificate to be renewed the first time they are asked to authenticate. This is awkward. To circumvent this situation, the following steps should be taken by the administrator to provide a second port purely to handle EE operations.

After performing the recommended installation procedure:

  1. Change to the configuration directory: cd /var/lib/rhpki-ra/conf

  2. Edit the nss.conf file:

    1. At the top, add another "Listen" line with a different port. For example, Listen 0.0.0.0:12889

    2. Search for an existing <VirtualHost ...> ... </VirtualHost> container, copy the entire container and paste it at the end. Change the new container's port number to the new port: for example, <VirtualHost _default_:12891>

    3. Go to the original <VirtualHost ...> container, and change the value of "NSSVerifyClient" from "optional" to "require".

    4. Go to the new <VirtualHost ...> container, and change the value of "NSSVerifyClient" from "optional" to "none".

    5. Save and exit.

  3. Edit the CS.cfg file:

    1. Search for "service.securePort" and add the following line below it: service.secureEePort=12891

    2. Save and exit.

  4. Change to the document root directory: cd /var/lib/rhpki-ra/docroot

    1. Edit the index.cgi file. Search for "securePort" and make a similar line with secureEePort: for example, $::symbol{secureEePort} = $cfg->get("service.secureEePort");

    2. Edit the index.vm file. Search for "SSL End Users" and change the href line to use secureEePort: for example: <a href="https://$machineName:$secureEePort/ee/index.cgi">SSL End Users Services</a>

    3. Save both files and exit.

  5. Restart the RA system.
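
A way to check the result of steps 2 and 3 before restarting, as an added example that is not part of the product documentation: it confirms that each port named in CS.cfg has a Listen line and a <VirtualHost> container in nss.conf, that the original port now requires a client certificate, and that the EE port requests none. The function names and the agent port 12890 in the sample data are assumptions made for illustration; 12891 is the example EE port used above.

```python
import re

VHOST = re.compile(r"^\s*<VirtualHost\s+[^>]*:(\d+)\s*>(.*?)^\s*</VirtualHost>", re.I | re.M | re.S)

def vhost_verify_modes(nss_conf):
    """Map each VirtualHost port to its NSSVerifyClient value (None if unset)."""
    modes = {}
    for port, body in VHOST.findall(nss_conf):
        m = re.search(r"^\s*NSSVerifyClient\s+(\S+)", body, re.I | re.M)
        modes[int(port)] = m.group(1).strip('"').lower() if m else None
    return modes

def listen_ports(nss_conf):
    """Ports named on uncommented Listen lines, with or without an address."""
    return {int(p) for p in re.findall(r"^\s*Listen\s+(?:\S+:)?(\d+)\b", nss_conf, re.I | re.M)}

def cfg_value(cs_cfg, key):
    m = re.search(rf"^{re.escape(key)}\s*=\s*(\S+)", cs_cfg, re.M)
    return m.group(1) if m else None

def check_ra_ports(nss_conf, cs_cfg):
    """Return a list of problems; an empty list means the port split is consistent."""
    problems = []
    modes, listening = vhost_verify_modes(nss_conf), listen_ports(nss_conf)
    # Expected NSSVerifyClient per CS.cfg key, as set in steps 2.3 and 2.4.
    for key, want in (("service.securePort", "require"), ("service.secureEePort", "none")):
        value = cfg_value(cs_cfg, key)
        if value is None or not value.isdigit():
            problems.append(f"CS.cfg: {key} is missing or not a port number")
            continue
        port = int(value)
        if port not in listening:
            problems.append(f"nss.conf: no Listen line for port {port} ({key})")
        if port not in modes:
            problems.append(f"nss.conf: no <VirtualHost> for port {port} ({key})")
        elif modes[port] != want:
            problems.append(f"nss.conf: port {port} has NSSVerifyClient {modes[port]}, expected {want}")
    return problems

# Constructed sample files (not from a real install); 12890 is an assumed agent port.
def _vhost(port, mode):
    return f"<VirtualHost _default_:{port}>\nNSSEngine on\nNSSVerifyClient {mode}\n</VirtualHost>\n"
CS_CFG = "service.securePort=12890\nservice.secureEePort=12891\n"
NSS_OK = "Listen 0.0.0.0:12890\nListen 0.0.0.0:12891\n" + _vhost(12890, "require") + _vhost(12891, "none")
NSS_BAD = "Listen 0.0.0.0:12890\n" + _vhost(12890, "optional") + _vhost(12891, "none")

if __name__ == "__main__":
    for name, conf in (("ok", NSS_OK), ("bad", NSS_BAD)):
        print(name, check_ra_ports(conf, CS_CFG) or "no problems")
```

To check a real installation, pass the contents of nss.conf and CS.cfg from /var/lib/rhpki-ra/conf to check_ra_ports.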