Administrator's Guide
Red Hat Certificate System

Chapter 2

Installation


This chapter explains how to install Red Hat Certificate System (CS).

This chapter contains the following sections:

Installation and Configuration Overview

You install Red Hat Certificate System (CS) on each host on which you will be setting up a CS subsystem. You then configure the subsystem that will run on that host. Once a subsystem is set up, you can access its end-entity interface, its agent services interface, and its administrative interface, and further configure the instance to match the needs of your PKI.

Note: To install Red Hat CS and configure it into a Common Criteria Evaluated subsystem, please see Appendix B, "Common Criteria Environment: Setup and Operations."

You can configure more than one subsystem in an installation of CS. You can also install CS on more than one host, with one or more subsystems configured in each installation. Finally, different instances of CS subsystems can be set up as clones for high availability purposes. To install and configure one or more CS subsystems as clones, please see "Cloning a CA" on page 127.

One of your deployment decisions is which subsystems you will install, how many of each type of subsystem you will configure, and on which hosts they will be installed. Once you decide this, you install CS on each host you will be using, install each subsystem that will be run on that host, and then configure each of the subsystems on each host.

Installation and Configuration Process

The following outlines the process for installing, setting up, and configuring CS:

  1. Run the installation program to install Administration Server, Directory Server, and CS on each host system that will be part of your deployment. See "Installing CS" on page 72 for complete instructions on installing CS.
  2. Configure each subsystem that will be running on each host. CS provides an installation wizard for configuring an instance of each of the subsystems. Complete instructions for configuring each of the subsystems can be found at the following locations:
  3. Get the first agent certificate for the subsystem. See "Agent Certificates," on page 324 for complete instructions.
  4. Configure the instance for the particular needs of your PKI. For complete details on configuring each of the subsystems, see the chapter that describes that subsystem:

Installation Overview

This section provides information about the CS installation, and provides information about things you need to consider and decide when installing CS.

About the Installation Program

The installation program installs Administration Server, Directory Server, Red Hat Console, and CS in the server root directory you specify. It creates one instance of Administration Server, one instance of Directory Server, and one instance of CS.

The installation program automatically starts Administration Server and Directory Server. Once installation is complete, you can use Red Hat Console to view all your server settings, make changes to those settings, and configure CS instances. See "The Administrative Interface," on page 236 about accessing and logging into Red Hat Console.

Installation Considerations

This section provides information needed to decide which settings to use when installing CS.

System Requirements

See the Release Notes for the system requirements for this product.

Component Servers

The installation process installs Red Hat Administration Server, Red Hat Console, and Red Hat Directory Server, as well as CS.

You can choose to not install one or more of these servers if you already have one of them installed. Generally, you would install using the default settings, which installs all four products.

Server Groups

A server group is created when you install Administration Server. All servers are then installed in that server group. You can create more than one server group and install servers in each. You must have an Administration Server for each server group. Administration Server can use a local configuration directory or refer to an existing configuration directory installed elsewhere. See Managing Servers with Red Hat Console for more information about server groups.

Server Root

The server root is the directory in which all servers for a particular group are installed. You specify the server root during installation.

Choosing Ports for Directory and Administration Servers

During installation, you choose port numbers for both the directory server used as the configuration directory, and the administration server. The port for the administration server is the port used to log into Red Hat Console. Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing a port number for your installation:

Deciding the User and Group for Your Red Hat Servers

For security reasons, it is always best to run UNIX-based production servers with normal user privileges. That is, you do not want to run the servers with root privileges. However, you will have to run Directory Server with root privileges if you are using the default Directory Server ports. If Directory Server is to be started by Administration Server, Administration Server must run either as root or as the same user as Directory Server.

You must therefore decide what user accounts you will use for the following purposes:

  • Directory Server user and group: If you will not be running Directory Server as root, it is strongly recommended that you create a user account for all Red Hat servers. You should not use any existing operating system account, and must not use the nobody account. You should also create a common group for the Directory Server files; again, you must not use the nobody group.
  • Administration Server user: For installations that use the default port numbers, this must be root. However, if you use ports over 1024, you should create a user account for all Red Hat servers and run Administration Server as this account.
  • As a security precaution, when Administration Server is run as root, it should be shut down when it is not in use.

You should use a common group for all Red Hat Directory and Certificate servers, such as gid redhat, to ensure that files can be shared between servers when necessary.

Before you can install Directory Server and Administration Server, you must make sure that the user and group accounts you will use exist on your system.

Defining Authentication Entities

As you install Directory Server and Administration Server, you will be asked for various user names, distinguished names (DN), and passwords. This list of login and bind entities will differ depending on the type of installation that you are performing:

  • Directory Manager DN: The Directory Manager DN is the special directory entry to which access control does not apply. Think of the directory manager as your directory's superuser. The default Directory Manager DN is cn=Directory Manager. Because the Directory Manager DN is a special entry, it does not have to conform to any suffix configured for your Directory Server. Therefore, you must not manually create an actual Directory Server entry that has the same DN as the Directory Manager DN.
  • Configuration directory administrator: The configuration directory administrator is the person responsible for managing all the Red Hat servers accessible through Red Hat Console. If you log in with this user ID, you can administer any Red Hat server that you can see in the server topology area of Red Hat Console. For security, the configuration directory administrator should not be the same as the directory manager. The default configuration directory administrator ID is admin. This is the user ID and password you will use to log into Red Hat Console.
  • Administration Server user: You are prompted for this user only during custom installations. The Administration Server user is the special user that has all privileges for the local Administration Server. Authenticating as this user allows you to administer all the Red Hat servers stored in the local server root. The Administration Server user ID and password are used only when Directory Server is down and you are unable to log in as the configuration directory administrator. The existence of this user ID means that you can access Administration Server and perform disaster recovery activities such as starting Directory Server, reading log files, and so forth. Normally, the Administration Server user ID and password should be identical to the configuration directory administrator ID and password.

Determining Your Directory Suffix

A directory suffix is the directory entry that represents the first entry in a directory tree. You will need at least one directory suffix for the tree that will contain your enterprise's data. It is common practice to select a directory suffix that corresponds to the DNS host name used by your enterprise. For example, if your organization uses the DNS name example.com, then select a suffix of dc=example,dc=com.

For the purposes of CS, this suffix usually does not matter, unless you plan to store user information in this configuration directory. Normally you will not store users in this configuration directory. You only use this configuration directory to store configuration settings for the Administration Server that allow you to use Red Hat Console to manage CS.

For more information on planning the suffixes for your directory service, see the Red Hat Directory Server Deployment Guide.

Installation Worksheet

You can use the following worksheet to specify the information you will be prompted for during the installation. The default setting is indicated in square brackets.

Install location [/usr/netscape/servers] ______________________
Computer name [myhost.mydomain.com] ______________________
System User [nobody] ______________________
System Group [nobody] ______________________
Directory Server Port Number ______________________
Directory server identifier [myhost] ______________________
Red Hat configuration directory server administrator ID [admin] ______________________
Suffix [dc=domaincomponent, dc=com] ______________________
Directory Manager DN [cn=Directory Manager] ______________________
Administration Domain [mydomain.com] ______________________
Administration port [random #] ______________________
Run Administration Server as [current login] ______________________
Certificate System identifier [certificate] ______________________

Installing CS

To install CS:

  1. Log in to the host system as the user ID you will be running the servers as. Note that you must be logged into the host locally; do not install remotely. See "Deciding the User and Group for Your Red Hat Servers," on page 68 for more information.
  2. Go to the directory on the distribution CD or on your file system containing the CS installation program (setup). Untar and/or unzip the distribution files if they are tarred and/or zipped.
  3. Type the following command to start the installation program:
./setup
The setup command has the following options:
  -h            Prints out the help message.
  -s            Specifies the silent installation mode.
  -f <filename> Specifies a silent installation script.
  -b            Installs only the binaries, without configuration.
  -k            Saves the installation cache. The cache is saved to the file <temp>/install.inf.

The installation program launches.
Note
You can use the following commands during installation:
  • Control-B will take you back one screen in the installation.
  • Control-C will cancel the installation.
  • Most prompts have a default value shown in square brackets. To accept the default value, press Enter.

The installation program will prompt you for a series of configuration settings, detailed in the following steps.
  4. Would you like to continue with installation? [Yes]: Press Enter.
  5. Do you agree to the license terms? [No]: Type yes and press Enter.
  6. Select the component you would like to install [1]: Accept the default to install the Red Hat servers.
  7. Choose an installation type [2]: Accept the default for a typical installation.
  8. Install location [/usr/netscape/servers]: Enter the full path to the location in which you want to install the servers. The location that you enter must be different from the directory from which you are running the setup program. You must have write access to the directory. If the directory that you specify does not exist, the setup program creates it for you. This location is the server root for this installation. See "Server Root," on page 67 for more information.
  9. Specify the components you wish to install [All]: Accept the default value, All, to install the default server product components.
  10. Specify the components you wish to install [1,2,3]: Press Enter to accept the default components.
  11. Specify the components you wish to install [1,2]: Press Enter to accept the default components.
  12. Specify the components you wish to install [1,2]: Press Enter to accept the default components.
  13. Specify the components you wish to install [1,2]: Press Enter to accept the default components.
  14. Computer name [myhost.mydomain.com]: Accept the default value to install on the local machine. Do not attempt to install remotely.
  15. System User [nobody]: Enter the user ID that Directory Server will run as. See "Deciding the User and Group for Your Red Hat Servers," on page 68 for more information.
  16. System Group [nobody]: Enter the group that Directory Server will run as. See "Deciding the User and Group for Your Red Hat Servers," on page 68 for more information.
  17. Do you want to register this software with an existing configuration directory server? [No]: If you accept the default setting, the installation script installs a new instance of Directory Server for use as a configuration directory.
You can also choose to use a previously installed configuration directory. In this case, select "Use existing configuration directory server," then fill in the values that identify and provide access to the previously installed directory.
  18. Do you want to use another directory to store your data? [No]: If you accept the default setting, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you accepted the default in step 17) or installs a new instance of Directory Server for use as a user/group directory.
You can also choose to use a previously installed user/group directory. In this case, enter Yes, then fill in the values that identify and provide access to the previously installed directory.
  19. Directory server network port [random #]: Accept the default, which is either 389 or a randomly generated number, or enter any port number that is not and will not be used for another purpose.
If you are using an existing configuration directory, enter its port number.
See "Choosing Ports for Directory and Administration Servers," on page 68 for more information.
  20. Directory server identifier [myhost]: Enter a unique identifier for the new instance of Directory Server.
If you are using an existing configuration directory, enter its identifier.
  21. Red Hat configuration directory server administrator ID [admin]: Enter the name and password of the user ID who will authenticate to Red Hat Console with full privileges. The password must be at least eight characters long.
If you are using an existing configuration directory, enter its administrator ID and password.
See "Defining Authentication Entities," on page 69 for more information.
  22. Suffix [dc=domaincomponent, dc=com]: Accept the default value for the suffix, or base DN, to be used for the directory tree. See "Determining Your Directory Suffix," on page 70 for more information.
  23. Directory Manager DN [cn=Directory Manager]: Enter the distinguished name (DN) and password of the directory manager for the configuration directory. The password must be at least eight characters long.
This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory.
See "Defining Authentication Entities," on page 69 for more information.
  24. Administration Domain [mydomain.com]: Accept the default value. This domain name identifies the collection of servers that use the same configuration directory.
  25. Administration port [random #]: Accept the default port number, which is randomly generated, or enter any port number that is not and will not be used for another purpose. See "Choosing Ports for Directory and Administration Servers," on page 68 for more information.
  26. Run Administration Server as [current login]: Enter the user ID for the Administration Server process. If you are running as root, you can accept the default to run the server as root.
  27. Certificate System identifier [certificate]: Enter a unique identifier for the new instance of CS.
The script extracts and installs the binaries for all of the servers in the server root directory and creates and starts instances of the Administration Server and Directory Server. For specifics on installing each subsystem, see:
  28. Note the choices you made for later reference, especially the following:
    • The server root in which the software was installed. You will need to know this whenever you need to access any of the files installed for any of the servers, or to manually stop and start any of the servers.
    • The administration domain and administration port number. You will need both of these to log into Red Hat Console.
    • The configuration directory server administrator ID and password. You will log in as this user ID when logging into Red Hat Console.
  29. The installation logs are located in the directory:
<server_root>/cert-<instance_id>/logs
See "Logs," on page 255 for more information.
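A preflight check of the values entered during the steps above (the server user and group, the Directory Server and Administration Server ports, and the administrator passwords), encoding the rules this chapter states: no nobody account, ports within 1 to 65535, ports below 1024 forcing root, and passwords of at least eight characters. This is an added example and not part of the CS distribution; it assumes a POSIX sh on the install host, and the sample settings passed to it are constructed.

```shell
#!/bin/sh
# Pre-installation checks for the settings the CS setup program prompts for.
# Added example, not part of the CS distribution; assumes POSIX sh.

# Port numbers must be within 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Ports below 1024 (for example the default LDAP port 389) can only be bound by
# root, which in turn forces Administration Server to run as root.
needs_root_for_port() {
    valid_port "$1" && [ "$1" -lt 1024 ]
}

# The guide says not to run the servers as nobody; an empty name is unusable too.
account_ok() {
    [ -n "$1" ] && [ "$1" != "nobody" ]
}

# The user must already exist on the host before installation.
user_exists() {
    id "$1" >/dev/null 2>&1
}

# Administrator and Directory Manager passwords must be at least eight characters.
password_ok() {
    [ "${#1}" -ge 8 ]
}

# Summarise the plan; returns non-zero if any setting would fail or is unsafe.
# Args: user group ds_port admin_port admin_password
preflight() {
    rc=0
    for acct in "$1" "$2"; do
        account_ok "$acct" || { echo "refusing to use account/group '$acct'"; rc=1; }
    done
    user_exists "$1" || { echo "user '$1' does not exist on this host"; rc=1; }
    for p in "$3" "$4"; do
        valid_port "$p" || { echo "port '$p' is outside 1-65535"; rc=1; }
    done
    if needs_root_for_port "$3"; then
        echo "Directory Server port $3 is privileged: it and Administration Server must run as root"
    fi
    password_ok "$5" || { echo "administrator password is shorter than 8 characters"; rc=1; }
    return "$rc"
}

# Constructed sample settings: a dedicated account, unprivileged ports, long password.
preflight redhat redhat 1389 12345 'changeit-now1'
```

The privileged-port message is informational rather than a failure because the guide allows the default port 389 when the servers run as root; the other findings are hard failures.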

Uninstalling CS

To remove CS from a host system, run the uninstall program. To remove a specific CS instance, follow the instructions provided in "Removing an Instance From a System" on page 249.

To uninstall CS:

  1. Log in as the user account under which the server is running.
  2. Go to the server root directory containing the installed software.
  3. Type the following command:
./uninstall
  4. Specify the components you wish to uninstall [All]: Accept the default value.
  5. Specify the components you wish to uninstall [1,2,3]: Accept the default value.
  6. Specify the components you wish to uninstall [1,2]: Accept the default value.
  7. Specify the components you wish to uninstall [1,2]: Accept the default value.
  8. Specify the components you wish to uninstall [1,2]: Accept the default value.
  9. Configuration admin ID or DN [admin]: Accept the default value.

The uninstallation program starts.




© 2001 Sun Microsystems, Inc. Used by permission. © 2005 Red Hat, Inc. All rights reserved.

last updated September 26, 2005