2.5. Installing the Certificate System

There are two major parts of the installation process: obtaining the packages and configuring the subsystem. This section explains how to obtain and install the Certificate System packages.

There are two ways to obtain and install the subsystem packages. For all supported platforms, the Certificate System packages can be downloaded as ISO images through the appropriate Red Hat Network channel. These packages are then installed with the platform's package utility: on Red Hat Enterprise Linux systems this is rpm, and on Solaris 9 it is pkgadd.

Alternatively, if the appropriate network access is available, the subsystems and all dependencies can be downloaded and installed on Red Hat Enterprise Linux systems using the up2date command.

Whether downloading and installing the Certificate System from an ISO image or through up2date, several packages are installed for related applications and dependencies, not just the subsystem packages. These packages are listed in Section 2.2.3.1, “Red Hat Enterprise Linux RPMs” and Section 2.2.3.2, “Solaris Packages”.

2.5.1. Installing from an ISO Image

For Sun Solaris and Red Hat Enterprise Linux AS and ES, do the following to install the Certificate System from an ISO image:

NOTE

There is an environment variable, DONT_RUN_PKICREATE, which stops the pkicreate script from running automatically after the subsystem packages are installed. Setting DONT_RUN_PKICREATE=1 before installing allows the default instances to be created later, with pkicreate run manually, in user-defined installation directories instead of the default locations under /var/lib. For deployments where the default instances must be installed in custom locations, it can be preferable to install from the ISO image with this environment variable set so that pkicreate does not run.

  1. Open the platform-appropriate Red Hat Certificate System 7.2 Red Hat Network channel.

    Solaris packages are downloaded as a single ISO image; Red Hat Enterprise Linux packages can be downloaded as an ISO image or individually.

  2. Download the packages.

  3. Log into the machine as root.

  4. There are two different methods of installation:

    1. Use the installation scripts for the packages in the RedHat/scripts directory in the ISO. There are individual scripts for each subsystem server and the client:

      • rhpki-ca_install for the CA

      • rhpki-kra_install for the DRM

      • rhpki-ocsp_install for the OCSP

      • rhpki-tks_install for the TKS

      • rhpki-tps_install for the TPS

      • esc_install for the Enterprise Security Client

      Running any of these installation scripts first installs a package called rhpki-manage, which contains two scripts, rhpki-install and rhpki-uninstall. The rhpki-install script is then automatically run to install the specified subsystem.

    2. Install the rhpki-manage package and run rhpki-install manually. For example, on Red Hat Enterprise Linux:

      rpm -Uvh rhpki-manage-7.2.0-3.noarch.rpm
      

      Once the rhpki-manage package is installed, then the rhpki-install script can be run directly to install the subsystem.

      NOTE

There is an environment variable, DONT_RUN_PKICREATE, which stops the pkicreate script from running automatically after the subsystem packages are installed. This allows the default instances to be installed in user-defined installation directories instead of the default locations under /var/lib. In that case, set DONT_RUN_PKICREATE=1 in the environment before running the rhpki-install script for the subsystem, then run the pkicreate script manually.

      rhpki-install -pki_subsystem=subsystem_type
       -pki_package_path=/path/to/ISO image -force
      

subsystem_type can be ca for the CA, drm for the DRM, ocsp for the OCSP, tks for the TKS, or tps for the TPS; esc installs the Enterprise Security Client. Note that the DRM is selected with drm here, although its package and installation script are named rhpki-kra. The -force option proceeds through the installation without prompting for confirmation.

      For example, to install the CA and then the DRM, run the following:

      rhpki-install -pki_subsystem=ca
       -pki_package_path=/media/cdrom/RedHat/RPMS -force
      
      rhpki-install -pki_subsystem=drm
       -pki_package_path=/media/cdrom/RedHat/RPMS -force
      

      The rhpki-install script uses the rpm program on Red Hat Enterprise Linux systems and pkginfo and pkgadd programs on Solaris 9 systems.

When the installation process is complete, a URL for the configuration wizard of the new instance is printed to the screen in the following format. The pin value in the URL is what admits a user to the configuration wizard, and the wizard listens on the unsecure (plain HTTP) port, so treat the printed URL as sensitive: record it where only the administrator can read it and complete the configuration promptly.

    Configuration Wizard listening on
    http://hostname.domainname:unsecure-port/subsystem_type
     /admin/console/config/login?pin=pin
    

    For example, a new CA may have the following URL:

    http://server.example.com:9080/
     ca/admin/console/config/login?pin=Yc6EuvuY2OeezKeX7REk
    

NOTE

When the first subsystem is installed on a machine, the installation process automatically creates a new user (pkiuser) and group (pkiuser), and all default Certificate System instances run as this user and group.
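The second installation method of step 4 together with step 5, carried through as one script. This is an added example, not code from the Red Hat Certificate System documentation or the rhpki-manage package. It assumes the ISO is mounted at /media/cdrom (so the packages are under /media/cdrom/RedHat/RPMS), that rhpki-manage has already been installed with rpm, and that rhpki-install prints the Configuration Wizard URL on a single line; the file name /root/rhpki-wizard-urls.txt, the kra alias, and all function names are the example's own choices. Because the pin in the wizard URL is the credential for the configuration wizard, the script files each URL in a root-only file rather than leaving it only on the terminal.

```shell
#!/bin/sh
# Added example (not from the Red Hat Certificate System documentation):
# runs rhpki-install for a list of subsystems from a mounted ISO and files
# each Configuration Wizard URL, which carries the wizard pin, in a file
# readable only by root.
# Assumptions (not from the page): ISO mounted at $ISO_MOUNT, rhpki-manage
# already installed, wizard URL printed on one line. $URL_FILE is illustrative.

ISO_MOUNT="${ISO_MOUNT:-/media/cdrom}"
PKG_PATH="$ISO_MOUNT/RedHat/RPMS"
URL_FILE="${URL_FILE:-/root/rhpki-wizard-urls.txt}"

# Map a requested name to the -pki_subsystem value rhpki-install accepts.
# "kra" (the package name for the DRM) is translated to "drm"; anything
# else is rejected so that a typo cannot reach "rhpki-install -force".
subsystem_type() {
    case "$1" in
        ca|drm|ocsp|tks|tps|esc) printf '%s\n' "$1" ;;
        kra) printf 'drm\n' ;;
        *) return 1 ;;
    esac
}

# Extract the first Configuration Wizard URL from installer output on stdin.
# Prints nothing and returns 1 if no URL with a pin parameter is present.
wizard_url() {
    url=$(grep -o 'http://[^[:space:]]*/admin/console/config/login?pin=[^[:space:]]*' | head -n 1)
    [ -n "$url" ] || return 1
    printf '%s\n' "$url"
}

# Append "<type> <url>" to $URL_FILE; umask 077 makes a new file mode 0600.
record_url() {
    ( umask 077; printf '%s %s\n' "$1" "$2" >> "$URL_FILE" )
}

# Preconditions from the procedure: logged in as root, package directory
# present on the mounted ISO, rhpki-install (from rhpki-manage) on the PATH.
check_env() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -d "$PKG_PATH" ] || { echo "no RPMS directory at $PKG_PATH (ISO mounted?)" >&2; return 1; }
    command -v rhpki-install >/dev/null 2>&1 \
        || { echo "rhpki-install not found; install rhpki-manage first" >&2; return 1; }
}

install_subsystem() {
    type=$(subsystem_type "$1") || { echo "unknown subsystem: $1" >&2; return 1; }
    # -force skips the confirmation prompt; output is captured so the
    # wizard URL can be filed instead of scrolling past on the terminal.
    out=$(rhpki-install -pki_subsystem="$type" -pki_package_path="$PKG_PATH" -force 2>&1) || {
        printf '%s\n' "$out" >&2
        echo "rhpki-install failed for $type" >&2
        return 1
    }
    printf '%s\n' "$out"
    if url=$(printf '%s\n' "$out" | wizard_url); then
        record_url "$type" "$url"
        echo "wizard URL for $type saved to $URL_FILE (contains the pin; keep it private)"
    else
        # Expected when DONT_RUN_PKICREATE=1 is set: pkicreate, which prints
        # the URL, has not run yet and must be run manually.
        echo "no wizard URL printed for $type (pkicreate suppressed or failed?)" >&2
    fi
}

main() {
    check_env || exit 1
    for s in "$@"; do
        install_subsystem "$s" || exit 1
    done
}

# Usage: sh install-subsystems.sh ca drm
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root with the subsystems in the order they should be installed, for example ca first and then drm, which mirrors the two commands shown in step 4. The URL file contains the pin for every wizard that has not yet been completed, so delete it once each instance has been configured.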

2.5.2. Installing through up2date

NOTE

There is an environment variable, DONT_RUN_PKICREATE, which stops the pkicreate script from running automatically after the subsystem packages are installed, so that the default instances can be created manually in user-defined installation directories instead of the default locations under /var/lib. For deployments where the default instances must be installed in custom locations, it can be preferable to install from the ISO image with DONT_RUN_PKICREATE=1 set, as described in Section 2.5.1, rather than through up2date.

To install the subsystems on Red Hat Enterprise Linux using the up2date command, run a command like the following for each subsystem:

up2date rhpki-subsystem

subsystem can be ca for the CA, kra for the DRM, ocsp for the OCSP, tks for the TKS, or tps for the TPS. Note that the package name for the DRM uses kra, whereas the rhpki-install -pki_subsystem option uses drm.

up2date is used only for the first subsystem instance; any additional subsystem instances should be added using pkicreate.

To install the client using up2date, run the following:

up2date esc