Netscape Certificate Management System Administrator's Guide: Chapter 2 Installation

Administrator's Guide
Netscape Certificate Management System

Chapter 2 Installation

This chapter explains how to install Netscape Certificate Management System (CMS).

This chapter contains the following sections:

Installation and Configuration Overview

Installation Overview

Installing CMS

Uninstalling CMS

Installation and Configuration Overview

You install Netscape Certificate Management System (CMS) on each host on which you will be setting up a CMS subsystem. You then configure the subsystem that will run on that host. Once a subsystem is setup, you can access its end-entity interface, agent services interface, and its administrative interface and further configure the instance to match the needs of your PKI.

Note: To install Netscape CMS and configure it into a Common Criteria Evaluated subsystem, please see Appendix B "Common Criteria Environment: Setup and Operations."

You can configure more than one subsystem in an installation of CMS. You can also install CMS on more than one host, with one or more subsystems configured in each installation. Finally, different instances of CMS subsystems can be set up as clones for high availability purposes. To install and configure one or more CMS subsystems as clones, please see Cloning a CA.

One of your deployment decisions is which subsystems you will install, how many of each type of subsystem you will configure, and on which hosts they will be installed. Once you decide this, you install CMS on each host you will be using, install each subsystem that will be run on that host, and then configure each of the subsystems on each host.

Installation and Configuration Process

The following outlines the process for installing, setting up, and configuring CMS:

Run the installation program to install Administration Server, Directory Server, and CMS on each host system that will be part of your deployment. See Installing CMS for complete instructions on installing CMS.

Configure each subsystem that will be running on each host. CMS provides an installation wizard for configuring an instance of each of the subsystems. Complete instructions for configuring each of the subsystems can be found at the following locations:

"Installing a Certificate Manager as a Root CA"

"Installing a Certificate Manager as a Subordinate CA"

"Installing a Registration Manager"

"Installing an Online Certificate Status Manager"

"Installing a Standalone Data Recovery Manager"

Get the first agent certificate for the subsystem. See "Agent Certificates"" for complete instructions.

Configure the instance for the particular needs of your PKI. For complete details on configuring each of the subsystems, see the chapter that describes that subsystem:

Chapter 3 "Certificate Manager"

Chapter 4 "Registration Manager"

Chapter 5 "OCSP Responder"

Chapter 6 "Data Recovery Manager"

Installation Overview

This section provides information about the CMS installation, and provides information about things you need to consider and decide when installing CMS.

About the Installation Program

The installation program installs Administration Server, Directory Server, Netscape Console, and CMS in the server root directory you specify. It creates one instance of Administration Server, one instance of Directory Server, and one instance of CMS.

The installation program automatically starts Administration Server and Directory Server. Once installation is complete, you can use Netscape Console to view all your server settings, make changes to those settings, and configure CMS instances. See "The Administrative Interface" about accessing and logging into Netscape Console.

Installation Considerations

This section provides information needed to decide which settings to use when installing CMS.

System Requirements

See the Release Notes for the system requirements for this product.

Component Servers

The installation process installs Netscape Administration Server, Netscape Console, and Netscape Directory Server, as well as CMS.

You can choose to not install one or more of these servers if you already have one of them installed. Generally, you would install using the default settings, which installs all four products.

Server Groups

A server group is created when you install Administration Server. All servers are then installed in that server group. You can create more than one server group and install servers in each. You must have an Administration Server for each server group. Administration Server can use a local configuration directory or refer to an existing configuration directory installed elsewhere. See Managing Servers with Netscape Console for more information about server groups.

Server Root

The server root is the directory in which all servers for a particular group are installed. You specify the server root during installation.

Choosing Ports for Directory and Administration Servers

During installation, you choose port numbers for both the directory server used as the configuration directory, and the administration server. The port for the administration server is the port used to log into Netscape Console. Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing a port number for your installation:

The standard Directory Server (LDAP) port number is 389.

Port 636 is reserved for LDAP over SSL. Therefore, do not use port number 636 for your standard LDAP installation, even if 636 is not already in use. You can also use LDAP over TLS on the standard LDAP port.

Port numbers between 1 and 1024 have been assigned to various services by the Internet Assigned Numbers Authority. Do not use port numbers below 1024 other than 389 or 636 for directory services as they will conflict with other services.

On UNIX platforms, Directory Server must be run as the UNIX user ID root if it will listen on either port 389 or 636.

Make sure the ports you choose are not already in use. Additionally, if you are using both LDAP and LDAPS communications, make sure the port numbers chosen for these two types of access are not identical.

Deciding the User and Group for Your Netscape Servers

For security reasons, it is always best to run UNIX-based production servers with normal user privileges. That is, you do not want to run the servers with root privileges. However, you will have to run Directory Server with root privileges if you are using the default Directory Server ports. If Directory Server is to be started by Administration Server, Administration Server must run either as root or as the same user as Directory Server.

You must therefore decide what user accounts you will use for the following purposes:

The user and group under which you will run Directory Server.

If you will not be running the Directory Server as root, it is strongly recommended that you create a user account for all Netscape servers. You should not use any existing operating system account, and must not use the nobody account. Also you should create a common group for the directory server files; again, you must not use the nobody group.

The user and group under which you will run Administration Server.

For installations that use the default port numbers, this must be root. However, if you use ports over 1024, then you should create a user account for all Netscape servers, and run Administration Server as this account.

As a security precaution, when Administration Server is being run as root, it should be shut it down when it is not in use.

You should use a common group for all Netscape servers, such as gid Netscape, to ensure that files can be shared between servers when necessary.

Before you can install Directory Server and Administration Server, you must make sure that the user and group accounts you will use exist on your system.

Defining Authentication Entities

As you install Directory Server and Administration Server, you will be asked for various user names, distinguished names (DN), and passwords. This list of login and bind entities will differ depending on the type of installation that you are performing:

Directory Manager DN and password.

The Directory Manager DN is the special directory entry to which access control does not apply. Think of the directory manager as your directory's superuser.

The default Directory Manager DN is cn=Directory Manager. Because the Directory Manager DN is a special entry, the Directory Manager DN does not have to conform to any suffix configured for your Directory Server. Therefore, you must not manually create an actual Directory Server entry that has the same DN as the directory manager DN.

Configuration Directory Administrator ID and password.

The configuration directory administrator is the person responsible for managing all the Netscape servers accessible through Netscape Console. If you log in with this user ID, then you can administer any Netscape server that you can see in the server topology area of Netscape Console.

For security, the configuration directory administrator should not be the same as the directory manager. The default configuration directory administrator ID is admin. This is the user ID and password you will use to log into Netscape Console.

Administration Server User and password.

You are prompted for this only during custom installations. The Administration Server user is the special user that has all privileges for the local Administration Server. Authentication as this person allows you to administer all the Netscape servers stored in the local server root.

Administration Server user ID and password is used only when the Directory Server is down and you are unable to log in as the configuration directory administrator. The existence of this user ID means that you can access Administration Server and perform disaster recovery activities such as starting Directory Server, reading log files, and so forth.

Normally, Administration Server user and password should be identical to the configuration directory administrator ID and password.

Determining Your Directory Suffix

A directory suffix is the directory entry that represents the first entry in a directory tree. You will need at least one directory suffix for the tree that will contain your enterprise's data. It is common practice to select a directory suffix that corresponds to the DNS host name used by your enterprise. For example, if your organization uses the DNS name example.com, then select a suffix of dc=example,dc=com.

For the purposes of CMS, this suffix usually does not matter, unless you plan to store user information in this configuration directory. Normally you will not store users in this configuration directory. You only use this configuration directory to store configuration settings for the Administration Server that allow you to use Netscape Console to manage CMS.

For more information on planning the suffixes for your directory service, see the Netscape Directory Server Deployment Guide.

Installation Worksheet

You can use the following worksheet to specify the information you will be prompted for during the installation. The default setting is indicated in square brackets.

Install location [/usr/netscape/servers]

______________________________________

Computer name [myhost.mydomain.com]

______________________________________

System User [nobody]

______________________________________

System Group [nobody]

______________________________________

Directory Server Port Number

______________________________________

Directory server identifier [myhost]

______________________________________

Netscape configuration directory
server administrator ID [admin]

______________________________________

Suffix
[dc=domaincomponent, dc=com]

______________________________________

Directory Manager DN
[cn=Directory Manager]

______________________________________

Administration Domain [mydomain.com]

______________________________________

Administration port [random #]

______________________________________

Run Administration Server as
[current login]

______________________________________

Certificate Management System
identifier [certificate]

______________________________________

Installing CMS

To install CMS:

Log in to the host system as the user ID you will be running the servers as. Note that you must be logged into the host locally. Do not install remotely.

See "Deciding the User and Group for Your Netscape Servers" for more information.

Go to the directory on the distribution CD or on your file system containing the CMS installation program (setup). Untar and/or unzip the distribution files if they are tarred and or zipped.

Type the following command to start the installation program:

./setup

The setup command has the following options:

-h

Prints out the help message.

-s

Specifies the silent installation mode.

-f <filename>

Specifies a silent installation script.

-b

Only install binaries without configuration

-k

Saves the installation cache. The cache will be saved to the file <temp>/install.inf.

The installation program launches.

Note

You can use the following commands during installation:

Control-B will take you back one screen in the installation.

Control-C will cancel the installation.

Most prompts have a default value shown in square brackets. To accept the default value, press Enter.

The installation program will prompt you for series of configuration settings detailed in the following steps.

Would you like to continue with installation? [Yes]: Press Enter.

Do you agree to the license terms? [No]: Type yes and press Enter.

Select the component you would like to install [1]: Accept the default to install the Netscape servers.

Choose an installation type [2]: Accept the default for a typical installation.

Install location [/usr/netscape/servers]: Enter the full path to the location in which you want to install the servers. The location that you enter must be different from the directory from which you are running the setup program. You must have write access to the directory. If the directory that you specify does not exist, the setup program creates it for you. This location is the server root for this installation. See "Server Root" for more information.

Specify the components you wish to install [All]: Accept the default value, All, to accept the default server product components.

Specify the components you wish to install [1,2,3]: Press Enter to accept the default components.

Specify the components you wish to install [1,2]: Press Enter to accept the default components.

Specify the components you wish to install [1,2]: Press Enter to accept the default components.

Specify the components you wish to install [1,2]: Press Enter to accept the default components.

Computer name [myhost.mydomain.com]: Accept the default value to install on the local machine. Do not attempt to install remotely.

System User [nobody]: Enter the user ID that Directory Server will run as. See "Deciding the User and Group for Your Netscape Servers" for more information.

System Group [nobody]: Enter the group that Directory Server will run as. See "Deciding the User and Group for Your Netscape Servers" for more information.

Do you want to register this software with an existing Netscape configuration directory server? [No]: If you accept the default setting, the installation script installs a new instance of Directory Server for use as a configuration directory.

You can also choose to use a previously installed configuration directory. In this case, select "Use existing configuration directory server," then fill in the values that identify and provide access to the previously installed directory.

Do you want to use another directory to store your data? [No]: If you accept the default setting, the installation script either adds a user/group directory to the newly installed instance of Directory Server (if you accepted the default in step 17) or installs a new instance of Directory Server for use as a user/group directory.

You can also choose to use a previously installed user/group directory. In this case, enter Yes, then fill in the values that identify and provide access to the previously installed directory.

Directory server network port [random #]: Accept the default, which is either 389 or a randomly generated number, or enter any port number that is not and will not be used for another purpose.

If you are using an existing configuration directory, enter its port number.

See "Choosing Ports for Directory and Administration Servers" for more information.

Directory server identifier [myhost]: Enter a unique identifier for the new instance of Directory Server.

If you are using an existing configuration directory, enter its identifier.

Netscape configuration directory server administrator ID [admin]: Enter the name and password of the user ID who will authenticate to Netscape Console with full privileges. The password must be at least eight characters long.

If you are using an existing configuration directory, enter its administrator ID and password.

See "Defining Authentication Entities" for more information.

Suffix [dc=domaincomponent, dc=com]: Accept the default value for the suffix, or base DN, to be used for the directory tree. See "Determining Your Directory Suffix" for more information.

Directory Manager DN [cn=Directory Manager]: Enter the distinguished name (DN) and password of the directory manager for the configuration directory. The password must be at least eight characters long.

This DN can be short and does not need to conform to any suffix configured for your directory. It also should not correspond to an actual entry stored in your directory.

See "Defining Authentication Entities" for more information.

Administration Domain [mydomain.com]: Accept the default value. This domain name identifies the collection of servers that use the same configuration directory.

Administration port [random #]: Accept the default port number, which is randomly generated, or enter any port number that is not and will not be used for another purpose. See "Choosing Ports for Directory and Administration Servers" for more information.

Run Administration Server as [current login]: Enter the user ID for the Administration Server process. If you are running as root, you can accept the default to run the server as root.

Certificate Management System identifier [certificate]: Enter a unique identifier for the new instance of CMS.

The script extracts and installs the binaries for all of the servers in the server root directory and creates and starts instances of the Administration Server and Directory Server. For specifics on installing each subsystem, see:

"Installing a Certificate Manager as a Root CA".

"Installing a Certificate Manager as a Subordinate CA".

"Installing a Registration Manager".

"Installing an Online Certificate Status Manager".

"Installing a Standalone Data Recovery Manager".

You should note the choices you made for later reference, especially the following:

The server root in which the software was installed. You will need to know this whenever you need to access any of the files installed for any of the servers, or to manually stop and start any of the servers.

The administration domain and administration port number. You will need both of these to log into Netscape Console.

The configuration directory server administrator ID and password. You will log in as this user ID when logging into Netscape Console.

The installation logs are located in the directory:

<server_root>/cert-<instance_id>/logs

See "Logs" for more information.

Uninstalling CMS

To remove CMS from a host system, run the uninstall program. To remove a specific CMS instance, follow the instructions provided in Removing an Instance From a System.

To uninstall CMS:

Log in as the user account under which the server is running.

Go to the server root directory containing the installed software.

Type the following command:

./uninstall.

Specify the components you wish to uninstall [All]: Accept the default value.

Specify the components you wish to uninstall [1,2,3]: Accept the default value.

Specify the components you wish to uninstall [1,2]: Accept the default value.

Specify the components you wish to uninstall [1,2]: Accept the default value.

Specify the components you wish to uninstall [1,2]: Accept the default value.

Configuration admin ID or DN [admin]: Accept the default value.

The uninstallation program starts.

Last Updated November 23, 2004

Install location [/usr/netscape/servers]	______________________________________
Computer name [myhost.mydomain.com]	______________________________________
System User [nobody]	______________________________________
System Group [nobody]	______________________________________
Directory Server Port Number	______________________________________
Directory server identifier [myhost]	______________________________________
Netscape configuration directory server administrator ID [admin]	______________________________________
Suffix [dc=domaincomponent, dc=com]	______________________________________
Directory Manager DN [`cn=Directory Manager`]	______________________________________
Administration Domain [mydomain.com]	______________________________________
Administration port [random #]	______________________________________
Run Administration Server as [current login]	______________________________________
Certificate Management System identifier [certificate]	______________________________________

`-h`	`Prints out the help message.`
`-s`	`Specifies the silent installation mode.`
`-f <filename>`	`Specifies a silent installation script.`
`-b`	`Only install binaries without configuration`
`-k`	`Saves the installation cache. The cache will be saved to the file` `<temp>/install.inf.`