The following section contains important installation, configuration, and deployment information for Red Hat Certificate System 7.2.
Packages are non-relocatable. This means that these base packages may not be installed to a user-designated location.
Do not use the Autorun feature of the CD-ROM. If the Autorun feature of a CD-ROM created from the ISO image is used, all subsystems (CA, DRM, OCSP, TKS, and TPS) as well as the Enterprise Security Client are installed on the system by default. The preferred alternative is to run the installation scripts provided for the server or follow the installation instructions in the Red Hat Certificate System 7.2 Enterprise Security Client Guide.
Java™ 1.5.0 Java Runtime Environment (JRE). Certificate System does not support earlier versions of the JRE. This JRE is required for running Tomcat, among other applications for the Certificate System.
On 32-bit Red Hat Enterprise Linux 4 platforms, Certificate System 7.2 requires the 32-bit version of the IBM JRE 1.5.0. A pre-packaged binary distribution of this package, java-1.5.0-ibm-1.5.0.0-1jpp_2rh:0.i386, is available through either the Red Hat Enterprise Linux AS (v. 4 for x86) Extras Red Hat Network channel or the Red Hat Enterprise Linux ES (v. 4 for x86) Extras Red Hat Network channel.
Similarly, for 64-bit Red Hat Enterprise Linux 4 platforms, Certificate System 7.2 requires the 64-bit version of the IBM JRE 1.5.0. A pre-packaged binary distribution of this package, java-1.5.0-ibm-1.5.0.0-1jpp_2rh:0.x86_64, is available through either the Red Hat Enterprise Linux AS (v. 4 for AMD64/EM64T) Extras Red Hat Network channel or the Red Hat Enterprise Linux ES (v. 4 for AMD64/EM64T) Extras Red Hat Network channel.
As root, run /usr/sbin/alternatives --config java to ensure that the IBM Java™ 1.5.0 JRE is selected.
Both the 32-bit xSeries (Intel-compatible) and 64-bit AMD/Opteron/EM64T versions of the IBM J2SE JRE 5.0 RPM packages available through the IBM download site are packaged in a format which is incompatible with Certificate System 7.2.
For 64-bit Solaris 9 (SPARC) platforms, download and install the latest version of the 64-bit Sun J2SE Java™ Runtime Environment 5.0 (Update 8) available from the Sun download site, http://java.sun.com/javase/downloads/index.jsp.
The 64-bit Solaris version of the Certificate System requires the user to install the 32-bit version of the JRE as well as installing the 64-bit version. The 32-bit version is used for the applet and Java™ Web Start support. Read http://java.sun.com/j2se/1.5.0/README.html, http://java.sun.com/j2se/1.5.0/ReleaseNotes.html, and http://java.sun.com/j2se/1.5.0/jre/install-solaris-64.html before installing the Certificate System.
Under the section Java Runtime Environment (JRE) 5.0 Update 9, Sun only makes this JRE available as a self-extracting file, which is incompatible with Certificate System because this format does not use the native Solaris packaging utility database.
It is possible to obtain the Sun 5.0 JRE in a compatible format. Click Download under the JDK 5.0 Update 9 section, and, under Solaris SPARC Platform - J2SE™ Development Kit 5.0 Update 9, select Solaris SPARC 32-bit packages - tar.Z (jdk-1_5_0_09-solaris-sparc.tar.Z) and Solaris SPARC 64-bit packages - tar.Z (use 32-bit version for applet and Java Web Start support) (jdk-1_5_0_09-solaris-sparcv9.tar.Z).
After downloading these two files, uncompress them using the gunzip utility, and extract the contents using the tar utility.
The contents of the 32-bit file, jdk-1_5_0_09-solaris-sparc.tar.Z, are COPYRIGHT, LICENSE, README.html, SUNWj5cfg, SUNWj5dev, SUNWj5dmo, SUNWj5jmp, SUNWj5man, and SUNWj5rt.
The contents of the 64-bit file, jdk-1_5_0_09-solaris-sparcv9.tar.Z, are SUNWj5dmx, SUNWj5dvx, and SUNWj5rtx.
Since only the JRE is needed on Solaris 9 systems, use the pkgadd utility to add the 32-bit package, SUNWj5rt, first, and then add the 64-bit package, SUNWj5rtx.
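The steps above as a script, added here as an example (not Red Hat's or Sun's code): it checks that each extracted bundle contains the entries listed above before adding SUNWj5rt and then SUNWj5rtx. The function names, the directory arguments and the PKGADD override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: install only the JRE packages from the two extracted JDK
# bundles, 32-bit first, after confirming each bundle matches the listing.
# Assumption: PKGADD is an illustrative override; run as root on Solaris 9.

PKGADD=${PKGADD:-pkgadd}   # set PKGADD=echo to preview the commands

# Entries the release notes list for each extracted archive.
BUNDLE32="COPYRIGHT LICENSE README.html SUNWj5cfg SUNWj5dev SUNWj5dmo SUNWj5jmp SUNWj5man SUNWj5rt"
BUNDLE64="SUNWj5dmx SUNWj5dvx SUNWj5rtx"

# extract_bundle ARCHIVE DESTDIR: uncompress with gunzip, unpack with tar.
extract_bundle() {
    mkdir -p "$2" && gunzip -c "$1" | (cd "$2" && tar xf -)
}

# missing_entries DIR ENTRY...: print each expected entry absent from DIR.
missing_entries() {
    dir=$1; shift
    for entry in "$@"; do
        [ -e "$dir/$entry" ] || printf '%s\n' "$entry"
    done
}

# install_jre DIR32 DIR64: verify both bundles, then add the 32-bit JRE
# package before the 64-bit one. Nothing is installed if an entry is missing.
install_jre() {
    missing=$(missing_entries "$1" $BUNDLE32; missing_entries "$2" $BUNDLE64)
    if [ -n "$missing" ]; then
        echo "incomplete bundle, missing: $missing" >&2
        return 1
    fi
    "$PKGADD" -d "$1" SUNWj5rt || return 1   # 32-bit JRE first
    "$PKGADD" -d "$2" SUNWj5rtx              # then the 64-bit JRE
}

# Typical use (paths are placeholders):
#   extract_bundle jdk-1_5_0_09-solaris-sparc.tar.Z   /var/tmp/jdk32
#   extract_bundle jdk-1_5_0_09-solaris-sparcv9.tar.Z /var/tmp/jdk64
#   install_jre /var/tmp/jdk32 /var/tmp/jdk64
```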
A JDK must be present on Red Hat Enterprise Linux systems. See http://kbase.redhat.com/faq/FAQ_54_4667.shtm for more information. While almost any JDK is sufficient, installing one of these JDKs is recommended:
For 32-bit Red Hat Enterprise Linux 4 platforms, a pre-packaged binary distribution of the 32-bit version of the IBM JDK 1.5.0, java-1.5.0-ibm-devel-1.5.0.0-1jpp_2rh:0.i386, is available through either the Red Hat Enterprise Linux AS (v. 4 for x86) Extras Red Hat Network channel or the Red Hat Enterprise Linux ES (v. 4 for x86) Extras Red Hat Network channel.
For 64-bit Red Hat Enterprise Linux 4 platforms, a pre-packaged binary distribution of the 64-bit version of the IBM JDK 1.5.0, java-1.5.0-ibm-devel-1.5.0.0-1jpp_2rh:0.x86_64, is available through either the Red Hat Enterprise Linux AS (v. 4 for AMD64/EM64T) Extras Red Hat Network channel or the Red Hat Enterprise Linux ES (v. 4 for AMD64/EM64T) Extras Red Hat Network channel.
After installing the JDK, run /usr/sbin/alternatives --config javac as root to ensure that a JDK is available.
Solaris 9 systems do not require downloading and installing a JDK; however, it may be required to download and install the Sun JDK 5.0 package in order to obtain a compatible Sun JRE 5.0 package.
TPS subsystems installed on a Red Hat Enterprise Linux system require a local installation of the Apache 2.0.x web server. If the installation is made on a newly-installed Red Hat Enterprise Linux AS or ES system, rather than an upgraded system, and Everything was selected during the Anaconda installation process, an Apache server should already be present.
When installing the TPS subsystem on Solaris 9, a specially-configured Apache server is included as part of the Certificate System 7.2 packages.
The TPS subsystem cannot be cloned.
All subsystems require access to a Red Hat Directory Server 7.1 on either the local machine (if it is also a 32-bit Red Hat Enterprise Linux platform) or a remote machine (acceptable platforms are 32-bit Red Hat Enterprise Linux 4, 32-bit Solaris 9 for SPARC, or 64-bit Solaris 9 for SPARC).
Since Red Hat Certificate System 7.2 is not an open-source product, source RPMs are only available for third-party packages.
Several of these third-party packages may issue warnings upon being installed since they may contain the UID and/or GID of their original packager.
The subsystem files in Certificate System 7.2 are in different locations than in Certificate System 7.1. The old and new locations are listed in Table 3, “Certificate System 7.1 and 7.2 File Locations”. These are explained in more detail in chapter 3, "Administrative Basics," in the Certificate System Administration Guide.

| File | 7.1 Location | 7.2 Location |
|---|---|---|
| Subsystem start and stop scripts | /opt/redhat-cs/cert-instance_ID | /etc/init.d/instance_ID |
| Subsystem installation directory (default) | /opt/redhat-cs/cert-instance_ID | /var/lib/instance_ID |
| Subsystem configuration directory (default) | /opt/redhat-cs/cert-instance_ID/config | /var/lib/instance_ID/conf |
| Subsystem log files | /opt/redhat-cs/cert-instance_ID/logs | /var/log/instance_ID |
| Tools | /opt/redhat-cs/bin/cert/tools | /usr/bin |
| Security databases | /opt/redhat-cs/alias | /var/lib/instance_ID/alias |

Table 3. Certificate System 7.1 and 7.2 File Locations
In addition to differences between the default directories, versions 7.1 and 7.2 use different URLs for accessing the services HTML pages. The old and new locations are listed in Table 4, “Certificate System 7.1 and 7.2 URLs”.

| Page | 7.1 URL | 7.2 URL |
|---|---|---|
| CA Services Page | https://hostname:SSLport | https://hostname:SSLport/ca/services |
| CA Agents Page | https://hostname:SSLport/ca/agent/ca | |
| CA End-Entities Page | https://hostname:SSLport/ca/ee/ca | |
| DRM Services Page | https://hostname:SSLport | https://hostname:SSLport/kra/services |
| DRM Agents Page | https://hostname:SSLport/kra/agent/kra | |
| OCSP Services Page | https://hostname:SSLport | https://hostname:SSLport/ocsp/services |
| OCSP Agents Page | https://hostname:SSLport/ocsp/agent/ocsp | |

Table 4. Certificate System 7.1 and 7.2 URLs