2. New in Red Hat Certificate System 7.2
Red Hat Certificate System 7.2 is a powerful public-key infrastructure (PKI) system containing the following new features:
- New silent installation script to ease installing and configuring multiple subsystem instances
- New security domain structure to organize and streamline communications between subsystems
- Enhanced cloning functionalities utilizing the new security domain organization
- Enhanced Red Hat Enterprise Security Client GUI and diagnostic and Phone Home functionality
- Multiple distinct packages rather than a single all-encompassing package
- A new standards-based architecture which more closely integrates Red Hat Certificate System with its base operating system
- Simplified browser-based HTML configuration panels for setting up subsystems
- Replaced Netscape Enterprise Server (NES) with Tomcat and Apache web servers
- Decoupled Red Hat Directory Server from Red Hat Certificate System
- Relocatable Red Hat Certificate System subsystem instances
- New supported server platform, Red Hat Enterprise Linux AS 4 (Intel 64-bit)
- New supported client platform, Apple Macintosh OS X 10.4.x (Tiger) (Power PC 32-bit)
Red Hat Certificate System 7.1 consisted of a single large package. Red Hat Certificate System 7.2 has been modularized into numerous smaller packages, which makes support easier because an individual package can be updated rather than the entire server. This has the additional advantage that changes can be tracked more easily through the operating system's package management database. For example, the 32-bit Red Hat Enterprise Linux 4 version of Certificate System consists of the following nine entry-point packages:
| Package Name | Package Description |
|---|---|
| rhpki-ca-7.2.0-1.noarch.rpm | Certificate Authority (CA) |
| rhpki-kra-7.2.0-1.noarch.rpm | Data Recovery Manager (DRM); also known as Key Recovery Authority (KRA) |
| rhpki-ocsp-7.2.0-1.noarch.rpm | Online Certificate Status Protocol (OCSP) Responder |
| rhpki-tks-7.2.0-1.noarch.rpm | Token Key Service (TKS) |
| rhpki-tps-7.2.0-1.i386.rpm | Token Processing System (TPS) |
| rhpki-console-7.2.0-1.noarch.rpm | PKI Console |
| rhpki-java-tools-7.2.0-1.noarch.rpm | Java™-based command-line tools |
| rhpki-native-tools-7.2.0-1.i386.rpm | Native command-line tools |
| esc-1.0.0-16.i386.rpm | Red Hat Enterprise Security Client |
Table 1. Packages in Red Hat Certificate System 7.2
The new modular architecture is based upon standards such as the Filesystem Hierarchy Standard (FHS) 2.3. This means that there is no longer an all-inclusive server root. Rather, the Red Hat Certificate System server functionality is distributed to the appropriate standard locations within the operating system. For example, 32-bit Red Hat Certificate System libraries are located under /usr/lib, binaries are located under /usr/bin, and Java™ archives (jars) are located under /usr/share/java.
In Red Hat Certificate System 7.1, the Java™-based tool startconsole was used to configure and manage any server instance of Red Hat Certificate System. In Red Hat Certificate System 7.2, an HTML-based configuration wizard is used to configure any new subsystem instance, while a utility called pkiconsole is used to manage existing instances. The HTML configuration panels are customized individually for each subsystem type.
Red Hat Certificate System 7.1 used Netscape Enterprise Server as an integrated web server for all of its HTTP/HTTPS transactions. Red Hat Fortitude provides a Network Security Services (NSS) module to the Apache HTTP Server 2.0 and a Java™ Security Services (JSS) plug-in to Tomcat 5.5. The legacy NES web server in CA, DRM, OCSP, and TKS subsystems has been replaced by Tomcat running Fortitude, and the legacy NES web server in TPS subsystems has been replaced by Apache running Fortitude.
Previously, Red Hat Directory Server was bundled and installed with Red Hat Certificate System. Red Hat Certificate System 7.2 still requires a Red Hat Directory Server 7.1 (SP 3) installation for each subsystem at configuration time, but this server must now be installed separately, before the Certificate System is installed.
The Red Hat Directory Server can be installed on a separate machine, which is the recommended scenario for most production deployments.
Red Hat Certificate System 7.2 creates and removes instances of CA, DRM, OCSP, TKS, and TPS through command-line utilities called pkicreate and pkiremove. The pkicreate utility allows an instance to be placed anywhere on the operating system, including a data partition that may be RAID-enabled. This allows true separation of the unique data of each Red Hat Certificate System instance from the shared Red Hat Certificate System libraries, executables, and jars, thus providing a better means of maintaining the security and integrity of a user's valuable data. Furthermore, a Red Hat Certificate System instance may only be removed by running pkiremove; removing the core Red Hat Certificate System packages has no effect on any Red Hat Certificate System instances installed on a given system.
The Red Hat Certificate System 7.2 server product is now available for 64-bit Red Hat Enterprise Linux 4 (AMD64 and Intel EM64T) platforms, as well as 32-bit Red Hat Enterprise Linux 4 (i386).
Red Hat Enterprise Security Client 1.0 is now available on Apple Macintosh OS X 10.4.x (Tiger), as well as Microsoft Windows XP Professional and 32-bit and 64-bit Red Hat Enterprise Linux 4. The TokenD implementation in the new Enterprise Security Client allows use of Red Hat Certificate System smart card technology to be integrated with Apple applications such as the Safari Web browser and Apple Mail.
The Red Hat Enterprise Security Client GUI has been completely revamped and standardized across all platforms. Enhanced diagnostic information has been added to the UI. New Phone Home configuration streamlines the communication between the TPS and Enterprise Security Client and simplifies the initial Enterprise Security Client configuration.