PKI Console

Endi S. Dewata edited this page Mar 27, 2024 · 6 revisions

The Certificate System provides a Java GUI-based administration tool called the Console. It is used for administrative tasks such as managing users, maintaining the PKI subsystems (all except TPS), performing a subsystem's daily operational and managerial duties, and configuring the server.

Installation

To install PKI console:

$ dnf install pki-console

NSS Database

The PKI console uses an NSS database located in the following directory:

  • Fedora: ~/.dogtag-idm-console

  • RHEL: ~/.redhat-idm-console

If the database does not exist, the console creates it automatically when it starts.

To create a new NSS database manually:

$ pki -d ~/.dogtag-idm-console client-init

Authentication

Username and Password

To authenticate using a username and password, make sure the subsystem's CS.cfg is configured as follows:

authType=pwd

By default the server is configured to use username and password authentication.

Client Certificate

To authenticate using a client certificate, make sure the subsystem's CS.cfg is configured as follows:

authType=sslclientauth

Import the subsystem admin certificate (the PKCS #12 file generated when the subsystem was installed) into the NSS database, for example:

$ pki -d ~/.dogtag-idm-console client-cert-import \
  --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
  --pkcs12-password Secret.123

Secret.123 is the example PKCS #12 password. A password given on the command line is recorded in the shell history and visible to other users in the process list, so prefer the command's password-file option where the installed pki CLI provides one.

Starting PKI Console

To start PKI console:

$ pkiconsole https://pki.example.com:8443/<subsystem>

Supported subsystems are: ca, kra, ocsp, tks.
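The installation, NSS database and start-up steps above, combined into one POSIX sh launcher. This is an added example, not a script shipped with Dogtag PKI: it assumes pki (pki-tools) and pkiconsole (pki-console) are on PATH, that pki client-cert-import accepts a --pkcs12-password-file option (verify with pki client-cert-import --help on your version), and uses the hostname pki.example.com and port 8443 from this page as defaults. PKI_NSS_DB is a hypothetical environment variable introduced by this script to override the database location.

```shell
#!/bin/sh
# pkiconsole-launch.sh: prepare the console NSS database, import the admin
# certificate, and start pkiconsole against a supported subsystem.
# Added example; not part of the Dogtag project. Assumes `pki` and
# `pkiconsole` are on PATH.
#
# Usage: pkiconsole-launch.sh <subsystem> [host] [port] [admin.p12] [p12-password-file]
# With no arguments the script only defines its functions (so it can be sourced).

SUPPORTED_SUBSYSTEMS="ca kra ocsp tks"   # TPS is not managed by the console

# Print the NSS database directory the console uses on this distribution.
# $1 may be the ID from /etc/os-release; if empty, /etc/os-release is read.
# Returns 1 for a distribution this page does not document.
nss_db_dir() {
    id="$1"
    if [ -z "$id" ] && [ -r /etc/os-release ]; then
        id=$(. /etc/os-release; printf '%s' "$ID")
    fi
    case "$id" in
        fedora) printf '%s' "$HOME/.dogtag-idm-console" ;;
        rhel)   printf '%s' "$HOME/.redhat-idm-console" ;;
        *)      return 1 ;;
    esac
}

# Return 0 if $1 is one of the subsystems the console supports.
is_supported_subsystem() {
    for s in $SUPPORTED_SUBSYSTEMS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Print the console URL https://<host>:<port>/<subsystem>; a typo such as
# "tps" fails here instead of producing an unhelpful GUI error later.
console_url() {
    host="$1"; port="$2"; subsystem="$3"
    is_supported_subsystem "$subsystem" || return 1
    printf 'https://%s:%s/%s' "$host" "$port" "$subsystem"
}

# Create the NSS database if the directory is missing (pki client-init), then
# import the admin certificate when a PKCS #12 file is given. The password is
# read from a file (assumed --pkcs12-password-file option) so it never appears
# in the process list or shell history.
prepare_nss_db() {
    db="$1"; p12="$2"; p12_pwfile="$3"
    if [ ! -d "$db" ]; then
        pki -d "$db" client-init || return 1
    fi
    if [ -n "$p12" ]; then
        pki -d "$db" client-cert-import \
            --pkcs12 "$p12" \
            --pkcs12-password-file "$p12_pwfile" || return 1
    fi
}

main() {
    subsystem="$1"; host="${2:-pki.example.com}"; port="${3:-8443}"
    p12="${4:-}"; p12_pwfile="${5:-}"

    url=$(console_url "$host" "$port" "$subsystem") || {
        echo "unsupported subsystem '$subsystem' (use one of: $SUPPORTED_SUBSYSTEMS)" >&2
        exit 2
    }
    if [ -n "${PKI_NSS_DB:-}" ]; then
        db="$PKI_NSS_DB"
    else
        db=$(nss_db_dir) || {
            echo "unknown distribution; set PKI_NSS_DB to the console NSS database" >&2
            exit 2
        }
    fi
    prepare_nss_db "$db" "$p12" "$p12_pwfile" || exit 1
    # The access banner prompt (if enabled) is answered on this terminal.
    exec pkiconsole "$url"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as pkiconsole-launch.sh ca pki.example.com 8443 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 ~/.p12pass from a terminal, since the access banner prompt needs one; the password file should be readable only by you (chmod 600).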

If the access banner is enabled on the server, it is displayed and must be accepted before the console starts, for example:

$ pkiconsole https://pki.example.com:8443/ca
WARNING!
Access to this service is restricted to those individuals with
specific permissions. Any attempts to gain access, authorized
or not, and all operations that follow, are audited and could
be used against you in the court of law.

Do you want to proceed (y/N)? y

See also Access Banner.

PKI Console Features

Session Timeout

Prior to PKI 10.4 the PKI Console had no session timeout.

Since PKI 10.4 the session timeout can be configured with the following parameter in /var/lib/pki/pki-tomcat/conf/server.xml:

<Server>
    <Service>

        <Connector name="Secure"
            ...
            keepAliveTimeout="300000"
            ...
            />

    </Service>
</Server>

The default value is 300000 ms (5 minutes).

See also Tomcat User Guide.

Gnome Launcher

Create /usr/share/applications/pkiconsole.desktop (adjust the URL in Exec= to the subsystem you manage; Terminal=true is required so that the access banner prompt can be answered):

[Desktop Entry]
Name=PKI Console
Comment=Manage PKI Server
Exec=/usr/bin/pkiconsole https://pki.example.com:8443/ca
Icon=pki
Terminal=true
Type=Application
Categories=RemoteAccess

Troubleshooting

Main options

$ pkiconsole -h
Usage: pkiconsole <URL> [OPTIONS..]

 -f <file>      Capture stderr and stdout to file.
 -D <options>   Debug options.
 -x <options>   Extra options (javalaf, nowinpos, nologo).
 -h,--help      Show help message.

Example: pkiconsole https://hostname:8443/ca

Debug options

$ pkiconsole -D "?"

-D option format: -D [<type1,type2,...>][:<flag1,flag2,...]
Predefined Debug Types:
n		Debug level  0<=n<=9, 0 = min info, 9 = max info
ldap		LDAP Calls
jss		JSS Calls
http		HTTP Calls
memgc		Garbage Collection
rsptime		Response Time
nojars		no jar files - for debuggers
Debug Flags:
idx		Enumerate debug entries
lvl		Show debug level for debug entries
ts		Time stamp debug entries, format Hour:Minute:Second.Milliseconds
cls		Show caller short mode: (file:line)
clf		ShowCaller full mode: package.metod(file:line)
all		Shortcut for enabling idx,lvl,ts,cls
cs		Print call stack for each debug entry
on<list>	Show only entries that contain strings in the filter <list>
off<list>	Do not show entries that contain strings in the filter <list>
		on/off filter <list> list has the format
		  X<string1>[X<string2>X<string3>...]
		where X is the list entry separator character.
Examples:
		-D 9:all
		-D ldap,http:idx
		-D ":cls,on@HttpChannel,off@send>"
