000025250 - How to change CA and RA ownership in RSA Keon

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025250
Applies To: Keon Registration Authority, Keon Certificate Authority, Sun Solaris 2.9
Issue: How to change CA and RA ownership in RSA Keon

Resolution: The files can be owned by any user, as long as the user who starts the product can access the product's files. UNIX customers typically have root start the product so that it can bind to the "privileged" ports. It's not clear if Sun Solaris has a facility to let non-root users bind to those ports. Apache can be configured to be started by root so that it binds to the ports and then switches to a different user for the daemon process. RSA's other servers cannot do that.

Changing ownership is just a matter of changing the file permissions and the user:group that each server runs as. The services should also be started by that same user. Two users are related to the CA files: the CA user and the Webserver user. The first is typically root (the user that installed the files), which runs the CA. The second is the user/group that was specified during installation for the webservers to run as (typically a single user, nobody/nogroup, for the webservers).

To change your installation, perform a backup, then perform the following steps:

1. Change all permissions and subdirectory permissions on the RSA CM folder to the desired user:group that runs CA

2. If desired, edit any server configuration files (e.g. the WebServer config) so that the Webserver runs as the new user:group

3. Change all permissions and subdirectory permissions on the WebServer and LogServer directories to the desired user:group that runs Webserver

4. Also, if you are using nCipher, you will need to add the CA user to the machine's nFast group
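
One way to script steps 1 and 3, audit the result, and check the step 4 group membership (an added example, not RSA's own code). The directory paths and account names are hypothetical placeholders, the `nfast` group name is an assumption, and step 2 remains a manual edit:

```shell
#!/bin/sh
# Added example, not RSA's own script. All paths and account names below
# are hypothetical placeholders; substitute your installation's values.
CA_DIR=${CA_DIR:-/path/to/RSA_CM}
WEB_DIRS=${WEB_DIRS:-"/path/to/WebServer /path/to/LogServer"}
CA_USER=${CA_USER:-causer};    CA_GROUP=${CA_GROUP:-cagroup}
WEB_USER=${WEB_USER:-webuser}; WEB_GROUP=${WEB_GROUP:-webgroup}
HSM_GROUP=${HSM_GROUP:-nfast}  # assumed name of the nCipher group

# list_mismatched DIR USER GROUP
# Print every entry under DIR whose owner or group is not the expected one.
# USER and GROUP may be names or numeric IDs.
list_mismatched() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# count_mismatched DIR USER GROUP: how many entries list_mismatched reports.
count_mismatched() {
    list_mismatched "$1" "$2" "$3" | wc -l | tr -d ' '
}

# in_group USER GROUP: succeed if USER is a member of GROUP (uses POSIX id).
in_group() {
    id -Gn "$1" | tr ' ' '\n' | grep -qx "$2"
}

# Run as root after taking a backup:  sh reown.sh --apply
if [ "${1:-}" = "--apply" ]; then
    chown -R "$CA_USER:$CA_GROUP" "$CA_DIR" || exit 1        # step 1
    for d in $WEB_DIRS; do
        chown -R "$WEB_USER:$WEB_GROUP" "$d" || exit 1        # step 3
    done
    # Audit: anything still owned by an unexpected account is counted.
    bad=$(count_mismatched "$CA_DIR" "$CA_USER" "$CA_GROUP")
    for d in $WEB_DIRS; do
        bad=$((bad + $(count_mismatched "$d" "$WEB_USER" "$WEB_GROUP")))
    done
    echo "entries with unexpected owner or group: $bad"
    in_group "$CA_USER" "$HSM_GROUP" ||
        echo "note: $CA_USER is not in $HSM_GROUP (step 4, nCipher only)"
    [ "$bad" -eq 0 ]
fi
```

Without `--apply` the script only defines the functions, so `list_mismatched` can be run on its own to review current ownership before anything is changed.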

Legacy Article ID: a28182
