Configuring Key Archival and Recovery Process
Chapter 6 Data Recovery Manager 229
Step A. Deploy Clients That Can Generate Dual Key Pairs
You can use the Data Recovery Manager to archive and recover keys only from
clients that support dual key-pair generation, the key archival option, and the CMC
protocol. Clients that do not meet these criteria cannot be used with the Data
Recovery Manager. To understand why you need to use clients that can generate
dual key pairs, see “Clients That Can Generate Dual Key Pairs” on page 198. The
same section also points you to an introduction to Netscape Personal Security
Manager, which when plugged into Netscape Communicator version 4.7x enables
it to support the CMC protocol and generate dual key pairs.
Step B. Connect the Enrollment Authority and the Data Recovery Manager
Key archival occurs when dual key pairs are generated by the client. The client
generates the key pairs when a user requests a certificate by filling out the
appropriate certificate enrollment form served by an enrollment authority, which
can be either a Certificate Manager or a Registration Manager. When the
enrollment authority detects the key archival option in the request, it initiates the
key archival process and requests the service of the Data Recovery Manager for
archiving the key.
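The detection step described above, as an added example that is not part of this guide or of the CMS code: it assumes the key archival option reaches the enrollment authority as the CRMF PKIArchiveOptions control (RFC 4211, OID 1.3.6.1.5.5.7.5.1.4), and the requests it inspects are constructed inline with a minimal DER encoder rather than taken from a real client.

```python
PKI_ARCHIVE_OPTIONS_OID = "1.3.6.1.5.5.7.5.1.4"   # id-regCtrl-pkiArchiveOptions, RFC 4211

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    """One DER element: tag, length, content octets."""
    return bytes([tag]) + der_len(len(body)) + body

def oid_body(dotted):
    """Content octets of an OBJECT IDENTIFIER (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]; a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F)); a >>= 7
        out += reversed(chunk)
    return bytes(out)

def iter_tlv(data):
    """Yield (tag, content) for each DER element at one nesting level."""
    i = 0
    while i < len(data):
        tag, n = data[i], data[i + 1]; i += 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F; n = int.from_bytes(data[i:i + k], "big"); i += k
        yield tag, data[i:i + n]; i += n

def requests_key_archival(cert_request_der):
    """True if the CertRequest's controls carry PKIArchiveOptions. CertRequest ::= SEQUENCE
    { certReqId INTEGER, certTemplate CertTemplate, controls SEQUENCE OF AttributeTypeAndValue OPTIONAL }"""
    fields = list(iter_tlv(next(iter_tlv(cert_request_der))[1]))
    if len(fields) < 3:                                # controls field absent
        return False
    for _, atv in iter_tlv(fields[2][1]):              # AttributeTypeAndValue ::= SEQUENCE {type OID, value ANY}
        tag, body = next(iter_tlv(atv))
        if tag == 0x06 and body == oid_body(PKI_ARCHIVE_OPTIONS_OID):
            return True
    return False

def build_cert_request(with_archive):
    """Constructed sample CertRequest (certReqId 1, empty template), with or without the control."""
    body = tlv(0x02, b"\x01") + tlv(0x30, b"")
    if with_archive:                                   # value is a placeholder for the EncryptedKey choice
        atv = tlv(0x30, tlv(0x06, oid_body(PKI_ARCHIVE_OPTIONS_OID))
                        + tlv(0xA0, tlv(0x04, b"encrypted-key-placeholder")))
        body += tlv(0x30, atv)
    return tlv(0x30, body)
```

A request without the control is answered normally by the enrollment authority; only one that carries it triggers the call to the Data Recovery Manager.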
For the enrollment authority to be able to request the service of the Data Recovery
Manager, the two subsystems must be configured to recognize, trust, and
communicate with each other. When you installed the Certificate Manager, you
were asked if you wanted to connect it to a Data Recovery Manager. If you did,
some of the configuration was done at this time.
However, to ensure that key archival takes place successfully, you must make sure
that the Certificate Manager is connected to the Data Recovery Manager. Also
verify whether the enrollment authority has been set up as a privileged user, with
an appropriate SSL client authentication certificate, in the internal database of the
Data Recovery Manager. By default, the Certificate Manager uses its SSL server
certificate for SSL client authentication, whereas the Registration Manager uses its
signing certificate for this purpose.
If it has not been set up this way, follow the instructions in “Setting Up a Trusted
Manager” on page 331 and set up the enrollment authority as a trusted front end to
the Data Recovery Manager.
Step C. Customize the Certificate Enrollment Form
For the enrollment authority to automatically initiate the key archival process at
the time key pairs are generated, a certificate request must include the following
information: