manualshive.com logo in svg

Netscape Certificate Management System 6.2, Administrator'S Manual

Share
Download
Netscape Certificate Management System 6.2 Administrator'S Manual Download Page 354

ACL Reference

354

Netscape Certificate Management System Administrator’s Guide • June 2003

allow (modify) group="Administrators"

Administrators, auditors, and agents are allowed to read CA configuration; only 
administrators are allowed to modify CA configuration. 

certServer.ca.connector

Allow or deny a submit operation for a connection to the CA. 

Operations

Default ACIs

allow (submit) group="Trusted Managers"

Trusted Manager can submit requests to this interface. 

certServer.ca.clone

Allow or deny a submit operation for a connection to the CA by a cloned CA. 

Operations

Default ACIs

allow (submit) group="Certificate Manager Agents" 

Trusted Manager can submit requests to this interface. 

certServer.ca.crl

Allow or deny a read or update operation for CRLs in the agent services interface. 

submit

Submitting requests from remote trusted managers.

submit

Submitting information about a revoked certificate from a cloned 
CA. 

Summary of Contents for Certificate Management System 6.2

Page 1: ...Administrator s Guide Netscape Certificate Management System Version6 2 June 2003...

Page 2: ...CUMENTATION INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS PROFITS USE OR DATA The Software and documentation are copyright 2001 Sun Microsystems Inc Portions copyright 1999 2003 20...

Page 3: ...er 1 Overview 31 Features 31 Subsystems 31 Certificate Manager Flexibility and Scalability 32 Interfaces 33 Logging 34 Auditing 34 Self Tests 34 Authorization 34 Authentication 35 Certificate Issuance...

Page 4: ...Recovery Manager 55 Certificate Manager Data Recovery Manager and Registration Manager 57 Cloned Certificate Manager 58 System Architecture 59 CMS Component 60 HTTP Engine 61 Service Interfaces 62 JS...

Page 5: ...118 Changing Subsystem Security Setting 118 Changing Passwords or Storage Settings 119 Configuring Logs 119 Changing Internal Database Settings 119 Configuring Self Test 119 Setting Up a Mail Server 1...

Page 6: ...Setting 153 Changing Passwords or Storage Settings 153 Configuring Logs 154 Changing Internal Database Settings 154 Configuring Self Test 154 Setting Up a Mail Server 154 Setting Up Authentication 15...

Page 7: ...the CA to the OCSP Responder 191 Configure the Revocation Info Stores 193 Testing Your OCSP Setup 195 Chapter 6 Data Recovery Manager 197 PKI Setup for Key Archival and Recovery 197 Clients That Can G...

Page 8: ...Restarting a Server Instance 254 Subsystem Configuration Overview 255 Configuring Multiple CMS Instances 255 Removing an Instance From a System 256 Mail Server 257 Configuration Files 257 Locating the...

Page 9: ...al Token 314 External Token 314 Managing Tokens Used by the Subsystems 317 Hardware Cryptographic Accelerators 318 Configuring the Server s Security Preferences 318 Configuring the Server to Use Separ...

Page 10: ...r ca connector 354 certServer ca clone 354 certServer ca crl 354 certServer ca directory 355 certServer ca group 355 certServer ca ocsp 355 certServer ca profiles 356 certServer ca profile 356 certSer...

Page 11: ...sp configuration 370 certServer ocsp crl 371 certServer policy configuration 371 certServer profile configuration 372 certServer publisher configuration 373 certServer ra configuration 373 certServer...

Page 12: ...ted CEP Enrollment 413 Setting Up Publishing of CEP Certificates and CRLs 417 Certificate Issuance to Routers or VPN Clients 419 Example 421 Testing Your Enrollment Setup 423 Managing Authentication P...

Page 13: ...Default 469 User Supplied Key Default 469 User Signing Algorithm Default 470 User Supplied Subject Name Default 470 User Supplied Validity Default 470 Validity Default 471 Constraints Reference 471 Ba...

Page 14: ...04 ValidityConstraints 506 Extension Specific Policy Module Reference 508 AuthInfoAccessExt 508 AuthorityKeyIdentifierExt 511 BasicConstraintsExt 512 CertificatePoliciesExt 514 CertificateRenewalWindo...

Page 15: ...uler 578 Setting Up Specific Jobs 579 Enabling and Configuring Specific Jobs Using the CMS Console 580 Enabling Configuring Specific Jobs By Editing the Configuration File 581 Configuration Parameters...

Page 16: ...616 About Publishers 617 About Mappers 617 About Rules 617 About Publishing to Files 618 About LDAP Publishing 618 About OCSP Publishing 619 How Publishing Works 619 Setting Up Publishing 620 Publish...

Page 17: ...ng the Online Certificate Status Manager 684 Preparing to Clone the Online Certificate Status Manager 685 Cloning the OCSP Responder 686 Testing the OCSP Cloned Master Connection 690 Cloned Master OCS...

Page 18: ...Setup of Common Criteria Evaluated Netscape CMS 718 CMS Common Criteria Environment Setup and Installation Process 718 Appendix C Understanding the Common Criteria Evaluated CMS Setup 721 Understandin...

Page 19: ...IT security objectives for the environment 735 1 3 Security Objectives for both the TOE and the Environment 735 Appendix E Common Criteria Environment TOE Security Environment Assumptions 739 1 1 Secu...

Page 20: ...stration of Object Identifiers 779 Appendix I Distinguished Names 781 What Is a Distinguished Name 781 Distinguished Name Components 782 DNs in Certificate Management System 784 Extending Attribute Su...

Page 21: ...pendix K Introduction to SSL 829 The SSL Protocol 829 Ciphers Used with SSL 831 Cipher Suites With RSA Key Exchange 832 Fortezza Cipher Suites 834 The SSL Handshake 836 Server Authentication 838 Man i...

Page 22: ...22 Netscape Certificate Management System Administrator s Guide June 2003...

Page 23: ...routers This preface has the following sections Who Should Read This Guide What You Should Know What s in This Guide Conventions Used in This Guide Documentation Who Should Read This Guide This guide...

Page 24: ...Console You are familiar with the basic concepts of public key cryptography and the Secure Sockets Layer SSL protocol including the following SSL cipher suites The purpose of and major steps in the S...

Page 25: ...stems including working in the administrative interface starting and stopping the server working with logs working with self test managing the database and managing the certificate database Chapter 8...

Page 26: ...up CMS in the Common Criteria Environment Appendix C Understanding the Common Criteria Evaluated CMS Setup Provides information about running CMS in the Common Criteria Environment Appendix F Certific...

Page 27: ...e Rotation frequency From the drop down list select the interval at which the server should rotate the active error log file The available choices are Hourly Daily Weekly Monthly and Yearly The defaul...

Page 28: ...CMS Administrator s Guide this guide Describes how to plan for install and administer CMS CMS Command Line Tools Guide Provides detailed reference information on CMS tools CMS Customization Guide Exam...

Page 29: ...led reference information on customizing the HTML based agent and end entity interfaces CMS Agent s Guide Provides detailed reference information on CMS agent interfaces To access this information fro...

Page 30: ...Documentation 30 Netscape Certificate Management System Administrator s Guide June 2003...

Page 31: ...obust scalable and high performance certificate management solution for your public key infrastructure PKI extranets and intranets This chapter contains the following sections Features How Certificate...

Page 32: ...to provide flexibility in your PKI Features include support for multiple registration authorities tied to a single CA the ability to act as a root or subordinate CA high availability cloning to allow...

Page 33: ...inate CAs you can create clones of a Certificate Manager and configure each clone to issue certificates that fall within a distinct range of serial numbers Because cloned CAs and master CAs use the sa...

Page 34: ...who is the only user who can view the audit logs This user s certificate is used to sign and encrypt the logs See Signed Audit Log on page 275 for complete details Self Tests CMS provides the framewor...

Page 35: ...icates that conform to X 509 version 3 standard The Certificate Manager can issue certificates with the following characteristics Certificates that are X 509 version 3 compliant Unicode support for ce...

Page 36: ...ils CRLs CMS is capable of creating certificate revocation lists This configurable framework allows you to define issuing points so a CRL can be created for each issuing point defined You can issue CR...

Page 37: ...encrypting mail messages and other data To support separate key pairs for signing and encrypting data CMS supports generation of dual certificates for end entities capable of generating dual key pair...

Page 38: ...pports multiple message formats such as KEYGEN SPAC CRMF CMMF CRS CEP SCEP and PKCS 10 and CMC for certificate requests All requests are delivered to CMS over HTTP or HTTPS in the case of CRS CEP SCEP...

Page 39: ...a flexible scalable system for issuing renewing and publishing certificates creating and publishing CRLs and providing key storage and retrieval capabilities CMS Basics CMS is installed on each host r...

Page 40: ...stems have an agent interface specific to that subsystem allowing agents to perform the tasks assigned to them A Certificate Manager and a Registration Manager have an end entity services interface al...

Page 41: ...allowing you to select logging levels as well as what is logged You can also create custom logs so that events can be separated by the categories you choose See Logs on page 261 for complete details A...

Page 42: ...al kind of administrator who is able to run the basic operations of the subsystem but is not able to configure any of the features See Chapter 8 Authorization for complete details Self Tests CMS conta...

Page 43: ...is called Federal Bridge Certificate Authority FBCA This feature allows you to trust certificates issued by a CA outside of your PKI that shares a cross signed certificate with the CA in your PKI Cer...

Page 44: ...RLs that contain only the revoked certificates since the last CRL was produced See Chapter 14 Revocation and CRLs for complete details How the Certificate Manager Works This sections details the proce...

Page 45: ...r and then continues processing the request The Certificate Manager next evaluates the request to ensure that it meets either the policies set for this type of certificate or the certificate profile s...

Page 46: ...f publishing is set up a certificate is published to the correct location s whenever a certificate is issued See Chapter 15 Publishing for complete details Key Archival If you install a Data Recovery...

Page 47: ...hed You can also provide delta CRLs allowing you to publish a list of only those certificates have been revoked since a certain date See Chapter 14 Revocation and CRLs for complete details About the R...

Page 48: ...ticates against the authentication method set up See the Netscape Certificate Management System Customization Guide for details about customizing the end entity interface Authentication Methods CMS pr...

Page 49: ...method and certificate type to a set of constraints and certificate content and values for that content It allows you to configure a single module for a type of certificate that binds to an authentic...

Page 50: ...part of the enrollment and stored in the Data Recover Manager See Chapter 6 Data Recovery Manager for complete details Storing Certificate Requests and Certificates When it issues a certificate the Ce...

Page 51: ...ate encryption key The key is then stored in the Data Recovery Manager The Data Recovery Manager is configured to store keys in an encrypted format that can only be decrypted by several agents request...

Page 52: ...ification of certificates Note that an online certificate validation authority is often referred to as an OCSP responder The Online Certificate Status Manager can receive CRLs from multiple Certificat...

Page 53: ...d a publishing directory The Certificate Manager can publish both end entity certificates and CRLs to a directory Certificate Manager and Registration Manager Figure 1 2 shows a Registration Manager a...

Page 54: ...work in different geographic locations Each group of end entities interacts with a designated Registration Manager that processes requests from end entities and sends them to a Certificate Manager Th...

Page 55: ...that the Registration Manager is intended to serve and the physical location of the Certificate Manager agent Registration Manager agent and other persons responsible for administering the Certificat...

Page 56: ...g the location of a Data Recovery Manager be sure to look into firewall considerations the physical security required for each subsystem and the physical location of the Certificate Manager agent Data...

Page 57: ...s Figure 1 4 illustrates some of the issues involved in deploying all three subsystems by showing the relationships among a single Certificate Manager a single Registration Manager and a single Data R...

Page 58: ...ertificate Manager or the Certificate Manager might also handle some end entity interactions It s also possible to set up both Certificate Managers and Registration Managers such that each has a hiera...

Page 59: ...lone and confirm that you want to reuse the CA s signing key and certificate if the clone is on the same server you can also reuse the SSL server certificate If you store the CA key material on a hard...

Page 60: ...CMS is a set of pure Java classes This component provides a secure application platform where subsystems CA RA DRM and OCSP can be tightly integrated with a PKI infrastructure Depending on the install...

Page 61: ...ded Event listeners where event listeners can be extended Publishing where publisher and its mapper can be extended Logging includes signed audit logs where logging mechanism can be extended Self test...

Page 62: ...rstands the protocol provided by the CMS Administration Interface Service Interfaces Each of the subsystems contains interfaces allowing interaction with various portions of the subsystem All four sub...

Page 63: ...mmands coming from the administrative entry point Based on the information given at each command the administration servlets allow administrators to perform administrative tasks and configure plug in...

Page 64: ...software devices intended for such purposes One or more PKCS 11 modules must be available to any CMS subsystem instance As shown in the figure a PKCS 11 module also called a cryptographic module or cr...

Page 65: ...tions and communication with the certX db and keyX db files Any PKCS 11 module can be used with CMS The server uses a file called secmod db to keep track of the modules that are available You can modi...

Page 66: ...database while user and group entries are stored in another subtree Except for the creation of a new CMS instances functionalities provided by this component are not fully utilized by CMS Note that a...

Page 67: ...cifies how a device communicates with a CA including how to retrieve the CA s public key how to enroll a device with the CA and how to retrieve a CRL CEP uses PKCS 7 and PKCS 10 Certificate Request Me...

Page 68: ...port Protocol HTTP and Hypertext Transport Protocol Secure HTTPS Protocols used to communicate with web servers KEYGEN tag An HTML tag supported by Netscape browsers that generates a key pair for use...

Page 69: ...v1 v3 Digital certificate formats recommended by the International Telecommunications Union ITU Secure Sockets Layer SSL 2 0 3 0 A set of rules governing server authentication client authentication a...

Page 70: ...Support for Open Standards 70 Netscape Certificate Management System Administrator s Guide June 2003...

Page 71: ...an access its end entity interface agent services interface and its administrative interface and further configure the instance to match the needs of your PKI Note To install Netscape CMS and configur...

Page 72: ...instructions on installing CMS 2 Configure each subsystem that will be running on each host CMS provides an installation wizard for configuring an instance of each of the subsystems Complete instructi...

Page 73: ...nce installation is complete you can use Netscape Console to view all your server settings make changes to those settings and configure CMS instances See The Administrative Interface on page 242 about...

Page 74: ...iguration directory and the administration server The port for the administration server is the port used to log into Netscape Console Port numbers can be any number from 1 to 65535 Keep the following...

Page 75: ...nobody account Also you should create a common group for the directory server files again you must not use the nobody group The user and group under which you will run Administration Server For insta...

Page 76: ...This is the user ID and password you will use to log into Netscape Console Administration Server User and password You are prompted for this only during custom installations The Administration Server...

Page 77: ...uration directory Normally you will not store users in this configuration directory You only use this configuration directory to store configuration settings for the Administration Server that allow y...

Page 78: ...___________________ Directory Server Port Number ______________________________________ Directory server identifier myhost ______________________________________ Netscape configuration directory serve...

Page 79: ...setup The setup command has the following options The installation program launches The installation program will prompt you for series of configuration settings detailed in the following steps 4 Woul...

Page 80: ...11 Specify the components you wish to install 1 2 Press Enter to accept the default components 12 Specify the components you wish to install 1 2 Press Enter to accept the default components 13 Specif...

Page 81: ...ter a unique identifier for the new instance of Directory Server If you are using an existing configuration directory enter its identifier 21 Netscape configuration directory server administrator ID a...

Page 82: ...rectory and creates and starts instances of the Administration Server and Directory Server For specifics on installing each subsystem see Installing a Certificate Manager as a Root CA on page 94 Insta...

Page 83: ...containing the installed software 3 Type the following command uninstall 4 Specify the components you wish to uninstall All Accept the default value 5 Specify the components you wish to uninstall 1 2...

Page 84: ...Uninstalling CMS 84 Netscape Certificate Management System Administrator s Guide June 2003...

Page 85: ...allation instructions an overview of the Certificate Manager processes including information on configuring those processes information about FBCA and details on configuring a cloned CA This chapter c...

Page 86: ...issue certificates is issued by another CA The CA that issued the subordinate CA signing certificate controls the CA through the contents of the CA signing certificate The CA can constrain the subordi...

Page 87: ...cy and certificate profile configuration it is completely unaware of its parents set up for these configurations A Certificate Manager cannot issue a certificate that has a validity period longer than...

Page 88: ...d for the certificate is two years The subject name of the CA signing certificate reflects the name of your certificate authority CA as specified during the installation All certificates signed or iss...

Page 89: ...certificate The first time you generated this certificate is when you installed the Certificate Manager The default nickname for the certificate is Server Cert cert instance_id where instance_id ident...

Page 90: ...egistration Managers or Data Recovery Managers are configured any Certificate Manager must have its own distinguished name DN which is listed in every certificate it issues Like any other X 509 versio...

Page 91: ...igning key pair For more information about the way they are used see the following document http www itl nist gov div897 pubs fip186 htm In general longer keys are considered to be cryptographically s...

Page 92: ...e status change the details reject or approve certificate and revocation requests revoke certificates and approve and configure certificate profiles The agent s services interface is an HTML interface...

Page 93: ...mation in a separate internal database for each subsystem or use one internal database for all subsystems installed on the host It s recommended that you do not use this Directory Server instance for...

Page 94: ...then either click Open or double click this instance The Installation Wizard launches 3 Installation Wizard Introduction Click Next to continue 4 Logon Token Choose either internal if you plan to use...

Page 95: ...te Manager Click Next to continue 8 Remote Data Recovery Manager Select the appropriate options Select No if you don t want to connect the Certificate Manager to a remote Data Recovery Manager Select...

Page 96: ...ir Information for Certificate Manager CA Signing Certificate Token Enter either internal if you plan to use the internal software token or the name of an external token to store the Certificate Manag...

Page 97: ...n page 90 for more information Click Next to continue 17 Certificate Extensions for Certificate Manager CA Signing Certificate Select the required extensions The default settings should work for most...

Page 98: ...must be in increments of 64 bits only See Signing Key Type and Length on page 91 for more information Click Next to continue 21 Message Digest Algorithm Select the algorithm to use for computing the c...

Page 99: ...to create the first agent user for the Certificate Manager See Agent Certificates on page 335 for details Installing a Certificate Manager as a Subordinate CA To install the Certificate Manager as a...

Page 100: ...ming more than one role Deselect if you want to restrict users from being able to belong to more than one role This setting only applies to the default administrator agent auditor and trusted manager...

Page 101: ...the CMS instance See Certificate Manager Interfaces on page 91 for more information Click Next to continue 12 CA Signing Certificate Select the Create subordinate CA certificate request option Click...

Page 102: ...extensions The default settings should work for most deployments If necessary you can add an additional extension by pasting its base 64 encoding in the space provided on this screen CMS provides com...

Page 103: ...t to submit the request The Certificate Request Result screen appears confirming that the request has been submitted Note the request ID provided in the response message You can use it later to retrie...

Page 104: ...stname 17006 to bring up the Certificate Manager page for end entities III Click Manual Certificate Manager Signing Certificate Enrollment In the resulting form choose the request type from the pull d...

Page 105: ...ther the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA s signing certificate II Submit your certificate request to a third party C...

Page 106: ...ormational screen that shows the certificate so you can inspect its contents Notice the nickname assigned to the certificate and verify that you re installing the correct certificate Click Next to con...

Page 107: ...the certificate signature The choices are SHA 1 MD2 or MD5 Click Next to continue 27 Subject Name for SSL Server Certificate Type the values for the subject DN components these values identify the sub...

Page 108: ...ly submit the request to a remote Certificate Manager or for automatic enrollment follow these steps I Select the Send the request to a remote CMS now option II Enter the host name and end entity port...

Page 109: ...ollow these steps I Open a web browser window II Go to the end entity URL for the remote Certificate Manager that will issue the subordinate CA s SSL server certificate For example if you assigned the...

Page 110: ...form select the appropriate action VI After the certificate is generated click Show Certificate VII When the certificate is displayed scroll down to the base 64 encoded version of the certificate hig...

Page 111: ...icate screen appears Step 32 If you selected No you will be presented with the Create Single Sign on Password screen Step 35 32 Location of Certificate Specify the location of the certificate You can...

Page 112: ...certificate chain in its base 64 encoded format to the clipboard e Return to the Installation Wizard f Paste the certificate chain into the text box Click Next to continue 35 Single Sign on Summary C...

Page 113: ...n or cannot be performed by a user group or IP address for that particular ACL You can change the default ACIs set up in the ACLs to change the privileges of a user group or IP address You can also cr...

Page 114: ...a Certificate Wizard that allows you to create additional certificates or to renew or replace a certificate for the Certificate Manager See Certificate Setup Wizard on page 296 for details of using th...

Page 115: ...ons a Log in to the CMS console see Logging Into the CMS Console on page 245 b Select the Configuration tab and then select the Encryption tab c Click Certificate Setup Wizard to launch the wizard d S...

Page 116: ...ng_algorithm ca crl_signing tokenname token_name Where For example your edited entries might look like this ca crl_signing cacertnickname crlSigningCert cert demoCA ca crl_signing defaultSigningAlgori...

Page 117: ...a publishing directory the Certificate Manager also uses its SSL server certificate for SSL client authentication to the publishing directory This is the default configuration You can configure the Ce...

Page 118: ...t the transition from an old CA certificate to a new one You should begin planning for CA renewal or reissuance before you install any CMS managers consider any ramifications your planned procedures m...

Page 119: ...ion about the logs and details of the configuration options for logs Changing Internal Database Settings You can change the configuration of the internal database after installation including restrict...

Page 120: ...CA receives a request with validity period extending beyond that of its CA signing certificate it automatically truncates the validity period to end on the day the CA signing certificate expires Valid...

Page 121: ...y generated with the content being determined by the inputs you set for a particular certificate profile You can even set up the same method of authentication and associated more than one form with it...

Page 122: ...therwise you can customize the form as you like If you are using the certificate profile feature the forms are dynamically generated using the inputs you specify for a certificate profile The authenti...

Page 123: ...be configured to collect other information about an end entity from an LDAP directory and place that information in the certificate A default set of policies is created Some of these are enabled and s...

Page 124: ...te is issued following the constraints and extensions set in that certificate profile For detailed information see Chapter 10 Certificate Profiles Configuring Publishing You can publish certificates a...

Page 125: ...ications The notification feature that allows you to send automated notifications is disabled after installation You can set up three types of automatic notifications Certificate Issuance An email is...

Page 126: ...and Publishing of certificates and CRLs to help you better understand what configuration you will need to perform for your PKI Enrollment An end entity can enroll in your PKI by submitting an enrollme...

Page 127: ...ication or NIS based authentication The request may be submitted using an agent approved enrollment process or an automated process The agent approved process which involves no end entity authenticati...

Page 128: ...issued The certificate is delivered to the end entity In automated for example directory based enrollment the certificate is delivered to the user immediately Normally the enrollment is via HTML page...

Page 129: ...ate is revoked When an end entity makes the request they are asked to present their certificate If they have the certificate and the key materials the request is processed and sent to the Certificate...

Page 130: ...predicate value and then set up any other necessary policies for this kind of certificate You would then associate an end entity enrollment page customized to enroll for cross pair certificates provid...

Page 131: ...try This is set to crossCertificatePair binary See Chapter 15 Publishing for more information about publishing Cloning a CA Cloning a Certificate Manager is the process of creating two server processe...

Page 132: ...abases See Appendix Configuring CMS for High Availability for information on how to set up cloned instances replication between the cloned certificate databases If you enable the OCSP service feature...

Page 133: ...ployment Considerations Installing a Registration Manager Configuring a Registration Manager How a Registration Manager Works Registration Manager Deployment Considerations This section describes the...

Page 134: ...l has a certificate identified as the Registration Manager signing certificate whose public key corresponds to the private key the Registration Manager uses to authenticate itself to the Certificate M...

Page 135: ...ors using the Java based CMS Console GUI application An Agent Services interface that is accessible by default only to members of the Registration Manager Agent group Agents are users who can perform...

Page 136: ...e Each Registration Manager instance contains an internal database that stores certificates certificate requests and the like During installation you set up this database by either choosing to create...

Page 137: ...th to 4096 bits for certificates that provide access to highly sensitive data or services However the question of key length has no simple answers Every organization must make its own decision based o...

Page 138: ...or who can access the CMS window and control all CMS settings Allow Multiple Roles for Users Select if you want to allow users to belong to more than one group thus assuming more than one role Deselec...

Page 139: ...ts only See Signing Key Type and Length on page 136 for more information Click Next to continue 12 Message Digest Algorithm Select the algorithm to use for computing the certificate signature The choi...

Page 140: ...uest in PKCS 10 format select the Generate PKCS10 request option If you want the wizard to generate the certificate request in CMC format select the Generate CMC full enrollment request option This op...

Page 141: ...te is displayed scroll down to the base 64 encoded version of the certificate highlight all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be s...

Page 142: ...nager Note that you must be a designated CMS administrator as well as an agent for this option to work correctly X Type a user ID for the new Registration Manager This user ID can be the same that you...

Page 143: ...ith the configuration and resume after you receive the certificate The default selection is No Select Yes if you have the certificate ready in its base 64 encoded format Click Next to continue If you...

Page 144: ...rver option and then click Submit d In the resulting page locate the CA certificate chain in its base 64 encoded format and copy the certificate chain to the clipboard e Return to the Installation Wiz...

Page 145: ...given the choice to select the format for the certificate request Otherwise the request format will be PKCS 10 If you want the wizard to generate the certificate request in PKCS 10 format select the...

Page 146: ...is displayed scroll down to the base 64 encoded version of the certificate highlight all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be sur...

Page 147: ...nd issue the certificate To approve the request do the following In the web browser window enter the URL for the Certificate Manager s Agent Services page You must have a valid agent s certificate Sel...

Page 148: ...zard screen click Yes or No Select No if you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait days or...

Page 149: ...e from which you requested the singing certificate Follow these steps to import the remote Certificate Manager s CA chain a Go to the web browser window b Enter the end entity URL for the remote Certi...

Page 150: ...elationship when you issued this certificate by selecting this option in the agent services interface on the request page used to approve the request If you have done this you do not need to further c...

Page 151: ...ACL Configuration The configuration set up for the Certificate Manager gives the following privileges to members of the following groups Members of the Administrator group can perform any operations...

Page 152: ...atabase and they must be configured as trusted see Changing the Trust Settings of a CA Certificate on page 294 and Installing a New CA Certificate in the Certificate Database on page 295 Certificate C...

Page 153: ...r each of the interfaces when you install the Registration Manager You can change the ports that any of the interfaces listen on and you can remove the HTTP non SSL end entity port if you will not use...

Page 154: ...ttings You can change the configuration of the internal database after installation including restricting access to the internal database see The Internal Database on page 288 for information on doing...

Page 155: ...tion method to be agent approved or automated The agent approved enrollment in person agent initiated enrollment and CMC enroll methods are enabled and configured when you install the Registration Man...

Page 156: ...u like The authentication methods that you can configure are Directory Based Enrollment End entities are authenticated against an LDAP directory using their user ID or DN and password See Setting Up D...

Page 157: ...rmation see Chapter 11 Policies If you set up and enable policies in the Registration Manager you must be careful how you set up policies in the Certificate Manager that issues certificates for this R...

Page 158: ...interface for processing The agent can change some aspects of the request as long as they are within the constraints set in the certificate profile reject the request change the status of the request...

Page 159: ...set up a trusted relationship between a Data Recovery Manager and a Registration Manager so that the end entities private encryption keys are archived during the certificate request See Chapter 6 Data...

Page 160: ...he form creates a request that is then submitted to the Registration Manager The enrollment form can trigger the creation of the public and private keys for this request or for dual key pairs The end...

Page 161: ...ate request is either rejected at some point in the process either by an agent because it did not meet the policy certificate profile or authentication requirements or the request is signed and sent t...

Page 162: ...t up for a single method of renewal All requests are made to the renewal page of the end entity interface The end entity presents their old certificate and if they meet the policies for renewal a new...

Page 163: ...agents can approve requests made by end entities to revoke their certificates but agents cannot revoke certificates on their own The Certificate Manager agent for the CA that issued the certificate w...

Page 164: ...How a Registration Manager Works 164 Netscape Certificate Management System Administrator s Guide June 2003...

Page 165: ...with OCSP Service Online Certificate Status Manager Deployment Considerations Installing an Online Certificate Status Manager Setting Up the OCSP Responder Configuring the Online Certificate Status M...

Page 166: ...s all the information required by the responder to process it If it does not or if it is not enabled for the requested service a rejection notice is sent If it does have enough information it processe...

Page 167: ...st is subjected to policy checking see Configuring Policy Rules for a Subsystem on page 489 For more information about the certificates associated with OCSP see SSL Server Key Pair and Certificate on...

Page 168: ...eal time status of all certificates it has issued this method of revocation checking is most accurate Since the internal OCSP service checks the status of certificates stored in the Certificate Manage...

Page 169: ...publish the CRL As explained earlier the Online Certificate Status Manager stores each Certificate Manager s CRL in its internal database and uses it as the default CRL store for verifying certificate...

Page 170: ...ou will have to create this policy and configure it for this service If you installed the Certificate Manager s with its OCSP service feature disabled a default policy rule named AuthInfoAccessExt is...

Page 171: ...alled The Online Certificate Status Manager s signing certificate was issued by the CA to which you submitted the certificate signing request SSL Server Key Pair and Certificate Every Online Certifica...

Page 172: ...application An Agent Services interface that is accessible by default only to members of the Online Certificate Status Manager Agent group The agent s services interface is an HTML interface accessibl...

Page 173: ...formation such as certificates and certificate requests used by the subsystem you will be installing in this CMS instance By default a separate internal database is created for each subsystem you conf...

Page 174: ...th to 4096 bits for certificates that provide access to highly sensitive data or services CMS signing keys up to 2048 bits in length are not subject to export restrictions However the question of key...

Page 175: ...assuming more than one role Deselect if you want to restrict users from being able to belong to more than one role This setting only applies to the default administrator agent auditor roles Click Nex...

Page 176: ...anager Certificate Manager or Registration Manager automatically The wizard creates a certificate request that you must submit to a CA To automatically submit the request to a remote Certificate Manag...

Page 177: ...u re required to paste the encoded certificate into the Installation Wizard next So once you ve copied the certificate go back to the wizard screen Step 13 Also note that you might be required to past...

Page 178: ...t all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be sure to not make any changes to the certificate You re required to paste the encoded ce...

Page 179: ...p 17 14 Location of Certificate Specify the location of the certificate You can use one of these options If you noted the file path to the file that contains the certificate in its base 64 encoded for...

Page 180: ...a text file Be sure to not make any changes to the certificate You re required to paste the encoded certificate into the Installation Wizard next So once you ve copied the certificate go back to the w...

Page 181: ...icate Extensions for SSL Server Certificate Select the required extensions The default settings should work for most deployments If necessary you can add an additional extension by pasting its base 64...

Page 182: ...entity port uses SSL III Click Next to submit the request The Certificate Request Result screen appears confirming that the request has been submitted Note the request ID provided in the response mes...

Page 183: ...entities III Click Manual Server Certificate Enrollment or click Agent Based Server Certificate Enrollment if you have an agent certificate If you choose Agent Based Server Certificate Enrollment and...

Page 184: ...lick Approve Request 22 SSL Server Certificate Installation Depending on whether you have the certificate ready for pasting into the Installation Wizard screen click Yes or No If you have submitted yo...

Page 185: ...continue 25 Import Certificate Chain This screen appears only if you need to import the CA certificate chain Follow these steps to import the CA chain of a Certificate Manager a Go to the web browser...

Page 186: ...up to read from that LDAP publishing directory 3 You must configure your policies or certificate profiles for every CA that will publish to the OCSP Responder to include the Authority Information Acc...

Page 187: ...can configure for the Online Certificate Status Manager and points you to specific information on configuring those sets of features Adding Users Once the Online Certificate Status Manager is installe...

Page 188: ...e signed audit log and can view configuration settings but cannot perform any other operations on configuration settings and do not have any access to the agent services interface Online Certificate S...

Page 189: ...the Certificate Database on page 296 OCSP Certificates Depending on who signed your Online Certificate Status Manager s SSL server certificate you may need to perform the following actions to get that...

Page 190: ...ring or after installation See Changing an IP Addresses on page 287 for details Changing Subsystem Security Setting You can configure the security of each subsystem by changing the SSL version used by...

Page 191: ...Online Certificate Status Manager contains the framework for jobs but does not contain any prebuilt jobs You can build jobs using the CMS SDK For detailed information on setting up publishing see Chap...

Page 192: ...value of zero 0 Verify Certificate Manager and Online Certificate Status Manager Connection When you restart the Certificate Manager it tries to connect to the Online Certificate Status Manager s end...

Page 193: ...ificate Status Manager and then select Revocation Info Stores The right pane shows the two repositories the Online Certificate Status Manager can use by default it uses the CRL in its internal databas...

Page 194: ...ndow to see the updated fields host n Type the fully qualified DNS hostname of the LDAP directory The name must be in the machine_name your_domain domain form For example corpDir1 example com port n T...

Page 195: ...ement tab 7 Click Refresh Testing Your OCSP Setup To test whether the Certificate Manager can service OCSP requests properly follow these steps 1 Turn On Revocation Checking in your browser or client...

Page 196: ...te Manager s OCSP service status again to verify that these things happened The browser sent an OCSP query to the Certificate Manager this response was initiated when you clicked the View button The C...

Page 197: ...ply it for example has left the organization that owns the data This chapter explains how to use the Data Recovery Manager to archive end entity s encryption private keys and how to use the archived k...

Page 198: ...ed to impersonate the digital identity of the original key owner Clients that generate single key pairs use the same private key for both signing and encrypting data so you cannot archive and recover...

Page 199: ...ce of the Data Recovery Manager For information on customizing this form see Step C Customize the Certificate Enrollment Form on page 229 Initiating the key recovery process also requires its own HTML...

Page 200: ...tored as a key record The archived copy of the key remains encrypted or wrapped with the Data Recovery Manager s storage key see Data Recovery Manager s Key Pairs and Certificates on page 213 It can b...

Page 201: ...ata Recovery Manager uses two special key pairs A transport key pair and corresponding certificate A storage key pair Figure 6 1 illustrates how the key archival process occurs when an end entity s re...

Page 202: ...decrypts it with the private key that corresponds to the public key in its transport certificate After confirming that the private encryption key corresponds to the end entity s public encryption key...

Page 203: ...tate this by allowing each recovery agent to enter a password in the Data Recovery Manager during configuration They must be available to retrieve your end entity s encryption private keys if the need...

Page 204: ...recovery agents m provide their identifiers and passwords After verifying the passwords the Data Recovery Manager reconstructs the PIN for the token based on the given information Interface for the Ke...

Page 205: ...ery Manager retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS 12 package By default key recovery authorization is local Remote Key Recovery Auth...

Page 206: ...the local authorization option in the Key Recovery form How Agent Initiated Key Recovery Works In an agent initiated key recovery the key is recovered by the collective efforts of a Data Recovery Mana...

Page 207: ...anager agent accesses the Key Recovery form using the appropriate client certificate types the identification information pertaining to the person whose encryption private key needs to be recovered an...

Page 208: ...ord for the PKCS 12 package and their individual identifiers and passwords The Data Recovery Manager agent submits the page to the Data Recovery Manager 5 The Data Recovery Manager matches the key rec...

Page 209: ...orage key password Each password retrieves only a part of the private storage key You first specified the key recovery agent scheme when you installed the Data Recovery Manager Changing the Key Recove...

Page 210: ...strator s Guide June 2003 3 In the navigation tree select the Data Recovery Manager and in the right pane click the Scheme Management tab The Scheme Management tab shows the current key recovery schem...

Page 211: ...ion click Done You are returned to the Scheme Management tab Changing Key Recovery Agents Passwords As administrator you have the responsibility of safeguarding the security of each Data Recovery Mana...

Page 212: ...s 5 Allow the agent to enter the appropriate information During installation the Data Recovery Manager prompts you to enter key recovery agent passwords by default they are set to agent n where n can...

Page 213: ...ing key pairs and certificates Transport Key Pair and Certificate Storage Key Pair SSL Server Key Pair and Certificate Transport Key Pair and Certificate Every Data Recovery Manager you have installed...

Page 214: ...sed see Chapter 6 Data Recovery Manager Note that the public component of the storage key pair is not certified there is no certificate that corresponds to the public key Keys encrypted with the stora...

Page 215: ...of already installed and available tokens For example SmartCard For installation instructions see External Token on page 314 Internal Database Each subsystem uses an internal database to store inform...

Page 216: ...ons permitting it may be a good rule of thumb to start with 1024 bits and consider increasing the length to 4096 bits for certificates that provide access to highly sensitive data or services However...

Page 217: ...ant to restrict users from being able to belong to more than one role This setting only applies to the default administrator agent auditor and trusted manager roles Click Next to continue 7 Subsystems...

Page 218: ...ificate extension text field accepts a single extension blob If you want to add multiple extensions you should use the ExtJoiner program which is also provided in the tools directory For details on us...

Page 219: ...it for the remote Certificate Manager s agent to approve your request IV Open a web browser window V Enter the URL for the remote Certificate Manager s Agent Services page You must have a valid agent...

Page 220: ...ficate Manager s Agent Services page You must have a valid agent s certificate VII Select List Requests click Show Pending Requests and click Find VIII In the pending request list locate your request...

Page 221: ...inue as far as you can with the configuration and resume after you receive the certificate The default is No Select Yes only if you have the certificate ready in its base 64 encoded format Click Next...

Page 222: ...PKCS 7 for importing into a server option and click Submit e In the resulting page locate the CA certificate chain in its base 64 encoded format and copy it to the clipboard f Return to the Installati...

Page 223: ...fied host name of the machine on which you re installing the Data Recovery Manager Click Next to continue 24 Certificate Extensions for SSL Server Certificate Select the required extensions The defaul...

Page 224: ...u ve permission to access that Certificate Manager s Agent interface you can follow the instructions below to issue the certificate Otherwise you should wait for the remote Certificate Manager s agent...

Page 225: ...f you used the Agent Based Server Certificate Enrollment and you have an agent certificate the certificate will be automatically issued once you submit the request If you used the Manual Server Certif...

Page 226: ...ficate request has been saved to a file You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA s signing certificate...

Page 227: ...red details Click Next to continue 29 Certificate Details This is an informational screen that displays the certificate so you can inspect its contents Notice the nickname assigned to the certificate...

Page 228: ...e Agent Certificates on page 335 for details Configuring Key Archival and Recovery Process By default the Data Recovery Manager is not configured to archive or recover end entity s encryption private...

Page 229: ...t it initiates the key archival process and requests the service of the Data Recovery Manager for archiving the key For the enrollment authority to be able to request the service of the Data Recovery...

Page 230: ...quired to update the following information only The Data Recovery Manager s transport certificate The algorithm length type and usage for end entity s key pairs When you update this information the ke...

Page 231: ...marker lines BEGIN CERTIFICATE and END CERTIFICATE to a text file An example is shown below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCV VMxLDAqBgNVBAoTI0 5ldHNjYXBlIENvbW11bmljYXRpb...

Page 232: ...BEGIN CERTIFICATE and END CERTIFICATE to a text file The copied information should look like the example below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCV VMxLDAqBgNVBAoTI0 5ldHNjYX...

Page 233: ...BvcmF0aW9uMREw DwYDVQQ LEwhIYXJkY29yZTEnMCUGA1UEAxMeSGFyZGNvcmUgQ2VydGlmaWNhdGUgU2Vy dmVyIEl JMB4XDTk4MTExOTIzNDIxOVoXDTk5MDUxODIzNDIxOVowLjELMAkGA1UEBhMC VVMxETA PBgNVBAoTCG5ldHNjYXBlMQwwCgYDVQQDEwNL...

Page 234: ...s on page 203 In particular you should be familiar with how the key archival process works If you are not see How Agent Initiated Key Recovery Works on page 206 The Data Recovery Manager supports agen...

Page 235: ...ode for Key Recovery The Data Recovery Manager allows key recovery agents to authorize recovery of an end entity s encryption private key locally or remotely The default configuration is local authori...

Page 236: ...using Netscape Communicator 4 7 with Personal Security Manager version 1 01 Step A Test Your Key Archival Setup To test whether you can successfully archive a key follow these instructions 1 Enroll f...

Page 237: ...the value of the E attribute e Locate and approve the request 3 Check if the certificates have been issued To do this a Click the List Requests link again b In the form that appears select the Show co...

Page 238: ...ed and encrypted There should be a security icon at the top right corner of the message window and it should indicate that the message is signed and encrypted Step C Delete the Certificate To do this...

Page 239: ...Recovery Works on page 206 The base 64 encoded certificate that corresponds to the private key you want to recover use the enrollment authority s end entity or agent interface to get this information...

Page 240: ...Process 240 Netscape Certificate Management System Administrator s Guide June 2003 3 Open the test email that you couldn t verify after deleting the certificate from the browser s certificate database...

Page 241: ...the internal database This chapter contains the following sections The Administrative Interface System Passwords Starting Stopping and Restarting CMS Instances Subsystem Configuration Overview Mail Se...

Page 242: ...to configure CMS through Netscape Console You access Administration Server by entering its URL in the Netscape Console login screen and providing the user ID and password of the administrative user Ad...

Page 243: ...d administration interface to the user directory You can accomplish various CMS specific tasks from the Console tab Launch the CMS console Install instances of CMS Remove an instance of CMS Clone an i...

Page 244: ...es with Directory Server but does not allow you to create CMS server instances Password Type the password for this user ID Administration URL Specify the URL for the Administration Server you want to...

Page 245: ...e choices available in this tab will change depending on which subsystem is installed in this server instance The specifics of setting these configuration settings is contained in the appropriate sect...

Page 246: ...sented with a list of your certificates to choose from in order to login You will not be presented with the userID Password entry dialog 4 The CMS console opens Viewing Information About a CMS instanc...

Page 247: ...rver s status whether it is started stopped or unknown normally unknown indicates that the server hasn t been configured properly 3 To change the name of the instance or its description Select the ins...

Page 248: ...ou need to use certutil to initialize cert8 db and key3 db and to create certificate request make sure to set the LD_LIBRARY_PATH correctly To do this issue the following command setenv LD_LIBRARY_PAT...

Page 249: ...lientauth authType sslclientauth 20 Save the file 21 Open the file server xml 22 Change the clientauth off attribute to clientauth on in the SSLPARAMS section of the LS id admin LS id admin ip 0 0 0 0...

Page 250: ...manages Passwords you enter for LDAP directory access are not subjected to quality checks The reason for this is the password quality is handled by the system that creates and manages the password In...

Page 251: ...rds because this file stores the passwords in a plain text file If you do delete the password conf file you must start the server instance using the command line You will be prompted for the token pas...

Page 252: ...S Instances Each instance of CMS is started stopped and restarted separately This section describes how to start stop and restart CMS instances and how to check its current status Starting a Server In...

Page 253: ...etting in the CMS cfg file that allows you to set the absolute time out the amount of time before the between issuing the shutdown command and actual shutdown If this time is reached before all proces...

Page 254: ...e To stop a CMS instance from the command line 1 Log in either as root or with the server s user account 2 Go to the following directory server_root cert instance_id 3 Type the following command stop...

Page 255: ...Managers you should install the root CA first You might also want to install a Certificate Manager that will develop a trusted relationship with other subsystems first Configuring Multiple CMS Instanc...

Page 256: ...CMS instance from your host Removing a CMS instance is not the same as uninstalling CMS For instructions on uninstalling CMS see Uninstalling CMS on page 83 To remove a CMS instance 1 Log in to Netsc...

Page 257: ...k Save Configuration Files The runtime properties of CMS are governed by a set of configuration parameters These parameters are stored in a file that is read by the server during startup When you inst...

Page 258: ...diting the configuration file because your changes will be overwritten by the cached version when the server is stopped or restarted 2 Go to the following directory server_root cert instance_id config...

Page 259: ...er The parameter names and their values are strings The parameter names can be hierarchically structured with notation with multiple levels for example ca Policy rule RSAKeyRule maxSize The entries co...

Page 260: ...nrollment form so that the server is able to determine the authentication method during end user enrollment Job Scheduler parameters All job specific information such as registered job modules and con...

Page 261: ...e Registration Managers and you want all these instances to have the same configuration you can accomplish this by configuring one of the instances and then replacing the configuration files of the ot...

Page 262: ...ance_id logs signedAudit You can change the default location for logs by modifying it in the configuration Error and Access Logs The error and access logs are created by Netscape Enterprise Server whi...

Page 263: ...during this installation and configuration System Log This log records information about requests to the server all HTTP and HTTPS requests and the responses from the server Information recorded in t...

Page 264: ...ecifies logged events related to the Certificate Manager Database Specifies logged events related to this server s activity with the internal database HTTP Specifies logged events related to the HTTP...

Page 265: ...l Message category Description 0 Debugging These messages contain debugging information Generally you would not want to set a log to the debugging level since it would yield far too much information f...

Page 266: ...ogs and it holds the messages in these buffers for as long as possible The server flushes out the messages to the log files only when either of the following conditions occurs The buffer gets full the...

Page 267: ...the old file is named using the name of the file with an appended time stamp The appended time stamp is an integer that indicates the date and time the corresponding active log file was rotated The da...

Page 268: ...a Click Add in the Log Event Listener Management tab The Select Log Event Listener Plug in Implementation window appears It lists registered log modules b Select a plug in module c Click Next The Log...

Page 269: ...rval in seconds to flush the buffer to the file The default interval is 5 seconds The flushInterval is the amount of time before the contents of the buffer are flushed out and added to the log file ma...

Page 270: ...Management tab 6 Click Refresh Configuring Logs in the CMS cfg File To modify the configuration settings for logs 1 Stop the CMS instance 2 Open the CMS cfg file located in the directory server_root...

Page 271: ...for Security The default selection is 1 For more information see Log Levels Message Categories on page 265 maxFileSize Specify the file size in kilobytes KB for the error log The default size is 100...

Page 272: ...match the search request If you enter zero 0 no messages are returned If you leave the field blank the server returns every matching entry no limit regardless of the number found Source Select the CM...

Page 273: ...udit Log on page 263 for details about signed audit logs For signing log files you use a command line utility called Netscape Signing Tool signtool For details about this utility check this site http...

Page 274: ...igation tree select Logs and then in the right pane select the Log Event Listener Plug in Registration tab 4 Click Register The Register Log Event Listener Plug in Implementation window appears 5 Spec...

Page 275: ...d audit log feature is disabled by default You can also set this audit log up as a signed audit log You enable this by setting the logSigning parameter to enable and providing the nickname of the cert...

Page 276: ...FILE A change is made to the configuration settings for the CRL framework in other words any of the settings for CRLs including extensions frequency and CRL format CONFIG_OCSP_PROFILE A change is made...

Page 277: ...stored in the Data Recovery Manager KEY_RECOVERY_AGENT_LOGIN DRM agents log in as recovery agents to approve key recovery requests KEY_RECOVERY_PROCESSED A key recovery has been processed KEY_GEN_ASYM...

Page 278: ...in the end entity interface of a Registration Manager enable the raAuditCert profile in that Registration Manager and enable the raAuditCert profile in that Certified Manager that processes the reque...

Page 279: ...as the value of the signedAuditCertNickname parameter and specify the events that will be logged in the events parameter 6 Assign auditor users if you have not done so by creating the user and assigni...

Page 280: ...self tests are run at start up and can also be run on demand The start up self tests run when the server starts up and will keep the server from starting up if a critical self test fails The on demand...

Page 281: ...se associated with which type of subsystem has been configured with this server instance You turn the self test off or change which self tests are considered critical by changing those setting in the...

Page 282: ...s how large a log file can become before it is rotated Once it reaches this size the file is copied to a rotated file and the log file is started anew For more information see Log File Rotation on pag...

Page 283: ...Save the file 6 Start CMS Ports About Ports CMS listens on different ports for requests from different types of users As illustrated in Figure 7 1 it listens on an administration port an agent port a...

Page 284: ...requests from the appropriate Agent Services interface The Certificate Manager and Registration Manager agents use the agent port to process certificate issuance and management requests from end enti...

Page 285: ...initiated PKI requests such as enrollment renewal and revocation enrollment requests can include requests from Cisco routers using the CEP protocol general certificate retrieval requests such as retri...

Page 286: ...his line and edit the value of the port attribute LS id agent ip 0 0 0 0 port 8100 security on acceptorthreads 1 blocking no To change the end entity HTTP port locate this line and edit the value of t...

Page 287: ...ne IP address and the Data Recovery Manager is served on another address if the host is configured with more than one IP address To configure a CMS instance to listen to specific IP addresses 1 Stop t...

Page 288: ...etween two or more instances You can change the internal database used by a CMS instance This section describes how to change that instance and how to restrict access to the internal database About th...

Page 289: ...when you installed this server If you check the files installed under server_root the internal database instance appears like this slapd cms_instance_id db Keep in mind that the subsystems use the da...

Page 290: ...host name of the machine in which Directory Server is installed Port number Type a TCP IP port number CMS uses this port for non SSL communications with the Directory Server instance that is function...

Page 291: ...dministrators group 9 Click set Access Control Permission and then Click Add 10 Fill in the following information ACIName clientauth Check all the rights in the Rights tab Click This Entry in the Targ...

Page 292: ...b 4 In the navigation tree expand Plug ins and then select Pass Through Authentication 5 In the right pane deselect Enable plugin option 6 Click Save to save your changes You are prompted to restart t...

Page 293: ...ts of the certificate database and make sure that it doesn t include any unwanted CA certificates For example if the database includes CA certificates that you don t ever want to trust in your PKI set...

Page 294: ...ges click Save Changing the Trust Settings of a CA Certificate CMS relies on the CA certificates in its certificate database for validating certificates it receives during an SSL enabled communication...

Page 295: ...utton named Change to Trusted 5 Click Change to Untrusted or Change to Trusted as appropriate 6 Click Close You are returned to the Certificate Database Management window The certificate now shows a d...

Page 296: ...Certificate Chain in the Certificate Database Any client or server software that supports certificates maintains a collection of trusted CA certificates in its certificate database These CA certifica...

Page 297: ...presents you with the screens appropriate to your choice and walks you through the entire process For installing certificates except for cases when the certificate is self signed by the CA you will ne...

Page 298: ...CA signing OCSP signing and SSL server certificates If a Registration Manager is installed the list includes the Registration Manager s signing and SSL server certificates If a Data Recovery Manager i...

Page 299: ...nformation Specify the key pair information for the certificate to be requested You need to identify the following The token that contains the key pair for generating the certificate request the drop...

Page 300: ...h of the key pair you are required to provide this information only if you chose to generate the certificate request based on a new key pair For key type you can choose RSA or DSA Be sure to select a...

Page 301: ...s is located For example Mountain View State or province enter the name of the state or province where your business is located For example California Country enter the name of the country where your...

Page 302: ...type select this option if you want to set any of the Netscape Certificate Type extension bits in the certificate you are requesting When you select the option the associated fields are enabled You sh...

Page 303: ...in a base 64 encoded PKCS 10 format and is bounded by the marker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST An example is show below BEGIN NEW CERTIFICATE REQUEST MIICJzCCAZC...

Page 304: ...Sending the CSR Automatically to a CMS Manager To send the certificate signing request CSR automatically to a Certificate Manager 1 Type the appropriate values in the following fields Send the request...

Page 305: ...d to Install a Certificate or Certificate Chain on page 307 Sending the CSR Manually to an Internal CA The following instructions assume that your internally deployed CA is a Certificate Manager and t...

Page 306: ...yourself 9 When you receive the certificate from the CA you ll need to install it following the instructions in Using the Wizard to Install a Certificate or Certificate Chain on page 307 Sending the C...

Page 307: ...currently selected CMS instance Any of the certificates used by a Certificate Manager Registration Manager Data Recovery Manager and Online Certificate Status Manager Any other trusted CA certificate...

Page 308: ...n briefly explains the data formats recognized by the wizard Binary Formats The wizard can recognize certificates and certificate chains in the following binary formats DER encoded certificate This is...

Page 309: ...install a certificate Step 2 Select the Certificate or Certificate Chain Select the certificate you want to install The drop down list shows various options Depending on whether you want to install a...

Page 310: ...information that will help you decide on the location Keeping the certificate or certificate chain in a text file the wizard can import a certificate or certificate chain from a text file in text as...

Page 311: ...ificate Chain The wizard shows the certificate or certificate chain information you have selected for installing You should check the information to make sure that you have chosen the correct one for...

Page 312: ...est and install the new certificate Determine which certificate you want to get You can get CA signing OCSP signing CRL signing and SSL server certificates for the Certificate Manager signing and SSL...

Page 313: ...for a Registration Manager check whether the Registration Manager has been set up as a trusted manager for a Certificate Manager and Data Recovery Manager that is you must identify the subsystems tha...

Page 314: ...cates Certificate Management System automatically generates these files in the file system of its host machine when you choose to use the internal token for the first time These files were created for...

Page 315: ...be sure to use a name that will help you identify the token later Install the PKCS 11 Module PKCS 11 is a standard set of APIs and shared libraries used by Netscape and a number of encryption vendors...

Page 316: ...to add a UNIX shared dynamic library which on a Solaris machine is identified with the so extension e Click OK To install the PKCS 11 module using the modutil tool a Locate the CMS instance for which...

Page 317: ...The token internal or external that stores the key pairs and certificates for the subsystems is protected encrypted by a password To decrypt the key pairs or to gain access to them you must enter that...

Page 318: ...stration Manager or Certificate Manager Configuring the Server s Security Preferences Configuring a CMS manager s security preferences involves identifying the following The SSL server certificates a...

Page 319: ...the list of SSL server certificates in the Encryption tab of the CMS window Step 2 Update the Configuration After you verify that the certificates are installed configure the server as follows 1 Stop...

Page 320: ...ructions for requesting and installing an SSL client certificate for a Certificate Manager and configuring it to use that certificate for SSL client authentication to the publishing directory 1 Log in...

Page 321: ...instance_id identifies the CMS instance in which the Certificate Manager is installed 9 After you ve installed the certificate successfully go to the Tasks tab and stop the Certificate Manager 10 Con...

Page 322: ...Configuring the Server s Security Preferences 322 Netscape Certificate Management System Administrator s Guide June 2003...

Page 323: ...ing access to certain tasks associated with Netscape Certificate Management System CMS The authorization model is very flexible allowing you to configure it to your needs In order to authorize users y...

Page 324: ...e database With certificate based authentication the server also checks that the certificate is valid and finds the group membership of the user by associating the DN of the certificate with a user an...

Page 325: ...and adding them to the group called Administrators every member of this group has administrative privileges for this instance of CMS At least one administrator must be defined for each CMS instance t...

Page 326: ...s own agents whose role is defined by the subsystem Each subsystem installed in a CMS instance must have at least one agent and there is no limit to the number of agents a subsystem can have Authentic...

Page 327: ...subsystem it trusts allowing it to communicate with the subsystem It does this by specifying the agent services port information for that subsystem Possible Trusted Relationships The Registration Man...

Page 328: ...ileges For an agent or auditor you also need to get a certificate and store the certificate in the internal database If you set up the CMS console for SSL client authentication you must also import a...

Page 329: ...list of users and the user ID now has the privileges of the group they are assigned in this instance of CMS 5 Click Refresh to view the updated configuration 6 Store the user s certificate if the user...

Page 330: ...their certificate using the manual enrollment form The automated process is built into the request approval form in the Agent Services interface and it enables those who have both Certificate Manager...

Page 331: ...oups The user ID you specified for the new agent will be listed there 12 To view the certificate issued to the new agent select the user ID and click Certificates Setting Up a Trusted Manager You can...

Page 332: ...en The subsystem that will be trusted makes its signing certificate request to the Certificate Manager A user who has both administrator and agent privileges with the Certificate Manager providing tru...

Page 333: ...you just added appears in the list of users Next you need to store the Registration Manager s signing certificate or Certificate Manager s SSL client certificate in the internal database of the subsy...

Page 334: ...tree select Registration Manager or Certificate Manager The General Settings tab appears in the right pane 13 Select the Connectors tab 14 In the List of connectors select the connector If you are con...

Page 335: ...ement System on page 338 You can set up a feature that checks the revocation status of agent certificates See Revocation Status Checking of Agent Certificates on page 339 for details about setting up...

Page 336: ...trator agent Organization unit Type the name of the organization unit to which the administrator agent belongs Organization Type the name of the company or organization the administrator agent works f...

Page 337: ...ilable again Getting an Agent s Certificate from a Public CA The following general guidelines explain how a user can get a client certificate from a public CA and how you can copy that certificate in...

Page 338: ...certificate in base 64 encoded form to the internal database of a subsystem 1 The user sends a client certificate request to CMS from the computer that they will use to access the subsystem from the A...

Page 339: ...ntaining the user s certificate in base 64 encoded form 9 Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file 10 Save the text file and...

Page 340: ...MS cfg includes a parameter named jss ocspcheck enable which enables you to specify whether a CMS manager should use Online Certificate Status Protocol OCSP to verify the revocation status of the cert...

Page 341: ...default the feature is enabled revocationChecking unknownStateInterval The default interval is 0 seconds revocationChecking validityInterval Specifies how long in seconds the cached certificates are...

Page 342: ...2 In the navigation tree select Users and Groups The Users tab appears in the right pane 3 In the User ID list select the user whose certificate information you want to change and click Certificates...

Page 343: ...Group description field To remove a user from the group select the user and click Delete To add users click Add User In the Select window that appears select the users you want to add and click OK You...

Page 344: ...tree select Users and Groups 3 Select the Group tab 4 Click Edit The Edit Group Information window appears 5 Specify information in the following fields Group name Type a name for this group Group de...

Page 345: ...CI also contains an evaluator expression The default implementation of ACLs specifies only users groups and IP addresses as possible evaluator types although you could create others using the CMS SDK...

Page 346: ...console interface you create or modify ACIs in an editor that allows you to do this in a graphical environment You choose from allow or deny in the Allow and Deny field then you choose one of the oper...

Page 347: ...cess to more than one operator in a single ACI select the first operator from the list and then hold down Ctrl while selecting other operators Syntax The syntax field of the ACI editor is where you sp...

Page 348: ...n specified An IP address is specified using its numeric value DNS values are not permitted For example ipaddress 12 33 45 99 ipaddress 23 99 09 88 Stringing Values You can create a string with more t...

Page 349: ...ation specified in this ACI to the group s user s or IP address es specified For more information about allowing or denying access see Allow and Deny on page 346 b Select one operator from the possibl...

Page 350: ...ault ACIs for each ACL resource defined Each subsystem you install will contain only those ACLs that are relevant to that subsystem certServer acl configuration Allow or deny a read or modify operatio...

Page 351: ...uation TOE it is unavailable after the CA is up and running Allow or deny submit read or execute operations for an administrator enrollment request Operations Default ACIs allow submit user anybody al...

Page 352: ...nterface Operations Default ACIs allow import unrevoke revoke read group Certificate Manager Agents Certificate Manager Agents can import unrevoke revoke and read a certificate read Viewing authentica...

Page 353: ...certificate revocation requests list Listing certificates based on a search Retrieving details about a range of certificates based on providing a range of serial numbers read Viewing CRL plug in info...

Page 354: ...fault ACIs allow submit group Trusted Managers Trusted Manager can submit requests to this interface certServer ca clone Allow or deny a submit operation for a connection to the CA by a cloned CA Oper...

Page 355: ...ertificate Manager Agents Certificate Manager agents can update the directory certServer ca group Allow or deny an update operation to add a group Operations Default ACIs allow add group Administrator...

Page 356: ...roup Certificate Manager Agents Certificate Manager agents can list certificate profiles certServer ca profile Allow or deny a read or approve operation for certificate profiles in the agent services...

Page 357: ...assign unassign group Certificate Manager Agents Anyone can submit an enrollment request only Certificate Manager Agents can read or execute enrollment requests certServer ca request profile Allow or...

Page 358: ...iew statistics certServer ee certificate Allow or deny a renew revoke read or import operation in the end entity interface Operations Default ACIs allow renew revoke read import user anybody approve M...

Page 359: ...ver ee certchain Allow or deny a download or read operation for the CA s certificate chain in the end entity interface Operations Default ACIs allow download read user anybody Anyone can read or downl...

Page 360: ...profiles certServer ee profiles Allow or deny a list operation for certificate profiles in the end entity interface Operations Default ACIs allow list user anybody Anyone can list certificate profiles...

Page 361: ...ions Default ACIs allow submit user anybody Anyone can submit an enrollment request certServer ee request facetofaceenrollment Allow or deny to submit face to face enrollment Operations Default ACIs a...

Page 362: ...can submit a revocation request certServer ee requestStatus Allow or deny a read operation for the request status available from the end entity interface Operations Default ACIs allow read user anybo...

Page 363: ...ng environment LDAP configuration SMTP configuration server statistics encryption token names subject name of certificates certificate nicknames all subsystems that have been loaded by the server get...

Page 364: ...uration Operations Default ACIs allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certif...

Page 365: ...can read recover or retrieve key information certServer kra keys Allow or deny a list operation for the Data Recovery Manager Operations Default ACIs allow list group Data Recovery Manager Agents Onl...

Page 366: ...roup Data Recovery Manager Agents Only Data Recovery Manager Agents can list key archival requests certServer kra request status Allow or deny a read operation for a Data Recovery Manager request Oper...

Page 367: ...up Online Certificate Status Manager Agents allow modify group Administrators Administrators Agents and auditors are allowed to read the log configuration only administrators are allowed to modify the...

Page 368: ...parameter of a log instance Operations Default ACIs allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agent...

Page 369: ...all logs Operations Default ACIs allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Cert...

Page 370: ...ate Authorities certServer ocsp certificate Allow or deny a validate operation for checking certificate revocation information Operations Default ACIs allow validate group Online Certificate Status Ma...

Page 371: ...o modify OCSP configuration certServer ocsp crl Allow or deny an add operation for posting CRL to an OCSP Operations Default ACIs allow add group Online Certificate Status Manager Agents Online Certif...

Page 372: ...Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators read Viewing policy plug ins and instances Listing policy plug ins and instances...

Page 373: ...and agents are allowed to read publisher configuration only administrators are allowed to modify publisher configuration certServer ra configuration Allow or deny a read or modify operation for the c...

Page 374: ...mport unrevoke revoke read group Registration Manager Agents Registration Manager agents can import unrevoke revoke and read certificates certServer ra connector Allow or deny a submit operation for a...

Page 375: ...enable disable face to face enrollment certServer ra facetofaceenrollment enableHosts Allow or deny reading all hosts enabled for face to face registration Operations Default ACIs allow read group Re...

Page 376: ...an read and approve certificate profiles certServer ra profiles Allow or deny a list operation to certificate profiles in the agent services interface in a Registration Manager Operations Default ACIs...

Page 377: ...fault ACIs allow approve read group Registration Manager Agents Registration Manager agents can view and approve certificate profile based requests certServer ra requests Allow or deny a list operatio...

Page 378: ...ration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators auditors and agents are allowed...

Page 379: ...tration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Administrators auditors and agents are allowed to read user a...

Page 380: ...ACL Reference 380 Netscape Certificate Management System Administrator s Guide June 2003...

Page 381: ...rollment Automated Enrollment Agent Initiated End User Enrollment Certificate Based Enrollment Issuing and Managing Server Certificates CEP Enrollment Testing Your Enrollment Setup Managing Authentica...

Page 382: ...an instance of one of the authentication plug in modules You can also create plug ins for automatic enrollment using other forms of authentication such as a secure ID card or a relational database usi...

Page 383: ...ficate Manager If the subsystem where the request is submitted is a Registration Manager the request must pass the policies and certificate profiles of both the Registration Manager and the Certificat...

Page 384: ...Constraints on page 499 If the renewal lead time does not permit renewing the server rejects the renewal request Also if the policy is disabled renewal of certificates fails If the certificate being p...

Page 385: ...ent s approval An agent can change some aspects of the request change the status of the request reject the request or approve the request Once the request is approved the signed request is sent to the...

Page 386: ...d a pin you set up in their directory entry and then given to the end entity See Setting Up Pin Based Enrollment on page 393 Portal Enrollment End users are registered into an LDAP directory and issue...

Page 387: ...onality setting policies for specific certificates in the certificate profile see Chapter 10 Certificate Profiles for information about policies In the case of policy based enrollments customize the H...

Page 388: ...nd entry DN See DNs in Certificate Management System on page 784 ldapStringAttributes Specifies the list of LDAP string attributes that should be considered authentic for the end entity If specified t...

Page 389: ...Specifies the minimum number of connections permitted to the authentication directory Permissible values 1 to 3 ldap maxConns Specifies the maximum number of connections permitted to the authenticatio...

Page 390: ...uth Authentication plug in module and configure the instance See Setting Up the NISAuth Authentication on page 390 for details Customize the HTML enrollment forms Make sure the proper authentication m...

Page 391: ...ctory attributes and entry DN See DNs in Certificate Management System on page 784 extendedDN Specifies the suffix that the server should add to the default subject DN when an LDAP directory is not sp...

Page 392: ...conn port Specifies the TCP IP port on which the authentication LDAP directory listens to requests from CMS ldap ldapconn secureConn Specifies the type SSL or non SSL of the port on which the authenti...

Page 393: ...t policies Alternatively you can enroll users through the certificate profile functionality setting policies for specific certificates in the certificate profile see Chapter 10 Certificate Profiles fo...

Page 394: ...pen the setpin conf file in a text editor 3 Follow the instructions outlined in the file and make the appropriate changes Typically you will need to update the Directory Server s host name Directory M...

Page 395: ...need to enable the AttributePresentConstraints policy in the Certificate Manager that actually issues the certificates see AttributePresentConstraints on page 493 This policy forces the Certificate M...

Page 396: ...uld be considered authentic for the end entity If specified the values corresponding to these attributes will be copied from the authentication directory into the authentication token that is values r...

Page 397: ...password cache and uses it for subsequent start ups You need to specify this parameter only if you ve selected removePin ldap ldapauth clientCertNickname Specifies the nickname of the certificate to b...

Page 398: ...t presently exist for that user and to issue the user a certificate Portal enrollment is useful when you have a portal and want to register users and have them later authenticate using a certificate S...

Page 399: ...s Create an instance of the PortalEnroll Authentication plug in module and configure the instance See Setting Up the PortalEnroll Authentication on page 399 for details Customize the HTML enrollment f...

Page 400: ...fully qualified DNS host name of the authentication directory ldap ldapconn port Specifies the TCP IP port on which the authentication directory listens to requests from CMS ldap ldapconn secureConn S...

Page 401: ...N from the ldap ldapauth bindDN attribute to bind to the directory default SslClientAuth specifies SSL client authentication If you choose this option be sure to set the value of the ldap ldapconn sec...

Page 402: ...ut policies Alternatively you can enroll users through the certificate profile functionality setting policies for specific certificates in the certificate profile see Chapter 10 Certificate Profiles f...

Page 403: ...C Enroll Utility The CMC Enroll utility CMCEnroll is used to sign a certificate request with an agent s certificate It is installed along with CMS and is available in the following directory server_ro...

Page 404: ...1 Go to the directory server root cert instance web apps ee ra 2 Open the file CMCEnrollment html 3 Find the following line form method post action enrollment onSubmit return validate document forms...

Page 405: ...le the End Entity pages for CMC Enrollment on page 404 7 Submit your signed certificate using the end entity port a Go the End Entity port b Select CMC Enrollment from the main end entity page c Paste...

Page 406: ...DirEnrollment plug in is an instance of the HashAuth plug in You can turn this feature off by disabling or deleting the AgentDirEnrollment instance CMS provides the following form for agent initiated...

Page 407: ...e them available to users by some means Basically a user can get and use any pre initialized and certificate loaded hardware token Next each user uses the randomly picked token to enroll for a pair of...

Page 408: ...edSingleEnroll html this form is provided as a sample It enables end users to request signing certificates by submitting pre issued certificates as authentication tokens when a user enrolls for a cert...

Page 409: ...o other servers and end users and to encrypt data In order to issue SSL server certificates the signing certificate for the Certificate Manager must be enabled for such issuance If the Certificate Man...

Page 410: ...and in the internal database of CMS CMS allows server administrators to renew their certificates by using the server enrollment form hosted by a Certificate Manager or Registration Manager The renewal...

Page 411: ...for approval by the Certificate Manager agent To submit the server certificate request to CMS manually 1 Open a web browser window 2 Go to the End Entity Services interface of the Certificate Manager...

Page 412: ...upport for IPSec see the information available at this URL http www cisco com warp public cc cisco mkt security encryp prodlit 821_pp htm You can issue certificates to routers and CEP compliant Virtua...

Page 413: ...configure the plug in See Authentication Token File on page 413 and Setting Up the CEP Plug In on page 414 Authentication Token File You create a text file with CEP enrollee information that is used...

Page 414: ...S SDK See the SDK documentation for information about this plug in and any additional programming you may need to do to it 2 Register the plug in the CMS authentication framework See the CMS SDK for d...

Page 415: ...path name keyAttributes Specifies a comma separated list of attributes in the request which together uniquely identify an entry in the authentication token file The list of attributes you specify her...

Page 416: ...way cep cep1 entryObjectClass cep eeGateway cep cep1 url cgi bin pkiclient exe eeGateway cep cep1 authName flatfile_router VPN configuration eeGateway cep cep2 url vpnenroll eeGateway cep cep2 authNam...

Page 417: ...chema can accommodate VPN clients You may need to update the Directory Server s schema The reason for this is if you plan on publishing certificates from routers they may need to be published with the...

Page 418: ...tance of the policy plug in named CRLDistributionPointsExt for router certificates This extension if present in a certificate enables the user of the certificate to find revocation information pertain...

Page 419: ...cate an entry must already exist for the DN in the directory Enter true if you want the Certificate Manager to create an entry if one does not already exist true false Enter false if an entry already...

Page 420: ...length such as 512 or 1024 The longer the key length the more time the router takes to generate the key pair 6 Request the CA s Certificate In this part of the operation you identify the CA to the ro...

Page 421: ...authentication for routers the request will get processed by the CA The CA may return the certificate to the router in the same transaction If it doesn t the router checks with the CA at periodic inte...

Page 422: ...ty exit router config crypto ca authenticate test ca Certificate has the following attributes Fingerprint 24D34656 EB830C39 DD9E8179 0A4EBA98 Do you accept this certificate yes no yes router config cr...

Page 423: ...do it through profiles please read the instructions in Chapter 10 Certificate Profiles To test whether your end users can successfully enroll for a certificate using the authentication method you ve...

Page 424: ...the Directory Server is listening to authentication requests from the Certificate Manager base_dn with the DN to start searching for the user s entry and user_id with the ID of the user for whom you...

Page 425: ...this class is part of a package be sure to include the package name For example if you are registering a class named customAuth and if this class is in a package named com customplugins type com custo...

Page 426: ...rs need to generate Software Publishing File SPC files for their object signing certificates you should ask them to use the Microsoft tool named cert2spc The SPC file enables them to execute commands...

Page 427: ...ls AtoB cert b64 cert der converts the base 64 encoded certificate in the cert b64 file to its DER encoded format and writes the DER encoded certificate to a file named cert der 8 Next use the Microso...

Page 428: ...Generating Files Required By Third Party Object Signing Tools 428 Netscape Certificate Management System Administrator s Guide June 2003...

Page 429: ...content that can be contained in this type of certificate and the contents of the input and output forms associated with the certificate profile Enrollments requests are submitted to a particular cert...

Page 430: ...aults the constraints used in each policy the values assigned to any of the parameters in a policy or the input and output You can also create other certificate profiles either for other types of cert...

Page 431: ...interface where end entity can enroll for a certificate using the certificate profile The Certificate Profile enrollment page contains links to each type of certificate profile enrollment that has be...

Page 432: ...uated with the first certificate request and the second set is evaluated with the second certificate request There is no need for more than one set if you are issuing a single certificate or more than...

Page 433: ...by adding or deleting inputs in the certificate profile thus defining the fields on the input page Add or delete the single output Optionally you can modify existing defaults constraints inputs and o...

Page 434: ...s window Certificate Profile Instance ID Specify the instance ID of the certificate profile This name or number will be used by the system to identify the instance Certificate Profile Name Specify a n...

Page 435: ...bmitted request is queued in the request queue of the agent services interface e Click Ok The new certificate profile appears in the Certificate Profile Instances Management tab 6 To modify an existin...

Page 436: ...Certificate Profile Authentication Specify the authentication method Specify an automated authentication by providing the instance ID for the authentication instance that will be used If this field is...

Page 437: ...the policies associated with each certificate Certificate Profile Policy ID Type a name or identifier for this certificate profile policy d Configure any parameters in the Default or Constraint tab S...

Page 438: ...constraint applied to this policy Some values can be edited by clicking into the value field and changing the entry others have pull down menus associated with them where you can pick the values avail...

Page 439: ...puts tab of the Certificate Profile Rule Editor window You need to set up outputs for any certificate profile that uses an automated authentication method you do not need to set up outputs for any cer...

Page 440: ...r the types of certificates that are usually issued by a RA and a CA All certificate profiles are installed with a CA only those certificate profiles beginning with ra are installed with and RA The de...

Page 441: ...red for enrollments for end user certificates using directory based authentication in a Certificate Manager caAgentServerCert Configured for enrollments for server certificates allowing for automatic...

Page 442: ...profile up to match the certificate profile set up in the RA the value of the End User Certificate Profile needs to be set to false in order for the CA to be able to accept the request from somewhere...

Page 443: ...certificate used by a subsystem to sign the signed audit logs Input Reference An input puts certain fields on the enrollment page associated with a particular certificate profile You define inputs fo...

Page 444: ...field will display Not Supported on browsers other than Netscape 7 and above Key Generation Input The Key Generation Input input is used for enrollments in which a single key pair will be generated ge...

Page 445: ...certificate Requestor Phone This field is used to enter the phone number of the requestor of this certificate Output Reference An output represents the response to the end user of a successful enrollm...

Page 446: ...llows you to provide references to CRL locations For general information about this extension see authorityInfoAccess on page 757 You can define the following constraints with this default Extension C...

Page 447: ...ue must be a valid domain name in the fully qualified DNS format For example testCA example com If you selected EDIPartyName the value must be an IA5String For example Example Corporation If you selec...

Page 448: ...ing the certificate chain verification process to identify CA certificates and to apply certificate chain path length constraints For general information about this extension see basicConstraints on p...

Page 449: ...tension is set in end entity certificates Permissible values 0 or n Make sure that the value you choose is less than the path length specified in the Basic Constraints extension of the CA signing cert...

Page 450: ...ked with an n in the table to distinguish that the parameter is associated with one of the five possible locations Table 10 3 CRL Distribution Points Extension Configuration Parameters Parameter Descr...

Page 451: ...any of the following formats An X 500 directory name in the RFC 2253 syntax For example CN CA Central OU Research Dept O Example Corporation C US A URIName for example it would look similar to this h...

Page 452: ...s 1 3 6 1 4 1 311 10 3 4 this OID is for the EFS certificate 1 3 6 1 4 1 311 10 3 4 1 this OID is for the EFS recovery certificate The EFS recovery certificate is used by a recovery agent when a user...

Page 453: ...f the five possible locations Table 10 5 Extended Key Usage Extension Default Configuration Parameters Parameter Description Critical Select true to mark this extension critical select false to mark t...

Page 454: ...Select from DirectoryName and URIName PointName_ n If pointType is set to directoryName the value must be a string form of X 500 name similar to the subject name in a certificate For example CN CACen...

Page 455: ...efully consider the legal consequences of its use before setting it for any certificate Select true to set select false to not set keyEncipherment Specifies whether to set the extension for SSL server...

Page 456: ...y parameters for each of these location The parameters are marked with an n in the table to distinguish that the parameter is associated with one of the five possible locations decipherOnly Specifies...

Page 457: ...ed RFC822Name the value must be a valid Internet mail address in fully qualified DNS format For example testCA example com If you selected DirectoryName the value must be a string form of X 500 name s...

Page 458: ...c othername txt PermittedSubtree Enable_ n Select true to enable this permitted subtree entry select false to disable this permitted subtree entry ExcludedSubtrees n min Specifies the minimum number o...

Page 459: ...encoding rules The name must include both a scheme for example http and a fully qualified domain name or IP address of the host For example http testCA example com If you selected IPAddress the value...

Page 460: ...certificate type for example it identifies whether the certificate is a CA certificate server SSL certificate client SSL certificate object signing certificate or S MIME certificate and thus enables y...

Page 461: ...tions Select true to include this capability select false to not include this capability CertEmail Specifies that the certificate can be used to send secure email messages Select true to include this...

Page 462: ...on Constraint on page 475 Extension Constraint see Extension Constraint on page 473 No Constraints see No Constraint on page 475 Policy Constraints Extension Default This default populates a policy co...

Page 463: ...It specifies at the most n subordinate CA certificates are allowed in the path before an explicit policy is required Note that the number you specify affects the number of CA certificates to be used d...

Page 464: ...y equivalent to the subjectDomainPolicy of the subject CA The issuing CA s users may accept an issuerDomainPolicy for certain applications The policy mapping tells these users which policies associate...

Page 465: ...me on page 766 The standard suggests that if the certificate subject field contains an empty sequence then the subject alternative name extension must contain the subject s alternative name and that t...

Page 466: ...hecks the certificate request for configured attributes If the request contains an attribute the policy reads its value and sets it in the extension This way the extension that gets to added to certif...

Page 467: ...tory name similar to the subject name in a certificate For example CN Jane Doe OU Sales Dept O Example Corporation C US Select DNSName if the request attribute value is a DNS name For example corpDire...

Page 468: ...n page 475 Subject Name Default This default populates server side configurable subject name into the certificate request You provide a static subject name that is used as the subject name in the cert...

Page 469: ...certificate profile allows a user to define extensions No inputs are provided to add user supplied extensions to the enrollment form You can create an input for this purpose using the CMS SDK You can...

Page 470: ...Subject Name Default This default populates a user supplied subject name into the certificate request If included in the certificate profile allows a user to supply a subject name for the certificate...

Page 471: ...if the basic constraint in the certificate request satisfies the criteria set in this constraint Table 10 17 Validity Default Configuration Parameters Parameter Description range Specifies the validi...

Page 472: ...n of the CA signing certificate owned by the CA that will issue these certificates 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued that is...

Page 473: ...guration Parameters Parameter Description Critical Specifies whether the extension can be marked critical or noncritical Select true to allow the extension to be marked critical select false to disall...

Page 474: ...onstraints are placed for this parameter keyEncipherment Specifies whether to set the extension for SSL server certificates and S MIME encryption certificates Select true to allow this to be set selec...

Page 475: ...cifies whether to set the extension if the public key is to be used only for deciphering data If this bit is set keyAgreement should also be set Select true to allow this to be set select false to not...

Page 476: ...as Java applets and plug ins Select true to allow this capability select false to not allow this capability select to indicate no constraints are placed for this parameter CertSSLCA Specifies that th...

Page 477: ...all of the following MD2withRSA MD5withRSA SHA1withRSA Table 10 24 Subject Name Constraint Configuration Parameters Parameter Description Pattern Specifies a regular expression specified as a string a...

Page 478: ...etscape Certificate Management System Administrator s Guide June 2003 Table 10 25 Validity Constraint Configuration Parameters Parameter Description range The range parameter is of type integer And th...

Page 479: ...ewer default certificate enrollment feature Certificate Enrollment Profiles see Chapter 10 Certificate Profiles The policies feature will be discontinued in the future release s To enable the feature...

Page 480: ...revocation key archival and key recovery requests For example in the case of a certificate issuance request the outcome would be the certificate content A Certificate Manager s policy can include rule...

Page 481: ...o fall within a predetermined range say between 6 and 24 months A subsystem s policy configuration can consist of one or more policy rules each performing one or more of the following operations Valid...

Page 482: ...s on the request based on the request type The policy processor also filters the rules based on predicates see Using Predicates in Policy Rules on page 483 Note that the policy processor applies only...

Page 483: ...rs AND or OR For example you could set up a predicate to put the CRL Distribution Point extension only in SSL client certificates or set different validity dates for certificates for users in differen...

Page 484: ...n the request Other attributes regarding the end entity such as the user ID are set on the request after successful authentication The servlets also interpret the form content for example retrieving t...

Page 485: ...Attributes for predicates can come from any of the following Input form that is the HTML form that end entities use for submitting certificate requests Authentication token what the authentication su...

Page 486: ...icate server SSL server certificate Enrollment doSslAuth Specifies whether the client is required to do SSL client authentication during enrollment Default values include the following on off Enrollme...

Page 487: ...name attribute_name value attribute_value Enrollment cepsubstore Specifies the name of the CEP service for example cep1 and cep2 When setting up multiple CEP services you can use predicates to differ...

Page 488: ...policy plug in implementation 2 Enter the appropriate values for all the attributes Assume you named the instance ValidityRule1 set the minimum validity period to 10 days set the maximum validity peri...

Page 489: ...AND HTTP_PARAMS orgunit Sales The new configuration would result in certificates with a validity period of six months for users in the Sales organizational unit and a validity period of three months...

Page 490: ...eter In this way you can avoid re creating the rule in the future Because the subsystems subject end entity requests only to rules that are currently enabled keeping unwanted rules in the disabled sta...

Page 491: ...f required To add a new policy rule to the CMS configuration 1 In the Policy Rules Management tab click Add The Select Policy Plugin Implementation window appears It lists registered policy plug in mo...

Page 492: ...figured policy rules in the order in which they are executed by the subsystem 2 To change the order of a rule select it in the list and click the Up or Down button as appropriate Keep in mind that the...

Page 493: ...ic Policy Module Reference Constraints specific policy plug in modules help you define rules or constraints that CMS uses to evaluate an incoming certificate enrollment renewal or revocation request E...

Page 494: ...icy during installation Table 11 3 describes the configuration parameters of the AttributePresentConstraints policy Table 11 3 AttributePresentConstraints Configuration Parameters Parameter Descriptio...

Page 495: ...ntication type basic authentication or SSL client authentication required in order to check attributes in the LDAP directory BasicAuth specifies basic authentication default If you choose this option...

Page 496: ...axConns Specifies the maximum number of connections permitted to the LDAP directory when needed connection pool can grow to this many multiplexed connections Permissible values 3 to 10 the default val...

Page 497: ...ize Specifies the minimum length in bits for the key the length of the modulus in bits The value must be smaller than or equal to the one specified by the maxSize parameter Permissible values 512 or 1...

Page 498: ...Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable default deselect to disable predicate Specifies the predicate expression for t...

Page 499: ...rmissible values RSA or RSA Table 11 7 RenewalConstraints Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable the rule default Dese...

Page 500: ...nstance of the revocation constraints policy named RevocationConstraintsRule that is enabled by default Table 11 9 describes the configuration parameters of the RevocationConstraints policy Table 11 8...

Page 501: ...ion parameters of the RSAKeyConstraints policy predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the field blank default...

Page 502: ...d renewal requests During installation CMS automatically creates an instance of the signing algorithm constraints policy named SigningAlgRule that is enabled by default minSize Specifies the minimum l...

Page 503: ...rly You may apply this policy to CA certificate enrollment and renewal requests Table 11 11 SigningAlgorithmConstraintsConfiguration Parameters Parameter Description enable Specifies whether the rule...

Page 504: ...server accordingly using the policy Alternatively if you want to allow your users to own multiple certificates each for a different use all having the same subject name you can do so easily using the...

Page 505: ...g Specifies whether the certificate request must be checked for the Key Usage extension Note that the policy can check the certificate request for the Key Usage extension only if you deselect the enab...

Page 506: ...mplementation The ability to configure the value of the leadTime parameter in the policy rule allows you to prohibit end entities from requesting certificates whose validity starts too far in the futu...

Page 507: ...me when the policy rule is run The notBefore attribute value specifies the date on which the certificate validity begins validity dates through the year 2049 are encoded as UTCTime dates in 2050 or la...

Page 508: ...cations most likely will not understand your extension By default only noncritical extensions are added to certificates This ensures that the resulting certificates can be used with all clients If you...

Page 509: ...ation Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predicate expression for this rule If you w...

Page 510: ...cifies the address or location to get additional information about the CA that has issued the certificate in which this extension appears Specifying the information based on the following If you selec...

Page 511: ...Pv4 address must be in the n n n n format for example 128 21 39 40 IPv4 address with netmask must be in the n n n n m m m m format For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the add...

Page 512: ...6 AuthorityKeyIdentifierExt Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predica...

Page 513: ...ng up the chain The maxPathLen parameter has no effect if the extension is set in end entity certificates Permissible values 0 or n Make sure that the value you choose is less than the path length spe...

Page 514: ...this rule If you want this rule to be applied to all certificate requests leave the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 483 critical Specifi...

Page 515: ...isplayText Specifies the textual statement to be included in certificates this parameter corresponds to the explicitText field of the user notice If you want to embed a textual statement for example y...

Page 516: ...form a predicate expression see Using Predicates in Policy Rules on page 483 critical Specifies whether the extension should be marked critical or noncritical Select to mark critical deselect to mark...

Page 517: ...r future time in seconds by which the certificate must be renewed the endTime field of the extension will be set to the specified time since certificate issuance You can specify the time period in sec...

Page 518: ...icate for client authentication the extension enables the certificate using application to restrict the release of individual certificates to web sites requesting SSL client authentication The certifi...

Page 519: ...ry name Select dNSName if the site is a DNS name default Select ediPartyName if the site is a EDI party name Select URL if the site is a uniform resource identifier Select iPAddress if the site is an...

Page 520: ...0 IPv4 address with netmask must be in the n n n n m m m m format For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form with netmask separated by a comma Exam...

Page 521: ...ion points to be included in the extension it must be an integer greater than zero The default is 3 Note that when you set a number other than O each distribution point has its own set of configuratio...

Page 522: ...nstants unused keyCompromise cACompromise affiliationChanged superseded cessationOfOperation certificateHold issuerName n Specifies the name of the issuer that has signed the CRL maintained at distrib...

Page 523: ...he private key and the data encrypted with that key needs to be used CMS supports the above two OIDs and allows you to issue certificates containing extended key usage extension with these OIDs Normal...

Page 524: ...ifying that no key usage purposes can be contained in the extension or n specifies the total number of key usage purposes to be included in the extension it must be an integer greater than zero The de...

Page 525: ...ting and testing the server in a production environment you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs See Appendix H Object Identifiers for information on...

Page 526: ...lation CMS automatically creates an instance of the generic ASN 1 extension policy named GenericASN1Ext that is disabled by default Configuration Parameters of GenericASN1Ext The configuration defines...

Page 527: ...values A valid OID specified in dot separated numeric component notation see the example Although you can invent your own OIDs for the purposes of evaluating and testing this server in a production e...

Page 528: ...ing for extensions that have ASN 1 PrintableString values It s case insensitive and accepts any normal string as value Select UTCTime for site defined extensions that have ASN 1 UTCTime values Select...

Page 529: ...ue For example 1234567890 If the data type is IA5String enter a normal string as value For example Test of IA5String If the data type is OctetString and if the data source is Value enter the value in...

Page 530: ...hether the extension should be marked critical or noncritical Select to mark critical default deselect to mark noncritical numGeneralNames Specifies the total number of alternative names or identities...

Page 531: ...If you selected rfc822Name the value must be a valid Internet mail address in the local part domain format see the definition of an rfc822Name as defined in RFC 822 http www ietf org rfc rfc0822 txt...

Page 532: ...at For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form described in RFC 1884 http www ietf org rfc rfc1884 txt with netmask separated by a comma Examples of...

Page 533: ...6 lists the bits and their designated purposes You can restrict the purposes for which a key pair and thus the corresponding certificate should be used by setting the appropriate key usage bits For ex...

Page 534: ...g by editing the enrollment forms as you can do this easily by making the appropriate changes to the policy instance bits set on the server side override the ones set on the client side However if you...

Page 535: ...e enrollment form ManRAEnroll html for requesting Registration Manager signing certificates ServerCertKeyUsageExt This rule is for setting the appropriate key usage bits in SSL server certificates and...

Page 536: ...ether to set the digitalSignature bit or bit 0 of the key usage extension in certificates specified by the predicate parameter Permissible values true false or HTTP_INPUT Select true if you want the s...

Page 537: ...e server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable correspon...

Page 538: ...if you want the server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input var...

Page 539: ...u don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corresponding to the decipherOnly bit and set the bit accor...

Page 540: ...r of permitted subtrees to be included in the extension it must be an integer greater than zero The default value is 8 numExcludedSubtrees Specifies the total number of subtrees to be excluded in the...

Page 541: ...ryName permittedSubtrees n base generalNameValue Specifies the general name value for the permitted subtree you want to include in the extension Permissible values Depends on the general name type you...

Page 542: ...IPv4 the address should be in the form specified in RFC 791 http www ietf org rfc rfc0791 txt IPv4 address must be in the n n n n format for example 128 21 39 40 IPv4 address with netmask must be in...

Page 543: ...are allowed excludedSubtrees n base generalNameChoice Specifies the general name type for the excluded subtree you want to include in the extension Permissible values rfc822Name directoryName dNSName...

Page 544: ...For example CN SubCA OU Research Dept O Example Corporation C US If you selected dNSName the value must be a valid domain name in the preferred name syntax as specified by RFC 1034 http www ietf org r...

Page 545: ...FFFF FFFF FFFF FFFF FFFF FF00 0000 If you selected OID the value must be a unique valid OID specified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 If you selected otherNa...

Page 546: ...section Using Predicates in Policy Rules in Chapter 18 Setting Up Policies of CMS Administrator s Guide Example HTTP_PARAMS certType client critical Specifies whether the extension should be marked c...

Page 547: ...o default value displayText Specifies the textual statement that should be included in certificates If you want to embed a textual statement for example your company s legal notice in certificates the...

Page 548: ...the extension by enabling the Netscape certificate type extension policy and which bits are to be set by adding the appropriate HTTP variables to the enrollment forms Bits set in the Netscape certific...

Page 549: ...quested using the form For example the server enrollment form embeds the ssl_server variable whereas the subordinate CA Certificate Manager enrollment form embeds the ssl_client email_ca ssl_ca and ob...

Page 550: ...ficate requests leave the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 483 setDefaultBits Specifies whether to set the Netscape certificate type exte...

Page 551: ...nt For general information about this extension see policyConstraints on page 765 During installation CMS automatically creates an instance of the policy constraints extension policy named PolicyConst...

Page 552: ...t in end entity certificates Permissible values 1 0 or n 1 specifies that the field should not be set in the extension default 0 specifies that no subordinate CA certificates are permitted in the path...

Page 553: ...he rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the...

Page 554: ...can invent your own OIDs for the purposes of evaluating and testing this server in a production environment you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs S...

Page 555: ...t this extension see subjectAltName on page 766 notBefore Specifies the date on which the validity period for the private key associated with the certificate begins Permissible values A valid date spe...

Page 556: ...S in section JavaScript Used By All Interfaces of CMS Customization Guide You can also distinguish the attributes based on their origin that is whether they originated from the enrollment form or wher...

Page 557: ...ribute whose value is to be included in the extension The attribute value must conform to any of the supported general name types specified by the generalName n generalNameChoice parameter If the serv...

Page 558: ...hentication instance is set to mail or mailalternateaddress or to both The third attribute HTTP_PARAMS csrRequestorEmail is the email component of the subject name in an enrollment request it is an HT...

Page 559: ...e extension you need to specify the attribute name and its value the name must be the X 500 directory attribute name itself and the attribute value can be derived from the request or directly entered...

Page 560: ...teger derived from the value you assign in this field For example if you set the numAttributes parameter to 2 n would be 0 and 1 attribute n attrib uteName Specifies the name of the directory attribut...

Page 561: ...s section explains how to use the CMS window to perform the following operations Table 11 41 SubjectKeyIdentifierExt Configuration Parameters Parameter Description enable Specifies whether the rule is...

Page 562: ...1 Log in to the CMS window see Logging Into the CMS Console on page 245 2 Select the Configuration tab 3 In the navigation tree select the subsystem that will use the module you want to register 4 Se...

Page 563: ...y framework 1 Log in to the CMS window see Logging Into the CMS Console on page 245 2 Select the Configuration tab 3 In the navigation tree select the subsystem that registers the module you want to d...

Page 564: ...Managing Policy Plug in Modules 564 Netscape Certificate Management System Administrator s Guide June 2003...

Page 565: ...d Notifications The automated notifications feature is an event driven system that sends email notifications when the specified event occurs The system uses listeners that monitor the system to determ...

Page 566: ...of automated notifications are available Certificate Issued Request In Queue Certificate Revocation Certificate Issued A notification message is automatically sent to users who have been issued certif...

Page 567: ...d the notification is sent to the email address specified in the Sender s Email Address field specified when you set up this notifications as undeliverable notification You can customize the email res...

Page 568: ...is the email address of the person who is notified of any delivery problems Subject Type the subject title for the notification Recipient s E Mail Address Type the recipient s full email address this...

Page 569: ...r notification message are explained in the procedure in the section Setting Up Automated Notifications on page 567 5 Save the file 6 Restart the server instance 7 If you set up a job that sends autom...

Page 570: ...of HTML templates Tokens are variables identified with the dollar sign character in the message that are replaced by the current value when the message is constructed See Token Definitions on page 573...

Page 571: ...website http IT if you have any problems Notification Message Templates Notification message templates are located in the following directory server_root cert instance_id emails You can change the na...

Page 572: ...certificate is revoked certRequestRevoked_CA html Template for the Certificate Manager to send HTML based notifications to end entities when their certificate is revoked certRequestRevoked_RA Templat...

Page 573: ...he time the job instance was run HexSerialNumber Specifies the serial number of the certificate that has been issued in hexidecimal format HttpHost Specifies the fully qualified host name of the Certi...

Page 574: ...e displayed as a hexadecimal value in the resulting message Status Specifies the status of the request SubjectDN Specifies the distinguished name of the certificate subject SummaryItemList Specifies t...

Page 575: ...execute specific jobs at specified times The job scheduler functions similar to a traditional Unix cron daemon in that it takes registered cron jobs and executes them at a preconfigured date and time...

Page 576: ...The types of automated jobs are RenewalNotification RequestInQueue and UnpublishExpired RenewalNotificationJob The RenewalNotification job checks for certificates that are about to expire in the inte...

Page 577: ...tlined in section Updating Certificates and CRLs in a Directory on page 658 You can create additional automated jobs using the CMS SDK Setting Up the Job Scheduler The Certificate Manager and Registra...

Page 578: ...to be valid For example the following entry specifies a job execution time of midnight on the first and fifteenth of every month and on every Monday 0 0 1 15 1 To specify one day type without the othe...

Page 579: ...hat meet the cron specification By default it is set to one minute See Frequency Settings for Automated Jobs on page 577 The window for entering this information may appear too small Drag the corners...

Page 580: ...n to the CMS console see Logging Into the CMS Console on page 245 3 Select the Configuration tab 4 In the navigation tree select Job Scheduler then select Jobs The Job Instance tab appears showing the...

Page 581: ...Configuration Parameters of UnpublishExpiredJob on page 585 for details about these parameters 8 Click Ok 9 Click Refresh 10 If you set up a job that sends automated messages check that your have corr...

Page 582: ...h jobsScheduler job unpublishExpiredCerts see Configuration Parameters of UnpublishExpiredJob on page 585 for details about these parameters 5 Save the file 6 Restart the server instance 7 If you set...

Page 583: ...ery problems emailSubject Specifies the text of the subject line of the notification message emailTemplate Specifies the path including the filename to the directory that contains the template to be u...

Page 584: ...emplate to be used for formulating the summary report email notification For details see Customizing Notification Messages on page 587 Table 13 3 RequestInQueueJob Parameters Parameter Description ena...

Page 585: ...e summary emailTemplate Specifies the path including the filename to the directory that contains the template to be used for creating the summary report For details see Customizing Notification Messag...

Page 586: ...server to send the summary report summary emailSubject Specifies the subject line of the summary message summary emailTemplate Specifies the path including the filename to the directory that contains...

Page 587: ...essages by modifying the HTML commands included in the HTML template for that message type Templates for Summary Notifications Notification message templates are located in the following directory ser...

Page 588: ...be sent to agents and administrators Uses the rnJob1Item txt template to format items in the message rnJob1Item txt Template for formatting the items to be included in the summary report Table 13 6 T...

Page 589: ...Date Specifies the date the certificate was revoked SenderEmail Specifies the email address of the sender SerialNumber Specifies the serial number of the certificate the serial number will be displaye...

Page 590: ...Configuration tab 3 In the navigation tree select Job Scheduler then select Jobs The Job Instance tab appears It lists any currently configured jobs 4 Select the Job Plugin Registration tab The Job P...

Page 591: ...cate a server administrator or by a Certificate Manager agent End users can revoke certificates by using the Revocation form provided in the end entity services interface Agents can revoke end entity...

Page 592: ...to do so removes the revoked certificates from the publishing directory and updates the CRL in the publishing directory Authentication of End Users During Certificate Revocation When an end user submi...

Page 593: ...ial number of the certificate the user wants to revoke and the challenge password associated with the certificate The server verifies the authenticity of a revocation request by mapping the serial num...

Page 594: ...then send the signed request to the Certificate Manager The enabled instance of the CMCAuth plug in module also activates CMC revoke when it is enabled the default When this method is setup the Certi...

Page 595: ...hat exists d The directory where cert8 db key3 db and secmod db containing the agent certificate are located n The nickname of the agent s certificate i The issuer name of the certificate being revoke...

Page 596: ...ed page confirms that the certificate 22 has been revoked About CRLs Server and client applications that use public key certificates as tokens of identification need access to information about the va...

Page 597: ...directory or an OCSP responder Note that the Registration Manager cannot create or publish CRLs although it can take revocation requests and pass them on to the Certificate Manager A CRL is issued and...

Page 598: ...server End users are also required to authenticate to the server in order to revoke their certificate Whenever a certificate is revoked the Certificate Manager updates the status of the certificate i...

Page 599: ...L issuing points specified in the certificate instead of the master or main CRL the application would check the CRL maintained at the issuing point which would be smaller in size compared to the maste...

Page 600: ...ce its creation For example if the numbering were as simple as 1 2 3 the first CRL would be CRL 1 The second CRL would be CRL 2 and the delta would be deltaCRL 2 The deltaCRL 2 would reference CRL 1 a...

Page 601: ...revoked certificates from the entire CA ARL Authority Revocation List containing only revoked CA certificates Master CRL and Expired Certificates Containing the list of revoked certificates from the...

Page 602: ...t that issuing point and click Edit You can only change the description for the issuing point and change the status from enabled to disabled 4 To add an issuing point click Add The CRL Issuing Point E...

Page 603: ...dragging at one of the corners some fields in this window do not appear large enough to read the content In the Update Frequency section specify the interval for publishing the CRL to the directory E...

Page 604: ...Include expired certificates Select if you want the server to include revoked certificates that have expired in the CRL If this is enabled information about revoked certificates will remain in the CR...

Page 605: ...n this step you modify the default rules to suit your organization s requirements To specify the CRL extensions 1 In the navigation tree select Certificate Manager and then select CRL Issuing Points N...

Page 606: ...n is used to identify the public key that corresponds to the private key used by a CA to sign CRLs The PKIX standard recommends that the CA must include this extension in all CRLs it issues The reason...

Page 607: ...of a certificate included in the CRL For general guidelines on setting the CRL reason code in CRL entries see reasonCode on page 775 For a list of reason codes see Reasons for Revoking a Certificate o...

Page 608: ...ault critical Select if you want the server to mark the extension critical default deselect if you want the server to mark the extension noncritical Table 14 5 FreshestCRL Configuration Parameters Par...

Page 609: ...olute pathname and must specify the host For example http testCA example com get your crls here Table 14 6 HoldInstruction Configuration Parameters Parameter Description enable Specifies whether the r...

Page 610: ...enables binding of or associating alternative identities such as a mail address a DNS name an IP address and a uniform resource indicator URI with the issuer of the CRL For general guidelines on setti...

Page 611: ...directoryName if the name is an X 500 directory name Select dNSName if the name is a DNS name Select ediPartyName if the name is a EDI party name Select URL if the name is a uniform resource identifi...

Page 612: ...ing distribution point extension in CRLs see issuingDistributionPoint on page 773 If the type is URL the value must be a non relative universal resource identifier URI For example http testCA example...

Page 613: ...he pointType parameter If the pointType attribute is set to DirectoryName the name must be an X 500 Name For example CN CRLCentral OU Research Dept O Example Corporation C US If the pointType attribut...

Page 614: ...of revoked certificates default onlyContainsUserCerts Select if the distribution point contains user certificates only deselect if the distribution point contains all types of certificates default in...

Page 615: ...an online validation authority using the appropriate protocol This chapter explains how to configure the Certificate Manager or Registration Manager to publish certificates and CRLs to a file to a dir...

Page 616: ...pes of CRL files For example you can publish CA certificates to one location while publishing user certificates to a completely different location Similarly you can publish different types of certific...

Page 617: ...in LDAP publishing Mappers allow you to construct the DN for an entry based on information from the certificate or the certificate request The server needs to figure out the DN of the entry in which t...

Page 618: ...0 PST 2000 will be crl 949102696899 der About LDAP Publishing The ability of a server to publish certificates CRLs and other certificate related objects to a directory using the LDAP or LDAPS protocol...

Page 619: ...s issued updated or revoked the publishing system is invoked and the certificate or CRL is evaluated by the rules to see if it matches the type and predicate set in the rule The type setting specifies...

Page 620: ...replace any certificate or CRL that is already published to this attribute For rules that specify to publish to an Online Certificate Status Manager a CRL is published to this manager certificates are...

Page 621: ...you want to publish all CRLs If you are publishing different types of CRLS to separate locations create a publisher for each location you will publish to specifying the location you will publish You...

Page 622: ...ou can set up rules for each object type CA certificate CRL user certificate and cross pair certificate or you can even further divide the rules so that you have different rules for different kinds of...

Page 623: ...configure Publishers for LDAP publishing Configuring Publishers for Publishing to a File You need to create and configure a Publisher for each publishing location publishers are not automatically cre...

Page 624: ...Select Publisher Plug in Implementation window appears It lists registered publisher modules 5 Select the module named FileBasedPublisher This is the only Publisher module that enables the Certificat...

Page 625: ...s certificates 8 Click OK You are returned to the Publishers Management tab It should now list the publisher you just created 9 Repeat this procedure creating all the publishers you will need Configur...

Page 626: ...the Certificate Manager see Logging Into the CMS Console on page 245 2 Select the Configuration tab 3 In the navigation tree select Certificate Manager select Publishing and then select Publishers Th...

Page 627: ...lphanumeric string with no spaces For example Ca1CrlToOcspResponder host Type the fully qualified DNS host name of the Online Certificate Status Manager For example ocspResponder example com port Type...

Page 628: ...publish cross signed certificates to the LDAP directory The publishers are enabled and configured using the X 500 standard attributes for storing certificates and CRLs You do not need to modify the pr...

Page 629: ...lation the Certificate Manager automatically creates an instance of the LdapCaCertPublisher module for publishing the CA certificate to the directory that is already enabled and configured Table 15 1...

Page 630: ...he directory LdapCrlPublisher The LdapCrlPublisher plug in module enables you to configure a Certificate Manager to publish or unpublish the CRL to the certificateRevocationList binary attribute of a...

Page 631: ...s not one already Similarly it also removes the certificationAuthority object class on unpublish if the CA has no other certificates During installation the Certificate Manager automatically creates...

Page 632: ...e or some other input information This relationship can either be one in which the exact DN of the entry can be derived from the information using the mapper to derive this DN or one in which the info...

Page 633: ...each of these macros specifying the DN pattern used and whether or not you want CMS to create the CA entry in the directory To use other mappers create an instance of the mapper you want to use and th...

Page 634: ...n window appears It lists registered mapper modules b Select a module For complete information about these modules see Mapper Plug in Modules Reference on page 635 c Click Next The Mapper Editor windo...

Page 635: ...n AVAs check the directory documentation The CA certificate mapper allows you to specify whether to create an entry for the CA or to just map the certificate to an existing entry or to do both Note th...

Page 636: ...u select the Certificate Manager first attempts to create an entry for the CA in the directory If the Certificate Manager succeeds in creating the entry it then attempts to publish the CA s certificat...

Page 637: ...automatically creates this mapper during installation You can use this mapper for creating an entry for the CA in the directory and for mapping the CRL to the CA s entry in the directory By default th...

Page 638: ...certificate to an LDAP directory entry by deriving the entry s DN from components specified in the certificate request certificate s subject name certificate extension and attribute variable assertio...

Page 639: ...re subject DN specified in the mapper configuration For example assume the certificate subject name is this UID jdoe O Example Corporation C US When searching the directory for the entry the Certifica...

Page 640: ...ts and filter components match an error is returned If the filter components are null a base search is performed Note that both DNComps and filterComps parameters accept valid DN components or attribu...

Page 641: ...ll of these components CN OU O L ST and C to build a DN for searching the directory When creating a mapper rule you can specify the components the server should use to build a DN that is components to...

Page 642: ...ider another example that shows how two directory entries with similar DNs can be differentiated by the value of the UID attribute Assume that the two Jane Doe entries are distinguished by the value o...

Page 643: ...specified by that DN for entries matching the filter specified by filterComps parameter values Permissible values Valid DN components or attributes separated by commas filterComps Specifies component...

Page 644: ...e and then where it is to be published Determining if the object meets the rule is done by matching the type and predicate set up in the rule with the object itself Determining where matching objects...

Page 645: ...ter 15 Publishing 645 4 To edit an existing rule select that rule from the list and click Edit The Rule Editor window appears 5 To create a rule a Click Add The Select Rule Plugin Implementation windo...

Page 646: ...he only module If you have registered any custom modules they too will be available for selection c Click Next The Rule Editor window appears 6 Enter the appropriate information Rule ID Type a name fo...

Page 647: ...lisher you created that will be associated with this rule For example if this rule publishes user certificates to a file chose the publisher that publishes to a file in the location set up for user ce...

Page 648: ...CRL set isDeltaCRL false in order to publish only the master CRL For example issuingPointId MasterCRL isDeltaCRL false To publish only the delta CRL set isDeltaCRL true in order to publish only the de...

Page 649: ...Rule Configuration Parameters Parameter Value Description type xcert Specifies the type of certificate that will be published Select from the pull down menu predicate Specifies a predicate for this p...

Page 650: ...dapUserCertMap Specifies the mapper used with this rule See LdapSimpleMap on page 638 for details on this mapper publisher LdapUserCertPublisher specifies the publisher used with this rule See LdapUse...

Page 651: ...To enable LDAP publishing select both Enable Publishing and Enable Default LDAP Connection options In the Destination section identify the Directory Server instance Host name Type the fully qualified...

Page 652: ...ertificate for this purpose LDAP version Select the version of LDAP protocol appropriate to your version of Directory Server If the directory you want the Certificate Manager to publish to is based on...

Page 653: ...You should see a file with name similar to cert serial_number der where serial_number specifies the serial number of the certificate contained in the file 5 Convert the DER encoded certificate to its...

Page 654: ...m using the Pretty Print Certificate tool see Chapter 9 Pretty Print Certificate Tool of CMS Command Line Tools Guide To convert the base 64 encoded certificate to a human readable form a Check the co...

Page 655: ...e value derived from the time dependent variable named This Update of the CRL contained in the file If you don t see the file check your configuration 10 Convert the DER encoded CRL to its base 64 enc...

Page 656: ...s If the directory object that it finds does not allow the userCertificate binary attribute the addition or removal of that specific certificate fails If you have created user entries as inetOrgPerson...

Page 657: ...CA s distinguished name begins with the OU component create a new organizational unit entry for the CA Note that the entry you create doesn t have to be in the certificationAuthority object class The...

Page 658: ...g methods of communication Publishing With Basic Authentication Publishing Over SSL Without Client Authentication Publishing Over SSL With Client Authentication See the Netscape Directory Server docum...

Page 659: ...ht be down for a while and be unable to receive changes from the Certificate Manager In such a situation use the forms provided in the Certificate Manager Agent Services interface to manually update t...

Page 660: ...Manager is installed as a root CA when using the agent interface to update the directory with valid certificates the CA signing certificate may get published using the publishing rule set up for user...

Page 661: ...d in the update When the directory is updated the Certificate Manager will display a status report If the process gets interrupted for some reason the server logs an error message Be sure to check log...

Page 662: ...plug in click Register 7 Specify information as appropriate Plugin name Type a name for the plug in module Class name Type the full name of the class for this module that is the path to the implement...

Page 663: ...tion about how to install and configure each of the subsystem clones CMS High Availability Overview Cloning the Certificate Manager Cloning the Online Certificate Status Manager Cloning the Data Recov...

Page 664: ...ime as the other machine is brought back online The cloning feature in CMS also supports scalability by assigning the same task to separate instances on different machines e g handling certificate req...

Page 665: ...an generate the CRLs See Cloned Master CA Conversion on page 681 for more information about configuring a clone for CRL generation during failover Load balancing The load balancer in front of a CMS sy...

Page 666: ...create a clone you must make sure that the instance you are cloning has been properly installed and configured since some of that configuration data is copied over to the new instance In particular y...

Page 667: ...ple as the Starting certificate number This will ensure that the master Certificate Manager has sufficient serial numbers for its own certificates such as the CA signing certificate SSL server certifi...

Page 668: ...ue keys obtained by using the renewal process this scenario requires advanced manual configuration and therefore is not recommended Cloning the CA To setup cloning for a Certificate Manager CA subsyst...

Page 669: ...the Certificate Manager Chapter 16 Configuring CMS for High Availability 669 3 The Installation Wizard asks you to copy the key and certificates from the master CA to the clone if you have not already...

Page 670: ...cate Manager you need to make the keys and certificates used by the master Certificate Manager available to the Certificate Manager clone If the master Certificate Manager s keys and certificates are...

Page 671: ...ertificate Manager s keys and certificates are stored in the hardware token you must also copy the keys and certificates following the instructions provided by the hardware token vendor 5 Open the Ser...

Page 672: ...e Manager System Administrator s Guide June 2003 8 In the Local Consumer Database dialog specify what type of database you are creating a Either select Create a local consumer database to create a new...

Page 673: ...xisting LDAP server as the internal database for the cloned Certificate Manager instance If you select the remote database make sure that you have already created an LDAP server containing a base suff...

Page 674: ...ng the Certificate Manager 674 Netscape Certificate Manager System Administrator s Guide June 2003 9 Configure replication between the cloned CA database and the master CA database in the following di...

Page 675: ...ion Manager role in the Master database the password for the Replication Manager role in the Consumer database and the agreement names between the master and clone s databases See Configuring the Cert...

Page 676: ...Ending certificate number field specify the highest serial number available for this CA For both the fields you can enter the number in decimal or hexadecimal 0xnn CA s request number range On this s...

Page 677: ...eld so that the clone can redirect Update CRL requests to the master CA see About CRLs on page 596 for more information about CRLs 12 Choose the cloned CA s signing certificate the OCSP s signing cert...

Page 678: ...s in the pull down menus follow the instructions in Step 4 above to copy the key and certificate database material over correctly 13 Configure the master CA s CRL cache to accept changes from the new...

Page 679: ...cloned CA or the master CA Additionally for the purpose of high availability it is strongly encouraged that CRL publishing is enabled in this cloned CA presuming that CRL publishing has been enabled i...

Page 680: ...lly most CRLs contain a field that specifies the next update time for both full and delta CRLs By default for full CRLs this field indicates the generation time of the next full CRL However full CRLs...

Page 681: ...itor database replication changes Master CAs maintain the CRL cache Master CAs generate the CRL Cloned CAs redirect CRL generation requests Converting a Master CA into a Cloned CA Since only one maste...

Page 682: ...t ca crl IssuingPointId enableCRLCache false d To disable CRL generation modify all of the enableCRLUpdates lines if they exist by changing true to false adding each line in if it does not already exi...

Page 683: ...lled serverRoot cert masterID config CMS cfg and copying each line beginning with the ca crl prefix into this selected cloned CA s serverRoot cert cloneID config CMS cfg file ca crl c To enable contro...

Page 684: ...ice internal to the Certificate Manager which responds to status requests by going to the Certificate Manager s internal database and a separate Online Certificate Status Manager subsystem When you cr...

Page 685: ...sure that the instance you are cloning has been properly installed and configured since some of that configuration data is copied over to the new instance In particular you must verify the following a...

Page 686: ...r the cloned Online Certificate Status Manager since the SSL server certificate DN should contain the hostname of the load balancer as the common name CN attribute If the cloned Online Certificate Sta...

Page 687: ...ster available to the Online Certificate Status Manager clone If the master Online Certificate Status Manager s keys and certificates are stored in the internal software token you need to copy the cer...

Page 688: ...ready created an LDAP server containing a base suffix of o netscapeCertificateServer on the host whose host name and port number you specify in the fields in the lower portion of the Installation Wiza...

Page 689: ...ectly Once the configuration for the clone is done the cloned Online Certificate Status Manager will be available in the Netscape Console Follow the instructions in the next section to verify that the...

Page 690: ...an existing cloned OCSP Responder into a new master OCSP Responder e g a catastrophic failure of the existing master OCSP Responder one needs to first convert the master existing offline master OCSP R...

Page 691: ...ed OCSP Responders must now be converted into the new online master OCSP Responder First ensure that the master master OCSP Responder is no longer running and has already been converted into an offlin...

Page 692: ...he following aspects of the master Data Recovery Manager that you want to clone 1 Make sure that the master Data Recovery Manager is configured and working properly Also verify the following a Check t...

Page 693: ...Data Recovery Manager If you are not using a load balancer and your master and cloned Data Recovery Managers exist on separate machines e g a proprietary configuration which expects usernames A M usi...

Page 694: ...machine_name key3 db III On the host machine of the clone go to this directory server_root alias IV Copy the certificate and key database files from the master Data Recovery Manager to the clone If th...

Page 695: ...eating a Either select Create a local consumer database to create a new clone database local to the cloned Data Recovery Manager b Or select Connect to the existing remote LDAP server to use the exist...

Page 696: ...hives it creates in the Starting key number field In the Ending key number field specify the highest key number available for this DRM DRM s request number range On this screen specify the lowest requ...

Page 697: ...nd configuration files over correctly 13 Once the configuration for the cloned DRM instance is done the cloned DRM instance will be available for data recovery Follow the instructions in the next sect...

Page 698: ...and functional 1 Go to the DRM agent page 2 Click List Requests 3 Select Show all requests from the pull down menu for Request type Select Show all requests from the pull down menu from Request statu...

Page 699: ...omponents Security Audit FAU FAU_GEN 1 Audit data generation iteration 1 FAU_GEN 2 User identity association iteration 1 FAU_SAR 1 Audit Review FAU_SAR 3 Selectable audit review FAU_SEL 1 Selective au...

Page 700: ...y functions behavior iteration 1 FMT_MSA 1 Management of security attributes FMT_MSA 2 Secure security attributes FMT_MSA 3 Static attribute initialization FMT_MTD 1 Management of TSF data FMT_SMR 2 R...

Page 701: ...itionally the audit shall not include plaintext private or secret keys or other critical security parameters Table A 2 Auditable Events and Audit Data Section Function Component Event Additional Detai...

Page 702: ...e IT environment shall provide the ability to perform searches of audit data based on the type of event the user responsible for causing the event and as specified in Table A 3 below FAU_SEL 1 Selecti...

Page 703: ...generation FCS_CKM 1 1 The FIPS 140 1 validated cryptographic module shall generate cryptographic keys in accordance with any FIPS approved or recommended cryptographic key generation algorithm that...

Page 704: ...y deny access of subjects to objects based on the none FDP_ITT 1 Basic internal transfer protection iteration 1 FDP_ITT 1 1 The IT environment shall enforce the CIMC IT Environment Access Control Poli...

Page 705: ...r security attributes FIA_UAU 1 Timing of authentication iteration 1 FIA_UAU 1 1 The IT environment shall allow HTTP and LDAP based services1 on behalf of the user to be performed before the user is a...

Page 706: ...ment Access Control Policy specified in CIMC TOE Access Control Policy on page 709 to provide restrictive default values for security attributes that are used to enforce the SFP FMT_MSA 3 2 The IT env...

Page 707: ...machine testing FPT_AMT 1 1 The IT environment shall run a suite of tests other conditions during initial start up periodically during normal operation or at the request of an authorized user to demo...

Page 708: ...ce and tampering by untrusted subjects FPT_SEP 1 2 Each operating system in the IT environment shall enforce separation between the security domains of subjects in its scope of control FPT_STM 1 Relia...

Page 709: ...he security objective O Integrity protection of user data and software and O Periodically check integrity Trusted path channels FTP FTP_TRP 1 Trusted path FTP_TRP 1 1 The IT environment shall provide...

Page 710: ...ndividuals with different access authorizations Roles with different access authorizations Individuals assigned to one or more roles with different access authorizations Access type with explicit allo...

Page 711: ...hapter contains the following sections PKI Overview Security Objectives TOE Security Environment Assumptions Security Requirements for the IT Environment IT Environment Assumptions CMS Privileged User...

Page 712: ...ified Implement automated notification or other responses to the TSF discovered attacks in order to identify attacks and create an attack deterrent Require inspection for downloads Respond to possible...

Page 713: ...vate and Secret Keys CMS certificate private keys and secret keys are to be generated and stored in a FIPS 140 1 level 3 certified hardware cryptographic token The CMS private asymmetric keys are Priv...

Page 714: ...ystem and depend on which CMS subsystem has been installed All of the privileged roles see About Roles on page 717 for more information about privileges require SSL client authentication by presenting...

Page 715: ...on authorization mechanism Conceptually this role is not an actual privileged role that a user can be assigned to Rather the Trusted Manager role is a means of establishing trust between two CMS subsy...

Page 716: ...he subsystem from the command line Data Recovery Manager Agents Can approve recovery of subject private keys via SSL capable browsers to the DRM Agent interface Can export recovered subject private ke...

Page 717: ...command line Online Certificate Status Manager Agents Can add CRLs to the OCSP Responder Agent interface via SSL capable browsers Can define supported CAs via SSL capable browsers to the OCSP Responde...

Page 718: ...nt Setup and Installation Guide Understanding Setup of Common Criteria Evaluated Netscape CMS Appendix C Understanding the Common Criteria Evaluated CMS Setup provides a high level description of the...

Page 719: ...CMS Common Criteria Environment Setup and Installation Guide Appendix B Common Criteria Environment Setup and Operations 719...

Page 720: ...CMS Common Criteria Environment Setup and Installation Guide 720 Netscape Certificate Management System Administrator s Guide June 2003...

Page 721: ...contained in the document CMS Common Criteria Setup Procedure Understanding the Common Criteria Environment This section describes the environment before CMS is installed and configured Secure Enviro...

Page 722: ...example the user Joe cannot be both the CA Administrator and Agent for the same CA subsystem See CMS Privileged Users and Groups Roles on page 714 for a description of the various CMS privileged role...

Page 723: ...ser ID account preventing users from logging in with this user ID Understanding CMS Installation You must install CMS on each host on which a CMS subsystem is installed You can set up the environment...

Page 724: ...ee The Administrative Interface on page 242 For instructions on how to set up SSL client authorization for the CMS console see Appendix I Introduction to SSL Backup and Restore of a CMS Subsystem CMS...

Page 725: ...Recovery Manager to a Registration Manager is one possible CMS deployment scenario it is not currently part of the Common Criteria Evaluation You can install and configure an OCSP responder to any CA...

Page 726: ...main guidance documents where detailed information is provided for each feature but you will need to follow the CMS Common Criteria Setup Procedure in order to set up a Netscape CMS Common Criteria e...

Page 727: ...the Access Control feature are not part of the Common Criteria Environment Audit Logs The Common Criteria Environment requires that the signed audit log file feature be enabled and configured Signed...

Page 728: ...up the CRL feature you cannot set up a CRL that does not have an update frequency specified in the Update at this frequency field Compliant CRLs must contain the nextUpdateTime extension which will no...

Page 729: ...g it is highly recommended that you set it up using SSL client authentication and that you set up the Directory Server in SSL mode as well For information about publishing see Chapter 15 Publishing Se...

Page 730: ...also provides features to recover the user private keys that it has archived Key recovery requires Data Recovery Manager Agents to work in cooperation You will be instructed to configure the key reco...

Page 731: ...es including security objectives for the TOE security objectives for the environment and security objectives for both the TOE and environment 1 1 Security Objectives for the TOE This section includes...

Page 732: ...on Provide sufficient backup storage and effective restoration to ensure that the system can be recreated 1 1 3 Cryptography O Non repudiation Prevent user from avoiding accountability for sending a m...

Page 733: ...s histories variations etc through enforced authentication data management Note this objective is not applicable to biometric authentication data O Communications Protection Protect the system against...

Page 734: ...cal Protection Those responsible for the TOE must ensure that the security relevant components of the TOE are protected from physical attack that might compromise IT security O Social Engineering Trai...

Page 735: ...y in accordance with security requirements recommended by the National Institute of Standards and Technology O Periodically check integrity Provide periodic integrity checks on both system and softwar...

Page 736: ...ckup data O Individual accountability and audit records Provide individual accountability for audited events Record in audit records date and time of action and the entity responsible for the action O...

Page 737: ...n the system O Require inspection for downloads Require inspection of downloads transfers O Respond to possible loss of stored audit records Respond to possible loss of audit records when audit trail...

Page 738: ...ment 738 Netscape Certificate Management System Administrator s Guide June 2003 O React to detected attacks Implement automated notification or other responses to the TSF discovered attacks in an effo...

Page 739: ...n Security Policies 1 1 Secure Usage Assumptions The usage assumptions are organized in three categories personnel assumptions about administrators and users of the system as well as any threat agents...

Page 740: ...CPS under which the TOE is operated A Disposal of Authentication Data Proper disposal of authentication data and associated privileges is performed after access has been removed e g job termination c...

Page 741: ...y this CIMC to counter the perceived threats for the appropriate Security Level identified in this family of PPs This assumption has been copied directly from the CIMC PP In the context of this ST app...

Page 742: ...re of one or more system components results in the loss of system critical functionality T Malicious code exploitation An authorized user IT system or hacker downloads and executes malicious code whic...

Page 743: ...undetected access to a system due to missing weak and or incorrectly implemented access control causing potential violations of integrity confidentiality or availability T Hacker physical access A ha...

Page 744: ...1 3 Organization Security Policies 744 Netscape Certificate Management System Administrator s Guide June 2003...

Page 745: ...Importing Certificate Chains Importing Certificates into Netscape Communicator on page 747 Importing Certificates into Netscape Servers on page 748 Object Identifiers on page 748 Data Formats Netscape...

Page 746: ...It consists of a PKCS 7 ContentInfo structure wrapping a sequence of certificates The value of the contentType field should be netscape cert sequence see Object Identifiers on page 748 while the conte...

Page 747: ...n as long as there is a trusted CA somewhere along the chain Importing Certificates into Netscape Communicator Communicator imports certificates via HTTP There are several MIME content types that are...

Page 748: ...the server administration interface Certificates are pasted into a text input field in an HTML form and then the form is submitted to the administration server Since the certificates are pasted into t...

Page 749: ...Object Identifiers Appendix F Certificate Download Specification 749 netscape data type OBJECT IDENTIFIER netscape 2 netscape cert sequence OBJECT IDENTIFIER netscape data type 5...

Page 750: ...Object Identifiers 750 Netscape Certificate Management System Administrator s Guide June 2003...

Page 751: ...Extensions Netscape Defined Certificate Extensions CA Certificates and Extension Interactions Introduction to Certificate Extensions An X 509 v3 certificate contains an extensions field that permits a...

Page 752: ...ys possible to check a certificate s revocation status against a directory or with the original certificate authority it is useful for certificates to include information about where to check CRLs Eve...

Page 753: ...ned with the international telecommunications network The Internet Engineering Task Force IETF which controls many of the standards that underlie the Internet is currently developing public key infras...

Page 754: ...application must reject the certificate If the extension is not critical and the certificate is sent to an application that does not understand the extension based on the extension s ID the applicati...

Page 755: ...9 1 1 5 Issuer CN Certificate Manager OU netscape O aol L MV ST CA C US Validity Not Before Friday February 21 2003 12 00 00 AM PST America Los_Angeles Not After Monday February 21 2005 12 00 00 AM PS...

Page 756: ...ical no Key Identifier 3B 46 83 85 27 BC F5 9D 8E 63 E3 BE 79 EF AF 79 9C 37 85 84 Identifier Key Usage 2 5 29 15 Critical yes Key Usage Digital Signature Key CertSign Crl Sign Signature Algorithm SHA...

Page 757: ...For other clients see their web sites for information Each extension in a certificate can be designated as critical or noncritical A certificate using system such as browser software must reject the...

Page 758: ...on The Authority Key Identifier extension identifies the public key corresponding to the private key used to sign a certificate This extension is useful when an issuer has multiple signing keys for ex...

Page 759: ...ed during the certificate chain verification process to identify CA certificates and to apply certificate chain path length constraints The cA component should be set to true for all CA certificates P...

Page 760: ...page 514 CRLDistributionPoints OID 2 5 29 31 Criticality PKIX recommends that this extension be marked noncritical and that it be supported for all certificates Discussion This extension defines how C...

Page 761: ...an OCSP responder s certificate unless the CA signing key that signed the certificates validated by the responder is also the OCSP signing key The OCSP responder s certificate must be issued directly...

Page 762: ...he Issuer Alternative Name extension is used to associate Internet style identities with the certificate issuer Names must use the forms defined for subjectAltName CMS Version Support Supported since...

Page 763: ...carefully consider the legal consequences of its use before setting it for any certificate keyEncipherment 2 for SSL server certificates and S MIME encryption certificates dataEncipherment 3 when the...

Page 764: ...tes for users who have separate certificates and key pairs for these operations CMS Version Support Supported since CMS 4 1 Refer to KeyUsageExt on page 533 nameConstraints OID 2 5 29 30 Criticality P...

Page 765: ...fully If the OCSP signing key is compromised the entire process of validating certificates in the PKI will be compromised for the duration of the validity period of the certificate Therefore certifica...

Page 766: ...cify a different validity period for the private key than for the certificate itself This extension is intended for use with digital signature keys PKIX Part 1 recommends against the use of this exten...

Page 767: ...by PKCS 9 Software that supports S MIME must be able to read an email address from either the Subject Alternative Name extension or from the subject name field CMS Version Support Supported since CMS...

Page 768: ...ension of the certificate being verified should match the key identifier of the CA s Subject Key Identifier extension It is not necessary for the verifier to recompute the key identifier in this case...

Page 769: ...encoded structure appears as the value of the octet string extnValue see the examples in Sample Certificate Extensions on page 755 A flag or boolean field called critical The true or false value assi...

Page 770: ...example a CRL may contain only one authority key identifier extension However CRL entry extensions appear in appropriate entries in the CRL Certificate Revocation List Data Version v2 Extensions Ident...

Page 771: ...associating additional attributes with Internet CRLs These are of two kinds extensions to the CRL itself and extensions to individual certificate entries in the CRL Extensions for CRLs CRL Entry Exte...

Page 772: ...ach CRL issued by a CA It allows users to easily determine when a particular CRL supersedes another CRL PKIX requires that all CRLs have this extension CMS Version Support Supported since CMS 4 2 Refe...

Page 773: ...issuerAltName OID 2 5 29 18 Discussion The Issuer Alternative Name extension allows additional identities to be associated with the issuer of the CRL For details see the discussion under certificate e...

Page 774: ...r OID 2 5 29 29 Discussion The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL This extension is used only with indirect CRLs which are not s...

Page 775: ...ndard All Netscape extensions should be tagged as noncritical so that their presence in a certificate does not make that certificate incompatible with other clients The specifications for all Netscape...

Page 776: ...te bit 6 S MIME CA certificate bit 7 Object signing CA certificate CMS Version Support Supported since CMS 4 1 Refer to NSCertTypeExt on page 547 netscape comment OID 2 16 840 1 113730 13 Discussion T...

Page 777: ...or both as described above If CAs issue multiple certificates for the same identity for example for separate signing and encryption keys they must include the keyUsage extension in the subject certifi...

Page 778: ...for their CA they must add the authorityKeyIdentifier extension to all subject certificates If the key ID is anything other than the SHA 1 hash of the CA certificates subjectPublicKeyInfo field then...

Page 779: ...extension or a company s certificate practice statement OIDs are controlled by the International Standards Organization ISO registration authority In some cases this authority is delegated by ISO to...

Page 780: ...arc http www isi edu cgi bin iana enterprise pl To understand why you need to have a company arc check the information at this site http www alvestrand no objectid 2 16 840 1 113730 1 13 html The sit...

Page 781: ...or the most part the information presented in this appendix is specific to Netscape Directory Server an LDAP compliant directory What Is a Distinguished Name Distinguished names DNs are string represe...

Page 782: ...rfc rfc2253 txt Note that if used in conjunction with an LDAP compliant directory Certificate Management System by default recognizes components that are listed in Table I 2 Table I 1 Definitions of...

Page 783: ...he search base For example if you specify a base DN of OU people O example com for a client the LDAP search operation initiated by the client examines only the OU people subtree in the O example com d...

Page 784: ...bsence of a base DN value Certificate Management System uses DN components in the certificate s subject name to construct the base DN so that it can search the directory in order to publish to or upda...

Page 785: ...E IA5String 1 2 840 113549 1 9 1 DC IA5String 0 9 2342 19200300 100 1 2 25 SERIALNUMBER for CEP support Printable String 2 5 4 5 UNSTRUCTUREDNAME for CEP support IA5String 1 2 840 113549 1 9 2 UNSTRU...

Page 786: ...3 UTF 8 String Representation of Distinguished Names see http www ietf org rfc rfc2253 txt Certificate Management System conforms to all of this standard including support of using hex numbers to esca...

Page 787: ...order from smaller character sets to broadest character set Printable IA5String BMPString Universal String For example X500Name MY_ATTR oid 1 2 3 4 5 6 X500Name MY_ATTR class netscape security x509 Di...

Page 788: ...you can verify whether they appear in certificate subject names For example you can enter the following values for the new attributes and look for them in the subject name MYATTR1 a_value MYATTR2 a V...

Page 789: ...gn TOP input type TEXT name DC size 30 onchange formulateDN this form this form subject td tr 4 Save your changes and close the file 5 Go to this directory server_root cert instance_id web apps ee 6 O...

Page 790: ...al enrollment form in the browser and verify your changes 10 To verify that the Enroll for a certificate using the new attribute value Changing the DER Encoding Order You can also change the DER encod...

Page 791: ...rm Use John_Doe for CN 7 Go to the agent interface and approve your request 8 When you receive the certificate use the dumpasn1 tool to examine the encoding of the certificate For details about the du...

Page 792: ...e CN corpDirectory example com OU Human Resources O Example Corporation C US When clients such as Netscape Navigator receive a server certificate they expect the CN component of the certificate s subj...

Page 793: ...s the certificate subject name The dnpattern configuration variable supports escaped commas and multiple attribute variable assertions AVAs in a RDN Below is the syntax for the DN pattern followed by...

Page 794: ...his example O the first o value in the user s entry DN C the string US Example 3 If the configured DN pattern is CN attr cn rdn 2 O dn o C US LDAP entry dn UID jdoe OU IS OU people O example com LDAP...

Page 795: ...ue in the user s entry OU the second ou value in the user s entry DN followed by the first ou value in the user s entry note the multiple AVAs in a RDN in this example O the first o value in the user...

Page 796: ...DNs in Certificate Management System 796 Netscape Certificate Management System Administrator s Guide June 2003...

Page 797: ...tion Digital Signatures Certificates and Authentication Managing Certificates For more information on these topics and other aspects of cryptography see Security Resources at the following URL http de...

Page 798: ...mpersonation is known as spoofing Misrepresentation A person or organization can misrepresent itself For example suppose the site www netscape com pretends to be a furniture store when it is really ju...

Page 799: ...it is intelligible again A cryptographic algorithm also called a cipher is a mathematical function used for encryption or decryption In most cases two related functions are employed one for encryptio...

Page 800: ...er symmetric key Thus as long as the symmetric key is kept secret by the two parties using it to encrypt communications each party can be sure that it is communicating with the other as long as the de...

Page 801: ...ly distribute a public key and only you will be able to read data encrypted using this key In general to send encrypted data to someone you encrypt the data with that person s public key and the perso...

Page 802: ...r ciphers used with SSL see Appendix K Introduction to SSL Different ciphers may require different key lengths to achieve the same level of encryption strength The RSA cipher used for public key encry...

Page 803: ...ics The value of the hash is unique for the hashed data Any change in the data even deleting or altering a single character results in a different value The content of the hashed data cannot for all p...

Page 804: ...o the public key presented by the signer If the two hashes match the recipient can be certain that the public key used to decrypt the digital signature corresponds to the private key used to create th...

Page 805: ...their own certificate issuing server software such as Netscape Certificate Management System The methods used to validate an identity vary depending on the policies of a given CA just as the methods...

Page 806: ...rson identified by that certificate did indeed send that message Similarly a digital signature on an HTML form combined with a certificate that identifies the signer can provide evidence after the fac...

Page 807: ...onse to an authentication request from the server the client displays a dialog box requesting the user s name and password for that server The user must supply a name and password separately for each...

Page 808: ...sociated with some data can be thought of as evidence provided by the client to the server The server authenticates the user s identity on the strength of this evidence Like Figure J 4 Figure J 5 assu...

Page 809: ...on the basis of input from both the client and the server This data and the digital signature constitute evidence of the private key s validity The digital signature can be created only with that pri...

Page 810: ...mechanisms based on the authenticated user identity are not affected How Certificates Are Used Types of Certificates SSL Protocol Signed and Encrypted Email Form Signing Single Sign On Object Signing...

Page 811: ...company deploys combined S MIME and SSL certificates solely for the purpose of authenticating employee identities thus permitting signed email and client SSL authentication but not encrypted email Ano...

Page 812: ...ificate to the server to authenticate the client s identity before the encrypted SSL session can be established For an overview of client authentication over SSL and how it differs from password based...

Page 813: ...the need for persistent authentication of financial transactions Form signing allows a user to associate a digital signature with web based data generated as the result of a transaction such as a purc...

Page 814: ...sswords over the network This approach simplifies access for users because they don t need to enter passwords for each new server It also simplifies network management since administrators can control...

Page 815: ...pported by Netscape and many other software companies are organized according to the X 509 v3 certificate specification which has been recommended by the International Telecommunications Union ITU an...

Page 816: ...the user s public key including the algorithm used and a representation of the key itself The DN of the CA that issued the certificate The period during which the certificate is valid for example bet...

Page 817: ...8 ce 7f 47 50 2c 93 36 7c 01 6e cb 89 06 41 72 b5 e9 73 49 38 76 ef b6 8f ac 49 bb 63 0f 9b ff 16 2a e3 0e 9d 3b af ce 9a 3e 48 65 de 96 61 d5 0a 11 2a a2 80 b0 7d d8 99 cb 0c 99 34 c9 ab 25 06 a8 31...

Page 818: ...e CAs for which it has a certificate It s also possible for a trusted CA certificate to be part of a chain of CA certificates each issued by the CA above it in a certificate hierarchy The sections tha...

Page 819: ...onsibilities to subordinate CAs The X 509 standard includes a model for setting up a hierarchy of CAs like that shown in Figure J 6 Figure J 6 Example of a Hierarchy of Certificate Authorities In this...

Page 820: ...entity through two subordinate CA certificates to the CA certificate for the root CA based on the CA hierarchy shown in Figure J 6 Figure J 7 Example of a Certificate Chain A certificate chain traces...

Page 821: ...scape software uses the following procedure for forming and verifying a certificate chain starting with the certificate being presented for authentication 1 The certificate validity period is checked...

Page 822: ...Root CA Figure J 8 shows what happens when only Root CA is included in the verifier s local database If a certificate for one of the intermediate CAs shown in Figure J 8 such as Engineering CA is fou...

Page 823: ...ows how verification fails if neither the Root CA certificate nor any of the intermediate CA certificates are included in the verifier s local database Figure J 10 A Certificate Chain That Can t Be Ve...

Page 824: ...f your identity such as a utility bill with your address on it and a student identity card If you want to get a regular driving license you also need to take a test a driving test when you first get t...

Page 825: ...nd renewing and revoking certificates can be partially or fully automated with the aid of the directory Information stored in the directory can also be used with certificates to control access to vari...

Page 826: ...icate for authentication before or after its validity period will fail Therefore mechanisms for managing certificate renewal are essential for any certificate management strategy For example an admini...

Page 827: ...ntities of end entities before responding to the requests In addition some requests need to be approved by authorized administrators or managers before being services As previously discussed the means...

Page 828: ...Managing Certificates 828 Netscape Certificate Manager System Administrator s Guide June 2003...

Page 829: ...support the protocol in future versions This document is primarily intended for administrators of Netscape server products but the information it contains may also be useful for developers of applicat...

Page 830: ...be important if the user for example is sending a credit card number over the network and wants to check the receiving server s identity SSL client authentication allows a server to confirm a user s i...

Page 831: ...use in operations such as authenticating the server and client to each other transmitting certificates and establishing session keys Clients and servers may support different cipher suites or sets of...

Page 832: ...gotiate the use of the strongest ciphers available And when an domestic client or server is dealing with an international server or client it will negotiate the use of those ciphers that are permitted...

Page 833: ...phers have 128 bit encryption they are the second strongest next to Triple DES Data Encryption Standard with 168 bit encryption RC4 and RC2 128 bit encryption permits approximately 3 4 1038 possible k...

Page 834: ...the supported ciphers Both SSL 2 0 and SSL 3 0 support this cipher Netscape Console supports only the SSL 3 0 version of this cipher suite RC2 With 40 Bit Encryption and MD5 Message Authentication RC...

Page 835: ...te is supported by SSL 3 0 but not by SSL 2 0 RC4 With SKIPJACK 80 Bit Encryption and SHA 1 Message Authentication The SKIPJACK cipher is a classified symmetric key cryptographic algorithm implemented...

Page 836: ...client using SSL 2 The server sends the client the server s SSL version number cipher settings randomly generated data and other information the client needs to communicate with the server over SSL Th...

Page 837: ...the client informing it that future messages from the server will be encrypted with the session key It then sends a separate encrypted message indicating that the server portion of the handshake is f...

Page 838: ...equires server authentication or cryptographic validation by a client of the server s identity As explained in Step 2 of The SSL Handshake which begins on page 836 the server sends the client a certif...

Page 839: ...a on the right side of Figure K 3 This list determines which server certificates the client will accept If the distinguished name DN of the issuing CA matches the DN of a CA on the client s list of tr...

Page 840: ...any reason the server identified by the certificate cannot be authenticated and the user will be warned of the problem and informed that an encrypted and authenticated connection cannot be establishe...

Page 841: ...erver of the client s identity When a server configured this way requests client authentication see Step 6 of The SSL Handshake which begins on page 836 the client sends the server both a certificate...

Page 842: ...ey used to create the signature and that the data has not been tampered with since it was signed At this point however the binding between the public key and the DN specified in the certificate has no...

Page 843: ...icate the user s identity If the CA s digital signature can be validated the server treats the user s certificate as a valid letter of introduction from that CA and proceeds At this point the SSL prot...

Page 844: ...The SSL Handshake 844 Netscape Certificate Manager System Administrator s Guide June 2003...

Page 845: ...les to be evaluated when a server receives a request for access to a particular resource See access control instructions ACI administrator The person who installs and configures one or more CMS manage...

Page 846: ...cation module A set of rules implemented as a Java class for authenticating an end entity agent administrator or any other entity that needs to interact with a CMS manager In the case of typical end u...

Page 847: ...ntities enrolled in the PKI certificate authority CA A trusted entity that issues a certificate after verifying the identity of the person or entity the certificate is intended to identify A CA also r...

Page 848: ...defined certificate fingerprint A one way hash associated with a certificate The number is not part of the certificate itself but is produced by applying a hash function to the contents of the certif...

Page 849: ...ity by allowing you to set up policies for a particular type of enrollment along with an authentication method in a certificate profile Certificate Request Message Format CRMF Format used for messages...

Page 850: ...dministrator to control configuration settings for the corresponding CMS instance Common Criteria Environment The configuration settings used for the Common Criteria certification of CMS configuration...

Page 851: ...and one for digital signatures Data Recovery Manager agent A user who belongs to a group authorized to manage agent services for a Data Recovery Manager including managing the request queue and autho...

Page 852: ...s public key and comparison with another hash of the same data provides tamper detection Verification of the certificate chain for the certificate containing the public key provides authentication of...

Page 853: ...s to each other and storing the two cross pair certificates as a certificate pair fingerprint See certificate fingerprint FIPS PUBS 140 1 Federal Information Standards Publications FIPS PUBS 140 1 is...

Page 854: ...tions and applets using the Java programming language Java Native Interface JNI A standard programming interface that provides binary compatibility across different implementations of the Java Virtual...

Page 855: ...eue after successful authentication module processing An agent with appropriate privileges must then approve each request individually before policy processing and certificate issuance can proceed MD5...

Page 856: ...vate key is used to sign objects using the technology known as object signing OCSP Online Certificate Status Protocol one way hash A number of fixed length generated from data of arbitrary length with...

Page 857: ...c key cryptography The private key is kept secret and is used to decrypt data encrypted with the corresponding public key proof of Archival POA Data signed with the private Data Recovery Manager trans...

Page 858: ...the certificates to the end entities and typically publishes them to the appropriate directory Registration Manager agent A user who belongs to a group authorized to manage agent services for a Regist...

Page 859: ...udit log See audit log signing certificate A certificate whose public key corresponds to a private key used to create digital signatures For example Certificate Manager must have a signing certificate...

Page 860: ...n identify itself as a site called www netscape com when it is not Spoofing is one form of impersonation See also misrepresentation impersonation SSL See Secure Sockets Layer SSL subject The entity id...

Page 861: ...thority CA that issued the certificate If you trust a CA you can generally trust valid certificates issued by that CA virtual private network VPN A way of connecting geographically distant divisions o...

Page 862: ...862 Netscape Certificate Management System Administrator s Guide June 2003...

Page 863: ...ting 343 modifying group membership 343 port used for operations 284 See also ports tools provided CMS console 245 Netscape Console 243 Agent Services interface URL for 284 AgentDirEnrollment instance...

Page 864: ...ificate 88 90 changing trust settings of 294 deleting 293 getting a new one 297 312 nickname 88 renewing 297 viewing details of 293 CEP 67 CEP enrollment 412 setting up multiple services 416 certifica...

Page 865: ...wireless applications 95 100 how to revoke 598 installing 745 749 issuing of 824 and LDAP Directory 825 management formats and protocols 68 object signing 811 publishing to files 618 publishing to LD...

Page 866: ...istributionPoint 612 CRL publisher 630 631 CRL signing certificate 597 nickname 321 cRLDistributionPoints 760 CRLNumber 772 CRLs Certificate Manager support for 36 defined 597 extensions for 771 exten...

Page 867: ...ntions followed 27 downloading certificates 745 749 DSA 91 136 173 215 E email resolver 567 email signed and encrypted 812 encrypted file system EFS 452 523 encryption defined 799 public key 801 symme...

Page 868: ...gning defined 813 G getting new certificates for subsystems 312 groups changing members 343 H hardware accelerators 318 hardware tokens See external tokens HashAuth authentication plug in 406 high ava...

Page 869: ...203 when specified the first time 203 responsibilities 203 role defined 203 KEYGEN tag 68 keys defined 799 management and recovery 825 keyUsage 762 L LDAP 68 LDAP publishing defined 618 manual updates...

Page 870: ...g certificate 321 for OCSP signing certificate 89 for signing certificate 134 171 for SSL server certificate 89 134 171 214 for transport certificate 213 for wTLS signing certificate 89 NIS server bas...

Page 871: ...se it for 480 policy modules deleting 563 registering new ones 562 policy rules adding new 490 defined 481 deleting 490 how policy processor applies them 482 naming convention 491 predicates in 483 re...

Page 872: ...s getting new ones 312 remote admin server certificate 213 signing certificate 134 SSL server certificate 134 specifying IP address for 287 Remote admin server certificate 213 Remove Basic Constraints...

Page 873: ...rage key pair 214 secret sharing 203 subjectAltName 766 subjectDirectoryAttributes 767 subjectKeyIdentifier 767 subordinate CA 33 support for DN characters in CMS 784 T Tasks tab 245 tasks you can acc...

Page 874: ...etting certificates for 412 W when the server was installed 247 why should you revoke certificates 597 wireless CA certificate 95 100 wireless certificates 95 100 wizard See Certificate Setup Wizard w...

Reviews:

No comments

Brands by name

Popular brands

Load more brands