Chapter 9. TPS: Managing Token and Smart Card Operations

The token information shows the current definition and state of the token:

- Token, the token ID number entered in the TPS.
- User ID, the user of the token.
- Status and Reason, the current state of the token:
  - uninitialized means the token has not been processed.
  - initialized means that the smart card is formatted, but does not have any certificates enrolled on it.
  - enrolled means that certificates have been installed on it.
  - lost or onHold means it has been suspended, and any suspended or revoked token also has an attribute to show the reason why the token status was changed.
- Policy, which sets the user policies for the token, such as whether the token can be reused.
- Token Type, which is the enrollment profile used to enroll the token.

The system information shows information about the token that is processed by the TPS:

- Key Info, the types of keys and bit strength generated for the token.
- Applet ID, the applet loaded on the token.
- Creation Date and Modification Date, which show the days that the token was first entered in the TPS and the most recent change to the token.

Additionally, there are two other sets of information that can be viewed for the token.
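As an added illustration (not part of the guide and not TPS code), the following Python model applies the status semantics above to a token record: a token moves from uninitialized through initialized to enrolled, a lost or onHold token must carry a reason, and re-formatting an enrolled token is tied to the reuse policy. The transition table, the `reuse_allowed` field and the `userKey` profile name are assumptions made for the example; the audit function at the end flags records whose fields contradict the documented meanings.

```python
from dataclasses import dataclass, replace
from datetime import date

# Status values as the TPS token view shows them (from the guide).
SUSPENDED = {"lost", "onHold"}
STATUSES = {"uninitialized", "initialized", "enrolled"} | SUSPENDED

# (current status, operation) -> resulting status.  This table is an assumption
# derived from the guide's definitions (format yields a certificate-free card,
# enroll installs certificates, lost/onHold are suspended states); not TPS code.
TRANSITIONS = {
    ("uninitialized", "format"): "initialized",
    ("initialized", "enroll"): "enrolled",
    ("initialized", "lose"): "lost",
    ("enrolled", "hold"): "onHold",
    ("enrolled", "lose"): "lost",
    ("enrolled", "format"): "initialized",  # reuse of an already enrolled token
}


@dataclass(frozen=True)
class TokenRecord:
    token: str                    # token ID (CUID) as entered in the TPS
    user_id: str                  # user of the token
    status: str = "uninitialized"
    reason: str = ""              # why a suspended token was suspended
    reuse_allowed: bool = False   # stands in for the token Policy (assumed name)
    token_type: str = ""          # enrollment profile used to enroll the token
    key_info: str = ""            # key types and bit strength generated
    applet_id: str = ""           # applet loaded on the token
    creation_date: date = date(2010, 1, 4)      # constructed sample value
    modification_date: date = date(2010, 1, 4)  # constructed sample value


class TokenStateError(ValueError):
    """Raised when an operation contradicts the documented status rules."""


def apply_operation(rec, op, when, reason="", **updates):
    """Return a new record after `op`, or raise TokenStateError."""
    try:
        new_status = TRANSITIONS[(rec.status, op)]
    except KeyError:
        raise TokenStateError(f"{op!r} is not valid for a {rec.status} token")
    if new_status in SUSPENDED and not reason:
        raise TokenStateError("a suspended token must carry a reason")
    if rec.status == "enrolled" and op == "format" and not rec.reuse_allowed:
        raise TokenStateError("token policy does not allow reuse")
    if when < rec.modification_date:
        raise TokenStateError("modification date cannot move backwards")
    fields = dict(updates)
    if op == "format":
        # a freshly formatted card holds no certificates, so clear enrollment data
        fields.update(key_info="", token_type="")
    fields.update(status=new_status, reason=reason, modification_date=when)
    return replace(rec, **fields)


def audit(records):
    """Flag records whose fields contradict the documented field meanings."""
    findings = []
    for r in records:
        if r.status not in STATUSES:
            findings.append((r.token, f"unknown status {r.status!r}"))
        if r.status in SUSPENDED and not r.reason:
            findings.append((r.token, "suspended token has no reason"))
        # assumption: an enrolled token should show the profile and keys used
        if r.status == "enrolled" and not (r.key_info and r.token_type):
            findings.append((r.token, "enrolled token lacks key info or profile"))
        if r.modification_date < r.creation_date:
            findings.append((r.token, "modified before it was created"))
    return findings


def lifecycle_demo():
    """Walk one constructed token through format, enroll and hold."""
    rec = TokenRecord(token="TOKEN-0001", user_id="jsmith",
                      applet_id="APPLET-CONSTRUCTED")
    rec = apply_operation(rec, "format", date(2010, 1, 5))
    rec = apply_operation(rec, "enroll", date(2010, 1, 6),
                          token_type="userKey", key_info="RSA 1024")
    return apply_operation(rec, "hold", date(2010, 2, 1),
                           reason="left at home")


def bad_record_demo():
    """A constructed record that violates two of the documented rules."""
    return TokenRecord(token="TOKEN-0002", user_id="jdoe", status="lost",
                       modification_date=date(2009, 12, 31))


if __name__ == "__main__":
    print(lifecycle_demo())
    print(audit([lifecycle_demo(), bad_record_demo()]))
```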

Red Hat Certificate System 8.0 Agents Guide: Using Web-Based Agent Services. Ella Deon Lackey. Publication date July 22, 2009, updated April 30, 2010.

Page 2: ...ust provide the URL for the original version Red Hat as the licensor of this document waives the right to enforce and agrees not to assert Section 4d of CC BY SA to the fullest extent permitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Lin...

Page 3: ...b Browsers 13 1 7 Supported Character Sets 13 1 8 Configuring Internet Explorer to Enroll Certificates 14 2 CA Working with Certificate Profiles 17 2 1 About Certificate Profiles 17 2 2 Example caUserCert Profile 18 2 3 List of Certificate Profiles 21 2 4 Enabling and Disabling Certificate Profiles 25 2 4 1 Viewing Certificate Profile Information 25 2 4 2 Enabling or Disabling a Certificate Profil...

Page 4: ...ified by the Online Certificate Status Manager 95 8 2 Identifying a CA to the Online Certificate Status Manager 96 8 3 Adding a CRL to the Online Certificate Status Manager 99 8 4 Checking the Revocation Status of a Certificate 100 8 5 OCSP Responder Summary 103 9 TPS Managing Token and Smart Card Operations 105 9 1 Overview of TPS Roles 105 9 2 Performing Operator Tasks 106 9 2 1 Searching Tokens...

Page 5: ...f public key cryptography and the Secure Sockets Layer SSL protocol including the following topics Encryption and decryption Public keys private keys and symmetric keys Digital signatures The role of digital certificates in a public key infrastructure PKI Certificate hierarchies SSL cipher suites The purpose of and major steps in the SSL handshake 2 What Is in This Guide This guide describes an ag...

Page 6: ... is only available when the OCSP subsystem is installed Chapter 9 TPS Managing Token and Smart Card Operations Describes how to perform tasks related to the Token Processing System and how to manage tokens and certificates through this subsystem This service is only available when the TPS subsystem is installed 3 Examples and Formatting 3 1 Formatting for Examples and Commands All of the examples ...

Page 7: ...is intended for Certificate System administrators Certificate System Installation Guide 2 covers the installation process for all Certificate System subsystems This manual is intended for Certificate System administrators Certificate System Administrator s Guide 3 explains all administrative functions for the Certificate System Administrators maintain the subsystems themselves so this manual detai...

Page 8: ...own issues and workarounds and other important deployment information for Red Hat Certificate System 8 0 All of the latest information about Red Hat Certificate System and both current and archived documentation is available at http www redhat com docs manuals cert system 5 Giving Feedback If there is any error in this Agent s Guide or there is any way to improve the documentation please let us kn...

Page 9: ...s related to tech review comments for chapters 6 and 9 Bugzilla 510555 and 510559 such as adding a section on recovering agent certificates if it is ever lost Revision 8 0 2 July 31 2009 Ella Deon Lackey Tech edits to every chapter per Bugzilla 510550 510551 510552 510553 510554 510555 510556 510557 510559 Revision 8 0 1 July 27 2009 Ella Deon Lackey Adding note to the TPS users section about sett...

Page 10: ...x ...

Page 11: ...content may vary from one organization to another End entity enrollment for some certificates may require physical verification such as an interview or notarized documents while enrollment for others may be fully automated 1 1 1 Certificate System Subsystems To meet the widest possible range of configuration requirements the Certificate System permits independent installation of five separate subs...

Page 12: ...It is also possible to perform server side key generation using the TPS server when enrolling smart cards NOTE The DRM archives encryption keys It does not archive signing keys since archiving signing keys would undermine the non repudiation properties of dual key certificates 1 1 1 4 Online Certificate Status Manager An Online Certificate Status Manager works as an online certificate validation a...

Page 13: ...KI deployment and for certificate maintenance such as renewal or revocation Figure 1 1 The Certificate System and Users shows the ports used by administrators agents and end entities All agent and administrator interactions with Certificate System subsystems occur over HTTPS End entity interactions can take place over HTTP or HTTPS Figure 1 1 The Certificate System and Users 1 2 Agent Tasks The de...

Page 14: ...an perform tasks related to managing certificates stored on tokens and smart cards which includes viewing smart card enrollment and formatting activities listing editing and deleting tokens from the token database and managing lost tokens The privileged operations of an agent are performed through the Certificate System agent services pages For a user to access these pages the user must have a per...

Page 15: ...4 CA Finding and Revoking Certificates Revokes certificates If a user s key is compromised the certificate must be revoked to ensure that the key is not misused Certificates belonging to users who have left the organization may also need revoked Certificate Manager agents can find and revoke a specific certificate or a set of certificates Users can also request that their own certificates be revok...

Page 16: ... Registration Manager Agent Services There are two user types who can access the RA services pages agents and administrators Each user requires a certificate to authenticate to the appropriate services page Figure 1 3 Registration Manager Agent Services Page RA agents can perform four tasks Approve and reject certificate requests List view and add notes to certificate requests List and view issued...

Page 17: ... approves key recovery requests Key recovery requires the authorization of one or more recovery agents The DRM administrator designates recovery agents Typically several recovery agents are required to approve key recovery requests in the DRM so DRM administrators should designate more than one agent For more information on these tasks see Chapter 7 DRM Recovering Encrypted Data 1 2 4 Online Certi...

Page 18: ...ificate to the Online Certificate Status Manager For more information on these tasks see Chapter 8 Online Certificate Status Manager Verifying Certificate Status 1 2 5 Token Processing System Agent Services The TPS agent services page allows operations by two types of users both agents and administrators A third user type operators can view certificate and token information but cannot edit or proc...

Page 19: ...ollowing tasks Lists and searches enrolled tokens by user ID or token CUID Lists and searches certificates associated with enrolled tokens Searches token operations by CUID Edits token information Sets the token status The TPS agent services page also has a tab to allow operations by TPS administrators ...

Page 20: ... including the token owner s user ID Adds tokens Deletes tokens For more information about TPS agent and administrator tasks see Chapter 9 TPS Managing Token and Smart Card Operations 1 3 Accessing Agent Services Access to the agent services forms requires certificate based authentication Only users who authenticate with the correct certificate and who have been granted the appropriate access priv...

Page 21: ...P 7889 for the TPS The port number may be different if the agent services use a user defined port set with the agent_secure_port when the instance was created with pkicreate The subsystem_type type is one of the following ca for the CA ra for the RA kra for the DRM ocsp for the Online Certificate Status Manager tps for the TPS For example if a CA is installed on a host named server example com and...

Page 22: ...e to the agent services pages These certificates are imported into the browser user to access the agent and administrative for the TPS and RA services pages The agent certificate can be imported into a new browser or recovered and re imported into a browser if it is ever lost Retrieve the agent or user certificates from the CA s end entities page and import them into the browser to use for accessi...

Page 23: ...pported Web Browsers The services pages for the subsystems require a web browser that supports SSL Two browsers are supported Mozilla Firefox 2 0 and higher Microsoft Internet Explorer 6 and higher on both Windows XP and Vista Red Hat strongly recommends that agents and administrators use Mozilla Firefox to access the agent services pages NOTE Browsers for Mac such as Safari and other types of web...

Page 24: ... http server example com 9180 ca ee ca b Click the Retrieval tab c Click Import CA Certificate Chain in the left menu and then select Download the CA certificate chain in binary form d When prompted save the CA certificate chain file e In the Internet Explorer menu click Tools and select Internet Options f Open the Content tab and click the Certificates button g Click the Import button In the impo...

Page 25: ... services page to Medium if this security setting is too restrictive in the future then try resetting it to Medium low 5 Close the browser To verify that Internet Explorer can be used for enrollments try enrolling a user certificate 1 Open the Certificate Manager s end entities page https server example com 9444 ca ee ca 2 Select the Manual User Dual Use Certificate Enrollment form 3 Fill in the u...

Page 26: ...16 ...

Page 27: ...ity of a certificate to a maximum of 360 days grace periods to allow certificate renewal as the certificate nears its expiration date or requiring that the subjectaltname extension always be set to true Profile outputs Profile outputs are parameters and values that specify the format in which to issue the certificate to the end entity Profile outputs include base 64 encoded files CMMF responses an...

Page 28: ... to connect to an LDAP directory before that authentication module can be used The issued certificate contains the default content for the certificate profile like the extensions and validity period and follows the constraints set for each default There can be more than one policy set Each policy set consists of multiple sets of defaults and constraints which defines individual policy settings Eac...

Page 29: ...ion specifies that the key pair generation during the request submission be CRMF based A drop down menu sets the key size for the keys Subject name is used when distinguished name DN parameters need to be collected from the user the user DN can be used to create the subject name in the certificate UID for the user in the LDAP directory Email Common name Organizational unit Organization Country Req...

Page 30: ... agent approved enrollment the user can get the certificate once it is issued by providing the request ID in the CA end entities page The last largest block of configuration is the policy set for the profile Policy sets list all of the settings that are applied to the final certificate like its validity period its renewal settings and the actions the certificate can be used for The policyset list ...

Page 31: ...efault params keyUsageNonRepudiation true policyset userCertSet 6 default params keyUsageDataEncipherment false policyset userCertSet 6 default params keyUsageKeyEncipherment true policyset userCertSet 6 default params keyUsageKeyAgreement false policyset userCertSet 6 default params keyUsageKeyCertSign false policyset userCertSet 6 default params keyUsageCrlSign false policyset userCertSet 6 defa...

Page 32: ...ned CMC Authenticated User Certificate Enrollment Enrolls user certificates by using the CMC certificate request with CMC Signature authentication caInstallCACert Manual Security Domain Certificate Authority Signing Certificate Enrollment Enrolls Security Domain Certificate Authority certificates caInternalAuthAuditSigningCert Audit Signing Certificate Enrollment Enrolls a signing certificate to u...

Page 33: ...nrollment Enrolls router certificates using an automatically generated one time PIN that the router can use to retrieve its certificate caServerCert Manual Server Certificate Enrollment Enrolls server certificates caSignedLogCert Manual Log Signing Certificate Enrollment Enrolls audit log signing certificates caSimpleCMCUserCert Simple CMC Enrollment Enrolls user certificates by using the CMC cert...

Page 34: ...ent Token User Encryption Certificate Enrollment Enrolls an encryption key on a token used by the TPS for smart card enrollment operations caTokenUserEncryptionKeyRenewal smart card token encryption cert renewal profile Renews an encryption key that was enrolled on a token using the caTokenUserEncryptionKeyEnrollment profile used by a TPS subsystem caTokenUserSigningKeyEnrollment Token User Signin...

Page 35: ...les page of the agent services page which is accessed through the Manage Certificate Profiles link in the left menu of the CA agent services page The Manage Certificate Profiles page contains all of the certificate profiles that have been set up by an administrator It shows the name of the certificate profile a short description of the certificate profile whether this is an end user certificate pr...

Page 36: ...n the end entities page If the End User field of the certificate profile is marked false then this certificate profile does not appear in the end entities page This parameter determines whether the certificate profile needs to be received from the end entities page in order to be processed Each policy has a policy information section which shows a table for each policy set A certificate profile us...

Page 37: ...he Manage Certificate Profiles page and click on a certificate profile name 2 Open the Approve Certificate Profile page for that certificate profile 3 Click the Approve button at the bottom of the page to enable the profile or Disable to disable it NOTE It is only possible to disable a certificate profile after it has been approved New profiles are disabled by default and must be enabled before th...

Page 38: ...28 ...

Page 39: ... by an agent or automatically by the certificate profile if the request has been authenticated and if the system has been configured to allow automatic enrollment After a request has been approved the Certificate System issues the requested certificate The end user can be automatically notified that the certificate was issued Reject the request A certificate request can be rejected manually or aut...

Page 40: ...quest to himself Requests cannot be assigned to another agent Unassign the request A request can be removed from an agent s queue if necessary such as when requests are assigned to an agent who has since left the company Table 3 1 Possible Agent Actions for Certificate Requests Approving canceling and rejecting certificate requests all alter the request status Assigning unassigning updating and va...

Page 41: ...that have been submitted to it The queue records whether a request is pending completed canceled or rejected Three types of requests can be in the queue Certificate enrollment requests Certificate renewal requests Certificate revocation requests A Certificate Manager agent must review and approve manual enrollment requests Certificate requests that require review have a status of pending ...

Page 42: ...w the queue of certificates requests The List Requests form appears 3 View certificate requests request type by selecting one of the options from the Request type menu Show enrollment requests Show renewal requests Show revocation requests Show all requests 4 View requests by request status by selecting one of the options in the Request status menu Show pending requests These are enrollment reques...

Page 43: ...ompleted including issued certificates and completed revocation requests Show all requests This shows all requests of the selected type regardless of status 5 To start the list at a specific place in the queue enter the starting request identifier in decimal or hexadecimal form Use 0x to indicate a hexadecimal number for example 0x2A 6 Choose the number of matching requests to be returned When a n...

Page 44: ...ove or manage the request Figure 3 3 Request Details NOTE If the system changes the state of the displayed request using the browser s Back or Forward buttons or history to navigate can cause the data display to become out of date To refresh the data click the highlighted serial number at the top of the page 3 2 2 Searching for Certificates Advanced Search for certificates by more complex criteria...

Page 45: ...icate the beginning of a hexadecimal number such as 0x2A Serial numbers are displayed in hexadecimal form in the Search Results and Details pages To find all certificates within a range of serial numbers enter the upper and lower limits of the serial number range in decimal or hexadecimal Leaving either the lower limit or upper limit field blank returns all certificates before or after the number ...

Page 46: ...e agent it is possible to use wildcards in this field Issuing Information Lists certificates that have been issued during a particular period or by a particular agent For example an agent can list all certificates issued between July 2005 and April 2006 or all certificates issued by the agent with the username betatest To list certificates issued within a time period select the day month and year ...

Page 47: ...beginning and end of the period To list certificates that have a validity period of a certain length in time select Not greater than or Not less than from the drop down list enter a number and select a time unit from the drop down list days weeks months or years Basic Constraints Shows CA certificates that are based on the Basic Constraints extension Type Lists certain types of certificates such a...

Page 48: ...he included search criteria and leave the others blank The standard tags or components are as follows Email address Narrows the search by email address Common name Finds certificates associated with a specific person or server UserID Searches certificates by the user ID for the person to whom the certificate belongs Organization unit Narrows the search to a specific division department or unit wit...

Page 49: ...the components left blank Wildcards cannot be used in this type of search Partial searches for certificate subject names match the specified components but the returned certificates may also contain values in components that were left blank Wildcard patterns can be used in this type of search by using a question mark to match an arbitrary single character and an asterisk to match an arbitrary stri...

Page 50: ... In automatic enrollment the Certificate System automatically receives and approves the request if it meets established criteria In manual enrollment an agent must review and approve the request Before approving a request an agent can adjust some of the parameters such as the subject name and validity period To adjust and approve a certificate request 1 Open the agent services page https server ex...

Page 51: ...rofile including the definition of the policy the value placed in the certificate by this specific policy and the constraints placed on this policy To change any of the information contained in the certificate such as the subject name or validity period change the settings in the policy information table in the certificate request Any policies that can be changed have either a drop down list or an...

Page 52: ...rms to the constraints for issuing that type of certificate The request is confirmed as valid or the system returns a list of fields that need to be edited Reject Request Rejects the request Cancel Request Cancels the request without issuing a certificate or a rejection After the agent sets the action to Approve Request and clicks Submit the certificate is generated and available to the user throu...

Page 53: ...tor the issued certificate must be sent manually to the requester by the agent or the requester must be directed to retrieve it from the Certificate Manager s end entities page Figure 3 5 A Newly Issued Certificate shows a web page containing a new certificate This is the page shown after the agent selects Approve this certificate request Figure 3 5 A Newly Issued Certificate To copy and mail a ne...

Page 54: ...64 encoded certificate into the email message body and send the message To deliver a new client certificate to the requester note the serial number of the approved request and email the number to them End users can search for and retrieve certificates based on their serial number If it seems helpful then include instructions on how to retrieve certificates in the email 1 Open the end users service...

Page 55: ...range of serial numbers All certificates within the range may be displayed or if the agent selects only those that are currently valid To find a specific certificate or to list certificates by serial number 1 Open the Certificate Manager agent services page 2 Click List Certificates Figure 4 1 List Certificates To find a certificate with a specific serial number enter the serial number in both the...

Page 56: ...cates matching the criteria that should be returned in the results page When any number is entered the first certificates up to that number matching the criteria are displayed 5 Click Find The Certificate System displays a list of the certificates that match the search criteria Select a certificate in the list to examine it in more detail or perform various operations on it For more information re...

Page 57: ...ecimal form in the Search Results and Details pages To find all certificates within a range of serial numbers enter the upper and lower limits of the serial number range in decimal or hexadecimal Leaving either the lower limit or upper limit field blank returns all certificates before or after the number specified Status Selects certificates by their status A certificate has one of the following s...

Page 58: ...en issued during a particular period or by a particular agent For example an agent can list all certificates issued between July 2005 and April 2006 or all certificates issued by the agent with the username jsmith To list certificates issued within a time period select the day month and year from the drop down lists to identify the beginning and end of the period To list certificates issued by a p...

Page 59: ... by locality such as the city State Narrows the search by state or province Country Narrows the search by country use the two letter country code such as US NOTE Certificate System certificate request forms support all UTF 8 characters for the common name and organizational unit fields The common name and organization unit fields are included in the subject name of the certificate This means that ...

Page 60: ...t a time limit on the search in seconds 7 Click Find 8 The Search Results form appears showing a list of the certificates that match the search criteria Select a certificate in the list to examine it in more detail For more information refer to Section 4 3 Examining Certificate Details 4 3 Examining Certificate Details 1 On the agent services page click List Certificates or Search for Certificates...

Page 61: ...evoke certificates other than their own A certificate must be revoked if one of the following situations occurs The owner of the certificate has changed status and no longer has the right to use the certificate The private key of a certificate owner has been compromised These two reasons are not the only ones why a certificate would need revoked there are six reasons available for revoking a certi...

Page 62: ...tion 4 Scroll to the bottom of the form and set the number of matching certificates to display 5 Click Find 6 The search returns a list of matching certificates It is possible to revoke one or all certificates in the list TIP If the search criteria are very specific and all of the certificates returned are to be revoked then click the Revoke ALL Certificates button at the bottom of the page The nu...

Page 63: ...mely careful that the correct certificate has been selected or that the list contains only certificates which should be revoked Once a revocation operation has been confirmed there is no way to undo it 8 Select an invalidity date The invalidity date is the date which it is known or suspected that the user s private key was compromised or that the certificate became invalid A set of drop down lists...

Page 64: ...d as revoked but that certificate can be recovered For example a user may have a personal email certificate stored on a flash drive which he accidentally leaves at home The certificate is not compromised but it should be temporarily suspended That certificate can be temporarily revoked by putting it on hold one of the options given when revoking a certificate as in Section 4 4 1 Revoking Certifica...

Page 65: ...ectory with the latest CRL To view or display the CRL 1 Go to the Certificate Manager agent services page 2 Click Display Certificate Revocation List to display the form for viewing the CRL 3 Select the CRL to view If the administrator has created multiple issuing points these are listed in the Issuing point drop down list Otherwise only the master CRL is shown 4 Choose how to display the CRL by s...

Page 66: ...and the total number of certificates that expired since the last update 4 5 2 Updating the CRL CRLs can be automatically updated if a schedule for automatic CRL generation is enabled and the schedule can set the CRL to be generated at set time schedules or whenever there are certificate revocations Likewise CRLs can be also automatically published if CRL publishing is enabled In some cases the CRL...

Page 67: ...support the algorithm SHA 1 with RSA generates a 160 bit message digest SHA 256 with RSA SHA 512 with RSA MD5 with RSA generates a 128 bit message digest Most existing software applications that handle certificates support only MD5 This is the default algorithm MD2 with RSA generates a 128 bit message digest Before selecting an algorithm make sure that the Certificate System has that algorithm ena...

Page 68: ...58 ...

Page 69: ...e System is started it publishes the Certificate Manager s CA certificate to the LDAP publishing directory When the Certificate System issues a new certificate the certificate is published to the LDAP publishing directory When the Certificate System revokes a certificate the certificate is removed from the publishing directory When the CRL is created or updated the list is published to the LDAP pu...

Page 70: ...voked certificates In some circumstances updating the LDAP publishing directory can take considerable time During this period any changes made through the Certificate System such as issuing or revoking certificates may not be included in the update If certificates have been issued or revoked during that time the publishing directory must be updated again to reflect those changes Use the Skip certi...

Page 71: ...erial numbers of those certificates To remove expired certificates from the publishing directory select Remove expired certificates from the directory To remove a range of certificates instead of all expired certificates specify the range of the serial numbers of those certificates To remove revoked certificates from the publishing directory select Remove revoked certificates from the directory If...

Page 72: ...62 ...

Page 73: ...on certificates for users servers and routers The requests are approved by the RA agent and are then issued by the CA 6 1 Listing Certificate Requests Listing requests initially returns all certificate requests submitted or generated through the RA instance These can be filtered by their status open approved rejected or failed NOTE Open requests have not yet been processed by an RA agent while rej...

Page 74: ...ng and Receiving Certificates Locally 64 4 Click the Request ID for the request to view it 5 The top part of the request details contains the data used for the request and the base 64 encoded blob of the certificate request ...

Page 75: ...Listing Certificate Requests 65 The bottom half of the details page shows information like notes for the request the time it was submitted and if it has been processed the time and agent who reviewed it ...

Page 76: ...by the RA agent Approved requests are immediately sent to the CA to be issued To approve the certificate request 1 Open the RA agent services page https server example com 12889 agent index cgi 2 Click the List Requests link 3 Scroll to the bottom of the screen and add an optional note to the certificate request and click Add Note 4 Click Approve to approve the request ...

Page 77: ...ficate immediately 6 3 Listing Certificates Unlike the CA which can filter and search for specific certificates issued the only way to find a certificate processed through the RA is to list all certificates 1 Open the RA agent services page https server example com 12889 agent index cgi 2 Click the List Certificates link 3 All of the certificates which have been processed through the RA are listed...

Page 78: ...6 RA Requesting and Receiving Certificates Locally 68 6 4 Revoking Certificates RA agents can revoke certificates that were approved through that Registration Manager instance 1 Open the RA agent services page ...

Page 79: ... cgi 2 Click the List Certificates link 3 All of the certificates which have been processed through the RA are listed 4 Open the certificate to revoke by clicking its Serial in the certificate list 5 At the bottom of the certificate s details page click the Revoke link ...

Page 80: ...ks and administrative tasks even though both sets of functions are accessed through web services pages RA agent tasks manage operations related to issuing certificates like approving requests RA administrator tasks relate to managing the server instance mainly managing users and groups 6 5 1 Managing RA Groups By default the RA has administrator and agent groups Other groups can be configured depe...

Page 81: ... the RA services page https server example com 12889 services 2 Click the Administrator Services link 3 Click the New Group link 4 Fill in the group ID and the name of the group the name can be longer than the GID more like a description to help differentiate the group ...

Page 82: ...roup s GID to the adminsitrator or agent group list admin authorized_groups administrators example agent authorized_groups administrators agents example d Start the RA instance service pki ra start 6 5 1 3 Adding and Removing Users in an RA Group When a group is created it does not have any members Likewise as new users are added they have to be added to a group for them to be granted any privileg...

Page 83: ...p page, each current member of the group is listed with a Delete link next to the name. Existing users who are not members of the group are listed in a drop-down menu. To add a member, select the name from the menu and click Add...

Page 84: ...y managing users and groups. For an RA user to be able to perform their tasks, the user entry must be created and then added to the appropriate group. A default user is created when the RA is first configured, and this admin user belongs to both the agent and administrator groups. 6.5.2.1. Listing and Viewing Users for an RA. 1. Open the RA services page, https://server.example.com:12889/services. 2. Click the...

Page 85: ...ertificate for the user. All access to the RA web services pages is done through certificate-based authentication, so all RA agents and administrators must have a certificate. This is covered in Section 6.5.2.3, Generating Agent Certificates for RA Agents. 2. Open the RA services page...

Page 86: ...ny RA agent or administrator functions. Adding members to groups is covered in Section 6.5.1.3, Adding and Removing Users in an RA Group. 6.5.2.3. Generating Agent Certificates for RA Agents. RA agents must have a client certificate that allows them to authenticate to the RA subsystem, meaning accessing the RA agent and administrator services pages. Any SSL client certificate can be used, as long as it is...

Page 87: ...est. d. Enter an appropriate UID and email address. By default, notifications are enabled for the RA subsystem, so as soon as the certificate request is submitted, a notification is sent to the agent queue. 2. An existing agent must approve the PIN request...

Page 88: ...s listed in a table with a status of OPEN. c. Click the Request ID to display the details of the request. d. Click Approve to approve the request. This generates the PIN the user will use to retrieve the certificate. 3. The last step is for the user to use the generated PIN to retrieve his certificate. a. Open the SSL End Users Services page...

Page 89: ...of the PIN request. d. Click the value in the Import Certificate field to display the one-time PIN. e. Click Agent Enrollment again, and then click the Certificate Enrollment link. f. Enter the user ID and the PIN. g. When the certificate is successfully generated, a base-64 encoded blob is displayed...


Page 91: ...junction with server-side key generation requests. This request can only be initiated through a TPS subsystem. A DRM agent reviews these requests. An agent can search for and list key service requests with a particular status, such as completed or rejected, select a key service request from the returned list, and examine the request details. Key service requests are handled internally; it is not necessary...

Page 92: ...s. Rejected requests do not comply with the archival or recovery policies. Unless the system is specially configured to allow requests to be rejected, there are no rejected requests. Show completed requests: Completed requests include archival requests for which proof of archival has been sent and completed recovery requests. Show all requests: All requests stored in the system. 5. To start the list at a s...

Page 93: ...8. On the Key Service Request Queue form, find a particular request. If the desired request is not shown, scroll to the bottom of the list and use the arrows to move to another page of search results. 9. Clicking the ID number next to a request opens the Request Details page, which gives the complete information for the request. The request cannot be modified in this page...

Page 94: ...or if a key's owner is unavailable, data encrypted with that key cannot be read unless a copy of the private key was archived when the key was created. The archived key can then be recovered and used to read the data. A DRM agent manages key recovery through the DRM agent services page. Archived keys can be searched to view the details or to initiate a key recovery. Once a key recovery is initiated, a m...

Page 95: ...a Recovery Manager Agents. You can change the scheme by modifying the appropriate parameters in the CS.cfg file. Refer to Section 7.2.2, Recovering Keys, for more information on this topic. NOTE: This section describes how to recover keys that are not stored on a smart card. For smart card key recovery, see the token management chapter in the Certificate System Administrator's Guide and Chapter 9, TPS: Mana...

Page 96: ...The owner name for a key, like the subject name for a certificate, consists of a string that can be used in searches. NOTE: Certificate System certificate request forms support all UTF-8 characters for the common name (owner name), and the common name field is included in the subject name of the certificate. This means that the searches for subject names or the common name in the subject name support UTF...

Page 97: ...he text area. NOTE: The encryption certificate associated with the key pair must be found first. Use the Certificate Manager agent services page to find the certificate; for instructions, see Section 4.3, Examining Certificate Details. Archiver: Finds keys that were archived by a specific server. Select the check box and enter the user ID of the Certificate Manager that submitted the key archival request. T...

Page 98: ...select a key. If a desired key is not shown, scroll to the bottom of the list and use the arrows to move to another page of search results. 6. Click the ID number next to the selected key. The details of the selected key are shown in the Key details page. It is not possible to modify the key through this page...

Page 99: ...On the DRM agent services page, click Recover Keys, specify search criteria, and click Show Key to display a list of archived keys. 2. In the Search Results form, select a key. If a desired key is not shown, scroll to the bottom of the list and select Next or Previous for another page of search results. 3. Click Recover next to the selected key. The key details are displayed in the Authorize Key Recovery fo...

Page 100: ...assword that the requester uses to import the recovered certificate/key pair package. 5. Optionally, set a certificate nickname for the archived key. 6. Paste the base-64 encoded certificate corresponding to the archived key into the text area. The certificate can be searched and viewed through the Certificate Manager agent services pages. If the archived key was found through the corresponding public ke...

Page 101: ...e the browser after initiating the key recovery. The agent must wait for all other agents to authorize the key recovery request before the system returns the hyperlink to download the PKCS #12 file containing the private key. This page keeps refreshing to check if all other agents have authorized. The status page opens and shows the progress of the recovery, to see how many agents have yet to approve t...

Page 102: ...or Key Recovery. Every DRM agent must approve the key recovery once the agent receives the recovery authorization number. 1. Open the DRM agent services page, https://server.example.com:10443/kra/agent/kra. 2. Select Authorize Recovery. 3. Enter the recovery authorization request number...

Page 103: ...Recovering Keys 93. 4. Select Examine to examine the key being recovered. 5. Select Grant to complete the key recovery...

Page 104: ...k download/import the PKCS #12 file. 2. When selecting the PKCS #12 file, a dialog box appears. Specify the path and filename to save the encrypted file containing the recovered certificate and key pair. 3. Send the encrypted file to the requester. 4. Give the recovery password to the requester in a secure manner. The requester must use this password to import the recovered certificate/key pair...

Page 105: ...s Identified by the Online Certificate Status Manager. The Online Certificate Status Manager can be configured to receive CRLs from multiple Certificate Managers. Each Certificate Manager that can publish CRLs to the Online Certificate Status Manager must have its CA signing certificate stored in the internal database of the Online Certificate Status Manager. For instructions, see Section 8.2, Identify...

Page 106: ...by storing the Certificate Manager's CA signing certificate in the internal database of the Online Certificate Status Manager. To store the Certificate Manager's CA signing certificate in the internal database of the Online Certificate Status Manager: 1. Open the Certificate Manager's end-entities page, https://server.example.com:9444/ca/ee/ca. 2. Select the Retrieval tab, and in the left frame, click List...


Page 108: ...tificate Authority Page. 11. Click Add. The certificate is added to the internal database of the Online Certificate Status Manager. NOTE: If the CA contains multiple CRL distribution points, always publish the master CRL, the CRL that contains all revoked certificates from that CA, to the OCSP responder...

Page 109: ...suing point, select the option to display the CRL as base-64 encoded, and click Display. 4. In the CRL details page, scroll to the Certificate revocation list (base64 encoded) section, which shows the CRL in base-64 format. 5. Copy the base-64 encoded CRL, including the BEGIN CERTIFICATE REVOCATION LIST and END CERTIFICATE REVOCATION LIST marker lines, to the clipboard or a text file. The CRL looks similar to...

Page 110: ...of the Online Certificate Status Manager. 8.4. Checking the Revocation Status of a Certificate. The revocation status of a certificate is checked by submitting the certificate in its base-64 encoded format to the Online Certificate Status Manager. 1. Open the Certificate Manager's end-entities page, https://server.example.com:9444/ca/ee/ca...

Page 111: ...e certificate. This will usually have the server name or user name in the subject name of the certificate. 5. Click on the subject name. 6. In the certificate contents page, scroll to the Base 64 encoded certificate section, which shows the CA signing certificate in its base-64 encoded format. 7. Copy the base-64 encoded certificate, including the BEGIN CERTIFICATE and END CERTIFICATE marker lines, to the cl...

Page 112: ...rtificate Status Manager: Verifying Certificate Status 102. 10. Paste the certificate inside the Base 64 encoded certificate text area. 11. Click Check. 12. The results page shows the status of the certificate that was submitted...

Page 113: ...er agent services page also includes a summary of the total processes performed by the subsystem instance, like the total number of OCSP requests and its total processing time since the instance was last started. This is a useful way to track traffic for an OCSP responder and its performance...

Page 114: ...e status of the certificate. The total time is the sum of the signing and processing times. The time-per-response metrics (signing time and total time) and the responses-per-second metric show the performance of the OCSP responder. Very high response times, lasting several seconds, could indicate that traffic is heavy for the Online Certificate Status Manager or that the configuration of the subsystem or its...

Page 115: ...NOTE: Smart cards are also referred to as tokens in this chapter and in the TPS services pages. 9.1. Overview of TPS Roles. TPS users are divided into three roles: Agents, who perform actual token management operations such as setting the token status and changing token policies. Administrators, who manage users for the TPS subsystem and have limited control over tokens. Operators, who have no management co...

Page 116: ...cates and activities. TPS administrators can view tokens and certificates, can add and delete tokens, and can add, edit, and delete TPS users. Administrators can also view slightly more activities than agents or operators, because they can view both token and user events. Each tab is accessed by the roles defined on the user entry and by authenticating to the TPS site with the appropriate certificate. The...

Page 117: ...hing for certificates, tokens, or activities. Setting profiles for users is described in Section 9.4.2.3, Setting Profiles for Users. 9.2.1. Searching Tokens. To look for all tokens, a subset of tokens, or a specific token, click the List/Search Tokens link and fill in the name of the user or the whole or partial token identification number (CUID). Asterisks can be used in the search fields as wildcards. Leavin...

Page 118: ...e is a maximum allowed number of search results configured for the TPS Directory Server database, so the number of entries returned is constrained by the search limit. Each results page shows 25 records. 9.2.2. Viewing Tokens. After searching for tokens, click the link of the token ID to view the token information...

Page 119: ...nded or revoked token also has an attribute to show the reason why the token status was changed. Policy, which sets the user policies for the token, such as whether the token can be reused. Token Type, which is the enrollment profile which is used to enroll the token. The system information shows information about the token that is processed by the TPS: Key Info, the types of keys and bit strength generat...

Page 120: ...cal to the regular token search form. As with searching for tokens, asterisks can be used in the search fields as wildcards, and leaving a field blank returns all tokens. There is a maximum allowed number of search results configured for the TPS Directory Server database, so the number of entries returned is constrained by the search limit. Each results page shows 25 records. Figure 9.4. Results for Searc...

Page 121: ...he whole or partial token identification number (CUID). The certificates search form then appears, identical to the regular token search form. As with searching for tokens, asterisks can be used in the search fields as wildcards, and leaving a field blank returns all tokens. There is a maximum allowed number of search results configured for the TPS Directory Server database, so the number of entries return...

Page 122: ...rned for the operation. Created, the time that the activity was performed. The second line contains a detailed description of what operation was performed. 9.3. Performing Agent Tasks. Agents perform two important management tasks for tokens: setting the token status and setting the token policies. They can also edit the token information, search certificates, and search activities. IMPORTANT: A user can only...

Page 123: ...tification number (CUID). Asterisks can be used in the search fields as wildcards. NOTE: A user can only see entries relating to the profile configured for it, including both token operations and tokens themselves. For an agent to be able to see a certain token or group of tokens, the agent user entry must be configured to view that token profile. Setting profiles for users is described in Section 9.4...

Page 124: ...maximum allowed number of search results configured for the TPS Directory Server database, so the number of entries returned is constrained by the search limit. Each results page shows 25 records. 9.3.2. Viewing Tokens. After searching for tokens, click the link of the token ID to view the token information...

Page 125: ...nded or revoked token also has an attribute to show the reason why the token status was changed. Policy, which sets the user policies for the token, such as whether the token can be reused. Token Type, which is the enrollment profile which is used to enroll the token. The system information shows information about the token that is processed by the TPS: Key Info, the types of keys and bit strength generat...

Page 126: ...d set policies for the token. NOTE: A user can only see entries relating to the profile configured for it, including both token operations and tokens themselves. For an agent to be able to see a certain token or group of tokens, the agent user entry must be configured to view that token profile. Setting profiles for users is described in Section 9.4.2.3, Setting Profiles for Users. Figure 9.8. Managin...

Page 127: ...initiate a PIN reset operation. RENEW, which allows a user to regenerate their existing certificates using the original key and an extended validity period. The supported token policies accept values of either YES or NO. To set both policies, separate them with a semicolon. For example: RE_ENROLL=NO;PIN_RESET=YES. The default value is for the RE_ENROLL and PIN_RESET parameters to be set to YES. If both...

Page 128: ...lick its ID link. Figure 9.10. Editing the Token Policy. 9.3.3.3. Changing Token Status. Agents can change the status of the token. Token status affects key recovery policies: the status of the token impacts whether a key should be recovered from the DRM or reissued, whether new tokens will be blocked because there are already active existing tokens, and whether to issue or revoke temporary tokens. The stat...

Page 129: ...icates for the user can be generated on a new token. The lost token has been found: The TPS takes the certificates off hold and marks the token active. The temporary certificates are revoked, and the original certificates are taken off hold. The lost token cannot be found (permanently lost): The TPS revokes the certificates and marks the token lost. The temporary certificates and the original certificates...

Page 130: ...icates revoked. If the user cannot locate the original token, the TPS agent must change the status of the original token to This temporarily lost token cannot be found. The certificates on the original token are revoked. The status of the temporary token is updated to inactive, and its certificates are revoked. The user is then permitted to enroll for a permanent token. 9.3.4. Searching Certificates. NOTE: It i...

Page 131: ...Last Modified At, the timestamp of the last modification to the certificate. 9.3.5. Searching Activities. Activities are essentially logs for the TPS subsystem and for the actions taken on individual tokens. Activities are logs of actions performed on a token, so searching for activities means searching for the token and returning its specific log of activities. To find all tokens, a subset of tokens, or...

Page 132: ...has the following information: Activity ID, the unique ID of the activity entry. Token, the ID of the token for which the activity was performed. IP, the IP address of the client which connected to the TPS and performed the operation. User ID, the ID of the person who performed the operation. Operation, the kind of action being taken. Result, the result returned for the operation. Created, the time that the act...

Page 133: ...ity logs. IMPORTANT: A user can only see entries relating to the profile configured for it. This means that all results are filtered by the profiles that the user can view, including listing and searching for certificates, tokens, or activities. For an administrator to be able to manage all tokens, the user account needs to be set to All profiles. Setting profiles for users is described in Section 9.4...

Page 134: ...the token connects to TPS, such as connecting through the Enterprise Security Client. However, it may be necessary to pre-populate the tokens with keys or other custom information; this can be done by manually adding and editing the token in the TPS. 9.4.1.2. Searching Tokens. To look for all tokens, a subset of tokens, or a specific token, click the List/Search Tokens link and fill in the name of the user...

Page 135: ...ber of search results configured for the TPS Directory Server database, so the number of entries returned is constrained by the search limit. Each results page shows 25 records. 9.4.1.3. Viewing Tokens. After searching for tokens, click the link of the token ID to view the token information...

Page 136: ...pended, and any suspended or revoked token also has an attribute to show the reason why the token status was changed. Policy, which sets the user policies for the token, such as whether the token can be reused. Token Type, which is the enrollment profile which is used to enroll the token. The system information shows information about the token that is processed by the TPS: Key Info, the types of keys and...

Page 137: ...s. For the TPS subsystem, users are added and managed through the Administrator Operations page, which replaces an administrative console for that subsystem. As with other subsystems, the TPS administrator can create other users who access the TPS subsystem. These users are created through the administrator services tab. 9.4.2.1. Searching Users. Search for all users, a subset of users, or specific users by...

Page 138: ...nd paste in the certificate, without the BEGIN CERTIFICATE and END CERTIFICATE lines. 4. Select the roles to which the user belongs. The user can only see the tabs (services pages) of the roles to which he belongs. 9.4.2.3. Setting Profiles for Users. A TPS profile is much like a CA profile; it defines rules for processing different types of tokens. The profile is assigned automatically to a token based on s...

Page 139: ...s page. 2. Scroll to the bottom of the page and select the profile from the drop-down menu. Only fifteen (15) profiles are listed in the menu; if there are more than fifteen profiles available, then the last profile is Other, which allows the administrator to type in the selected profile manually. NOTE: If the All Profiles option is added to the user, then any other configured profiles are dropped, because th...

Page 140: ...n also see non-token operations, like adding or editing users. Activities are logs of actions performed on a token, so searching for activities means searching for the token and returning its specific log of activities. To find all tokens, a subset of tokens, or a specific token, click the List/Search Activities link in the Administrator Operations tab and fill in the name of the user or the whole or par...

Page 141: ...he ID of the person who performed the operation. Operation, the kind of action being taken; a type of no_token means it is an administrative operation. Result, the result returned for the operation. Created, the time that the activity was performed. The second line contains a detailed description of what operation was performed. 9.4.4. Managing the TPS Audit Logs. Audit logs are special protected logs that a...

Page 142: ...ther subsystem logs, in /var/log/subsystem_name by default. Signed audit logs are written to /var/log/subsystem_name/signedAudit. NOTE: For other Certificate System subsystems, audit logging is maintained in the Java-based administrative console. The TPS subsystem, however, does not use a Java console, so administrative tasks are either performed by directly editing the configuration files or, as with managin...

Page 143: ...ssed by the authorization servlets. ROLE_ASSUME: A user assuming a role. A user assumes a role after passing through authentication and of administrator, auditor, and agent are tracked. Custom roles are not tracked. PIN_RESET: Shows when the password used to access the token is reset. AUTH_FAIL: Shows when a user does not successfully authenticate. CONFIG_SIGNED_AUDIT: Records when any change is made to the c...

Page 144: ...1 active. Through the TPS agent's page, however, viewing Token 1 shows Signing 1 is active; viewing Token 2 shows that Signing 1 is revoked. This is because Signing 1 was still revoked when Token 2 was formatted, and that information was not updated when Token 1 was subsequently formatted. To find the current status of certificates, view an active token and list the certificates. Active tokens always...

Page 145: ...e status, 133. Certificate System: directory server and, 59; overview, 1; subsystems, 1. certificates: conflicting status, 133; finding, 45; issuing to requester, 42; searching for, 34, 46; taking off hold, 54. cloning enrollment requests, 30. cryptography concepts, v. D. Data Recovery Manager, 81: agent services forms, 7; overview, 2. Directory Server: Certificate System and, 59. E. end entities, 1. enrollment requests: approving, 40; c...

Page 146: ...enrollment: cloning, 30; examining, 33; handling process, 29; listing, 31; statuses, 32; types of, 31. revoking certificates: taking certificate off hold, 54. S. security concepts, v. servlet XML parameter, 13. status of requests, 32. subsystems overview, 1. T. Token Processing System, 105. TPS: adding users, 127; agent services forms, 8; certificates conflicting stat, 133; certificates and tokens, 105; changing token status, 118; del...
