Overview of Constraints-Specific Policy Modules
Chapter 3 Constraints Policy Plug-in Modules
Table 3-1 lists constraints-specific policy modules that are installed with a
Certificate Manager. An installation of a Registration Manager also includes all
these modules, except for the ones noted below:
• IssuerConstraints
• SubCANameConstraints
• UniqueSubjectNameConstraints
Note that the name of the Java class for a policy plug-in module is in this format:
com.netscape.cms.policy.<plugin_name>
where <plugin_name> is the name of a plug-in module. For example, the Java class
for the AttributePresentConstraints module would be:
com.netscape.cms.policy.AttributePresentConstraints
You can use whichever modules you need in order to define policy rules for a
Certificate Manager or Registration Manager. Note that no modules are provided
for the Data Recovery Manager. Both Certificate Manager and Registration
Manager subject a request to policy checking as explained in section “Policy
Processor” in Chapter 18, “Setting Up Policies” of CMS Installation and Setup Guide.
Keep in mind that the changes made to a request by a Registration Manager may
be overwritten by a Certificate Manager when it subjects the request to its own
policy checks.
Table 3-1 Default constraints-specific policy plug-in modules

| Plug-in module name | Function |
|---|---|
| AttributePresentConstraints | Rejects a request if an LDAP attribute is not present in the enrolling user’s directory entry or if the attribute does not have a specified value. For details, see “AttributePresentConstraints Plug-in Module” on page 86. |
| DSAKeyConstraints | Certifies only those DSA keys that have specific key lengths. For details, see “DSAKeyConstraints Plug-in Module” on page 91. |
| IssuerConstraints | Checks for certificates that have been issued by a particular CA. For details, see “IssuerConstraints Plug-in Module” on page 94. |
| KeyAlgorithmConstraints | Certifies only those keys that are generated using one of the permitted algorithms, such as RSA or DSA. For details, see “KeyAlgorithmConstraints Plug-in Module” on page 97. |
| RenewalConstraints | Allows or rejects requests for renewal of expired certificates. For details, see “RenewalConstraints Plug-in Module” on page 99. |
Netscape Certificate Management System Plug-Ins Guide, Version 6.0, March 2002