
Appendix J
Introduction to Public-Key Cryptography

Certificates and Authentication

known as nonrepudiation. In other words, signed email makes it very difficult for 
the sender to deny having sent the message. This is important for many forms of 
business communication. (For information about the way digital signatures work, 
see “Digital Signatures,” which begins on page 769.)

S/MIME also makes it possible to encrypt email messages. This is also important 
for some business users. However, using encryption for email requires careful 
planning. If the recipient of encrypted email messages loses his or her private key 
and does not have access to a backup copy of the key, for example, the encrypted 
messages can never be decrypted. 

Form Signing

Many kinds of e-commerce require the ability to provide persistent proof that 
someone has authorized a transaction. Although SSL provides transient client 
authentication for the duration of an SSL connection, it does not provide persistent 
authentication for transactions that may occur during that connection. S/MIME 
provides persistent authentication for email, but e-commerce often involves filling 
in a form on a web page rather than sending an email.

The Netscape technology known as form signing addresses the need for persistent 
authentication of financial transactions. Form signing allows a user to associate a 
digital signature with web-based data generated as the result of a transaction, such 
as a purchase order or other financial document. The private key associated with 
either a client SSL certificate or an S/MIME certificate may be used for this 
purpose. 

When a user clicks the Submit button on a web-based form that supports form 
signing, a dialog box appears that displays the exact text to be signed. The form 
designer can either specify the certificate that should be used or allow the user to 
select a certificate from among the client SSL and S/MIME certificates that are 
installed in Communicator. When the user clicks OK, the text is signed, and both 
the text and the digital signature are submitted to the server. The server can then 
use a Netscape utility called the Signature Verification Tool to validate the digital 
signature.

For more information about support for form signing in Netscape products, see 
Netscape Form Signing.

Single Sign-On

Network users are frequently required to remember multiple passwords for the 
various services they use. For example, a user might have to type a different 
password to log into the network, collect email, use directory services, use the 
corporate calendar program, and access various servers. Multiple passwords are an 
ongoing headache for both users and system administrators. Users have difficulty 

Netscape Certificate Management System Administrator's Guide, Version 6.1, February 2003


Страница 145: ...ith the configuration and resume after you receive the certificate The default selection is No Select Yes if you have the certificate ready in its base 64 encoded format Click Next to continue If you...

Страница 146: ...server option and then click Submit d In the resulting page locate the CA certificate chain in its base 64 encoded format and copy the certificate chain to the clipboard e Return to the Installation W...

Страница 147: ...given the choice to select the format for the certificate request Otherwise the request format will be PKCS 10 If you want the wizard to generate the certificate request in PKCS 10 format select the...

Страница 148: ...te is displayed scroll down to the base 64 encoded version of the certificate highlight all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be s...

Страница 149: ...nd issue the certificate To approve the request do the following In the web browser window enter the URL for the Certificate Manager s Agent Services page You must have a valid agent s certificate Sel...

Страница 150: ...Wizard screen click Yes or No Select No if you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait days o...

Страница 151: ...e from which you requested the singing certificate Follow these steps to import the remote Certificate Manager s CA chain a Go to the web browser window b Enter the end entity URL for the remote Certi...

Страница 152: ...relationship when you issued this certificate by selecting this option in the agent services interface on the request page used to approve the request If you have done this you do not need to further...

Страница 153: ...ACL Configuration The configuration set up for the Certificate Manager gives the following privileges to members of the following groups Members of the Administrator group can perform any operations...

Страница 154: ...database and they must be configured as trusted see Changing the Trust Settings of a CA Certificate on page 296 and Installing a New CA Certificate in the Certificate Database on page 297 Certificate...

Страница 155: ...r each of the interfaces when you install the Registration Manager You can change the ports that any of the interfaces listen on and you can remove the HTTP non SSL end entity port if you will not use...

Страница 156: ...Settings You can change the configuration of the internal database after installation including restricting access to the internal database see The Internal Database on page 290 for information on doi...

Страница 157: ...tion method to be agent approved or automated The agent approved enrollment in person agent initiated enrollment and CMC enroll methods are enabled and configured when you install the Registration Man...

Страница 158: ...you like The authentication methods that you can configure are Directory Based Enrollment End entities are authenticated against an LDAP directory using their user ID or DN and password See Setting Up...

Страница 159: ...rmation see Chapter 11 Policies If you set up and enable policies in the Registration Manager you must be careful how you set up policies in the Certificate Manager that issues certificates for this R...

Страница 160: ...es interface for processing The agent can change some aspects of the request as long as they are within the constraints set in the certificate profile reject the request change the status of the reque...

Страница 161: ...set up a trusted relationship between a Data Recovery Manager and a Registration Manager so that the end entities private encryption keys are archived during the certificate request See Chapter 6 Data...

Страница 162: ...m The form creates a request that is then submitted to the Registration Manger The enrollment form can trigger the creation of the public and private keys for this request or for dual key pairs The en...

Страница 163: ...ate request is either rejected at some point in the process either by an agent because it did not meet the policy certificate profile or authentication requirements or the request is signed and sent t...

Страница 164: ...set up for a single method of renewal All requests are made to the renewal page of the end entity interface The end entity presents their old certificate and if they meet the policies for renewal a ne...

Страница 165: ...agents can approve requests made by end entities to revoke their certificates but agents cannot revoke certificates on their own The Certificate Manager agent for the CA that issued the certificate w...

Страница 166: ...How a Registration Manager Works 166 Netscape Certificate Management System Administrator s Guide February 2003...

Страница 167: ...with OCSP Service Online Certificate Status Manager Deployment Considerations Installing an Online Certificate Status Manager Setting Up the OCSP Responder Configuring the Online Certificate Status M...

Страница 168: ...ins all the information required by the responder to process it If it does not or if it is not enabled for the requested service a rejection notice is sent If it does have enough information it proces...

Страница 169: ...st is subjected to policy checking see Configuring Policy Rules for a Subsystem on page 491 For more information about the certificates associated with OCSP see SSL Server Key Pair and Certificate on...

Страница 170: ...real time status of all certificates it has issued this method of revocation checking is most accurate Since the internal OCSP service checks the status of certificates stored in the Certificate Mang...

Страница 171: ...ublish the CRL As explained earlier the Online Certificate Status Manager stores each Certificate Manager s CRL in its internal database and uses it as the default CRL store for verifying certificates...

Страница 172: ...you will have to create this policy and configure it for this service If you installed the Certificate Manager s with its OCSP service feature disabled a default policy rule named AuthInfoAccessExt i...

Страница 173: ...alled The Online Certificate Status Manager s signing certificate was issued by the CA to which you submitted the certificate signing request SSL Server Key Pair and Certificate Every Online Certifica...

Страница 174: ...I application An Agent Services interface that is accessible by default only to members of the Online Certificate Status Manager Agent group The agent s services interface is an HTML interface accessi...

Страница 175: ...formation such as certificates and certificate requests used by the subsystem you will be installing in this CMS instance By default a separate internal database is created for each subsystem you conf...

Страница 176: ...ngth to 4096 bits for certificates that provide access to highly sensitive data or services CMS signing keys up to 2048 bits in length are not subject to export restrictions However the question of ke...

Страница 177: ...assuming more than one role Deselect if you want to restrict users from being able to belong to more than one role This setting only applies to the default administrator agent auditor roles Click Nex...

Страница 178: ...manager Certificate Manager or Registration Manager automatically The wizard creates a certificate request that you must submit to a CA To automatically submit the request to a remote Certificate Man...

Страница 179: ...u re required to paste the encoded certificate into the Installation Wizard next So once you ve copied the certificate go back to the wizard screen Step 13 Also note that you might be required to past...

Страница 180: ...ght all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be sure to not make any changes to the certificate You re required to paste the encoded...

Страница 181: ...p 17 14 Location of Certificate Specify the location of the certificate You can use one of these options If you noted the file path to the file that contains the certificate in its base 64 encoded for...

Страница 182: ...o a text file Be sure to not make any changes to the certificate You re required to paste the encoded certificate into the Installation Wizard next So once you ve copied the certificate go back to the...

Страница 183: ...icate Extensions for SSL Server Certificate Select the required extensions The default settings should work for most deployments If necessary you can add an additional extension by pasting its base 64...

Страница 184: ...nd entity port uses SSL III Click Next to submit the request The Certificate Request Result screen appears confirming that the request has been submitted Note the request ID provided in the response m...

Страница 185: ...entities III Click Manual Server Certificate Enrollment or click Agent Based Server Certificate Enrollment if you have an agent certificate If you choose Agent Based Server Certificate Enrollment and...

Страница 186: ...click Approve Request 22 SSL Server Certificate Installation Depending on whether you have the certificate ready for pasting into the Installation Wizard screen click Yes or No If you have submitted...

Страница 187: ...continue 25 Import Certificate Chain This screen appears only if you need to import the CA certificate chain Follow these steps to import the CA chain of a Certificate Manager a Go to the web browser...

Страница 188: ...et up to read from that LDAP publishing directory 3 You must configure your policies or certificate profiles for every CA that will publish to the OCSP Responder to include the Authority Information A...

Страница 189: ...can configure for the Online Certificate Status Manager and points you to specific information on configuring those sets of features Adding Users Once the Online Certificate Status Manager is installe...

Страница 190: ...the signed audit log and can view configuration settings but cannot perform any other operations on configuration settings and do not have any access to the agent services interface Online Certificate...

Страница 191: ...the Certificate Database on page 298 OCSP Certificates Depending on who signed your Online Certificate Status Manager s SSL server certificate you may need to perform the following actions to get that...

Страница 192: ...during or after installation See Changing an IP Addresses on page 289 for details Changing Subsystem Security Setting You can configure the security of each subsystem by changing the SSL version used...

Страница 193: ...Online Certificate Status Manager contains the framework for jobs but does not contain any prebuilt jobs You can build jobs using the CMS SDK For detailed information on setting up publishing see Cha...

Страница 194: ...a value of zero 0 Verify Certificate Manager and Online Certificate Status Manager Connection When you restart the Certificate Manager it tries to connect to the Online Certificate Status Manager s en...

Страница 195: ...ificate Status Manager and then select Revocation Info Stores The right pane shows the two repositories the Online Certificate Status Manager can use by default it uses the CRL in its internal databas...

Страница 196: ...window to see the updated fields host n Type the fully qualified DNS hostname of the LDAP directory The name must be in the machine_name your_domain domain form For example corpDir1 example com port n...

Страница 197: ...ement tab 7 Click Refresh Testing Your OCSP Setup To test whether the Certificate Manager can service OCSP requests properly follow these steps 1 Turn On Revocation Checking in your browser or client...

Страница 198: ...cate Manager s OCSP service status again to verify that these things happened The browser sent an OCSP query to the Certificate Manager this response was initiated when you clicked the View button The...

Страница 199: ...ply it for example has left the organization that owns the data This chapter explains how to use the Data Recovery Manager to archive end entity s encryption private keys and how to use the archived k...

Страница 200: ...used to impersonate the digital identity of the original key owner Clients that generate single key pairs use the same private key for both signing and encrypting data so you cannot archive and recove...

Страница 201: ...ce of the Data Recovery Manager For information on customizing this form see Step C Customize the Certificate Enrollment Form on page 231 Initiating the key recovery process also requires its own HTML...

Страница 202: ...stored as a key record The archived copy of the key remains encrypted or wrapped with the Data Recovery Manager s storage key see Data Recovery Manager s Key Pairs and Certificates on page 215 It can...

Страница 203: ...ata Recovery Manager uses two special key pairs A transport key pair and corresponding certificate A storage key pair Figure 6 1 illustrates how the key archival process occurs when an end entity s re...

Страница 204: ...r decrypts it with the private key that corresponds to the public key in its transport certificate After confirming that the private encryption key corresponds to the end entity s public encryption ke...

Страница 205: ...tate this by allowing each recovery agent to enter a password in the Data Recovery Manager during configuration They must be available to retrieve your end entity s encryption private keys if the need...

Страница 206: ...y recovery agents m provide their identifiers and passwords After verifying the passwords the Data Recovery Manager reconstructs the PIN for the token based on the given information Interface for the...

Страница 207: ...ery Manager retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS 12 package By default key recovery authorization is local Remote Key Recovery Auth...

Страница 208: ...g the local authorization option in the Key Recovery form How Agent Initiated Key Recovery Works In an agent initiated key recovery the key is recovered by the collective efforts of a Data Recovery Ma...

Страница 209: ...anager agent accesses the Key Recovery form using the appropriate client certificate types the identification information pertaining to the person whose encryption private key needs to be recovered an...

Страница 210: ...sword for the PKCS 12 package and their individual identifiers and passwords The Data Recovery Manager agent submits the page to the Data Recovery Manager 5 The Data Recovery Manager matches the key r...

Страница 211: ...orage key password Each password retrieves only a part of the private storage key You first specified the key recovery agent scheme when you installed the Data Recovery Manager Changing the Key Recove...

Страница 212: ...rator s Guide February 2003 3 In the navigation tree select the Data Recovery Manager and in the right pane click the Scheme Management tab The Scheme Management tab shows the current key recovery sch...

Страница 213: ...ion click Done You are returned to the Scheme Management tab Changing Key Recovery Agents Passwords As administrator you have the responsibility of safeguarding the security of each Data Recovery Mana...

Страница 214: ...ars 5 Allow the agent to enter the appropriate information During installation the Data Recovery Manager prompts you to enter key recovery agent passwords by default they are set to agent n where n ca...

Страница 215: ...ing key pairs and certificates Transport Key Pair and Certificate Storage Key Pair SSL Server Key Pair and Certificate Transport Key Pair and Certificate Every Data Recovery Manager you have installed...

Страница 216: ...used see Chapter 6 Data Recovery Manager Note that the public component of the storage key pair is not certified there is no certificate that corresponds to the public key Keys encrypted with the sto...

Страница 217: ...of already installed and available tokens For example SmartCard For installation instructions see External Token on page 316 Internal Database Each subsystem uses an internal database to store inform...

Страница 218: ...tions permitting it may be a good rule of thumb to start with 1024 bits and consider increasing the length to 4096 bits for certificates that provide access to highly sensitive data or services Howeve...

Страница 219: ...ant to restrict users from being able to belong to more than one role This setting only applies to the default administrator agent auditor and trusted manager roles Click Next to continue 7 Subsystems...

Страница 220: ...rtificate extension text field accepts a single extension blob If you want to add multiple extensions you should use the ExtJoiner program which is also provided in the tools directory For details on...

Страница 221: ...it for the remote Certificate Manager s agent to approve your request IV Open a web browser window V Enter the URL for the remote Certificate Manager s Agent Services page You must have a valid agent...

Страница 222: ...tificate Manager s Agent Services page You must have a valid agent s certificate VII Select List Requests click Show Pending Requests and click Find VIII In the pending request list locate your reques...

Страница 223: ...inue as far as you can with the configuration and resume after you receive the certificate The default is No Select Yes only if you have the certificate ready in its base 64 encoded format Click Next...

Страница 224: ...n PKCS 7 for importing into a server option and click Submit e In the resulting page locate the CA certificate chain in its base 64 encoded format and copy it to the clipboard f Return to the Installa...

Страница 225: ...fied host name of the machine on which you re installing the Data Recovery Manager Click Next to continue 24 Certificate Extensions for SSL Server Certificate Select the required extensions The defaul...

Страница 226: ...you ve permission to access that Certificate Manager s Agent interface you can follow the instructions below to issue the certificate Otherwise you should wait for the remote Certificate Manager s age...

Страница 227: ...f you used the Agent Based Server Certificate Enrollment and you have an agent certificate the certificate will be automatically issued once you submit the request If you used the Manual Server Certif...

Страница 228: ...tificate request has been saved to a file You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA s signing certifica...

Страница 229: ...red details Click Next to continue 29 Certificate Details This is an informational screen that displays the certificate so you can inspect its contents Notice the nickname assigned to the certificate...

Страница 230: ...See Agent Certificates on page 337 for details Configuring Key Archival and Recovery Process By default the Data Recovery Manager is not configured to archive or recover end entity s encryption privat...

Страница 231: ...t it initiates the key archival process and requests the service of the Data Recovery Manager for archiving the key For the enrollment authority to be able to request the service of the Data Recovery...

Страница 232: ...required to update the following information only The Data Recovery Manager s transport certificate The algorithm length type and usage for end entity s key pairs When you update this information the...

Страница 233: ...marker lines BEGIN CERTIFICATE and END CERTIFICATE to a text file An example is shown below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCV VMxLDAqBgNVBAoTI0 5ldHNjYXBlIENvbW11bmljYXRpb...

Страница 234: ...es BEGIN CERTIFICATE and END CERTIFICATE to a text file The copied information should look like the example below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCV VMxLDAqBgNVBAoTI0 5ldHNj...

Страница 235: ...BvcmF0aW9uMREw DwYDVQQ LEwhIYXJkY29yZTEnMCUGA1UEAxMeSGFyZGNvcmUgQ2VydGlmaWNhdGUgU2Vy dmVyIEl JMB4XDTk4MTExOTIzNDIxOVoXDTk5MDUxODIzNDIxOVowLjELMAkGA1UEBhMC VVMxETA PBgNVBAoTCG5ldHNjYXBlMQwwCgYDVQQDEwNL...

Страница 236: ...ess on page 205 In particular you should be familiar with how the key archival process works If you are not see How Agent Initiated Key Recovery Works on page 208 The Data Recovery Manager supports ag...

Страница 237: ...ode for Key Recovery The Data Recovery Manager allows key recovery agents to authorize recovery of an end entity s encryption private key locally or remotely The default configuration is local authori...

Страница 238: ...ss using Netscape Communicator 4 7 with Personal Security Manager version 1 01 Step A Test Your Key Archival Setup To test whether you can successfully archive a key follow these instructions 1 Enroll...

Страница 239: ...the value of the E attribute e Locate and approve the request 3 Check if the certificates have been issued To do this a Click the List Requests link again b In the form that appears select the Show co...

Страница 240: ...gned and encrypted There should be a security icon at the top right corner of the message window and it should indicate that the message is signed and encrypted Step C Delete the Certificate To do thi...

Страница 241: ...Recovery Works on page 208 The base 64 encoded certificate that corresponds to the private key you want to recover use the enrollment authority s end entity or agent interface to get this information...

Страница 242: ...ocess 242 Netscape Certificate Management System Administrator s Guide February 2003 3 Open the test email that you couldn t verify after deleting the certificate from the browser s certificate databa...

Страница 243: ...the internal database This chapter contains the following sections The Administrative Interface System Passwords Starting Stopping and Restarting CMS Instances Subsystem Configuration Overview Mail Se...

Страница 244: ...u to configure CMS through Netscape Console You access Administration Server by entering its URL in the Netscape Console login screen and providing the user ID and password of the administrative user...

Страница 245: ...d administration interface to the user directory You can accomplish various CMS specific tasks from the Console tab Launch the CMS console Install instances of CMS Remove an instance of CMS Clone an i...

Страница 246: ...eges with Directory Server but does not allow you to create CMS server instances Password Type the password for this user ID Administration URL Specify the URL for the Administration Server you want t...

Страница 247: ...e choices available in this tab will change depending on which subsystem is installed in this server instance The specifics of setting these configuration settings is contained in the appropriate sect...

Страница 248: ...resented with a list of your certificates to choose from in order to login You will not be presented with the userID Password entry dialog 4 The CMS console opens Viewing Information About a CMS insta...

Страница 249: ...rver s status whether it is started stopped or unknown normally unknown indicates that the server hasn t been configured properly 3 To change the name of the instance or its description Select the ins...

Страница 250: ...you need to use certutil to initialize cert8 db and key3 db and to create certificate request make sure to set the LD_LIBRARY_PATH correctly To do this issue the following command setenv LD_LIBRARY_P...

Страница 251: ...lientauth authType sslclientauth 20 Save the file 21 Open the file server xml 22 Change the clientauth off attribute to clientauth on in the SSLPARAMS section of the LS id admin LS id admin ip 0 0 0 0...

Страница 252: ...d manages Passwords you enter for LDAP directory access are not subjected to quality checks The reason for this is the password quality is handled by the system that creates and manages the password I...

Страница 253: ...rds because this file stores the passwords in a plain text file If you do delete the password conf file you must start the server instance using the command line You will be prompted for the token pas...

Страница 254: ...CMS Instances Each instance of CMS is started stopped and restarted separately This section describes how to start stop and restart CMS instances and how to check its current status Starting a Server...

Страница 255: ...etting in the CMS cfg file that allows you to set the absolute time out the amount of time before the between issuing the shutdown command and actual shutdown If this time is reached before all proces...

Страница 256: ...ine To stop a CMS instance from the command line 1 Log in either as root or with the server s user account 2 Go to the following directory server_root cert instance_id 3 Type the following command sto...

Страница 257: ...Managers you should install the root CA first You might also want to install a Certificate Manager that will develop a trusted relationship with other subsystems first Configuring Multiple CMS Instanc...

Страница 258: ...a CMS instance from your host Removing a CMS instance is not the same as uninstalling CMS For instructions on uninstalling CMS see Uninstalling CMS on page 81 To remove a CMS instance 1 Log in to Net...

Страница 259: ...k Save Configuration Files The runtime properties of CMS are governed by a set of configuration parameters These parameters are stored in a file that is read by the server during startup When you inst...

Страница 260: ...editing the configuration file because your changes will be overwritten by the cached version when the server is stopped or restarted 2 Go to the following directory server_root cert instance_id conf...

Страница 261: ...er The parameter names and their values are strings The parameter names can be hierarchically structured with notation with multiple levels for example ca Policy rule RSAKeyRule maxSize The entries co...

Страница 262: ...enrollment form so that the server is able to determine the authentication method during end user enrollment Job Scheduler parameters All job specific information such as registered job modules and c...

Страница 263: ...e Registration Managers and you want all these instances to have the same configuration you can accomplish this by configuring one of the instances and then replacing the configuration files of the ot...

Страница 264: ...stance_id logs signedAudit You can change the default location for logs by modifying it in the configuration Error and Access Logs The error and access logs are created by Netscape Enterprise Server w...

Страница 265: ...during this installation and configuration System Log This log records information about requests to the server all HTTP and HTTPS requests and the responses from the server Information recorded in t...

Страница 266: ...Specifies logged events related to the Certificate Manager Database Specifies logged events related to this server s activity with the internal database HTTP Specifies logged events related to the HTT...

Страница 267: ...l Message category Description 0 Debugging These messages contain debugging information Generally you would not want to set a log to the debugging level since it would yield far too much information f...

Страница 268: ...logs and it holds the messages in these buffers for as long as possible The server flushes out the messages to the log files only when either of the following conditions occurs The buffer gets full t...

Страница 269: ...the old file is named using the name of the file with an appended time stamp The appended time stamp is an integer that indicates the date and time the corresponding active log file was rotated The da...

Страница 270: ...e a Click Add in the Log Event Listener Management tab The Select Log Event Listener Plug in Implementation window appears It lists registered log modules b Select a plug in module c Click Next The Lo...

Страница 271: ...rval in seconds to flush the buffer to the file The default interval is 5 seconds The flushInterval is the amount of time before the contents of the buffer are flushed out and added to the log file ma...

Страница 272: ...er Management tab 6 Click Refresh Configuring Logs in the CMS cfg File To modify the configuration settings for logs 1 Stop the CMS instance 2 Open the CMS cfg file located in the directory server_roo...

Страница 273: ...for Security The default selection is 1 For more information see Log Levels Message Categories on page 267 maxFileSize Specify the file size in kilobytes KB for the error log The default size is 100...

Страница 274: ...at match the search request If you enter zero 0 no messages are returned If you leave the field blank the server returns every matching entry no limit regardless of the number found Source Select the...

Страница 275: ...udit Log on page 265 for details about signed audit logs For signing log files you use a command line utility called Netscape Signing Tool signtool For details about this utility check this site http...

Страница 276: ...avigation tree select Logs and then in the right pane select the Log Event Listener Plug in Registration tab 4 Click Register The Register Log Event Listener Plug in Implementation window appears 5 Sp...

Страница 277: ...d audit log feature is disabled by default You can also set this audit log up as a signed audit log You enable this by setting the logSigning parameter to enable and providing the nickname of the cert...

Страница 278: ...ROFILE A change is made to the configuration settings for the CRL framework in other words any of the settings for CRLs including extensions frequency and CRL format CONFIG_OCSP_PROFILE A change is ma...

Страница 279: ...stored in the Data Recovery Manager KEY_RECOVERY_AGENT_LOGIN DRM agents log in as recovery agents to approve key recovery requests KEY_RECOVERY_PROCESSED A key recovery has been processed KEY_GEN_ASYM...

Page 280: ...ed in the end-entity interface of a Registration Manager, enable the raAuditCert profile in that Registration Manager and enable the raAuditCert profile in the Certificate Manager that processes the req...

Page 281: ...as the value of the signedAuditCertNickname parameter, and specify the events that will be logged in the events parameter. 6. Assign auditor users, if you have not done so, by creating the user and assigni...

Page 282: ...e self-tests are run at start-up and can also be run on demand. The start-up self-tests run when the server starts up and will keep the server from starting up if a critical self-test fails. The on-dema...

Page 283: ...se associated with which type of subsystem has been configured with this server instance. You turn the self-test off, or change which self-tests are considered critical, by changing those settings in the...

Page 284: ...nes how large a log file can become before it is rotated. Once it reaches this size, the file is copied to a rotated file and the log file is started anew. For more information, see Log File Rotation on p...

Page 285: ...Save the file. 6. Start CMS. Ports. About Ports. CMS listens on different ports for requests from different types of users. As illustrated in Figure 7-1, it listens on an administration port, an agent port, a...

Page 286: ...se requests from the appropriate Agent Services interface. The Certificate Manager and Registration Manager agents use the agent port to process certificate issuance and management requests from end en...

Page 287: ...initiated PKI requests such as enrollment, renewal, and revocation (enrollment requests can include requests from Cisco routers using the CEP protocol), general certificate retrieval requests such as retri...

Page 288: ...this line and edit the value of the port attribute: LS id="agent" ip="0.0.0.0" port="8100" security="on" acceptorthreads="1" blocking="no". To change the end-entity HTTP port, locate this line and edit the value of...

Page 289: ...ne IP address and the Data Recovery Manager is served on another address if the host is configured with more than one IP address. To configure a CMS instance to listen to specific IP addresses: 1. Stop t...

Page 290: ...between two or more instances. You can change the internal database used by a CMS instance. This section describes how to change that instance and how to restrict access to the internal database. About...

Page 291: ...when you installed this server. If you check the files installed under server_root, the internal database instance appears like this: slapd-cms_instance_id-db. Keep in mind that the subsystems use the da...

Page 292: ...he host name of the machine on which Directory Server is installed. Port number: Type a TCP/IP port number. CMS uses this port for non-SSL communications with the Directory Server instance that is functi...

Page 293: ...dministrators group. 9. Click Set Access Control Permission and then click Add. 10. Fill in the following information: ACI Name: clientauth. Check all the rights in the Rights tab. Click This Entry in the Targ...

Page 294: ...tab. 4. In the navigation tree, expand Plug-ins and then select Pass Through Authentication. 5. In the right pane, deselect the Enable plugin option. 6. Click Save to save your changes. You are prompted to restart...

Page 295: ...ts of the certificate database and make sure that it doesn't include any unwanted CA certificates. For example, if the database includes CA certificates that you don't ever want to trust in your PKI set...

Page 296: ...anges, click Save. Changing the Trust Settings of a CA Certificate. CMS relies on the CA certificates in its certificate database for validating certificates it receives during an SSL-enabled communicati...

Page 297: ...utton named Change to Trusted. 5. Click Change to Untrusted or Change to Trusted, as appropriate. 6. Click Close. You are returned to the Certificate Database Management window. The certificate now shows a d...

Page 298: ...CA Certificate Chain in the Certificate Database. Any client or server software that supports certificates maintains a collection of trusted CA certificates in its certificate database. These CA certifi...

Page 299: ...presents you with the screens appropriate to your choice and walks you through the entire process. For installing certificates, except for cases when the certificate is self-signed by the CA, you will ne...

Page 300: ...s CA signing, OCSP signing, and SSL server certificates. If a Registration Manager is installed, the list includes the Registration Manager's signing and SSL server certificates. If a Data Recovery Manager...

Page 301: ...nformation. Specify the key pair information for the certificate to be requested. You need to identify the following: The token that contains the key pair for generating the certificate request (the drop...

Page 302: ...gth of the key pair; you are required to provide this information only if you chose to generate the certificate request based on a new key pair. For key type, you can choose RSA or DSA. Be sure to select...

Page 303: ...s is located. For example: Mountain View. State or province: enter the name of the state or province where your business is located. For example: California. Country: enter the name of the country where your...

Page 304: ...e type: select this option if you want to set any of the Netscape Certificate Type extension bits in the certificate you are requesting. When you select the option, the associated fields are enabled. You...

Page 305: ...in a base-64 encoded PKCS #10 format and is bounded by the marker lines -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----. An example is shown below: -----BEGIN NEW CERTIFICATE REQUEST----- MIICJzCCAZC...

Page 306: ...m. Sending the CSR Automatically to a CMS Manager. To send the certificate signing request (CSR) automatically to a Certificate Manager: 1. Type the appropriate values in the following fields: Send the reque...

Page 307: ...d to Install a Certificate or Certificate Chain on page 309. Sending the CSR Manually to an Internal CA. The following instructions assume that your internally deployed CA is a Certificate Manager and t...

Page 308: ...t yourself. 9. When you receive the certificate from the CA, you'll need to install it following the instructions in Using the Wizard to Install a Certificate or Certificate Chain on page 309. Sending the...

Page 309: ...currently selected CMS instance: Any of the certificates used by a Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager. Any other trusted CA certificate...

Page 310: ...ion briefly explains the data formats recognized by the wizard. Binary Formats. The wizard can recognize certificates and certificate chains in the following binary formats: DER-encoded certificate. This...

Page 311: ...install a certificate. Step 2. Select the Certificate or Certificate Chain. Select the certificate you want to install. The drop-down list shows various options. Depending on whether you want to install a...

Page 312: ...me information that will help you decide on the location. Keeping the certificate or certificate chain in a text file: the wizard can import a certificate or certificate chain from a text file in text a...

Page 313: ...ificate Chain. The wizard shows the certificate or certificate chain information you have selected for installing. You should check the information to make sure that you have chosen the correct one for...

Page 314: ...quest and install the new certificate. Determine which certificate you want to get. You can get CA signing, OCSP signing, CRL signing, and SSL server certificates for the Certificate Manager, signing and SS...

Page 315: ...e for a Registration Manager, check whether the Registration Manager has been set up as a trusted manager for a Certificate Manager and Data Recovery Manager; that is, you must identify the subsystems th...

Page 316: ...ficates. Certificate Management System automatically generates these files in the file system of its host machine when you choose to use the internal token for the first time. These files were created f...

Page 317: ...be sure to use a name that will help you identify the token later. Install the PKCS #11 Module. PKCS #11 is a standard set of APIs and shared libraries used by Netscape and a number of encryption vendors...

Page 318: ...LL to add a UNIX shared dynamic library, which on a Solaris machine is identified with the .so extension. e. Click OK. To install the PKCS #11 module using the modutil tool: a. Locate the CMS instance for whi...

Page 319: ...The token (internal or external) that stores the key pairs and certificates for the subsystems is protected (encrypted) by a password. To decrypt the key pairs, or to gain access to them, you must enter that...

Page 320: ...gistration Manager or Certificate Manager. Configuring the Server's Security Preferences. Configuring a CMS manager's security preferences involves identifying the following: The SSL server certificates...

Page 321: ...the list of SSL server certificates in the Encryption tab of the CMS window. Step 2. Update the Configuration. After you verify that the certificates are installed, configure the server as follows: 1. Stop...

Page 322: ...structions for requesting and installing an SSL client certificate for a Certificate Manager and configuring it to use that certificate for SSL client authentication to the publishing directory. 1. Log...

Page 323: ...instance_id identifies the CMS instance in which the Certificate Manager is installed. 9. After you've installed the certificate successfully, go to the Tasks tab and stop the Certificate Manager. 10. Con...

Page 324: ...Configuring the Server's Security Preferences. 324 Netscape Certificate Management System Administrator's Guide, February 2003...

Page 325: ...ing access to certain tasks associated with Netscape Certificate Management System (CMS). The authorization model is very flexible, allowing you to configure it to your needs. In order to authorize users, y...

Page 326: ...the database. With certificate-based authentication, the server also checks that the certificate is valid and finds the group membership of the user by associating the DN of the certificate with a user...

Page 327: ...and adding them to the group called Administrators; every member of this group has administrative privileges for this instance of CMS. At least one administrator must be defined for each CMS instance t...

Page 328: ...its own agents, whose role is defined by the subsystem. Each subsystem installed in a CMS instance must have at least one agent, and there is no limit to the number of agents a subsystem can have. Authent...

Page 329: ...subsystem it trusts, allowing it to communicate with the subsystem. It does this by specifying the agent services port information for that subsystem. Possible Trusted Relationships. The Registration Man...

Page 330: ...ivileges. For an agent or auditor, you also need to get a certificate and store the certificate in the internal database. If you set up the CMS console for SSL client authentication, you must also import...

Page 331: ...list of users, and the user ID now has the privileges of the group they are assigned in this instance of CMS. 5. Click Refresh to view the updated configuration. 6. Store the user's certificate if the user...

Page 332: ...st their certificate using the manual enrollment form. The automated process is built into the request approval form in the Agent Services interface, and it enables those who have both Certificate Manag...

Page 333: ...roups. The user ID you specified for the new agent will be listed there. 12. To view the certificate issued to the new agent, select the user ID and click Certificates. Setting Up a Trusted Manager. You can...

Page 334: ...ppen: The subsystem that will be trusted makes its signing certificate request to the Certificate Manager. A user who has both administrator and agent privileges with the Certificate Manager providing t...

Page 335: ...you just added appears in the list of users. Next you need to store the Registration Manager's signing certificate or Certificate Manager's SSL client certificate in the internal database of the subsy...

Page 336: ...n tree, select Registration Manager or Certificate Manager. The General Settings tab appears in the right pane. 13. Select the Connectors tab. 14. In the List of connectors, select the connector. If you are c...

Page 337: ...ement System on page 340. You can set up a feature that checks the revocation status of agent certificates. See Revocation Status Checking of Agent Certificates on page 341 for details about setting up...

Page 338: ...istrator agent. Organization unit: Type the name of the organization unit to which the administrator agent belongs. Organization: Type the name of the company or organization the administrator agent works...

Page 339: ...ilable again. Getting an Agent's Certificate from a Public CA. The following general guidelines explain how a user can get a client certificate from a public CA and how you can copy that certificate in...

Page 340: ...t certificate in base-64 encoded form to the internal database of a subsystem. 1. The user sends a client certificate request to CMS from the computer that they will use to access the subsystem, from the...

Page 341: ...ntaining the user's certificate in base-64 encoded form. 9. Copy the base-64 encoded certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- marker lines, to a text file. 10. Save the text file and...

Page 342: ...CMS.cfg includes a parameter named jss.ocspcheck.enable, which enables you to specify whether a CMS manager should use Online Certificate Status Protocol (OCSP) to verify the revocation status of the ce...

Page 343: ...default the feature is enabled. revocationChecking.unknownStateInterval: The default interval is 0 seconds. revocationChecking.validityInterval: Specifies how long, in seconds, the cached certificates are...

Page 344: ...47. 2. In the navigation tree, select Users and Groups. The Users tab appears in the right pane. 3. In the User ID list, select the user whose certificate information you want to change and click Certificate...

Page 345: ...Group description field. To remove a user from the group, select the user and click Delete. To add users, click Add User. In the Select window that appears, select the users you want to add and click OK. You...

Page 346: ...on tree, select Users and Groups. 3. Select the Group tab. 4. Click Edit. The Edit Group Information window appears. 5. Specify information in the following fields: Group name: Type a name for this group. Group...

Page 347: ...CI also contains an evaluator expression. The default implementation of ACLs specifies only users, groups, and IP addresses as possible evaluator types, although you could create others using the CMS SDK...

Page 348: ...S console interface, you create or modify ACIs in an editor that allows you to do this in a graphical environment. You choose from allow or deny in the Allow and Deny field, then you choose one of the op...

Page 349: ...cess to more than one operator in a single ACI, select the first operator from the list and then hold down Ctrl while selecting other operators. Syntax. The syntax field of the ACI editor is where you sp...

Page 350: ...ion specified. An IP address is specified using its numeric value; DNS values are not permitted. For example: ipaddress="12.33.45.99", ipaddress="23.99.09.88". Stringing Values. You can create a string with more...

Page 351: ...ation specified in this ACI to the group(s), user(s), or IP address(es) specified. For more information about allowing or denying access, see Allow and Deny on page 348. b. Select one operator from the possibl...
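The ACI model described on pages 347 to 351 (allow or deny, a set of operations, and an evaluator expression over user, group and ipaddress terms strung together with || and &&) is small enough to model end to end. The Python below is an added example written for this page, not code from Netscape CMS. It assumes the quoting used in the ACL Reference (allow (read,modify) group="Administrators"), that a request context carries the user ID, group memberships and numeric client IP, that && binds tighter than ||, and that a matching deny ACI takes precedence over a matching allow ACI; the precedence rule is an assumption, the guide does not state it. The ACL for one resource and the request contexts are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Example code added for this page; it is not part of Netscape CMS.
# Assumed ACI syntax: allow|deny (op1,op2) <expr>, where <expr> strings
# terms such as user="anybody", group="Administrators" and
# ipaddress="12.33.45.99" together with || and &&.

ACI_RE = re.compile(r'^\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*$', re.I)
TERM_RE = re.compile(r'^\s*(user|group|ipaddress)\s*(!=|=)\s*"([^"]*)"\s*$')


@dataclass
class Context:
    """The facts a request carries when an ACL is checked (assumed shape)."""
    user: str
    groups: set = field(default_factory=set)
    ip: str = ""


@dataclass
class ACI:
    kind: str   # "allow" or "deny"
    ops: set    # operations this ACI covers
    expr: str   # evaluator expression


def parse_aci(text: str) -> ACI:
    m = ACI_RE.match(text)
    if not m:
        raise ValueError(f"not an ACI: {text!r}")
    ops = {op.strip() for op in m.group(2).split(",") if op.strip()}
    return ACI(m.group(1).lower(), ops, m.group(3))


def eval_term(term: str, ctx: Context) -> bool:
    m = TERM_RE.match(term)
    if not m:
        raise ValueError(f"bad evaluator term: {term!r}")
    attr, op, value = m.groups()
    if attr == "user":
        hit = value == "anybody" or value == ctx.user
    elif attr == "group":
        hit = value in ctx.groups
    else:  # ipaddress: exact numeric match only, DNS names are not permitted
        hit = value == ctx.ip
    return hit if op == "=" else not hit


def eval_expr(expr: str, ctx: Context) -> bool:
    # || is the outer operator, && binds tighter (assumed precedence).
    return any(
        all(eval_term(t, ctx) for t in clause.split("&&"))
        for clause in expr.split("||")
    )


def check(acis, op: str, ctx: Context) -> bool:
    """True if ctx may perform op. Deny-first: a matching deny wins (assumed)."""
    applicable = [a for a in acis if op in a.ops and eval_expr(a.expr, ctx)]
    if any(a.kind == "deny" for a in applicable):
        return False
    return any(a.kind == "allow" for a in applicable)


# Constructed ACL for one resource, in the style of the ACL Reference.
ACL_CONFIGURATION = [
    parse_aci('allow (read) group="Administrators" || group="Auditors"'),
    parse_aci('allow (modify) group="Administrators"'),
    parse_aci('deny (modify) ipaddress="23.99.09.88"'),
]


def demo():
    admin = Context("admin1", {"Administrators"}, "12.33.45.99")
    admin_bad_ip = Context("admin1", {"Administrators"}, "23.99.09.88")
    auditor = Context("aud1", {"Auditors"}, "12.33.45.99")
    return {
        "admin read": check(ACL_CONFIGURATION, "read", admin),
        "admin modify": check(ACL_CONFIGURATION, "modify", admin),
        "admin modify from denied ip": check(ACL_CONFIGURATION, "modify", admin_bad_ip),
        "auditor modify": check(ACL_CONFIGURATION, "modify", auditor),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The deny ACI on the client address shows why the IP evaluator is worth using even for administrators: a stolen administrator certificate presented from an unexpected address is still refused the modify operation, while reads from the same address are unaffected because the deny lists only modify.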

Page 352: ...efault ACIs for each ACL resource defined. Each subsystem you install will contain only those ACLs that are relevant to that subsystem. certServer.acl.configuration: Allow or deny a read or modify operat...

Page 353: ...uation (TOE); it is unavailable after the CA is up and running. Allow or deny submit, read, or execute operations for an administrator enrollment request. Operations: Default ACIs: allow (submit) user="anybody"; al...

Page 354: ...interface. Operations: Default ACIs: allow (import,unrevoke,revoke,read) group="Certificate Manager Agents". Certificate Manager Agents can import, unrevoke, revoke, and read a certificate. read: Viewing authenti...

Page 355: ...certificate revocation requests. list: Listing certificates based on a search. Retrieving details about a range of certificates based on providing a range of serial numbers. read: Viewing CRL plug-in info...

Page 356: ...Default ACIs: allow (submit) group="Trusted Managers". Trusted Managers can submit requests to this interface. certServer.ca.clone: Allow or deny a submit operation for a connection to the CA by a cloned CA. Op...

Page 357: ...ertificate Manager Agents". Certificate Manager agents can update the directory. certServer.ca.group: Allow or deny an update operation to add a group. Operations: Default ACIs: allow (add) group="Administrator...

Page 358: ...group="Certificate Manager Agents". Certificate Manager agents can list certificate profiles. certServer.ca.profile: Allow or deny a read or approve operation for certificate profiles in the agent service...

Page 359: ...assign,unassign) group="Certificate Manager Agents". Anyone can submit an enrollment request; only Certificate Manager Agents can read or execute enrollment requests. certServer.ca.request.profile: Allow or...

Page 360: ...view statistics. certServer.ee.certificate: Allow or deny a renew, revoke, read, or import operation in the end-entity interface. Operations: Default ACIs: allow (renew,revoke,read,import) user="anybody" approve...

Page 361: ...ver.ee.certchain: Allow or deny a download or read operation for the CA's certificate chain in the end-entity interface. Operations: Default ACIs: allow (download,read) user="anybody". Anyone can read or downl...

Page 362: ...e profiles. certServer.ee.profiles: Allow or deny a list operation for certificate profiles in the end-entity interface. Operations: Default ACIs: allow (list) user="anybody". Anyone can list certificate profil...

Page 363: ...ions: Default ACIs: allow (submit) user="anybody". Anyone can submit an enrollment request. certServer.ee.request.facetofaceenrollment: Allow or deny a submit operation for face-to-face enrollment. Operations: Default ACIs: a...

Page 364: ...ne can submit a revocation request. certServer.ee.requestStatus: Allow or deny a read operation for the request status available from the end-entity interface. Operations: Default ACIs: allow (read) user="any...

Page 365: ...ng environment, LDAP configuration, SMTP configuration, server statistics, encryption token names, subject name of certificates, certificate nicknames, all subsystems that have been loaded by the server, get...

Page 366: ...iguration. Operations: Default ACIs: allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Cert...

Page 367: ...can read, recover, or retrieve key information. certServer.kra.keys: Allow or deny a list operation for the Data Recovery Manager. Operations: Default ACIs: allow (list) group="Data Recovery Manager Agents". Onl...

Page 368: ...group="Data Recovery Manager Agents". Only Data Recovery Manager Agents can list key archival requests. certServer.kra.request.status: Allow or deny a read operation for a Data Recovery Manager request. Op...

Page 369: ...up="Online Certificate Status Manager Agents"; allow (modify) group="Administrators". Administrators, agents, and auditors are allowed to read the log configuration; only administrators are allowed to modify the...

Page 370: ...me parameter of a log instance. Operations: Default ACIs: allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Age...

Page 371: ...all logs. Operations: Default ACIs: allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Cert...

Page 372: ...icate Authorities. certServer.ocsp.certificate: Allow or deny a validate operation for checking certificate revocation information. Operations: Default ACIs: allow (validate) group="Online Certificate Status...

Page 373: ...o modify OCSP configuration. certServer.ocsp.crl: Allow or deny an add operation for posting a CRL to the OCSP responder. Operations: Default ACIs: allow (add) group="Online Certificate Status Manager Agents". Online Certif...

Page 374: ...a Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors"; allow (modify) group="Administrators". read: Viewing policy plug-ins and instances. Listing policy plug-ins and instanc...

Page 375: ...and agents are allowed to read publisher configuration; only administrators are allowed to modify publisher configuration. certServer.ra.configuration: Allow or deny a read or modify operation for the c...

Page 376: ...import,unrevoke,revoke,read) group="Registration Manager Agents". Registration Manager agents can import, unrevoke, revoke, and read certificates. certServer.ra.connector: Allow or deny a submit operation for...

Page 377: ...enable/disable face-to-face enrollment. certServer.ra.facetofaceenrollment.enableHosts: Allow or deny reading all hosts enabled for face-to-face registration. Operations: Default ACIs: allow (read) group="Re...

Page 378: ...can read and approve certificate profiles. certServer.ra.profiles: Allow or deny a list operation for certificate profiles in the agent services interface in a Registration Manager. Operations: Default AC...

Page 379: ...fault ACIs: allow (approve,read) group="Registration Manager Agents". Registration Manager agents can view and approve certificate-profile-based requests. certServer.ra.requests: Allow or deny a list operatio...

Page 380: ...stration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents" || group="Auditors"; allow (modify) group="Administrators". Administrators, auditors, and agents are allowe...

Page 381: ...tration Manager Agents" || group="Data Recovery Manager Agents" || group="Online Certificate Status Manager Agents"; allow (modify) group="Administrators". Administrators, auditors, and agents are allowed to read user a...

Page 383: ...rollment, Automated Enrollment, Agent-Initiated End-User Enrollment, Certificate-Based Enrollment, Issuing and Managing Server Certificates, CEP Enrollment, Testing Your Enrollment Setup, Managing Authentica...

Page 384: ...g an instance of one of the authentication plug-in modules. You can also create plug-ins for automatic enrollment using other forms of authentication, such as a secure ID card or a relational database, u...

Page 385: ...ficate Manager. If the subsystem where the request is submitted is a Registration Manager, the request must pass the policies and certificate profiles of both the Registration Manager and the Certificat...

Page 386: ...tyConstraints on page 501. If the renewal lead time does not permit renewing, the server rejects the renewal request. Also, if the policy is disabled, renewal of certificates fails. If the certificate being...

Page 387: ...ent's approval. An agent can change some aspects of the request, change the status of the request, reject the request, or approve the request. Once the request is approved, the signed request is sent to the...

Page 388: ...and a PIN you set up in their directory entry and then gave to the end entity. See Setting Up PIN-Based Enrollment on page 395. Portal Enrollment: End users are registered into an LDAP directory and iss...

Page 389: ...onality, setting policies for specific certificates in the certificate profile (see Chapter 10, Certificate Profiles, for information about policies). In the case of policy-based enrollments, customize the H...

Page 390: ...and entry DN. See DNs in Certificate Management System on page 750. ldapStringAttributes: Specifies the list of LDAP string attributes that should be considered authentic for the end entity. If specified...

Page 391: ...Specifies the minimum number of connections permitted to the authentication directory. Permissible values: 1 to 3. ldap.maxConns: Specifies the maximum number of connections permitted to the authenticatio...

Page 392: ...SAuth Authentication plug-in module and configure the instance. See Setting Up the NISAuth Authentication on page 392 for details. Customize the HTML enrollment forms. Make sure the proper authentication...

Page 393: ...ctory attributes and entry DN. See DNs in Certificate Management System on page 750. extendedDN: Specifies the suffix that the server should add to the default subject DN when an LDAP directory is not sp...

Page 394: ...apconn.port: Specifies the TCP/IP port on which the authentication LDAP directory listens to requests from CMS. ldap.ldapconn.secureConn: Specifies the type (SSL or non-SSL) of the port on which the authen...

Page 395: ...t policies. Alternatively, you can enroll users through the certificate profile functionality, setting policies for specific certificates in the certificate profile (see Chapter 10, Certificate Profiles, fo...

Page 396: ...Open the setpin.conf file in a text editor. 3. Follow the instructions outlined in the file and make the appropriate changes. Typically, you will need to update the Directory Server's host name, Directory...

Page 397: ...need to enable the AttributePresentConstraints policy in the Certificate Manager that actually issues the certificates (see AttributePresentConstraints on page 495). This policy forces the Certificate M...

Page 398: ...hould be considered authentic for the end entity. If specified, the values corresponding to these attributes will be copied from the authentication directory into the authentication token; that is, values...

Page 399: ...password cache and uses it for subsequent start-ups. You need to specify this parameter only if you've selected removePin. ldap.ldapauth.clientCertNickname: Specifies the nickname of the certificate to b...

Page 400: ...not presently exist for that user, and to issue the user a certificate. Portal enrollment is useful when you have a portal and want to register users and have them later authenticate using a certificate...

Page 401: ...s: Create an instance of the PortalEnroll Authentication plug-in module and configure the instance. See Setting Up the PortalEnroll Authentication on page 401 for details. Customize the HTML enrollment f...

Page 402: ...e fully qualified DNS host name of the authentication directory. ldap.ldapconn.port: Specifies the TCP/IP port on which the authentication directory listens to requests from CMS. ldap.ldapconn.secureConn...

Page 403: ...N from the ldap.ldapauth.bindDN attribute to bind to the directory (default). SslClientAuth specifies SSL client authentication. If you choose this option, be sure to set the value of the ldap.ldapconn.sec...

Page 404: ...bout policies. Alternatively, you can enroll users through the certificate profile functionality, setting policies for specific certificates in the certificate profile (see Chapter 10, Certificate Profiles...

Page 405: ...C Enroll Utility. The CMC Enroll utility (CMCEnroll) is used to sign a certificate request with an agent's certificate. It is installed along with CMS and is available in the following directory: server_ro...

Page 406: ...er. 1. Go to the directory server_root/cert-instance/web-apps/ee/ra. 2. Open the file CMCEnrollment.html. 3. Find the following line: <form method="post" action="enrollment" onSubmit="return validate(document.form...

Page 407: ...le the End-Entity Pages for CMC Enrollment on page 406. 7. Submit your signed certificate request using the end-entity port: a. Go to the End-Entity port. b. Select CMC Enrollment from the main end-entity page. c. Paste...

Page 408: ...ntDirEnrollment plug-in is an instance of the HashAuth plug-in. You can turn this feature off by disabling or deleting the AgentDirEnrollment instance. CMS provides the following form for agent-initiated...

Page 409: ...e them available to users by some means. Basically, a user can get and use any pre-initialized and certificate-loaded hardware token. Next, each user uses the randomly picked token to enroll for a pair of...

Page 410: ...asedSingleEnroll.html: this form is provided as a sample. It enables end users to request signing certificates by submitting pre-issued certificates as authentication tokens. When a user enrolls for a ce...

Page 411: ...o other servers and end users and to encrypt data. In order to issue SSL server certificates, the signing certificate for the Certificate Manager must be enabled for such issuance. If the Certificate Man...

Page 412: ...y and in the internal database of CMS. CMS allows server administrators to renew their certificates by using the server enrollment form hosted by a Certificate Manager or Registration Manager. The renew...

Page 413: ...for approval by the Certificate Manager agent. To submit the server certificate request to CMS manually: 1. Open a web browser window. 2. Go to the End-Entity Services interface of the Certificate Manager...

Page 414: ...support for IPSec, see the information available at this URL: http://www.cisco.com/warp/public/cc/cisco/mkt/security/encryp/prodlit/821_pp.htm. You can issue certificates to routers and CEP-compliant Virt...

Page 415: ...configure the plug-in. See Authentication Token File on page 415 and Setting Up the CEP Plug-In on page 416. Authentication Token File. You create a text file with CEP enrollee information that is used...

Page 416: ...CMS SDK. See the SDK documentation for information about this plug-in and any additional programming you may need to do to it. 2. Register the plug-in in the CMS authentication framework. See the CMS SDK for...

Page 417: ...path name. keyAttributes: Specifies a comma-separated list of attributes in the request which together uniquely identify an entry in the authentication token file. The list of attributes you specify her...

Page 418: ...teway.cep.cep1.entryObjectClass=cep eeGateway.cep.cep1.url=cgi-bin/pkiclient.exe eeGateway.cep.cep1.authName=flatfile_router VPN configuration: eeGateway.cep.cep2.url=vpnenroll eeGateway.cep.cep2.authN...

Page 419: ...chema can accommodate VPN clients. You may need to update the Directory Server's schema. The reason for this is that, if you plan on publishing certificates from routers, they may need to be published with the...

Page 420: ...nstance of the policy plug-in named CRLDistributionPointsExt for router certificates. This extension, if present in a certificate, enables the user of the certificate to find revocation information perta...

Page 421: ...cate, an entry must already exist for the DN in the directory. Enter true if you want the Certificate Manager to create an entry if one does not already exist (true/false). Enter false if an entry already...

Page 422: ...ey length, such as 512 or 1024. The longer the key length, the more time the router takes to generate the key pair. 6. Request the CA's Certificate. In this part of the operation, you identify the CA to the...

Page 423: ...authentication for routers, the request will get processed by the CA. The CA may return the certificate to the router in the same transaction. If it doesn't, the router checks with the CA at periodic inte...

Page 424: ...tity
exit
router(config)# crypto ca authenticate test ca
Certificate has the following attributes:
Fingerprint: 24D34656 EB830C39 DD9E8179 0A4EBA98
% Do you accept this certificate? [yes/no]: yes
router(config)#...

Page 425: ...do it through profiles, please read the instructions in Chapter 10, Certificate Profiles. To test whether your end users can successfully enroll for a certificate using the authentication method you've...

Page 426: ...ch the Directory Server is listening to authentication requests from the Certificate Manager, base_dn with the DN to start searching for the user's entry, and user_id with the ID of the user for whom yo...

Page 427: ...this class is part of a package, be sure to include the package name. For example, if you are registering a class named customAuth and if this class is in a package named com.customplugins, type com.custo...

Page 428: ...sers need to generate Software Publisher Certificate (SPC) files for their object signing certificates, you should ask them to use the Microsoft tool named cert2spc. The SPC file enables them to execute command...

Page 429: ...ls. AtoB cert.b64 cert.der converts the base-64 encoded certificate in the cert.b64 file to its DER-encoded format and writes the DER-encoded certificate to a file named cert.der. 8. Next, use the Microso...

Страница 430: ...Generating Files Required By Third Party Object Signing Tools 430 Netscape Certificate Management System Administrator s Guide February 2003...

Страница 431: ...content that can be contained in this type of certificate and the contents of the input and output forms associated with the certificate profile Enrollments requests are submitted to a particular cert...

Страница 432: ...efaults the constraints used in each policy the values assigned to any of the parameters in a policy or the input and output You can also create other certificate profiles either for other types of ce...

Страница 433: ...interface where end entity can enroll for a certificate using the certificate profile The Certificate Profile enrollment page contains links to each type of certificate profile enrollment that has be...

Страница 434: ...aluated with the first certificate request and the second set is evaluated with the second certificate request There is no need for more than one set if you are issuing a single certificate or more th...

Страница 435: ...by adding or deleting inputs in the certificate profile thus defining the fields on the input page Add or delete the single output Optionally you can modify existing defaults constraints inputs and o...

Страница 436: ...his window Certificate Profile Instance ID Specify the instance ID of the certificate profile This name or number will be used by the system to identify the instance Certificate Profile Name Specify a...

Страница 437: ...bmitted request is queued in the request queue of the agent services interface e Click Ok The new certificate profile appears in the Certificate Profile Instances Management tab 6 To modify an existin...

Страница 438: ...e Certificate Profile Authentication Specify the authentication method Specify an automated authentication by providing the instance ID for the authentication instance that will be used If this field...

Страница 439: ...the policies associated with each certificate Certificate Profile Policy ID Type a name or identifier for this certificate profile policy d Configure any parameters in the Default or Constraint tab S...

Страница 440: ...e constraint applied to this policy Some values can be edited by clicking into the value field and changing the entry others have pull down menus associated with them where you can pick the values ava...

Страница 441: ...puts tab of the Certificate Profile Rule Editor window You need to set up outputs for any certificate profile that uses an automated authentication method you do not need to set up outputs for any cer...

Страница 442: ...for the types of certificates that are usually issued by a RA and a CA All certificate profiles are installed with a CA only those certificate profiles beginning with ra are installed with and RA The...

Страница 443: ...red for enrollments for end user certificates using directory based authentication in a Certificate Manager caAgentServerCert Configured for enrollments for server certificates allowing for automatic...

Страница 444: ...te profile up to match the certificate profile set up in the RA the value of the End User Certificate Profile needs to be set to false in order for the CA to be able to accept the request from somewhe...

Страница 445: ...certificate used by a subsystem to sign the signed audit logs Input Reference An input puts certain fields on the enrollment page associated with a particular certificate profile You define inputs fo...

Страница 446: ...s field will display Not Supported on browsers other than Netscape 7 and above Key Generation Input The Key Generation Input input is used for enrollments in which a single key pair will be generated...

Страница 447: ...certificate Requestor Phone This field is used to enter the phone number of the requestor of this certificate Output Reference An output represents the response to the end user of a successful enrollm...

Страница 448: ...allows you to provide references to CRL locations For general information about this extension see authorityInfoAccess on page 723 You can define the following constraints with this default Extension...

Страница 449: ...ue must be a valid domain name in the fully qualified DNS format For example testCA example com If you selected EDIPartyName the value must be an IA5String For example Example Corporation If you selec...

Страница 450: ...uring the certificate chain verification process to identify CA certificates and to apply certificate chain path length constraints For general information about this extension see basicConstraints on...

Страница 451: ...tension is set in end entity certificates Permissible values 0 or n Make sure that the value you choose is less than the path length specified in the Basic Constraints extension of the CA signing cert...

Страница 452: ...arked with an n in the table to distinguish that the parameter is associated with one of the five possible locations Table 10 3 CRL Distribution Points Extension Configuration Parameters Parameter Des...

Страница 453: ...any of the following formats An X 500 directory name in the RFC 2253 syntax For example CN CA Central OU Research Dept O Example Corporation C US A URIName for example it would look similar to this h...

Страница 454: ...IDs 1 3 6 1 4 1 311 10 3 4 this OID is for the EFS certificate 1 3 6 1 4 1 311 10 3 4 1 this OID is for the EFS recovery certificate The EFS recovery certificate is used by a recovery agent when a use...

Страница 455: ...f the five possible locations Table 10 5 Extended Key Usage Extension Default Configuration Parameters Parameter Description Critical Select true to mark this extension critical select false to mark t...

Страница 456: ...nt Select from DirectoryName and URIName PointName_ n If pointType is set to directoryName the value must be a string form of X 500 name similar to the subject name in a certificate For example CN CAC...

Страница 457: ...efully consider the legal consequences of its use before setting it for any certificate Select true to set select false to not set keyEncipherment Specifies whether to set the extension for SSL server...

Страница 458: ...ify parameters for each of these location The parameters are marked with an n in the table to distinguish that the parameter is associated with one of the five possible locations decipherOnly Specifie...

Страница 459: ...ed RFC822Name the value must be a valid Internet mail address in fully qualified DNS format For example testCA example com If you selected DirectoryName the value must be a string form of X 500 name s...

Страница 460: ...nc othername txt PermittedSubtree Enable_ n Select true to enable this permitted subtree entry select false to disable this permitted subtree entry ExcludedSubtrees n min Specifies the minimum number...

Страница 461: ...encoding rules The name must include both a scheme for example http and a fully qualified domain name or IP address of the host For example http testCA example com If you selected IPAddress the value...

Страница 462: ...e certificate type for example it identifies whether the certificate is a CA certificate server SSL certificate client SSL certificate object signing certificate or S MIME certificate and thus enables...

Страница 463: ...tions Select true to include this capability select false to not include this capability CertEmail Specifies that the certificate can be used to send secure email messages Select true to include this...

Страница 464: ...sion Constraint on page 477 Extension Constraint see Extension Constraint on page 475 No Constraints see No Constraint on page 477 Policy Constraints Extension Default This default populates a policy...

Страница 465: ...It specifies at the most n subordinate CA certificates are allowed in the path before an explicit policy is required Note that the number you specify affects the number of CA certificates to be used d...

Страница 466: ...icy equivalent to the subjectDomainPolicy of the subject CA The issuing CA s users may accept an issuerDomainPolicy for certain applications The policy mapping tells these users which policies associa...

Страница 467: ...me on page 732 The standard suggests that if the certificate subject field contains an empty sequence then the subject alternative name extension must contain the subject s alternative name and that t...

Страница 468: ...checks the certificate request for configured attributes If the request contains an attribute the policy reads its value and sets it in the extension This way the extension that gets to added to cert...

Страница 469: ...tory name similar to the subject name in a certificate For example CN Jane Doe OU Sales Dept O Example Corporation C US Select DNSName if the request attribute value is a DNS name For example corpDire...

Страница 470: ...on page 477 Subject Name Default This default populates server side configurable subject name into the certificate request You provide a static subject name that is used as the subject name in the ce...

Страница 471: ...certificate profile allows a user to define extensions No inputs are provided to add user supplied extensions to the enrollment form You can create an input for this purpose using the CMS SDK You can...

Страница 472: ...d Subject Name Default This default populates a user supplied subject name into the certificate request If included in the certificate profile allows a user to supply a subject name for the certificat...

Страница 473: ...if the basic constraint in the certificate request satisfies the criteria set in this constraint Table 10 17 Validity Default Configuration Parameters Parameter Description range Specifies the validi...

Страница 474: ...ion of the CA signing certificate owned by the CA that will issue these certificates 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued that...

Страница 475: ...guration Parameters Parameter Description Critical Specifies whether the extension can be marked critical or noncritical Select true to allow the extension to be marked critical select false to disall...

Страница 476: ...constraints are placed for this parameter keyEncipherment Specifies whether to set the extension for SSL server certificates and S MIME encryption certificates Select true to allow this to be set sel...

Страница 477: ...cifies whether to set the extension if the public key is to be used only for deciphering data If this bit is set keyAgreement should also be set Select true to allow this to be set select false to not...

Страница 478: ...ch as Java applets and plug ins Select true to allow this capability select false to not allow this capability select to indicate no constraints are placed for this parameter CertSSLCA Specifies that...

Страница 479: ...all of the following MD2withRSA MD5withRSA SHA1withRSA Table 10 24 Subject Name Constraint Configuration Parameters Parameter Description Pattern Specifies a regular expression specified as a string a...

Страница 480: ...scape Certificate Management System Administrator s Guide February 2003 Table 10 25 Validity Constraint Configuration Parameters Parameter Description range The range parameter is of type integer And...

Страница 481: ...ewer default certificate enrollment feature Certificate Enrollment Profiles see Chapter 10 Certificate Profiles The policies feature will be discontinued in the future release s To enable the feature...

Страница 482: ...e revocation key archival and key recovery requests For example in the case of a certificate issuance request the outcome would be the certificate content A Certificate Manager s policy can include ru...

Страница 483: ...o fall within a predetermined range say between 6 and 24 months A subsystem s policy configuration can consist of one or more policy rules each performing one or more of the following operations Valid...

Страница 484: ...les on the request based on the request type The policy processor also filters the rules based on predicates see Using Predicates in Policy Rules on page 485 Note that the policy processor applies onl...

Страница 485: ...rs AND or OR For example you could set up a predicate to put the CRL Distribution Point extension only in SSL client certificates or set different validity dates for certificates for users in differen...

Страница 486: ...in the request Other attributes regarding the end entity such as the user ID are set on the request after successful authentication The servlets also interpret the form content for example retrieving...

Страница 487: ...Attributes for predicates can come from any of the following Input form that is the HTML form that end entities use for submitting certificate requests Authentication token what the authentication su...

Страница 488: ...ificate server SSL server certificate Enrollment doSslAuth Specifies whether the client is required to do SSL client authentication during enrollment Default values include the following on off Enroll...

Страница 489: ...name attribute_name value attribute_value Enrollment cepsubstore Specifies the name of the CEP service for example cep1 and cep2 When setting up multiple CEP services you can use predicates to differ...

Страница 490: ...s policy plug in implementation 2 Enter the appropriate values for all the attributes Assume you named the instance ValidityRule1 set the minimum validity period to 10 days set the maximum validity pe...

Страница 491: ...AND HTTP_PARAMS orgunit Sales The new configuration would result in certificates with a validity period of six months for users in the Sales organizational unit and a validity period of three months...

Страница 492: ...ameter In this way you can avoid re creating the rule in the future Because the subsystems subject end entity requests only to rules that are currently enabled keeping unwanted rules in the disabled s...

Страница 493: ...f required To add a new policy rule to the CMS configuration 1 In the Policy Rules Management tab click Add The Select Policy Plugin Implementation window appears It lists registered policy plug in mo...

Страница 494: ...onfigured policy rules in the order in which they are executed by the subsystem 2 To change the order of a rule select it in the list and click the Up or Down button as appropriate Keep in mind that t...

Страница 495: ...ic Policy Module Reference Constraints specific policy plug in modules help you define rules or constraints that CMS uses to evaluate an incoming certificate enrollment renewal or revocation request E...

Страница 496: ...olicy during installation Table 11 3 describes the configuration parameters of the AttributePresentConstraints policy Table 11 3 AttributePresentConstraints Configuration Parameters Parameter Descript...

Страница 497: ...ntication type basic authentication or SSL client authentication required in order to check attributes in the LDAP directory BasicAuth specifies basic authentication default If you choose this option...

Страница 498: ...maxConns Specifies the maximum number of connections permitted to the LDAP directory when needed connection pool can grow to this many multiplexed connections Permissible values 3 to 10 the default v...

Страница 499: ...ize Specifies the minimum length in bits for the key the length of the modulus in bits The value must be smaller than or equal to the one specified by the maxSize parameter Permissible values 512 or 1...

Страница 500: ...ts Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable default deselect to disable predicate Specifies the predicate expression for...

Страница 501: ...rmissible values RSA or RSA Table 11 7 RenewalConstraints Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable the rule default Dese...

Страница 502: ...instance of the revocation constraints policy named RevocationConstraintsRule that is enabled by default Table 11 9 describes the configuration parameters of the RevocationConstraints policy Table 11...

Страница 503: ...ion parameters of the RSAKeyConstraints policy predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the field blank default...

Страница 504: ...and renewal requests During installation CMS automatically creates an instance of the signing algorithm constraints policy named SigningAlgRule that is enabled by default minSize Specifies the minimum...

Страница 505: ...rly You may apply this policy to CA certificate enrollment and renewal requests Table 11 11 SigningAlgorithmConstraintsConfiguration Parameters Parameter Description enable Specifies whether the rule...

Страница 506: ...he server accordingly using the policy Alternatively if you want to allow your users to own multiple certificates each for a different use all having the same subject name you can do so easily using t...

Страница 507: ...g Specifies whether the certificate request must be checked for the Key Usage extension Note that the policy can check the certificate request for the Key Usage extension only if you deselect the enab...

Страница 508: ...implementation The ability to configure the value of the leadTime parameter in the policy rule allows you to prohibit end entities from requesting certificates whose validity starts too far in the fu...

Страница 509: ...me when the policy rule is run The notBefore attribute value specifies the date on which the certificate validity begins validity dates through the year 2049 are encoded as UTCTime dates in 2050 or la...

Страница 510: ...lications most likely will not understand your extension By default only noncritical extensions are added to certificates This ensures that the resulting certificates can be used with all clients If y...

Страница 511: ...ation Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predicate expression for this rule If you w...

Страница 512: ...pecifies the address or location to get additional information about the CA that has issued the certificate in which this extension appears Specifying the information based on the following If you sel...

Страница 513: ...Pv4 address must be in the n n n n format for example 128 21 39 40 IPv4 address with netmask must be in the n n n n m m m m format For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the add...

Страница 514: ...16 AuthorityKeyIdentifierExt Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predi...

Страница 515: ...ng up the chain The maxPathLen parameter has no effect if the extension is set in end entity certificates Permissible values 0 or n Make sure that the value you choose is less than the path length spe...

Страница 516: ...r this rule If you want this rule to be applied to all certificate requests leave the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 485 critical Speci...

Страница 517: ...isplayText Specifies the textual statement to be included in certificates this parameter corresponds to the explicitText field of the user notice If you want to embed a textual statement for example y...

Страница 518: ...To form a predicate expression see Using Predicates in Policy Rules on page 485 critical Specifies whether the extension should be marked critical or noncritical Select to mark critical deselect to ma...

Страница 519: ...r future time in seconds by which the certificate must be renewed the endTime field of the extension will be set to the specified time since certificate issuance You can specify the time period in sec...

Страница 520: ...ificate for client authentication the extension enables the certificate using application to restrict the release of individual certificates to web sites requesting SSL client authentication The certi...

Страница 521: ...ry name Select dNSName if the site is a DNS name default Select ediPartyName if the site is a EDI party name Select URL if the site is a uniform resource identifier Select iPAddress if the site is an...

Страница 522: ...40 IPv4 address with netmask must be in the n n n n m m m m format For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form with netmask separated by a comma Ex...

Страница 523: ...ion points to be included in the extension it must be an integer greater than zero The default is 3 Note that when you set a number other than O each distribution point has its own set of configuratio...

Страница 524: ...constants unused keyCompromise cACompromise affiliationChanged superseded cessationOfOperation certificateHold issuerName n Specifies the name of the issuer that has signed the CRL maintained at distr...

Страница 525: ...he private key and the data encrypted with that key needs to be used CMS supports the above two OIDs and allows you to issue certificates containing extended key usage extension with these OIDs Normal...

Страница 526: ...ecifying that no key usage purposes can be contained in the extension or n specifies the total number of key usage purposes to be included in the extension it must be an integer greater than zero The...

Страница 527: ...ting and testing the server in a production environment you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs See Appendix H Object Identifiers for information on...

Страница 528: ...allation CMS automatically creates an instance of the generic ASN 1 extension policy named GenericASN1Ext that is disabled by default Configuration Parameters of GenericASN1Ext The configuration defin...

Страница 529: ...values A valid OID specified in dot separated numeric component notation see the example Although you can invent your own OIDs for the purposes of evaluating and testing this server in a production e...

Страница 530: ...tring for extensions that have ASN 1 PrintableString values It s case insensitive and accepts any normal string as value Select UTCTime for site defined extensions that have ASN 1 UTCTime values Selec...

Страница 531: ...ue For example 1234567890 If the data type is IA5String enter a normal string as value For example Test of IA5String If the data type is OctetString and if the data source is Value enter the value in...

Страница 532: ...whether the extension should be marked critical or noncritical Select to mark critical default deselect to mark noncritical numGeneralNames Specifies the total number of alternative names or identiti...

Страница 533: ...If you selected rfc822Name the value must be a valid Internet mail address in the local part domain format see the definition of an rfc822Name as defined in RFC 822 http www ietf org rfc rfc0822 txt...

Страница 534: ...rmat For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form described in RFC 1884 http www ietf org rfc rfc1884 txt with netmask separated by a comma Examples...

Страница 535: ...6 lists the bits and their designated purposes You can restrict the purposes for which a key pair and thus the corresponding certificate should be used by setting the appropriate key usage bits For ex...

Страница 536: ...ing by editing the enrollment forms as you can do this easily by making the appropriate changes to the policy instance bits set on the server side override the ones set on the client side However if y...

Страница 537: ...e enrollment form ManRAEnroll html for requesting Registration Manager signing certificates ServerCertKeyUsageExt This rule is for setting the appropriate key usage bits in SSL server certificates and...

Страница 538: ...whether to set the digitalSignature bit or bit 0 of the key usage extension in certificates specified by the predicate parameter Permissible values true false or HTTP_INPUT Select true if you want the...

Страница 539: ...e server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable correspon...

Страница 540: ...ue if you want the server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input v...

Страница 541: ...u don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corresponding to the decipherOnly bit and set the bit accor...

Страница 542: ...ber of permitted subtrees to be included in the extension it must be an integer greater than zero The default value is 8 numExcludedSubtrees Specifies the total number of subtrees to be excluded in th...

Страница 543: ...ryName permittedSubtrees n base generalNameValue Specifies the general name value for the permitted subtree you want to include in the extension Permissible values Depends on the general name type you...

Страница 544: ...4 IPv4 the address should be in the form specified in RFC 791 http www ietf org rfc rfc0791 txt IPv4 address must be in the n n n n format for example 128 21 39 40 IPv4 address with netmask must be i...

Страница 545: ...are allowed excludedSubtrees n base generalNameChoice Specifies the general name type for the excluded subtree you want to include in the extension Permissible values rfc822Name directoryName dNSName...

Страница 546: ...9 For example CN SubCA OU Research Dept O Example Corporation C US If you selected dNSName the value must be a valid domain name in the preferred name syntax as specified by RFC 1034 http www ietf org...

Страница 547: ...FFFF FFFF FFFF FFFF FFFF FF00 0000 If you selected OID the value must be a unique valid OID specified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 If you selected otherNa...

Страница 548: ...ee section Using Predicates in Policy Rules in Chapter 18 Setting Up Policies of CMS Administrator s Guide Example HTTP_PARAMS certType client critical Specifies whether the extension should be marked...

Страница 549: ...o default value displayText Specifies the textual statement that should be included in certificates If you want to embed a textual statement for example your company s legal notice in certificates the...

Страница 550: ...d the extension by enabling the Netscape certificate type extension policy and which bits are to be set by adding the appropriate HTTP variables to the enrollment forms Bits set in the Netscape certif...

Страница 551: ...quested using the form For example the server enrollment form embeds the ssl_server variable whereas the subordinate CA Certificate Manager enrollment form embeds the ssl_client email_ca ssl_ca and ob...

Страница 552: ...tificate requests leave the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 485 setDefaultBits Specifies whether to set the Netscape certificate type ex...

Страница 553: ...nt For general information about this extension see policyConstraints on page 731 During installation CMS automatically creates an instance of the policy constraints extension policy named PolicyConst...

Страница 554: ...set in end entity certificates Permissible values 1 0 or n 1 specifies that the field should not be set in the extension default 0 specifies that no subordinate CA certificates are permitted in the pa...

Страница 555: ...he rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the...

Страница 556: ...u can invent your own OIDs for the purposes of evaluating and testing this server in a production environment you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs...

Страница 557: ...t this extension see subjectAltName on page 732 notBefore Specifies the date on which the validity period for the private key associated with the certificate begins Permissible values A valid date spe...

Страница 558: ...AMS in section JavaScript Used By All Interfaces of CMS Customization Guide You can also distinguish the attributes based on their origin that is whether they originated from the enrollment form or wh...

Страница 559: ...ribute whose value is to be included in the extension The attribute value must conform to any of the supported general name types specified by the generalName n generalNameChoice parameter If the serv...

Страница 560: ...uthentication instance is set to mail or mailalternateaddress or to both The third attribute HTTP_PARAMS csrRequestorEmail is the email component of the subject name in an enrollment request it is an...

Страница 561: ...e extension you need to specify the attribute name and its value the name must be the X 500 directory attribute name itself and the attribute value can be derived from the request or directly entered...

Page 562: ...integer derived from the value you assign in this field For example if you set the numAttributes parameter to 2 n would be 0 and 1 attribute n attrib uteName Specifies the name of the directory attrib...

Page 563: ...s section explains how to use the CMS window to perform the following operations Table 11 41 SubjectKeyIdentifierExt Configuration Parameters Parameter Description enable Specifies whether the rule is...

Page 564: ...rk 1 Log in to the CMS window see Logging Into the CMS Console on page 247 2 Select the Configuration tab 3 In the navigation tree select the subsystem that will use the module you want to register 4...

Page 565: ...y framework 1 Log in to the CMS window see Logging Into the CMS Console on page 247 2 Select the Configuration tab 3 In the navigation tree select the subsystem that registers the module you want to d...

Page 566: ...Managing Policy Plug in Modules 566 Netscape Certificate Management System Administrator s Guide February 2003...

Page 567: ...d Notifications The automated notifications feature is an event driven system that sends email notifications when the specified event occurs The system uses listeners that monitor the system to determ...

Page 568: ...s of automated notifications are available Certificate Issued Request In Queue Certificate Revocation Certificate Issued A notification message is automatically sent to users who have been issued cert...

Page 569: ...d the notification is sent to the email address specified in the Sender s Email Address field specified when you set up this notifications as undeliverable notification You can customize the email res...

Page 570: ...is is the email address of the person who is notified of any delivery problems Subject Type the subject title for the notification Recipient s E Mail Address Type the recipient s full email address th...

Page 571: ...r notification message are explained in the procedure in the section Setting Up Automated Notifications on page 569 5 Save the file 6 Restart the server instance 7 If you set up a job that sends autom...

Page 572: ...e of HTML templates Tokens are variables identified with the dollar sign character in the message that are replaced by the current value when the message is constructed See Token Definitions on page 5...

Page 573: ...website http IT if you have any problems Notification Message Templates Notification message templates are located in the following directory server_root cert instance_id emails You can change the na...

Page 574: ...ir certificate is revoked certRequestRevoked_CA html Template for the Certificate Manager to send HTML based notifications to end entities when their certificate is revoked certRequestRevoked_RA Templ...

Page 575: ...he time the job instance was run HexSerialNumber Specifies the serial number of the certificate that has been issued in hexadecimal format HttpHost Specifies the fully qualified host name of the Certi...

Page 576: ...be displayed as a hexadecimal value in the resulting message Status Specifies the status of the request SubjectDN Specifies the distinguished name of the certificate subject SummaryItemList Specifies...

Page 577: ...execute specific jobs at specified times The job scheduler functions similarly to a traditional Unix cron daemon in that it takes registered cron jobs and executes them at a preconfigured date and time...

Page 578: ...bs The types of automated jobs are RenewalNotification RequestInQueue and UnpublishExpired RenewalNotificationJob The RenewalNotification job checks for certificates that are about to expire in the in...

Page 579: ...tlined in section Updating Certificates and CRLs in a Directory on page 660 You can create additional automated jobs using the CMS SDK Setting Up the Job Scheduler The Certificate Manager and Registra...

Page 580: ...k to be valid For example the following entry specifies a job execution time of midnight on the first and fifteenth of every month and on every Monday 0 0 1 15 1 To specify one day type without the ot...

Page 581: ...hat meet the cron specification By default it is set to one minute See Frequency Settings for Automated Jobs on page 579 The window for entering this information may appear too small Drag the corners...

Page 582: ...in to the CMS console see Logging Into the CMS Console on page 247 3 Select the Configuration tab 4 In the navigation tree select Job Scheduler then select Jobs The Job Instance tab appears showing t...

Page 583: ...Configuration Parameters of UnpublishExpiredJob on page 587 for details about these parameters 8 Click Ok 9 Click Refresh 10 If you set up a job that sends automated messages check that you have corr...

Page 584: ...ith jobsScheduler job unpublishExpiredCerts see Configuration Parameters of UnpublishExpiredJob on page 587 for details about these parameters 5 Save the file 6 Restart the server instance 7 If you se...

Page 585: ...ery problems emailSubject Specifies the text of the subject line of the notification message emailTemplate Specifies the path including the filename to the directory that contains the template to be u...

Page 586: ...template to be used for formulating the summary report email notification For details see Customizing Notification Messages on page 589 Table 13 3 RequestInQueueJob Parameters Parameter Description e...

Page 587: ...e summary emailTemplate Specifies the path including the filename to the directory that contains the template to be used for creating the summary report For details see Customizing Notification Messag...

Page 588: ...he server to send the summary report summary emailSubject Specifies the subject line of the summary message summary emailTemplate Specifies the path including the filename to the directory that contai...

Page 589: ...essages by modifying the HTML commands included in the HTML template for that message type Templates for Summary Notifications Notification message templates are located in the following directory ser...

Page 590: ...to be sent to agents and administrators Uses the rnJob1Item txt template to format items in the message rnJob1Item txt Template for formatting the items to be included in the summary report Table 13 6...

Page 591: ...Date Specifies the date the certificate was revoked SenderEmail Specifies the email address of the sender SerialNumber Specifies the serial number of the certificate the serial number will be displaye...

Page 592: ...he Configuration tab 3 In the navigation tree select Job Scheduler then select Jobs The Job Instance tab appears It lists any currently configured jobs 4 Select the Job Plugin Registration tab The Job...

Page 593: ...cate a server administrator or by a Certificate Manager agent End users can revoke certificates by using the Revocation form provided in the end entity services interface Agents can revoke end entity...

Page 594: ...d to do so removes the revoked certificates from the publishing directory and updates the CRL in the publishing directory Authentication of End Users During Certificate Revocation When an end user sub...

Page 595: ...ial number of the certificate the user wants to revoke and the challenge password associated with the certificate The server verifies the authenticity of a revocation request by mapping the serial num...

Page 596: ...nd then send the signed request to the Certificate Manager The enabled instance of the CMCAuth plug in module also activates CMC revoke when it is enabled the default When this method is set up the Cer...

Page 597: ...hat exists d The directory where cert8 db key3 db and secmod db containing the agent certificate are located n The nickname of the agent s certificate i The issuer name of the certificate being revoke...

Page 598: ...rned page confirms that the certificate 22 has been revoked About CRLs Server and client applications that use public key certificates as tokens of identification need access to information about the...

Page 599: ...directory or an OCSP responder Note that the Registration Manager cannot create or publish CRLs although it can take revocation requests and pass them on to the Certificate Manager A CRL is issued and...

Page 600: ...he server End users are also required to authenticate to the server in order to revoke their certificate Whenever a certificate is revoked the Certificate Manager updates the status of the certificate...

Page 601: ...L issuing points specified in the certificate instead of the master or main CRL the application would check the CRL maintained at the issuing point which would be smaller in size compared to the maste...

Page 602: ...ince its creation For example if the numbering were as simple as 1 2 3 the first CRL would be CRL 1 The second CRL would be CRL 2 and the delta would be deltaCRL 2 The deltaCRL 2 would reference CRL 1...

Page 603: ...revoked certificates from the entire CA ARL Authority Revocation List containing only revoked CA certificates Master CRL and Expired Certificates Containing the list of revoked certificates from the...

Page 604: ...ect that issuing point and click Edit You can only change the description for the issuing point and change the status from enabled to disabled 4 To add an issuing point click Add The CRL Issuing Point...

Page 605: ...dragging at one of the corners some fields in this window do not appear large enough to read the content In the Update Frequency section specify the interval for publishing the CRL to the directory E...

Page 606: ...ed Include expired certificates Select if you want the server to include revoked certificates that have expired in the CRL If this is enabled information about revoked certificates will remain in the...

Page 607: ...n this step you modify the default rules to suit your organization s requirements To specify the CRL extensions 1 In the navigation tree select Certificate Manager and then select CRL Issuing Points N...

Page 608: ...ion is used to identify the public key that corresponds to the private key used by a CA to sign CRLs The PKIX standard recommends that the CA must include this extension in all CRLs it issues The reas...

Page 609: ...of a certificate included in the CRL For general guidelines on setting the CRL reason code in CRL entries see reasonCode on page 741 For a list of reason codes see Reasons for Revoking a Certificate o...

Page 610: ...efault critical Select if you want the server to mark the extension critical default deselect if you want the server to mark the extension noncritical Table 14 5 FreshestCRL Configuration Parameters P...

Page 611: ...olute pathname and must specify the host For example http testCA example com get your crls here Table 14 6 HoldInstruction Configuration Parameters Parameter Description enable Specifies whether the r...

Page 612: ...n enables binding of or associating alternative identities such as a mail address a DNS name an IP address and a uniform resource indicator URI with the issuer of the CRL For general guidelines on set...

Page 613: ...directoryName if the name is an X 500 directory name Select dNSName if the name is a DNS name Select ediPartyName if the name is a EDI party name Select URL if the name is a uniform resource identifi...

Page 614: ...suing distribution point extension in CRLs see issuingDistributionPoint on page 739 If the type is URL the value must be a non relative universal resource identifier URI For example http testCA exampl...

Page 615: ...he pointType parameter If the pointType attribute is set to DirectoryName the name must be an X 500 Name For example CN CRLCentral OU Research Dept O Example Corporation C US If the pointType attribut...

Page 616: ...es of revoked certificates default onlyContainsUserCerts Select if the distribution point contains user certificates only deselect if the distribution point contains all types of certificates default...

Page 617: ...an online validation authority using the appropriate protocol This chapter explains how to configure the Certificate Manager or Registration Manager to publish certificates and CRLs to a file to a dire...

Page 618: ...types of CRL files For example you can publish CA certificates to one location while publishing user certificates to a completely different location Similarly you can publish different types of certif...

Page 619: ...in LDAP publishing Mappers allow you to construct the DN for an entry based on information from the certificate or the certificate request The server needs to figure out the DN of the entry in which t...

Page 620: ...00 PST 2000 will be crl 949102696899 der About LDAP Publishing The ability of a server to publish certificates CRLs and other certificate related objects to a directory using the LDAP or LDAPS protoc...

Page 621: ...issued updated or revoked the publishing system is invoked and the certificate or CRL is evaluated by the rules to see if it matches the type and predicate set in the rule The type setting specifies...

Page 622: ...l replace any certificate or CRL that is already published to this attribute For rules that specify to publish to an Online Certificate Status Manager a CRL is published to this manager certificates a...

Page 623: ...you want to publish all CRLs If you are publishing different types of CRLs to separate locations create a publisher for each location you will publish to specifying the location you will publish You...

Page 624: ...You can set up rules for each object type CA certificate CRL user certificate and cross pair certificate or you can even further divide the rules so that you have different rules for different kinds...

Page 625: ...configure Publishers for LDAP publishing Configuring Publishers for Publishing to a File You need to create and configure a Publisher for each publishing location publishers are not automatically cre...

Page 626: ...he Select Publisher Plug in Implementation window appears It lists registered publisher modules 5 Select the module named FileBasedPublisher This is the only Publisher module that enables the Certific...

Page 627: ...s certificates 8 Click OK You are returned to the Publishers Management tab It should now list the publisher you just created 9 Repeat this procedure creating all the publishers you will need Configur...

Page 628: ...or the Certificate Manager see Logging Into the CMS Console on page 247 2 Select the Configuration tab 3 In the navigation tree select Certificate Manager select Publishing and then select Publishers...

Page 629: ...lphanumeric string with no spaces For example Ca1CrlToOcspResponder host Type the fully qualified DNS host name of the Online Certificate Status Manager For example ocspResponder example com port Type...

Page 630: ...o publish cross signed certificates to the LDAP directory The publishers are enabled and configured using the X 500 standard attributes for storing certificates and CRLs You do not need to modify the...

Page 631: ...lation the Certificate Manager automatically creates an instance of the LdapCaCertPublisher module for publishing the CA certificate to the directory that is already enabled and configured Table 15 1...

Page 632: ...the directory LdapCrlPublisher The LdapCrlPublisher plug in module enables you to configure a Certificate Manager to publish or unpublish the CRL to the certificateRevocationList binary attribute of...

Page 633: ...s not one already Similarly it also removes the certificationAuthority object class on unpublish if the CA has no other certificates During installation the Certificate Manager automatically creates...

Page 634: ...ate or some other input information This relationship can either be one in which the exact DN of the entry can be derived from the information using the mapper to derive this DN or one in which the in...

Page 635: ...each of these macros specifying the DN pattern used and whether or not you want CMS to create the CA entry in the directory To use other mappers create an instance of the mapper you want to use and th...

Page 636: ...ion window appears It lists registered mapper modules b Select a module For complete information about these modules see Mapper Plug in Modules Reference on page 637 c Click Next The Mapper Editor win...

Page 637: ...n AVAs check the directory documentation The CA certificate mapper allows you to specify whether to create an entry for the CA or to just map the certificate to an existing entry or to do both Note th...

Page 638: ...you select the Certificate Manager first attempts to create an entry for the CA in the directory If the Certificate Manager succeeds in creating the entry it then attempts to publish the CA s certific...

Page 639: ...automatically creates this mapper during installation You can use this mapper for creating an entry for the CA in the directory and for mapping the CRL to the CA s entry in the directory By default th...

Page 640: ...a certificate to an LDAP directory entry by deriving the entry s DN from components specified in the certificate request certificate s subject name certificate extension and attribute variable assert...

Page 641: ...re subject DN specified in the mapper configuration For example assume the certificate subject name is this UID jdoe O Example Corporation C US When searching the directory for the entry the Certifica...

Page 642: ...ents and filter components match an error is returned If the filter components are null a base search is performed Note that both DNComps and filterComps parameters accept valid DN components or attri...

Page 643: ...ll of these components CN OU O L ST and C to build a DN for searching the directory When creating a mapper rule you can specify the components the server should use to build a DN that is components to...

Page 644: ...nsider another example that shows how two directory entries with similar DNs can be differentiated by the value of the UID attribute Assume that the two Jane Doe entries are distinguished by the value...

Page 645: ...specified by that DN for entries matching the filter specified by filterComps parameter values Permissible values Valid DN components or attributes separated by commas filterComps Specifies component...

Page 646: ...ule and then where it is to be published Determining if the object meets the rule is done by matching the type and predicate set up in the rule with the object itself Determining where matching object...

Page 647: ...ter 15 Publishing 647 4 To edit an existing rule select that rule from the list and click Edit The Rule Editor window appears 5 To create a rule a Click Add The Select Rule Plugin Implementation windo...

Page 648: ...the only module If you have registered any custom modules they too will be available for selection c Click Next The Rule Editor window appears 6 Enter the appropriate information Rule ID Type a name...

Page 649: ...lisher you created that will be associated with this rule For example if this rule publishes user certificates to a file choose the publisher that publishes to a file in the location set up for user ce...

Page 650: ...r CRL set isDeltaCRL false in order to publish only the master CRL For example issuingPointId MasterCRL isDeltaCRL false To publish only the delta CRL set isDeltaCRL true in order to publish only the...

Page 651: ...Rule Configuration Parameters Parameter Value Description type xcert Specifies the type of certificate that will be published Select from the pull down menu predicate Specifies a predicate for this p...

Page 652: ...LdapUserCertMap Specifies the mapper used with this rule See LdapSimpleMap on page 640 for details on this mapper publisher LdapUserCertPublisher specifies the publisher used with this rule See LdapU...

Page 653: ...To enable LDAP publishing select both Enable Publishing and Enable Default LDAP Connection options In the Destination section identify the Directory Server instance Host name Type the fully qualified...

Page 654: ...certificate for this purpose LDAP version Select the version of LDAP protocol appropriate to your version of Directory Server If the directory you want the Certificate Manager to publish to is based...

Page 655: ...You should see a file with name similar to cert serial_number der where serial_number specifies the serial number of the certificate contained in the file 5 Convert the DER encoded certificate to its...

Page 656: ...orm using the Pretty Print Certificate tool see Chapter 9 Pretty Print Certificate Tool of CMS Command Line Tools Guide To convert the base 64 encoded certificate to a human readable form a Check the...

Page 657: ...e value derived from the time dependent variable named This Update of the CRL contained in the file If you don t see the file check your configuration 10 Convert the DER encoded CRL to its base 64 enc...

Page 658: ...tes If the directory object that it finds does not allow the userCertificate binary attribute the addition or removal of that specific certificate fails If you have created user entries as inetOrgPers...

Page 659: ...CA s distinguished name begins with the OU component create a new organizational unit entry for the CA Note that the entry you create doesn t have to be in the certificationAuthority object class The...

Page 660: ...ing methods of communication Publishing With Basic Authentication Publishing Over SSL Without Client Authentication Publishing Over SSL With Client Authentication See the Netscape Directory Server doc...

Page 661: ...ht be down for a while and be unable to receive changes from the Certificate Manager In such a situation use the forms provided in the Certificate Manager Agent Services interface to manually update t...

Page 662: ...te Manager is installed as a root CA when using the agent interface to update the directory with valid certificates the CA signing certificate may get published using the publishing rule set up for us...

Page 663: ...d in the update When the directory is updated the Certificate Manager will display a status report If the process gets interrupted for some reason the server logs an error message Be sure to check log...

Page 664: ...a plug in click Register 7 Specify information as appropriate Plugin name Type a name for the plug in module Class name Type the full name of the class for this module that is the path to the impleme...

Page 665: ...omponents Security Audit FAU FAU_GEN 1 Audit data generation iteration 1 FAU_GEN 2 User identity association iteration 1 FAU_SAR 1 Audit Review FAU_SAR 3 Selectable audit review FAU_SEL 1 Selective au...

Page 666: ...ity functions behavior iteration 1 FMT_MSA 1 Management of security attributes FMT_MSA 2 Secure security attributes FMT_MSA 3 Static attribute initialization FMT_MTD 1 Management of TSF data FMT_SMR 2...

Page 667: ...itionally the audit shall not include plaintext private or secret keys or other critical security parameters Table A 2 Auditable Events and Audit Data Section Function Component Event Additional Detai...

Page 668: ...The IT environment shall provide the ability to perform searches of audit data based on the type of event the user responsible for causing the event and as specified in Table A 3 below FAU_SEL 1 Selec...

Page 669: ...generation FCS_CKM 1 1 The FIPS 140 1 validated cryptographic module shall generate cryptographic keys in accordance with any FIPS approved or recommended cryptographic key generation algorithm that...

Page 670: ...tly deny access of subjects to objects based on the none FDP_ITT 1 Basic internal transfer protection iteration 1 FDP_ITT 1 1 The IT environment shall enforce the CIMC IT Environment Access Control Po...

Page 671: ...r security attributes FIA_UAU 1 Timing of authentication iteration 1 FIA_UAU 1 1 The IT environment shall allow HTTP and LDAP based services1 on behalf of the user to be performed before the user is a...

Page 672: ...onment Access Control Policy specified in CIMC TOE Access Control Policy on page 675 to provide restrictive default values for security attributes that are used to enforce the SFP FMT_MSA 3 2 The IT e...

Page 673: ...machine testing FPT_AMT 1 1 The IT environment shall run a suite of tests other conditions during initial start up periodically during normal operation or at the request of an authorized user to demo...

Page 674: ...ence and tampering by untrusted subjects FPT_SEP 1 2 Each operating system in the IT environment shall enforce separation between the security domains of subjects in its scope of control FPT_STM 1 Rel...

Page 675: ...he security objective O Integrity protection of user data and software and O Periodically check integrity Trusted path channels FTP FTP_TRP 1 Trusted path FTP_TRP 1 1 The IT environment shall provide...

Page 676: ...Individuals with different access authorizations Roles with different access authorizations Individuals assigned to one or more roles with different access authorizations Access type with explicit al...

Page 677: ...hapter contains the following sections PKI Overview Security Objectives TOE Security Environment Assumptions Security Requirements for the IT Environment IT Environment Assumptions CMS Privileged User...

Page 678: ...erified Implement automated notification or other responses to the TSF discovered attacks in order to identify attacks and create an attack deterrent Require inspection for downloads Respond to possib...

Page 679: ...vate and Secret Keys CMS certificate private keys and secret keys are to be generated and stored in a FIPS 140 1 level 3 certified hardware cryptographic token The CMS private asymmetric keys are Priv...

Page 680: ...bsystem and depend on which CMS subsystem has been installed All of the privileged roles see About Roles on page 683 for more information about privileges require SSL client authentication by presenti...

Page 681: ...on authorization mechanism Conceptually this role is not an actual privileged role that a user can be assigned to Rather the Trusted Manager role is a means of establishing trust between two CMS subsy...

Page 682: ...the subsystem from the command line Data Recovery Manager Agents Can approve recovery of subject private keys via SSL capable browsers to the DRM Agent interface Can export recovered subject private...

Page 683: ...command line Online Certificate Status Manager Agents Can add CRLs to the OCSP Responder Agent interface via SSL capable browsers Can define supported CAs via SSL capable browsers to the OCSP Responde...

Page 684: ...ment Setup and Installation Guide Understanding Setup of Common Criteria Evaluated Netscape CMS Appendix C Understanding the Common Criteria Evaluated CMS Setup provides a high level description of th...
Page 687: ...contained in the document CMS Common Criteria Setup Procedure Understanding the Common Criteria Environment This section describes the environment before CMS is installed and configured Secure Enviro...

Page 688: ...or example the user Joe cannot be both the CA Administrator and Agent for the same CA subsystem See CMS Privileged Users and Groups Roles on page 680 for a description of the various CMS privileged ro...

Page 689: ...ser ID account preventing users from logging in with this user ID Understanding CMS Installation You must install CMS on each host on which a CMS subsystem is installed You can set up the environment...

Page 690: ...see The Administrative Interface on page 244 For instructions on how to set up SSL client authorization for the CMS console see Appendix I Introduction to SSL Backup and Restore of a CMS Subsystem CM...

Page 691: ...Recovery Manager to a Registration Manager is one possible CMS deployment scenario it is not currently part of the Common Criteria Evaluation You can install and configure an OCSP responder to any CA...

Page 692: ...he main guidance documents where detailed information is provided for each feature but you will need to follow the CMS Common Criteria Setup Procedure in order to set up a Netscape CMS Common Criteria...

Page 693: ...the Access Control feature are not part of the Common Criteria Environment Audit Logs The Common Criteria Environment requires that the signed audit log file feature be enabled and configured Signed...

Page 694: ...g up the CRL feature you cannot set up a CRL that does not have an update frequency specified in the Update at this frequency field Compliant CRLs must contain the nextUpdateTime extension which will...

Page 695: ...g it is highly recommended that you set it up using SSL client authentication and that you set up the Directory Server in SSL mode as well For information about publishing see Chapter 15 Publishing Se...

Page 696: ...t also provides features to recover the user private keys that it has archived Key recovery requires Data Recovery Manager Agents to work in cooperation You will be instructed to configure the key rec...

Page 697: ...es including security objectives for the TOE security objectives for the environment and security objectives for both the TOE and environment 1 1 Security Objectives for the TOE This section includes...

Page 698: ...tion Provide sufficient backup storage and effective restoration to ensure that the system can be recreated 1 1 3 Cryptography O Non repudiation Prevent user from avoiding accountability for sending a...

Page 699: ...s histories variations etc through enforced authentication data management Note this objective is not applicable to biometric authentication data O Communications Protection Protect the system against...

Page 700: ...sical Protection Those responsible for the TOE must ensure that the security relevant components of the TOE are protected from physical attack that might compromise IT security O Social Engineering Tr...

Page 701: ...y in accordance with security requirements recommended by the National Institute of Standards and Technology O Periodically check integrity Provide periodic integrity checks on both system and softwar...

Page 702: ...backup data O Individual accountability and audit records Provide individual accountability for audited events Record in audit records date and time of action and the entity responsible for the action...

Page 703: ...n the system O Require inspection for downloads Require inspection of downloads transfers O Respond to possible loss of stored audit records Respond to possible loss of audit records when audit trail...

Page 704: ...nt 704 Netscape Certificate Management System Administrator s Guide February 2003 O React to detected attacks Implement automated notification or other responses to the TSF discovered attacks in an ef...

Page 705: ...n Security Policies 1 1 Secure Usage Assumptions The usage assumptions are organized in three categories personnel assumptions about administrators and users of the system as well as any threat agents...

Page 706: ...nt CPS under which the TOE is operated A Disposal of Authentication Data Proper disposal of authentication data and associated privileges is performed after access has been removed e g job termination...

Page 707: ...y this CIMC to counter the perceived threats for the appropriate Security Level identified in this family of PPs This assumption has been copied directly from the CIMC PP In the context of this ST app...

Page 708: ...lure of one or more system components results in the loss of system critical functionality T Malicious code exploitation An authorized user IT system or hacker downloads and executes malicious code wh...

Page 709: ...undetected access to a system due to missing weak and or incorrectly implemented access control causing potential violations of integrity confidentiality or availability T Hacker physical access A ha...
Page 711: ...Importing Certificate Chains Importing Certificates into Netscape Communicator on page 713 Importing Certificates into Netscape Servers on page 714 Object Identifiers on page 714 Data Formats Netscape...

Page 712: ...s It consists of a PKCS 7 ContentInfo structure wrapping a sequence of certificates The value of the contentType field should be netscape cert sequence see Object Identifiers on page 714 while the con...

Page 713: ...n as long as there is a trusted CA somewhere along the chain Importing Certificates into Netscape Communicator Communicator imports certificates via HTTP There are several MIME content types that are...

Page 714: ...a the server administration interface Certificates are pasted into a text input field in an HTML form and then the form is submitted to the administration server Since the certificates are pasted into...

Page 715: ...Object Identifiers Appendix F Certificate Download Specification 715 netscape data type OBJECT IDENTIFIER netscape 2 netscape cert sequence OBJECT IDENTIFIER netscape data type 5...
Page 717: ...Extensions Netscape Defined Certificate Extensions CA Certificates and Extension Interactions Introduction to Certificate Extensions An X 509 v3 certificate contains an extensions field that permits a...

Page 718: ...ways possible to check a certificate s revocation status against a directory or with the original certificate authority it is useful for certificates to include information about where to check CRLs E...

Page 719: ...ned with the international telecommunications network The Internet Engineering Task Force IETF which controls many of the standards that underlie the Internet is currently developing public key infras...

Page 720: ...he application must reject the certificate If the extension is not critical and the certificate is sent to an application that does not understand the extension based on the extension s ID the applica...

Page 721: ...9 1 1 5 Issuer CN Certificate Manager OU netscape O aol L MV ST CA C US Validity Not Before Friday February 21 2003 12 00 00 AM PST America Los_Angeles Not After Monday February 21 2005 12 00 00 AM PS...

Page 722: ...itical no Key Identifier 3B 46 83 85 27 BC F5 9D 8E 63 E3 BE 79 EF AF 79 9C 37 85 84 Identifier Key Usage 2 5 29 15 Critical yes Key Usage Digital Signature Key CertSign Crl Sign Signature Algorithm S...

Page 723: ...For other clients see their web sites for information Each extension in a certificate can be designated as critical or noncritical A certificate using system such as browser software must reject the...

Page 724: ...sion The Authority Key Identifier extension identifies the public key corresponding to the private key used to sign a certificate This extension is useful when an issuer has multiple signing keys for...

Page 725: ...ed during the certificate chain verification process to identify CA certificates and to apply certificate chain path length constraints The cA component should be set to true for all CA certificates P...

Page 726: ...n page 516 CRLDistributionPoints OID 2 5 29 31 Criticality PKIX recommends that this extension be marked noncritical and that it be supported for all certificates Discussion This extension defines how...

Page 727: ...an OCSP responder s certificate unless the CA signing key that signed the certificates validated by the responder is also the OCSP signing key The OCSP responder s certificate must be issued directly...

Страница 728: ...The Issuer Alternative Name extension is used to associate Internet style identities with the certificate issuer Names must use the forms defined for subjectAltName CMS Version Support Supported sinc...

Страница 729: ...carefully consider the legal consequences of its use before setting it for any certificate keyEncipherment 2 for SSL server certificates and S MIME encryption certificates dataEncipherment 3 when the...

Страница 730: ...cates for users who have separate certificates and key pairs for these operations CMS Version Support Supported since CMS 4 1 Refer to KeyUsageExt on page 535 nameConstraints OID 2 5 29 30 Criticality...

Страница 731: ...fully If the OCSP signing key is compromised the entire process of validating certificates in the PKI will be compromised for the duration of the validity period of the certificate Therefore certifica...

Страница 732: ...pecify a different validity period for the private key than for the certificate itself This extension is intended for use with digital signature keys PKIX Part 1 recommends against the use of this ext...

Страница 733: ...by PKCS 9 Software that supports S MIME must be able to read an email address from either the Subject Alternative Name extension or from the subject name field CMS Version Support Supported since CMS...

Страница 734: ...xtension of the certificate being verified should match the key identifier of the CA s Subject Key Identifier extension It is not necessary for the verifier to recompute the key identifier in this cas...

Страница 735: ...encoded structure appears as the value of the octet string extnValue see the examples in Sample Certificate Extensions on page 721 A flag or boolean field called critical The true or false value assi...

Страница 736: ...r example a CRL may contain only one authority key identifier extension However CRL entry extensions appear in appropriate entries in the CRL Certificate Revocation List Data Version v2 Extensions Ide...

Страница 737: ...associating additional attributes with Internet CRLs These are of two kinds extensions to the CRL itself and extensions to individual certificate entries in the CRL Extensions for CRLs CRL Entry Exte...

Страница 738: ...each CRL issued by a CA It allows users to easily determine when a particular CRL supersedes another CRL PKIX requires that all CRLs have this extension CMS Version Support Supported since CMS 4 2 Re...

Страница 739: ...issuerAltName OID 2 5 29 18 Discussion The Issuer Alternative Name extension allows additional identities to be associated with the issuer of the CRL For details see the discussion under certificate e...

Страница 740: ...uer OID 2 5 29 29 Discussion The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL This extension is used only with indirect CRLs which are not...

Страница 741: ...ndard All Netscape extensions should be tagged as noncritical so that their presence in a certificate does not make that certificate incompatible with other clients The specifications for all Netscape...

Страница 742: ...cate bit 6 S MIME CA certificate bit 7 Object signing CA certificate CMS Version Support Supported since CMS 4 1 Refer to NSCertTypeExt on page 549 netscape comment OID 2 16 840 1 113730 13 Discussion...

Страница 743: ...or both as described above If CAs issue multiple certificates for the same identity for example for separate signing and encryption keys they must include the keyUsage extension in the subject certifi...

Страница 744: ...ys for their CA they must add the authorityKeyIdentifier extension to all subject certificates If the key ID is anything other than the SHA 1 hash of the CA certificates subjectPublicKeyInfo field the...

Страница 745: ...extension or a company s certificate practice statement OIDs are controlled by the International Standards Organization ISO registration authority In some cases this authority is delegated by ISO to...

Страница 746: ...ny arc http www isi edu cgi bin iana enterprise pl To understand why you need to have a company arc check the information at this site http www alvestrand no objectid 2 16 840 1 113730 1 13 html The s...

Страница 747: ...or the most part the information presented in this appendix is specific to Netscape Directory Server an LDAP compliant directory What Is a Distinguished Name Distinguished names DNs are string represe...

Страница 748: ...rg rfc rfc2253 txt Note that if used in conjunction with an LDAP compliant directory Certificate Management System by default recognizes components that are listed in Table I 2 Table I 1 Definitions o...

Страница 749: ...he search base For example if you specify a base DN of OU people O example com for a client the LDAP search operation initiated by the client examines only the OU people subtree in the O example com d...

Страница 750: ...absence of a base DN value Certificate Management System uses DN components in the certificate s subject name to construct the base DN so that it can search the directory in order to publish to or up...

Страница 751: ...E IA5String 1 2 840 113549 1 9 1 DC IA5String 0 9 2342 19200300 100 1 2 25 SERIALNUMBER for CEP support Printable String 2 5 4 5 UNSTRUCTUREDNAME for CEP support IA5String 1 2 840 113549 1 9 2 UNSTRU...

Страница 752: ...v3 UTF 8 String Representation of Distinguished Names see http www ietf org rfc rfc2253 txt Certificate Management System conforms to all of this standard including support of using hex numbers to es...

Страница 753: ...order from smaller character sets to broadest character set Printable IA5String BMPString Universal String For example X500Name MY_ATTR oid 1 2 3 4 5 6 X500Name MY_ATTR class netscape security x509 Di...

Страница 754: ...at you can verify whether they appear in certificate subject names For example you can enter the following values for the new attributes and look for them in the subject name MYATTR1 a_value MYATTR2 a...

Страница 755: ...gn TOP input type TEXT name DC size 30 onchange formulateDN this form this form subject td tr 4 Save your changes and close the file 5 Go to this directory server_root cert instance_id web apps ee 6 O...

Страница 756: ...nual enrollment form in the browser and verify your changes 10 To verify that the Enroll for a certificate using the new attribute value Changing the DER Encoding Order You can also change the DER enc...

Страница 757: ...rm Use John_Doe for CN 7 Go to the agent interface and approve your request 8 When you receive the certificate use the dumpasn1 tool to examine the encoding of the certificate For details about the du...

Страница 758: ...ple CN corpDirectory example com OU Human Resources O Example Corporation C US When clients such as Netscape Navigator receive a server certificate they expect the CN component of the certificate s su...

Страница 759: ...s the certificate subject name The dnpattern configuration variable supports escaped commas and multiple attribute variable assertions AVAs in a RDN Below is the syntax for the DN pattern followed by...

Страница 760: ...this example O the first o value in the user s entry DN C the string US Example 3 If the configured DN pattern is CN attr cn rdn 2 O dn o C US LDAP entry dn UID jdoe OU IS OU people O example com LDA...

Страница 761: ...ue in the user s entry OU the second ou value in the user s entry DN followed by the first ou value in the user s entry note the multiple AVAs in a RDN in this example O the first o value in the user...

Страница 762: ...DNs in Certificate Management System 762 Netscape Certificate Management System Administrator s Guide February 2003...

Страница 763: ...tion Digital Signatures Certificates and Authentication Managing Certificates For more information on these topics and other aspects of cryptography see Security Resources at the following URL http de...

Страница 764: ...tion is known as spoofing Misrepresentation A person or organization can misrepresent itself For example suppose the site www netscape com pretends to be a furniture store when it is really just a sit...

Страница 765: ...it is intelligible again A cryptographic algorithm also called a cipher is a mathematical function used for encryption or decryption In most cases two related functions are employed one for encryptio...

Страница 766: ...etric key Thus as long as the symmetric key is kept secret by the two parties using it to encrypt communications each party can be sure that it is communicating with the other as long as the decrypted...

Страница 767: ...ly distribute a public key and only you will be able to read data encrypted using this key In general to send encrypted data to someone you encrypt the data with that person s public key and the perso...

Страница 768: ...rs used with SSL see Appendix K Introduction to SSL Different ciphers may require different key lengths to achieve the same level of encryption strength The RSA cipher used for public key encryption f...

Страница 769: ...ics The value of the hash is unique for the hashed data Any change in the data even deleting or altering a single character results in a different value The content of the hashed data cannot for all p...

Страница 770: ...ublic key presented by the signer If the two hashes match the recipient can be certain that the public key used to decrypt the digital signature corresponds to the private key used to create the digit...

Страница 771: ...their own certificate issuing server software such as Netscape Certificate Management System The methods used to validate an identity vary depending on the policies of a given CA just as the methods...

Страница 772: ...entified by that certificate did indeed send that message Similarly a digital signature on an HTML form combined with a certificate that identifies the signer can provide evidence after the fact that...

Страница 773: ...onse to an authentication request from the server the client displays a dialog box requesting the user s name and password for that server The user must supply a name and password separately for each...

Страница 774: ...d with some data can be thought of as evidence provided by the client to the server The server authenticates the user s identity on the strength of this evidence Like Figure J 4 Figure J 5 assumes tha...

Страница 775: ...on the basis of input from both the client and the server This data and the digital signature constitute evidence of the private key s validity The digital signature can be created only with that pri...

Страница 776: ...ms based on the authenticated user identity are not affected How Certificates Are Used Types of Certificates SSL Protocol Signed and Encrypted Email Form Signing Single Sign On Object Signing Types of...

Страница 777: ...company deploys combined S MIME and SSL certificates solely for the purpose of authenticating employee identities thus permitting signed email and client SSL authentication but not encrypted email Ano...

Страница 778: ...to the server to authenticate the client s identity before the encrypted SSL session can be established For an overview of client authentication over SSL and how it differs from password based authen...

Страница 779: ...the need for persistent authentication of financial transactions Form signing allows a user to associate a digital signature with web based data generated as the result of a transaction such as a purc...

Страница 780: ...over the network This approach simplifies access for users because they don t need to enter passwords for each new server It also simplifies network management since administrators can control access...

Страница 781: ...pported by Netscape and many other software companies are organized according to the X 509 v3 certificate specification which has been recommended by the International Telecommunications Union ITU an...

Страница 782: ...r s public key including the algorithm used and a representation of the key itself The DN of the CA that issued the certificate The period during which the certificate is valid for example between 1 0...

Страница 783: ...8 ce 7f 47 50 2c 93 36 7c 01 6e cb 89 06 41 72 b5 e9 73 49 38 76 ef b6 8f ac 49 bb 63 0f 9b ff 16 2a e3 0e 9d 3b af ce 9a 3e 48 65 de 96 61 d5 0a 11 2a a2 80 b0 7d d8 99 cb 0c 99 34 c9 ab 25 06 a8 31...

Страница 784: ...r which it has a certificate It s also possible for a trusted CA certificate to be part of a chain of CA certificates each issued by the CA above it in a certificate hierarchy The sections that follow...

Страница 785: ...onsibilities to subordinate CAs The X 509 standard includes a model for setting up a hierarchy of CAs like that shown in Figure J 6 Figure J 6 Example of a Hierarchy of Certificate Authorities In this...

Страница 786: ...through two subordinate CA certificates to the CA certificate for the root CA based on the CA hierarchy shown in Figure J 6 Figure J 7 Example of a Certificate Chain A certificate chain traces a path...

Страница 787: ...scape software uses the following procedure for forming and verifying a certificate chain starting with the certificate being presented for authentication 1 The certificate validity period is checked...

Страница 788: ...A Figure J 8 shows what happens when only Root CA is included in the verifier s local database If a certificate for one of the intermediate CAs shown in Figure J 8 such as Engineering CA is found in t...

Страница 789: ...ows how verification fails if neither the Root CA certificate nor any of the intermediate CA certificates are included in the verifier s local database Figure J 10 A Certificate Chain That Can t Be Ve...

Страница 790: ...identity such as a utility bill with your address on it and a student identity card If you want to get a regular driving license you also need to take a test a driving test when you first get the lice...

Страница 791: ...nd renewing and revoking certificates can be partially or fully automated with the aid of the directory Information stored in the directory can also be used with certificates to control access to vari...

Страница 792: ...r authentication before or after its validity period will fail Therefore mechanisms for managing certificate renewal are essential for any certificate management strategy For example an administrator...

Страница 793: ...ntities of end entities before responding to the requests In addition some requests need to be approved by authorized administrators or managers before being services As previously discussed the means...

Страница 794: ...Managing Certificates 794 Managing Servers with Netscape Console December 2001...

Страница 795: ...support the protocol in future versions This document is primarily intended for administrators of Netscape server products but the information it contains may also be useful for developers of applicat...

Страница 796: ...rtant if the user for example is sending a credit card number over the network and wants to check the receiving server s identity SSL client authentication allows a server to confirm a user s identity...

Страница 797: ...use in operations such as authenticating the server and client to each other transmitting certificates and establishing session keys Clients and servers may support different cipher suites or sets of...

Страница 798: ...the use of the strongest ciphers available And when an domestic client or server is dealing with an international server or client it will negotiate the use of those ciphers that are permitted under...

Страница 799: ...phers have 128 bit encryption they are the second strongest next to Triple DES Data Encryption Standard with 168 bit encryption RC4 and RC2 128 bit encryption permits approximately 3 4 1038 possible k...

Страница 800: ...ported ciphers Both SSL 2 0 and SSL 3 0 support this cipher Netscape Console supports only the SSL 3 0 version of this cipher suite RC2 With 40 Bit Encryption and MD5 Message Authentication RC2 40 bit...

Страница 801: ...te is supported by SSL 3 0 but not by SSL 2 0 RC4 With SKIPJACK 80 Bit Encryption and SHA 1 Message Authentication The SKIPJACK cipher is a classified symmetric key cryptographic algorithm implemented...

Страница 802: ...using SSL 2 The server sends the client the server s SSL version number cipher settings randomly generated data and other information the client needs to communicate with the server over SSL The serve...

Страница 803: ...the client informing it that future messages from the server will be encrypted with the session key It then sends a separate encrypted message indicating that the server portion of the handshake is f...

Страница 804: ...server authentication or cryptographic validation by a client of the server s identity As explained in Step 2 of The SSL Handshake which begins on page 802 the server sends the client a certificate t...

Страница 805: ...a on the right side of Figure K 3 This list determines which server certificates the client will accept If the distinguished name DN of the issuing CA matches the DN of a CA on the client s list of tr...

Страница 806: ...son the server identified by the certificate cannot be authenticated and the user will be warned of the problem and informed that an encrypted and authenticated connection cannot be established If the...

Страница 807: ...erver of the client s identity When a server configured this way requests client authentication see Step 6 of The SSL Handshake which begins on page 802 the client sends the server both a certificate...

Страница 808: ...to create the signature and that the data has not been tampered with since it was signed At this point however the binding between the public key and the DN specified in the certificate has not yet b...

Страница 809: ...icate the user s identity If the CA s digital signature can be validated the server treats the user s certificate as a valid letter of introduction from that CA and proceeds At this point the SSL prot...

Страница 810: ...The SSL Handshake 810 Managing Servers with Netscape Console December 2001...

Страница 811: ...les to be evaluated when a server receives a request for access to a particular resource See access control instructions ACI administrator The person who installs and configures one or more CMS manage...

Страница 812: ...tication module A set of rules implemented as a Java class for authenticating an end entity agent administrator or any other entity that needs to interact with a CMS manager In the case of typical end...

Страница 813: ...ntities enrolled in the PKI certificate authority CA A trusted entity that issues a certificate after verifying the identity of the person or entity the certificate is intended to identify A CA also r...

Страница 814: ...re defined certificate fingerprint A one way hash associated with a certificate The number is not part of the certificate itself but is produced by applying a hash function to the contents of the cert...

Страница 815: ...ity by allowing you to set up policies for a particular type of enrollment along with an authentication method in a certificate profile Certificate Request Message Format CRMF Format used for messages...

Страница 816: ...administrator to control configuration settings for the corresponding CMS instance Common Criteria Environment The configuration settings used for the Common Criteria certification of CMS configurati...

Страница 817: ...and one for digital signatures Data Recovery Manager agent A user who belongs to a group authorized to manage agent services for a Data Recovery Manager including managing the request queue and autho...

Страница 818: ...r s public key and comparison with another hash of the same data provides tamper detection Verification of the certificate chain for the certificate containing the public key provides authentication o...

Страница 819: ...s to each other and storing the two cross pair certificates as a certificate pair fingerprint See certificate fingerprint FIPS PUBS 140 1 Federal Information Standards Publications FIPS PUBS 140 1 is...

Страница 820: ...cations and applets using the Java programming language Java Native Interface JNI A standard programming interface that provides binary compatibility across different implementations of the Java Virtu...

Страница 821: ...eue after successful authentication module processing An agent with appropriate privileges must then approve each request individually before policy processing and certificate issuance can proceed MD5...

Страница 822: ...rivate key is used to sign objects using the technology known as object signing OCSP Online Certificate Status Protocol one way hash A number of fixed length generated from data of arbitrary length wi...

Страница 823: ...c key cryptography The private key is kept secret and is used to decrypt data encrypted with the corresponding public key proof of Archival POA Data signed with the private Data Recovery Manager trans...

Страница 824: ...s the certificates to the end entities and typically publishes them to the appropriate directory Registration Manager agent A user who belongs to a group authorized to manage agent services for a Regi...

Страница 825: ...udit log See audit log signing certificate A certificate whose public key corresponds to a private key used to create digital signatures For example Certificate Manager must have a signing certificate...

Страница 826: ...can identify itself as a site called www netscape com when it is not Spoofing is one form of impersonation See also misrepresentation impersonation SSL See Secure Sockets Layer SSL subject The entity...

Страница 827: ...thority CA that issued the certificate If you trust a CA you can generally trust valid certificates issued by that CA virtual private network VPN A way of connecting geographically distant divisions o...

Страница 828: ...828 Netscape Certificate Management System Administrator s Guide February 2003...

Страница 829: ...ting 345 modifying group membership 345 port used for operations 286 See also ports tools provided CMS console 247 Netscape Console 245 Agent Services interface URL for 286 AgentDirEnrollment instance...

Страница 830: ...cate 86 88 changing trust settings of 296 deleting 295 getting a new one 299 314 nickname 86 renewing 299 viewing details of 295 CEP 65 CEP enrollment 414 setting up multiple services 418 certificate...

Страница 831: ...s applications 92 97 how to revoke 600 installing 711 715 issuing of 790 and LDAP Directory 791 management formats and protocols 66 object signing 777 publishing to files 620 publishing to LDAP direct...

Страница 832: ...Manager support for 34 defined 599 extensions for 737 extension specific modules 734 issuing or distribution points 601 publishing of 598 publishing to files 620 publishing to LDAP directory 600 620 r...

Страница 833: ...rypted file system EFS 454 525 encryption defined 765 public key 767 symmetric key 766 end entities port used for operations 287 See also ports end entity certificate publisher 632 end entity certific...

Страница 834: ...ware tokens See external tokens HashAuth authentication plug in 408 holdInstructionCode 740 host name for mail server used for notifications 259 how to revoke certificates 600 how to search for keys 2...

Страница 835: ...eys defined 765 management and recovery 791 keyUsage 728 L LDAP 66 LDAP publishing defined 620 manual updates 661 when to do 661 who can do this 661 See CRLs linked CA 31 local vs remote key recovery...

Страница 836: ...6 173 216 for transport certificate 215 for wTLS signing certificate 86 NIS server based authentication 391 notifications configuring the mail server host name 259 port 259 to agents about unpublishin...

Страница 837: ...84 naming convention 493 predicates in 485 reordering 493 significance of ordering 493 See also predicates types of 483 what each rule does 483 policyConstraints 731 policyMappings 731 ports 285 for a...

Страница 838: ...cate 215 Remove Basic Constraints extension policy 557 renewal of certificates See certificate renewal reordering policy rules 493 significance of ordering 493 restarting Certificate Management System...

Страница 839: ...7 tasks you can accomplish 247 TCP IP defined 763 templates for notifications 573 589 timing log rotation 269 tokens changing password of 319 external 316 See also external tokens internal 316 managin...

Страница 840: ...t System Administrator s Guide February 2003 wireless certificates 92 97 wizard See Certificate Setup Wizard writing policies in JavaScript 495 wTLS CA signing certificate 86 nickname 86 wTLS certific...

Отзывы: