manualshive.com logo in svg

Netscape Certificate Management System 6.2, Руководство администратора

Поделиться
Скачать
Netscape Certificate Management System 6.2 Скачать руководство пользователя страница 204

Key Recovery Process

204

Netscape Certificate Management System Administrator’s Guide • June 2003

whereby it splits the PIN that protects the token in which the storage key pair 
resides among n number of key recovery agents and reconstructs the PIN only if m 
number of recovery agents provide their individual passwords; n must be an 
integer greater than 1 and must be an integer less than or equal to n.

Here’s how the m of n secret splitting mechanism gets built and works:

During the installation of a Data Recovery Manager, you generate the storage key 
pair and specify the hardware token in which the key pair is to be stored. At this 
time, the system generates a PIN and splits it into n pieces to protect the token, the 
total number of key recovery agents (n), and how many of these agents (m) are 
required to perform a key recovery operation. You can change the m of n secret 
splitting later; for details, see “Key Recovery Agent Scheme” on page 209.

The Data Recovery Manager splits the PIN for the token into parts or pieces by 
using the Bloom/Shamir secret-sharing algorithm. It then encrypts these parts with 
the passwords that are provided by the authorized key recovery agents.

During the key recovery procedure, the required number of key recovery agents 
(m) provide their identifiers and passwords. After verifying the passwords, the 
Data Recovery Manager reconstructs the PIN for the token based on the given 
information.

Interface for the Key Recovery Process

With the Key Recovery form provided in the Data Recovery Manager Agent 
Services interface, key recovery agents can collectively unlock the storage key of 
the Data Recovery Manager and retrieve end-entity’s encryption private keys and 
associated certificates in a PKCS #12 package, which can then be imported into the 
client. For an overview of this process, see “How Agent-Initiated Key Recovery 
Works” on page 206.

Because key recovery agents use the Data Recovery Manager Agent Services 
interface, agent-initiated key recovery invariably involves the Data Recovery 
Manager agent and key recovery agents. The Data Recovery Manager agent’s 
certificate is required to access the Key Recovery form, and key recovery agents’ 
passwords are required to unlock the key repository. For information on Data 
Recovery Manager agents, see “Agents” on page 326.

Your organization’s PKI policy may require that the key recovery process be 
restricted to authorized recovery agents only, preventing any Data Recovery 
Manager agent from being involved. If so, you should ask all key recovery agents 
to get client certificates and set them up as Data Recovery Manager agents. For 
instructions, see “Setting up Administrators, Agents, and Auditors” on page 328.

Содержание Certificate Management System 6.2

Страница 1: ...Administrator s Guide Netscape Certificate Management System Version6 2 June 2003...

Страница 2: ...CUMENTATION INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS PROFITS USE OR DATA The Software and documentation are copyright 2001 Sun Microsystems Inc Portions copyright 1999 2003 20...

Страница 3: ...er 1 Overview 31 Features 31 Subsystems 31 Certificate Manager Flexibility and Scalability 32 Interfaces 33 Logging 34 Auditing 34 Self Tests 34 Authorization 34 Authentication 35 Certificate Issuance...

Страница 4: ...Recovery Manager 55 Certificate Manager Data Recovery Manager and Registration Manager 57 Cloned Certificate Manager 58 System Architecture 59 CMS Component 60 HTTP Engine 61 Service Interfaces 62 JS...

Страница 5: ...118 Changing Subsystem Security Setting 118 Changing Passwords or Storage Settings 119 Configuring Logs 119 Changing Internal Database Settings 119 Configuring Self Test 119 Setting Up a Mail Server 1...

Страница 6: ...Setting 153 Changing Passwords or Storage Settings 153 Configuring Logs 154 Changing Internal Database Settings 154 Configuring Self Test 154 Setting Up a Mail Server 154 Setting Up Authentication 15...

Страница 7: ...the CA to the OCSP Responder 191 Configure the Revocation Info Stores 193 Testing Your OCSP Setup 195 Chapter 6 Data Recovery Manager 197 PKI Setup for Key Archival and Recovery 197 Clients That Can G...

Страница 8: ...Restarting a Server Instance 254 Subsystem Configuration Overview 255 Configuring Multiple CMS Instances 255 Removing an Instance From a System 256 Mail Server 257 Configuration Files 257 Locating the...

Страница 9: ...al Token 314 External Token 314 Managing Tokens Used by the Subsystems 317 Hardware Cryptographic Accelerators 318 Configuring the Server s Security Preferences 318 Configuring the Server to Use Separ...

Страница 10: ...r ca connector 354 certServer ca clone 354 certServer ca crl 354 certServer ca directory 355 certServer ca group 355 certServer ca ocsp 355 certServer ca profiles 356 certServer ca profile 356 certSer...

Страница 11: ...sp configuration 370 certServer ocsp crl 371 certServer policy configuration 371 certServer profile configuration 372 certServer publisher configuration 373 certServer ra configuration 373 certServer...

Страница 12: ...ted CEP Enrollment 413 Setting Up Publishing of CEP Certificates and CRLs 417 Certificate Issuance to Routers or VPN Clients 419 Example 421 Testing Your Enrollment Setup 423 Managing Authentication P...

Страница 13: ...Default 469 User Supplied Key Default 469 User Signing Algorithm Default 470 User Supplied Subject Name Default 470 User Supplied Validity Default 470 Validity Default 471 Constraints Reference 471 Ba...

Страница 14: ...04 ValidityConstraints 506 Extension Specific Policy Module Reference 508 AuthInfoAccessExt 508 AuthorityKeyIdentifierExt 511 BasicConstraintsExt 512 CertificatePoliciesExt 514 CertificateRenewalWindo...

Страница 15: ...uler 578 Setting Up Specific Jobs 579 Enabling and Configuring Specific Jobs Using the CMS Console 580 Enabling Configuring Specific Jobs By Editing the Configuration File 581 Configuration Parameters...

Страница 16: ...616 About Publishers 617 About Mappers 617 About Rules 617 About Publishing to Files 618 About LDAP Publishing 618 About OCSP Publishing 619 How Publishing Works 619 Setting Up Publishing 620 Publish...

Страница 17: ...ng the Online Certificate Status Manager 684 Preparing to Clone the Online Certificate Status Manager 685 Cloning the OCSP Responder 686 Testing the OCSP Cloned Master Connection 690 Cloned Master OCS...

Страница 18: ...Setup of Common Criteria Evaluated Netscape CMS 718 CMS Common Criteria Environment Setup and Installation Process 718 Appendix C Understanding the Common Criteria Evaluated CMS Setup 721 Understandin...

Страница 19: ...IT security objectives for the environment 735 1 3 Security Objectives for both the TOE and the Environment 735 Appendix E Common Criteria Environment TOE Security Environment Assumptions 739 1 1 Secu...

Страница 20: ...stration of Object Identifiers 779 Appendix I Distinguished Names 781 What Is a Distinguished Name 781 Distinguished Name Components 782 DNs in Certificate Management System 784 Extending Attribute Su...

Страница 21: ...pendix K Introduction to SSL 829 The SSL Protocol 829 Ciphers Used with SSL 831 Cipher Suites With RSA Key Exchange 832 Fortezza Cipher Suites 834 The SSL Handshake 836 Server Authentication 838 Man i...

Страница 22: ...22 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 23: ...routers This preface has the following sections Who Should Read This Guide What You Should Know What s in This Guide Conventions Used in This Guide Documentation Who Should Read This Guide This guide...

Страница 24: ...Console You are familiar with the basic concepts of public key cryptography and the Secure Sockets Layer SSL protocol including the following SSL cipher suites The purpose of and major steps in the S...

Страница 25: ...stems including working in the administrative interface starting and stopping the server working with logs working with self test managing the database and managing the certificate database Chapter 8...

Страница 26: ...up CMS in the Common Criteria Environment Appendix C Understanding the Common Criteria Evaluated CMS Setup Provides information about running CMS in the Common Criteria Environment Appendix F Certific...

Страница 27: ...e Rotation frequency From the drop down list select the interval at which the server should rotate the active error log file The available choices are Hourly Daily Weekly Monthly and Yearly The defaul...

Страница 28: ...CMS Administrator s Guide this guide Describes how to plan for install and administer CMS CMS Command Line Tools Guide Provides detailed reference information on CMS tools CMS Customization Guide Exam...

Страница 29: ...led reference information on customizing the HTML based agent and end entity interfaces CMS Agent s Guide Provides detailed reference information on CMS agent interfaces To access this information fro...

Страница 30: ...Documentation 30 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 31: ...obust scalable and high performance certificate management solution for your public key infrastructure PKI extranets and intranets This chapter contains the following sections Features How Certificate...

Страница 32: ...to provide flexibility in your PKI Features include support for multiple registration authorities tied to a single CA the ability to act as a root or subordinate CA high availability cloning to allow...

Страница 33: ...inate CAs you can create clones of a Certificate Manager and configure each clone to issue certificates that fall within a distinct range of serial numbers Because cloned CAs and master CAs use the sa...

Страница 34: ...who is the only user who can view the audit logs This user s certificate is used to sign and encrypt the logs See Signed Audit Log on page 275 for complete details Self Tests CMS provides the framewor...

Страница 35: ...icates that conform to X 509 version 3 standard The Certificate Manager can issue certificates with the following characteristics Certificates that are X 509 version 3 compliant Unicode support for ce...

Страница 36: ...ils CRLs CMS is capable of creating certificate revocation lists This configurable framework allows you to define issuing points so a CRL can be created for each issuing point defined You can issue CR...

Страница 37: ...encrypting mail messages and other data To support separate key pairs for signing and encrypting data CMS supports generation of dual certificates for end entities capable of generating dual key pair...

Страница 38: ...pports multiple message formats such as KEYGEN SPAC CRMF CMMF CRS CEP SCEP and PKCS 10 and CMC for certificate requests All requests are delivered to CMS over HTTP or HTTPS in the case of CRS CEP SCEP...

Страница 39: ...a flexible scalable system for issuing renewing and publishing certificates creating and publishing CRLs and providing key storage and retrieval capabilities CMS Basics CMS is installed on each host r...

Страница 40: ...stems have an agent interface specific to that subsystem allowing agents to perform the tasks assigned to them A Certificate Manager and a Registration Manager have an end entity services interface al...

Страница 41: ...allowing you to select logging levels as well as what is logged You can also create custom logs so that events can be separated by the categories you choose See Logs on page 261 for complete details A...

Страница 42: ...al kind of administrator who is able to run the basic operations of the subsystem but is not able to configure any of the features See Chapter 8 Authorization for complete details Self Tests CMS conta...

Страница 43: ...is called Federal Bridge Certificate Authority FBCA This feature allows you to trust certificates issued by a CA outside of your PKI that shares a cross signed certificate with the CA in your PKI Cer...

Страница 44: ...RLs that contain only the revoked certificates since the last CRL was produced See Chapter 14 Revocation and CRLs for complete details How the Certificate Manager Works This sections details the proce...

Страница 45: ...r and then continues processing the request The Certificate Manager next evaluates the request to ensure that it meets either the policies set for this type of certificate or the certificate profile s...

Страница 46: ...f publishing is set up a certificate is published to the correct location s whenever a certificate is issued See Chapter 15 Publishing for complete details Key Archival If you install a Data Recovery...

Страница 47: ...hed You can also provide delta CRLs allowing you to publish a list of only those certificates have been revoked since a certain date See Chapter 14 Revocation and CRLs for complete details About the R...

Страница 48: ...ticates against the authentication method set up See the Netscape Certificate Management System Customization Guide for details about customizing the end entity interface Authentication Methods CMS pr...

Страница 49: ...method and certificate type to a set of constraints and certificate content and values for that content It allows you to configure a single module for a type of certificate that binds to an authentic...

Страница 50: ...part of the enrollment and stored in the Data Recover Manager See Chapter 6 Data Recovery Manager for complete details Storing Certificate Requests and Certificates When it issues a certificate the Ce...

Страница 51: ...ate encryption key The key is then stored in the Data Recovery Manager The Data Recovery Manager is configured to store keys in an encrypted format that can only be decrypted by several agents request...

Страница 52: ...ification of certificates Note that an online certificate validation authority is often referred to as an OCSP responder The Online Certificate Status Manager can receive CRLs from multiple Certificat...

Страница 53: ...d a publishing directory The Certificate Manager can publish both end entity certificates and CRLs to a directory Certificate Manager and Registration Manager Figure 1 2 shows a Registration Manager a...

Страница 54: ...work in different geographic locations Each group of end entities interacts with a designated Registration Manager that processes requests from end entities and sends them to a Certificate Manager Th...

Страница 55: ...that the Registration Manager is intended to serve and the physical location of the Certificate Manager agent Registration Manager agent and other persons responsible for administering the Certificat...

Страница 56: ...g the location of a Data Recovery Manager be sure to look into firewall considerations the physical security required for each subsystem and the physical location of the Certificate Manager agent Data...

Страница 57: ...s Figure 1 4 illustrates some of the issues involved in deploying all three subsystems by showing the relationships among a single Certificate Manager a single Registration Manager and a single Data R...

Страница 58: ...ertificate Manager or the Certificate Manager might also handle some end entity interactions It s also possible to set up both Certificate Managers and Registration Managers such that each has a hiera...

Страница 59: ...lone and confirm that you want to reuse the CA s signing key and certificate if the clone is on the same server you can also reuse the SSL server certificate If you store the CA key material on a hard...

Страница 60: ...CMS is a set of pure Java classes This component provides a secure application platform where subsystems CA RA DRM and OCSP can be tightly integrated with a PKI infrastructure Depending on the install...

Страница 61: ...ded Event listeners where event listeners can be extended Publishing where publisher and its mapper can be extended Logging includes signed audit logs where logging mechanism can be extended Self test...

Страница 62: ...rstands the protocol provided by the CMS Administration Interface Service Interfaces Each of the subsystems contains interfaces allowing interaction with various portions of the subsystem All four sub...

Страница 63: ...mmands coming from the administrative entry point Based on the information given at each command the administration servlets allow administrators to perform administrative tasks and configure plug in...

Страница 64: ...software devices intended for such purposes One or more PKCS 11 modules must be available to any CMS subsystem instance As shown in the figure a PKCS 11 module also called a cryptographic module or cr...

Страница 65: ...tions and communication with the certX db and keyX db files Any PKCS 11 module can be used with CMS The server uses a file called secmod db to keep track of the modules that are available You can modi...

Страница 66: ...database while user and group entries are stored in another subtree Except for the creation of a new CMS instances functionalities provided by this component are not fully utilized by CMS Note that a...

Страница 67: ...cifies how a device communicates with a CA including how to retrieve the CA s public key how to enroll a device with the CA and how to retrieve a CRL CEP uses PKCS 7 and PKCS 10 Certificate Request Me...

Страница 68: ...port Protocol HTTP and Hypertext Transport Protocol Secure HTTPS Protocols used to communicate with web servers KEYGEN tag An HTML tag supported by Netscape browsers that generates a key pair for use...

Страница 69: ...v1 v3 Digital certificate formats recommended by the International Telecommunications Union ITU Secure Sockets Layer SSL 2 0 3 0 A set of rules governing server authentication client authentication a...

Страница 70: ...Support for Open Standards 70 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 71: ...an access its end entity interface agent services interface and its administrative interface and further configure the instance to match the needs of your PKI Note To install Netscape CMS and configur...

Страница 72: ...instructions on installing CMS 2 Configure each subsystem that will be running on each host CMS provides an installation wizard for configuring an instance of each of the subsystems Complete instructi...

Страница 73: ...nce installation is complete you can use Netscape Console to view all your server settings make changes to those settings and configure CMS instances See The Administrative Interface on page 242 about...

Страница 74: ...iguration directory and the administration server The port for the administration server is the port used to log into Netscape Console Port numbers can be any number from 1 to 65535 Keep the following...

Страница 75: ...nobody account Also you should create a common group for the directory server files again you must not use the nobody group The user and group under which you will run Administration Server For insta...

Страница 76: ...This is the user ID and password you will use to log into Netscape Console Administration Server User and password You are prompted for this only during custom installations The Administration Server...

Страница 77: ...uration directory Normally you will not store users in this configuration directory You only use this configuration directory to store configuration settings for the Administration Server that allow y...

Страница 78: ...___________________ Directory Server Port Number ______________________________________ Directory server identifier myhost ______________________________________ Netscape configuration directory serve...

Страница 79: ...setup The setup command has the following options The installation program launches The installation program will prompt you for series of configuration settings detailed in the following steps 4 Woul...

Страница 80: ...11 Specify the components you wish to install 1 2 Press Enter to accept the default components 12 Specify the components you wish to install 1 2 Press Enter to accept the default components 13 Specif...

Страница 81: ...ter a unique identifier for the new instance of Directory Server If you are using an existing configuration directory enter its identifier 21 Netscape configuration directory server administrator ID a...

Страница 82: ...rectory and creates and starts instances of the Administration Server and Directory Server For specifics on installing each subsystem see Installing a Certificate Manager as a Root CA on page 94 Insta...

Страница 83: ...containing the installed software 3 Type the following command uninstall 4 Specify the components you wish to uninstall All Accept the default value 5 Specify the components you wish to uninstall 1 2...

Страница 84: ...Uninstalling CMS 84 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 85: ...allation instructions an overview of the Certificate Manager processes including information on configuring those processes information about FBCA and details on configuring a cloned CA This chapter c...

Страница 86: ...issue certificates is issued by another CA The CA that issued the subordinate CA signing certificate controls the CA through the contents of the CA signing certificate The CA can constrain the subordi...

Страница 87: ...cy and certificate profile configuration it is completely unaware of its parents set up for these configurations A Certificate Manager cannot issue a certificate that has a validity period longer than...

Страница 88: ...d for the certificate is two years The subject name of the CA signing certificate reflects the name of your certificate authority CA as specified during the installation All certificates signed or iss...

Страница 89: ...certificate The first time you generated this certificate is when you installed the Certificate Manager The default nickname for the certificate is Server Cert cert instance_id where instance_id ident...

Страница 90: ...egistration Managers or Data Recovery Managers are configured any Certificate Manager must have its own distinguished name DN which is listed in every certificate it issues Like any other X 509 versio...

Страница 91: ...igning key pair For more information about the way they are used see the following document http www itl nist gov div897 pubs fip186 htm In general longer keys are considered to be cryptographically s...

Страница 92: ...e status change the details reject or approve certificate and revocation requests revoke certificates and approve and configure certificate profiles The agent s services interface is an HTML interface...

Страница 93: ...mation in a separate internal database for each subsystem or use one internal database for all subsystems installed on the host It s recommended that you do not use this Directory Server instance for...

Страница 94: ...then either click Open or double click this instance The Installation Wizard launches 3 Installation Wizard Introduction Click Next to continue 4 Logon Token Choose either internal if you plan to use...

Страница 95: ...te Manager Click Next to continue 8 Remote Data Recovery Manager Select the appropriate options Select No if you don t want to connect the Certificate Manager to a remote Data Recovery Manager Select...

Страница 96: ...ir Information for Certificate Manager CA Signing Certificate Token Enter either internal if you plan to use the internal software token or the name of an external token to store the Certificate Manag...

Страница 97: ...n page 90 for more information Click Next to continue 17 Certificate Extensions for Certificate Manager CA Signing Certificate Select the required extensions The default settings should work for most...

Страница 98: ...must be in increments of 64 bits only See Signing Key Type and Length on page 91 for more information Click Next to continue 21 Message Digest Algorithm Select the algorithm to use for computing the c...

Страница 99: ...to create the first agent user for the Certificate Manager See Agent Certificates on page 335 for details Installing a Certificate Manager as a Subordinate CA To install the Certificate Manager as a...

Страница 100: ...ming more than one role Deselect if you want to restrict users from being able to belong to more than one role This setting only applies to the default administrator agent auditor and trusted manager...

Страница 101: ...the CMS instance See Certificate Manager Interfaces on page 91 for more information Click Next to continue 12 CA Signing Certificate Select the Create subordinate CA certificate request option Click...

Страница 102: ...extensions The default settings should work for most deployments If necessary you can add an additional extension by pasting its base 64 encoding in the space provided on this screen CMS provides com...

Страница 103: ...t to submit the request The Certificate Request Result screen appears confirming that the request has been submitted Note the request ID provided in the response message You can use it later to retrie...

Страница 104: ...stname 17006 to bring up the Certificate Manager page for end entities III Click Manual Certificate Manager Signing Certificate Enrollment In the resulting form choose the request type from the pull d...

Страница 105: ...ther the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA s signing certificate II Submit your certificate request to a third party C...

Страница 106: ...ormational screen that shows the certificate so you can inspect its contents Notice the nickname assigned to the certificate and verify that you re installing the correct certificate Click Next to con...

Страница 107: ...the certificate signature The choices are SHA 1 MD2 or MD5 Click Next to continue 27 Subject Name for SSL Server Certificate Type the values for the subject DN components these values identify the sub...

Страница 108: ...ly submit the request to a remote Certificate Manager or for automatic enrollment follow these steps I Select the Send the request to a remote CMS now option II Enter the host name and end entity port...

Страница 109: ...ollow these steps I Open a web browser window II Go to the end entity URL for the remote Certificate Manager that will issue the subordinate CA s SSL server certificate For example if you assigned the...

Страница 110: ...form select the appropriate action VI After the certificate is generated click Show Certificate VII When the certificate is displayed scroll down to the base 64 encoded version of the certificate hig...

Страница 111: ...icate screen appears Step 32 If you selected No you will be presented with the Create Single Sign on Password screen Step 35 32 Location of Certificate Specify the location of the certificate You can...

Страница 112: ...certificate chain in its base 64 encoded format to the clipboard e Return to the Installation Wizard f Paste the certificate chain into the text box Click Next to continue 35 Single Sign on Summary C...

Страница 113: ...n or cannot be performed by a user group or IP address for that particular ACL You can change the default ACIs set up in the ACLs to change the privileges of a user group or IP address You can also cr...

Страница 114: ...a Certificate Wizard that allows you to create additional certificates or to renew or replace a certificate for the Certificate Manager See Certificate Setup Wizard on page 296 for details of using th...

Страница 115: ...ons a Log in to the CMS console see Logging Into the CMS Console on page 245 b Select the Configuration tab and then select the Encryption tab c Click Certificate Setup Wizard to launch the wizard d S...

Страница 116: ...ng_algorithm ca crl_signing tokenname token_name Where For example your edited entries might look like this ca crl_signing cacertnickname crlSigningCert cert demoCA ca crl_signing defaultSigningAlgori...

Страница 117: ...a publishing directory the Certificate Manager also uses its SSL server certificate for SSL client authentication to the publishing directory This is the default configuration You can configure the Ce...

Страница 118: ...t the transition from an old CA certificate to a new one You should begin planning for CA renewal or reissuance before you install any CMS managers consider any ramifications your planned procedures m...

Страница 119: ...ion about the logs and details of the configuration options for logs Changing Internal Database Settings You can change the configuration of the internal database after installation including restrict...

Страница 120: ...CA receives a request with validity period extending beyond that of its CA signing certificate it automatically truncates the validity period to end on the day the CA signing certificate expires Valid...

Страница 121: ...y generated with the content being determined by the inputs you set for a particular certificate profile You can even set up the same method of authentication and associated more than one form with it...

Страница 122: ...therwise you can customize the form as you like If you are using the certificate profile feature the forms are dynamically generated using the inputs you specify for a certificate profile The authenti...

Страница 123: ...be configured to collect other information about an end entity from an LDAP directory and place that information in the certificate A default set of policies is created Some of these are enabled and s...

Страница 124: ...te is issued following the constraints and extensions set in that certificate profile For detailed information see Chapter 10 Certificate Profiles Configuring Publishing You can publish certificates a...

Страница 125: ...ications The notification feature that allows you to send automated notifications is disabled after installation You can set up three types of automatic notifications Certificate Issuance An email is...

Страница 126: ...and Publishing of certificates and CRLs to help you better understand what configuration you will need to perform for your PKI Enrollment An end entity can enroll in your PKI by submitting an enrollme...

Страница 127: ...ication or NIS based authentication The request may be submitted using an agent approved enrollment process or an automated process The agent approved process which involves no end entity authenticati...

Страница 128: ...issued The certificate is delivered to the end entity In automated for example directory based enrollment the certificate is delivered to the user immediately Normally the enrollment is via HTML page...

Страница 129: ...ate is revoked When an end entity makes the request they are asked to present their certificate If they have the certificate and the key materials the request is processed and sent to the Certificate...

Страница 130: ...predicate value and then set up any other necessary policies for this kind of certificate You would then associate an end entity enrollment page customized to enroll for cross pair certificates provid...

Страница 131: ...try This is set to crossCertificatePair binary See Chapter 15 Publishing for more information about publishing Cloning a CA Cloning a Certificate Manager is the process of creating two server processe...

Страница 132: ...abases See Appendix Configuring CMS for High Availability for information on how to set up cloned instances replication between the cloned certificate databases If you enable the OCSP service feature...

Страница 133: ...ployment Considerations Installing a Registration Manager Configuring a Registration Manager How a Registration Manager Works Registration Manager Deployment Considerations This section describes the...

Страница 134: ...l has a certificate identified as the Registration Manager signing certificate whose public key corresponds to the private key the Registration Manager uses to authenticate itself to the Certificate M...

Страница 135: ...ors using the Java based CMS Console GUI application An Agent Services interface that is accessible by default only to members of the Registration Manager Agent group Agents are users who can perform...

Страница 136: ...e Each Registration Manager instance contains an internal database that stores certificates certificate requests and the like During installation you set up this database by either choosing to create...

Страница 137: ...th to 4096 bits for certificates that provide access to highly sensitive data or services However the question of key length has no simple answers Every organization must make its own decision based o...

Страница 138: ...or who can access the CMS window and control all CMS settings Allow Multiple Roles for Users Select if you want to allow users to belong to more than one group thus assuming more than one role Deselec...

Страница 139: ...ts only See Signing Key Type and Length on page 136 for more information Click Next to continue 12 Message Digest Algorithm Select the algorithm to use for computing the certificate signature The choi...

Страница 140: ...uest in PKCS 10 format select the Generate PKCS10 request option If you want the wizard to generate the certificate request in CMC format select the Generate CMC full enrollment request option This op...

Страница 141: ...te is displayed scroll down to the base 64 encoded version of the certificate highlight all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be s...

Страница 142: ...nager Note that you must be a designated CMS administrator as well as an agent for this option to work correctly X Type a user ID for the new Registration Manager This user ID can be the same that you...

Страница 143: ...ith the configuration and resume after you receive the certificate The default selection is No Select Yes if you have the certificate ready in its base 64 encoded format Click Next to continue If you...

Страница 144: ...rver option and then click Submit d In the resulting page locate the CA certificate chain in its base 64 encoded format and copy the certificate chain to the clipboard e Return to the Installation Wiz...

Страница 145: ...given the choice to select the format for the certificate request Otherwise the request format will be PKCS 10 If you want the wizard to generate the certificate request in PKCS 10 format select the...

Страница 146: ...is displayed scroll down to the base 64 encoded version of the certificate highlight all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be sur...

Страница 147: ...nd issue the certificate To approve the request do the following In the web browser window enter the URL for the Certificate Manager s Agent Services page You must have a valid agent s certificate Sel...

Страница 148: ...zard screen click Yes or No Select No if you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait days or...

Страница 149: ...e from which you requested the singing certificate Follow these steps to import the remote Certificate Manager s CA chain a Go to the web browser window b Enter the end entity URL for the remote Certi...

Страница 150: ...elationship when you issued this certificate by selecting this option in the agent services interface on the request page used to approve the request If you have done this you do not need to further c...

Страница 151: ...ACL Configuration The configuration set up for the Certificate Manager gives the following privileges to members of the following groups Members of the Administrator group can perform any operations...

Страница 152: ...atabase and they must be configured as trusted see Changing the Trust Settings of a CA Certificate on page 294 and Installing a New CA Certificate in the Certificate Database on page 295 Certificate C...

Страница 153: ...r each of the interfaces when you install the Registration Manager You can change the ports that any of the interfaces listen on and you can remove the HTTP non SSL end entity port if you will not use...

Страница 154: ...ttings You can change the configuration of the internal database after installation including restricting access to the internal database see The Internal Database on page 288 for information on doing...

Страница 155: ...tion method to be agent approved or automated The agent approved enrollment in person agent initiated enrollment and CMC enroll methods are enabled and configured when you install the Registration Man...

Страница 156: ...u like The authentication methods that you can configure are Directory Based Enrollment End entities are authenticated against an LDAP directory using their user ID or DN and password See Setting Up D...

Страница 157: ...rmation see Chapter 11 Policies If you set up and enable policies in the Registration Manager you must be careful how you set up policies in the Certificate Manager that issues certificates for this R...

Страница 158: ...interface for processing The agent can change some aspects of the request as long as they are within the constraints set in the certificate profile reject the request change the status of the request...

Страница 159: ...set up a trusted relationship between a Data Recovery Manager and a Registration Manager so that the end entities private encryption keys are archived during the certificate request See Chapter 6 Data...

Страница 160: ...he form creates a request that is then submitted to the Registration Manager The enrollment form can trigger the creation of the public and private keys for this request or for dual key pairs The end...

Страница 161: ...ate request is either rejected at some point in the process either by an agent because it did not meet the policy certificate profile or authentication requirements or the request is signed and sent t...

Страница 162: ...t up for a single method of renewal All requests are made to the renewal page of the end entity interface The end entity presents their old certificate and if they meet the policies for renewal a new...

Страница 163: ...agents can approve requests made by end entities to revoke their certificates but agents cannot revoke certificates on their own The Certificate Manager agent for the CA that issued the certificate w...

Страница 164: ...How a Registration Manager Works 164 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 165: ...with OCSP Service Online Certificate Status Manager Deployment Considerations Installing an Online Certificate Status Manager Setting Up the OCSP Responder Configuring the Online Certificate Status M...

Страница 166: ...s all the information required by the responder to process it If it does not or if it is not enabled for the requested service a rejection notice is sent If it does have enough information it processe...

Страница 167: ...st is subjected to policy checking see Configuring Policy Rules for a Subsystem on page 489 For more information about the certificates associated with OCSP see SSL Server Key Pair and Certificate on...

Страница 168: ...eal time status of all certificates it has issued this method of revocation checking is most accurate Since the internal OCSP service checks the status of certificates stored in the Certificate Manage...

Страница 169: ...publish the CRL As explained earlier the Online Certificate Status Manager stores each Certificate Manager s CRL in its internal database and uses it as the default CRL store for verifying certificate...

Страница 170: ...ou will have to create this policy and configure it for this service If you installed the Certificate Manager s with its OCSP service feature disabled a default policy rule named AuthInfoAccessExt is...

Страница 171: ...alled The Online Certificate Status Manager s signing certificate was issued by the CA to which you submitted the certificate signing request SSL Server Key Pair and Certificate Every Online Certifica...

Страница 172: ...application An Agent Services interface that is accessible by default only to members of the Online Certificate Status Manager Agent group The agent s services interface is an HTML interface accessibl...

Страница 173: ...formation such as certificates and certificate requests used by the subsystem you will be installing in this CMS instance By default a separate internal database is created for each subsystem you conf...

Страница 174: ...th to 4096 bits for certificates that provide access to highly sensitive data or services CMS signing keys up to 2048 bits in length are not subject to export restrictions However the question of key...

Страница 175: ...assuming more than one role Deselect if you want to restrict users from being able to belong to more than one role This setting only applies to the default administrator agent auditor roles Click Nex...

Страница 176: ...anager Certificate Manager or Registration Manager automatically The wizard creates a certificate request that you must submit to a CA To automatically submit the request to a remote Certificate Manag...

Страница 177: ...u re required to paste the encoded certificate into the Installation Wizard next So once you ve copied the certificate go back to the wizard screen Step 13 Also note that you might be required to past...

Страница 178: ...t all the text including BEGIN CERTIFICATE and END CERTIFICATE and copy it to the clipboard or to a text file Be sure to not make any changes to the certificate You re required to paste the encoded ce...

Страница 179: ...p 17 14 Location of Certificate Specify the location of the certificate You can use one of these options If you noted the file path to the file that contains the certificate in its base 64 encoded for...

Страница 180: ...a text file Be sure to not make any changes to the certificate You re required to paste the encoded certificate into the Installation Wizard next So once you ve copied the certificate go back to the w...

Страница 181: ...icate Extensions for SSL Server Certificate Select the required extensions The default settings should work for most deployments If necessary you can add an additional extension by pasting its base 64...

Страница 182: ...entity port uses SSL III Click Next to submit the request The Certificate Request Result screen appears confirming that the request has been submitted Note the request ID provided in the response mes...

Страница 183: ...entities III Click Manual Server Certificate Enrollment or click Agent Based Server Certificate Enrollment if you have an agent certificate If you choose Agent Based Server Certificate Enrollment and...

Страница 184: ...lick Approve Request 22 SSL Server Certificate Installation Depending on whether you have the certificate ready for pasting into the Installation Wizard screen click Yes or No If you have submitted yo...

Страница 185: ...continue 25 Import Certificate Chain This screen appears only if you need to import the CA certificate chain Follow these steps to import the CA chain of a Certificate Manager a Go to the web browser...

Страница 186: ...up to read from that LDAP publishing directory 3 You must configure your policies or certificate profiles for every CA that will publish to the OCSP Responder to include the Authority Information Acc...

Страница 187: ...can configure for the Online Certificate Status Manager and points you to specific information on configuring those sets of features Adding Users Once the Online Certificate Status Manager is installe...

Страница 188: ...e signed audit log and can view configuration settings but cannot perform any other operations on configuration settings and do not have any access to the agent services interface Online Certificate S...

Страница 189: ...the Certificate Database on page 296 OCSP Certificates Depending on who signed your Online Certificate Status Manager s SSL server certificate you may need to perform the following actions to get that...

Страница 190: ...ring or after installation See Changing an IP Addresses on page 287 for details Changing Subsystem Security Setting You can configure the security of each subsystem by changing the SSL version used by...

Страница 191: ...Online Certificate Status Manager contains the framework for jobs but does not contain any prebuilt jobs You can build jobs using the CMS SDK For detailed information on setting up publishing see Chap...

Страница 192: ...value of zero 0 Verify Certificate Manager and Online Certificate Status Manager Connection When you restart the Certificate Manager it tries to connect to the Online Certificate Status Manager s end...

Страница 193: ...ificate Status Manager and then select Revocation Info Stores The right pane shows the two repositories the Online Certificate Status Manager can use by default it uses the CRL in its internal databas...

Страница 194: ...ndow to see the updated fields host n Type the fully qualified DNS hostname of the LDAP directory The name must be in the machine_name your_domain domain form For example corpDir1 example com port n T...

Страница 195: ...ement tab 7 Click Refresh Testing Your OCSP Setup To test whether the Certificate Manager can service OCSP requests properly follow these steps 1 Turn On Revocation Checking in your browser or client...

Страница 196: ...te Manager s OCSP service status again to verify that these things happened The browser sent an OCSP query to the Certificate Manager this response was initiated when you clicked the View button The C...

Страница 197: ...ply it for example has left the organization that owns the data This chapter explains how to use the Data Recovery Manager to archive end entity s encryption private keys and how to use the archived k...

Страница 198: ...ed to impersonate the digital identity of the original key owner Clients that generate single key pairs use the same private key for both signing and encrypting data so you cannot archive and recover...

Страница 199: ...ce of the Data Recovery Manager For information on customizing this form see Step C Customize the Certificate Enrollment Form on page 229 Initiating the key recovery process also requires its own HTML...

Страница 200: ...tored as a key record The archived copy of the key remains encrypted or wrapped with the Data Recovery Manager s storage key see Data Recovery Manager s Key Pairs and Certificates on page 213 It can b...

Страница 201: ...ata Recovery Manager uses two special key pairs A transport key pair and corresponding certificate A storage key pair Figure 6 1 illustrates how the key archival process occurs when an end entity s re...

Страница 202: ...decrypts it with the private key that corresponds to the public key in its transport certificate After confirming that the private encryption key corresponds to the end entity s public encryption key...

Страница 203: ...tate this by allowing each recovery agent to enter a password in the Data Recovery Manager during configuration They must be available to retrieve your end entity s encryption private keys if the need...

Страница 204: ...recovery agents m provide their identifiers and passwords After verifying the passwords the Data Recovery Manager reconstructs the PIN for the token based on the given information Interface for the Ke...

Страница 205: ...ery Manager retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS 12 package By default key recovery authorization is local Remote Key Recovery Auth...

Страница 206: ...the local authorization option in the Key Recovery form How Agent Initiated Key Recovery Works In an agent initiated key recovery the key is recovered by the collective efforts of a Data Recovery Mana...

Страница 207: ...anager agent accesses the Key Recovery form using the appropriate client certificate types the identification information pertaining to the person whose encryption private key needs to be recovered an...

Страница 208: ...ord for the PKCS 12 package and their individual identifiers and passwords The Data Recovery Manager agent submits the page to the Data Recovery Manager 5 The Data Recovery Manager matches the key rec...

Страница 209: ...orage key password Each password retrieves only a part of the private storage key You first specified the key recovery agent scheme when you installed the Data Recovery Manager Changing the Key Recove...

Страница 210: ...strator s Guide June 2003 3 In the navigation tree select the Data Recovery Manager and in the right pane click the Scheme Management tab The Scheme Management tab shows the current key recovery schem...

Страница 211: ...ion click Done You are returned to the Scheme Management tab Changing Key Recovery Agents Passwords As administrator you have the responsibility of safeguarding the security of each Data Recovery Mana...

Страница 212: ...s 5 Allow the agent to enter the appropriate information During installation the Data Recovery Manager prompts you to enter key recovery agent passwords by default they are set to agent n where n can...

Страница 213: ...ing key pairs and certificates Transport Key Pair and Certificate Storage Key Pair SSL Server Key Pair and Certificate Transport Key Pair and Certificate Every Data Recovery Manager you have installed...

Страница 214: ...sed see Chapter 6 Data Recovery Manager Note that the public component of the storage key pair is not certified there is no certificate that corresponds to the public key Keys encrypted with the stora...

Страница 215: ...of already installed and available tokens For example SmartCard For installation instructions see External Token on page 314 Internal Database Each subsystem uses an internal database to store inform...

Страница 216: ...ons permitting it may be a good rule of thumb to start with 1024 bits and consider increasing the length to 4096 bits for certificates that provide access to highly sensitive data or services However...

Страница 217: ...ant to restrict users from being able to belong to more than one role This setting only applies to the default administrator agent auditor and trusted manager roles Click Next to continue 7 Subsystems...

Страница 218: ...ificate extension text field accepts a single extension blob If you want to add multiple extensions you should use the ExtJoiner program which is also provided in the tools directory For details on us...

Страница 219: ...it for the remote Certificate Manager s agent to approve your request IV Open a web browser window V Enter the URL for the remote Certificate Manager s Agent Services page You must have a valid agent...

Страница 220: ...ficate Manager s Agent Services page You must have a valid agent s certificate VII Select List Requests click Show Pending Requests and click Find VIII In the pending request list locate your request...

Страница 221: ...inue as far as you can with the configuration and resume after you receive the certificate The default is No Select Yes only if you have the certificate ready in its base 64 encoded format Click Next...

Страница 222: ...PKCS 7 for importing into a server option and click Submit e In the resulting page locate the CA certificate chain in its base 64 encoded format and copy it to the clipboard f Return to the Installati...

Страница 223: ...fied host name of the machine on which you re installing the Data Recovery Manager Click Next to continue 24 Certificate Extensions for SSL Server Certificate Select the required extensions The defaul...

Страница 224: ...u ve permission to access that Certificate Manager s Agent interface you can follow the instructions below to issue the certificate Otherwise you should wait for the remote Certificate Manager s agent...

Страница 225: ...f you used the Agent Based Server Certificate Enrollment and you have an agent certificate the certificate will be automatically issued once you submit the request If you used the Manual Server Certif...

Страница 226: ...ficate request has been saved to a file You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA s signing certificate...

Страница 227: ...red details Click Next to continue 29 Certificate Details This is an informational screen that displays the certificate so you can inspect its contents Notice the nickname assigned to the certificate...

Страница 228: ...e Agent Certificates on page 335 for details Configuring Key Archival and Recovery Process By default the Data Recovery Manager is not configured to archive or recover end entity s encryption private...

Страница 229: ...t it initiates the key archival process and requests the service of the Data Recovery Manager for archiving the key For the enrollment authority to be able to request the service of the Data Recovery...

Страница 230: ...quired to update the following information only The Data Recovery Manager s transport certificate The algorithm length type and usage for end entity s key pairs When you update this information the ke...

Страница 231: ...marker lines BEGIN CERTIFICATE and END CERTIFICATE to a text file An example is shown below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCV VMxLDAqBgNVBAoTI0 5ldHNjYXBlIENvbW11bmljYXRpb...

Страница 232: ...BEGIN CERTIFICATE and END CERTIFICATE to a text file The copied information should look like the example below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCV VMxLDAqBgNVBAoTI0 5ldHNjYX...

Страница 233: ...BvcmF0aW9uMREw DwYDVQQ LEwhIYXJkY29yZTEnMCUGA1UEAxMeSGFyZGNvcmUgQ2VydGlmaWNhdGUgU2Vy dmVyIEl JMB4XDTk4MTExOTIzNDIxOVoXDTk5MDUxODIzNDIxOVowLjELMAkGA1UEBhMC VVMxETA PBgNVBAoTCG5ldHNjYXBlMQwwCgYDVQQDEwNL...

Страница 234: ...s on page 203 In particular you should be familiar with how the key archival process works If you are not see How Agent Initiated Key Recovery Works on page 206 The Data Recovery Manager supports agen...

Страница 235: ...ode for Key Recovery The Data Recovery Manager allows key recovery agents to authorize recovery of an end entity s encryption private key locally or remotely The default configuration is local authori...

Страница 236: ...using Netscape Communicator 4 7 with Personal Security Manager version 1 01 Step A Test Your Key Archival Setup To test whether you can successfully archive a key follow these instructions 1 Enroll f...

Страница 237: ...the value of the E attribute e Locate and approve the request 3 Check if the certificates have been issued To do this a Click the List Requests link again b In the form that appears select the Show co...

Страница 238: ...ed and encrypted There should be a security icon at the top right corner of the message window and it should indicate that the message is signed and encrypted Step C Delete the Certificate To do this...

Страница 239: ...Recovery Works on page 206 The base 64 encoded certificate that corresponds to the private key you want to recover use the enrollment authority s end entity or agent interface to get this information...

Страница 240: ...Process 240 Netscape Certificate Management System Administrator s Guide June 2003 3 Open the test email that you couldn t verify after deleting the certificate from the browser s certificate database...

Страница 241: ...the internal database This chapter contains the following sections The Administrative Interface System Passwords Starting Stopping and Restarting CMS Instances Subsystem Configuration Overview Mail Se...

Страница 242: ...to configure CMS through Netscape Console You access Administration Server by entering its URL in the Netscape Console login screen and providing the user ID and password of the administrative user Ad...

Страница 243: ...d administration interface to the user directory You can accomplish various CMS specific tasks from the Console tab Launch the CMS console Install instances of CMS Remove an instance of CMS Clone an i...

Страница 244: ...es with Directory Server but does not allow you to create CMS server instances Password Type the password for this user ID Administration URL Specify the URL for the Administration Server you want to...

Страница 245: ...e choices available in this tab will change depending on which subsystem is installed in this server instance The specifics of setting these configuration settings is contained in the appropriate sect...

Страница 246: ...sented with a list of your certificates to choose from in order to login You will not be presented with the userID Password entry dialog 4 The CMS console opens Viewing Information About a CMS instanc...

Страница 247: ...rver s status whether it is started stopped or unknown normally unknown indicates that the server hasn t been configured properly 3 To change the name of the instance or its description Select the ins...

Страница 248: ...ou need to use certutil to initialize cert8 db and key3 db and to create certificate request make sure to set the LD_LIBRARY_PATH correctly To do this issue the following command setenv LD_LIBRARY_PAT...

Страница 249: ...lientauth authType sslclientauth 20 Save the file 21 Open the file server xml 22 Change the clientauth off attribute to clientauth on in the SSLPARAMS section of the LS id admin LS id admin ip 0 0 0 0...

Страница 250: ...manages Passwords you enter for LDAP directory access are not subjected to quality checks The reason for this is the password quality is handled by the system that creates and manages the password In...

Страница 251: ...rds because this file stores the passwords in a plain text file If you do delete the password conf file you must start the server instance using the command line You will be prompted for the token pas...

Страница 252: ...S Instances Each instance of CMS is started stopped and restarted separately This section describes how to start stop and restart CMS instances and how to check its current status Starting a Server In...

Страница 253: ...etting in the CMS cfg file that allows you to set the absolute time out the amount of time before the between issuing the shutdown command and actual shutdown If this time is reached before all proces...

Страница 254: ...e To stop a CMS instance from the command line 1 Log in either as root or with the server s user account 2 Go to the following directory server_root cert instance_id 3 Type the following command stop...

Страница 255: ...Managers you should install the root CA first You might also want to install a Certificate Manager that will develop a trusted relationship with other subsystems first Configuring Multiple CMS Instanc...

Страница 256: ...CMS instance from your host Removing a CMS instance is not the same as uninstalling CMS For instructions on uninstalling CMS see Uninstalling CMS on page 83 To remove a CMS instance 1 Log in to Netsc...

Страница 257: ...k Save Configuration Files The runtime properties of CMS are governed by a set of configuration parameters These parameters are stored in a file that is read by the server during startup When you inst...

Страница 258: ...diting the configuration file because your changes will be overwritten by the cached version when the server is stopped or restarted 2 Go to the following directory server_root cert instance_id config...

Страница 259: ...er The parameter names and their values are strings The parameter names can be hierarchically structured with notation with multiple levels for example ca Policy rule RSAKeyRule maxSize The entries co...

Страница 260: ...nrollment form so that the server is able to determine the authentication method during end user enrollment Job Scheduler parameters All job specific information such as registered job modules and con...

Страница 261: ...e Registration Managers and you want all these instances to have the same configuration you can accomplish this by configuring one of the instances and then replacing the configuration files of the ot...

Страница 262: ...ance_id logs signedAudit You can change the default location for logs by modifying it in the configuration Error and Access Logs The error and access logs are created by Netscape Enterprise Server whi...

Страница 263: ...during this installation and configuration System Log This log records information about requests to the server all HTTP and HTTPS requests and the responses from the server Information recorded in t...

Страница 264: ...ecifies logged events related to the Certificate Manager Database Specifies logged events related to this server s activity with the internal database HTTP Specifies logged events related to the HTTP...

Страница 265: ...l Message category Description 0 Debugging These messages contain debugging information Generally you would not want to set a log to the debugging level since it would yield far too much information f...

Страница 266: ...ogs and it holds the messages in these buffers for as long as possible The server flushes out the messages to the log files only when either of the following conditions occurs The buffer gets full the...

Страница 267: ...the old file is named using the name of the file with an appended time stamp The appended time stamp is an integer that indicates the date and time the corresponding active log file was rotated The da...

Страница 268: ...a Click Add in the Log Event Listener Management tab The Select Log Event Listener Plug in Implementation window appears It lists registered log modules b Select a plug in module c Click Next The Log...

Страница 269: ...rval in seconds to flush the buffer to the file The default interval is 5 seconds The flushInterval is the amount of time before the contents of the buffer are flushed out and added to the log file ma...

Страница 270: ...Management tab 6 Click Refresh Configuring Logs in the CMS cfg File To modify the configuration settings for logs 1 Stop the CMS instance 2 Open the CMS cfg file located in the directory server_root...

Страница 271: ...for Security The default selection is 1 For more information see Log Levels Message Categories on page 265 maxFileSize Specify the file size in kilobytes KB for the error log The default size is 100...

Страница 272: ...match the search request If you enter zero 0 no messages are returned If you leave the field blank the server returns every matching entry no limit regardless of the number found Source Select the CM...

Страница 273: ...udit Log on page 263 for details about signed audit logs For signing log files you use a command line utility called Netscape Signing Tool signtool For details about this utility check this site http...

Страница 274: ...igation tree select Logs and then in the right pane select the Log Event Listener Plug in Registration tab 4 Click Register The Register Log Event Listener Plug in Implementation window appears 5 Spec...

Страница 275: ...d audit log feature is disabled by default You can also set this audit log up as a signed audit log You enable this by setting the logSigning parameter to enable and providing the nickname of the cert...

Страница 276: ...FILE A change is made to the configuration settings for the CRL framework in other words any of the settings for CRLs including extensions frequency and CRL format CONFIG_OCSP_PROFILE A change is made...

Страница 277: ...stored in the Data Recovery Manager KEY_RECOVERY_AGENT_LOGIN DRM agents log in as recovery agents to approve key recovery requests KEY_RECOVERY_PROCESSED A key recovery has been processed KEY_GEN_ASYM...

Страница 278: ...in the end entity interface of a Registration Manager enable the raAuditCert profile in that Registration Manager and enable the raAuditCert profile in that Certified Manager that processes the reque...

Страница 279: ...as the value of the signedAuditCertNickname parameter and specify the events that will be logged in the events parameter 6 Assign auditor users if you have not done so by creating the user and assigni...

Страница 280: ...self tests are run at start up and can also be run on demand The start up self tests run when the server starts up and will keep the server from starting up if a critical self test fails The on demand...

Страница 281: ...se associated with which type of subsystem has been configured with this server instance You turn the self test off or change which self tests are considered critical by changing those setting in the...

Страница 282: ...s how large a log file can become before it is rotated Once it reaches this size the file is copied to a rotated file and the log file is started anew For more information see Log File Rotation on pag...

Страница 283: ...Save the file 6 Start CMS Ports About Ports CMS listens on different ports for requests from different types of users As illustrated in Figure 7 1 it listens on an administration port an agent port a...

Страница 284: ...requests from the appropriate Agent Services interface The Certificate Manager and Registration Manager agents use the agent port to process certificate issuance and management requests from end enti...

Страница 285: ...initiated PKI requests such as enrollment renewal and revocation enrollment requests can include requests from Cisco routers using the CEP protocol general certificate retrieval requests such as retri...

Страница 286: ...his line and edit the value of the port attribute LS id agent ip 0 0 0 0 port 8100 security on acceptorthreads 1 blocking no To change the end entity HTTP port locate this line and edit the value of t...

Страница 287: ...ne IP address and the Data Recovery Manager is served on another address if the host is configured with more than one IP address To configure a CMS instance to listen to specific IP addresses 1 Stop t...

Страница 288: ...etween two or more instances You can change the internal database used by a CMS instance This section describes how to change that instance and how to restrict access to the internal database About th...

Страница 289: ...when you installed this server If you check the files installed under server_root the internal database instance appears like this slapd cms_instance_id db Keep in mind that the subsystems use the da...

Страница 290: ...host name of the machine in which Directory Server is installed Port number Type a TCP IP port number CMS uses this port for non SSL communications with the Directory Server instance that is function...

Страница 291: ...dministrators group 9 Click set Access Control Permission and then Click Add 10 Fill in the following information ACIName clientauth Check all the rights in the Rights tab Click This Entry in the Targ...

Страница 292: ...b 4 In the navigation tree expand Plug ins and then select Pass Through Authentication 5 In the right pane deselect Enable plugin option 6 Click Save to save your changes You are prompted to restart t...

Страница 293: ...ts of the certificate database and make sure that it doesn t include any unwanted CA certificates For example if the database includes CA certificates that you don t ever want to trust in your PKI set...

Страница 294: ...ges click Save Changing the Trust Settings of a CA Certificate CMS relies on the CA certificates in its certificate database for validating certificates it receives during an SSL enabled communication...

Страница 295: ...utton named Change to Trusted 5 Click Change to Untrusted or Change to Trusted as appropriate 6 Click Close You are returned to the Certificate Database Management window The certificate now shows a d...

Страница 296: ...Certificate Chain in the Certificate Database Any client or server software that supports certificates maintains a collection of trusted CA certificates in its certificate database These CA certifica...

Страница 297: ...presents you with the screens appropriate to your choice and walks you through the entire process For installing certificates except for cases when the certificate is self signed by the CA you will ne...

Страница 298: ...CA signing OCSP signing and SSL server certificates If a Registration Manager is installed the list includes the Registration Manager s signing and SSL server certificates If a Data Recovery Manager i...

Страница 299: ...nformation Specify the key pair information for the certificate to be requested You need to identify the following The token that contains the key pair for generating the certificate request the drop...

Страница 300: ...h of the key pair you are required to provide this information only if you chose to generate the certificate request based on a new key pair For key type you can choose RSA or DSA Be sure to select a...

Страница 301: ...s is located For example Mountain View State or province enter the name of the state or province where your business is located For example California Country enter the name of the country where your...

Страница 302: ...type select this option if you want to set any of the Netscape Certificate Type extension bits in the certificate you are requesting When you select the option the associated fields are enabled You sh...

Страница 303: ...in a base 64 encoded PKCS 10 format and is bounded by the marker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST An example is show below BEGIN NEW CERTIFICATE REQUEST MIICJzCCAZC...

Страница 304: ...Sending the CSR Automatically to a CMS Manager To send the certificate signing request CSR automatically to a Certificate Manager 1 Type the appropriate values in the following fields Send the request...

Страница 305: ...d to Install a Certificate or Certificate Chain on page 307 Sending the CSR Manually to an Internal CA The following instructions assume that your internally deployed CA is a Certificate Manager and t...

Страница 306: ...yourself 9 When you receive the certificate from the CA you ll need to install it following the instructions in Using the Wizard to Install a Certificate or Certificate Chain on page 307 Sending the C...

Страница 307: ...currently selected CMS instance Any of the certificates used by a Certificate Manager Registration Manager Data Recovery Manager and Online Certificate Status Manager Any other trusted CA certificate...

Страница 308: ...n briefly explains the data formats recognized by the wizard Binary Formats The wizard can recognize certificates and certificate chains in the following binary formats DER encoded certificate This is...

Страница 309: ...install a certificate Step 2 Select the Certificate or Certificate Chain Select the certificate you want to install The drop down list shows various options Depending on whether you want to install a...

Страница 310: ...information that will help you decide on the location Keeping the certificate or certificate chain in a text file the wizard can import a certificate or certificate chain from a text file in text as...

Страница 311: ...ificate Chain The wizard shows the certificate or certificate chain information you have selected for installing You should check the information to make sure that you have chosen the correct one for...

Страница 312: ...est and install the new certificate Determine which certificate you want to get You can get CA signing OCSP signing CRL signing and SSL server certificates for the Certificate Manager signing and SSL...

Страница 313: ...for a Registration Manager check whether the Registration Manager has been set up as a trusted manager for a Certificate Manager and Data Recovery Manager that is you must identify the subsystems tha...

Страница 314: ...cates Certificate Management System automatically generates these files in the file system of its host machine when you choose to use the internal token for the first time These files were created for...

Страница 315: ...be sure to use a name that will help you identify the token later Install the PKCS 11 Module PKCS 11 is a standard set of APIs and shared libraries used by Netscape and a number of encryption vendors...

Страница 316: ...to add a UNIX shared dynamic library which on a Solaris machine is identified with the so extension e Click OK To install the PKCS 11 module using the modutil tool a Locate the CMS instance for which...

Страница 317: ...The token internal or external that stores the key pairs and certificates for the subsystems is protected encrypted by a password To decrypt the key pairs or to gain access to them you must enter that...

Страница 318: ...stration Manager or Certificate Manager Configuring the Server s Security Preferences Configuring a CMS manager s security preferences involves identifying the following The SSL server certificates a...

Страница 319: ...the list of SSL server certificates in the Encryption tab of the CMS window Step 2 Update the Configuration After you verify that the certificates are installed configure the server as follows 1 Stop...

Страница 320: ...ructions for requesting and installing an SSL client certificate for a Certificate Manager and configuring it to use that certificate for SSL client authentication to the publishing directory 1 Log in...

Страница 321: ...instance_id identifies the CMS instance in which the Certificate Manager is installed 9 After you ve installed the certificate successfully go to the Tasks tab and stop the Certificate Manager 10 Con...

Страница 322: ...Configuring the Server s Security Preferences 322 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 323: ...ing access to certain tasks associated with Netscape Certificate Management System CMS The authorization model is very flexible allowing you to configure it to your needs In order to authorize users y...

Страница 324: ...e database With certificate based authentication the server also checks that the certificate is valid and finds the group membership of the user by associating the DN of the certificate with a user an...

Страница 325: ...and adding them to the group called Administrators every member of this group has administrative privileges for this instance of CMS At least one administrator must be defined for each CMS instance t...

Страница 326: ...s own agents whose role is defined by the subsystem Each subsystem installed in a CMS instance must have at least one agent and there is no limit to the number of agents a subsystem can have Authentic...

Страница 327: ...subsystem it trusts allowing it to communicate with the subsystem It does this by specifying the agent services port information for that subsystem Possible Trusted Relationships The Registration Man...

Страница 328: ...ileges For an agent or auditor you also need to get a certificate and store the certificate in the internal database If you set up the CMS console for SSL client authentication you must also import a...

Страница 329: ...list of users and the user ID now has the privileges of the group they are assigned in this instance of CMS 5 Click Refresh to view the updated configuration 6 Store the user s certificate if the user...

Страница 330: ...their certificate using the manual enrollment form The automated process is built into the request approval form in the Agent Services interface and it enables those who have both Certificate Manager...

Страница 331: ...oups The user ID you specified for the new agent will be listed there 12 To view the certificate issued to the new agent select the user ID and click Certificates Setting Up a Trusted Manager You can...

Страница 332: ...en The subsystem that will be trusted makes its signing certificate request to the Certificate Manager A user who has both administrator and agent privileges with the Certificate Manager providing tru...

Страница 333: ...you just added appears in the list of users Next you need to store the Registration Manager s signing certificate or Certificate Manager s SSL client certificate in the internal database of the subsy...

Страница 334: ...tree select Registration Manager or Certificate Manager The General Settings tab appears in the right pane 13 Select the Connectors tab 14 In the List of connectors select the connector If you are con...

Страница 335: ...ement System on page 338 You can set up a feature that checks the revocation status of agent certificates See Revocation Status Checking of Agent Certificates on page 339 for details about setting up...

Страница 336: ...trator agent Organization unit Type the name of the organization unit to which the administrator agent belongs Organization Type the name of the company or organization the administrator agent works f...

Страница 337: ...ilable again Getting an Agent s Certificate from a Public CA The following general guidelines explain how a user can get a client certificate from a public CA and how you can copy that certificate in...

Страница 338: ...certificate in base 64 encoded form to the internal database of a subsystem 1 The user sends a client certificate request to CMS from the computer that they will use to access the subsystem from the A...

Страница 339: ...ntaining the user s certificate in base 64 encoded form 9 Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file 10 Save the text file and...

Страница 340: ...MS cfg includes a parameter named jss ocspcheck enable which enables you to specify whether a CMS manager should use Online Certificate Status Protocol OCSP to verify the revocation status of the cert...

Страница 341: ...default the feature is enabled revocationChecking unknownStateInterval The default interval is 0 seconds revocationChecking validityInterval Specifies how long in seconds the cached certificates are...

Страница 342: ...2 In the navigation tree select Users and Groups The Users tab appears in the right pane 3 In the User ID list select the user whose certificate information you want to change and click Certificates...

Страница 343: ...Group description field To remove a user from the group select the user and click Delete To add users click Add User In the Select window that appears select the users you want to add and click OK You...

Страница 344: ...tree select Users and Groups 3 Select the Group tab 4 Click Edit The Edit Group Information window appears 5 Specify information in the following fields Group name Type a name for this group Group de...

Страница 345: ...CI also contains an evaluator expression The default implementation of ACLs specifies only users groups and IP addresses as possible evaluator types although you could create others using the CMS SDK...

Страница 346: ...console interface you create or modify ACIs in an editor that allows you to do this in a graphical environment You choose from allow or deny in the Allow and Deny field then you choose one of the oper...

Страница 347: ...cess to more than one operator in a single ACI select the first operator from the list and then hold down Ctrl while selecting other operators Syntax The syntax field of the ACI editor is where you sp...

Страница 348: ...n specified An IP address is specified using its numeric value DNS values are not permitted For example ipaddress 12 33 45 99 ipaddress 23 99 09 88 Stringing Values You can create a string with more t...

Страница 349: ...ation specified in this ACI to the group s user s or IP address es specified For more information about allowing or denying access see Allow and Deny on page 346 b Select one operator from the possibl...

Страница 350: ...ault ACIs for each ACL resource defined Each subsystem you install will contain only those ACLs that are relevant to that subsystem certServer acl configuration Allow or deny a read or modify operatio...

Страница 351: ...uation TOE it is unavailable after the CA is up and running Allow or deny submit read or execute operations for an administrator enrollment request Operations Default ACIs allow submit user anybody al...

Страница 352: ...nterface Operations Default ACIs allow import unrevoke revoke read group Certificate Manager Agents Certificate Manager Agents can import unrevoke revoke and read a certificate read Viewing authentica...

Страница 353: ...certificate revocation requests list Listing certificates based on a search Retrieving details about a range of certificates based on providing a range of serial numbers read Viewing CRL plug in info...

Страница 354: ...fault ACIs allow submit group Trusted Managers Trusted Manager can submit requests to this interface certServer ca clone Allow or deny a submit operation for a connection to the CA by a cloned CA Oper...

Страница 355: ...ertificate Manager Agents Certificate Manager agents can update the directory certServer ca group Allow or deny an update operation to add a group Operations Default ACIs allow add group Administrator...

Страница 356: ...roup Certificate Manager Agents Certificate Manager agents can list certificate profiles certServer ca profile Allow or deny a read or approve operation for certificate profiles in the agent services...

Страница 357: ...assign unassign group Certificate Manager Agents Anyone can submit an enrollment request only Certificate Manager Agents can read or execute enrollment requests certServer ca request profile Allow or...

Страница 358: ...iew statistics certServer ee certificate Allow or deny a renew revoke read or import operation in the end entity interface Operations Default ACIs allow renew revoke read import user anybody approve M...

Страница 359: ...ver ee certchain Allow or deny a download or read operation for the CA s certificate chain in the end entity interface Operations Default ACIs allow download read user anybody Anyone can read or downl...

Страница 360: ...profiles certServer ee profiles Allow or deny a list operation for certificate profiles in the end entity interface Operations Default ACIs allow list user anybody Anyone can list certificate profiles...

Страница 361: ...ions Default ACIs allow submit user anybody Anyone can submit an enrollment request certServer ee request facetofaceenrollment Allow or deny to submit face to face enrollment Operations Default ACIs a...

Страница 362: ...can submit a revocation request certServer ee requestStatus Allow or deny a read operation for the request status available from the end entity interface Operations Default ACIs allow read user anybo...

Страница 363: ...ng environment LDAP configuration SMTP configuration server statistics encryption token names subject name of certificates certificate nicknames all subsystems that have been loaded by the server get...

Страница 364: ...uration Operations Default ACIs allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certif...

Страница 365: ...can read recover or retrieve key information certServer kra keys Allow or deny a list operation for the Data Recovery Manager Operations Default ACIs allow list group Data Recovery Manager Agents Onl...

Страница 366: ...roup Data Recovery Manager Agents Only Data Recovery Manager Agents can list key archival requests certServer kra request status Allow or deny a read operation for a Data Recovery Manager request Oper...

Страница 367: ...up Online Certificate Status Manager Agents allow modify group Administrators Administrators Agents and auditors are allowed to read the log configuration only administrators are allowed to modify the...

Страница 368: ...parameter of a log instance Operations Default ACIs allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agent...

Страница 369: ...all logs Operations Default ACIs allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Cert...

Страница 370: ...ate Authorities certServer ocsp certificate Allow or deny a validate operation for checking certificate revocation information Operations Default ACIs allow validate group Online Certificate Status Ma...

Страница 371: ...o modify OCSP configuration certServer ocsp crl Allow or deny an add operation for posting CRL to an OCSP Operations Default ACIs allow add group Online Certificate Status Manager Agents Online Certif...

Страница 372: ...Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators read Viewing policy plug ins and instances Listing policy plug ins and instances...

Страница 373: ...and agents are allowed to read publisher configuration only administrators are allowed to modify publisher configuration certServer ra configuration Allow or deny a read or modify operation for the c...

Страница 374: ...mport unrevoke revoke read group Registration Manager Agents Registration Manager agents can import unrevoke revoke and read certificates certServer ra connector Allow or deny a submit operation for a...

Страница 375: ...enable disable face to face enrollment certServer ra facetofaceenrollment enableHosts Allow or deny reading all hosts enabled for face to face registration Operations Default ACIs allow read group Re...

Страница 376: ...an read and approve certificate profiles certServer ra profiles Allow or deny a list operation to certificate profiles in the agent services interface in a Registration Manager Operations Default ACIs...

Страница 377: ...fault ACIs allow approve read group Registration Manager Agents Registration Manager agents can view and approve certificate profile based requests certServer ra requests Allow or deny a list operatio...

Страница 378: ...ration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators auditors and agents are allowed...

Страница 379: ...tration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Administrators auditors and agents are allowed to read user a...

Страница 380: ...ACL Reference 380 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 381: ...rollment Automated Enrollment Agent Initiated End User Enrollment Certificate Based Enrollment Issuing and Managing Server Certificates CEP Enrollment Testing Your Enrollment Setup Managing Authentica...

Страница 382: ...an instance of one of the authentication plug in modules You can also create plug ins for automatic enrollment using other forms of authentication such as a secure ID card or a relational database usi...

Страница 383: ...ficate Manager If the subsystem where the request is submitted is a Registration Manager the request must pass the policies and certificate profiles of both the Registration Manager and the Certificat...

Страница 384: ...Constraints on page 499 If the renewal lead time does not permit renewing the server rejects the renewal request Also if the policy is disabled renewal of certificates fails If the certificate being p...

Страница 385: ...ent s approval An agent can change some aspects of the request change the status of the request reject the request or approve the request Once the request is approved the signed request is sent to the...

Страница 386: ...d a pin you set up in their directory entry and then given to the end entity See Setting Up Pin Based Enrollment on page 393 Portal Enrollment End users are registered into an LDAP directory and issue...

Страница 387: ...onality setting policies for specific certificates in the certificate profile see Chapter 10 Certificate Profiles for information about policies In the case of policy based enrollments customize the H...

Страница 388: ...nd entry DN See DNs in Certificate Management System on page 784 ldapStringAttributes Specifies the list of LDAP string attributes that should be considered authentic for the end entity If specified t...

Страница 389: ...Specifies the minimum number of connections permitted to the authentication directory Permissible values 1 to 3 ldap maxConns Specifies the maximum number of connections permitted to the authenticatio...

Страница 390: ...uth Authentication plug in module and configure the instance See Setting Up the NISAuth Authentication on page 390 for details Customize the HTML enrollment forms Make sure the proper authentication m...

Страница 391: ...ctory attributes and entry DN See DNs in Certificate Management System on page 784 extendedDN Specifies the suffix that the server should add to the default subject DN when an LDAP directory is not sp...

Страница 392: ...conn port Specifies the TCP IP port on which the authentication LDAP directory listens to requests from CMS ldap ldapconn secureConn Specifies the type SSL or non SSL of the port on which the authenti...

Страница 393: ...t policies Alternatively you can enroll users through the certificate profile functionality setting policies for specific certificates in the certificate profile see Chapter 10 Certificate Profiles fo...

Страница 394: ...pen the setpin conf file in a text editor 3 Follow the instructions outlined in the file and make the appropriate changes Typically you will need to update the Directory Server s host name Directory M...

Страница 395: ...need to enable the AttributePresentConstraints policy in the Certificate Manager that actually issues the certificates see AttributePresentConstraints on page 493 This policy forces the Certificate M...

Страница 396: ...uld be considered authentic for the end entity If specified the values corresponding to these attributes will be copied from the authentication directory into the authentication token that is values r...

Страница 397: ...password cache and uses it for subsequent start ups You need to specify this parameter only if you ve selected removePin ldap ldapauth clientCertNickname Specifies the nickname of the certificate to b...

Страница 398: ...t presently exist for that user and to issue the user a certificate Portal enrollment is useful when you have a portal and want to register users and have them later authenticate using a certificate S...

Страница 399: ...s Create an instance of the PortalEnroll Authentication plug in module and configure the instance See Setting Up the PortalEnroll Authentication on page 399 for details Customize the HTML enrollment f...

Страница 400: ...fully qualified DNS host name of the authentication directory ldap ldapconn port Specifies the TCP IP port on which the authentication directory listens to requests from CMS ldap ldapconn secureConn S...

Страница 401: ...N from the ldap ldapauth bindDN attribute to bind to the directory default SslClientAuth specifies SSL client authentication If you choose this option be sure to set the value of the ldap ldapconn sec...

Страница 402: ...ut policies Alternatively you can enroll users through the certificate profile functionality setting policies for specific certificates in the certificate profile see Chapter 10 Certificate Profiles f...

Страница 403: ...C Enroll Utility The CMC Enroll utility CMCEnroll is used to sign a certificate request with an agent s certificate It is installed along with CMS and is available in the following directory server_ro...

Страница 404: ...1 Go to the directory server root cert instance web apps ee ra 2 Open the file CMCEnrollment html 3 Find the following line form method post action enrollment onSubmit return validate document forms...

Страница 405: ...le the End Entity pages for CMC Enrollment on page 404 7 Submit your signed certificate using the end entity port a Go the End Entity port b Select CMC Enrollment from the main end entity page c Paste...

Страница 406: ...DirEnrollment plug in is an instance of the HashAuth plug in You can turn this feature off by disabling or deleting the AgentDirEnrollment instance CMS provides the following form for agent initiated...

Страница 407: ...e them available to users by some means Basically a user can get and use any pre initialized and certificate loaded hardware token Next each user uses the randomly picked token to enroll for a pair of...

Страница 408: ...edSingleEnroll html this form is provided as a sample It enables end users to request signing certificates by submitting pre issued certificates as authentication tokens when a user enrolls for a cert...

Страница 409: ...o other servers and end users and to encrypt data In order to issue SSL server certificates the signing certificate for the Certificate Manager must be enabled for such issuance If the Certificate Man...

Страница 410: ...and in the internal database of CMS CMS allows server administrators to renew their certificates by using the server enrollment form hosted by a Certificate Manager or Registration Manager The renewal...

Страница 411: ...for approval by the Certificate Manager agent To submit the server certificate request to CMS manually 1 Open a web browser window 2 Go to the End Entity Services interface of the Certificate Manager...

Страница 412: ...upport for IPSec see the information available at this URL http www cisco com warp public cc cisco mkt security encryp prodlit 821_pp htm You can issue certificates to routers and CEP compliant Virtua...

Страница 413: ...configure the plug in See Authentication Token File on page 413 and Setting Up the CEP Plug In on page 414 Authentication Token File You create a text file with CEP enrollee information that is used...

Страница 414: ...S SDK See the SDK documentation for information about this plug in and any additional programming you may need to do to it 2 Register the plug in the CMS authentication framework See the CMS SDK for d...

Страница 415: ...path name keyAttributes Specifies a comma separated list of attributes in the request which together uniquely identify an entry in the authentication token file The list of attributes you specify her...

Страница 416: ...way cep cep1 entryObjectClass cep eeGateway cep cep1 url cgi bin pkiclient exe eeGateway cep cep1 authName flatfile_router VPN configuration eeGateway cep cep2 url vpnenroll eeGateway cep cep2 authNam...

Страница 417: ...chema can accommodate VPN clients You may need to update the Directory Server s schema The reason for this is if you plan on publishing certificates from routers they may need to be published with the...

Страница 418: ...tance of the policy plug in named CRLDistributionPointsExt for router certificates This extension if present in a certificate enables the user of the certificate to find revocation information pertain...

Страница 419: ...cate an entry must already exist for the DN in the directory Enter true if you want the Certificate Manager to create an entry if one does not already exist true false Enter false if an entry already...

Страница 420: ...length such as 512 or 1024 The longer the key length the more time the router takes to generate the key pair 6 Request the CA s Certificate In this part of the operation you identify the CA to the ro...

Страница 421: ...authentication for routers the request will get processed by the CA The CA may return the certificate to the router in the same transaction If it doesn t the router checks with the CA at periodic inte...

Страница 422: ...ty exit router config crypto ca authenticate test ca Certificate has the following attributes Fingerprint 24D34656 EB830C39 DD9E8179 0A4EBA98 Do you accept this certificate yes no yes router config cr...

Страница 423: ...do it through profiles please read the instructions in Chapter 10 Certificate Profiles To test whether your end users can successfully enroll for a certificate using the authentication method you ve...

Страница 424: ...the Directory Server is listening to authentication requests from the Certificate Manager base_dn with the DN to start searching for the user s entry and user_id with the ID of the user for whom you...

Страница 425: ...this class is part of a package be sure to include the package name For example if you are registering a class named customAuth and if this class is in a package named com customplugins type com custo...

Страница 426: ...rs need to generate Software Publishing File SPC files for their object signing certificates you should ask them to use the Microsoft tool named cert2spc The SPC file enables them to execute commands...

Страница 427: ...ls AtoB cert b64 cert der converts the base 64 encoded certificate in the cert b64 file to its DER encoded format and writes the DER encoded certificate to a file named cert der 8 Next use the Microso...

Страница 428: ...Generating Files Required By Third Party Object Signing Tools 428 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 429: ...content that can be contained in this type of certificate and the contents of the input and output forms associated with the certificate profile Enrollments requests are submitted to a particular cert...

Страница 430: ...aults the constraints used in each policy the values assigned to any of the parameters in a policy or the input and output You can also create other certificate profiles either for other types of cert...

Страница 431: ...interface where end entity can enroll for a certificate using the certificate profile The Certificate Profile enrollment page contains links to each type of certificate profile enrollment that has be...

Страница 432: ...uated with the first certificate request and the second set is evaluated with the second certificate request There is no need for more than one set if you are issuing a single certificate or more than...

Страница 433: ...by adding or deleting inputs in the certificate profile thus defining the fields on the input page Add or delete the single output Optionally you can modify existing defaults constraints inputs and o...

Страница 434: ...s window Certificate Profile Instance ID Specify the instance ID of the certificate profile This name or number will be used by the system to identify the instance Certificate Profile Name Specify a n...

Страница 435: ...bmitted request is queued in the request queue of the agent services interface e Click Ok The new certificate profile appears in the Certificate Profile Instances Management tab 6 To modify an existin...

Страница 436: ...Certificate Profile Authentication Specify the authentication method Specify an automated authentication by providing the instance ID for the authentication instance that will be used If this field is...

Страница 437: ...the policies associated with each certificate Certificate Profile Policy ID Type a name or identifier for this certificate profile policy d Configure any parameters in the Default or Constraint tab S...

Страница 438: ...constraint applied to this policy Some values can be edited by clicking into the value field and changing the entry others have pull down menus associated with them where you can pick the values avail...

Страница 439: ...puts tab of the Certificate Profile Rule Editor window You need to set up outputs for any certificate profile that uses an automated authentication method you do not need to set up outputs for any cer...

Страница 440: ...r the types of certificates that are usually issued by a RA and a CA All certificate profiles are installed with a CA only those certificate profiles beginning with ra are installed with and RA The de...

Страница 441: ...red for enrollments for end user certificates using directory based authentication in a Certificate Manager caAgentServerCert Configured for enrollments for server certificates allowing for automatic...

Страница 442: ...profile up to match the certificate profile set up in the RA the value of the End User Certificate Profile needs to be set to false in order for the CA to be able to accept the request from somewhere...

Страница 443: ...certificate used by a subsystem to sign the signed audit logs Input Reference An input puts certain fields on the enrollment page associated with a particular certificate profile You define inputs fo...

Страница 444: ...field will display Not Supported on browsers other than Netscape 7 and above Key Generation Input The Key Generation Input input is used for enrollments in which a single key pair will be generated ge...

Страница 445: ...certificate Requestor Phone This field is used to enter the phone number of the requestor of this certificate Output Reference An output represents the response to the end user of a successful enrollm...

Страница 446: ...llows you to provide references to CRL locations For general information about this extension see authorityInfoAccess on page 757 You can define the following constraints with this default Extension C...

Страница 447: ...ue must be a valid domain name in the fully qualified DNS format For example testCA example com If you selected EDIPartyName the value must be an IA5String For example Example Corporation If you selec...

Страница 448: ...ing the certificate chain verification process to identify CA certificates and to apply certificate chain path length constraints For general information about this extension see basicConstraints on p...

Страница 449: ...tension is set in end entity certificates Permissible values 0 or n Make sure that the value you choose is less than the path length specified in the Basic Constraints extension of the CA signing cert...

Страница 450: ...ked with an n in the table to distinguish that the parameter is associated with one of the five possible locations Table 10 3 CRL Distribution Points Extension Configuration Parameters Parameter Descr...

Страница 451: ...any of the following formats An X 500 directory name in the RFC 2253 syntax For example CN CA Central OU Research Dept O Example Corporation C US A URIName for example it would look similar to this h...

Страница 452: ...s 1 3 6 1 4 1 311 10 3 4 this OID is for the EFS certificate 1 3 6 1 4 1 311 10 3 4 1 this OID is for the EFS recovery certificate The EFS recovery certificate is used by a recovery agent when a user...

Страница 453: ...f the five possible locations Table 10 5 Extended Key Usage Extension Default Configuration Parameters Parameter Description Critical Select true to mark this extension critical select false to mark t...

Страница 454: ...Select from DirectoryName and URIName PointName_ n If pointType is set to directoryName the value must be a string form of X 500 name similar to the subject name in a certificate For example CN CACen...

Страница 455: ...efully consider the legal consequences of its use before setting it for any certificate Select true to set select false to not set keyEncipherment Specifies whether to set the extension for SSL server...

Страница 456: ...y parameters for each of these location The parameters are marked with an n in the table to distinguish that the parameter is associated with one of the five possible locations decipherOnly Specifies...

Страница 457: ...ed RFC822Name the value must be a valid Internet mail address in fully qualified DNS format For example testCA example com If you selected DirectoryName the value must be a string form of X 500 name s...

Страница 458: ...c othername txt PermittedSubtree Enable_ n Select true to enable this permitted subtree entry select false to disable this permitted subtree entry ExcludedSubtrees n min Specifies the minimum number o...

Страница 459: ...encoding rules The name must include both a scheme for example http and a fully qualified domain name or IP address of the host For example http testCA example com If you selected IPAddress the value...

Страница 460: ...certificate type for example it identifies whether the certificate is a CA certificate server SSL certificate client SSL certificate object signing certificate or S MIME certificate and thus enables y...

Страница 461: ...tions Select true to include this capability select false to not include this capability CertEmail Specifies that the certificate can be used to send secure email messages Select true to include this...

Страница 462: ...on Constraint on page 475 Extension Constraint see Extension Constraint on page 473 No Constraints see No Constraint on page 475 Policy Constraints Extension Default This default populates a policy co...

Страница 463: ...It specifies at the most n subordinate CA certificates are allowed in the path before an explicit policy is required Note that the number you specify affects the number of CA certificates to be used d...

Страница 464: ...y equivalent to the subjectDomainPolicy of the subject CA The issuing CA s users may accept an issuerDomainPolicy for certain applications The policy mapping tells these users which policies associate...

Страница 465: ...me on page 766 The standard suggests that if the certificate subject field contains an empty sequence then the subject alternative name extension must contain the subject s alternative name and that t...

Страница 466: ...hecks the certificate request for configured attributes If the request contains an attribute the policy reads its value and sets it in the extension This way the extension that gets to added to certif...

Страница 467: ...tory name similar to the subject name in a certificate For example CN Jane Doe OU Sales Dept O Example Corporation C US Select DNSName if the request attribute value is a DNS name For example corpDire...

Страница 468: ...n page 475 Subject Name Default This default populates server side configurable subject name into the certificate request You provide a static subject name that is used as the subject name in the cert...

Страница 469: ...certificate profile allows a user to define extensions No inputs are provided to add user supplied extensions to the enrollment form You can create an input for this purpose using the CMS SDK You can...

Страница 470: ...Subject Name Default This default populates a user supplied subject name into the certificate request If included in the certificate profile allows a user to supply a subject name for the certificate...

Страница 471: ...if the basic constraint in the certificate request satisfies the criteria set in this constraint Table 10 17 Validity Default Configuration Parameters Parameter Description range Specifies the validi...

Страница 472: ...n of the CA signing certificate owned by the CA that will issue these certificates 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate being issued that is...

Страница 473: ...guration Parameters Parameter Description Critical Specifies whether the extension can be marked critical or noncritical Select true to allow the extension to be marked critical select false to disall...

Страница 474: ...onstraints are placed for this parameter keyEncipherment Specifies whether to set the extension for SSL server certificates and S MIME encryption certificates Select true to allow this to be set selec...

Страница 475: ...cifies whether to set the extension if the public key is to be used only for deciphering data If this bit is set keyAgreement should also be set Select true to allow this to be set select false to not...

Страница 476: ...as Java applets and plug ins Select true to allow this capability select false to not allow this capability select to indicate no constraints are placed for this parameter CertSSLCA Specifies that th...

Страница 477: ...all of the following MD2withRSA MD5withRSA SHA1withRSA Table 10 24 Subject Name Constraint Configuration Parameters Parameter Description Pattern Specifies a regular expression specified as a string a...

Страница 478: ...etscape Certificate Management System Administrator s Guide June 2003 Table 10 25 Validity Constraint Configuration Parameters Parameter Description range The range parameter is of type integer And th...

Страница 479: ...ewer default certificate enrollment feature Certificate Enrollment Profiles see Chapter 10 Certificate Profiles The policies feature will be discontinued in the future release s To enable the feature...

Страница 480: ...revocation key archival and key recovery requests For example in the case of a certificate issuance request the outcome would be the certificate content A Certificate Manager s policy can include rule...

Страница 481: ...o fall within a predetermined range say between 6 and 24 months A subsystem s policy configuration can consist of one or more policy rules each performing one or more of the following operations Valid...

Страница 482: ...s on the request based on the request type The policy processor also filters the rules based on predicates see Using Predicates in Policy Rules on page 483 Note that the policy processor applies only...

Страница 483: ...rs AND or OR For example you could set up a predicate to put the CRL Distribution Point extension only in SSL client certificates or set different validity dates for certificates for users in differen...

Страница 484: ...n the request Other attributes regarding the end entity such as the user ID are set on the request after successful authentication The servlets also interpret the form content for example retrieving t...

Страница 485: ...Attributes for predicates can come from any of the following Input form that is the HTML form that end entities use for submitting certificate requests Authentication token what the authentication su...

Страница 486: ...icate server SSL server certificate Enrollment doSslAuth Specifies whether the client is required to do SSL client authentication during enrollment Default values include the following on off Enrollme...

Страница 487: ...name attribute_name value attribute_value Enrollment cepsubstore Specifies the name of the CEP service for example cep1 and cep2 When setting up multiple CEP services you can use predicates to differ...

Страница 488: ...policy plug in implementation 2 Enter the appropriate values for all the attributes Assume you named the instance ValidityRule1 set the minimum validity period to 10 days set the maximum validity peri...

Страница 489: ...AND HTTP_PARAMS orgunit Sales The new configuration would result in certificates with a validity period of six months for users in the Sales organizational unit and a validity period of three months...

Страница 490: ...eter In this way you can avoid re creating the rule in the future Because the subsystems subject end entity requests only to rules that are currently enabled keeping unwanted rules in the disabled sta...

Страница 491: ...f required To add a new policy rule to the CMS configuration 1 In the Policy Rules Management tab click Add The Select Policy Plugin Implementation window appears It lists registered policy plug in mo...

Страница 492: ...figured policy rules in the order in which they are executed by the subsystem 2 To change the order of a rule select it in the list and click the Up or Down button as appropriate Keep in mind that the...

Страница 493: ...ic Policy Module Reference Constraints specific policy plug in modules help you define rules or constraints that CMS uses to evaluate an incoming certificate enrollment renewal or revocation request E...

Страница 494: ...icy during installation Table 11 3 describes the configuration parameters of the AttributePresentConstraints policy Table 11 3 AttributePresentConstraints Configuration Parameters Parameter Descriptio...

Страница 495: ...ntication type basic authentication or SSL client authentication required in order to check attributes in the LDAP directory BasicAuth specifies basic authentication default If you choose this option...

Страница 496: ...axConns Specifies the maximum number of connections permitted to the LDAP directory when needed connection pool can grow to this many multiplexed connections Permissible values 3 to 10 the default val...

Страница 497: ...ize Specifies the minimum length in bits for the key the length of the modulus in bits The value must be smaller than or equal to the one specified by the maxSize parameter Permissible values 512 or 1...

Страница 498: ...Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable default deselect to disable predicate Specifies the predicate expression for t...

Страница 499: ...rmissible values RSA or RSA Table 11 7 RenewalConstraints Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable the rule default Dese...

Страница 500: ...nstance of the revocation constraints policy named RevocationConstraintsRule that is enabled by default Table 11 9 describes the configuration parameters of the RevocationConstraints policy Table 11 8...

Страница 501: ...ion parameters of the RSAKeyConstraints policy predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the field blank default...

Страница 502: ...d renewal requests During installation CMS automatically creates an instance of the signing algorithm constraints policy named SigningAlgRule that is enabled by default minSize Specifies the minimum l...

Страница 503: ...rly You may apply this policy to CA certificate enrollment and renewal requests Table 11 11 SigningAlgorithmConstraintsConfiguration Parameters Parameter Description enable Specifies whether the rule...

Страница 504: ...server accordingly using the policy Alternatively if you want to allow your users to own multiple certificates each for a different use all having the same subject name you can do so easily using the...

Страница 505: ...g Specifies whether the certificate request must be checked for the Key Usage extension Note that the policy can check the certificate request for the Key Usage extension only if you deselect the enab...

Страница 506: ...mplementation The ability to configure the value of the leadTime parameter in the policy rule allows you to prohibit end entities from requesting certificates whose validity starts too far in the futu...

Страница 507: ...me when the policy rule is run The notBefore attribute value specifies the date on which the certificate validity begins validity dates through the year 2049 are encoded as UTCTime dates in 2050 or la...

Страница 508: ...cations most likely will not understand your extension By default only noncritical extensions are added to certificates This ensures that the resulting certificates can be used with all clients If you...

Страница 509: ...ation Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predicate expression for this rule If you w...

Страница 510: ...cifies the address or location to get additional information about the CA that has issued the certificate in which this extension appears Specifying the information based on the following If you selec...

Страница 511: ...Pv4 address must be in the n n n n format for example 128 21 39 40 IPv4 address with netmask must be in the n n n n m m m m format For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the add...

Страница 512: ...6 AuthorityKeyIdentifierExt Configuration Parameters Parameter Description enable Specifies whether the rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predica...

Страница 513: ...ng up the chain The maxPathLen parameter has no effect if the extension is set in end entity certificates Permissible values 0 or n Make sure that the value you choose is less than the path length spe...

Страница 514: ...this rule If you want this rule to be applied to all certificate requests leave the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 483 critical Specifi...

Страница 515: ...isplayText Specifies the textual statement to be included in certificates this parameter corresponds to the explicitText field of the user notice If you want to embed a textual statement for example y...

Страница 516: ...form a predicate expression see Using Predicates in Policy Rules on page 483 critical Specifies whether the extension should be marked critical or noncritical Select to mark critical deselect to mark...

Страница 517: ...r future time in seconds by which the certificate must be renewed the endTime field of the extension will be set to the specified time since certificate issuance You can specify the time period in sec...

Страница 518: ...icate for client authentication the extension enables the certificate using application to restrict the release of individual certificates to web sites requesting SSL client authentication The certifi...

Страница 519: ...ry name Select dNSName if the site is a DNS name default Select ediPartyName if the site is a EDI party name Select URL if the site is a uniform resource identifier Select iPAddress if the site is an...

Страница 520: ...0 IPv4 address with netmask must be in the n n n n m m m m format For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form with netmask separated by a comma Exam...

Страница 521: ...ion points to be included in the extension it must be an integer greater than zero The default is 3 Note that when you set a number other than O each distribution point has its own set of configuratio...

Страница 522: ...nstants unused keyCompromise cACompromise affiliationChanged superseded cessationOfOperation certificateHold issuerName n Specifies the name of the issuer that has signed the CRL maintained at distrib...

Страница 523: ...he private key and the data encrypted with that key needs to be used CMS supports the above two OIDs and allows you to issue certificates containing extended key usage extension with these OIDs Normal...

Страница 524: ...ifying that no key usage purposes can be contained in the extension or n specifies the total number of key usage purposes to be included in the extension it must be an integer greater than zero The de...

Страница 525: ...ting and testing the server in a production environment you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs See Appendix H Object Identifiers for information on...

Страница 526: ...lation CMS automatically creates an instance of the generic ASN 1 extension policy named GenericASN1Ext that is disabled by default Configuration Parameters of GenericASN1Ext The configuration defines...

Страница 527: ...values A valid OID specified in dot separated numeric component notation see the example Although you can invent your own OIDs for the purposes of evaluating and testing this server in a production e...

Страница 528: ...ing for extensions that have ASN 1 PrintableString values It s case insensitive and accepts any normal string as value Select UTCTime for site defined extensions that have ASN 1 UTCTime values Select...

Страница 529: ...ue For example 1234567890 If the data type is IA5String enter a normal string as value For example Test of IA5String If the data type is OctetString and if the data source is Value enter the value in...

Страница 530: ...hether the extension should be marked critical or noncritical Select to mark critical default deselect to mark noncritical numGeneralNames Specifies the total number of alternative names or identities...

Страница 531: ...If you selected rfc822Name the value must be a valid Internet mail address in the local part domain format see the definition of an rfc822Name as defined in RFC 822 http www ietf org rfc rfc0822 txt...

Страница 532: ...at For example 128 21 39 40 255 255 255 00 For IP version 6 IPv6 the address should be in the form described in RFC 1884 http www ietf org rfc rfc1884 txt with netmask separated by a comma Examples of...

Страница 533: ...6 lists the bits and their designated purposes You can restrict the purposes for which a key pair and thus the corresponding certificate should be used by setting the appropriate key usage bits For ex...

Страница 534: ...g by editing the enrollment forms as you can do this easily by making the appropriate changes to the policy instance bits set on the server side override the ones set on the client side However if you...

Страница 535: ...e enrollment form ManRAEnroll html for requesting Registration Manager signing certificates ServerCertKeyUsageExt This rule is for setting the appropriate key usage bits in SSL server certificates and...

Страница 536: ...ether to set the digitalSignature bit or bit 0 of the key usage extension in certificates specified by the predicate parameter Permissible values true false or HTTP_INPUT Select true if you want the s...

Страница 537: ...e server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable correspon...

Страница 538: ...if you want the server to set the bit default Select false if you don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input var...

Страница 539: ...u don t want the server to set the bit Select HTTP_INPUT if you want the server to check the certificate request for the HTTP input variable corresponding to the decipherOnly bit and set the bit accor...

Страница 540: ...r of permitted subtrees to be included in the extension it must be an integer greater than zero The default value is 8 numExcludedSubtrees Specifies the total number of subtrees to be excluded in the...

Страница 541: ...ryName permittedSubtrees n base generalNameValue Specifies the general name value for the permitted subtree you want to include in the extension Permissible values Depends on the general name type you...

Страница 542: ...IPv4 the address should be in the form specified in RFC 791 http www ietf org rfc rfc0791 txt IPv4 address must be in the n n n n format for example 128 21 39 40 IPv4 address with netmask must be in...

Страница 543: ...are allowed excludedSubtrees n base generalNameChoice Specifies the general name type for the excluded subtree you want to include in the extension Permissible values rfc822Name directoryName dNSName...

Страница 544: ...For example CN SubCA OU Research Dept O Example Corporation C US If you selected dNSName the value must be a valid domain name in the preferred name syntax as specified by RFC 1034 http www ietf org r...

Страница 545: ...FFFF FFFF FFFF FFFF FFFF FF00 0000 If you selected OID the value must be a unique valid OID specified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 If you selected otherNa...

Страница 546: ...section Using Predicates in Policy Rules in Chapter 18 Setting Up Policies of CMS Administrator s Guide Example HTTP_PARAMS certType client critical Specifies whether the extension should be marked c...

Страница 547: ...o default value displayText Specifies the textual statement that should be included in certificates If you want to embed a textual statement for example your company s legal notice in certificates the...

Страница 548: ...the extension by enabling the Netscape certificate type extension policy and which bits are to be set by adding the appropriate HTTP variables to the enrollment forms Bits set in the Netscape certific...

Страница 549: ...quested using the form For example the server enrollment form embeds the ssl_server variable whereas the subordinate CA Certificate Manager enrollment form embeds the ssl_client email_ca ssl_ca and ob...

Страница 550: ...ficate requests leave the field blank default To form a predicate expression see Using Predicates in Policy Rules on page 483 setDefaultBits Specifies whether to set the Netscape certificate type exte...

Страница 551: ...nt For general information about this extension see policyConstraints on page 765 During installation CMS automatically creates an instance of the policy constraints extension policy named PolicyConst...

Страница 552: ...t in end entity certificates Permissible values 1 0 or n 1 specifies that the field should not be set in the extension default 0 specifies that no subordinate CA certificates are permitted in the path...

Страница 553: ...he rule is enabled or disabled Select to enable deselect to disable predicate Specifies the predicate expression for this rule If you want this rule to be applied to all certificate requests leave the...

Страница 554: ...can invent your own OIDs for the purposes of evaluating and testing this server in a production environment you should comply with the ISO rules for defining OIDs and for registering subtrees of IDs S...

Страница 555: ...t this extension see subjectAltName on page 766 notBefore Specifies the date on which the validity period for the private key associated with the certificate begins Permissible values A valid date spe...

Страница 556: ...S in section JavaScript Used By All Interfaces of CMS Customization Guide You can also distinguish the attributes based on their origin that is whether they originated from the enrollment form or wher...

Страница 557: ...ribute whose value is to be included in the extension The attribute value must conform to any of the supported general name types specified by the generalName n generalNameChoice parameter If the serv...

Страница 558: ...hentication instance is set to mail or mailalternateaddress or to both The third attribute HTTP_PARAMS csrRequestorEmail is the email component of the subject name in an enrollment request it is an HT...

Страница 559: ...e extension you need to specify the attribute name and its value the name must be the X 500 directory attribute name itself and the attribute value can be derived from the request or directly entered...

Страница 560: ...teger derived from the value you assign in this field For example if you set the numAttributes parameter to 2 n would be 0 and 1 attribute n attrib uteName Specifies the name of the directory attribut...

Страница 561: ...s section explains how to use the CMS window to perform the following operations Table 11 41 SubjectKeyIdentifierExt Configuration Parameters Parameter Description enable Specifies whether the rule is...

Страница 562: ...1 Log in to the CMS window see Logging Into the CMS Console on page 245 2 Select the Configuration tab 3 In the navigation tree select the subsystem that will use the module you want to register 4 Se...

Страница 563: ...y framework 1 Log in to the CMS window see Logging Into the CMS Console on page 245 2 Select the Configuration tab 3 In the navigation tree select the subsystem that registers the module you want to d...

Страница 564: ...Managing Policy Plug in Modules 564 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 565: ...d Notifications The automated notifications feature is an event driven system that sends email notifications when the specified event occurs The system uses listeners that monitor the system to determ...

Страница 566: ...of automated notifications are available Certificate Issued Request In Queue Certificate Revocation Certificate Issued A notification message is automatically sent to users who have been issued certif...

Страница 567: ...d the notification is sent to the email address specified in the Sender s Email Address field specified when you set up this notifications as undeliverable notification You can customize the email res...

Страница 568: ...is the email address of the person who is notified of any delivery problems Subject Type the subject title for the notification Recipient s E Mail Address Type the recipient s full email address this...

Страница 569: ...r notification message are explained in the procedure in the section Setting Up Automated Notifications on page 567 5 Save the file 6 Restart the server instance 7 If you set up a job that sends autom...

Страница 570: ...of HTML templates Tokens are variables identified with the dollar sign character in the message that are replaced by the current value when the message is constructed See Token Definitions on page 573...

Страница 571: ...website http IT if you have any problems Notification Message Templates Notification message templates are located in the following directory server_root cert instance_id emails You can change the na...

Страница 572: ...certificate is revoked certRequestRevoked_CA html Template for the Certificate Manager to send HTML based notifications to end entities when their certificate is revoked certRequestRevoked_RA Templat...

Страница 573: ...he time the job instance was run HexSerialNumber Specifies the serial number of the certificate that has been issued in hexidecimal format HttpHost Specifies the fully qualified host name of the Certi...

Страница 574: ...e displayed as a hexadecimal value in the resulting message Status Specifies the status of the request SubjectDN Specifies the distinguished name of the certificate subject SummaryItemList Specifies t...

Страница 575: ...execute specific jobs at specified times The job scheduler functions similar to a traditional Unix cron daemon in that it takes registered cron jobs and executes them at a preconfigured date and time...

Страница 576: ...The types of automated jobs are RenewalNotification RequestInQueue and UnpublishExpired RenewalNotificationJob The RenewalNotification job checks for certificates that are about to expire in the inte...

Страница 577: ...tlined in section Updating Certificates and CRLs in a Directory on page 658 You can create additional automated jobs using the CMS SDK Setting Up the Job Scheduler The Certificate Manager and Registra...

Страница 578: ...to be valid For example the following entry specifies a job execution time of midnight on the first and fifteenth of every month and on every Monday 0 0 1 15 1 To specify one day type without the othe...

Страница 579: ...hat meet the cron specification By default it is set to one minute See Frequency Settings for Automated Jobs on page 577 The window for entering this information may appear too small Drag the corners...

Страница 580: ...n to the CMS console see Logging Into the CMS Console on page 245 3 Select the Configuration tab 4 In the navigation tree select Job Scheduler then select Jobs The Job Instance tab appears showing the...

Страница 581: ...Configuration Parameters of UnpublishExpiredJob on page 585 for details about these parameters 8 Click Ok 9 Click Refresh 10 If you set up a job that sends automated messages check that your have corr...

Страница 582: ...h jobsScheduler job unpublishExpiredCerts see Configuration Parameters of UnpublishExpiredJob on page 585 for details about these parameters 5 Save the file 6 Restart the server instance 7 If you set...

Страница 583: ...ery problems emailSubject Specifies the text of the subject line of the notification message emailTemplate Specifies the path including the filename to the directory that contains the template to be u...

Страница 584: ...emplate to be used for formulating the summary report email notification For details see Customizing Notification Messages on page 587 Table 13 3 RequestInQueueJob Parameters Parameter Description ena...

Страница 585: ...e summary emailTemplate Specifies the path including the filename to the directory that contains the template to be used for creating the summary report For details see Customizing Notification Messag...

Страница 586: ...server to send the summary report summary emailSubject Specifies the subject line of the summary message summary emailTemplate Specifies the path including the filename to the directory that contains...

Страница 587: ...essages by modifying the HTML commands included in the HTML template for that message type Templates for Summary Notifications Notification message templates are located in the following directory ser...

Страница 588: ...be sent to agents and administrators Uses the rnJob1Item txt template to format items in the message rnJob1Item txt Template for formatting the items to be included in the summary report Table 13 6 T...

Страница 589: ...Date Specifies the date the certificate was revoked SenderEmail Specifies the email address of the sender SerialNumber Specifies the serial number of the certificate the serial number will be displaye...

Страница 590: ...Configuration tab 3 In the navigation tree select Job Scheduler then select Jobs The Job Instance tab appears It lists any currently configured jobs 4 Select the Job Plugin Registration tab The Job P...

Страница 591: ...cate a server administrator or by a Certificate Manager agent End users can revoke certificates by using the Revocation form provided in the end entity services interface Agents can revoke end entity...

Страница 592: ...to do so removes the revoked certificates from the publishing directory and updates the CRL in the publishing directory Authentication of End Users During Certificate Revocation When an end user submi...

Страница 593: ...ial number of the certificate the user wants to revoke and the challenge password associated with the certificate The server verifies the authenticity of a revocation request by mapping the serial num...

Страница 594: ...then send the signed request to the Certificate Manager The enabled instance of the CMCAuth plug in module also activates CMC revoke when it is enabled the default When this method is setup the Certi...

Страница 595: ...hat exists d The directory where cert8 db key3 db and secmod db containing the agent certificate are located n The nickname of the agent s certificate i The issuer name of the certificate being revoke...

Страница 596: ...ed page confirms that the certificate 22 has been revoked About CRLs Server and client applications that use public key certificates as tokens of identification need access to information about the va...

Страница 597: ...directory or an OCSP responder Note that the Registration Manager cannot create or publish CRLs although it can take revocation requests and pass them on to the Certificate Manager A CRL is issued and...

Страница 598: ...server End users are also required to authenticate to the server in order to revoke their certificate Whenever a certificate is revoked the Certificate Manager updates the status of the certificate i...

Страница 599: ...L issuing points specified in the certificate instead of the master or main CRL the application would check the CRL maintained at the issuing point which would be smaller in size compared to the maste...

Страница 600: ...ce its creation For example if the numbering were as simple as 1 2 3 the first CRL would be CRL 1 The second CRL would be CRL 2 and the delta would be deltaCRL 2 The deltaCRL 2 would reference CRL 1 a...

Страница 601: ...revoked certificates from the entire CA ARL Authority Revocation List containing only revoked CA certificates Master CRL and Expired Certificates Containing the list of revoked certificates from the...

Страница 602: ...t that issuing point and click Edit You can only change the description for the issuing point and change the status from enabled to disabled 4 To add an issuing point click Add The CRL Issuing Point E...

Страница 603: ...dragging at one of the corners some fields in this window do not appear large enough to read the content In the Update Frequency section specify the interval for publishing the CRL to the directory E...

Страница 604: ...Include expired certificates Select if you want the server to include revoked certificates that have expired in the CRL If this is enabled information about revoked certificates will remain in the CR...

Страница 605: ...n this step you modify the default rules to suit your organization s requirements To specify the CRL extensions 1 In the navigation tree select Certificate Manager and then select CRL Issuing Points N...

Страница 606: ...n is used to identify the public key that corresponds to the private key used by a CA to sign CRLs The PKIX standard recommends that the CA must include this extension in all CRLs it issues The reason...

Страница 607: ...of a certificate included in the CRL For general guidelines on setting the CRL reason code in CRL entries see reasonCode on page 775 For a list of reason codes see Reasons for Revoking a Certificate o...

Страница 608: ...ault critical Select if you want the server to mark the extension critical default deselect if you want the server to mark the extension noncritical Table 14 5 FreshestCRL Configuration Parameters Par...

Страница 609: ...olute pathname and must specify the host For example http testCA example com get your crls here Table 14 6 HoldInstruction Configuration Parameters Parameter Description enable Specifies whether the r...

Страница 610: ...enables binding of or associating alternative identities such as a mail address a DNS name an IP address and a uniform resource indicator URI with the issuer of the CRL For general guidelines on setti...

Страница 611: ...directoryName if the name is an X 500 directory name Select dNSName if the name is a DNS name Select ediPartyName if the name is a EDI party name Select URL if the name is a uniform resource identifi...

Страница 612: ...ing distribution point extension in CRLs see issuingDistributionPoint on page 773 If the type is URL the value must be a non relative universal resource identifier URI For example http testCA example...

Страница 613: ...he pointType parameter If the pointType attribute is set to DirectoryName the name must be an X 500 Name For example CN CRLCentral OU Research Dept O Example Corporation C US If the pointType attribut...

Страница 614: ...of revoked certificates default onlyContainsUserCerts Select if the distribution point contains user certificates only deselect if the distribution point contains all types of certificates default in...

Страница 615: ...an online validation authority using the appropriate protocol This chapter explains how to configure the Certificate Manager or Registration Manager to publish certificates and CRLs to a file to a dir...

Страница 616: ...pes of CRL files For example you can publish CA certificates to one location while publishing user certificates to a completely different location Similarly you can publish different types of certific...

Страница 617: ...in LDAP publishing Mappers allow you to construct the DN for an entry based on information from the certificate or the certificate request The server needs to figure out the DN of the entry in which t...

Страница 618: ...0 PST 2000 will be crl 949102696899 der About LDAP Publishing The ability of a server to publish certificates CRLs and other certificate related objects to a directory using the LDAP or LDAPS protocol...

Страница 619: ...s issued updated or revoked the publishing system is invoked and the certificate or CRL is evaluated by the rules to see if it matches the type and predicate set in the rule The type setting specifies...

Страница 620: ...replace any certificate or CRL that is already published to this attribute For rules that specify to publish to an Online Certificate Status Manager a CRL is published to this manager certificates are...

Страница 621: ...you want to publish all CRLs If you are publishing different types of CRLS to separate locations create a publisher for each location you will publish to specifying the location you will publish You...

Страница 622: ...ou can set up rules for each object type CA certificate CRL user certificate and cross pair certificate or you can even further divide the rules so that you have different rules for different kinds of...

Страница 623: ...configure Publishers for LDAP publishing Configuring Publishers for Publishing to a File You need to create and configure a Publisher for each publishing location publishers are not automatically cre...

Страница 624: ...Select Publisher Plug in Implementation window appears It lists registered publisher modules 5 Select the module named FileBasedPublisher This is the only Publisher module that enables the Certificat...

Страница 625: ...s certificates 8 Click OK You are returned to the Publishers Management tab It should now list the publisher you just created 9 Repeat this procedure creating all the publishers you will need Configur...

Страница 626: ...the Certificate Manager see Logging Into the CMS Console on page 245 2 Select the Configuration tab 3 In the navigation tree select Certificate Manager select Publishing and then select Publishers Th...

Страница 627: ...lphanumeric string with no spaces For example Ca1CrlToOcspResponder host Type the fully qualified DNS host name of the Online Certificate Status Manager For example ocspResponder example com port Type...

Страница 628: ...publish cross signed certificates to the LDAP directory The publishers are enabled and configured using the X 500 standard attributes for storing certificates and CRLs You do not need to modify the pr...

Страница 629: ...lation the Certificate Manager automatically creates an instance of the LdapCaCertPublisher module for publishing the CA certificate to the directory that is already enabled and configured Table 15 1...

Страница 630: ...he directory LdapCrlPublisher The LdapCrlPublisher plug in module enables you to configure a Certificate Manager to publish or unpublish the CRL to the certificateRevocationList binary attribute of a...

Страница 631: ...s not one already Similarly it also removes the certificationAuthority object class on unpublish if the CA has no other certificates During installation the Certificate Manager automatically creates...

Страница 632: ...e or some other input information This relationship can either be one in which the exact DN of the entry can be derived from the information using the mapper to derive this DN or one in which the info...

Страница 633: ...each of these macros specifying the DN pattern used and whether or not you want CMS to create the CA entry in the directory To use other mappers create an instance of the mapper you want to use and th...

Страница 634: ...n window appears It lists registered mapper modules b Select a module For complete information about these modules see Mapper Plug in Modules Reference on page 635 c Click Next The Mapper Editor windo...

Страница 635: ...n AVAs check the directory documentation The CA certificate mapper allows you to specify whether to create an entry for the CA or to just map the certificate to an existing entry or to do both Note th...

Страница 636: ...u select the Certificate Manager first attempts to create an entry for the CA in the directory If the Certificate Manager succeeds in creating the entry it then attempts to publish the CA s certificat...

Страница 637: ...automatically creates this mapper during installation You can use this mapper for creating an entry for the CA in the directory and for mapping the CRL to the CA s entry in the directory By default th...

Страница 638: ...certificate to an LDAP directory entry by deriving the entry s DN from components specified in the certificate request certificate s subject name certificate extension and attribute variable assertio...

Страница 639: ...re subject DN specified in the mapper configuration For example assume the certificate subject name is this UID jdoe O Example Corporation C US When searching the directory for the entry the Certifica...

Страница 640: ...ts and filter components match an error is returned If the filter components are null a base search is performed Note that both DNComps and filterComps parameters accept valid DN components or attribu...

Страница 641: ...ll of these components CN OU O L ST and C to build a DN for searching the directory When creating a mapper rule you can specify the components the server should use to build a DN that is components to...

Страница 642: ...ider another example that shows how two directory entries with similar DNs can be differentiated by the value of the UID attribute Assume that the two Jane Doe entries are distinguished by the value o...

Страница 643: ...specified by that DN for entries matching the filter specified by filterComps parameter values Permissible values Valid DN components or attributes separated by commas filterComps Specifies component...

Страница 644: ...e and then where it is to be published Determining if the object meets the rule is done by matching the type and predicate set up in the rule with the object itself Determining where matching objects...

Страница 645: ...ter 15 Publishing 645 4 To edit an existing rule select that rule from the list and click Edit The Rule Editor window appears 5 To create a rule a Click Add The Select Rule Plugin Implementation windo...

Страница 646: ...he only module If you have registered any custom modules they too will be available for selection c Click Next The Rule Editor window appears 6 Enter the appropriate information Rule ID Type a name fo...

Страница 647: ...lisher you created that will be associated with this rule For example if this rule publishes user certificates to a file chose the publisher that publishes to a file in the location set up for user ce...

Страница 648: ...CRL set isDeltaCRL false in order to publish only the master CRL For example issuingPointId MasterCRL isDeltaCRL false To publish only the delta CRL set isDeltaCRL true in order to publish only the de...

Страница 649: ...Rule Configuration Parameters Parameter Value Description type xcert Specifies the type of certificate that will be published Select from the pull down menu predicate Specifies a predicate for this p...

Страница 650: ...dapUserCertMap Specifies the mapper used with this rule See LdapSimpleMap on page 638 for details on this mapper publisher LdapUserCertPublisher specifies the publisher used with this rule See LdapUse...

Страница 651: ...To enable LDAP publishing select both Enable Publishing and Enable Default LDAP Connection options In the Destination section identify the Directory Server instance Host name Type the fully qualified...

Страница 652: ...ertificate for this purpose LDAP version Select the version of LDAP protocol appropriate to your version of Directory Server If the directory you want the Certificate Manager to publish to is based on...

Страница 653: ...You should see a file with name similar to cert serial_number der where serial_number specifies the serial number of the certificate contained in the file 5 Convert the DER encoded certificate to its...

Страница 654: ...m using the Pretty Print Certificate tool see Chapter 9 Pretty Print Certificate Tool of CMS Command Line Tools Guide To convert the base 64 encoded certificate to a human readable form a Check the co...

Страница 655: ...e value derived from the time dependent variable named This Update of the CRL contained in the file If you don t see the file check your configuration 10 Convert the DER encoded CRL to its base 64 enc...

Страница 656: ...s If the directory object that it finds does not allow the userCertificate binary attribute the addition or removal of that specific certificate fails If you have created user entries as inetOrgPerson...

Страница 657: ...CA s distinguished name begins with the OU component create a new organizational unit entry for the CA Note that the entry you create doesn t have to be in the certificationAuthority object class The...

Страница 658: ...g methods of communication Publishing With Basic Authentication Publishing Over SSL Without Client Authentication Publishing Over SSL With Client Authentication See the Netscape Directory Server docum...

Страница 659: ...ht be down for a while and be unable to receive changes from the Certificate Manager In such a situation use the forms provided in the Certificate Manager Agent Services interface to manually update t...

Страница 660: ...Manager is installed as a root CA when using the agent interface to update the directory with valid certificates the CA signing certificate may get published using the publishing rule set up for user...

Страница 661: ...d in the update When the directory is updated the Certificate Manager will display a status report If the process gets interrupted for some reason the server logs an error message Be sure to check log...

Страница 662: ...plug in click Register 7 Specify information as appropriate Plugin name Type a name for the plug in module Class name Type the full name of the class for this module that is the path to the implement...

Страница 663: ...tion about how to install and configure each of the subsystem clones CMS High Availability Overview Cloning the Certificate Manager Cloning the Online Certificate Status Manager Cloning the Data Recov...

Страница 664: ...ime as the other machine is brought back online The cloning feature in CMS also supports scalability by assigning the same task to separate instances on different machines e g handling certificate req...

Страница 665: ...an generate the CRLs See Cloned Master CA Conversion on page 681 for more information about configuring a clone for CRL generation during failover Load balancing The load balancer in front of a CMS sy...

Страница 666: ...create a clone you must make sure that the instance you are cloning has been properly installed and configured since some of that configuration data is copied over to the new instance In particular y...

Страница 667: ...ple as the Starting certificate number This will ensure that the master Certificate Manager has sufficient serial numbers for its own certificates such as the CA signing certificate SSL server certifi...

Страница 668: ...ue keys obtained by using the renewal process this scenario requires advanced manual configuration and therefore is not recommended Cloning the CA To setup cloning for a Certificate Manager CA subsyst...

Страница 669: ...the Certificate Manager Chapter 16 Configuring CMS for High Availability 669 3 The Installation Wizard asks you to copy the key and certificates from the master CA to the clone if you have not already...

Страница 670: ...cate Manager you need to make the keys and certificates used by the master Certificate Manager available to the Certificate Manager clone If the master Certificate Manager s keys and certificates are...

Страница 671: ...ertificate Manager s keys and certificates are stored in the hardware token you must also copy the keys and certificates following the instructions provided by the hardware token vendor 5 Open the Ser...

Страница 672: ...e Manager System Administrator s Guide June 2003 8 In the Local Consumer Database dialog specify what type of database you are creating a Either select Create a local consumer database to create a new...

Страница 673: ...xisting LDAP server as the internal database for the cloned Certificate Manager instance If you select the remote database make sure that you have already created an LDAP server containing a base suff...

Страница 674: ...ng the Certificate Manager 674 Netscape Certificate Manager System Administrator s Guide June 2003 9 Configure replication between the cloned CA database and the master CA database in the following di...

Страница 675: ...ion Manager role in the Master database the password for the Replication Manager role in the Consumer database and the agreement names between the master and clone s databases See Configuring the Cert...

Страница 676: ...Ending certificate number field specify the highest serial number available for this CA For both the fields you can enter the number in decimal or hexadecimal 0xnn CA s request number range On this s...

Страница 677: ...eld so that the clone can redirect Update CRL requests to the master CA see About CRLs on page 596 for more information about CRLs 12 Choose the cloned CA s signing certificate the OCSP s signing cert...

Страница 678: ...s in the pull down menus follow the instructions in Step 4 above to copy the key and certificate database material over correctly 13 Configure the master CA s CRL cache to accept changes from the new...

Страница 679: ...cloned CA or the master CA Additionally for the purpose of high availability it is strongly encouraged that CRL publishing is enabled in this cloned CA presuming that CRL publishing has been enabled i...

Страница 680: ...lly most CRLs contain a field that specifies the next update time for both full and delta CRLs By default for full CRLs this field indicates the generation time of the next full CRL However full CRLs...

Страница 681: ...itor database replication changes Master CAs maintain the CRL cache Master CAs generate the CRL Cloned CAs redirect CRL generation requests Converting a Master CA into a Cloned CA Since only one maste...

Страница 682: ...t ca crl IssuingPointId enableCRLCache false d To disable CRL generation modify all of the enableCRLUpdates lines if they exist by changing true to false adding each line in if it does not already exi...

Страница 683: ...lled serverRoot cert masterID config CMS cfg and copying each line beginning with the ca crl prefix into this selected cloned CA s serverRoot cert cloneID config CMS cfg file ca crl c To enable contro...

Страница 684: ...ice internal to the Certificate Manager which responds to status requests by going to the Certificate Manager s internal database and a separate Online Certificate Status Manager subsystem When you cr...

Страница 685: ...sure that the instance you are cloning has been properly installed and configured since some of that configuration data is copied over to the new instance In particular you must verify the following a...

Страница 686: ...r the cloned Online Certificate Status Manager since the SSL server certificate DN should contain the hostname of the load balancer as the common name CN attribute If the cloned Online Certificate Sta...

Страница 687: ...ster available to the Online Certificate Status Manager clone If the master Online Certificate Status Manager s keys and certificates are stored in the internal software token you need to copy the cer...

Страница 688: ...ready created an LDAP server containing a base suffix of o netscapeCertificateServer on the host whose host name and port number you specify in the fields in the lower portion of the Installation Wiza...

Страница 689: ...ectly Once the configuration for the clone is done the cloned Online Certificate Status Manager will be available in the Netscape Console Follow the instructions in the next section to verify that the...

Страница 690: ...an existing cloned OCSP Responder into a new master OCSP Responder e g a catastrophic failure of the existing master OCSP Responder one needs to first convert the master existing offline master OCSP R...

Страница 691: ...ed OCSP Responders must now be converted into the new online master OCSP Responder First ensure that the master master OCSP Responder is no longer running and has already been converted into an offlin...

Страница 692: ...he following aspects of the master Data Recovery Manager that you want to clone 1 Make sure that the master Data Recovery Manager is configured and working properly Also verify the following a Check t...

Страница 693: ...Data Recovery Manager If you are not using a load balancer and your master and cloned Data Recovery Managers exist on separate machines e g a proprietary configuration which expects usernames A M usi...

Страница 694: ...machine_name key3 db III On the host machine of the clone go to this directory server_root alias IV Copy the certificate and key database files from the master Data Recovery Manager to the clone If th...

Страница 695: ...eating a Either select Create a local consumer database to create a new clone database local to the cloned Data Recovery Manager b Or select Connect to the existing remote LDAP server to use the exist...

Страница 696: ...hives it creates in the Starting key number field In the Ending key number field specify the highest key number available for this DRM DRM s request number range On this screen specify the lowest requ...

Страница 697: ...nd configuration files over correctly 13 Once the configuration for the cloned DRM instance is done the cloned DRM instance will be available for data recovery Follow the instructions in the next sect...

Страница 698: ...and functional 1 Go to the DRM agent page 2 Click List Requests 3 Select Show all requests from the pull down menu for Request type Select Show all requests from the pull down menu from Request statu...

Страница 699: ...omponents Security Audit FAU FAU_GEN 1 Audit data generation iteration 1 FAU_GEN 2 User identity association iteration 1 FAU_SAR 1 Audit Review FAU_SAR 3 Selectable audit review FAU_SEL 1 Selective au...

Страница 700: ...y functions behavior iteration 1 FMT_MSA 1 Management of security attributes FMT_MSA 2 Secure security attributes FMT_MSA 3 Static attribute initialization FMT_MTD 1 Management of TSF data FMT_SMR 2 R...

Страница 701: ...itionally the audit shall not include plaintext private or secret keys or other critical security parameters Table A 2 Auditable Events and Audit Data Section Function Component Event Additional Detai...

Страница 702: ...e IT environment shall provide the ability to perform searches of audit data based on the type of event the user responsible for causing the event and as specified in Table A 3 below FAU_SEL 1 Selecti...

Страница 703: ...generation FCS_CKM 1 1 The FIPS 140 1 validated cryptographic module shall generate cryptographic keys in accordance with any FIPS approved or recommended cryptographic key generation algorithm that...

Страница 704: ...y deny access of subjects to objects based on the none FDP_ITT 1 Basic internal transfer protection iteration 1 FDP_ITT 1 1 The IT environment shall enforce the CIMC IT Environment Access Control Poli...

Страница 705: ...r security attributes FIA_UAU 1 Timing of authentication iteration 1 FIA_UAU 1 1 The IT environment shall allow HTTP and LDAP based services1 on behalf of the user to be performed before the user is a...

Страница 706: ...ment Access Control Policy specified in CIMC TOE Access Control Policy on page 709 to provide restrictive default values for security attributes that are used to enforce the SFP FMT_MSA 3 2 The IT env...

Страница 707: ...machine testing FPT_AMT 1 1 The IT environment shall run a suite of tests other conditions during initial start up periodically during normal operation or at the request of an authorized user to demo...

Страница 708: ...ce and tampering by untrusted subjects FPT_SEP 1 2 Each operating system in the IT environment shall enforce separation between the security domains of subjects in its scope of control FPT_STM 1 Relia...

Страница 709: ...he security objective O Integrity protection of user data and software and O Periodically check integrity Trusted path channels FTP FTP_TRP 1 Trusted path FTP_TRP 1 1 The IT environment shall provide...

Страница 710: ...ndividuals with different access authorizations Roles with different access authorizations Individuals assigned to one or more roles with different access authorizations Access type with explicit allo...

Страница 711: ...hapter contains the following sections PKI Overview Security Objectives TOE Security Environment Assumptions Security Requirements for the IT Environment IT Environment Assumptions CMS Privileged User...

Страница 712: ...ified Implement automated notification or other responses to the TSF discovered attacks in order to identify attacks and create an attack deterrent Require inspection for downloads Respond to possible...

Страница 713: ...vate and Secret Keys CMS certificate private keys and secret keys are to be generated and stored in a FIPS 140 1 level 3 certified hardware cryptographic token The CMS private asymmetric keys are Priv...

Страница 714: ...ystem and depend on which CMS subsystem has been installed All of the privileged roles see About Roles on page 717 for more information about privileges require SSL client authentication by presenting...

Страница 715: ...on authorization mechanism Conceptually this role is not an actual privileged role that a user can be assigned to Rather the Trusted Manager role is a means of establishing trust between two CMS subsy...

Страница 716: ...he subsystem from the command line Data Recovery Manager Agents Can approve recovery of subject private keys via SSL capable browsers to the DRM Agent interface Can export recovered subject private ke...

Страница 717: ...command line Online Certificate Status Manager Agents Can add CRLs to the OCSP Responder Agent interface via SSL capable browsers Can define supported CAs via SSL capable browsers to the OCSP Responde...

Страница 718: ...nt Setup and Installation Guide Understanding Setup of Common Criteria Evaluated Netscape CMS Appendix C Understanding the Common Criteria Evaluated CMS Setup provides a high level description of the...

Страница 719: ...CMS Common Criteria Environment Setup and Installation Guide Appendix B Common Criteria Environment Setup and Operations 719...

Страница 720: ...CMS Common Criteria Environment Setup and Installation Guide 720 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 721: ...contained in the document CMS Common Criteria Setup Procedure Understanding the Common Criteria Environment This section describes the environment before CMS is installed and configured Secure Enviro...

Страница 722: ...example the user Joe cannot be both the CA Administrator and Agent for the same CA subsystem See CMS Privileged Users and Groups Roles on page 714 for a description of the various CMS privileged role...

Страница 723: ...ser ID account preventing users from logging in with this user ID Understanding CMS Installation You must install CMS on each host on which a CMS subsystem is installed You can set up the environment...

Страница 724: ...ee The Administrative Interface on page 242 For instructions on how to set up SSL client authorization for the CMS console see Appendix I Introduction to SSL Backup and Restore of a CMS Subsystem CMS...

Страница 725: ...Recovery Manager to a Registration Manager is one possible CMS deployment scenario it is not currently part of the Common Criteria Evaluation You can install and configure an OCSP responder to any CA...

Страница 726: ...main guidance documents where detailed information is provided for each feature but you will need to follow the CMS Common Criteria Setup Procedure in order to set up a Netscape CMS Common Criteria e...

Страница 727: ...the Access Control feature are not part of the Common Criteria Environment Audit Logs The Common Criteria Environment requires that the signed audit log file feature be enabled and configured Signed...

Страница 728: ...up the CRL feature you cannot set up a CRL that does not have an update frequency specified in the Update at this frequency field Compliant CRLs must contain the nextUpdateTime extension which will no...

Страница 729: ...g it is highly recommended that you set it up using SSL client authentication and that you set up the Directory Server in SSL mode as well For information about publishing see Chapter 15 Publishing Se...

Страница 730: ...also provides features to recover the user private keys that it has archived Key recovery requires Data Recovery Manager Agents to work in cooperation You will be instructed to configure the key reco...

Страница 731: ...es including security objectives for the TOE security objectives for the environment and security objectives for both the TOE and environment 1 1 Security Objectives for the TOE This section includes...

Страница 732: ...on Provide sufficient backup storage and effective restoration to ensure that the system can be recreated 1 1 3 Cryptography O Non repudiation Prevent user from avoiding accountability for sending a m...

Страница 733: ...s histories variations etc through enforced authentication data management Note this objective is not applicable to biometric authentication data O Communications Protection Protect the system against...

Страница 734: ...cal Protection Those responsible for the TOE must ensure that the security relevant components of the TOE are protected from physical attack that might compromise IT security O Social Engineering Trai...

Страница 735: ...y in accordance with security requirements recommended by the National Institute of Standards and Technology O Periodically check integrity Provide periodic integrity checks on both system and softwar...

Страница 736: ...ckup data O Individual accountability and audit records Provide individual accountability for audited events Record in audit records date and time of action and the entity responsible for the action O...

Страница 737: ...n the system O Require inspection for downloads Require inspection of downloads transfers O Respond to possible loss of stored audit records Respond to possible loss of audit records when audit trail...

Страница 738: ...ment 738 Netscape Certificate Management System Administrator s Guide June 2003 O React to detected attacks Implement automated notification or other responses to the TSF discovered attacks in an effo...

Страница 739: ...n Security Policies 1 1 Secure Usage Assumptions The usage assumptions are organized in three categories personnel assumptions about administrators and users of the system as well as any threat agents...

Страница 740: ...CPS under which the TOE is operated A Disposal of Authentication Data Proper disposal of authentication data and associated privileges is performed after access has been removed e g job termination c...

Страница 741: ...y this CIMC to counter the perceived threats for the appropriate Security Level identified in this family of PPs This assumption has been copied directly from the CIMC PP In the context of this ST app...

Страница 742: ...re of one or more system components results in the loss of system critical functionality T Malicious code exploitation An authorized user IT system or hacker downloads and executes malicious code whic...

Страница 743: ...undetected access to a system due to missing weak and or incorrectly implemented access control causing potential violations of integrity confidentiality or availability T Hacker physical access A ha...

Страница 744: ...1 3 Organization Security Policies 744 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 745: ...Importing Certificate Chains Importing Certificates into Netscape Communicator on page 747 Importing Certificates into Netscape Servers on page 748 Object Identifiers on page 748 Data Formats Netscape...

Страница 746: ...It consists of a PKCS 7 ContentInfo structure wrapping a sequence of certificates The value of the contentType field should be netscape cert sequence see Object Identifiers on page 748 while the conte...

Страница 747: ...n as long as there is a trusted CA somewhere along the chain Importing Certificates into Netscape Communicator Communicator imports certificates via HTTP There are several MIME content types that are...

Страница 748: ...the server administration interface Certificates are pasted into a text input field in an HTML form and then the form is submitted to the administration server Since the certificates are pasted into t...

Страница 749: ...Object Identifiers Appendix F Certificate Download Specification 749 netscape data type OBJECT IDENTIFIER netscape 2 netscape cert sequence OBJECT IDENTIFIER netscape data type 5...

Страница 750: ...Object Identifiers 750 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 751: ...Extensions Netscape Defined Certificate Extensions CA Certificates and Extension Interactions Introduction to Certificate Extensions An X 509 v3 certificate contains an extensions field that permits a...

Страница 752: ...ys possible to check a certificate s revocation status against a directory or with the original certificate authority it is useful for certificates to include information about where to check CRLs Eve...

Страница 753: ...ned with the international telecommunications network The Internet Engineering Task Force IETF which controls many of the standards that underlie the Internet is currently developing public key infras...

Страница 754: ...application must reject the certificate If the extension is not critical and the certificate is sent to an application that does not understand the extension based on the extension s ID the applicati...

Страница 755: ...9 1 1 5 Issuer CN Certificate Manager OU netscape O aol L MV ST CA C US Validity Not Before Friday February 21 2003 12 00 00 AM PST America Los_Angeles Not After Monday February 21 2005 12 00 00 AM PS...

Страница 756: ...ical no Key Identifier 3B 46 83 85 27 BC F5 9D 8E 63 E3 BE 79 EF AF 79 9C 37 85 84 Identifier Key Usage 2 5 29 15 Critical yes Key Usage Digital Signature Key CertSign Crl Sign Signature Algorithm SHA...

Страница 757: ...For other clients see their web sites for information Each extension in a certificate can be designated as critical or noncritical A certificate using system such as browser software must reject the...

Страница 758: ...on The Authority Key Identifier extension identifies the public key corresponding to the private key used to sign a certificate This extension is useful when an issuer has multiple signing keys for ex...

Страница 759: ...ed during the certificate chain verification process to identify CA certificates and to apply certificate chain path length constraints The cA component should be set to true for all CA certificates P...

Страница 760: ...page 514 CRLDistributionPoints OID 2 5 29 31 Criticality PKIX recommends that this extension be marked noncritical and that it be supported for all certificates Discussion This extension defines how C...

Страница 761: ...an OCSP responder s certificate unless the CA signing key that signed the certificates validated by the responder is also the OCSP signing key The OCSP responder s certificate must be issued directly...

Страница 762: ...he Issuer Alternative Name extension is used to associate Internet style identities with the certificate issuer Names must use the forms defined for subjectAltName CMS Version Support Supported since...

Страница 763: ...carefully consider the legal consequences of its use before setting it for any certificate keyEncipherment 2 for SSL server certificates and S MIME encryption certificates dataEncipherment 3 when the...

Страница 764: ...tes for users who have separate certificates and key pairs for these operations CMS Version Support Supported since CMS 4 1 Refer to KeyUsageExt on page 533 nameConstraints OID 2 5 29 30 Criticality P...

Страница 765: ...fully If the OCSP signing key is compromised the entire process of validating certificates in the PKI will be compromised for the duration of the validity period of the certificate Therefore certifica...

Страница 766: ...cify a different validity period for the private key than for the certificate itself This extension is intended for use with digital signature keys PKIX Part 1 recommends against the use of this exten...

Страница 767: ...by PKCS 9 Software that supports S MIME must be able to read an email address from either the Subject Alternative Name extension or from the subject name field CMS Version Support Supported since CMS...

Страница 768: ...ension of the certificate being verified should match the key identifier of the CA s Subject Key Identifier extension It is not necessary for the verifier to recompute the key identifier in this case...

Страница 769: ...encoded structure appears as the value of the octet string extnValue see the examples in Sample Certificate Extensions on page 755 A flag or boolean field called critical The true or false value assi...

Страница 770: ...example a CRL may contain only one authority key identifier extension However CRL entry extensions appear in appropriate entries in the CRL Certificate Revocation List Data Version v2 Extensions Ident...

Страница 771: ...associating additional attributes with Internet CRLs These are of two kinds extensions to the CRL itself and extensions to individual certificate entries in the CRL Extensions for CRLs CRL Entry Exte...

Страница 772: ...ach CRL issued by a CA It allows users to easily determine when a particular CRL supersedes another CRL PKIX requires that all CRLs have this extension CMS Version Support Supported since CMS 4 2 Refe...

Страница 773: ...issuerAltName OID 2 5 29 18 Discussion The Issuer Alternative Name extension allows additional identities to be associated with the issuer of the CRL For details see the discussion under certificate e...

Страница 774: ...r OID 2 5 29 29 Discussion The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL This extension is used only with indirect CRLs which are not s...

Страница 775: ...ndard All Netscape extensions should be tagged as noncritical so that their presence in a certificate does not make that certificate incompatible with other clients The specifications for all Netscape...

Страница 776: ...te bit 6 S MIME CA certificate bit 7 Object signing CA certificate CMS Version Support Supported since CMS 4 1 Refer to NSCertTypeExt on page 547 netscape comment OID 2 16 840 1 113730 13 Discussion T...

Страница 777: ...or both as described above If CAs issue multiple certificates for the same identity for example for separate signing and encryption keys they must include the keyUsage extension in the subject certifi...

Страница 778: ...for their CA they must add the authorityKeyIdentifier extension to all subject certificates If the key ID is anything other than the SHA 1 hash of the CA certificates subjectPublicKeyInfo field then...

Страница 779: ...extension or a company s certificate practice statement OIDs are controlled by the International Standards Organization ISO registration authority In some cases this authority is delegated by ISO to...

Страница 780: ...arc http www isi edu cgi bin iana enterprise pl To understand why you need to have a company arc check the information at this site http www alvestrand no objectid 2 16 840 1 113730 1 13 html The sit...

Страница 781: ...or the most part the information presented in this appendix is specific to Netscape Directory Server an LDAP compliant directory What Is a Distinguished Name Distinguished names DNs are string represe...

Страница 782: ...rfc rfc2253 txt Note that if used in conjunction with an LDAP compliant directory Certificate Management System by default recognizes components that are listed in Table I 2 Table I 1 Definitions of...

Страница 783: ...he search base For example if you specify a base DN of OU people O example com for a client the LDAP search operation initiated by the client examines only the OU people subtree in the O example com d...

Страница 784: ...bsence of a base DN value Certificate Management System uses DN components in the certificate s subject name to construct the base DN so that it can search the directory in order to publish to or upda...

Страница 785: ...E IA5String 1 2 840 113549 1 9 1 DC IA5String 0 9 2342 19200300 100 1 2 25 SERIALNUMBER for CEP support Printable String 2 5 4 5 UNSTRUCTUREDNAME for CEP support IA5String 1 2 840 113549 1 9 2 UNSTRU...

Страница 786: ...3 UTF 8 String Representation of Distinguished Names see http www ietf org rfc rfc2253 txt Certificate Management System conforms to all of this standard including support of using hex numbers to esca...

Страница 787: ...order from smaller character sets to broadest character set Printable IA5String BMPString Universal String For example X500Name MY_ATTR oid 1 2 3 4 5 6 X500Name MY_ATTR class netscape security x509 Di...

Страница 788: ...you can verify whether they appear in certificate subject names For example you can enter the following values for the new attributes and look for them in the subject name MYATTR1 a_value MYATTR2 a V...

Страница 789: ...gn TOP input type TEXT name DC size 30 onchange formulateDN this form this form subject td tr 4 Save your changes and close the file 5 Go to this directory server_root cert instance_id web apps ee 6 O...

Страница 790: ...al enrollment form in the browser and verify your changes 10 To verify that the Enroll for a certificate using the new attribute value Changing the DER Encoding Order You can also change the DER encod...

Страница 791: ...rm Use John_Doe for CN 7 Go to the agent interface and approve your request 8 When you receive the certificate use the dumpasn1 tool to examine the encoding of the certificate For details about the du...

Страница 792: ...e CN corpDirectory example com OU Human Resources O Example Corporation C US When clients such as Netscape Navigator receive a server certificate they expect the CN component of the certificate s subj...

Страница 793: ...s the certificate subject name The dnpattern configuration variable supports escaped commas and multiple attribute variable assertions AVAs in a RDN Below is the syntax for the DN pattern followed by...

Страница 794: ...his example O the first o value in the user s entry DN C the string US Example 3 If the configured DN pattern is CN attr cn rdn 2 O dn o C US LDAP entry dn UID jdoe OU IS OU people O example com LDAP...

Страница 795: ...ue in the user s entry OU the second ou value in the user s entry DN followed by the first ou value in the user s entry note the multiple AVAs in a RDN in this example O the first o value in the user...

Страница 796: ...DNs in Certificate Management System 796 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 797: ...tion Digital Signatures Certificates and Authentication Managing Certificates For more information on these topics and other aspects of cryptography see Security Resources at the following URL http de...

Страница 798: ...mpersonation is known as spoofing Misrepresentation A person or organization can misrepresent itself For example suppose the site www netscape com pretends to be a furniture store when it is really ju...

Страница 799: ...it is intelligible again A cryptographic algorithm also called a cipher is a mathematical function used for encryption or decryption In most cases two related functions are employed one for encryptio...

Страница 800: ...er symmetric key Thus as long as the symmetric key is kept secret by the two parties using it to encrypt communications each party can be sure that it is communicating with the other as long as the de...

Страница 801: ...ly distribute a public key and only you will be able to read data encrypted using this key In general to send encrypted data to someone you encrypt the data with that person s public key and the perso...

Страница 802: ...r ciphers used with SSL see Appendix K Introduction to SSL Different ciphers may require different key lengths to achieve the same level of encryption strength The RSA cipher used for public key encry...

Страница 803: ...ics The value of the hash is unique for the hashed data Any change in the data even deleting or altering a single character results in a different value The content of the hashed data cannot for all p...

Страница 804: ...o the public key presented by the signer If the two hashes match the recipient can be certain that the public key used to decrypt the digital signature corresponds to the private key used to create th...

Страница 805: ...their own certificate issuing server software such as Netscape Certificate Management System The methods used to validate an identity vary depending on the policies of a given CA just as the methods...

Страница 806: ...rson identified by that certificate did indeed send that message Similarly a digital signature on an HTML form combined with a certificate that identifies the signer can provide evidence after the fac...

Страница 807: ...onse to an authentication request from the server the client displays a dialog box requesting the user s name and password for that server The user must supply a name and password separately for each...

Страница 808: ...sociated with some data can be thought of as evidence provided by the client to the server The server authenticates the user s identity on the strength of this evidence Like Figure J 4 Figure J 5 assu...

Страница 809: ...on the basis of input from both the client and the server This data and the digital signature constitute evidence of the private key s validity The digital signature can be created only with that pri...

Страница 810: ...mechanisms based on the authenticated user identity are not affected How Certificates Are Used Types of Certificates SSL Protocol Signed and Encrypted Email Form Signing Single Sign On Object Signing...

Страница 811: ...company deploys combined S MIME and SSL certificates solely for the purpose of authenticating employee identities thus permitting signed email and client SSL authentication but not encrypted email Ano...

Страница 812: ...ificate to the server to authenticate the client s identity before the encrypted SSL session can be established For an overview of client authentication over SSL and how it differs from password based...

Страница 813: ...the need for persistent authentication of financial transactions Form signing allows a user to associate a digital signature with web based data generated as the result of a transaction such as a purc...

Страница 814: ...sswords over the network This approach simplifies access for users because they don t need to enter passwords for each new server It also simplifies network management since administrators can control...

Страница 815: ...pported by Netscape and many other software companies are organized according to the X 509 v3 certificate specification which has been recommended by the International Telecommunications Union ITU an...

Страница 816: ...the user s public key including the algorithm used and a representation of the key itself The DN of the CA that issued the certificate The period during which the certificate is valid for example bet...

Страница 817: ...8 ce 7f 47 50 2c 93 36 7c 01 6e cb 89 06 41 72 b5 e9 73 49 38 76 ef b6 8f ac 49 bb 63 0f 9b ff 16 2a e3 0e 9d 3b af ce 9a 3e 48 65 de 96 61 d5 0a 11 2a a2 80 b0 7d d8 99 cb 0c 99 34 c9 ab 25 06 a8 31...

Страница 818: ...e CAs for which it has a certificate It s also possible for a trusted CA certificate to be part of a chain of CA certificates each issued by the CA above it in a certificate hierarchy The sections tha...

Страница 819: ...onsibilities to subordinate CAs The X 509 standard includes a model for setting up a hierarchy of CAs like that shown in Figure J 6 Figure J 6 Example of a Hierarchy of Certificate Authorities In this...

Страница 820: ...entity through two subordinate CA certificates to the CA certificate for the root CA based on the CA hierarchy shown in Figure J 6 Figure J 7 Example of a Certificate Chain A certificate chain traces...

Страница 821: ...scape software uses the following procedure for forming and verifying a certificate chain starting with the certificate being presented for authentication 1 The certificate validity period is checked...

Страница 822: ...Root CA Figure J 8 shows what happens when only Root CA is included in the verifier s local database If a certificate for one of the intermediate CAs shown in Figure J 8 such as Engineering CA is fou...

Страница 823: ...ows how verification fails if neither the Root CA certificate nor any of the intermediate CA certificates are included in the verifier s local database Figure J 10 A Certificate Chain That Can t Be Ve...

Страница 824: ...f your identity such as a utility bill with your address on it and a student identity card If you want to get a regular driving license you also need to take a test a driving test when you first get t...

Страница 825: ...nd renewing and revoking certificates can be partially or fully automated with the aid of the directory Information stored in the directory can also be used with certificates to control access to vari...

Страница 826: ...icate for authentication before or after its validity period will fail Therefore mechanisms for managing certificate renewal are essential for any certificate management strategy For example an admini...

Страница 827: ...ntities of end entities before responding to the requests In addition some requests need to be approved by authorized administrators or managers before being services As previously discussed the means...

Страница 828: ...Managing Certificates 828 Netscape Certificate Manager System Administrator s Guide June 2003...

Страница 829: ...support the protocol in future versions This document is primarily intended for administrators of Netscape server products but the information it contains may also be useful for developers of applicat...

Страница 830: ...be important if the user for example is sending a credit card number over the network and wants to check the receiving server s identity SSL client authentication allows a server to confirm a user s i...

Страница 831: ...use in operations such as authenticating the server and client to each other transmitting certificates and establishing session keys Clients and servers may support different cipher suites or sets of...

Страница 832: ...gotiate the use of the strongest ciphers available And when an domestic client or server is dealing with an international server or client it will negotiate the use of those ciphers that are permitted...

Страница 833: ...phers have 128 bit encryption they are the second strongest next to Triple DES Data Encryption Standard with 168 bit encryption RC4 and RC2 128 bit encryption permits approximately 3 4 1038 possible k...

Страница 834: ...the supported ciphers Both SSL 2 0 and SSL 3 0 support this cipher Netscape Console supports only the SSL 3 0 version of this cipher suite RC2 With 40 Bit Encryption and MD5 Message Authentication RC...

Страница 835: ...te is supported by SSL 3 0 but not by SSL 2 0 RC4 With SKIPJACK 80 Bit Encryption and SHA 1 Message Authentication The SKIPJACK cipher is a classified symmetric key cryptographic algorithm implemented...

Страница 836: ...client using SSL 2 The server sends the client the server s SSL version number cipher settings randomly generated data and other information the client needs to communicate with the server over SSL Th...

Страница 837: ...the client informing it that future messages from the server will be encrypted with the session key It then sends a separate encrypted message indicating that the server portion of the handshake is f...

Страница 838: ...equires server authentication or cryptographic validation by a client of the server s identity As explained in Step 2 of The SSL Handshake which begins on page 836 the server sends the client a certif...

Страница 839: ...a on the right side of Figure K 3 This list determines which server certificates the client will accept If the distinguished name DN of the issuing CA matches the DN of a CA on the client s list of tr...

Страница 840: ...any reason the server identified by the certificate cannot be authenticated and the user will be warned of the problem and informed that an encrypted and authenticated connection cannot be establishe...

Страница 841: ...erver of the client s identity When a server configured this way requests client authentication see Step 6 of The SSL Handshake which begins on page 836 the client sends the server both a certificate...

Страница 842: ...ey used to create the signature and that the data has not been tampered with since it was signed At this point however the binding between the public key and the DN specified in the certificate has no...

Страница 843: ...icate the user s identity If the CA s digital signature can be validated the server treats the user s certificate as a valid letter of introduction from that CA and proceeds At this point the SSL prot...

Страница 844: ...The SSL Handshake 844 Netscape Certificate Manager System Administrator s Guide June 2003...

Страница 845: ...les to be evaluated when a server receives a request for access to a particular resource See access control instructions ACI administrator The person who installs and configures one or more CMS manage...

Страница 846: ...cation module A set of rules implemented as a Java class for authenticating an end entity agent administrator or any other entity that needs to interact with a CMS manager In the case of typical end u...

Страница 847: ...ntities enrolled in the PKI certificate authority CA A trusted entity that issues a certificate after verifying the identity of the person or entity the certificate is intended to identify A CA also r...

Страница 848: ...defined certificate fingerprint A one way hash associated with a certificate The number is not part of the certificate itself but is produced by applying a hash function to the contents of the certif...

Страница 849: ...ity by allowing you to set up policies for a particular type of enrollment along with an authentication method in a certificate profile Certificate Request Message Format CRMF Format used for messages...

Страница 850: ...dministrator to control configuration settings for the corresponding CMS instance Common Criteria Environment The configuration settings used for the Common Criteria certification of CMS configuration...

Страница 851: ...and one for digital signatures Data Recovery Manager agent A user who belongs to a group authorized to manage agent services for a Data Recovery Manager including managing the request queue and autho...

Страница 852: ...s public key and comparison with another hash of the same data provides tamper detection Verification of the certificate chain for the certificate containing the public key provides authentication of...

Страница 853: ...s to each other and storing the two cross pair certificates as a certificate pair fingerprint See certificate fingerprint FIPS PUBS 140 1 Federal Information Standards Publications FIPS PUBS 140 1 is...

Страница 854: ...tions and applets using the Java programming language Java Native Interface JNI A standard programming interface that provides binary compatibility across different implementations of the Java Virtual...

Страница 855: ...eue after successful authentication module processing An agent with appropriate privileges must then approve each request individually before policy processing and certificate issuance can proceed MD5...

Страница 856: ...vate key is used to sign objects using the technology known as object signing OCSP Online Certificate Status Protocol one way hash A number of fixed length generated from data of arbitrary length with...

Страница 857: ...c key cryptography The private key is kept secret and is used to decrypt data encrypted with the corresponding public key proof of Archival POA Data signed with the private Data Recovery Manager trans...

Страница 858: ...the certificates to the end entities and typically publishes them to the appropriate directory Registration Manager agent A user who belongs to a group authorized to manage agent services for a Regist...

Страница 859: ...udit log See audit log signing certificate A certificate whose public key corresponds to a private key used to create digital signatures For example Certificate Manager must have a signing certificate...

Страница 860: ...n identify itself as a site called www netscape com when it is not Spoofing is one form of impersonation See also misrepresentation impersonation SSL See Secure Sockets Layer SSL subject The entity id...

Страница 861: ...thority CA that issued the certificate If you trust a CA you can generally trust valid certificates issued by that CA virtual private network VPN A way of connecting geographically distant divisions o...

Страница 862: ...862 Netscape Certificate Management System Administrator s Guide June 2003...

Страница 863: ...ting 343 modifying group membership 343 port used for operations 284 See also ports tools provided CMS console 245 Netscape Console 243 Agent Services interface URL for 284 AgentDirEnrollment instance...

Страница 864: ...ificate 88 90 changing trust settings of 294 deleting 293 getting a new one 297 312 nickname 88 renewing 297 viewing details of 293 CEP 67 CEP enrollment 412 setting up multiple services 416 certifica...

Страница 865: ...wireless applications 95 100 how to revoke 598 installing 745 749 issuing of 824 and LDAP Directory 825 management formats and protocols 68 object signing 811 publishing to files 618 publishing to LD...

Страница 866: ...istributionPoint 612 CRL publisher 630 631 CRL signing certificate 597 nickname 321 cRLDistributionPoints 760 CRLNumber 772 CRLs Certificate Manager support for 36 defined 597 extensions for 771 exten...

Страница 867: ...ntions followed 27 downloading certificates 745 749 DSA 91 136 173 215 E email resolver 567 email signed and encrypted 812 encrypted file system EFS 452 523 encryption defined 799 public key 801 symme...

Страница 868: ...gning defined 813 G getting new certificates for subsystems 312 groups changing members 343 H hardware accelerators 318 hardware tokens See external tokens HashAuth authentication plug in 406 high ava...

Страница 869: ...203 when specified the first time 203 responsibilities 203 role defined 203 KEYGEN tag 68 keys defined 799 management and recovery 825 keyUsage 762 L LDAP 68 LDAP publishing defined 618 manual updates...

Страница 870: ...g certificate 321 for OCSP signing certificate 89 for signing certificate 134 171 for SSL server certificate 89 134 171 214 for transport certificate 213 for wTLS signing certificate 89 NIS server bas...

Страница 871: ...se it for 480 policy modules deleting 563 registering new ones 562 policy rules adding new 490 defined 481 deleting 490 how policy processor applies them 482 naming convention 491 predicates in 483 re...

Страница 872: ...s getting new ones 312 remote admin server certificate 213 signing certificate 134 SSL server certificate 134 specifying IP address for 287 Remote admin server certificate 213 Remove Basic Constraints...

Страница 873: ...rage key pair 214 secret sharing 203 subjectAltName 766 subjectDirectoryAttributes 767 subjectKeyIdentifier 767 subordinate CA 33 support for DN characters in CMS 784 T Tasks tab 245 tasks you can acc...

Страница 874: ...etting certificates for 412 W when the server was installed 247 why should you revoke certificates 597 wireless CA certificate 95 100 wireless certificates 95 100 wizard See Certificate Setup Wizard w...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды