manualshive.com logo in svg

Netscape NETSCAPE MANAGEMENT SYSTEM 4.5, Инструкция по установке и настройке

Управление системой Netscape 4.5 - это инновационное программное обеспечение, которое облегчает управление вашей сетью. С помощью нашего руководства по установке и настройке, вы сможете быстро и легко скачать и установить программу бесплатно. Загрузите его с manualshive.com и начните управлять вашей сетью сегодня.

Поделиться
Скачать
background image

16

Netscape Certificate Management System Installation and Setup Guide • October 2001

Publishing of CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610

What’s a CRL? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Reasons for Revoking a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Revocation Checking by Netscape Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Revocation Checking by Netscape Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Publishing of CRLs to an LDAP Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
CRL Issuing Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615

Configuring a Certificate Manager to Publish Certificates and CRLs . . . . . . . . . . . . . . . . . . . . . . . . . 615

Step 1. Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
Step 2. Set Up the Directory for Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618

Step A. Verify the Directory Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Step B. Add an Entry for the CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Step C. Identify an Entry That Has Write Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Step D. Verify Entries for End Entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Step E. Specify the Directory Authentication Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Step F. Modify the Certificate Mapping File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Step G. Restart Directory Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636

Step 3. Configure the Certificate Manager to Publish Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . 636

Step A. Modify the Default Mappers, Publishers, and Publishing Rules . . . . . . . . . . . . . . . . . 636
Step B. Add Mappers, Publishers, and Publishing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642

Step 4. Configure the Certificate Manager to Publish CRLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648

Step A. Specify CRL Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Step B. Set the CRL Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Step C. Create a Mapper for the CRL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
Step D. Create a Publisher for the CRL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
Step E. Create a Publishing Rule for the CRL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655

Step 5. Identify the Publishing Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
Step 6. Test Certificate and CRL Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658

Step A. Decide a Directory Entry for Requesting a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . 659
Step B. Request a Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
Step C. Approve the Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
Step D. Download the Certificate to the Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Step E. Check if the Directory Has the Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
Step F. Revoke the Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Step G. Check the Directory for the CRL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662

Manually Updating Certificates and CRLs in a Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662

Manually Updating Certificates in the Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Manually Updating the CRL in the Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664

Chapter

20 Publishing Certificates and CRLs to a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667

Configuring Certificate Manager to Publish to Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667

Step 1. Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Step 2. Configure the Certificate Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669

Содержание NETSCAPE MANAGEMENT SYSTEM 4.5

Страница 1: ...Installation and Setup Guide Netscape Certificate Management System Version4 5 October 2001...

Страница 2: ...ING FROM ANY ERROR IN THIS DOCUMENTATION INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS PROFITS USE OR DATA Software applications 2001 Sun Microsystems Inc Some software code 1999 2...

Страница 3: ...ew of Key Features 34 Flexible end entity registration services framework 38 System Overview 41 Public Key Infrastructure 43 CMS Subsystems or Managers 44 Certificate Manager 45 Registration Manager 4...

Страница 4: ...nt Formats and Protocols 77 Security and Directory Protocols 78 Chapter 2 Certificate Enrollment and Life Cycle Management 81 Steps in End Entity Enrollment 81 Some Enrollment Scenarios 84 Firewall Co...

Страница 5: ...145 Step 1 Enable Directory Based Authentication 146 Step 2 Add a User to the Directory 147 Step 3 Enroll with Directory Based Authentication 149 Publish Certificates to an LDAP Directory 150 Configur...

Страница 6: ...icate Status Manager Certificates 182 Authentication Decisions 183 Policy Decisions 183 Deployment Strategy and Port Assignments 184 Chapter 5 Installation Worksheet 187 Information for UNIX Installat...

Страница 7: ...r Transport Certificate 204 Extensions for Transport Certificate 205 Transport Certificate Request 206 Storage Key and Recovery Agent Configuration 206 Storage Key Creation 206 Data Recovery Scheme 1...

Страница 8: ...278 Stage 4 Further Configuration Options 281 Stage 5 Creating Additional Instances or CA Clones 282 Chapter 7 Installing and Uninstalling CMS Instances 283 Installing Multiple CMS Instances 284 Clon...

Страница 9: ...Console 317 Starting From the Command Line 318 Starting From the Windows NT Services Panel 319 Stopping Certificate Management System 320 Stopping From Netscape Console 320 Stopping From the Command L...

Страница 10: ...heck the Port Numbers 366 Step 3 Verify Key Pair and Certificates 366 Step 4 Set up Privileged Users 367 Step 5 Customize End Entity and Agent Forms 367 Step 6 Setup Authentication for End Users 367 S...

Страница 11: ...03 Step 1 Find the Required Information 403 Step 2 Add the Information to the Internal Database 403 Setting Up Agents 406 Setting up Agents Using the Automated Process 406 Setting up Agents Using the...

Страница 12: ...454 Changing a Token s Password 455 Hardware Cryptographic Accelerators 455 Certificate Setup Wizard 456 Using the Wizard to Request a Certificate 457 Step 1 Select the Operation 457 Step 2 Choose th...

Страница 13: ...ager s Renewed CA Signing Certificate 498 Deploying Registration Manager s Renewed Signing Certificate 498 Deploying Data Recovery Manager s Renewed Transport Certificate 499 Deploying a Subsystem s R...

Страница 14: ...542 Step 8 Test Your Authentication Setup 542 Step 9 Deliver PINs to End Users 544 Managing Authentication Instances 544 Deleting an Authentication Instance 544 Modifying an Authentication Instance 5...

Страница 15: ...upport for Predicates 582 Attributes for Predicates 584 Policy Processor 588 Configuring Policy Rules for a Subsystem 589 Step 1 Before You Begin 590 Step 2 Modify Existing Policy Rules 590 Step 3 Del...

Страница 16: ...and Publishing Rules 636 Step B Add Mappers Publishers and Publishing Rules 642 Step 4 Configure the Certificate Manager to Publish CRLs 648 Step A Specify CRL Details 649 Step B Set the CRL Extensio...

Страница 17: ...692 How Online Certificate Status Manager Works 693 How to Get OCSP Compliant Clients 694 Setting Up a Certificate Manager with OCSP Service 695 Step 1 Before You Begin 695 Step 2 Install OCSP Complia...

Страница 18: ...Step C Approve the Request 730 Step D Download the Certificate to the Browser 731 Step E Make Sure the CA is Trusted by the Browser 731 Step F Verify the Certificate in the Browser 732 Step G Check t...

Страница 19: ...up 760 Step B Verify the Key 762 Step C Delete the Certificate 762 Step D Test Your Key Recovery Setup 762 Step D Restore the Key in the Browser s Database 763 Chapter 23 Managing CMS Logs 765 Introdu...

Страница 20: ...te Request 801 Step 2 Submit the Server Certificate Request 802 Step 3 Install Your Server s SSL Certificate 803 Step 4 Accept a CA as Trusted in Your Server 803 Step 5 Verify Your Server s SSL and CA...

Страница 21: ...Specification 829 Data Formats 829 Binary Formats 829 Text Formats 830 Importing Certificate Chains 831 Importing Certificates into Netscape Communicator 831 Importing Certificates into Netscape Serv...

Страница 22: ...22 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 23: ...s in This Guide This guide covers topics that are listed below You should use this guide in conjunction with the other CMS documentation such as the ones that explain all the plug ins and command lin...

Страница 24: ...ling CMS Instances Describes how to create multiple instances delete unwanted instances clone instances upgrade from a previous CMS version and so on Chapter 8 Starting and Stopping CMS Instances Desc...

Страница 25: ...ificate content such as key size signing algorithm validity period extensions and so on Chapter 19 Setting Up LDAP Publishing Provides an overview of LDAP publishing and describes how to configure a C...

Страница 26: ...tes This guide assumes that you Are familiar with the basic concepts of public key cryptography and the Secure Sockets Layer SSL protocol SSL cipher suites The purpose of and major steps in the SSL ha...

Страница 27: ...rmissions the superadministrator has set up for you Text within quotation marks Indicates cross references to other topics within this guide Example For more information see Issuing a Certificate to a...

Страница 28: ...Sidebar text marks important information Make sure you read the information before continuing with a task Examples Where to Go for Related Information This section summarizes the documentation that s...

Страница 29: ...ide open this file server_root manual en cert plugin_guide contents htm To view the PDF version of this guide open this file server_root manual en cert pdf cms45plugin pdf CMS Command Line Tools Guide...

Страница 30: ...etailed reference information on CMS end entity interfaces To access this information from the end entity pages click any help button To view the HTML version of this guide open this file server_root...

Страница 31: ...31 Part 1 Overview and Demo Installation Chapter 1 Introduction to Certificate Management System Chapter 2 Certificate Enrollment and Life Cycle Management Chapter 3 Default Demo Installation...

Страница 32: ...32 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 33: ...looking for a security solution for your enterprise or setting up an independent certificate authority CA service Certificate Management System offers a robust customizable and scalable foundation fo...

Страница 34: ...with wireless applications Supports RSA public key algorithm for signing and encryption DSA public key algorithm for signing and MD2 MD5 and SHA 1 for hashing Supports signature key lengths of up to 1...

Страница 35: ...n sign and revoke certificates and generate CRLs It can accept certificate requests directly from end entities and via Registration Managers to which it has delegated certain certificate management fu...

Страница 36: ...he Certificate Manager located inside a firewall For more information see Trusted Managers on page 394 Ability to function as both a root and a subordinate CA in a CA hierarchy Certificate Management...

Страница 37: ...nager and Data Recovery Manager key pairs reduces the risk of key compromise because hardware tokens don t reveal keys or provide means for them to be revealed once the keys are generated in the hardw...

Страница 38: ...nts come with a set of default modules that enable you to configure Certificate Management System for your PKI requirements For example you can configure policy modules to determine the outcome of ope...

Страница 39: ...certificate generation for dual key pairs separate key pairs for signing and encrypting mail messages To support separate key pairs for signing and encrypting data Certificate Management System suppo...

Страница 40: ...rized key recovery agents The key repository is encrypted using a Data Recovery Manager s storage private key which is protected with one or more recovery agents passwords Only these designated recove...

Страница 41: ...e from previous versions of Certificate Management System Certificate Management System provides an easy upgrade path from its previous version GUI based server installation and management An installa...

Страница 42: ...e customized and configured to fit widely varying deployment scenarios permitting rapid integration with existing client and server software customer databases security systems and authentication proc...

Страница 43: ...frastructure PKI In any PKI a certificate authority CA is a trusted entity that issues renews and revokes certificates An end entity EE is a person router server or other entity that uses a certificat...

Страница 44: ...dependent installation of these four subsystems and each subsystem plays a distinct role in a PKI Each subsystem consists of built in system level components such as authentication framework for vario...

Страница 45: ...ocument as Certificate Manager agent or automatically based entirely on customizable policies and procedures When set up to work with a separate Registration Manager the Certificate Manager processes...

Страница 46: ...rtificates and CRLs RSA with MD2 RSA with MD5 RSA with SHA 1 and DSA with SHA 1 The Certificate Manager can issue X 509 v1 or v2 CRLs A CRL can be automatically updated whenever a certificate is revok...

Страница 47: ...on Manager then distributes the certificates to the end entities Note that you can run multiple Registration Managers remotely all reporting to a single CA a Certificate Manager to verify user identit...

Страница 48: ...w an end entity to get a new signing certificate and signing key pair without changing the encryption certificate or encryption key pair Note that the Data Recovery Manager archives encryption keys It...

Страница 49: ...tificate validation authority is often referred to as an OCSP responder Table 1 1 Key pairs used by end entities and key pairs used by the Data Recovery Manager End entity key pairs Data Recovery Mana...

Страница 50: ...the four independent CMS managers and various kinds of end entities To keep things simple the figure assumes that each manager is installed in a different CMS instance and on a different machine The...

Страница 51: ...ed by Cisco Systems and VeriSign Inc CEP governs communication between routers or VPN clients and a Registration Manager or Certificate Manager KEYGEN tag An HTML tag supported by Netscape browsers th...

Страница 52: ...covery Manager performs the long term archival and recovery of end users private encryption keys A Certificate Manager or Registration Manager can be configured to archive end users private encryption...

Страница 53: ...Manager 6 The Certificate Manager issues the signing and encryption certificates and sends them back to the Registration Manager 7 The Registration Manager delivers the certificates to the end entity...

Страница 54: ...ance of Directory Server replacing the Relational Database Management System RDBMS used in Certificate Server 1 0x Some deployments require installation of two subsystems in a single CMS instance on a...

Страница 55: ...o CMS Plug ins Guide To locate this guide see Where to Go for Related Information on page 28 Authentication Plug in Modules An authentication module is a set of rules implemented as a Java class for a...

Страница 56: ...ion module is hardwired you cannot configure it This ensures that when the server receives requests that lack authentication credentials it sends them to the request queue for agent approval It also m...

Страница 57: ...adjusts the subject name in the request accordingly A validity constraints policy checks that the certificate validity period falls within a specified period and it rejects defers or adjusts the valid...

Страница 58: ...me uniqueness and prevents issuance of multiple subordinate CA certificates with same issuer names UniqueSubjectNameConstraints Allows the server to check for certificate subject name uniqueness and p...

Страница 59: ...ocations from where the application that is validating the certificate can obtain the CRL information ExtendedKeyUsageExt Adds the Extended Key Usage extension to certificates The extension identifies...

Страница 60: ...f OIDs each pair identifying two policy statements of two CAs The pairing indicates that the corresponding policies of one CA are equivalent to policies of another CA PrivateKeyUsagePeriodExt Adds the...

Страница 61: ...much the same way that you can write your own authentication and policy modules Plug in classes are provided out of the box for scheduling the following jobs Table 1 5 Plug in modules for schedulable...

Страница 62: ...d CRLs to a directory The advantage of publishing certificates and CRLs to the directory is multifold You can keep users certificate related information with the rest of the user information This way...

Страница 63: ...nfigure a Certificate Manager to publish certificates and CRLs to the mapped directory entries to files or to the Online Certificate Status Manager Table 1 6 Default mapper plug in modules for mapping...

Страница 64: ...utilities or tools and Software Development Kit Table 1 7 Default publisher plug in modules for publishing certificates and CRLs Plug in module name Function FileBasedPublisher Publishes certificates...

Страница 65: ...de of various plug in modules that are included in Certificate Management System out of the box This source code has been included for reference purposes only and is only used to demonstrate how a par...

Страница 66: ...ation of ObjectSigning capabilities Examples of how to use Certificate Management System with some third party products Entry Points for Various Types of Users Certificate Management System provides e...

Страница 67: ...nager or Online Certificate Status Manager serves the appropriate HTML forms for agent tasks For details see Agent Services Interface on page 68 Accessing Agent Services is a privileged operation agen...

Страница 68: ...ces you made during installation a combination of the following agent services will be installed Certificate Manager Agent Services Registration Manager Agent Services Data Recovery Manager Agent Serv...

Страница 69: ...es and process them Listing certificates issued by the server Searching for certificates issued by the server Revoking certificates issued by the server Updating certificates and certificate revocatio...

Страница 70: ...ce Using the default forms a Registration Manager agent can list deferred certificate requests from end entities and process them Data Recovery Manager Agent Services The Data Recovery Manager Agent S...

Страница 71: ...tion private keys from the key archive Key recovery requires authorization from key recovery agents see Key Recovery Process on page 741 Online Certificate Status Manager Agent Services Interface The...

Страница 72: ...des HTML forms for various entities people routers servers and others that use certificates to identify themselves and that need to be able to request certificate issuance and management operations Th...

Страница 73: ...services interface Note that the Data Recovery Manager and Online Certificate Status Manager do not provide end entity interfaces because end entities do not directly interact with these servers For a...

Страница 74: ...hitecture PKCS 11 Public Key Cryptography Standard PKCS 11 specifies an API used to communicate with devices that hold cryptographic information and perform cryptographic operations Because it support...

Страница 75: ...te Management System Default Netscape Internal PKCS 11 Module This comes with two built in tokens The Internal Crypto Services token performs all cryptographic operations such as encryption decryption...

Страница 76: ...r Java layers JSS and the Java JNI Layer Java Security Services JSS provides a Java interface for security operations performed by NSS JSS and higher levels of the Certificate Management System archit...

Страница 77: ...ters pkix charter html under Internet Drafts Certificate Enrollment Protocol CEP A certificate management protocol jointly developed by Cisco Systems and VeriSign Inc CEP is an early implementation of...

Страница 78: ...parts as they are finalized For more information about PKIX Part 1 see ftp ftp isi edu in notes rfc2459 txt Security and Directory Protocols Certificate Management System supports the following securi...

Страница 79: ...ed by RSA Data Security for certificate requests This format is supported by many server products and by Microsoft Internet Explorer Public Key Cryptography Standard PKCS 11 Specifies an API used to c...

Страница 80: ...Standards Summary 80 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 81: ...nagement System Steps in End Entity Enrollment The following steps take place when a Registration Manager or a Certificate Manager handles an enrollment request from an end user Figure 2 1 shows a sim...

Страница 82: ...d to the request for the purpose of formulating the contents of the certificate to be issued and to enforce certain rules such as name constraints Custom policy modules can be used to enforce speciali...

Страница 83: ...Steps in End Entity Enrollment Chapter 2 Certificate Enrollment and Life Cycle Management 83 Figure 2 1 Roles of servlets authentication modules and policy modules in end entity enrollment...

Страница 84: ...nd Revocation Router Enrollment and Revocation For the sake of simplicity these examples do not show the role of the Data Recovery Manager For more information about data recovery see Data Recovery Ma...

Страница 85: ...cations each with their own firewalls In general Netscape recommends that the Certificate Manager handle all certificate and CRL publishing functions If it s necessary for some entries in a directory...

Страница 86: ...personal details stored in the existing customer database 2 Custom authentication The Registration Manager uses a custom authentication module to verify the customer s account and status against the...

Страница 87: ...tication to validate every certificate request personally before issuing the certificate Figure 2 3 illustrates the steps in this process 1 Request certificate The customer fills in and submits a cert...

Страница 88: ...If all authentication procedures are successful the agent approves the request 4 Request certificate The Registration Manager performs policy processing and if the processing is successful sends the a...

Страница 89: ...ct workers suppliers employees and others who routinely access parts of the company s internal network In general this can be achieved by using Kerberos or other non PKI security systems as the authen...

Страница 90: ...ting extranet fills in and submits a certificate request over SSL using a customized form that requires a Kerberos ID and password 2 Authentication The Registration Manager uses a third party authenti...

Страница 91: ...eed access to the extranet To register all these people at once Atlas uses the directory based PIN Generator tool that comes with Certificate Management System to generate PINs in bulk The PINs are th...

Страница 92: ...em payroll stub invoice form or other out of band delivery mechanism 4 Request certificate using PIN The user goes to a specified Registration Manager URL fills in name and PIN and submits a certifica...

Страница 93: ...ns on a user s desktop outside the firewall and uses the IP Key Management Protocol IPKMP or IP Security IPSec protocol to establish encrypted communication with VPN hardware that straddles the firewa...

Страница 94: ...an be used during enrollment to authenticate the client 2 Issue certificate The Certificate Manager issues the certificate and the Registration Manager delivers it to the VPN client The VPN client can...

Страница 95: ...nt and Life Cycle Management 95 Figure 2 6 VPN client enrollment and revocation The certificate includes information about a CRL distribution point which is a directory that the VPN hardware can check...

Страница 96: ...tificates As part of the issuing process the Certificate Manager publishes the certificates to the directory Publishing occurs only if the router s DN exists in the publishing directory This is import...

Страница 97: ...Some Enrollment Scenarios Chapter 2 Certificate Enrollment and Life Cycle Management 97 Figure 2 7 Router enrollment and revocation...

Страница 98: ...ms that use different protocols and life cycle management procedures for different kinds of end entities For example end entities running Navigator 3 x and versions of Communicator earlier than 4 5 ne...

Страница 99: ...th CMS subsystems occur over HTTPS Table 2 1 End entities message formats algorithms and key pairs supported by Certificate Management System End entity software Enrollment message format over HTTP or...

Страница 100: ...entity interactions can take place over HTTP or HTTPS For example routers using CEP which includes its own encryption scheme uses HTTP rather than HTTPS For a more detailed discussion of these ports...

Страница 101: ...The authentication module is used by the servlet to authenticate the end entity the output template is an HTML page that returns information from the servlet to the end entity Figure 2 9 shows the def...

Страница 102: ...ular Personal Security Manager simplifies certificate deployment with Certificate Management System by taking advantage of the following CMS features One click issuance of certificates Forced certific...

Страница 103: ...ards PKCS 12 Export and import of certificates and associated private keys CRMF CMMF Direct commmunication between Personal Security Manager and a CA simplifying enrollment processes and making one cl...

Страница 104: ...End Entities and Life Cycle Management 104 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 105: ...scape Certificate Management System CMS procedures This chapter has the following sections System Requirements page 106 Overview of the Default Demo page 108 Installing the Default Demo page 112 Using...

Страница 106: ...s Sun Solaris 8 for SPARC 32 bit operating environment with relevant Java 2 patches Microsoft Windows NT 4 0 Server with Service Pack 6a x86 only Other required software Netscape Administration Server...

Страница 107: ...ack 6a Pentium 350 or faster NTFS or FAT 128 MB of RAM recommended Total required is approximately 350 MB broken down as follows Total transient space required during installation 100 MB Hard disk sto...

Страница 108: ...otentially be separate from the user directory Netscape Administration Server This lightweight HTTP server acts as the back end to Netscape Console An instance of Administration Server manages operati...

Страница 109: ...for information on the locations and contents of server groups on the network It also interacts with the Administration Server for each server group to perform some tasks such as managing SSL encrypt...

Страница 110: ...ssigned for the default demo You will also be asked to provide additional information such as the name of each server instance to be installed the names and passwords of various types of administrator...

Страница 111: ...if you plan to remove it after testing you should maintain the security of the demo system For this reason the installation procedure does not give specific passwords for each administrative user Howe...

Страница 112: ...Run the Installation Script Windows NT Step 2 Run the Installation Wizard Step 3 Get the First User Certificate Step 1 Run the Installation Script UNIX These instructions assume that you have the init...

Страница 113: ...the configuration user Directory Server process will run as Where your system supports it accept the default user nobody creating that user as necessary 12 System Group nobody Enter the group that the...

Страница 114: ...installation is now complete The installation script has installed Netscape Console installed and started an Administration Server and its configuration directory and copied the files for Certificate...

Страница 115: ...fault Demo Chapter 3 Default Demo Installation 115 2 Welcome Click Next 3 Software License Agreement Click Yes 4 Select Server or Console Installation Leave the default setting Netscape Servers select...

Страница 116: ...e Management System Installation and Setup Guide October 2001 5 Choose the Installation Type Leave the default setting Typical selected and click Next 6 Choose Installation Directory Leave the default...

Страница 117: ...er 3 Default Demo Installation 117 7 Select Products Leave all four components selected and click Next 8 Directory Server 4 13 Leave the default setting This instance will be the configuration directo...

Страница 118: ...ted and click Next 10 Directory Server 4 13 Server Settings Type the following values then click Next Server identifier configdir Server port Accept the default which should be 389 Suffix Accept the d...

Страница 119: ...ator ID admin Password admin password Password again admin password 12 Directory Server 4 13 Administration Domain Accept the default which should be your company s domain name in the form your_domain...

Страница 120: ...tificate Management System Installation and Setup Guide October 2001 Directory Manager DN cn Directory Manager Password dir mgr password Password again dir mgr password 14 Administration Server Port S...

Страница 121: ...e the value demoCA and click Next 16 Configuration Summary Click Next 17 Setup At this point the installation script extracts and installs the binaries for all of the servers in the server root direct...

Страница 122: ...on of Certificate Management System by running the Installation Wizard Step 2 Run the Installation Wizard To begin running the Installation Wizard follow these steps 1 If Netscape Console is not runni...

Страница 123: ...it alternatively you can also click the Open button on the Certificate Management System panel on the right After a few moments the Installation Wizard appears You use the wizard to get the initial ce...

Страница 124: ...Setup Guide October 2001 1 Introduction Click Next 2 Internal Database Type the following values then click Next Instance ID Accept the default demoCA db Port number Accept the default 38900 Director...

Страница 125: ...ation 125 At this point the system creates the internal database which can take some time 3 Administrator Type the following values then click Next Administrator ID CMSadmin Full name Accept the defau...

Страница 126: ...ms Click Next to accept the default selection Certificate Manager only 5 Remote Data Recovery Manager Click Next to accept the default selection No At this point the system configures the internal dat...

Страница 127: ...ity gateway then accept the default values listed below If one of the default ports is unavailable a different randomly selected port will appear in the form SSL administration port 8200 SSL agent por...

Страница 128: ...ificate Manager CA Signing Certificate Type the following values then click Next Token Accept the default value Internal Password token password Password again token password Key type Accept the defau...

Страница 129: ...CA Organization Unit OU CMS Demo Organization O name of your company Locality L name of your locality State ST name of your state province or territory Country C two letter code for your country 13 V...

Страница 130: ...14 Certificate Extensions for Certificate Manager CA Signing Certificate Click Next to accept the default selections 15 Certificate Manager CA Signing Certificate Creation Click Next 16 SSL Server Cer...

Страница 131: ...Next 18 Message Digest Algorithm Click Next to accept the default SHA1 19 Subject Name for SSL Server Certificate Type the following values then click Next Common name CN hostname in the machine domai...

Страница 132: ...tificate Management System Installation and Setup Guide October 2001 20 Validity Period for SSL Server Certificate Modify year and month values of Expire on date to allow a validity period of one mont...

Страница 133: ...te Click Next to accept the default selections 22 SSL Server Certificate Creation Click Next The generation of the certificate can take some time 23 Set Up Single Signon Password Type the following va...

Страница 134: ...Installing the Default Demo 134 Netscape Certificate Management System Installation and Setup Guide October 2001 24 Configuration Status Click Done Certificate Management System starts automatically...

Страница 135: ...cate that Certificate Management System issues The initial user is both an administrator and an agent This person can use Netscape Console to create additional agents with the appropriate user privile...

Страница 136: ...ertificate that you just created during installation Because you just created it it is not on your list of trusted certificates A series of dialog boxes now appears that lets you add the CMS server ce...

Страница 137: ...has now been designated as the first agent The certificate you just created allows you to access the Agent Services pages As an agent you can approve enrollment requests and start issuing new certifi...

Страница 138: ...and issue a certificate Create a Policy page 143 Configuring the Certificate Manager to reject certificate requests that do not use at least 1024 bit key lengths Use an LDAP Directory page 145 Adding...

Страница 139: ...use HTTPS to go to the URL for the SSL agent port that you specified For example https hostname 8100 2 Because this is an SSL connection you are prompted to present your client SSL certificate for aut...

Страница 140: ...ur initial agent certificate CN CMS administrator 7 Use the browser s Back button to go back to the Services Summary page For example when using Communicator press and hold the mouse button while it s...

Страница 141: ...cate your identity 2 If a dialog box appears requesting that you select a certificate select the certificate name that begins with CMS Administrator The first form for the Agent Services gateway appea...

Страница 142: ...re the system Setting Your Browser to Use the Agent Certificate To verify that the User1 certificate really can access the agent pages you must first set your browser to use the User1 certificate to i...

Страница 143: ...formulate your policies before installing any software and configure how the policies will be implemented before issuing any certificates For this demonstration you will implement a simple but very u...

Страница 144: ...lect the CMS instance cert demoCA 5 In the Certificate Management System panel at the right click Open 6 Log in as CMSadmin giving the password CMS password Netscape Console s CMS window appears showi...

Страница 145: ...to this Certificate Manager by setting enabled to true 11 Click OK to save the changes The RSAKeyRule should now be listed as enabled in the Policy Rules Management tab That is all you need to do The...

Страница 146: ...Up End User Authentication Step 1 Enable Directory Based Authentication To enable directory based authentication for the Certificate Manager 1 If the CMS console window is not still open start Netsca...

Страница 147: ...irectory s user and groups subtree Notice that this is a different operation from adding a user or group to the Certificate Manager s internal database NOTE If you leave the dnpattern field blank the...

Страница 148: ...ole again or go back to the main window 2 Select the Users and Groups tab and click Create in the lower right corner 3 In the Select Organization Unit dialog box select People and click OK 4 In the Cr...

Страница 149: ...he key length policy working you will request the certificate using a 512 bit key first then change the request to use a 1024 bit key 1 Open a browser window and go to the Certificate Manager s end en...

Страница 150: ...ued Publish Certificates to an LDAP Directory In any PKI there are things that you need to publish to make them available to entities Certificate revocation lists CRLs for example can be made availabl...

Страница 151: ...conditions The conditions may simply require a certain type of object such as a client certificate A condition may also assert some additional requirement a predicate that must be true about that type...

Страница 152: ...rd again dir mgr password Version 3 Authentication Basic authentication 5 Click Save A dialog box appears that indicates whether Certificate Management System is able to connect authenticate and bind...

Страница 153: ...in domain directory tree using the user ID from the certificate request To configure Certificate Management System to publish user certificates to an LDAP directory 1 Open the CMS console window and s...

Страница 154: ...button and the LdapUserCertPublisher under Publishers Update the Publishing Directory Your Certificate Manager is now configured to automatically publish newly issued client certificates If you want t...

Страница 155: ...e the Property Editor dialog box but leave the Edit Entry dialog box open if you can you will open the Property Editor again after you manually publish certificates To publish certificates to the dire...

Страница 156: ...ficate expires In a real deployment of course you would probably not start reminding certificate holders to renew until 30 days before expiration You will see the email that is sent to a certificate h...

Страница 157: ...r server uses for SMTP in the Port Number field If you are certain that your server uses a port number other than 25 for SMTP enter it in the Port number field However it is unlikely that any server u...

Страница 158: ...expires so you will get notices for the certificates issued during this demonstration You will also send notices every minute instead of every day so that you get an immediate message and send a summa...

Страница 159: ...eceiving email after one minute 11 After the scheduler has been running for a few minutes deselect the Enable Jobs Scheduler checkbox 12 Click Save 13 Check your email You will have at least two messa...

Страница 160: ...set parameter and whether or not the Certificate Manager succeeded in sending a renewal notice The message content format and subject are all customizable so in a real deployment you can create messag...

Страница 161: ...tallation Chapter 4 Planning Your Deployment Chapter 5 Installation Worksheet Chapter 6 Installing Certificate Management System Chapter 7 Installing and Uninstalling CMS Instances Chapter 8 Starting...

Страница 162: ...162 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 163: ...of whether a Certificate Manager is subordinate affects its distinguished name DN as well as its validity period extensions and place in the CA hierarchy As you begin to make decisions about your depl...

Страница 164: ...anager and Registration Manager page 166 Certificate Manager and Data Recovery Manager page 168 Certificate Manager Data Recovery Manager and Registration Manager page 170 Cloned Certificate Manager S...

Страница 165: ...pabilities This Certificate Manager can use a signing certificate issued by a public certificate authority or its own self signed CA signing certificate to sign all the certificates it issues Figure 4...

Страница 166: ...accept requests from both end entities and Registration Managers For example end entities at the home office might deal directly with the Certificate Manager while end entities at a branch office mig...

Страница 167: ...a particular geographic area or within an organizational group Decisions about the number of locations of and relationships among Certificate Managers and Registration Managers depend on many factors...

Страница 168: ...scenario sketched in Figure 4 2 a Data Recovery Manager can be installed either in the same CMS instance in which the Certificate Manager is installed or in a different CMS instance which can be loca...

Страница 169: ...rowser that is using Netscape Personal Security Manager which supports dual keys The decision to keep the Data Recovery Manager in the same instance as the Certificate Manager or in a different instan...

Страница 170: ...he Registration Manager is configured to request the end entity s private encryption key in encrypted form and send it to the Data Recovery Manager during the enrollment process Before the Registratio...

Страница 171: ...tificate Management System assumes that most deployments will rely on a single Data Recovery Manager associated with either a Registration Manager or a Certificate Manager However it is also possible...

Страница 172: ...trative effort and it creates more potential areas where the CA could become compromised so it should only be used when absolutely necessary The advantage of cloning is the ability to distribute the C...

Страница 173: ...icate Manager s own identity The signing unit digitally signs certificates requested by end entities that use a specified enrollment process to establish their identities Regardless of how related Reg...

Страница 174: ...lly strong Export and other regulations permitting it may be a good rule of thumb to start with 1024 bits and consider increasing the length to 2048 bits for certificates that provide access to highly...

Страница 175: ...le for getting your root certificate into all the browsers used with the certificates you issue If you are using Netscape Communicator as your client you can accomplish this task within an intranet by...

Страница 176: ...ew CA certificate with the same subject name and public and private key material as the old CA certificate but with an extended validity period As long as the new CA certificate is distributed to all...

Страница 177: ...for a PKCS 11 module can in turn contain a token which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys As shown in Figure 1...

Страница 178: ...in the specified manner Note that it s not possible to configure the Registration Manager to publish certificates or CRLs The Certificate Manager has the complete record of issued certificates and th...

Страница 179: ...SL For detailed information on LDAP publishing see Chapter 19 Setting Up LDAP Publishing Publishing CRLs to the Online Certificate Status Manager Certificate Management System supports the Online Cert...

Страница 180: ...lled in a single instance they normally share a single SSL server certificate If one or more subsystems are installed in a separate instance from the other subsystems each instance requires a separate...

Страница 181: ...ger also generates a few other certificates transparently during installation For details see Certificate Manager s Key Pairs and Certificates on page 437 Registration Manager Certificates Every Regis...

Страница 182: ...d at the same time by m of n authorized agents The Data Recovery Manager also requires at least one SSL server certificate The Data Recovery Manager s SSL server certificate or certificates can be uni...

Страница 183: ...ticated especially for operations related to certificate enrollment requires careful planning and control throughout the lifetime of a PKI deployment For examples of some different approaches to authe...

Страница 184: ...tration Managers which can be configured to apply the policies uniformly in different geographic locations For a detailed discussion of policy management see Chapter 18 Setting Up Policies Deployment...

Страница 185: ...Deployment Strategy and Port Assignments Chapter 4 Planning Your Deployment 185 Figure 4 5 Deploying servers on a single host...

Страница 186: ...orts for each CMS instance to listen on That is each CMS instance will require at least four unique ports Internal database port for communication with internal database SSL administration port for co...

Страница 187: ...te Management System This chapter has the following sections Information for UNIX Installation Script page 188 Information for NT Installation Script page 191 Initial Configuration page 194 Certificat...

Страница 188: ...the fully qualified host name of the machine on which the installation is taking place For example mydirectory siroe com Do not attempt to install remotely Configuration Directory Server System user...

Страница 189: ...must also supply the following information User directory host name___________________________________________ User directory port_____________________________________________ Bind as________________...

Страница 190: ...uffix configured for your directory It also should not correspond to an actual entry stored in your directory For example cn Directory Manager Directory Manager password ________________________ The p...

Страница 191: ...f Certificate Management System you must also install an Administration Server and Netscape Console application and have access to a configuration and user group directory For more information on the...

Страница 192: ...s directory server _______________________________________ If you choose this option the installation script either adds a user group directory to the newly installed instance of Directory Server if y...

Страница 193: ...u specify must not be used for any other purpose Suffix ____________________________________ If you are creating a new directory this should be the domain name of the current host For example o siroe...

Страница 194: ...t the default number Certificate Management System Identifier You must specify a unique identifier for the CMS server instance that you are installing Certificate Management System server identifier__...

Страница 195: ...logged in as root Directory Manager DN ____________________________________________ The default is CN Directory Manager You can enter something more meaningful such as CN Internal Directory Manager In...

Страница 196: ...er___________________________________ Enable issuance of wTLS certificates _____________________ Registration Manager__________________________________ Data Recovery Manager___________________________...

Страница 197: ...anager Configuration This section summarizes information required to configure a Certificate Manager as a root or subordinate CA either by itself or as part of a joint installation with a Data Recover...

Страница 198: ...tokens For example SmartCard For installation instructions see Installing External Tokens on page 451 Token password_________________________________________________ The password for the token must b...

Страница 199: ...Signing Certificate You can specify the validity period for a self signed CA signing certificate only The validity period for a subordinate CA signing certificate is determined by the issuing CA Valid...

Страница 200: ..._________ S MIME CA Yes _________ S MIME No _________ Object signing CA Yes _________ SSL CA Yes _________ Authority Key Identifier Yes ________________ Subject Key Identifier Yes ________________ Ke...

Страница 201: ...he certificate that the Registration Manager will use to sign certificate requests This certificate also functions as the Registration Manager s SSL client certificate The Installation Wizard formulat...

Страница 202: ...Name CN _____________________________________ Organizational Unit OU ___________________________________ Organization O ________________________________________ Locality L ____________________________...

Страница 203: ...Type and Length on page 174 Token for storing the transport certificate signing certificate and private key________________________________________ Enter either internal if you plan to use the intern...

Страница 204: ...________________________________________ Locality L _____________________________________________ State ST ______________________________________________ Country C ___________________________________...

Страница 205: ...sion by pasting its base 64 encoding in the space provided on this screen For more information about extensions see Appendix C Certificate and CRL Extensions of CMS Plug ins Guide Confirm that you wan...

Страница 206: ...If you are submitting your certificate request to a Certificate Manager you need to know its URL End entity URL for issuing Certificate Manager___________________________ Enter the URL for the end en...

Страница 207: ..._____________________ Password_________________________ User ID______________________ Password_________________________ User ID______________________ Password_________________________ User ID_________...

Страница 208: ...ssword for the token must be at least one character long Key type_________________________________________________ RSA or DSA Key length_______________________________________________ Available key si...

Страница 209: ...certificate For example http hostname 17006 Cloned Certificate Manager Configuration This section summarizes information required to configure a clone of a Certificate Manager You must have installed...

Страница 210: ...enter the starting serial number When you configure cloned CAs you must specify upper and lower bounds for the serial numbers on all CAs and you must make sure the ranges do not overlap CA s starting...

Страница 211: ...Management System you must supply information for the SSL server certificate used by that instance to identify itself The same SSL certificate is shared by all subsystems installed in that instance SS...

Страница 212: ...__________________________________ Country C ____________________________________________ A DN is a series of name value pairs that in combination uniquely identify an entity The subject DN identifies...

Страница 213: ...Guide Confirm that you want to include the following extensions Check off all that apply defaults are indicated in parentheses Basic constraints No _____________ CA Nos _________ Certification path le...

Страница 214: ...instructions provided by that CA If you are submitting your certificate request to another Certificate Manager you need to know its URL End entity URL for issuing Certificate Manager__________________...

Страница 215: ...d page 225 Stage 3 Enrolling for Administrator Agent Certificate page 275 Stage 4 Further Configuration Options page 281 Stage 5 Creating Additional Instances or CA Clones page 282 Installation Overvi...

Страница 216: ...em in a single server root directory involves four stages Stage 1 Run the installation script setup on UNIX setup exe on NT to install Administration Server and Directory Server as necessary and perfo...

Страница 217: ...which you ll submit the subordinate CA s CA signing certificate and SSL server certificate requests Make sure the CA is running and if required identify the forms you ll use to submit these requests I...

Страница 218: ...e requests Make sure the CA is running and if required identify the forms you ll use to submit these requests For Online Certificate Status Manager s signing certificate to work properly it must conta...

Страница 219: ...alization file and the installation prompts resume at the point in which you left off This initialization file applies only to the installation of the Administration Server and Directory Server If you...

Страница 220: ...ts you wish to install 1 2 Enter the numbers corresponding to the Administration Services components you wish to install or press Enter to accept the default components 9 Specify the components you wi...

Страница 221: ...If you are using an existing configuration directory enter its identifier 17 Netscape configuration directory server administrator ID admin Enter the name and password of the user who will authenticat...

Страница 222: ...rver Directory Server Netscape Console and Certificate Management System and installs the binaries under the server root directory you have specified It creates one instance of Administration Server o...

Страница 223: ...ice unless you want to set up the Directory Server Synchronization Service Click Next to accept the default selection 6 Directory Server 4 13 This instance will be the configuration directory server i...

Страница 224: ...ou are using an existing configuration directory enter its administrator ID and password Click Next to continue 10 Directory Server 4 13 Administration Domain Click Next to accept the default value Th...

Страница 225: ...onfiguration for this instance of Certificate Management System The Installation Wizard is the same for both UNIX and Windows NT In the last step of the installation script you were given an opportuni...

Страница 226: ...rnal database which takes some time If you have previously installed an internal database for this instance the Recreate Internal Database screen appears In the Recreate Internal Database specify whet...

Страница 227: ...r If you have already installed a remote Data Recovery Manager that you want the Certificate Manager to use for archiving end users encryption private keys select Yes Then enter the remote Data Recove...

Страница 228: ...validity is two years The validity period determines how soon you will have to renew the certificate which can be a complex procedure Click Next to continue 10 Certificate Extensions for Certificate M...

Страница 229: ...tinue 15 Subject Name for SSL Server Certificate Type the values for the subject DN components these values identify the root CA s SSL server certificate The CN must be the fully qualified host name o...

Страница 230: ...Subordinate CA To install the Certificate Manager as a subordinate CA 1 Subsystems Select Certificate Manager If you want the Certificate Manager to issue certificates for wireless applications select...

Страница 231: ...lect the Create subordinate CA certificate request option Click Next to continue 6 Key Pair Information for Certificate Manager CA signing certificate Select the token to store the CA signing certific...

Страница 232: ...e Creation This is an informational screen that tells you that the wizard has all the information required to generate the key pair and certificate request In the previous screen if you chose to inclu...

Страница 233: ...then click Show Pending Requests and click Find The pending request list is displayed g Locate your request click Details to see it and make any changes Then scroll down to the bottom of the form and...

Страница 234: ...s Agent interface you can follow the instructions below to issue the certificate Otherwise you ll have to wait till the remote Certificate Manager s agent approves your request f In the web browser wi...

Страница 235: ...n Wizard screen click Yes or No If you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait days or weeks...

Страница 236: ...If the CA that issued the certificate is a Certificate Manager follow these steps a Go to the end entity URL for the Certificate Manager that issued the subordinate CA s signing certificate b Select...

Страница 237: ...d on this screen For details see Step 10 of this section Click Next to continue 22 SSL Server Certificate Request Creation This is an informational screen that tells you that the wizard has all the in...

Страница 238: ...rtificate Manager s agent If you ve permission to access that Certificate Manager s Agent interface you can follow the instructions below to issue the certificate Otherwise you should wait for the rem...

Страница 239: ...n the CMC format click CMC Enrollment In the resulting form paste the request from the clipboard into the text area and fill in any other required information Be sure to select Server SSL Certificate...

Страница 240: ...You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA s SSL server certificate b Submit your certificate request to...

Страница 241: ...sent option and then specify the required details Click Next to continue 26 Certificate Details This is an informational screen that displays the certificate so you can inspect its contents Notice the...

Страница 242: ...3 Enrolling for Administrator Agent Certificate on page 275 to create the first agent user for the Certificate Manager Installing a Standalone Registration Manager To install a standalone Registratio...

Страница 243: ...er Signing Certificate Select the required extensions The default settings should work for most deployments If necessary you can add an additional extension by pasting its base 64 encoding in the spac...

Страница 244: ...t number of the remote Certificate Manager and specify whether the end entity port is SSL enabled c Click Next to submit the request The Certificate Request Result screen appears confirming that the r...

Страница 245: ...entities c In the left hand frame of the Enrollment tab choose the form appropriate for the request type If the request is in the PKCS 10 format under Server click Registration Manager In the resulti...

Страница 246: ...ATE and END CERTIFICATE and copy it to the clipboard or to a text file Be sure to not make any changes to the certificate You re required to paste the encoded certificate into the Installation Wizard...

Страница 247: ...he filename in the text field If you copied the certificate to the clipboard select the The certificate is located in the text area below option and then paste in a base 64 encoded certificate includi...

Страница 248: ...ame for SSL Server Certificate Type the values for the subject DN components these values identify the Registration Manager s SSL server certificate The CN must be the fully qualified host name of the...

Страница 249: ...ult screen appears confirming that the request has been submitted Note the request ID provided in the response message You can use it later to retrieve the certificate once it has been issued from the...

Страница 250: ...c In the left hand frame of the Enrollment tab choose the form appropriate for the request type If the request is in the PKCS 10 format under Server click SSL Server In the resulting form paste the r...

Страница 251: ...ies the certificate request to the clipboard In addition to the copy on the clipboard the screen informs you that the certificate request has been saved to a file You can use either the copy on the cl...

Страница 252: ...request was sent option and then specify the required details Click Next to continue 23 Certificate Details This is an informational screen that displays the certificate so you can inspect its content...

Страница 253: ...step Stage 3 Enrolling for Administrator Agent Certificate on page 275 to create the first agent user for the Registration Manager Installing a Standalone Data Recovery Manager To install a standalone...

Страница 254: ...Joiner Tool of CMS Command Line Tools Guide Click Next to continue 7 Data Recovery Manager Transport Certificate Request Creation This informational screen tells you that the wizard has all the infor...

Страница 255: ...k Show Pending Requests and click Find g In the pending request list locate your request click Details to see the request and make any changes Then scroll down to the bottom of the form and click Do I...

Страница 256: ...access that Certificate Manager s Agent interface you can follow the instructions below to issue the certificate f In the web browser window enter the URL for the remote Certificate Manager s Agent S...

Страница 257: ...Installation Wizard screen click Yes or No If you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait da...

Страница 258: ...of the remote Certificate Manager a Go to the web browser window b Enter the end entity URL for the remote Certificate Manager that issued the transport certificate c Select the Retrieval tab and the...

Страница 259: ...st be the fully qualified host name of the machine on which you re installing the Data Recovery Manager Click Next to continue 19 Certificate Extensions for SSL Server Certificate Select the required...

Страница 260: ...t Certificate Manager s agent If you ve permission to access that Certificate Manager s Agent interface you can follow the instructions below to issue the certificate Otherwise you should wait for the...

Страница 261: ...d information If the request is in the CMC format click CMC Enrollment In the resulting form paste the request from the clipboard into the text area and fill in any other required information Be sure...

Страница 262: ...tificate request has been saved to a file You can use either the copy on the clipboard or the copy in the file to transfer your request to the CA that will issue the subordinate CA s signing certifica...

Страница 263: ...e required details Click Next to continue 24 Certificate Details This is an informational screen that displays the certificate so you can inspect its contents Notice the nickname assigned to the certi...

Страница 264: ...a Online Certificate Status Manager To install a standalone Online Certificate Status Manager 1 Subsystems Select Online Certificate Status Manager Click Next to continue 2 Network Configuration Type...

Страница 265: ...Next to submit the request The Certificate Request Result screen appears confirming that the request has been submitted Note the request ID provided in the response message You can use it later to ret...

Страница 266: ...rtificate For example if you assigned the port number 17006 to the non SSL end entity port for your CA you would go to the URL http hostname 17006 to bring up the Certificate Manager page for end enti...

Страница 267: ...REQUEST is highlighted and click the Copy to Clipboard button This action copies the certificate request to the clipboard In addition to the copy on the clipboard the screen informs you that the cert...

Страница 268: ...ficate is at the CMS where the request was sent option and supply the host name end entity port number and request ID Click Next to continue 9 Certificate Details This is an informational screen that...

Страница 269: ...ect the token to store the SSL server certificate and key pair If you have not previously initialized the token s password you must do so in this screen Also specify the key type and length Click Next...

Страница 270: ...rtificate you ll be given the choice to select the format for the certificate request Otherwise the request format will be PKCS 10 If you want the wizard to generate the certificate request in PKCS 10...

Страница 271: ...sts then click Show Pending Requests and click Find The pending request list is displayed f Locate your request click Details to see it and make any changes Then scroll down to the bottom of the form...

Страница 272: ...ce you can follow the instructions below to issue the certificate Otherwise you ll have to wait for the Certificate Manager s agent to approve your request and issue the certificate f In the web brows...

Страница 273: ...he Installation Wizard screen click Yes or No If you have submitted your request to a third party CA or to a remote Certificate Manager for which you do not have agent privileges you may have to wait...

Страница 274: ...owser window b Enter the end entity URL for the Certificate Manager that issued the SSL server certificate c Select the Retrieval tab and then choose Import CA Certificate Chain d Select the Display t...

Страница 275: ...icate automatically Follow the appropriate procedure for the subsystem you installed Agent Certificate for a Certificate Manager Agent Certificate for Other CMS Managers For more information about set...

Страница 276: ...ion Because you just created it it is not on your browser s list of trusted certificates Before you see the Administrator Agent Certificate Enrollment form a series of dialog boxes appears that lets y...

Страница 277: ...er who was named as the initial administrator for Certificate Management System during installation has been automatically designated as the first agent This certificate allows you to access the Agent...

Страница 278: ...est to the CA and then install the certificate in the certificate database of the CMS instance Alternatively if you have agent privileges to any of the CMS managers for example to a Certificate Manage...

Страница 279: ...instance for which you want to create the agent user and double click the icon The login screen for the CMS window appears 9 Enter your administrator ID and password The CMS window for the subsystem...

Страница 280: ...de the text area and paste the agent s certificate in base 64 encoded form If you haven t copied the certificate go back to the browser window copy the certificate and then paste the certificate here...

Страница 281: ...tance For more information about setting up and managing agents see Agents on page 387 Stage 4 Further Configuration Options When you have completed the initial configuration and installation of a CMS...

Страница 282: ...Creating Additional Instances or CA Clones After the initial installation you can use Netscape Console to create additional instances of Certificate Management System in the same server root director...

Страница 283: ...lation you specified a port number for the Administration Server instance you will use to administer Certificate Management System If Administration Server is shut down be sure to start it at this por...

Страница 284: ...hen you install additional CMS instances on the same machine you are required to specify different ports for each CMS instance to listen on For example you will have to set up one server to listen on...

Страница 285: ...entifier for the new instance For the name you can use any combination of letters aA to zZ digits 0 to 9 an underscore _ and a hyphen other characters and spaces are not allowed For example you can ty...

Страница 286: ...e same CA functions you create another instance of a Certificate Manager and configure it to use the same CA signing key and certificate and issue certificates with serial numbers that do not conflict...

Страница 287: ...ng a Certificate Manager s OCSP service see Setting Up a Certificate Manager with OCSP Service on page 695 So CAs organized in a flat structure using the cloning method eliminate the need for you to i...

Страница 288: ...t s recommended that you start with say 0x100 as the starting lowest serial number This will ensure that the master Certificate Manager has sufficient serial numbers for its own certificates such as t...

Страница 289: ...ending on your master Certificate Manager s installation there are three possible scenarios to install a clone Certificate Manager Installing Clone CA in Master CA s Server Group In this case you inst...

Страница 290: ...spaces are not allowed For example you can type Clone1_of_root CA as the instance name but not Clone1 of root CA 5 Click OK The instance you created appears in the navigation tree Note that the instan...

Страница 291: ...ance When prompted to specify a configuration directory select the option for an existing directory and specify the host name and port number of the Directory Server instance used by the master Certif...

Страница 292: ...irectory server_root cert instance_id config b Locate files named cert7 db and key3 db c In the clone Certificate Manager s host machine go to this directory server_root cert instance_id config d Copy...

Страница 293: ...erver certificate or create a new one If you created the clone Certificate Manager on the same host as the master Certificate Manager you can reuse the SSL server certificate To reuse the SSL server c...

Страница 294: ...ther CA for example a third party CA you can locate the certificate in the certificate database by using the certutil command line tool For more information about this tool see Chapter 11 Certificate...

Страница 295: ...ZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA4GBA Fi9FzyJlLmS kzsue0kTXawbwamGdYql2w4hIBgdR jWeLmD4CP4xzmKdvQ6IqD2q8DBs9lRQu9 END CERTIFICATE To locate the SSL server certificate in the master Certificat...

Страница 296: ...5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngjn jgnagwJjAOBgNVHQ8BAf8EBAMCBLAwFAYJYIZIAYb4QgEBAQHBAQDAgCAMA0GCSqGSIb3DQEBBAUAA4GBA Fi9FzyJlLmS kzsue0kTXawbwamGdYql2w4hIBgdR jWeLmD4CP4xzmKdvQ6...

Страница 297: ...ter Certificate Manager relies solely on its SSL server certificate which you will add in Step 3 for authentication User ID Type an ID that will help you identify this user in the list of privileged u...

Страница 298: ...rt Certificate window appears 9 Click inside the text area and paste the master Certificate Manager s SSL server certificate in its base 64 encoded form Be sure to include the BEGIN CERTIFICATE and EN...

Страница 299: ...onfigured the clone Certificate Manager for automated certificate issuance for example for directory based enrollment you may use the appropriate form and request a certificate To request a client or...

Страница 300: ...e required attributes of a client certificate 6 Scroll to the bottom of the request form and approve the request You should see a confirmation page indicating that the certificate has been issued If y...

Страница 301: ...okes the certificate updates the certificate status in its internal database and sends details about the revoked certificate to the master Certificate Manager Step E Check Master CA s CRL for the Revo...

Страница 302: ...latest certificate revocation information use the browser s Back button to return to the previous page and click Update Step 10 Use Master CA s Agent Certificate in Clone CAs This step is optional Th...

Страница 303: ...paste it as the agent certificate in the clone CA For step by step instructions to create an agent user see Setting up Agents Using the Manual Process on page 407 8 After creating the agent entry for...

Страница 304: ...e You can change this description see Changing the Name of an Instance on page 305 Installation Date The date the server was installed Server Root The directory that holds all the files for the select...

Страница 305: ...llation the name of a CMS instance is in the form CMS cert instance_id instance_id is the ID for this instance of Certificate Management System You first specified this when you installed this server...

Страница 306: ...l help you identify this instance of Certificate Management System 4 Click OK You are returned to the previous screen The new name appears in the right pane Removing an Instance From a System If you a...

Страница 307: ...elow 4 When the server has stopped from the Object menu choose Remove Server As shown in the figure below you can also right click to choose this option from the pop up menu 5 When prompted confirm th...

Страница 308: ...From the command line locally only On a Windows NT system by using the Windows NT Add Remove Programs Utility Uninstalling From the Command Line To uninstall Certificate Management System from the com...

Страница 309: ...ling CMS Instances 309 3 In the Add Remove Programs Properties window choose Netscape Server Products 4 2 server_root and click Add Remove 4 In the Netscape Server Uninstall window make sure all the c...

Страница 310: ...Uninstalling Certificate Management System 310 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 311: ...12 Stopping Certificate Management System page 320 Restarting Certificate Management System page 322 Checking System Status page 324 Attending to an Unresponsive Server page 325 CMS Watchdog Process p...

Страница 312: ...ate key pairs for the server The bind password used by Certificate Management System to access and update the internal database The bind password used by Certificate Management System to access and re...

Страница 313: ...out the CMS keys and certificates see Chapter 14 Managing CMS Keys and Certificates Note that during CMS installation the watchdog stores all the passwords required by the server for starting up in a...

Страница 314: ...a File Every time you start Certificate Management System you are required to enter either the single sign on password or all the passwords required by the server to startup see Required Start up Info...

Страница 315: ...sr netscape server4 bin cert admin bin start i testCA r usr netscape server4 e classpath usr netscape server4 bin cert classes usr netscape server4 bin cert jars jss jar usr netscape server4 bin cert...

Страница 316: ...cert jars certsrv jar usr netscape server4 java ldapjdk jar usr netscape server4 bin cert jre lib rt jar usr netscape server4 bin cert jre lib i18n jar usr netscape server4 bin cert jars jssjdk12 jar...

Страница 317: ...jar C Netscape Server4 bin cert jre lib i18n jar C Netscape Server4 bin cert jars jssjdk12 jar C Netscape Server4 java swingall jar e Save your changes 5 Use your operating system s security feature t...

Страница 318: ...for the server 5 Type the single sign on password you specified during installation and click OK Certificate Management System won t start until you provide this password For more information see Req...

Страница 319: ...you installed this server 4 When prompted enter the single sign on password Certificate Management System won t start until you provide this password For more information see Required Start up Informa...

Страница 320: ...cate Management System You can stop Certificate Management System in several ways From Netscape Console locally and remotely From the command line locally only On a Windows NT system from the Windows...

Страница 321: ...m from the command line 1 Open a terminal window to your server 2 In a Unix system log in either as root or using the server s user account if that is how you started the server 3 At the command line...

Страница 322: ...Services 4 Select the CMS instance and click Stop 5 When prompted click Yes The server is stopped Restarting Certificate Management System Whenever you change the CMS configuration you must save your...

Страница 323: ...single sign on password you specified during installation and click OK Certificate Management System won t restart until you provide this password For more information see Required Start up Informatio...

Страница 324: ...stance_id is the ID for this instance of Certificate Management System You first specified this when you installed this server 4 When prompted enter the single sign on password Certificate Management...

Страница 325: ...ign on password In addition it manages the start up stop and restart states of Certificate Management System The watchdog process identified as cms_watchdog implements the following operations Starts...

Страница 326: ...the password cache could look like this Password Cache Internal LDAP Database myIdbPwd Internal Key Storage Token myTokenPwd Authentication myPinAuthPwd LDAP Publishing myLdapPubPwd Note that in the...

Страница 327: ...ality of passwords set within the CMS system All passwords used in Certificate Management System are checked by the password quality checker which by default checks that the length of a password is at...

Страница 328: ...Password Quality Checker 328 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 329: ...tting Up Ports Chapter 12 Setting Up Internal Database Chapter 13 Managing Privileged Users and Groups Chapter 14 Managing CMS Keys and Certificates Chapter 15 Setting Up End User Authentication Chapt...

Страница 330: ...allation and Setup Guide October 2001 Chapter 19 Setting Up LDAP Publishing Chapter 20 Publishing Certificates and CRLs to a File Chapter 21 Setting Up an OCSP Responder Chapter 22 Setting Up Key Arch...

Страница 331: ...o enable system administrators to accomplish these server specific tasks quickly and easily Certificate Management System provides a GUI based administration tool called the CMS window within Netscape...

Страница 332: ...tion interface to the user directory Figure 9 1 Netscape Console window with a CMS instance selected in the Console tab Console Tab For any given instance of Netscape Console the limits of the network...

Страница 333: ...ment System uses file based configuration which is stored locally on the host system during installation the server registers only its SIE in the configuration directory For details about this file se...

Страница 334: ...including Certificate Management System through Netscape Console Administration Server and the configuration directory must be running before you can configure any of these servers It is included with...

Страница 335: ...g installation for monitoring Certificate Management System If you stopped Administration Server after installation you must start it before you can administer Certificate Management System from the C...

Страница 336: ...ter the following line server_root admin instance_id stop admin Administration Server runs as a service in a Windows NT system you can use the Windows NT Services panel to stop the service directly Lo...

Страница 337: ...password that you specified when you installed Administration Server on your computer during CMS installation Administration URL This field should show the URL to Administration Server If it doesn t o...

Страница 338: ...to day operational and managerial duties for Certificate Management System You launch the CMS window from within Netscape Console Figure 9 3 Figure 9 3 Certificate Management System window launched f...

Страница 339: ...perform tasks such as starting stopping and restarting the server and running the Certificate Setup Wizard For details see Chapter 8 Starting and Stopping CMS Instances and Certificate Setup Wizard on...

Страница 340: ...tions such as the following Entering information about privileged users administrators agents and trusted managers into the CMS internal database Modifying user information Deleting users from the dat...

Страница 341: ...tificate issuance and management policies This involves operations such as the following Viewing currently registered policy plug in modules for a Certificate Manager or Registration Manager Configuri...

Страница 342: ...end users encryption private keys For details see Chapter 22 Setting Up Key Archival and Recovery Managing CMS logs This involves configuring system error and audit logs maintained by Certificate Mana...

Страница 343: ...the Console tab select the Server Group that contains the CMS instance you want to use as your source 3 In the navigation tree locate the CMS instance you want to administer 4 Select the instance and...

Страница 344: ...CMS window without having to create privileged user entries Otherwise type your privileged user ID administrator ID Password If you are logging in for the first time type the Certificate Administrator...

Страница 345: ...plains how the installation affects the number of configuration files created in your machine and their contents It also explains ways in which you can modify the configuration and precautions you sho...

Страница 346: ...e configuration files for the instances running on Host A one for each CMS instance Although the names of both the configuration files are the same the information included in the files differs accord...

Страница 347: ...ration 347 Figure 10 1 How installation affects configuration Duplicating Configuration From One Instance to Another If you have deployed a large number of CMS instances that are identical for example...

Страница 348: ...ck way of deploying multiple Registration Managers with the same configuration Figure 10 2 Duplicating a configuration Locating the Configuration File Each instance of Certificate Management System ha...

Страница 349: ...how to change the various configuration parameter values from the CMS window Changing the Configuration by Editing the Configuration File This section explains how to change the CMS configuration by e...

Страница 350: ...util Properties The following guidelines may help you interpret the information in the configuration file The format of the configuration file is as follows comment parameter value value parameter mul...

Страница 351: ...is processed by the server all the parameters beginning with ca will be used The configuration file supports Unix style file separator the forward slash If the backward slash file separator is requir...

Страница 352: ...ile Note the following All policy specific information such as registered policy plug in implementations configured rules and ordering appear in the Policy section of the configuration file If you hav...

Страница 353: ...cessTemplate ca EnrollSuccess template agentGateway bulkissuance errorTemplate ca bulkissuance template agentGateway bulkissuance pendingTemplate ca bulkissuance template agentGateway bulkissuance rej...

Страница 354: ...ca Policy impl _002 ca Policy impl AuthInfoAccessExt class com netscape certsrv policy AuthInfoAccessExt ca Policy impl AuthorityKeyIdentifierExt class com netscape certsrv policy AuthorityKeyIdentifi...

Страница 355: ...ca Policy impl ValidityConstraints class com netscape certsrv policy ValidityConstraints ca Policy rule AuthorityKeyIdentifierExt enable true ca Policy rule AuthorityKeyIdentifierExt implName Authori...

Страница 356: ...geExt implName KeyUsageExt ca Policy rule ClientCertKeyUsageExt keyEncipherment true ca Policy rule ClientCertKeyUsageExt nonRepudiation true ca Policy rule ClientCertKeyUsageExt predicate certType cl...

Страница 357: ...le GenericASN1Ext attribute 5 value ca Policy rule GenericASN1Ext attribute 6 source ca Policy rule GenericASN1Ext attribute 6 type ca Policy rule GenericASN1Ext attribute 6 value ca Policy rule Gener...

Страница 358: ...olicy rule NameConstraintsExt permittedSubtrees0 max 1 ca Policy rule NameConstraintsExt permittedSubtrees0 min 0 ca Policy rule NameConstraintsExt permittedSubtrees0 valueType ca Policy rule NameCons...

Страница 359: ...eyRule implName RSAKeyConstraints ca Policy rule RSAKeyRule maxSize 2048 ca Policy rule RSAKeyRule minSize 512 ca Policy rule RSAKeyRule predicate ca Policy rule RenewalConstraintsRule enable true ca...

Страница 360: ...reqInQueue html ca notification requestInQ enabled false ca notification requestInQ recipientEmail ca notification requestInQ senderEmail ca publish mapper impl LdapDNCompsMap class com netscape certs...

Страница 361: ...publish rule instance LdapCrlRule mapper LdapCrlMap ca publish rule instance LdapCrlRule pluginName Rule ca publish rule instance LdapCrlRule predicate ca publish rule instance LdapCrlRule publisher L...

Страница 362: ...Internal LDAP Database internaldb ldapconn host testCA siroe com internaldb ldapconn port 3602 internaldb ldapconn secureConn false jobsScheduler _000 jobsScheduler _001 jobScheduler jobsScheduler _0...

Страница 363: ...eNotifier summary recipientEmail jobsScheduler job requestInQueueNotifier summary senderEmail jobsScheduler job unpublishExpiredCerts cron 0 0 6 jobsScheduler job unpublishExpiredCerts enabled false j...

Страница 364: ...error log instance Error flushInterval 5 log instance Error level 3 log instance Error maxFileSize 100 log instance Error pluginName file log instance Error rolloverInterval 2592000 log instance Erro...

Страница 365: ...9 8 oidmap netscape_comment class netscape security x509 NSCCommentExtension oidmap netscape_comment oid 2 16 840 1 113730 1 13 oidmap ocsp_no_check class com netscape certsrv cert OCSPNoCheckExtensi...

Страница 366: ...install a CMS instance the server prompts you to create the certificates required for the subsystems in that instance to function You should check the certificates used by each subsystem and determine...

Страница 367: ...es cannot interact with the Data Recovery Manager Similarly agents can interact with the appropriate subsystem using the agent forms Certificate Management System provides HTML forms based interfaces...

Страница 368: ...expiration of a certificate that require action on the part of users and periodic activities such as removing expired certificates from the publishing directory For scheduling jobs follow the instruct...

Страница 369: ...a Remote OCSP Responder on page 708 Step 11 Set up Key Archival and Recovery If you have installed the Data Recovery Manager follow the instructions in Configuring Key Archival and Recovery Process o...

Страница 370: ...tep 13 Plan for Backing up CMS Configuration and Data It is a good practice to periodically back up the CMS data on to some backup media Creating backups will help you use them for data restoration in...

Страница 371: ...nternal token and trust database for PKI operations SSL ciphers during SSL negotiation privileged users and log files to log messages to This chapter explains how to configure the ports for a CMS inst...

Страница 372: ...cessible services are usually maintained in a file named services On Unix if you are not running as root or superuser when you install or start the server you will have to use a port number higher tha...

Страница 373: ...ber can be any number between 1 and 65535 The number you choose for the agent port affects your agent users all agents access Certificate Management System by specifying the name of the server the CMS...

Страница 374: ...ocation General certificate retrieval requests such as retrieving a single certificate identified by a serial number listing certificates based on certain criteria for example an LDAP search filter de...

Страница 375: ...at can be waiting to be serviced at the administration port The default number is 15 The number you enter in this field is passed to the operating system s listen call To change the agent port number...

Страница 376: ...te Manager is configured to service OCSP requests from OCSP compliant clients then this port must be enabled so that OCSP compliant clients can successfully query the Certificate Manager for the revoc...

Страница 377: ...address and the Data Recovery Manager is served on another address To clarify this further consider the machine that hosts the Certificate Manager and Data Recovery Manager has two Ethernet cards tha...

Страница 378: ...example If you entered an IP address as the value the parameter would look similar to this radm https host 197 1 137 98 If you entered the host name as the value the parameter would look similar to th...

Страница 379: ...vileged users and log files to log messages to This chapter explains how to configure the internal database for a CMS instance The chapter has the following sections Internal Database page 379 Configu...

Страница 380: ...ified this when you installed this server If you check the files installed under server_root the internal database instance appears like this slapd cms_instance_id db Keep in mind that the subsystems...

Страница 381: ...the machine on which Netscape Directory Server is installed Certificate Management System uses this name to access the directory The format for the host name is as follows machine_name your_domain do...

Страница 382: ...access control set up for this DN determines whether Certificate Management System can communicate with the directory Typically you would want to enter the directory manager s DN the root DN because t...

Страница 383: ...n Chapter 2 Password Cache Utility of CMS Command Line Tools Guide 1 Log in to Netscape Console see Logging In to the CMS Window on page 343 2 In the Console tab select the server group that contains...

Страница 384: ...e Directory Server window 10 When the server is restarted from Netscape Console open the Directory Server window The Login to Directory dialog box appears the Distinguished Name field displays the Dir...

Страница 385: ...ted manager and granting access permissions to various CMS resources by adding the user to appropriate groups This chapter describes the types of privileged users you need to set up for a CMS instance...

Страница 386: ...stration Manager For details see Trusted Managers on page 394 The role of a privileged user whether administrator agent or trusted manager is determined by the group to which the user belongs This is...

Страница 387: ...red in a publishing directory Manage key archival and retrieval requests Manually add CRLs to the Online Certificate Status Manager See the list of OCSP requests processed by the Online Certificate St...

Страница 388: ...stem for it to service requests from the agents For information about agents certificates see Agent s Certificate for SSL Client Authentication on page 389 For information on creating agents for a CMS...

Страница 389: ...e exists in the subsystem s certificate or trust database and that the certificate is valid and trusted To check whether or not the CA s certificate exists in a subsystem s trust database follow the i...

Страница 390: ...YXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFzA VBgoJkiaJkIsZAEBEwdzdXByaXlhMRcwFQYDVQQDEw5TdXByaXlhIFNoZXR0eTEjMCEGCSqGSIb3DbndgJ ARYUc3Vwcml5YUBuZXRzY2FwZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoYiYgthgtbbnjfngj...

Страница 391: ...fter the user imports the certificate into the web browser you need to copy the certificate in base 64 encoded form in order to be able to add it to a subsystem s internal database To copy an agent s...

Страница 392: ...figure a Certificate Manager and Registration Manager to check the revocation status of an agent s certificate the server receives during SSL client authentication You can configure a Data Recovery Ma...

Страница 393: ...onChecking ra ra auths revocationChecking unknownStateInterval 0 auths revocationChecking validityInterval 120 If you have a Data Recovery Manager installed in the same instance in addition to the abo...

Страница 394: ...erforming specific functions depending on the subsystem to which it is connected You establish this trust between the two subsystems by configuring them to function in certain way revocationChecking u...

Страница 395: ...requests sent by this Registration Manager For example as illustrated in the figure below you might deploy one or more Registration Managers to process approve and forward certificate signing requests...

Страница 396: ...Certificate Managers or Registration Managers to send key archival or recovery requests to a Data Recovery Manager Connectors for Linking Trusted Managers Certificate Management System supports propr...

Страница 397: ...ers as privileged users to the internal database of that subsystem assigning them memberships in the appropriate group and identifying the certificates the managers must use for SSL client authenticat...

Страница 398: ...nstallation the issuer is the CA from which you requested the renewed certificate Check the signing certificate for its issuer s name see Viewing the Certificate Database Content on page 502 You can a...

Страница 399: ...e administrator ID of the CMS administrator you specified during installation If you don t remember this name see the installation worksheet you completed in preparation for installing the system see...

Страница 400: ...tomatically adds the initial administrator as the agent and stores a copy of the agent certificate against that user entry The user ID for this agent user is the same as the certificate administrator...

Страница 401: ...s a single user entry when you get the very first agent certificate from the Certificate Manager the server automatically adds the initial administrator as the agent and stores a copy of the agent cer...

Страница 402: ...e Status Manager you need to do additional configurations See Setting Up Agents on page 406 Group for Trusted Managers When the Certificate Manager Registration Manager or Data Recovery Manager is ins...

Страница 403: ...ors Setting Up Agents Setting Up Trusted Managers Setting Up Administrators You need at least one administrator for each instance of Certificate Management System To understand the role of an administ...

Страница 404: ...rs 404 Netscape Certificate Management System Installation and Setup Guide October 2001 2 In the navigation tree select Users and Groups The Users tab appears on the right pane 3 Click Add The Select...

Страница 405: ...o eight characters for the user Give this password to the user The user is required to enter this password in the login screen of the CMS window Confirm password Retype the password exactly as you typ...

Страница 406: ...requests must belong to both Certificate Manager Agents and Administrators groups in the internal database of the Certificate Manager The request approval form includes a checkbox labeled This certif...

Страница 407: ...pies the user s client certificate to the database and associates the certificate with the new user s entry 11 To verify log in to the CMS window for the Certificate Manager 12 In the navigation tree...

Страница 408: ...If the user does not own a client certificate either issue the user a certificate or ask the user to get a certificate For details see Agent s Certificate for SSL Client Authentication on page 389 Id...

Страница 409: ...ere is to help you keep track of your agent users the user never sees or uses it The server relies solely on the agent s client certificate which you will add next for authentication User ID Type the...

Страница 410: ...r you have the agent s certificate If you copied the user s certificate in base 64 encoded form to a text file proceed to Step 3 For details on getting the user s certificate see Agent s Certificate f...

Страница 411: ...k inside the text area and paste the user s certificate in base 64 encoded form Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE marker lines 4 Click OK You are returned to the Manage User...

Страница 412: ...sts from the agent Make sure that this CA s certificate exists in the subsystem s certificate database internal or external and that it is trusted To check whether the CA s certificate exists in your...

Страница 413: ...ves the subsystems certificate requests must belong to both the Certificate Manager Agents and Administrators groups in the user and group database of the Certificate Manager For more information abou...

Страница 414: ...to function as a trusted manager to another CMS subsystem Note identifying information such as the instance ID and host name of the Registration Manager Make sure that the Registration Manager has th...

Страница 415: ...is step you create a privileged user entry for the Registration Manager in the internal database of the subsystem As a part of creating this entry you also add the user entry to the Trusted Managers g...

Страница 416: ...ely on the Registration Manager s SSL client certificate which you will add in Step 3 for authentication User ID Type the Registration Manager s instance ID or any other ID that will help you identify...

Страница 417: ...skip to Step 5 You can add the certificate later following the instructions in Changing a Privileged User s Certificate on page 430 Step 3 Copy the Registration Manager s Certificate to the Internal...

Страница 418: ...01 3 Click inside the text area and paste the Registration Manager s certificate in base 64 encoded form Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE marker lines 4 Click OK You are re...

Страница 419: ...trusted To check whether the CA s certificate exists in the subsystem s certificate database follow the instructions in Viewing the Certificate Database Content on page 502 If the CA certificate isn t...

Страница 420: ...ab 4 In the List of connectors select the connector If you are connecting the Registration Manager to a Certificate Manager select Certificate Manager Connector and click Edit If you are connecting th...

Страница 421: ...e number of the TCP IP port at which the Certificate Manager will listen to requests from the trusted Registration Manager The default port designated for communication between a trusted Registration...

Страница 422: ...ant it to use for SSL client authentication to the Data Recovery Manager that will trust it by default the Certificate Manager uses its SSL server certificate for this purpose The certificate must be...

Страница 423: ...y with appropriate access privileges for a Certificate Manager 1 Log in to the CMS window for the Data Recovery Manager see Logging In to the CMS Window on page 343 2 In the navigation tree select Use...

Страница 424: ...haracters Host name Type the fully qualified host name of the Certificate Manager The host name can be an alphanumeric string of up to 255 characters It must be in this form machine_name your_domain d...

Страница 425: ...er s SSL server certificate in the internal database of the subsystem 1 In the Users tab select the user entry you just added for the Certificate Manager and click Certificates The Manage User Certifi...

Страница 426: ...rchival requests initiated by the Certificate Manager Make sure that this CA s certificate exists in the Data Recovery Manager s certificate database internal and that it is trusted To check whether t...

Страница 427: ...on of a Data Recovery Manager you were prompted to specify the host name and port number of the Certificate Manager to which the Data Recovery Manager will be connected If you specified this informati...

Страница 428: ...domain domain form Port Type the number of the TCP IP port at which the Data Recovery Manager will listen to requests from the trusted Certificate Manager The port designated for communication between...

Страница 429: ...To change the group membership or access permissions of a privileged user see Changing Members in a Group on page 431 Changing a Privileged User s Login Information To change a privileged user s login...

Страница 430: ...certificate information you want to change and click Certificates The Manage User Certificate window appears 4 Take the appropriate action To view a certificate select the certificate and click View...

Страница 431: ...remove members from all groups Keep in mind that the group for administrators must have at least one user entry For details see Groups and Their Privileges on page 398 To change a group s members 1 L...

Страница 432: ...the users you want to add and click OK You are returned to the Edit Group Information window 6 Click OK when you are done with the changes You are returned to the Groups tab 7 Click Refresh to view t...

Страница 433: ...tree select Users and Groups The Users tab appears in the right pane 3 In the User ID list select the user you want to delete and click Delete 4 When prompted confirm your action If you click OK the...

Страница 434: ...Deleting a Privileged User 434 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 435: ...to install This chapter provides an overview of those certificates and it explains how to perform operations such as renewing the existing certificates before their validity period expires getting new...

Страница 436: ...g them from unauthorized access or use The passwords that protect the tokens containing these keys must also be carefully guarded Access to the token itself should be limited If the keys are in the in...

Страница 437: ...cate identified as the Certificate Manager CA signing certificate whose public key corresponds to the private key the Certificate Manager uses to sign the X 509 certificates it issues The first time y...

Страница 438: ...t you generated for the CA signing certificate which is explained in section CA Signing Key Pair and Certificate on page 437 The subject name and validity period of the wTLS CA signing certificate wil...

Страница 439: ...ager uses the private key that corresponds to the public key used to generate the OCSP signing certificate to sign the OCSP responses it sends to the OCSP compliant clients when queried about the revo...

Страница 440: ...ing certificate in the Certificate Selection window select Other and specify caCrlSigning as the certificate type in the associated text field f Once you have the certificate request ready submit it t...

Страница 441: ...th MD5withRSA MD2withRSA or SHA1withRSA if the key type is RSA or SHA1withDSA if the key type is DSA token_name with the name of the token used for generating the key pair and the certificate If you u...

Страница 442: ...n configure the Certificate Manager to use separate server certificates for authenticating to the End Entity Services interface and Agent Services interface For instructions see Configuring the Server...

Страница 443: ...e certificate is Remote Admin Server Cert cert instance_id where instance_id identifies the CMS instance in which the Certificate Manager is installed The CN component in both the subject name and iss...

Страница 444: ...Public Key Modulus 00 f6 9e 71 37 62 af 7c 46 af cb bf 1e d8 1a 64 0b 5e 71 e2 d8 ec 88 18 6d eb 32 65 6f f2 18 4b ef b3 70 ae 61 de 6f 21 d5 4e 0e 7b 9b b7 42 98 94 1c d7 46 42 53 39 db 10 07 6c b8...

Страница 445: ...cate was issued by the CA to which you submitted the certificate signing request You might have submitted the request to an internally deployed CA or a public CA To find out the issuer name follow the...

Страница 446: ...ates for authenticating to Netscape Console the end entity services interface and the Registration Manager Agent Services interface For instructions see Configuring the Server to Use Separate SSL Serv...

Страница 447: ...est You might have submitted the request to the Certificate Manager that is installed in the same instance internally deployed another CA or a public CA To find out the issuer name follow the instruct...

Страница 448: ...ger uses its SSL server certificate to do SSL server side authentication to the following The end entity services interface the HTTPS port The Data Recovery Manager Agent Services interface By default...

Страница 449: ...ch the Online Certificate Status Manager is installed The Online Certificate Status Manager s signing certificate was issued by the CA to which you submitted the certificate signing request You might...

Страница 450: ...details see section Remote Administration Server Certificate on page 443 Tokens for Storing CMS Keys and Certificates A token is a hardware or software device that performs cryptographic functions and...

Страница 451: ...ate Management System uses to generate and store its key pairs and certificates Certificate Management System supports any hardware tokens that are compliant with PKCS 11 version 2 01 For details see...

Страница 452: ...support cryptographic devices supplied by many different manufacturers Specifically it allows Certificate Management System to plug in shared libraries or DLLs supplied by manufacturers of external en...

Страница 453: ...indow c Go to the configuration directory of Administration Server it is located here server_root admin serv config d At the prompt enter this command server_root shared bin modutil dbdir nocertdb cre...

Страница 454: ...d Viewing Tokens To view a list of the tokens currently installed for a CMS instance 1 Log in to the CMS window see Logging In to the CMS Window on page 343 2 Select the Configuration tab and then in...

Страница 455: ...the single sign on password cache stores the passwords for tokens in order to start the server using a single password for details see Required Start up Information on page 312 Whenever you change th...

Страница 456: ...ublic and private key pair Install CA certificates in the certificate or trust database of a CMS instance Install CA certificate chains in the certificate database of a CMS instance When you start the...

Страница 457: ...in the currently selected CMS instance Using the wizard to request a certificate involves the following steps Step 1 Select the Operation Step 2 Choose the Certificate Step 3 Specify the Key Pair Inf...

Страница 458: ...may see a combination of the following options If a Certificate Manager is installed the list includes the Certificate Manager s CA signing OCSP signing remote administration server and SSL server ce...

Страница 459: ...ery Manager installed in the currently selected CMS instance Online Certificate Status Manager Signing Certificate choose this option if you want to request a signing certificate for the Online Certif...

Страница 460: ...e drop down list shows the names of tokens currently installed for the selected CMS instance these are the tokens you can use now The internal token is identified as internal You should choose this op...

Страница 461: ...hose private key has been compromised To generate a certificate request based on a new key pair select the token that can generate the key pair you want to use for generating the request For example i...

Страница 462: ...nstructs the subject DN string If you want to enter values for individual DN components provide the following information Common name enter the name as appropriate Except for the SSL server certificat...

Страница 463: ...te or province enter the name of the state or province where your business is located For example California Country enter the name of the country where your business is located For example US Step 5...

Страница 464: ...de Also note that certificate extensions are required if you are setting up a hierarchy of certificate authorities CAs Subordinate CAs must have certificates that include the extension identifying the...

Страница 465: ...critical as recommended by the PKIX standard and RFC 2459 see http www ietf org rfc rfc2459 txt for a description of the Key Usage extension Extension in MIME 64 DER encoding select this option if yo...

Страница 466: ...gYDVQQKExdOZXRzY2FwZSBDb21tdW5pY2 F0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDA wMnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFz...

Страница 467: ...Sending the CSR Automatically to a CMS Manager To send the certificate signing request CSR automatically to a Certificate Manager 1 Type the appropriate values in the following fields Send the request...

Страница 468: ...following the instructions in Using the Wizard to Install a Certificate or Certificate Chain on page 471 Sending the CSR Manually to an Internal CA The following instructions assume that your interna...

Страница 469: ...rker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST 7 Submit the request 8 When the CA sends you a response save the information in a text file for future reference or inquiry Not...

Страница 470: ...uired information and paste the CSR from the text file 6 Submit the request 7 When the CA sends you a response save the information in a text file for future reference or inquiry 8 When you receive th...

Страница 471: ...ate in the chain is encoded as a separate DER encoded object When the wizard imports a certificate chain it imports these objects one after the other all the way up the chain to the last certificate w...

Страница 472: ...g package surrounded by the delimiters BEGIN CERTIFICATE and END CERTIFICATE Netscape Certificate Sequence This is a simpler format for downloading certificate chains It consists of a PKCS 7 ContentIn...

Страница 473: ...ing CMS Keys and Certificates 473 Step 1 Select the Operation Indicate whether you want to request a certificate or install a certificate For the sake of completing the instructions that follow assume...

Страница 474: ...ted CMS instance OCSP Signing Certificate choose this option if you want to install an OCSP signing certificate for the Certificate Manager installed in the currently selected CMS instance Registratio...

Страница 475: ...CMS instance Trusted CA Certificate Chain choose this option if you want to install a trusted CA certificate chain the CA certificate will be included in the chain Untrusted CA Certificate Chain choo...

Страница 476: ...ed by the wizard This is a text input field so you can paste the certificate or certificate chain in text format only For example if you are installing a certificate it base 64 encoded certificate blo...

Страница 477: ...r certificate chain information you have selected for installing You should check the information to make sure that you have chosen the correct one for installing After verifying that the certificate...

Страница 478: ...lves identifying the following The SSL server certificates a server must use for authenticating to the end entity agent and administration interfaces For details see Configuring the Server to Use Sepa...

Страница 479: ...particular CMS instance For instructions see Getting New Certificates for the Subsystems on page 485 Once you have installed the certificates you should be able to see them in the list of SSL server c...

Страница 480: ...r authenticating to the administration interface Netscape Console locate the radm https nickName parameter and change its value to the nickname of the new SSL server certificate For example if the nic...

Страница 481: ...equest and check the request for required extensions If you submitted the request to any other CA you must ask the person managing that CA to make the same changes to the request before approving it M...

Страница 482: ...use the same ciphers A number of ciphers are available your server needs to be able to use the most popular ones SSL Ciphers Supported in Certificate Management System Figure 14 1 shows the ciphers s...

Страница 483: ...s see Ciphers Used with SSL in Appendix E of Managing Servers with Netscape Console Previous US law prohibited the export of software with strong encryption so most browsers still in use outside of th...

Страница 484: ...wsers to establish strong SSL sessions with domestic SSL servers if they have the appropriate step up certificates Because many of the features such as issuance of dual certificates for dual key pairs...

Страница 485: ...L Communications on page 482 4 Click OK You are returned to the Encryption tab 5 To save your changes click Save The CMS configuration is modified If the changes you made require you to restart the se...

Страница 486: ...server and remote administration certificates for the Certificate Manager signing SSL server and remote administration certificates for the Registration Manager transport SSL server and remote adminis...

Страница 487: ...anager and if you have configured it to publish CRLs to a Online Certificate Status Manager you will need to identify the Certificate Manager to the Online Certificate Status Manager again For details...

Страница 488: ...ailable read it it may help you decide whether to request the certificate from this CA Is the public CA s certificate already installed in the trusted CA in the trust database of Certificate Managemen...

Страница 489: ...you want generate Also decide on details such as the key algorithm key size extensions and validity period for the certificate Step 2 Request the New Certificate Once you have all the information go...

Страница 490: ...icates issued by the CA using its old key will work For example if the CA has issued certificates to subordinate Certificate Managers Registration Managers Data Recovery Managers Online Certificate St...

Страница 491: ...trust this Registration Manager Here s what you must do 1 Install the new signing certificate in the subsystems certificate databases Because the Registration Manager uses its signing certificate for...

Страница 492: ...base on page 507 If you find the CA certificate verify its trust status If it is untrusted change the status to trusted For instructions on changing the trust setting of a CA certificate see Changing...

Страница 493: ...e listed there 4 Repeat steps 1 through 3 for any additional enrollment or key archival pages Deploying a Subsystem s SSL Server Certificate By default the Certificate Manager and Registration Manager...

Страница 494: ...tificate Manager Registration Manager Data Recovery Manager or Online Certificate Status Manager before they expire For example if you generated these certificates during CMS installation with a valid...

Страница 495: ...tects the token If the token is external make sure that the token is installed properly see Installing External Tokens on page 451 Decide on the validity period of the renewed certificate Decide on th...

Страница 496: ...s located here server_root cert instance_id config The names of the text files vary depending on the certificate you choose for renewal Table 14 2 lists them NOTE When renewing a certificate be sure t...

Страница 497: ...Renewed Certificate When you receive the renewed certificate from the CA you must install it in the token that contains the key pair for the certificate this is the token you used to generate the req...

Страница 498: ...ends on this certificate for validation For example you ll need to add the renewed CA certificate to the certificate databases of clients that trust this CA Similarly if you have configured the Certif...

Страница 499: ...or the CA certificate that signed the Registration Manager s renewed certificate If the subsystem does not find the CA as a trusted CA in its trust database it rejects the Registration Manager For ins...

Страница 500: ...nd identify the parameter that corresponds to the Data Recovery Manager s transport certificate The default enrollment forms for end users embed this feature Figure 14 3 shows the default directory ba...

Страница 501: ...thentication to all the CMS ports If a Certificate Manager is configured for SSL client authenticated communication with the publishing directory it also uses the SSL server certificate for authentica...

Страница 502: ...ternal token You may need to add new certificates to the database remove unwanted certificates from the database or change the trust settings of CA certificates in the database This section explains h...

Страница 503: ...e Database Chapter 14 Managing CMS Keys and Certificates 503 2 Select the Configuration tab and then in the right pane select the Encryption tab 3 Click Manage Certificate The Certificate Database Man...

Страница 504: ...Database By default the CMS certificate database includes a few public or third party CA certificates As an administrator you should periodically check the contents of the certificate database and mak...

Страница 505: ...that has sent a certificate signing request the Certificate Manager checks its certificate database to see whether the CA that has signed the certificate presented by the Registration Manager is inclu...

Страница 506: ...ne select the Encryption tab 3 Click Manage Certificate The Certificate Database Management window appears The window lists the certificates currently installed for the selected CMS instance the list...

Страница 507: ...server Installing a New CA Certificate in the Certificate Database You may need to install new trusted CA certificates in the certificate database of a CMS instance For example assume that you renewe...

Страница 508: ...rusted CA certificates in its certificate database These CA certificates determine which other certificates the software can validate in other words which issuers of certificates the software can trus...

Страница 509: ...ation for End User Enrollment page 521 Managing Authentication Instances page 544 Managing Authentication Plug in Modules page 547 Introduction to Authentication Authentication is the process of verif...

Страница 510: ...System uses built in authentication mechanisms Authentication of Administrators When an administrator makes an administrative request to Certificate Management System from the CMS window within Netsca...

Страница 511: ...its internal database 2 If the user ID and password bind successfully to a user entry authentication succeeds otherwise it fails If authentication fails the server logs an error message and sends a re...

Страница 512: ...ssociating them with the corresponding users identification information for details see Setting Up Agents on page 406 When an agent makes a request to perform a privileged operation the server request...

Страница 513: ...1 An agent opens a web browser and enters the URL to the Registration Manager Agent Services interface hosted by the Registration Manager The server requests the client for SSL client authentication T...

Страница 514: ...nd that it has been issued by a CA that the Registration Manager trusts For details on configuring the Certificate Manager or Registration Manager to check the revocation status of its agents certific...

Страница 515: ...ile Authentication of End Users During Certificate Renewal When an end user submits a certificate renewal request the first step in the renewal process is for the Certificate Manager or Registration M...

Страница 516: ...d the server displays the URL for downloading the certificate This situation may occur if the end user forgets to download the renewed certificate It can also happen if the end user maintains two iden...

Страница 517: ...or her own certificate not a certificate belonging to someone else Both Certificate Manager and Registration Manager support the following methods of revocation SSL client authenticated revocation Th...

Страница 518: ...rds certificate revocation requests to this Certificate Manager For information on trusted managers see Trusted Managers on page 394 The certificate the user attempts to revoke must be currently valid...

Страница 519: ...ates the password with the certificate stores both the certificate and password in its internal database and uses them later for authenticating any revocation requests In the challenge password based...

Страница 520: ...a mismatch between the challenge password and serial number the server rejects the revocation request Certificate Revocation Forms The End Entity Services interface of the Certificate Manager and Reg...

Страница 521: ...ble by clicking the Help button on the form For more information on customizing the form see CMS Customization Guide Configuring Authentication for End User Enrollment To set up a Certificate Manager...

Страница 522: ...module note the authentication directory credentials such as the host name port number based DN the user entry to bind as and the corresponding password LDAP version number and minimum and maximum nu...

Страница 523: ...t Complete this step only if you want to configure the server to use the directory and PIN based authentication method with or without PIN removal Otherwise skip to the next step To set up a directory...

Страница 524: ...PIN from the directory after Certificate Management System successfully authenticates that user and thus prevents the user from enrolling for another certificate ACIs must be set up on the directory t...

Страница 525: ...ACI for ou people o siroe com successful Step C Prepare the Input File This step is optional If you want to generate PINs for specific user entries or want to provide your own PINs use an input file t...

Страница 526: ...put file for delivering PINs to users after you complete setting up the required authentication method see Step 9 Deliver PINs to End Users on page 544 Step 3 Enable the AttributePresentConstraints Po...

Страница 527: ...utes When a user enrolls for a certificate using the End Entity Services interface of the Registration Manager it authenticates the user against the replica of the corporate directory If the user pres...

Страница 528: ...n Chapter 3 Constraints Policy Plug in Modules of CMS Plug ins Guide Note that unlike some of the other policy rules Certificate Management System does not create an instance of the Attribute Present...

Страница 529: ...configuration You are returned to the Policy Rules Management tab If required click the Reorder button and order the rules as appropriate For details see Step 5 Reorder Policy Rules on page 599 Step...

Страница 530: ...instances are not created by default only the instance names are embedded in the forms for your convenience If you create authentication instances with the default names you can skip the step Step A...

Страница 531: ...31 Figure 15 5 Authentication information in the default directory based enrollment form For information on locating and customizing the default end entity forms see CMS Customization Guide To add an...

Страница 532: ...authentication instances 3 Click Add The Select Authentication Plugin Implementation window appears It lists the currently registered authentication plug in modules 4 Select a plug in module The follo...

Страница 533: ...h Select this if you want to use the NIS server based authentication module PortalEnroll Select this if you want to use the portal authentication module For the purposes of this instruction assume tha...

Страница 534: ...nges Step 5 Set Up the Enrollment Interface This step explains how to customize the end entity interface for the enrollment method you ve chosen for your users Step A Associate the Authentication Inst...

Страница 535: ...tribute the VALUE field Make sure that it is same as the name or ID you assigned to the authentication instance you created in Step 5 If it is different replace it with the name of the authentication...

Страница 536: ...r_root cert instance_id web ee 2 Locate the index html file 3 Open the file in a text editor 4 Follow instructions as appropriate If you want to enable the CertBasedDualEnroll html form search for Cer...

Страница 537: ...w menuItem item CertBasedSingleEnroll html Certificate Uncomment the lines and then add lines for using the automated enrollment module you configured the server with Your edited lines should look lik...

Страница 538: ...odules a link for the corresponding form is automatically created under the Browser section For example if you create an instance of the directory based authentication module you will notice a new lin...

Страница 539: ...rtificate Manager is configured for end entity interaction the Registration Manager is not configured for end entity interaction Depending on the subsystem you re configuring follow the instructions i...

Страница 540: ...wal request with validity period beyond June 10 2004 will have validity period truncated to end on June 10 2004 Validity periods of certificates during enrollment is determined by the policy explained...

Страница 541: ...r s policy configuration overrides the algorithm you select here For information on a Certificate Manager s policy configuration see SigningAlgorithmConstraints policy plug in module in CMS Plug ins G...

Страница 542: ...s you made require you to restart the server you will be prompted accordingly In that case restart the server Step 7 Turn on Automated Notification Both the Certificate Manager and the Registration Ma...

Страница 543: ...ample you can point your browser to the portal directory and find out if an entry for the user for whom you requested the certificate exists In the URL field type ldap host_name port base_dn sub uid u...

Страница 544: ...nge a secure means of delivering the password to the user or ask the user to collect it from you in person Managing Authentication Instances This section explains how to use the CMS window to do the f...

Страница 545: ...cordingly In that case restart the server Modifying an Authentication Instance You can modify an authentication instance by editing its configuration parameter values you cannot edit the name of an in...

Страница 546: ...pane shows the Authentication Instance tab which lists configured authentication instances 4 In the Instance Name list select the instance you want to modify and click Edit The Configure Authenticatio...

Страница 547: ...the Configuration by Editing the Configuration File on page 349 Registering an Authentication Module You can register custom authentication plug in modules from the CMS window Registering a new authen...

Страница 548: ...tered 4 Click Register The Register Authentication Plugin Implementation window appears 5 Specify which module you want to register Plugin name Type a name for the module Class name Type the full name...

Страница 549: ...n Instance on page 544 You should also update the appropriate end entity enrollment forms To delete an authentication module from the CMS authentication framework 1 Log in to the CMS window see Loggin...

Страница 550: ...Managing Authentication Plug in Modules 550 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 551: ...mizing Notification Messages page 554 Configuring a Subsytem to Send Notifications page 559 Automated Notifications You can configure the Certificate Manager and Registration Manager to send automated...

Страница 552: ...ed as ca notification certIssued and for the Registration Manager it is defined as ra notification certIssued For more information on listeners check the samples directory server_root cms_sdk cms_jdk...

Страница 553: ...roblems The location of the notification email template The subject line of the notification message Notification of New Request in Queue When a deferred end entity request enters the request queue of...

Страница 554: ...ion message The email addresses of message recipients these should be subsystem agents whose task is to review deferred enrollment requests Customizing Notification Messages Notification and summary e...

Страница 555: ...n text notifications to end entities upon issuance of certificates certIssued_RA html Template for the Registration Manager to send HTML based notifications to end entities upon issuance of certificat...

Страница 556: ...tration Manager notification_name specifies the name of the event triggered notification certIssued for the certificate issuance notifications to end entities and requestInQ for the request in queue n...

Страница 557: ...ems please send an email to cert_central siroe com Thank you Tokens Available in Message Templates This section explains the tokens provided in the templates used by the default job plug in and event...

Страница 558: ...s This token enables you to construct the URL from which end entities can download their certificates see the example in Customizing Message Templates on page 556 InstanceID Specifies the ID assigned...

Страница 559: ...on is sent by a Certificate Manager this will be ca If the notification is sent by a Registration Manager this will be ra RequestId Specifies the request ID Table 16 4 Tokens for the request in queue...

Страница 560: ...Messages on page 554 and customize the message templates for the notifications your want to turn on Step 2 Turn On Certificate Issuance Notification Skip to the next step if you don t want to turn thi...

Страница 561: ...at contains the template to be used for formulating the message content 6 To save your changes click Save The CMS configuration is modified If the changes you made require you to restart the server yo...

Страница 562: ...subject title for the notification for example End Entity Request in Queue Recipient s E Mail Address Type the recipient s full email address this is the person who will check the queue You can speci...

Страница 563: ...erwise type the full host name of the machine on which your mail server is installed Certificate Management System uses this name to access the mail server The format for the host name is as follows m...

Страница 564: ...esses in the notification configuration to your email address 2 Go to the end entity interface and request a certificate using the manual enrollment form When the request gets queued for agent approva...

Страница 565: ...for various job items appear in the configuration file The chapter has the following sections Configuring a Subsystem to Run Automated Jobs page 565 Managing Job Plug in Modules page 575 Configuring...

Страница 566: ...tion Massages section to get familiar with the templates the server uses for formulating notification messages If you want to customize them do that before you start configuring a job plug in check th...

Страница 567: ...ternatively you may keep it in the disabled state If you want to create a new job follow the instructions in Step 4 Add New Jobs on page 569 Figure 17 1 Default jobs created for a Certificate Manager...

Страница 568: ...17 1 showing the default jobs 4 In the Instance Name list select a job that you want to modify For the purposes of this instruction assume that you selected the job named unpublishExpiredCerts 5 Clic...

Страница 569: ...need to create a new job because jobs for all the default plug ins are created for you during installation However in certain circumstances for example if you deleted a default instance you might hav...

Страница 570: ...nager To add a job to the CMS configuration 1 In the Job Instance tab click Add The Select Job Plugin Implementation window appears Table 17 2 Job modules registered with a Certificate Manager and Reg...

Страница 571: ...n Job Instance ID Type a unique name that will help you identify the job Be sure to formulate the name using any combination of letters aA to zZ digits 0 to 9 an underscore _ and a hyphen For example...

Страница 572: ...plate to be used for formulating the message content For example C Netscape Server4 cert testCA emails renewJob txt summary enabled Type true if you want the server to compile a summary report of rene...

Страница 573: ...steps 1 through 5 and create additional rules if required Step 5 Schedule the Frequency The Certificate Manager and Registration Manager can execute a job only if the Job Scheduler is turned on or ena...

Страница 574: ...ration is modified If the changes you made require you to restart the server you will be prompted accordingly In that case restart the server Step 6 Verify Mail Server Settings The Certificate Manager...

Страница 575: ...uests Otherwise type the port number 3 To save your changes click Save The CMS configuration is modified If the changes you made require you to restart the server you will be prompted accordingly In t...

Страница 576: ...of the Java class that implements the module For example you can add a job implementation named as follows com netscape jobscheduler unpublishUserCert Before registering a module be sure to put the Ja...

Страница 577: ...type com myCompany myJob 7 Click OK The CMS configuration is modified If the changes you made require you to restart the server you will be prompted accordingly In that case restart the server Deleti...

Страница 578: ...Job Plugin Registration tab appears It lists currently registered job modules 5 In the Plugin Name list select the module you want to delete and click Delete 6 When prompted confirm the delete action...

Страница 579: ...Modules page 602 Introduction to Policy You can configure the main subsystems of Netscape Certificate Management System CMS the Certificate Manager Registration Manager and Data Recovery Manager to a...

Страница 580: ...nd revocation requests from end entities in order to formulate the certificate content before forwarding the requests to a Certificate Manager for signing For example you can configure a Registration...

Страница 581: ...validity period Enforce organizational constraints such as subject name key algorithm key size and validity period Determine whether the private key should be archived Keep in mind that the server app...

Страница 582: ...using variables and relational operators AND or OR For example you could set up a predicate to put the CRL Distribution Point extension only in SSL client certificates or set different validity dates...

Страница 583: ...equest Other attributes regarding the end entity such as the user ID are set on the request after successful authentication The servlets also interpret the form content for example retrieving the key...

Страница 584: ...ca Attributes for Predicates Attributes for predicates can come from any of the following Input form that is the HTML form that end entities use for submitting certificate requests Authentication tok...

Страница 585: ...ver certificate Enrollment doSslAuth Specifies whether the client is required to do SSL client authentication during enrollment Default values include the following on off Enrollment certauthEnroll Sp...

Страница 586: ...Guide Enrollment cepsubstore Specifies the name of the CEP service for example cep1 and cep2 When setting up multiple CEP services you can use predicates to differentiate one service for another see...

Страница 587: ...issue certificates with the appropriate validity periods you must formulate your predicate expression with the attribute you added Here s how you do this 1 Create a new instance of the ValidityConstra...

Страница 588: ...lidityRule2 maxValidity 60 ca Policy rule ValidityRule2 minValidity 10 ca Policy rule ValidityRule2 predicate HTTP_PARAMS certType client AND HTTP_PARAMS orgunit Sales The new configuration would resu...

Страница 589: ...es on the request 2 If at least one of the policy rules requires agent approval for the request that is if any of the policy rules returned a PolicyResult DEFERRED value the processor stores the reque...

Страница 590: ...ed Information on page 28 This planning will help you configure a Certificate Manager and Registration Manager with the appropriate policy rules so that your end entities get the right kind of certifi...

Страница 591: ...s certificate renewal requests if DefaultRenewalValidityRule is disabled If you don t want to use a rule delete it from the configuration as explained in Step 3 Delete Unwanted Policy Rules on page 59...

Страница 592: ...fierExt Yes Yes CertificatePoliciesExt Yes Yes NSCCommentExt Yes Yes OCSPNoCheckExt No No OCSPSigningExt Yes Yes CODESigningExt Yes Yes GenericASN1Ext Yes Yes CRLDistributionPointsExt Yes Yes SubjectA...

Страница 593: ...Select Policies The Policy Rules Management tab appears It lists configured policy rules 5 In the Policy Rule list select a rule that you want to modify For the purposes of this instruction assume tha...

Страница 594: ...estart the server you will be prompted accordingly Don t restart the server yet you can do so after you ve made all the required changes Step 4 Add New Policy Rules Adding a policy rule to the CMS con...

Страница 595: ...policy modules registered with a Certificate Manager Table 18 4 Policy modules of a Certificate Manager and Registration Manager Policy plug in module name Certificate Manager Registration Manager Att...

Страница 596: ...No PrivateKeyUsagePeriodExt Yes Yes RemoveBasicConstraintsExt Yes No RenewalConstraints Yes Yes RenewalValidityConstraints Yes Yes RevocationConstraints Yes Yes RSAKeyConstraints Yes Yes SigningAlgor...

Страница 597: ...plementation window appears It lists registered policy plug in modules If you have registered any custom policy modules see Registering a Policy Module on page 602 they too will be listed here 2 Selec...

Страница 598: ...ficates The value must be an integer greater than zero and also greater than the value you typed for the minValidity parameter The default value is 730 days leadTime Type the lead time in minutes for...

Страница 599: ...y category in the configuration file a policy configuration with a lower priority precedes one with a higher priority This simple linear listing avoids the need to have explicit locking on request att...

Страница 600: ...to restart the server in any of the previous steps To restart the server from the CMS window 1 Click the Tasks tab 2 Click Restart the Server Step 7 Test Policy Configuration To make sure that you ve...

Страница 601: ...generation process Step B Approve the Request This step is required if you used the manual enrollment form for requesting the certificate The request you submitted is waiting in the agent queue for ap...

Страница 602: ...rhino To learn more about how to use JavaScript in Certificate Management System consult the sample policy js file included in the distribution server_root bin cert js policy js Managing Policy Plug...

Страница 603: ...s policy framework 1 Log in to the CMS window see Logging In to the CMS Window on page 343 2 Select the Configuration tab 3 In the navigation tree select the subsystem that will use the module you wan...

Страница 604: ...onfiguration click Refresh Deleting a Policy Module You can delete unwanted policy plug in modules using the CMS window Before deleting a module be sure to delete all the policy rules that are based o...

Страница 605: ...er explains how to configure the Certificate Manager to publish certificates and CRLs to an LDAP directory The chapter also tells you how to update the directory manually if the need arises The chapte...

Страница 606: ...ates to a directory for distribution Note that configuring the Certificate Manager for LDAP publishing is optional you can turn this feature off without affecting any of the certificate issuance renew...

Страница 607: ...ia a Registration Manager get published to the directory Figure 19 3 Publishing of certificates requested via a Registration Manager Timing of Directory Updates If the LDAP directory is properly confi...

Страница 608: ...y You need to configure the server to run the appropriate job For details see Configuring a Subsystem to Run Automated Jobs on page 565 When the certificate revocation list is created or updated eithe...

Страница 609: ...ly published or not Directory Update Process As indicated in Table 19 1 on page 608 when a Certificate Manager is requested to issue a certificate update certificate information or publish a CRL it au...

Страница 610: ...you can use the Update Directory option in the Certificate Manager Agent Services interface to synchronize the publishing directory with the internal database The following choices are available for s...

Страница 611: ...two separate key pairs one for signing certificates and another one for signing CRLs The CA s function includes creating the CRLs periodically and distributing them to other applications For example t...

Страница 612: ...o longer has the right to use the certificate The private key of a certificate owner has been compromised The certificate owner doesn t want to use the certificate The private key of the CA that issue...

Страница 613: ...e Retrieval tab of the CMS end entity interface Netscape client users can manually check the revocation status of a particular certificate and automatically import the latest version of the CRL into t...

Страница 614: ...matically updated in the publishing directory Note that the server publishes the CRL to the certificateRevocationList binary attribute of the CA s entry in the directory To locate the correct director...

Страница 615: ...CRL and thus speed up the revocation status checking process CRL distribution points can be associated with certificates by setting the CRLDistributionPoint extension in them By default the Certifica...

Страница 616: ...hes certificates and CRLs to the directory Read Chapter 5 Mapper Plug in Modules and Chapter 6 Publisher Plug in Modules of CMS Plug ins Guide Be sure to take a look at the default mappers and publish...

Страница 617: ...rtificate Manager s Key Pairs and Certificates on page 437 By default the server uses its SSL server certificate see SSL Server Key Pair and Certificate on page 441 Depending on your PKI setup you may...

Страница 618: ...ired Schema for Publishing End Entity Certificates The Certificate Manager publishes an end entity s certificate to the userCertificate binary attribute within the end entity s or subject s directory...

Страница 619: ...ateRevocationList binary This attribute is an attribute of the object class certificationAuthority The value of the attribute is the DER encoded binary X 509 certificate revocation list The CA s entry...

Страница 620: ...tes and CRLs 3 Double click the instance or select the instance and click Open This opens the Directory Server window 4 Select the Directory tab 5 Select the domain name right click select New and the...

Страница 621: ...For example it may look like this CN testCA OU Research Dept O Siroe Corporation ST California C US For instructions on giving write access to the Certificate Manager s entry see your LDAP directory...

Страница 622: ...Publishing With Basic Authentication To configure Directory Server for basic authentication 1 Go to the Directory Server window 2 Select the Configuration tab and then in the right pane select the En...

Страница 623: ...rver certificate Trust the CA that issued the certificate the Certificate Manager will use for SSL client authentication Use a valid secure port number for communication with the Certificate Manager H...

Страница 624: ...ctory Server from a CA that is trusted by the Certificate Manager You may get this certificate from the Certificate Manager itself The instructions that follow Step 2 through Step 9 explain how to do...

Страница 625: ...select the Tasks tab and then click the Certificate Setup Wizard button b Select the token for generating the key pair and for storing the certificate Since you don t have the certificate select No If...

Страница 626: ...anges to it As indicated in the message a copy of this information is also saved to the temp file in the host machine s file system BEGIN NEW CERTIFICATE REQUEST MMIIBnzCCAQgCAQAwXzELMAkGA1UEBhMCVXMxE...

Страница 627: ...who will process this request e Click Submit 4 Approve the request you submitted Skip to the next step if you submitted the CSR to an external CA Complete this step if you submitted the CSR to the Ce...

Страница 628: ...ls scroll down to the section that says Installing this certificate in a server b Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file o...

Страница 629: ...Go to the end entity interface of the Certificate Manager or to the Registration Manager that s connected to the Certificate Manager b Click the Retrieval tab c In the left frame click Import CA Cert...

Страница 630: ...ry Server listens for incoming requests a In the Directory Server window select the Configuration tab and then in the navigation tree select the root the topmost item b Select the Settings tab in the...

Страница 631: ...section select the appropriate option Do not allow client authentication Select this if you want to configure the directory for basic authentication or for SSL based communication without client auth...

Страница 632: ...ing the entry in the directory What certificate attributes the server should use as search criteria when searching for the entry in the directory Whether the server needs to go through any additional...

Страница 633: ...the entire LDAP tree for entries matching the filter If there isn t a DNComps entry in the mapping the server uses either the CmapLdapAttr setting if present or the entire subject DN in the Certifica...

Страница 634: ...MyGroup O MyCompany C US MyCA dnComps OU O C MyCA filterComps E MyCA verifycert on This file has two mappings a default one and another for MyCA When the Directory Server gets a certificate from anyo...

Страница 635: ...r SSL client authentication by the Certificate Manager is myCA and that the issuer name or DN of the CA is CN rootCA O siroe com the server should use the FilterComps attributes to locate the entry If...

Страница 636: ...and supply the PIN or password that protects the key pair you generated for the Directory Server s certificate For security reasons the dialog box that prompts you for this PIN appears only on the se...

Страница 637: ...default publishers are as follows LdapCaCertPublisher LdapCrlPublisher LdapUserCertPublisher The Certificate Manager also creates a set of publishing rules using the default mappers and publishers The...

Страница 638: ...hing and then select Mappers The right pane shows the Mappers Management tab which lists configured mappers 4 In the Mapper list select a mapper that you want to modify For the purposes of completing...

Страница 639: ...e Corporation the pattern should look like this cn Certificate Authority o subj o This rule applies to all mappers 7 To modify the remaining mappers repeat steps Step 4 through Step 6 8 Click Refresh...

Страница 640: ...w appears showing how this publisher is currently configured 4 Make the necessary changes and click OK You are returned to the Publishers Management tab 5 To modify the remaining publishers repeat ste...

Страница 641: ...t Publishing and then select Rules The right pane shows the Rules Management tab which lists configured publishing rules 2 In the Rule list select a publishing rule that you want to modify For the pur...

Страница 642: ...ublishers and publishing rules for a CA certificate and for end entity certificates Creating of new mappers publishers and publishing rules for CRLs is covered in Step 4 Configure the Certificate Mana...

Страница 643: ...fied in the certificate subject name and attribute variable assertion AVA constants LdapSubjAttrMap Select this if you want the server to locate the CA s entry by searching for an LDAP attribute whose...

Страница 644: ...ick the Help button 6 Click OK The Mappers Management tab appears listing the new mapper Creating a Mapper for End Entity Certificates Creating a mapper for end entity certificates involves creating a...

Страница 645: ...y the object class for the CA s entry in the directory Leave it as it is If the field is empty type certificationAuthority 6 Click OK The Publishers Management tab appears listing the new publisher Cr...

Страница 646: ...r the appropriate information Rule ID Type a unique name for the rule use an alphanumeric string with no spaces enable Select this option predicate Type HTTP_PARAMS certType ca indicating that the rul...

Страница 647: ...appears It lists registered modules that enable creating of publishing rules 3 Select the module named Rule This is the default module If you have registered any custom modules they too will be avail...

Страница 648: ...e directory that is currently configured for publishing the CA and end entity certificates A configured Certificate Manager will publish the CRL to the CA s entry in the specified directory replacing...

Страница 649: ...er for the CRL Step D Create a Publisher for the CRL Step E Create a Publishing Rule for the CRL Step A Specify CRL Details You can specify information such as the publishing interval the CRL version...

Страница 650: ...s at regular intervals In this case the server publishes the CRL to the configured directory at the interval you specify In the adjoining text field type the interval in minutes at which the Certifica...

Страница 651: ...type is RSA select MD2 with RSA MD5 with RSA or SHA 1 with RSA If the Certificate Manager s signing key type is DSA select SHA 1 with DSA 5 To save your changes click Save If the changes you made requ...

Страница 652: ...modify a rule select it and then click Edit View 3 Change the information as appropriate Be sure to supply all the required values Click the Help button for detailed information on individual paramet...

Страница 653: ...ting an instance of the publisher module that enables the Certificate Manager to publish the CRL to the correct attribute in the CA s directory entry In the next step described in Step E Create a Publ...

Страница 654: ...e module named LdapCrlPublisher Only this publisher module enables the Certificate Manager to publish the CRL to the certificateRevocationList binary attribute of the CA s directory entry If you have...

Страница 655: ...r and publisher created for publishing CRLs n To create a new publishing rule 1 In the navigation tree click Rules The right pane shows the Rules Management tab which lists any currently configured pu...

Страница 656: ...Rules Management tab appears listing the new rule Step 5 Identify the Publishing Directory To identify the directory to which the Certificate Manager should publish the CA certificate end entity cert...

Страница 657: ...onfigured the Directory Server for basic authentication or for SSL communication without client authentication select Basic authentication and specify values for the Directory manager DN and password...

Страница 658: ...nt the Certificate Manager to publish to is based on Netscape Directory Server 1 x select version 2 For Directory Server versions 3 x and later select LDAP version 3 4 To save your changes click Save...

Страница 659: ...nt you can use the appropriate form and request a certificate To request a client or personal certificate from the Certificate Manager 1 Open a web browser window 2 Go to the end entity interface of t...

Страница 660: ...s Installing this certificate in a client 2 Follow the on screen instructions and download the certificate to your browser s certificate database An alternative way to download the certificate is from...

Страница 661: ...host name is corpDirectory port number is 389 base DN is O siroe com and user s ID is jdoe the URL would look like this ldap corpDirectory 389 O siroe com sub uid jdoe In the resulting page look for...

Страница 662: ...ishing directory 2 Locate the CA s entry 3 Check the certificateRevocationList binary attribute You should find the CRL published Manually Updating Certificates and CRLs in a Directory Normally you do...

Страница 663: ...it the proper certificate to get access to this page 3 Select the Update Directory Server link The Update Directory Server page appears 4 Select the appropriate options 5 When you are done specifying...

Страница 664: ...certificates by changing the value of the predicate parameter to HTTP_PARAMS certType ca Use the LdapCaCertPublisher publisher plug in module to add another rule with the predicate parameter set to HT...

Страница 665: ...Up LDAP Publishing 665 When the directory is updated the Certificate Manager will display a status report If the process gets interrupted for some reason the server logs an error message Be sure to c...

Страница 666: ...Manually Updating Certificates and CRLs in a Directory 666 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 667: ...ficates and CRLs to a file Note that configuring the Certificate Manager for publishing is optional you can turn this feature off without affecting any of the certificate issuance and management opera...

Страница 668: ...es follow these steps Step 1 Before You Begin Step 2 Configure the Certificate Manager Step 3 Test Publishing Step 1 Before You Begin Before configuring a Certificate Manager to publish the CA certifi...

Страница 669: ...RLs Step D Specify CRL Details Step E Set the CRL Extensions Step F Make Sure Publishing is Enabled Step A Create a Publisher for the File Creating a publisher for the file involves creating an instan...

Страница 670: ...pears It lists registered publisher modules 5 Select the module named FileBasedPublisher Only this publisher module enables the Certificate Manager to publish certificates and CRLs to flat files 6 Cli...

Страница 671: ...create another publisher for example PublishCrlsToFile with the value of the directory parameter set to the file path to the other directory for example C crls Step B Create Publishing Rules for Certi...

Страница 672: ...certType ca enable Select this option mapper Select NONE publisher Select the publisher you created in the previous step Step A For example PublishCertsToFile 6 Click OK The Rules Management tab appea...

Страница 673: ...ct the module named Rule This is the default module If you have registered any custom modules they too will be available for selection Table 20 1 Certificate types and predicate expressions End entity...

Страница 674: ...or example PublishCertsToFile type Select crl predicate Leave this field blank enable Select this option mapper Select NONE publisher Select the publisher you created in the previous step Step A 6 Cli...

Страница 675: ...this case every time a certificate is revoked Publishing a CRL can be time consuming if the CRL is large Configuring the Certificate Manager to publish CRLs every time a certificate is revoked may eng...

Страница 676: ...Include expired certificates Check this box if you want the server to include revoked certificates that have expired in the CRL Allow extensions Check this box if you want to allow extensions in the C...

Страница 677: ...e CRL extensions the Certificate Manager should set 1 In the navigation tree select Certificate Manager and then select CRL Extensions The right pane shows the CRL Extensions Management tab which list...

Страница 678: ...to publish certificates and CRLs to an LDAP directory 3 If you changed anything click Save to save the changes If the changes you made require you to restart the server you are prompted accordingly In...

Страница 679: ...he client generates the key pair Do not interrupt the key generation process Step B Approve the Request Skip this step if you requested the certificate using any of the automated enrollment methods in...

Страница 680: ...ate it automatically attempts to publish the certificate to the configured repository in this case the file To check whether the Certificate Manager published the correct certificate you need to do th...

Страница 681: ...ZSBDb21tdW5pY2F0aWhfyyuougjgjjgmkgjkgmjg fjfgjjjgfyjfyj9ucyBDb3Jwb3JhdGlvbjpMEaMBgGA1UECxMRSXNzdWluZyhgdfhbfdpffjphotoo gdhkBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzMM0WjBXMQswCQYDVQQGEwJ V...

Страница 682: ...ing the certificate make sure that you ve configured the Certificate Manager to publish the CRL every time a certificate is revoked In Step D Specify CRL Details on page 674 if you didn t configure th...

Страница 683: ...specifies the value derived from the time dependent variable named This Update of the CRL contained in the file If you don t see the file check your configuration 2 Convert the DER encoded CRL to its...

Страница 684: ...Tools Guide To convert the base 64 encoded CRL to a human readable form a Check the command window to make sure that your are at this directory server_root bin cert tools b At the prompt enter this P...

Страница 685: ...example you can add a mapper implementation named as follows to the Certificate Manager s policy framework com netscape publishing customMapper Before registering a plug in module be sure to put the...

Страница 686: ...6 Specify information as appropriate Plugin name Type a name for the plug in module Class name Type the full name of the class for this module that is the path to the implementing Java class If this...

Страница 687: ...g framework 1 Log in to the CMS window see Logging In to the CMS Window on page 343 2 Select the Configuration tab 3 In the navigation tree select Certificate Manager and then select Publishing To del...

Страница 688: ...Managing Mapper and Publisher Plug in Modules 688 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 689: ...CSP service built into the Certificate Manager for real time verification of certificates issued by the Certificate Manager The chapter also explains how to configure one or more Certificate Managers...

Страница 690: ...applications which when trying to validate a certificate query the appropriate OCSP responder using the OCSP protocol for the status of the certificate The applications determine the location of the...

Страница 691: ...following The CA that issued the certificate and whose status is being verified by the responder A responder whose public key which corresponds to the private key it uses to sign responses is trusted...

Страница 692: ...d by the client Based on the status the client decides whether to validate the certificate How to Get an OCSP Responder To aid you in the process of setting up a OCSP compliant PKI setup Certificate M...

Страница 693: ...to publish their CRLs to the Online Certificate Status Manager The Online Certificate Status Manager stores each Certificate Manager s CRL in its internal database and uses the appropriate CRL to ver...

Страница 694: ...ant to set up an OCSP compliant PKI setup For this purpose you can use clients such as Netscape 6 or Netscape Communicator with Netscape Personal Security Manager Personal Security Manager is an OCSP...

Страница 695: ...his If you are unfamiliar with Online Certificate Status Protocol OCSP read the PKIX draft RFC 2560 available at this web site http www ietf org rfc rfc2560 txt Read section What s an OCSP Compliant P...

Страница 696: ...ains how to install the product and lists known issues and restrictions You must read this first for installation instructions Make sure you also have the cmcjavascriptapi html file handy It describes...

Страница 697: ...formation Access extension in certificates a Select the Advanced tab b On the left side select Options and then click the OCSP Settings button c In the OCSP Settings window select the Use OCSP to veri...

Страница 698: ...he CMS Window on page 343 2 Select the Configuration tab The Network tab appears 3 In the End Entity section select the Enable option and in the adjoining field type a TCP IP port number that is uniqu...

Страница 699: ...need to follow the instructions below and enable the service To enable a Certificate Manager s OCSP service 1 In the navigation tree select Certificate Manager The General Setting tab appears 2 In the...

Страница 700: ...to add the required extensions to these certificates During the installation of a Certificate Manager if you chose to enable its OCSP service a default policy rule named AuthInfoAccessExt is created...

Страница 701: ...anager to add the extensions required in an OCSP compliant client certificate 1 In the navigation tree select Certificate Manager and then select Policies The Policy Rules Management tab appears It li...

Страница 702: ...ample if the hostname of your Certificate Manager is demoCA siroe com and the end entity port number is 8000 the URL to type in the field would be http demoCA siroe com 8000 ocsp If you need details a...

Страница 703: ...the Browser Step F Verify the Certificate in the Browser Step G Check the Status of Certificate Manager s OCSP Service Step H Revoke the Certificate Step I Verify the Certificate in the Browser Step...

Страница 704: ...tificate Manager you configured or to the Registration Manager that s connected to this Certificate Manager The URL is in this form https hostname end_entity_HTTPS_port or http hostname end_entity_HTT...

Страница 705: ...tificate details for the required extensions 3 Follow the on screen instructions and download the certificate to your browser s certificate database An alternative way to download the certificate is t...

Страница 706: ...a message that says that the certificate is verified generally it s at the top Step G Check the Status of Certificate Manager s OCSP Service The Certificate Manager s Agent interface contains a form...

Страница 707: ...OK The Certificate Manager revokes the certificate and updates the certificate status in its internal database Step I Verify the Certificate in the Browser To verify that the certificate has been revo...

Страница 708: ...responder waits for queries about revocation status of certificates This section explains how to set up a Certificate Manager functioning as a root CA to publish CRLs to a remote Online Certificate St...

Страница 709: ...cies Step 6 Configure the Online Certificate Status Manager Step 7 Restart the Certificate Manager Step 8 Restart the Online Certificate Status Manager Step 9 Verify Certificate Manager and Online Cer...

Страница 710: ...whether you want the Certificate Manager to publish version 1 or version 2 CRLs to the directory If you decide to publish version 2 CRLs read Chapter 4 Certificate Extension Plug in Modules of CMS Pl...

Страница 711: ...tificates in the CA certificate chain you can download the CA chain from the Retrieval tab of a Certificate Manager s end entity interface The steps below explain how to store the Certificate Manager...

Страница 712: ...d in the left frame click Import CA Certificate Chain d In the resulting form select the Display certificates in the CA certificate chain for importing individually into a server option A list of cert...

Страница 713: ...g that the Certificate Manager can communicate with the Online Certificate Status Manager Step 4 Configure the Certificate Manager to Publish CRLs In this step you configure the Certificate Manager to...

Страница 714: ...te Frequency section select the Every time a certificate is revoked or taken off hold option This option enables the Certificate Manager to generate the CRL every time it revokes a certificate Keep in...

Страница 715: ...CRL extensions as described in Step B Set the CRL Extensions on page 715 Revocation list signing algorithm Select the algorithm the server should use to sign the CRL If the Certificate Manager s signi...

Страница 716: ...e Be sure to supply all the required values Click the Help button for detailed information on individual parameters 4 Click OK You are returned to the CRL Extensions Management tab 5 To modify other r...

Страница 717: ...publisher instances 2 Click Add The Select Publisher Plugin Implementation window appears It lists registered publisher modules 3 Select the module named OCSPPublisher Only this publisher module enabl...

Страница 718: ...ld shows the default path ocsp addCRL If necessary type it in 6 Click OK The Publishers Management tab appears listing the new publisher Step D Create a Publishing Rule for the CRL Creating a publishi...

Страница 719: ...be sure to use an alphanumeric string with no spaces For example PublishCa1CrlToOcspResponder type Select crl predicate Leave this field blank enable Select this option mapper Select NONE publisher Se...

Страница 720: ...DAP compliant directory to files or to an online validation authority 2 Make sure that the Enable Publishing option is selected If it is already selected leave it as it is If it isn t select it Leave...

Страница 721: ...ificate it issues only if the corresponding policy is enabled and configured properly Hence before issuing the OCSP compliant client certificate you must verify that the Certificate Manager is configu...

Страница 722: ...TP_PARAMS certType client critical Leave this option unchecked numADs Type 1 ad0_method Type ocsp or 1 3 6 1 5 5 7 48 1 ad0_location_type Select URL ad0_location Type the complete path to the location...

Страница 723: ...default CRL store for verifying the revocation status of certificates You can also configure the Online Certificate Status Manager to use the CRL published to an LDAP directory instead of the CRL in...

Страница 724: ...atabase 4 Select the appropriate option If you want to configure the Online Certificate Status Manager to use the CRLs in its internal database select defStore and click Edit View If you want to confi...

Страница 725: ...e response will be UNKNOWN which when encountered by Netscape Personal Security Manager an OCSP compliant client results in an error message includeNextUpdate The Online Certificate Status Manager can...

Страница 726: ...lds host n Type the fully qualified hostname of the LDAP directory The name must be in the machine_name your_domain domain form For example corpDir1 siroe com port n Type the nonSSL port of the LDAP d...

Страница 727: ...ding to the OCSP protocol it is optional to include the time stamp of next CRL update in an OCSP response Select this option if you want the OCSP response to contain information about the next CRL upd...

Страница 728: ...and Online Certificate Status Manager Connection When you restart the Certificate Manager it tries to connect to the Online Certificate Status Manager s agent port you specified this in Step C Create...

Страница 729: ...the Browser Step F Verify the Certificate in the Browser Step G Check the Status of Online Certificate Status Manager Step H Revoke the Certificate Step I Verify the Certificate in the Browser Step J...

Страница 730: ...he Registration Manager that s connected to this Certificate Manager The URL is in this form https hostname end_entity_HTTPS_port or http hostname end_entity_HTTP_port 2 In the left frame under Browse...

Страница 731: ...details for the required extensions 3 Follow the on screen instructions and download the certificate to your browser s certificate database An alternative way to download the certificate is to go to...

Страница 732: ...t says that the certificate is verified generally it s at the top Step G Check the Status of Online Certificate Status Manager To go to the Online Certificate Status Manager s status page and verify t...

Страница 733: ...to revoke 5 Select the certificate you downloaded and click OK The Certificate Manager revokes the certificate constructs the CRL and publishes the CRL to the Online Certificate Status Manager Step I...

Страница 734: ...not be verified To check the Online Certificate Status Manager status for verification 1 Go to the Online Certificate Status Manager s status page 2 Reload the page hold down the Shift key and click o...

Страница 735: ...he organization that owns the data This chapter explains how to use the Data Recovery Manager to archive users encryption private keys and how to use the archived keys later in place of missing encryp...

Страница 736: ...u cannot archive and recover a private key deriving from a single key pair By contrast clients that can generate dual key pairs use one private key for encrypting data and the other for signing data B...

Страница 737: ...matically requests the service of the Data Recovery Manager For information on customizing this form see Step C Customize the Certificate Enrollment Form on page 753 Initiating the key recovery proces...

Страница 738: ...se each key is stored as a key record The archived copy of the key remains encrypted or wrapped with the Data Recovery Manager s storage key see Storage Key Pair on page 447 It can be decrypted or unw...

Страница 739: ...ager receives an encrypted copy of the user s private key and stores the key in its key repository To archive the key the Data Recovery Manager uses two special key pairs A transport key pair and corr...

Страница 740: ...the Registration Manager the Data Recovery Manager decrypts it with the private key that corresponds to the public key in its transport certificate After confirming that the private encryption key co...

Страница 741: ...You facilitate this by allowing each recovery agent to enter a password in the Data Recovery Manager configuration They must be available to retrieve your users encryption private keys if the need ar...

Страница 742: ...ry agents m provide their identifiers and passwords After verifying the passwords the Data Recovery Manager reconstructs the PIN for the token based on the given information Interface for the Key Reco...

Страница 743: ...ta Recovery Manager retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS 12 package By default key recovery authorization is local Remote Key Recov...

Страница 744: ...n switch to remote authorization by deselecting the local authorization option in the Key Recovery form How Agent Initiated Key Recovery Works In an agent initiated key recovery the key is recovered b...

Страница 745: ...ecovery Manager agent accesses the Key Recovery form using the appropriate client certificate types the identification information pertaining to the person whose encryption private key needs to be rec...

Страница 746: ...sword for the PKCS 12 package and their individual identifiers and passwords The Data Recovery Manager agent submits the page to the Data Recovery Manager 5 The Data Recovery Manager matches the key r...

Страница 747: ...al storage key password Each password retrieves only a part of the private storage key You first specified the key recovery agent scheme when you installed the Data Recovery Manager Changing the Key R...

Страница 748: ...n and Setup Guide October 2001 3 In the navigation tree select the Data Recovery Manager and in the right pane click the Scheme Management tab The Scheme Management tab shows the current key recovery...

Страница 749: ...nformation click Finish You are returned to the Scheme Management tab Changing Key Recovery Agents Passwords As administrator you have the responsibility of safeguarding the security of each Data Reco...

Страница 750: ...ppears 5 Allow the agent to enter the appropriate information During installation the Data Recovery Manager prompts you to enter key recovery agent passwords by default they are set to agent n where n...

Страница 751: ...and Recovery Process By default the Data Recovery Manager is not configured to archive or recover end users encryption private keys This section explains how to set up key archival and recovery proces...

Страница 752: ...lment form served by an enrollment authority which can be either a Certificate Manager or a Registration Manager When the enrollment authority detects the key archival option in the request it initiat...

Страница 753: ...fail to archive users keys All the end user enrollment forms provided by Certificate Management System for example the directory based enrollment form DirUserEnroll html directory and PIN based enroll...

Страница 754: ...tificate in its base 64 encoded format The transport certificate is stored in the Data Recovery Manager s certificate database If the transport certificate is signed by a Certificate Manager then a co...

Страница 755: ...y the base 64 encoded certificate excluding the marker lines BEGIN CERTIFICATE and END CERTIFICATE to a text file An example is shown below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMC...

Страница 756: ...TIFICATE to a text file The copied information should look like the example below MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCVVMxLDAqBgNVBAoTI0 5ldHNjYXBlIENvbW11bmljYXRpb25zIENvcnBvc...

Страница 757: ...dHNjYXBlMQwwCgYDVQQDEwNLUmEwXDANBgkqhkiG9w0BAQEFAANLADB IAkEArrbDiYUI5SCdlCKKa0bEBn1m83kX6bdhytRYNkdHB95Bp85SR g Pass the kraTransportCert variable to the JavaScript method Replace null the fourth lin...

Страница 758: ...initiated key recovery process in which end users encryption private keys are recovered by designated key recovery agents This section explains how to set up the key recovery process To set up agent...

Страница 759: ...of an end user s encryption private key locally or remotely The default configuration is local authorization It is important that you evaluate both the authorization modes and choose the one that is...

Страница 760: ...est Your Key Archival Setup To test whether you can successfully archive a key follow these instructions 1 Enroll for dual certificates To do this a Open a web browser window b Go to the end entity in...

Страница 761: ...ests link again b In the form that appears select the Show completed requests option and click Find You should see two new certificates with consecutive serial numbers c Download the certificates to t...

Страница 762: ...signed and encrypted There should be a security icon at the top right corner of the message window and it should indicate that the message is signed and encrypted Step C Delete the Certificate To do...

Страница 763: ...ted Key Recovery Works on page 744 The base 64 encoded certificate that corresponds to the private key you want to recover use the enrollment authority s end entity or agent interface to get this info...

Страница 764: ...ss 764 Netscape Certificate Management System Installation and Setup Guide October 2001 3 Open the test email that you couldn t verify after deleting the certificate from the browser s certificate dat...

Страница 765: ...ts The chapter has the following sections Introduction to Logs page 765 Configuring CMS Logs page 773 Monitoring CMS Logs page 779 Archiving of Rotated Log Files page 789 Managing Log Modules page 792...

Страница 766: ...messages to these files For example if you installed a Certificate Manager and a Data Recovery Manager together you will find log messages for both the subsystems in the same log file Table 23 1 Type...

Страница 767: ...vents related to this server s administration activities that is HTTPS communication between the CMS window and Certificate Management System All Specifies logged events related to all the services Au...

Страница 768: ...it means less detail because only events of high priority are logged A lower priority level a smaller digit means greater detail because more kinds of events are recorded in the log file Request Queue...

Страница 769: ...server cannot send back the request it processed for a client through the same channel the request came from the client 4 Misconfiguration These messages indicate that a misconfiguration in the serve...

Страница 770: ...mes the current log file and then creates a new log file with the original name The rotated log file is saved with the original file type and an appended timestamp The name of a rotated log file is in...

Страница 771: ...out messages as they are generated to the log files Because the server performs an I O operation writing to the log file each time a message is generated configuring the server for unbuffered logging...

Страница 772: ...cally Because the rotated log files are also saved in your local file system these files eventually take up a considerable amount of disk space You can avoid this problem by doing one of the following...

Страница 773: ...e 765 Read Chapter 8 Log Plug in Modules of CMS Plug ins Guide Step 2 Modify the Existing Listeners When you create a CMS instance a set of log event listeners that you would most likely want to use a...

Страница 774: ...exactly like the listener you want to rename except with a new name and delete the old listener As a part of editing a listener you can change its status from enabled to disabled or vice versa by chec...

Страница 775: ...Listener Editor window appears showing how this listener is configured An example is shown below 5 Make the necessary changes and click OK You are returned to the Log Event Listener Management tab 6 R...

Страница 776: ...gistered log plug in module assigning a unique name for the instance and entering appropriate values for the parameters that define the module you want to create an instance of When you add a listener...

Страница 777: ...te Manager To add a new listener to the CMS configuration 1 In the Log Event Listener Management tab click Add The Select Log Event Listener Plugin Implementation window appears It lists registered lo...

Страница 778: ...see Logs Maintained by the Server on page 766 enabled Select this box level From the drop down list select a log level The choices are Debug Information Warning Failure Misconfiguration Catastrophe a...

Страница 779: ...n you have problems with Certificate Management System that require troubleshooting you may find it helpful to check the error or informational messages that the server has logged Also by examining th...

Страница 780: ...ntered such as authentication failures malformed universal resource indicators URIs invalid database password indications and server start up and shut down messages Messages related to the status of c...

Страница 781: ...has located that match the search request If you enter zero 0 no messages are returned If you leave the field blank the server returns every matching entry no limit regardless of the number found Sou...

Страница 782: ...try you see the following details Source Indicates the CMS component or resource that logged the message Level Indicates the severity of the corresponding entry explained Table 23 3 on page 768 Date I...

Страница 783: ...ted that match the search request If you enter zero 0 no messages are returned If you leave the field blank the server returns every matching entry no limit to the client regardless of the number foun...

Страница 784: ...in Table 23 3 on page 768 Date Indicates the date on which the entry was logged Time Indicates the time at which the entry was logged Details Provides a brief description of the log 6 To view an entry...

Страница 785: ...ction specify your viewing preferences Entries Type the maximum number of entries to be displayed When this limit is reached Certificate Management System returns any entries it has located that match...

Страница 786: ...logical order with the most current log placed at the top Use the scroll arrows on the right edge of the panel to scroll through the log entries For each entry you see the following details Source Ind...

Страница 787: ...r events related to your server For more information about the Event Viewer check your system documentation To monitor Certificate Management System by using Event Viewer 1 In the Administrative Tools...

Страница 788: ...3 6 Error message indicating event log is full If you see this dialog box you must clean up the application log immediately Here s what you should do 1 From the Start menu on your desktop select Progr...

Страница 789: ...ption 5 Click OK 6 Close the Event Viewer window Archiving of Rotated Log Files Log files especially the audit log file contain critical information So it is good practice to periodically archive rota...

Страница 790: ...n signing the log files follow these guidelines Determine the key pair you want to use for signing the log directory Typically you should use the Certificate Manager s the CA s signing key pair Also f...

Страница 791: ...e databases for the CA This must be the same path you used to copy the security module database in step 2 cert_nickname specifies the nickname of the certificate you want the utility to use for signin...

Страница 792: ...dule be sure to put the Java class for the module in the classes directory the implementation must be on the class path To register a log plug in module with a CMS instance 1 Log in to the CMS window...

Страница 793: ...a module be sure to delete all the listeners that are based on this module see Step 3 Delete Unwanted Listeners on page 775 To delete a module 1 Log in to the CMS window see Logging In to the CMS Wind...

Страница 794: ...Managing Log Modules 794 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 795: ...795 Part 4 Issuing and Managing Certificates Chapter 24 Issuing and Managing Server Certificates Chapter 25 Setting Up CEP Enrollment...

Страница 796: ...796 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 797: ...must receive the certificate signing request CSR from the server that needs the certificate This request must be initiated by the administrator of the specific server requiring the certificate SSL en...

Страница 798: ...ry for the appropriate information On the other hand if the enrollment form specifies manual authentication the request gets queued and awaits approval by an agent 2 Subjects the request to policy che...

Страница 799: ...er enrollment 2 The Registration Manager verifies the authenticity of the request Because the request requires manual authentication the Registration Manager stores the request in the queue for agent...

Страница 800: ...s specified in the enrollment form Optionally the Registration Manager may publish the certificate to the corporate directory Getting Server SSL Certificates for Netscape Servers To enable a server to...

Страница 801: ...r see the documentation for your server 4 Once you have generated a key pair follow the directions presented to generate a certificate signing request CSR 5 In the Certificate Authority field enter yo...

Страница 802: ...NEW CERTIFICATE REQUEST marker lines In the contact information section enter values to identify yourself These values will be used by the CA if the need arises For example if there are any questions...

Страница 803: ...ends with END CERTIFICATE and paste it into the text area in the form The encryption alias Enter the alias for your server 4 Follow the prompts and add the certificate to your server s certificate dat...

Страница 804: ...dW5pY2F0aW9ucyBDb3Jwb3JhdGlvbjEaMBgGA1UE CxMRSXNzdWluZyBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzM0WjBXMQswCQYDVQ QGEwJVUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9yYXRpb24xGjAYBg...

Страница 805: ...For Netscape version 4 x servers you can use the Certificate Setup Wizard provided by Netscape Console to get new certificates renew existing certificates and install certificates in the database of a...

Страница 806: ...Manager agent To submit the server certificate request to Certificate Management System manually 1 Open a web browser window 2 Go to the End Entity Services interface of the Certificate Manager or a...

Страница 807: ...rocess is similar to the enrollment process in that the administrators must manually generate the certificate signing request using the server s key pair paste that request in the manual enrollment fo...

Страница 808: ...n revoke certificates based on a range of serial numbers or based on one or more subject name components Upon submission of the revocation request the agent receives a list of certificates from which...

Страница 809: ...outers support the use of certificates for authentication encryption and tamper detection by using the IP Security IPSec protocol Certificate Management System supports Cisco s PKI protocol the Certif...

Страница 810: ...irectory Server which is an LDAP compliant directory When you install Certificate Management System two instances of Netscape Directory Server are automatically created in the same server group in whi...

Страница 811: ...ue 5 Follow the on screen instructions to set up CEP enrollment Setting up CEP Enrollment Manually The information covered in this section explains how to set up CEP enrollment manually Note that the...

Страница 812: ...icate Manager publishes end entity certificates and CRLs For the configuration directory to support publishing of certificates and CRLs you need to verify two things The Directory Server schema verify...

Страница 813: ...Once you create these instances you should create a publishing rule for publishing router certificates For instructions see Step B Add Mappers Publishers and Publishing Rules on page 642 Note that th...

Страница 814: ...to the DN the router requests You must have a constant component in the DN which exists in the certificate to be able to publish createEntry Specifies whether to create an entry in the directory befo...

Страница 815: ...st have already created three 3 directory entries for C US O Company C US OU Accounting O Company C US You can do this with the help of the ldapmodify command and an LDIF file with the following infor...

Страница 816: ...figure the Certificate Manager to use either the challenge password or the subject name all or a part of it as an authentication token during a CEP enrollment thus enabling users to get router certifi...

Страница 817: ...stance authentication plug in described in the auths instance configuration parameters If you want to turn off automated enrollment for CEP based requests delete this parameter from the configuration...

Страница 818: ...uld set the keyAttributes parameter as follows auths instance flatfile keyAttributes UNSTRUCTUREDNAME UNSTRUCTURED ADDRESS This will force the server to use both these attributes to locate an entry in...

Страница 819: ...n named pwd for the challenge password In this case you would set the authAttributes parameter as follows auths instance flatfile authAttributes pwd In summary to implement the automated CEP enrollmen...

Страница 820: ...fy the full path to your authentication file and save your changes 4 Restart the Certificate Manager After changing the configuration file you must restart the server for the changes to take effect If...

Страница 821: ...tance flatfile_VPN fileName full_path_to_the_authentication_file auths instance flatfile_VPN authAttributes pwd auths instance flatfile_VPN keyAttributes CN OU O auths instance flatfile_VPN pluginName...

Страница 822: ...S window and verify whether the HTTP port is enabled If it isn t enable it for instructions see Configuring Port Numbers on page 374 If you are requesting the certificate for an earlier version of rou...

Страница 823: ...gorithm and the key length for the certificate you want to request Find out the password that enables you to access the router in privileged mode In your router documentation locate instructions for r...

Страница 824: ...nrollment URL you identified in Step 1 2 The router gets the CA certificate and displays its fingerprint on your screen 3 Verify the fingerprint on your screen with the one you noted down in Step 1 If...

Страница 825: ...rollment or authentication the request gets queued and awaits approval by an agent Example The example below shows the commands and associated outputs for a Cisco router To perform certificate enrollm...

Страница 826: ...e of it Password Re enter password The subject name in the certificate will be router domain com Include the router serial number in the subject name yes no yes The serial number in the certificate wi...

Страница 827: ...827 Part 5 Appendix Appendix A Certificate Download Specification...

Страница 828: ...828 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 829: ...ins page 831 Importing Certificates into Netscape Communicator page 831 Importing Certificates into Netscape Servers page 832 Object Identifiers page 832 Data Formats Netscape products can accept cert...

Страница 830: ...ains It consists of a PKCS 7 ContentInfo structure wrapping a sequence of certificates The value of the contentType field should be netscape cert sequence see Object Identifiers on page 832 while the...

Страница 831: ...n as long as there is a trusted CA somewhere along the chain Importing Certificates into Netscape Communicator Communicator imports certificates via HTTP There are several MIME content types that are...

Страница 832: ...via the server administration interface Certificates are pasted into a text input field in an HTML form and then the form is submitted to the administration server Since the certificates are pasted i...

Страница 833: ...Object Identifiers Appendix A Certificate Download Specification 833 netscape data type OBJECT IDENTIFIER netscape 2 netscape cert sequence OBJECT IDENTIFIER netscape data type 5...

Страница 834: ...Object Identifiers 834 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 835: ...y ACE administrator The person who installs and configures one or more CMS managers and sets up privileged users or agents for them See also agent agent A user who belongs to a group authorized to man...

Страница 836: ...f configuring a CMS manager that allows automatic authentication for the purposes of end entity enrollment without human intervention With this form of authentication a certificate request that comple...

Страница 837: ...series of certificates signed by successive certificate authorities A CA certificate identifies a certificate authority CA and is used to sign certificates issued by that authority A CA certificate ca...

Страница 838: ...subsumed by another proposed standard Certificate Management Messages over Cryptographic Message Syntax CMC For detailed information see http www ietf org internet drafts draft ietf pkix cmmf 02 txt C...

Страница 839: ...CMS instance An instance of a CMS subsystem comprising both code and data and treated as a discrete entity CMS subsystem One of the three CMS Managers Certificate Manager Registration Manager or Data...

Страница 840: ...gistration Manager can be configured to archive end entities encryption keys with a Data Recovery Manager before issuing new certificates The Data Recovery Manager is useful only if end entities are e...

Страница 841: ...div897 pubs fip46 2 htm digital ID See certificate digital signature To create a digital signature the signing software first creates a one way hash from the data to be signed such as a newly issued c...

Страница 842: ...ificate for use in a public key infrastructure PKI Also known as registration end entity In a public key infrastructure PKI a person router server or other entity that uses a certificate to identify i...

Страница 843: ...programming interface that provides binary compatibility across different implementations of the Java Virtual Machine JVM on a given platform allowing existing code written in a language such as C or...

Страница 844: ...rvlet forwards a certificate request to a request queue after successful authentication module processing An agent with appropriate privileges must then approve each request individually before policy...

Страница 845: ...hash A number of fixed length generated from data of arbitrary length with the aid of a hashing algorithm The number also called a message digest has two characteristics 1 It is unique to the hashed d...

Страница 846: ...f archival The signed proof of archival data is the response returned by the Data Recovery Manager to the Registration Manager or Certificate Manager after a successful key archival operation See also...

Страница 847: ...certificate at the top of a certificate chain See also CA certificate subordinate CA RSA algorithm Short for Rivest Shamir Adleman a public key algorithm for both encryption and authentication It was...

Страница 848: ...plus an encryption key and its equivalent public key constitute a dual key pair single sign on 1 In Certificate Management System a password that simplifies the way you sign on to Netscape Certificat...

Страница 849: ...decrypt a given message tamper detection A mechanism ensuring that data received in electronic form has not been tampered with that is that the data received entirely corresponds with the original ve...

Страница 850: ...850 Netscape Certificate Management System Installation and Setup Guide October 2001...

Страница 851: ...nship to Netscape Console 334 relationship to server root 334 starting 335 from Netscape Console 335 from the command line 335 from the Windows NT Services panel 335 stopping 336 from Netscape Console...

Страница 852: ...ned 509 during certificate enrollment 515 during certificate renewal 515 during certificate revocation 517 for administrators 510 for agents 512 managing from CMS window 532 authentication instances a...

Страница 853: ...422 Data Recovery Manager and 168 173 Data Recovery Manager and Registration Manager and 170 173 demo and 108 enabling interaction with end entities 539 enabling OCSP service 699 features of 45 insta...

Страница 854: ...oning 37 cloning a CA 286 CMC 78 CMMF 77 CMS administrator defined 54 CMS agent defined 54 CMS certificates renewal 436 CMS data where it s stored 379 CMS feature list 34 CMS instance changing the nam...

Страница 855: ...gning certificate 439 611 nickname 439 481 CRLs Certificate Manager support for 46 defined 611 issuing or distribution points 615 publishing of 39 611 publishing to files 667 publishing to LDAP direct...

Страница 856: ...A renewalCA renewal 176 177 distinguished name 173 extensions 175 176 root versus subordinate 174 signing certificate 174 signing key 174 certificate decisions Certificate Manager 180 Data Recovery Ma...

Страница 857: ...rver certificate 213 214 tool for joining 465 tools for generating 465 transport certificate 205 external tokens defined installing 451 viewing contents of 502 F filenames for active log files 770 for...

Страница 858: ...rksheet for 188 191 Installation Wizard initial configuration steps 194 197 procedures for using 225 running for demo 122 135 installing certificates 829 833 installing external hardware tokens 451 in...

Страница 859: ...ternal CMS database demo and 109 publishing decisions 178 179 testing authentication with 145 160 LDAP publishing advantages 606 defined 605 manual updates 662 when to do 663 who can do this 662 See C...

Страница 860: ...ries 63 master CA 172 message templates for notifications 554 modifying authentication instances 545 jobs 566 log event listeners 774 mappers 637 policy rules 590 privileged user s group membership 43...

Страница 861: ...ace for agents 71 introduced 44 49 key pairs and certificates list of 449 protecting 436 remote admin server certificate 450 signing certificate 449 SSL server certificate 449 logging to Windows NT ev...

Страница 862: ...ministration 372 for the mail server used for notifications 563 575 how to choose numbers 372 predicates attributes for 584 expression support 582 operators for 582 sample expressions 582 584 what are...

Страница 863: ...certificate 448 450 Remote administration server certificate 443 nickname 443 removing unwanted CMS instances 306 renewal of certificates See certificate renewal renewal of CMS certificates 436 renew...

Страница 864: ...12 when required 312 when specified 313 why change periodically 313 SMTP settings 563 574 575 software requirements for CMS installation 106 Solaris requirements for installation 107 Solaris requireme...

Страница 865: ...ntents of 502 viewing which tokens are installed 454 what are they 450 topology decisions for deployment 164 173 transport certificate 447 changing trust settings of 505 deleting 504 getting a new one...

Страница 866: ...25 when the server was installed 304 why should you revoke certificates 612 Windows NT event log logging audit and system messages 787 Windows NT requirements for installation 107 wireless CA certific...

Отзывы:

Нет отзывов

Похожие инструкции для NETSCAPE MANAGEMENT SYSTEM 4.5

Blackberry MAIL - BROWSING SMARTPHONE User Manual preview
MAIL - BROWSING SMARTPHONE
Бренд: Blackberry Страницы: 25
M-Audio Afro-Cuban Percussion Quick Start Manual preview
Afro-Cuban Percussion
Бренд: M-Audio Страницы: 5
ACRONIS BACKUP AND RECOVERY 10 ADVANCED SERVER VIRTUAL EDITION - COMMAND LINE REFERENCE UPDATE 3 Cli Reference Manual preview
BACKUP AND RECOVERY 10 ADVANCED SERVER VIRTUAL EDITION - COMMAND LINE REFERENCE UPDATE 3
Бренд: ACRONIS Страницы: 54
Blackberry TICKETMASTER - LEARN MORE User Manual preview
TICKETMASTER - LEARN MORE
Бренд: Blackberry Страницы: 7
ESET SMART SECURITY User Manual preview
SMART SECURITY
Бренд: ESET Страницы: 38
VDO TIS OFFICE Brochure preview
TIS OFFICE
Бренд: VDO Страницы: 8
APPLIED ACOUSTICS SYSTEMS STRINGSTUDIO User Manual preview
STRINGSTUDIO
Бренд: APPLIED ACOUSTICS SYSTEMS Страницы: 70
SimpleTech SimpleDrive SP-U25/120 Quick Start Manual preview
SimpleDrive SP-U25/120
Бренд: SimpleTech Страницы: 8
Techniques Avancees CODESOFT Sentinel Print Pack User Manual preview
CODESOFT Sentinel Print Pack
Бренд: Techniques Avancees Страницы: 50
Juniper TePM Agent Release Note preview
TePM Agent
Бренд: Juniper Страницы: 9
UNIBLUE SpeedUpMyPC 2010 Product Manual preview
SpeedUpMyPC 2010
Бренд: UNIBLUE Страницы: 11
MACROMEDIA COLDFUSION MX 61 - CONFIGURING AND ADMINISTERING COLDFUSION... Manual preview
COLDFUSION MX 61 - CONFIGURING AND ADMINISTERING COLDFUSION...
Бренд: MACROMEDIA Страницы: 168
KAPERSKY ANTI-VIRUS 5.5 - FOR MICROSOFT EXCHANGE SERVER... Administrator'S Manual preview
ANTI-VIRUS 5.5 - FOR MICROSOFT EXCHANGE SERVER...
Бренд: KAPERSKY Страницы: 143
Access VIRUS|POWERCORE User'S Reference Manual preview
VIRUS|POWERCORE
Бренд: Access Страницы: 124
Datalogic PDA User Manual preview
PDA
Бренд: Datalogic Страницы: 100
Vector PC-Duo Manual preview
PC-Duo
Бренд: Vector Страницы: 148
Canon Selphy CP510 Printer Software Manual preview
Selphy CP510
Бренд: Canon Страницы: 28
Sans Digital Web GUI RAID Management Tools Default Setting preview
Web GUI RAID Management Tools
Бренд: Sans Digital Страницы: 1

Бренды по названию

Популярные бренды

Загрузить еще бренды