Chapter 7. Token Processing System
The Token Processing System (TPS) serves as the conduit between the Enterprise Security Client and
the other subsystems (CA, TKS, DRM) in the Certificate System and is the only means for the client
to communicate with the other subsystems. It provides the following functionalities for users managing
their smart cards through the Enterprise Security Client:
• Working with multiple instances of a subsystem
• Formatting smart cards
• Resetting the PIN on smart card tokens
• Upgrading the applet for smart card tokens
• Enrolling smart cards through the Enterprise Security Client
• Performing LDAP authentication
• Managing the token database
• Logging token events
The TPS must be configured to work with two Certificate System subsystems: the CA, which processes all of the certificate enrollment and revocation requests initiated through the Enterprise Security Client, and the Token Key Service (TKS), which generates a master key. From that master key the TKS derives secret keys specific to each smart card; these per-card keys wrap (encrypt) the certificates and commands transmitted between the TPS and the client. The TPS can optionally be configured to work with a DRM instance, which performs server-side key generation and key archival and recovery for the keys and certificates stored on the smart cards.
After the TPS is configured (Section 2.6.3, “Configuring a TPS”), it is operational. It is possible to further customize the TPS for specific deployments. This chapter explains how to customize the TPS instance.
NOTE
Unlike the other subsystems, the TPS does not have a Java™-based Console to change configuration parameters. The TPS configuration file, CS.cfg, must be edited directly. For more information on editing the CS.cfg file, see Section 3.6.2, “Editing the Configuration File”.
7.1. Working with Multiple Instances of a Subsystem
The TPS must be configured to work with a specific instance of a CA and TKS subsystem. It can
optionally be configured to work with a DRM subsystem. While the TPS is configured to work with a
single instance of each subsystem when it is initially installed, it can work with multiple instances for
one of two reasons:
• To provide fail-over support. The TPS can be configured to communicate with multiple instances of CA, TKS, or DRM subsystems, so if one instance is unavailable, the TPS can still process user operations initiated through the Enterprise Security Client. The instances in these cases all have the same policies in effect. This is described in Section 7.1.1, “Configuring Failover Support”.