manualshive.com logo in svg

Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION, Руководство администратора

Поделиться
Скачать
Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Скачать руководство пользователя страница 214

Chapter 8. Token Processing System

192

policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
policyset.set1.p1.default.params.ldap.enable=true
policyset.set1.p1.default.params.ldap.basedn=ou=people,dc=host,dc=example,dc=com
policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
policyset.set1.p1.default.params.ldap.ldapconn.host=localhost.example.com
policyset.set1.p1.default.params.ldap.ldapconn.port=389

These CA profiles come with LDAP lookup disabled by default. The ldapStringAttributes parameter
tells the CA which LDAP attributes to retrieve from the company directory. For example, if the directory
contains uid as an LDAP attribute name, and this will be used in the subject name of the certificate,
then uid must be listed in the ldapStringAttributes parameter, and request.uid listed as one of the
components in the dnpattern.

8.5.4. Automating Encryption Key Recovery

The Certificate System allows for a semi-automated recovery if a user loses, destroys, or misplaces
a token. The TPS automatically recovers the appropriate encryption keys and certificates for a
permanently or temporarily lost token, depending on the circumstances of the token loss. To prevent
misuse of the recovery feature, the TPS requires that a user must have a single active token.

When a user loses a token, the user must first get a replacement token. If a new enrollment is
attempted with this new token, the TPS blocks the enrollment since the user already has an active
token.

The token status in the database must be changed to 

lost

. This action is performed through the TPS

agent services page. The TPS agent, after affirmatively identifying the user, can search for the user's
ID in the 

Search tokens

 link. The TPS agent select the active token and update the status, with the

appropriate reason to recover the key.

This token has been physically damaged.

 Used if the token is known to be destroyed.

This token has been permanently lost.

 Used if the token is lost or stolen, so the key is compromised.

The certificates on the token are revoked

This token has been temporarily lost.

 Used if the token is mislaid. The certificates on the token are

revoked

There are two different schemes for recovery: 

GenerateNewKey

, to create a new key and certificate,

and 

RecoverLast

, to recover the last encryption key and associated certificate.

The user can enroll for a replacement token. It is preferred that signing keys be generated on the
smart card and not archived so that if the smart card is lost, new signing keys and certificates must be
regenerated on the token, and temporary certificates created. The definition for which keys should be
regenerated and which keys should be recovered is set in the following TPS 

CS.cfg

 parameters:

• For damaged tokens:

op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption

op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert=true
op.enroll.userKey.keyGen.signing.recovery.destroyed.revokeCert.reason=0
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey

Содержание CERTIFICATE SYSTEM 7.3 - ADMINISTRATION

Страница 1: ...Red Hat Certificate System 7 3 Administration Guide Publication date May 2007 updated March 25 2010 ...

Страница 2: ...est extent permitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linux is the registered trademark of Linus Torvalds in the United States and other countries All other trademarks are the property of their respective owners 1801 Varsity Drive...

Страница 3: ...e 4 1 1 12 Certificate Profiles 5 1 1 13 CRLs 5 1 1 14 Publishing 5 1 1 15 Notifications 5 1 1 16 Jobs 5 1 1 17 Dual Key Pairs 6 1 1 18 HSMs and Crypto Accelerators 6 1 1 19 Support for Open Standards 6 1 2 How the Certificate System Works 7 1 2 1 About the Certificate Manager 7 1 2 2 How the Certificate Manager Works 9 1 2 3 Data Recovery Manager 11 1 2 4 Online Certificate Status Manager 11 1 2 ...

Страница 4: ...KS Information Panel 37 2 4 6 DRM Information Panel 38 2 4 7 Authentication Directory Panel 39 2 4 8 Internal Database Panel 39 2 4 9 Key Store Panel 40 2 4 10 Key Pairs Panel 41 2 4 11 Subject Names Panel 42 2 4 12 Requests and Certificates Panel 43 2 4 13 Export Keys and Certificates Panel 44 2 4 14 Administrator Panel 45 2 5 Installing the Certificate System 46 2 5 1 Installing from an ISO Imag...

Страница 5: ...nhanced Linux 74 3 8 Using Java Servlets 75 3 9 Logs 75 3 9 1 About Logs 76 3 9 2 Services That Are Logged 79 3 9 3 Log Levels Message Categories 79 3 9 4 Buffered Versus Unbuffered Logging 81 3 9 5 Log File Rotation 81 3 9 6 Configuring Logs in the Console 82 3 9 7 Configuring Logs in the CS cfg File 83 3 9 8 Configuring TPS Logs 84 3 9 9 Monitoring Logs 85 3 9 10 Signing Log Files 86 3 9 11 Regi...

Страница 6: ...s on CA Certificates through Certificate Extensions 122 4 9 Creating Certificate Manager Agents and Administrators 124 4 10 Checking the Revocation Status of Agent Certificates 125 4 11 CRL Signing Key Pair and Certificate 127 4 12 DNs in the Certificate System 128 4 12 1 Extending Attribute Support 129 5 Registration Authority 133 5 1 Introduction 133 5 1 1 What is a Registration Authority 133 5 ...

Страница 7: ...r Certificates 173 7 2 1 Transport Key Pair and Certificate 174 7 2 2 Storage Key Pair 174 7 2 3 SSL Server Certificate 174 7 3 Forms for Users and Key Recovery Agents 174 7 4 Overview of Archiving Keys 175 7 4 1 Reasons to Archive Keys 175 7 4 2 Where the Keys Are Stored 175 7 4 3 How Key Archival Works 175 7 5 Overview of Key Recovery 177 7 5 1 Key Recovery Agents and Their Passwords 177 7 5 2 K...

Страница 8: ... from the End Entities Page 249 11 3 Managing User Certificates 251 11 3 1 Managing Certificate System User and Agent Certificates 252 11 3 2 Importing Certificates into Mozilla Firefox 253 11 4 Managing the Certificate Database 254 11 4 1 Installing Certificates in the Certificate System Database 254 11 4 2 Viewing Database Content 258 11 4 3 Deleting Certificates from the Database 260 11 4 4 Cha...

Страница 9: ...efault 293 13 7 3 Basic Constraints Extension Default 294 13 7 4 CRL Distribution Points Extension Default 295 13 7 5 Extended Key Usage Extension Default 297 13 7 6 Freshest CRL Extension Default 298 13 7 7 Issuer Alternative Name Extension Default 300 13 7 8 Key Usage Extension Default 301 13 7 9 Name Constraints Extension Default 302 13 7 10 Netscape Certificate Type Extension Default 306 13 7 ...

Страница 10: ...RLs 325 14 3 5 How CRLs Work 325 14 4 Issuing CRLs 326 14 4 1 Configuring Issuing Points 328 14 4 2 Configuring CRLs for Each Issuing Point 329 14 4 3 Setting CRL Extensions 333 14 5 Setting Full and Delta CRL Schedules 334 14 5 1 Configuring Extended Updated Intervals for CRLs in the Console 335 14 5 2 Configuring Extended Updated Intervals for CRLs in CS cfg 336 15 Publishing 337 15 1 About Publ...

Страница 11: ...78 16 3 1 Setting up Directory Based Authentication 379 16 3 2 Setting up PIN based Enrollment 380 16 4 Setting up CMC Enrollment 384 16 4 1 Setting up the Server for Multiple Requests in a Full CMC Request 385 16 4 2 Testing CMCEnroll 385 16 5 Certificate Based Enrollment 386 16 5 1 Setting up Certificate Based Enrollment 387 16 6 Testing Enrollment 388 16 7 Managing Authentication Plug ins 389 1...

Страница 12: ...25 certServer ee profiles 416 17 7 26 certServer ee facetofaceenrollment 417 17 7 27 certServer ee request enrollment 417 17 7 28 certServer ee request facetofaceenrollment 417 17 7 29 certServer ee request ocsp 418 17 7 30 certServer ee request revocation 418 17 7 31 certServer ee requestStatus 418 17 7 32 certServer general configuration 419 17 7 33 certServer job configuration 419 17 7 34 certS...

Страница 13: ...Console 442 19 3 2 Configuring Jobs by Editing the Configuration File 444 19 3 3 Configuration Parameters of requestInQueueNotifier 444 19 3 4 Configuration Parameters of publishCerts 445 19 3 5 Configuration Parameters of unpublishExpiredCerts 446 19 3 6 Frequency Settings for Automated Jobs 447 19 4 Managing Job Plug ins 448 19 4 1 Registering or Deleting a Job Module 448 20 Configuring the Cert...

Страница 14: ...482 A 6 1 netscape cert type 482 A 6 2 netscape comment 482 B Introduction to Public Key Cryptography 485 B 1 Internet Security Issues 485 B 2 Encryption and Decryption 486 B 2 1 Symmetric Key Encryption 486 B 2 2 Public Key Encryption 487 B 2 3 Key Length and Encryption Strength 488 B 3 Digital Signatures 488 B 4 Certificates and Authentication 489 B 4 1 A Certificate Identifies Someone or Someth...

Страница 15: ...xv Index 525 ...

Страница 16: ...xvi ...

Страница 17: ...rtificates including different types of digital certificates The role of digital certificates in a public key infrastructure PKI Certificate hierarchies LDAP and Red Hat Directory Server Public key cryptography and the Secure Sockets Layer SSL protocol including the following SSL cipher suites The purpose of and major steps in the SSL handshake 2 What Is in This Guide This guide contains the follo...

Страница 18: ...rovides information and procedures for configuring profiles Chapter 14 Revocation and CRLs provides information and procedures for configuring CRLs and revoking certificates Chapter 15 Publishing provides information and procedures for publishing certificates Chapter 17 User and Group Authorization provides information and procedures for setting up access control lists ACL that define authorizatio...

Страница 19: ...inux However Red Hat Enterprise Linux systems also include LDAP tools from OpenLDAP in the usr bin directory It is possible to use the OpenLDAP commands as shown in the examples but you must use the x argument to disable SASL which OpenLDAP tools use by default 3 3 Default Port Numbers After Errata RHSA 2009 0007 Certificate System 7 3 supports port separation Port separation means that the differ...

Страница 20: ...ntial data loss as may happen when tuning hardware for maximum performance 4 Additional Reading The Certificate System Administrator s Guide describes how to set up configure and administer the Certificate System subsystems and how to configure backend certificate management functions such as publishing and logging The Administrator s Guide also describes how to configure subsystems to relate to o...

Страница 21: ... there is any error in this Administrator s Guide or there is any way to improve the documentation please let us know Bugs can be filed against the documentation for Red Hat Certificate System through Bugzilla http bugzilla redhat com bugzilla Make the bug report as specific as possible so we can be more effective in correcting any issues Select the Red Hat Certificate System product Set the compo...

Страница 22: ...com Removed section on renewing certificates through the console since this is not supported Revision 7 3 7 January 29 2009 Ella Deon Lackey dlackey redhat com Added small note on the new LDAP publishing password configuration parameter to the Enabling Publishing section Added information on configuring port separation Updated pkicreate example to include a port separation example Updated examples...

Страница 23: ...er is an optional subsystem that provides OCSP responder services which means it stored CRLs for CAs and can distribute the load for verifying certificate status See Chapter 6 Online Certificate Status Protocol Responder for details The Data Recovery Manager DRM is an optional subsystem that provides private encryption key storage and retrieval See Chapter 7 Data Recovery Manager for details The T...

Страница 24: ...ces interface for a CA DRM OCSP and TPS are specific to those subsystems End Entity Services Interface The end entity interface is a customizable HTML interface used by end entities to enroll in the PKI request certificates revoke certificates and pick up issued certificates It contains forms for different types of enrollments and for enrolling different types of end entities The Certificate Manag...

Страница 25: ...e CA subsystem which hosts the domain is automatically granted the role of Security Domain Administrator which gives the subsystem the ability to manage the security domain and the subsystem instances within it Other security domain administrator roles can be created for the different subsystem instances These roles are described in Section 4 4 2 Security Domain Roles 1 1 7 Security Enhanced Linux...

Страница 26: ...rieve CA requests Submit a PKCS 10 request Retrieve the issued certificate Queries the request status if the request is pending SCEP suggests two modes of operation RA mode and CA mode In the RA mode the enrollment request is encrypted with the RA signing certificate In the CA mode the request is encrypted with the CA signing certificate The current implementation of RA and CA only supports the CA...

Страница 27: ...e to determine the content of the issued certificate See Chapter 13 Certificate Profiles for details 1 1 13 CRLs The Certificate System can create certificate revocation lists CRLs from a configurable framework which allows user defined issuing points so a CRL can be created for each issuing point Delta CRLs can also be created for any issuing point that is defined CRLs can be issued for each type...

Страница 28: ...nd areas which the Certificate System supports include the following Formulates signs and issues industry standard X 509 version 3 public key certificates version 3 certificates include extensions that make it easy to include organization defined attributes These certificates are used for extranet and Internet authentication Supports the RSA public key algorithm for signing and encryption and the ...

Страница 29: ...e it obtains its signing certificate from another CA 1 2 1 1 Certificate Manager Flexibility and Scalability Multiple CAs can be configured to form a vertical or horizontal chain of CAs A vertical hierarchy has a root CA that is either self signing or subordinate to a public CA and then one or more CAs subordinate to this root CA The subordinate CAs can have more CAs below them forming a chain of ...

Страница 30: ...s by issuing and storing cross signed certificates between these two CAs By using cross signed certificate pairs certificates issued outside the organization s PKI can be trusted within the system 1 2 1 3 Certificate Manager Functionality The Certificate Manager issues and revokes certificates when it receives signed requests These requests can come from its own agents users who are assigned privi...

Страница 31: ...it is an agent approved enrollment an agent of the Certificate Manager must approve the request If it is an automated enrollment the request is approved if the end entity supplies the correct information and authenticates successfully 1 2 2 2 Authentication Methods Authentication plug ins set up automated enrollment and configure the methods for the end entity to authenticate itself For agent appr...

Страница 32: ...issues a certificate the Certificate Manager stores both the certificate and the certificate request in its internal database 1 2 2 8 Revoking Certificates End entities can submit certificate revocation requests in the end entities page if they lose their private key or if their certificate has been compromised When an end entity requests a revocation the request is sent to the agent services inte...

Страница 33: ...ovided by the underlying hardware token In the new scheme CS uses its existing access control scheme to ensure recovery agents are appropiately authenticated via SSL and ensures that the agent belongs to the specific recovery agent group The recovery request is executed only when m of n recovery agents have granted authorization to the request By default the DRM sets up a 1 of 1 ACL based recovery...

Страница 34: ...S also generates transport keys which wrap or encrypt the user s private keys to secure them during transit 1 2 6 Token Processing System The Token Processing System TPS is the conduit between the Enterprise Security Client the user interface for end users to manage their smart cards and the other subsystems in the Certificate System It automatically initiates certificate enrollments with the CA a...

Страница 35: ...ires key archival and recovery capabilities along with the CA for example when encrypted mail is widely used the organization risks data loss if it is unable to recover encryption keys In this case the Certificate System deployment has both the Certificate Manager and a DRM To add key storage and recovery a DRM can be installed on the same machine or on a different machine Figure 1 2 Certificate M...

Страница 36: ... compromised DRM has devastating security consequences for the entire PKI Consider keeping the DRM in a special locked room or building this consideration can affect the deployment strategy 1 3 3 Cloned Certificate Manager A cloned Certificate Manager uses the same CA signing key and certificate as another Certificate Manager the master Certificate Manager Since each Certificate Manager issues cer...

Страница 37: ...rity Client The TKS and TPS subsystems work together to support all token operations such as enrollment through the Enterprise Security Client Additionally the TPS subsystem can be configured to use the DRM subsystem to handle server side key generation and key archival and recovery The interactions between the TPS TKS DRM and CA subsystems to process token operations through the Enterprise Securi...

Страница 38: ...Chapter 1 Overview 16 Figure 1 4 Certificate System Architecture ...

Страница 39: ...or all users and applications to access Certificate System subsystem functions through the different user interfaces administrative console agent services and end entities pages The subsystem pages are accessed over HTTP but they are created by subsystem specific servlets contained in the Certificate System While the HTTP engine provides the connection entry points Certificate System completes the...

Страница 40: ...nd logs including audit logs administrators cannot view audit logs NOTE The TPS subsystem does not have an administrative console administrator tasks are performed through an HTML interface accessed through the agent services URL These servlets can return data in HTML or XML formats making it easier for system administrators to write scripts which interact with these servlets For more information ...

Страница 41: ...ionally stores certificates and keys Two cryptographics modules are included in the Certificate System The default internal PKCS 11 module which comes with two tokens The internal crypto services token which performs all cryptographic operations such as encryption decryption and hashing The internal key storage token Certificate DB token in Figure 1 4 Certificate System Architecture which handles ...

Страница 42: ...session that follows Both of these protocols support using a variety of different cryptographic algorithms or ciphers for operations such as authenticating the server and client transmitting certificates and establishing session keys Clients and servers may support different cipher suites or sets of ciphers Among other functions the SSL handshake determines how the server and client negotiate whic...

Страница 43: ...ring Task Force IETF PKIX working group Certificate Management Message Formats CMMF Message formats to send certificate requests and revocation requests from end entities to a CA and to return information to end entities A proposed standard from the IETF PKIX working group CMMF has been subsumed by another standard CMC Certificate Management Messages over CS CMC A general interface to public key c...

Страница 44: ...ncrypted data This format is used to deliver certificates to end entities Public Key Cryptography Standard PKCS 10 A message format developed by RSA Data Security for certificate requests This format is supported by many server products Public Key Cryptography Standard PKCS 11 Specifies an API used to communicate with devices such as hardware tokens that hold cryptographic information and perform ...

Страница 45: ... as follows 1 Install a Red Hat Directory Server This can be on a different machine from the Certificate System which is the recommended scenario for most deployments 2 Download the Certificate System packages from the Red Hat Network channel Each subsystem has its own packages as well as dependencies and related packages These are listed in Section 2 2 3 Packages Installed 3 Install the Certifica...

Страница 46: ... subsystem can be configured in an installation of Certificate System There can be multiple instances of a type of subsystem on a host or across different hosts For failover support one configuration option is to duplicate or clone an instance so that more than one instance has the same configuration information Clones and masters share the same set of keys and certificates Cloned CAs issue certif...

Страница 47: ...y to a third party and wait for the certificate to be issued Before deploying the full PKI however consider whether to have a root CA how many to have and where both root and subordinate CAs will be located 2 2 Prerequisites This section covers required information such as the supported platforms the packages installed and dependencies and programs Section 2 2 1 Supported Platforms Section 2 2 2 R...

Страница 48: ... Hat Network channel A similar package is available for 64 bit Red Hat Enterprise Linux 4 platforms This package is available through either the Red Hat Enterprise Linux AS v 4 for AMD64 EM64T Extras Red Hat Network channel or the Red Hat Enterprise Linux ES v 4 for AMD64 EM64T Extras Red Hat Network channel As root run usr sbin alternatives config java to insure that the IBM Java 1 5 0 JRE is sel...

Страница 49: ...shtm for more information While almost any JDK is sufficient installing one of these JDKs is recommended For 32 bit Red Hat Enterprise Linux 4 platforms a pre packaged binary distribution of the 32 bit version of the IBM JDK 1 5 0 the java 1 5 0 ibm devel rpm package is available through either the Red Hat Enterprise Linux AS v 4 for x86 Extras Red Hat Network channel or the Red Hat Enterprise Lin...

Страница 50: ... qa queryformat compat libstdc VERSION RELEASE ARCH rpm n grep x86_64 Numerous libraries should be displayed 2 2 3 Packages Installed Multiple packages are installed with the Certificate System in addition to the core Certificate System components Section 2 2 3 1 Red Hat Enterprise Linux RPMs Section 2 2 3 2 Solaris Packages 2 2 3 1 Red Hat Enterprise Linux RPMs RPMs have the format package_name v...

Страница 51: ...ken xpath geronimo specs jdom wsdl4j gnu crypto sasl jdk1 4 jms xalan j2 jakarta commons beanutils jpackage utils xerces j2 jakarta commons collections ldapjdk xml commons jakarta commons daemon log4j xml commons apis jakarta commons dbcp mx4j xml commons resolver jakarta commons digester oldjdom xmlbeans RPMs for Fortitude Web Services fortitude web mod_nss mod_revocator RPMs for Apache Web Servi...

Страница 52: ...condary subpackage name For example the 64 bit packages for dirsec nss include RHATdirsec nssx 3 11 3 1 sparcv9 pkg and RHATdirsec nssx tools 3 11 3 1 sparcv9 pkg Packages for Certificate System RHATosutilx RHATrhpki krax RHATrhpki tksx RHATpkisetupx RHATrhpki managex RHATrhpki tpsx RHATrhpki cax RHATrhpki migratex RHATrhpki utilx RHATrhpki commonx RHATrhpki native toolsx RHATsymkeyx RHATrhpki con...

Страница 53: ...mons discoveryx RHATorox Packages for Fortitude Web Services RHATfortitude webx RHATmod nssx RHATmod revocatorx Packages for Apache Web Services RHATapr utilx RHATmod perlx RHATperl XML Parserx RHATaprx RHATpcrex RHATperl XML SAXx RHATdb4x RHATperl HTML Parserx RHATperl XML Simplex RHATdb4x utils RHATperl HTML Tagsetx RHATperl libwww perlx RHATexpatx RHATperl Parse RecDescentx RHATperlx RHAThttpdx...

Страница 54: ...add an external CA If a Certificate System CA is selected then supply the CA agent username and password Subsystem information When installing a TPS the CA and TKS subsystems must be installed and configured before installing the TPS a DRM subsystem must also be installed and configured if server side key generation is selected When configuring the TPS the TKS and DRM to connect with the TPS are s...

Страница 55: ... tks TPS 7889 7888 var lib rhpki tps Table 2 1 Default Subsystem Instance Ports and File Locations The following certificates are created by default when any of the following subsystem instances are installed Certificate Manager CA signing certificate OCSP signing certificate for the CA s internal OCSP service SSL server certificate Subsystem certificate The subsystem certificate is always issued ...

Страница 56: ...ection 2 4 2 Subsystem Type Panel Section 2 4 3 PKI Hierarchy Panel Section 2 4 4 CA Information Panel Section 2 4 5 TKS Information Panel Section 2 4 6 DRM Information Panel Section 2 4 7 Authentication Directory Panel Section 2 4 8 Internal Database Panel Section 2 4 9 Key Store Panel Section 2 4 10 Key Pairs Panel Section 2 4 11 Subject Names Panel Section 2 4 12 Requests and Certificates Panel...

Страница 57: ... Figure 2 1 Security Domain If the subsystem is being added to an existing domain provide the security domain URL and the administrator UID and password for the domain Figure 2 2 Supplying the Security Domain Bind Information For more information on security domains see Section 4 4 Security Domains 2 4 2 Subsystem Type Panel This panel creates a master subsystem or clones an existing subsystem Cre...

Страница 58: ...of the subsystem information based on the master s configuration and regenerates the master s certificates 2 4 3 PKI Hierarchy Panel This option is only available to CAs this creates the overall arrangement of CAs CAs can be arranged in a hierarchy with root CAs which sign CA signing certificates and set certificate policies and layers of subordinate CAs which have CA signing certificates signed b...

Страница 59: ... and be approved before configuration can be completed 2 4 4 CA Information Panel This panel appears only during TPS configuration This identifies the CA which will work with the TPS to issue and revoke certificates stored on the smart card The TPS must be associated with a CA within the security domain which can perform the token operations the CA is selected from a drop down list of all CAs with...

Страница 60: ...nel is only available when configuring a TPS subsystem The TPS can be associated with an existing DRM subsystem to enable server side key generation Similarly to setting the CA information the DRM is selected from a list of all configured DRM subsystems within the security domain Figure 2 7 Selecting the DRM ...

Страница 61: ...lied in this panel and the appropriate database and suffix must be created before the TPS is configured these are not created by the configuration wizard but are accessed by it Only Red Hat Directory Server 7 1 or higher is supported 2 4 8 Internal Database Panel This panel collects information for the internal directory service used for storing certificate requests and certificates Directory Serv...

Страница 62: ...base and the new clone s internal database 2 4 9 Key Store Panel This panel displays a list of automatically discovered tokens that can be used to store certificates and keys The Certificate System automatically discovers Safenet s LunaSA and nCipher s netHSM hardware security modules HSM and returns them on this screen The discovery process assumes that the client software installations for these...

Страница 63: ...is updated with this information by default The status field in this panel describes the status of the token Found The token was discovered by Certificate System and added to secmod db Not Found The Certificate System was unable to find the supported HSMs Logged In The login attempt to the slot was successful Not Logged In The subsystem is not logged into the slot yet The login button correspondin...

Страница 64: ...ames for all of the certificates issued for the subsystem being installed This panel also sets which CA will issue these certificates If the certificates for the subsystem including certificates for a subordinate CA will be issued by an external CA such as VeriSign or a Certificate System CA which is outside the security domain select External CA from the list ...

Страница 65: ...t except the Server Certificate name field because the server certificate is regenerated 2 4 12 Requests and Certificates Panel This panel has links to the certificate requests and the issued certificates if the certificates were issued successfully The generated certificate requests are stored in the instance s CS cfg configuration file for retrieval later ...

Страница 66: ...ceed past this panel until the new certificates are pasted into the fields In this case the Requests and Certificates panel appears as shown 2 4 13 Export Keys and Certificates Panel This panel offers the option to export the new certificate to a p12 file A p12 backup file of a master subsystem s certificates and keys is required when configuring the clone these files can also be used to restore t...

Страница 67: ...ator user for the instance This user also has agent privileges so the agent certificates and keys for the agent certificate are generated on the browser used to go through the configuration wizard This administrator agent user can use this agent certificate to access the agent interface for managing requests Figure 2 15 CA Administrator ...

Страница 68: ...loaded and installed on Red Hat Enterprise Linux systems using the up2date command Whether downloading and installing the Certificate System from an ISO image or through up2date several packages are also installed for related applications and dependencies not only for the subsystem packages These packages are listed in Section 2 2 3 1 Red Hat Enterprise Linux RPMs and Section 2 2 3 2 Solaris Packa...

Страница 69: ...the Token Key System tps installs the Token Processing System esc installs the Enterprise Security Client The force option bypasses any confirmation prompts that may otherwise appear during the installation For example to install the CA and then the DRM use the following commands rhpki install pki_subsystem ca pki_package_path media cdrom RedHat RPMS force rhpki install pki_subsystem drm pki_packa...

Страница 70: ...te command run a command like the following for each subsystem up2date rhpki subsystem subsystem can be ca for the CA ra for the RA kra for the DRM ocsp for the OCSP tks for the TKS and tps for the TPS up2date is used only for the first subsystem instance any additional subsystem instances should be added using pkicreate To install the client using up2date run the following up2date esc 2 6 Configu...

Страница 71: ... and a corresponding base directory entry base DN to use for the subsystem s entries 6 Select the key store token a list of detected hardware tokens and databases is given To determine whether a token is detected by the Certificate System use the TokenInfo tool For more information on this tool see the Certificate System Command Line Tools Guide 7 Set the key size The default RSA key size is 2048 ...

Страница 72: ... subsystem s entries 5 Select the key store token a list of detected hardware tokens and databases is given To determine whether a token is detected by the Certificate System use the TokenInfo tool For more information on this tool see the Certificate System Command Line Tools Guide 6 Set the key size The default RSA key size is 2048 7 Select the CA which will generate the subsystem certificates t...

Страница 73: ...e key generation for tokens enrolled through the TPS If server side key generation is selected supply information about the DRM which will be used to generate keys and archive encryption keys Key and certificate recovery is initiated automatically through the TPS which is a DRM agent Select the DRM from the drop down menu of DRM subsystems within the security domain 7 Fill in the information for t...

Страница 74: ...figuration wizard All additional CA RA DRM OCSP TKS and TPS instances are installed by running a special tool pkicreate After that they are configured through the HTML based administration page For more information on pkicreate see the Certificate System Command Line Tools Guide NOTE Additional subsystems can be duplicates or clones of existing subsystems Cloning can be used for load balancing for...

Страница 75: ...client authentication ee_secure_client_auth_port 1 Run the pkicreate command For example pkicreate pki_instance_root var lib pki ca2 subsystem_type ca pki_instance_name pki ca2 admin_secure_port 9545 agent_secure_port 9544 ee_secure_port 9543 ee_secure_client_auth_port 9546 unsecure_port 9180 tomcat_server_port 1802 verbose 2 When the instance is successfully created the process returns a URL for ...

Страница 76: ... Type panel sets whether to create a new instance or a clone select the clone radio button Figure 2 16 Selecting the Subsystem to Clone 5 Give the path and filename of the PKCS 12 backup file which was saved when the master instance was created If a backup was not created at that time use the pk12util utility to create a PKCS 12 file Figure 2 17 Supplying the Key and Certificate Information ...

Страница 77: ...Red Hat Certificate System 7 3 Red Hat Network channel NOTE Run this tool on a system which already has a subsystem installed since this tool depends on having libraries JRE and core jar files already installed The silent installation tool has the following format perl pkisilent Configuresubsystem_type options The options are slightly different between the subsystems all subsystems except for the ...

Страница 78: ...rtdb_dir tmp client_certdb_pwd redhat preop_pin fS44I6SASGF34FD76WKJHIW4 domain_name testca admin_user admin admin_email admin redhat com admin_password redhat agent_name rhpki tks2 agent ldap_host server ldap_port 389 bind_dn cn directory manager bind_password redhat base_dn o rhpki tps2 db_name rhpki tks2 key_size 2048 key_type rsa agent_key_size 2048 agent_key_type rsa agent_cert_subject tps ag...

Страница 79: ...ample rpm Uvh rhpki java tools 7 3 0 4 noarch rpm 4 Restart the Certificate System instances etc init d instance_ID start Alternatively using the up2date command 1 Stop all Certificate System instances etc init d instance_ID stop 2 Log in as root 3 Run up2date for the package For example up2date rhpki java tools 7 3 0 4 noarch 4 Restart the Certificate System instances etc init d instance_ID start...

Страница 80: ... uninstall pki_subsystem all 5 Remove the actual install and uninstall scripts pkgrm RHATrhpki managex To install the new CA 1 Install the install and uninstall scripts pkgadd d RHATrhpki managex 7 3 0 12 sol9 noarch pkg 2 Use the install script to install the CA rhpki install pki_subsystem ca pki_package_path IMPORTANT Ensure that the current directory contains all the Solaris packages 3 For the ...

Страница 81: ... dir var lib rhpki ca1 Removing file var log rhpki ca1 install log Removing file etc init d rhpki ca1 Removing file usr share applications rhpki ca1 config desktop Removing file usr bin dtomcat5 rhpki ca1 Example 2 4 Removing a CA Instance pkiremove removes the instance and any related files such as the certificate databases certificates keys and associated users It does not uninstall the subsyste...

Страница 82: ...Chapter 2 Installation and Configuration 60 rpm ev rhpki manage ...

Страница 83: ...anually editing the CS cfg file The Console is launched using the pkiconsole utility with the hostname subsystem SSL port and subsystem type specified pkiconsole https hostname SSLport subsystemType For a Certificate Manager running a a host named host example com on the default CA SSL port 9443 the console command would be as follows pkiconsole https host example com 9443 ca When the command is r...

Страница 84: ...tion To enable SSL client authentication both the client and the server need configured to run over SSL First setup the Certificate System server to use SSL client authentication 1 Store the certificates for any administrator using this system The certificate should be either from the CA itself or from whichever CA signed the certificate for the subsystem a Open the subsystem console b Select the ...

Страница 85: ...serverCertNick conf passwordFile var lib rhpki ca conf password conf passwordClass org apache tomcat util net jss PlainPasswordFile certdbDir var lib rhpki ca alias 9 Start the subsystem etc init d instance_ID start After setting up the server then configure the client to use SSL client authentication The Console must have access to the administrator certificate and keys used for SSL client authen...

Страница 86: ...ry The bind password used by the subsystem to access and update the LDAP directory this is required only if the Certificate System instance is configured for publishing certificates and CRLs to an LDAP compliant directory For a TPS instance the bind password used to access and update the token database The password conf file also contains the token passwords needed to open the private keys of the ...

Страница 87: ...ile for password conf is called password bak run cat password bak password conf Repeat this command until the server is fully started this is apparent in the debug log This process still uses a clear text password file password bak but this moves the password store so that it is external to the Certificate System instance and can be stored anywhere such as a smart card This only requires a utility...

Страница 88: ...ectory enforces the quality of the password because it is created and managed by the directory 3 4 Starting Stopping and Restarting Certificate System Subsystems Each Certificate System subsystem instance is started stopped and restarted separately This section describes how to start stop and restart a subsystem instance 3 4 1 Starting a Server Instance A subsystem instance is started like other s...

Страница 89: ...rver The notifications and jobs features use the mail server set in the Certificate System CA instances to send notification messages Set up a mail server by doing the following 1 Open the CA subsystem administrative console For example pkiconsole https host example com 9443 ca 2 In the Configuration tab highlight the instance name at the top and select the SMTP tab 3 Supply the server name and po...

Страница 90: ... Do not edit the configuration file directly without being familiar with the configuration parameters or without being sure that the changes are acceptable to the server The Certificate System fails to start if the configuration file is modified incorrectly Incorrect configuration can also result in data loss To modify the configuration file 1 Stop the subsystem instance The configuration file is ...

Страница 91: ...slashes instead of one Authentication parameters CA only All authentication specific information such as names of registered authentication plug in modules and any configured instances appears in the authentication section of the configuration file Each registered authentication plug in module is identified by its implementation name and the corresponding Java class Each configured instance of an ...

Страница 92: ...c parameters are not adjusted to those required by the new instance The recommended way to create duplicate instances is to clone the instances when the subsystem instance is configured For more information on cloning see Chapter 20 Configuring the Certificate System for High Availability 3 6 5 Other File Locations Certificate System servers consist of subsystems and instances Server subsystems ar...

Страница 93: ...ES x86_64 machines only usr share doc LICENSE and README text files shared by the Certificate System subsystems usr share java rhpki Java archive files shared by the CA RA DRM OCSP and TKS subsystems usr share java rhpki subsystem_type Java archive files shared by all instances of a subsystem type For example usr share java rhpki ca contains files shared by all CA subsystem instances usr share rhp...

Страница 94: ... following are the default instance locations Section 3 6 6 1 CA Default Instance Location Section 3 6 6 2 DRM Default Instance Location Section 3 6 6 3 OCSP Default Instance Location Section 3 6 6 4 TKS Default Instance Location Section 3 6 6 5 TPS Default Instance Location 3 6 6 1 CA Default Instance Location Default Location Type of Object Description etc init d rhpki ca File The script used to...

Страница 95: ...CSP Default Instance Location Default Location Type of Object Description etc init d rhpki ocsp File The script used to start stop or restart the OCSP instance etc rhpki ocsp Directory Contains the configuration file for the OCSP instance var lib rhpki ocsp Directory Contains the user specific default and customized forms and data for the OCSP instance var log rhpki ocsp Directory Contains the log...

Страница 96: ... TPS instance var log rhpki tps install log File A log file containing the configuration steps performed to create the TPS instance var log rhpki tps rhpki tps pid File A file containing the active process ID of the running TPS instance Table 3 6 TPS Default Instance Location 3 7 Using Security Enhanced Linux Security enhanced Linux or SELinux is a collection of mandatory access control rules whic...

Страница 97: ...s an HTML page when the following link is accessed https server example com 9443 ca ee ca displayBySerial op displayBySerial serialNumber 0x1 Appending xml true to the end of the link returns the same page in XML https server example com 9443 ca ee ca displayBySerial op displayBySerial serialNumber 0x1 xml true 3 9 Logs This section explains how to use the Console to configure logs maintained by t...

Страница 98: ...rations performed such as search add and edit and the result of the access such as the number of entries returned This log is on by default 3 9 1 2 Transactions Log This log transactions records messages specific to the certificate service such as certificate requests revocation requests and CRL publication and can detect any unauthorized access or activity This log is on by default 3 9 1 3 Debug ...

Страница 99: ...43 Processor24 ProfileSubmitServlet key request auth_token uid value RA test4 redbudcomputer local 4747 06 Jun 2008 14 59 38 http 9443 Processor24 ProfileSubmitServlet key request auth_token userid value RA test4 redbudcomputer local 4747 06 Jun 2008 14 59 38 http 9443 Processor24 ProfileSubmitServlet key request requestor_name value 06 Jun 2008 14 59 38 http 9443 Processor24 ProfileSubmitServlet ...

Страница 100: ...cords for events that have been set up as recordable events If the logSigning attribute is set to true the audit log is signed with a log signing certificate belonging to the server This certificate can be used by auditors to verify that the log has not been tampered with See Section 3 9 13 Signed Audit Log 3 9 1 7 Apache and Tomcat Error and Access Logs The CA RA DRM OCSP and TKS subsystems use a...

Страница 101: ... to the HTTP activity of the server NOTE HTTP events are actually logged to the errors log belonging to the Apache server incorporated with the Certificate System to provide HTTP services Key Recovery Authority Logs events related to the DRM LDAP Logs events related to activity with the LDAP directory which is used for publishing certificates and CRLs OCSP Logs events related to OCSP such as OCSP ...

Страница 102: ...hese messages are warnings only and do not indicate any failure in the normal operation of the server 3 Failure the default selection for system and error logs These messages indicate errors and failures that prevent the server from operating normally including failures to perform a certificate service operation User authentication failed or Certificate revoked and unexpected situations that can c...

Страница 103: ...red logging is configured the server creates buffers for the corresponding logs and holds the messages in the buffers for as long as possible The server flushes out the messages to the log files only when one of the following conditions occurs The buffer gets full The buffer is full when the buffer size is equal to or greater than the value specified by the bufferSize configuration parameter The d...

Страница 104: ...ed audit logs feature Signed audit logs creates audit logs that are automatically signed using signtool manually signs archived logs See Section 3 9 1 6 Signed Audit Log for details about signed audit logs By default rotated log files are not deleted 3 9 6 Configuring Logs in the Console This procedure describes how to configure system transaction and audit logs To configure logs for a Certificate...

Страница 105: ...ction 3 9 5 Log File Rotation rolloverInterval Sets the frequency at which the server rotates the active error log file The available choices are hourly daily weekly monthly and yearly The default selection is monthly For more information see Section 3 9 5 Log File Rotation The signed audit log has these additional settings logSigning Enables signed logging When this parameter is enabled provide a...

Страница 106: ...e Specify the file size in kilobytes KB for the error log The default size is 100 KB The maxFileSize determines how large a log file can become before it is rotated Once it reaches this size the file is copied to a rotated file and the log file is started anew For more information see Section 3 9 5 Log File Rotation register If this variable is set to false the default value the self test messages...

Страница 107: ...audit level 10 logging debug enable true logging debug filename var lib rhpki tps logs tps debug log logging debug level 7 logging error enable true logging error filename var lib rhpki tps logs tps error log logging error level 10 3 9 9 Monitoring Logs To troubleshoot the subsystem check the error or informational messages that the server has logged Examining the log files can also monitor many a...

Страница 108: ...on which the entry was logged Time The time at which the entry was logged Details A brief description of the log 6 To view a full entry double click it or select the entry and click View 3 9 10 Signing Log Files The Certificate System can digitally sign log files before they are archived or distributed for audit purposes This feature allows files to be checked for tampering This is an alternative ...

Страница 109: ... path to the implementing Java class If this class is part of a package include the package name For example registering a class named customLog in a package named com customplugins the class name would be com customplugins customLog 5 Click OK 3 9 12 Deleting a Log Module Unwanted log plug in modules can be deleted through the Console Before deleting a module delete all the listeners based on thi...

Страница 110: ...emove it from the list Log events are separated by commas with no spaces Logging Event Type of Log Messages Generated AUDIT_LOG_STARTUP The start of the subsystem and thus the start of the audit function AUDIT_LOG_SHUTDOWN The shutdown of the subsystem and thus the shutdown of the audit function ROLE_ASSUME A user assuming a role A user assumes a role after passing through authentication and autho...

Страница 111: ...ould not allow such a change PRIVATE_KEY_ARCHIVE Shows when an encryption private key is requested during enrollment PRIVATE_KEY_ARCHIVE_PROCESSED Shows when a private encryption key is archived in the DRM KEY_RECOVERY_REQUEST Shows when a request is made to recover a private encryption key stored in the DRM KEY_RECOVERY_AGENT_LOGIN Shows when DRM agents log in as recovery agents to approve key re...

Страница 112: ...G Shows when the audit buffer is signed and flushed to disk Table 3 11 Signed Audit Log Events 3 9 13 1 Setting up Signed Audit Logs To set up signed audit logs 1 Set up the caAuditCert certificate profile See Section 13 3 Setting up Certificate Profiles for information about setting up certificate profiles 2 Approve the caAuditCert certificate profile by approving it in the agent services interfa...

Страница 113: ...n this happens administrators and auditors should work together with the operating system administrator to resolve the disk space or file permission issues When the IT problem is resolved the auditor should make sure that the last audit log entries are signed If not they should be preserved by manual signing Section 3 9 10 Signing Log Files archived and removed to prevent audit verification failur...

Страница 114: ... changed by changing those setting in the CS cfg file To turn a self test off remove is from the list of self tests 3 10 3 Modifying Self Test Configuration To modify the configuration settings for self tests 1 Stop the subsystem instance 2 Open the CS cfg file located in the instance s conf directory 3 To edit the settings for the self test log edit the entries that begin with selftests container...

Страница 115: ...thly and yearly The default selection is monthly For more information see Section 3 9 5 Log File Rotation type Set to transaction do not change this 4 To edit the order in which the self test are run specify the order by listing any of the self test as the value of the following parameters separated by a comma and a space To mark a self test critical add a colon and the word critical to the name o...

Страница 116: ... be desirable to use those ports directly Also since the Certificate System is installed as root yet it runs as a non root user the subsystems may not be able to access the restricted ports It is possible to direct traffic to non restricted ports while still using the default port numbers by configuring the iptables settings For example sbin iptables A FORWARD p tcp destination port 443 j ACCEPT s...

Страница 117: ...mber is also used to open the subsystem administrative console pkiconsole https server example com 4430 ca If the port number is ever changed the agents must be informed 3 11 1 4 End Entity Ports For requests from end entities the Certificate System listens on both the SSL encrypted port and non SSL port End entities make requests through the end entities page Both the HTTP port and HTTPS port can...

Страница 118: ...ectory cd var lib instance_ID conf 3 Open the httpd conf file and edit the non SSL port number For example Listen 0 0 0 0 7888 4 Open the nss conf file and edit the SSL port numbers For example Listen 0 0 0 0 7889 VirtualHost _default_ 7889 5 Open the CS cfg file and edit the both the SSL and non SSL port numbers For example service securePort 7889 service unsecurePort 7888 op format tokenKey issu...

Страница 119: ...t and an Host appBase entry to identify the location of the web directory for the service The appBase directory should be something like webapps admin and located in the subsystem s instance directory default entry used as the agent service Service name Catalina Connector port 9080 the insecure port definition which is used by all services Connector port 9444 Engine name Catalina defaultHost local...

Страница 120: ...localhost Realm className org apache catalina realm UserDatabaseRealm resourceName UserDatabase Host name localhost appBase webapps ee unpackWARs true autoDeploy false xmlValidation false xmlNamespaceAware false Valve className org apache catalina valves AccessLogValve directory logs prefix localhost_access_log suffix txt pattern common resolveHosts false Host Engine Service 4 Go up into the insta...

Страница 121: ...sion not the local version is used by the service cd lib mv osutil jar osutil jar orig Do this for all three services 10 Move the osutil jar symlink from common lib to the shared lib directory cd var lib pki ca shared lib cp d var lib pki ca common lib osutil jar rm var lib pki ca common lib osutil jar 11 Restart the subsystem etc init d rhpki ca restart 3 11 4 Redirecting Subsystem Communications...

Страница 122: ...on port for end entities to use and reconfigure client connections for subsystems like the RA TPS and SCEP services to use the new ports IMPORTANT In Certificate System 7 3 no port is configured to require client authentication at the initial connection The workaround here configures the agent secure port to require client authentication and directs requests for profiles that require client authen...

Страница 123: ...ferenced in the ProfileSelect template file mkdir p var lib instance_name webapps ca ee ca cp var lib instance_name webapps ee ca ee ca ProfileSubmit template var lib instance_name webapps ca ee ca cp var lib instance_name webapps ee ca ee ca ProfileSubmit html var lib instance_name webapps ca ee ca ProfileSubmit html chown R pkiuser var lib instance_name webapps ca ee 8 Restart the CA For example...

Страница 124: ...tive in the agent connector to true For example Connector name Agent port 11443 maxHttpHeaderSize 8192 maxThreads 150 minSpareThreads 25 maxSpareThreads 75 enableLookups false disableUploadTimeout true acceptCount 100 scheme https secure true clientAuth true sslProtocol SSL 4 Restart the subsystem For example etc init d rhpki ocsp restart 3 11 4 4 Updating the TPS 1 Update the NSS packages by inst...

Страница 125: ...instance_name 3 Remove the line LD_PRELOAD usr lib64 dirsec libssl3 so LD_PRELOAD Replace it with the following LD_PRELOAD usr lib64 libssl3 so LD_PRELOAD On 32 bit systems the path is usr lib 4 Restart the subsystem For example etc init d rhpki ra restart 3 12 The Internal LDAP Database The Certificate System performs certificate and key management functions in response to the requests it receive...

Страница 126: ... System to use any other LDAP directory Doing so can result in data loss Additionally do not use the internal LDAP database for any other purpose 3 12 1 Changing the Internal Database Configuration To change the Directory Server instance that a subsystem instance uses as its internal database 1 Log into the subsystem administrative console pkiconsole https hostname SSLport subsystemType 2 In the C...

Страница 127: ...l LDAP Database internaldb ldapconn host ldap_hostname internaldb ldapconn port ldap_httpsport internaldb ldapconn secureConn true internaldb ldapAuthentication clientCertNickname Server Cert cert instance_name 5 Open the Directory Server Console 6 Create an entry for the suffix which matches the subject DN of the Certificate System subsystem certificate for the subsystem using this internal datab...

Страница 128: ...ckbox 6 Click Save The server prompts to restart the server 7 Click the Tasks tab and click Restart the Directory Server 8 Close the Directory Server Console 9 When the server is restarted open the Directory Server Console for the internal database instance The Login to Directory dialog box appears the Distinguished Name field displays the Directory Manager DN enter the password The Directory Serv...

Страница 129: ...ing up the instance or the security databases The Directory Server database can be restored using Directory Server specific tools see the Directory Server documentation for more information on restoring the LDAP database The Certificate System backup files both the alias database backups and the full instance directory backups can be used to replace the current directories if the data are corrupte...

Страница 130: ...Chapter 3 Administrative Basics 108 etc init d instance_ID start NOTE Stop the subsystem instance before restoring the instance or the security databases ...

Страница 131: ...ed by creating certificate profiles for each enrollment type Certificate profiles dynamically generate forms which are customized by configuring the inputs associated with the certificate profile 4 1 1 1 The Certificate Enrollment Process When an end entity enrolls in a PKI by requesting a certificate the following events can occur depending on the configuration of the PKI and the subsystems insta...

Страница 132: ...t did not meet the certificate profile or authentication requirements or a certificate is issued 9 The certificate is delivered to the end entity In automated enrollment the certificate is delivered to the user immediately Since the enrollment is normally through an HTML page the certificate is returned as a response on another HTML page In agent approved enrollment the certificate can be retrieve...

Страница 133: ...ate Manager has a CA signing certificate with a public key corresponding to the private key the Certificate Manager uses to sign the certificates and CRLs it issues This certificate is created and installed when the Certificate Manager is installed The default nickname for the certificate is caSigningCert cert instance_ID where instance_ID identifies the Certificate Manager instance The default va...

Страница 134: ...quested to use for different operations such as configuring the Certificate Manager to use separate server certificates for authenticating to the end entity services interface and agent services interface If the Certificate Manager is configured for SSL enabled communication with a publishing directory it uses its SSL server certificate for client authentication to the publishing directory by defa...

Страница 135: ...or the CA The starting and ending serial numbers that a CA can issue can be set in the Certificate System Console This is useful when installing cloned CAs each cloned CA is given a specific range of serial numbers that it can issue so that none of the cloned CAs can issue the same serial number The serial number range is not set during installation or configuration of the subsystem but can be con...

Страница 136: ...he Certificate System CA to a third party public CA introduces the restrictions that public CAs place on the kinds of certificates the subordinate CA can issue and the nature of the certificate chain For example a CA that chains to a third party CA might be restricted to issuing only Secure Multipurpose Internet Mail Extensions S MIME and SSL client authentication certificates but not SSL server c...

Страница 137: ... xml file is created when the CA is configured as the security domain host and every subsystem which is added to the domain is added as an entry to the registry The domain xml file looks like the following example xml version 1 0 encoding UTF 8 DomainInfo Name Example Domain Name KRAList KRA SubsystemName rhpki kra SubsystemName Host server example com Host SecurePort 10443 SecurePort DomainManage...

Страница 138: ... and browsers The information available in the security domain is used during configuration of a new subsystem which makes the configuration process streamlined and automated For example when a TPS needs to connect to a CA it can consult the security domain to get a list of available CAs A subsystem retrieves information in the security domain through XML messages over HTTPS The subsystem authenti...

Страница 139: ...s Automatically approve any server and subsystem certificate from any CA in the domain Register and unregister TPS subsystem information in the security domain Table 4 1 Security Domain User Roles As necessary the security domain administrator can manage access controls on the security domain and on the individual subsystems For example the security domain administrator can restrict access so that...

Страница 140: ...guration the configuration registers the subsystem information to the security domain 4 4 5 Additional Security Domain Information The following information can be considered when planning the security domain The CA hosting the security domain can be signed by an external authority Multiple security domains can be set up within an organization However each subsystem can belong to only one security...

Страница 141: ...trusted CA Section 11 4 1 3 About CA Certificate Chains Managing hardware security module HSM tokens Section 12 1 Tokens for Storing Certificate System Keys and Certificates Setting up trusted managers Section 17 1 2 5 Trusted Managers Changing the subsystem security settings Section 11 5 Configuring the Server Certificate Use Preferences Changing subsystem passwords Section 3 3 System Passwords M...

Страница 142: ...on from an old CA certificate to a new one 4 7 Changing the Rules for Issuing Certificates The restrictions on the certificates issued are set by default after the subsystem is configured These include Whether certificates can be issued with validity periods longer than the CA signing certificate The default is to disallow this The serial number range the CA is able to use to issue certificates Th...

Страница 143: ...cate expires Certificate Serial Number These fields set the serial number range for certificates issued by the Certificate Manager The server assigns the serial number in the Next serial number field to the next certificate it issues and the number in the Ending serial number to the last certificate it issues NOTE The serial number range cannot be updated manually through the console if the CA is ...

Страница 144: ...s on CA Certificates through Certificate Extensions When a subordinate CA is created the root CA can generate a CA signing certificate with restrictions on the types of certificates that the subordinate CA can sign with that signing certificate These restrictions are set by setting the constraints in the CA signing certificate profile The default CA signing certificate request profile is the caCAC...

Страница 145: ...ificates If the key ID is anything other than the SHA 1 hash of the CA certificates subjectPublicKeyInfo field then the CA certificate should contain the Subject Key Identifier extension This will allow for a smooth transition when the new issuing certificate becomes active These extensions can be configured through the certificate profile enrollment pages To set the default in the CA signing cert...

Страница 146: ...on on modifying certificate profiles see Section 13 3 Setting up Certificate Profiles and the Certificate System Agent s Guide 4 9 Creating Certificate Manager Agents and Administrators When the subsystem is configured there is a default user created with both administrator and agent privileges This user can perform both administrator and agent operations and access the Console and the agent servi...

Страница 147: ...e to a local file or to the clipboard c Select the new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate For more information on editing user entries and managing user certificates see Section 17 4 Modifying Certificate System User Entries 4 10 Checking the Revocation Status of Agent Certificates A Certificate Manager can be configured to check the revoc...

Страница 148: ...he following parameters revocationChecking bufferSize Sets the total number of last checked certificates the server should maintain in its cache For example if the buffer size is 2 the server retains the last two certificates checked in its cache By default the server caches the last 50 certificates revocationChecking subsystem Gives the name of the Certificate System instance subsystem indicates ...

Страница 149: ...l see http www mozilla org projects security pki nss tools 2 When the certificate request has been created submit it through the Certificate Manager end entities page The page has a URL in the following format https hostname port ca ee ca 3 After the request is submitted log into the agent services page 4 Check the request for required extensions The CRL signing certificate must contain the Key Us...

Страница 150: ...tificate System is connected with a Directory Server the format of the DNs in the certificates should match the format of the DNs in the directory It is not necessary that the names match exactly certificate mapping allows the subject DN in a certificate to be different from the one in the directory In the Certificate System the DN is based on the components or attributes defined in the X 509 stan...

Страница 151: ...wing netscape security x509 PrintableConverter converts a string to a PrintableString value The string must have only printable characters netscape security x509 IA5StringConverter converts a string to an IA5String value The string must have only IA5String characters netscape security x509 DirStrConverter converts a string to a DirectoryString The string is expected to be in DirectoryString format...

Страница 152: ...s the new attributes should show up in the form 8 To verify that the new attributes are in effect request a certificate using the manual enrollment form Enter values for the new attributes so that it can be verified that they appear in the certificate subject names For example enter the following values for the new attributes and look for them in the subject name MYATTR1 a_value MYATTR2 a Value MY...

Страница 153: ... end of the configuration file X500Name directoryStringEncodingOrder PrintableString UniversalString 5 Save the changes and close the file 6 Start the Certificate Manager etc init d rhpki ca start 7 To verify that the encoding orders are in effect enroll for a certificate using the manual enrollment form Use John_Doe for the cn 8 Open the agent services page and approve the request 9 When the cert...

Страница 154: ...132 ...

Страница 155: ... then forwards the enrollment request to the designated Certificate Authority CA to generate the certificate Depending on the type of enrollment an RA can be set up with the appropriate authentication plugin to authenticate the request in an automated fashion Alternatively the RA has a local request queue where requests can be stored and reviewed by local RA agents for manual authentication The RA...

Страница 156: ...nstaller enters the URL to the RA and provides the one time PIN The enrollment can then be initiated Enrolling a Server Certificate In a server certificate enrollment scenario a server administrator provides site information and the server certificate request in the enrollment form The RA Agent is notified of the request and after validating the requestor approves it The request is then forwarded ...

Страница 157: ...al of Requests Approval of certificate requests Cancellation of Requests Cancellation of certificate requests Listing of Certificates Provide a listing of current certificates Addition of Further Certificate Information Addition of further information to certificate requests 5 1 4 3 Administrative Interface The Administrative interface provides the following features Listing and Creating New Users...

Страница 158: ...all and configure a CA that is capable of issuing certificates Refer to the following sections for further information Section 2 5 Installing the Certificate System Section 2 6 Configuring the Default Subsystem Instances You can install the RA from the Red Hat Network RHN or by using the rpm command For example rpm ivh rhpki ra 7 3 0 27 el4 Procedure 5 1 Configuring an RA The following procedure d...

Страница 159: ... up to the root certificate Click Next to move to the Security Domain Login page 4 The Security Domain Login page registers the RA subsystem with the Security Domain Enter the CA Administrator UID and Password to authenticate against the Security Domain Click Next to move to the Subsystem Type page 5 If this is the first RA that you are configuring select Configure this Instance as new Registratio...

Страница 160: ...on page that indicates the type of security modules that have been recognized by the system This includes both hardware and software modules Refer to the help text on the page for more information about the supported security modules Click Next to move to the Key Pairs page 9 Use the Key Pairs page to specify information about the key pairs that you want to generate Unless you have a special reaso...

Страница 161: ...mation that the Administrator will use to access the system Click Next to create the Administrator s Certificate and to move to the Import Administrator Certificate page 13 The Import Administrator Certificate page is an information page which indicates that the Administrator s Certificate was created and imported into the browser Click Next to move to the final page of the wizard 14 The final pag...

Страница 162: ...var lib rhpki ra alias NSS security database where keys and certificates are stored var lib rhpki ra docroot ee CGIs and templates for end users EE var lib rhpki ra docroot agent CGIs and templates for agents var lib rhpki ra docroot admin CGIs and templates for administrators Table 5 1 Principle RA Directories File Description etc init d rhpki ra Start stop script var lib rhpki ra conf CS cfg Mai...

Страница 163: ...ebug enable Specifies whether or not to enable debug logging Valid values are true and false logging debug filename Specifies the filename of the debug log file logging debug level Specifies the level to which debug logging should occur logging error enable Specifies whether or not to enable debug logging Valid values are true and false logging error filename Specifies the filename of the error lo...

Страница 164: ...ficate signing request The following variables are currently available request request_type approve_request Specifies which plugins to call when a request is approved request request_type cancel_request Specifies which plugins to call when a request is canceled request request_type create_request Specifies which plugins to call when a request is created For example you may see the following for SC...

Страница 165: ...le for creating enrollment work flow In the RA the CGI that handles the SCEP request is running at http example com 12888 ee scep pkiclient cgi Note The RA only supports CA mode over SCEP 5 3 Working With the Registration Authority The following sections describe how to work with the Registration Authority including listing adding and deleting users and groups and associating users with groups The...

Страница 166: ...rs and Groups and then click Groups c Click Add to display the Edit Group Information dialog box d Enter the group name and description for example Registration Manager2 Agents e Click OK 2 Add the new RA authentication instance in the CA a Change to the CA configuration directory and edit the CS cfg file cd var lib rhpki ca conf vi CS cfg b Search for the lines containing the string raCertAuth c ...

Страница 167: ...e Save and close the file 5 Add a new URI mapping to allow registering the new RA agent with the new RA group for example Registration Manager2 Agent a Change to the CA Web Applications directory and edit the web xml file cd var lib rhpki ca webapps ca WEB INF vi web xml b Search for caRegisterRaUser c Copy everything between the servlet and servlet tags and paste it immediately after the existing...

Страница 168: ..._instance_root var lib subsystem_type ra pki_instance_name rhpki ra2 secure_port 12899 unsecure_port 12898 verbose user pkiuser group pkiuser 2 Edit the configuration file for the new RA instance cd var lib rhpki ra2 conf vi CS cfg 3 Locate the registerRaUser string and change it to registerRa2User Refer to the example below conn ca1 servlet addagent ca admin ca registerRa2User 4 Update the CS con...

Страница 169: ... is no graphical interface for performing this customization Procedure 5 4 Customizing the DN 1 Edit the instance_root docroot ee user user vm file This is typically var lib rhpki ra docroot ee user user vm 2 Locate the validate function and formulate your preferred DN in the var dn statement The default value is var dn uid x e e where x is the UID and e is the email from the user input 3 When you...

Страница 170: ...bmitted CSRs 5 3 3 1 Cisco Router Certificate Enrollment on an RA Using SCEP This section describes the process of using a Cisco router to enroll a certificate on an RA using SCEP 1 Simple Certificate Enrollment Protocol This protocol was designed by Cisco to provide a way for a router to communicate with an RA or a CA for certificate enrollment purposes Normally the Router Administrator enters th...

Страница 171: ...is approved and stored in the SQLite database Consequently no configuration is required Procedure 5 5 Submitting the certificate request After the CA and the RA have been installed and appropriately configured the Router Administrator submits the certificate request 1 On the RA navigate to the SSL End Users Services page and then click SCEP Enrollment 2 Click Request Submission Manager 3 Enter the...

Страница 172: ...sword that you need to enter when performing the Crypto CA enroll CA step on the router Procedure 5 7 Retrieving the Certificate and Enrolling After the certificate request has been approved and the RA has provided the one time PIN the Router Administrator needs to go to the provided URL to complete the certificate enrollment 1 On the RA navigate to the End User interface Click SCEP Enrollment and...

Страница 173: ...submit a new CSR i Click Request Submission User ii Enter the required details for the UID Site ID and email address and then click Submit This sends the CSR to the RA b To submit a certificate renewal request i Click Renewal User ii On the User Renewal Interface click Renewal to submit the current certificate to the RA for renewal 3 When the RA has approved the request the User receives an email ...

Страница 174: ...the Agent Interface 2 Click List Requests The PIN request should be listed in a table with a status of OPEN 3 Click the Request ID to display the details of the request 4 If required you can add an explanatory note in the text box at the bottom of the screen Click Add Note to save the note with the request 5 Click Approve to approve the request This generates the PIN that the new Agent requires to...

Страница 175: ...e The following sections describe the functionality provided by the Administrator Interface This includes the basic procedures for working with users and groups in the Certificate System such as adding and deleting users and groups associating users with groups etc Note These procedures require Administrator access to the Certificate System Listing Users and Groups You can use the Administrator in...

Страница 176: ...rs and groups as described below Procedure 5 16 To delete a user 1 Navigate to the Certificate System Services page and click Administrator Services 2 On the Administrator interface click List Users to display the list of existing users 3 Click the UID of the user that you want to delete 4 Scroll to the bottom of the User Information page and click Delete Procedure 5 17 To delete a group 1 Navigat...

Страница 177: ...d above 2 Add the new user to the required group as described above Note If you create a new group ensure that you modify the admin authorized_groups and agent authorized_groups parameters in CS cfg to include the new group to reflect the required authorization levels for the new group 5 3 6 Command line Operations Most of the day to day RA operations can be performed using the browser based inter...

Страница 178: ...splay all user information use the following command sqlite select from users To display all request information use the following command sqlite select from requests To display a list of available tables use the following command sqlite tables ...

Страница 179: ...rmation Access extension in the certificate being validated 5 The OCSP responder determines if the request contains all the information required to process it If it does not or if it is not enabled for the requested service a rejection notice is sent If it does have enough information it processes the request and sends back a report stating the status of the certificate 6 1 1 OCSP Response Signing...

Страница 180: ...voked 6 2 CA OCSP Services There are two ways to set up OCSP services The OCSP built into the Certificate Manager The Online Certificate Status Manager 6 2 1 The Certificate Manager s Internal OCSP Service The Certificate Manager has a built in OCSP service which can be used by OCSP compliant clients to query the Certificate Manager directly about the revocation status of the certificate When the ...

Страница 181: ...sts can be submitted either to a Certificate Manager or to a third party public CA If the certificate is sent to a third party CA then the certificate must be installed when it is received If the OCSP signing certificate is made when the subsystem is configured and it issued by a Certificate Manager the certificate is installed immediately if the Certificate Setup Wizard is used the request is sub...

Страница 182: ...the certificate chain is imported and marked when the Online Certificate Status Manager is configured No other configuration is required However if the server certificate is signed by an external CA the certificate chain has to be imported for the configuration to be completed NOTE Not every CA within the security domain is automatically trusted by the OCSP Manager when it is configured Every CA i...

Страница 183: ...ng certificates Chapter 14 Revocation and CRLs Configuring cloning Chapter 20 Configuring the Certificate System for High Availability Table 6 1 General Subsystem Configuration Links 6 5 Creating Online Certificate Status Manager Agents and Administrators When the subsystem is configured there is a default user created with both administrator and agent privileges This user can perform both adminis...

Страница 184: ...ted b Copy the base 64 encoded certificate to a local file or to the clipboard c Select the new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate For more information on editing user entries and managing user certificates see Section 17 4 Modifying Certificate System User Entries 6 6 Configuring the Certificate Manager s Internal OCSP Service Every CA s ...

Страница 185: ...utomatically and its signing certificate is automatically added and trusted in the Online Certificate Status Manager s certificate database However if a non security domain CA is selected then the OCSP service must be manually configured after the Online Certificate Status Manager is configured NOTE Not every CA within the security domain to which the OCSP Manager belongs is automatically trusted ...

Страница 186: ...rifies the signature against the stored certificate NOTE If a CA within the security domain is selected when the Online Certificate Status Manager is configured there is no extra step required to configure the Online Certificate Status Manager to recognize the CA the CA signing certificate is automatically added and trusted in the Online Certificate Status Manager s certificate database However if...

Страница 187: ...tamps of the CA s last communication with the Online Certificate Status Manager The Requests Served Since Startup field should still show a value of zero 0 since no client has tried to query the OCSP service for certificate revocation status 6 8 2 Configure the Revocation Info Stores The Online Certificate Status Manager stores each Certificate Manager s CRL in its internal database and uses it as...

Страница 188: ...rtificate binary as it is It is the attribute to which the Certificate Manager publishes its CA signing certificate crlAttr Leave the default value certificateRevocationList binary as it is It is the attribute to which the Certificate Manager publishes CRLs notFoundAsGood Sets the OCSP service to return an OCSP response of GOOD if the certificate in question cannot be found in any of the CRLs If t...

Страница 189: ...the CRL to the Online Certificate Status Manager The browser sent an OCSP response to the Online Certificate Status Manager The Online Certificate Status Manager sent an OCSP response to the browser The browser used that response to validate the certificate and returned its status that the certificate could not be verified 6 10 Submitting OCSP Requests Using the GET Method OCSP requests which are ...

Страница 190: ... pmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE no check certificate 16 34 34 https server example com 11443 ocsp ee ocsp MEIwQDA MDwwOjAJBgUrDgMCGgUABBT4cyABky iCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE MEIwQDA MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE Resolving server example com 192 168 123 224 Connecting to server example com 192 168 123 224...

Страница 191: ...es NOTE Setting the redirect is only required to manage certificates issued by a 7 1 CA with the Authority Information Access extension If the certificates are issued by a later version Certificate Manager or do not contain the Authority Information Access extension then this configuration is not necessary 1 Stop the OCSP Responder For example etc init d rhpki ocsp stop 2 Open the OCSP s web appli...

Страница 192: ...l the web xml file in the ROOT directory For example xml version 1 0 encoding ISO 8859 1 web app display name Welcome to Tomcat display name description Welcome to Tomcat description servlet servlet name ocspProxy servlet name servlet class com netscape cms servlet base ProxyServlet servlet class init param param name destContext param name param value ocsp2 param value init param init param param...

Страница 193: ...am param name appendPathInfoOnNoMatch param name param value ocsp param value init param servlet servlet mapping servlet name ocspProxy servlet name url pattern ocsp url pattern servlet mapping servlet mapping servlet name ocspOther servlet name url pattern ocsp url pattern servlet mapping web app 12 Edit the var lib rhpki ocsp conf context xml changing the following line Context to Context crossC...

Страница 194: ...172 ...

Страница 195: ...e PKI configuration must include the following elements Clients that can generate dual keys and that support the key archival option using the CRMF CMMF protocol An installed and configured DRM HTML forms with which end entities can request dual certificates based on dual keys and key recovery agents can request key recovery Only keys that are used exclusively for encrypting data should be archive...

Страница 196: ...Server Certificate Every Certificate System DRM has at least one SSL server certificate The first SSL server certificate is generated when the DRM is configured The default nickname for the certificate is Server Cert cert instance_id where instance_id identifies the DRM instance is installed The DRM s SSL server certificate was issued by the CA to which the certificate request was submitted which ...

Страница 197: ...emains wrapped with the DRM s storage key It can be decrypted or unwrapped only by using the corresponding private key pair of the storage certificate A combination of one or more key recovery or DRM agents certificates authorizes the DRM to complete the key recovery to retrieve its private storage key and use it to decrypt recover an archived private key For details on how this process works see ...

Страница 198: ...e embedded in the enrollment form 2 After approving the certificate request and issuing the certificate the Certificate Manager sends it to the DRM for storage along with the public key The Certificate Manager waits for verification from the DRM that the private key has been received and stored and that it corresponds to the public encryption key 3 The DRM decrypts it with the private key After co...

Страница 199: ...nfigured by the administrator See Section 7 5 2 Key Recovery Agent Scheme However the specified number of key recovery agents must all present their certificates to authorize the recovery of the specific private key 7 5 1 1 Interface for the Key Recovery Process With the key recovery form provided in the DRM agent services page key recovery agents can collectively authorize and retrieve private en...

Страница 200: ...riate delivery mechanism 7 5 2 Key Recovery Agent Scheme The key recovery agent scheme configures the DRM to recognize to which group the key recovery agents belong and specifies how many of these agents are required to authorize a key recovery request before the archived key is restored These parameters set in the CS cfg configuration file determine which group of users and how many users recover...

Страница 201: ...C6yVvaY719hr9EGYuv0Sw6jb3WnEKHpjbUO vhFwTufJHWKXFN3V4pMbHTkqW x5fu 3QyyUre 5IhG0fcEmfvYxIyvZUJx aQBW437ATD99Kuh I FuYdW SqYHznHY8BqOdJwJ1JiJMNceXYAuAdk 9t70RztfAhBmkK0OOP0vH5BZ7RCwE3Y 6ycUdSyPZGGc76a0HrKOz lwVFulFStiuZIaG1pv0NNivzcj0hEYq6AfJ3hgxcC1h87LmCxgRWUCAwEAAaN5MHcwHwYDVR0jBBgwFoAURShCYtSg Oh4rrgmLFB Fg7X3qcwRAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vY2x5ZGUucmR1LnJlZGhhdC5jb206OTE4MC9j...

Страница 202: ...en successfully archived close the browser window 6 Verify the key Send a signed and encrypted email When the email is received open it and check the message to see if it is signed and encrypted There should be a security icon at the top right corner of the message window that indicates that the message is signed and encrypted 7 Delete the certificate Check the encrypted email again the mail clien...

Страница 203: ...e subsystem is configured there is a default user created with both administrator and agent privileges This user can perform both administrator and agent operations and access the Console and the agent services page To create an additional administrator agent or auditor create a user in the Certificate System instance where the user will have privileges and assign the user to the appropriate group...

Страница 204: ...certificate a Request and approve an SSL client certificate for the user if one has not already been generated b Copy the base 64 encoded certificate to a local file or to the clipboard c Select the new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate For more information on editing user entries and managing user certificates see Section 17 4 Modifying ...

Страница 205: ...th a DRM instance which will perform server side key generation and key archival and recovery for the keys and certificates stored on the smart cards After the TPS is configured Section 2 6 3 Configuring a TPS it is operational It is possible to further customize the TPS for specific deployments This chapter explains how to customize the TPS instance NOTE Unlike the other subsystems the TPS does n...

Страница 206: ... means that the values of the other configuration parameters are the same between the instances The CA configuration parameters are listed in Table 8 2 CA Connection Settings The TKS configuration parameters are listed in Table 8 3 TKS Connection Settings The DRM configuration parameters are listed in Table 8 4 DRM Connection Settings 8 1 2 Configuring Multiple Instances for Different Functions Al...

Страница 207: ...en userKey but also the type of certificate encryption It would be possible in this case to use different CAs for signing and encryption certificate enrollments The DRM parameters also specify the types of keys being generated and archived op enroll userKey keyGen encryption serverKeygen drm conn drm1 op enroll tokenKey keyGen encryption serverKeygen drm conn drm2 The format operation parameters a...

Страница 208: ...en automatically by setting the appropriate parameters in the CS cfg file The TPS can also be configured with other options such as requiring LDAP authentication and setting which subsystem instances will process the formatting operations The parameters are listed in Table 8 10 Format Operation Preferences 8 3 Resetting the Smart Card PIN The PIN is the password which protects the certificates and...

Страница 209: ...the actual name of the file as well as the update applet requiredVersion parameter The TPS queries the applet version on the smart card before trying to execute any operations If the update feature is enabled and the applet version from the client is different from the one specified by the update applet requiredVersion parameter the TPS updates the applet automatically NOTE The TPS audit log shows...

Страница 210: ... parameters to add to the default virtual host configuration ScriptAlias and DocumentRoot Additionally the NSSVerifyClient parameter is reset to none and the port numbers should be reset to the TPS secure port For example Listen 0 0 0 0 7890 VirtualHost _default_ 7890 ScriptAlias cgi bin var lib rhpki tps cgi bin DocumentRoot var lib rhpki tps docroot ErrorLog var lib rhpki tps logs error1_log Tra...

Страница 211: ...port information For example https server example com 7890 cgi bin home index cgi 8 5 2 Configuring Server Side Key Generation and Archival of Encryption Keys The global platform environment prevents removing private keys from the smart card For encryption keys it is often necessary to back up the key material for later recovery which means the keys should be generated outside the smart card and t...

Страница 212: ...y delivers the session key in two different forms to the TPS The session key wrapped with server transport key which the DRM uses to wrap the generated private key for token The session key wrapped with token s KEK which the token uses to unwrap the private key generated on DRM The TPS then forwards the session key to the DRM wrapped with the KEK and the server transport key along with the server ...

Страница 213: ...e following parameters to enable server side key generation and to archive keys op enroll userKey keyGen encryption serverKeygen enable true op enroll userKey keyGen encryption serverKeygen drm conn drm1 op enroll userKey keyGen encryption serverKeygen archive true op enroll userKey keyGen encryption serverKeygen encryptPrivKey true 4 Restart the TPS subsystem etc init d instance_ID restart 8 5 3 ...

Страница 214: ...ive token The token status in the database must be changed to lost This action is performed through the TPS agent services page The TPS agent after affirmatively identifying the user can search for the user s ID in the Search tokens link The TPS agent select the active token and update the status with the appropriate reason to recover the key This token has been physically damaged Used if the toke...

Страница 215: ... op enroll userKey keyGen signing recovery onHold revokeCert reason 6 op enroll userKey keyGen signing recovery onHold scheme GenerateNewKey op enroll soKey keyGen encryption recovery onHold revokeCert true op enroll soKey keyGen encryption recovery onHold revokeCert reason 6 op enroll soKey keyGen encryption recovery onHold scheme GenerateNewKey Set revokeCert true to revoke certificates if a tok...

Страница 216: ...he company then the administrator can disassociate the user from the token The TPS agent can change the status to This token has been terminated which terminates the certificates and keys on the token and breaks the association between the token and the user The physical token can still be formated and reused afterward but this change of status will mark a record of the termination event 8 5 5 Con...

Страница 217: ...s for the token_name and nickname follow the parameters outlined in Table 8 13 TKS Configuration Parameters for Key Update Mapping master keys in the TKS configuration is described in more detail in Section 9 3 Configuring the TKS to Associate the Master Key with Its Version 5 Start the TKS instance etc init d rhpki tks start 6 Stop the TPS instance to edit its configuration etc init d rhpki tps s...

Страница 218: ...r parameter contains more than one mapping ID then each mapping ID is processed in sequential order until a target is determined or an error is returned If the mapping order parameter is missing then the code returns an error Each mapping ID references a series of parameters called filters Each filter may contain a specific value for the request to be tested against Empty or missing filters act as...

Страница 219: ...mmetricKeys requiredVersion 1 op format qaKey revokeCert true op format qaKey ca conn ca1 op format qaKey loginRequest enable true op format qaKey tks conn tks1 op format qaKey auth id ldap qa op format qaKey auth enable true LDAP Connection settings for devKey auth instance 0 type LDAP_Authentication auth instance 0 libraryName usr lib libldapauth so auth instance 0 libraryFactory GetAuthenticati...

Страница 220: ...hen the token is selected in the Enterprise Security Client the Enterprise Security Client sends in the applet version CUID ATR and other information about the token to the TPS server TPS server checks the op format mapping section in the CS cfg file and figures out which tokenType to use for the token either devKey or qaKey It then uses the appropriate op format section to perform LDAP authentica...

Страница 221: ...10 is most verbose For example 2005 04 29 13 47 08 b65b9828 Upgradeop applet_upgrade app_ver 1 2 416DA155 new_app_ver 1 3 42659461 2005 04 29 13 47 08 b65b9828 Formatstatus success app_ver 1 3 42659461 key_ver 0 cuid 40900062FF02000065C5 msn FFFFFFFF uid time 45389 msec 2005 04 29 15 56 06 b65b9828 Enrollmentstatus success app_ver 1 3 42659461 key_ver 0101 cuid 40900062FF020000649D msn FFFFFFFF ui...

Страница 222: ...All logging logging audit enable Enables audit logging The valid values are true false logging audit filename The full path to the audit log file name For example tmp tps audit log logging audit level The audit log level The levels range from 0 to 10 0 No logging 4 LL_PER_SERVER Messages that happen only during startup or shutdown 6 LL_PER_CONNECTION Messages that happen per connection 8 LL_PER_PD...

Страница 223: ...ostport The Certificate Authority hostname and port number The format is hostname port This should be the CA s end entity SSL port conn can clientNickname The client certificate nickname This certificate is used by the TPS when connecting to the CA This client certificate should be trusted by the CA and the client should be a configured CA agent conn can servlet enrollment The servlet that perform...

Страница 224: ...he connection to the TKS This value must be true conn tksn keepAlive Sets whether to keep the connection to the TKS alive or terminate it after every operation The valid values are true false conn tksn serverKeygen Sets where key generation happens When set to true key generation happens on the server When set to false key generation happens on the client or token conn tks1 servlet computeSessionK...

Страница 225: ... attributes The LDAP attributes of the user entry to be retrieved if attributes are present such as auth instance 0 attributes mail cn uid Once retrieved these attributes can be used in other parameter entries as auth attr name For example op enroll userKey keyGen tokenName userid auth cn auth instance n type The authentication type to use This must be LDAP_Authentication auth instance n libraryNa...

Страница 226: ...ation Parameter Description channel encryption Sets whether the data being transmitted between the TPS and the token is to be encrypted The valid values are true false Table 8 6 Encrypted Channels Between the TPS and Tokens Operation can be enroll PIN reset or format n is an integer Parameter Description op Operation mapping order The order of the mappings The format is n n n For example 0 1 2 The...

Страница 227: ...nType to select for this mapping For example userKey Table 8 7 Mapping and Filters Parameter Description op enroll tokenType temporaryToken tokenType The tokenType to use for temporary tokens tokenType typically refers to the profile defining how many certificates should be generated how keys should be recovered and what format should be used op enroll tokenType keyGen recovery destroyed keyType n...

Страница 228: ...promised 2 CA key compromised 3 Affiliation changed 4 Certificate superseded 5 Cessation of operation 6 Certificate is on hold op enroll tokenType keyGen recovery keyCompromise keyType num The number of key types for recovery for the tokens whose keys are compromised op enroll tokenType keyGen recovery keyCompromise keyType value n Specifies keyType The default values are signing encryption op enr...

Страница 229: ...mised 2 CA key compromised 3 Affiliation changed 4 Certificate superseded 5 Cessation of operation 6 Certificate is on hold op enroll tokenType keyGen recovery onHold keyType num The number of key types for the tokens to put on hold for temporary loss reasons The valid values are integers The default is 2 op enroll tokenType keyGen recovery onHold keyType value n Specifies keyType The default valu...

Страница 230: ...The default value is 0 The valid values are as follows 0 Unspecified 1 Key compromised 2 CA key compromised 3 Affiliation changed 4 Certificate superseded 5 Cessation of operation 6 Certificate is on hold op enroll tokenType keyGen tokenName The name of the token to use The TPS can substitute some special strings For example if using cuid the tokenName is substituted with the CUID of the token if ...

Страница 231: ...ype keyGen signing private keyCapabilities signRecover op enroll tokenType keyGen signing private keyCapabilities decrypt op enroll tokenType keyGen signing private keyCapabilities derive op enroll tokenType keyGen signing private keyCapabilities unwrap op enroll tokenType keyGen signing private keyCapabilities wrap op enroll tokenType keyGen signing private keyCapabilities verifyRecover op enroll...

Страница 232: ...ap op enroll tokenType keyGen encryption public keyCapabilities verifyRecover op enroll tokenType keyGen encryption public keyCapabilities verify op enroll tokenType keyGen encryption public keyCapabilities sensitive op enroll tokenType keyGen encryption public keyCapabilities private op enroll tokenType keyGen encryption public keyCapabilities token op enroll tokenType keyGen encryption private k...

Страница 233: ...fies if applet upgrade is turned on The valid values are true false op enroll tokenType update applet requiredVersion The version of the applet to use It should be the filename of the applet without the ijc extension op enroll tokenType update applet directory The local filesystem directory where the applets are located op enroll tokenType update symmetricKeys enable Specifies if the key changeove...

Страница 234: ...checks to see the key version sent by the token matches symmetricKeys requiredVersion op pinReset tokenType update symmetricKeys requiredVersion The required key version op pinReset tokenType loginRequest enable Specifies if the login request should be sent to the token This parameter enables authentication The valid values are true false op pinReset tokenType pinReset pin minLen The minimum numbe...

Страница 235: ...be sent to the token This parameter enables authentication The valid values are true false op format tokenType tks conn The TKS connection to use op format tokenType auth id The LDAP authentication instance to use The default value is ldap1 op format tokenType auth enable Specifies whether to authenticate the user information The valid values are true false op format tokenType issuerinfo enable Sp...

Страница 236: ...n based activities should be recorded by the TPS The default value is ou Activities baseDN tokendb certBaseDN The LDAP suffix where the certificate entries should be added by the TPS The default value is ou certificates baseDN Change these templates only to change the appearance of the TPS agent page tokendb indexTemplate tokendb indexAdminTemplate tokendb newTemplate tokendb showTemplate tokendb ...

Страница 237: ...These are listed in Table 8 12 TKS Configuration Parameters for Key Generation and Table 8 13 TKS Configuration Parameters for Key Update Parameter Description tks drm_transport_cert_nickname DRM Transport nickname The DRM transport certificate nickname This needs to be set to enable server side key generation Table 8 12 TKS Configuration Parameters for Key Generation Parameter Description tks mk_...

Страница 238: ...216 ...

Страница 239: ...TKS provides the security between tokens and the TPS since the security relies on the relationship between the master key and the token keys The functions provided by the TKS include the following Helps establish a secure channel signed and encrypted between the token and TPS Provides proof of presence for the security token during enrollment Supports key changeover when the master key changes on ...

Страница 240: ...1B9 master key KCV CED9 4A7B computed KCV of the master key residing inside the wrapped data 6 Use the transport key to unwrap a master key called new_master stored in a file called file tksTool U d n new_master t transport i file Enter Password or Pin for NSS Certificate DB Retrieving the transport key from the specified token for unwrapping Reading in the wrapped data and resident master key KCV...

Страница 241: ...efault developer key set where all keys are set to 404142434445464748494a4b4c4d4e4f TKS has this key built in and it is referred to with the master key set 01 TKS uses key set 01 by default 9 4 Using HSM for Generating Keys By default the TKS is configured to use the internal software token to generate and store its master keys but some deployments may require using a hardware security module HSM ...

Страница 242: ... specified in the mk_mappings parameter of TKS s CS cfg op enroll userKey update symmetricKeys enable true op enroll userKey update symmetricKeys requiredVersion 2 6 Restart the TPS instance etc init d rhpki tps restart 9 5 Creating Token Key Service Agents and Administrators When the subsystem is configured there is a default user created with both administrator and agent privileges This user can...

Страница 243: ...the user s certificate a Request and approve an SSL client certificate for the user if one has not already been generated b Copy the base 64 encoded certificate to a local file or to the clipboard c Select the new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate For more information on editing user entries and managing user certificates see Section 17 4...

Страница 244: ...222 ...

Страница 245: ...rprise Security Client is the method for the tokens to be enrolled Enterprise Security Client communicates over an SSL HTTP channel to the backend of the TPS It is based on an extensible Mozilla XULRunner framework for the user interface while retaining a legacy web browser container for a simple HTML based UI After a token is properly enrolled web browsers can be configured to recognize the token...

Страница 246: ...224 ...

Страница 247: ...pes of certificates for different uses and in different formats Planning which certificates are required and planning how to manage them are important to manage both the PKI and the Certificate System instances Section 11 1 1 Types of Certificates Section 11 1 2 Determining Which Certificates to Install Section 11 1 3 Certificate Data Formats Section 11 1 4 Certificate Setup Wizard 11 1 1 Types of...

Страница 248: ...icate Manager has a CA signing certificate with a public private key pair it uses to sign the certificates and CRLs it issues This certificate is created and installed when the Certificate Manager is installed The Certificate Manager s status as a root or subordinate CA is determined by whether its CA signing certificate is self signed or is signed by another CA Self signed root CAs set the polici...

Страница 249: ... is one of the standard forms listed in the end entities page of the Certificate Manager When generating dual key pairs set the certificate profiles to work correctly when generating separate certificates for signing and encryption 11 1 1 6 Cross Pair Certificates The Certificate System can issue import and publish cross pair CA certificates With cross pair certificates one CA signs and issues a c...

Страница 250: ...on occurs if a subordinate CA s CA certificate is replaced by one with a new key pair all certificates issued by that CA are invalidated and will no longer work If the CA is configured to publish to the OCSP and it has a new CA signing certificate or a new CRL signing certificate the CA must be identified again to the OCSP If a new transport certificate is created for the DRM the DRM information m...

Страница 251: ...ownloaded at once 11 1 3 2 Text Any of the binary formats can be imported in text form The text form begins with the following line BEGIN CERTIFICATE Following this line is the certificate data which can be in any of the binary formats described This data should be base 64 encoded as described by RFC 1113 The certificate information is followed by this line END CERTIFICATE 11 1 4 Certificate Setup...

Страница 252: ...new certificate The Certificate System provides three ways to request a certificate Through the enrollment forms of the Certificate Manager end entity pages Through the subsystems administrative console By using the certutil command line tool There are also three ways that the request is submitted the CA to generate a certificate and to add it to the certificate database Through the enrollment for...

Страница 253: ...ertificates client certificates and DRM transport certificates See Section 11 2 1 2 Requesting a Subsystem Server or Signing Certificate through the Console certutil All Certificates The certutil utility can be used by administrators or users to generate any certificate 11 2 1 1 Requesting a User or Agent Certificate through the End Entities Page End entities can use the HTML enrollment forms on t...

Страница 254: ...com 9443 ca ee ca 2 Select the user certificate enrollment form from the list of certificate profiles 3 Fill in the user information Figure 11 1 User Certificate Request Form 4 Click Submit 5 The key pairs for the user certificate are generated and the certificate request is sent to the agent queue Alternatively if automatic enrollment is configured the certificate is approved or rejected by the s...

Страница 255: ... the client request from the computer that will be used later to access the subsystem because part of the request process generates a private key on the local machine If location independence is required the user can also use a hardware token such as a smart card to store the key pair and the certificate To create a certificate request using the subsystem administrative console do the following 1 ...

Страница 256: ... OCSP signing SSL server certificates Other certificate For a DRM Transport certificate OCSP signing SSL server certificates Other certificate For an OCSP or TKS OCSP signing SSL server certificates Other certificate NOTE If selecting to create an other certificate the Certificate Type field becomes active Fill in the type of certificate to create either caCrlSigning for the CRL signing certificat...

Страница 257: ...ficate Manager after selecting the type of certificate select which type of CA will sign the request For a CA signing certificate the options are to use a root CA or a subordinate CA For all other certificates the options are to use the local CA signing certificate or to create a request to submit to another CA ...

Страница 258: ...curity database directory internal or one of the listed external tokens Generate a new key pair Set the key algorithm and size The key algorithm must be RSA The recommended length for an RSA key is 2048 bits or higher to be crytpographically strong 9 Select the message digest algorithm the choices are MC2 MD5 SHA1 SHA256 and SHA512 ...

Страница 259: ...Requesting Certificates 237 Figure 11 5 Setting the Hashing Algorithm 10 Give the subject name Either enter values for individual DN attributes to build the subject DN or enter the full string ...

Страница 260: ... of the Certificate System in the format machine_name domain domain 11 Only when requesting a certificate through the Certificate Manager Console and submitting the request to the Certificate Manager automatically Specify the start and end dates of the validity period for the certificate and the time at which the validity period will start and end on those dates ...

Страница 261: ...equesting a certificate through the Certificate Manager Console submitting the request to the Certificate Manager automatically Set the standard extensions for the certificate The required extensions are chosen by default To change the default choices read the guidelines explained in Appendix A Certificate and CRL Extensions ...

Страница 262: ...ying them as either a subordinate SSL CA which allows them to issue certificates for SSL or a subordinate email CA which allows them to issue certificates for secure email Disabling certificate extensions means that CA hierarchies cannot be set up Basic Constraints The associated fields are CA setting and a numeric setting for the certification path length Extended Key Usage Authority Key Identifi...

Страница 263: ...59 See http www ietf org rfc rfc2459 txt for a description of the Key Usage extension Base 64 SEQUENCE of extensions This is for custom extensions Paste the extension in MIME 64 DER encoded format into the text field To add multiple extensions use the ExtJoiner program For information on using the tools see the Certificate System Command Line Tools Guide 13 The wizard generates the key pairs and d...

Страница 264: ...quest The request is in base 64 encoded PKCS 10 format and is bounded by the marker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST For example BEGIN NEW CERTIFICATE REQUEST MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBC6SAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pY2 ...

Страница 265: ...icates such as Certificate Manager CRL signing certificate or SSL client certificate Table 11 2 Files Created for Certificate Signing Requests Do not modify the certificate request before sending it to the CA The request can either be submitted automatically through the wizard or copied to the clipboard and manually submitted to the CA through its end entities page NOTE The wizard s auto submissio...

Страница 266: ... o The output file to which to save the certificate request v The validity period in months d Certificate database directory this is the directory for the subsystem instance numbers 1 8 These set the available certificate extensions Only eight can be specified through the certutil tool Key Usage 1 Basic Constraints 2 Certificate Authority Key ID 3 CRL Distribution Point 4 Netscape Certificate Type...

Страница 267: ... The Certificate Manager end entities services page has a list of different enrollment forms for submitting certificate requests depending on the subsystem and purpose of the certificate Certificates created through the Console or through the certutil command line utility can be submitted through an enrollment form Through a third party CA Outside CAs such as VeriSign have online or other types of...

Страница 268: ...m CA EE port number The end entity port number Yes it s the SSL secure server port Indicates that the end entity port number specified is the SSL port The certificate wizard returns a request ID for the request which can be used in the end entities page later and the request is queued for agent approval When the request is approved the CA signs the ...

Страница 269: ...he Certificate Manager https ca example com 9443 ca ee ca 3 In Certificate Profiles of the Enrollment tab click on the appropriate form to submit the request Some of the common forms are as follows For user certificates including agent certificates Manual User Dual Use Certificate Enrollment Manual User Signing Encryption Certificates Enrollment For server certificates Manual Server Certificate En...

Страница 270: ...FICATE REQUEST marker lines Requester Name This is the common name of the person requesting the certificate Requester Email This is the email address of the requester The agent or CA system will use this address to contact the requester when the certificate is issued For example jdoe someCompany com Requester Phone This is the contact phone number of the requester The submitted request is queued f...

Страница 271: ...t including the marker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST to a text file or the clipboard 2 Open the external CA s home page in a web browser submit the certificate request in the appropriate form for the certificate type 3 When the CA responds save the information in a text file 4 When the certificate is retrieved from the CA install it following the instructions ...

Страница 272: ...uest was submitted and click Submit 4 The next page shows the status of the certificate request If the status is complete then there is a link to the certificate Click the Issued certificate link Figure 11 13 New Certificate Link 5 The new certificate information is shown in pretty print format in base 64 encoded format and in PKCS 7 format ...

Страница 273: ...ed certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file Save the text file and use it to store a copy of the certificate in a subsystem s internal database See Section 17 2 Creating Users 11 3 Managing User Certificates User certificates have to be imported into the appropriate applications for users and agents to be able to perform certain operations For sub...

Страница 274: ... click Certificates A list of certificates installed for that user is shown Add users certificates by doing the following 1 Log into the subsystem console pkiconsole https hostname SSLport subsystem 2 In the Configuration tab select Users and Groups 3 In the Users tab select a user and click Certificates 4 In the Manage User Certificates dialog click Import 5 In the text area of the Import Certifi...

Страница 275: ...tificate chain is imported the first certificate in the chain must be the CA certificate Any subsequent certificates in the chain are added to the local database as untrusted CA certificates application x x509 email cert The certificate being downloaded is a user certificate belonging to another user for use with S MIME If a certificate chain is imported the first certificate in the chain must be ...

Страница 276: ...ormation on adding certificates to the database see Section 11 4 1 Installing Certificates in the Certificate System Database NOTE The Certificate System command line utility certutil can be used to manage the certificate database by editing trust settings and adding and deleting certificates For details about this tool see http www mozilla org projects security pki nss tools Administrators should...

Страница 277: ...icate database as untrusted CA certificates The subsystem console uses the same wizard to install certificates and certificate chains To install certificates in the local security database do the following 1 Open the Console pkiconsole https hostname SSLport ca 2 In the Configuration tab select System Keys and Certificates from the left navigation tree 3 There are two tabs where certificates can b...

Страница 278: ...rd installs the certificate 6 Any CA that signed the certificate must be trusted by the subsystem Make sure that this CA s certificate exists in the subsystem s certificate database internal or external and that it is trusted If the CA certificate is not listed add the certificate to the certificate database as a trusted CA If the CA s certificate is listed but untrusted change the trust setting t...

Страница 279: ...ration interface Subsequent certificates are all treated the same If the certificates contain the SSL CA bit in the Netscape Certificate Type certificate extension and do not already exist in the local certificate database they are added as untrusted CAs They can be used for certificate chain validation as long as there is a trusted CA somewhere in the chain 11 4 1 4 Importing Cross Pair Certifica...

Страница 280: ... the user entries in the LDAP internal database To view user certificates see Section 11 3 1 Managing Certificate System User and Agent Certificates 11 4 2 1 Viewing Database Content through the Console To view the contents of the database through the administrative console do the following 1 Open the Certificate System Console pkiconsole https hostname SSLport subsystemType 2 In the Configuration...

Страница 281: ...he database this is internal To view more detailed information about the certificate select the certificate and click View This opens a window which shows the serial number validity period subject name issuer name and certificate fingerprint of the certificate 11 4 2 2 Viewing Database Content Using certutil To view the certificates in the subsystem database using certutil open the instance s cert...

Страница 282: ...in doubt leave the certificates in the database as untrusted CA certificates see Section 11 4 4 Changing the Trust Settings of a CA Certificate Section 11 4 3 1 Deleting Certificates through the Console Section 11 4 3 2 Deleting Certificates Using certutil 11 4 3 1 Deleting Certificates through the Console To delete a certificate through the Console do the following 1 Open the Certificate System C...

Страница 283: ...ceived during an SSL enabled communication It can be necessary to change the trust settings on a CA stored in the certificate database temporarily or permanently For example if there is a problem with access or compromised certificates marking the CA certificate as untrusted prevents entities with certificates signed by that CA from authenticating to the Certificate System When the problem is reso...

Страница 284: ...te by running the certutil with the M option certutil M n cert_nickname t trust d For example certutil M n Certificate Authority Example Domain t TCu TCu TCu d 4 List the certificates again to confirm that the certificate trust was changed certutil L d Certificate Authority Example Domain CTu CTu CTu subsystemCert cert subsystem u u u Server Cert cert example u u u For information about using the ...

Страница 285: ...erences 263 The version of SSL used during SSL communication The latest version is SSL version 3 but many older clients use SSL version 2 Because client authentication is required for performing privileged operations enable SSL version 3 ciphers ...

Страница 286: ...264 ...

Страница 287: ...ase is named key3 db These files are located in the instanceID alias directory 12 1 2 External Tokens An external token refers to an external hardware device such as a smart card or hardware security module HSM that the Certificate System uses to generate and store its key pairs and certificates The Certificate System supports any hardware tokens that are compliant with PKCS 11 PKCS 11 is a standa...

Страница 288: ...ted show a status of Found and is individually marked as either Logged in or Not logged in If a token is found but not logged in it is possible to log in using the Login under Operations If the administrator can log into a token successfully the password is stored in a configuration file At the next start or restart of the Certificate System instance the passwords in the password store are used to...

Страница 289: ...w the vendor s instructions When installing a hardware token there is an opportunity to name it Use a name that will help identify the token later 2 Install the PKCS 11 module The PKCS 11 module is installed using the modutil command line utility a Open the alias directory for the subsystem which is being configured with the PKCS 11 module For example cd var lib rhpki ca alias b The required secur...

Страница 290: ... certificates for the subsystems is protected encrypted by a password To decrypt the key pairs or to gain access to them enter the token password This password is set when the token is first accessed usually during Certificate System installation It is good security practice to change the password that protects the server s keys and certificates periodically Changing the password minimizes the ris...

Страница 291: ...tographic accelerators with external tokens Many of the accelerators provide the following security features Fast SSL connections Speed is important to accommodate a high number of simultaneous enrollment or service requests Hardware protection of private keys These devices behave like smart cards by not allowing private keys to be copied or removed from the hardware token This is important as a p...

Страница 292: ...270 ...

Страница 293: ...od of four years the request is rejected since the constraints allow a maximum of two years validity period for this type of certificate A set of certificate profiles have been predefined for the most common certificates issued These certificate profiles define defaults and constraints associate the authentication method and define the needed inputs and outputs for the certificate profile The para...

Страница 294: ...te request is queued in the agent services interface The agent can change some aspects of the enrollment request validate it cancel it reject it update it or approve it The agent is able to update the request without submitting it or validate that the request adheres to the profile s defaults and constraints This validation procedure is only for verification and does not result in the request bein...

Страница 295: ...the values of the parameters set in the defaults or the constraints that control the certificate content Changing the constraints set up by changing the value of the parameters Changing the authentication method Changing the inputs by adding or deleting inputs in the certificate profile which control the fields on the input page Adding or deleting the output Section 13 3 1 Modifying Certificate Pr...

Страница 296: ...a new certificate profile click Add In the Select Certificate Profile Plugin Implementation window select the type of certificate for which the profile is being created Figure 13 2 Certificate Profile Plugin Implementation Window 4 Fill in the profile information in the Certificate Profile Instance Editor ...

Страница 297: ...s usually set to true Setting this to false allows a signed request to be processed through the Certificate Manager s certificate profile framework rather than through the input page for the certificate profile Certificate Profile Authentication This sets the authentication method An automated authentication is set by providing the instance ID for the authentication instance If this field is blank...

Страница 298: ... policies in the Policies tab of the Certificate Profile Rule Editor window The Policies tab lists policies that are already set by default for the profile type a To add a policy click Add Figure 13 4 Certificate Profile Policy Editor b Choose the default from the Default field choose the constraints associated with that policy in the Constraints field and click OK ...

Страница 299: ...lts Tab c Fill in the policy set ID When issuing dual key pairs separate policy sets define the policies associated with each certificate Then fill in the certificate profile policy ID a name or identifier for the certificate profile policy d Configure any parameters in the Defaults and Constraints tabs ...

Страница 300: ...Constraints defines valid values for the defaults See Section 13 7 Defaults Reference and Section 13 8 Constraints Reference for complete details for each default or constraint To modify an existing policy select a policy and click Edit Then edit the default and constraints for that policy To delete a policy select the policy and click Delete 8 Set inputs in the Inputs tab of the Certificate Profi...

Страница 301: ...nsole 279 Figure 13 7 Certificate Profile Inputs b Choose the input from the list and click OK See Section 13 5 Input Reference for complete details of the default inputs c The New Certificate Profile Editor window opens Set the input ID and click OK ...

Страница 302: ...delete an input select the input and click Delete 9 Set up outputs in the Outputs tab of the Certificate Profile Rule Editor window Outputs must be set for any certificate profile that uses an automated authentication method no output needs to be set for any certificate profile that uses agent approved authentication The Certificate Output type is set by default for all profiles and is added autom...

Страница 303: ...ose the output from the list and click OK c Give a name or identifier for the output and click OK This output will be listed in the output tab You can edit it to provide values to the parameters in this output To delete an output select the output from list and click Delete 10 To modify an existing certificate profile select a certificate profile click Edit View The Certificate Profile Rule Editor...

Страница 304: ...directory instance_directory profiles ca such as var lib rhpki ca profiles ca The file is named profile_name cfg All of the parameters for profile rules set or modified through the Console such as defaults inputs outputs and constraints are written to the profile configuration file NOTE Restart the server after editing the profile configuration file for the changes to take effect Section 13 3 2 1 ...

Страница 305: ... i1 i2 input input_id class_id Gives the java class name for the input by input ID the name of the input listed in input list For example input i1 class_id certReqInputImpl output list Lists the possible output formats for the profile by name For example output list o1 output output_id class_id Gives the java class name for the output format named in output list For example output o1 class_id cert...

Страница 306: ...class_id keyUsageExtConstraintImpl policyset cmcUserCertSet 6 constraint name Key Usage Extension Constraint policyset cmcUserCertSet 6 constraint params keyUsageCritical true policyset cmcUserCertSet 6 constraint params keyUsageCrlSign false policyset cmcUserCertSet 6 constraint params keyUsageDataEncipherment false policyset cmcUserCertSet 6 constraint params keyUsageDecipherOnly false policyset...

Страница 307: ...hat particular certificate profile form Inputs are the fields in the end entities page enrollment forms There is a parameter input list which lists the inputs included in that profile Other parameters define the inputs these are identified by the format input ID For example this adds a generic input to a profile input list i1 i2 i3 i4 input i4 class_id genericInputImpl input i4 params gi_display_n...

Страница 308: ...rollment ldap minConns auths instance UserDirEnrollment ldap ldapconn host localhost auths instance UserDirEnrollment ldap ldapconn port 389 auths instance UserDirEnrollment ldap ldapconn secureConn false The ldapStringAttributes parameter instructs the authentication plug in to read the value of the mail attribute from the user s LDAP entry and put that value in the certificate request When the v...

Страница 309: ...cn attribute of the suer who requested the certificate request auth_token uid This inserts the LDAP user ID uid attribute of the user who requested the certificate request bodyPartId request profileApprovedBy This inserts the name of the Certificate System agent who approved the certificate request auth_token authMgrImplName This inserts the type of authentication plug in which authenticated the u...

Страница 310: ...to the CA s end entities directory instance_directory webapps ca ee ca directory 5 Customize the form as desired 6 The form can be accessed by going to https server example com 9443 ca ee ca MyServerEnrollment html 13 4 Certificate Profile Reference A set of certificate profiles have been predefined for the types of certificates that are usually issued by a CA All certificate profiles are installe...

Страница 311: ...tificate Request Input The CMC Certificate Request input is used for enrollments using a Certificate Message over CMS CMC certificate request is submitted in the request form The request type is preset to CMC and the only field is the Certificate Request text area in which to paste the request 13 5 3 Dual Key Generation Input The Dual Key Generation input is for enrollments in which dual key pairs...

Страница 312: ... form Token Key CUID This field gives the CUID contextually unique user ID for the token device Token Key User Public Key This field gives the path and name of the file containing the token user s public key 13 5 8 nsNcertificateRequest Token User Key Input The Token User Key input is used to enroll keys for the user of a hardware token for agents to use the token later for certificate based authe...

Страница 313: ... changed It does not display anything other than the certificate in pretty print format This output needs to be specified for any automated enrollment Once a user successfully authenticates using the automated enrollment method the certificate is automatically generated and this output page is returned to the user In an agent approved enrollment the user can get the certificate once it is issued b...

Страница 314: ...should not be used to point directly to the CRL location maintained by a CA the CRL Distribution Points extension Section 13 7 4 CRL Distribution Points Extension Default provides references to CRL locations For general information about this extension see Section A 3 1 authorityInfoAccess The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension ...

Страница 315: ...entifier extension to the certificate The extension identifies the public key that corresponds to the private key used by a CA to sign certificates This default has no parameters If used this extension is included in the certificate with the public key information This default takes the following constraint No Constraints see Section 13 8 6 No Constraint For general information about this extensio...

Страница 316: ...ification process to identify CA certificates and to apply certificate chain path length constraints For general information about this extension see Section A 3 3 basicConstraints The following constraints can be defined with this default Basic Constraints Extension Constraint see Section 13 8 1 Basic Constraints Extension Constraint Extension Constraint see Section 13 8 3 Extension Constraint No...

Страница 317: ...n obtain the CRL information to verify the revocation status of the certificate For general information about this extension see Section A 3 5 CRLDistributionPoints The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint This default defines up to five locations with parameters for each ...

Страница 318: ...Chapter 13 Certificate Profiles 296 Parameter IssuerType_n IssuerName_n ...

Страница 319: ...ay be used For example if the key usage extension identifies a signing key the Extended Key Usage extension can narrow the usage of the key for only signing OCSP responses or only Java applets Usage Server authentication Client authentication Code signing Email IPsec end system IPsec tunnel IPsec user Timestamping Table 13 6 PKIX Usage Definitions for the Extended Key Usage Extension Windows 2000 ...

Страница 320: ...y Usage Extension Constraint Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint Parameter Critical OIDs Table 13 7 Extended Key Usage Extension Default Configuration Parameters 13 7 6 Freshest CRL Extension Default This default attaches the Freshest CRL extension to the certificate The following constraints can be defined with this default ...

Страница 321: ...Freshest CRL Extension Default 299 Parameter PointName_n PointIssuerName_n ...

Страница 322: ...tive Name extension is used to associate Internet style identities with the certificate issuer The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint This default defines five locations with parameters for each location The parameters are marked with an n in the table to show with which...

Страница 323: ... certificate should be used such as data signing key encryption or data encryption which restricts the usage of a key pair to predetermined purposes For general information about this extension see Section A 3 8 keyUsage The following constraints can be defined with this default Key Usage Constraint see Section 13 8 5 Key Usage Extension Constraint Extension Constraint see Section 13 8 3 Extension...

Страница 324: ...ject alternative names in subsequent certificates in a certificate chain should be located For general information about this extension see Section A 3 9 nameConstraints The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint This default defines up to five locations for both the permitt...

Страница 325: ...Name Constraints Extension Default 303 Parameter PermittedSubtreesmax_n PermittedSubtreeNameChoice_n PermittedSubtreeNameValue_n ...

Страница 326: ...Chapter 13 Certificate Profiles 304 Parameter PermittedSubtreeEnable_n ExcludedSubtreesn min ExcludedSubtreeMax_n ExcludedSubtreeNameChoice_n ...

Страница 327: ...Name Constraints Extension Default 305 Parameter ExcludedSubtreeNameValue_n ExcludedSubtreeEnable_n Table 13 11 Name Constraints Extension Default Configuration Parameters ...

Страница 328: ...te is used or viewed For general information about this extension see Section A 6 2 netscape comment The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint Parameter critical CommentContent Table 13 12 Netscape Comment Extension Configuration Parameters 13 7 12 No Default Extension This...

Страница 329: ...alidation in two ways either to prohibit policy mapping or to require that each certificate in a path contain an acceptable policy identifier The default can specify both ReqExplicitPolicy and InhibitPolicyMapping PKIX standard requires that if present in a CA certificate the extension must never consist of a null sequence At least one of the two specified fields must be present For general inform...

Страница 330: ...jectDomainPolicy The pairing indicates that the issuing CA considers the issuerDomainPolicy equivalent to the subjectDomainPolicy of the subject CA The issuing CA s users may accept an issuerDomainPolicy for certain applications The policy mapping tells these users which policies associated with the subject CA are equivalent to the policy they accept For general information about this extension se...

Страница 331: ...tes fields defined in the automated enrollment modules If authenticated attributes need to be part of this extension use values from the request token For example to enable the Subject Alternative Name extension in the caDirUserCert profile for the mail LDAP attribute for the user to authenticate against to obtain a certificate use the following configuration policyset serverCertSet 9 constraint n...

Страница 332: ... contains an attribute the profile reads its value and sets it in the extension The extension added to the certificates contain all the configured attributes Multiple attributes can be set for a single extension Up to five subject alternative names can be set the subjAltNameNumGNs parameter controls how many of the listed attributes are required to be added to the certificate This parameter must b...

Страница 333: ... default attaches a Subject Directory Attributes extension to the certificate The Subject Directory Attributes extension conveys any desired directory attribute values for the subject of the certificate The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint Parameter Critical Name Patte...

Страница 334: ... key information The following constraints can be defined with this default Extension Constraint see Section 13 8 3 Extension Constraint No Constraints see Section 13 8 6 No Constraint 13 7 20 Subject Name Default This default attaches a server side configurable subject name to the certificate request A static subject name is used as the subject name in the certificate The following constraints ca...

Страница 335: ...enrolling a certificate The user defined extension is validated against whatever constraint is set so it is possible to restrict the kind of extension through the Extension Constraint or to set rules for the key and other basic constraints such as whether this is a CA certificate NOTE If this extension is set on a profile with a corresponding OID Extension Constraint then any certificate request p...

Страница 336: ... User Supplied Extension Default to a profile with the Basic Constraints Extension Constraint The OID specified in the userExtOID parameter is for the Basic Constraints Extension Constraint policyset set1 p5 default params keyUsageNonRepudiation true policyset set1 p6 constraint class_id basicConstraintsExtConstraintImpl policyset set1 p6 constraint name Basic Constraint Extension Constraint polic...

Страница 337: ...he certificate is issued The following constraints can be defined with this default Subject Name Constraint see Section 13 8 9 Subject Name Constraint Unique Subject Name Constraint see Section 13 8 10 Unique Subject Name Constraint No Constraints see Section 13 8 6 No Constraint 13 7 26 User Supplied Validity Default This default attaches a user supplied validity to the certificate request If inc...

Страница 338: ...le contents of a certificate and the values associated with that content This section lists the predefined constraints with complete definitions of each 13 8 1 Basic Constraints Extension Constraint The Basic Constraints extension constraint checks if the basic constraint in the certificate request satisfies the criteria set in this constraint Parameter Critical IsCA PathLen ...

Страница 339: ...xtended Key Usage Extension Constraint Configuration Parameters 13 8 3 Extension Constraint This constraint implements the general extension constraint It checks if the extension is present 13 8 4 Key Constraint This constraint checks the key length Parameter keyType keyMinLength keyMaxLength Table 13 23 Key Constraint Configuration Parameters 13 8 5 Key Usage Extension Constraint The Key Usage ex...

Страница 340: ...apter 13 Certificate Profiles 318 Parameter keyEncipherment dataEncipherment keyAgreement keyCertsign cRLSign encipherOnly decipherOnly Table 13 24 Key Usage Extension Constraint Configuration Parameters ...

Страница 341: ... in the certificate request satisfies the criteria set in this constraint Parameter signingAlgsAllowed Table 13 25 Signing Algorithms Constraint Configuration Parameters 13 8 9 Subject Name Constraint The Subject Name constraint checks if the subject name in the certificate request satisfies the criteria Parameter Pattern Table 13 26 Subject Name Constraint Configuration Parameters The Subject Nam...

Страница 342: ...either ou engineering ou people or ou engineering o Example Corp the pattern is ou engineering ou people ou engineering o Example Corp NOTE For constructing a pattern which uses a special character such as a period escape the character with a back slash For example to search for the string o Example Inc set the pattern to o Example Inc 13 8 10 Unique Subject Name Constraint The Unique Subject Name...

Страница 343: ...r marks the corresponding certificate records in its internal database as revoked and if configured to do so removes the revoked certificates from the publishing directory and updates the CRL in the publishing directory 14 1 1 SSL Client Authenticated Revocation When an end user submits a certificate revocation request the first step in the revocation process is for the Certificate Manager to iden...

Страница 344: ...certificates do the following Set up an instance of the CMCAuth Authentication plug in module An instance is enabled and configured by default Use the agent certificate to sign revocation requests 14 2 1 1 revoker Utility The CMC revocation utility revoker is used to sign a revocation request with an agent s certificate This utility has the following syntax revoker d instance alias n cert_nickname...

Страница 345: ...ick Submit 8 The returned page should confirm that correct certificate was been revoked 14 3 About CRLs Server and client applications that use public key certificates as ID tokens need access to information about the validity of a certificate Because one of the factors that determines the validity of a certificate is its revocation status these applications need to know whether the certificate be...

Страница 346: ...ager can revoke any certificate it has issued There are generally accepted reason codes for revoking a certificate that are often included in the CRL such as the following 0 Unspecified no particular reason is given 1 The private key associated with the certificate was compromised 2 The private key associated with the CA that issued the certificate was compromised 3 The owner of the certificate is...

Страница 347: ...onPoint extension 14 3 4 Delta CRLs Delta CRLs can be issued for any defined issuing point A delta CRL contains information about any certificates revoked since the last update to the full CRL Delta CRLs for an issuing point are created by enabling the DeltaCRLIndicator extension 14 3 5 How CRLs Work CRLs are generated when issuing points are defined and configured and any CRL extensions are enabl...

Страница 348: ...the old CRL in the attribute containing the CRL in the directory entry By default CRLs do not contain information about revoked expired certificates The server can include revoked expired certificates by enabling that option for the issuing point If expired certificates are included information about revoked certificates is not removed from the CRL when the certificate expires If expired certifica...

Страница 349: ...ired in the CRL CRL from certificate profiles which determines the revoked certificates to include based on the profiles used to create the certificates originally 3 Configure the CRLs for each issuing point See Section 14 4 2 Configuring CRLs for Each Issuing Point for details 4 Set up the CRL extensions which are configured for the issuing point See Section 14 4 3 Setting CRL Extensions for deta...

Страница 350: ...d an issuing point click Add The CRL Issuing Point Editor window opens Figure 14 2 CRL Issuing Point Editor NOTE If some fields do not appear large enough to read the content expand the window by dragging one of the corners Fill in the following fields Enable Enables the issuing point if selected deselect to disable CRL Issuing Point name Gives the name for the issuing point spaces are not allowed...

Страница 351: ...icate Manager and then select CRL Issuing Points 3 Select the issuing point name below the Issuing Points entry 4 Configure how and how often the CRLs are updated by supplying information in the Update tab for the issuing point This tab has two sections Update Schema and Update Frequency The Update Schema section has the following options Enable CRL generation This checkbox sets whether CRLs are g...

Страница 352: ...lation This option should be selected to test revocation immediately such as testing whether the server publishes the CRL to a flat file Update the CRL at This field sets a daily time when the CRL should be updated To specify multiple times enter a comma separate list of times such as 01 50 04 55 06 55 Update the CRL every This checkbox enables generating and publishing CRLs at the interval set in...

Страница 353: ...n about the cache see Section 14 3 5 How CRLs Work Update cache every This field sets how frequently the cache is written to the internal database Set to 0 to have the cache written to the database every time a certificate is revoked Enable cache recovery This checkbox allows the cache to be restored 6 The Format tab sets the formatting and contents of the CRLs that are created There are two secti...

Страница 354: ...ch set what types of certificates to include in the CRL Include expired certificates This includes revoked certificates that have expired If this is enabled information about revoked certificates remains in the CRL after the certificate expires If this is not enabled information about revoked certificates is removed when the certificate expires CA certificates only This includes only CA certificat...

Страница 355: ...lidityDate and CRLNumber Other extensions are available but are disabled by default These can be enabled and modified For more information about the available CRL extensions see Section A 5 Standard X 509 v3 CRL Extensions To configure CRL extensions do the following 1 Open the CA Console pkiconsole https hostname SSLport ca 2 In the navigation tree select Certificate Manager and then select CRL I...

Страница 356: ...s for Each Issuing Point First CRLs are issued according to a time based schedule CRLs can be issued every single time a certificate is revoked at a specific time of day or once every so many minutes However this time based publishing schedule applies to every CRL that is generated There are two kinds of CRLs however The full CRL has a record of every single revoked certificate However the Certifi...

Страница 357: ...ll and delta CRL again In other words every third publishing interval has both a full CRL and a delta CRL Interval 1 2 3 4 5 6 7 Full CRL 1 4 7 Delta CRL 1 2 3 4 5 6 7 NOTE For delta CRLs to be published independent of full CRLs the CRL cache must be enabled 14 5 1 Configuring Extended Updated Intervals for CRLs in the Console 1 Open the console pkiconsole https server example com 9443 ca 2 In the...

Страница 358: ...sterCRL updateSchema 1 Stop the CA server etc init d rhpki ca stop 2 Open the CA configuration directory cd var lib subsystem_name conf 3 Edit the CS cfg file and add two lines to set the extended updated interval ca crl extendedNextUpdate false ca crl MasterCRL updateSchema 3 The default interval is 1 meaning a full CRL is published every time a CRL is published The updateSchema interval can be s...

Страница 359: ...cates and different types of CRLs can be published to different places in a directory For example certificates for users from the West Coast division of a company can be published in one branch of the directory while certificates for users in the East Coast division can be published to another branch in the directory Setting up publishing involves configuring publishers mappers and rules 15 1 1 Ab...

Страница 360: ...ate variable of the CRL contained in the file For example the filename for a CRL with This Update Friday January 28 15 36 00 PST 2009 is crl 94 3696899 der 15 1 5 LDAP Publishing In LDAP publishing the server publishes the certificates CRLs and other certificate related objects to a directory using LDAP or LDAPS The branch of the directory to which it publishes is called the publishing directory F...

Страница 361: ... rule if CRL is set as the type Every rule that is matched publishes the certificate or CRL according to the method and location specified in that rule A given certificate or CRL can match no rules one rule more than one rule or all rules The publishing system attempts to match every certificate and CRL issued against all rules When a rule is matched the certificate or CRL is published according t...

Страница 362: ...For details about setting up publishers see Section 15 3 2 Configuring Publishers for Publishing to OCSP 3 For LDAP publishing there are three steps a Configure the Directory Server to which certificates will be published Refer to Section 15 10 Configuring the Directory for LDAP Publishing b Configure a publisher for each type of object published CA certificates cross pair certificates CRLs and us...

Страница 363: ...s Publishers specify the location where a particular object is published There can be a single publisher to publish everything to a single location or multiple publishers for multiple destinations When publishing to a file a publisher sets the directory where the files are published For OCSP publishing a publisher specifies a particular Online Certificate Status Manager to which to publish a CRL F...

Страница 364: ... the Select Publisher Plug in Implementation window which lists registered publisher modules Figure 15 2 Select Publisher Plug in Implementation Window 4 Select the FileBasedPublisher module then open the editor window This is the module that enables the Certificate Manager to publish certificates and CRLs to files ...

Страница 365: ...ystem instance directory For example export CS certificates 15 3 2 Configuring Publishers for Publishing to OCSP A publisher must be created and configured for each publishing location publishers are not automatically created for publishing to the OCSP responder Create a single publisher to publish everything to s single location or create a publisher for every location to which CRLs will be publi...

Страница 366: ...nd then Publishers The Publishers Management tab which lists configured publisher instances opens on the right Figure 15 4 Publishers Management Tab 3 Click Add to open the Select Publisher Plug in Implementation window which lists registered publisher modules Figure 15 5 Select Publisher Plug in Implementation Window 4 Select the OCSPPublisher module then open the editor window ...

Страница 367: ...alified domain name such as ocspResponder example com and port number of the Online Certificate Status Manager and the default path ocsp addCRL 15 3 3 Configuring Publishers for LDAP Publishing The Certificate Manager creates configures and enables a set of publishers that are associated with LDAP publishing as shown in Table 15 1 LDAP Publishers Publisher Description LdapCaCertPublisher Used to p...

Страница 368: ...e entry or set a search for the directory to find the DN of the entry During installation the Certificate Manager automatically creates a set of mappers defining the most common relationships The default mappers are listed in Table 15 2 Default Mappers Mapper Description LdapUserCertMap Locates the correct attribute of user entries in the directory in order to publish user certificates LdapCrlMap ...

Страница 369: ...Configuring Mappers 347 Figure 15 7 Mappers Management Tab 3 In the mapper list select a mapper to modify 4 To edit an existing mapper click Edit View The editor window opens ...

Страница 370: ...ndow 5 To create a new mapper instance click Add The Select Mapper Plugin Implementation window opens which lists registered mapper modules Select a module and edit it For complete information about these modules see Section 15 13 2 Mapper Plug in Modules ...

Страница 371: ...Configuring Mappers 349 Figure 15 9 Selecting a New Mapper Type 6 Edit the mapper instance and click OK ...

Страница 372: ...tificate or CRL can be published to a file to an Online Certificate Status Manager and to an LDAP directory by matching a file based rule an OCSP rule and matching a directory based rule Rules can be set for each object type CA certificates CRLs user certificates and cross pair certificates The rules can be more detailed for different kinds of certificates or different kinds of CRLs The rule first...

Страница 373: ...following 1 Log into the Certificate Manager Console pkiconsole https server example com 9443 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Publishing and then Rules The Rules Management tab which lists configured rules opens on the right Figure 15 11 Rules Management Tab 3 To edit an existing rule select that rule from the list and click Edit...

Страница 374: ...Chapter 15 Publishing 352 Figure 15 12 Using the Rule Editor Window to Edit an Existing Rule 4 To create a rule click Add This opens the Select Rule Plug in Implementation window ...

Страница 375: ... for Certificates and CRLs 353 Figure 15 13 Select Rule Plugin Implementation Window Select the Rule module This is the only default module If any custom modules have been been registered they are also available 5 Edit the rule ...

Страница 376: ...cate value for the type of certificate or CRL issuing point to which this rule applies The predicate values for CRL issuing points delta CRLs and certificates are listed in Table 15 3 Predicate Expressions enable mapper Mappers are not necessary when publishing to a file they are only needed for LDAP publishing If this rule is associated with a publisher that publishes to an LDAP directory select ...

Страница 377: ...h as caServerCert Table 15 3 Predicate Expressions 15 6 Enabling Publishing Publishing can be enabled for only files only LDAP or both Publishing should be enabled after setting up publishers rules and mappers Once enabled the server will attempt to begin publishing If publishing was not configured correctly before being enabled publishing may exhibit undesirable behavior or may fail Enable publis...

Страница 378: ...his DN determines whether the Certificate Manager can perform publishing It is possible to create another DN that has limited read write permissions for only those attributes that the publishing system actually needs to write Password The Certificate Manager saves this password in its password conf file For example CA LDAP Publishing password The parameter name which identifies the publishing pass...

Страница 379: ...e following 1 Open the CA Console pkiconsole https server example com 9443 ca 2 In the Configuration tab select the Certificate Manager link in the left pane then the Publishing link 3 Click the Rules link under Publishing This opens the Rules Management pane on the right 4 If the rule exists and has been disabled select the enable checkbox If the rule has been deleted then click Add and create a ...

Страница 380: ...JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzMM0WjBXMQswCQYDVQQGEwJ VUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9yY2F0aW9ucyBDb3Jwb3Jhd GlvbjpMEaMBgGA1UECxMRSXNzdWluZyBBdXRob3JpdHkwHh END CERTIFICATE 7 Convert the base 64 encoded certificate to a readable form using the Pretty Print Certificate tool For more information on this tool refer to the Certificate System Command Line Tools Guid...

Страница 381: ...mple bin 2 Use the PrettyPrintCert or PrettyPrintCRL tool to convert the binary file to pretty print format For example PrettyPrintCert example bin example cert Alternatively the dumpasn1 can be used to convert a binary certificate or CRL to pretty print format The dumpasn1 tool can be downloaded at http fedoraproject org extras 4 i386 repodata repoview dumpasn1 0 20050404 1 fc4 html To view the c...

Страница 382: ... class to the directory entry for the CA if it can find the CA s directory entry 15 10 1 3 Required Schema for Publishing CRLs The Certificate Manager publishes the updated CRL to the CA s directory object under the certificateRevocationList binary attribute This attribute is an attribute of the certificationAuthority object class The value of the attribute is the DER encoded binary X 509 CRL The ...

Страница 383: ...y Server for one of the following methods of communication Publishing with basic authentication Publishing over SSL without client authentication Publishing over SSL with client authentication See the Red Hat Directory Server documentation for instructions on setting up these methods of communication with the server 15 11 Updating Certificates and CRLs in a Directory The Certificate Manager and th...

Страница 384: ...e Manager starts updating the directory with the certificate information in its internal database If the changes are substantial updating the directory can take considerable time During this period any changes made through the Certificate Manager including any certificates issued or any certificates revoked may not be included in the update If any certificates are issued or revoked while the direc...

Страница 385: ...g in modules can be registered in a Certificate Manager s publishing framework Unwanted mapper or publisher plug in modules can be deleted Before deleting a module delete all the rules that are based on this module 1 Log into the Certificate Manager Console pkiconsole https server example com 9443 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select ...

Страница 386: ...dPublisher plug in module configures a Certificate Manager to publish certificates and CRLs to file This mapper can publish base 64 encoded files DER encoded files or both depending on the checkboxes selected when the publisher is configured The certificate and CRL content can be viewed by converting the files using the PrettyPrintCert and PrettyPrintCRL tools For details on viewing the content in...

Страница 387: ...ublish a user certificate to the userCertificate binary attribute of the user s directory entry This module is used to publish any end entity certificate to an LDAP directory Types of end entity certificates include SSL client S MIME SSL server and OCSP responder During installation the Certificate Manager automatically creates an instance of the LdapUserCertPublisher module for publishing end ent...

Страница 388: ...ilarly it also removes the certificationAuthority object class when unpublishing if the CA has no other certificates During installation the Certificate Manager automatically creates an instance of the LdapCertificatePairPublisher module named LdapCrossCertPairPublisher for publishing the cross signed certificates to the directory Parameter Description crossCertPairAttr Specifies the LDAP director...

Страница 389: ...e certificate to an existing entry or to do both If a CA entry already exists in the publishing directory and the value assigned to the dnPattern parameter of this mapper is changed but the uid and o attributes are the same the mapper fails to create the second CA entry For example if the directory already has a CA entry for uid CA ou Marketing o example com and a mapper is configured to create an...

Страница 390: ...ate does not have the cn component in its subject name adjust the CA certificate mapping DN pattern to reflect the DN of the entry in the directory where the CA certificate is to be published For example if the CA certificate subject DN is o Example Corporation and the CA s entry in the directory is cn Certificate Authority o Example Corporation the pattern is cn Certificate Authority o subj o Exa...

Страница 391: ...id jdoe o Example Corporation c US when searching the directory for the entry the Certificate Manager only searches for an entry with the DN uid jdoe o Example Corporation c US If no matching entries are found the server returns an error and does not publish the certificate This mapper does not require any values for any parameters because it obtains all values from the certificate 15 13 2 3 LdapS...

Страница 392: ...tion Parameters of LdapSubjAttrMap Table 15 12 LdapSubjAttrMap Parameters describes these parameters Parameter Description certSubjNameAttr Specifies the name of the LDAP attribute that contains a certificate subject name as its value The default is certSubjectName but this can be configured to any LDAP attribute searchBase Specifies the base DN for starting the attribute search The permissible va...

Страница 393: ...rks for the Sales department at Example Corporation which is located in Mountain View California United States cn Jane Doe ou Sales o Example Corporation l Mountain View st California c US The Certificate Manager can use some or all of these components cn ou o l st and c to build a DN for searching the directory When creating a mapper rule these components can be specified for the server to use to...

Страница 394: ...uid component NOTE The e l and st components are not included in the standard set of certificate request forms provided for end entities These components can be added to the forms or the issuing agents can be required to insert these components when editing the subject name in the certificate issuance forms 15 13 2 5 1 Configuration Parameters of LdapDNCompsMap With this configuration a Certificat...

Страница 395: ... from the certificate the search is successful and the server optionally performs a verification For example if filterComps is set to use the email and user ID attributes filterComps e uid the server searches the directory for an entry whose values for email and user ID match the information gathered from the certificate The permissible values are valid directory attributes in the certificate DN s...

Страница 396: ...sher Specifies the publisher used with the rule See Section 15 13 1 6 LdapCertificatePairPublisher for details on this publisher Table 15 15 LdapXCert Rule Configuration Parameters 15 13 3 3 LdapUserCertRule The LdapUserCertRule is used to publish user certificates to an LDAP directory Parameter Value Description type certs Specifies the type of certificate that will be published predicate Specifi...

Страница 397: ...apCrlMap Specifies the mapper used with the rule See Section 15 13 2 1 2 LdapCrlMap for details on the mapper publisher LdapCrlPublisher Specifies the publisher used with the rule See Section 15 13 1 4 LdapCrlPublisher for details on the publisher Table 15 17 LdapCRL Rule Configuration Parameters ...

Страница 398: ...376 ...

Страница 399: ...More than one authentication method can be configured in a single instance of a subsystem The HTML registration pages contain hidden values specifying the method used With certificate profiles the end entity enrollment pages are dynamically generated for each enabled profile The authentication method associated with this certificate profile is specified in the dynamically generated enrollment page...

Страница 400: ... they await agent approval This ensures that all requests that lack authentication credentials are sent to the request queue for agent approval 16 2 1 Configuring Agent Approved Enrollment To configure agent approved enrollment 1 Set up the certificate profiles to use to enroll users such as specifying agent approved enrollment and setting policies for specific certificates in the certificate prof...

Страница 401: ...le and configure the instance a Open the CA Console pkiconsole https server example com 9443 ca b In the Configuration tab select Authentication in the navigation tree The right pane shows the Authentication Instance tab which lists the currently configured authentication instances NOTE The UidPwdDirAuth plug in is enabled by default c Click Add The Select Authentication Plug in Implementation win...

Страница 402: ...nimum number of connections permitted to the authentication directory The permissible values are 1 to 3 ldap maxConns Specifies the maximum number of connections permitted to the authentication directory The permissible values are 3 to 10 f Click OK The authentication instance is set up and enabled 2 Set the certificate profiles to use to enroll users by setting policies for specific certificates ...

Страница 403: ...re the Directory Server s host name Directory Manager s bind password and PIN manager s password d Run the setpin command with its optfile option pointing to the setpin conf file setpin optfile usr lib rhpki native tools setpin conf The tool modifies the schema with a new attribute by default pin and a new object class by default pinPerson creates a pinmanager user and sets the ACI to allow only t...

Страница 404: ...ce Editor window Authentication Instance ID Accept the default instance name or enter a new name removePin Sets whether to remove PINs from the authentication directory after end users successfully authenticate Removing PINs from the directory restricts users from enrolling more than once and thus prevents them from getting more than one certificate pinAttr Specifies the authentication directory a...

Страница 405: ...to use for SSL client authentication to the authentication directory to remove PINs Make sure that the certificate is valid and has been signed by a CA that is trusted in the authentication directory s certificate database and that the authentication directory s certmap conf file has been configured to map the certificate correctly to a DN in the directory This is needed for PIN removal only ldap ...

Страница 406: ...ate is received To set up CMC enrollment 1 Set up the certificate profile to use to enroll users by setting policies for specific certificates in the certificate profile See Chapter 13 Certificate Profiles for information about profile policies 2 If necessary set up the CMCAuth authentication plug in An instance of this plug in module is created and enabled by default It has no configuration param...

Страница 407: ...he Server for Multiple Requests in a Full CMC Request CMC supports multiple CRMF or PKCS 10 requests in a single full CMC request If the numRequests parameter in the cfg file is larger than 1 modify the server s certificate profile by doing the following 1 By default the servlet processing a full CMC request uses the caFullCMCUserCert profile This profile only handles a single request 2 To use the...

Страница 408: ... ca ee ca b Select the CMC enrollment form from the list of certificate profiles c Paste the content of the output file into the Certificate Request text area of this form d Remove BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST from the pasted content e Fill in the contact information and submit the form 6 The certificate is immediately processed and returned 7 Use the agent page to...

Страница 409: ...ern 3 Three enrollment forms are provided for the certificate based enrollment CertBasedDualEnroll html This form enables end users to request dual certificates one for signing another for encryption by submitting preissued certificates as authentication tokens when a user enrolls for a certificate the server verifies the CA that has issued the certificate used for authentication uses the configur...

Страница 410: ... of generating dual key pairs doSslAuth This variable specifies whether the server requests SSL client authentication Set the value of this parameter to on and make sure that the port number specified in the authentication instance is an SSL port 4 Before modifying a form look at the default certificate based enrollment forms 16 6 Testing Enrollment For information on testing enrollment through th...

Страница 411: ...e https server example com 9443 ca 2 In the Configuration tab click Authentication in the navigation tree 3 In the right pane click the Authentication Plug in Registration tab The tab lists modules that are already registered 4 To delete a registered module select that module and click Delete 5 To register a plug in click Register The Register Authentication Plug in Implementation window appears 6...

Страница 412: ...390 ...

Страница 413: ...1 How Authorization Works Authorization goes through the following process 1 The users authenticate to the interface using either the Certificate System user ID and password or a certificate 2 The server authenticates the user either by matching the user ID and password with the one stored in the database or by checking the certificate against one stored in the database With certificate based auth...

Страница 414: ...hentication method to SSL client authentication See Section 3 2 Enabling SSL Client Authentication for the Certificate System Console for more information 17 1 2 2 Auditors An auditor can view the signed audit logs and is created to audit the operation of the system The auditor cannot administer the server in any way An auditor is created by adding a user to the Auditors group and storing the audi...

Страница 415: ...the domain DRMs to push KRA connector information and CAs to approve certificates generated within the CA automatically Enterprise subsystem administrators are given enough privileges to perform operations on the subsystems in the domain Each subsystem has its own security domain role Enterprise CA Administrators Enterprise DRM Administrators Enterprise OCSP Administrators Enterprise TKS Administr...

Страница 416: ...ystem which trusts it as a trusted manager using its SSL server certificate for SSL client authentication 17 2 Creating Users To create an administrator agent or auditor create a user in the Certificate System instance where the user will have privileges and assign the user to the appropriate group An agent or auditor must have a certificate stored in the subsystem s internal database If the Conso...

Страница 417: ... new user entry and click Certificates d Click Import and paste in the base 64 encoded certificate 17 3 Setting up a Trusted Manager Trusted relationships are set up automatically during subsystem configuration All subsystems within the same security domain are automatically trusted the security domain manager issues each member of the security domain a subsystem certificate which the subsystem us...

Страница 418: ...manager entry the subsystem never uses it The subsystem relies solely on the trusted manager s SSL client certificate for authentication Figure 17 2 Creating the Trusted Manager Account The full name must be the fully qualified host name of the Certificate Manager The group must be set to Trusted Managers do that the CA has trusted manager privileges 4 Store the Certificate Manager s SSL client ce...

Страница 419: ...nector settings of the Certificate Manager This enables the Certificate Manager to utilize the agent port to communicate with the subsystem 1 Log into the administrative console for the Certificate Manager 2 In the navigation tree select Certificate Manager 3 Select the Connectors tab Figure 17 3 The Connector Tab 4 Select the connector from the list and click Edit 5 Select the Enable checkbox to ...

Страница 420: ... System User Entries This section describes how to change a user entry delete the user or change the certificate associated with the user 17 4 1 Changing a Certificate System User s Login Information Change a Certificate System user s login information by doing the following 1 Log into the administrative console ...

Страница 421: ...ATE and END CERTIFICATE marker lines 17 4 3 Changing Members in a Group Members can be added or deleted from all groups The group for administrators must have at least one user entry To change a group s members do the following 1 Log into the administrative console 2 Select Users and Groups from the navigation tree on the left 3 Click the Groups tab 4 Select the group from the list of names and cl...

Страница 422: ...Create a new group by doing the following 1 Log into the administrative console 2 Select Users and Groups from the navigation menu on the left 3 Select the Groups tab 4 Click Edit and fill in the group information Figure 17 5 Creating a New Group It is only possible to add users who already exist in the internal database 5 Edit the ACLs to grant the group privileges See Section 17 6 5 Editing ACLs...

Страница 423: ...eges The privileges of Certificate System users are changed by changing the access control lists ACL that are associated with the group in which the user is a member for the users themselves or for the IP address of the user New groups are assigned access control by adding that group to the access control lists For example a new group for administrators who are only authorized to view logs LogAdmi...

Страница 424: ...ul to specify one For example JohnB a member of the Administrators group has just been fired It may be necessary to deny access specifically to JohnB if the user cannot be deleted immediately Another situation is that a user BrianC is an administrator but he should not have the ability to change some resource Since the Administrators group must access this resource BrianC can be specifically denie...

Страница 425: ...om j2se 1 4 2 docs api java util regex Pattern html sum 17 6 4 3 3 IP Address Syntax The syntax to include an IP address in the ACL is ipaddress ipaddress The syntax to exclude an ID address from the ACL is ipaddress ipaddress An IP address is specified using its numeric value DNS values are not permitted For example ipaddress 12 33 45 99 ipaddress 23 99 09 88 It is also possible to use regular ex...

Страница 426: ...rative console To edit the existing ACLs do the following 1 Log into the administrative console 2 Select Access Control List in the left navigation menu Figure 17 6 Default ACL List 3 Select the ACL to edit from the list and click Edit See Section 17 7 ACL Reference for information about each ACL The ACL opens in the Access Control Editor window ...

Страница 427: ... ACLs 405 Figure 17 7 The ACL Editor Window 4 To add an ACI click Add and supply the ACI information To edit an ACI select the ACI from the list in the ACI entries text area of the ACL Editor window Click Edit ...

Страница 428: ...both use the Ctrl or Shift buttons c Specify the user group or IP address that will be granted or denied access in the Syntax field See Section 17 6 4 3 Syntax for details on syntax 17 7 ACL Reference This section lists all ACL resources defined for all subsystems describes what each resource controls lists the possible operations describing the outcome of those operations and provides the default...

Страница 429: ...try is associated with the CA administration interface and is only available during the configuration of the target of evaluation TOE it is unavailable after the CA is running 17 7 2 1 Operations Operations import 17 7 2 2 Default ACIs allow import user anybody Anyone can import a certificate 17 7 3 certServer admin request enrollment This entry is associated with the CA administration interface a...

Страница 430: ...ations Operations read modify 17 7 4 2 Default ACIs allow read group Administrators group Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators agents and auditors are allowed to read authentication configuration administrators are allowed to modify authentication configuration 17...

Страница 431: ...tServer ca certificates Controls revoke or list operations for certificates in the agent services interface 17 7 6 1 Operations Operations revoke list 17 7 6 2 Default ACIs allow revoke list group Certificate Manager Agents Only Certificate Manager agents can revoke or list certificates 17 7 7 certServer ca configuration Controls operations on the general configuration for a Certificate Manager 17...

Страница 432: ...and agents are allowed to read CA configuration only administrators are allowed to modify CA configuration 17 7 8 certServer ca connector Controls submit operations for a connection to the CA 17 7 8 1 Operations Operations submit 17 7 8 2 Default ACIs allow submit group Trusted Managers A trusted manager can submit requests to this interface 17 7 9 certServer ca clone Controls submit operations fo...

Страница 433: ... read update 17 7 10 2 Default ACIs allow read update group Certificate Manager Agents Certificate Manager agents can read or update CRLs 17 7 11 certServer ca directory Controls update operations to the directory 17 7 11 1 Operations Operations update 17 7 11 2 Default ACIs allow update group Certificate Manager Agents Certificate Manager agents can update the directory 17 7 12 certServer ca grou...

Страница 434: ...ead group Certificate Manager Agents Only Certificate Manager agents can read OCSP usage statistics 17 7 14 certServer ca profiles Controls list operations for certificate profiles in the agent services interface 17 7 14 1 Operations Operations list 17 7 14 2 Default ACIs allow list group Certificate Manager Agents Certificate Manager agents can list certificate profiles 17 7 15 certServer ca prof...

Страница 435: ...ices interface 17 7 16 1 Operations Operations list 17 7 16 2 Default ACIs allow list group Certificate Manager Agents Only Certificate Manager agents can list requests 17 7 17 certServer ca request enrollment Controls submit read execute assign and unassign operations for enrollment requests 17 7 17 1 Operations Operations submit read execute assign unassign 17 7 17 2 Default ACIs allow submit us...

Страница 436: ...e Manager Agents Only Certificate Manager agents can view or modify the approval state of certificate profile based requests 17 7 19 certServer ca systemstatus Controls approve or read operations for viewing statistics 17 7 19 1 Operations Operations read 17 7 19 2 Default ACIs allow read group Certificate Manager Agents Only Certificate Manager agents may view statistics 17 7 20 certServer ee cer...

Страница 437: ...e 17 7 21 certServer ee certificates Controls revoke or list operations in the end entities page 17 7 21 1 Operations Operations revoke list 17 7 21 2 Default ACIs allow revoke list user anybody Anyone can revoke and list certificates 17 7 22 certServer ee certchain Controls download or read operations for the CA s certificate chain in the end entities page 17 7 22 1 Operations Operations download...

Страница 438: ... 24 certServer ee profile Controls submit and read operations for certificate profiles in the end entities page 17 7 24 1 Operations Operations submit read 17 7 24 2 Default ACIs allow submit read user anybody Anyone can read and submit requests through certificate profiles 17 7 25 certServer ee profiles Controls list operations for certificate profiles in the end entities page 17 7 25 1 Operation...

Страница 439: ...ybody Anyone can read the face to face enrollment page 17 7 27 certServer ee request enrollment Controls submit operations for certificate enrollment in the end entities page 17 7 27 1 Operations Operations submit 17 7 27 2 Default ACIs allow submit user anybody Anyone can submit an enrollment request 17 7 28 certServer ee request facetofaceenrollment Controls submitting face to face enrollments 1...

Страница 440: ...n submit OCSP requests 17 7 30 certServer ee request revocation Controls submit operations for certificate revocation requests in the end entities page 17 7 30 1 Operations Operations submit 17 7 30 2 Default ACIs allow submit user anybody Anyone can submit a revocation request 17 7 31 certServer ee requestStatus Controls read operations for the request status available from the end entities page ...

Страница 441: ... Administrators group Auditors group Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Administrators auditors and agents are allowed to read Certificate System general configuration only administrators are allowed to modify Certificate System general configuration 17 7 33 certServer job configuration Cont...

Страница 442: ...o read job configuration only administrators are allowed to modify job configuration 17 7 34 certServer kra certificate transport Controls actions to display the key transport certificate 17 7 34 1 Operations Operations read 17 7 34 2 Default ACIs allow read user anybody Anyone can view the key transport certificate 17 7 35 certServer kra configuration Controls operations on the DRM configuration ...

Страница 443: ...er kra connector Controls request submissions 17 7 36 1 Operations Operations submit 17 7 36 2 Default ACIs allow submit group Trusted Managers Only trusted managers can submit requests 17 7 37 certServer kra key Controls read recover and download operations for the DRM 17 7 37 1 Operations Operations read recover download 17 7 37 2 Default ACIs allow read recover download group Data Recovery Mana...

Страница 444: ...quest 17 7 39 1 Operations Operations read 17 7 39 2 Default ACIs allow read group Data Recovery Manager Agents DRM agents can read requests 17 7 40 certServer kra requests Controls list operations for a DRM request 17 7 40 1 Operations Operations list 17 7 40 2 Default ACIs allow list group Data Recovery Manager Agents Only DRM agents can list key archival requests 17 7 41 certServer kra request ...

Страница 445: ...ations to display the system status of a DRM 17 7 42 1 Operations Operations read 17 7 42 2 Default ACIs allow read group Data Recovery Manager Agents Only DRM agents can read system status 17 7 43 certServer log configuration Controls operations on the log configuration 17 7 43 1 Operations Operations read modify 17 7 43 2 Default ACIs allow read group Administrators group Auditors group Certific...

Страница 446: ...ministrators group Auditors group Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents deny modify user anybody Administrators auditors and agents can read the value of the expirationTime parameter no one is allowed to modify the value of the expirationTime parameter for the signed audit log 17 7 45 certServer log configuration fileName Contr...

Страница 447: ...er Agents group Online Certificate Status Manager Agents Only an auditor is allowed to view the audit log NOTE All other groups need to be specifically denied access to this log since they are given access to all logs in the certServer log content ACL 17 7 47 certServer log content Controls read operations to all logs 17 7 47 1 Operations Operations Description read View log content List all logs ...

Страница 448: ...ager agents can add CAs 17 7 49 certServer ocsp cas Controls list operations for listing the CAs that publish to an Online Certificate Status Manager 17 7 49 1 Operations Operations list 17 7 49 2 Default ACIs allow list group Online Certificate Status Manager Agents Only Online Certificate Status Manager agents can list CAs 17 7 50 certServer ocsp certificate Controls validate operation for check...

Страница 449: ...very Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators agents and auditors are allowed to read OCSP configuration only administrators are allowed to modify OCSP configuration 17 7 52 certServer ocsp crl Controls add operations for posting CRLs to an OCSP 17 7 52 1 Operations Operations add 17 7 52 2 Default ACIs allow add ...

Страница 450: ...ger Agents group Auditors allow modify group Administrators Administrators agents and auditors are allowed to read certificate profile configuration only administrators are allowed to modify certificate profile configuration 17 7 54 certServer publisher configuration Controls read and modify operation for the publishing configuration 17 7 54 1 Operations Operations read modify 17 7 54 2 Default AC...

Страница 451: ...ug in modules Currently this is only used to register certificate profile plug ins 17 7 55 1 Operations Operations read modify 17 7 55 2 Default ACIs allow read group Administrators group Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Administrators auditors and agents are allowed to view...

Страница 452: ... Certificate Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Administrators auditors and agents are allowed to read user and group configuration only administrators are allowed to modify user and group configuration ...

Страница 453: ...be customized for different appearances and formatting 18 1 1 Types of Automated Notifications There are three types of automated notifications Certificate Issued A notification message is automatically sent to users who have been issued certificates A rejection message is sent to a user if the user s certificate request is rejected Certificate Revocation A notification message is automatically se...

Страница 454: ...he window Figure 18 1 Notification Tabs 4 To enable issued certificate notifications go to the Certificate Issued tab select the enable checkbox and specify information in the following fields Enable Certificate Issued notification Select this checkbox to enable notifications when a certificate is issued or rejected Sender s E mail Address Type the sender s full email address of the user who is no...

Страница 455: ...his checkbox to enable request in queue notifications Sender s E Mail Address Type the sender s full email address of the user who is notified of any delivery problems Subject Type the subject title for the notification Recipient s E Mail Address Type the recipient s full email address these are the email addresses of the agents who will check the queue To list more than one recipient separate the...

Страница 456: ...he parameters for the notification messages are explained in Section 18 2 Setting Up Automated Notifications 4 Save the file 5 Restart the CA instance etc init d rhpki ca start 6 If a job has been created to send automated messages check that the mail server is correctly configured See Section 3 5 Mail Server 7 The messages that are sent automatically can be customized see Section 18 3 Customizing...

Страница 457: ...e HTML commands in the HTML message template The default text version of the certificate issuance notification message is as follows Your certificate request has been processed successfully SubjectDN SubjectDN IssuerDN IssuerDN notAfter NotAfter notBefore NotBefore Serial Number 0x HexSerialNumber To get your certificate please follow this URL https HttpHost HttpPort displayBySerial op displayBySe...

Страница 458: ...s to end entities when a certificate is revoked certRequestRevoked_CA html Template for HTML based notification emails to end entities when a certificate is revoked reqInQueue_CA Template for plain text notification emails to agents when a request enters the queue reqInQueue_CA html Template for HTML based notification emails to agents when a request enters the queue Table 18 1 Notification Templa...

Страница 459: ...pe of certificate these can be any of the following SSL client client SSL server server CA signing certificate ca other other ExecutionTime Gives the time the job was run HexSerialNumber Gives the serial number of the certificate that was issued in hexadecimal format HttpHost Gives the fully qualified host name of the Certificate Manager to which end entities should connect to retrieve their certi...

Страница 460: ...tatus Gives the request status SubjectDN Gives the DN of the certificate subject SummaryItemList Lists the items in the summary notification Each item corresponds to a certificate the job detects for removal from the publishing directory SummaryTotalFailure Gives the total number of items in the summary report that failed SummaryTotalNum Gives the total number of certificate requests that are pend...

Страница 461: ...s The automated jobs feature is set up by doing the following Enabling and configuring the Job Scheduler see Section 19 2 Setting up the Job Scheduler for more information Enabling and configuring the job modules and setting preferences for those job modules see Section 19 3 Setting up Specific Jobs for more information Customizing the email notification messages sent with these jobs by changing t...

Страница 462: ... administrators specified by the configuration NOTE This job automates removing expired certificates from the directory Expired certificates can also be removed manually for more information on this see Section 15 11 Updating Certificates and CRLs in a Directory 19 2 Setting up the Job Scheduler The Certificate Manager can execute a job only if the Job Scheduler is enabled The job settings such as...

Страница 463: ...emon thread wakes up and calls the configured jobs that meet the cron specification By default it is set to one minute NOTE The window for entering this information may be too small to see the input Drag the corners of the Certificate Manager Console to enlarge the entire window 5 Click Save 19 3 Setting up Specific Jobs Automated jobs can be configured through the Certificate Manager Console or b...

Страница 464: ...e pkiconsole https server example com 9443 ca 2 Confirm that the Jobs Scheduler is enabled See Section 19 2 Setting up the Job Scheduler for more information 3 In the Configuration tab select Job Scheduler from the navigation tree Then select Jobs 4 This opens the Job Instance tab Figure 19 2 Job Instance Tab Select the job instance from the list and click Edit View The Job Instance Editor opens s...

Страница 465: ...or this dialog For requestInQueueNotifier see Section 19 3 3 Configuration Parameters of requestInQueueNotifier For publishCerts see Section 19 3 4 Configuration Parameters of publishCerts For unpublishExpiredCerts see Section 19 3 5 Configuration Parameters of unpublishExpiredCerts For more information about setting the cron time frequencies see Section 19 3 6 Frequency Settings for Automated Job...

Страница 466: ... requestInQueueNotifier see Section 19 3 3 Configuration Parameters of requestInQueueNotifier To configure the publishCerts job edit all parameters that begin with jobsScheduler job publishCerts see Section 19 3 4 Configuration Parameters of publishCerts To configure the unpublishExpiredCerts job edit all parameters that begin with jobsScheduler job unpublishExpiredCerts see Section 19 3 5 Configu...

Страница 467: ...ecifies the path including the filename to the directory containing the template to use to create the summary report summary senderEmail Specifies the sender of the notification message who will be notified of any delivery problems summary recipientEmail Specifies the recipients of the summary message These can be agents who need to process pending requests or other users More than one recipient c...

Страница 468: ...ies the sender of the summary message who will be notified of any delivery problems summary recipientEmail Specifies the recipients of the summary message These can be agents who need to know the status of user certificates or other users More than one recipient can be set by separating each email address with a comma Table 19 2 publishCerts Parameters 19 3 5 Configuration Parameters of unpublishE...

Страница 469: ...ertificates or other users More than one recipient can be set by separating each email address with a comma Table 19 3 unpublishExpiredCerts Parameters 19 3 6 Frequency Settings for Automated Jobs The Job Scheduler uses a variation of the Unix crontab entry format to specify dates and times for checking the job queue and executing jobs As shown in Table 19 4 Time Values for Scheduling Jobs and Fig...

Страница 470: ...er new job plug ins and delete existing plug ins 19 4 1 Registering or Deleting a Job Module Custom job plug ins can be registered through the Certificate Manager Console Registering a new module involves specifying the name of the module and the full name of the Java class that implements the module It is also possible to delete job modules but this is not recommended To register or delete a job ...

Страница 471: ...in module Class name Type the full name of the class for this module this is the path to the implementing Java class If this class is part of a package include the package name For example to register a class named customJob that is in a package named com customplugins type com customplugins customJob 5 Click OK ...

Страница 472: ...450 ...

Страница 473: ...ter and cloned instances are installed on different machines and those machines are placed behind a load balancer The load balancer accepts HTTP and HTTPS requests made to the Certificate System system and directs those requests appropriately between the two machines In the event that one machine fails the load balancer will transparently redirect all requests to the machine that is still running ...

Страница 474: ...lancer can also provide the following advantages as part of a Certificate System system DNS round robin a feature for managing network congestion that distributes load across several different servers Sticky SSL which makes it possible for a user returning to the system to be routed the same host used previously Consult the documentation for the load balancer for more information about the feature...

Страница 475: ... the required keys and certificates except the SSL server key and certificate to the clone instance Keep the nicknames for those certificates the same Additionally copy all the necessary trusted root from the master instance to the clone instance If the token is network based then the keys and certificates simply need to be available to the token the keys and certificates do not need to be copied ...

Страница 476: ...er Conversion At times an existing cloned subsystem may need converted into a new master subsystem such as after catastrophic failure of the existing master First convert the existing offline master subsystem into a clone then convert one of the current existing online cloned subsystems into the new online master subsystem The differences between the master and the clone of the different subsystem...

Страница 477: ...aster CA if it is still running 2 Open the existing master CA configuration directory cd var lib master_ID conf 3 Edit the CS cfg file and change the following Disable control of the database maintenance thread by changing the value of the following line to 0 add the line if it does not already exist ca certStatusUpdateInterval 0 Disable monitoring database replication changes by changing the valu...

Страница 478: ... which begins with the ca crl prefix b Copy each line beginning with the ca crl prefix from the former master CA CS cfg file into the cloned CA s CS cfg file c Enable control of the database maintenance thread by changing the value of the following line to 600 600 is the default value for the master Certificate System This value can be changed to any other non zero number ca certStatusUpdateInterv...

Страница 479: ...y cd var lib master_ID conf 3 Edit the CS cfg and add the following line 21600 is the default value for a cloned OCSP This value can be changed to any other non zero number OCSP Responder store defStore refreshInSec 21600 20 4 4 Converting a Cloned OCSP into a Master OCSP After converting the existing offline master OCSP responder into an offline cloned OCSP one of the online cloned OCSP responder...

Страница 480: ...Chapter 20 Configuring the Certificate System for High Availability 458 4 Start the new master OCSP responder server etc init d instance_ID start ...

Страница 481: ...ication was originally designed to bind public keys to names in an X 500 directory As certificates began to be used on the Internet and extranets and directory lookups could not always be performed problem areas emerged that were not covered by the original specification Trust The X 500 specification establishes trust by means of a strict directory hierarchy By contrast Internet and extranet deplo...

Страница 482: ...d was finalized Netscape and other companies had to address some of the most pressing issues with their own extension definitions For example applications such as Netscape Navigator and Enterprise Server supported an extension known as the Netscape Certificate Type Extension that specifies the type of certificate issued such as client server or email To maintain compatibility with older versions o...

Страница 483: ...tension and accept the certificate An octet string containing the DER encoding of the value of the extension Typically the application receiving the certificate checks the extension ID to determine if it can recognize the ID If it can it uses the extension ID to determine the type of value used Some of the standard extensions defined in the X 509 v3 standard include the following Authority Key Ide...

Страница 484: ...sage SSL CA Secure Email CA ObjectSigning CA Identifier Basic Constraints 2 5 29 19 Critical yes Is CA yes Path Length Constraint UNLIMITED Identifier Subject Key Identifier 2 5 29 14 Critical no Key Identifier 3B 46 83 85 27 BC F5 9D 8E 63 E3 BE 79 EF AF 79 9C 37 85 84 Identifier Authority Key Identifier 2 5 29 35 Critical no Key Identifier 3B 46 83 85 27 BC F5 9D 8E 63 E3 BE 79 EF AF 79 9C 37 85...

Страница 485: ...Netscape defined OID for an extension named Netscape Certificate Comment The OID assigned to this extension is hierarchical and includes the former Netscape company arc 2 16 840 1 http www alvestrand no objectid 2 16 840 1 113730 1 13 html If an OID extension exists in a certificate and is marked critical the application validating the certificate must be able to interpret the extension including ...

Страница 486: ...efines an accessMethod id ad ocsp for using OCSP to verify certificates The accessLocation field then contains a URL indicating the location and protocol used to access an OCSP responder that can validate the certificate A 3 2 The authorityKeyIdentifier A 3 2 1 OID 2 5 29 35 A 3 2 2 Criticality This extension is always noncritical and is always evaluated A 3 2 3 Discussion The Authority Key Identi...

Страница 487: ... apply certificate chain path length constraints The cA component should be set to true for all CA certificates PKIX recommends that this extension should not appear in end entity certificates If the pathLenConstraint component is present its value must be greater than the number of CA certificates that have been processed so far starting with the end entity certificate and moving up the chain If ...

Страница 488: ...xtKeyUsage A 3 6 1 OID 2 5 29 37 A 3 6 2 Criticality If this extension is marked critical the certificate must be used for one of the indicated purposes only If it is not marked critical it is treated as an advisory field that may be used to identify keys but does not restrict the use of the certificate to the indicated purposes A 3 6 3 Discussion The Extended Key Usage extension indicates the pur...

Страница 489: ...ension Uses Use Certificate trust list signing Microsoft Server Gated Crypto SGC Microsoft Encrypted File System Netscape SGC Table A 2 Private Extended Key Usage Extension Uses A 3 7 issuerAltName Extension A 3 7 1 OID 2 5 29 18 A 3 7 2 Criticality PKIX Part 1 recommends that this extension be marked noncritical A 3 7 3 Discussion The Issuer Alternative Name extension is used to associate Interne...

Страница 490: ... is used to encrypt user data instead of key material keyAgreement 4 when the subject s public key is used for key agreement keyCertSign 5 for all CA signing certificates cRLSign 6 for CA signing certificates that are used to sign CRLs encipherOnly 7 if the public key is used only for enciphering data If this bit is set keyAgreement should also be set decipherOnly 8 if the public key is used only ...

Страница 491: ...0 3 Discussion The extension is meant to be included in an OCSP signing certificate The extension tells an OCSP client that the signing certificate can be trusted without querying the OCSP responder since the reply would again be signed by the OCSP responder and the client would again request the validity status of the signing certificate This extension is null valued its meaning is determined by ...

Страница 492: ...oncritical A 3 12 3 Discussion The Policy Mappings extension is used in CA certificates only It lists one or more pairs of OIDs used to indicate that the corresponding policies of one CA are equivalent to policies of another CA It may be useful in the context of cross pair certificates This extension may be supported by CAs and applications A 3 13 privateKeyUsagePeriod A 3 13 1 OID 2 5 29 16 A 3 1...

Страница 493: ...e relationship between this extension and the subject field Email addresses may be provided in the Subject Alternative Name extension the certificate subject name field or both If the email address is part of the subject name it must be in the form of the EmailAddress attribute defined by PKCS 9 Software that supports S MIME must be able to read an email address from either the Subject Alternative...

Страница 494: ...80 txt recommends a set of extensions to be used in CRLs These extensions are called standard CRL extensions The standard also allows custom extensions to be created and included in CRLs These extensions are called private proprietary or custom CRL extensions and carry information unique to an organization or business Applications may not able to validate CRLs that contain private critical extensi...

Страница 495: ...sion may appear per CRL for example a CRL may contain only one Authority Key Identifier extension However CRL entry extensions appear in appropriate entries in the CRL Certificate Revocation List Data Version v2 Extensions Identifier Authority Key Identifier Critical no Key Identifier 2c 22 c6 ae 4e 4b 91 c7 fb 4c cc ae 84 e8 aa 5b 46 6a a0 ad Revoked Certificates Serial Number 0x12 Revocation Dat...

Страница 496: ...suerAltName Section A 5 1 6 issuingDistributionPoint A 5 1 1 authorityKeyIdentifier A 5 1 1 1 OID 2 5 29 35 A 5 1 1 2 Discussion The Authority Key Identifier extension for a CRL identifies the public key corresponding to the private key used to sign the CRL For details see the discussion under certificate extensions at Section A 3 2 The authorityKeyIdentifier The PKIX standard recommends that the ...

Страница 497: ...r Configuration Parameters A 5 1 3 deltaCRLIndicator A 5 1 3 1 OID 2 5 29 27 A 5 1 3 2 Criticality PKIX requires that this extension be critical if it exists A 5 1 3 3 Discussion The deltaCRLIndicator extension generates a delta CRL a list only of certificates that have been revoked since the last CRL it also includes a reference to the base URL This updates the local database while ignoring uncha...

Страница 498: ...s Indicates the number of issuing points for the delta CRL from 0 to any positive integer the default is 0 When setting this to an integer other than 0 set the number and then click OK to close the window Re open the edit window for the rule and the fields to set these points will be present pointTypen Specifies the type of issuing point for the n issuing point For each number specified in numPoin...

Страница 499: ... Issuer Alternative Name extension allows additional identities to be associated with the issuer of the CRL like binding attributes such as a mail address a DNS name an IP address and a uniform resource indicator URI with the issuer of the CRL For details see the discussion under certificate extensions at Section A 3 7 issuerAltName Extension A 5 1 5 3 Parameters Parameter enable critical numNames...

Страница 500: ...Appendix A Certificate and CRL Extensions 478 Parameter namen Table A 8 IssuerAlternativeName Configuration Parameters ...

Страница 501: ...tribution Point CRL extension identifies the CRL distribution point for a particular CRL and indicates what kinds of revocation it covers such as revocation of end entity certificates only CA certificates only or revoked certificates that have a limited set of reason codes PKIX Part I does not require this extension A 5 1 6 4 Parameters Parameter enable critical pointType pointName onlySomeReasons...

Страница 502: ...xtensions are noncritical A 5 2 1 certificateIssuer A 5 2 1 1 OID 2 5 29 29 A 5 2 1 2 Discussion The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL This extension is used only with indirect CRLs which are not supported by the Certificate System A 5 2 2 holdInstructionCode A 5 2 2 1 OID 2 5 29 23 A 5 2 2 2 Discussion The Hold Instruction C...

Страница 503: ...n The Invalidity Date extension provides the date on which the private key was compromised or that the certificate otherwise became invalid A 5 2 3 3 Parameters Parameter enable critical Table A 11 InvalidityDate Configuration Parameters A 5 2 4 CRLReason A 5 2 4 1 OID 2 5 29 21 A 5 2 4 2 Discussion The Reason Code extension identifies the reason for certificate revocation ...

Страница 504: ...A 6 1 1 OID 2 16 840 1 113730 1 A 6 1 2 Discussion The Netscape Certificate Type extension can be used to limit the purposes for which a certificate can be used It has been replaced by the X 509 v3 extensions Section A 3 6 extKeyUsage and Section A 3 3 basicConstraints If the extension exists in a certificate it limits the certificate to the uses specified in it If the extension is not present the...

Страница 505: ...netscape comment 483 A 6 2 2 Discussion The value of this extension is an IA5String It is a comment that can be displayed to the user when the certificate is viewed ...

Страница 506: ...484 ...

Страница 507: ...ins intact but its privacy is compromised For example someone could gather credit card numbers record a sensitive conversation or intercept classified information Tampering Information in transit is changed or replaced and then sent to the recipient For example someone could alter an order for goods or change a person s resume Impersonation Information passes to a person who poses as the intended ...

Страница 508: ...ction used for encryption or decryption Usually two related functions are used one for encryption and the other for decryption With most modern cryptography the ability to keep encrypted information secret is based not on the cryptographic algorithm which is widely known but on a number called a key that must be used with the algorithm to produce an encrypted result or to decrypt previously encryp...

Страница 509: ...lic key encryption Public key encryption also called asymmetric encryption involves a pair of keys a public key and a private key associated with an entity Each public key is published and the corresponding private key is kept secret For more information about the way public keys are published see Section B 4 Certificates and Authentication Data encrypted with a public key can be decrypted only wi...

Страница 510: ... The RSA cipher can use only a subset of all possible values for a key of a given length due to the nature of the mathematical problem on which it is based Other ciphers such as those used for symmetric key encryption can use all possible values for a key of a given length Thus a 128 bit key with a symmetric key encryption cipher provides stronger encryption than a 128 bit key with the RSA public ...

Страница 511: ...ic key used to decrypt the digital signature corresponds to the private key used to create the digital signature Confirming the identity of the signer also requires some way of confirming that the public key belongs to a particular entity For more information on authenticating users see Section B 4 Certificates and Authentication A digital signature is similar to a handwritten signature Once data ...

Страница 512: ...role of CAs see Section B 4 6 How CA Certificates Establish Trust B 4 2 Authentication Confirms an Identity Authentication is the process of confirming an identity For network interactions authentication involves the identification of one party by another party There are many ways to use authentication over networks Certificates are one of those way Network interactions typically take place betwee...

Страница 513: ...s 1 When the server requests authentication from the client the client displays a dialog box requesting the username and password for that server 2 The client sends the name and password across the network either in plain text or over an encrypted SSL connection 3 The server looks up the name and password in its local password database and if they match accepts them as evidence authenticating the ...

Страница 514: ...re B 4 Using a Password to Authenticate a Client to a Server the authentication process in Figure B 5 Using a Certificate to Authenticate a Client to a Server requires SSL Figure B 5 Using a Certificate to Authenticate a Client to a Server also assumes that the client has a valid certificate that can be used to identify the client to the server Certificate based authentication is preferred to pass...

Страница 515: ...s the certificate and the signed data to authenticate the user s identity 5 The server may perform other authentication tasks such as checking that the certificate presented by the client is stored in the user s entry in an LDAP directory The server then evaluates whether the identified user is permitted to access the requested resource This evaluation process can employ a variety of standard auth...

Страница 516: ...certificates to determine what other certificates can be trusted For more information see Section B 4 6 How CA Certificates Establish Trust The cert corp eac Table B 1 Common Certificates B 4 3 2 SSL The Secure Sockets Layer SSL protocol governs server authentication client authentication and encrypted communication between servers and clients SSL is widely used on the Internet especially for inte...

Страница 517: ...services they use like logging onto the network collecting email using directory services using the corporate calendar program and accessing servers Users have difficulty keeping track of different passwords tend to choose poor ones and tend to write them down in obvious places and administrators must keep track of a separate password database on each server and deal with potential security proble...

Страница 518: ...cate Every X 509 certificate consists of two sections The data section includes the following information The version number of the X 509 standard supported by the certificate The certificate s serial number Every certificate issued by a CA has a serial number that is unique among the certificates issued by that CA Information about the user s public key including the algorithm used and a represen...

Страница 519: ...001 Extensions Identifier Certificate Type Critical no Certified Usage SSL Client Identifier Authority Key Identifier Critical no Key Identifier f2 f2 06 59 90 18 47 51 f5 89 33 5a 31 7a e6 5c fb 36 26 c9 Signature Algorithm PKCS 1 MD5 With RSA Encryption Signature 6d 23 af f3 d3 b6 7a df 90 df cd 7e 18 6c 01 69 8e 54 65 fc 06 30 43 34 d1 63 1f 06 7d c3 40 a8 2a 82 c1 a4 83 2a fb 2e 8f fb f0 6d ff...

Страница 520: ...ich it has a certificate It is also possible for a trusted CA certificate to be part of a chain of CA certificates each issued by the CA above it in a certificate hierarchy The sections that follow explains how certificate hierarchies and certificate chains determine what certificates software can trust Section B 4 6 1 CA Hierarchies Section B 4 6 2 Certificate Chains Section B 4 6 3 Verifying a C...

Страница 521: ...ficates signed by the higher level subordinate CAs Organizations have a great deal of flexibility in how CA hierarchies are set up Figure B 6 Example of a Hierarchy of Certificate Authorities shows just one example B 4 6 2 Certificate Chains CA hierarchies are reflected in certificate chains A certificate chain is series of certificates issued by successive CAs Figure B 7 Example of a Certificate ...

Страница 522: ...at issued that certificate USA CA s DN is also the subject name of the next certificate in the chain Each certificate is signed with the private key of its issuer The signature can be verified with the public key in the issuer s certificate which is the next certificate in the chain In Figure B 7 Example of a Certificate Chain the public key in the certificate for the USA CA can be used to verify ...

Страница 523: ...tops successfully here Otherwise the issuer s certificate is checked to make sure it contains the appropriate subordinate CA indication in the certificate type extension and chain verification starts over with this new certificate Figure B 8 Verifying a Certificate Chain to the Root CA presents an example of this process Figure B 8 Verifying a Certificate Chain to the Root CA Figure B 8 Verifying ...

Страница 524: ...invalid signature or the absence of a certificate for the issuing CA at any point in the certificate chain causes authentication to fail Figure B 10 A Certificate Chain That cannot Be Verified shows how verification fails if neither the root CA certificate nor any of the intermediate CA certificates are included in the verifier s local database ...

Страница 525: ...e management issues involved in managing the PKI Section B 5 1 Issuing Certificates Section B 5 2 Certificates and the LDAP Directory Section B 5 3 Key Management Section B 5 4 Revoking Certificates B 5 1 Issuing Certificates The process for issuing a certificate depends on the CA that issues it and the purpose for which it will be used Issuing nondigital forms of identification varies in similar ...

Страница 526: ...ups Issuing certificates and other certificate management tasks can be an integral part of user and group management High performance directory services are an essential ingredient of any certificate management strategy For the Certificate System to function there must be a Red Hat Directory Server installed to support the LDAP directory services B 5 3 Key Management Before a certificate can be is...

Страница 527: ... or moves to a new job in a different unit within the company Certificate revocation can be handled in several different ways Servers can be configured so that the authentication process checks the directory for the presence of the certificate being presented When an administrator revokes a certificate the certificate can be automatically removed from the directory and subsequent authentication at...

Страница 528: ...506 ...

Страница 529: ...uter s hostname and dnsname must be configured Please see Cisco Router Configuration to describe how to accomplish all this C 2 Configuration The router s hostname is scep Log into the router s console you ll see the following prompt scep Now run the following commands in sequence Enable Privileged Commands scep enable Enter Configuration Mode scep conf t Set up a CA identity scep config crypto ca...

Страница 530: ...subject name in the certificate will be scep dsdev sjc redhat com Include the router serial number in the subject name yes no yes The serial number in the certificate will be 57DE391C Include an IP address in the subject name yes no yes Interface Ethernet0 0 Request certificate from CA yes no yes Certificate request sent to Certificate Authority The certificate request fingerprint will be displaye...

Страница 531: ...to ca identity CA Removing an identity will destroy all certificates received from the related Certificate Authority Are you sure you want to do this yes no yes Be sure to ask the CA administrator to revoke your certificates No enrollment sessions are currently active C 2 1 Working with chained subordinate CAs Before running the crypto ca authenticate command above you must import all certificates...

Страница 532: ...RL requirement scep ca root crl optional Set up a CA identity scep config crypto ca identity CA scep ca identity enrollment url http paw sfbay redhat com 12888 ee scep pkiclient cgi scep ca identity crl optional scep ca identity exit Submit enrollment request to subordinate CA in this example scep config crypto ca authenticate CA scep config crypto ca enroll CA C 2 2 DEBUGGING The router will prov...

Страница 533: ...ent An enrollment that requires an agent to approve the request before the certificate is issued agent services 1 Services that can be administered by a Certificate System agent through HTML pages served by the Certificate System subsystem for which the agent has been assigned the necessary privileges 2 The HTML pages for administering such services attribute value assertion AVA An assertion of th...

Страница 534: ...dentifies a certificate authority See also certificate authority CA subordinate CA root CA CA hierarchy A hierarchy of CAs in which a root CA delegates the authority to issue certificates to subordinate CAs Subordinate CAs can also expand the hierarchy by delegating issuing status to other CAs See also certificate authority CA subordinate CA root CA CA server key The SSL server key of the server p...

Страница 535: ...ertificate changes even by a single character the same function produces a different number Certificate fingerprints can therefore be used to verify that certificates have not been tampered with Certificate Management Messages over Cryptographic Message Syntax CMC Message format used to convey a request for a certificate to a Certificate Manager A proposed standard from the Internet Engineering Ta...

Страница 536: ... Layer SSL CMC See Certificate Management Messages over Cryptographic Message Syntax CMC CMC Enrollment Features that allow either signed enrollment or signed revocation requests to be sent to a Certificate Manager using an agent s signing certificate These requests are then automatically processed by the Certificate Manager CMMF See Certificate Management Message Formats CMMF Certificate System S...

Страница 537: ...ger before issuing new certificates The Data Recovery Manager is useful only if end entities are encrypting data such as sensitive email that the organization may need to recover someday It can be used only with end entities that support dual key pairs two separate key pairs one for encryption and one for digital signatures Data Recovery Manager agent A user who belongs to a group authorized to ma...

Страница 538: ...er See also nonrepudiation encryption distribution points Used for CRLs to define a set of certificates Each distribution point is defined by a set of certificates that are issued A CRL can be created for a particular distribution point distinguished name DN A series of AVAs that identify the subject of a certificate See attribute value assertion AVA dual key pair Two public private key pairs four...

Страница 539: ...set which then dynamically creates the enrollment form from all inputs configured for this enrollment intermediate CA A CA whose certificate is located between the root CA and the issued certificate in a certificate chain IP spoofing The forgery of client IP addresses J JAR file A digital envelope for a compressed collection of files organized according to the Java archive JAR format Java archive ...

Страница 540: ...500 directories LDAP is under IETF change control and has evolved to meet Internet requirements linked CA An internally deployed certificate authority CA whose certificate is signed by a public third party CA The internal CA acts as the root CA for certificates it issues and the third party CA acts as the root CA for certificates issued by other CAs that are linked to the same third party root CA ...

Страница 541: ...ciated private key is used to sign objects using the technology known as object signing OCSP Online Certificate Status Protocol one way hash 1 A number of fixed length generated from data of arbitrary length with the aid of a hashing algorithm The number also called a message digest is unique to the hashed data Any change in the data even deleting or altering a single character results in a differ...

Страница 542: ... name of the Data Recovery Manager subject name of the corresponding certificate and date of archival The signed proof of archival data are the response returned by the Data Recovery Manager to the Certificate Manager after a successful key archival operation See also Data Recovery Manager transport certificate public key One of a pair of keys used in public key cryptography The public key is dist...

Страница 543: ...ts a Certificate System instance both when the instance starts up and on demand server authentication The process of identifying a server to a client See also client authentication server SSL certificate A certificate used to identify a server to a client using the Secure Sockets Layer SSL protocol servlet Java code that handles a particular kind of interaction with end entities on behalf of a Cer...

Страница 544: ...d performs cryptographic operations Smart cards implement some or all of the PKCS 11 interface spoofing Pretending to be someone else For example a person can pretend to have the email address jdoe example com or a computer can identify itself as a site called www redhat com when it is not Spoofing is one form of impersonation See also misrepresentation SSL See Secure Sockets Layer SSL subject The...

Страница 545: ...rity CA that issued the certificate If a CA is trusted then valid certificates issued by that CA can be trusted V virtual private network VPN A way of connecting geographically distant divisions of an enterprise The VPN allows the divisions to communicate over an encrypted channel allowing authenticated confidential transactions that would normally be restricted to a private network ...

Страница 546: ...524 ...

Страница 547: ...h the Console 379 382 384 password based 491 491 See also client authentication 491 See also server authentication 491 authentication modules agent initiated user enrollment 322 386 deleting 389 registering new ones 389 authorityKeyIdentifier 123 464 474 B backing up the Certificate System 107 backups 107 base 64 encoded file viewing content 359 basicConstraints 122 465 buffered logging 81 C CA ce...

Страница 548: ...onfiguring authentication 379 382 384 Certificate System data where it is stored 103 certificate based authentication defined 491 certificate based enrollment 386 forms for 387 what you need 387 when to use 387 certificateIssuer 480 certificatePolicies 465 certificates and LDAP Directory 504 authentication using 491 CA certificate 494 chains 500 contents of 495 extensions for 123 459 how to revoke...

Страница 549: ...pairs and certificates list of 173 storage key pair 174 transport certificate 174 setting up key archival 178 key recovery 179 deleting authentication modules 389 log modules 87 mapper modules 363 privileged users 400 publisher modules 363 deltaCRLIndicator 475 deployment planning CA decisions CA reissuance 120 distinguished name 112 root versus subordinate 25 114 signing certificate 113 signing k...

Страница 550: ...over architecture 451 file based publisher 364 FIPS PUBS 140 1 22 flush interval for logs 81 G groups changing members 399 H hardware accelerators 269 hardware tokens See external tokens 265 265 high availability 451 holdInstructionCode 480 host name for mail server used for notifications 67 how to revoke certificates 324 how to search for keys 175 I installation 23 installing certificates 254 ins...

Страница 551: ...76 Audit 76 Error 78 M mail server used for notifications 67 managing certificate database 254 mapper modules deleting 363 registering new ones 363 mappers created during installation 346 367 369 mappers that use CA certificate 367 DN components 370 master CA 14 modifying privileged user s group membership 399 N Name extension modules Issuer Alternative Name 300 nameConstraints 469 naming conventi...

Страница 552: ...lic key cryptography 485 defined 487 infrastructure 503 management 504 publisher modules deleting 363 registering new ones 363 publishers created during installation 345 365 365 366 publishers that can publish to CA s entry in the directory 365 365 366 files 364 OCSP responder 366 users entries in the directory 365 publishing of certificates to files 338 of CRLs 323 to files 338 to LDAP directory ...

Страница 553: ... starting subsystem instance 66 Status tab 62 stopping subsystem instance 66 storage key pair 174 storing user s certificates 252 subjectAltName 471 subjectDirectoryAttributes 471 subjectKeyIdentifier subjectKeyIdentifier 471 subordinate CA 7 T TCP IP defined 485 templates for notifications 436 timing log rotation 81 Token Key Service 15 217 administrators creating 220 394 agents creating 220 394 ...

Страница 554: ...Index 532 users creating 124 161 181 220 394 storing certificates 252 W why to revoke certificates 324 wTLS CA signing certificate 112 nickname 112 X X 509 certificates 22 ...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды