Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Скачать руководство пользователя страница 175

Страница: 175 / 564

Configuring Symmetric Key Changeover

153

NOTE

If this is being generated on an HSM or other external token, then use the

-h

option

with the command to give the token name.

Generating a new master key on the TKS is described in more detail in

Section 5.6.1, “Generating

Master Keys”

4. Open the TKS's configuration file.

vi /etc/pki-tks/CS.cfg

5. Map the new master key's identifier,

, to its PKCS #11 object nickname in the TKS's

CS.cfg

file by adding the

tks.mk_mappings.#02#01

and

tks.defKeySet.mk_mappings.#02#01

parameters.

tks.mk_mappings.#02#01=

token_name:nickname

tks.defKeySet.mk_mappings.#02#01=

token_name:nickname

Mapping master keys in the TKS configuration is described in more detail in

Section 5.6.4,

“Updating Master Key Versions and Associating the Master Key with Its Version”

6. Start the TKS instance.

service pki-tks start

7. Stop the TPS instance to edit its configuration.

service pki-tps stop

8. Edit the TPS's configuration file.

vi /etc/pki-tps/CS.cfg

9. Change the

symmetricKeys.enable

and

requiredVersion

parameters to use the newly-

generated master keys on the TKS. For example:

op.

operation_type

.update.

symmetricKeys.enable=true

op.

operation_type

profile_name

.update.symmetricKeys.

requiredVersion=2

• For the enroll operation, the lines begin with

op.enroll

. For example, for the

userKey

profile:

op.enroll.userKey.update.symmetricKeys.enable=true
op.enroll.userKey.update.symmetricKeys.requiredVersion=2

• For the format operation, the lines begin with

op.format

. For example, for the

userKey

profile:

op.format.tokenKey.update.symmetricKeys.enable=true

Содержание CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Страница 1: ...Red Hat Certificate System 8 0 Admin Guide Publication date July 22 2009 updated on March 25 2010 ...

Страница 2: ...rmitted by applicable law Red Hat Red Hat Enterprise Linux the Shadowman logo JBoss MetaMatrix Fedora the Infinity Logo and RHCE are trademarks of Red Hat Inc registered in the United States and other countries Linux is the registered trademark of Linus Torvalds in the United States and other countries All other trademarks are the property of their respective owners 1801 Varsity Drive Raleigh NC 2...

Страница 3: ...anager 7 1 2 5 Token Processing System 7 1 2 6 Token Key Service 8 1 2 7 Enterprise Security Client 8 1 3 A Look at Managing Certificates 8 1 4 A Look at the Token Management System 11 1 5 Red Hat Certificate System Services 13 1 5 1 Interfaces for Administrators 13 1 5 2 Agent Interfaces 16 1 5 3 End User Pages 17 1 5 4 Enterprise Security Client 18 I Setting up Certificate Services 21 2 Making R...

Страница 4: ...Key Recovery Schemes 72 3 4 Testing the Key Archival and Recovery Setup 73 4 Requesting Enrolling and Managing Certificates 75 4 1 About Enrolling and Renewing Certificates 75 4 2 Configuring Internet Explorer to Enroll Certificates 75 4 3 Requesting and Receiving Certificates 77 4 3 1 Requesting and Receiving a User or Agent Certificate through the End Entities Page 77 4 3 2 Requesting Certificat...

Страница 5: ... 5 7 Configuring the TPS 154 5 7 1 Enabling SSL for TPS Enterprise Security Client Connections 154 5 7 2 Configuring the Channels between the TPS and Tokens 156 5 7 3 Configuring or Disabling LDAP Authentication 157 5 7 4 Configuring the Token Database 159 5 7 5 Configuring Server Side Key Generation and Archival of Encryption Keys 160 5 7 6 Configuring IPv6 Support 163 5 8 Scaling the TPS and Its...

Страница 6: ...ishers 204 8 1 2 Mappers 205 8 1 3 Rules 205 8 1 4 Publishing to Files 205 8 1 5 OCSP Publishing 205 8 1 6 LDAP Publishing 206 8 2 Setting up Publishing 206 8 2 1 Configuring Publishing to a File 207 8 2 2 Configuring Publishing to an OCSP 210 8 2 3 Configuring Publishing to an LDAP Directory 211 8 2 4 Creating Rules 217 8 2 5 Enabling Publishing 221 8 3 Publishing CRLs over HTTP 222 8 3 1 Configu...

Страница 7: ...omated Jobs 259 11 2 Setting up the Job Scheduler 260 11 3 Setting up Specific Jobs 261 11 3 1 Configuring Specific Jobs Using the Certificate Manager Console 261 11 3 2 Configuring Jobs by Editing the Configuration File 264 11 3 3 Configuration Parameters of certRenewalNotifier 265 11 3 4 Configuration Parameters of requestInQueueNotifier 265 11 3 5 Configuration Parameters of publishCerts 266 11...

Страница 8: ... Number 307 13 4 2 Using a Single SSL Port 308 13 4 3 Updating Existing CAs to Use End Entity Client Authentication Ports Avoiding TLS Related Man in the Middle Attacks 309 13 5 Configuring the LDAP Database 312 13 5 1 Changing the Internal Database Configuration 313 13 5 2 Enabling SSL Client Authentication with the Internal Database 314 13 5 3 Restricting Access to the Internal Database 317 13 6...

Страница 9: ...Tests Log 367 15 3 Configuring Logs Using the UI 367 15 3 1 Configuring Logs in the Console for the CA OCSP DRM and TKS 367 15 3 2 Configuring TPS Audit Logs in the Admin Services Page 368 15 4 Configuring Logs in the CS cfg File 370 15 4 1 Configuring Logs in the CS cfg File for the CA OCSP DRM and TKS 370 15 4 2 Configuring RA Logging 371 15 4 3 Configuring TPS Logging 373 15 5 Managing Signed A...

Страница 10: ...ertificate Request Input 419 A 1 2 CMC Certificate Request Input 419 A 1 3 Dual Key Generation Input 419 A 1 4 File Signing Input 420 A 1 5 Image Input 420 A 1 6 Key Generation Input 420 A 1 7 nsHKeyCertRequest Token Key Input 420 A 1 8 nsNKeyCertRequest Token User Key Input 420 A 1 9 Serial Number Renewal Input 421 A 1 10 Subject DN Input 421 A 1 11 Subject Name Input 421 A 1 12 Submitter Informa...

Страница 11: ...int 453 B 2 5 Key Usage Extension Constraint 453 B 2 6 No Constraint 455 B 2 7 Netscape Certificate Type Extension Constraint 455 B 2 8 Renewal Grace Period Constraint 455 B 2 9 Signing Algorithm Constraint 456 B 2 10 Subject Name Constraint 456 B 2 11 Unique Subject Name Constraint 457 B 2 12 Validity Constraint 457 B 3 Standard X 509 v3 Certificate Extension Reference 457 B 3 1 authorityInfoAcce...

Страница 12: ...ation 496 D 2 5 certServer clone configuration 496 D 2 6 certServer general configuration 496 D 2 7 certServer log configuration 497 D 2 8 certServer log configuration fileName 497 D 2 9 certServer log configuration signedAudit expirationTime 497 D 2 10 certServer log content 498 D 2 11 certServer log content signedAudit 498 D 2 12 certServer registry configuration 499 D 2 13 certServer usrgrp adm...

Страница 13: ...s 511 D 4 1 certServer job configuration 511 D 4 2 certServer kra certificate transport 511 D 4 3 certServer kra configuration 511 D 4 4 certServer kra connector 512 D 4 5 certServer kra GenerateKeyPair 512 D 4 6 certServer kra getTransportCert 512 D 4 7 certServer kra group 513 D 4 8 certServer kra key 513 D 4 9 certServer kra keys 513 D 4 10 certServer kra registerUser 513 D 4 11 certServer kra ...

Страница 14: ...er tks group 519 D 6 3 certServer tks importTransportCert 519 D 6 4 certServer tks keysetdata 519 D 6 5 certServer tks registerUser 520 D 6 6 certServer tks sessionkey 520 D 6 7 certServer tks systemstatus 520 Glossary 521 Index 535 ...

Страница 15: ...e including the following topics Encryption and decryption Public keys private keys and symmetric keys Significance of key lengths Digital signatures Digital certificates including different types of digital certificates The role of digital certificates in a public key infrastructure PKI Certificate hierarchies LDAP and Red Hat Directory Server Public key cryptography and the Secure Sockets Layer ...

Страница 16: ...d Hat Enterprise Linux 5 3 x86_64 64 bit The Enterprise Security Client which manages smart cards for end users is supported on the following platforms Red Hat Enterprise Linux 5 3 x86 32 bit Red Hat Enterprise Linux 5 3 x86_64 64 bit Microsoft Windows Vista 32 bit Microsoft Windows Vista 64 bit Microsoft Windows XP 32 bit Microsoft Windows XP 64 bit 3 2 Supported Web Browsers The services pages f...

Страница 17: ...ard and GemPCKey USB form factor key Gemalto Cyberflex e gate 32K token Safenet 330J Java smart card Smart card testing was conducted using the SCM SCR331 CCID reader The only card manager applet supported with Certificate System is the CoolKey applet which ships with Red Hat Enterprise Linux 5 3 3 4 Supported HSM Red Hat Certificate System supports two hardware security modules HSM Safenet Chrysa...

Страница 18: ... the examples for Red Hat Certificate System commands file locations and other usage are given for Red Hat Enterprise Linux 5 32 bit systems Be certain to use the appropriate commands and files for your platform To start the Red Hat Certificate System service pki ca start Example 1 Example Command 4 2 Tool Locations All of the tools for Red Hat Certificate System are located in the usr bin directo...

Страница 19: ...administrators Certificate System Installation Guide 2 covers the installation process for all Certificate System subsystems This manual is intended for Certificate System administrators Certificate System Administrator s Guide 3 explains all administrative functions for the Certificate System Administrators maintain the subsystems themselves so this manual details backend configuration for certif...

Страница 20: ...portant deployment information for Red Hat Certificate System 8 0 All of the latest information about Red Hat Certificate System and both current and archived documentation is available at http www redhat com docs manuals cert system 6 Giving Feedback If there is any error in this Administrator s Guide or there is any way to improve the documentation please let us know Bugs can be filed against th...

Страница 21: ...ckey Tech edits to the TPS configuration chapter from Jack Magne per Bugzilla 510610 Revision 8 0 10 September 30 2009 Ella Deon Lackey Tech edits to the TPS configuration chapter per Bugzilla 510610 Revision 8 0 9 September 9 2009 Ella Deon Lackey Updating chapter 4 on managing certificates for the tech review per Bugzilla 510988 Tech edits to the ACL reference per Bugzilla 510613 Revision 8 0 8 ...

Страница 22: ... Deon Lackey Beginning tech edits covering chapters 1 2 3 7 10 and 11 and appendices A and B according to Bugzilla 510614 510615 510625 510602 510604 510616 510623 and 510621 Some edits to the subsystems overview chapter based on tech edits for the deployment guide such as Bugzilla 510597 Revision 8 0 1 August 4 2009 Ella Deon Lackey Adding note to the TPS users section about setting all profiles ...

Страница 23: ...col governs server authentication client authentication and encrypted communication between servers and clients SSL is widely used on the Internet especially for interactions that involve exchanging confidential information such as credit card numbers SSL requires an SSL server certificate As part of the initial SSL handshake the server presents its certificate to the client to authenticate the se...

Страница 24: ...l with potential security problems related to the fact that passwords are sent over the network routinely and frequently Solving this problem requires some way for a user to log in once using a single password and get authenticated access to all network resources that user is authorized to use without sending any passwords over the network This capability is known as single sign on Both client SSL...

Страница 25: ...tem instances This list is not exhaustive there are certificate enrollment forms for dual use certificates for LDAP directories file signing certificates and other subsystem certificates These forms are available through the Certificate Manager s end entities page at https server example com 9444 ca ee ca For more detailed information about the different certificates that can be created see the Ce...

Страница 26: ...nate CA is determined by whether its CA signing certificate is self signed or is signed by another CA Self signed root CAs set the policies they use to issue certificates such as the subject names types of certificates that can be issued and to whom certificates can be issued A subordinate CA has a CA signing certificate signed by another CA usually the one that is a level above in the CA hierarch...

Страница 27: ...Certificate System agents can be given client certificates to access special services 1 1 2 5 Dual Key Pairs Dual key pairs are a set of two private and public keys where one set is used for signing and one for encryption These dual keys are used to create dual certificates The dual certificate enrollment form is one of the standard forms listed in the end entities page of the Certificate Manager ...

Страница 28: ...nal tokens like smart cards and manages the keys and certificates on those tokens through a local client the Enterprise Security Client The Enterprise Security Client contacts the TPS when there is a token operation and the TPS interacts with the CA DRM or TKS as required then send the information back to the token by way of the Enterprise Security Client 1 2 1 Certificate Manager The Certificate ...

Страница 29: ...because that compromises the non repudiation properties of signing keys Non repudiation means that a user cannot deny having performed some action such as sending signed email because they are the only possessor of that signing key 1 2 4 Online Certificate Status Manager The Online Certificate Status Manager is an OCSP service external to the Certificate Manager Although the Certificate Manager is...

Страница 30: ...en it is issued issuance and enrollment and the period when the certificates are no longer valid renewal or revocation There are also ways to manage the certificate during its cycle Making information about the certificate available to other applications is publishing the certificate and then backing up the key pairs so that the certificate can be recovered if it is lost The core of the Certificat...

Страница 31: ... has to be verified in person by an agent with supporting documentation This creates a bottleneck for the CA agents to approve requests A registration authority RA is installed at each local office the requests are processed and approved locally and then a central CA issues all of the certificates Figure 1 3 CA and RA Alternatively a site may have a significant number of client requests to verify ...

Страница 32: ... 10 Figure 1 4 CA and OCSP Even with all possible subsystems installed the core of the Certificate System is still the CA or CAs since they ultimately process all certificate related requests The other subsystems connect to the CA or CAs likes spokes in a wheel ...

Страница 33: ... 5 How Certificate System Manages Smart Cards Four Certificate System subsystems are involved with managing tokens The Token Processing System TPS interacts with smart cards to help them generate and store keys and certificates for a specific entity such as a user or device Smart card operations go through the TPS and are forwarded to the appropriate subsystem for action such as the Certificate Au...

Страница 34: ...Certificate System Manages Smart Cards To use the tokens the Token Processing System must be able to recognize and communicate with them The tokens must first be enrolled to format the tokens with required keys and certificates and add the tokens to the Certificate System The Enterprise Security Client provides the user interface for end entities to enroll tokens The token management system is ver...

Страница 35: ...guring logs managing profiles and plug ins and the internal database among many other functions This interface is also the only interface that does not directly deal with certificates tokens or keys meaning it is not used for managing the PKI only the servers There are two types of administrative consoles Java based and HTML based Although the interface is different both are accessed using a serve...

Страница 36: ...m Logs for more information 1 5 1 2 The Administrative Interface for the RA and TPS The RA and TPS subsystems use HTML based administrative interfaces These are accessed by entering the hostname and secure port as the URL authenticating with the administrator s certificate and clicking the appropriate Administrators link NOTE There is a single SSL port for RA and TPS subsystems which is used for b...

Страница 37: ...gure 1 7 RA Admin Page The TPS only allows operations to manage users for the TPS subsystem However the TPS admin page can also list tokens and display all activities including normally hidden administrative actions performed on the TPS ...

Страница 38: ...s 16 Figure 1 8 TPS Admin Page 1 5 2 Agent Interfaces The agent services pages are where almost all of the certificate and token management tasks are performed These services are HTML based and agents authenticate to the site using a special agent certificate ...

Страница 39: ...n the tokens DRM agent services pages process key recovery requests which set whether to allow a certificate to be issued reusing an existing key pair if the certificate is lost The OCSP agent services page allows agents to configure CAs which publish CRLs to the OCSP to load CRLs to the OCSP manually and to view the state of client OCSP requests The RA agent services allows agents to list and app...

Страница 40: ...s Like the CA the enrollment forms are accessed through the End Entities URL Users can submit certificate requests and retrieve their certificates through the RA 1 5 4 Enterprise Security Client The Enterprise Security Client is a tool for Red Hat Certificate System which simplifies managing smart cards End users can use security tokens smart cards to store user certificates used for applications ...

Страница 41: ...curity Client provides the user interface of the token management system The end user can be issued security tokens containing certificates and keys required for signing encryption and other cryptographic functions To use the tokens the TPS must be able to recognize and communicate with them Enterprise Security Client is the method for the tokens to be enrolled Enterprise Security Client communica...

Страница 42: ...20 ...

Страница 43: ...Part I Setting up Certificate Services ...

Страница 44: ......

Страница 45: ...ts include public keys for the certificate request and the certificate subject name requested by the end entity for the certificate Certificate extensions Each issued certificate defines certain information like the name of the entity to which it is assigned the subject name its key fingerprint and its validity period What is included in a certificate is defined in the X 509 standard A certificate...

Страница 46: ...ollment Next the profile lists all of the required inputs for the profile input list i1 i2 i3 input i1 class_id keyGenInputImpl input i2 class_id subjectNameInputImpl input i3 class_id submitterInfoInputImpl For the caUserCert profile this defines the keys to generate the fields to use in the subject name and the fields to use for the person submitting the certificate Key generation specifies that...

Страница 47: ...e policyset userCertSet 6 constraint params keyUsageDataEncipherment false policyset userCertSet 6 constraint params keyUsageKeyEncipherment true policyset userCertSet 6 constraint params keyUsageKeyAgreement false policyset userCertSet 6 constraint params keyUsageKeyCertSign false policyset userCertSet 6 constraint params keyUsageCrlSign false policyset userCertSet 6 constraint params keyUsageEnc...

Страница 48: ...raintsMinPathLen 1 policyset caCertSet 5 constraint params basicConstraintsMaxPathLen 1 NOTE To allow user supplied extensions to be embedded in the certificate requests and ignore the system defined default in the profile the profile needs to contain the User Supplied Extension Default which is described in Section B 1 22 User Supplied Extension Default 2 1 3 Inputs and Outputs Inputs set informa...

Страница 49: ... must disapprove or disable the certificate profile before the administrator can edit that certificate profile Add a certificate profile and modify an existing certificate profile by doing the following 1 Log in to the Certificate System CA subsystem console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Certificate Manager and then select Certificate Profiles The Ce...

Страница 50: ...ance ID This is the ID used by the system to identify the profile Certificate Profile Name This is the user friendly name for the profile Certificate Profile Description End User Certificate Profile This sets whether the request must be made through the input form for the profile This is usually set to true Setting this to false allows a signed request ...

Страница 51: ...ved enrollment the request is submitted to the request queue of the agent services interface 5 Click OK The plug in editor closes and the new profile is listed in the profiles tab 6 Configure the policies inputs and outputs for the new profile Select the new profile from the list and click Edit View 7 Set up policies in the Policies tab of the Certificate Profile Rule Editor window The Policies ta...

Страница 52: ...et ID When issuing dual key pairs separate policy sets define the policies associated with each certificate Then fill in the certificate profile policy ID a name or identifier for the certificate profile policy d Configure any parameters in the Defaults and Constraints tabs ...

Страница 53: ...nes valid values for the defaults See Section B 1 Defaults Reference and Section B 2 Constraints Reference for complete details for each default or constraint To modify an existing policy select a policy and click Edit Then edit the default and constraints for that policy To delete a policy select the policy and click Delete 8 Set inputs in the Inputs tab of the Certificate Profile Rule Editor win...

Страница 54: ...r Issuing Certificates 32 b Choose the input from the list and click OK See Section A 1 Input Reference for complete details of the default inputs c The New Certificate Profile Editor window opens Set the input ID and click OK ...

Страница 55: ...te an input select the input and click Delete 9 Set up outputs in the Outputs tab of the Certificate Profile Rule Editor window Outputs must be set for any certificate profile that uses an automated authentication method no output needs to be set for any certificate profile that uses agent approved authentication The Certificate Output type is set by default for all profiles and is added automatic...

Страница 56: ...and click OK c Give a name or identifier for the output and click OK This output will be listed in the output tab You can edit it to provide values to the parameters in this output To delete an output select the output from list and click Delete 10 Restart the CA to apply the new profile service pki ca start 11 After creating the profile as an administrator a CA agent has to approve the profile in...

Страница 57: ...n only be added to the profile using the command line as described in Section 2 2 3 Creating and Editing Certificate Profiles through the Command Line 2 2 2 Editing Certificate Profiles in the Console To modify an existing certificate profile select a certificate profile click Edit View The Certificate Profile Rule Editor window appears If necessary enlarge the window by pulling out one of the cor...

Страница 58: ...e conf directory with the name profile NOTE Restart the server after editing the profile configuration file for the changes to take effect Section 2 2 3 1 Profile Configuration Parameters Section 2 2 3 2 Modifying Certificate Extensions through the Command Line Section 2 2 3 3 Adding Inputs through the Command Line 2 2 3 1 Profile Configuration Parameters The configuration files are stored in the ...

Страница 59: ...s_id Gives the java class name for the input by input ID the name of the input listed in input l input i1 class_id certReqInputImpl output list Lists the possible output formats for the profile by name For example output list o1 output output_id class_id Gives the java class name for the output format named in output list For example outpu policyset list Lists the configured profile rules For dual...

Страница 60: ...rams keyUsageCrlSign false policyset cmcUserCertSet 6 default params keyUsageDataEncipherment false policyset cmcUserCertSet 6 default params keyUsageDecipherOnly false policyset cmcUserCertSet 6 default params keyUsageDigitalSignature true policyset cmcUserCertSet 6 default params keyUsageEncipherOnly false policyset cmcUserCertSet 6 default params keyUsageKeyAgreement false policyset cmcUserCert...

Страница 61: ...s one important thing to do when creating profiles the Key Default must be added before the Subject Key Identifier Default Certificate System processes the key constraints in the Key Default before creating or applying the Subject Key Identifier Default so if the key has not been processed yet setting the key in the subject name fails For example an object signing profile may define both defaults ...

Страница 62: ...atePoliciesExt enable false ca Policy rule CertificatePoliciesExt implName CertificatePoliciesExt ca Policy rule CertificatePoliciesExt numCertPolicies 1 ca Policy rule CertificatePoliciesExt predicate HTTP_PARAMS certType fbca ca Policy rule CertificatePoliciesExt certPolicy0 cpsURI ca Policy rule CertificatePoliciesExt certPolicy0 noticeRefNumbers ca Policy rule CertificatePoliciesExt certPolicy...

Страница 63: ...s and inputs and outputs By default the profile configuration files are in the var lib subsystem_name profiles ca directory Profile ID Profile Name Description caAdminCert Security Domain Administrator Certificate Enrollment Enrolls Security Domain Administrator s certificates with LDAP authentication against the internal LDAP database caAgentFileSigning Agent Authenticated File Signing This certi...

Страница 64: ...caDirUserRenewal Directory Authenticated User Certificate Self Renew profile Renews user certificates through directory based authentication The user certificate is issued as soon as the requester successfully authenticates to the LDAP directory NOTE Renewal profiles can only be used in conjunction with the profile that issued the original certificate There are two settings that are beneficial It ...

Страница 65: ...t Enrolls a signing certificate to use for signing audit logs used automatically during any subsystem configuration with the exception of the RA caInternalAuthDRMstorageCert Security Domain DRM Storage Certificate Enrollment Enrolls DRM storage certificates for DRMs within a security domain used automatically during a DRM configuration caInternalAuthOCSPCert Security Domain OCSP Manager Signing Ce...

Страница 66: ... time before and after the certificate s expiration date when the user is allowed to renew the certificate There are only a few examples of these in the default profiles and they are mostly not enabled by default caOCSPCert Manual OCSP Manager Signing Certificate Enrollment Enrolls OCSP Manager certificates caOtherCert Other Certificate Enrollment Enrolls other certificates caRAagentCert RA Agent ...

Страница 67: ...r certificates caSignedLogCert Manual Log Signing Certificate Enrollment Enrolls audit log signing certificates caSimpleCMCUserCert Simple CMC Enrollment Enrolls user certificates by using the CMC certificate request with CMC Signature authentication caSSLClientSelfRenewal Self renew user SSL client certificates Renews SSL client certificates using certificate based authentication The certificate ...

Страница 68: ...ry keys valid for about a week and intended to replace a temporarily lost token caTempTokenUserEncryptionKeyEnrollment Temporary Token User Encryption Certificate Enrollment Enrolls an encryption key on a token used by the TPS for smart card enrollment operations These are temporary keys valid for about a week and intended to replace a temporarily lost token caTempTokenUserSigningKeyEnrollment Tem...

Страница 69: ...Enrollment Enrolls a signing key on a token used by the TPS for smart card enrollment operations caTokenUserSigningKeyRenewal smart card token signing cert renewal profile Renews a signing that was enrolled on a token using the caTokenUserSigningKeyEnrollment profile used by a TPS subsystem caTPSCert Manual TPS Server Certificate Enrollment Enrolls TPS server certificates caTransportCert Manual Da...

Страница 70: ...anager Signing Certificate Enrollment Enrolls Registration Manager certificates caRARouterCert RA Agent Authenticated Router Certificate Enrollment Enrolls router certificates after agent approval as opposed to automatic enrollment caRAserverCert RA Agent Authenticated Server Certificate Enrollment Enrolls server certificates with RA agent authentication caRouterCert One Time Pin Router Certificat...

Страница 71: ...Enrollment a li font td tr snip 4 Open the new profile directory cd example 5 The user profile directory has three main sets of files index cgi and index vm are all used to generate the index page renew cgi renew vm renewal cgi and renewal vm are all used to process renewal requests user cgi user vm submit cgi and submit vm are all used to create and submit new certificate requests The index cgi f...

Страница 72: ...f li a href example cgi New Example Cert a li font td tr tr valign TOP td font size 4 face PrimaSans BT Verdana sans serif li a href example renew cgi Renewing an Example Cert a li font td tr table center 8 Edit every cgi and vm so that the specified directories all point to the new example directory For example vim example cgi my result parser execute_file_with_context ee example example vm vim e...

Страница 73: ... var lib pki ra conf CS cfg file There are three ways that a request can be handled created approved and rejected so each profile entry has to define the behaviors of the RA for those three scenarios Much like a profile policy set each operation is defined with a different group of parameters request profile_name approve_request which specifies the plug in to call when a request is approved reques...

Страница 74: ...mple approve_request 1 plugin PKI Request Plugin EmailNotification request example approve_request 1 templateDir usr share pki ra conf request example approve_request 1 templateFile mail_approve_request vm request example approve_request num_plugins 2 request example create_request 0 assignTo agents request example create_request 0 plugin PKI Request Plugin AutoAssign request example create_reques...

Страница 75: ... Certificate Enrollment Token User Signing Certificate Enrollment Token User MS Login Certificate Enrollment Temporary Token Profiles Temporary Device Certificate Enrollment Temporary Token User Encryption Certificate Enrollment Temporary Token User Signing Certificate Enrollment Renewal Profiles 1 Token User Encryption Certificate Enrollment Renewal Token User Signing Certificate Enrollment Renew...

Страница 76: ...l be used in the subject name of the certificate then uid must be listed in the ldapStringAttributes parameter and request uid listed as one of the components in the dnpattern Editing certificate profiles is covered in Section 2 2 Setting up Certificate Profiles 2 4 2 Creating Custom TPS Profiles Certificate profiles are created as normal in the CA but they also have to be configured in the TPS fo...

Страница 77: ...le an ECC signing certificate can sign both ECC and RSA certificate requests as long as both ECC and RSA algorithms are supported by the CA An RSA signing certificate can can sign a PKCS 10 request with EC keys but may not be able to sign CRMF certificate requests with EC keys if the ECC module is not available for the CA to verify the CRMF proof of possession POP NOTE Although Certificate System ...

Страница 78: ...a list of allowed algorithms if the certificate request specifies a different algorithm If no signing algorithms are specified then the profile uses whatever is set as the default for the CA In the profile s cfg file the algorithm is set with two parameters policyset serverCertSet 8 default class_id signingAlgDefaultImpl policyset serverCertSet 8 default name Signing Alg policyset serverCertSet 8 ...

Страница 79: ...ger tree 3 Click the Certificate Profiles item 4 Click the Policies tab 5 Select the Signing Alg policy and click the Edit button 6 To set the default signing algorithm set the value in the Defaults tab If this is set to then the profile uses the CA s default 7 To set a list of allowed signing algorithms which can be accepted in a certificate request open the Constraints tab and set the list of al...

Страница 80: ...sending a signed object As part of the handshake the sender is expected to send the subject certificate and any intermediate CA certificates needed to link the subject certificate to the trusted root For certificate chaining to work properly the certificates should have the following properties CA certificates must have the Basic Constraints extension CA certificates must have the keyCertSign bit ...

Страница 81: ...ation see Section B 1 8 Key Usage Extension Default and Section B 1 5 Extended Key Usage Extension Default 8 Set the constraint values for the CA certificates There are no constraints to be set for a Key Usage extension for an Extended Key Usage extension set the appropriate OID constraints for the CA For more information see Section B 1 5 Extended Key Usage Extension Default 9 When the changes ha...

Страница 82: ...y period longer than the CA signing certificate s validity period it automatically truncates the validity period to end on the day the CA signing certificate expires Certificate Serial Number These fields display the serial number range for certificates issued by the Certificate Manager The server assigns the serial number in the Next serial number field to the next certificate it issues and the n...

Страница 83: ... Names and Subject Alternative Names The subject name of a certificate is a distinguished name DN that contains identifying information about the entity to which the certificate is issued This subject name is built from standard LDAP directory components such as email addresses common names and organizational units These components are defined in X 500 In addition to or even in place of the subjec...

Страница 84: ...f the UidPwdDirAuth authentication plug in d Set the information for the LDAP directory e Set the LDAP attributes to populate f Save the new plug in instance For information on configuring the LDAP authentication modules see Section 9 2 1 Setting up Directory Based Authentication 2 When the new authentication plug in is added the corresponding parameters are added to the CA s CS cfg file For examp...

Страница 85: ... auth_token cn The LDAP common name cn attribute of the user who requested the certificate request auth_token mail The value of the LDAP email mail attribute of the user who requested the certificate request auth_token tokenCertSubject The certificate subject name request auth_token uid The LDAP user ID uid attribute of the user who requested the certificate request auth_token user request auth_to...

Страница 86: ...tificates should match the format of the DNs in the directory It is not necessary that the names match exactly certificate mapping allows the subject DN in a certificate to be different from the one in the directory In the Certificate System the DN is based on the components or attributes defined in the X 509 standard Table 2 7 Allowed Characters for Value Types lists the attributes supported by d...

Страница 87: ...C 2253 netscape security x509 GenericValueConverter converts a string character by character in the following order from the smallest characterset to the largest Printable IA5String BMPString Universal String An attribute entry looks like the following X500Name MY_ATTR oid 1 2 3 4 5 6 X500Name MY_ATTR class netscape security x509 DirStrConverter 2 7 2 1 Adding New or Custom Attributes To add a new...

Страница 88: ...bject names For example enter the following values for the new attributes and look for them in the subject name MYATTR1 a_value MYATTR2 a Value MYATTR3 aValue cn John Doe o Example Corporation 9 Open the agent services page and approve the request 10 When the certificate is issued check the subject name The certificate should show the new attribute values in the subject name 2 7 2 2 Changing the D...

Страница 89: ...o verify that the encoding orders are in effect enroll for a certificate using the manual enrollment form Use John_Doe for the cn 8 Open the agent services page and approve the request 9 When the certificate is issued use the dumpasn1 tool to examine the encoding of the certificate The dumpasn1 tool can be downloaded at http fedoraproject org extras 4 i386 repodata repoview dumpasn1 0 20050404 1 f...

Страница 90: ...form is included at the end of the user vm file For example tr td District td td input type text name district value td tr After making the appropriate changes to the enrollment form edit the user vm file to customize the Subject DN to utilize the information collected from the user WARNING The Subject DN must match the pattern specified in the Subject Name Constraint definition of the enrollment ...

Страница 91: ... set up manually 3 1 About Key Archival and Recovery Key archival requires only two things a client meaning a browser which can generate dual keys and a certificate profile which is configured to support key archival NOTE For user dual key pairs only keys that are used exclusively for encrypting data should be archived signing keys should never be archived Having two copies of a signing key would ...

Страница 92: ...riate stages If the request fails to meet any of the profile constraints the subsystem rejects the request The DRM supports agent initiated key recovery when designated recovery agents use the key recovery form on the DRM agent services page to process and approve key recovery requests With the approval of a specified number of agents an organization can recover keys when the key s owner is unavai...

Страница 93: ...e certutil utility If the transport certificate is signed by a Certificate Manager then a copy of the certificate is available through the Certificate Manager end entities page in the Retrieval tab 3 Add the transport certificate to the CA s CS cfg file ca connector KRA enable true ca connector KRA host server example com ca connector KRA local false ca connector KRA nickName subsystemCert cert pk...

Страница 94: ...overy agents about an impending key recovery All recovery agents access the DRM key recovery page One of the agents initiates the key recovery process The DRM returns a notification to the agent includes a recovery authorization reference number identifying the particular key recovery request that the agent is required to authorize Each agent uses the reference number and authorizes key recovery s...

Страница 95: ...ey Archival and Recovery Setup To test whether a key can be successfully archived 1 Enroll for dual certificates using the CA s Manual User Signing Encryption Certificates Enrollment form 2 Submit the request Log in to the agent services page and approve the request 3 Log into the end entities page and check to see if the certificates have been issued In the list of certificates there should be tw...

Страница 96: ...a link to verify the status of this key recovery initiation request This page keeps refreshing until all agents have completed authorizing the recovery request It is important not to close this browser window Depending on the agent scheme a specified number of agents must authorize this key recovery Send this key recovery request authorization number to each of those agents Once the agents receive...

Страница 97: ...is best The certutil command can be used to generate a certificate request for any certificate type and then this request is submitted to the CA s end entities forms this is most appropriate for server or device certificates Some certificate profiles accept inputs that generate both the request and when approved the certificate this is the easiest method for user certificates Lastly the Java based...

Страница 98: ...e certificate store based on the type of certificate h Once the certificate chain is imported open the Trusted Root Certificate Authorities tab to verify that the certificate chain was successfully imported 3 After the certificate chain is imported Internet Explorer can access the secure end services pages Open the secure site https server example com 9443 ca ee ca 4 There is probably a security e...

Страница 99: ...e user certificates for email and SSL authentication Other enrollment forms are available for adding certificates to tokens and signing files For more information about the end entities enrollment forms see the Certificate System Agent s Guide The following profiles are used to create user certificates Manual User Dual Use Certificate Enrollment Manual User Signing and Encryption Certificates Enro...

Страница 100: ...uest forms support all UTF 8 characters for the common name organizational unit and requester name fields The common name and organization unit fields are included in the subject name of the certificate This support does not include supporting internationalized domain names 4 Click Submit ...

Страница 101: ... is approved and generated the CA sends a notification that you can retrieve the certificate a Open the Certificate Manager end entities page https server example com 9444 ca ee ca b Click the Retrieval tab c Fill in the request ID number that was created when the certificate request was submitted and click Submit d The next page shows the status of the certificate request If the status is complet...

Страница 102: ...ed certificate If this is a client certificate that will be installed directly in the web browser scroll down to the Importing This Certificate section and click the Import your certificate or Import S MIME certificate button f Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file Save the text file and use it to store a copy of the ce...

Страница 103: ...TE REQUEST MIICbTCCAVUCAQAwKDEQMA4GA1UEChMHRXhhbXBsZTEUMBIGA1UEAxMLZXhhbXBs ZSBuZXcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDcH3CcFbSWFYCV WrR1pJf8OaLLvTJB45A grnNqCAQHnsOKO7XLuO oLt r1oEtM7o5eXlwZT1BZT5 bodglwJgo GXxElqX49EnPdwyNLiK8bMKRkKnPiIi9jkaGbiTnQLrKMO8 sGKTB DGu1VIsj9a 4tt2Kt5wwhtEMIfeNZ4Alk9UCWpC8r 0I3eNzyyk4pJ9qWDzYEpV3 TVFco 1FWo yangv7ThSnOJprILIOpcir0vm5zPSlON6JHyJq9O94wSqnIYs xqC ...

Страница 104: ...icate enrollment form enter the required information The standard requirements are as follows Certificate Request Type This is either PKCS 10 or CRMF Certificate requests created through the subsystem administrative console are PKCS 10 those created through the certutil tool and other utilities are usually PKCS 10 Certificate Request Paste the base 64 encoded blob including the BEGIN NEW CERTIFICA...

Страница 105: ... the CA signs then and delivers back to the email address specified in the request If the requester has agent access the requester can log in as an agent and approve the request 5 Retrieve the certificate a Open the Certificate Manager end entities page https server example com 9444 ca ee ca b Click the Retrieval tab c Fill in the request ID number that was created when the certificate request was...

Страница 106: ...browser scroll down to the Importing This Certificate section and click the Import your certificate or Import S MIME certificate button f Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file Save the text file and use it to store a copy of the certificate in a subsystem s internal database See Section 14 3 2 1 Creating Users For infor...

Страница 107: ...Key Usage 6 Email Subject Alternative Name 7 DNS Subject Alternative Name 8 a Outputs the certificate request to an ASCII file instead of binary Table 4 1 Options for Requesting Certificates with certutil 4 4 Enrolling a Certificate on a Cisco Router Simple Certificate Enrollment Protocol SCEP designed by Cisco is a way for a router to communicate a certificate issuing authority like a CA or RA to...

Страница 108: ...EASE SOFTWARE fc1 Before enrolling SCEP certificates on the router make sure that the router is appropriately configured The router must be configured with an IP address DNS server and routing information The router s date time must be correct The router s hostname and dnsname must be configured See the router documentation for instructions on configuring the router hardware 4 4 2 Generating the S...

Страница 109: ...Section 9 2 4 Configuring Flat File Authentication 7 Log into the router s console For this example the router s name is scep scep 8 Enable privileged commands scep enable 9 Enter configuration mode scep conf t 10 Import the CA certificate for every CA in the certificate chain starting with the root For example this imports two CA certificates in the chain into the router scep config crypto ca tru...

Страница 110: ...e enrollment Create a challenge password You will need to verbally provide this password to the CA Administrator in order to revoke your certificate For security reasons your password will not be saved in the configuration Please make a note of it Password secret Re enter password secret The subject name in the certificate will be scep server example com Include the router serial number in the sub...

Страница 111: ...th Subordinate CAs Before the router can authenticate to a CA every CA certificate in the CA s certificate chain must be imported into the router starting with the root For example this imports two CA certificates in the chain into the router scep config crypto ca trusted root1 scep ca root root CEP http server example com 12888 ee scep pkiclient cgi scep ca root crl optional scep ca root exit sce...

Страница 112: ...r provides additional debugging during SCEP operations by enabling the debug statements scep debug crypto pki callbacks Crypto PKI callbacks debugging is on scep debug crypto pki messages Crypto PKI Msg debugging is on scep debug crypto pki transactions Crypto PKI Trans debugging is on scep debug crypto verbose verbose debug output debugging is on 4 5 Performing Bulk Issuance There can be instance...

Страница 113: ...RMF reque like white spaces should be replaced with their HTML coded equivalent like using 20 certPrettyPrint Sets whether to return a pretty print format of the certificate this is either true or false challengePassword and confirmChallengePassword Sets and confirms a challenge password which is used to verify the requester when the Certificate Uses email Sets whether the certificate can be used ...

Страница 114: ...k Issuance POST File 4 5 2 Running the Bulk Issuance Command The POST file is submitted directly to the CA using the bulkissuance command not through the web services pages or console The person performing the bulk issuance authenticates to the CA using his agent s certificate which is also used to approve the certificates automatically The bulkissuance command passes the agent certificate nicknam...

Страница 115: ...ows servers for Server 2000 XP 2003 and Vista all have a feature for automatic certificate enrollment which allows Windows systems within a domain to contact a domain controller find available certificate services and request and receive those services based on their domain credentials That is a technical way of saying that whenever a new identity joins a domain a server a user or an administrator...

Страница 116: ...ss from creating keys to generating and submitting the certificate request In a Windows domain servers and applications poll Active Directory to get the list of available certificate services When the Auto Enrollment Proxy is configured its information is added to Active Directory as one of the available certificate services Then when an enrollee like a server first asks the domain controller for ...

Страница 117: ... enrolling application Figure 4 2 The Auto Enrollment Process At several points in the process the DCOM objects pull information about the proxy service from the registry settings or from the entry in Active Directory 1 The server runs an LDAP search on the root DSE to find the configuration naming context 2 Then it runs an LDAP search under the CN Enrollment Services CN Public Key Services CN Ser...

Страница 118: ...er against information in the domain so the requester must be in the same forest as the proxy Additionally for security the proxy should be run on a dedicated machine in a secure environment with access limited to trusted administrators The simplest configuration is to install the proxy as the same machine as the domain controller This limits the field of the proxy to that single domain Figure 4 3...

Страница 119: ...rangement has the proxy installed within a single domain but accessible to multiple domains within a Windows forest For this configuration see the Windows server and Active Directory documentation to explain how to configure the domain properly Figure 4 5 Using a Single Proxy within a Forest ...

Страница 120: ... be able to cross trust each other Audit logging should be enabled for the group policy DNS must be properly configured the DNS settings can be verified using dcdiag All Windows servers should access the same NTP server so that their dates and times are in sync The Microsoft Management Console must be configured as described in Section 4 6 2 2 Configuring the Microsoft Management Console to Use wi...

Страница 121: ...Installing and Setting up the Auto Enrollment Proxy 99 3 Select the profile to which to add the snap ins It may be beneficial to have a separate profile for the proxy Then click Add ...

Страница 122: ...ates Current User Certificates with the Computer account option to create a snap in for Certificates Local Computer Active Directory users and computers Active Directory domains and trusts DNS Component Services 5 Save the Microsoft Management Console configuration to the desktop this ensures that it is easy to access 6 Verify that the console is properly configured by re opening it and double cli...

Страница 123: ...he CA must be trusted in order to issue certificates meaning the CA certificate has to be loaded a Use IE and connect to the CA s agent page No errors warning should be displayed If they appear make sure they don t appear the next time b Retrieve the CA certificate chain in binary form from the CA s end entities pages Save the certificate chain to the desktop with a name like cacert cer c In the M...

Страница 124: ...le click the exe and go through the installer 5 Configure the Auto Enrollment Proxy by importing the CA certificate setting the CAs to use and setting the Auto Enrollment Proxy settings a Open the Start menu and select Red Hat Auto Enrollment Proxy b Open the CA Certificate tab Click Load from File and import that CA certificate chain from the file Then click Set to apply the certificate ...

Страница 125: ...Installing and Setting up the Auto Enrollment Proxy 103 c Next click the Active Directory tab Click the Populate AD button to create the Active Directory entry for the proxy service ...

Страница 126: ...Chapter 4 Requesting Enrolling and Managing Certificates 104 d Add the connection information for each Certificate Manager which will be used by the proxy Click Add to add each CA ...

Страница 127: ...rmation The fully qualified domain name of the Certificate Manager The port number of the Certificate Manager The Certificate System version number of the Certificate Manager The certificate to use to authenticate to the Certificate Manager e In the Logging tab set any log levels to use for the service ...

Страница 128: ...e configuration settings have been made click Apply to save the settings 6 The last configuration area is setting up the DCOM service a In the Microsoft Management Console select the DCOM Components snap in b Select or expand the Computers folder then My Computer and DCOM Config ...

Страница 129: ...ion Permissions and click the Edit button Make sure that the administrator and that Everyone is selected Then click the Customize radio button under Access Permissions and click the Edit button Make sure that the administrator and that Everyone is selected NOTE The user that launches the proxy and the computer account for the proxy host must be members of the Distributed COM Built in Principals Gr...

Страница 130: ...e user to log into the domain f Save the changes to the DCOM snap in 7 In Administrative Tools open Services and manually start the Auto Enrollment Proxy service This should then be listed in the Task Manager as rhcsproxy exe 4 6 2 4 Troubleshooting and Diagnostic Tips Microsoft supplies several tools that are beneficial for diagnosing and troubleshooting problems with auto enrollment or the Auto ...

Страница 131: ... there are a couple of different possible reasons The hostname in enrollment services is incorrect Use LDP to view the enrollment service in Active Directory for the proxy and verify the dNSHostName attribute This value is automatically populated when the proxy is first configured The proxy host is unreachable Try to ping the above hostname to make sure DNS resolves the hostname to an IP address c...

Страница 132: ... and Adding CAs in the Windows Domain All of the CAs configured for enrollment services for a domain are listed in Active directory in the CN Enrollment Services CN Public Key Services subtree This subtree can be queried to show what Certificate Managers are configured for the proxy and what certificate templates and other settings they have available For example dsquery CN Example RHCS CA CN Enro...

Страница 133: ... certificate templates maintained in the registry under the following key HKEY_LOCAL_MACHINE SOFTWARE Red Hat RHCSProxy Config ProfileMap To add additional certificate profiles to the proxy service add a subkey under the ProfileMap folder which maps a Windows template to the Certificate System profile The Windows template is identified in the key name the corresponding Certificate System profile i...

Страница 134: ...spx mfr true 4 6 4 Manually Requesting Domain Certificates The auto enrollment proxy naturally automatically enrolls servers hardware and even users as soon as the entity is added to the Windows domain However once the auto enrollment proxy for Red Hat Certificate System is configured it is also possible to request and receive certificates manually on a Windows domain through a Certificate System ...

Страница 135: ...Manually Requesting Domain Certificates 113 4 The available types of certificates that can be requested are listed Select the type of certificate to request ...

Страница 136: ...Chapter 4 Requesting Enrolling and Managing Certificates 114 5 Fill in the information to use to configure the certificate such as a name or description ...

Страница 137: ...certificate request such as the certificate profile for the Windows domain the key settings and any extensions For example Version Signature Windows NT NewRequest Subject CN domain example com KeySpec 1 KeyLength 1024 Exportable TRUE MachineKeySet TRUE SMIME False PrivateKeyArchive FALSE UserProtected FALSE UseExistingKeySet FALSE ProviderName Microsoft RSA SChannel Cryptographic Provider Provider...

Страница 138: ... domain example com Certificate Authority SUBCA server example com submit dc cert request req dc cert cer 4 7 Renewing Certificates Renewing a certificate regenerates the certificate using the same public key as the original certificate Renewing a certificate can be preferable to simply generating new keys and installing new certificates for example if a new CA signing certificate is created all o...

Страница 139: ... server identifies the certificate and then maps the renewal request to the initial certificate request entry in the CA database If more than one certificate matches the renewal request then the most recent certificate entry is used The renewal request must be submitted to the same CA which issued the original certificate This is the only way to map the serial number to the appropriate certificate...

Страница 140: ...Wr8ZCIgt2Rr3aR3FqE0tqUXh2RDmq EvfxBza FOTQpwz2EW1ppIXjKNZpi9 3enjMg0rc CsT c1rKeXJzo5mD6n VmET8ZilvSgyq6jt9KgqeVfM Cfl ypQ2u9EW6a0sYflw vPOkcXqRUnKfKjn1lq8CALrGDG71pAlHzXQNMB0YWlKKywhdMfbHPN8 FdFHC6Ro5Ny01DDRBF y3Iqc3flLFJt1Ya3c8hEc version 2 algorithmId 1 2 840 113549 1 1 1 signingAlgorithmId 1 2 840 113549 1 1 5 dateOfCreate 20090624082244Z dateOfModify 20090624082244Z certStatus VALID autoRenew...

Страница 141: ...raints and subject name A renewed certificate is identical to the original except that it has a new expiration date When a certificate is renewed it has to be renewed using a renewal profile that corresponds to the initial enrollment profile Certificate System supports renewals both for tokens and for regular certificates both through the RA and the CA The default configuration profiles cover user...

Страница 142: ...es not need to define any defaults extensions or constraints all of that information is already contained in the original certificate What a renewal profile does define is whether renewal is allowed the input to use to locate the original certificate and the output of the regenerated certificate The renewal option as with the original profile is set to either true or false renewal true The origina...

Страница 143: ...tern This is described in Section 9 2 1 Setting up Directory Based Authentication However for certificate based renewal the certificate is presented directly by the browser being used to open the renewal forms and that certificate is checked in the client database The certificate is used both to verify the identity of the requester and to get the certificate information for renewal For certificate...

Страница 144: ... and the CA draws the information from its current certificate directory entry Certificate based renewal uses the certificate in the browser database to regenerate the new certificate which makes it common for user certificate renewals NOTE Encryption and signing certificates are created in a single step However the renewal process only renews one certificate at a time To renew both certificates i...

Страница 145: ...g Certificates 123 4 Click the renew button 5 The request is submitted For directory based renewals the renewed certificate is automatically returned Otherwise the renewal request will be approved by an agent ...

Страница 146: ...e to renew If a certificate can be renewed then the CA automatically approved and reissued it 1 Open the end entities services page for the CA which issued the certificate or its clone https server example com 9444 ca ee ca 2 Click the name of the renewal form to use 3 There is no input field so click the Renew button 4 When prompted select the certificate to renew 5 The request is submitted and t...

Страница 147: ...al process only renews one certificate at a time To renew both certificates in a certificate pair each one has to be renewed individually 1 Get the password for the token database cat var lib pki ca conf password conf internal 263163888660 2 Open the certificate database directory of the instance that s certificate is being renewed cd var lib pki ca alias 3 List the key and nickname for the certif...

Страница 148: ...o Example Domain a o example req2 txt The difference between generating a new certificate and key pair and renewing the certificate is the value of the k option To generate an entirely new request and key pair then k sets the key type and is used with g which sets the bit length For a renewal request the k option uses the certificate nickname to access the existing key pair stored in the security ...

Страница 149: ...e password PIN on the smart card Upgrading the applet version on the smart card Each of these operations is configured in the TPS instance s CS cfg file similar to a CA enrollment profile 5 1 1 Configuring Format Operations When the TPS is contacted by a smart card for a format operation there are several different operations the TPS can perform depending on the status of the smart card Whether an...

Страница 150: ...nn The TKS connection to use op format tokenType auth id The LDAP authentication instance to use The default value is ldap1 op format tokenType auth enable Specifies whether to authenticate the user information The valid values are tru op format tokenType issuerinfo enable Specifies whether the Phone Home information for the Enterprise Security Clien op format tokenType issuerinfo value Sets the P...

Страница 151: ...covery onHold revokeCert reason 6 op enroll soKey keyGen encryption recovery onHold scheme GenerateNewKey op enroll soKey keyGen encryption revokeCert true key archival information op enroll soKey keyGen encryption serverKeygen archive true op enroll soKey keyGen encryption serverKeygen drm conn drm1 op enroll soKey keyGen encryption serverKeygen enable true NOTE There are a number of other parame...

Страница 152: ...romised 2 CA key compromised 3 Affiliation changed 4 Certificate superseded 5 Cessation of operation 6 Certificate is on hold op enroll tokenType keyGen recovery keyCompromise keyType num The number of key types for recovery for the tokens whose keys are compromis op enroll tokenType keyGen recovery keyCompromise keyType value Specifies keyType The default values are signing encryption op enroll t...

Страница 153: ...ning encryption op enroll tokenType keyGen signing recovery onHold scheme The recovery scheme for signing certificates for tokens that are to be pu op enroll tokenType keyGen signing recovery onHold revokeCert Specifies if the signing certificate should be revoked if the token s key ha op enroll tokenType keyGen signing recovery onHold revokeCert reason Specifies what the signing certificate revoc...

Страница 154: ... token should be overwritten The va op enroll tokenType keyGen encryption ca profileId The CA profile to use for enrolling encryption certificates The default value is c op enroll tokenType keyGen encryption ca conn The CA connection to use to generate encryption certs The default value is ca1 op enroll tokenType update applet emptyToken enable Specifies whether TPS should upload an applet to the ...

Страница 155: ... signing encryption private keyCapabilities unwrap op enroll tokenType keyGen signing encryption private keyCapabilities wrap op enroll tokenType keyGen signing encryption private keyCapabilities verifyRecover op enroll tokenType keyGen signing encryption private keyCapabilities verify op enroll tokenType keyGen signing encryption private keyCapabilities sensitive op enroll tokenType keyGen signin...

Страница 156: ...on the TPS can be configured to upload or update the applet version on the smart card update the symmetric key and required LDAP authentication as well as setting which subsystem instances will process the operation The CS cfg file parameters for resetting the PIN are listed in Table 5 5 PIN Reset Operation Parameters Parameter Description op pinReset tokenType update applet emptyToken enable Spec...

Страница 157: ...ts op enroll userKey update applet encryption true If a smart card only has the card manager then the card manager capability must be enabled by editing the following parameter op operation key_type update applet emptyToken enable true NOTE If the filename set in the update applet requiredVersion parameter contains any alphabetic characters then all of these alphabetic characters must always be up...

Страница 158: ...can be renewed depends on whether the user policy for the token allows it to be renewed Setting the token policy is a TPS agent task and is described in the Agent s Guide 1 Log into the TPS services page as an agent https server example com 7889 tus 2 In the Agent Operations tab search for or list the tokens and click the token s ID number in the results page 3 Click the Edit button at the bottom ...

Страница 159: ...ows a user to re enroll certificates with the same token PIN_RESET which allows the token user to initiate a PIN reset operation RENEW which allows a user to regenerate their existing certificates using the original keys and an extended validity period The token policy settings are configured through the TPS agent services page as described in the Agent s Guide The way to edit the token policy for...

Страница 160: ...e set to YES then the renewal setting takes precedence the token certificates are renewed when they expire The default values for all three parameters can be set in the TPS s CS cfg file in the tokendb defaultPolicy parameter For example tokendb defaultPolicy RE_ENROLL YES NOTE If the PIN_RESET policy is not set then user initiated PIN resets are allowed by default If the policy is present and is ...

Страница 161: ... 4 2 Mapping Token Types to Smart Card Operation Profiles 5 4 1 Default Token Types There are several default token types already configured for smart card operations as listed in Table 5 6 Default Token Types There are several profiles available for security officers regular users and devices Token Type Description cleanToken For operations for any blank token without any other applied token type...

Страница 162: ... tokenCUID end 1 op format mapping 0 filter tokenCUID start 100 op format mapping 0 filter tokenType exampleKey op format mapping 0 target tokenType exampleKey this matches every token op format mapping 6 filter appletMajorVersion op format mapping 6 filter appletMinorVersion op format mapping 6 filter tokenATR op format mapping 6 filter tokenCUID end op format mapping 6 filter tokenCUID start op ...

Страница 163: ...se Security Client prompts for LDAP authentication 4 The format operation completes When the token is selected in the Enterprise Security Client the Enterprise Security Client sends in the applet version CUID ATR and other information about the token to the TPS server TPS server checks the op format mapping section in the CS cfg file and figures out which tokenType to use for the token either devK...

Страница 164: ...ginRequest enable true op format qaKey tks conn tks1 op format qaKey auth id ldap qa op format qaKey auth enable true LDAP Connection settings for devKey auth instance 0 type LDAP_Authentication auth instance 0 libraryName usr lib libldapauth so auth instance 0 libraryFactory GetAuthentication auth instance 0 authId ldap dev auth instance 0 hostport ldap dev example com 1111 auth instance 0 SSLOn ...

Страница 165: ...h the TPS agent services page The TPS agent after affirmatively identifying the user can search for the user s ID in the Search tokens link The TPS agent select the active token and update the status with the appropriate reason to recover the key Agent Status Option Configuration Parameter Default Recovery Scheme This token has been physically damaged reason 0 RecoverLast This token has been perma...

Страница 166: ...en signing recovery onHold revokeCert reason 6 op enroll userKey keyGen signing revokeCert true for the encryption key op enroll userKey keyGen encryption recovery destroyed revokeCert false op enroll userKey keyGen encryption recovery destroyed revokeCert reason 0 op enroll userKey keyGen encryption recovery keyCompromise revokeCert true op enroll userKey keyGen encryption recovery keyCompromise ...

Страница 167: ...material sent from the user the token CUID an agreed on algorithm and a public key to recombine a key that exists on the token that is why the keys are derived rather than generated These derived keys both encrypt sessions between the TPS and the Enterprise Security Client and generate keys for the token enrollment Part of the way that the TKS derives these keys is by using a common master key tha...

Страница 168: ...S Certificate DB Enter Password or Pin for NSS Certificate DB 0 new_master Using the tkstool is explained in more detail in the Certificate System Command Line Tools Guide 5 6 2 Generating and Transporting Wrapped Master Keys If a master key is going to be used on an external token or in multiple locations then that key must be wrapped so that it can be safely transported to the hardware tokens Th...

Страница 169: ... this progress meter is full DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD Continue typing until the progress meter is full Finished Type the word proceed and press enter The next prompts generate a series of session keys For example The next screen generates the first session key share Type the word proceed and press enter to continue or C to break proceed sh tput command not found Generati...

Страница 170: ...n key shares and KCVs are generated as with the initial transport key generation Write down all of this information 5 Use the transport key to generate and wrap a master key and store it in a file called file tkstool W d n new_master t transport o file Enter Password or Pin for NSS Certificate DB Retrieving the transport key for wrapping from the specified token Generating and storing the master k...

Страница 171: ...store the master key on the specified token Naming the master key new_master Successfully unwrapped stored and named the master key 9 Verify that the keys have been added properly to the database tkstool L d slot NSS User Private Key and Certificate Services token NSS Certificate DB Enter Password or Pin for NSS Certificate DB 0 transport 1 new_master Using the tkstool is explained in more detail ...

Страница 172: ...e token or no by default it s true even if it s not settks useSoftToken false mk_mappings maps key version to key name on token name in this example 02 is the version number nethsm is the token name and new_master is the key name tks mk_mappings 02 01 nethsm new_master It is not necessary to change the defaultSlot value it can remain the default value for the software database tks defaultSlot Inte...

Страница 173: ...sistent NOTE Smart cards from the Axalto Web Store come with a default developer key set where all keys are set to 404142434445464748494a4b4c4d4e4f The TKS has this key built in and it is referred to with the master key set 01 The TKS uses key set 01 by default NOTE Always stop a subsystem instance before editing the configuration file 1 Stop the TKS service pki tks stop 2 Generate a new master ke...

Страница 174: ...r symmetric key with the manufacturer The smart card TKS is configured to use these symmetric keys However during enrollment it is desirable to replace these symmetric keys with a set that is not shared by the manufacturer to restrict the set of entities that can manipulate the token NOTE Changing the symmetric keys can render the smart cards unusable if the master key is lost Use key changeover i...

Страница 175: ...ore detail in Section 5 6 4 Updating Master Key Versions and Associating the Master Key with Its Version 6 Start the TKS instance service pki tks start 7 Stop the TPS instance to edit its configuration service pki tps stop 8 Edit the TPS s configuration file vi etc pki tps CS cfg 9 Change the symmetricKeys enable and requiredVersion parameters to use the newly generated master keys on the TKS For ...

Страница 176: ...PS Enterprise Security Client Connections By default the TPS communicates with the Enterprise Security Client over standard HTTP but it is configured to listen over two different secure SSL ports for regular and security officer users of the Enterprise Security Client to connect over SSL The Enterprise Security Client can be configured to connect over these SSL ports 5 7 1 1 Default TPS SSL Config...

Страница 177: ...t 7889 with one exception the NSSVerifyClient directive is set to none This means that client authentication is not required to connect to that port VirtualHost _default_ 7890 SSL Engine Switch NSSEngine on SSL Cipher Suite NSSCipherSuite des desede3 rc2 rc2export rc4 rc4export rsa_3des_sha rsa_des_56_sha rsa_des_sha rsa_null_md5 rsa_null_sha rsa_rc2_40_md5 rsa_rc4_128_md5 rsa_rc4_128_sha rsa_rc4_...

Страница 178: ... to be configured to communicate with the TPS over SSL this is done by setting the Phone Home URL which is the default URL the Enterprise Security Client uses to connect to the TPS Resetting the Enterprise Security Client s Phone Home URL is described in more detail in Managing Smart Cards with the Enterprise Security Client 1 Open the Enterprise Security Client For example usr lib esc 1 0 1 esc 2...

Страница 179: ...an LDAP directory when a smart card operation request is received There are three parameters for this which can be set for each separate token operation op operation key_type auth enable true false op operation key_type auth id ldap_db_config_entry op operation key_type loginRequest enable true false Setting these parameters determines whether LDAP authentication is required which the LDAP directo...

Страница 180: ...uthentication type to use This must be LDAP_Authentication auth instance libraryName The library to use for LDAP authentication Provide the full path to the library The filename mus auth instance libraryFactory The function name to use for LDAP authentication This must be GetAuthentication auth instance authId Specifies this authentication instance ID to use to define operations For example ldap1 ...

Страница 181: ...n database The default value is cn directory manag tokendb bindPassPath The path to a local password file which contains the subsystem passwords The default tokendb templateDir The directory where the templates for the TPS agent page are located tokendb userBaseDN The LDAP suffix where the user entries are tokendb baseDN The LDAP suffix where the token entries should be added and modified by the T...

Страница 182: ... it is not necessary to configure it manually in the CS cfg If however the DRM information has changed or the DRM was not configured during the installation process then the procedure described in this section can be used to set up the DRM The global platform environment prevents removing private keys from the smart card For encryption keys it is often necessary to back up the key material for lat...

Страница 183: ...on and archival 5 7 5 2 Step 2 Adding the TPS as a DRM Recovery Agent 1 Open the DRM Console 2 In the Configuration tab select Users and Groups 3 In the Users tab click Add and create the new user give this user a name such as TPS Recovery Agent Add this user to the Data Recovery Manager Agents group 4 Select the TPS user click Certificates and import the TPS server certificate 5 7 5 3 Step 3 Impo...

Страница 184: ...A and save it to file 2 Import the transport certificate into the TKS security databases in the var lib subsystem_name alias directory In the TKS Console click Subsystem Keys and Certificates in the left navigation panel In the Local Certificates tab click Add and paste in the certificate information Alternatively use the certutil to import the certificate certutil d P cert db prefix A n DRM Trans...

Страница 185: ... 7889 Listen 7890 To restrict the TPS its IPv4 address then edit Listen line to specify an IPv4 style address Listen 0 0 0 0 7889 5 8 Scaling the TPS and Its Support Subsystems When the TPS is configured it is configured to work with a specific instance of a CA TKS and optionally DRM subsystems It is possible after the configuration process to edit the TPS CS cfg file to provide backup CA TKS and ...

Страница 186: ... whole then has very flexible scalability Additionally subsystems and clients can be added to improve performance without affecting the configuration of other subsystem instances 5 8 1 Configuring Failover Support The subsystem instance to which the TPS connects is set in the conn subsystem hostport parameter of the CS cfg configuration file For example the CA instance is set in the following para...

Страница 187: ...is shou conn tks clientNickname The client certificate nickname to use This certificate is used by the TPS when connecti be trusted by the TKS and the client should be a configured TKS agent conn tks retryConnect The number of times the TPS tries to reconnect to the TKS after a connection attempt fa example 3 conn tks SSLOn Sets whether SSL needs to be turned on for the connection to the TKS This ...

Страница 188: ...mple com 9443 conn ca1 keepAlive true conn ca1 retryConnect 3 conn ca1 servlet enrollment ca ee ca profileSubmitSSLClient conn ca1 servlet revoke ca subsystem ca doRevoke conn ca1 servlet unrevoke ca subsystem ca doUnrevoke conn ca1 timeout 100 conn ca2 clientNickname subsystemCert cert pki tps conn ca2 hostport bCA example com 9543 conn ca2 keepAlive true conn ca2 retryConnect 3 conn ca2 servlet ...

Страница 189: ...rVersion 5 op enroll mapping 0 filter tokenATR op enroll mapping 0 filter tokenCUID end 1000 op enroll mapping 0 filter tokenCUID start 4000 op enroll mapping 0 filter tokenType userKey op enroll mapping 0 target tokenType userKey The mapping and filter parameters are listed in Table 5 7 Mapping and Filters 5 9 Potential Token Operation Errors Errors that are returned by smart cards are listed in ...

Страница 190: ...168 ...

Страница 191: ...icate System Agent s Guide When it receives the CRL the Certificate Manager marks the corresponding certificate records in its internal database as revoked and if configured to do so removes the revoked certificates from the publishing directory and updates the CRL in the publishing directory Server and client applications that use public key certificates as ID tokens need access to information ab...

Страница 192: ...et up for this issuing point a delta CRL is also created at this time The full CRL contains all revoked certificate information since the Certificate Manager began collecting this information The delta CRL contains all revoked certificate information since the last update of the full CRL The full CRL and the delta CRL have the same number allowing clients to determine a match between them This num...

Страница 193: ...wing 0 Unspecified no particular reason is given 1 The private key associated with the certificate was compromised 2 The private key associated with the CA that issued the certificate was compromised 3 The owner of the certificate is no longer affiliated with the issuer of the certificate and either no longer has rights to the access gained with the certificate or no longer needs it 4 Another cert...

Страница 194: ... directory or to an OCSP responder Where and how frequently CRLs are published are configured in the Certificate Manager as described in Chapter 8 Publishing Certificates and CRLs Because CRLs can be very large publishing CRLs can take a very long time and it is possible for the process to be interrupted Special publishers can be configured to publish CRLs to a file over HTTP1 1 and if the process...

Страница 195: ...s certificate i is the issuer name of the certificate being revoked s is the serial number of the certificate being revoked in decimal value m is the reason the certificate is being revoked which can be any of the following 0 unspecified 1 the key was compromised 2 the CA key was compromised 3 the employee s affiliation changed 4 the certificate has been superseded 5 cessation of operation 6 the c...

Страница 196: ...te Manager uses its CA signing key to sign CRLs To use a separate signing key pair for CRLs set up a CRL signing key and change the Certificate Manager configuration to use this key to sign CRLs See Section 6 3 4 Setting a CA to Use a Different Certificate to Sign CRLs for more information 2 Set up CRL issuing points An issuing point is already set up and enabled for a master CRL Figure 6 1 Defaul...

Страница 197: ...e information about the issuing point 7 Set up publishing CRLs to files an LDAP directory or an OCSP responder See Chapter 8 Publishing Certificates and CRLs for details about setting up publishing 6 3 1 Configuring Issuing Points Issuing points define which certificates are included in a new CRL A master CRL issuing point is created by default for a master CRL containing a list of all revoked cer...

Страница 198: ...vigation tree Configure CRLs for the new issuing point and set up any CRL extensions that will be used with the CRL See Section 6 3 2 Configuring CRLs for Each Issuing Point for details on configuring an issuing point See Section 6 3 3 Setting CRL Extensions for details on setting up the CRL extensions All the CRLs created appear on the Update Revocation List page of the agent services pages 6 3 2...

Страница 199: ...CRL will be issued The Update Frequency section sets the different intervals when the CRLs are generated and published to the directory Every time a certificate is revoked or released from hold This sets the Certificate Manager to generate the CRL every time it revokes a certificate The Certificate Manager attempts to publish the CRL to the configured directory whenever it is generated Publishing ...

Страница 200: ...ver is configured to update the CRL every 20 minutes with a grace period of 2 minutes and if the CRL is updated at 16 00 the CRL is updated again at 16 18 5 The Cache tab sets whether caching is enabled and the cache frequency Figure 6 3 CRL Cache Tab Enable CRL cache This checkbox enables the cache which is used to create delta CRLs If the cache is disabled delta CRLs will not be created For more...

Страница 201: ...pired certificates This includes revoked certificates that have expired If this is enabled information about revoked certificates remains in the CRL after the certificate expires If this is not enabled information about revoked certificates is removed when the certificate expires CA certificates only This includes only CA certificates in the CRL Selecting this option creates an Authority Revocatio...

Страница 202: ...pen the CA console pkiconsole https server example com 9445 ca 2 In the navigation tree select Certificate Manager and then select CRL Issuing Points 3 Select the issuing point name below the Issuing Points entry and select the CRL Extension entry below the issuing point The right pane shows the CRL Extensions Management tab which lists configured extensions Figure 6 5 CRL Extensions 4 To modify a...

Страница 203: ...illa org projects security pki nss tools 2 When the certificate request has been created submit it through the Certificate Manager end entities page The page has a URL in the following format https hostname port ca ee ca 3 After the request is submitted log into the agent services page 4 Check the request for required extensions The CRL signing certificate must contain the Key Usage extension with...

Страница 204: ...inds of CRLs however The full CRL has a record of every single revoked certificate However the Certificate System also publishes a delta CRL which contains only the certificates that have been revoked since the last CRL delta or full was published By default full and delta CRLs are generated at the same time and every time However it is possible to space out when full CRLs are published and to pub...

Страница 205: ...Select the MasterCRL node 4 Deselect the Extend next update time in full CRLs check box which disables publishing a full CRL every time a CRL is published Then set the new full CRL interval in the Generate full CRL every deltas field 5 Save the changes 6 4 2 Configuring Extended Updated Intervals for CRLs in CS cfg Two parameters need to be configured for setting the full delta CRL publishing inte...

Страница 206: ...system CS cfg configuration file includes a parameter jss ocspcheck enable which sets whether a Certificate Manager should use an OCSP to verify the revocation status of the certificate it receives as a part of SSL client or server authentication Changing the value of this parameter to true means the Certificate Manager reads the Authority Information Access extension in the certificate and verifi...

Страница 207: ... enabled Sets revocation checking true enables checking false disables checking By default the feature is enabled revocationChecking unknownStateInterval Sets how frequently the server checks the revocation status The default interval is 0 seconds revocationChecking validityInterval Sets how long the cached certificates are considered valid Be judicious when choosing the interval For example if th...

Страница 208: ...186 ...

Страница 209: ...not in the certificate chain must be trusted manually To set up the Online Certificate Status Manager for a Certificate Manager outside the security domain do the following 1 Configure the CRLs for every CA that will publish to an OCSP responder See Chapter 6 Revoking Certificates and Issuing CRLs for details 2 Enable publishing set up a publisher and set publishing rules in every CA that the OCSP...

Страница 210: ... the OCSP service is if the CA connects to the Online Certificate Status Manager through SSL authentication when it publishes its CRL Otherwise the Online Certificate Status Manager does not need to have the complete certificate chain However the Online Certificate Status Manager must have the certificate which signed the CRL either a CA signing certificate or a separate CRL signing certificate in...

Страница 211: ...ectory for verifying revocation status of certificate do the following 1 Open the Online Certificate Status Manager Console pkiconsole https server example com 11445 ocsp 2 In the Configuration tab select Online Certificate Status Manager and then select Revocation Info Stores The right pane shows the two repositories the Online Certificate Status Manager can use by default it uses the CRL in its ...

Страница 212: ...operly by doing the following 1 Turn on revocation checking in the browser or client 2 Request a certificate from the CA that has been enabled for OCSP services 3 Approve the request 4 Download the certificate to the browser or client 5 Make sure the CA is trusted by the browser or client 6 Check the status of Certificate Manager s internal OCSP service Open the CA agent services page and select t...

Страница 213: ...anager s internal database publishing does not have to be configured to use this service Clients can query the OCSP service through the non SSL end entity port of the Certificate Manager When queried for the revocation status of a certificate the Certificate Manager searches its internal database for the certificate checks its status and responds to the client Since the Certificate Manager has rea...

Страница 214: ...commented and configured NOTE NSS part of the Apache web server used by the TPS and the RA provides the mechanism for contacting the OCSP service However NSS caches OCSP responses for 60 minutes If the TPS or RA polls again for the revocation status of a certificate within an hour of its being checked NSS returns the cached response even if the revocation status has changed If there is a very impo...

Страница 215: ... ocspSigningCert cert pki ocsp t CTu Cu Cu d var lib pki tps alias a i tmp example cert Importing certificates into the security database is described in Section 16 5 1 2 Installing Certificates Using certutil c Import the OCSP signing certificate into the subsystem s security database certutil A n ocspSigningCert cert pki ocsp t u u u d var lib pki ca alias a i tmp example cert Importing certific...

Страница 216: ...e before the TPS checks the OCSP responder about a certificate OCSP responders have an optional setting to configure it s a good time for the client to query the service The NSSOPCSPMaxCacheEntryDuration attribute overrides the default settings in the OCSP responder and allows you to define whatever window you want The default setting for this is one day For example NSSOCSPCacheSize 1000 NSSOCSPMi...

Страница 217: ...7 1 OCSP Settings for the DRM Agent Interface All of the OCSP checking parameters are listed in Table 7 1 OCSP Parameters for server xml 3 If the given OCSP service is not the CA then the OCSP service s signing certificate must be imported into the subsystem s NSS database This can be done in the console or using certutil both options are covered in Section 16 5 1 Installing Certificates in the Ce...

Страница 218: ...var lib pki ca alias caSigningCert cert pki ca 1 export output txt 1 URI ocsp ee ocsp Data Length 68 Data MEIwQDA MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewdDnn8ZgQUbyBZ 44kgy35o7xW5BMzM8FTvyTwCAQE The Certificate System s OCSPClient tool has the format OCSPClient host port path to CA_cert_database CA_signing_cert_nickname serial_number output_file times An OCSP request can also be generated usin...

Страница 219: ... 34 474 43 MB s MEIwQDA MDwwOjAJBgUrDgMCGgUABBT4cyABkyiCIhU4JpmIBewd Dnn8ZgQUbyBZ44kgy35o7xW5BMzM8FTvyTwCAQE saved 2362 2362 3 The status for the specified certificate is written to the OCSP s debug log and can be GoodInfo RevokeInfo or UnknownInfo 16 Jul 2009 16 48 47 http 11443 Processor24 Serial Number 1 Status com netscape cmsutil ocsp GoodInfo For certificates issued by a 7 1 CA with the Auth...

Страница 220: ...r lib cd lib 5 Create a symlink that links back to the usr share java pki cms jar JAR file For example ln s usr share java pki cms jar cms jar 6 Move up to the main web application directory For example cd var lib pki ocsp webapps 7 Rename the current instance ocsp directory For example mv var lib pki ocsp webapps ocsp var lib pki ocsp webapps ocsp2 8 Open the WEB INF directory in the original ocs...

Страница 221: ... param value ocsp2 param value init param init param param name srcContext param name param value ocsp param value init param init param param name destServlet param name param value param value init param init param param name matchURIStrings param name param value ocsp registry ocsp acl ocsp jobsScheduler ocsp ug ocsp server ocsp log ocsp auths ocsp start ocsp ocsp ocsp services ocsp agent ocsp ...

Страница 222: ... ocsp conf context xml changing the following line Context to Context crossContext true 12 Edit the var lib pki ocsp webapps ocsp2 services template file and change the following line result recordSet i uri to result recordSet i uri 13 Start the OCSP instance For example service pki ocsp start ...

Страница 223: ...Part II Additional Configuration to Manage CA Services ...

Страница 224: ......

Страница 225: ...r certificates Disable all rules that will not be used 3 Configure CRLs CRLs must be configured before they can be published See Chapter 6 Revoking Certificates and Issuing CRLs 4 Enable publishing after setting up publishers mappers and rules Once publishing is enabled the server starts publishing immediately If the publishers mappers and rules are not completely configured publishing may not wor...

Страница 226: ... publisher that publishes to the LDAP attribute userCertificate binary attribute the certificate is published to the directory specified when LDAP publishing was enabled in this attribute in the user s entry For rules that specify to publish to a file a new file is created when either a certificate or a CRL is issued in the stipulated directory For rules that specify to publish to an LDAP director...

Страница 227: ...repository such as a relational database When the server is configured to publish certificates and CRLs to file the published files are DER encoded binary blobs base 64 encoded text blobs or both For each certificate the server issues it creates a file that contains the certificate in either DER encoded or base 64 encoded format Each file is named either cert serial_number der or cert serial_numbe...

Страница 228: ...of sync for some reason privileged users administrators and agents can also manually initiate the publishing process For instructions see Section 8 7 2 Manually Updating the CRL in the Directory 8 2 Setting up Publishing The general process to configure publishing involves setting up a publisher to publish the certificates or CRLs to the specific location There can be a single publisher or multipl...

Страница 229: ... rule Rules can be set for each object type CA certificates CRLs user certificates and cross pair certificates There can be different rules for different kinds of certificates or different kinds of CRLs The rule first determines if the object meets the criteria by matching the type and predicate set in the rule The destination of matching objects is determined by the publisher and mapper associate...

Страница 230: ...dd to open the Select Publisher Plug in Implementation window which lists registered publisher modules Figure 8 2 Select Publisher Plug in Implementation Window 4 Select the FileBasedPublisher module then open the editor window This is the module that enables the Certificate Manager to publish certificates and CRLs to files ...

Страница 231: ...file type to publish by selecting the checkboxes for DER encoded files base 64 encoded files or both The format of the timestamp to use to name the published certificate or CRL files For CRLs whether to generate a link in the file to go to the latest CRL If enabled the link assumes that the name of the CRL issuing point to use with the extension will be supplied in the crlLinkExt field For CRLs wh...

Страница 232: ...ishers for publishing CRLs to an OCSP 1 Log into the Certificate Manager Console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Publishing and then Publishers Figure 8 3 Publishers Management Tab 3 Click Add to open the Select Publisher Plug in Implementation window which lists registered publisher modul...

Страница 233: ...ther publishing procedures with additional steps to configure the directory 1 Configure the Directory Server to which certificates will be published Certain attributes have to be added to entries and bind identities and authentication methods have to be configured 2 Configure a publisher for each type of object published CA certificates cross pair certificates CRLs and user certificates The publis...

Страница 234: ...A and CRL mapper instances and enabled by default If the directory restricts the Certificate Manager from creating entries in the directory turn off this option in those mapper instances and add an entry for the CA manually in the directory When adding the CA s entry to the directory select the entry type based on the DN of the CA If the CA s DN begins with the cn component create a new person ent...

Страница 235: ...ser must have read write permissions to the directory to publish certificates and CRLs to the directory so that the Certificate Manager can modify the user entries with certificate related information and the CA entry with CA s certificate and CRL related information The bind DN entry can be either of the following An existing DN that has write access such as the Directory Manager ...

Страница 236: ...e X 500 standard attributes for storing certificates and CRLs and do not need to be changed Publisher Description LdapCaCertPublisher Publishes CA certificates to the LDAP directory LdapCrlPublisher Publishes CRLs to the LDAP directory LdapDeltaCrlPublisher Publishes Delta CRLs to the LDAP directory LdapUserCertPublisher Publishes all types of end entity certificates to the LDAP directory LdapCros...

Страница 237: ...he CA entry in the directory To use other mappers create and configure an instance of the mapper For more information see Section C 2 Mapper Plug in Modules To modify a mapper 1 Log into the Certificate Manager Console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Publishing and then Mappers The Mappers...

Страница 238: ...er instance click Add The Select Mapper Plugin Implementation window opens which lists registered mapper modules Select a module and edit it For complete information about these modules see Section C 2 Mapper Plug in Modules Figure 8 8 Selecting a New Mapper Type 6 Edit the mapper instance and click OK ...

Страница 239: ... In this way the same certificate or CRL can be published to a file to an Online Certificate Status Manager and to an LDAP directory by matching a file based rule an OCSP rule and matching a directory based rule Rules can be set for each object type CA certificates CRLs user certificates and cross pair certificates The rules can be more detailed for different kinds of certificates or different kin...

Страница 240: ...2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Publishing and then Rules The Rules Management tab which lists configured rules opens on the right Figure 8 10 Rules Management Tab 3 To edit an existing rule select that rule from the list and click Edit This opens the Rule Editor window ...

Страница 241: ...le 4 To create a rule click Add This opens the Select Rule Plug in Implementation window Figure 8 12 Select Rule Plugin Implementation Window Select the Rule module This is the only default module If any custom modules have been been registered they are also available 5 Edit the rule ...

Страница 242: ...pper Mappers are not necessary when publishing to a file they are only needed for LDAP publishing If this rule is associated with a publisher that publishes to an LDAP directory select an appropriate mapper here Leave blank for all other forms of publishing publisher Sets the publisher to associate with the rule Table 8 3 Predicate Expressions lists the predicates that can be used to identify CRL ...

Страница 243: ...ior or may fail NOTE Configure CRLs CRLs must be configured before they can be published See Chapter 6 Revoking Certificates and Issuing CRLs 1 Log into the Certificate Manager Console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Publishing The right pane shows the details for publishing to an LDAP com...

Страница 244: ...cate Manager s CS cfg file in the ca publish ldappublish ldap ldapauth bindPWPrompt parameter and it can be edited Client certificate This sets the certificate the Certificate Manager uses for SSL client authentication to the publishing directory By default the Certificate Manager uses its SSL server certificate LDAP version Select LDAP version 3 Authentication The way the Certificate Manager auth...

Страница 245: ... the download progress can be tracked and if it is interrupted the download can resume at the point where it dropped off Using HTTP 1 1 allows the client to avoid fetching a CRL which has already been retrieved To do this the Certificate Manager publishes the CRL to a file and uses the Certificate Manager s web server to handle the HTTP 1 1 downloads Configuring the CA publishing to allow CRL down...

Страница 246: ...Chapter 8 Publishing Certificates and CRLs 224 4 In the Publishers Management tab click Add 5 Select the FileBasedPublisher plug in 6 Fill in the CRL publishing information ...

Страница 247: ...rver to send the latest generated CRL or the most recent partial CRL Set the crlLinkExt to bin which gives the proper file extension to the compressed published CRL Select the zipCrls checkbox to compress the CRL and optionally set the compression level 7 In the left menu select the Rules link 8 Click Add in the Rules Management tab to create a new rule for CRL publishing ...

Страница 248: ...RLs 226 9 Select Rule and click Next 10 In the Rule Editor configure the new rule Set the type to crl Make sure that the enable checkbox is selected Set the mapper to NoMap Select the new CRL file publisher from the publisher drop down menu ...

Страница 249: ...shed CRL location as its docroot by adding a new Context line For example vim var lib pki ca conf server xml Server Context docBase webapps path webapps reloadable false this line is commented out by default Context path ca ee ca crl docBase var lib pki ca webapps ca ee ca crl allowLinking true this is the new line Host Engine Service Server 14 It can be beneficial to test the setup by interruptin...

Страница 250: ...r wget are summarized in Table 8 4 wget Options to Use for Retrieving CRLs Argument Description no argument Retrieves the full CRL N Retrieves the CRL that is newer than the local copy delta CRL c Retrieves a partially downloaded file no check certificate Skips SSL for the connection so it is not necessary to configure SSL between the host and client d Prints debug information Table 8 4 wget Optio...

Страница 251: ...ficate Manager Console by doing the following 1 Open the CA console pkiconsole https server example com 9445 ca 2 In the Configuration tab select the Certificate Manager link in the left pane then the Publishing link 3 Click the Rules link under Publishing This opens the Rules Management pane on the right 4 If the rule exists and has been disabled select the enable checkbox If the rule has been de...

Страница 252: ...DVQQKEyNOZXRzY2FwZSBDb21tdW5pY2F0aWhfyyuougjgjjgmkgjkgmjg fjfgjjjgfyjfyj9ucyBDb3Jwb3JhdGlvbjpMEaMBgGA1UECxMRSXNzdWluZyhgdfhbfdpffjphotoo gdhkBBdXRob3JpdHkwHhcNOTYxMTA4MDkwNzM0WhcNOTgxMTA4MDkwNzMM0WjBXMQswCQYDVQQGEwJ VUzEsMCoGA1UEChMjTmV0c2NhcGUgQ29tbXVuaWNhdGlvbnMgQ29ycG9yY2F0aW9ucyBDb3Jwb3Jhd GlvbjpMEaMBgGA1UECxMRSXNzdWluZyBBdXRob3JpdHkwHh END CERTIFICATE 7 Convert the base 64 encoded certificate...

Страница 253: ...e downloaded at http fedoraproject org extras 4 i386 repodata repoview dumpasn1 0 20050404 1 fc4 html To view the content of a DER encoded file simply run the dumpasn1 PrettyPrintCert or PrettyPrintCRL tool with the DER encoded file For example PrettyPrintCRL example der example crl 8 7 Updating Certificates and CRLs in a Directory The Certificate Manager and the publishing directory can become ou...

Страница 254: ...the appropriate options and click Update Directory The Certificate Manager starts updating the directory with the certificate information in its internal database If the changes are substantial updating the directory can take considerable time During this period any changes made through the Certificate Manager including any certificates issued or any certificates revoked may not be included in the...

Страница 255: ...in modules can be registered in a Certificate Manager s publishing framework Unwanted mapper or publisher plug in modules can be deleted Before deleting a module delete all the rules that are based on this module 1 Log into the Certificate Manager Console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Certificate Manager from the navigation tree on the left Select Pu...

Страница 256: ...234 ...

Страница 257: ...or CMC authentication Automated enrollment is enabled by configuring one of the authentication plug in modules More than one authentication method can be configured in a single instance of a subsystem NOTE An email can be automatically sent to an end entity when the certificate is issued for any authentication method by configuring automated notifications See Chapter 10 Using Automated Notificatio...

Страница 258: ...rtificate is recognized by the subsystem as an agent certificate then the CA automatically processes the certificate request This form of automatic authentication can be associated with the certificate profile for enrolling for server certificates This plug in is enabled by default and has no parameters Flat file based enrollment Used exclusively for router SCEP enrollments a text file is used whi...

Страница 259: ...nal ldapByteAttributes Specifies the list of LDAP byte binary attributes that should be considered authentic for the end entity If specified the values corresponding to these attributes will be copied from the authentication directory into the authentication token for use by other modules such as adding additional information to users certificates Entering values for this parameter is optional lda...

Страница 260: ... PINs to the users and then having the users provide the PIN along with their user ID and password when filling out a certificate request Users are then authenticated both against an LDAP directory using their user ID and password and against the PIN in their LDAP entry When the user successfully authenticates the request is automatically processed and a new certificate is issued The Certificate S...

Страница 261: ...rectory For example setpin host yourhost port 9446 length 11 input infile output outfile write binddn cn pinmanager o example com bindpw password basedn o example com filter uid u g Use the output file for delivering PINs to users after completing setting up the required authentication method After confirming that the PIN based enrollment works deliver the PINs to users so they can use them during...

Страница 262: ...ully qualified DNS host name of the authentication directory ldap ldapconn port Specifies the TCP IP port on which the authentication directory listens to requests from the Certificate System ldap ldapconn secureConn Specifies the type SSL or non SSL of the port on which the authentication directory listens to requests Select if this is an SSL port ldap ldapconn version Specifies the LDAP protocol...

Страница 263: ...rollment forms by configuring the inputs in the certificate profiles Include the information that will be needed by the plug in to authenticate the user If the default inputs do not contain all of the information that needs to be collected submit a request created with a third party tool 9 2 3 Using Certificate Based Authentication Certificate based authentication is when a certificate is presente...

Страница 264: ...at file and its authentication parameters can be edited 1 Open the CA Console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Authentication in the navigation tree 3 Select the flatFileAuth authentication module 4 Click Edit View 5 To change the file location and name reset the fileName field To change the authentication name parameter reset the keyAttributes value to...

Страница 265: ...uter assuming that the router contacts the CA directly By default this file is in var lib pki ca conf and specifies two parameters per authentication entry the UID of the site usually its IP address either IPv4 or IPv6 and the random PIN generated by the RA UID 192 168 123 123 PIN HU89dj Each entry must be followed by a blank line For example UID 192 168 123 123 PIN HU89dj UID 12 255 80 13 PIN fio...

Страница 266: ...e Manager When this method is set up the Certificate Manager automatically revokes certificates when a valid request signed with the agent certificate is received To set up CMC enrollment 1 Set up the certificate profile to use to enroll users by setting policies for specific certificates in the certificate profile See Chapter 2 Making Rules for Issuing Certificates for information about profile p...

Страница 267: ...ks 9 3 1 Setting up the Server for Multiple Requests in a Full CMC Request CMC supports multiple CRMF or PKCS 10 requests in a single full CMC request If the numRequests parameter in the cfg file is larger than 1 modify the server s certificate profile by doing the following 1 By default the servlet processing a full CMC request uses the caFullCMCUserCert profile This profile only handles a single...

Страница 268: ...with the same filename with out appended to the filename 5 Submit the signed certificate through the end entities page a Open the end entities page https server example com 9444 ca ee ca b Select the CMC enrollment form from the list of certificate profiles c Paste the content of the output file into the Certificate Request text area of this form d Remove BEGIN NEW CERTIFICATE REQUEST and END NEW ...

Страница 269: ...tication Plug ins Custom authentication plug in modules can be registered through the CA Console Authentication plug in modules can also be deleted through the CA Console Before deleting a module delete instances that are based on that module 1 Log into the console pkiconsole https server example com 9445 ca 2 In the Configuration tab click Authentication in the navigation tree 3 In the right pane...

Страница 270: ...248 ...

Страница 271: ... text and tokens contained in the templates The HTML templates can also be customized for different appearances and formatting 10 1 1 Types of Automated Notifications There are three types of automated notifications Certificate Issued A notification message is automatically sent to users who have been issued certificates A rejection message is sent to a user if the user s certificate request is re...

Страница 272: ...ified RA group such as the default agents group request user create_request 1 assignTo agents request user create_request 1 plugin PKI Request Plugin AutoAssign request user create_request 1 mailTo request user create_request 1 plugin PKI Request Plugin EmailNotification Other RA notifications alert the requester to indicate whether the request was approved or rejected request user approve_request...

Страница 273: ...s in queue only Subject Type the subject title for the notification Content template path Type the path including the filename to the directory that contains the template to use to construct the message content 5 Click Save NOTE Make sure the mail server is set up correctly See Section 10 4 Configuring a Mail Server for Certificate System Notifications 6 Customize the notification message template...

Страница 274: ... 10 2 Setting up Automated Notifications for the CA 4 Save the file 5 Restart the CA instance service pki ca start 6 If a job has been created to send automated messages check that the mail server is correctly configured See Section 10 4 Configuring a Mail Server for Certificate System Notifications 7 The messages that are sent automatically can be customized see Section 10 3 Customizing Notificat...

Страница 275: ...iables for a list of available tokens The contents of any message type can be modified by changing the text and tokens in the message template The appearance of the HTML messages can be changed by modifying the HTML commands in the HTML message template The default text version of the certificate issuance notification message is as follows Your certificate request has been processed successfully S...

Страница 276: ...e_CA html Template for HTML based notification emails to agents when a request enters the queue Table 10 1 Notification Templates Filename Description rnJob1 txt Template for formulating the message content sent to end entities to inform them that their certif the certificates should be renewed or replaced before they expire rnJob1Summary txt Template for constructing the summary report to be sent...

Страница 277: ...sage Status Gives the request status SubjectDN Gives the DN of the certificate subject SummaryItemList Lists the items in the summary notification Each item corresponds to a certificate the job publishing directory SummaryTotalFailure Gives the total number of items in the summary report that failed SummaryTotalNum Gives the total number of certificate requests that are pending in the queue or the...

Страница 278: ... n n Certificate request request_id with the subject name subject_dn for uid has been approved This certificate can be imported by clicking the following link https machineName nonClientAuthSecurePort ee request getcert cgi id request_id Example 10 2 Custom Approved Request Notification for an RA The available notification message tokens are listed in Table 10 4 RA Notification Message Tokens Toke...

Страница 279: ...n which the mail server is installed such as mail example com By default the hostname of the mail server is localhost instead of the actual hostname The default port number on which the SMTP mail server listens is 25 4 Click Save 10 5 Creating Custom Notifications for the CA It can be possible to create custom notification functions to handle other PKI operations such as token enrollments by editi...

Страница 280: ...258 ...

Страница 281: ...Enabling and configuring the Job Scheduler see Section 11 2 Setting up the Job Scheduler for more information Enabling and configuring the job modules and setting preferences for those job modules see Section 11 3 Setting up Specific Jobs for more information Customizing the email notification messages sent with these jobs by changing the templates associated with the types of notification The mes...

Страница 282: ...are not automatically removed from the publishing directory If a Certificate Manager is configured to publish certificates to an LDAP directory over time the directory will contain expired certificates The unpublishExpiredCerts job checks for certificates that have expired and are still marked as published in the internal database at the configured time interval The job connects to the publishing ...

Страница 283: ...t meet the cron specification By default it is set to one minute NOTE The window for entering this information may be too small to see the input Drag the corners of the Certificate Manager Console to enlarge the entire window 5 Click Save 11 3 Setting up Specific Jobs Automated jobs can be configured through the Certificate Manager Console or by editing the configuration file directory It is recom...

Страница 284: ...1 2 Setting up the Job Scheduler for more information 3 In the Configuration tab select Job Scheduler from the navigation tree Then select Jobs to open the Job Instance tab Select the job instance from the list and click Edit View The Job Instance Editor opens showing the current job configuration ...

Страница 285: ...n the fields for this dialog For certRenewalNotifier see Section 11 3 3 Configuration Parameters of certRenewalNotifier For requestInQueueNotifier see Section 11 3 4 Configuration Parameters of requestInQueueNotifier For publishCerts see Section 11 3 5 Configuration Parameters of publishCerts For unpublishExpiredCerts see Section 11 3 6 Configuration Parameters of unpublishExpiredCerts ...

Страница 286: ...figured To configure the certRenewalNotifier job edit all parameters that begin with jobsScheduler job certRenewalNotifier see Section 11 3 3 Configuration Parameters of certRenewalNotifier To configure the requestInQueueNotifier job edit all parameters that begin with jobsScheduler job requestInQueueNotifier see Section 11 3 4 Configuration Parameters of requestInQueueNotifier To configure the pu...

Страница 287: ...report of renewal notifications should be compiled and sent Th false disables it If enabled set the remaining summary parameters these are require summary recipientEmail Specifies the recipients of the summary message These can be agents who need to kn users Set more than one recipient by separating each email address with a comma summary senderEmail Specifies the email address of the sender of th...

Страница 288: ...duler daemon thread expired certificates from the publishing directory This setting must follow the conventions in Sec Automated Jobs For example 00 6 summary enabled Specifies whether a summary of the certificates removed by the job should be compiled and sen summaries false disables them If enabled set the remaining summary parameters these are summary report summary emailSubject Gives the subje...

Страница 289: ... can be agents who need to kn users More than one recipient can be set by separating each email address with a comm Table 11 4 unpublishExpiredCerts Parameters 11 3 7 Frequency Settings for Automated Jobs The Job Scheduler uses a variation of the Unix crontab entry format to specify dates and times for checking the job queue and executing jobs As shown in Table 11 5 Time Values for Scheduling Jobs...

Страница 290: ...nsole Registering a new module involves specifying the name of the module and the full name of the Java class that implements the module To register a new job module 1 Log into the Certificate Manager Console pkiconsole https server example com 9445 ca 2 In the Configuration tab select Job Scheduler in the left navigation tree Select Jobs The Job Instance tab opens which lists any currently config...

Страница 291: ...r Deleting a Job Module 269 If it is necessary to delete a module open the Job Plugin Registration tab as when registering a new module select the module to delete and click Delete When prompted confirm the deletion ...

Страница 292: ...270 ...

Страница 293: ...Part III Managing the Subsystem Instances ...

Страница 294: ......

Страница 295: ...r defined installation directories instead of the default locations in var lib To use custom directory locations install the subsystems through the ISO image with this environment variable set to block the pkicreate script Server instances are somewhat relocatable and have user specific default and customized forms and data Subsystem instances can be stored anywhere on a system When the Certificat...

Страница 296: ... client authentication are based on this subsystem certificate Table 12 1 Default CA Instance Information 12 1 2 Default RA Instance Information The default RA configuration is listed in Table 12 2 Default RA Instance Information Most of these values are unique to the default instance the default certificates and some other settings are true for every RA instance Setting Value Standard Port for En...

Страница 297: ...ubsystem Certificates Transport certificate Storage certificate SSL server certificate Audit log signing certificate Subsystem certificate 2 Security Databases var lib pki kra alias Log Files var log pki kra Install Logs var log pki kra install log Process File var run pki kra pid Web Services Files var lib pki kra webapps kra Running service instance_name status lists all of the configured ports ...

Страница 298: ...faces for the subsystem instance The subsystem certificate is always issued by the security domain so that domain level operations that require client authentication are based on this subsystem certificate Table 12 4 Default OCSP Instance Information 12 1 5 Default TKS Instance Information The default TKS configuration is listed in Table 12 5 Default TKS Instance Information Most of these values a...

Страница 299: ...s Main Directory var lib pki tps Configuration Directory etc pki tps Configuration File etc pki tps CS cfg etc pki tps nss conf etc pki tps password conf Subsystem Certificates SSL server certificate Subsystem certificate Security Databases var lib pki tps alias Log Files var log pki tps Install Logs var log pki tps install log Web Services Files var lib pki tps docroot var lib pki tps cgi bin var...

Страница 300: ...erprise Security Client s esc prefs js configuration file determines which URL to access Setting the Phone Home URL is described in the Managing Smart Cards with the Enterprise Security Client guide 12 1 7 Shared Certificate System Subsystem File Locations There are some directories used by all Certificate System subsystems for general server operations listed in Table 12 7 Subsystem File Location...

Страница 301: ...asiest way to manage the subsystem For example since the TPS and RA subsystems do not use an administrative console all configuration changes must be made by editing the CS cfg file manually 12 2 1 Locating the CS cfg File Each instance of a Certificate System subsystem has its own configuration file CS cfg The contents of the file for each subsystem instance is different depending on the way the ...

Страница 302: ...tance tend to be grouped together into the same block log instance System _000 log instance System _001 System Logging log instance System _002 log instance System bufferSize 512 log instance System enable true log instance System expirationTime 0 log instance System fileName var lib pki ca logs system log instance System flushInterval 5 log instance System level 3 log instance System maxFileSize ...

Страница 303: ...mbers Many of the settings assigned when the instance is first installed or configured are prefaced with pkicreate authType pwd installDate Mon Jul 13 08 13 39 2009 instanceId pki ca instanceRoot var lib pki ca machineName server example com multiroles true passwordClass com netscape cmsutil password PlainPasswordFile passwordFile var lib pki ca conf password conf admin interface uri ca admin cons...

Страница 304: ...ngs for logging into the subsystem For some authorization settings that is all that is required It is also possible to select an authorization method that uses an LDAP database to store user entries in which case the database settings are configured along with the plug in authz impl DirAclAuthz class com netscape cms authorization DirAclAuthz authz instance DirAclAuthz ldap internaldb authz instan...

Страница 305: ...rtAuth class com netscape cms authentication AgentCertAuthentication auths instance AgentCertAuth agentGroup Certificate Manager Agents auths instance AgentCertAuth pluginName AgentCertAuth 12 2 2 4 Security Domain Settings Every instance must belong to a security domain so every instance has a securitydomain definition block securitydomain flushinterval 86400000 securitydomain host server example...

Страница 306: ...rameters except for the TPS which configured it in the tokendb parameters with a lot of other configuration settings internaldb _000 internaldb _001 Internal Database internaldb _002 internaldb basedn dc server example com pki ca internaldb database server example com pki ca internaldb maxConns 15 internaldb minConns 3 internaldb ldapauth authtype BasicAuth internaldb ldapauth bindDN cn Directory ...

Страница 307: ...the configuration file stored in the cache is written to disk Stop the server before editing the configuration file or the changes will be overwritten by the cached version when the server is stopped 2 Open the var lib subsystem_name conf directory 3 Open the CS cfg file in a text editor 4 Edit the parameters in the file and save the changes 5 Start the subsystem instance service subsystem_name st...

Страница 308: ...ts internal LDAP directory internaldb and its replication database The internal password store and replication database have randomly generated PINs which were set when the subsystem was configured the internal LDAP database password was defined by the administrator when the instance was configured internal 376577078151 internaldb secret12 replicationdb 1535106826 12 3 2 Protecting the password co...

Страница 309: ...ssword conf file and create a pipe called password conf 3 Run the regular start script 4 Monitor the Tomcat web server log catalina out and the debug log 5 Provide the passwords to the subsystem instance by running the following unzip c secret zip password conf password conf This is a simple and very flexible way to protect the clear text password file while still allowing passwords to be managed ...

Страница 310: ...me that the instance restarts any external hardware token passwords For the TPS this prompts for three passwords internal for the NSS database tokendbpass for the internal LDAP database any external hardware token passwords All of the passwords which will be prompted for when the subsystem instance starts are listed in the cms passwordlist in the CS cfg file for the instance 12 3 3 1 Configuring N...

Страница 311: ...tem_name conf CS cfg cms passwordlist internaldb replicationdb If publishing has been enabled then make sure the LDAP publishing password is listed For example cms passwordlist internaldb replicationdb CA LDAP Publishing 5 Create a new dtomcat5 file for the instance a Copy the current file in usr share pki type conf For example usr share pki ca conf dtomcat5 tmp dtomcat5 pki old b Edit the copied ...

Страница 312: ...d conf server xml g tmp pki ca old c Copy the file into the etc init d directory cp tmp pki ca old etc init d d Set the proper file owner and permissions for the file chown pkiuser etc init d pki ca old chmod 770 etc init d pki ca old e Remove the temporary file crm rf tmp pki ca old 7 Edit the server xml file For each configured connector add the configFile attribute configFile var lib subsystem_...

Страница 313: ... temporary file into the TPS s conf directory cp tmp perl conf var lib pki tps old conf d Set the proper file owner and permissions for the file chown pkiuser var lib pki tps old conf chmod 660 var lib pki tps old conf e Remove the temporary file rm tmp perl conf f Edit the nss conf file to change the NSSPassPhraseDialog from the password file to builtin original NSSPassPhraseDialog defer var lib ...

Страница 314: ...cgi bin sow cgi 6 If the security officer scripts have been customized then the files need to be updated so that they properly run under mod_perl PerlRun instead of mod_cgi The primary change is to replace any relative file paths with full paths For example replace this line require cfg pl With require var lib pki tps cgi bin sow cfg pl Other changes may be needed to eliminate warnings in the erro...

Страница 315: ...ole LDAP related passwords such as internaldb and tokendbpass for the internal database can be changed in the LDAP server directly using the Directory Server console or tools like ldapmodify LDAP publishing passwords are changed in the LDAP server but that change mmeans that the password must be updated in the Certificate System CA configuration The publishing password is reset in the CA console t...

Страница 316: ...er files in the var lib subsystem_name conf directory for configuring their Tomcat engine The server xml file sets the files and ports to use to access all of their end user agent and even administrative services Connector name Agent port 9443 maxHttpHeaderSize 8192 maxThreads 150 minSpareThreads 25 maxSpareThreads 75 enableLookups false disableUploadTimeout true acceptCount 100 scheme https secur...

Страница 317: ...icate System user pkiuser 2 Run service specifying the instance name and the action For example service subsystem_name start stop restart 13 1 2 Restarting a Subsystem after a Machine Restart If a computer running a subsystem is shut down unexpectedly more services than just the subsystem must be restarted in the proper order for the subsystem to be available both through the HTML services page an...

Страница 318: ...inux 5 3 has a tool called chkconfig which manages the automatic startup and shutdown settings for each process on the server This means that when a system reboots some services can be automatically restarted chkconfig also defines startup settings for different run levels of the server chkconfig is explained more in the Red Hat Enterprise Linux documentation such as the Deployment Guide 1 Certifi...

Страница 319: ...ult Certificate System chkconfig settings set a start and stop priority for all of the subsystems and their dependent services so that they start and stop in the proper order as listed in Table 13 1 Certificate System Processes and Their chkconfig Start Priority Processes with a low number for their start priority are started first so Directory Server Administration Server and Tomcat are started b...

Страница 320: ...administrators These menu of web services can be accessed by opening the URL to the subsystem host over the subsystem s secure end user s port For example for the CA https server example com 9445 ca services The main web services page for each subsystem has a list of available services pages these are summarized in Table 13 2 Default Web Services Pages To access any service specifically access the...

Страница 321: ...ttings using pkicreate or if the instance was customized or reconfigured later Port Used for SSL Used for Client Authentication 1 Web Services Certificate Manager 9180 No End Entities 9444 Yes No End Entities 9443 Yes Yes Agents 9445 Yes Configuration 9445 Yes No Services 9445 Yes No Console Registration Manager 12888 No End Entities 12889 Yes Yes Agents 12889 Yes Yes Admin 12890 Yes Configuration...

Страница 322: ...lue of No can be reconfigured to require client authentication Services which do not have either a Yes or No value cannot be configured to use client authentication Although this subsystem type does have end entities ports and interfaces these end entity services are not accessible through a web browser as other end entity services are Although the OCSP does have end entities ports and interfaces ...

Страница 323: ...heir web server instead of Tomcat have a docroot directory var lib subsystem_name docroot which contains sub directories for their different interfaces meaning admin agent and end entities for the RA and the different Enterprise Security Client web UIs and admin pages for the TPS While any of the web services pages can be customized the CA and RA end entities pages are the most likely to be edited...

Страница 324: ... 1 face PrimaSans BT Verdana sans serif color white b Red Hat sup font color cccccc size 2 font sup Certificate Manager b this is a test about stuff font td writeln tr writeln table Likewise the template files also use JavaScript to generate the pages and the HTML markup can be edited The profile HTML pages use standard HTML markup with little generated content For example this is from the Manual ...

Страница 325: ...ctory for the end entities pages is var lib pki ra docroot ee Each RA profile has its own sub directory and its own specific cgi and vm file pairs For example the user profile enrollment forms are in var lib pki ra docroot ee user Figure 13 3 RA End Entities Services Page Each web services page uses three files to construct it The header vm and footer vm files give the text and styles for the head...

Страница 326: ...ype text name email value td tr table center Example 13 2 Excerpt from the Default User Enrollment Form 13 3 3 Setting Limits on Searches through the CA End Entities Pages Large PKIs can have tens of thousands even millions of certificates keys and requests maintained in its databases When users search for their certificates or agents list requests then it is possible for thousands or millions of ...

Страница 327: ... parameters in the web xml file which set the search limits are maxResults and timeLimits These parameters are added as param value lines to a servlet entry Either one or both can be set for each entry Each servlet entry is identified in servlet name tags and the interface web services pages that the servlet is used for is identified in the param name interface param name parameter Example 13 3 we...

Страница 328: ...r using a single SSL port depending on the port parameters used with pkicreate The default ports are listed in Table 13 3 Default Port Assignments for Certificate System 8 0 Subsystem Standard End Entity SSL End Entity Client Authentication Agent SSL Admin SSL Tomcat CA 9180 9444 9446 9443 9445 9701 DRM 10180 10443 10445 10701 OCSP 11180 11443 11445 11701 RA 12888 12890 12889 12889 TKS 13180 13443...

Страница 329: ...conf in the Listen parameter Listen 0 0 0 0 7888 The two SSL ports are defined in the nss conf Because there are two SSL ports both ports are listed in the Listen parameter and then defined in two VirtualHost entries For example for the TPS Listen 0 0 0 0 7889 Listen 0 0 0 0 7890 VirtualHost _default_ 7889 VirtualHost VirtualHost _default_ 7890 VirtualHost 13 4 1 Changing a Port Number To change a...

Страница 330: ...ost _default_ 7889 5 Open the CS cfg file and edit the both the SSL and non SSL port numbers For example service securePort 7889 service unsecurePort 7888 op format tokenKey issuerinfo value http server example com 7888 6 Restart the subsystem 13 4 2 Using a Single SSL Port It is possible to use a single SSL port instead of separated ports for subsystem services CAUTION Although using a single SSL...

Страница 331: ...tificate In Certificate System this kind of session renegotiation occurs if a user connects to an end entity port that doesn t require client authentication but then attempts to submit a certificate enrollment form for an enrollment profile that requires client authentication The Certificate System server requests and then parses a client certificate for the user 1 Before making any edits to the C...

Страница 332: ..._WITH_NULL_SHA SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA SSL3_RSA_WITH_RC4_128_SHA SSL3_RSA_EXPORT_WITH_RC4_40_MD5 SSL3_RSA_WITH_3DES_EDE_CBC_SHA SSL3_RSA_WITH_DES_CBC_SHA SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA SSL_RSA_FIPS_WITH_DES_CBC_SHA SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA SSL3_RSA_WITH_NULL_MD5 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ...

Страница 333: ...omRequest servlet name url pattern eeca ca getCertFromRequest url pattern servlet mapping 7 Edit the profile selection template to use the URL for the new secure end entities client authentication services port For example assuming the default end entities client authentication SSL port of 9446 vim var lib instance_name webapps ca ee ca ProfileSelect template original uri profileSubmitSSLClient up...

Страница 334: ...se functions include the following Storing and retrieving certificate requests Storing and retrieving certificate records Storing CRLs Storing ACLs Storing privileged user and role information Storing and retrieving end users encryption private key records To fulfill these functions the Certificate System is incorporated with a Red Hat Directory Server referred to as the internal database or local...

Страница 335: ...lled such as certificates example com The Certificate System uses this name to access the directory By default the hostname of the Directory Server instance used as the internal database is shown as localhost instead of the actual hostname This is done to insulate the internal database from being visible outside the system since a server on localhost can only be accessed from the local machine Thu...

Страница 336: ...ling Server Certificates 2 in the Directory Server Administrator s Guide b Configure the Directory Server instance to run over its SSL port This is covered in section 12 4 1 Enabling TLS SSL in the Only Directory Server 3 in the Directory Server Administrator s Guide TIP When SSL is enabled the server prompts for a password to access the NSS security token for the Directory Server every time the i...

Страница 337: ... ldbm database folder and select the plug in instance for the Certificate System subsystem instance This will have a name like server example com instance name j Select Set Access Permissions from the drop down menu k In the bottom left of the Access Control Editor window click the Edit Manually button l Paste in the following ACI with the appropriate LDAP URL for the target and the appropriate us...

Страница 338: ...cate was properly installed For example certutil d var lib subsystem_name alias L Certificate Nickname Trust Attributes SSL S MIME JAR XPI s Example Domain u u u subsystemCert cert instance_name u u u Server Cert cert instance_name u u u auditSigningCert cert instance_name u u u TIP The nickname for user certificates is frequently blank or not friendly To change the nickname of the certificate re ...

Страница 339: ... an entry or icon for the Directory Server instance that the Certificate System uses as its internal database Unlike the Certificate System Console in which access is restricted to users with Certificate System administrator privileges the Directory Server Console can be accessed by any user The user can open the Directory Server Console for the internal database and change to the data stored ther...

Страница 340: ...mpt opens sqlite 2 You can now use standard sqlite commands to query the database for example To display all user information use the following command sqlite select from users To display all request information use the following command sqlite select from requests To display a list of available tables use the following command sqlite tables 13 7 Viewing Security Domain Configuration A security do...

Страница 341: ...ecurity Domain dc server example com pki ca Then there is a list of each subsystem type beneath the security domain organizational group with a special object class pkiSecurityGroup to identify the group type cn KRAList ou Security Domain dc server example com pki ca objectClass top objectClass pkiSecurityGroup cn KRAList Each subsystem instance is then stored as a member of that group with a spec...

Страница 342: ... RPM package pki selinux which is installed as a prerequisite for the other Certificate System subsystem packages Certificate System SELinux policies are already configured when the subsystems are installed and all SELinux policies are updated every time a subsystem is added with pkicreate or removed with pkiremove types that the process runs as and the domain type pki ca_t pki ca_process type pki...

Страница 343: ... SELinux Policies for Subsystems 321 2 Open the Administration menu and select the SELinux Management item 3 To check the version of the Certificate System SELinux policy installed click the Policy Module link ...

Страница 344: ...Certificate System However the Certificate System components can still be archived and restored manually and this can be necessary for deployments where information cannot be accessed if certificate or key information is lost There are three major parts of the Certificate System which need backed up routinely in case of data loss or hardware failure Internal database The Directory Server provides ...

Страница 345: ...ca 3 Restart the subsystem instance service instance_ID start NOTE Stop the subsystem instance before backing up the instance or the security databases The Directory Server database can be restored using Directory Server specific tools see the Directory Server documentation for more information on restoring the LDAP database The Certificate System backup files both the alias database backups and t...

Страница 346: ...e subsystem will run If any critical self tests fail the server will stop 5 The On Demand Self Tests Results window appears showing the logged events for this run of the self tests 13 10 1 Self Test Logging A new log selftest log is added to the log directory that contains reports for both the start up self tests and the on demand self tests This log is configured by changing the setting for the l...

Страница 347: ...the file The default interval is 5 seconds The flushInterval is the amount of time before the contents of the buffer are flushed out and added to the log file level The default selection is 1 this log is not set up for any level beside 1 maxFileSize Specify the file size in kilobytes KB for the error log The default size is 100 KB The maxFileSize determines how large a log file can become before i...

Страница 348: ... Basic Subsystem Management 326 To disable a self test remove it as the value of either the selftests container order onDemand or selftests container order startup parameters 5 Save the file 6 Start the subsystem ...

Страница 349: ...wly created groups Authorization goes through the following process 1 The users authenticate to the interface using either the Certificate System user ID and password or a certificate 2 The server authenticates the user either by matching the user ID and password with the one stored in the database or by checking the certificate against one stored in the database With certificate based authenticat...

Страница 350: ...d trust policies Manage the access controls on the domain services By default the CA administrator of the CA hosting the domain is assigned as the security domai Enterprise CA Administrators Automatically approve any sub CA server and subsystem certificate from any CA in the dom Register and unregister CA subsystem information in the security domain Enterprise DRM Administrators Automatically appr...

Страница 351: ...en assigned end entity certificate and key management privileges Agents can access the agent services interface For a complete list of agent tasks see the Certificate System Agent s Guide Agents are created by assigning a user to the appropriate subsystem agent group and identifying certificates that the agents must use for SSL client authentication to the subsystem for it to service requests from...

Страница 352: ...l users and trust relationships within the domain Each subsystem administrator authenticates to the other subsystems using SSL client authentication with the subsystem certificate issued during configuration by the security domain CA 14 3 Managing Users and Groups for a CA OCSP DRM or TKS Many of the operations that users can perform are dictated by the groups that they belong to for instance agen...

Страница 353: ...d Groups from the navigation tree on the left 3 Click the Groups tab 4 Select the group from the list of names and click Edit 5 Make the appropriate changes To change the group description type a new description in the Group description field To remove a user from the group select the user and click Delete To add users click Add User Select the users to add from the dialog box and click OK 14 3 2 ...

Страница 354: ...he user most basically this field can show whether this is an active user It is necessary to select the group to which the user will belong The user s group membership determines what privileges the user has Assign agents and administrators to the appropriate subsystem group 4 Store the user s certificate a Request a user certificate through the CA or RA end entities service pages b If auto enroll...

Страница 355: ...newed directly in the end user enrollment forms using the serial number of the original certificate 1 Renew the admin user certificates in the CA s end users forms as described in Section 4 7 3 1 2 Certificate Based Renewal This must be the same CA as first issued the certificate or a clone of it Agent certificates can be renewed by using the certificate based renewal form in the end entities page...

Страница 356: ...ust relationships is not necessary except in rare situations when an administrator may want to adjust different values If for some reason it is necessary for one subsystem to trust another subsystem in a different security domain then it is possible to configure a trusted manager essentially a user entry for the subsystem which it can use to connect to another subsystem 1 Log into the administrati...

Страница 357: ...ATE and END CERTIFICATE marker lines d To view the certificate select it and click View Next configure the connector settings of the Certificate Manager This enables the Certificate Manager to utilize the agent port to communicate with the subsystem 1 Log into the administrative console for the Certificate Manager 2 In the navigation tree select Certificate Manager 3 Select the Connectors tab 4 Se...

Страница 358: ...ally An initial user admin is created with both agent and administrator roles and two groups are created to identify agent and administrator users Additional users and additional groups can be added to manage the RA subsystem and PKI operations The RA subsystem does not use a Java console as the other subsystems do so users and groups are created and managed through the administrator s web service...

Страница 359: ...for example must belong to a configured RA agent group to perform agent tasks 14 4 1 1 Listing Groups for an RA 1 Open the RA services page https server example com 12889 services 2 Click the Administrator Services link 3 Click the List Groups link 4 There are two default groups for agents and for administrators To view the details about any group click the GID of the group 14 4 1 2 Creating a New...

Страница 360: ...ice pki ra stop Always stop a subsystem before editing the subsystem configuration files b Open the CS cfg file vim var lib pki ra conf CS conf c Add the new group s GID to the administrator or agent group list admin authorized_groups administrators example agent authorized_groups administrators agents example d Start the RA instance service pki ra start 14 4 1 3 Adding and Removing Users in an RA...

Страница 361: ...s link 4 Click the name of the group for which to change the group membership 5 In the group page each current member of the group is listed with a Delete link next to the name Existing members who are not members of the group are listed in a drop down menu To add a member select them from the name from the menu and click Add ...

Страница 362: ...ks relate to managing the server instance mainly managing users and groups For an RA user to be able to perform their tasks the user entry must be created and then added to the appropriate group A default user is created when the RA is first configured and this admin user belongs to both the agent and administrator groups 14 4 2 1 Listing and Viewing Users for an RA 1 Open the RA services page htt...

Страница 363: ...Managing RA Users 341 5 The user details page shows the person s UID full name email address and user SSL certificate ...

Страница 364: ... 1 Generate a new certificate for the user All access to the RA web services pages is done through certificate based authentication so all RA agents and administrators must have a certificate This is covered in Section 14 4 2 3 Generating Agent Certificates for RA Agents 2 Open the RA services page ...

Страница 365: ...perform any RA agent or administrator functions Adding members to groups is covered in Section 14 4 1 3 Adding and Removing Users in an RA Group 14 4 2 3 Generating Agent Certificates for RA Agents RA agents must have a client certificate that allows them to authenticate to the RA subsystem meaning accessing the RA agent and administrator services pages Any SSL client certificate can be used as lo...

Страница 366: ...r 14 Managing Certificate System Users and Groups 344 c Click PIN Creation Request d Enter an appropriate UID and email address 2 An existing agent must approve the PIN request a Open the agent services page ...

Страница 367: ...the Request ID to display the details of the request d Click Approve to approve the request This generates the PIN the user will use to retrieve the certificate 3 The last step is for the user to use the generated PIN to retrieve his certificate a Open the SSL End Users Services page b Click Request Status Check ...

Страница 368: ...he ID of the PIN request d Click the value in the Import Certificate field to display the one time PIN e Click Agent Enrollment again and then click the Certificate Enrollment link f Enter the user ID and the PIN g When the certificate is successfully generated base 64 encoded blob is displayed ...

Страница 369: ...e This form recognizes and updates the certificate stored in the browser s certificate store directly TIP It is also possible to renew the certificate using certutil as described in Section 4 7 3 2 Renewing Certificates Using certutil Rather than using the certificate stored in a browser to initiate renewal certutil uses an input file with the original key 2 Export the renewed certificate from the...

Страница 370: ...te to use to authenticate the new certificate should be available 14 4 2 5 Deleting Users for an RA 1 Open the RA services page https server example com 12889 services 2 Click the Administrator Services link 3 Click the List Users link 4 All of the configured users for the RA are shown To view a user click the UID for that user 5 At the bottom of the page click the Delete link ...

Страница 371: ... the TPS subsystem users are authenticated against an LDAP directory database that contains their certificate because accessing the TPS s web services requires certificate based authentication and the authentication process checks the TPS group entries ou TUS Agents ou TUS Administrators and ou TUS Operators to see to which roles the user belongs using Apache s mod_tokendb module Users for the TPS...

Страница 372: ...er 4 Requesting Enrolling and Managing Certificates IMPORTANT A TPS administrator must have a signing certificate The recommended profile to use is Manual User Signing and Encryption Certificates Enrollment 2 Click the Add New User link in the Administrator Operations tab 3 Fill in the user s name and ID and paste in the certificate without the BEGIN CERTIFICATE and END CERTIFICATE lines ...

Страница 373: ...les which are assigned to them NOTE A user can only see entries relating to the profile configured for it including both token operations and tokens themselves For an administrator to be able to search and manage all tokens configured in the TPS the administrator user entry should be set to All profiles Setting specific profiles for users is a simple way to control access for operators and agents ...

Страница 374: ...ile manually NOTE If the All Profiles option is added to the user then any other configured profiles are dropped because they are already included in the All Profiles option 3 Click the Add Profile button to add the profile to the user entry The new profile is listed as part of the user entry attributes Up to fifteen profiles are listed on the profile if there are more than fifteen then the profil...

Страница 375: ...as described in Section 4 7 3 1 2 Certificate Based Renewal This must be the same CA as first issued the certificate or a clone of it Agent certificates can be renewed by using the certificate based renewal form in the end entities page Self renew user SSL client certificate This form recognizes and updates the certificate stored in the browser s certificate store directly TIP It is also possible ...

Страница 376: ...ich the user is a member for the users themselves or for the IP address of the user New groups are assigned access control by adding that group to the access control lists For example a new group for administrators who are only authorized to view logs LogAdmins can be added to the ACLs relevant to logs to allow read or modify access to this group If this group is not added to any other ACLs member...

Страница 377: ...n fired It may be necessary to deny access specifically to JohnB if the user cannot be deleted immediately Another situation is that a user BrianC is an administrator but he should not have the ability to change some resource Since the Administrators group must access this resource BrianC can be specifically denied access by creating an ACI that denies this user access The allowed rights are the o...

Страница 378: ...IPv6 address An IPv4 address has the format n n n n or n n n n m m m m with the netmask An IPv6 address uses a 128 bit namespace with the IPv6 address separated by colons and the netmask separated by periods For example ipaddress 0 0 0 0 0 0 13 1 68 3 It is also possible to use regular expressions to specify the IP address such as using wildcard characters like an asterisk For example ipaddress 12...

Страница 379: ...from the list and click Edit The ACL opens in the Access Control Editor window 4 To add an ACI click Add and supply the ACI information To edit an ACI select the ACI from the list in the ACI entries text area of the ACL Editor window Click Edit ...

Страница 380: ...resses specified For more information about allowing or denying access see Section 14 6 1 About Access Control b Set the rights for the access control The options are read and modify To set both use the Ctrl or Shift buttons c Specify the user group or IP address that will be granted or denied access in the Syntax field See Section 14 6 1 About Access Control for details on syntax ...

Страница 381: ...elated to operations within that specific subsystem instance For each subsystem different logs are kept for issues such as installation access and web servers The way that logs are configured can affect Certificate System performance For example log file rotation keeps logs from becoming too large which slows down subsystem performance This section explains the different kinds of logs recorded by ...

Страница 382: ...els and Log Entries NOTE Four of the Certificate System subsystems CA DRM TKS and OCSP have seven log levels 0 to 6 The RA and TPS subsystems have eleven log levels 0 to 10 Log levels are represented by numbers 0 to 6 0 to 10 for TPS and RA each number indicating the level of logging to be performed by the server The level sets how detailed the logging should be A higher priority level means less ...

Страница 383: ...ilter log entries based on the severity of an event By default log level 3 Failure is set for all services The log level is successive specifying a value of 3 causes levels 4 5 and 6 to be logged Log data can be extensive especially at lower more verbose logging levels Make sure that the host machine has sufficient disk space for all the log files It is also important to define the logging level l...

Страница 384: ...nd time have the forms YYYYMMDD year month day and HHMMSS hour minute second Log files especially the audit log file contain critical information These files should be periodically archived to some backup medium by copying the entire logs directory to an archive medium NOTE The Certificate System does not provide any tool or utility for archiving log files The Certificate System provides a command...

Страница 385: ...6 18 CDT 1 1 archival reqID 4 fromAgent agentID CA server example com 9444 authenticated by noAuthManager is completed DN requested UID recoverykey E recoverykey email com CN recover key serial number 0x3 Example 15 2 DRM Transactions Log This log is on by default 15 2 3 Debug Logs Debug logs are maintained for all six subsystems with varying degrees and types of information Debug logs for each su...

Страница 386: ...PuSPOaQmtKBpAEVaQoUwnEytOqDkCkhlZ1nt02w1 06 Jun 2009 14 59 38 http 9443 Processor24 ProfileSubmitServlet key request profile value true 06 Jun 2009 14 59 38 http 9443 Processor24 ProfileSubmitServlet key request cert_request_type value crmf 06 Jun 2009 14 59 38 http 9443 Processor24 ProfileSubmitServlet key request requestversion value 1 0 0 06 Jun 2009 14 59 38 http 9443 Processor24 ProfileSubmit...

Страница 387: ...EoGCCsGAQUFBwEBBD4wPDA6BggrBgEFBQcwAYYuaHR0cDovL3Rlc3Q0LnJl M ZGJ1ZGNvbXB1dGVyLmxvY2FsOjkwODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBeAw M HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMCQGA1UdEQQdMBuBGSRyZXF1 M ZXN0LnJlcXVlc3Rvcl9lbWFpbCQ Example 15 3 CA Certificate Request Log Messages Likewise the OCSP shows OCSP request information 07 Jul 2009 06 25 40 http 11180 Processor25 OCSPServlet OCSP Request 07 Jul 20...

Страница 388: ...ar lib pki ra 2009 05 19 09 30 31 debug Processing PKI security modules for var lib pki ra 2009 05 19 09 30 31 debug Attempting to add hardware security modules to system if applicable 2009 05 19 09 30 31 debug module name lunasa lib usr lunasa lib libCryptoki2 so DOES NOT EXIST 2009 05 19 09 30 31 debug module name nfast lib opt nfast toolkits pkcs11 libcknfast so DOES NOT EXIST 2009 05 19 09 30 ...

Страница 389: ... changing settings in the CS cfg file The information about logs in this section does not pertain to this log See Section 13 10 Self Tests for more information about self tests 15 3 Configuring Logs Using the UI Every subsystem but the RA provides an administrative Interface that allows users to configure logging For the CA OCSP DRM and TKS all logs can be configured using the pkiconsole For the T...

Страница 390: ...nd added to the log file Th maxFileSize The size kilobytes KB a log file can become before it is rotated Once it reaches this size the log file is started new For more information on log file rotation see Section 15 1 4 Log File Ro rolloverInterval The frequency which the server rotates the active log file The available choices are hourly daily default selection is monthly For more information see...

Страница 391: ... Operations tab of the HTML services page The events that can be selected to be recorded in the audit log are listed in Table 15 11 Events Recorded to the TPS Audit Log Figure 15 1 Configuring TPS Audit Logging in the Console The TPS HTML services page is https server example com 7889 tus NOTE Although audit logs for the TPS are configured in the HTML services page they are not viewable through th...

Страница 392: ...nually entered in the field there is no setting is a numeric value as listed in Section 15 1 2 Log Levels Message Categories fileName The full path including the filename to the log file The subsystem user should have read w bufferSize The buffer size in kilobytes KB for the log Once the buffer reaches this size the contents o copied to the log file The default size is 512 KB For more information ...

Страница 393: ... An audit log ra audit log These logs are stored in the var log subsystem_name directory by default Other types of logs such as transaction logs and system logs are not generated by the RA instance 15 4 2 1 About RA Log Settings For each log generated by an RA instance there are three parameters which must be configured in the CS cfg file enable which sets whether the log is generated filename whi...

Страница 394: ...cific log type The valid values are true false logging log_type filename The full path to the log file including its name For example tmp tps debug log logging log_type level The log levels The levels range from 0 to 10 0 No logging 4 LL_PER_SERVER Messages that happen only during startup or shutdown 6 LL_PER_CONNECTION Messages that happen per connection 8 LL_PER_PDU Messages that happen for ever...

Страница 395: ...stems CA OCSP DRM and TKS but the TPS does not use a Java console The TPS maintains three subsystem logs A debug log tps debug log An error log tps error log An audit log tps audit log These logs are stored in the var log subsystem_name directory by default Other types of logs such as transaction logs and system logs are not generated by the TPS instance 15 4 3 1 About TPS Log Parameters For each ...

Страница 396: ... to TPS logging Log rotation Registering and deleting log modules Buffered logging Log level 0 is least verbose 10 is most verbose For example 2009 04 29 13 47 08 b65b9828 Upgradeop applet_upgrade app_ver 1 2 416DA155 new_app_ver 1 3 42659461 2009 04 29 13 47 08 b65b9828 Formatstatus success app_ver 1 3 42659461 key_ver 0 cuid 40900062FF02000065C5 msn FFFFFFFF uid time 45389 msec 2009 04 29 15 56 ...

Страница 397: ...ents that can be record list is displayed in the admin services configuration page logging audit selected events For TPS audit logs only Shows events that are actually selected in the admin services c log regular or signed This parameter s value can be edited directly in the CS cfg file t log Table 15 8 TPS Logging Parameters 15 4 3 2 Configuring TPS Logs 1 Stop the TPS instance service pki tps st...

Страница 398: ...vity Signed audit logs are configured by default when the instance is first created but it is possible to edit the configuration or change the signing certificates after configuration TIP Provide enough space in the filesystem for the signed audit logs since they can be large NOTE The audit logs for an RA subsystem cannot be signed TPS audit log signing is described in Section 15 5 2 Configuring T...

Страница 399: ... tab select the SignedAudit entry 4 Click Edit View 5 There are three fields which must be reset in the Log Event Listener Editor window Fill in the signedAuditCertNickname This is the nickname of the certificate used to sign audit logs An audit signing certificate is created when the subsystem is configured it has a nickname like auditSigningCert cert pki ca ...

Страница 400: ... the auditor group Members of the auditor group are the only users who can view and verify the signed audit log See Section 14 3 2 1 Creating Users for details about setting up auditors Auditors can verify logs by using the AuditVerify tool See the Certificate System Command Line Tools Guide for details about using this tool Event Log Messages AUDIT_LOG_STARTUP The start of the subsystem and thus ...

Страница 401: ...T_PROCESSED Shows when a certificate request is being processed CERT_STATUS_CHANGE_REQUEST Shows when the request is made to change the status of a certificate CERT_STATUS_CHANGE_REQUEST_PROCESSED Shows when a certificate status change is processed AUTHZ_SUCCESS Shows when a user is successfully processed by the authorization servlets AUTHZ_FAIL Shows when a user is not successfully processed by t...

Страница 402: ...radio button to Enable The TPS HTML services page is https server example com 7889 tus 1 Stop the TPS instance service pki tps stop 2 Edit the audit logging configuration The log file parameters are listed in Table 15 10 TPS Signed Audit Log Parameters and the auditable events are listed in Table 15 11 Events Recorded to the TPS Audit Log logging audit enable true logging audit filename var log pk...

Страница 403: ...orded in the audit log All loggable events both required and optional are listed in Table 15 11 Events Recorded to the TPS Audit Log Event Description AUDIT_LOG_STARTUP The start of the subsystem and thus the start of the audit function AUDIT_LOG_SHUTDOWN The shutdown of the subsystem and thus the shutdown of the audit function LOGGING_SIGNED_AUDIT_SIGNING Shows changes in whether the audit log is...

Страница 404: ...anually signs archived logs See Section 15 5 1 Configuring a Signed Audit Log for a CA OCSP DRM or TKS for details about signed audit logs For signing log files use a command line utility called the Signing Tool signtool For details about this utility see http www mozilla org projects security pki nss tools The utility uses information in the certificate key and security module databases of the su...

Страница 405: ... view Choose Current to view the currently active system log file 5 Click Refresh The table displays the system log entries The entries are in reverse chronological order with the most current entry placed at the top Use the scroll arrows on the right edge of the panel to scroll through the log entries Each entry has the following information shown Source The component or resource that logged the ...

Страница 406: ...8 Referenced data not found 6a80 Incorrect values in command data Load Errors 6581 Memory failure 6a84 Not enough memory space 6a86 Incorrect P1 P2 6985 Conditions of use not satisfied Table 15 12 Smart Card Error Codes 15 8 Managing Log Modules The types of logs that are allowed and their behaviors are configured through log module plug ins New logging modules can be created and used to make cust...

Страница 407: ...his class is part of a package include the package name For example registering a class named customLog in a package named com customplugins the class name would be com customplugins customLog 5 Click OK 15 8 2 Deleting a Log Module Unwanted log plug in modules can be deleted through the Console Before deleting a module delete all the listeners based on this module see Section 15 1 4 Log File Rota...

Страница 408: ...386 ...

Страница 409: ...A must be up and available for the other subsystems in a security domain to communicate If the security domain CA goes down for any reason then the communications between servers and authentication using administrator or agent certificates fails Because of the dependency on the security domain it is recommended that subordinate CAs are created within their own security domain rather than relying o...

Страница 410: ...hy which may or may not be a root CA The root CA s signing certificate must be imported into individual clients and servers before the Certificate Manager can be used to issue certificates to them NOTE The CA name cannot be changed or all previously issued certificates are invalidated Similarly reissuing a CA signing certificate with a new key pair invalidates all certificates that were signed by ...

Страница 411: ...ir and Certificate The CA keeps a secure audit log of all events which occurred on the server To guarantee that the audit log has not been tampered with the log file is signed by a special log signing certificate The audit log signing certificate is issued when the server is first configured 16 1 2 RA Certificates An RA only uses two certificates an SSL server certificate and a subsystem certifica...

Страница 412: ...hen the Online Certificate Status Manager was configured The default nickname for the certificate is Server Cert cert instance_ID where instance_ID identifies the Online Certificate Status Manager instance name The Online Certificate Status Manager uses its server certificate for server side authentication for the Online Certificate Status Manager agent services page The Online Certificate Status ...

Страница 413: ...cally trusted by the OCSP Manager when it is configured Every CA in the certificate chain of the CA configured in the CA panel is however trusted automatically by the OCSP Manager Other CAs within the security domain but not in the certificate chain must be added manually 16 1 4 Data Recovery Manager Certificates The DRM uses the following key pairs and certificates Section 16 1 4 1 Transport Key ...

Страница 414: ...ificates can be requested and installed for the DRM 16 1 4 4 Subsystem Certificate Every member of the security domain is issued a server certificate to use for communications among other domain members The Data Recovery Manager is issued the subsystem certificate when the instance is first configured as with its SSL certificate The default nickname for the certificate is subsystemCert cert instan...

Страница 415: ...ficate is generated when the TPS is configured The default nickname for the certificate is Server Cert cert instance_id 16 1 6 2 Subsystem Certificate Every member of the security domain is issued a server certificate to use for communications among other domain members The TPS is issued the subsystem certificate when the instance is first configured as with its SSL certificate The default nicknam...

Страница 416: ...icate enrollment process for subsystem certificates The Console can create submit and install certificate requests and certificates for any of the certificates used by that subsystem These certificates can be a server certificate or subsystem specific certificate such as a CA signing certificate or DRM transport certificate NOTE It is important that the agent or user generate and submit the client...

Страница 417: ...he certificate type to request The types of certificates that can be requested varies depending on the subsystem NOTE If selecting to create an other certificate the Certificate Type field becomes active Fill in the type of certificate to create either caCrlSigning for the CRL signing certificate or client for an SSL client certificate ...

Страница 418: ...er after selecting the type of certificate select which type of CA will sign the request For a CA signing certificate the options are to use a root CA or a subordinate CA For all other certificates the options are to use the local CA signing certificate or to create a request to submit to another CA ...

Страница 419: ...le 397 8 Set the key pair information and set the location to generate the keys the token which can be either the internal security database directory or one of the listed external tokens 9 Select the message digest algorithm the choices are MC2 MD5 SHA1 SHA256 and SHA512 ...

Страница 420: ...omain domain NOTE The CA certificate request forms support all UTF 8 characters for the common name organizational unit and requester name fields This support does not include supporting internationalized domain names 11 Only when requesting a certificate through the Certificate Manager Console and submitting the request to the Certificate Manager automatically Specify the start and end dates of t...

Страница 421: ... certificate through the Certificate Manager Console submitting the request to the Certificate Manager automatically Set the standard extensions for the certificate The required extensions are chosen by default To change the default choices read the guidelines explained in Appendix B Defaults Constraints and Extensions for Certificates and CRLs ...

Страница 422: ...entifying them as either a subordinate SSL CA which allows them to issue certificates for SSL or a subordinate email CA which allows them to issue certificates for secure email Disabling certificate extensions means that CA hierarchies cannot be set up Basic Constraints The associated fields are CA setting and a numeric setting for the certification path length Extended Key Usage Authority Key Ide...

Страница 423: ...nded by the PKIX standard and RFC 2459 See RFC 2459 1 for a description of the Key Usage extension Base 64 SEQUENCE of extensions This is for custom extensions Paste the extension in MIME 64 DER encoded format into the text field To add multiple extensions use the ExtJoiner program For information on using the tools see the Certificate System Command Line Tools Guide 13 The wizard generates the ke...

Страница 424: ...arker lines BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST For example BEGIN NEW CERTIFICATE REQUEST MIICJzCCAZCgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBC6SAwHgYDVQQKExdOZXRzY2FwZSBDb21tdW5pY2 F0aW9uczngjhnMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyNzE5MDAwMFoXDTk5MDIyMzE5MDA wMnbjdgngYoxIDAeBgNVBAoTF05ldHNjYXBlIENvbW11bmljYXRpb25zMQ8wDQYDVQQLEwZQZW9wbGUxFz ...

Страница 425: ...certificate othercsr txt Other certificates such as Certificate Manager CRL signing certificate or SSL client Table 16 1 Files Created for Certificate Signing Requests Do not modify the certificate request before sending it to the CA The request can either be submitted automatically through the wizard or copied to the clipboard and manually submitted to the CA through its end entities page NOTE Th...

Страница 426: ...Chapter 16 Managing Subsystem Certificates 404 e The new certificate information is shown in pretty print format in base 64 encoded format and in PKCS 7 format ...

Страница 427: ...Copy the base 64 encoded certificate including the BEGIN CERTIFICATE and END CERTIFICATE marker lines to a text file Save the text file and use it to store a copy of the certificate in a subsystem s internal database See Section 14 3 2 1 Creating Users 16 3 Renewing Subsystem Certificates There are two methods of renewing a certificate Regenerating the certificate takes its original key and its or...

Страница 428: ...utside a network for external clients to use is a serious not easily resolved issue for any PKI administrator The US government devised a standard for issuing cross pair certificates called the Federal Bridge Certificate Authority These certificates are also called bridge certificates for obvious reasons Bridge or cross pair certificates are CA signing certificate that are framed as dual certifica...

Страница 429: ...n if an external token is used to generate and store key pairs Certificate System always maintains its list of trusted and untrusted CA certificates in its internal token This section explains how to view the contents of the certificate database delete unwanted certificates and change the trust settings of CA certificates installed in the database using the Certificate System window For informatio...

Страница 430: ...ertificate database the wizard replaces the existing certificates with the ones in the chain If the chain includes intermediate CA certificates the wizard adds them to the certificate database as untrusted CA certificates The subsystem console uses the same wizard to install certificates and certificate chains To install certificates in the local security database do the following 1 Open the conso...

Страница 431: ... the correct certificate or use the Back button to go back and submit a different one Give a nickname for the certificate The wizard installs the certificate 6 Any CA that signed the certificate must be trusted by the subsystem Make sure that this CA s certificate exists in the subsystem s certificate database internal or external and that it is trusted If the CA certificate is not listed add the ...

Страница 432: ...ent type used on the object being downloaded For Red Hat servers it depends upon the options selected in the server administration interface Subsequent certificates are all treated the same If the certificates contain the SSL CA bit in the Netscape Certificate Type certificate extension and do not already exist in the local certificate database they are added as untrusted CAs They can be used for ...

Страница 433: ...6 3 Certificate Database Tab 4 The Certificate Database Management table lists the all of the certificates installed on the subsystem The following information is supplied for each certificate Certificate Name Serial Number Issuer Names the common name cn of the issuer of this certificate Token Name the name of the cryptographic token holding the certificate for certificate stored in the database ...

Страница 434: ...se be careful not to delete the intermediate CA certificates which help a subsystem chain up to the trusted CA certificate If in doubt leave the certificates in the database as untrusted CA certificates see Section 16 6 Changing the Trust Settings of a CA Certificate Section 16 5 3 1 Deleting Certificates through the Console Section 16 5 3 2 Deleting Certificates Using certutil 16 5 3 1 Deleting C...

Страница 435: ...ms use the CA certificates in their certificate databases to validate certificates received during an SSL enabled communication It can be necessary to change the trust settings on a CA stored in the certificate database temporarily or permanently For example if there is a problem with access or compromised certificates marking the CA certificate as untrusted prevents entities with certificates sig...

Страница 436: ...Change the trust settings for the certificate by running the certutil with the M option certutil M n cert_nickname t trust d For example certutil M n Certificate Authority Example Domain t TCu TCu TCu d 4 List the certificates again to confirm that the certificate trust was changed certutil L d Certificate Authority Example Domain CTu CTu CTu subsystemCert cert subsystem u u u Server Cert cert exa...

Страница 437: ...bdir nocertdb list 16 7 3 Changing a Token s Password The token internal or external that stores the key pairs and certificates for the subsystems is protected encrypted by a password To decrypt the key pairs or to gain access to them enter the token password This password is set when the token is first accessed usually during Certificate System installation It is good security practice to change ...

Страница 438: ...416 ...

Страница 439: ...Part IV References ...

Страница 440: ......

Страница 441: ...eld to paste the request This input puts the following fields in the enrollment form Certificate Request Type This drop down menu lets the user specify the certificate request type The choices are PKCS 10 or CRMF Certificate Management Messages over Cryptographic Message Syntax CMC enrollment is supported with both PKCS 10 and CRMF Certificate Request This is the text area in which to paste the re...

Страница 442: ...nts This input puts the following fields into the enrollment form Key Generation Request Type This field is a read only field displaying crmf as the request type Key Generation Request This input adds a drop down menu to select the key size to use in the key generation request A 1 7 nsHKeyCertRequest Token Key Input The Token Key input is used to enroll keys for hardware tokens for agents to use l...

Страница 443: ... in the certificate This input puts the following fields into the enrollment form UID the LDAP directory user ID Email Common Name the name of the user Organizational Unit the organizational unit ou to which the user belongs Organization the organization name Country the country where the user is located A 1 12 Submitter Information Input The Submitter Information input collects the certificate re...

Страница 444: ...7 Output This output returns the certificate and the certificate chain in PKCS 7 format PKCS 7 format is the Cryptographic Message Syntax Standard which is used for signing This output cannot be configured or changed A 2 3 CMMF Output This output returns the certificate in Certificate Management Messages Formats CMMF CMMF govern communication between different parts of a PKI and is used for reques...

Страница 445: ...icate This section lists and defines the predefined defaults B 1 1 Authority Info Access Extension Default This default attaches the Authority Info Access extension This extension specifies how an application validating a certificate can access information such as online validation services and CA policy data about the CA that has issued the certificate This extension should not be used to point d...

Страница 446: ...ess OID RFC822Name URIName Location_n Specifies the address or location to get additional information about the CA that has issued the certificate For directoryName the value must be a string form of X 500 name similar to the subject name in a certificate For example cn SubCA ou Research Dept o Example Corporation c US For dNSName the value must be a valid fully qualified domain name For example t...

Страница 447: ... This default attaches the Authority Key Identifier extension to the certificate The extension identifies the public key that corresponds to the private key used by a CA to sign certificates This default has no parameters If used this extension is included in the certificate with the public key information This default takes the following constraint No Constraints see Section B 2 6 No Constraint F...

Страница 448: ...ificate 0 specifies that no subordinate CA certificates are allowed below the subordinate CA certificate only an end entity certificate may follow in the path n must be an integer greater than zero It specifies the maximum number of subordinate CA certificates allowed below the subordinate CA certificate If the field is blank the path length defaults to a value that is determined by the path lengt...

Страница 449: ...URIName or RelativeToIssuer The type must correspond to the value in the Name field Name_n Specifies the name of the CRL distribution point the name can be in any of the following formats An X 500 directory name in the RFC 2253 syntax The name looks similar to the subject name in a certificate like cn CA Central ou Research Dept o Example Corporation c US A URIName such as http testCA example com ...

Страница 450: ...ate For example cn SubCA ou Research Dept o Example Corporation c US For DNSName the value must be a valid fully qualified domain name For example testCA example com For EDIPartyName the value must be an IA5String For example Example Corporation For URIName the value must be a non relative URI following the URL syntax and encoding rules The name must include both a scheme such as http and a fully ...

Страница 451: ...D1 userID2 OtherName must have the format type oid string For example IA5String 1 2 3 4 MyExample The value for this parameter must correspond to the value in the issuerName field Table B 3 CRL Distribution Points Extension Configuration Parameters B 1 5 Extended Key Usage Extension Default This default attaches the Extended Key Usage extension to the certificate For general information about this...

Страница 452: ...tension Constraint Extension Constraint see Section B 2 3 Extension Constraint No Constraints see Section B 2 6 No Constraint Parameter Description Critical Select true to mark this extension critical select false to mark the extension noncritical OIDs Specifies the OID that identifies a key usage purpose The permissible values are a unique valid OID specified in the dot separated numeric componen...

Страница 453: ...me must be a URI an absolute pathname that specifies the host For example http testCA example com get crls here PointIssuerName_n Specifies the name of the issuer that has signed the CRL The name can be in any of the following formats For RFC822Name the value must be a valid Internet mail address For example testCA example com For DirectoryName the value must be a string form of X 500 name similar...

Страница 454: ...pecified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 OtherName is used for names with any other format this supports PrintableString IA5String UTF8String BMPString Any and KerberosName PrintableString IA5String UTF8String BMPString and Any set a string to a base 64 encoded file specifying the subtree such as var lib pki ca othername txt KerberosName has the format Rea...

Страница 455: ... to show with which location the parameter is associated Parameter Description Critical Select true to mark this extension critical select false to mark the extension noncritical issuerAltExtType This sets the type of name extension to be used which can be one of the following RFC822Name DirectoryName DNSName EDIPartyName URIName IPAddress OIDName issuerAltExtPattern Specifies the request attribut...

Страница 456: ...n B 2 6 No Constraint Parameter Description critical Select true to mark this extension critical select false to mark the extension noncritical digitalSignature Specifies whether to allow signing SSL client certificates and S MIME signing certificates Select true to set nonRepudiation Specifies whether to use for S MIME signing certificates Select true to set WARNING Using this bit is controversia...

Страница 457: ...ndicate a name space within which the subject names or subject alternative names in subsequent certificates in a certificate chain should be located For general information about this extension see Section B 3 9 nameConstraints The following constraints can be defined with this default Extension Constraint see Section B 2 3 Extension Constraint No Constraints see Section B 2 6 No Constraint This d...

Страница 458: ...llows RFC822Name DirectoryName DNSName EDIPartyName URIName IPAddress OIDName OtherName PermittedSubtreeNameValue_n Specifies the general name value for the permitted subtree to include in the extension For RFC822Name the value must be a valid Internet mail address For example testCA example com For DirectoryName the value must be a string form of X 500 name similar to the subject name in a certif...

Страница 459: ...IDName the value must be a unique valid OID specified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 OtherName is used for names with any other format this supports PrintableString IA5String UTF8String BMPString Any and KerberosName PrintableString IA5String UTF8String BMPString and Any set a string to a base 64 encoded file specifying the subtree such as var lib pki ca ...

Страница 460: ...al name type for the excluded subtree to include in the extension The permissible values are as follows RFC822Name DirectoryName DNSName EDIPartyName URIName IPAddress OIDName OtherName ExcludedSubtreeNameValue_n Specifies the general name value for the permitted subtree to include in the extension For RFC822Name the value must be a valid Internet mail address For example testCA example com For Di...

Страница 461: ...1 43 0 0 0 0 0 0 13 1 68 3 FFFF FFFF FFFF FFFF FFFF FFFF 255 255 and FF01 43 FFFF FFFF FFFF FFFF FFFF FFFF FF00 0000 For OIDName the value must be a unique valid OID specified in dot separated numeric component notation For example 1 2 3 4 55 6 5 99 For OtherName the values are names with any other format This supports PrintableString IA5String UTF8String BMPString Any and KerberosName PrintableSt...

Страница 462: ...n see Section B 4 3 2 netscape comment The following constraints can be defined with this default Extension Constraint see Section B 2 3 Extension Constraint No Constraints see Section B 2 6 No Constraint Parameter Description critical Select true to mark this extension critical select false to mark the extension noncritical CommentContent Specifies the content of the comment to appear in the cert...

Страница 463: ...two specified fields must be present For general information about this extension see Section B 3 11 policyConstraints The following constraints can be defined with this default Extension Constraint see Section B 2 3 Extension Constraint No Constraints see Section B 2 6 No Constraint Parameter Description critical Select true to mark this extension critical select false to mark the extension noncr...

Страница 464: ...of OIDs each pair identifying two policy statements of two CAs The pairing indicates that the corresponding policies of one CA are equivalent to policies of another CA The extension may be useful in the context of cross certification If supported the extension is included in CA certificates only The default maps policy statements of one CA to that of another by pairing the OIDs assigned to their p...

Страница 465: ...ue by specifying one of the values contained in the signingAlgsAllowed parameter signingAlgsAllowed Specify the signing algorithms that can be used for signing this certificate The algorithms can be any or all of the following MD2withRSA MD5withRSA SHA1withRSA SHA256withRSA SHA512withRSA SHA1withEC if ECC is enabled Table B 14 Signing Algorithm Default Configuration Parameters B 1 17 Subject Alter...

Страница 466: ...ertSet 9 default params subjAltExtType_3 OtherName policyset serverCertSet 9 default params subjAltExtPattern_3 IA5String 1 2 3 4 server source policyset serverCertSet 9 default params subjAltExtSource_3 UUID4 policyset serverCertSet 9 default params subjAltExtGNEnable_3 true policyset serverCertSet 9 default params subjAltExtType_4 RFC822Name policyset serverCertSet 9 default params subjAltExtGNE...

Страница 467: ...nique ID CUID of the smart card token used for requesting the enrollment request upn The Microsoft UPN This has the format UTF8String 1 3 6 1 4 1 311 20 2 3 request up server source Instructs the server to generate a version 4 UUID random number component in the su IA5String 1 2 3 4 server source Table B 15 Variables to Insert Values in the Subject Alternative Name Multiple attributes can be set f...

Страница 468: ...n Select URIName if the request attribute value is a non relative URI that includes both a scheme such as http and a fully qualified domain name or IP address of the host For example http hr example com Certificate System supports both IPv4 and IPv6 addresses Select IPAddress if the request attribute value is a valid IP address specified in dot separated numeric component notation For example 128 ...

Страница 469: ...arameters B 1 18 Subject Directory Attributes Extension Default This default attaches a Subject Directory Attributes extension to the certificate The Subject Directory Attributes extension conveys any desired directory attribute values for the subject of the certificate The following constraints can be defined with this default Extension Constraint see Section B 2 3 Extension Constraint No Constra...

Страница 470: ...sion is included in the certificate with the public key information The following constraints can be defined with this default Extension Constraint see Section B 2 3 Extension Constraint No Constraints see Section B 2 6 No Constraint B 1 20 Subject Name Default This default attaches a server side configurable subject name to the certificate request A static subject name is used as the subject name...

Страница 471: ...ile can require specific extensions before enrolling a certificate WARNING Be exceptionally cautious about setting this extension default since it allows users to specify an extension in the certificate request If this default is used then Red Hat strongly recommends using a constraint corresponding to the extension to minimize any possible abuse of the User Supplied Extension Default The user def...

Страница 472: ... params exKeyUsageCritical false policyset set1 2 constraint params exKeyUsageOIDs 1 3 6 1 5 5 7 3 2 1 3 6 1 5 5 7 3 4 policyset set1 2 default class_id userExtensionDefaultImpl policyset set1 2 default name User Supplied Extension Default policyset set1 2 default params userExtOID 2 5 29 37 Example B 2 User Supplied Extension Default for the Extended Key Usage Extension In Example B 2 User Suppli...

Страница 473: ...ificate profile it allows a user to supply the validity period subject to the constraints set This default profile preserves that user defined validity in the original certificate request when the certificate is issued No inputs are provided to add user supplied validity date to the enrollment form but it is possible to submit a request that contains this information The following constraints can ...

Страница 474: ... the number of CA certificates used during certificate validation The chain starts with the end entity certificate being validated and moves up This parameter has no effect if the extension is set in end entity certificates The permissible values are 0 or n The value must be less than the path length specified in the Basic Constraints extension of the CA signing certificate 0 specifies that no sub...

Страница 475: ...raint This constraint implements the general extension constraint It checks if the extension is present B 2 4 Key Constraint This constraint checks the key length For example policyset caCertSet 3 constraint params keyType policyset caCertSet 3 constraint params keyMinLength 256 policyset caCertSet 3 constraint params keyMaxLength 4096 Parameter Description keyType Gives a key type this is set to ...

Страница 476: ...stead of key material Select true to allow this to be set select false to keep this from being set select a hyphen to indicate no constraints are placed for this parameter keyAgreement Specifies whether to set the extension whenever the subject s public key is used for key agreement Select true to allow this to be set select false to keep this from being set select a hyphen to indicate no constrai...

Страница 477: ... request satisfies the criteria set in this constraint B 2 8 Renewal Grace Period Constraint The Renewal Grace Period Constraint sets rules on when a user can renew a certificate based on its expiration date For example users cannot renew a certificate until a certain time before it expires or if it goes past a certain time after its expiration date One important thing to remember when using this ...

Страница 478: ... constraint supports all regular expression constructs listed in http java sun com j2se 1 4 1 docs api java util regex Pattern html This allows wildcards such as asterisks to search for any number of the characters and periods to search for any type character For example if the pattern of the subject name constraint is set to uid the certificate profile framework checks if the subject name in the ...

Страница 479: ... long as their key usage settings are different This is either true or false The default is true which allows duplicate subject names Table B 27 Unique Subject Name Constraint Configuration Parameters B 2 12 Validity Constraint The Validity constraint checks if the validity in the certificate request satisfies the criteria Parameter Description range The range of the validity period This is an int...

Страница 480: ... 29 3B 91 D3 EE 24 E9 AF F6 A1 49 E1 96 70 DE 6F B2 BE 3A 07 1A 0B FD FE 2F 75 FD F9 FC 63 69 36 B6 5B 09 C6 84 92 17 9C 3E 64 C3 C4 C9 Extensions Identifier Netscape Certificate Type 2 16 840 1 113730 1 1 Critical no Certificate Usage SSL CA Secure Email CA ObjectSigning CA Identifier Basic Constraints 2 5 29 19 Critical yes Is CA yes Path Length Constraint UNLIMITED Identifier Subject Key Identi...

Страница 481: ...e defined OID for an extension named Netscape Certificate Comment is 2 16 840 1 113730 1 13 The OID assigned to this extension is hierarchical and includes the former Netscape company arc 2 16 840 1 The OID definition entry is http www alvestrand no objectid 2 16 840 1 113730 1 13 html If an OID extension exists in a certificate and is marked critical the application validating the certificate mus...

Страница 482: ...s multiple signing keys such as when a CA certificate is renewed The extension consists of one or both of the following An explicit key identifier set in the keyIdentifier field An issuer set in the authorityCertIssuer field and serial number set in the authorityCertSerialNumber field identifying a certificate If the keyIdentifier field exists it is used to select the certificate with a matching s...

Страница 483: ...es each of which consists of an OID and optional qualifiers The extension can include a URI to the issuer s Certificate Practice Statement or can embed issuer information such as a user notice in text form This information can be used by certificate enabled applications If this extension is present PKIX Part 1 recommends that policies be identified with an OID only or if necessary only certain rec...

Страница 484: ...lications can use these extensions to disallow the use of a certificate in inappropriate contexts Table B 29 PKIX Extended Key Usage Extension Uses lists the uses defined by PKIX for this extension and Table B 30 Private Extended Key Usage Extension Uses lists uses privately defined by Netscape OID 2 5 29 37 Criticality If this extension is marked critical the certificate must be used for one of t...

Страница 485: ... at all set the bits as follows digitalSignature 0 for SSL client certificates S MIME signing certificates and object signing certificates nonRepudiation 1 for some S MIME signing certificates and object signing certificates WARNING Use of this bit is controversial Carefully consider the legal consequences of its use before setting it for any certificate keyEncipherment 2 for SSL server certificat...

Страница 486: ...PKIX Part 1 recommends that it should be marked critical if it is used Purpose of Certificate Required Key Usage Bit CA Signing keyCertSign cRLSign SSL Client digitalSignature SSL Server keyEncipherment S MIME Signing digitalSignature S MIME Encryption keyEncipherment Certificate Signing keyCertSign Object Signing digitalSignature Table B 31 Certificate Uses and Corresponding Key Usage Bits B 3 9 ...

Страница 487: ...itical B 3 11 policyConstraints This extension which is for CA certificates only constrains path validation in two ways It can be used to prohibit policy mapping or to require that each certificate in a path contain an acceptable policy identifier PKIX requires that if present this extension must never consist of a null sequence At least one of the two available fields must be present OID 2 5 29 3...

Страница 488: ...er URI PKIX requires this extension for entities identified by name forms other than the X 500 distinguished name DN used in the subject field PKIX Part 1 describes additional rules for the relationship between this extension and the subject field Email addresses may be provided in the Subject Alternative Name extension the certificate subject name field or both If the email address is part of the...

Страница 489: ...ublication the X 509 standard for CRL formats has been amended to include additional information within a CRL This information is added through CRL extensions The extensions defined by ANSI X9 and ISO IEC ITU for X 509 CRLs X 509 X9 55 allow additional attributes to be associated with CRLs The Internet X 509 Public Key Infrastructure Certificate and CRL Profile available at RFC 5280 4 recommends a...

Страница 490: ...can recognize the ID If it can it uses the extension ID to determine the type of value used B 4 1 2 Sample CRL and CRL Entry Extensions The following is an example of an X 509 CRL version 2 extension The Certificate System can display CRLs in readable pretty print format as shown here As shown in the example CRL extensions appear in sequence and only one instance of a particular extension may appe...

Страница 491: ...gPoint MasterCRL Only Contains User Certificates no Only Contains CA Certificates no Indirect CRL no Signature Algorithm SHA1withRSA 1 2 840 113549 1 1 5 Signature 47 D2 CD C9 E5 F5 9D 56 0A 97 31 F5 D5 F2 51 EB 1F CF FA 9E 63 D4 80 13 85 E5 D8 27 F0 69 67 B5 89 4F 59 5E 69 E4 39 93 61 F2 E3 83 51 0B 68 26 CD 99 C4 A2 6C 2B 06 43 35 36 38 07 34 E4 93 80 99 2F 79 FB 76 E8 3D 4C 15 5A 79 4E E5 3F 7E...

Страница 492: ...dicator 2 5 29 27 Critical yes Base CRL Number 39 Identifier Issuer Alternative Name 2 5 29 18 Critical no Issuer Names DNSName a f8 sjc redhat com Identifier Authority Key Identifier 2 5 29 35 Critical no Key Identifier 50 52 0C AA 22 AC 8A 71 E3 91 0C C5 77 21 46 9C 0F F8 30 60 Identifier CRL Number 2 5 29 20 Critical no Number 41 Identifier Issuing Distribution Point 2 5 29 28 Critical yes Dist...

Страница 493: ...ificate entries in the CRL Section B 4 2 1 Extensions for CRLs Section B 4 2 2 CRL Entry Extensions B 4 2 1 Extensions for CRLs The following CRL descriptions are defined as part of the Internet X 509 v3 Public Key Infrastructure proposed standard Section B 4 2 1 1 authorityInfoAccess Section B 4 2 1 2 authorityKeyIdentifier Section B 4 2 1 3 CRLNumber Section B 4 2 1 4 deltaCRLIndicator Section B...

Страница 494: ... DirectoryName or URI accessLocationn If accessLocationType is set to DirectoryName the value must be a string in the form of an X 500 name similar to the subject name in a certificate For example CN CACentral OU Research Dept O Example Corporation C US If accessLocationType is set to URI the name must be a URI the URI must be an absolute pathname and must specify the host For example http testCA ...

Страница 495: ...ave this extension OID 2 5 29 20 Criticality This extension must not be critical Parameters Parameter Description enable Specifies whether the rule is enabled which is the default critical Sets whether the extension is marked as critical the default is noncritical Table B 34 CRLNumber Configuration Parameters B 4 2 1 4 deltaCRLIndicator The deltaCRLIndicator extension generates a delta CRL a list ...

Страница 496: ...extension must be noncritical Parameters Parameter Description enable Sets whether the extension rule is enabled By default this is disabled critical Marks the extension as critical or noncritical The default is noncritical numPoints Indicates the number of issuing points for the delta CRL from 0 to any positive integer the default is 0 When setting this to an integer other than 0 set the number a...

Страница 497: ...at Section B 3 7 issuerAltName Extension OID 2 5 29 18 Parameters Parameter Description enable Sets whether the extension rule is enabled by default this is disabled critical Sets whether the extension is critical by default this is noncritical numNames Sets the total number of alternative names or identities permitted in the extension Each name has a set of configuration parameters nameType and n...

Страница 498: ... FF01 43 FFFF FFFF FFFF FFFF FFFF FFFF FF00 0000 OID if the name is an object identifier otherName if the name is in any other name form this supports PrintableString IA5String UTF8String BMPString Any and KerberosName namen Specifies the general name value the allowed values depend on the name type specified in the nameType field For rfc822Name the value must be a valid Internet mail address in t...

Страница 499: ...nment comply with the ISO rules for defining OIDs and for registering subtrees of IDs For otherName the names can be any other format this supports PrintableString IA5String UTF8String BMPString Any and KerberosName PrintableString IA5String UTF8String BMPString and Any set a string to a base 64 encoded file specifying the subtree such as var lib pki ca othername txt KerberosName has the format Re...

Страница 500: ...stribution point The name of the distribution point depends on the value specified for the pointType parameter For directoryName the name must be an X 500 name For example cn CRLCentral ou Research Dept o Example Corporation c US For URIName the name must be a URI that is an absolute pathname and specifies the host For example http testCA example com get crls here NOTE The CRL may be stored in the...

Страница 501: ...Internet X 509 v3 Public Key Infrastructure proposed standard All of these extensions are noncritical B 4 2 2 1 certificateIssuer The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL This extension is used only with indirect CRLs which are not supported by the Certificate System OID 2 5 29 29 B 4 2 2 2 invalidityDate The Invalidity Date ext...

Страница 502: ...cate incompatible with other clients B 4 3 1 netscape cert type The Netscape Certificate Type extension can be used to limit the purposes for which a certificate can be used It has been replaced by the X 509 v3 extensions Section B 3 6 extKeyUsage and Section B 3 3 basicConstraints If the extension exists in a certificate it limits the certificate to the uses specified in it If the extension is no...

Страница 503: ...Netscape Defined Certificate Extensions Reference 481 OID 2 16 840 1 113730 13 ...

Страница 504: ...482 ...

Страница 505: ...blish base 64 encoded files DER encoded files or both depending on the checkboxes selected when the publisher is configured The certificate and CRL content can be viewed by converting the files using the PrettyPrintCert and PrettyPrintCRL tools For details on viewing the content in base 64 and DER encoded certificates and CRLs see Section 8 6 Viewing Certificates and CRLs Published to File By defa...

Страница 506: ...P responder During installation the Certificate Manager automatically creates an instance of the LdapUserCertPublisher module for publishing end entity certificates to the directory Parameter Description certAttr Specifies the directory attribute of the mapped entry to which the Certificate Manager should pu userCertificate binary Table C 3 LdapUserCertPublisher Configuration Parameters C 1 4 Ldap...

Страница 507: ...to publish the CA certificate This must be crossC caObjectClass Specifies the object class for the CA s entry in the directory This must be certificati Table C 6 LdapCertificatePairPublisher Parameters C 1 7 OCSPPublisher The OCSPPublisher plug in module configures a Certificate Manager to publish its CRLs to an Online Certificate Status Manager The Certificate Manager does not create any instance...

Страница 508: ...D CA If the mapper fails to create a second CA entry check the base DN to which the UID Uniqueness plug in is set and check if an entry with the same UID already exists in the directory If necessary adjust the mapper setting remove the old CA entry comment out the plug in or create the entry manually During installation the Certificate Manager automatically creates two instances of the CA certific...

Страница 509: ...ctory and maps the CRL to the CA s entry in the directory By default the mapper is configured to create an entry for the CA in the directory The default DN pattern for locating the CA s entry is as follows uid subj cn ou people o subj o C 2 2 LdapDNExactMap The LdapDNExactMap plug in module configures a Certificate Manager to map a certificate to an LDAP directory entry by searching for the LDAP e...

Страница 510: ...this mapper the directory entries must include the specified LDAP attribute This mapper requires the exact pattern of the subject DN because the Certificate Manager searches the directory for the attribute with a value that exactly matches the entire subject DN For example if the specified LDAP attribute is certSubjectDN and the certificate subject name is uid jdoe o Example Corporation c US the C...

Страница 511: ...izational unit in the directory o represents an organization in the directory l represents a locality city st represents a state c represents a country For example the following DN represents the user named Jane Doe who works for the Sales department at Example Corporation which is located in Mountain View California United States cn Jane Doe ou Sales o Example Corporation l Mountain View st Calif...

Страница 512: ... of certificates can be set to include the uid component NOTE The e l and st components are not included in the standard set of certificate request forms provided for end entities These components can be added to the forms or the issuing agents can be required to insert these components when editing the subject name in the certificate issuance forms C 2 5 1 Configuration Parameters of LdapDNCompsM...

Страница 513: ...erforms a verification For example if filterCom attributes filterComps e uid the server searches the directory for an entry whose information gathered from the certificate The permissible values are valid directory attributes in the certificate DN separated by co need to be attribute names from the certificate not from ones in the LDAP directory For attribute for the user s email address LDAP call...

Страница 514: ...apUserCertRule is used to publish user certificates to an LDAP directory Parameter type predicate enable mapper publisher Table C 13 LdapUserCert Rule Configuration Parameters C 3 4 LdapCRLRule The LdapCRLRule is used to publish CRLs to an LDAP directory Parameter type predicate enable mapper publisher Table C 14 LdapCRL Rule Configuration Parameters ...

Страница 515: ...tion Each rule which allows or denies access to a resource is called an access control instruction ACI The sum of all of the ACIs for a resource is an access control list Before defining the actual ACI the ACL attribute is first applied to a specific plug in class used by the Certificate System subsystem This focuses each ACL to a specific function performed by the subsystem providing both more se...

Страница 516: ...es manage access to basic and common configuration settings such as logging and adding users and groups IMPORTANT These ACLs are common in that the same ACLs are occur in each subsystem instance s acl ldif file These are not shared ACLs in the sense that the configuration files or settings are held in common by all subsystem instances As with all other instance configuration these ACLs are maintai...

Страница 517: ...ption import Import a CA administrator certificate Table D 3 certServer admin certificate ACL Summary D 2 3 certServer admin request enrollment Controls access to enrollment processes including submitting enrollment requests and processing and accessing enrollment requests By default anyone can submit a certificate request but only CA agents can process them NOTE This entry is associated with the ...

Страница 518: ...odify authentication instances Table D 5 certServer auth configuration ACL Summary D 2 5 certServer clone configuration Controls who can clone the configuration for an instance The default setting is allow modify read group Enterprise CA Administrators group Enterprise KRA Administrators group Enterprise RA Administrators group Enterprise OCSP Administrators group Enterprise TKS Administrators Ope...

Страница 519: ...Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Operations Description read View log plug in information log plug in configuration and log instance configuration List log plug ins an modify Add and delete log plug ins and log instances Modify log instances Table D 8 certServer log configuration ACL Summary D 2 8 certServer ...

Страница 520: ...istration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors Operations Description read View log content List all logs Table D 11 certServer log content ACL Summary D 2 11 certServer log content signedAudit Explicitly denies access to the signed audit logs for all users except the auditor The default setting is deny read group Administr...

Страница 521: ...tors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Operations Description read View users groups and user s certificates Find users and groups modify Add modify and delete groups and users Add and modify a user certificate Table D 14 certServer usrgrp administrat...

Страница 522: ...tatus of a certificate from revoked revoke Revoke certificates or approve certificate revocation requests read Retrieve certificates based on the request ID and display certificate details based on the request ID Table D 16 certServer ca certificate ACL Summary D 3 3 certServer ca certificates Controls operations for listing or revoking certificates through the agent services interface The default...

Страница 523: ...sions configuration and CRL issuing points configuration modify Add and delete CRL issuing points Modify general CA settings CA connector configuration CRL issuing request notification configuration revocation notification configuration request in queue notification confi Table D 19 certServer ca configuration ACL Summary D 3 6 certServer ca connector Controls operations to submit requests over a ...

Страница 524: ... update Update CRLs Table D 22 certServer ca crl ACL Summary D 3 9 certServer ca directory Controls access to the LDAP directory used for publishing certificates and CRLs allow update group Certificate Manager Agents Operations Description update Publish CA certificates and user certificates to the LDAP directory Table D 23 certServer ca directory ACL Summary D 3 10 certServer ca group Controls ac...

Страница 525: ...cess to certificate profile configuration in the agent services pages allow read approve group Certificate Manager Agents Operations Description read View the details of the certificate profiles approve Approve and enable certificate profiles Table D 26 certServer ca profile ACL Summary D 3 13 certServer ca profiles Controls access to list certificate profiles in the agent services interface allow...

Страница 526: ... user anybody allow read execute assign unassign group Certificate Manager Agents Operations Description submit Submit an enrollment request read View an enrollment request execute Modify the approval state of a request assign Assign a request to a Certificate Manager agent unassign Change the assignment of a request Table D 29 certServer ca request enrollment ACL Summary D 3 16 certServer ca requ...

Страница 527: ...tchain Controls who can access the CA certificate chain in the end entities page allow download read user anybody Operations Description download Download the CA s certificate chain read View the CA s certificate chain Table D 33 certServer ee certchain ACL Summary D 3 20 certServer ee certificate Controls who can access certificates for most operations like importing or revoking certificates thro...

Страница 528: ...ss to CRLs through the end entities page allow read add user anybody Operations Description read Retrieve and view the certificate revocation list add Add CRLs to the OCSP server Table D 36 certServer ee crl ACL Summary D 3 23 certServer ee profile Controls some access to certificate profiles in the end entities page including who can view details about a profile or submit a request through the pr...

Страница 529: ...CL Summary D 3 26 certServer ee request ocsp Controls access based on IP address on which clients submit OCSP requests allow submit ipaddress Operations Description submit Submit OCSP requests Table D 40 certServer ee request ocsp ACL Summary D 3 27 certServer ee request revocation Controls what users can submit certificate revocation requests in the end entities page allow submit user anybody Ope...

Страница 530: ... Summary D 3 30 certServer kra configuration Controls who can view and manage the DRM instance configuration allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Operations Description read View automatic key recovery autom...

Страница 531: ...e D 46 certServer policy configuration ACL Summary D 3 33 certServer profile configuration Controls access to the certificate profile configuration The default setting is allow read group Administrators group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators...

Страница 532: ...any RA associated with the Certificate Manager The default configuration is allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Operations Description read View the RA configuration modify Modify the RA configuration Table...

Страница 533: ...Description read View basic job settings job instance settings and job plug in settings List job plug ins and job instances modify Add and delete job plug ins and job instances Modify job plug ins and job instances Table D 51 certServer job configuration ACL Summary D 4 2 certServer kra certificate transport Controls who can view the transport certificate for the DRM allow read user anybody Operat...

Страница 534: ...overy requests to the DRM The default configuration is allow read submit group Data Recovery Manager Agents Operations Description read View key recovery request information submit Submit or initiate key recovery requests through the agent services pages Table D 55 certServer kra GenerateKeyPair ACL Summary D 4 6 certServer kra getTransportCert Controls who can submit key recovery requests to the ...

Страница 535: ...recover Retrieve key information from the database to perform a recovery operation download Download key information through the agent services pages Table D 58 certServer kra key ACL Summary D 4 9 certServer kra keys Controls who can list archived keys through the agent services pages allow list group Data Recovery Manager Agents Operations Description list Search for and list a range of archived...

Страница 536: ... certServer kra request status Controls who can view the status for a key recovery request in the end entities page allow read group Data Recovery Manager Agents Operations Description read Retrieve the status of a key recovery request in the agents services pages Table D 62 certServer kra request status ACL Summary D 4 13 certServer kra requests Controls who can list key archival and recovery req...

Страница 537: ...rver kra TokenKeyRecovery ACL Summary D 5 Online Certificate Status Manager Specific ACLs This section covers the default access control configuration attributes which are set specifically for the Online Certificate Status Manager The OCSP responder s ACL configuration also includes all of the common ACLs listed in Section D 2 Common ACLs There are access control rules set for each of the OCSP s i...

Страница 538: ...certServer ee request ocsp Controls access based on IP address on which clients submit OCSP requests allow submit ipaddress Operations Description submit Submit OCSP requests Table D 68 certServer ee request ocsp ACL Summary D 5 4 certServer ocsp ca Controls who can add a Certificate Manager to the Online Certificate Status Manager configuration The default setting is allow add group Online Certif...

Страница 539: ...icate Manager s OCSP services The default configuration is allow read group Administrators group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents group Auditors allow modify group Administrators Operations Description read View CRL plug in information general CA configuration CA connector configuration CR...

Страница 540: ...who can read information about the OCSP responder allow read group Online Certificate Status Manager Agents Operations Description read View OCSP responder information Table D 75 certServer ocsp info ACL Summary D 5 11 certServer ocsp systemstatus Controls who can view the statistics for the Online Certificate Status Manager instance read allow read group Online Certificate Status Manager Agents O...

Страница 541: ...istrators Operations Description modify Create or edit user and group entries for the instance read View user and group entries for the instance Table D 78 certServer tks group ACL Summary D 6 3 certServer tks importTransportCert Controls who can import the transport certificate used by the TKS to deliver keys allow modify read group Enterprise CA Administrators group Enterprise KRA Administrators...

Страница 542: ...tions Description read View the user and agent entries and configuration modify Edit existing user and agent entries or create new user accounts Table D 81 certServer tks registerUser ACL Summary D 6 6 certServer tks sessionkey Controls who can view the session keys used by the TKS instance to connections to the TPS allow read group Token Key Service Manager Agents Operations Description read View...

Страница 543: ...ent An enrollment that requires an agent to approve the request before the certificate is issued agent services 1 Services that can be administered by a Certificate System agent through HTML pages served by the Certificate System subsystem for which the agent has been assigned the necessary privileges 2 The HTML pages for administering such services attribute value assertion AVA An assertion of th...

Страница 544: ...dentifies a certificate authority See also certificate authority CA subordinate CA root CA CA hierarchy A hierarchy of CAs in which a root CA delegates the authority to issue certificates to subordinate CAs Subordinate CAs can also expand the hierarchy by delegating issuing status to other CAs See also certificate authority CA subordinate CA root CA CA server key The SSL server key of the server p...

Страница 545: ...ertificate changes even by a single character the same function produces a different number Certificate fingerprints can therefore be used to verify that certificates have not been tampered with Certificate Management Messages over Cryptographic Message Syntax CMC Message format used to convey a request for a certificate to a Certificate Manager A proposed standard from the Internet Engineering Ta...

Страница 546: ...ng the SSL protocol See Secure Sockets Layer SSL CMC See Certificate Management Messages over Cryptographic Message Syntax CMC CMC Enrollment Features that allow either signed enrollment or signed revocation requests to be sent to a Certificate Manager using an agent s signing certificate These requests are then automatically processed by the Certificate Manager CMMF See Certificate Management Mes...

Страница 547: ...very of RSA encryption keys for end entities A Certificate Manager can be configured to archive end entities encryption keys with a Data Recovery Manager before issuing new certificates The Data Recovery Manager is useful only if end entities are encrypting data such as sensitive email that the organization may need to recover someday It can be used only with end entities that support dual key pai...

Страница 548: ...re with the signer s public key and comparison with another hash of the same data provides tamper detection Verification of the certificate chain for the certificate containing the public key provides authentication of the signer See also nonrepudiation encryption distribution points Used for CRLs to define a set of certificates Each distribution point is defined by a set of certificates that are ...

Страница 549: ...e certificate fingerprint FIPS PUBS 140 1 Federal Information Standards Publications FIPS PUBS 140 1 is a US government standard for implementations of cryptographic modules hardware or software that encrypts and decrypts data or performs other cryptographic operations such as creating or verifying digital signatures Many products sold to the US government must comply with one or more of the FIPS ...

Страница 550: ...rvices JSS A Java interface for controlling security operations performed by Netscape Security Services NSS K KEA See Key Exchange Algorithm KEA key A large number used by a cryptographic algorithm to encrypt or decrypt data A person s public key for example allows other people to encrypt messages intended for that person The messages must then be decrypted by using the corresponding private key k...

Страница 551: ...scape Security Services NSS A set of libraries designed to support cross platform development of security enabled communications applications Applications built using the NSS libraries support the Secure Sockets Layer SSL protocol for authentication tamper detection and encryption and the PKCS 11 protocol for cryptographic token interfaces NSS is also available separately as a software development...

Страница 552: ...PKCS 11 module also called a cryptographic module or cryptographic service provider can be implemented in either hardware or software A PKCS 11 module always has one or more slots which may be implemented as physical hardware slots in some form of physical reader such as for smart cards or as conceptual slots in software Each slot for a PKCS 11 module can in turn contain a token which is the hardw...

Страница 553: ...ying and managing certificates Certificate System is comprised of five major subsystems that can be installed in different Certificate System instances in different physical locations Certificate Manager Online Certificate Status Manager Data Recovery Manager Token Key Service and Token Processing System registration See enrollment root CA The certificate authority CA with a self signed certificat...

Страница 554: ...he way to sign on to Red Hat Certificate System by storing the passwords for the internal database and tokens Each time a user logs on he is required to enter this single password 2 The ability for a user to log in once to a single computer and be authenticated automatically by a variety of servers within a network Partial single sign on solutions can take many forms including mechanisms for autom...

Страница 555: ...riginal version of the same data token A hardware or software device that is associated with a slot in a PKCS 11 module It provides cryptographic services and optionally stores certificates and keys tree hierarchy The hierarchical structure of an LDAP directory trust Confident reliance on a person or other entity In a public key infrastructure PKI trust refers to the relationship between the user ...

Страница 556: ...534 ...

Страница 557: ...ertificates 406 buffered logging 361 C CA certificate 4 configuring ECC signing algorithm 55 prompting for subsystem passwords existing instance 289 new instance 288 CA certificate mapper 486 CA certificate publisher 484 485 CA signing certificate 4 388 changing trust settings of 413 deleting 412 nickname 388 requesting 394 viewing details of 411 certificate viewing content 231 certificate chains ...

Страница 558: ...iguration file 279 279 CS cfg 279 format 280 Configuration tab 14 CRL viewing content 231 CRL Distribution Point extension 172 CRL extension modules CRLReason 430 CRL publisher 484 CRL signing certificate 5 170 requesting 394 cRLDistributionPoints 461 CRLNumber 473 CRLReason 479 CRLs defined 169 entering multiple update times 178 entering update period 178 extension specific modules 467 extensions...

Страница 559: ...suer 479 certificatePolicies 461 cRLDistributionPoints 461 CRLNumber 473 CRLReason 479 deltaCRLIndicator 473 extKeyUsage 462 invalidityDate 479 issuerAltName 463 475 issuingDistributionPoint 477 keyUsage 463 nameConstraints 464 netscape cert type 480 Netscape defined 480 policyConstraints 465 policyMappings 465 privateKeyUsagePeriod 466 subjectAltName 466 subjectDirectoryAttributes 466 tool for jo...

Страница 560: ...le 382 services that are logged 359 types of logs 359 Audit 363 Error 366 M mail server used for notifications 257 managing certificate database 407 mapper modules deleting 233 registering new ones 233 mappers created during installation 214 486 488 mappers that use CA certificate 486 DN components 488 modifying privileged user s group membership 331 N Name extension modules Issuer Alternative Nam...

Страница 561: ...privileged users deleting 333 modifying privileges group membership 331 types agents 329 profile variables RA 52 profiles how profiles work 23 prompting for system passwords 287 publisher modules deleting 233 registering new ones 233 publishers created during installation 214 484 484 485 publishers that can publish to CA s entry in the directory 484 484 485 files 483 OCSP responder 485 users entri...

Страница 562: ... requesting 394 viewing details of 411 starting subsystem instance 295 Status tab 14 stopping subsystem instance 295 storage key pair 391 subjectAltName 466 subjectDirectoryAttributes 466 subjectKeyIdentifier subjectKeyIdentifier 467 subsystem certificate 388 390 392 nickname 388 390 392 subsystems configuring password file 286 passwords required at startup 288 subsystems for certificates Certific...

Страница 563: ...288 setting profiles 351 users 349 Windows smart card login 55 transport certificate 391 changing trust settings of 413 deleting 412 viewing details of 411 trusted managers deleting 333 modifying group membership 331 U unbuffered logging 361 user certificate 5 requesting 77 users creating 332 W why to revoke certificates 171 Windows smart card login 55 ...

Страница 564: ...542 ...

Результаты поиска

Содержание CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Отзывы:

Похожие инструкции для CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Бренды по названию

Популярные бренды

Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION, Руководство администратора

Результаты поиска

Содержание CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Отзывы:

Похожие инструкции для CERTIFICATE SYSTEM 8.0 - ADMINISTRATION

Бренды по названию

Популярные бренды