How Agent-Initiated Key Recovery Works (Red Hat Certificate System 7.1 Administrator's Manual)

Key Recovery Process
By default, key recovery authorization is local.
Remote Key Recovery Authorization
To authorize key recovery remotely, the required number of recovery agents access the
Data Recovery Manager Agent Services interface at their own locations and use the
Authorize Recovery button to enter each authorization separately.
Before key recovery agents can authorize key recovery remotely, they must be set up to
function as Data Recovery Manager agents. This role gives them the privilege to access the
Data Recovery Manager's Agent Services interface directly.
In remote key recovery authorization, one of the key recovery agents informs all required
recovery agents about an impending remote key recovery process. All recovery agents
access the Key Recovery page hosted by the Data Recovery Manager. One of the agents
initiates the key recovery process. The Data Recovery Manager returns a notification to
each agent. The notification includes a recovery authorization reference number identifying
the particular key recovery request that the agent is required to authorize. Each agent uses
the reference number and authorizes key recovery separately.
The Data Recovery Manager informs the agent who initiated the key recovery process of
the status of the authorizations. When all of the authorizations are entered, the Data
Recovery Manager checks the information. If the information presented is correct, it
retrieves the requested key and returns it along with the corresponding certificate in the
form of a PKCS #12 package to the agent who initiated the key recovery process.
Key recovery agents can switch to remote authorization by deselecting the local
authorization option in the Key Recovery form.

How Agent-Initiated Key Recovery Works

In an agent-initiated key recovery, the key is recovered by the collective efforts of a Data
Recovery Manager agent and authorized key recovery agents. You may need to resort to
this type of key recovery if the owner of a key cannot be reached and the authorities in the
organization need to access that end-entity's encrypted data (for example, S/MIME mail
messages).
Upon retrieving the private encryption key (in the form of a PKCS #12 package), the agents
may forward the key to the original end entity, the manager of the original owner, or some
other authorities. The key (PKCS #12 package) can then be imported into the application for
use.
Figure 6-2 illustrates how agent-initiated key recovery works.
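As an added illustration of the remote authorization flow described under "Remote Key Recovery Authorization" and of the agent-initiated retrieval above, the following is a small Python model of the Data Recovery Manager's authorization bookkeeping; it is not Red Hat Certificate System code, and the agent names, key identifier and the tuple standing in for the PKCS #12 package are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class RecoveryRequest:
    initiator: str
    key_id: str
    authorized_by: set = field(default_factory=set)


class DataRecoveryManagerModel:
    """Constructed model of the DRM's remote-authorization bookkeeping (not RHCS code)."""
    def __init__(self, recovery_agents, required, escrowed_keys):
        self.recovery_agents = set(recovery_agents)  # agents given the DRM agent role
        self.required = required                     # authorizations needed per request
        self.escrowed_keys = escrowed_keys           # key_id -> (key, cert); stand-in for DRM storage
        self.requests = {}

    def initiate(self, initiator, key_id):
        """An agent starts recovery; the returned reference number is what the notification carries."""
        if initiator not in self.recovery_agents:
            raise PermissionError(f"{initiator} is not a Data Recovery Manager agent")
        ref = secrets.token_hex(8)
        self.requests[ref] = RecoveryRequest(initiator, key_id)
        return ref

    def authorize(self, agent, reference):
        """Each agent authorizes separately against the reference number; returns (entered, required)."""
        req = self.requests[reference]               # KeyError if the reference is unknown
        if agent not in self.recovery_agents:
            raise PermissionError(f"{agent} is not a Data Recovery Manager agent")
        req.authorized_by.add(agent)                 # one agent authorizing twice still counts once
        return len(req.authorized_by), self.required

    def retrieve(self, agent, reference):
        """Release key and certificate (stand-in for the PKCS #12 package) to the initiator, after quorum."""
        req = self.requests[reference]
        if agent != req.initiator:
            raise PermissionError("only the initiating agent receives the recovered key")
        if len(req.authorized_by) < self.required:
            raise PermissionError("authorizations outstanding")
        return self.escrowed_keys[req.key_id]


def is_denied(action, *args):
    """Helper for the checks: True if the DRM model refuses the action."""
    try:
        action(*args)
    except (PermissionError, KeyError):
        return True
    return False
```

The model captures the three checks that matter: only agents holding the DRM agent role can initiate or authorize, repeated authorizations by the same agent do not move the count, and the key leaves the DRM only to the initiating agent and only once the required number of separate authorizations has been entered.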
Chapter 6, Data Recovery Manager, page 195
