Red Hat CERTIFICATE SYSTEM 8 - AGENTS GUIDE Agents Manual

Using web-based agent services

Red Hat Certificate
System 8.0
Agents Guide
Using Web-Based Agent Services
Ella Deon Lackey
Publication date: July 22, 2009, updated April 30, 2010

Summary of Contents for Red Hat CERTIFICATE SYSTEM 8 - AGENTS GUIDE

  • Page 1 Red Hat Certificate System 8.0 Agents Guide Using Web-Based Agent Services Ella Deon Lackey Publication date: July 22, 2009, updated April 30, 2010...
  • Page 2 Agents Guide Red Hat Certificate System 8.0 Agents Guide Using Web-Based Agent Services Edition 8.0.5 Author Ella Deon Lackey Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA").
  • Page 3: Table Of Contents

    About This Guide 1. Required Concepts ......................v 2. What Is in This Guide ..................... v 3. Examples and Formatting ....................vi 3.1. Formatting for Examples and Commands .............. vi 3.2. Tool Locations ..................... vi 3.3. Guide Formatting ....................vi 4.
  • Page 4 Agents Guide 4.5.2. Updating the CRL .................... 56 5. CA: Publishing to a Directory 5.1. Automatically Updating the Directory ................59 5.2. Manually Updating the Directory .................. 59 6. RA: Requesting and Receiving Certificates Locally 6.1. Listing Certificate Requests ..................63 6.2.
  • Page 5: About This Guide

    About This Guide The web-based interfaces for Certificate System allow end users, agents, and administrators to perform common tasks, such as requesting, approving, and revoking certificates. Additionally, administrators for RA and TPS subsystems can perform administrative tasks such as creating users and groups.
  • Page 6: Examples And Formatting

    About This Guide Chapter 4, CA: Finding and Revoking Certificates • Explains how to use the agent services page to find and examine a specific certificate issued by Certificate System, how to retrieve a list of certificates that match specified criteria, how to revoke certificates, and how to manage the certificate revocation list.
  • Page 7: Additional Reading

    Additional Reading Formatting Style Italicized text Bolded text Other formatting styles draw attention to important text. NOTE A note provides additional information that can help illustrate the behavior of the system or provide more detail for a specific issue. IMPORTANT Important information is necessary, but possibly unexpected, such as a configuration change that will not persist after a reboot.
  • Page 8: Giving Feedback

    If there is any error in this Agent's Guide or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Certificate System through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues: •...
  • Page 9: Document History

    Document History 6. Document History Revision 8.0.5 April 30, 2010 Ella Deon Lackey Added a section for taking on-hold certificates off hold, as requested in Bugzilla #570906. Revision 8.0.4 August 22, 2009 Ella Deon Lackey Rephrased method for sending notifications to users about issued certificates. Revision 8.0.3 August 3, 2009 Ella Deon Lackey...
  • Page 11: Agent Services

    Chapter 1. Agent Services This chapter describes the role of the privileged users, agents, in managing Certificate System subsystems. It also introduces the tools that agents use to administer service requests. 1.1. Overview of Certificate System The Red Hat Certificate System is a highly configurable set of software components and tools for creating, deploying, and managing certificates.
  • Page 12 Chapter 1. Agent Services 1.1.1.2. Registration Manager A registration authority is an intermediary between a user or location and a CA. The registration authority processes and authenticates enrollment requests; approved requests are then sent to the CA for it to issue the new certificate. Breaking the approval and issuance steps into separate subsystems takes some of the burden off centralized CAs.
  • Page 13: Certificate System Users

    Certificate System Users 1.1.2. Certificate System Users Three kinds of users can access Certificate System subsystems: administrators, agents, and end entities. Administrators are responsible for the initial setup and ongoing maintenance of the subsystems. Administrators can also assign agent status to users. Agents manage day-to-day interactions with end entities, which can be users or servers and clients, and other aspects of the PKI.
  • Page 14: Certificate Manager Agent Services

    Chapter 1. Agent Services • Registration Manager Agents process certificate requests; any approved requests are automatically forwarded to the configured CA to issue the certificate. RA agents can also revoke certificates which have been issued through the RA. • Data Recovery Manager Agents initiate the recovery of lost keys and can obtain information about key service requests and archived keys.
  • Page 15 Certificate Manager Agent Services Figure 1.2. Certificate Manager Agent Services Page A Certificate Manager agent performs the following tasks: • Handles certificate requests. An agent can list the certificate service requests received by the Certificate Manager subsystem, assign requests, reject or cancel requests, and approve requests for certificate enrollment. See Chapter 3, CA: Handling Certificate Requests.
  • Page 16: Registration Manager Agent Services

    Chapter 1. Agent Services The Certificate System can be configured to publish certificates and CRLs to an LDAP directory. This information is usually published automatically, but the Certificate Manager agent services page can be used to update the directory manually. See Section 5.2, “Manually Updating the Directory”. •...
  • Page 17: Data Recovery Manager Agent Services

    Data Recovery Manager Agent Services administrative tasks. For the RA, those administrative tasks relate to managing users and groups. 1.2.3. Data Recovery Manager Agent Services Only designated DRM agents, with a valid certificate installed in their browser, are authorized to access the agent services pages.
  • Page 18: Token Processing System Agent Services

    Chapter 1. Agent Services Figure 1.5. Online Certificate Status Manager Agent Services Page An Online Certificate Status Manager agent performs the following tasks: • Checks that CAs are currently configured to publish their CRLs to the Online Certificate Status Manager. •...
  • Page 19 Token Processing System Agent Services Figure 1.6. TPS Agent Services Page A TPS agent performs the following tasks: • Lists and searches enrolled tokens by user ID or token CUID. • Lists and searches certificates associated with enrolled tokens. • Searches token operations by CUID. •...
  • Page 20: Accessing Agent Services

    Chapter 1. Agent Services Figure 1.7. TPS Administrator Operations Tab A TPS administrator performs the following tasks: • Lists and searches enrolled tokens by user ID or token CUID. • Edits token information, including the token owner's user ID. • Adds tokens. •...
  • Page 21 Accessing Agent Services can access and use the forms. Operations are performed over SSL, so the server connection uses HTTPS on the SSL agent port. The agent services URLs use the following format: https://hostname:port/subsystem_type/agent/subsystem_type The hostname can be a fully-qualified domain name, simply the hostname (if it is on an intranet), or an IPv4 or IPv6 address.
  • Page 22: Using And Recovering Agent Certificates

    Chapter 1. Agent Services Figure 1.8. Certificate Manager Services Page NOTE The services pages are written in HTML and are intended to be customized. This document describes the default pages. If an administrator has customized the agent services pages, those pages may differ from those described here. Check with the Certificate System administrator for information on the local installation.
  • Page 23: Using Java Servlets With Subsystem Web Forms

    Using Java Servlets with Subsystem Web Forms 1.5. Using Java Servlets with Subsystem Web Forms Each subsystem Java™ servlet supports a parameter called xml, which can have a value of either true or false. This parameter sets what kind of data the servlet returns; by default, all of the subsystem interfaces, like the agent services page or the end-entities page, return data in HTML.
  • Page 24: Configuring Internet Explorer To Enroll Certificates

    Chapter 1. Agent Services • Additional notes (comments appended by the agent to the certificate) NOTE This support does not include supporting internationalized domain names. 1.8. Configuring Internet Explorer to Enroll Certificates Because of the security settings in Microsoft Windows Vista, requesting and enrolling certificates through the end entities pages using Internet Explorer 7 and 8 requires extra browser configuration.
  • Page 25 Configuring Internet Explorer to Enroll Certificates 4. There is probably a security exception when opening the end services pages. Add the CA services site to Internet Explorer's Trusted Sites list. a. In the Internet Explorer menu, click Tools, and select Internet Options. b.
  • Page 27: CA: Working With Certificate Profiles

    Chapter 2. CA: Working with Certificate Profiles A Certificate Manager agent is responsible for approving certificate profiles that have been configured by a Certificate System administrator. Certificate Manager agents also manage and approve certificate requests that come from profile-based enrollments. 2.1.
  • Page 28: Example caUserCert Profile

    Chapter 2. CA: Working with Certificate Profiles A manual enrollment is a request when no authentication plug-in is configured. When the end entity submits a certificate request with a manual enrollment profile, the certificate request is queued in the agent services page as a certificate enrollment request. The agent can change the request, reject it, change the status, or approve it.
  • Page 29 Example caUserCert Profile Next, the profile lists all of the required inputs for the profile:
    input.list=i1,i2,i3
    input.i1.class_id=keyGenInputImpl
    input.i2.class_id=subjectNameInputImpl
    input.i3.class_id=submitterInfoInputImpl
    For the caUserCert profile, this defines the keys to generate, the fields to use in the subject name, and the fields to use for the person submitting the certificate. •...
  • Page 30 Chapter 2. CA: Working with Certificate Profiles The profile next must define the output, meaning the format of the final certificate. There are several pre-defined outputs. More than one of these can be used, but none of the values of the output can be modified.
  • Page 31: List Of Certificate Profiles

    List of Certificate Profiles
    policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
    policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
    policyset.userCertSet.6.constraint.params.keyUsageCritical=true
    policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
    policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
    policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
    policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
    policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
    policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
    policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
    policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
    policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
    policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
    policyset.userCertSet.6.default.name=Key Usage Default
    policyset.userCertSet.6.default.params.keyUsageCritical=true
    policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
    policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
    policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
    policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
    policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
    policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
    policyset.userCertSet.6.default.params.keyUsageCrlSign=false
    policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
    policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
    The policy sets are summarized on the agent services Managing Certificate Profiles page. 2.3.
  • Page 32 Chapter 2. CA: Working with Certificate Profiles (Profile ID | Profile Name | Description)
    caAgentServerCert | Agent-Authenticated Server Certificate Enrollment | Enrolls server certificates with agent authentication.
    caCACert | Manual Certificate Manager Signing Certificate Enrollment | Enrolls Certificate Authority certificates.
    caCMCUserCert | Signed CMC-Authenticated User Certificate Enrollment | Enrolls user certificates by using the CMC certificate request with CMC Signature...
  • Page 33 List of Certificate Profiles (Profile ID | Profile Name | Description)
    caManualRenewal | Renew certificate to be manually approved by agents | Renews a certificate, with manual agent approval.
    caOCSPCert | Manual OCSP Manager Signing Certificate Enrollment | Enrolls OCSP Manager certificates.
    caOtherCert | Other Certificate Enrollment | Enrolls other certificates.
  • Page 34 Chapter 2. CA: Working with Certificate Profiles (Profile ID | Profile Name | Description) ...to replace a temporarily lost token.
    caTempTokenUserSigningKeyEnrollment | Temporary Token User Signing Certificate Enrollment | Enrolls a signing key on a token; used by the TPS for smart card enrollment operations.
  • Page 35: Enabling And Disabling Certificate Profiles

    Enabling and Disabling Certificate Profiles (Profile ID | Profile Name | Description)
    caUUIDdevicecert | Manual device Dual-Use Certificate Enrollment to contain UUID in SAN | Enrolls certificates for devices which must contain a unique user ID number (UUID) as a component in the certificate's subject alternate name extension.
  • Page 36 Chapter 2. CA: Working with Certificate Profiles profile and allows an agent to approve a certificate profile or disable a previously-approved certificate profile. An approved certificate profile can only be disabled by the agent who originally approved it. To view a profile, open its Approve Certificate Profile page: 1.
  • Page 37: Enabling Or Disabling A Certificate Profile

    Enabling or Disabling a Certificate Profile The policy set table in the policy information sections contains the following information for the policy set: • #. The policy ID number (#) for this set of defaults and constraints. • Defaults [Extensions/Fields]. The defaults set to define certificate content, including extensions. •...
  • Page 39: CA: Handling Certificate Requests

    Chapter 3. CA: Handling Certificate Requests A Certificate Manager agent is responsible for handling both manual enrollment requests made by end entities (end users, server administrators, and other Certificate System subsystems) and automated enrollment requests that have been deferred. This chapter describes the general procedure for handling requests and explains how to handle different aspects of certificate request management.
  • Page 40 Chapter 3. CA: Handling Certificate Requests Action Description only results in the certificate request values being changed but does not change its state. Validate the request A request that uses a certificate profile can be checked, or validated, to see if the request complies with the defaults and constraints set by the certificate profile.
  • Page 41: Listing Certificate Requests

    Listing Certificate Requests Figure 3.1. Certificate Request Management Process 3.2. Listing Certificate Requests The Certificate Manager keeps a queue of all certificate service requests that have been submitted to it. The queue records whether a request is pending, completed, canceled, or rejected. Three types of requests can be in the queue: •...
  • Page 42 Chapter 3. CA: Handling Certificate Requests To see a list of requests: 1. Go to the Certificate Manager agent services page. https://server.example.com:9443/ca/agent/ca NOTE An agent must have the proper client certificate to access this page. 2. Click List Requests to view the queue of certificates requests. The List Requests form appears.
  • Page 43: Selecting A Request

    Selecting a Request • Show canceled requests. These are requests that have been manually canceled by an agent. Users do not receive automatic notification of canceled requests. Cancellation can be useful if the user has left the company since submitting the request or if the user has already been contacted about a problem and does not need to be notified about the request status.
  • Page 44: Searching For Certificates (Advanced)

    Chapter 3. CA: Handling Certificate Requests 3. If a desired request is not shown, scroll to the bottom of the list, specify an additional number of requests to be listed, and click Find. That number of additional requests matching the original search criteria is shown.
  • Page 45 Searching for Certificates (Advanced) 2. Click Search for Certificates to display the Search for Certificates form to specify search criteria. 3. To search by particular criteria, use one or more of the sections of the Search for Certificates form. To use a section, select the check box, then fill in any necessary information. •...
  • Page 46 Chapter 3. CA: Handling Certificate Requests • Revoked and Expired. The certificate has passed its validity period and been revoked. • Revocation Information. Lists certificates that have been revoked during a particular period or by a particular agent. For example, an agent can list all certificates revoked between July 2005 and April 2006 or all certificates revoked by the agent with the username admin.
  • Page 47 Searching for Certificates (Advanced) It is also possible to list certificates that have a validity period of a certain length of time, such as all certificates that are valid for less than one month. • To list certificates that become effective or expire within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.
  • Page 48 Chapter 3. CA: Handling Certificate Requests information. For each type, choose from the drop-down list to find certificates where that type is On, Off, or Do Not Care. 4. To find a certificate with a specific subject name, use the Subject Name section. Select the check box, then enter the subject name criteria.
  • Page 49 Searching for Certificates (Advanced) • State. Narrows the search by state or province. • Country. Narrows the search by country; use the two-letter country code, such as US. NOTE Certificate System certificate request forms support all UTF-8 characters for the common name and organizational unit fields.
  • Page 50: Approving Requests

    Chapter 3. CA: Handling Certificate Requests 7. The Search Results form appears, showing a list of the certificates that match the search criteria. Select a certificate in the list to examine it in more detail. For more information, refer to Section 4.3, “Examining Certificate Details”.
  • Page 51 Approving Requests • Request Information. Lists basic information about the request. • Certificate Profile Information. Lists the certificate profile being used, along with basic information about that certificate profile. • Certificate Profile Inputs. Lists the inputs contained in the enrollment form for this certificate profile as well as the values set by the requester.
  • Page 52: Sending An Issued Certificate To The Requester

    Chapter 3. CA: Handling Certificate Requests NOTE For more information on how to adjust parameters associated with certificate profiles, such as defaults and constraints, see Chapter 2, CA: Working with Certificate Profiles. 5. Choose an action from the menu at the bottom of the page, and, optionally, add any comments about the certificate.
  • Page 53 Sending an Issued Certificate to the Requester certificates, in client software. Server administrators install server certificates in the servers that they manage. Depending on how the Certificate System is configured, an end user who requests a certificate might receive automatic email notification of the success of the request; this email message contains either the certificate itself or a URL from which the user can get the certificate.
  • Page 54 Chapter 3. CA: Handling Certificate Requests 2. Insert a URL that the requester can use to access the issued certificate. This has the following form: https://hostname:port/ca/ee/ca/displayBySerial?serialNumber=serial_number When the requester follows that link, he only has to click the Import button to import the certificate into a browser.
  • Page 55: CA: Finding And Revoking Certificates

    Chapter 4. CA: Finding and Revoking Certificates A Certificate Manager agent can use the agent services page to find a specific certificate issued by the Certificate System or to retrieve a list of certificates that match specified criteria. The certificates which are retrieved can be examined or revoked by the agent.
  • Page 56: Searching For Certificates (Advanced)

    Chapter 4. CA: Finding and Revoking Certificates • To find all certificates within a range of serial numbers, enter the upper and lower limits of the serial number range in decimal or hexadecimal form. Leaving either the lower limit or upper limit field blank displays the certificate with the specified number, plus all certificates before or after it in sequence.
  • Page 57 Searching for Certificates (Advanced) 3. To search by particular criteria, use one or more of the sections of the Search for Certificates form. To use a section, select the check box, then fill in any necessary information. • Serial Number Range. Finds a certificate with a specific serial number or lists all certificates within a range of serial numbers.
  • Page 58 Chapter 4. CA: Finding and Revoking Certificates • Subject Name. Lists certificates belonging to a particular owner; it is possible to use wildcards in this field. NOTE Certificate System certificate request forms support all UTF-8 characters for the common name, organizational unit, and requester name fields. The common name and organization unit fields are included in the subject name of the certificate.
  • Page 59 Searching for Certificates (Advanced) • Type. Lists certain types of certificates, such as all certificates for subordinate CAs. This search works only for certificates containing the Netscape Certificate Type extension, which stores type information. For each type, choose from the drop-down list to find certificates where that type is On, Off, or Do Not Care.
  • Page 60: Examining Certificate Details

    Chapter 4. CA: Finding and Revoking Certificates NOTE Placing a single asterisk in a search field means that the component must be in the certificate's subject name but may have any value. Leave the field blank if it does not matter if the field is present. 6.
  • Page 61: Revoking Certificates

    Revoking Certificates 3. After selecting a certificate, click the Details button at the left side of its entry. 4. The Certificate page shows the detailed contents of the selected certificate and instructions for installing the certificate in a server or in a web browser. Figure 4.2.
  • Page 62: Revoking Certificates

    Chapter 4. CA: Finding and Revoking Certificates 4.4.1. Revoking Certificates 1. Open the Certificate Manager agent services page. 2. Click Revoke Certificates. NOTE The search form that appears has the same search criteria sections as the Search for Certificates form. 3.
  • Page 63 Revoking Certificates Verify that all of the certificates returned by the search should be revoked, not only those displayed on the current page. 7. Click the Revoke button next to the certificate to be revoked. CAUTION Whether revoking a single certificate or a list of certificates, be extremely careful that the correct certificate has been selected or that the list contains only certificates which should be revoked.
  • Page 64: Taking Certificates Off Hold

    Chapter 4. CA: Finding and Revoking Certificates • Key compromised • CA key compromised • Affiliation changed • Certificate superseded • Cessation of operation • Certificate is on hold 10. Enter any additional comment. The comment is included in the revocation request. When the revocation request is submitted, it is automatically approved, and the certificate is revoked.
  • Page 65: Managing The Certificate Revocation List

    Managing the Certificate Revocation List 4.5. Managing the Certificate Revocation List Revoking a certificate notifies other users that the certificate is no longer valid. This notification is done by publishing a list of the revoked certificates, called the certificate revocation list (CRL), to an LDAP directory or to a flat file.
  • Page 66: Updating The CRL

    Chapter 4. CA: Finding and Revoking Certificates • Base 64 Encoded. Retrieves and displays the CRL in base-64 encoded format. • Delta CRL. Retrieves and displays a delta CRL, which is a subset of the CRL showing only new revocations since the last CRL was published. This option is available only if delta CRL generation is enabled.
  • Page 67 Updating the CRL Figure 4.3. Update Certificate Revocation List 3. Select the CRL issuing point which will update the CRL. There can be multiple issuing points configured for a single CA. 4. Select the algorithm to use to sign the new CRL. Before choosing an algorithm, make sure that any system or network applications that need to read or view this CRL support the algorithm.
  • Page 69: CA: Publishing To A Directory

    Chapter 5. CA: Publishing to a Directory A Red Hat Directory Server installation is required for the Certificate System subsystems to be installed; this directory instance maintains user information and certificate and key information. The Certificate System can be configured to publish certificates and CRLs to that directory, or other LDAP directories, for other applications to access.
  • Page 70 Chapter 5. CA: Publishing to a Directory 1. Open the Certificate Manager agent services page. https://server.example.com:9443/ca/agent/ca 2. Click Update Directory Server to open the publishing page. 3. Select Skip certificates already marked as updated to ignore certificates in the internal database that have already been published or removed, in the case of revoked certificates.
  • Page 71 Manually Updating the Directory 4. Select the type of update to perform. • To publish the latest CRL, select Update the certificate revocation list to the publishing directory. • To update information on valid certificates to the publishing directory, select Update valid certificates to the directory.
  • Page 73: RA: Requesting And Receiving Certificates Locally

    Chapter 6. RA: Requesting and Receiving Certificates Locally The Registration Authority (RA) subsystem allows certificates to be requested and approved locally. Locally can encompass any kind of division: different departments, geographical locations, or employee types. The purpose of a Registration Manager is to bring the approval process for certificates to a grassroots level, where people who actually know or are responsible for a requester are capable of assessing their certificate requests.
  • Page 74 Chapter 6. RA: Requesting and Receiving Certificates Locally 4. Click the Request ID for the request to view it. 5. The top part of the request details contains the data used for the request and the base-64 encoded blob of the certificate request.
  • Page 75 Listing Certificate Requests The bottom half of the details page shows information like notes for the request, the time it was submitted and, if it has been processed, the time and agent who reviewed it.
  • Page 76: Approving Certificate Requests

    Chapter 6. RA: Requesting and Receiving Certificates Locally 6.2. Approving Certificate Requests After the certificate request has been received, it needs to be approved by the RA agent. Approved requests are immediately sent to the CA to be issued. To approve the certificate request: 1.
  • Page 77: Listing Certificates

    Listing Certificates Once the request is approved, the method for delivering the approved certificate varies. For example, for RA agent requests, the CA immediately returns a PIN to use to claim the approved certificate. Other users may be able to access their certificate request in the end-entities page and retrieve the certificate immediately.
  • Page 78: Revoking Certificates

    Chapter 6. RA: Requesting and Receiving Certificates Locally 6.4. Revoking Certificates RA agents can revoke certificates that were approved through that Registration Manager instance. 1. Open the RA agent services page.
  • Page 79 Revoking Certificates https://server.example.com:12889/agent/index.cgi 2. Click the List Certificates link. 3. All of the certificates which have been processed through the RA are listed. 4. Open the certificate to revoke by clicking its Serial# in the certificate list. 5. At the bottom of the certificate's details page, click the Revoke link.
  • Page 80: Creating And Managing Users And Groups For An RA

    Chapter 6. RA: Requesting and Receiving Certificates Locally 6. Select the reason that the certificate is being revoked, and then confirm the revocation. 6.5. Creating and Managing Users and Groups for an RA When an RA is first created, certain default users and groups with default roles are created automatically.
  • Page 81 Managing RA Groups 6.5.1.2. Creating a New Group for an RA 1. Open the RA services page. https://server.example.com:12889/services 2. Click the Administrator Services link. 3. Click the New Group link. 4. Fill in the group ID and the name of the group; the name can be longer than the GID, more like a description, to help differentiate the group.
  • Page 82 Chapter 6. RA: Requesting and Receiving Certificates Locally 5. Click the Add New Group link at the top of the form. 6. After the group is created, add it to the RA configuration so that the group has agent or administrative functions.
  • Page 83 Managing RA Groups 5. In the group page, each current member of the group is listed, with a [Delete] link next to the name. Existing users who are not members of the group are listed in a drop-down menu. To add a member, select the name from the menu, and click Add.
  • Page 84: Managing RA Users

    Chapter 6. RA: Requesting and Receiving Certificates Locally 6.5.2. Managing RA Users RAs have two distinct types of users: agents and administrators. There is a division between agent tasks and administrative tasks, even though both sets of functions are accessed through web services pages. RA agent tasks manage operations related to issuing certificates, like approving requests.
  • Page 85 Managing RA Users 6.5.2.2. Creating a New User for an RA 1. Generate a new certificate for the user. All access to the RA web services pages is done through certificate-based authentication, so all RA agents and administrators must have a certificate. See Section 6.5.2.3, “Generating Agent Certificates for RA Agents”.
  • Page 86 Chapter 6. RA: Requesting and Receiving Certificates Locally https://server.example.com:12889/services 3. Click the Administrator Services link. 4. Click the New User link. 5. Fill in the user ID, full name, and email address of the user, and paste in the base 64-encoded certificate requested in the first step.
  • Page 87 Managing RA Users c. Click PIN Creation Request. d. Enter an appropriate UID and email address. By default, notifications are enabled for the RA subsystem, so as soon as the certificate request is submitted, a notification is sent to the agent queue. 2.
  • Page 88 Chapter 6. RA: Requesting and Receiving Certificates Locally a. Open the agent services page. b. Click List Requests. The PIN request is listed in a table with a status of OPEN. c. Click the Request ID to display the details of the request. d.
  • Page 89 Managing RA Users b. Click Request Status Check. c. In the Request ID field, enter the ID of the PIN request. d. Click the value in the Import Certificate field to display the one-time PIN. e. Click Agent Enrollment again, and then click the Certificate Enrollment link. Enter the user ID and the PIN.
  • Page 90 Chapter 6. RA: Requesting and Receiving Certificates Locally...
  • Page 91: DRM: Recovering Encrypted Data

    Chapter 7. DRM: Recovering Encrypted Data This chapter describes how authorized Data Recovery Manager (DRM) agents process key recovery requests and recover stored encrypted data when the encryption key has been lost. This service is available only when the DRM subsystem is installed. 7.1.
  • Page 92 Chapter 7. DRM: Recovering Encrypted Data There are three request types: • Show Key Archivals requests • Show Key Recovery requests • Show Token Key requests • Show all requests 4. Select the status of requests from the Request status menu. •...
  • Page 93 Listing Requests 7. The DRM displays a list of the key service requests that match the search criteria. Select a request from the list to examine it in more detail. 8. On the Key Service Request Queue form, find a particular request. If the desired request is not shown, scroll to the bottom of the list, and use the arrows to move to another page of search results.
  • Page 94: Finding And Recovering Keys

    Chapter 7. DRM: Recovering Encrypted Data NOTE If the system changes the state of the displayed request, using the browser's Back or Forward buttons or the history to navigate through the pages can cause the data shown to become out of date. To refresh the data, click the highlighted key identifier at the top of the page.
  • Page 95: Finding Archived Keys

    Finding Archived Keys In the old scheme, the password for the storage token was split and protected by individual recovery agent passwords. This made it hard to access the storage private key, but it did not allow CS to fully leverage the key protection facility provided by the underlying hardware token. In the new scheme, CS uses its existing access control scheme to ensure recovery agents are appropriately authenticated via SSL, and ensures that the agent belongs to the specific recovery agent group.
  • Page 96 Chapter 7. DRM: Recovering Encrypted Data Figure 7.1. Search for Keys Page 3. To search by particular criteria, use the different sections of the Search for Keys or Recover Keys form. To use a section, select the check box for that section, then fill in any necessary information.
  • Page 97 Finding Archived Keys • To find a key with a specific key identifier, enter the key identifier in both the upper limit and lower limit fields in decimal or hexadecimal form. Use 0x to indicate the beginning of a hexadecimal number; for example, 0x2A. Key identifiers are displayed in hexadecimal form in the Search Results and Details pages.
  • Page 98 Chapter 7. DRM: Recovering Encrypted Data Figure 7.2. Search Results Page 5. In the Search Results form, select a key. If a desired key is not shown, scroll to the bottom of the list and use the arrows to move to another page of search results.
  • Page 99: Recovering Keys

    Recovering Keys Figure 7.3. Key Details Page 7.2.2. Recovering Keys If the search was initiated through the Recover Keys button, the Search Results page also allows the agent to initiate the recovery of any key found. 7.2.2.1. Initiating Key Recovery 1.
  • Page 100 Chapter 7. DRM: Recovering Encrypted Data The number of key recovery agent authorizations required to recover a key is configured by the DRM administrator by setting the following parameters in the CS.cfg file. kra.noOfRequiredRecoveryAgents=1 kra.recoveryAgentGroup=Data Recovery Manager Agents 4. Set the PKCS #12 token password that the requester uses to import the recovered certificate/key pair package.
  • Page 101 Recovering Keys Selecting this option notifies the key recovery agents that a recovery has been initiated and gives them the recovery authorization reference number. The recovery authorization reference number is listed at the bottom of the page, by the certificate text box. NOTE Do not close the browser after initiating the key recovery.
  • Page 102 Chapter 7. DRM: Recovering Encrypted Data 7.2.2.2. Getting Agent Approval for Key Recovery Every DRM agent must approve the key recovery once the agent receives the recovery authorization number. 1. Open the DRM agent services page. https://server.example.com:10443/kra/agent/kra 2. Select Authorize Recovery. 3.
  • Page 103 Recovering Keys 4. Select Examine to examine the key being recovered. 5. Select Grant to complete the key recovery.
  • Page 104 Chapter 7. DRM: Recovering Encrypted Data 7.2.2.3. Recovering the Key 1. Once all agents have authorized the recovery, the agent who initiated the key recovery request is given a link to download (import) the PKCS #12 file. 2. When selecting the PKCS #12 file, a dialog box appears. Specify the path and filename to save the encrypted file containing the recovered certificate and key pair.
  • Page 105: Online Certificate Status Manager: Verifying Certificate Status

    Chapter 8. Online Certificate Status Manager: Verifying Certificate Status This chapter describes how to perform Online Certificate Status Manager (OCSP) agent tasks, such as identifying a CA to the Online Certificate Status Manager and adding a CRL to the Online Certificate Status Manager's internal database.
  • Page 106: Identifying A CA To The Online Certificate Status Manager

    Chapter 8. Online Certificate Status Manager: Verifying Certificate Status Figure 8.1. OCSP List Certificate Authorities Page 8.2. Identifying a CA to the Online Certificate Status Manager The Online Certificate Status Manager can be configured to receive CRLs from multiple Certificate Managers.
  • Page 107 Identifying a CA to the Online Certificate Status Manager 5. Click on the subject name. 6. In the certificate contents page, scroll to the Base 64 encoded certificate section, which shows the CA signing certificate in its base 64-encoded format. 7.
  • Page 108 Chapter 8. Online Certificate Status Manager: Verifying Certificate Status Figure 8.2. Add Certificate Authority Page 11. Click Add. The certificate is added to the internal database of the Online Certificate Status Manager. NOTE If the CA contains multiple CRL distribution points, always publish the master CRL (the CRL that contains all revoked certificates from that CA) to the OCSP responder.
  • Page 109: Adding A CRL To The Online Certificate Status Manager

    Adding a CRL to the Online Certificate Status Manager 12. To verify that the certificate is added successfully, click List Certificate Authorities in the left frame. The next page shows information about the Certificate Manager that was added. NOTE If the deployment contains chained CAs, such as a root CA and then several subordinate CAs, add each CA certificate separately to the OCSP responder.
  • Page 110: Checking The Revocation Status Of A Certificate

    Chapter 8. Online Certificate Status Manager: Verifying Certificate Status 9. Click Add. The CRL is added to the internal database of the Online Certificate Status Manager. 8.4. Checking the Revocation Status of a Certificate The revocation status of a certificate is checked by submitting the certificate in its base-64 encoded format to the Online Certificate Status Manager.
  • Page 111 Checking the Revocation Status of a Certificate NOTE The easiest way to get the certificate to verify is to retrieve it from the issuing CA. It is also possible to export it from the client using it, like a browser. 2.
  • Page 112 Chapter 8. Online Certificate Status Manager: Verifying Certificate Status 10. Paste the certificate inside the Base 64 encoded certificate text area. 11. Click Check. 12. The results page shows the status of the certificate that was submitted.
  • Page 113: OCSP Responder Summary

    OCSP Responder Summary 8.5. OCSP Responder Summary The Online Certificate Status Manager agent services page also includes a summary of the total processes performed by the subsystem instance, like the total number of OCSP requests and their total processing time since the instance was last started. This is a useful way to track traffic for an OCSP responder and its performance.
  • Page 114 Chapter 8. Online Certificate Status Manager: Verifying Certificate Status Figure 8.3. OCSP Summary The signing time is the amount of processing time spent signing responses. The processing time is the time spent verifying the status of the certificate. The total time is the sum of the signing and processing times.
  • Page 115: TPS: Managing Token And Smart Card Operations

    Chapter 9. TPS: Managing Token and Smart Card Operations The Token Processing System (TPS) interacts with the Enterprise Security Client to format tokens, issue certificates on them, and manage the tokens. These tasks are performed by TPS agents using the TPS agent services pages. The TPS, like the RA, has no separate administrative console;...
  • Page 116: Performing Operator Tasks

    Chapter 9. TPS: Managing Token and Smart Card Operations NOTE There is no HTML end entities page for TPS services since end entity tasks are performed through the Enterprise Security Client. The TPS services pages manage four areas for tokens: •...
  • Page 117: Searching Tokens

    Searching Tokens Figure 9.2. Operator Tasks IMPORTANT A user can only see entries relating to the profile configured for it. This means that all results are filtered by the profiles that the user can view, including listing and searching for certificates, tokens, or activities.
  • Page 118: Viewing Tokens

    Chapter 9. TPS: Managing Token and Smart Card Operations Figure 9.3. Results for Searching for Tokens There is a maximum allowed number of search results configured for the TPS Directory Server database, so the number of entries returned is constrained by the search limit. Each results page shows 25 records.
  • Page 119 Viewing Tokens The token information shows the current definition and state of the token: • Token, the token ID number entered in the TPS. • User ID, user of the token. • Status and Reason, the current state of the token. •...
  • Page 120: Searching Certificates

    Chapter 9. TPS: Managing Token and Smart Card Operations • Clicking the Show Certificates button lists the certificates which are stored on the token. • Clicking the Show Activities button lists the operations which have been performed on the token. 9.2.3.
  • Page 121: Searching Activities

    Searching Activities • User ID, the user ID of the person who is associated with the token • Last Modified At, the timestamp of the last modification to the certificate 9.2.4. Searching Activities Activities are essentially logs for the TPS subsystem, and for the actions taken on individual tokens. To find all tokens, a subset of tokens, or a specific token, click the List/Search Activities link in the Operator Operations tab, and fill in the name of the user or the whole or partial token identification number (CUID).
  • Page 122: Performing Agent Tasks

    Chapter 9. TPS: Managing Token and Smart Card Operations The activities entries are formatted with two lines of information. The first line has the following information: • Activity ID, the unique ID of the activity entry • Token, the ID of the token for which the activity was performed •...
  • Page 123: Searching Tokens

    Searching Tokens Figure 9.6. Agent Tasks 9.3.1. Searching Tokens To look for all tokens, a subset of tokens, or a specific token, click the List/Search Tokens link, and fill in the name of the user or the whole or partial token identification number (CUID). Asterisks (*) can be used in the search fields as wildcards.
  • Page 124: Viewing Tokens

    Chapter 9. TPS: Managing Token and Smart Card Operations Figure 9.7. Searching for Tokens There is a maximum allowed number of search results configured for the TPS Directory Server database, so the number of entries returned is constrained by the search limit. Each results page shows 25 records.
  • Page 125 Viewing Tokens The token information shows the current definition and state of the token: • Token, the token ID number entered in the TPS. • User ID, user of the token. • Status and Reason, the current state of the token. •...
  • Page 126: Managing Tokens

    Chapter 9. TPS: Managing Token and Smart Card Operations • Clicking the Show Certificates button lists the certificates which are stored on the token. • Clicking the Show Activities button lists the operations which have been performed on the token. Section 9.3.3, “Managing Tokens”.
  • Page 127 Managing Tokens Figure 9.9. Editing the Token Information 9.3.3.2. Changing the Token Policy The policy sets rules on what the user can do after the token is enrolled. There are three supported token policies: • RE_ENROLL, which allows a user to re-enroll certificates with the same token •...
  • Page 128 Chapter 9. TPS: Managing Token and Smart Card Operations NOTE If the PIN_RESET policy is not set, then user-initiated PIN resets are allowed by default. If the policy is present and is changed from NO to YES, then a PIN reset can be initiated by the user once;...
  • Page 129 Managing Tokens Figure 9.11. Changing Status There are six possible token statuses. Status | Meaning | Action — The token is physically damaged. | The TPS revokes the user certificates and marks the token lost. | The original certificates are revoked, and new certificates for the user can be generated on a new token.
  • Page 130: Searching Certificates

    Chapter 9. TPS: Managing Token and Smart Card Operations Changing the status of the token to anything other than active has two possible actions. If the token is permanently taken offline (permanently lost, damaged, or terminated), then the certificates on the token are revoked and the token is inactivated. However, if the token is temporarily lost or inaccessible, then the token is essentially suspended, the certificates on it are inactivated, and a new token with temporary certificates is issued.
  • Page 131: Searching Activities

    Searching Activities Figure 9.12. Results for Searching for Certificates The results show all of the information about the certificate: • ID, the unique entry ID for the certificate • Serial number, the serial number of the certificate, which is assigned by the CA which issued it •...
  • Page 132: Performing Administrator Tasks

    Chapter 9. TPS: Managing Token and Smart Card Operations There is a maximum allowed number of search results configured for the TPS Directory Server database, so the number of entries returned is constrained by the search limit. Each results page shows 25 records.
  • Page 133 Performing Administrator Tasks • Adding and deleting tokens manually in the token database • Creating and editing users for the TPS subsystem • Managing audit logging for the TPS instance An administrator can also perform common tasks, like viewing tokens and activity logs. IMPORTANT A user can only see entries relating to the profile configured for it.
  • Page 134: Managing Tokens

    Chapter 9. TPS: Managing Token and Smart Card Operations 9.4.1. Managing Tokens Administrators cannot manage token information the way that agents can, but they can manually create or delete token entries from the token database, the repository which the TPS uses to identify and manage tokens.
  • Page 135 Managing Tokens Figure 9.15. Searching for Tokens There is a maximum allowed number of search results configured for the TPS Directory Server database, so the number of entries returned is constrained by the search limit. Each results page shows 25 records. 9.4.1.3.
  • Page 136 Chapter 9. TPS: Managing Token and Smart Card Operations The token information shows the current definition and state of the token: • Token, the token ID number entered in the TPS. • User ID, user of the token. • Status and Reason, the current state of the token. •...
  • Page 137: Managing TPS Users

    Managing TPS Users • Clicking the Show Certificates button lists the certificates which are stored on the token. • Clicking the Show Activities button lists the operations which have been performed on the token. 9.4.1.4. Deleting the Token 1. Search for the token, and click its ID link. 2.
  • Page 138 Chapter 9. TPS: Managing Token and Smart Card Operations IMPORTANT A TPS administrator must have a signing certificate. The recommended profile to use is Manual User Signing and Encryption Certificates Enrollment. 2. Click the Add New User link in the Administrator Operations tab. 3.
  • Page 139 Managing TPS Users NOTE A user can only see entries relating to the profile configured for it, including both token operations and tokens themselves. For an administrator to be able to search and manage all tokens configured in the TPS, the administrator user entry should be set to All profiles.
  • Page 140: Searching Activities

    Chapter 9. TPS: Managing Token and Smart Card Operations 2. Near the top of the page is a series of check boxes for the different roles, Operator, Agent, and Administrator. Check the boxes to assign the roles. 3. Click the Update button to save the new role settings. 9.4.2.5.
  • Page 141: Managing The TPS Audit Logs

    Managing the TPS Audit Logs Figure 9.16. Results for Searching Activities The activities entries are formatted with two lines of information. The first line has the following information: • Activity ID, the unique ID of the activity entry • Token, the ID of the token for which the activity was performed •...
  • Page 142 Chapter 9. TPS: Managing Token and Smart Card Operations TPS audit log settings are managed by clicking the Configuring Signed Audit Logging link in the Administrator Operations tab. Figure 9.17. Configuring TPS Audit Logging Audit logs are stored with the other subsystem logs in /var/log/subsystem_name (by default). Signed audit logs are written to /var/log/subsystem_name/signedAudit.
  • Page 143: Conflicting Token Certificate Status Information

    Conflicting Token Certificate Status Information There are two parts to enabling audit logging. The first is enabling the audit log itself, using the Enable | Disable radio buttons. The second part is enabling signed audit logging. This signs the audit log after every entry with a dedicated signing certificate, so that any tampering with the log can be detected.
  • Page 144 Chapter 9. TPS: Managing Token and Smart Card Operations • Signing #1 - revoked • Signing #2 - active • Encrypt #1 - active If Token #1 is found, then the certificates for Token #2 are revoked and the certificates for Token #1 are reactivated.
  • Page 145: Index

    Index cryptography concepts , v Data Recovery Manager , 81 agent services forms , 7 accessing end-entity gateways , 3 overview , 2 accessing forms, 10 Directory Server agent services forms Certificate System and , 59 accessing , 10 Certificate Manager , 4 Data Recovery Manager , 7 end entities , 1 Online Certificate Status Manager , 7...
  • Page 146 Index enabling and disabling , 25 how profiles work , 17 working with , 17 Registration Manager agent services forms , 6 overview , 2 Request details form , 34 Request Queue form , 33 request status, on List Requests form , 32 requests approving , 40 requests, enrollment...

This manual is also suitable for:

Certificate system 8.0 - administration