Red Hat CERTIFICATE SYSTEM ENTERPRISE - SECURITY GUIDE Manual

Red Hat Certificate System Enterprise
Security Client Guide
Red Hat Author(s): Red Hat, Inc.
ISBN: N/A
Publication date:


Summary of Contents for Red Hat CERTIFICATE SYSTEM ENTERPRISE - SECURITY GUIDE

  • Page 1 Red Hat Certificate System Enterprise Security Client Guide Red Hat Author(s): Red Hat, Inc. ISBN: N/A Publication date:...
  • Page 2 Red Hat Certificate System Enterprise Security Client Guide...
  • Page 3 Red Hat Certificate System Enterprise Security Client Guide: Copyright © 2006 Red Hat, Inc. All rights reserved. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0. A copy of this license is available at http://www.opencontent.org/openpub .
  • Page 4 Red Hat Certificate System Enterprise Security Client Guide...
  • Page 5: Table Of Contents

    1. Introduction ...................... 1
       1. Features ...................... 1
    2. Platform Support .................... 5
    3. Installation ...................... 7
       1. Installation on Windows .................. 7
       2. Installation on Red Hat Enterprise Linux ............ 15
       3. Installation on Mac OS X ................ 16
    4. Using the Enterprise Security Client ............... 21
       1.
  • Page 7: Introduction

    Chapter 1. Introduction The Red Hat Certificate System creates, manages, renews, and deletes certificates and keys within an organization. There are five subsystems which govern the behavior of the public-key infrastructure (PKI) of the organization: • The Certificate Authority (CA), which creates, renews, and revokes certificates. •...
  • Page 8 Chapter 1. Introduction interface URL without requiring any user configuration. • Enterprise Security Client has diagnostic logging that records common access and events and records potential errors such as interruptions with the connection between the Enterprise Security Client and TPS server. •...
  • Page 9 Features On most operating systems, many programs maintain an icon in the tray or notification area. These icons can be used to control the operation of the program, usually through context menus when the icon is right-clicked. In the default Enterprise Security Client configuration, Enterprise Security Client launches and automatically minimizes to the tray.
  • Page 11: Platform Support

    Chapter 2. Platform Support Enterprise Security Client supports the following platforms: • Red Hat Enterprise Linux 4 AS (Intel x86) • Red Hat Enterprise Linux 4 ES (Intel x86) • Microsoft Windows XP • Apple Mac OS X 10.4.x (Tiger) Smart Card Support.
  • Page 13: Installation

    Chapter 3. Installation Enterprise Security Client is packaged as a set of RPMs and other files that are part of the complete Certificate System distribution. These are listed in the installation chapter of the Certificate System Administrator's Guide. The first step for installing Enterprise Security Client is successfully obtaining the needed Enterprise Security Client packages.
  • Page 14 Chapter 3. Installation Figure 3.1. Launching the Installation Wizard 3. The wizard displays the list of packages which will be installed.
  • Page 15 Installation on Windows Figure 3.2. Launching the Installation Wizard 4. The wizard screen asks for the final installation directory for Enterprise Security Client. The default is C:\Program Files\Red Hat\ESC...
  • Page 16 Chapter 3. Installation Figure 3.3. Installation Directory 5. The wizard screen asks for the start menu directory for Enterprise Security Client. The default Red Hat...
  • Page 17 Installation on Windows Figure 3.4. Start Menu Directory 6. Proceed through the Enterprise Security Client installation wizard. Click Install to begin installing the Enterprise Security Client components. NOTE The installation process also installs the CoolKey PKCS #11 driver and Egate drivers needed for Certificate System-supported keys and automatically installs the Certificate System PKCS #11 module in any Mozilla browsers it can locate.
  • Page 18 Chapter 3. Installation Figure 3.5. Beginning Installation...
  • Page 19 Installation on Windows Figure 3.6. Installation Progress 7. Once the installation has completed, Enterprise Security Client will prompt for the user to insert a token and can be launched for immediate use.
  • Page 20 Chapter 3. Installation Figure 3.7. Launching the Smart Card Manager 8. Click the Finish button to complete the installation.
  • Page 21: Installation On Red Hat Enterprise Linux

    Installation on Red Hat Enterprise Linux Figure 3.8. Completing Installation 2. Installation on Red Hat Enterprise Linux To install Enterprise Security Client and its supporting components on Red Hat Enterprise Linux, do the following: NOTE If the up2date utility was already used to install Enterprise Security Client, there is no need for further installation;...
  • Page 22: Installation On Mac Os X

    Chapter 3. Installation rpm -ivh ccid-1.0.1-5.i386.rpm rpm -ivh pcsc-lite-1.3.1-7.i386.rpm rpm -ivh pcsc-lite-libs-1.3.1-7.i386.rpm rpm -ivh ifd-egate-0.05-15.i386.rpm rpm -ivh coolkey-1.0.1-4.i386.rpm rpm -ivh esc-1.0.0-19.i386.rpm The version numbers for the different packages may differ from those listed here because of updates, patches, or other releases; they are included only as an example. The Enterprise Security Client installation is located in .
  • Page 23 Installation on Mac OS X Figure 3.9. Mac Installation Program b. Select the location to install the CoolKey package. Figure 3.10. Installation Location c. Click the Upgrade button to begin installation.
  • Page 24 Chapter 3. Installation Figure 3.11. Launch Installation d. Supply the Mac administrator password. Figure 3.12. Mac Admin Password...
  • Page 25 Installation on Mac OS X e. Click the Close button to complete the installation. Figure 3.13. Finish Installation When the process is completed, the Egate token drivers, the PKCS11 module, and the TokenD software are installed on the local system.
  • Page 27: Using The Enterprise Security Client

    Chapter 4. Using the Enterprise Security Client The following section contains basic instructions on using the Enterprise Security Client for token enrollment, formatting, and password reset operations. 1. Launching Enterprise Security Client • On Red Hat Enterprise Linux 4, launch Enterprise Security Client by typing at the command prompt;...
  • Page 28 Chapter 4. Using the Enterprise Security Client Since the Enterprise Security Client is based on Mozilla XULRunner, each user has a profile similar to the user profiles used by Mozilla Firefox or Thunderbird. The Enterprise Security Client accesses the configuration preferences file. When the Enterprise Security Client caches information for each token, the information is stored in the user's configuration file.
  • Page 29 Phone Home "http://www.test.example.com" The Phone Home feature and the different types of information used by it only work when the TPS has been properly configured to use Phone Home. If the TPS is not configured for Phone Home, this feature is ignored. Example 4.1, “TPS Phone Home Configuration File”...
  • Page 30: Windows Cryptographic Service Provider

    Chapter 4. Using the Enterprise Security Client Figure 4.1. Prompt for Phone Home Information The TPS configuration URI is the URL of the TPS server which returns the rest of the Phone Home information to the Enterprise Security Client. An example of this URL is .
  • Page 31: Smart Card Auto Enrollment

    Smart Card Auto Enrollment The CAPI store is a repository controlled by Windows that houses a collection of digital certificates associated with a given CSP. CAPI oversees the certificates, while each CSP controls the cryptographic keys belonging to the certificates. The Certificate System CSP is designed to provide cryptographic functions on behalf of Windows using our supported smart cards.
  • Page 32 Chapter 4. Using the Enterprise Security Client traditional full-sized smart card into a smart card reader. 3. When the system recognizes the smart card, it displays a message indicating it has detected an uninitiated smart card. Figure 4.2. Smart Card Enrollment with a Card This screen gives the option either to close the dialog or to proceed with enrolling the smart card.
  • Page 33 Smart Card Auto Enrollment Figure 4.3. Smart Card Enrollment Message When the Card Is Removed Reinserting the card brings the previous dialog back with the option to enroll the smart card. Click Enroll My Smart Card to continue with the enrollment process. 4.
  • Page 34 Chapter 4. Using the Enterprise Security Client Figure 4.4. Smart Card Enrollment Page 5. This example is the default enrollment UI included with the TPS server. This UI is a standard HTML form, so simple modifications, such as setting the company logo, adding extra text, or changing field text, are possible.
  • Page 35 Smart Card Auto Enrollment NOTE The LDAP user ID and password refer to the fact that the TPS server is usually associated with a Directory Server which stores user information and to which the TPS refers to authenticate users. • Password. This sets the smart card's password, used to protect the card information. •...
  • Page 36: Customizing The Smart Card Enrollment User Interface

    Chapter 4. Using the Enterprise Security Client Figure 4.5. Smart Card Enrollment Success Message 5. Customizing the Smart Card Enrollment User Interface The Certificate System TPS subsystem has a generic external smartcard enrollment user interface which is formatted in standard HTML and Javascript. This makes the interface page appearance easy to customize.
  • Page 37 Customizing the Smart Card Enrollment The default HTML page, shown in Example 4.2, “Customizing the Smart Card Enrollment User Interface”, can be edited to change the colors, images, and layout. <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <link rel=stylesheet href="/home/style.css" type="text/css"> <!-- Change the title if desired -->...
  • Page 38: Managing Smart Cards

    Chapter 4. Using the Enterprise Security Client <td><input type="password" id="snamepwd" value=""></td> </tr> </table> <p class="bodyText"> Before you can use your smartcard, you need a password to protect it.</p> <table> <tr> <td><p >Password:</p></td> <td><input type="password" id="pintf" name="pintf" value=""></td> <td><p >Re-Enter Password:</p></td> <td><input type="password"...
  • Page 39: Formatting The Smart Card

    User Interface Figure 4.6. Manage Smart Cards Page 6.1. Formatting the Smart Card Formatting the card brings the smart card to the uninitialized state, which removes all the user keypairs previously generated and erases the password set on the smart card during enrollment.
  • Page 40: Reset Smart Card Password

    Chapter 4. Using the Enterprise Security Client 6.2. Reset Smart Card Password If a user forgets the password for a smart card after the card is enrolled, it is possible to reset the password by doing the following: 1. Place a supported smart card into the USB slot of the computer. Make sure the smart card shows up in the Active Smart Cards table.
  • Page 41: Enrolling Smart Cards

    Enrolling Smart Cards The View Certificates button shows basic information about the selected smart card, including the keys and certificates stored on it. 1. Place a supported smart card into the USB slot of the computer. Make sure the card shows up in the Active Smart Cards table.
  • Page 42 Chapter 4. Using the Enterprise Security Client Figure 4.9. Manual Enrollment Form Enrolling a token with the user key pairs means the token can be used for certificate-based operations such as SSL client authentication and S/MIME. NOTE The TPS server can be configured to generate the user key pairs on the server and then archive them in the DRM subsystem for recovery if the token is lost.
  • Page 43: Diagnosing Problems

    Diagnosing Problems 5. The TPS server can be configured to authenticate the enrollment operation. If the TPS has been configured for authentication, enter the user credentials when the dialog box appears, and click OK. Figure 4.10. LDAP Authentication Prompt 6. The enrollment process will begin generating and archiving keys, if the TPS is configured to archive keys to the DRM.
  • Page 44 Chapter 4. Using the Enterprise Security Client • Problems occur during a smart card operation, such as a certificate enrollment, password reset, or format operation. • The Enterprise Security Client loses the connection to the smart card. This can happen when there are problems communicating with the PCSC daemon.
  • Page 45 Diagnosing Problems Figure 4.11. Diagnostics Screen The diagnostics screen displays the following information: • The Enterprise Security Client version number. • The version information for the system upon which the client is running. • The number of cards detected by the Enterprise Security Client. For each card detected, the following information is shown:...
  • Page 46 Chapter 4. Using the Enterprise Security Client • The version of the applet running inside the smart card. • The alpha-numeric ID of the card. • The card's status, which can be NO_APPLET (no key is detected), UNINITIALIZED (the key is detected, but no certificates have been enrolled), or (the detected card has been...
  • Page 47: Using Enterprise Security Client Keys For Ssl Client Authentication And S/Mime

    Chapter 5. Using Enterprise Security Client Keys for SSL Client Authentication and S/MIME After a token is enrolled, the token can be used for SSL client authentication and S/MIME email applications. The PKCS #11 module has different names and locations depending on the operating system. Platform Module Name Location...
  • Page 48 Chapter 5. Using Enterprise Security Client Keys for SSL Client Authentication and S/MIME 3. If the CA is not yet trusted, download and import the CA certificate. a. Open the SSL End Entity page on the CA. For example: https://example.com:9443/ca/ee/ca b.
  • Page 49: S/Mime Applications

    S/MIME Applications The certificates can be used for SSL. 2. S/MIME Applications To enable S/MIME on mail applications such as Mozilla Thunderbird: 1. In Mozilla Thunderbird, open the Edit menu, and select Account Settings. 2. Select Security on the left. 3.
  • Page 50 Chapter 5. Using Enterprise Security Client Keys for SSL Client Authentication and S/MIME 6. In the Encryption of the Security panel, click Select to choose the certificate to encrypt and decrypt messages.
  • Page 51: Uninstalling Enterprise Security Client

    Chapter 6. Uninstalling Enterprise Security Client This section provides platform-specific instructions to uninstall Enterprise Security Client. 1. Uninstalling on Windows 1. Unplug all USB tokens. 2. Stop Enterprise Security Client. 3. Open the Control Panel, and select the Add Remove Programs icon. 4.
  • Page 52 Chapter 6. Uninstalling Enterprise Security Client NOTE There is no uninstallation program for the Mac.
  • Page 53: Enterprise Security Client Configuration

    Appendix A. Enterprise Security Client Configuration Previously, Enterprise Security Client relied on an application-specific configuration file. Enterprise Security Client is now based on Mozilla XULRunner technology, which allows the preferences facility built into Mozilla to be used for simple configuration of the Enterprise Security Client.
  • Page 54: Enterprise Security Client Mac Tokend

    Appendix A. Enterprise Security Client Configuration • Windows: C:\Documents and Settings\$USER\Application Data\RedHat\ESC\Profiles • Red Hat Enterprise Linux: ~/.redhat/esc • Mac: ~/Library/Application Support/ESC/Profiles The esc-prefs.js file section below shows the Enterprise Security Client-supported configuration values. ################################################################# #The entry below is the XUL chrome page where Enterprise Security #Client proceeds on startup.
  • Page 55: Verifying The Tokend Is Working

    Verifying the TokenD Is Working on smart cards or keys. CoolKey TokenD allows a Certificate System key to show as a KeyChain. 2.1. Verifying the TokenD Is Working 1. Make sure Enterprise Security Client has been installed on the Mac computer. 2.
  • Page 56: Quick Javascript Ui Guide

    //ESC.js : Core Enterprise Security Client functionality ... // Attach to the Enterprise Security Client XPCOM object on load try { netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); netkey = Components.classes["@redhat.com/rhCoolKey"].getService(); netkey = netkey.QueryInterface(Components.interfaces.rhICoolKey); gNotify = new jsNotify; netkey.rhCoolKeySetNotifyCallback(gNotify); } catch(e) { alert("Can't get UniversalXPConnect: " + e);...
  • Page 57: Windows

    Windows • Windows: C:\Program Files\Red Hat\ESC • Red Hat Enterprise Linux: /usr/lib/esc-1.0.0/esc • Mac: ESC.app, in a user-chosen directory, usually the desktop 4.1. Windows On Windows, Enterprise Security Client uses the following directories and files: • Main directory: C:\Program Files\Red Hat\ESC •...
  • Page 58 Appendix A. Enterprise Security Client Configuration • Privately deployed XUL framework in Contents/ • Info.plist • Frameworks/ • XUL.framework/ • Resources • Enterprise Security Client XULRunner application configuration file: application.ini • Enterprise Security Client XPCOM components: components/ • Directory for Chrome components and additional application files for Enterprise Security Client XUL and Javascript: chrome/ •...
  • Page 59: Index

    Index...