Configuring TPS Enrollment Operations - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual


Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client
op.format.tokenKey.revokeCert=true
The different format operations can be configured to happen automatically by setting the appropriate
parameters in the CS.cfg file. The TPS can also be configured with other options, such as requiring
LDAP authentication and setting which subsystem instances will process the formatting operations.
The parameters are listed in Table 5.1, "Format Operation Parameters".

Parameter
    Description

op.format.tokenType.update.applet.emptyToken.enable
    Specifies whether TPS should upload an applet to the token when it does
op.format.tokenType.update.applet.requiredVersion
    The version of the applet to use. It should be the file name of the applet w
op.format.tokenType.update.applet.directory
    The local (to the TPS) filesystem directory where the applets are located
op.format.tokenType.update.symmetricKeys.enable
    Specifies if the key changeover feature should be enabled. The valid valu
    sent by the token matches symmetricKeys.requiredVersion.
op.format.tokenType.update.symmetricKeys.requiredVersion
    The required key version.
op.format.tokenType.revokeCert
    Specifies if TPS should revoke the certificates associated with the token d
    true|false.
op.format.tokenType.ca.conn
    The CA connection to use.
op.format.tokenType.loginRequest.enable
    Specifies if the login request should be sent to the token. This parameter
op.format.tokenType.tks.conn
    The TKS connection to use.
op.format.tokenType.auth.id
    The LDAP authentication instance to use. The default value is ldap1.
op.format.tokenType.auth.enable
    Specifies whether to authenticate the user information. The valid values a
op.format.tokenType.issuerinfo.enable
    Specifies whether the Phone Home information for the Enterprise Securit
op.format.tokenType.issuerinfo.value
    Sets the Phone Home URL; this is the URL for the TPS which the Enterp
    token when it is formatted. For example, https://tps.example.com:

Table 5.1. Format Operation Parameters

5.1.2. Configuring TPS Enrollment Operations

Enrollment covers nearly every step of managing certificates on the token, from issuing them, to
recovering them if they are lost, to revoking them.
Most enrollment parameters occur in pairs, one for signing certificates and one for encryption
certificates. The processes for the two can differ slightly, as in the case of recovery, even for the
same certificate pair. For example:
op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
Each token type, such as soKey for security officers or userKey for regular users, has its own
op.enroll profile definition.
Each enrollment profile definition has two parts for managing keys: how to generate new keys for the
enrollment type and how to recover lost keys for the enrollment type. The profile also defines the CA to
connect to, the CA profile to use, the LDAP instance to authenticate to, and whether to perform key
archival. For example:
... LDAP authentication connection ...
op.enroll.soKey.auth.enable=true
op.enroll.soKey.auth.id=ldap2
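
As an added example (not from the Red Hat manual), this Python script groups the op.format and op.enroll settings of a CS.cfg excerpt by token type and lists the entries an administrator may want to review. The sample configuration is constructed, and the review policy (LDAP authentication enabled, revokeCert=true on format, both signing and encryption CA profiles present) is an assumption rather than a documented requirement.

```python
import re
from collections import defaultdict

# Constructed CS.cfg excerpt (sample values); parameter names are the ones shown on this page.
SAMPLE_CS_CFG = """\
op.format.tokenKey.revokeCert=true
op.format.tokenKey.auth.enable=true
op.format.tokenKey.auth.id=ldap1
op.format.userKey.revokeCert=false
op.format.userKey.auth.enable=false
op.enroll.userKey.auth.enable=true
op.enroll.userKey.auth.id=ldap1
op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollment
op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
op.enroll.soKey.auth.enable=true
op.enroll.soKey.auth.id=ldap2
op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
"""

# Shape of the keys of interest: op.<operation>.<tokenType>.<parameter>=<value>
LINE = re.compile(r"^op\.(format|enroll)\.([^.=]+)\.([^=]+)=(.*)$")

def parse_profiles(text):
    """Group op.format / op.enroll settings as {(operation, tokenType): {param: value}}."""
    profiles = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # comments, blank lines and unrelated keys are skipped
            op, token_type, param, value = m.groups()
            profiles[(op, token_type)][param] = value.strip()
    return dict(profiles)

def audit(profiles):
    """Return sorted (operation, tokenType, finding) tuples under the assumed review policy."""
    findings = []
    for (op, tt), p in profiles.items():
        if p.get("auth.enable", "").lower() != "true":
            findings.append((op, tt, "LDAP authentication not explicitly enabled"))
        if op == "format" and p.get("revokeCert", "").lower() != "true":
            findings.append((op, tt, "revokeCert not set to true"))
        if op == "enroll":  # enrollment parameters normally come in signing/encryption pairs
            for kind in ("signing", "encryption"):
                if not p.get(f"keyGen.{kind}.ca.profileId"):
                    findings.append((op, tt, f"keyGen pair incomplete: no {kind} ca.profileId"))
    return sorted(findings)

if __name__ == "__main__":
    for op, tt, msg in audit(parse_profiles(SAMPLE_CS_CFG)):
        print(f"op.{op}.{tt}: {msg}")
```

An unpaired signing or encryption profile is reported only as an item to check, since a token type may be deliberately configured with a single certificate.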
