Connectors For Linking Trusted Managers - Netscape MANAGEMENT SYSTEM 6.0 Installation And Setup Manual

Privileged-User Types and Responsibilities

Connectors for Linking Trusted Managers

Certificate Management System supports proprietary HTTPS connectors for
linking CMS subsystems. You can use these connectors to make the following
connections:
• Registration Manager to Certificate Manager
• Registration Manager to Data Recovery Manager
• Certificate Manager to Data Recovery Manager
• Certificate Manager to Certificate Manager (in a cloned-CA setup, which is
explained in "Cloning a Certificate Manager" on page 282)
Figure 13-2 illustrates how a trusted Registration Manager communicates with a
Certificate Manager.
Figure 13-2
Keep in mind that a trusted manager does not take on the main functions of the
subsystem that trusts it. For example, if a Registration Manager is connected to a
Certificate Manager, the Registration Manager has no authority to issue (sign)
certificates or CRLs. It receives end-entity requests, authenticates them, and
forwards them to the Certificate Manager for signing. After receiving a response
from the Certificate Manager, it notifies the end entity of the results.
Similarly, a Certificate Manager or Registration Manager connected to a Data
Recovery Manager has no authority to archive and recover end users' encryption
private keys.
You can configure a subsystem to trust one or more managers. You do this by
adding these managers as privileged users to the internal database of that
subsystem, assigning them memberships in the appropriate group, and identifying
the certificates the managers must use for SSL client authentication to the
subsystem they report to. For information about adding a trusted manager, see
"Setting Up Trusted Managers" on page 397.
382 Netscape Certificate Management System Installation and Setup Guide • March 2002
Connectivity service between a trusted Registration Manager and other
subsystems