Policy Rules; Types Of Policy Rules - Netscape MANAGEMENT SYSTEM 6.01 Installation And Setup Manual


Policy Rules

A policy rule refers to a uniquely configured instance of any policy plug-in
implementation. For example, you can use the plug-in module provided for setting
validity periods on certificates to configure a policy rule that forces validity periods
for all client certificates issued by a Certificate Manager to fall within a
predetermined range, say between 6 and 24 months. A subsystem's policy
configuration can consist of one or more policy rules, each performing one or more
of the following operations:
• Validate the request content by comparing it with configured criteria; reject,
  modify, or defer (for agent approval) the request if any of the request
  parameters are invalid.
• Build certificate content; for example, set common extensions and the validity
  period.
• Enforce organizational constraints, such as subject name, key algorithm, key
  size, and validity period.
• Determine whether the private key should be archived.

Keep in mind that the server applies the rules when processing end-entity requests
and after agent approval (for deferred requests).
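
The rule operations listed above, modeled as an added Python example (not code from this manual or the CMS SDK): a chain of rules that validates, enforces constraints, defers, and builds content, and that is applied again after agent approval. The Request fields, rule names, 2048-bit limit and O=Example Corp suffix are assumptions made for the example; only the 6 to 24 month range comes from the text.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Result(IntEnum):          # ordered so the most severe outcome wins
    ACCEPTED = 0
    DEFERRED = 1                # held for agent approval
    REJECTED = 2

@dataclass
class Request:                  # constructed stand-in for an end-entity request
    subject: str
    key_alg: str
    key_bits: int
    validity_months: int
    agent_approved: bool = False
    extensions: dict = field(default_factory=dict)

def validity_rule(req, lo=6, hi=24):
    """Validate: validity must fall within the configured range (months)."""
    return Result.ACCEPTED if lo <= req.validity_months <= hi else Result.REJECTED

def key_rule(req, alg="RSA", min_bits=2048):      # constructed limits
    """Enforce organizational constraints on key algorithm and size."""
    ok = req.key_alg == alg and req.key_bits >= min_bits
    return Result.ACCEPTED if ok else Result.REJECTED

def subject_rule(req, suffix="O=Example Corp"):   # constructed suffix
    """Defer unexpected subject names until an agent has approved them."""
    if req.subject.endswith(suffix) or req.agent_approved:
        return Result.ACCEPTED
    return Result.DEFERRED

def key_usage_rule(req):
    """Build content: set a default extension, modifying the request."""
    req.extensions.setdefault("keyUsage", "digitalSignature")
    return Result.ACCEPTED

RULES = [validity_rule, key_rule, subject_rule, key_usage_rule]

def evaluate(req, rules=RULES):
    """Run every rule in order; stop at the first rejection."""
    outcome = Result.ACCEPTED
    for rule in rules:
        outcome = max(outcome, rule(req))
        if outcome == Result.REJECTED:
            break
    return outcome
```

Because evaluate() runs the whole chain again on an approved request, agent approval clears only the deferral; a request whose validity was changed to 36 months is still rejected.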

Types of Policy Rules

Certificate Management System supports distinct policy rules for each of the
operations that end entities perform—certificate enrollment, renewal, and
revocation, and key archival and recovery. Consequently, there are five broad
categories of policies, corresponding to these types of operations:
• Enrollment policies
• Renewal policies
• Revocation policies
• Key-archival policies
• Key-recovery policies

To facilitate this classification, Certificate Management System supports a parent
interface for a generic policy rule and other operation-specific interfaces that
extend the parent interface. Check the CMS SDK, available in the form of Javadocs
at this location:
<server_root>/cms_sdk/cms_jdk/javadocs
Introduction to Policy
Chapter 18
Setting Up Policies

This manual is also suitable for:

Certificate management system 6.01
