Password And Certificate Storage; Hardware Token; Protection Of Private And Secret Keys - Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual

Password and Certificate Storage

Plan for the storage of any passwords and certificates. Also plan your user
password policy. Make sure everyone knows and adheres to these policies.

Hardware Token

This environment requires a FIPS 140-1 level 3 certified hardware cryptographic
module.

You need to install the software and hardware for this hardware token before
installing and configuring the subsystems. You will also set up the hardware token
for use with CMS after installing CMS, but before installing a subsystem. Use the
hardware token to create subsystem certificates during installation of each
subsystem.

Protection of Private and Secret Keys

CMS certificate private keys and secret keys are to be generated and stored in a
FIPS 140-1 level 3 certified hardware cryptographic token.

The CMS private (asymmetric) keys are:

• Private key associated with the CA signing certificate.
• Private key associated with the RA-to-CA SSL client certificate.
• Private key associated with the OCSP Responder signing certificate.
• Private key associated with the CA-to-DRM SSL client certificate.
• Private key associated with the DRM transport certificate.
• Private key associated with the CA, RA, DRM, and OCSP SSL server
  certificates.
• Private key associated with the audit log signing certificate.
• Private key associated with the DRM storage certificate used for encrypting
  user subject encryption private keys (for DRM key archival).

The CMS secret (symmetric) key is:

• Symmetric key used to encrypt passwords for password cache (single-sign-on).
  See "Password Cache," on page 253.

Appendix B, Common Criteria Environment: Setup and Operations. IT Environment Assumptions (page 679)

This manual is also suitable for:

Certificate management system 6.1
