Audit Logs; Certificate Profiles - Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual

Understanding Subsystem Setup
You can also configure new groups and assign them privileges other than the
default privileges assigned to the default groups, thus creating new roles in the
subsystem. You do this by creating a group, setting up ACIs for this group in the
ACLs pertinent to the privileges you want to define for this group.
For complete information on creating users, assigning them to groups, creating
groups, and changing the ACLs, see Chapter 8, "Authorization."
Note that while you have the flexibility to add groups and change the ACLs under
the Common Criteria Environment, you have to be extra cautious about creating
scenarios that are not secure, for example allowing anyone access to the agent
services interface. You also need to be careful when making changes to the default
roles, or when adding roles that you do not create security holes or vulnerabilities.
Any custom plug-ins for the Access Control feature are not part of the Common
Criteria Environment. Also recall that any custom plug-ins for the Access Control
feature are not part of the Common Criteria Environment.

Audit Logs

The Common Criteria Environment requires that the signed audit log file feature
be enabled and configured. "Signed Audit Log" on page 277 provides complete
information about how to set up the signed audit feature.

Certificate Profiles

In the Common Criteria Environment, you must set up the certificate profiles
feature for certificate enrollment in a CA or RA subsystem. You can set up and
enable any or all of the prebuilt certificate profiles. You can also create other
certificate profiles in the CMS Administrative console using the defaults,
constraints, inputs, and outputs that are defined. Custom plug-ins for any of the
components of the certificate profile feature are not supported as part of the
Common Criteria Environment. It is important to note that only the CMS (CA, RA)
administrators are allowed to configure the certificate enrollment profiles (setting
ranges for fields, enabling extensions, etc.), and it is the CMS (CA, RA) agents'
responsibility to approve the fields and extensions in the certificate profiles
enabled by the Administrators. You will be instructed on how to perform these
operations.
See the Chapter 10, "Certificate Profiles" for complete information about certificate
profiles.
Appendix C Understanding the Common Criteria Evaluated CMS Setup 693