Red Hat Certificate System 7.1
Administrator's Guide Addendum

Last updated: June 30, 2005


Table of Contents


Simple Smartcard Management with Certificate System

Introduction

Certificate System includes the capability to manage Global Platform Smartcards - also referred to as tokens. This requires setting up two additional CS subsystems:

TPS: Token Processing System - The client software will interact with the TPS subsystem. TPS is an application which runs on a Netscape Enterprise Server (web server). The TPS must be configured to define the contents of the smartcard, and to interact with other CS subsystems, such as the CA (for issuing certificates) and the DRM (for archival and recovery of user private key material) and the TKS, described below.

TKS: Token Key Service - Performs derivation of symmetric keys defined by the Global Platform specification. These symmetric keys are used by the TPS to encrypt commands and keys sent to the smartcard, to verify that a smartcard is issued by an appropriate authority, and by the card to validate that privileged commands sent to it are from an appropriate entity (the TPS).


The following instructions lead the administrator through a basic TPS and TKS installation.  Once this process is complete, a user will be able to enroll with a smartcard, which can then be used to authenticate to a website or to sign/decrypt email.

For more advanced capability, such as private key archival, high-availability features, applet and symmetric key versioning, customizing certificate profiles, see the section below "Advanced Smartcard Management with Certificate System".


Prerequisites

1. Product binaries

All product binaries for all CS subsystems currently are delivered in a single package - either a tar.gz or RPM format.


2. Blank smartcards for testing

You can install the token management software, and complete all the instructions in this guide without actually having any smartcards on hand, but you will need smartcards later for testing.

The Certificate System Token Management capability has been tested with Axalto e-gate Cyberflex 32k tokens. Small quantities of tokens for testing are available directly from the Axalto website (http://scmegastore.com)

3. Certificate Authority

Having a running certificate authority is a requirement to get the TPS installation completed. If you do not have  Certificate Authority, you can create one immediately after completing the 'setup' program.


Architecture Decisions

The CS architecture is modular, in that subsystems can, (and should) be placed on separate hosts. This allows for stronger separation of system roles, and more flexibility in terms of firewalling and controlling access. However, such a separation is a deployment decision, and is in no way mandated by CS. For a test deployment, for example, it is acceptable to run all subsystems on a single host.


Port numbers / running as root

It is not necessary to run any CS component as root. This is only required if a subsystem needs to listen on a privileged port (such as 80 or 443). If this is the case, it is recommended to install as root and run as root (dropping privileges to the 'nobody' user has been seen to cause some problems).


Installation Procedure

STEP 1: Installation of binaries

The tar.gz and RPM installation procedures differ. The RPM install procedure creates a 'server-root' automatically, with the appropriate binaries.


TAR.GZ format


If you are using the *.tar.gz format of the distribution, unpack with:

  mkdir
  /opt/redhat-cs-installer
  cd /opt/redhat-cs-installer
  gzip -dc /path../*.tar.gz | tar zxvf -

In the /opt/redhat-cs-installer directory, you will see a setup program, which you will run:

   cd /opt/redhat-cs-installer
   ./setup
 
The setup program will ask for the location of the 'server-root' (we suggest /opt/redhat-cs) - the installation directory to which all the installation files are extracted to.


RPM format


If you are using the *RPM format of the distribution, install with:

  rpm --install redhat-cs-7.1-2.RHEL4.i386.rpm

You will find that the product binaries have been installed into a server-root in the /opt/redhat-cs directory.  The setup program (invoked with setup/setup) is used to configure the server in the server-root, and create default instances of the servers.
NOTE: If using the RPM format of the distribution, you will need to run all the server configurations as root.

   cd /opt/redhat-cs
   setup/setup



Result

After running the setup program (you can accept the defaults in most cases), there will be three  servers configured:

1) Directory server (slapd-xxxx). This server is used for two things:
   a) storing information about servers installed in this instance
   b) as a database of users used in our simple smartcard deployment (one of which is the 'admin' user, used to log into console)

  You will need to make a note of:
     the Directory Manager password
     the LDAP port number (we will refer to this when setting up the TPS as the 'authentication directory')

2) Admin server.  This web server is what the management console communicates with in order to configure and manage the servers.

  You will need to make note of:
      the administrator user ID and password.
      the administration URL given at the end of the setup process.

3) Certificate server (cert-xxx). This server is only a default instance. You will complete configuration of this server in the upcoming steps.


STEP 2: Setting up a CA, DRM and TKS

Setting up a CA (Certificate Authority)


If you do not have a CA set up, start the console and configure the default 'cert-xxx' instance to be a CA.

Make a note of:
   the Agent, and EE (SSL) port numbers (the other details are not necessary
   the CA admin user ID and password in the wizard
   the CA admin URL at the end of the installation wizard, which is needed to enroll for the initial agent certificate. The URL looks like this: https://<hostname>:<admin-port>/ca/adminEnroll.html


Visit the above URL in your browser, and enroll for the initial agent certificate, which will allow you to view the request queue and approve certificates for the next steps.

Modifying CA Certificate Profiles


Modify the following CA profiles to include the user's email address in the subjectAltName extension. The email address for the user is retrieved from the authentication directory. Fill in the configuration information for the authentication directory in the following four profiles on the CA:

caTokenUserEncryptionKeyEnrollment.cfg
caTokenUserSigningKeyEnrollment.cfg
caTempTokenUserEncryptionKeyEnrollment.cfg
caTempTokenUserSigningKeyEnrollment.cfg


Edit the profile files on the CA in the following directory <server-root>/cert-<id>/profiles/ca/

policyset.set1.p1.default.params.ldap.enable=true
policyset.set1.p1.default.params.ldap.basedn=ou=people,dc=sfbay,dc=redhat,dc=com [CHANGE AS NEEDED]
policyset.set1.p1.default.params.ldap.ldapconn.host=localhost.example.com        [CHANGE AS NEEDED]
policyset.set1.p1.default.params.ldap.ldapconn.port=389                          [CHANGE AS NEEDED]


[Note: These CA profiles come with ldap lookup disabled by default. The String.Attributes parameter tells CA which ldap attributes to retrieve from your company directory. For example, if your company directory contains "uid" as an ldap attribute name, and you wish to put it in the subject name of the certificate, then you need to have "uid" in the ldapAttributes, and "$request.uid$ as one of the components in the dnpattern.]

Setting up a DRM

It is not necessary to set up a DRM for server-side key generation at this point. However, if you do, the TPS installation in step 3 will let you configure TPS to connect to the DRM. You can also set up TPS manually later, following the instructions in the Advanced section of this guide.

Setting up a TKS (Token Key Service)

Use the console to set up a TKS.  If you have previously configured the default 'cert-xxx' instance as the CA, you will need to create a new instance by right-clicking on  'Server group' and 'Create new instance of Red Hat Certificate System'. Give the new instance the name 'tks'.

If the TKS is the only subsystem in this server-root, you can just go ahead and configure the default 'cert-xxx' instance as the TKS.

Double click the instance to open the configuration wizard.

Configure the new instance by opening the instance, and running through the installation wizard. Select "Token Key Service Manager" in the Subsystem panel.

You will need to submit a certificate request to the CA during the installation process:
  - choose 'send the request to a remote CS now'
  - specify the host/port of the CA
  - approve the request in the CA agent interface
  - go back to the wizard and press next twice
  - select 'the certificate is at the CS where your request was sent' - TKS will pick up the certificate automatically


STEP 3: Setting up a TPS (Token Processing System)

TPS files are in the <server-root>/bin/cert/tps directory.

A setup program to help configure the TPS is provided. Run the TPS setup program now, with the following commands:

   cd <server-root>/bin/cert/tps/setup
   perl create.pl


For reference, an example create.pl has been reproduced in appendix A of this document.


NOTES:

When you are asked to submit the certificate request for the TPS's System Certificate to the CA, submit it to the CA's SSL EE port, under the 'Manual Server Certificate Enrollment' profile. Then login to the agent interface, view the request, and add the requested OID's to the extended key usage field. (this enables the certificate to be used for SSL client-auth from the TPS to the CA, TKS, or DRM)

When you are asked to paste in a CA certificate, you can retrieve this from the CA's EE 'retrieval' tab. Click 'import ca certificate chain', then 'Display certificates in the CA certificate chain for importing individually into a server'.

When you are asked to paste in the TPS Agent Certificate, you can simply re-use the Agent certificate you created for the CA. Find the Certificate using the CA's EE retrieval tab 'List Certificates' interface. (if you used the defaults, your certificate will be called "CN=CS Agent, UID=admin, C=US")

The TPS Agent Interface is a web-based user interface to TPS, which allows certain privileged operations to be performed. You will use this your agent certificate to authenticate to the TPS agent port with SSL client-auth.

Make a note of the URL's printed at the end of the create.pl output.



STEP 4: Configuring TPS/CA/TKS Trust relationships


Configuring the CA to accept requests from the TPS

You must configure the CA with the TPS's credential, so that the CA will issue certificates if they are submitted by the TPS. To do this, follow the following steps:

1. Start the console, and open the CA window

2. Add a special "agent" user:
 - click Configuration -> Users and Groups -> Users -> Add
 - At "Edit User Information", enter all info (phone number and email are optional), including full name (e. g. "TPS Trust Entity").  Select the "Certificate Manager Agents" group.
 - Select the TPS user, Click Certificates, Import the TPS system (SSL) certificate

Configuring the TKS to trust the TPS

1. Open the TKS console window

2. Add a special "agent" user:
 - click Configuration -> Users and Groups -> Users -> Add
 - At "Edit User Information", enter all info, including full name ("TPS Trust Entity"). Select the 'Token Key Service Manager Agents" group.
 - Select the TPS user, Click Certificates, Import the TPS system (SSL) certificate



STEP 5: Verification

Now, start the TPS system by running the <server-root>/tps-xxxx/start program.

Verify that the TPS is running by visiting the TPS Agent page with you browser. You'll need to authenticate with the Agent Certificate.

Next, you can perform an enrollment using the ESC Application. Instructions for this are in the Enterprise Security Client Guide.

Advanced Smartcard Management with Certificate System


Server-side Generation and Archival of Encryption Keys


The Global Platform environment prevents the removal of private keys from the smartcard. In the case of keys used for encryption, it is often necessary to back up the key material for later recovery. This necessitates generating of the keys in an external entity, followed by importing the keys into the smartcard.

In the case of Certificate System, the keys are generated in the DRM subsystem, where archival also (optionally) takes place. The TPS, TKS and DRM must all be configured appropriately, as described below:

The TPS setup script will handle step 4 of this script, if the DRM was configured at the time create.pl was run.

STEP 1: Set up a DRM


Follow the regular DRM setup instructions in the main CS Administrator's Guide



STEP 2: Configuring the DRM to trust the TPS


In this 7.1 release, the DRM key recovery policy is set so that 1-of-n recovery agents can recover a key. In this case, the TPS is set as one of the recovery agents.

1. Open the DRM console window

2. Add a special "agent" user:
 - click Configuration -> Users and Groups -> Users -> Add
 - At "Edit User Information", enter all info, including full name ("TPS Trust Entity"). Select the 'Data Recovery Manager Agents" group.
 - Select the TPS user, Click Certificates, Import the TPS system (SSL) certificate




STEP 3: Set up TKS with DRM transport key


After generating the keys on the DRM, the DRM will encrypt the keys with a Key Transport Key (KTK) before sending to the smartcard. This key is generated on TKS and transmitted to the DRM (via the TPS). In order to accomplish this securely, the KTK is encrypted with the public key in the DRM's transport certificate.

Install the DRM's transport certificate into the TKS:

Create a file with the DRM Transport Certificate (retrieve this from the CA)

On the TKS host:

cd <server-root>/alias
../bin/cert/tools/certutil -d . -P <cert-db-prefix> -A -n "DRM Transport" -t ",," -a -i <certfilename>
cd <server-root>/cert-tks/config

edit the CS.cfg file, modifying the following line:

tks.drm_transport_cert_nickname=DRM Transport

Restart TKS:

cd <server-root>/cert-tks
./restart-cert


STEP 4: Configure TPS to do key generation and archival

1) TPS must be configured to connect to the DRM

cd <server-root>/tps-xxx/config

edit CS.cfg, setting the following parameters (use Fully Qualified Host Names where appropriate)

conn.drm.totalConns=1
conn.drm1.hostport=[DRM_HOST]:[DRM_AGENT_PORT]
conn.drm1.clientNickname=Server-Cert
conn.drm1.servlet.GenerateKeyPair=/kra/GenerateKeyPair
conn.drm1.servlet.TokenKeyRecovery=/kra/TokenKeyRecovery
conn.drm1.retryConnect=3
conn.drm1.SSLOn=true
conn.drm1.keepAlive=false


The TPS CS.cfg files has a section defining each type of smartcard profile you want to maintain. In the default configuration, the profile 'userKey' is defined under the op.enroll.userKey subsection.

In the keyGen subsection of the userKey Profile, is a subsection for each type of key/certificate pair which is defined for that type of smartcard. In the default configuration, one of the key/certificate pairs is labelled 'encryption'. Set the following parameters to enable server-side key generation, and to archive keys.

op.enroll.userKey.keyGen.encryption.serverKeygen.enable=true
op.enroll.userKey.keyGen.encryption.serverKeygen.drm.conn=drm1
op.enroll.userKey.keyGen.encryption.serverKeygen.archive=true
op.enroll.userKey.keyGen.encryption.serverKeygen.encryptPrivKey=true


Restart the TPS subsystem after this step

cd <server-root>/tps-*
./stop
./start


Configuring  TPS to use HSM  (Hardware Security Modules)

Certificate System allows the TPS sub-system to use hardware security modules like nCipher,LunaSA for better SSL performance. If you need to store the TPS sub-system's
server certificate  and its keys on hardware please use the following steps:

Step 1: Connect secmod.db to the HSM.

Use modutil command to perform this. An example for adding 'nCipher nethsm' to secmod.db would look like this.

Goto the <server-root>/alias/ directory
modutil -dbdir . -nocertdb -add nethsm -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so

Step 2: Verify that you can list 'any' certs/keys on the hardware

Use certutil command to perform this. An example would look like this,

certutil -L -d <server-root>/alias/ -h nethsm -P <cert-prefix>

Step 3: edit create.pl the TPS installation script.

Edit <server-root>/bin/cert/tps/setup/create.pl.
Edit the line that starts with 'my $hsm="";' to add the HSM slot name. An example would look like this.

my $hsm = "nethsm";

Save this file and execute this perl script to install the TPS sub-system.

NOTE: CA Signing certs are always stored only on 'internal' software tokens and not on hardware when you import the CA signing cert with this 'create.pl' for configuring TPS.


Automating Recovery of Encryption Keys

Certificate System allows for a semi-automated recovery if a user loses, destroys, or misplaces their token.

TPS automatically recovers the appropriate encryption keys and certificates for a permanent or temporarily lost token, depending on various circumstances leading to the token loss.

In order to prevent misuse of the recovery feature, TPS requires that a user must have a single active token. In order to track which tokens are assigned to users, TPS maintains a database of tokens. When a user enrolls a token, the database is updated to reflect the token state, and the fact that it is assigned to a user.

1. User gets replacement token

When a user loses a token, the user must first get a replacement token through some defined process. If a new enrollment is attempted with this new token, TPS will block the enrollment, since the user already has an active token.

2.  The token status must be updated

In order for the enrollment to succeed, the token's state in the database must be changed to 'lost'. This action is performed through the web browser and the TPS agent interface.

The TPS Agent will query the user in order to identify the user to his satisfaction, then search for the user's id in the TPS Agent interface 'Search Tokens' link.

The TPS Agent will select the 'active' token assigned to the user, and update the status with the drop-down list with the appropriate status. Each selection in this list leads to different behavior in the TPS:

"This Token Has Been Physically Damaged"  [Use this if the token is known to be destroyed]
status: updated to 'lost'
reason: destroyed

"This Token Has been Permanently Lost": [Use this if the token has been stolen]
status: updated to 'lost'
reason: keyCompromised
The certificates on the token are revoked

"This Token Has been Temporarily Lost":  [Use this if the user left their token at home]
status: updated to 'lost'
reason: keyCompromised
The certificates on the token are revoked


The user will then be able to Enroll for a replacement token.


In typical PKI deployments, it is preferred that signing keys be generated on the smartcard, and not archived. Therefore, if the smartcard is lost, new signing keys and certificates must be regenerated on the token, and temporary certificates created.

The policy describing which keys should be regenerated and which keys should be recovered is defined in the TPS CS.cfg parameters below:

The following parameters are for different recovery scheme based on different lost reason: 

# The following is for a replacement for a token which is physically damaged:
op.enroll.userKey.keyGen.recovery.destroyed.keyType.num=2
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.0=signing
op.enroll.userKey.keyGen.recovery.destroyed.keyType.value.1=encryption
op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.recovery.destroyed.scheme=RecoverLast

# The following is for a replacement for a token which is permanently lost:
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.num=2
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.0=signing
op.enroll.userKey.keyGen.recovery.keyCompromise.keyType.value.1=encryption
op.enroll.userKey.keyGen.signing.recovery.keyCompromise.scheme=GenerateNewKey
op.enroll.userKey.keyGen.encryption.recovery.keyCompromise.scheme=GenerateNewKey

# The following is for a temporary replacement for a temporarily lost token:
op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.num=2
op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.0=signing
op.enroll.userKeyTemporary.keyGen.recovery.onHold.keyType.value.1=encryption
op.enroll.userKeyTemporary.keyGen.signing.recovery.onHold.scheme=GenerateNewKey
op.enroll.userKeyTemporary.keyGen.encryption.recovery.onHold.scheme=GenerateNewKey

There are two different schemes for recovery:
- GenerateNewKey is to create new key and certificate for recovery.
- RecoverLast is to recover the last encryption key and associated certificate for recovery.

# set revokeCert=true to revoke certificates if a token's certificates are replaced
op.enroll.userKey.keyGen.signing.revokeCert=true
op.enroll.userKey.keyGen.encryption.revokeCert=true



Dealing with replacements for lost or stolen smartcards


If the smartcard loss is temporary, the user can be enrolled for a temporary replacement.

In this CS release, the profile of the temporary replacement smartcard is defined in the userKeyTemporary profile in the TPS CS.cfg. The certificates used in this profile is valid for 7 days by default.

Original smartcard was found

If the user locates the original token, he must return to the TPS Agent to reactivate the original token. The TPS Agent must perform an operation on the original token. When the status is updated, it will also automatically update the status of the temporary token.

The Agent will locate the original token (marked as lost), and select:

"This Temporarily Lost Token Has Been Found":
status: updated to 'active'
reason:
The certificates on the token are taken off hold

The TPS will update the status of the temporary token:
status: updated to 'inactive'
reason:
The certificates on the temporary token are revoked.




Original token was not found

If the user cannot locate the original token, the TPS Agent must update the status of the original token, then update the status of the temporary token.


The agent will locate the original token (marked as 'lost') and select:

"This Temporarily Lost Token Cannot Be Found":
status: lost
reason: keyCompromised
The certificates on the original token are revoked

The TPS will update the status of the temporary token:
status: updated to 'inactive'
reason:
The certificates on the temporary token are revoked.

The user is now permitted to enroll for a permanent token. He can use the temporary token to do this.






Setting Up Connection Failover in TPS


The TPS can be configured with alternates for each of the CA, DRM, TKS subsystems it connects to.  After setting up clones of the appropriate subsystems, edit the TPS CS.cfg file to reflect the clone hostnames:

For each of the conn.tks1, conn.ca1, conn.drm1 config options, add space-separated host:port details.

conn.tks1.hostport=tks1.redhat.com:2000 tks2.redhat.com:2000 tks3.redhat.com:2000
conn.ca1.hostport=ca1.redhat.com:2000 ca2.redhat.com:2000 ca2.redhat.com:2000
conn.drm1.hostport=drm1.redhat.com:2000 drm2.redhat.com:2000 drm3.redhat.com:2000

Each host port grouping is separated by a white space.





Setting Up Symmetric Key Changeover in TPS


When global platform compliant smartcards are made, the manufacturer will burn a set of symmetric keys onto the token. The smartcard deployer will share a master symmetric key with the manufacturer. The smartcard TKS is configured to use these symmetric keys. However, during enrollment, it is desirable to replace these symmetric keys with a set that is not shared by the manufacturer, to restrict the set of entities that  can manipulate the token.

Note:  using Key Changeover can render the smartcards unusable - if you lose the master key. Use key changeover in controlled conditions, and be sure of the implications of erasing a TKS instance. See below to see how it is possible to set up TPS to return the keys back to the factory state.

Setting up Key Changeover requires that a new symmetric key be generated on the TKS, and that the TPS be set to change the token's key.

Creating a new master key on the TKS

We recommend that you do the masterKey generation by following these steps.

Step 1: Generate a Transport Key and store in either the hardware or software token

cd <tks-server-root>/alias/
../bin/cert/tools/tksTool.sh -T -n <transportKeyName> -d . -h <token_name> -p <certDBPrefix>

For example,
../bin/cert/tools/tksTool.sh -T -n "test-transport-key" -d . -h internal -p cert-tks-

Note : When executing the above command, tksTool, prints out the KCV values for each of the session keys that are generated. Three symmetric keys are generated here. Please save them as it is required to re-generate the transport key if you lose it. For more information on tksTool, please go to the Red Hat Certificate System - Command-Line Tools Guide

Step 2: Generate the master key. Wrap the Master Key with the Transport Key and store the output to a local file on disk.

cd <tks-server-root>/alias/
../bin/cert/tools/tksTool.sh -W -n <masterKeyId> -d . -t <transport_keyname> -o <wrapped_master_key_outfile> -h <token_name> -p <certDBPrefix>

For example,
../bin/cert/tools/tksTool.sh -W -n "test-master-key" -d . -t "test-transport-key" -o "wrapped_test-master-key" -h "internal" -p cert-tks-

Note: When executing the above command, tksTool, generates a new master key, wraps it with the transport_key and then extracts it to the output_file so that we can save this extracted file to serve as backup in case you lose the master key.


Configure TKS - to associate masterkey with its version


In global platform parlance, master keys have a numeric identifier such as 01, 02, 03. TKS needs to map these to PKCS#11 object nicknames (which you specified above by 'masterKeyId').

Add the following to the CS.cfg located in <tks-server-root>/cert-<tks-id>/config: 
              tks.mk_mappings.#02#01=<tokenname>:<masterKeyId>
If you used the software database, you would use 'internal' for <tokenname>.

This sets master key set #02 to map to the given TKS PKCS#11 module token name, and corresponding masterKeyId object nickname. All numeric key identifiers in mapping configurations must be suffixed with '#01'.

Note that "#02" represents the master key version.


Note: Smartcards purchased from the Axalto Web Store will come with a default developer key set where all keys are set to "404142434445464748494a4b4c4d4e4f".
TKS has this key built-in, and it is referred to with the master key set #01. TKS will use key set #01 by default.


After making configuration changes to TKS, restart it.


Configure TPS - for key change over

Edit the TPS CS.cfg file

Modify the following two parameters as follows:

To enable key changeover during enrollment, change these parameters to contain the following values: 
          op.enroll.userKey.update.symmetricKeys.enable=true
          op.enroll.userKey.update.symmetricKeys.requiredVersion=2

Similarly, to enable key changeover during 'format', change these parameters: 

          op.format.tokenKey.update.symmetricKeys.enable=true
          op.format.tokenKey.update.symmetricKeys.requiredVersion=2

requiredVersion is the Global Platform numeric key set identifier which is required for the specified operation (enroll, format) to proceed.  If the smartcard does not have the key set specified by the requiredVersion parameter, key changeover will occur, then the operation processing will continue. In this example, the requiredVersion=2 parameter maps to the #02 value given in the TKS setup above.

After changing this configuration, restart TPS.

NOTE: The TPS audit log contains information denoting whether or not the key changeover worked successfully.

While testing this feature, you may want to change an Axalto Web Store smartcard back to the original static '4041...' key set.  You can do this by changing the 'requiredVersion' parameter back to '1', and doing a new format. You should do this before removing your TKS instance, or else you will not be able to manage your smartcard.




Setting Up Applet Upgrade in TPS

TPS communicates with an applet on the smartcard.  The smartcards may be manufactured with both a card manager applet and a vendor applet, or with only the card manager applet. If the cards only have the card manager applet, TPS can install the CS applet onto the smartcard.

Similarly, an old applet can be replaced with a new applet during a format or enrollment operation. Any keys or certificates created or managed with the old applet are destroyed.


Configuring applet upgrade

TPS should be configured to update the applet if necessary. To do this, put the new applet in the applet directory, and set the 'update.applet.enable' parameter to true.

op.enroll.userKey.update.applet.enable=true
op.enroll.userKey.update.applet.emptyToken.enable=false
op.enroll.userKey.update.applet.requiredVersion=1.3.4255CC01
op.enroll.userKey.update.applet.directory=<server-root>/bin/cert/tps/applets
op.enroll.userKey.update.applet.encryption=true



Card-Manager applet only smartcards

If a smartcard only has the card manager, you must specifically enable the capability. Edit the following parameter in TPS's CS.cfg

op.enroll.userKey.update.applet.emptyToken.enable=true



NOTE: If the file name value associated with the "op.enroll.userKey.update.applet.requiredVersion" parameter contains ANY alphabetic characters, then ALL of these alphabetic characters MUST ALWAYS be uppercase letters; this applies to the actual name of the file, as well as to the value of the "op.update.userKey.applet.requiredVersion" parameter.


Remember to restart TPS after making changes to the CS.cfg file.


Verification


The TPS queries the applet version on the smartcard before the execution of any operations such as enrollment and format.

If the update feature is enabled, and the applet version from the client is different from the one that is specified by this 'op.<operation>.<token type>.update.applet.requiredVersion' parameter, the CS TPS will update the applet automatically.


NOTE: The TPS audit log contains information denoting whether or not the applet update worked successfully.





Setting Up Token Types for Specified Smartcards

TPS can be configured to use specific token profiles based on the smartcard ATR and/or a range of serial numbers for the smartcards.  This may be useful if you want to manage two types of smartcard profile in a single deployment, and you want to determine the smartcard profile based on physical distribution of those cards, rather than some software process change.


The TPS configuration allows you to configure a mapping where you specify the types of tokens, ATRs, and range of serial numbers (CUID)

Each type of operation (op.enroll, op.format) contains a parameter called "op.<op>.mapping.order" containing one or more mapping IDs.

NOTE: If the "op.<op>.mapping.order" parameter contains more than one mapping ID, then each mapping ID is processed in sequential order until a target is determined, or else an error is returned. If the "op.<op>.mapping.order" parameter is missing, or not set in the CS.cfg, then the code will return an error.


Each mapping ID references a series of parameters associated with the requested operation called "filters".

NOTE: Each filter may contain a specific value for the request to be tested against. Empty or missing "filters" equate to a "wildcard" rule which allows the request to contain any value, and are thus inherently "true".

If the request passes all filters, the the specified target token profile is used..

See the CS.cfg for more details on the mapping configuration parameters


An Example with 2 different Token Types


In this section we will attempt to describe how you could setup TPS to accept operations ( like , format, enroll , pin reset etc.. ) from two different sets of tokens that are distinguished based on their CUIDs.  The following example illustrates usage just with the format operation. The same can be achieved for the enroll and pin reset operations.

This example assumes the following:

Configuring the format operation in TPS for the above scenario would involve the following changes to the TPS configuration file ( CS.cfg ):


##########################################################################
# Create 2 mappings as shown below
##########################################################################
op.format.mapping.order=0,1

op.format.mapping.0.filter.tokenType=
op.format.mapping.0.filter.tokenATR=
op.format.mapping.0.filter.tokenCUID.start=1000000000000000
op.format.mapping.0.filter.tokenCUID.end=1000000000000100
op.format.mapping.0.filter.appletMajorVersion=
op.format.mapping.0.filter.appletMinorVersion=
op.format.mapping.0.target.tokenType=devKey
##########################################################################
op.format.mapping.1.filter.tokenType=
op.format.mapping.1.filter.tokenATR=
op.format.mapping.1.filter.tokenCUID.start=2000000000000000
op.format.mapping.1.filter.tokenCUID.end=20000000000001000
op.format.mapping.1.filter.appletMajorVersion=
op.format.mapping.1.filter.appletMinorVersion=
op.format.mapping.1.target.tokenType=qaKey
##########################################################################
# create 2 separate profiles
##########################################################################
# Profile for DevKey
##########################################################################
op.format.devKey.update.applet.emptyToken.enable=true
op.format.devKey.update.applet.requiredVersion=1.3.427BDDB8
op.format.devKey.update.applet.directory=<server-root>/bin/cert/tps/applets
op.format.devKey.update.applet.encryption=true
op.format.devKey.update.symmetricKeys.enable=false
op.format.devKey.update.symmetricKeys.requiredVersion=1
op.format.devKey.revokeCert=true
op.format.devKey.ca.conn=ca1
op.format.devKey.loginRequest.enable=true
op.format.devKey.tks.conn=tks1
op.format.devKey.auth.id=ldap-dev
op.format.devKey.auth.enable=true
##########################################################################
# Profile for QAKey
##########################################################################
op.format.qaKey.update.applet.emptyToken.enable=true
op.format.qaKey.update.applet.requiredVersion=1.3.427BDDB8
op.format.qaKey.update.applet.directory=<server-root>/bin/cert/tps/applets
op.format.qaKey.update.applet.encryption=true
op.format.qaKey.update.symmetricKeys.enable=false
op.format.qaKey.update.symmetricKeys.requiredVersion=1
op.format.qaKey.revokeCert=true
op.format.qaKey.ca.conn=ca1
op.format.qaKey.loginRequest.enable=true
op.format.qaKey.tks.conn=tks1
op.format.qaKey.auth.id=ldap-qa
op.format.qaKey.auth.enable=true
##########################################################################
# LDAP Connection settings for devKey
##########################################################################
auth.instance.0.type=LDAP_Authentication
auth.instance.0.libraryName=<server-root>/bin/cert/tps/lib/libldapauth.so
auth.instance.0.libraryFactory=GetAuthentication
auth.instance.0.authId=ldap-dev
auth.instance.0.hostport=ldap-dev.example.com:1111
auth.instance.0.SSLOn=false
auth.instance.0.retries=1
auth.instance.0.retryConnect=3
auth.instance.0.baseDN=o=dev
auth.instance.0.ui.title.en=LDAP Authentication
auth.instance.0.ui.description.en=This authenticates user against the DEV LDAP directory.
auth.instance.0.ui.id.UID.name.en=LDAP User ID
auth.instance.0.ui.id.PASSWORD.name.en=LDAP Password
auth.instance.0.ui.id.UID.description.en=DEV LDAP User ID
auth.instance.0.ui.id.PASSWORD.description.en=DEV LDAP Password
##########################################################################
# LDAP Connection settings for qaKey
##########################################################################
auth.instance.1.type=LDAP_Authentication
auth.instance.1.libraryName=<server-root>/bin/cert/tps/lib/libldapauth.so
auth.instance.1.libraryFactory=GetAuthentication
auth.instance.1.authId=ldap-qa
auth.instance.1.hostport=ldap-qa.example.com:2222
auth.instance.1.SSLOn=false
auth.instance.1.retries=1
auth.instance.1.retryConnect=3
auth.instance.1.baseDN=o=qa
auth.instance.1.ui.title.en=LDAP Authentication
auth.instance.1.ui.description.en=This authenticates user against the QA LDAP directory.
auth.instance.1.ui.id.UID.name.en=LDAP User ID
auth.instance.1.ui.id.PASSWORD.name.en=LDAP Password
auth.instance.1.ui.id.UID.description.en=QA LDAP User ID
auth.instance.1.ui.id.PASSWORD.description.en=QA LDAP Password
##########################################################################

So, we have now defined the following in order to get this scenario to work.
What happens during a format operation for a devKey:

Step 1: TPS is restarted with the above config.
Step 2: User inserts token devKey ( for example, CUID = 1000-0000-0000-0001 ) using ESC client. Token is recognized by ESC.
Step 3: User selects token and clicks 'format'
Step 4. ESC prompts for LDAP authentcation. Enter dev_userid and dev_password
Step 5: Format operation completes.

During Step 3, ESC sends in the applet version,CUID,ATR etc about the token to the TPS server. TPS server checks the op.format.mapping... section in the CS.cfg and figures out that the 'TokenType' for this token is 'devKey'. It then uses the op.format.devKey... section to perform LDAP authentication ( with ldap-dev ) and to the corresponding TKS for generating session keys etc.. Optionally, TPS can also be configured to do applet upgrade and key change over for this format operation.

What happens during a format operation for a qaKey:

Step 1: TPS is restarted with the above config.
Step 2: User inserts token qaKey ( for example, CUID = 2000-0000-0000-0001 ) using ESC client. Token is recognized by ESC.
Step 3: User selects token and clicks 'format operation'
Step 4: ESC prompts for LDAP authentcation. Enter qa_userid and qa_password
Step 5: Format operation completes.

During Step 3, ESC sends in the applet version,CUID,ATR etc about the token to the TPS server. TPS server checks the op.format.mapping... section in the CS.cfg and figures out that the 'TokenType' for this token is 'qaKey'. It then uses the op.format.qaKey... section to perform LDAP authentication ( with ldap-qa ) and to the corresponding TKS for generating session keys etc.. Optionally, TPS can also be configured to do applet upgrade and key change over for this format operation.




Configuring TPS logging

By default, five log files are created by the TPS subsystem. All log files get written to the <server-root>/tps-XXX/logs directory.

Two of the files: 'access' and 'errors', are created by the Netscape Enterprise Server web server:
The rest of the files:<> 'tps-audit.log' 'tps-debug.log' and 'tps-errors.log' are created by the tps subsytsem itself.

Log files are configured by changing the relevent lines in the CS.cfg file:

logging.[audit|error|debug].enable=[true|false]
logging.[audit|error|debug]=[SERVER_ROOT]/[INSTANCE_ID]/logs/[filename]
logging.[audit|error|debug].level=[level number]

Log level 0 is least verbose, 10 is most verbose.


Audit message examples:

[2005-04-29 13:47:08] b65b9828 Upgrade - op='applet_upgrade' app_ver='1.2.416DA155' new_app_ver='1.3.42659461'
[2005-04-29 13:47:08] b65b9828 Format - status='success' app_ver='1.3.42659461' key_ver='0' cuid='40900062FF02000065C5' msn='FFFFFFFF' uid='' time='45389 msec'
[2005-04-29 15:56:06] b65b9828 Enrollment - status='success' app_ver='1.3.42659461' key_ver='0101' cuid='40900062FF020000649D' msn='FFFFFFFF' uid='Steve Parkinson' time='21058 msec'

[key_ver] indicates the key set version ID.  A Key Version of 0101 is mapped to the TKS key version identifier #01#01.
[cuid] indicates the Card Unique Identifier - the unique serial number of the smartcard.
[app_ver] indicates the applet version number
[time] indicates the elapsed time of the operation.


Thread correlation

In the above example, b65b9828 is the thread ID number. All interactions performed with a particular smartcard are done on a single thread, so the operations should all have the same thread ID. In the case where TPS is interacting with multiple smartcards simultaneously, log messages pertaining to the smartcard operations will be interleaved. In this case, the thread ID can be used to correlate messages for a single smartcard.





Appendix A -  create.pl - sample output

************************************************
Token Processing Service (TPS) Setup
************************************************
This script will assist you in setting up TPS.
Before running this script, you should already
install a certificate authority (CA), a token key
service (TKS), an authentication directory and a token
database.

CA is responsible for issuing certificates while TKS
ensures a secure channel between the client and
the backend. User requests are authenticated against
the authentication directory which contain user
information. The token database collects statistics
on token activities.

The authentication database and the token base are
regular directory server instances that can be created
via Console.

If you need other advance options such as hardware
token support, you need to modify the advance option
section of this script manually.

************************************************
GENERAL SETUP SECTION

This script is about to create your TPS instance in your
existing CS installation.
************************************************

Enter the path to the server root of your existing cs installation (i.e. /export/home/cs):
Error: '/export/home/cs' directory does not exit.
Enter the path to the server root of your existing cs installation (i.e. /export/home/cs): /export/cs/71
Enter the path to the TPS release (i.e. /export/cs/71/bin/cert/tps):
Enter the hostname of this machine (i.e. chico):
Enter the fully-qualified hostname of this machine (i.e. chico.sfbay.redhat.com):
Enter the instance ID of your new TPS instance (i.e. tps-chico):

************************************************
SERVICE PORTS SECTION

TPS listens on the following ports. Please make
sure you specify unused ports.
************************************************

Enter the end entity port number of your TPS (i.e. 8000): 3907
Enter the agent port number of your TPS (i.e. 8001): 3908

************************************************
AUTHENTICATION (LDAP) DIRECTORY SECTION

TPS verifies the user IDs and
passwords against this LDAP database before executing
requests from users.
************************************************

Enter the hostname of the authentication directory (i.e. chico.sfbay.redhat.com):
Enter the port number of the authentication directory (i.e. 389): 3900
Enter the root suffix of the authentication directory (i.e. dc=people, dc=com): ou=people,dc=sfbay,dc=redhat,dc=com

************************************************
CA CONNECTION SECTION

TPS submits certificate requests
to CA for signing.
************************************************

Enter the hostname of the CA (i.e. chico.sfbay.redhat.com):
Enter the secure end entity port number of the CA (i.e. 443): 3904

************************************************
TKS CONNECTION SECTION

TPS obtains session keys from TKS
for establishing secure channels.
************************************************

Enter the hostname of the TKS (i.e. chico.sfbay.redhat.com):
Enter the secure agent port number of the TKS (i.e. 8100): 3909



Do you want to perform server-side key generation optionally: (i.e. yes or no)
yes

************************************************
DRM CONNECTION SECTION

TPS submits archival and recovery requests
to DRM.
************************************************

Enter the hostname of the DRM (i.e. chico.sfbay.redhat.com): chico.sfbay.redhat.com
Enter the secure agent port number of the DRM (i.e. 8100): 8102


************************************************
TOKEN DATABASE (LDAP) CONNECTION SECTION

TPS sends statistics information to the database
for auditing purposes.
************************************************

Enter the hostname of the token database (i.e. chico.sfbay.redhat.com):
Enter the port number of the token database (i.e. 3890): 3900
Enter the root suffix of the token database (i.e. dc=com): dc=sfbay,dc=redhat,dc=com
Enter the password of the directory manager: redhat

************************************************
TPS INSTANCE CREATION
************************************************
This program is about to create the TPS instance.
If there is any error, please ctrl-C to exit and restart the process.

Please enter 'proceed' to continue.
proceed

Creating /export/cs/71/tps-chico ...
Creating /export/cs/71/tps-chico/config ...
Creating /export/cs/71/tps-chico/logs ...
Copying ./templates/start to /export/cs/71/tps-chico/start ...
Copying ./templates/stop to /export/cs/71/tps-chico/stop ...
Copying ./templates/config/contexts.properties to /export/cs/71/tps-chico/config/contexts.properties ...
Copying ./templates/config/jvm12.conf to /export/cs/71/tps-chico/config/jvm12.conf ...
Copying ./templates/config/magnus.conf to /export/cs/71/tps-chico/config/magnus.conf ...
Copying ./templates/config/magnus.conf.clfilter to /export/cs/71/tps-chico/config/magnus.conf.clfilter ...
Copying ./templates/config/mime.types to /export/cs/71/tps-chico/config/mime.types ...
Copying ./templates/config/obj.conf to /export/cs/71/tps-chico/config/obj.conf ...
Copying ./templates/config/obj.conf.clfilter to /export/cs/71/tps-chico/config/obj.conf.clfilter ...
Copying ./templates/config/rules.properties to /export/cs/71/tps-chico/config/rules.properties ...
Copying ./templates/config/server.dtd to /export/cs/71/tps-chico/config/server.dtd ...
Copying ./templates/config/server.xml to /export/cs/71/tps-chico/config/server.xml ...
Copying ./templates/config/server.xml.clfilter to /export/cs/71/tps-chico/config/server.xml.clfilter ...
Copying ./templates/config/servlets.properties to /export/cs/71/tps-chico/config/servlets.properties ...
Copying ./templates/config/web-apps.xml to /export/cs/71/tps-chico/config/web-apps.xml ...
Copying ./templates/config/web-apps.xml.clfilter to /export/cs/71/tps-chico/config/web-apps.xml.clfilter ...
Copying /export/cs/71/bin/cert/tps/config/CS.cfg to /export/cs/71/tps-chico/config/CS.cfg ...
Creating /export/cs/71/cgi-bin ...
Copying files from /export/cs/71/bin/cert/tps/forms/esc to /export/cs/71/cgi-bin ...
Copying files from /export/cs/71/bin/cert/tps/forms/tus to /export/cs/71/cgi-bin ...

************************************************
SECURITY DATABASE CREATION (OPTIONAL)

Keys and certificates will be stored in the security
databases.
************************************************
This program is about to create the security databases.
Do you want to create the security databases automatically: (i.e. yes or no)
yes

This program is about to create the security databases.
Please enter 'proceed' to continue.
proceed

Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
netscape
This program is about to generate the certificate request.
Please enter 'proceed' to continue.
proceed


A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:
Enter Password or Pin for "NSS Certificate DB":


Generating key.  This may take a few moments...


Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: chico.sfbay.redhat.com
Email: (not specified)
Organization: (not specified)
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBYDCBygIBADAhMR8wHQYDVQQDExZjaGljby5zZmJheS5yZWRoYXQuY29tMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEJBL1JDs/xElJNa4TC1T+f6I14jVD
RF6bgkBMkagW0pDKoNwpwgv0idKz3rUb9+JUAm7SxxeXyorKxxVbldY3jkzL6Kvq
KdFW5sb0CRUPDlVGz8fH22aS9C/iVC7HAmEAdQaB+c6wcu3CO7hsIDvsU2y8nwAL
ldh5tR8IBxtbMQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAPjiQrzGKZYASlcFy
iAiJB/JlZ/QGzovrJYqB1WXakpyWj+9+Z4ZMMKFLUyi++ni5hzaKuXf2t7m349ks
VeTnuZBuaC7Xn8hprbZapvRgeGZmOppOXB+TdZ2xOKFD8OLcJEBsPlsM16zFlvaD
8lny7cXNiiNRlQSiCJeBu2lAxf4=
-----END NEW CERTIFICATE REQUEST-----

Please submit the certificate request to the CA for signing.
Note that correct OIDs (i.e. 1.3.6.1.5.5.7.3.2 and 1.3.6.1.5.5.7.3.4) must be populated in the
extended key usage extension of the certificate.
In addition, this certificate must be added to
CA and TKS as trusted agent.

This program is about to import the server certificate.
Please paste in your certificate (including header and footer).

-----BEGIN CERTIFICATE-----
MIICdjCCAd+gAwIBAgIBBzANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzEP
MA0GA1UEChMGcmVkaGF0MRwwGgYDVQQDExNDZXJ0aWZpY2F0ZSBNYW5hZ2VyMB4X
DTA1MDQxNTAyMzMwOVoXDTA3MDQwNTAyMzMwOVowITEfMB0GA1UEAxMWY2hpY28u
c2ZiYXkucmVkaGF0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxCQS
9SQ7P8RJSTWuEwtU/n+iNeI1Q0Rem4JATJGoFtKQyqDcKcIL9InSs961G/fiVAJu
0scXl8qKyscVW5XWN45My+ir6inRVubG9AkVDw5VRs/Hx9tmkvQv4lQuxwJhAHUG
gfnOsHLtwju4bCA77FNsvJ8AC5XYebUfCAcbWzECAwEAAaOBojCBnzAfBgNVHSME
GDAWgBTv06nx5OJhG32vkwjJbfxSb/iiNTBDBggrBgEFBQcBAQQ3MDUwMwYIKwYB
BQUHMAGGJ2h0dHA6Ly9jaGljby5zZmJheS5yZWRoYXQuY29tOjM5MDMvb2NzcDAO
BgNVHQ8BAf8EBAMCBPAwJwYDVR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggr
BgEFBQcDBDANBgkqhkiG9w0BAQUFAAOBgQBZ7r0thFivn5ithNImv4oB5Jbskbhn
3CAKlpP/en01USscJ7Do1gfVzBhHARSp890wG4jbw1LFiJLBIK8FXBykKdH8TKTB
qmAaR3BEBDHSQPjHPtK66BjPlZe18OgEwXJB7BotuwaMBy6cntmZFo8esvUVTn7b
E76TeN98+LZZlA==
-----END CERTIFICATE-----

This program is about to import one or more CA certificates.
Do you have CA certificate to import: (i.e. yes or no)
yes

Please paste in your CA certificate (including header and footer).

-----BEGIN CERTIFICATE-----
MIICUTCCAbqgAwIBAgIBATANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzEP
MA0GA1UEChMGcmVkaGF0MRwwGgYDVQQDExNDZXJ0aWZpY2F0ZSBNYW5hZ2VyMB4X
DTA1MDQxNDA3MDAwMFoXDTEwMDQxNDA3MDAwMFowPDELMAkGA1UEBhMCVVMxDzAN
BgNVBAoTBnJlZGhhdDEcMBoGA1UEAxMTQ2VydGlmaWNhdGUgTWFuYWdlcjCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsuXSmqkDyRZqcArpHwjWDo1gyzia6nt6
43MM4I9GYqhuu7an0G5JpFfDjJUqIt709Cs9IEnj9p1ne8x7Bk+CWUg1WtBT7uve
M6MCDDMdts6ioNVgrKyBWSaoKvNsfQPIRh44+sNuaqlIUTU5PpS1Dr4beDR8aJeJ
Eu3H4uZaUBcCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU79Op
8eTiYRt9r5MIyW38Um/4ojUwHwYDVR0jBBgwFoAU79Op8eTiYRt9r5MIyW38Um/4
ojUwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBBQUAA4GBAG8OYMm8k4oo+aFg
f1MHo2nGn5FwaFMCxOlWpQh0UvJq2AhDjBpDP4gko8jMCZ/tyQMiFcs76bMXhXZv
8C7qzpqKSbsyE5IyJwaguO7FEEAZZ4QDlzfGyNehMsZYFyrOX88dmu+MNQpmg8/v
Ruh88MCvdvG808DstYoxgth0/Ytr
-----END CERTIFICATE-----

Do you have CA certificate to import: (i.e. yes or no)
no

The following shows all imported certificates.
Server-Cert                                                  u,u,u
caCert0                                                      CT,C,C

Please enter 'proceed' to continue.
proceed
************************************************
TOKEN DATABASE POPULATION (OPTIONAL)

Token database's Schema and default structure will be setup.
Your first authorized agent certificate will be
imported into the database. TPS agent port can
be accessed by browser that contain the authorized
agent certificate.
************************************************
This program is about to populate the token database.
Do you want to populate the token database automatically: (i.e. yes or no)
yes

Please paste in your TUS Admin certificate (including header and footer).

-----BEGIN CERTIFICATE-----
MIICMDCCAZmgAwIBAgIBBTANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGEwJVUzEPMA0GA1UEChMG
cmVkaGF0MRwwGgYDVQQDExNDZXJ0aWZpY2F0ZSBNYW5hZ2VyMB4XDTA1MDQxNTAxNDg0MVoXDTA2
MDQxNTAxNDg0MVowODELMAkGA1UEBhMCVVMxFTATBgoJkiaJk/IsZAEBEwVhZG1pbjESMBAGA1UE
AxMJQ01TIEFnZW50MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCAnPDFRHu9qUiVkvZzPQL
2EHC4aUmYYWnEqdZIqNan8qKJjgr5pmz6tefv2mvNdV97wVoqqBAjuUnEClMrjkqDNWf/m+nR16z
uRxidAzIokf99Ynk6w4GBwappYAGUt3KozMpwcG/uqI0w/YPWO6Ol+V1ktW76DvgrMHcU2uYIwID
AQABo0YwRDAOBgNVHQ8BAf8EBAMCBeAwEQYJYIZIAYb4QgEBBAQDAgeAMB8GA1UdIwQYMBaAFO/T
qfHk4mEbfa+TCMlt/FJv+KI1MA0GCSqGSIb3DQEBBQUAA4GBACPozFK75lg88fshgfBh33Huad5c
Sp2v6PyQmw+uAxSAfY1xL6Lw+qoQ85zwBgi08Lzw2Hnm4zHDmBsam4P/pxeTLkMqtW3llkHjaGZr
rZLVkOMXjz9ituDgAETjDYZk/umpojS8/L6orGmEAe0gdHNVSuItaG2WVGQR8I6d447P
-----END CERTIFICATE-----

Please enter 'proceed' to continue.
proceed

Copying /export/cs/71/bin/cert/tps/scripts/schemaMods.ldif to /export/cs/71/tps-chico/config/schemaMods.ldif ...
Copying /export/cs/71/bin/cert/tps/scripts/addTokens.ldif to /export/cs/71/tps-chico/config/addTokens.ldif ...
Copying /export/cs/71/bin/cert/tps/scripts/addIndexes.ldif to /export/cs/71/tps-chico/config/addIndexes.ldif ...
Copying /export/cs/71/bin/cert/tps/scripts/addAgents.ldif to /export/cs/71/tps-chico/config/addAgents.ldif ...
modifying entry cn=schema

adding new entry ou=Tokens,dc=sfbay,dc=redhat,dc=com

adding new entry ou=Activities,dc=sfbay,dc=redhat,dc=com

adding new entry ou=Certificates,dc=sfbay,dc=redhat,dc=com

adding new entry ou=People,dc=sfbay,dc=redhat,dc=com
ldap_add: Already exists

adding new entry cn=tokenUserID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=tokenID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

adding new entry cn=dateOfCreate,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
ldap_add: Already exists

adding new entry uid=admin,ou=People,dc=sfbay,dc=redhat,dc=com

adding new entry cn=TUS Agents,ou=Groups,dc=sfbay,dc=redhat,dc=com

adding new entry cn=TUS Adminstrators,ou=Groups,dc=sfbay,dc=redhat,dc=com


************************************************
SETUP IS DONE
************************************************
You should manually start your TPS by
running the start script in the TPS instance.

  /export/cs/71/tps-chico/start

You can use your ESC client to access TPS's
end entity port.

  http://chico.sfbay.redhat.com:3907/nk_service

You can use your browser to access TPS's
agent port for agent/administrator operations.

  https://chico.sfbay.redhat.com:3908/tus





Appendix B - TPS configuration Parameters

This section outlines all the TPS configuration parameters, their descriptions and valid values that are typically used for the SmartCard Certificate Enrollments,Key Archivals,Key Recovery , Formatting Smartcards and Pin Reset Operations.

Logging

logging.debug.enable

Enable or disable debug logging. Valid values are true|false

logging.debug.filename

Specify the full path to the debug log file name. For example, /tmp/tps-debug.log

logging.debug.level

Specify the debug log levels. The various levels that you can specify range from 0...10.
0 - no logging,
4 - LL_PER_SERVER - messages that happen only during startup or shutdown
6 - LL_PER_CONNECTION - Messages that happen on a per connection basis
8 - LL_PER_PDU - messages that happen for every single transaction
9 - LL_ALL_DATA_IN_PDU - dumps all data in PDU
10 - all logging

logging.audit.enable

Enable or disable audit logging. Valid values or true | false

logging.audit.filename

Specify the full path to the audit log file name. For example, /tmp/tps-audit.log

logging.audit.level

Specify the audit log level. The various levels that you can specify range from 0...10.
0 - no logging,
4 - LL_PER_SERVER - messages that happen only during startup or shutdown
6 - LL_PER_CONNECTION - Messages that happen on a per connection basis
8 - LL_PER_PDU - messages that happen for every single transaction
9 - LL_ALL_DATA_IN_PDU - dumps all data in PDU
10 - all logging

logging.error.enable

Enable or disable error logging.  Valid values are true | false

logging.error.filename

Specify the full path to the error log file name. For example, /tmp/tps-error.log

logging.error.level

Specify the error log level. The various levels that you can specify range from 0...10.
0 - no logging,
4 - LL_PER_SERVER - messages that happen only during startup or shutdown
6 - LL_PER_CONNECTION - Messages that happen on a per connection basis
8 - LL_PER_PDU - messages that happen for every single transaction
9 - LL_ALL_DATA_IN_PDU - dumps all data in PDU
10 - all logging

failover.pod.enable

Specify whether or not to use a pod type failover mechanism. Valid values are true | false.

NOTE: If you have 2 ca connections, 2 tks connections, 2 drm connections configured from TPS and when pod type failover is enabled, if TPS fails to connect to the first ca, for the next enrollment it will use the 2nd pod whereby it will use the 2nd CA,DRM,TKS host:port for connection.

CA Connection Settings

conn.ca<n>.hostport

Specify the Certificate Authority hostname and port number. Format is as follows <ca-hostname>:<ca-portnumber>

NOTE: please use the CA's eeSSL port for this.

conn.ca<n>.clientNickname

Specify the Client certificate nickname to use. This Certificate is used by TPS when connecting to the CA. This Client certificate should be trusted by the CA and the client should actually be a configured CA agent.

conn.ca<n>.servlet.enrollment

Specify the servlet that performs Profile based Certificate Enrollment. Value must be /ca/profileSubmitSSLClient

conn.ca<n>.retryConnect

Specify the number of times TPS tries to re-connect to the CA upon connection failure. Valid values are in 'integer'. For example, 3.

conn.ca<n>.timeout

Specify the number of seconds after which TPS times out failing to connect to the CA. For example, 30 seconds

conn.ca<n>.SSLOn

Specify if SSL needs to be turned on for the Connection to the CA. This value must be 'true'.

conn.ca<n>.keepAlive

Specify if you want to the keep the connection to the CA alive or terminate it after every operation. Valid values are true | false.

TKS Connection Settings


conn.tks<n>.hostport

Specify the TKS sub-system hostname and port number. Format is as follows <tks-hostname>:<tks-portnumber>

NOTE: please use the TKS's agent port for this.

conn.tks<n>.clientNickname

Specify the Client certificate nickname to use. This Certificate is used by TPS when connecting to the TKS. This Client certificate should be trusted by the TKS and the client should actually be a configured TKS agent.

conn.tks<n>.retryConnect

Specify the number of times TPS tries to re-connect to the TKS upon connection failure. Valid values are in 'integer'. For example, 3.

conn.tks<n>.SSLOn

Specify if SSL needs to be turned on for the Connection to the TKS. This value must be 'true'.

conn.tks<n>.keepAlive

Specify if you want to the keep the connection to the TKS alive or terminate it after every operation. Valid values are true | false.

conn.tks<n>.serverKeygen

Specify if you want to use the where you want key generation to happen. When set to true , Key generation happens on the Server. When set to false, key generation happens on the client ( aka ; token )

DRM Connection Settings

conn.drm<n>.hostport

Specify the DRM sub-system hostname and port number. Format is as follows <drm-hostname>:<drm-portnumber>

NOTE: please use the DRM agent port for this.

conn.drm<n>.clientNickname

Specify the Client certificate nickname to use. This Certificate is used by TPS when connecting to the DRM. This Client certificate should be trusted by the DRM and the client should actually be a configured DRM agent.

conn.drm<n>.retryConnect

Specify the number of times TPS tries to re-connect to the DRM upon connection failure. Valid values are in 'integer'. For example, 3.

conn.drm<n>.SSLOn

Specify if SSL needs to be turned on for the Connection to the DRM. This value must be 'true'.

conn.drm<n>.keepAlive

Specify if you want to the keep the connection to the DRM alive or terminate it after every operation. Valid values are true | false.

LDAP Authentication

auth.instance.<n>.type

Specify the authentication type to use. Must be 'LDAP_Authentication' for now

auth.instance.<n>.libraryName

Specify the library to use for LDAP authentication. Provide the full path to the library. Filename must be libldapauth.so

auth.instance.<n>.libraryFactory

Specify the function name to use for LDAP authentication. Must be 'GetAuthentication' for now.

auth.instance.<n>.authId

Specify this auth instance id so that we could use in when defining other operations. For example, ldap1.

auth.instance.<n>.hostport

Specify the LDAP hostname and port number. Format is as follows : <ldap-hostname>:<ldap-port>

auth.instance.<n>.SSLOn

Specify if SSL should be turned on/off. Valid values are 'true | false'.

auth.instance.<n>.retries

Specify the number of times authentication is tried upon failure. Valid values are in 'integer'. for example, 1.

auth.instance.<n>.retryConnect

Specify the number of times TPS tries to re-connect to the LDAP server upon connection failure. Valid values are in 'integer'. For example, 3.

auth.instance.<n>.baseDN

Specify the baseDN where to start the LDAP search from. For example, o=example.com

auth.instance.<n>.ui.title.en

Specify the title of the LDAP Auth plugin. For example,  "LDAP Authentication"

auth.instance.<n>.ui.description.en

Specify the description of the LDAP auth activity. For example, "This authenticates the user against the LDAP dev directory"

auth.instance.<n>.ui.id.UID.name.en

Specify the UID parameter name. For example, "LDAP User ID"

auth.instance.<n>.ui.id.PASSWORD.name.en

Specify the password parameter name. For example, "LDAP Password"

auth.instance.<n>.ui.id.UID.description.en

Specify the description for the UID param

auth.instance.<n>.ui.id.PASSWORD.description.en

Specify the description for the password param


Applet Information

applet.aid.cardmgr_instance

Do not change

applet.aid.netkey_instance

Do not change

applet.aid.netkey_file

Do not change

applet.aid.netkey_old_instance

Do not change

applet.aid.netkey_old_file

Do not change

applet.so_pin

Do not change

applet.delete_old

Do not change

Encrypted Channel Bet'n TPS and Token

channel.encryption

Specify if you want the data being transmitted between the TPS and the token  to be encrypted or not. Valid values are true | false.

Mapping and Filters

In this section , please note that
<Operation> can be enroll,pinreset or format
<n> = 0,1,2,3.... etc

op.<Operation>.mapping.order

Specify the number of tokenTypes to map.  Format is <n>,<n>,<n>. For example 0,1,2

op.<Operation>.mapping.<n>.filter.tokenType

Filter based on the tokenType sent by ESC. Specify the expected tokenType that TPS will receive from ESC. For example, 'userKey'. The target Tokentype will be matched if the tokenType sent by ESC also matches.

op.<Operation>.mapping.<n>.filter.tokenATR

Filter based on the ATR sent by ESC. Specify the expected ATR that TPS will receive from ESC. For example, 1234. The target tokentype will be matched, if the ATR of the token and the ATR mentioned here matches.

op.<Operation>.mapping.<n>.filter.tokenCUID.start

Filter based on the CUID range. The target TokenType will be matched, if the CUID falls within the start-end range.

op.<Operation>.mapping.<n>.filter.tokenCUID.end

Filter based on the CUID range. The target TokenType will be matched, if the CUID falls within the start-end range.

op.<Operation>.mapping.<n>.filter.appletMajorVersion

Filter based on the applet Major version.  For an applet file name 1.3.423FFAZ.ijc , 1 is the major version. The target tokenType will be matched/selected, if the applet's Major Version sent by ESC matches this param.

op.<Operation>.mapping.<n>.filter.appletMinorVersion

Filter based on the applet minor version. For an applet file name 1.3.423FFAZ.ijc , 3 is the minor version. The target tokenType will be matched/selected, if the applet's minor Version sent by ESC matches this param.

op.<Operation>.mapping.<n>.target.tokenType

Set this parameter to the 'tokenType' that you want selected for this mapping. For example it could be set to 'userKey'.

Enrollment Operation - Preferences

op.enroll.<tokenType>.temporaryToken.tokenType

Specify the <tokenType> to use for temporary tokens. <tokenType> typically refers to the profile thats defined which can specify how certs should be generated, how keys should be recovered, how format should be done .. etc.

op.enroll.<tokenType>.keyGen.recovery.destroyed.keyType.num

Specify number of keyTypes. Default value is 2.

op.enroll.<tokenType>.keyGen.recovery.destroyed.keyType.value.<n>

Specify keyType. Default values are signing | encryption.

op.enroll.<tokenType>.keyGen.signing.recovery.destroyed.scheme

Specify signing certificate recovery scheme for destroyed tokens. Default value is 'GenerateNewKey'. Other possible values include 'RecoverLast'

op.enroll.<tokenType>.keyGen.signing.recovery.destroyed.revokeCert

Specify if signing certificate should be revoked or not. Valid values are  true | false. default value is true.

op.enroll.<tokenType>.keyGen.signing.recovery.destroyed.revokeCert.reason

Specify what the signing certificate revocation reason should be. default value is 0. Valid values are
0 - unspecified
1 - key compromised
2 - ca key compromised
3 - affiliation changed
4 - certificate superseded
5 - cessation of operation
6 - certificate is on hold

op.enroll.<tokenType>.keyGen.encryption.recovery.destroyed.scheme

Specify encryption certificate recovery scheme for destroyed tokens. Default value is 'RecoverLast. Other possible values include 'GenerateNewKey'

op.enroll.<tokenType>.keyGen.encryption.recovery.destroyed.revokeCert

Specify if encryption certificate should be revoked or not. Valid values are  true | false. default value is true.

op.enroll.<tokenType>.keyGen.encryption.recovery.destroyed.revokeCert.reason

Specify what the encryption certificate revocation reason should be. default value is 0. Valid values are
0 - unspecified
1 - key compromised
2 - ca key compromised
3 - affiliation changed
4 - certificate superseded
5 - cessation of operation
6 - certificate is on hold

op.enroll.<tokenType>.keyGen.recovery.keyCompromise.keyType.num

specify the number of key types for recovery for the tokens whose keys are compromised.

op.enroll.<tokenType>.keyGen.recovery.keyCompromise.keyType.value.<n>

Specify keyType. Default values are signing | encryption.

op.enroll.<tokenType>.keyGen.signing.recovery.keyCompromise.scheme

Specify signing certificate recovery scheme for tokens whose keys are compromised. Default value is 'GenerateNewKey'. Other possible values include 'RecoverLast'

op.enroll.<tokenType>.keyGen.signing.recovery.keyCompromise.revokeCert

Specify if the signing certificate should be revoked or not if the original token's key has been comprised. Valid values are  true | false.

op.enroll.<tokenType>.keyGen.signing.recovery.keyCompromise.revokeCert.reason

Specify what the signing certificate revocation reason should be. default value is 0. Valid values are
0 - unspecified
1 - key compromised
2 - ca key compromised
3 - affiliation changed
4 - certificate superseded
5 - cessation of operation
6 - certificate is on hold

op.enroll.<tokenType>.keyGen.encryption.recovery.keyCompromise.scheme

Specify encryption certificate recovery scheme for tokens whose key is compromised. Valid values include 'GenerateNewKey' and 'RecoverLast'

op.enroll.<tokenType>.keyGen.encryption.recovery.keyCompromise.revokeCert

Specify if the encryption certificate should be revoked or not if the token's key has been comprised. Valid values are  true | false.

op.enroll.<tokenType>.keyGen.encryption.recovery.keyCompromise.revokeCert.reason

Specify what the signing certificate revocation reason should be. default value is 0. Valid values are
0 - unspecified
1 - key compromised
2 - ca key compromised
3 - affiliation changed
4 - certificate superseded
5 - cessation of operation
6 - certificate is on hold

op.enroll.<tokenType>.keyGen.recovery.onHold.keyType.num

Specify the number of key types for the tokens that you want to put onHold ( for temporary loss reasons ). Valid values are in integer. Default is 2.

op.enroll.<tokenType>.keyGen.recovery.onHold.keyType.value.<n>

Specify keyType. Default values are signing | encryption.

op.enroll.<tokenType>.keyGen.signing.recovery.onHold.scheme

Specify the recovery scheme for signing certificates for tokens that are to be put onHold. Valid values are 'GenerateNewKey' and 'RecoverLast'

op.enroll.<tokenType>.keyGen.signing.recovery.onHold.revokeCert

Specify if the signing certificate should be revoked or not if the token's key has been comprised. Valid values are  true | false.

op.enroll.<tokenType>.keyGen.signing.recovery.onHold.revokeCert.reason

Specify what the signing certificate revocation reason should be. default value is 0. Valid values are
0 - unspecified
1 - key compromised
2 - ca key compromised
3 - affiliation changed
4 - certificate superseded
5 - cessation of operation
6 - certificate is on hold

op.enroll.<tokenType>.keyGen.encryption.recovery.onHold.scheme

Specify the recovery scheme for encryption certificates for tokens that are to be put onHold. Valid values are 'GenerateNewKey' and 'RecoverLast'

op.enroll.<tokenType>.keyGen.encryption.recovery.onHold.revokeCert

Specify if the encryption certificate should be revoked or not if the token's key has been comprised. Valid values are  true | false.

op.enroll.<tokenType>.keyGen.encryption.recovery.onHold.revokeCert.reason

Specify what the encryption certificate revocation reason should be. default value is 0. Valid values are
0 - unspecified
1 - key compromised
2 - ca key compromised
3 - affiliation changed
4 - certificate superseded
5 - cessation of operation
6 - certificate is on hold

op.enroll.<tokenType>.keyGen.tokenName

Specify the name of the token to use. TPS has the capability to substitute some special strings here.
For example,
if you use $cuid$ here, the tokenName is substituted with the CUID of the token.
if you use $userid$ here, the tokenName is substituted with the User ID of the authenticating user.

op.enroll.<tokenType>.keyGen.keyType.num

Specify the number of keys/certs to be generated for this profile. Values are in integer. default is 2.

op.enroll.<tokenType>.keyGen.keyType.value.<n>

Specify keyType. Default values are signing | encryption.

op.enroll.<tokenType>.keyGen.signing.keySize

Specify key size to use for key generation. Default is 1024.

############################################################
# DO NOT Alter these values
############################################################

op.enroll.<tokenType>.keyGen.signing.public.keyCapabilities.encrypt

op.enroll.<tokenType>.keyGen.signing.public.keyCapabilities.sign

op.enroll.<tokenType>.keyGen.signing.public.keyCapabilities.signRecover

op.enroll.<tokenType>.keyGen.signing.public.keyCapabilities.decrypt

op.enroll.<tokenType>.keyGen.signing.public.keyCapabilities.derive

op.enroll.<tokenType>.keyGen.signing.public.keyCapabilities.unwrap

op.enroll.<tokenType>.keyGen.signing.public.keyCapabilities.wrap

op.enroll.<tokenType>.keyGen.signing.public.keyCapabilities.verifyRecover

op.enroll.<tokenType>.keyGen.signing.public.keyCapabilities.verify

op.enroll.<tokenType>.keyGen.signing.public.keyCapabilities.sensitive

op.enroll.<tokenType>.keyGen.signing.public.keyCapabilities.private

op.enroll.<tokenType>.keyGen.signing.public.keyCapabilities.token

op.enroll.<tokenType>.keyGen.signing.private.keyCapabilities.encrypt

op.enroll.<tokenType>.keyGen.signing.private.keyCapabilities.sign

op.enroll.<tokenType>.keyGen.signing.private.keyCapabilities.signRecover

op.enroll.<tokenType>.keyGen.signing.private.keyCapabilities.decrypt

op.enroll.<tokenType>.keyGen.signing.private.keyCapabilities.derive

op.enroll.<tokenType>.keyGen.signing.private.keyCapabilities.unwrap

op.enroll.<tokenType>.keyGen.signing.private.keyCapabilities.wrap

op.enroll.<tokenType>.keyGen.signing.private.keyCapabilities.verifyRecover

op.enroll.<tokenType>.keyGen.signing.private.keyCapabilities.verify

op.enroll.<tokenType>.keyGen.signing.private.keyCapabilities.sensitive

op.enroll.<tokenType>.keyGen.signing.private.keyCapabilities.private

op.enroll.<tokenType>.keyGen.signing.private.keyCapabilities.token

############################################################

op.enroll.<tokenType>.keyGen.signing.label

Specify the token label for the signing cert. Valid values are $pretty_cuid$, $cuid$, $msn$,$userid$,$profileId$

op.enroll.<tokenType>.keyGen.signing.cuid_label

Specify the cuid to be shown in the certificate.

op.enroll.<tokenType>.keyGen.signing.overwrite

Specify if you want TPS to overwrite you existing signing cert or not. Valid values are true | false.

op.enroll.<tokenType>.keyGen.signing.ca.profileId

Specify the ca profile that should be use for creating the signing certificate. Default is caTokenUserSigningKeyEnrollment

op.enroll.<tokenType>.keyGen.signing.ca.conn

Specify the CA connection to use. Default value is ca1

op.enroll.<tokenType>.keyGen.encryption.keySize

Specify the keysize for the encryption key. Default is 1024.

############################################################
# Do not alter these
############################################################

op.enroll.<tokenType>.keyGen.encryption.public.keyCapabilities.encrypt

op.enroll.<tokenType>.keyGen.encryption.public.keyCapabilities.sign

op.enroll.<tokenType>.keyGen.encryption.public.keyCapabilities.signRecover

op.enroll.<tokenType>.keyGen.encryption.public.keyCapabilities.decrypt

op.enroll.<tokenType>.keyGen.encryption.public.keyCapabilities.derive

op.enroll.<tokenType>.keyGen.encryption.public.keyCapabilities.unwrap

op.enroll.<tokenType>.keyGen.encryption.public.keyCapabilities.wrap

op.enroll.<tokenType>.keyGen.encryption.public.keyCapabilities.verifyRecover

op.enroll.<tokenType>.keyGen.encryption.public.keyCapabilities.verify

op.enroll.<tokenType>.keyGen.encryption.public.keyCapabilities.sensitive

op.enroll.<tokenType>.keyGen.encryption.public.keyCapabilities.private

op.enroll.<tokenType>.keyGen.encryption.public.keyCapabilities.token


op.enroll.<tokenType>.keyGen.encryption.private.keyCapabilities.encrypt

op.enroll.<tokenType>.keyGen.encryption.private.keyCapabilities.sign

op.enroll.<tokenType>.keyGen.encryption.private.keyCapabilities.signRecover

op.enroll.<tokenType>.keyGen.encryption.private.keyCapabilities.decrypt

op.enroll.<tokenType>.keyGen.encryption.private.keyCapabilities.derive

op.enroll.<tokenType>.keyGen.encryption.private.keyCapabilities.unwrap

op.enroll.<tokenType>.keyGen.encryption.private.keyCapabilities.wrap

op.enroll.<tokenType>.keyGen.encryption.private.keyCapabilities.verifyRecover

op.enroll.<tokenType>.keyGen.encryption.private.keyCapabilities.verify

op.enroll.<tokenType>.keyGen.encryption.private.keyCapabilities.sensitive

op.enroll.<tokenType>.keyGen.encryption.private.keyCapabilities.private

op.enroll.<tokenType>.keyGen.encryption.private.keyCapabilities.token

############################################################

op.enroll.<tokenType>.keyGen.encryption.label

Specify the token label for the encryption cert. Valid values are $pretty_cuid$, $cuid$, $msn$,$userid$,$profileId$

op.enroll.<tokenType>.keyGen.encryption.cuid_label

Specify the cuid to be shown in the certificate.

op.enroll.<tokenType>.keyGen.encryption.overwrite

Specify if the encryption cert on the token should be overwritten or not. Valid values are true | false.

op.enroll.<tokenType>.keyGen.encryption.ca.profileId

Specify the ca profile to use for enrolling encryption certs. Default value is caTokenUserEncryptionKeyEnrollment
op.enroll.<tokenType>.keyGen.encryption.ca.conn
Specify the ca connection to use to generate encryption certs. Default value is ca1

op.enroll.<tokenType>.update.applet.emptyToken.enable

Specify if you need TPS to upload an applet to the token when it doesn't have one.  Valid values are true | false.

op.enroll.<tokenType>.update.applet.enable

Specify if applet upgrade is turned on or off. Valid values true | false.

op.enroll.<tokenType>.update.applet.requiredVersion

Specify the version of applet to use. It should be the filename of the applet without the .ijc extension.

op.enroll.<tokenType>.update.applet.directory

Specify the local filesystem directory where the applets are located.

op.enroll.<tokenType>.update.symmetricKeys.enable

Specify if the key change over feature should be enabled or not. Valid values are true | false. When enabled, TPS checks to see the key version sent by the token matches  symmetricKeys.requiredVersion

op.enroll.<tokenType>.update.symmetricKeys.requiredVersion

Specify the key version thats required to be present on the key.

op.enroll.<tokenType>.loginRequest.enable

Specify if the login request should be sent to the token. This parameter enables authentication. Valid values are true | false

op.enroll.<tokenType>.pinReset.enable

Specify if the token's pin should be reset or not. Default value is true. Valid values are true | false.

op.enroll.<tokenType>.pinReset.pin.minLen

Specify the minimum number of characters for the pin

op.enroll.<tokenType>.pinReset.pin.maxLen

Specify the max number of characters for the pin

op.enroll.<tokenType>.tks.conn

Specify the tks connection to use for this operation.

op.enroll.<tokenType>.auth.id

Specify the LDAP auth instance to use for this operation. Default value is ldap1.

op.enroll.<tokenType>.auth.enable

Specify whether we need to authenticate the user info. Valid values are true | false

Pin Reset Operation - Preferences

op.pinReset.<tokenType>.update.applet.emptyToken.enable

Specify if you need TPS to upload an applet to the token when it doesn't have one.  Valid values are true | false.

op.pinReset.<tokenType>.update.applet.enable

Specify if applet upgrade is turned on or off. Valid values true | false.

op.pinReset.<tokenType>.update.applet.requiredVersion

Specify the key version thats required to be present on the key.

op.pinReset.<tokenType>.update.applet.directory

Specify the local filesystem directory where the applets are located.

op.pinReset.<tokenType>.update.symmetricKeys.enable

Specify if the key change over feature should be enabled or not. Valid values are true | false. When enabled, TPS checks to see the key version sent by the token matches  symmetricKeys.requiredVersion

op.pinReset.<tokenType>.update.symmetricKeys.requiredVersion

Specify the key version thats required to be present on the key.

op.pinReset.<tokenType>.loginRequest.enable

Specify if the login request should be sent to the token. This parameter enables authentication. Valid values are true | false

op.pinReset.<tokenType>.pinReset.pin.minLen

Specify the minimum number of characters for the pin

op.pinReset.<tokenType>.pinReset.pin.maxLen

Specify the max number of characters for the pin

op.pinReset.<tokenType>.tks.conn

Specify the tks connection to use for this operation

op.pinReset.<tokenType>.auth.id

Specify the LDAP auth instance to use for this operation. Default value is ldap1.

op.pinReset.<tokenType>.auth.enable

Specify whether we need to authenticate the user info. Valid values are true | false

Format Operation - Preferences

op.format.<tokenType>.update.applet.emptyToken.enable

Specify if you need TPS to upload an applet to the token when it doesn't have one.  Valid values are true | false

op.format.<tokenType>.update.applet.requiredVersion

Specify if applet upgrade is turned on or off. Valid values true | false.

op.format.<tokenType>.update.applet.directory

Specify the local filesystem directory where the applets are located

op.format.<tokenType>.update.symmetricKeys.enable

Specify if the key change over feature should be enabled or not. Valid values are true | false. When enabled, TPS checks to see the key version sent by the token matches  symmetricKeys.requiredVersion

op.format.<tokenType>.update.symmetricKeys.requiredVersion

Specify the key version thats required to be present on the key.

op.format.<tokenType>.revokeCert

Specify if you want TPS to revoke the certificates associated with the token during this format operation. Default is true. Valid values are true | false

op.format.<tokenType>.ca.conn

Specify the ca connection to use for this operation

op.format.<tokenType>.loginRequest.enable

Specify if the login request should be sent to the token. This parameter enables authentication. Valid values are true | false

op.format.<tokenType>.tks.conn

Specify the tks connection to use for this operation

op.