Conventions Used in This Guide
Certificate Manager Flexibility and Scalability
Java SDK Extension Mechanism for Customization
How Certificate Management System Works
How the Certificate Manager Works
About the Registration Manager
How the Registration Manager Works
Online Certificate Status Manager
Certificate Manager and Registration Manager
Certificate Manager and Data Recovery Manager
Certificate Manager, Data Recovery Manager, and Registration Manager
Certificate Management Formats and Protocols
Security and Directory Protocols
Installation and Configuration Overview
Installation and Configuration Process
About the Installation Program
Certificate Manager Deployment Considerations
Self-Signed Root vs. Subordinate CA
Certificate Manager Certificates
Certificate Manager Interfaces
Installing a Certificate Manager
Installing a Certificate Manager as a Root CA
Installing a Certificate Manager as a Subordinate CA
Configuring the Certificate Manager
Managing Certificates and the Certificate Database
Changing Ports and IP Addresses
Changing Subsystem Security Setting
Changing Passwords or Storage Settings
Changing Internal Database Settings
Changing the Certificate Issuance Rules
Configuring Certificate Profiles
Customizing the End Entity Interface
Setting Up the CMCAuth Authentication Plug-in
Setting Up the Server for Multiple Requests in a Full CMC Request
How the Certificate Manager Works
Issuing Cross-Pair Certificates
Importing Cross-Pair Certificates
Publishing Cross-Pair Certificates
Chapter 4 Registration Manager
Registration Manager Deployment Considerations
Registration Manager's Certificates
Registration Manager Interfaces
Installing a Registration Manager
Configuring a Registration Manager
Managing Certificates and the Certificate Database
Changing Ports and IP Addresses
Changing Subsystem Security Setting
Changing Passwords or Storage Settings
Changing Internal Database Settings
Configuring Certificate Profiles
Customizing the End Entity Interface
How a Registration Manager Works
Setting Up a Certificate Manager with OCSP Service
Online Certificate Status Manager Deployment Considerations
Online Certificate Status Manager Certificates
Installing an Online Certificate Status Manager
Configuring the Online Certificate Status Manager
Managing Certificates and the Certificate Database
Changing Ports and IP Addresses
Changing Subsystem Security Setting
Changing Passwords or Storage Settings
Changing Internal Database Settings
Identifying the CA to the OCSP Responder
Configure the Revocation Info Stores
Chapter 6 Data Recovery Manager
PKI Setup for Key Archival and Recovery
Clients That Can Generate Dual Key Pairs
Forms for Users and Key Recovery Agents
Key Recovery Agents and Their Passwords
How Agent-Initiated Key Recovery Works
Installing a Standalone Data Recovery Manager
Data Recovery Manager's Key Pairs and Certificates
Installing the Data Recovery Manager
Configuring Key Archival and Recovery Process
Step 1. Set Up the Key Archival Process
Step 2. Set Up the Key Recovery Process
Step 3. Test Your Key Archival and Recovery Setup
Chapter 7 Token Management System
Chapter 8 Administrative Basics
Netscape Administration Server
Setting up Certificate Authentication for the CMS Console
Passwords Stored by the Server
Starting, Stopping, and Restarting CMS Instances
Subsystem Configuration Overview
Configuring Multiple CMS Instances
Removing an Instance From a System
Locating the Configuration File
Editing the Configuration File
Guidelines for Editing the Configuration File
Duplicating Configuration From One Instance to Another
Log Levels (Message Categories)
Buffered Versus Unbuffered Logging
Configuring Logs in the CMS Console
Configuring Logs in the CMS.cfg File
Modifying Self Test Configuration
Changing the Internal Database Configuration
Enable SSL Client Authentication with the Internal Database
Restricting Access to the Internal Database
Managing the Certificate Database
Viewing and Deleting Certificate Database Content
Changing the Trust Settings of a CA Certificate
Installing a New CA Certificate in the Certificate Database
Installing a CA Certificate Chain in the Certificate Database
Consideration When Getting New Certificates for the Subsystems
Tokens for Storing CMS Keys and Certificates
Managing Tokens Used by the Subsystems
Hardware Cryptographic Accelerators
Configuring the Server's Security Preferences
Configuring the Server to Use Separate SSL Server Certificates
Getting an SSL Client Certificate for a Subsystem
Setting up Administrators, Agents, and Auditors
Creating a User and Assigning Them to a Group
Setting up Agents Using the Automated Process
First Agent Certificate for a Certificate Manager
Getting an Agent's Certificate from a Public CA
Getting an Agent's Certificate from Certificate Management System
Revocation Status Checking of Agent Certificates
Changing a CMS User's Login Information
Changing a CMS User's Certificate
Access Control Instructions (ACIs)
certServer.admin.request.enrollment
certServer.ca.request.enrollment
certServer.ee.facetofaceenrollment
certServer.ee.request.enrollment
certServer.ee.request.facetofaceenrollment
certServer.ee.request.revocation
certServer.general.configuration
certServer.kra.certificate.transport
certServer.log.configuration.SignedAudit.expirationTime
certServer.log.configuration.fileName
certServer.log.content.SignedAudit
certServer.policy.configuration
certServer.profile.configuration
certServer.publisher.configuration
certServer.ra.facetofaceenrollment
certServer.ra.facetofaceenrollment.enableHosts
certServer.ra.request.enrollment
certServer.registry.configuration
certServer.usrgrp.administration
Setting Up Agent-Approved Enrollment
Setting Up Directory Based Enrollment
Setting Up Pin Based Enrollment
Agent Initiated End User Enrollment
Setting Up Agent Initiated Enrollment
Setting Up Certificate Based Enrollment
Issuing and Managing Server Certificates
Renewal of Server Certificates
Getting Certificates for Netscape Version 4.x and Later Servers
Setting Up Automated CEP Enrollment
Setting Up Publishing of CEP Certificates and CRLs
Certificate Issuance to Routers or VPN Clients
Managing Authentication Plug-ins
Generating Files Required By Third-Party Object Signing Tools
Chapter 11 Certificate Profiles
Setting Up Certificate Profiles
Modifying a Certificate Profile
Authority Info Access Extension Default
Authority Key Identifier Extension Default
Basic Constraints Extension Default
CRL Distribution Points Extension Default
Extended Key Usage Extension Default
Freshest CRL Extension Default
Name Constraints Extension Default
Netscape Comment Extension Default
Netscape Certificate Type Extension Default
OCSP No Check Extension Default
Policy Constraints Extension Default
Policy Mappers Extension Default
Subject Alternative Name Extension Default
Subject Key Identifier Extension Default
Token Supplied Subject Name Default
User Supplied Extension Default
User Signing Algorithm Default
User Supplied Subject Name Default
User Supplied Validity Default
Basic Constraints Extension Constraint
Extended Key Usage Extension Constraint
Key Usage Extension Constraint
Netscape Certificate Type Extension Constraint
Using Predicates in Policy Rules
Configuring Policy Rules for a Subsystem
Constraints-Specific Policy Module Reference
Extension-Specific Policy Module Reference
Managing Policy Plug-in Modules
Chapter 13 Automated Notifications
Setting Up Automated Notifications
Types of Automated Notifications
Determining End-Entity Email Addresses
Setting Up Automated Notifications
Configuring Specific Notifications By Editing the Configuration File
Customizing Notification Messages
Notification Message Templates
Frequency Settings for Automated Jobs
Enabling and Configuring the Job Scheduler
Enabling and Configuring Specific Jobs Using the CMS Console
Enabling and Configuring Specific Jobs By Editing the Configuration File
Configuration Parameters of RenewalNotificationJob
Configuration Parameters of RequestInQueueJob
Configuration Parameters of UnpublishExpiredJob
Customizing Notification Messages
Templates for Summary Notifications
Registering or Deleting a Job Module
Chapter 15 Revocation and CRLs
Authentication of End Users During Certificate Revocation
Reasons for Revoking a Certificate
Revocation Checking by Netscape Servers
Setting Up the Issuance of CRLs
Configuring CRLs for Each Issuing Point
Configuring Publishers for Publishing to a File
Configuring Publishers for Publishing to OCSP
Configuring Publishers for LDAP Publishing
Publisher Plug-in Module Reference
Mapper Plug-in Modules Reference
Modifying Publishing Rules for Certificates and CRLs
Configuring the Directory for LDAP Publishing
Directory Authentication Method
Updating Certificates and CRLs in a Directory
Manually Updating Certificates in the Directory
Manually Updating the CRL in the Directory
Registering and Deleting Mapper and Publisher Plug-in Modules
Chapter 17 Configuring CMS for High Availability
CMS High Availability Overview
Architecture of a Failover System
Cloning the Certificate Manager
Testing the CA Cloned-Master Connection
Additional CRL Scheduling Information
Converting a Master CA into a Cloned CA
Converting a Cloned CA into a Master CA
Cloning the Online Certificate Status Manager
Preparing to Clone the Online Certificate Status Manager
Testing the OCSP Cloned-Master Connection
Cloned-Master OCSP Responder Conversion
Converting a Master OCSP Responder into a Cloned OCSP Responder
Converting a Cloned OCSP Responder into a Master OCSP Responder
Cloning the Data Recovery Manager
Testing the DRM Cloned-Master Connection
Cloned-Master DRM Responder Conversion
Appendix A Common Criteria Environment: Security Requirements
Security Requirements for the IT Environment
Identification and authentication (FIA)
CIMC TOE Access Control Policy
Appendix B Common Criteria Environment: Setup and Operations
TOE Security Environment Assumptions
Security Requirements for the IT Environment
Private and Secret Key Zeroization
Password and Certificate Storage
Protection of Private and Secret Keys
CMS Privileged Users and Groups (Roles)
CMS Common Criteria Environment Setup and Installation Guide
Understanding Setup of Common Criteria Evaluated Netscape CMS
CMS Common Criteria Environment Setup and Installation Process
Appendix C Understanding the Common Criteria Evaluated CMS Setup
Understanding the Common Criteria Environment
Understanding Operating System Setup (Users, Groups, and File Permissions)
Understanding CMS Installation
Configuring CMS to Use Hardware Tokens
SSL Client Authentication with the Internal Database
Backup and Restore of a CMS Subsystem
Common Criteria Deployment Scenarios
Features That Are Not Part of the Common Criteria Environment
CMS Role Users and Authorization
OCSP Responder Revocation Information Store
Common Criteria Environment Setup Procedures
Appendix D Common Criteria Environment: Security Objectives
1.1 Security Objectives for the TOE
1.2 Security Objectives for the Environment
1.2.1 Non-IT security objectives for the environment
1.2.2 IT security objectives for the environment
1.3 Security Objectives for both the TOE and the Environment
Appendix E Common Criteria Environment: TOE Security Environment Assumptions
1.1.3 Connectivity Assumptions
1.3 Organization Security Policies
Appendix F Certificate Download Specification
Importing Certificates into Netscape Communicator
Importing Certificates into Netscape Servers
Appendix G Certificate and CRL Extensions
Introduction to Certificate Extensions
Structure of Certificate Extensions
Standard X.509 v3 Certificate Extensions
Introduction to CRL Extensions
Sample CRL and CRL Entry Extensions
Standard X.509 v3 CRL Extensions
Netscape-Defined Certificate Extensions
CA Certificates and Extension Interactions
Registration of Object Identifiers
Appendix I Distinguished Names
DNs in Certificate Management System
Role of Distinguished Names in Certificates
Appendix J Introduction to Public-Key Cryptography
Key Length and Encryption Strength
Certificates and Authentication
A Certificate Identifies Someone or Something
Authentication Confirms an Identity
How CA Certificates Are Used to Establish Trust
Certificates and the LDAP Directory
Renewing and Revoking Certificates
Appendix K Introduction to SSL
© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2004 Netscape Communications Corporation. All rights reserved.
Last Updated November 23, 2004