CMS Common Criteria Setup Procedure

1. Overview

This document presumes that the reader has become familiar with the basics of the Certificate Management System (CMS) and all of its subsystems. Additionally, it presumes that all hardware and software requirements covered in the release notes have been met on the host system, and that there exists the ability to install, configure, and operate CMS within the parameters defined herein.

For the purposes of this document, the examples provided will be specific to the Solaris 8 UNIX operating system using local files on a local machine. This will include all sample entry names, identification numbers, command-line utilities, etc.

Additionally, the notation used throughout this document to refer to parameters contained in the installation worksheets will consist of emboldened italicized variables contained within curly braces (e. g. - {server_root}). Whenever such a variable is encountered, the user should always replace this variable with the corresponding actual value contained in the appropriate installation worksheet.

Note that after subsystems are completely setup, the CMS administrators will not have direct write access to any file under {server_root}/cert-[{caid},{subcaid},{drmid},{ocspid},{raid}]. It is recommended that if situations occur where it is required to operate on these restricted files directly from the IT environment, the CMS administrator should perform the following steps:


1. Consult with the OS administrator to reactivate the cmsuser account for temporary access to the needed areas.
2. With an OS administrator and at least one other CMS role user (a ccagent or ccauditor) present, log in as cmsuser to do the necessary operations.
3. Finally, the OS administrator will deactivate the cmsuser account.

Operations that may require such procedures (after file permissions have been setup) include:


• PasswordCache - encryption and decryption of passwords require access to the CMS subsystem's cryptographic tokens
• cmsutil - signing of the backup files require access to the CMS subsystem's cryptographic tokens.

---

2. Setting up CMS subsystems

• Securing the Environment
• Setup an isolated secured network.
• Setup FIPS 140-1 level 3 hardware tokens (See instructions provided by the hardware vendor).
• Assign CMS Roles (follow this link for more information).
• With all CMS Roles present, and bearing in mind the comments found in the Overview [Section I], follow the appropriate instructions to setup the corresponding CMS subsystems:
• Setting up a CA [Section III]
• Setting up an RA [Section IV]
• Setting up a DRM [Section V]
• Setting up an OCSP Responder [Section VI]
• Setting up a Subordinate CA [Section VII]
• Setting up an FBCA [Section VIII]
• Connect this isolated network to the primary network.

---

3. Setting up a CA

• Complete the Installation Worksheet for a Certificate Authority (CA)
• Create Operating System Users & Groups [Section IX]
• Create a fresh FIPS token (i. e. - nCipher) by performing the following instruction:
  
  • Erase the operator card on module 1:
  /opt/nfast/bin/createocs -e -F 0 1 0
  • Create the operator card on module 1:
  /opt/nfast/bin/createocs -F 0 -p -t 0 1 0 nFast
  The above command will prompt the user to insert a card containing FIPS auth which is the administrator card.
• CA Installation [Section X]
• Add FIPS 140-1 level 3 Hardware token for CA [Section XI]
• Start Console for installation configuration [Section XXII,Section E]
• Configure CA from Console. [Section XII]
• As cmsuser, remove CertSetup.cfg by performing the following instruction:
• cd {server_root}/cert-{caid}/config
• rm CertSetup.cfg
• Disabling Features Not in the Common Criteria Evaluation [Section XXII]
• Setup CA Administrator's Browser: Import a CA Certificate Chain and Trust It [Section XXII, Section Q]
• Setup a CA Agent [Section XIII]
• Setup Signed Audit [Section XVI]
• Use FIPS 140-1 level 3 validated hardware token for generating password cache encryption key [Section XXII]
• Enable SSL Client Authentication in Internal DB [Section XVII]
• LDAP Publishing [Section XVIII]
• Setup Revocator [Section XXII]
• Certificate Profiles [Section XXII]
• Setup a CA Auditor [Section XIX]
• Setup a CA Administrator [Section XX]
• If this CA is intended to be cross-certified with another CA, please follow the steps in chapter VIII. Setting up a Federal Bridge Certificate Authority (FBCA) . [Section VIII]
• Changing Permissions [Section XXI]
• Restart Console [Section XXII]

---

4. Setting up an RA

• Complete the Installation Worksheet for a Registration Authority (RA)
• Create Operating System Users & Groups [Section IX]
• Create a fresh FIPS token (i. e. - nCipher) by performing the following instruction:
  
  • Erase the operator card on module 1:
  /opt/nfast/bin/createocs -e -F 0 1 0
  • Create the operator card on module 1:
  /opt/nfast/bin/createocs -F 0 -p -t 0 1 0 nFast
  The above command will prompt the user to insert a card containing FIPS auth which is the administrator card.
• RA Installation [Section X]
• Add FIPS 140-1 level 3 Hardware token for RA [Section XI]
• Start Console for installation configuration [Section XXII,Section E]
• Configure RA from Console [Section XII]
• As cmsuser, remove CertSetup.cfg by performing the following instruction:
• cd {server_root}/cert-{raid}/config
• rm CertSetup.cfg
• Setting Up RA as a Trusted Manager in CA subsystem [Section XV]
• Setup an RA Agent [Section XIII]
• Disabling Features Not in the Common Criteria Evaluation [Section XXII]
• Setup RA Administrator's Browser: Import a CA Certificate Chain and Trust It [Section XXII, Section Q]
• Setup Signed Audit [Section XVI]
• Use FIPS 140-1 level 3 validated hardware token for generating password cache encryption key [Section XXII]
• Enable SSL Client Authentication in Internal DB [Section XVII]
• Setup Revocator [Section XXII]
• Setup an RA Auditor [Section XIX]
• Setup an RA Administrator [Section XX]
• Restart CA Subsystem.
• Restart RA Subsystem.
• Changing Permissions [Section XXI]
• Restart Console [Section XXII]

---

5. Setting up a DRM

• Complete the Installation Worksheet for a Data Recovery Manager (DRM)
• Create Operating System Users & Groups [Section IX]
• Create a fresh FIPS token (i. e. - nCipher) by performing the following instruction:
  
  • Erase the operator card on module 1:
  /opt/nfast/bin/createocs -e -F 0 1 0
  • Erase the operator card on module 2:
  /opt/nfast/bin/createocs -e -F 0 2 0
  • Create the operator card on module 1:
  /opt/nfast/bin/createocs -F 0 -p -t 0 1 0 nFast
  The above command will prompt the user to insert a card containing FIPS auth which is the administrator card.
  • Create the operator card on module 2:
  /opt/nfast/bin/createocs -F 0 -p -t 0 2 0 nFast2
  The above command will prompt the user to insert a card containing FIPS auth which is the administrator card.
• DRM Installation [Section X]
• Add FIPS 140-1 level 3 Hardware token for DRM [Section XI]
• Start Console for installation configuration [Section XXII,Section E]
• Configure DRM from Console [Section XII]
• As cmsuser, remove CertSetup.cfg by performing the following instruction:
• cd {server_root}/cert-{drmid}/config
• rm CertSetup.cfg
• Disable the logout feature in the DRM:
  
  
  • As cmsuser, execute the command cd {server_root}/cert-{drmid}
  • Execute the command ./stop-cert
  • Execute the command cd {server_root}/cert-{drmid}/config
  • Edit the CMS.cfg file, and add the following line at the end of the file:
    
    • kra.storageUnit.logout=false
  • Execute the command cd {server_root}/cert-{drmid}
  • Execute the command ./start-cert
  
  
• Setup DRM Administrator's Browser: Import a CA Certificate Chain and Trust It [Section XXII, Section Q]
• Setup a DRM Agent [Section XIII]
• Setting Up a Certificate Manager as a Trusted Manager [Section XV]
• Setting up the CA/DRM Connector:
  
  
  • Open CA console.
  • Click on Configuration Tab.
  • From left-hand panel, click on Certificate Manager.
  • Click on Connectors.
  • Select Data Recovery Manager Connector.
  • Click Edit.
  • Check Enable.
  • Fill in the DRM hostname.
  • Fill in the DRM agent port.
  • Click OK.
  
  
• Install the Transport Certificate into the CA Enrollment Page [Section XXII]
• Setup Signed Audit [Section XVI]
• Use FIPS 140-1 level 3 validated hardware token for generating password cache encryption key [Section XXII]
• Enable SSL Client Authentication in Internal DB [Section XVII]
• Setup Revocator [Section XXII]
• Setup a DRM Auditor [Section XIX]
• Setup a DRM Administrator [Section XX]
• Restart CA Subsystem.
• Restart DRM Subsystem.
• Changing Permissions [Section XXI]
• Restart Console [Section XXII]

---

6. Setting up an OCSP Responder

• Complete the Installation Worksheet for an Online Certificate Status Protocol (OCSP) Responder
• Create a fresh FIPS token (i. e. - nCipher) by performing the following instruction:
  
  • Erase the operator card on module 1:
  /opt/nfast/bin/createocs -e -F 0 1 0
  • Create the operator card on module 1:
  /opt/nfast/bin/createocs -F 0 -p -t 0 1 0 nFast
  The above command will prompt the user to insert a card containing FIPS auth which is the administrator card.
• Create Operating System Users & Groups [Section IX]
• OCSP Installation [Section X]
• Add FIPS 140-1 level 3 Hardware token for OCSP [Section XI]
• Start Console for installation configuration [Section XXII,Section E]
• Configure OCSP Responder from Console [Section XII]
• As cmsuser, remove CertSetup.cfg by performing the following instruction:
• cd {server_root}/cert-{ocspid}/config
• rm CertSetup.cfg
• Setup OCSP Responder Administrator's Browser: Import a CA Certificate Chain and Trust It [Section XXII, Section Q]
• Setup an OCSP Responder Agent [Section XIII]
• Setup a CA in OCSP:


• Access a CA subsystem End Entity page using web browser:
  
  • As cmsuser, go to CA EE page by typing https://{cahost}:{caeesslport}. Click the retrieval tab and select List Certificates on the left-hand side and click "Find" button.
  • Click "Detail" button for the first certificate which is the CA signing certificate.
  • There are two base64 encoded certificates in the Certificate contents page. Copy the first base64 encoded certificate to the clipboard.
• Access OCSP agent port using web browser:
  
  • As ccagent1 for OCSP subsystem, go to OCSP agent services page by typing https://{ocsphost}:{ocspagentport}.
  • Click on ADD Certificate authority on the left hand side.
  • Paste the base64 encoded CA signing certificate in the text area provided on the right hand side. Then click "Submit" button.
  • Click on LIST Certificate authority on the left hand side.
  • The certificate authority which was added should be listed on the right hand side.


• Setup CA to publish CRL to this OCSP subsystem:


• Setup publishing:
  
  • As cmsuser, open CA console.
  • Click on Configuration tab.
  • From left-hand panel, click on Certificate Manager->Publishing->Publishers.
  • Select Publisher Management tab, click Add button.
  • Select OCSPPublisher and click Next.
  • Fill in the following information in the Publisher Editor dialog box:
  • Publisher ID: CAOCSPPUBLISHER
  • host: {ocsphost}
  • port: {ocspeesslport}
  • Click OK to dismiss the dialog box.
• Add a publishing rule:
  
  • From left-hand panel, click on Certificate Manager->Publishing->Rules.
  • Select Rules Management tab, click Add button.
  • Select Rule and click next.
  • Fill in the following information in the Rule Editor dialog box:
  • Rule ID: CAOCSPRULE
  • type: crl
  • enable: check box needs to be checked
  • mapper: none
  • publisher: CAOCSPPUBLISHER
  • Click OK.
• Do the following to enable publishing:
• In CA console, select Certificate Manager->Publishing on the left hand panel.
• Click General tab on the right hand panel. Make sure the check box for "Enable Pulishing" is checked. If not, check the checkbox and click "Save" button.


• Setup AIA extensions in profile:


• As ccagent1 for the CA subsystem, go to CA agent services page by typing https://{cahost}:{caagentport}
• Click on Manage Certificate Profiles on the left hand panel.
• Click "Manual User Dual-Use Certificate enrollment" and click "Disable" button.
• As cmsuser, open CA console:
• Go to Configuration tab.
• Select Certificate Manager->Certificate Profiles on the left hand panel.
• Select caUserCert profile. Click Edit/View button.
• Select AIA extension AuthInfoAccessExt.
• Click on Edit.
• Check the parameters:
• ad0_location_type: URIName
• ad0_location: http://{ocsphost}:{ocspeeport}/ocsp


• Click OK. Then click OK.
• Go back to CA agent services page:
• Click on Manage Certificate Profiles on the left hand panel.
• Click "Manual User Dual-use Certificate enrollment" and click "Approve" button to enable the certificate profile.


• Setup Signed Audit [Section XVI]
• Use FIPS 140-1 level 3 validated hardware token for generating password cache encryption key [Section XXII]
• Enable SSL Client Authentication in Internal DB [Section XVII]
• Setup Revocator [Section XXII]
• Setup an OCSP Responder Auditor [Section XIX]
• Setup an OCSP Responder Administrator [Section XX]
• Restart CA Subsystem.
• Restart OCSP Subsystem.
• Changing Permissions [Section XXI]
• Restart Console [Section XXII]

---

7. Setting up a Subordinate CA

• Complete the Installation Worksheet for a Subordinate Certificate Authority (CA)
• Create Operating System Users & Groups [Section IX]
• Create a fresh FIPS token (i. e. - nCipher) by performing the following instruction:
  
  • Erase the operator card on module 1:
  /opt/nfast/bin/createocs -e -F 0 1 0
  • Create the operator card on module 1:
  /opt/nfast/bin/createocs -F 0 -p -t 0 1 0 nFast
  The above command will prompt the user to insert a card containing FIPS auth which is the administrator card.
• Subordinate CA Installation [Section X]
• Add FIPS 140-1 level 3 Hardware token for Subordinate CA [Section XI]
• Start Console for installation configuration [Section XXII,Section E]
• Configure Subordinate CA [Section XII]
• As cmsuser, remove CertSetup.cfg by performing the following instruction:
• cd {server_root}/cert-{subcaid}/config
• rm CertSetup.cfg
• Disabling Features Not in the Common Criteria Evaluation [Section XXII]
• Setup Subordinate CA Administrator's Browser: Import a CA Certificate Chain and Trust It [Section XXII, Section Q]
• Setup a Subordinate CA Agent [Section XIII]
• Setup Signed Audit [Section XVI]
• Use FIPS 140-1 level 3 validated hardware token for generating password cache encryption key [Section XXII]
• Enable SSL Client Authentication in Internal DB [Section XVII]
• LDAP Publishing [Section XVIII]
• Setup Revocator [Section XXII]
• Setup a Subordinate CA Auditor [Section XIX]
• Setup a Subordinate CA Administrator [Section XX]
• Restart Console [Section XXII]
• Changing Permissions [Section XXI]
• Certificate Profiles [Section XXII]

---

8. Setting up an Federal Bridge Certificate Authority (FBCA)

1. Initial FBCA Setup

The following instructions show how to set up cross-certification between two independent CAs. The assumption is that a CA has already been setup [Section III] up to (but not including) the Changing Permissions [Section XXI] step.

The goal of setting up an FBCA is to have the local organization's CA cross-certified with another CA in a different organization. In the following instructions, the local CA will be called CA1, and the CA in a different organization will be called CA2. Please note that the CA2 referenced in the scenario below does not belong to this organization, and therefore, it is the responsibility of CA2's organization to do the tasks necessary to complete the setup.

• Make sure that publishing is turned on for CA1.
• Although this case is unlikely, make sure that CA1 and CA2 publish to two different publishing directories.
• Open CA1 Console:
  
  • Go to Configuration->Netscape CertificateManager->[Encryption]->Certificate Setup Wizard.
  • Select request for cert.
  • Go through the process of making a request for "subordinate CA":
    
    • Select "Use existing keypair".
    • Copy the request to the clipboard.
• Submit the request to CA2. Normally, the user should follow the instructions for CA2 to submit this subordinate CA request. Notify CA2's agent to approve the request.
• Retrieve the certificate once it has been approved (this will consist of the base64 encoded blob of this certificate).
• To install the certificate, open CA1 Console:
  
  • Go to Configuration->Netscape CertificateManager->[Encryption]->Certificate Setup Wizard.
  • Select "install".
  • At "Certificate Selection", select "Cross-signed Certificate(s)".
  • Paste base64 blob in.
• On the CA1 machine, copy the base-64 encoded blob to a file (e. g. - {server_root}/cert-{caid}/config/ca1.cert). This will be used later for building a "customized" CA cert chain.
• Ask the organization of CA2 to submit their subordinate CA certificate request to CA1. The following is the instruction to give them:
  
  • On CA2, generate a certificate request by using the existing CA signing certificate key pair.
  • Using a browser, go to the CA1 EE port:
    
    • Click on Profiles, "Manual Certificate Manager Signing Certificate Enrollment".
    • Copy the request and submit an enrollment request.
• Using a browser, go to the CA1 Agent port:
  
  • Approve the request.
  • Copy the base64 encoded blob to the clipboard.
• Notify the CA2's organization that the certificate is signed and ready.
• The CA2's cross-signed certificate also needs to be "installed" on CA1:
• Open CA1 Console:
• Go to Configuration->Netscape CertificateManager->[Encryption]->Certificate Setup Wizard.
• Select "install".
• At "Certificate Selection", select "Cross-signed Certificate(s)".
• Paste base64 blob in.
• On the CA1 machine, copy the base-64 encoded blob to a file (e. g. - {server_root}/cert-{caid};/config/ca2.cert).
• Executing the command ./ldapsearch -h {publishhost} -p {publishport} -b {publishing_dn} -D {publish_suffix} -w {publishdn_pwd} "cn=Certificate Manager" should list the crossCertificatePair attribute where the -D option specifies the baseDN, and the last value, "cn=Certificate Manager", should be changed to whatever cn was created for publishing.

2. Building a Customized CA Certificate Chain

When a cross-signing relationship is setup by following the FBCA setup instructions, it is important to reset the CA's certificate chain so that applications receive the proper trust chain. The following instructions show how to customize the CA certificate chain for a CA:

• Execute the command cd {server_root}/cert-{caid}
• Execute the command ./stop-cert
• Execute the command cd {server_root}/cert-{caid}/config
• Edit the CMS.cfg file, and place the following lines at the end of the file:
  
  • ca.signing.certchainNum=2
    ca.signing.certchain.cert0={server_root}/cert-{caid}/config/ca1.cert
    ca.signing.certchain.cert1={server_root}/cert-{caid}/config/ca2.cert
    
    where certchainNum tells how many certs are in the chain, and the rest are individual certs in the order from leaf to root (cert0 being the leaf, and cert1 being the self-signed root in this case).
    Each ca*.cert file contains a base-64 encoded cert excluding the Certificate Begin and Certificate End brackets.
    ca1.cert should contain the cert cross-signed by ca2 (not the self-signed cert)
    ca2.cert should contain the self-signed cert of ca2
    
• Execute the command cd {server_root}/cert-{caid}
• Execute the command ./start-cert

Once CA1 is started, go to either the EE or or the Agent port to display the ca cert chain to see its effect.

3. Finalize setting up an FBCA

• Changing Permissions [Section XXI]
• Restart Console [Section XXII]

---

9. Create Operating System Users & Groups

The procedure below describes setting up the necessary Users and Groups to install and run CMS. This procedure is expected to be run by an operating system administrator and may require this individual to have permissions to add both users and groups to a centralized repository (e. g. - NIS).

Note that the following sample entries will be referred to throughout this document:

On a Solaris 8 machine, login to the machine as super user, and edit the /etc/group file to add the CMS setup user, cmsuser, and all of the administration users to any previously created group associated with a FIPS 140-1 level 3 hardware token. For example, nCipher tokens contain a group called nfast in the /etc/group file:

• nfast::995:cmsuser,ccadmin1

  where:

  nfast is the sample name associated with a FIPS 140-1 level 3 hardware token 995 is an example of a unique group ID number; note that this number must be unique to the system cmsuser is the sample name of the CMS setup user assigned to this nfast group ccadmin1 is the sample name of an administration user assigned to this nfast group

Additionally, add the two groups cmsadmin and cmsaudit to the /etc/group file. Add all appropriate users to these two groups (e. g. - cmsuser to cmsadmin). Remember that a user is only allowed to be a member of either the cmsadmin group or the cmsaudit group, but NOT both! Add the following entries to the end of this file:

• cmsadmin::1003:cmsuser,ccadmin1

  where:

  cmsadmin is the sample name of the administrator's group 1003 is an example of a unique group ID number; note that this number must be unique to the system cmsuser is the sample name of the CMS setup user assigned to this cmsadmin group ccadmin1 is the sample name of an administration user assigned to this cmsadmin group

• cmsaudit::1004:ccaudit1

  where:

  cmsaudit is the sample name of the auditor's group 1004 is an example of a unique group ID number; note that this number must be unique to the system ccaudit1 is the sample name of an auditor assigned to this cmsaudit group

On the same Solaris 8 machine, still logged on to the machine as super user, use the useradd program to add the cmsuser, ccadmin1, ccaudit1, and ccagent1 users to the /etc/passwd (and the /etc/shadow) files:

• useradd -g cmsadmin -m -s /sbin/sh -d /export/home/cmsuser cmsuser
  

• cp /etc/skel/local.profile /export/home/cmsuser/.profile
  

• passwd cmsuser
  New password:
  Re-enter new password:
  

  creates cmsuser:x:19000:1003::/export/home/cmsuser:/sbin/sh in the /etc/passwd file

  where:

  cmsuser is the sample name of the original CMS user used during setup x is a placeholder for the passwd stored in the /etc/shadow file 19000 is an example of a unique user ID number; note that this number must be unique to the system 1003 is an example of the primary group ID number which corresponds to the cmsadmin group above /export/home/cmsuser is the sample name specifying this user's home directory /sbin/sh is the sample name specifying this user's login shell

IMPORTANT:  It should be understood that in the event of an actual deployment, real users would actually be used instead of the following entries ccadmin1, ccaudit1, and ccagent1, and therefore the steps necessary to create them would most likely not be necessary. However, as noted earlier, the following users will be referred to throughout this document:

• useradd -g cmsadmin -m -s /sbin/sh -d /export/home/ccadmin1 ccadmin1
  

• cp /etc/skel/local.profile /export/home/ccadmin1/.profile
  

• passwd ccadmin1
  New password:
  Re-enter new password:
  

  creates ccadmin1:x:19001:1003::/export/home/ccadmin1:/sbin/sh in the /etc/passwd file

  where:

  ccadmin1 is the sample name of this CMS administration user x is a placeholder for the passwd stored in the /etc/shadow file 19001 is an example of a unique user ID number; note that this number must be unique to the system 1003 is an example of the primary group ID number which corresponds to the cmsadmin group above /export/home/ccadmin1 is the sample name specifying this user's home directory /sbin/sh is the sample name specifying this user's login shell

• useradd -g cmsaudit -m -s /sbin/sh -d /export/home/ccaudit1 ccaudit1
  

• cp /etc/skel/local.profile /export/home/ccaudit1/.profile
  

• passwd ccaudit1
  New password:
  Re-enter new password:
  

  creates ccaudit1:x:19002:1004::/export/home/ccaudit1:/sbin/sh in the /etc/passwd file

  where:

  ccaudit1 is the sample name of this CMS auditor x is a placeholder for the passwd stored in the /etc/shadow file 19002 is an example of a unique user ID number; note that this number must be unique to the system 1004 is an example of the primary group ID number which corresponds to the cmsaudit group above /export/home/ccaudit1 is the sample name specifying this user's home directory /sbin/sh is the sample name specifying this user's login shell

• useradd -m -s /sbin/sh -d /export/home/ccagent1 ccagent1
  

• cp /etc/skel/local.profile /export/home/ccagent1/.profile
  

• passwd ccagent1
  New password:
  Re-enter new password:
  

  creates ccagent1:x:19003:10::/export/home/ccagent1:/sbin/sh in the /etc/passwd file

  where:

  ccagent1 is the sample name of this CMS agent user x is a placeholder for the passwd stored in the /etc/shadow file 19003 is an example of a unique user ID number; note that this number must be unique to the system 10 is an example of the primary group ID number /export/home/ccagent1 is the sample name specifying this user's home directory /sbin/sh is the sample name specifying this user's login shell

---

10. CMS Subsystem Installation

This step will install a Configuration Directory Server instance, an Admin Server instance, and a Certificate Management System (CMS) Server instance. Before starting this step, complete the appropriate installation worksheet for the selected CMS subsystem (initially, this will be a CA instance).

• login to the machine as user cmsuser
• uncompress the compressed tar file (e. g. - /usr/bin/gunzip certificate-6.1_SP_1-domestic-us.sparc-sun-solaris8.tar.gz)
• untar the resultant tar file (e. g. - /usr/sbin/tar -xvf certificate-6.1_SP_1-domestic-us.sparc-sun-solaris8.tar)
• Create a {server_root} directory.
• Make sure to change the permissions to allow the {server_root} directory to be created and the files written in the directory. As root, issue the command: chmod 777 {server_root}
• Login as cmsuser, invoke the setup utility from the command line and supply the following information:


1. Accept the default of "Yes" to continue installation as cmsuser
2. Type "Yes" to agree to the license terms. (Default is No.)
3. Accept the default of "1" to install "Netscape servers"
4. Accept the default of "2" to choose "Typical installation"
5. Type in a {server_root} to choose a valid location for the server root
6. Accept the default of "All" to select all "Netscape Server Products"
7. Accept the default of "1,2,3" to select all "Server Core Components"
8. Accept the default of "1,2" to select both components of the "Netscape Directory Suite"
9. Accept the default of "1,2" to select both components of the "Administration Services"
10. Accept the default of "1,2" to select both components of the "Netscape Certificate Management System"
11. Accept the default "Administration Domain" to accept the fully qualified domain name for the configuration directory server
12. Accept the default of "cmsuser" to run the configuration directory server as user cmsuser and accept the default of "cmsadmin" to run the configuration directory server as group cmsadmin
13. Accept the default of "No" to create a configuration directory server
14. Accept the default of "No" to store data in the local configuration directory server
15. Type in a {configdirport} for use as a valid configuration directory server port
    (NOTE:  value must be greater than 1024 on UNIX when not installing as root)
16. Type in a {configdirid} for use as a valid configuration directory server identifier
17. Accept the default of "admin" as a valid user name, type in a {adminpwd} for this user, and verify this {adminpwd} by retyping it
18. Accept the default of {configdir_suffix} to give the configuration directory server a good suffix to work with
19. Accept the default of {configdir_dn} (e. g. - "cn=Directory Manager") as a valid configuration directory server distinguished name (DN), type in a {configdir_dn_pwd} for this user, and verify this {configdir_dn_pwd} by retyping it
20. Accept the default "hostname" to accept the fully qualified domain name for the admin server (called the administration domain)
21. Type in an {adminport} to select a valid admin server port
    (NOTE:  value must be greater than 1024 on UNIX when not installing as root)
22. Accept the default of "cmsuser" to run the admin server as user cmsuser
23. Type in either {caid}, {drmid}, {ocspid}, {raid}, or {subcaid} for use as a valid Certificate Management System Identifier (based upon the type of CMS subsystem instance)


• Once all of this information is supplied, the server should then install without any errors.
• As root, change the permissions back to the original setting by doing chmod 755 {server_root}.

---

11. Setup FIPS 140-1 Level 3 Hardware Token with CMS

1. nCipher

The following table documents an example of how to add an nFast token to the CMS database:

Action

Result

Run modutil to link the nCipher library to CMS.             Solaris:               A) cd {server_root}/ alias.               B) setenv LD_LIBRARY_PATH {server_root}/bin/cert/lib               C) ../shared/bin/modutil -dbdir . -nocertdb -create               D) ../shared/bin/modutil -dbdir . -nocertdb -add nFast -libfile                     /opt/nfast/toolkits/pkcs11/libcknfast.so               E) ../shared/bin/modutil -dbdir . -nocertdb -list

Output from modutil:  -create  WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q ' to abort, or to continue: {Ignore the warning, and just hit return to continue.)  Creating "secmod.db"...done.   -add    Module "nFast" added to database.   -list  Listing of PKCS #11 Modules -----------------------------------------------------------   1. NSS Internal PKCS #11 Module          slots: 2 slots attached         status: loaded          slot: NSS Internal Cryptographic Services Version 3.4          token: NSS Generic Crypto Services          slot: NSS User Private Key and Certificate Services          token: NSS Certificate DB   2. nFast         library name: /opt/nfast/toolkits/pkcs11/libcknfast.so          slots: 1 slot attached         status: loaded          slot: nFast         token: nFast   3. Root Certs         library name: {server_root}/alias/libnssckbi.so          slots: 1 slot attached         status: loaded          slot:          token: Builtin Object Token -----------------------------------------------------------

---

12. Configuring CMS Subsystems

1. Configuring a CA Subsystem

Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser. If no console is running, follow the directions in chapter XXII. Miscellaneous, section E. Start Console. Double click on the cert-{caid} instance to bring up the configuration wizard and follow these steps:

Console Panels for CMS CA Configuration

Panel #	Panel Title	Default Action	User Action
1	Installation Wizard Introduction		Next>
2	Installation Wizard Logon Token	Password: Password Again:	Password: {internaltokenpwd} Password Again: {internaltokenpwd} Next>
3	Installation Wizard Internal Database	Instance ID: Port number: Directory manager DN: Password: Password Again:	Instance ID: {internaldb_id} Port number: {internaldb_port} Directory manager DN: {internaldb_dn} Password: {internaldb_dn_pwd} Password Again: {internaldb_dn_pwd} Next>
4	Installation Wizard Administrator	Administrator ID: Full Name: Password: Password (again): Allow multiple roles for users - Selected	Administrator ID: {cmsadminid} Full Name: {cmsadminfullname} Password: {cmsadminpwd} Password (again): {cmsadminpwd} Allow multiple roles for users - Deselect Next>
5	Installation Wizard Subsystems	Certificate Manager - Selected	Next>
6	Installation Wizard Remote Data Recovery Manager	No - Selected	Next>
7	Installation Wizard CA's serial number range	Starting serial number: 0x1 Ending serial number: 0x	Next>
8	Installation Wizard Internal OCSP Service	Enable OCSP service. - Selected	Enable OCSP service. - Deselect Next>
9	Installation Wizard Network Configuration	SSL administration port: SSL agent port: SSL end-entity port:	SSL administration port: {caadminport} SSL agent port: {caagentport} SSL end-entity port: {caeesslport} Next>
10	Installation Wizard CA Signing Certificate	Create self-signed CA Certificate - Selected	Next>
11	Installation Wizard Key-Pair Information for Certificate Manager CA Signing Certificate	Token: "internal" Password: (greyed out) Key type: RSA Key length: 1024	Token: {hardwaretokenname} Password: {hardwaretokenpwd} Key type: {casigningkeytype} Key length: {casigningkeylen} Next>
12	Installation Wizard Message Digest Algorithm	SHA-1	Next>
13	Installation Wizard Subject Name for Certificate Manager CA Signing Certificate	Enter the values for the subject DN components:	Enter the values for the subject DN string: {casigning_subjectname} Next>
14	Installation Wizard Validity Period for Certificate Manager CA Signing Certificate		Next>
15	Installation Wizard Certificate Extensions for Certificate Manager CA Signing Certificate	Basic Constraints: CA Netscape certificate type: SSL CA, S/MIME CA, Object-signing CA Authority key identifier Subject key identifier Key usage	Next>
16	Installation Wizard Certificate Manager CA Signing Certificate Creation		Next>
17	Installation Wizard SSL Server Certificate	Sign SSL Certificate with my CA Signing Certificate - Selected	Next>
18	Installation Wizard Key-Pair Information for SSL Server Certificate	Token: "internal" Password: (greyed out) Key type: RSA Key length: 1024	Token: {hardwaretokenname} Key type: {sslkeytype} Key length: {sslkeylen} Next>
19	Installation Wizard Message Digest Algorithm	SHA-1	Next>
20	Installation Wizard Subject Name for SSL Server Certificate	Enter the values for the subject DN components:	Enter the values for the subject DN string: {ssl_subjectname} Next>
21	Installation Wizard Validity Period for SSL Server Certificate	Validity period of 2 years	Next>
22	Installation Wizard Certificate Extensions for SSL Server Certificate	Netscape certificate type: SSL Server, SSL client Authority key identifier Key usage	Next>
23	Installation Wizard SSL Server Certificate Creation		Next>
24	Installation Wizard Single Sign-on Summary	Remove password.conf after configuration - Deselected	Remove password.conf after configuration - Selected Next>
25	Installation Wizard Configuration Status		Done>




The CA server must be restarted by performing the following commands:


• Execute the command cd {server_root}/cert-{caid}.
• Execute the command ./restart-cert.

---

2. Configuring an RA Subsystem

Before configuring an RA subsystem, make sure that a CA subsytem has been configured.

Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser. If no console is running, follow the directions in chapter XXII. Miscellaneous, section E. Start Console. Double click on the cert-{raid} instance to bring up the configuration wizard and follow these steps:

Console Panels for CMS RA Configuration

Panel #	Panel Title	Default Action	User Action
1	Installation Wizard Introduction		Next>
2	Installation Wizard Logon Token	Password: Password Again:	Password: {internaltokenpwd} Password Again: {internaltokenpwd} Next>
3	Installation Wizard Internal Database	Instance ID: Port number: Directory manager DN: Password: Password Again:	Instance ID: {internaldb_id} Port number: {internaldb_port} Directory manager DN: {internaldb_dn} Password: {internaldb_dn_pwd} Password Again: {internaldb_dn_pwd} Next>
4	Installation Wizard Administrator	Administrator ID: Full Name: Password: Password (again): Allow multiple roles for users - Selected	Administrator ID: {cmsadminid} Full Name: {cmsadminfullname} Password: {cmsadminpwd} Password (again): {cmsadminpwd} Allow multiple roles for users - Deselect Next>
5	Installation Wizard Subsystems	Certificate Manager - Selected	Registration Manager - Selected Next>
6	Installation Wizard Remote Certificate Manager	Host name: Agent SSL port number:	Host name: {cahost} Agent SSL port number: {caagentport} Next>
7	Installation Wizard Remote Data Recovery Manager	No - Selected	Next>
8	Installation Wizard Network Configuration	SSL administration port: SSL agent port: SSL end-entity port: non-SSL end-entity port:	SSL administration port: {raadminport} SSL agent port: {raagentport} SSL end-entity port: {raeesslport} non-SSL end-entity port: {raeeport} Next>
9	Installation Wizard Key-Pair Information for Registration Manager Signing Certificate	Token: "internal" Password: (greyed out) Key type: RSA Key length: 1024	Token: {hardwaretokenname} Password: {hardwaretokenpwd} Key type: {rasigningkeytype} Key length: {rasigningkeylen} Next>
10	Installation Wizard Subject Name for Registration Manager Signing Certificate	Enter the values for the subject DN components:	Enter the values for the subject DN string: {rasigning_subjectname} Next>
11	Installation Wizard Certificate Extensions for Registration Manager Signing Certificate	Netscape certificate type: SSL client Authority key identifier Key usage	Next>
12	Installation Wizard Registration Manager Signing Certificate Request Creation		Next>
13	Installation Wizard Submission of Request		Save the base-64 encoded request blob onto the clipboard (i. e. - click on the "Copy to Clipboard" button). Follow the instructions located in chapter XIV. Creating and Retrieving CMS Subsystem Certificates, section B. Creating a Registration Manager Signing Certificate. Next>
14	Installation Wizard Registration Manager Signing Certificate Installation	Yes	Next>
15	Installation Wizard Location of the Certificate	The certificate is located in this file:	Click on the radio button entitled "The certificate is located in the text area below:" Click on the "Paste from Clipboard" button to copy the base-64 encoded certificate into the text area. Next>
16	Installation Wizard Certificate Details		Next>
17	Installation Wizard Key-Pair Information for SSL Server Certificate	Token: "internal" Password: (greyed out) Key type: RSA Key length: 1024	Token: {hardwaretokenname} Key type: {sslkeytype} Key length: {sslkeylen} Next>
18	Installation Wizard Subject Name for SSL Server Certificate	Enter the values for the subject DN components:	Enter the values for the subject DN string: {ssl_subjectname} Next>
19	Installation Wizard Certificate Extensions for SSL Server Certificate	Netscape certificate type: SSL Server, SSL client Authority key identifier Key usage	Next>
20	Installation Wizard SSL Server Certificate Request Creation	Generate PKCS10 request.	Next>
21	Installation Wizard Submission of Request		Save the base-64 encoded request blob onto the clipboard (i. e. - click on the "Copy to Clipboard" button). Follow the instructions located in chapter XIV. Creating and Retrieving CMS Subsystem Certificates, section C. Creating an SSL Server Certificate. Next>
22	Installation Wizard SSL Server Certificate Installation	Yes	Next>
23	Installation Wizard Location of the Certificate	The certificate is located in this file:	Click on the radio button entitled "The certificate is located in the text area below:" Click on the "Paste from Clipboard" button to copy the base-64 encoded certificate into the text area. Next>
24	Installation Wizard Certificate Details		Next>
25	Installation Wizard Single Sign-on Summary	Remove password.conf after configuration - Deselected	Remove password.conf after configuration - Selected Next>
26	Installation Wizard Configuration Status		Done>




The RA server must be restarted by performing the following commands:


• Execute the command cd {server_root}/cert-{raid}.
• Execute the command ./restart-cert.

---

3. Configuring a DRM Subsystem

Before configuring a DRM subsystem, make sure that a CA subsytem has been configured.

Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser. If no console is running, follow the directions in chapter XXII. Miscellaneous, section E. Start Console. Double click on the cert-{drmid} instance to bring up the configuration wizard and follow these steps:

Console Panels for CMS DRM Configuration

Panel #	Panel Title	Default Action	User Action
1	Installation Wizard Introduction		Next>
2	Installation Wizard Logon Token	Password: Password Again:	Password: {internaltokenpwd} Password Again: {internaltokenpwd} Next>
3	Installation Wizard Internal Database	Instance ID: Port number: Directory manager DN: Password: Password Again:	Instance ID: {internaldb_id} Port number: {internaldb_port} Directory manager DN: {internaldb_dn} Password: {internaldb_dn_pwd} Password Again: {internaldb_dn_pwd} Next>
4	Installation Wizard Administrator	Administrator ID: Full Name: Password: Password (again): Allow multiple roles for users - Selected	Administrator ID: {cmsadminid} Full Name: {cmsadminfullname} Password: {cmsadminpwd} Password (again): {cmsadminpwd} Allow multiple roles for users - Deselect Next>
5	Installation Wizard Subsystems	Certificate Manager - Selected	Data Recovery Manager - Selected Next>
6	Installation Wizard Network Configuration	SSL administration port: SSL agent port:	SSL administration port: {drmadminport} SSL agent port: {drmagentport} Next>
7	Installation Wizard Key-Pair Information for Data Recovery Manager Transport Certificate	Token: "internal" Password: (greyed out) Key type: RSA Key length: 1024	Token: {hardwaretokenname} Password: {hardwaretokenpwd} Key type: {drmtransportkeytype} Key length: {drmtransportkeylen} Next>
8	Installation Wizard Subject Name for Data Recovery Manager Transport Certificate	Enter the values for the subject DN components:	Enter the values for the subject DN string: {drmtransport_subjectname} Next>
9	Installation Wizard Certificate Extensions for Data Recovery Manager Transport Certificate	Authority key identifier Key usage	Next>
10	Installation Wizard Data Recovery Manager Transport Certificate Request Creation		Next>
11	Installation Wizard Submission of Request		Save the base-64 encoded request blob onto the clipboard (i. e. - click on the "Copy to Clipboard" button). Follow the instructions located in chapter XIV. Creating and Retrieving CMS Subsystem Certificates, section D. Creating a Data Recovery Transport Certificate. Next>
12	Installation Wizard Data Recovery Manager Transport Certificate Installation	Yes	Next>
13	Installation Wizard Location of the Certificate	The certificate is located in this file:	Click on the radio button entitled "The certificate is located in the text area below:" Click on the "Paste from Clipboard" button to copy the base-64 encoded certificate into the text area. Next>
14	Installation Wizard Certificate Details		Next>
15	Installation Wizard Storage Key Creation for Data Recovery Manager	Token: "internal" Password: (greyed out) Key length: 1024	Token: {hardwaretokenname2} Password: {hardwaretokenpwd2} Key length: {drmstoragekeylen} Next>
16	Installation Wizard Data Recovery Key Scheme - 1	Number of recovery agents required: 2 Total number of recovery agents: 3	Number of recovery agents required: {numrequiredrecoveryagents} Total number of recovery agents: {numrecoveryagents} Next>
17	Installation Wizard Data Recovery Key Scheme - 2	Table of UID/password pairs	Use the values from the DRM Installation Worksheet for: {recoveryagent[i]id} {recoveryagent[i]pwd} {recoveryagent[i]pwd} where [i] is all required recovery agents up to {numrequiredrecoveryagents} Next>
18	Installation Wizard Key-Pair Information for SSL Server Certificate	Token: "internal" Password: (greyed out) Key type: RSA Key length: 1024	Token: {hardwaretokenname} Key type: {sslkeytype} Key length: {sslkeylen} Next>
19	Installation Wizard Subject Name for SSL Server Certificate	Enter the values for the subject DN components:	Enter the values for the subject DN string: {ssl_subjectname} Next>
20	Installation Wizard Certificate Extensions for SSL Server Certificate	Netscape certificate type: SSL Server, SSL client Authority key identifier Key usage	Next>
21	Installation Wizard SSL Server Certificate Request Creation	Generate PKCS10 request.	Next>
22	Installation Wizard Submission of Request		Save the base-64 encoded request blob onto the clipboard (i. e. - click on the "Copy to Clipboard" button). Follow the instructions located in chapter XIV. Creating and Retrieving CMS Subsystem Certificates, section C. Creating an SSL Server Certificate. Next>
23	Installation Wizard SSL Server Certificate Installation	Yes	Next>
24	Installation Wizard Location of the Certificate	The certificate is located in this file:	Click on the radio button entitled "The certificate is located in the text area below:" Click on the "Paste from Clipboard" button to copy the base-64 encoded certificate into the text area. Next>
25	Installation Wizard Certificate Details		Next>
26	Installation Wizard Single Sign-on Summary	Remove password.conf after configuration - Deselected	Remove password.conf after configuration - Selected Next>
27	Installation Wizard Configuration Status		Done>




The DRM server must be restarted by performing the following commands:


• As cmsuser, execute the command cd {server_root}/cert-{drmid}.
• Execute the command ./restart-cert.

---

4. Configuring an OCSP Responder Subsystem

Before configuring an OCSP Responder subsystem, make sure that a CA subsytem has been configured.

Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser. If no console is running, follow the directions in chapter XXII. Miscellaneous, section E. Start Console. Double click on the cert-{ocspid} instance to bring up the configuration wizard and follow these steps:

Console Panels for CMS OCSP Configuration

Panel #	Panel Title	Default Action	User Action
1	Installation Wizard Introduction		Next>
2	Installation Wizard Logon Token	Password: Password Again:	Password: {internaltokenpwd} Password Again: {internaltokenpwd} Next>
3	Installation Wizard Internal Database	Instance ID: Port number: Directory manager DN: Password: Password Again:	Instance ID: {internaldb_id} Port number: {internaldb_port} Directory manager DN: {internaldb_dn} Password: {internaldb_dn_pwd} Password Again: {internaldb_dn_pwd} Next>
4	Installation Wizard Administrator	Administrator ID: Full Name: Password: Password (again): Allow multiple roles for users - Selected	Administrator ID: {cmsadminid} Full Name: {cmsadminfullname} Password: {cmsadminpwd} Password (again): {cmsadminpwd} Allow multiple roles for users - Deselect Next>
5	Installation Wizard Subsystems	Certificate Manager - Selected	Online Certificate Status Manager - Selected Next>
6	Installation Wizard Network Configuration	SSL administration port: SSL agent port: SSL end-entity port: non-SSL end-entity port:	SSL administration port: {ocspadminport} SSL agent port: {ocspagentport} SSL end-entity port: {ocspeesslport} non-SSL end-entity port: {ocspeeport} Next>
7	Installation Wizard Key-Pair Information for Online Certificate Status Manager Signing Certificate	Token: "internal" Password: (greyed out) Key type: RSA Key length: 1024	Token: {hardwaretokenname} Password: {hardwaretokenpwd} Key type: {ocspsigningkeytype} Key length: {ocspsigningkeylen} Next>
8	Installation Wizard Subject Name for Online Certificate Status Manager Signing Certificate	Enter the values for the subject DN components:	Enter the values for the subject DN string: {ocspsigning_subjectname} Next>
9	Installation Wizard Online Certificate Status Manager Signing Certificate Request Creation		Next>
10	Installation Wizard Submission of Request		Save the base-64 encoded request blob onto the clipboard (i. e. - click on the "Copy to Clipboard" button). Follow the instructions located in chapter XIV. Creating and Retrieving CMS Subsystem Certificates, section E. Creating an Online Certificate Status Manager Signing Certificate . Next>
11	Installation Wizard Online Certificate Status Manager Signing Certificate Installation	Yes	Next>
12	Installation Wizard Location of the Certificate	The certificate is located in this file:	Click on the radio button entitled "The certificate is located in the text area below:" Click on the "Paste from Clipboard" button to copy the base-64 encoded certificate into the text area. Next>
13	Installation Wizard Certificate Details		Next>
14	Installation Wizard Key-Pair Information for SSL Server Certificate	Token: "internal" Password: (greyed out) Key type: RSA Key length: 1024	Token: {hardwaretokenname} Key type: {sslkeytype} Key length: {sslkeylen} Next>
15	Installation Wizard Subject Name for SSL Server Certificate	Enter the values for the subject DN components:	Enter the values for the subject DN string: {ssl_subjectname} Next>
16	Installation Wizard Certificate Extensions for SSL Server Certificate	Netscape certificate type: SSL Server, SSL client Authority key identifier Key usage	Next>
17	Installation Wizard SSL Server Certificate Request Creation	Generate PKCS10 request.	Next>
18	Installation Wizard Submission of Request		Save the base-64 encoded request blob onto the clipboard (i. e. - click on the "Copy to Clipboard" button). Follow the instructions located in chapter XIV. Creating and Retrieving CMS Subsystem Certificates, section C. Creating an SSL Server Certificate. Next>
19	Installation Wizard SSL Server Certificate Installation	Yes	Next>
20	Installation Wizard Location of the Certificate	The certificate is located in this file:	Click on the radio button entitled "The certificate is located in the text area below:" Click on the "Paste from Clipboard" button to copy the base-64 encoded certificate into the text area. Next>
21	Installation Wizard Certificate Details		Next>
22	Installation Wizard Single Sign-on Summary	Remove password.conf after configuration - Deselected	Remove password.conf after configuration - Selected Next>
23	Installation Wizard Configuration Status		Done>




The OCSP Responder server must be restarted by performing the following commands:


• Execute the command cd {server_root}/cert-{ocspid}.
• Execute the command ./restart-cert.

---

5. Configure a Subordinate CA Subsystem

Before configuring a Subordinate CA subsystem, make sure that a CA subsytem has been configured.

Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser. If no console is running, follow the directions in chapter XXII. Miscellaneous, section E. Start Console. Double click on the cert-{subcaid} instance to bring up the configuration wizard and follow these steps:

Console Panels for CMS Subordinate CA Configuration

Panel #	Panel Title	Default Action	User Action
1	Installation Wizard Introduction		Next>
2	Installation Wizard Logon Token	Password: Password Again:	Password: {internaltokenpwd} Password Again: {internaltokenpwd} Next>
3	Installation Wizard Internal Database	Instance ID: Port number: Directory manager DN: Password: Password Again:	Instance ID: {internaldb_id} Port number: {internaldb_port} Directory manager DN: {internaldb_dn} Password: {internaldb_dn_pwd} Password Again: {internaldb_dn_pwd} Next>
4	Installation Wizard Administrator	Administrator ID: Full Name: Password: Password (again): Allow multiple roles for users - Selected	Administrator ID: {cmsadminid} Full Name: {cmsadminfullname} Password: {cmsadminpwd} Password (again): {cmsadminpwd} Allow multiple roles for users - Deselect Next>
5	Installation Wizard Subsystems	Certificate Manager - Selected	Next>
6	Installation Wizard Remote Data Recovery Manager	No - Selected	Next>
7	Installation Wizard CA's serial number range	Starting serial number: 0x1 Ending serial number: 0x	Next>
8	Installation Wizard Internal OCSP Service	Enable OCSP service. - Selected	Enable OCSP service. - Deselect Next>
9	Installation Wizard Network Configuration	SSL administration port: SSL agent port: SSL end-entity port:	SSL administration port: {subcaadminport} SSL agent port: {subcaagentport} SSL end-entity port: {subcaeesslport} Next>
10	Installation Wizard CA Signing Certificate	Create self-signed CA Certificate	Create subordinate CA Certificate Request Next>
11	Installation Wizard Key-Pair Information for Certificate Manager CA Signing Certificate	Token: "internal" Password: (greyed out) Key type: RSA Key length: 1024	Token: {hardwaretokenname} Password: {hardwaretokenpwd} Key type: {subcasigningkeytype} Key length: {subcasigningkeylen} Next>
12	Installation Wizard Subject Name for Certificate Manager CA Signing Certificate	Enter the values for the subject DN components:	Enter the values for the subject DN string: {subcasigning_subjectname} Next>
13	Installation Wizard Certificate Extensions for Certificate Manager CA Signing Certificate	Basic Constraints: CA Netscape certificate type: SSL CA, S/MIME CA, Object signing CA Authority key identifier Subject key identifier Key usage	Next>
14	Installation Wizard CA Signing Certificate Request Creation	Generate PKCS10 request	Next>
15	Installation Wizard Submission of Request		Save the base-64 encoded request blob onto the clipboard (i. e. - click on the "Copy to Clipboard" button). Follow the instructions located in chapter XIV. Creating and Retrieving CMS Subsystem Certificates, section A. Creating a Certificate Manager Signing Certificate. Next>
16	Installation Wizard CA Signing Certificate Installation	Yes	Next>
17	Installation Wizard Location of the Certificate	The certificate is located in this file:	Click on the radio button entitled "The certificate is located in the text area below:" Click on the "Paste from Clipboard" button to copy the base-64 encoded certificate into the text area. Next>
18	Installation Wizard Certificate Details		Next>
19	Installation Wizard SSL Server Certificate	Sign SSL Certificate with my CA Signing Certificate	Next>
20	Installation Wizard Key-Pair Information for SSL Server Certificate	Token: "internal" Password: (greyed out) Key type: RSA Key length: 1024	Token: {hardwaretokenname} Key type: {sslkeytype} Key length: {sslkeylen} Next>
21	Installation Wizard Message Digest Algorithm		Next>
22	Installation Wizard Subject Name for SSL Server Certificate	Enter the values for the subject DN components:	Enter the values for the subject DN string: {ssl_subjectname} Next>
23	Installation Wizard Validity Period for SSL Server Certificate		Next>
24	Installation Wizard Certificate Extensions for SSL Server Certificate	Netscape certificate type: SSL Server, SSL client Authority key identifier Key usage	Next>
25	Installation Wizard SSL Server Certificate Creation		Next>
26	Installation Wizard Single Sign-on Summary	Remove password.conf after configuration - Deselected	Remove password.conf after configuration - Selected Next>
27	Installation Wizard Configuration Status		Done>




The Subordinate CA server must be restarted by performing the following commands:


• Execute the command cd {server_root}/cert-{subcaid}.
• Execute the command ./restart-cert.

---

13. Setting Up an Agent

1. Setup a CA Agent

1. Create a CA agent in the console:
1. To setup an agent, open up the console as an administrator, and select the desired CMS instance from the left-hand panel.
2. Click the Open button on the right-hand panel.
3. Type in {cmsadminid} and {cmsadminpwd} in the authentication dialog box.
4. Click OK and the CMS console appears.
5. Click on the configuration tab and select "Users and Groups" on the left-hand panel.
6. Click on the Users tab on the right-hand panel.
7. Click the "Add" button to bring up the dialog box entitled "Edit User Information".
8. Fill in the following fields:
   
   
   User ID: {caagentid}
   Full Name: CA agent's full name
   Password: {caagentpwd}
   Confirm Password: {caagentpwd}
   Group: Certificate Manager Agents
   
   (NOTE:  It is recommended to use the operating system UID.)
   
   
9. Click OK to save the information and dismiss the "Edit User Information" dialog box.
2. Get a CA agent certificate from the browser:
1. From a client machine start the browser.
2. As a CA agent, type the following in the URL field of a browser:
   
   
   https://{cahost}:{caadminport}/ca/adminEnroll.html
   
   
3. In the Agent Certificate Enrollment form, enroll for the agent's certificate as the CA subsystem's first privileged user by typing in {caagentid} as the User ID and {caagentpwd} as the password that was entered while creating the agent user in the console.
4. Click Submit.
5. Follow the instructions presented by the browser as it generates a key pair.
6. If authentication is successful, the new agent certificate will be imported into the browser.
7. Finally, click the agent page link to go the CA agent page.
3. To use specific TOE maintenance tools which exist in the {server_root}/bin/cert/tools directory, CA agents may require their own personal security databases (i. e. - cert8.db, and key3.db, and secmod.db) to be located in their home directories. For the actual usage of TOE maintenance tools such as CMCEnroll, CMCRevoke, and bulkissuance, please refer to the "Command-Line Tools Guide".

2. Setup a DRM, an OCSP Responder, or an RA Agent

1. Get an agent certificate for ccagent1 from the browser by performing the following steps:
1. Follow the procedure in chapter XXII. Miscellaneous, section M.4. Determine and Set UID to ccagent1.
2. Start the browser, and go to the CA end-entity page by typing https://{cahost}:{caeesslport}.
3. Click on the Enrollment tab.
4. Select "List Certificate Profiles" on the left-hand panel.
5. Select "Manual User Dual-Use Certificate Enrollment".
6. Fill in the information for UID and Common Name fields.

For DRM agent:

UID=drmAgent
Common Name=drmAgent


For OCSP agent:

UID=ocspAgent
Common Name=ocspAgent


For RA agent:

UID=raAgent
Common Name=raAgent



7. Click submit.
8. If ccagent1 hasnt logon the cert8.db, password dialog box will be prompted. Enter the password for the ccagent1's cert8.db in the browser.
9. As the CA agent, perform the following steps to approve the request:
1. Go to the CA agent page by typing https://{cahost}:{caagentport}.
2. Select "List Requests" on the left-hand panel.
3. Enter the request id in the textfield on the right-hand panel.
4. Click the "Find" button and the "Request Queue" page will appear.
5. Find the request id, click the corresponding "Details" button, and the complete "Request" page will appear.
6. Click the "submit" button at the bottom of the page.
7. The pretty print of the certificate should appear.
8. Write down the serial number of the certificate: _________________________________.
10. Once again, as {ccagent1}, clicks on the Retrieval tab.
11. Click "List Certificates" on the left-hand panel.
12. Enter the serial number in the "Lowest serial number" field, and click the "Find" button.
13. Search for the serial number and click the corresponding "Details" button.
14. The certificate content page will appear.
15. (IMPORTANT:  Be sure NOT to skip this step!)
    Import the certificate to the browser by clicking the "Import Your Certificate" button at the bottom of the page.
16. There are two base-64 encoded certificates in the page; copy the first base-64 encoded blob including the header and footer to the clipboard.
2. Create an agent in the console:
1. Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser.
2. To setup an agent, open up the console as cmsuser, and select the desired CMS instance from the left-hand panel.
3. Click the Open button on the right-hand panel.
4. Type in {cmsadminid} and {cmsadminpwd} in the authentication dialog box.
5. Click OK.
6. CMS console appears.
7. Click on the configuration tab and select "Users and Groups" on the left-hand panel.
8. Click on the Users tab on the right-hand panel.
9. Click the "Add" button to bring up the dialog box entitled "Edit User Information".
10. If this is an RA, fill in the following fields:
    
    
    User ID: {raagentid}
    Full Name: RA agent's full name
    Password: {raagentpwd}
    Confirm Password: {raagentpwd}
    Group: Registration Manager Agents
    
    
    
11. If this is a DRM, fill in the following fields:
    
    
    User ID: {drmagentid}
    Full Name: DRM agent's full name
    Password: {drmagentpwd}
    Confirm Password: {drmagentpwd}
    Group: Data Recovery Manager Agents
    
    
    
12. If this is an OCSP Responder, fill in the following fields:
    
    
    User ID: {ocspagentid}
    Full Name: OCSP Responder agent's full name
    Password: {ocspagentpwd}
    Confirm Password: {ocspagentpwd}
    Group: Online Certificate Status Manager Agents
    
    
    
13. Click OK to save the information and dismiss the "Edit User Information" dialog box.
14. Select the agent entry from the list and click the "Certificates" button.
15. The dialog box entitiled "Manage User Certificates" appears.
16. Click the "Import" button in the dialog box.
17. The dialog box entitled "Import Certificate" appears.
18. In this dialog box, click "Paste from the clipboard" button, and the administrator certificate appears in the text area.
19. Click OK to dismiss the "Import Certificate" dialog box.
20. Finally, click the "Done" button to dismiss the "Manage User Certificates" dialog box.

---

14. Creating and Retrieving CMS Subsystem Certificates

1. Creating a Certificate Manager Signing Certificate

1. Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser.
1. Start a browser and go to the CA EE page by typing https://{cahost}:{caeesslport}:
2. Click on the Enrollment tab
3. Select "List Certificate Profiles" on the left-hand panel.
4. Select "Manual Certificate Manager Signing Certificate Enrollment".
5. Paste the base-64 encoded Certificate Manager signing certificate request from the clipboard into the text area.
6. Click Submit.
7. The resultant page will display the request id.
8. Write down the request id: _________________________________.
2. Follow the procedure in chapter XXII. Miscellaneous, section M.4. Determine and Set UID to ccagent1.
1. Start a browser and go to the CA agent page by typing https://{cahost}:{caagentport}:
2. Select "List Requests" on the left-hand panel.
3. Enter the request id in the textfield on the right-hand panel.
4. Click the "Find" button, and the "Request Queue" page will appear.
5. Find the request id, click the corresponding "Details" button, and the complete "Request" page will appear.
6. Scroll down and search for "Basic Constraints Extension".
7. Change the "Path Length" field from -2 to -1.
8. Then click the "submit" button at the bottom of the page.
9. The pretty print of the certificate should appear.
10. Write down the serial number of the certificate: _________________________________.
3. Using the same browser opened in step 1 of this procedure:
1. Once again, click on the "Retrieval" tab in the browser.
2. Click "List Certificates" on the left-hand panel.
3. Enter the serial number in the "Lowest serial number" field, and click the "Find" button.
4. Search for the serial number and click the corresponding "Details" button.
5. The certificate content page will appear.
6. There are two base-64 encoded certificates in the page; highlight the second one which is in PKCS7 format and perform the following:
   
   • From the top level menu of the browser, select the "Edit" menu item, and select the "Copy" command from the pull down menu to copy the certificate to the clipboard.



2. Creating a Registration Manager Signing Certificate

1. Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser.
1. Start a browser and go to the CA EE page by typing https://{cahost}:{caeesslport}:
2. Click on the Enrollment tab.
3. Select "List Certificate Profiles" on the left-hand panel.
4. Select "Manual Registration Manager Signing Certificate Enrollment".
5. Paste the base-64 encoded Registration Manager signing certificate request from the clipboard into the text area.
6. Click Submit.
7. The resultant page will display the request id.
8. Write down the request id: _________________________________.
2. Follow the procedure in chapter XXII. Miscellaneous, section M.4. Determine and Set UID to ccagent1.
1. Start a browser and go to the CA agent page by typing https://{cahost}:{caagentport}:
2. Select "List Requests" on the left-hand panel.
3. Enter the request id in the textfield on the right-hand panel.
4. Click the "Find" button and the "Request Queue" page will appear.
5. Find the request id, click the corresponding "Details" button, and the complete "Request" page will appear.
6. Click the "submit" button at the bottom of the page.
7. The pretty print of the certificate should appear.
8. Write down the serial number of the certificate: _________________________________.
3. Using the same browser opened in step 1 of this procedure:
1. Once again, click on the "Retrieval" tab in the browser.
2. Click "List Certificates" on the left-hand panel.
3. Enter the serial number in the "Lowest serial number" field, and click the "Find" button.
4. Search for the serial number and click the corresponding "Details" button.
5. The certificate content page will appear.
6. There are two base-64 encoded certificates in the page; highlight the second one which is in PKCS7 format and perform the following:
   
   • From the top level menu of the browser, select the "Edit" menu item, and select the "Copy" command from the pull down menu to copy the certificate to the clipboard.



3. Creating an SSL Server Certificate

1. Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser.
1. Start a browser and go to the CA EE page by typing https://{cahost}:{caeesslport}:
2. Click on the Enrollment tab.
3. Select "List Certificate Profiles" on the left-hand panel.
4. Select "Manual Server Certificate Enrollment".
5. Paste the base-64 encoded SSL server certificate from the clipboard into the text area.
6. Click Submit.
7. The resultant page will display the request id.
8. Write down the request id: _________________________________.
2. Follow the procedure in chapter XXII. Miscellaneous, section M.4. Determine and Set UID to ccagent1.
1. Start a browser and go to the CA agent page by typing https://{cahost}:{caagentport}:
2. Select "List Requests" on the left-hand panel.
3. Enter the request id in the textfield on the right-hand panel.
4. Click the "Find" button, and the "Request Queue" page will appear.
5. Find the request id, click the corresponding "Details" button, and the complete "Request" page will appear.
6. Click the "submit" button at the bottom of the page.
7. The pretty print of the certificate should appear.
8. Write down the serial number of the certificate: _________________________________.
3. Using the same browser opened in step 1 of this procedure:
1. Once again, click on the "Retrieval" tab in the browser.
2. Click "List Certificates" on the left-hand panel.
3. Enter the serial number in the "Lowest serial number" field, and click the "Find" button.
4. Search for the serial number and click the corresponding "Details" button.
5. The certificate content page will appear.
6. There are two base-64 encoded certificates in the page; highlight the second one which is in PKCS7 format and perform the following:
   
   • From the top level menu of the browser, select the "Edit" menu item, and select the "Copy" command from the pull down menu to copy the certificate to the clipboard.



4. Creating a Data Recovery Transport Certificate

1. Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser.
1. Start a browser and go to the CA EE page by typing https://{cahost}:{caeesslport}:
2. Click on Enrollment tab.
3. Select "List Certificate Profiles" on the left-hand panel.
4. Select "Manual Data Recovery Manager Transport Certificate Enrollment".
5. Paste the base-64 encoded Data Recovery Manager Transport certificate from the clipboard into the text area.
6. Click Submit.
7. The resultant page will display the request id.
8. Write down the request id: _________________________________.
2. Follow the procedure in chapter XXII. Miscellaneous, section M.4. Determine and Set UID to ccagent1.
1. Start a browser and go to the CA agent page by typing https://{cahost}:{caagentport}:
2. Select "List Requests" on the left-hand panel.
3. Enter the request id in the textfield on the right-hand panel.
4. Click the "Find" button, and the "Request Queue" page will appear.
5. Find the request id, click the corresponding "Details" button, and the complete "Request" page will appear.
6. Click the "submit" button at the bottom of the page.
7. The pretty print of the certificate should then appear.
8. Write down the serial number of the certificate: _________________________________.
3. Using the same browser opened in step 1 of this procedure:
1. Once again, click on the "Retrieval" tab in the browser.
2. Click "List Certificates" on the left-hand panel.
3. Enter the serial number in the "Lowest serial number" field, and click the "Find" button.
4. Search for the serial number and click the corresponding "Details" button.
5. The certificate content page will appear.
6. There are two base-64 encoded certificates in the page; highlight the second one which is in PKCS7 format and perform the following:
   
   • From the top level menu of the browser, select the "Edit" menu item, and select the "Copy" command from the pull down menu to copy the certificate to the clipboard.



5. Creating an Online Certificate Status Manager Signing Certificate

1. Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser.
1. Start a browser and go to the CA EE page by typing https://{cahost}:{caeesslport}:
2. Click on the Enrollment tab.
3. Select "List Certificate Profiles" on the left-hand panel.
4. Select "Manual OCSP Manager Signing Certificate Enrollment".
5. Paste the base-64 encoded OCSP Manager Signing certificate from the clipboard into the text area.
6. Click Submit.
7. The resultant page will display the request id.
8. Write down the request id: _________________________________.
2. Follow the procedure in chapter XXII. Miscellaneous, section M.4. Determine and Set UID to ccagent1.
1. Start a browser and go to the CA agent page by typing https://{cahost}:{caagentport}:
2. Select "List Requests" on the left-hand panel.
3. Enter the request id in the textfield on the right-hand panel.
4. Click the "Find" button, and the "Request Queue" page will appear.
5. Find the request id, and click the corresponding "Details" button.
6. The complete "Request" page will appear.
7. Click the "submit" button at the bottom of the page.
8. The pretty print of the certificate should then appear.
9. Write down the serial number of the certificate: _________________________________.
3. Using the same browser opened in step 1 of this procedure:
1. Once again, click on the "Retrieval" tab in the browser.
2. Click "List Certificates" on the left-hand panel.
3. Enter the serial number in the "Lowest serial number" field, and click the "Find" button.
4. Search for the serial number, and click the corresponding "Details" button.
5. The certificate content page will appear.
6. There are two base-64 encoded certificates in the page; highlight the second one which is in PKCS7 format and perform the following:
   
   • From the top level menu of the browser, select the "Edit" menu item, and select the "Copy" command from the pull down menu to copy the certificate to the clipboard.



---

15. Setting Up a Trusted Manager

1. Setting Up a CA as a Trusted Manager in the DRM Subsystem

1. Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser.
2. Start a browser and go to the CA EE page by typing https://{cahost}:{caeesslport}.
3. Click the retrieval tab, and click List Certificates on the left-hand side.
4. Click Find button.
5. Search for the certificate with serial number 0x3. Check the Subject name if it matches with the {ssl_subjectname} in CA subsystem.
6. If it matches, then click the corresponding Details button for this certificate.
7. Copy the first base-64 encoded certificate including the footer and header to the clipboard.
8. If no console is running, follow the directions in chapter XXII. Miscellaneous, section E. Start Console. Double click on the cert-{drmid} instance to bring up the DRM console.
9. Click Configuration tab and select Users and Groups on the left-hand side.
10. Click "Add" button to add a new user. The dialog box entitled "Edit User Information" appears. Fill in the following information:
    • User ID: CATrustedManager
    • Full Name: CATrustedManager
    • Password: password
    • Confirm Password: password
    • Group: Trusted Managers
11. Then click OK to dismiss the "Edit User Information" dialog box.
12. Select the "CATrustedManager" from the list and click "Certificates" button. The dialog box entitled "Manage User Certificates" appears.
13. Click "Import" button and the dialog box entitled "Import Certificate" appears.
14. Click "Paste from Clipboard" button to paste the certificate.
15. Click Done to exit the "Import Certificate" dialog box.
16. Click "Done" button to exit the "Manage User Certificate" dialog box.

2. Setting Up an RA as a Trusted Manager in the CA subsystem

1. Follow the procedure in chapter XXII. Miscellaneous, section M.1. Determine and Set UID to cmsuser.
2. Start a browser and go to the CA EE page by typing https://{cahost}:{caeesslport}:
3. Click the retrieval tab, and click List Certificates on the left-hand side.
4. Enter the serial number marked down in chapter XIV. Creating and Retrieving CMS Subsystem Certificates, section B.2.h Creating a Registration Manager Signing Certificate in the "Lowest serial number" field and click the "Submit" button.
5. Click Details button in the first certificate of the list.
6. Copy the first base-64 encoded certificate to the clipboard.
7. If no console is running, follow the directions in chapter XXII. Miscellaneous, section E. Start Console. Double click on the cert-{caid} instance to bring up the CA console.
8. Click Configuration tab and select Users and Groups on the left-hand side.
9. Click "Add" button to add a new user. The dialog box entitled "Edit User Information" appears. Fill in the following information:
   • User ID: RATrustedManager
   • Full Name: RATrustedManager
   • Password: password
   • Confirm Password: password
   • Group: Trusted Managers
10. Then click OK to dismiss the "Edit User Information" dialog box.
11. Select the "RATrustedManager" from the list and click "Certificates" button. The dialog box entitled "Manage User Certificates" appears.
12. Click "Import" button and the dialog box entitled "Import Certificate" appears.
13. Click "Paste from Clipboard" button to paste the certificate.
14. Click Done to exit the "Import Certificate" dialog box.
15. Click "Done" button to exit the "Manage User Certificate" dialog box.

---

16. SignedAudit

1. Signed Audit Setup

1. Request a Certificate
1. If no CMS console is open, follow the directions in chapter XXII. Miscellaneous, section N. Invoking Certificate Setup Wizard, and request a certificate:
2. Select the "Request for a certificate" radio button. Click next.
3. On the Certificate Selection screen, select Others from the combobox, and in the certificate type box, type "signedAudit". Click next.
4. In the Certificate Request for Log and CRL Signing Certificate panel, click the "Create New Key Pair" radio button, and then select {hardwaretokenname} in the "Token:" combobox, and accept the default key type and key length. Click next.
5. In the Subject Name for Log and CRL Signing Certificate panel, specify the subject name for the certificate. (e. g. - cn=[{caid},{subcaid},{drmid},{ocspid},{raid}]SignedAudit,ou=netscape,o=aol,c=US) Click next. Click next
6. Click the "Copy to Clipboard" button. Click next.
7. Click done to exit the Certificate Setup Wizard.
2. Certificate Enrollment
1. Follow the procedure in chapter XXII. Miscellaneous, section O. Creating a Signed Audit Certificate.
3. Install Certificate
1. Go back to the Certificate Setup Wizard.
2. In the "Type of Operation" panel, select the "Install a Certificate" radio button. Click next.
3. In the "Certificate Selection" panel, select "Other Certificates" from the combobox. Click next.
4. In the "Location of Certificate" panel, click "The certificate is located in the text area below:" radio button. Click the "Paste from Clipboard" button. Click next.
5. (IMPORTANT:  Be sure NOT to skip this step!)
   In the "Certificate Details" panel, enter [{caid},{subcaid},{drmid},{ocspid},{raid}]SignedAudit as the nickname of the certificate. Click next.
6. Click done to exit the Certificate Setup Wizard.
4. Setup Signed Audit using CMS Console
1. Click on the Configuration Tab in CMS Console.
2. Click on Log on the left-hand side of the panel.
3. Select Signed Audit on the right-hand side of the panel.
4. Click on Edit/View.
• Set enable: true.
• Set logSigning: true.
• Set signedAuditCertNickname: {hardwaretokenname}:[{caid},{subcaid},{drmid},{ocspid},{raid}]SignedAudit.
• Click on OK.
5. After completing this step, the following lines in the file {server_root}/cert-[{caid},{raid},{ocspid},{subcaid},{drmid}]/config/CMS.cfg should read:
   
   
   log.instance.SignedAudit.enabled=true
   log.instance.SignedAudit.signedAuditCertNickname=nFast:[{caid},{subcaid},{drmid},{ocspid},{raid}]SignedAudit.
   log.instance.SignedAudit.logSigning=true
   
   
5. Restart CMS subsystem.

---

17. Setup SSL Client Authentication between CMS and Internal Database

1. Setup SSL Client Authentication in an Internal DB

1. Select the internal database {internaldb_id} to configure for SSL under the Server Group on the left hand panel of the Admin Console. If the {internaldb_id} is not found, then do the following:
• Click "View" from the top of the admin console menu.
• Click Refresh in the pull down menu.
• Double click the node for the domain name on the left hand panel.
• Double click the node for the Server Group.
• The internal database {internaldb_id} should be under the Server Group.
• Select the internal database {internaldb_id} instance.
2. Click "Open" button on the right hand panel to open internal database console.
3. Click on Task Tab and click on Manage Certificates button. Type in the {internaldb_hardwaretokenpwd} if prompted. The wizard appears.
1. In the "Set Security Device Password", type in the {internaldb_tokenpwd} as internal token password and click next.
2. In the "Manage Certificates" dialog box, select {internaldb_hardwaretokenname} from the combobox. Click on "Server Certs" tab to add the SSL server certificate to the internal database.
1. Click Request button to make a request for a SSL server Certificate. The Certificate Request Wizard appears.
• Click Next to request certificate manually.
• Type in {internaldb_sslsubjectname} as the subject name for the requestor information. Make sure to have State/province information and Click Next.
• Type in {internaldb_hardwaretokenpwd} as token password and click Next.
• Click the "Copy to Clipboard" button to save the certificate request to the clipboard.
• Follow the procedure in chapter XXII. Miscellaneous, section P. Creating an SSL Server Certificate for Directory Server to create the SSL server certificate.
• Click Done.
2. Click the "Install" button to install the SSL server certificate in the internal database. The Certificate Install Wizard appears.
• Click "in the following encoded text block" radio button, and then click the "Paste from Clipboard" button to paste the SSL server certificate. Click Next.
• The certificate information is shown. Click Next.
• Enter {internaldb_sslnickname} as the name of the certificate in the text field. Click Next. Click next.
• Type in {internaldb_hardwaretokenpwd} as the token password. Click Done.
3. In the "Manage Certificates" dialog box, click on "CA Certs" tab to add the trusted CA chain to the certificate database in the internal database.
1. Follow the procedure in chapter XXII. Miscellaneous, section L. Retrieving a CA Certificate Chain to retrieve the CA certificate chain.
2. Select "internal (software)" from the Security Device combobox.
3. Click Install button to install the trusted CA chain. The Certificate Install Wizard appears.
• Click "in the following encoded text block:" button and click the "Paste from Clipboard" button to paste the CA certificate chain in the text area. Click next.
• The certificate information is shown. Click Next.
• The Certificate Type is shown. Click Next.
• Click Done to exit the wizard.
4. Click Close button to dismiss the Manage Certificates dialog box.
4. Click on Configuration tab to enable SSL in the internal database.
1. Select the top node on the left hand panel. Click Settings tab on the right hand panel. Enter {internaldb_sslport} for the Encrypted port field.
2. Click the Encryption tab.
3. Check the "Enable SSL for this server" and the "Use this cipher family: RSA" checkboxes.
4. Select the {internaldb_hardwaretokenname}:{internaldb_sslnickname} in Certificate field. (Sometimes the combobox has a long list of ceritificates and there might be a problem to scroll down within the combobox. The user will need to use the up and down arrows to scroll up and down.)
5. Click Save.
5. Restart the internal database from the command line by typing {server_root}/slapd-{internaldb_id}/restart-slapd.

2. Modification in CMS entries

1. Stop CMS server
2. Go to {server_root}/cert-[{caid},{subcaid},{drmid},{ocspid},{raid}]/config
3. The following CMS.cfg is an example for a CA. To do this for other subsytems, change all the following references for ca to ra, ocsp or drm. Edit CMS.cfg with the following lines:

 
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=CN=Directory Manager
internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
internaldb.ldapconn.host={cahost}
(NOTE:  Make sure to change this from localhost to the actual hostname. Use the fully qualified domain name.)
internaldb.ldapconn.port={internaldb_sslport}
internaldb.ldapconn.secureConn=true

Note: The following line does not exist in CMS.cfg. It has to be added to CMS.cfg.
internaldb.ldapauth.clientCertNickname={hardwaretokenname}:Server-Cert cert-[{caid},{subcaid},{drmid},{ocspid},{raid}]
 

3. Setup an entry for a client certificate in a internal database

1. In the admin console, select internal database instance under Server Group on the left hand panel.
2. Click Open button to open internal database directory server console.
1. By performing the following procedure, a new suffix will be added to the Internal Database:

For example, if the CMS subsystem SSL server certificate has a subject name like {ssl_subjectname} which is cn=