Red Hat CERTIFICATE SYSTEM ENTERPRISE - SECURITY GUIDE Manual

This manual for the Red Hat Certificate System Enterprise Security Client Guide is provided as a PDF; the guide contains 60 pages.

Summary of Contents:

[Page 1] Red Hat CERTIFICATE SYSTEM ENTERPRISE - SECURITY GUIDE

Red Hat Certificate System Enterprise Security Client Guide. Author(s): Red Hat, Inc. ISBN: N/A. Publication date: ...

[Page 2]

Red Hat Certificate System Enterprise Security Client Guide ...

[Page 3]

Red Hat Certificate System Enterprise Security Client Guide: Copyright © 2006 Red Hat, Inc. All rights reserved. This material may be distributed only subject to the terms and conditions set forth in the Open Pub... [1] http://www.opencontent.org/openpub

[Page 5]

1. Introduction ... 1
   1. Features ... 1
   2. Pl...

[Page 7]

Introduction The Red Hat Certificate System creates, manages, renews, and deletes certificates and keys within an organization. There are five subsystems which govern the behavior of the public-key infrastructure (PKI) of the organization: • The Ce...

[Page 8]

interface URL without requiring any user configuration. • Enterprise Security Client has diagnostic logging that records common access and events and records potential errors such as interruptions with the connection between the Enterprise Security...

[Page 9]

On most operating systems, many programs maintain an icon in the tray or notification area. These icons can be used to control the operation of the program, usually through context menus when the icon is right-clicked. In the default Enterprise Secur...

[Page 11]

Platform Support. Enterprise Security Client supports the following platforms:
• Red Hat Enterprise Linux 4 AS (Intel x86)
• Red Hat Enterprise Linux 4 ES (Intel x86)
• Microsoft Windows XP
• Apple Mac OS X 10.4.x (Tiger)
Smart Card Support. E...

[Page 13]

Installation Enterprise Security Client is packaged as a set of RPMs and other files that are part of the complete Certificate System distribution. These are listed in the installation chapter of the Certificate System Administrator's Guide. The...

[Page 14]

Figure 3.1. Launching the Installation Wizard
3. The wizard displays the list of packages which will be installed.
Chapter 3. Installation 8

[Page 15]

Figure 3.2. Launching the Installation Wizard
4. The wizard screen asks for the final installation directory for Enterprise Security Client. The default is C:\Program Files\Red Hat\ESC.
Installation on Windows 9

[Page 16]

Figure 3.3. Installation Directory
5. The wizard screen asks for the start menu directory for Enterprise Security Client. The default is Red Hat.

[Page 17]

Figure 3.4. Start Menu Directory
6. Proceed through the Enterprise Security Client installation wizard. Click Install to begin installing the Enterprise Security Client components.
NOTE: The installation process also installs the CoolKey PKCS #11 driv...

[Page 18]

Figure 3.5. Beginning Installation

[Page 19]

Figure 3.6. Installation Progress
7. Once the installation has completed, Enterprise Security Client prompts the user to insert a token and can be launched for immediate use.

[Page 20]

Figure 3.7. Launching the Smart Card Manager
8. Click the Finish button to complete the installation.

[Page 21]

Figure 3.8. Completing Installation
2. Installation on Red Hat Enterprise Linux
To install Enterprise Security Client and its supporting components on Red Hat Enterprise Linux, do the following:
NOTE: If the up2date utility was already used to install...

[Page 22]

    su
    rpm -ivh ccid-1.0.1-5.i386.rpm
    rpm -ivh pcsc-lite-1.3.1-7.i386.rpm
    rpm -ivh pcsc-lite-libs-1.3.1-7.i386.rpm
    rpm -ivh ifd-egate-0.05-15.i386.rpm
    rpm -ivh coolkey-1.0.1-4.i386.rpm
    rpm -ivh esc-1.0.0-19.i386.rpm

The version numbers for the different ...

[Page 23]

Figure 3.9. Mac Installation Program
b. Select the location to install the CoolKey package.
Figure 3.10. Installation Location
c. Click the Upgrade button to begin installation.
Installation on Mac OS X 17

[Page 24]

Figure 3.11. Launch Installation
d. Supply the Mac administrator password.
Figure 3.12. Mac Admin Password

[Page 25]

e. Click the Close button to complete the installation.
Figure 3.13. Finish Installation
When the process is completed, the Egate token drivers, the PKCS #11 module, and the TokenD software are installed on the local system.

[Page 27]

Using the Enterprise Security Client
The following section contains basic instructions on using the Enterprise Security Client for token enrollment, formatting, and password reset operations.
1. Launching Enterprise Security Client
• On Red Hat Ente...

[Page 28]

Since the Enterprise Security Client is based on Mozilla XULRunner, each user has a profile similar to the user profiles used by Mozilla Firefox or Thunderbird. The Enterprise Security Client accesses the configuration preferences file. When the Ente...

[Page 29]

"http://www.test.example.com" The Phone Home feature and the different type of information used by it only work when the TPS has been properly configured to use Phone Home. If the TPS is not configured for Phone Home, then this feature is i...

[Page 30]

Figure 4.1. Prompt for Phone Home Information
The TPS configuration URI is the URL of the TPS server which returns the rest of the Phone Home information to the Enterprise Security Client. An example of this URL is https://test.example.com:12443/cgi-...
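The following added example, which is not code from the guide or from Red Hat, audits the URL-valued preferences in an esc-prefs.js profile file before it is deployed. Because Phone Home lets the TPS hand the client the rest of its configuration, the TPS configuration URI should be https and should point at the host you expect; a plain http value such as the "http://www.test.example.com" shown above would be flagged. The preference names (esc.tps.url and friends), the sample URLs and the allowed-host list are assumptions made up for the example; only the pref() line format of esc-prefs.js comes from the guide.

```javascript
// Added example, not code from the guide or from Red Hat: audit the URL-valued
// preferences in an esc-prefs.js file before rolling it out. Phone Home only
// protects enrollment if ESC reaches the TPS over https at the host you expect.
// The preference names and URLs in SAMPLE_PREFS are constructed for this
// example; only the esc-prefs.js file format (Mozilla pref() lines) is real.
"use strict";

const SAMPLE_PREFS = `
// constructed sample of an esc-prefs.js profile file
pref("esc.tps.url", "https://test.example.com:12443/tps");
pref("esc.phone.home.url", "http://www.test.example.com");
pref("esc.enrollment.ui.url", "https://test.example.com:12443/enroll");
pref("esc.log.level", 3);
pref("esc.auto.launch", true);
`;

// Hosts ESC is allowed to phone home to (assumed deployment policy).
const ALLOWED_HOSTS = new Set(["test.example.com"]);

// Parse pref("name", value); lines into a Map. Values are JSON-compatible
// literals (quoted strings, numbers, true/false), so JSON.parse decodes them.
function parsePrefs(text) {
  const prefs = new Map();
  const lineRe = /^pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;$/;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("//")) continue;
    const m = lineRe.exec(line);
    if (!m) throw new Error(`unparseable pref line: ${line}`);
    prefs.set(m[1], JSON.parse(m[2]));
  }
  return prefs;
}

// Report every URL-valued preference that is not https or not on the allow
// list. Assumption: URL-valued preferences have names ending in .url or .uri.
function auditEndpoints(prefs, allowedHosts) {
  const findings = [];
  for (const [key, value] of prefs) {
    if (!/\.(url|uri)$/i.test(key)) continue;
    if (typeof value !== "string") {
      findings.push({ key, problem: "value is not a string" });
      continue;
    }
    let url;
    try {
      url = new URL(value);
    } catch (e) {
      findings.push({ key, problem: `not a valid URL: ${value}` });
      continue;
    }
    if (url.protocol !== "https:") {
      findings.push({ key, problem: `insecure scheme ${url.protocol} in ${value}` });
    }
    if (!allowedHosts.has(url.hostname)) {
      findings.push({ key, problem: `unexpected host ${url.hostname} in ${value}` });
    }
  }
  return findings;
}

// When run directly, print the findings for the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditEndpoints(parsePrefs(SAMPLE_PREFS), ALLOWED_HOSTS)) {
    console.log(`${f.key}: ${f.problem}`);
  }
}
```

Run it against the profile's real esc-prefs.js (the locations are listed in Appendix A) and treat any finding as a deployment blocker; the host allow list is what stops a mistyped or attacker-supplied Phone Home URL from quietly redirecting enrollment.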

[Page 31]

The CAPI store is a repository controlled by Windows that houses a collection of digital certificates associated with a given CSP. CAPI oversees the certificates, while each CSP controls the cryptographic keys belonging to the certificates. The Certi...

[Page 32]

traditional full-sized smart card into a smart card reader.
3. When the system recognizes the smart card, it displays a message indicating it has detected an uninitialized smart card.
Figure 4.2. Smart Card Enrollment with a Card
This screen gives the ...

[Page 33]

Figure 4.3. Smart Card Enrollment Message When the Card Is Removed
Reinserting the card brings the previous dialog back with the option to enroll the smart card. Click Enroll My Smart Card to continue with the enrollment process.
4. Since the Enterpr...

[Page 34]

Figure 4.4. Smart Card Enrollment Page
5. This example is the default enrollment UI included with the TPS server. This UI is a standard HTML form, so simple modifications, such as setting the company logo or adding extra text or changing field text, ...

[Page 35]

NOTE: The LDAP user ID and password are required because the TPS server is usually associated with a Directory Server, which stores user information and which the TPS consults to authenticate users.
• Password. This sets the smart card's pass...

[Page 36]

Figure 4.5. Smart Card Enrollment Success Message
5. Customizing the Smart Card Enrollment User Interface
The Certificate System TPS subsystem has a generic external smartcard enrollment user interface which is formatted in standard HTML and Javascri...

[Page 37]

The default HTML page, shown in Example 4.2, “Customizing the Smart Card Enrollment User Interface”, can be edited to change the colors, images, and layout.

    <html>
    <head>
    <meta http-equiv="Content-Type" content="text...

[Page 38]

            <td><input type="password" id="snamepwd" value=""></td>
          </tr>
        </table>
        <p class="bodyText">
          Before you can use your smartcard, you need a password to protect it.</p>
    &l...
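An added example, not part of the guide or of the TPS default enrollment page, of the kind of validation a customized enrollment form can perform before ESC submits it. The snamepwd id is the one in the guide's HTML; the uid, snamepwd2, errors and enrollForm ids and the 8-character minimum are assumptions for illustration. Such checks only improve the user experience: the TPS and the card applet are where a password policy has to be enforced, and whether your TPS does so is a server-side configuration question this page does not answer.

```javascript
// Added example, not code from the guide or from Red Hat: client-side checks
// for a customized smart card enrollment form. "snamepwd" is the password
// field id from the guide's default HTML; "uid", "snamepwd2", "errors" and
// "enrollForm" are assumed ids. Client-side validation is a convenience only;
// the TPS and token enforce the real policy (assumption: the TPS is configured
// to do so).
"use strict";

const MIN_PASSWORD_LENGTH = 8; // assumed local policy, not a value from the guide

// Pure validation so it can be tested without a browser. Returns user-facing
// messages; an empty list means the form may be submitted.
function validateEnrollmentInput({ uid, password, confirm }) {
  const errors = [];
  if (typeof uid !== "string" || uid.trim() === "") {
    errors.push("Enter your LDAP user ID.");
  }
  if (typeof password !== "string" || password.length < MIN_PASSWORD_LENGTH) {
    errors.push(`Smart card password must be at least ${MIN_PASSWORD_LENGTH} characters.`);
  } else if (!/[A-Za-z]/.test(password) || !/[0-9]/.test(password)) {
    errors.push("Smart card password must contain both letters and digits.");
  }
  if (password !== confirm) {
    errors.push("The two password entries do not match.");
  }
  return errors;
}

// Browser hook-up. Reads the fields at submit time and blocks submission on
// error; the password value itself is never logged or written into the page.
function attachEnrollmentValidation(form, doc) {
  form.addEventListener("submit", (event) => {
    const errors = validateEnrollmentInput({
      uid: doc.getElementById("uid").value,
      password: doc.getElementById("snamepwd").value,
      confirm: doc.getElementById("snamepwd2").value,
    });
    if (errors.length > 0) {
      event.preventDefault();
      doc.getElementById("errors").textContent = errors.join(" ");
    }
  });
}

// Only wire up the DOM when one exists, so the file also loads under Node.
if (typeof document !== "undefined") {
  attachEnrollmentValidation(document.getElementById("enrollForm"), document);
}
```

Keep the validation in a separate script file referenced from the customized page rather than inline, so that the HTML edits the guide describes (logo, text, layout) do not touch the logic.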

[Page 39]

Figure 4.6. Manage Smart Cards Page
6.1. Formatting the Smart Card
Formatting the card brings the smart card to the uninitialized state, which removes all the user keypairs previously generated and erases the password set on the smart card during enr...

[Page 40]

6.2. Reset Smart Card Password
If a user forgets the password for a smart card after the card is enrolled, it is possible to reset the password by doing the following:
1. Place a supported smart card into the USB slot of the computer. Make sure the s...

[Page 41]

The View Certificates button shows basic information about the selected smart card, including the keys and certificates stored on it.
1. Place a supported smart card into the USB slot of the computer. Make sure the card shows up in the Active Smart C...

[Page 42]

Figure 4.9. Manual Enrollment Form
Enrolling a token with the user key pairs means the token can be used for certificate-based operations such as SSL client authentication and S/MIME.
NOTE: The TPS server can be configured to generate the user key pai...

[Page 43]

5. The TPS server can be configured to authenticate the enrollment operation. If the TPS has been configured for authentication, enter the user credentials when the dialog box appears, and click OK.
Figure 4.10. LDAP Authentication Prompt
6. The enro...

[Page 44]

• Problems occur during a smart card operation, such as a certificate enrollment, password reset, or format operation.
• The Enterprise Security Client loses the connection to the smart card. This can happen when problems communicating with the P...

[Page 45]

Figure 4.11. Diagnostics Screen
The diagnostics screen displays the following information:
• The Enterprise Security Client version number.
• The version information for the system upon which the client is running.
• The number of cards detecte...

[Page 46]

• The version of the applet running inside the smart card.
• The alpha-numeric ID of the card.
• The card's status, which can be NO_APPLET (no key is detected), UNINITIALIZED (the key is detected, but no certificates have been enrolled), o...

[Page 47]

Using Enterprise Security Client Keys for SSL Client Authentication and S/MIME
After a token is enrolled, the token can be used for SSL client authentication and S/MIME email applications. The PKCS #11 module has different names and locations dependi...

[Page 48]

3. If the CA is not yet trusted, download and import the CA certificate.
   a. Open the SSL End Entity page on the CA. For example: https://example.com:9443/ca/ee/ca
   b. Click the Retrieval tab, and then click Import CA Certificate Chain.
   c. Click Downlo...

[Page 49]

The certificates can be used for SSL.
2. S/MIME Applications
To enable S/MIME on mail applications such as Mozilla Thunderbird:
1. In Mozilla Thunderbird, open the Edit menu, and select Account Settings.
2. Select Security on the left.
3. Add a PKCS ...

[Page 50]

6. In the Encryption section of the Security panel, click Select to choose the certificate to encrypt and decrypt messages.
Chapter 5. Using Enterprise Security Client Keys for SSL Client Authentication and S/MIME 44

[Page 51]

Uninstalling Enterprise Security Client
This section provides platform-specific instructions to uninstall Enterprise Security Client.
1. Uninstalling on Windows
1. Unplug all USB tokens.
2. Stop Enterprise Security Client.
3. Open the Control Panel, ...

[Page 52]

NOTE: There is no uninstallation program for the Mac.
Chapter 6. Uninstalling Enterprise Security Client 46

[Page 53]

Appendix A. Enterprise Security Client Configuration Previously, Enterprise Security Client relied on an application-specific configuration file. Enterprise Security Client is now based on Mozilla XULRunner technology, which allows the preferences fa...

[Page 54]

• Windows: C:\Documents and Settings\$USER\Application Data\RedHat\ESC\Profiles
• Red Hat Enterprise Linux: ~/.redhat/esc
• Mac: ~/Library/Application Support/ESC/Profiles
The esc-prefs.js file section below shows the Enterprise Security Client...

[Page 55]

on smart cards or keys. CoolKey TokenD allows a Certificate System key to show as a KeyChain.
2.1. Verifying the TokenD Is Working
1. Make sure Enterprise Security Client has been installed on the Mac computer.
2. Use Enterprise Security Client to en...

[Page 56]

• GenericAuth.js contains the code for the authentication prompt. This prompt is configurable from the TPS server, which requires dynamic processing by Enterprise Security Client.
3.1. Quick Javascript UI Guide
Certificate System 7.1 deployments ma...

[Page 57]

• Windows: C:\Program Files\Red Hat\ESC
• Red Hat Enterprise Linux: /usr/lib/esc-1.0.0/esc
• Mac: User preference for the ESC.app directory, usually the desktop
4.1. Windows
On Windows, Enterprise Security Client uses the following directories ...

[Page 58]

• Privately deployed XUL framework in Contents/
• Info.plist
• Frameworks/
• XUL.framework/
• Resources
• Enterprise Security Client XULRunner application configuration file: application.ini
• Enterprise Security Client XPCOM components...

[Page 59]

Index
