Red Hat Certificate System 7.2 - Agent Guide (Manual)


Manual information: this document is the Red Hat Certificate System 7.2 Agent Guide, supplied as a PDF of 73 pages (1.33 MB download).


Summary of Contents:

[Page 1] Red Hat CERTIFICATE SYSTEM 7.2 - MIGRATION GUIDE

Red Hat Certificate System Agent Guide 7.2 ...

[Page 2]

Red Hat Certificate System Agent Guide 7.2: Copyright © 2006 Red Hat, Inc. This manual is for agents of Certificate System subsystems. This guide explains the different agent services interfaces for the Certificate System subsystems and details the ...

[Page 3]

...

[Page 4]

Table of Contents: About This Guide (vi); 1. Who Should Read This Guide ...

[Page 5]

8. TPS: Agent Services (54); 1. Basic Operations for an Agent and Administrator ...

[Page 6]

About This Guide This guide describes the agent services interfaces used by Red Hat Certificate System agents to administer subsystem certificates and keys and other management operations. 1. Who Should Read This Guide This guide is intended for Ce...

[Page 7]

cd /var/lib/rhpki-ca/ • Italics are used for emphasis, variables, book titles, glossary terms, and when a phrase is first used. For example: This control depends on the access permissions the super user has set for the user. • Square brackets ([]...

[Page 8]

Chapter 1. Agent Services This chapter describes the role of the privileged users, agents, in managing Certificate System subsystems. It also introduces the tools that agents use to administer service requests. 1. Overview of Certificate System Cer...

[Page 9]

An online certificate-validation authority is often referred to as an OCSP responder. • Token Key Service. The Token Key Service (TKS) manages the master and transport keys required to generate and distribute keys for smart cards. The TKS provide...

[Page 10]

2. Agent Tasks The designated agents for each subsystem are responsible for the everyday management of end-entity requests and other aspects of the PKI: • Certificate Manager agents manage certificate requests received by the Certificate Manager su...

[Page 11]

Figure 1.2. Certificate Manager Agent Services Page A Certificate Manager agent performs the following tasks: • Handling certificate requests. An agent can list the certificate service requests received by the Certificate Manager subsystem, assign ...

[Page 12]

2.2. Data Recovery Manager Agent Services The default entry page to the DRM agent services is shown in Figure 1.3, “Data Recovery Manager Agent Services Page”. Only designated DRM agents, with a valid certificate in their client software, are all...

[Page 13]

Figure 1.4. Online Certificate Status Manager Agent Services Page An Online Certificate Status Manager agent performs the following tasks: • Checking that CAs are currently configured to publish their CRLs to the Online Certificate Status Manager. • I...

[Page 14]

Figure 1.5. TPS Agent Services Page A TPS agent performs the following tasks: • Listing and searching enrolled tokens by user ID or token CUID. • Listing and searching certificates associated with enrolled tokens. • Searching token operations b...

[Page 15]

Figure 1.6. TPS Administrator Operations Tab A TPS administrator can perform the following tasks: • Listing and searching enrolled tokens by user ID or token CUID. • Editing token information, including the token owner's user ID. • Adding ...

[Page 16]

Form name / Description (table continued) ...ber of results to display. Display Revocation List: used to view the current CRL. The display can be customized by the issuing point and display type. Clicking on the CRL number will display the time taken to generate this CRL,...

[Page 17]

Form name / Description (table continued) The operations are only searched by the contextually unique ID (CUID) of the token. See Section 5, “Searching Token Activities”. Table 1.1. Forms Used for Agent Operations. 4. Accessing Agent Services Access to the agent serv...

[Page 18]

here. Check with the Certificate System administrator for information on the local installation. ...

[Page 19]

Chapter 2. CA: Working with Certificate Profiles A Certificate Manager agent is responsible for approving certificate profiles that have been configured by a Certificate System administrator. Certificate Manager agents also manage and approve certifi...

[Page 20]

• Unassigns the certificate request, which removes the certificate request from an agent's queue. Enrollment requests are submitted to a certificate profile and are subject to the defaults and constraints set up in that certificate profile, ...

[Page 21]

Profile ID / Profile Name / Description (table continued) ...ment ...ing smart card-based enrollments initiated through the TPS server for signing certificates. Table 2.1. List of Certificate Profiles. 3.1. Example Profile An example caUserCert profile, as shipped with the s...

[Page 22]

Profile Policy Set / Defaults / Constraints (table continued) The keytype should be RSA. keyminLength = 512, keymaxLength = 4096: the key length should be between 512 and 4096. set4 - Authority Key Identifier: no defaults, no constraints. set5 - AIA extension: authinfoaccesscri...

[Page 23]

Profile Policy Set / Defaults / Constraints (table continued) Type:RFC822Name,Enable: true}. set9 - SigningAlg: populates the certificate signing algorithm. The default value is Algorithm=SHA1withRSA. Accepts only the following signing algorithms: SHA1withRSA SHA256wit...
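Worked example, added here and not code from the Agent Guide or from Certificate System itself: a small evaluator that applies the kind of constraints quoted from the caUserCert profile on the two pages above (key type RSA, keyminLength/keymaxLength, and an allow-list of signing algorithms) to a certificate request and returns the fields an agent would have to send back for editing. The profile text is a constructed key=value layout that only mirrors the values the page shows; it is not the real Certificate System profile file syntax, and SHA512withRSA in the allow-list (the page's own list is cut off after SHA256wit...) is an assumption. Beside the shipped values it also evaluates a hardened profile with a 2048-bit floor and no SHA1withRSA, which is what a practitioner would deploy today; the 512-bit minimum the shipped profile accepts is far too small to be safe.

```python
"""Evaluate a certificate request against profile policy-set constraints.

Added example; the profile fragments below are constructed in a simplified
<set>.constraint.<param>=<value> form that mirrors the values quoted from the
caUserCert profile (keytype RSA, 512..4096 bits, SHA1withRSA default). This
is NOT the real Certificate System profile file syntax.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed fragment reflecting the shipped profile values quoted on the page.
SHIPPED_PROFILE = """
keyUsage.constraint.keyType=RSA
keyUsage.constraint.keyminLength=512
keyUsage.constraint.keymaxLength=4096
signingAlg.constraint.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA
"""

# Hardened variant (assumption, not from the page): no 512-bit keys, no SHA-1.
HARDENED_PROFILE = """
keyUsage.constraint.keyType=RSA
keyUsage.constraint.keyminLength=2048
keyUsage.constraint.keymaxLength=4096
signingAlg.constraint.signingAlgsAllowed=SHA256withRSA,SHA512withRSA
"""


@dataclass
class Profile:
    # policy set name -> {constraint parameter -> value}
    sets: Dict[str, Dict[str, str]] = field(default_factory=dict)

    @classmethod
    def parse(cls, text: str) -> "Profile":
        prof = cls()
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            set_name, _, param = key.partition(".constraint.")
            prof.sets.setdefault(set_name, {})[param] = value.strip()
        return prof


def check_request(profile: Profile, request: Dict[str, object]) -> List[str]:
    """Return the list of fields an agent would have to fix; empty means valid."""
    problems: List[str] = []
    key_c = profile.sets.get("keyUsage", {})
    alg_c = profile.sets.get("signingAlg", {})

    # Key type constraint (the page: "The keytype should be RSA").
    if "keyType" in key_c and request.get("keyType") != key_c["keyType"]:
        problems.append(f"keyType: expected {key_c['keyType']}, got {request.get('keyType')}")

    # Key length constraint (the page: keyminLength .. keymaxLength).
    length = request.get("keyLength")
    if not isinstance(length, int):
        problems.append("keyLength: missing or not an integer")
    else:
        lo = int(key_c.get("keyminLength", 0))
        hi = int(key_c.get("keymaxLength", 2**31))
        if not lo <= length <= hi:
            problems.append(f"keyLength: {length} outside {lo}..{hi}")

    # Signing algorithm allow-list (the page: "Accepts only the following ...").
    allowed = alg_c.get("signingAlgsAllowed", "")
    allowed_set = {a.strip() for a in allowed.split(",") if a.strip()}
    if allowed_set and request.get("signingAlg") not in allowed_set:
        problems.append(f"signingAlg: {request.get('signingAlg')} not in {sorted(allowed_set)}")
    return problems


if __name__ == "__main__":
    # Constructed request: passes the shipped profile, fails the hardened one twice.
    req = {"keyType": "RSA", "keyLength": 1024, "signingAlg": "SHA1withRSA"}
    print("shipped :", check_request(Profile.parse(SHIPPED_PROFILE), req) or "valid")
    print("hardened:", check_request(Profile.parse(HARDENED_PROFILE), req) or "valid")
```

The same 1024-bit SHA-1 request is accepted by the shipped constraints and rejected on two fields by the hardened ones, which is the check an agent wants the profile to perform before a request ever reaches the approval queue.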

[Page 24]

5. Enabling and Disabling Certificate Profiles Any certificate profiles that have been configured by an administrator are listed in the Manage Certificate Profiles page of the agent services page, which is accessed through the Manage Certificate Prof...

[Page 25]

1. Open the Manage Certificate Profiles page, and click on a certificate profile name. 2. Open the certificate profile's Approve Certificate Profile page. 3. Click the Disapprove button at the bottom of the page. NOTE It is only possible to disa...

[Page 26]

Chapter 3. CA: Handling Certificate Requests A Certificate Manager agent is responsible for handling both manual enrollment requests made by end entities (end users, server administrators, and other Certificate System subsystems) and automated enroll...

[Page 27]

Figure 3.1. Certificate Request Management Process 2. Listing Certificate Requests The Certificate Manager keeps a queue of all certificate service requests that have been submitted to it. The queue records whether a request is pending, completed, ca...

[Page 28]

1. Go to the Certificate Manager agent services page. https://server.example.com:9443/ca/agent/ca NOTE An agent must have the proper client certificate to access this page. 2. Click List Requests to view the queue of certificate requests. The List R...

[Page 29]

ing profile processing. If the system has been configured to provide automatic notifications to users, a notice is sent to the requester when the request is rejected. • Show completed requests. These are requests that have been completed, including...

[Page 30]

Figure 3.4. Request Details NOTE If the system changes the state of the displayed request, using the browser's Back or Forward buttons or history to navigate can cause the data display to become out of date. To refresh the data, click the highli...

[Page 31]

• Renewal • Revocation • Any • Searching by Request Owner. There are two ways to search by the request owner: • Search for requests assigned to self • Search for requests assigned to a particular agent (based on UID attribute) Both of the ...

[Page 32]

quest is confirmed as valid, or the system returns a list of fields that need to be edited. • Reject Request. Rejects the request. • Cancel Request. Cancels the request without issuing a certificate or a rejection. NOTE For more information on ho...

[Page 33]

Figure 3.5. A Newly Issued Certificate Page To copy and mail a new server certificate to the requester, do the following: 1. Create a new email addressed to the requester. 2. From the agent services window where the new certificate is displayed, copy...

[Page 34]

4. Create a new email message addressed to the requester. 5. Paste the URL into the body of the message, along with instructions for the requester to go to that URL and click the Import button at the bottom of the page to import the certificate. A...

[Page 35]

Chapter 4. CA: Finding and Revoking Certificates A Certificate Manager agent can use the agent services page to find a specific certificate issued by the Certificate System or to retrieve a list of certificates that match specified criteria. The cert...

[Page 36]

Leaving either the lower limit or upper limit field blank displays the certificate with the specified number, plus all certificates before or after it in sequence. 3. To limit the returned list to valid certificates, select the check boxes labeled wi...

[Page 37]

Figure 4.2. Search Certificates 3. To search by particular criteria, use one or more of the sections of the Search for Certificates form. To use a section, select the check box, then fill in any necessary information. • Serial Number Range. Finds a...

[Page 38]

• Revoked. The certificate has been revoked. • Expired. An expired certificate has passed the end of its validity period. • Revoked and Expired. The certificate has passed its validity period and been revoked. • Subject Name. Lists certificat...

[Page 39]

• Locality. Narrows the search by locality, such as the city. • State. Narrows the search by state or province. • Country. Narrows the search by country; use the two-letter country code, such as US. 5. After entering the field values for the se...

[Page 40]

Figure 4.3. Search Results Form 3. Examining Certificates To examine the details of a certificate, do the following: 1. On the agent services page, click List Certificates or Search for Certificates, specify search criteria, and click Find to display...

[Page 41]

5. The certificate is shown in base-64 encoded form at the bottom of the Certificate page, under the heading Installing this certificate in a server. 4. Revoking Certificates Only Certificate Manager agents can revoke certificates other than their ow...

[Page 42]

Figure 4.5. Revoke One or All Certificates 4.2. Revoking One or More Certificates An entire list of certificates returned by a search can be revoked, or selected certificates from the list can be revoked. CAUTION Whether revoking a single certificate...

[Page 43]

4. Confirm the certificate to be revoked in the revocation form. 4.2.2. Revoking Multiple Certificates To revoke all of the certificates returned in a search, do the following: 1. On the Certificate Manager's agent services page, click Revoke Ce...

[Page 44]

Figure 4.6. Confirm Certificate Revocation To confirm the revocation, do the following: 1. Inspect the details of the certificate to verify that it is the one to be revoked. If more than one certificate is being revoked, the form shows details for ...

[Page 45]

• Certificate superseded • Cessation of operation • Certificate is on hold 4. Enter any additional comment. The comment is included in the revocation request. When the revocation request is submitted, it is automatically approved, and the certi...

[Page 46]

To update the CRL manually, do the following: 1. Open the Certificate Manager agent services page. 2. Click Update Revocation List to display the form for updating the CRL. Figure 4.7. Update Certificate Revocation List 3. Select the algorithm to use...

[Page 47]

Chapter 5. CA: Publishing to a Directory A Red Hat Directory Server installation is required for the Certificate System subsystems to be installed; this directory instance maintains user information and certificate and key information. The Certific...

[Page 48]

• To publish the latest CRL, select Update certificate revocation list to the publishing directory. • To update information on valid certificates to the publishing directory, select Update valid certificates to the directory. To update a range of...

[Page 49]

Chapter 6. DRM: Recovering Encrypted Data This chapter describes how authorized Data Recovery Manager (DRM) agents process key recovery requests and recover stored encrypted data when the encryption key has been lost. This service is available only w...

[Page 50]

amine it in more detail. 8. On the Key Service Request Queue form, find a particular request. If the desired request is not shown, scroll to the bottom of the list, and use the arrows to move to another page of search results. 9. Clicking the ID numb...

[Page 51]

Figure 6.1. Search for Keys Page 3. To search by particular criteria, use the different sections of the Search for Keys or Recover Keys form. To use a section, select the check box for that section, then fill in any necessary information. • Owner n...

[Page 52]

for maximum results. To limit the time allowed for the search, enter a value for time limit in seconds. 4. After entering the search criteria, click Show Key. The DRM displays a list of the keys that match the search criteria. Select a key from the l...

[Page 53]

Figure 6.3. Key Details Page 2.2. Recovering Keys If the search was initiated through the Recover Keys button, the Search Results page also allows the agent to initiate the recovery of any key found. To initiate key recovery, do the following: 1. On ...

[Page 54]

Figure 6.4. Key Detail Page for Recovering Keys The number of key recovery agent authorizations required to recover a key is configured by the DRM administrator by setting the following parameters in the CS.cfg file. kra.noOfRequiredRecoveryAgents=1 ...

[Page 55]

Do not close the browser after initiating the key recovery. The agent must wait for all other agents to authorize the key recovery request before the system returns the hyperlink to download the PKCS #12 file containing the private key. This page kee...
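Worked example, added here and not code from the Agent Guide or from the DRM itself, covering the two pages above: the DRM holds a key recovery request open until the number of distinct agents set by kra.noOfRequiredRecoveryAgents has authorized it, and only then hands back the PKCS #12 download. The model below reads that parameter from CS.cfg-style text (the CS.cfg line is the one the page quotes; everything else, the class names, the in-memory request object and the "two-person" value of 2, is an assumption) and shows the edge case that matters for separation of duties: the same agent authorizing twice is still one approver. With the shipped value of 1 a single agent can recover any archived key alone, so a practitioner would normally raise it.

```python
"""Model the DRM's multi-agent key recovery authorization.

Added example, not Certificate System code. It models the behaviour the
Agent Guide describes: a request stays pending until the number of distinct
agents given by kra.noOfRequiredRecoveryAgents has authorized it, after which
the PKCS #12 download becomes available. Class names, the request object and
the constructed CS.cfg fragments below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Set

# Constructed CS.cfg fragments. The first holds the value quoted by the guide;
# the second is the two-person rule a practitioner would configure (assumption).
SHIPPED_CFG = "kra.noOfRequiredRecoveryAgents=1\n"
TWO_PERSON_CFG = "# constructed fragment\nkra.noOfRequiredRecoveryAgents=2\n"


def required_recovery_agents(cs_cfg: str, default: int = 1) -> int:
    """Read kra.noOfRequiredRecoveryAgents from CS.cfg-style key=value text."""
    for raw in cs_cfg.splitlines():
        line = raw.strip()
        if line.startswith("kra.noOfRequiredRecoveryAgents="):
            value = int(line.split("=", 1)[1].strip())
            if value < 1:
                raise ValueError("kra.noOfRequiredRecoveryAgents must be >= 1")
            return value
    return default  # parameter absent: fall back to the shipped value of 1


@dataclass
class RecoveryRequest:
    request_id: str
    key_id: str
    required: int                      # distinct agents needed
    authorizers: Set[str] = field(default_factory=set)
    pkcs12_ready: bool = False         # True once the download link may be issued

    def authorize(self, agent_uid: str) -> str:
        """Record one agent's authorization and return the request state."""
        if self.pkcs12_ready:
            return "approved"
        # A set, not a counter: a repeat authorization by the same agent
        # must not count as a second approver.
        self.authorizers.add(agent_uid)
        if len(self.authorizers) >= self.required:
            self.pkcs12_ready = True
            return "approved"
        return f"pending ({len(self.authorizers)}/{self.required})"


if __name__ == "__main__":
    req = RecoveryRequest("req-1", "key-1", required_recovery_agents(TWO_PERSON_CFG))
    for agent in ("agent-a", "agent-a", "agent-b"):   # constructed sequence
        print(agent, "->", req.authorize(agent))
    print("PKCS #12 download available:", req.pkcs12_ready)
```

The initiating agent's browser page on the DRM is doing the same thing as the loop above: polling until the approver set reaches the configured size, at which point the PKCS #12 link appears.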

[Page 56]

Chapter 7. OCSP: Agent Services This chapter describes how to perform Online Certificate Status Manager (OCSP) agent tasks, such as identifying a CA to the OCSP and adding a CRL to the OCSP's internal database. This service is available only whe...

[Page 57]

To store the Certificate Manager's CA signing certificate in the internal database of the OCSP, do the following: 1. Open the Certificate Manager's end-entities page. https://server.example.com:9443/ca/agent/ca 2. Select the Retrieval tab, ...

[Page 58]

Figure 7.2. Add Certificate Authority Page 11. Click Add. The certificate is added to the internal database of the OCSP. NOTE If the CA contains multiple CRL distribution points, always publish the master CRL (the CRL that contains all revoked cert...

[Page 59]

3. In the results page, select the desired CRL issuing point, select the option to display the CRL as base-64, and click Display. 4. In the CRL details page, scroll to the Certificate revocation list base64 encoded section, which shows the CRL in bas...

[Page 60]

5. Click Check. The next page shows the status of the certificate that was submitted. ...

[Page 61]

Chapter 8. TPS: Agent Services This chapter describes how to perform Token Processing System (TPS) agent tasks, such as listing smart card tokens and resetting card PINs. Agents can manage the smart cards and the certificates stored on the cards. The...

[Page 62]

Figure 8.1. Adding Tokens Normally, it is not necessary for agents to create a token entry because the entry is created automatically when the token connects to TPS, such as connecting through the Enterprise Security Client. However, an agent may wan...

[Page 63]

Figure 8.3. Token Search Results Selecting a token shows the token's detail page. Figure 8.4. Token Details Four operations can be performed on the token through this page: • Changing the token status. • Editing the token policy. NOTE Agents...

[Page 64]

The status is changed through the token details page, which is shown by listing or searching for tokens and then selecting a token from the returned list. Figure 8.5. Changing Status There are six possible token statuses: • The token is physically ...

[Page 65]

To change the status, select the menu item, and click Go. 3.2. Editing the Token Clicking the Edit button opens up a page listing the token owner UID, the token CUID, the token status, and the token policy. Agents can edit one field for a token in th...

[Page 66]

Figure 8.7. Listing Token Certificates 3.4. Conflicting Token Certificate Status Information The TPS stores the complete history of certificates' status, so that all changes in status can be reviewed. However, the status shown on the token is th...

[Page 67]

Clicking the Show Activities button in the token details page returns a list of all operations which have been performed on the token. Figure 8.8. Showing Token Activities 4. Listing and Searching Certificates There are two links for finding and view...

[Page 68]

Figure 8.10. Certificate Search Results 5. Searching Token Activities The token activities, such as enrollment, which are performed through the TPS subsystem can be searched and listed for assistance with token management. There are two links for fin...

[Page 69]

Figure 8.12. Listing Activities 6. Administrator Operations TPS administrators can perform all of the agent tasks through the Agent Operations tab of the TPS agent services page. Additionally, they can perform two tasks through the Administrator Oper...

[Page 70]

Figure 8.13. Token Details Page The activities available through the administrator token details page are different than the ones available through the agent token details page: • Showing the activities performed on the token. • Editing the token...

[Page 71]

NOTE If the PIN_RESET policy is not set, then user-initiated PIN resets are allowed by default. If the policy is present and is changed from NO to YES, then a PIN reset can be initiated by the user once; after the PIN is reset, the policy value autom...
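Worked example, added here and not code from the Agent Guide or from the TPS: the PIN_RESET rule in the note above, applied to a token policy string. The policy is handled as a KEY=VALUE;KEY=VALUE string, which is an assumption about the layout (the page shows the policy name only, not its encoding). The three branches follow the note: no PIN_RESET entry means a user-initiated reset is allowed; PIN_RESET=NO denies it; PIN_RESET=YES allows exactly one reset and is then set back to NO. That flip back to NO is how this example reads the note, whose last sentence the page cuts off, so treat it as an assumption; the one-shot semantics it implements are the point, since a YES that never reverted would leave the token permanently user-resettable.

```python
"""Decide whether a user-initiated PIN reset is allowed by a TPS token policy.

Added example, not Certificate System code. The policy string layout
(KEY=VALUE items separated by ';') and the revert-to-NO step after a
one-time reset are assumptions; the three outcomes follow the note above.
"""
from typing import Dict, Tuple


def parse_policy(policy: str) -> Dict[str, str]:
    """'RE_ENROLL=YES;PIN_RESET=NO' -> {'RE_ENROLL': 'YES', 'PIN_RESET': 'NO'}."""
    result: Dict[str, str] = {}
    for item in policy.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed policy item: {item!r}")
        result[key.strip().upper()] = value.strip().upper()
    return result


def format_policy(policy: Dict[str, str]) -> str:
    """Inverse of parse_policy; keeps the original item order."""
    return ";".join(f"{k}={v}" for k, v in policy.items())


def user_pin_reset(policy: str) -> Tuple[bool, str]:
    """Return (allowed, updated_policy) for one user-initiated PIN reset attempt.

    The caller is expected to store updated_policy back on the token entry,
    since a YES is consumed by the reset it permits.
    """
    items = parse_policy(policy)
    value = items.get("PIN_RESET")
    if value is None:
        return True, policy               # policy not set: allowed by default
    if value == "YES":
        items["PIN_RESET"] = "NO"         # one-time permission, now consumed
        return True, format_policy(items)
    if value == "NO":
        return False, policy
    raise ValueError(f"unexpected PIN_RESET value: {value!r}")


if __name__ == "__main__":
    # Constructed token policy: an agent has just flipped PIN_RESET from NO to YES.
    policy = "RE_ENROLL=YES;RENEW=NO;PIN_RESET=YES"
    for attempt in (1, 2):
        allowed, policy = user_pin_reset(policy)
        print(f"attempt {attempt}: allowed={allowed} policy={policy}")
```

Running the block shows the first attempt succeeding and leaving PIN_RESET=NO behind, so the second attempt is refused until an agent sets the policy to YES again.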

[Page 72]

Index. A: accessing end-entity gateways, 2; accessing forms, 10; agent services forms: accessing, 10; Certificate Manager, 3; Data Recovery Manager, 5; Online Certificate Status Manager, 5; summary, 8; TPS, 6; agents: requirements for, 3; responsibilities ...

[Page 73]

TPS agent services forms, 6; certificates: conflicting stat, 59; certificates and tokens, 54; changing token status, 56; deleting tokens, 62; editing tokens, 62; listing tokens, 55; searching activities, 61; searching tokens, 55, 60; type styles used in this ...