Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual

Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Manual Information:

This manual for Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT, given in the PDF format, is available for free online viewing and download without logging on. The guide contains 114 pages. The document type is Deployment Manual.

Summary of Contents:

[Page 1] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Red Hat Certificate System 8 Deployment Guide Ella Deon Lackey Publication date: July 22, 2009, updated on September 24, 2009 ...

[Page 2] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Red Hat Certificate System 8 Deployment Guide. Author: Ella Deon Lackey. Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Att...

[Page 3] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Contents, page iii: About This Guide (p. vii); 1. Examples and Formatting ...

[Page 4] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Contents, page iv: 4.4. CRLs (p. 50); 4.5. Publishing ...

[Page 5] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Contents, page v: 6.5.1. Usage Assumptions (p. 83); 6.5.2. Organizational Policies (p. 84); 6.5.3. Po...

[Page 6] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

vi ...

[Page 7] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

vii About This Guide This guide explains how to install and configure Red Hat Certificate System subsystems. This guide is intended for experienced system administrators planning to deploy the Certificate System. Certificate System agents should refe...

[Page 8] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

About This Guide viii 1.2. Tool Locations All of the tools for Red Hat Certificate System are located in the /usr/bin directory. These tools can be run from any location without specifying the tool location. 1.3. Guide Formatting Certain words are re...

[Page 9] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Giving Feedback ix • Certificate System Installation Guide 2 covers the installation process for all Certificate System subsystems. This manual is intended for Certificate System administrators. • Certificate System Administrator's Guide 3 ...

[Page 10] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

About This Guide x • Set the component to Doc - deployment-guide. • Set the version number to 8.0. • For errors, give the page number (for the PDF) or URL (for the HTML), and give a succinct description of the problem, such as incorrect procedu...

[Page 11] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 1. 1 Introduction to Public-Key Cryptography Public-key cryptography and related standards underlie the security features of many products such as signed and encrypted email, single sign-on, and Secure Sockets Layer (SSL) communications. This...

[Page 12] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 1. Introduction to Public-Key Cryptography 2 with the algorithm to produce an encrypted result or to decrypt previously encrypted information. Decryption with the correct key is simple. Decryption without the correct key is very difficult, if...

[Page 13] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Key Length and Encryption Strength 3 The scheme shown in Figure 1.2, “Public-Key Encryption” allows public keys to be freely distributed, while only authorized people are able to read data encrypted using this key. In general, to send encrypted d...

[Page 14] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 1. Introduction to Public-Key Cryptography 4 Because it is relatively trivial to break an RSA key, an RSA public-key encryption cipher must have a very long key — at least 1024 bits — to be considered cryptographically strong. On the othe...

[Page 15] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Certificates and Authentication 5 A digital signature is similar to a handwritten signature. Once data have been signed, it is difficult to deny doing so later, assuming the private key has not been compromised. This quality of digital signatures pro...

[Page 16] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 1. Introduction to Public-Key Cryptography 6 a server. Server authentication refers to the identification of a server (the organization assumed to be running the server at the network address) by a client. Client and server authentication are...

[Page 17] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Authentication Confirms an Identity 7 2. The client sends the name and password across the network, either in plain text or over an encrypted SSL connection. 3. The server looks up the name and password in its local password database and, if they mat...

[Page 18] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 1. Introduction to Public-Key Cryptography 8 a Server” requires SSL. Figure 1.5, “Using a Certificate to Authenticate a Client to a Server” also assumes that the client has a valid certificate that can be used to identify the client to ...

[Page 19] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

How Certificates Are Used 9 1.3.3. How Certificates Are Used Certificates have a purpose: to establish trust. Their usage varies depending on the kind of trust they are used to ensure. Some kinds of certificates are used to verify the identity of the...

[Page 20] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 1. Introduction to Public-Key Cryptography 10 messages loses the private key and does not have access to a backup copy of the key, the encrypted messages can never be decrypted. 1.3.3.1.3. Single Sign-on Network users are frequently required ...

[Page 21] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

How Certificates Are Used 11 This list is not exhaustive; there are certificate enrollment forms for dual-use certificates for LDAP directories, file-signing certificates, and other subsystem certificates. These forms are available through the Certif...

[Page 22] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 1. Introduction to Public-Key Cryptography 12 Certificate Type Use Example CA certificates Used to identify CAs. Client and server software use CA certificates to determine what other certificates can be trusted. For more information, see Sec...

[Page 23] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Contents of a Certificate 13 1.3.3.2.2. Other Signing Certificates Other services, such as the OCSP responder service and CRL publishing, can use signing certificates other than the CA certificate. For example, a separate CRL signing certificate can ...

[Page 24] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 1. Introduction to Public-Key Cryptography 14 Users do not usually need to be concerned about the exact contents of a certificate. However, system administrators working with certificates may need some familiarity with the information contain...

[Page 25] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Contents of a Certificate 15 DNs may include a variety of other name-value pairs. They are used to identify both certificate subjects and entries in directories that support the Lightweight Directory Access Protocol (LDAP). The rules governing the co...

[Page 26] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 1. Introduction to Public-Key Cryptography 16 ed:27:40:4d:86:b3:05:c0:01:bb:50:15:c9:de:dc:85:19:22: 43:7d:45:6d:71:4e:17:3d:f0:36:4b:5b:7f:a8:51:a3:a1:00: 98:ce:7f:47:50:2c:93:36:7c:01:6e:cb:89:06:41:72:b5:e9: ...

[Page 27] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

How CA Certificates Establish Trust 17 • Section 1.3.5.1, “CA Hierarchies” • Section 1.3.5.2, “Certificate Chains” • Section 1.3.5.3, “Verifying a Certificate Chain” 1.3.5.1. CA Hierarchies In large organizations, responsibility for...

[Page 28] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 1. Introduction to Public-Key Cryptography 18 the root CA, based on the CA hierarchy shown in Figure 1.6, “Example of a Hierarchy of Certificate Authorities”. Figure 1.7. Example of a Certificate Chain A certificate chain traces a path of...

[Page 29] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

How CA Certificates Establish Trust 19 1. The certificate validity period is checked against the current time provided by the verifier's system clock. 2. The issuer's certificate is located. The source can be either the verifier's loca...

[Page 30] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 1. Introduction to Public-Key Cryptography 20 Figure 1.9. Verifying a Certificate Chain to an Intermediate CA Expired validity dates, an invalid signature, or the absence of a certificate for the issuing CA at any point in the certificate cha...

[Page 31] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Managing Certificates 21 Figure 1.10. A Certificate Chain That Cannot Be Verified 1.4. Managing Certificates Certificates are used in many applications, from encrypting email to accessing websites. There are two major stages in the lifecycle of the c...

[Page 32] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 1. Introduction to Public-Key Cryptography 22 library card are different than the ones to get a driver's license. Similarly, different CAs have different procedures for issuing different kinds of certificates. Requirements for receiving ...

[Page 33] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 2. 23 Overview of Red Hat Certificate System Subsystems Every common PKI operation — issuing, renewing and revoking certificates; archiving and recovering keys; publishing CRLs and verifying certificate status — is carried out by interop...

[Page 34] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 2. Overview of Red Hat Certificate System Subsystems 24 2.1.1. About the Certificate Manager (CA) As stated, the Certificate Manager is the heart of the Certificate System. It manages certificates at every stage, from requests through enrollm...

[Page 35] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

About the Certificate Manager (CA) 25 When an end entity enrolls in a PKI by requesting a certificate, the following events can occur, depending on the configuration of the PKI and the subsystems installed: 1. The end entity provides the information ...

[Page 36] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 2. Overview of Red Hat Certificate System Subsystems 26 • If the notification feature is set up, the link where the certificate can be obtained is sent to the end user. 10. An automatic notice can be sent to the end entity when the certific...

[Page 37] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

About OCSP Services 27 RAs remove some of the load from CAs by handling the validation part of a certificate request. For example, offices or organizations can validate requests locally, according to their predefined standards, using RA agents. This ...

[Page 38] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 2. Overview of Red Hat Certificate System Subsystems 28 • A responder with a public key trusted by the client. Such a responder is called a trusted responder. • A responder that holds a specially marked certificate issued to it directly b...

[Page 39] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

About the Data Recovery Manager (DRM) 29 NOTE If the CRL is large, the Certificate Manager can take a considerable amount of time to publish the CRL. The Online Certificate Status Manager stores each Certificate Manager's CRL in its internal dat...

[Page 40] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 2. Overview of Red Hat Certificate System Subsystems 30 The DRM stores private encryption keys in a secure key repository in its internal database; each key is encrypted and stored as a key record and is given a unique key identifier. The arc...

[Page 41] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

About the Data Recovery Manager (DRM) 31 a. The end entity, using a client which can generate dual key pairs, submits a request through the Certificate Manager enrollment form. b. The client detects the JavaScript in the enrollment form and exports o...

[Page 42] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 2. Overview of Red Hat Certificate System Subsystems 32 NOTE The page that the first agent used to initiate the key recovery request keeps refreshing until all agents required to authorize have performed the authorization. It is important tha...

[Page 43] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

About the Token Key Service (TKS) 33 2.1.6. About the Token Key Service (TKS) The Certificate System Token Management System consists of three components, the Token Processing System (TPS), the Token Key Service (TKS), and the Enterprise Security Cli...

[Page 44] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 2. Overview of Red Hat Certificate System Subsystems 34 2.2.1.1. The Java Administrative Console for CA, OCSP, DRM, and TKS Subsystems The Java console is used by four subsystems: the CA, OCSP, DRM, and TKS. The console is accessed using a lo...

[Page 45] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Interfaces for Administrators 35 based authentication. The other subsystems used separate SSL ports for the agent and administrative services, along with certificate-based authentication. The HTML admin interface is much more limited than the Java co...

[Page 46] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 2. Overview of Red Hat Certificate System Subsystems 36 Figure 2.4. TPS Admin Page 2.2.2. Agent Interfaces The agent services pages are where almost all of the certificate and token management tasks are performed. These services are HTML-base...

[Page 47] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

End User Pages 37 Figure 2.5. Certificate Manager's Agent Services Page The operations vary depending on the subsystem: • The Certificate Manager agent services include approving certificate requests (which issues the certificates), revoking c...

[Page 48] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 2. Overview of Red Hat Certificate System Subsystems 38 The end-user services are accessed over standard HTTP using the server's hostname and the standard port number; they can also be accessed over HTTPS using the server's hostname...

[Page 49] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Enterprise Security Client 39 • Supports JavaCard 2.1 or higher cards and Global Platform 2.01-compliant smart cards like Safenet's 330J smart card • Supports Global Platform 2.01-compliant smart cards like Gemalto e-gate 32K and Gemalto TOP...

[Page 50] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

40 ...

[Page 51] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 3. 41 Supported Standards and Protocols Red Hat Certificate System is based on many public and standard protocols and RFCs, to ensure the best possible performance and interoperability. The major standards and protocols used or supported by C...

[Page 52] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 3. Supported Standards and Protocols 42 • The default internal PKCS #11 module, which comes with two tokens: • The internal crypto services token, which performs all cryptographic operations such as encryption, decryption, and hashing. ...

[Page 53] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Supported Cipher Suites for RSA 43 NOTE Longer RSA keys are required to provide security as computing capabilities increase. The recommended RSA key-length is 2048 bits. Though many web servers continue to use 1024-bit keys, web servers should migrat...

[Page 54] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 3. Supported Standards and Protocols 44 Bits of Security: 256; RSA Key Length: 15360; ECC Key Length: 512+. The information in this table is from the National Institute of Standards and Technology (NIST). For more information, see http://csrc.ni...

[Page 55] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Supported PKIX Formats and Protocols 45 • Operations performed with Certificate System tools, including the Subject Alt Name Extension tool, HttpClient, and the Bulk Issuance Tool • Client communications, including both the pkiconsole and IPv6-en...

[Page 56] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 3. Supported Standards and Protocols 46 Format or Protocol RFC or Draft Description Certificate Request Message Format (CRMF) RFC 4211 A message format to send a certificate request to a CA. Certificate Management Message Formats (CMMF) Messa...

[Page 57] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Supported Security and Directory Protocols 47 Protocol Description Lightweight Directory Access Protocol (LDAP) v2, v3 A directory service protocol designed to run over TCP/IP and across multiple platforms. LDAP is a simplified version of Directory A...

[Page 58] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 3. Supported Standards and Protocols 48 Protocol Description IPv4 and IPv6 Certificate System supports both IPv4 and IPv6 address namespaces for communications and operations with all subsystems and tools, as well as for clients, subsystem cr...

[Page 59] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 4. 49 Major Features in Certificate System This chapter covers some of the major features of Red Hat Certificate System, giving a brief rundown of the major functionality of the product. These summaries are meant to help administrators unders...

[Page 60] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 4. Major Features in Certificate System 50 4.4. CRLs The Certificate System can create certificate revocation lists (CRLs) from a configurable framework which allows user-defined issuing points so a CRL can be created for each issuing point. ...

[Page 61] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Auditing 51 4.11. Auditing The Certificate System maintains audit logs for all events, such as requesting, issuing and revoking certificates and publishing CRLs. These logs are then signed. This allows authorized access or activity to be detected. An...

[Page 62] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 4. Major Features in Certificate System 52 Each object is then mapped to a security context, which defines the type of object and how it is allowed to function on the Linux server. Objects can be grouped into domains, and then each domain is ...

[Page 63] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Security-Enhanced Linux Support 53 • Any access not specified in the SELinux policy is denied to the Certificate System instance. For Certificate System, each subsystem is treated as an SELinux object, and each subsystem has unique rules assigned t...

[Page 64] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

54 ...

[Page 65] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. 55 Planning the Certificate System Each Red Hat Certificate System subsystem is installed and configured separately. They can all be installed on the same machine, installed on separate servers, or have multiple instances installed across ...

[Page 66] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. Planning the Certificate System 56 Figure 5.1. CA Only Certificate System All of the basic processing for requests and issuing certificates can be handled by the Certificate Manager, and it is the only required subsystem. There can be a singl...

[Page 67] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Planning for Lost Keys: Key Archival and Recovery 57 5.1.2. Planning for Lost Keys: Key Archival and Recovery One operation the CA cannot perform, though, is key archival and recovery. A very real scenario is that a user is going to lose his private ...

[Page 68] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. Planning the Certificate System 58 Another option, though, is to distribute some of the tasks of a single CA to another subsystem. For example, Example Corp. has a manageable number of people requesting certificates for a single CA to issue...

[Page 69] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Planning for Smart Cards 59 Figure 5.4. CA and OCSP 5.1.5. Planning for Smart Cards Most certificates are enrolled through the CA. This is useful for certificates enrolled through an application such as a web browser or web server. For managing smart...

[Page 70] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. Planning the Certificate System 60 Figure 5.5. How Certificate System Manages Smart Cards To use the tokens, the Token Processing System must be able to recognize and communicate with them. The tokens must first be enrolled to format the t...

[Page 71] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Defining the Certificate Authority Hierarchy 61 After installation, the TPS configuration can be edited to use additional CA, DRM, and TKS instances for failover support, so if the primary subsystem is unavailable, the TPS can switch to the next avai...

[Page 72] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. Planning the Certificate System 62 the certificate to be issued. Before deploying the full PKI, however, consider whether to have a root CA, how many to have, and where both root and subordinate CAs will be located. 5.2.1. Subordination to...

[Page 73] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Planning Security Domains and Trust Relationships 63 Because clone CAs and original CAs use the same CA signing key and certificate to sign the certificates they issue, the issuer name in all the certificates is the same. Clone CAs and the original C...

[Page 74] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. Planning the Certificate System 64 OCSP, and other CAs — must become members of the security domain by supplying the security domain URL when configuring the subsystem. Each subsystem within the security domain shares the same trust poli...

[Page 75] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Using Trusted Managers 65 • The Certificate System security domain allows an offline CA to be set up. In this scenario, the offline root has its own security domain. All online subordinate CAs belong to a different security domain. • The security...

[Page 76] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. Planning the Certificate System 66 Subsystem Certificates • User's (agent/administrator) certificate • Audit log signing certificate DRM • Transport certificate • Storage certificate • SSL server certificate • Subsystem ce...

[Page 77] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

CA Distinguished Name 67 must be requested with the appropriate extensions. After installing the certificate, the publishing directory must be configured to use the new server certificate. • Any number of SSL server certificates can be issued for a...

[Page 78] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. Planning the Certificate System 68 SHA1withRSA is the default signing algorithm for CAs for RSA certificates. SHA1withEC is the default signing algorithm for CAs for ECC certificates. Along with a key type, each key has a specific bit leng...

[Page 79] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Using Certificate Extensions 69 NOTE For more information on standard extensions, see RFC 2459 1 , RFC 3280 2 , and RFC 3279 3 . The X.509 v3 standard for certificates allows organizations to define custom extensions and include them in certificates....

[Page 80] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. Planning the Certificate System 70 • If the extension is critical and the certificate is sent to an application that does not understand the extension based on the extension's ID, the application must reject the certificate. • If ...

[Page 81] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Using and Customizing Certificate Profiles 71 A set of certificate profiles have been predefined for the most common certificates issued. These certificate profiles define defaults and constraints, associate the authentication method, and define the ...

[Page 82] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. Planning the Certificate System 72 constraints. This validation procedure is only for verification and does not result in the request being submitted. The agent is bound by the constraints set; they cannot change the request in such a way ...

[Page 83] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Publishing Certificates and CRLs 73 • In automatic enrollment, end-entity requests are authenticated using a plug-in, and then the certificate request is processed; an agent is not involved in the enrollment process. • In CMC enrollment, a third ...

[Page 84] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. Planning the Certificate System 74 • If certificates are published to the directory, then every user or server to which a certificate is issued must have a corresponding entry in the LDAP directory. • If CRLs are published to the direc...

[Page 85] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Considering Physical Security and Location 75 • Allowing appropriate access to other subsystems and clients outside of the firewall The CA, DRM, and TKS are always placed inside a firewall because they contain critical information that can cause de...

[Page 86] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. Planning the Certificate System 76 pkiconsole https://server.example.com:9445/ca All agent and admin functions require SSL client authentication. For requests from end entities, the Certificate System listens on both the SSL (encrypted) po...

[Page 87] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Tokens for Storing Certificate System Subsystem Keys and Certificates 77 certificates. The Certificate System automatically generates these files in the filesystem of its host machine when first using the internal token. These files are created durin...

[Page 88] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 5. Planning the Certificate System 78 Administrators are allowed to select any of the tokens that are logged in as the default token, which is used to generate system keys. 5.7. Questions for Planning the Certificate System • Will the PKI a...

[Page 89] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 6. 79 Setting up a Common Criteria Environment Setting up a secure environment according to Red Hat Certificate System's Common Criteria evaluation guidelines requires special planning for its subsystems and users. The actual installatio...

[Page 90] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 6. Setting up a Common Criteria Environment 80 • Secure password and certificate storage. Plan for the storage of any passwords and certificates. Also define the user password policy. Make sure everyone knows and adheres to these policies. ...

[Page 91] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Users, Roles, and Access Control for Common Criteria 81 messages, and other important or relevant information about the transaction, like the certificate serial number, DN, or authentication source. The only configurable option for the audit log cont...

[Page 92] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 6. Setting up a Common Criteria Environment 82 6.4.1. Certificate System User Types Each Certificate System subsystem has up to four roles. While the names of the user roles (administrator, agent, auditors, and trusted managers), the function...

[Page 93] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Access Controls for Common Criteria 83 6.4.2. Access Controls for Common Criteria All of the subsystems and supporting network environment must support and enforce an access control policy with the following restrictions: • Users are only granted a...

[Page 94] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 6. Setting up a Common Criteria Environment 84 Objective Area Description Social engineering training General users, administrators, operators, officers and auditors are trained in techniques to thwart social engineering attacks. Cooperative ...

[Page 95] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Security Objectives 85 Objective Area Description Modification of private/secret keys A secret/private key is modified. Sender denies sending information The sender of a message denies sending the message to avoid accountability for sending the messa...

[Page 96] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 6. Setting up a Common Criteria Environment 86 Objective Area Description Malicious code not signed Protect Certificate System from malicious code by ensuring all code is signed by a trusted entity prior to loading it into the system. Notify ...

[Page 97] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Features Not Covered by Common Criteria Evaluation 87 Objective Area Description Procedures for preventing malicious code Incorporate malicious code prevention procedures and mechanisms. Protect stored audit records Protect audit records against una...

[Page 98] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Chapter 6. Setting up a Common Criteria Environment 88 • Running the internal LDAP database or any publishing LDAP database without SSL. • Adding a custom plug-in. All role users for a subsystem must carefully evaluate any custom plug-ins before ...

[Page 99] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

89 Glossary A access control The process of controlling what particular users are allowed to do. For example, access control to servers is typically based on an identity, established by a password or a certificate, and on rules regarding what that en...

[Page 100] Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT

Glossary 90 authentication module A set of rules (implemented as a Java™ class) for authenticating an end entity, agent, administrator, or any other entity that needs to interact with a Certificate System subsystem. In the case of typical end-user ...