iPlanet Certificate Management System Installation and Setup Guide



Chapter 10   CMS Configuration


The runtime properties of iPlanet Certificate Management Server (CMS) are governed by a set of configuration parameters. These parameters are stored in a file that is read by the server during startup.

When you install Certificate Management System, the installer creates an ASCII file, named CMS.cfg, and populates it with the appropriate configuration parameters. You can control the way Certificate Management System functions by making the appropriate changes to the configuration information.

This chapter explains how the installation type affects the number of configuration files created on your machine and their contents. It also explains the ways in which you can modify the configuration and the precautions you should take when doing so. The chapter ends with a road map to configuring individual subsystems.

The chapter has the following sections:

  • Effects of Installation Type on Configuration

  • Locating the Configuration File

  • Modifying the Configuration

  • Road Map to Configuring Subsystems



Effects of Installation Type on Configuration

For each instance of Certificate Management System there is a configuration file, named CMS.cfg. The configuration file controls the runtime properties of the corresponding CMS instance.

A CMS instance can include a single subsystem or two subsystems in one of the following combinations:

  • A single Certificate Manager, Registration Manager, Data Recovery Manager, or Online Certificate Status Manager

  • A Certificate Manager and Data Recovery Manager together

  • A Registration Manager and Data Recovery Manager together

Figure 10-1 illustrates a deployment scenario involving two instances of Certificate Management System running on the same host (Host A) and a single instance running on another host (Host B). Notice the two separate configuration files for the instances running on Host A, one for each CMS instance.

Although the names of both the configuration files are the same, the information included in the files differs according to the subsystems installed in each instance. For example, the configuration file for CMS Instance 1 includes only those parameters that govern the Registration Manager, whereas the configuration file for CMS Instance 2 includes parameters that control both the Certificate Manager and Data Recovery Manager.

It is also important to understand that subsystems installed in a CMS instance share certain parts of the configuration. They use the same

  • Administration, agent, and end-entity ports for interaction

  • Internal token and trust database

  • SSL ciphers during SSL negotiation

  • Privileged users (administrators and agents)

  • Log files to log messages

  • Internal database for data storage

Figure 10-1    How installation affects configuration



Duplicating Configuration From One Instance to Another

If you have deployed a large number of CMS instances that are identical—for example, multiple Registration Managers—and you want all these instances to have the same configuration, you can accomplish this by configuring one of the instances and then replacing the configuration files of the other instances with the one that contains the required configuration. Figure 10-2 illustrates this quick way of deploying multiple Registration Managers with the same configuration.

Figure 10-2    Duplicating a configuration




Note Be careful when replacing the configuration of one instance with that of another. The configuration file for an instance contains instance-specific parameters. If you overwrite these parameters, the instance will fail to start or will not function properly.





Locating the Configuration File



Each instance of Certificate Management System has its own configuration file, CMS.cfg. The default location for this file is as follows:

<server_root>/cert-<instance_id>/config



Modifying the Configuration



You can modify the CMS configuration in two ways:

  • From the CMS window (see Changing the Configuration From the CMS Window)

  • By editing the configuration file directly (see Changing the Configuration by Editing the Configuration File)


Changing the Configuration From the CMS Window

The CMS window allows you to view the current configuration of a CMS instance and make the required changes. Because this is the recommended method for changing configuration, the chapters that follow focus on explaining how to change the various configuration parameter values from the CMS window.



Note You may find the road map provided in Road Map to Configuring Subsystems useful in setting up your CMS instances.




Changing the Configuration by Editing the Configuration File

This section explains how to change the CMS configuration by editing the configuration parameter values in the file CMS.cfg. This ASCII file is read by Certificate Management System when it is started.



Caution

Do not edit the configuration file directly if you are not familiar with the configuration parameters or if you are not sure that the changes you intend to make will be accepted by the server. Certificate Management System will fail to start up if you make incorrect modifications to the configuration file. Incorrect configuration can also result in data loss.

Also, before you start editing the configuration file, be sure to read Guidelines for Editing the Configuration File.



To modify the configuration file directly:

  1. Stop the CMS instance whose configuration file you want to edit (see Stopping Certificate Management System).

  2. Open a terminal window.

  3. Go to this directory: <server_root>/cert-<instance_id>/config

  4. Open the configuration file, CMS.cfg, in a text editor.

  5. Edit information in the file and save your changes.

  6. Restart Certificate Management System (see Restarting Certificate Management System).


Guidelines for Editing the Configuration File

The file-based configuration store of Certificate Management System is implemented on top of java.util.Properties. The following guidelines will help you interpret the information in the configuration file.

  • The format of the configuration file is as follows (lines that begin with white space continue the value on the preceding line):

    #comment
    [parameter]=value
        value

    [parameter]
        multi
        line
        value (e.g. base-64 encoded certificate)

  • Comment lines, blank lines, unknown parameters, or misspelled parameters are ignored by Certificate Management System. Comment lines begin with a number sign (#). A line beginning with white space is considered a continuation of the previous line.

  • The configuration file has many sections. Some sections contain parameters specific to the subsystems that have been installed; the other sections contain parameters that are shared by the subsystems. Subsystem-specific parameters are distinguished by a prefix identifying the subsystem:

    • ca for the Certificate Manager

    • ra for the Registration Manager

    • kra for the Data Recovery Manager

    • ocsp for the Online Certificate Status Manager

  • The parameter names and their values are strings. The parameter names can be hierarchically structured with '.' notation with multiple levels—for example, ca.Policy.rule.RSAKeyRule.maxSize. The entries corresponding to a lower level (such as Policy in the example) can be requested from the configuration corresponding to its higher level (ca in the example).

  • Values that need to be localized (such as distinguished names in multibyte format) should be entered in UTF-8. For more information on this format, see the document UTF-8, a transformation format of Unicode and ISO 10646, available at this URL: http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2044.txt

  • Certificate Management System writes out the configuration in a sorted order.

  • The values of some parameters are referenced to other parts of the configuration file. For example, assume that a parameter is defined as subsystem.id=ca; when this parameter is processed by the server, all the parameters beginning with ca will be used.

  • The configuration file supports the Unix-style file separator, the forward slash (/). If a backslash (\) is required in a value, write two backslashes (\\) instead of one.

  • The sample configuration file shown later in this chapter (see Sample Configuration File) illustrates how authentication-specific information appears in the configuration file. Keep the following points in mind:

    • All authentication-specific information, such as names of registered authentication plug-in modules and any configured instances, appears in the Authentication section of the configuration file.

    • Each registered authentication plug-in module is identified by its implementation name and the corresponding Java class.

    • Each configured instance of an authentication module is identified by the name or ID you specified when creating it.

    • You can create multiple instances out of an implementation; each instance must have a unique name.

    • The name of an authentication instance must be used in the corresponding enrollment form so that the server is able to determine the authentication method during end-user enrollment. For details, see Step 5. Set Up the Enrollment Interface.

  • The sample configuration file shown later in this chapter also shows how Job Scheduler-specific information appears in the configuration file. Note the following:

    • All job-specific information, such as registered job modules and configured instances, appears in the Job Scheduler section of the configuration file.

    • Each registered job module is identified by its implementation name and the corresponding Java class.

    • Each job (or configured instance of a job module) is identified by the name specified when the job was created.

    • You can create as many instances of an implementation as you like; each instance must have a unique name.

  • The sample configuration file shown later in this chapter also illustrates how policy-specific information appears in the configuration file. Note the following:

    • All policy-specific information, such as registered policy plug-in implementations, configured rules, and their ordering, appears in the Policy section of the configuration file. If you have installed more than one subsystem in a CMS instance, for example a Certificate Manager and a Data Recovery Manager together, the configuration file includes a policy section specific to each of the subsystems that share the configuration.

      You can identify policy pertaining to a subsystem by these prefixes: Certificate Manager by ca, Registration Manager by ra, and Data Recovery Manager by kra.

    • Each registered policy plug-in module is identified by its implementation name and the corresponding Java class.

    • Each configured rule of a policy module is identified by the name specified when the rule was created.

    • You can create multiple rules out of an implementation; each rule must have a unique name.

  • The sample configuration file shown later in this chapter also illustrates how log-specific information appears in the configuration file.
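
As an added example (not code from this guide or from Certificate Management System itself), the following Python parser applies the guidelines above to a constructed fragment of the chapter's sample file and then cross-checks the ca.Policy section: every rule listed in ca.Policy.order must have a rule block whose implName names a registered ca.Policy.impl.<name>.class entry, a cross-reference the file format itself does not enforce. The rule DemoRule, its implName DemoConstraints, and the Windows-style path are constructed for the demonstration.

```python
"""Parser and consistency checker for a CMS.cfg-style configuration store.

Added example, not code from the iPlanet guide or from CMS itself. It applies
the rules under "Guidelines for Editing the Configuration File": '#' lines and
blank lines are ignored, a line beginning with white space continues the
previous line, names form a '.'-separated hierarchy with subsystem prefixes
such as 'ca', and a backslash in a value is written as two backslashes.
"""
from typing import Dict, List

# Constructed sample, abridged from the chapter's Certificate Manager sample.
# DemoRule/DemoConstraints are invented to show a dangling implName reference.
SAMPLE_CFG = r"""
_000=##
instanceRoot=/usr/netscape/cert-testCA
agentGateway.https.port=4605
# Constructed Windows-style path: each backslash is doubled in the file.
agentGateway.mimeTypeConf=C:\\netscape\\cert-testCA\\config\\mime.types
ca.id=ca
ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule,
   SigningAlgRule, DemoRule
ca.Policy.impl.KeyAlgorithmConstraints.class=com.netscape.certsrv.policy.KeyAlgorithmConstraints
ca.Policy.impl.RSAKeyConstraints.class=com.netscape.certsrv.policy.RSAKeyConstraints
ca.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.certsrv.policy.SigningAlgorithmConstraints
ca.Policy.impl.ValidityConstraints.class=com.netscape.certsrv.policy.ValidityConstraints
ca.Policy.rule.DefaultValidityRule.enable=true
ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints
ca.Policy.rule.DemoRule.enable=true
ca.Policy.rule.DemoRule.implName=DemoConstraints
ca.Policy.rule.KeyAlgRule.enable=true
ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints
ca.Policy.rule.RSAKeyRule.enable=false
ca.Policy.rule.RSAKeyRule.implName=RSAKeyConstraints
ca.Policy.rule.RSAKeyRule.maxSize=2048
ca.Policy.rule.RSAKeyRule.minSize=512
ca.Policy.rule.SigningAlgRule.enable=true
ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints
"""


def parse_cms_cfg(text: str) -> Dict[str, str]:
    """Read CMS.cfg text into a flat {parameter: value} dictionary."""
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                        # blank or comment line: ignored
        if raw[0].isspace() and logical:
            logical[-1] += raw.strip()      # continuation of the previous line
        else:
            logical.append(raw.rstrip())
    cfg: Dict[str, str] = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:                             # lines without '=' are skipped
            cfg[name.strip()] = value.strip().replace("\\\\", "\\")
    return cfg


def substore(cfg: Dict[str, str], prefix: str) -> Dict[str, str]:
    """Entries below one node of the hierarchy, prefix removed, e.g.
    substore(cfg, 'ca.Policy.rule.RSAKeyRule') -> {'enable': 'false', ...}."""
    head = prefix + "."
    return {k[len(head):]: v for k, v in cfg.items() if k.startswith(head)}


def split_list(value: str) -> List[str]:
    """Comma-separated list value (e.g. ca.Policy.order) to a clean list."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_policy_order(cfg: Dict[str, str], subsystem: str = "ca") -> List[str]:
    """Cross-check <subsystem>.Policy: every rule named in .order needs a rule
    block whose implName is a registered .impl.<name>.class entry.
    Returns one human-readable finding per inconsistency (empty = consistent)."""
    policy = substore(cfg, f"{subsystem}.Policy")
    impls, rules = substore(policy, "impl"), substore(policy, "rule")
    findings: List[str] = []
    for rule in split_list(policy.get("order", "")):
        block = substore(rules, rule)
        impl = block.get("implName")
        if not block:
            findings.append(f"{rule}: in order but no {subsystem}.Policy.rule.{rule}.* entries")
        elif impl is None:
            findings.append(f"{rule}: rule block has no implName")
        elif f"{impl}.class" not in impls:
            findings.append(f"{rule}: implName {impl} has no {subsystem}.Policy.impl.{impl}.class")
    return findings


def effective_order(cfg: Dict[str, str], subsystem: str = "ca") -> List[str]:
    """Rules in .order whose block has enable=true; a disabled rule is treated
    here as skipped (this example's reading of the enable flag)."""
    rules = substore(cfg, f"{subsystem}.Policy.rule")
    return [r for r in split_list(cfg.get(f"{subsystem}.Policy.order", ""))
            if rules.get(f"{r}.enable", "false").lower() == "true"]


def dump_sorted(cfg: Dict[str, str]) -> str:
    """Write the store back the way the guide says the server does: one
    parameter per line in sorted order, with backslashes doubled again."""
    return "".join(f"{k}={cfg[k].replace(chr(92), chr(92) * 2)}\n" for k in sorted(cfg))
```

Running check_policy_order on the constructed sample reports only DemoRule, whose DemoConstraints implementation is never registered; parse_cms_cfg(dump_sorted(cfg)) reproduces the same store, now in sorted order.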


Sample Configuration File

The following is a sample configuration file for a Certificate Manager.



Note This sample file includes some of the parameters used by Certificate Management System. However, there is no guarantee that an arbitrary set of options you create will work.



_000=##
_001=## File Created On : Sun Jan 02 23:02:35 PST 2000
_002=##

instanceRoot=/usr/netscape/cert-testCA
machineName=testCA.siroe.com

agentGateway._000=##
agentGateway._001=## Agent Gateway
agentGateway._002=##

   agentGateway.docRoot=/usr/netscape/cert-testCA/web/agent
   agentGateway.dynamicVariables=serverdate=serverdate()
   agentGateway.enableAdminEnroll=true
   agentGateway.enableBulkInterface=true
   agentGateway.keepAliveOn=true
   agentGateway.mimeTypeConf=/usr/netscape/cert-testCA/config/mime.types
   agentGateway.numServices=1
   agentGateway.service0=https
   agentGateway.CAGetBySerial.successTemplate=/ca/ImportCert.template
   agentGateway.adminEnroll.successTemplate=/ca/EnrollSuccess.template
   agentGateway.bulkissuance.errorTemplate=/ca/bulkissuance.template
   agentGateway.bulkissuance.pendingTemplate=/ca/bulkissuance.template
   agentGateway.bulkissuance.rejectedTemplate=/ca/bulkissuance.template
   agentGateway.bulkissuance.successTemplate=/ca/bulkissuance.template
   agentGateway.bulkissuance.svcpendingTemplate=/ca/bulkissuance.template
   agentGateway.bulkissuance.unauthorizedTemplate=/ca/bulkissuance.template
   agentGateway.bulkissuance.unexpectedErrorTemplate=/ca/bulkissuance.template
   agentGateway.https.backlog=15
   agentGateway.https.nickName=Server-Cert cert-testCA
   agentGateway.https.port=4605
   agentGateway.https.type=https

auths._000=##
auths._001=## Authentication
auths._002=##
auths.impl._000=##
auths.impl._001=## authentication manager implementations
auths.impl._002=##

   auths.impl.NISAuth.class=com.netscape.certsrv.authentication.NISAuth
   auths.impl.PortalEnroll.class=com.netscape.certsrv.authentication.PortalEnroll
   auths.impl.UidPwdDirAuth.class=com.netscape.certsrv.authentication.UidPwdDirAuthentication
   auths.impl.UidPwdPinDirAuth.class=com.netscape.certsrv.authentication.UidPwdPinDirAuthentication
   auths.revocationChecking.bufferSize=5
   auths.revocationChecking.ca=ca
   auths.revocationChecking.enabled=true
   auths.revocationChecking.unknownStateInterval=0
   auths.revocationChecking.validityInterval=120

ca.id=ca
ca.local=true

   ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, RenewalConstraintsRule, DefaultRenewalValidityRule, RevocationConstraintsRule, DefaultRevocationRule, NSCertTypeExt, CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCComment, OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, CRLDistributionPointsExt, SubjectAltNameExt, SigningAlgRule, AuthorityKeyIdentifierExt, BasicConstraintsExt, UniqueSubjectName, NameConstraintsExt, PolicyConstraintsExt, SubCANameCheck, PolicyMappingsExt, IssuerRule

   ca.Policy.processor=classic

ca.Policy.impl._000=##
ca.Policy.impl._001=## Policy Implementations
ca.Policy.impl._002=##

   ca.Policy.impl.AuthInfoAccessExt.class=com.netscape.certsrv.policy.AuthInfoAccessExt
   ca.Policy.impl.AuthorityKeyIdentifierExt.class=com.netscape.certsrv.policy.AuthorityKeyIdentifierExt
   ca.Policy.impl.BasicConstraintsExt.class=com.netscape.certsrv.policy.BasicConstraintsExt
   ca.Policy.impl.CRLDistributionPointsExt.class=com.netscape.certsrv.policy.CRLDistributionPointsExt
   ca.Policy.impl.CertificatePoliciesExt.class=com.netscape.certsrv.policy.CertificatePoliciesExt
   ca.Policy.impl.DSAKeyConstraints.class=com.netscape.certsrv.policy.DSAKeyConstraints
   ca.Policy.impl.DefaultRevocation.class=com.netscape.certsrv.policy.DefaultRevocation
   ca.Policy.impl.ExtendedKeyUsageExt.class=com.netscape.certsrv.policy.ExtendedKeyUsageExt
   ca.Policy.impl.GenericASN1Ext.class=com.netscape.certsrv.policy.GenericASN1Ext
   ca.Policy.impl.IssuerAltNameExt.class=com.netscape.certsrv.policy.IssuerAltNameExt
   ca.Policy.impl.IssuerConstraints.class=com.netscape.certsrv.policy.IssuerConstraints
   ca.Policy.impl.KeyAlgorithmConstraints.class=com.netscape.certsrv.policy.KeyAlgorithmConstraints
   ca.Policy.impl.KeyUsageExt.class=com.netscape.certsrv.policy.KeyUsageExt
   ca.Policy.impl.NSCComment.class=com.netscape.certsrv.policy.NSCComment
   ca.Policy.impl.NSCertTypeExt.class=com.netscape.certsrv.policy.NSCertTypeExt
   ca.Policy.impl.NameConstraintsExt.class=com.netscape.certsrv.policy.NameConstraintsExt
   ca.Policy.impl.OCSPNoCheckExt.class=com.netscape.certsrv.policy.OCSPNoCheckExt
   ca.Policy.impl.AttributePresent.class=com.netscape.certsrv.policy.AttributePresent
   ca.Policy.impl.PolicyConstraintsExt.class=com.netscape.certsrv.policy.PolicyConstraintsExt
   ca.Policy.impl.PolicyMappingsExt.class=com.netscape.certsrv.policy.PolicyMappingsExt
   ca.Policy.impl.PrivateKeyUsagePeriodExt.class=com.netscape.certsrv.policy.PrivateKeyUsagePeriodExt
   ca.Policy.impl.RSAKeyConstraints.class=com.netscape.certsrv.policy.RSAKeyConstraints
   ca.Policy.impl.RenewalConstraints.class=com.netscape.certsrv.policy.RenewalConstraints
   ca.Policy.impl.RenewalValidityConstraints.class=com.netscape.certsrv.policy.RenewalValidityConstraints
   ca.Policy.impl.RevocationConstraints.class=com.netscape.certsrv.policy.RevocationConstraints
   ca.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.certsrv.policy.SigningAlgorithmConstraints
   ca.Policy.impl.SubCANameCheck.class=com.netscape.certsrv.policy.SubCANameCheck
   ca.Policy.impl.SubjectAltNameExt.class=com.netscape.certsrv.policy.SubjAltNameExt
   ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.certsrv.policy.SubjectDirectoryAttributesExt
   ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.certsrv.policy.SubjectKeyIdentifierExt
   ca.Policy.impl.UniqueSubjectName.class=com.netscape.certsrv.policy.UniqueSubjectName
   ca.Policy.impl.ValidityConstraints.class=com.netscape.certsrv.policy.ValidityConstraints

   ca.Policy.rule.AuthorityKeyIdentifierExt.enable=true
   ca.Policy.rule.AuthorityKeyIdentifierExt.implName=AuthorityKeyIdentifierExt
   ca.Policy.rule.AuthorityKeyIdentifierExt.predicate=

   ca.Policy.rule.BasicConstraintsExt.enable=true
   ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt
   ca.Policy.rule.BasicConstraintsExt.predicate=HTTP_PARAMS.certType == ca
   ca.Policy.rule.BasicConstraintsExt.removeBasicExt=true

   ca.Policy.rule.CMCertKeyUsageExt.crlSign=true
   ca.Policy.rule.CMCertKeyUsageExt.digitalSignature=true
   ca.Policy.rule.CMCertKeyUsageExt.enable=true
   ca.Policy.rule.CMCertKeyUsageExt.implName=KeyUsageExt
   ca.Policy.rule.CMCertKeyUsageExt.keyCertsign=true
   ca.Policy.rule.CMCertKeyUsageExt.nonRepudiation=true
   ca.Policy.rule.CMCertKeyUsageExt.predicate=certType==ca

   ca.Policy.rule.CODESigningExt.critical=false
   ca.Policy.rule.CODESigningExt.enable=true
   ca.Policy.rule.CODESigningExt.id0=1.3.6.1.5.5.7.3.3
   ca.Policy.rule.CODESigningExt.implName=ExtendedKeyUsageExt
   ca.Policy.rule.CODESigningExt.predicate=certType==codeSignClient

   ca.Policy.rule.CRLDistributionPointsExt.enable=false
   ca.Policy.rule.CRLDistributionPointsExt.implName=CRLDistributionPointsExt
   ca.Policy.rule.CRLDistributionPointsExt.issuerName0=
   ca.Policy.rule.CRLDistributionPointsExt.issuerName1=
   ca.Policy.rule.CRLDistributionPointsExt.issuerName2=
   ca.Policy.rule.CRLDistributionPointsExt.issuerType0=
   ca.Policy.rule.CRLDistributionPointsExt.issuerType1=
   ca.Policy.rule.CRLDistributionPointsExt.issuerType2=
   ca.Policy.rule.CRLDistributionPointsExt.numPoints=0
   ca.Policy.rule.CRLDistributionPointsExt.pointName0=
   ca.Policy.rule.CRLDistributionPointsExt.pointName1=
   ca.Policy.rule.CRLDistributionPointsExt.pointName2=
   ca.Policy.rule.CRLDistributionPointsExt.pointType0=
   ca.Policy.rule.CRLDistributionPointsExt.pointType1=
   ca.Policy.rule.CRLDistributionPointsExt.pointType2=
   ca.Policy.rule.CRLDistributionPointsExt.predicate=
   ca.Policy.rule.CRLDistributionPointsExt.reasons0=
   ca.Policy.rule.CRLDistributionPointsExt.reasons1=
   ca.Policy.rule.CRLDistributionPointsExt.reasons2=

   ca.Policy.rule.CertificatePoliciesExt.enable=false
   ca.Policy.rule.CertificatePoliciesExt.implName=CertificatePoliciesExt
   ca.Policy.rule.CertificatePoliciesExt.policyId=
   ca.Policy.rule.CertificatePoliciesExt.predicate=

   ca.Policy.rule.ClientCertKeyUsageExt.digitalSignature=true
   ca.Policy.rule.ClientCertKeyUsageExt.enable=true
   ca.Policy.rule.ClientCertKeyUsageExt.implName=KeyUsageExt
   ca.Policy.rule.ClientCertKeyUsageExt.keyEncipherment=true
   ca.Policy.rule.ClientCertKeyUsageExt.nonRepudiation=true
   ca.Policy.rule.ClientCertKeyUsageExt.predicate=certType==client

   ca.Policy.rule.DSAKeyRule.enable=true
   ca.Policy.rule.DSAKeyRule.implName=DSAKeyConstraints
   ca.Policy.rule.DSAKeyRule.maxSize=2048
   ca.Policy.rule.DSAKeyRule.minSize=512
   ca.Policy.rule.DSAKeyRule.predicate=

   ca.Policy.rule.DefaultRenewalValidityRule.enable=true
   ca.Policy.rule.DefaultRenewalValidityRule.implName=RenewalValidityConstraints
   ca.Policy.rule.DefaultRenewalValidityRule.maxValidity=365
   ca.Policy.rule.DefaultRenewalValidityRule.minValidity=30
   ca.Policy.rule.DefaultRenewalValidityRule.predicate=
   ca.Policy.rule.DefaultRenewalValidityRule.renewalInterval=15

   ca.Policy.rule.DefaultRevocationRule.enable=true
   ca.Policy.rule.DefaultRevocationRule.implName=DefaultRevocation
   ca.Policy.rule.DefaultRevocationRule.predicate=

   ca.Policy.rule.DefaultValidityRule.enable=true
   ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints
   ca.Policy.rule.DefaultValidityRule.maxValidity=365
   ca.Policy.rule.DefaultValidityRule.minValidity=30
   ca.Policy.rule.DefaultValidityRule.predicate=

   ca.Policy.rule.GenericASN1Ext.critical=false
   ca.Policy.rule.GenericASN1Ext.enable=false
   ca.Policy.rule.GenericASN1Ext.implName=GenericASN1Ext
   ca.Policy.rule.GenericASN1Ext.name=
   ca.Policy.rule.GenericASN1Ext.oid=
   ca.Policy.rule.GenericASN1Ext.pattern=
   ca.Policy.rule.GenericASN1Ext.predicate=
   ca.Policy.rule.GenericASN1Ext.attribute.0.source=
   ca.Policy.rule.GenericASN1Ext.attribute.0.type=
   ca.Policy.rule.GenericASN1Ext.attribute.0.value=
   ca.Policy.rule.GenericASN1Ext.attribute.1.source=
   ca.Policy.rule.GenericASN1Ext.attribute.1.type=
   ca.Policy.rule.GenericASN1Ext.attribute.1.value=
   ca.Policy.rule.GenericASN1Ext.attribute.2.source=
   ca.Policy.rule.GenericASN1Ext.attribute.2.type=
   ca.Policy.rule.GenericASN1Ext.attribute.2.value=
   ca.Policy.rule.GenericASN1Ext.attribute.3.source=
   ca.Policy.rule.GenericASN1Ext.attribute.3.type=
   ca.Policy.rule.GenericASN1Ext.attribute.3.value=
   ca.Policy.rule.GenericASN1Ext.attribute.4.source=
   ca.Policy.rule.GenericASN1Ext.attribute.4.type=
   ca.Policy.rule.GenericASN1Ext.attribute.4.value=
   ca.Policy.rule.GenericASN1Ext.attribute.5.source=
   ca.Policy.rule.GenericASN1Ext.attribute.5.type=
   ca.Policy.rule.GenericASN1Ext.attribute.5.value=
   ca.Policy.rule.GenericASN1Ext.attribute.6.source=
   ca.Policy.rule.GenericASN1Ext.attribute.6.type=
   ca.Policy.rule.GenericASN1Ext.attribute.6.value=
   ca.Policy.rule.GenericASN1Ext.attribute.7.source=
   ca.Policy.rule.GenericASN1Ext.attribute.7.type=
   ca.Policy.rule.GenericASN1Ext.attribute.7.value=
   ca.Policy.rule.GenericASN1Ext.attribute.8.source=
   ca.Policy.rule.GenericASN1Ext.attribute.8.type=
   ca.Policy.rule.GenericASN1Ext.attribute.8.value=
   ca.Policy.rule.GenericASN1Ext.attribute.9.source=
   ca.Policy.rule.GenericASN1Ext.attribute.9.type=
   ca.Policy.rule.GenericASN1Ext.attribute.9.value=

   ca.Policy.rule.IssuerRule.enable=false
   ca.Policy.rule.IssuerRule.implName=IssuerConstraints
   ca.Policy.rule.IssuerRule.issuerDN=
   ca.Policy.rule.IssuerRule.predicate=certType==client AND certauthEnroll==on

   ca.Policy.rule.KeyAlgRule.algorithms=RSA
   ca.Policy.rule.KeyAlgRule.enable=true
   ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints
   ca.Policy.rule.KeyAlgRule.predicate=

   ca.Policy.rule.NSCComment.enable=false
   ca.Policy.rule.NSCComment.implName=NSCComment
   ca.Policy.rule.NSCComment.policyId=
   ca.Policy.rule.NSCComment.predicate=

   ca.Policy.rule.NSCertTypeExt.enable=true
   ca.Policy.rule.NSCertTypeExt.implName=NSCertTypeExt
   ca.Policy.rule.NSCertTypeExt.predicate=certType!=CEP-Request

   ca.Policy.rule.NameConstraintsExt.critical=true
   ca.Policy.rule.NameConstraintsExt.enable=false
   ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt
   ca.Policy.rule.NameConstraintsExt.numExcludedSubtrees=3
   ca.Policy.rule.NameConstraintsExt.numPermittedSubtrees=3
   ca.Policy.rule.NameConstraintsExt.predicate=certType == ca
   ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base=
   ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.max=-1
   ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.min=0
   ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.valueType=
   ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base=
   ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.max=-1
   ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.min=0
   ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.valueType=
   ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base=
   ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.max=-1
   ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.min=0
   ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.valueType=
   ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base=
   ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.max=-1
   ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.min=0
   ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.valueType=
   ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base=
   ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.max=-1
   ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.min=0
   ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.valueType=
   ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base=
   ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.max=-1
   ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.min=0
   ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.valueType=

   ca.Policy.rule.OCSPNoCheckExt.critical=false
   ca.Policy.rule.OCSPNoCheckExt.enable=true
   ca.Policy.rule.OCSPNoCheckExt.implName=OCSPNoCheckExt
   ca.Policy.rule.OCSPNoCheckExt.predicate=certType==ocspResponder

   ca.Policy.rule.OCSPSigningExt.critical=false
   ca.Policy.rule.OCSPSigningExt.enable=true
   ca.Policy.rule.OCSPSigningExt.id0=1.3.6.1.5.5.7.3.9
   ca.Policy.rule.OCSPSigningExt.implName=ExtendedKeyUsageExt
   ca.Policy.rule.OCSPSigningExt.predicate=certType==ocspResponder

   ca.Policy.rule.ObjSignCertKeyUsageExt.digitalSignature=true
   ca.Policy.rule.ObjSignCertKeyUsageExt.enable=true
   ca.Policy.rule.ObjSignCertKeyUsageExt.implName=KeyUsageExt
   ca.Policy.rule.ObjSignCertKeyUsageExt.keyCertsign=true
   ca.Policy.rule.ObjSignCertKeyUsageExt.predicate=certType==objSignClient

   ca.Policy.rule.PolicyConstraintsExt.critical=false
   ca.Policy.rule.PolicyConstraintsExt.enable=false
   ca.Policy.rule.PolicyConstraintsExt.implName=PolicyConstraintsExt
   ca.Policy.rule.PolicyConstraintsExt.inhibitPolicyMapping=0
   ca.Policy.rule.PolicyConstraintsExt.predicate=certType==ca
   ca.Policy.rule.PolicyConstraintsExt.reqExplicitPolicy=0

   ca.Policy.rule.PolicyMappingsExt.critical=false
   ca.Policy.rule.PolicyMappingsExt.enable=false
   ca.Policy.rule.PolicyMappingsExt.implName=PolicyMappingsExt
   ca.Policy.rule.PolicyMappingsExt.numPolicyMappings=1
   ca.Policy.rule.PolicyMappingsExt.predicate=certType==ca
   ca.Policy.rule.PolicyMappingsExt.policyMap0.issuerDomainPolicy=
   ca.Policy.rule.PolicyMappingsExt.policyMap0.subjectDomainPolicy=

   ca.Policy.rule.RMCertKeyUsageExt.digitalSignature=true
   ca.Policy.rule.RMCertKeyUsageExt.enable=true
   ca.Policy.rule.RMCertKeyUsageExt.implName=KeyUsageExt
   ca.Policy.rule.RMCertKeyUsageExt.nonRepudiation=true
   ca.Policy.rule.RMCertKeyUsageExt.predicate=certType==ra

   ca.Policy.rule.RSAKeyRule.enable=false
   ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537
   ca.Policy.rule.RSAKeyRule.implName=RSAKeyConstraints
   ca.Policy.rule.RSAKeyRule.maxSize=2048
   ca.Policy.rule.RSAKeyRule.minSize=512
   ca.Policy.rule.RSAKeyRule.predicate=

   ca.Policy.rule.RenewalConstraintsRule.enable=true
   ca.Policy.rule.RenewalConstraintsRule.implName=RenewalConstraints
   ca.Policy.rule.RenewalConstraintsRule.predicate=

   ca.Policy.rule.RevocationConstraintsRule.enable=true
   ca.Policy.rule.RevocationConstraintsRule.implName=RevocationConstraints
   ca.Policy.rule.RevocationConstraintsRule.predicate=

   ca.Policy.rule.ServerCertKeyUsageExt.dataEncipherment=true
   ca.Policy.rule.ServerCertKeyUsageExt.digitalSignature=true
   ca.Policy.rule.ServerCertKeyUsageExt.enable=true
   ca.Policy.rule.ServerCertKeyUsageExt.implName=KeyUsageExt
   ca.Policy.rule.ServerCertKeyUsageExt.keyEncipherment=true
   ca.Policy.rule.ServerCertKeyUsageExt.nonRepudiation=true
   ca.Policy.rule.ServerCertKeyUsageExt.predicate=certType==server

   ca.Policy.rule.SigningAlgRule.algorithms=MD5withRSA,MD2withRSA,SHA1withRSA,SHA1withDSA
   ca.Policy.rule.SigningAlgRule.enable=true
   ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints
   ca.Policy.rule.SigningAlgRule.predicate=

   ca.Policy.rule.SubCANameCheck.enable=true
   ca.Policy.rule.SubCANameCheck.implName=SubCANameCheck
   ca.Policy.rule.SubCANameCheck.predicate=
   ca.Policy.rule.SubjectAltNameExt.enable=true
   ca.Policy.rule.SubjectAltNameExt.enableManualValues=false
   ca.Policy.rule.SubjectAltNameExt.implName=SubjectAltNameExt

   ca.Policy.rule.SubjectKeyIdentifierExt.enable=true
   ca.Policy.rule.SubjectKeyIdentifierExt.implName=SubjectKeyIdentifierExt
   ca.Policy.rule.SubjectKeyIdentifierExt.predicate=certType==ca

   ca.Policy.rule.UniqueSubjectName.enable=false
   ca.Policy.rule.UniqueSubjectName.implName=UniqueSubjectName
   ca.Policy.rule.UniqueSubjectName.predicate=

ca.crl._000=##
ca.crl._001=## CA CRL
ca.crl._002=##

   ca.crl.MasterCRL.allowExtensions=false
   ca.crl.MasterCRL.autoUpdateInterval=20
   ca.crl.MasterCRL.class=com.netscape.certsrv.ca.CRLIssuingPoint
   ca.crl.MasterCRL.description=CA's complete Certificate Revocation List

   ca.notification.certIssued.emailSubject=Your Certificate Request
   ca.notification.certIssued.emailTemplate=/usr/netscape/cert-testCA/emails/certIssued_CA.html
   ca.notification.certIssued.enabled=false
   ca.notification.certIssued.senderEmail=

   ca.notification.requestInQ.emailSubject=Certificate Request in Queue
   ca.notification.requestInQ.emailTemplate=/usr/netscape/cert-testCA/emails/reqInQueue.html
   ca.notification.requestInQ.enabled=false
   ca.notification.requestInQ.recipientEmail=
   ca.notification.requestInQ.senderEmail=

   ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.certsrv.ldap.LdapCertCompsMap
   ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.certsrv.ldap.LdapCertExactMap
   ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.certsrv.ldap.LdapSimpleMap
   ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.certsrv.ldap.LdapCertSubjMap
   ca.publish.mapper.instance.LdapCaCertMap.dnPattern=UID=$cert.cn,OU=people,O=$cert.o
   ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapSimpleMap
   ca.publish.mapper.instance.LdapCrlMap.dnPattern=UID=$cert.cn,OU=people,O=$cert.o
   ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapSimpleMap
   ca.publish.mapper.instance.LdapUserCertMap.dnPattern=UID=$cert.UID,OU=people,O=$cert.o
   ca.publish.mapper.instance.LdapUserCertMap.pluginName=LdapSimpleMap
   ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.certsrv.ldap.FileBasedPublisher
   ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.certsrv.ldap.LdapCaCertPublisher
   ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.certsrv.ldap.LdapCrlPublisher
   ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.certsrv.ldap.LdapUserCertPublisher
   ca.publish.publisher.impl.ValiCertPublisher.class=com.valicert.publisher.VcPublisher

   ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=caCertificate;binary
   ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=certificationAuthority
   ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=LdapCaCertPublisher
   ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
   ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
   ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=userCertificate;binary
   ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=LdapUserCertPublisher
   ca.publish.rule.impl.Rule.class=com.netscape.certsrv.ldap.LdapRule

   ca.publish.rule.instance.LdapCaCertRule.enable=true
   ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap
   ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule
   ca.publish.rule.instance.LdapCaCertRule.predicate=
   ca.publish.rule.instance.LdapCaCertRule.publisher=LdapCaCertPublisher
   ca.publish.rule.instance.LdapCaCertRule.type=ca

   ca.publish.rule.instance.LdapCrlRule.enable=true
   ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
   ca.publish.rule.instance.LdapCrlRule.pluginName=Rule
   ca.publish.rule.instance.LdapCrlRule.predicate=
   ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
   ca.publish.rule.instance.LdapCrlRule.type=crl

   ca.publish.rule.instance.LdapObjSignCertRule.enable=true
   ca.publish.rule.instance.LdapObjSignCertRule.mapper=LdapUserCertMap
   ca.publish.rule.instance.LdapObjSignCertRule.pluginName=Rule
   ca.publish.rule.instance.LdapObjSignCertRule.predicate=
   ca.publish.rule.instance.LdapObjSignCertRule.publisher=LdapUserCertPublisher
   ca.publish.rule.instance.LdapObjSignCertRule.type=objSignClient

   ca.publish.rule.instance.LdapUserCertRule.enable=true
   ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap
   ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule
   ca.publish.rule.instance.LdapUserCertRule.predicate=
   ca.publish.rule.instance.LdapUserCertRule.publisher=LdapUserCertPublisher
   ca.publish.rule.instance.LdapUserCertRule.type=client

   ca.signing.cacertnickname=caSigningCert cert-testCA
   ca.signing.defaultSigningAlgorithm=MD5withRSA
   ca.signing.tokenname=Internal Key Storage Token
   cms.version=4.22

   dbs.ldap=internaldb
   dbs.newSchemaEntryAdded=true
   dbs.nextSerialNumber=1

eeGateway._000=##
eeGateway._001=## End Entity Gateway
eeGateway._002=##

   eeGateway.authority=ca
   eeGateway.docRoot=/usr/netscape/cert-testCA/web/ee
   eeGateway.dynamicVariables=serverdate=serverdate(),subsystemname=subsystemname(),http=http()
   eeGateway.enableConnector=true
   eeGateway.keepAliveOn=true
   eeGateway.mimeTypeConf=/usr/netscape/cert-testCA/config/mime.types
   eeGateway.numServices=2
   eeGateway.service0=http
   eeGateway.service1=https
   eeGateway.http.backlog=15
   eeGateway.http.enable=true
   eeGateway.http.port=4603
   eeGateway.http.type=http
   eeGateway.https.backlog=15
   eeGateway.https.nickName=Server-Cert cert-testCA
   eeGateway.https.port=4604
   eeGateway.https.type=https

internaldb._000=##
internaldb._001=## Internal Database
internaldb._002=##

   internaldb.maxConns=15
   internaldb.minConns=3
   internaldb.ldapauth.authtype=BasicAuth
   internaldb.ldapauth.bindDN=cn=Directory Manager
   internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
   internaldb.ldapconn.host=testCA.siroe.com
   internaldb.ldapconn.port=3602
   internaldb.ldapconn.secureConn=false

jobsScheduler._000=##
jobsScheduler._001=## jobScheduler
jobsScheduler._002=##

   jobsScheduler.enabled=false
   jobsScheduler.interval=1
   jobsScheduler.impl.RenewalNotificationJob.class=com.netscape.certsrv.jobs.RenewalNotificationJob
   jobsScheduler.impl.RequestInQueueJob.class=com.netscape.certsrv.jobs.RequestInQueueJob
   jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.certsrv.jobs.UnpublishExpiredJob
   jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
   jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
   jobsScheduler.job.certRenewalNotifier.emailTemplate=/usr/netscape/cert-testCA/emails/rnJob1.txt
   jobsScheduler.job.certRenewalNotifier.enabled=false
   jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
   jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
   jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
   jobsScheduler.job.certRenewalNotifier.senderEmail=
   jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
   jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=/usr/netscape/cert-testCA/emails/rnJob1Summary.txt
   jobsScheduler.job.certRenewalNotifier.summary.enabled=true
   jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=/usr/netscape/cert-testCA/emails/rnJob1Item.txt
   jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
   jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
   jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
   jobsScheduler.job.requestInQueueNotifier.enabled=false
   jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
   jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
   jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
   jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=/usr/netscape/cert-testCA/emails/riq1Summary.html
   jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
   jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
   jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
   jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
   jobsScheduler.job.unpublishExpiredCerts.enabled=false
   jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
   jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certs Unpublished Summary
   jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=/usr/netscape/cert-testCA/emails/euJob1.html
   jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
   jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=/usr/netscape/cert-testCA/emails/euJob1Item.html
   jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
   jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=

jss._000=##
jss._001=## JSS
jss._002=##

   jss.certdb=/usr/netscape/cert-testCA/config/cert7.db
   jss.enable=true
   jss.keydb=/usr/netscape/cert-testCA/config/key3.db
   jss.moddb=/usr/netscape/admin-serv/config/secmodule.db
   jss.ssl.cipherfortezza=true
   jss.ssl.cipherpref=
   jss.ssl.cipherversion=cipherdomestic

logAudit._000=##
logAudit._001=## Logging
logAudit._002=##
log.Error._000=##
log.Error._001=## Logging
log.Error._002=##
log.System._000=##
log.System._001=## Logging
log.System._002=##

   log.impl.NTEventLog.class=com.netscape.certsrv.logging.NTEventLog
   log.impl.file.class=com.netscape.certsrv.logging.RollingLogFile

   log.instance.Audit.bufferSize=512
   log.instance.Audit.enable=true
   log.instance.Audit.expirationTime=2592000
   log.instance.Audit.fileName=/usr/netscape/cert-testCA/logs/audit
   log.instance.Audit.flushInterval=5
   log.instance.Audit.level=1
   log.instance.Audit.maxFileSize=100
   log.instance.Audit.pluginName=file
   log.instance.Audit.rolloverInterval=2592000
   log.instance.Audit.type=audit

   log.instance.Error.bufferSize=512
   log.instance.Error.enable=true
   log.instance.Error.expirationTime=2592000
   log.instance.Error.fileName=/usr/netscape/cert-testCA/logs/error
   log.instance.Error.flushInterval=5
   log.instance.Error.level=3
   log.instance.Error.maxFileSize=100
   log.instance.Error.pluginName=file
   log.instance.Error.rolloverInterval=2592000
   log.instance.Error.type=system

   log.instance.NTAudit.NTEventSourceName=cert-testCA
   log.instance.NTAudit.enable=true
   log.instance.NTAudit.level=1
   log.instance.NTAudit.pluginName=NTEventLog
   log.instance.NTAudit.type=audit

   log.instance.NTSystem.NTEventSourceName=cert-testCA
   log.instance.NTSystem.enable=true
   log.instance.NTSystem.level=2
   log.instance.NTSystem.pluginName=NTEventLog
   log.instance.NTSystem.type=system

   log.instance.System.bufferSize=512
   log.instance.System.enable=true
   log.instance.System.expirationTime=2592000
   log.instance.System.fileName=/usr/netscape/cert-testCA/logs/system
   log.instance.System.flushInterval=5
   log.instance.System.level=3
   log.instance.System.maxFileSize=100
   log.instance.System.pluginName=file
   log.instance.System.rolloverInterval=2592000
   log.instance.System.type=system

   oidmap.auth_info_access.class=com.netscape.certsrv.cert.AuthInfoAccessExtension
   oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1
   oidmap.challenge_password.class=com.netscape.certsrv.cmsgateway.cert.crs.ChallengePassword
   oidmap.challenge_password.oid=1.2.840.113549.1.9.7
   oidmap.extended_key_usage.class=com.netscape.certsrv.cert.ExtendedKeyUsageExtension
   oidmap.extended_key_usage.oid=2.5.29.37
   oidmap.extensions_requested_pkcs9.class=com.netscape.certsrv.cmsgateway.cert.crs.ExtensionsRequested
   oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14
   oidmap.extensions_requested_vsgn.class=com.netscape.certsrv.cmsgateway.cert.crs.ExtensionsRequested
   oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8
   oidmap.netscape_comment.class=netscape.security.x509.NSCCommentExtension
   oidmap.netscape_comment.oid=2.16.840.1.113730.1.13
   oidmap.ocsp_no_check.class=com.netscape.certsrv.cert.OCSPNoCheckExtension
   oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5

   os.serverName=cert-testCA
   os.userid=nobody

radm._000=##
radm._001=## Remote Admin
radm._002=##

   radm.keepAliveOn=true
   radm.mimeTypeConf=/usr/netscape/cert-testCA/config/mime.types
   radm.numServices=1
   radm.service0=https
   radm.https.backlog=15
   radm.https.maxThreads=10
   radm.https.minThreads=3
   radm.https.nickName=Server-Cert cert-testCA
   radm.https.port=4606
   radm.https.timeout=0
   radm.https.type=https

   smtp.host=localhost
   smtp.port=25

subsystem._000=##
subsystem._001=## Loadable Subsystems
subsystem._002=##

   subsystem.0.class=com.netscape.certsrv.ca.CertificateAuthority
   subsystem.0.id=ca
   subsystem.1.class=com.netscape.certsrv.cmsgateway.EEGateway
   subsystem.1.id=eeGateway

usrgrp._000=##
usrgrp._001=## User/Group
usrgrp._002=##

   usrgrp.ldap=internaldb

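The following Python script is an added example, not code from this guide or from Certificate Management System. It parses the key=value layout used in the listing above, skipping the section._NNN=## banner lines, and flags the defaults in a constructed fragment of that listing that a hardening review would question (MD5withRSA signing, secureConn=false to the internal directory, plain HTTP on the end-entity gateway, the CA signing key in the internal software token). Reading secureConn as the SSL switch for the internal-directory connection is an assumption based on the key name.

```python
"""Audit a CMS.cfg fragment for settings a hardening review would question.

Added example; not code from the iPlanet guide or the CMS product. SAMPLE_CFG
is constructed from the listing in this chapter (indentation as printed there).
"""
from __future__ import annotations

SAMPLE_CFG = """\
   ca.signing.defaultSigningAlgorithm=MD5withRSA
   ca.signing.tokenname=Internal Key Storage Token
eeGateway._000=##
eeGateway._001=## End Entity Gateway
   eeGateway.http.enable=true
   internaldb.ldapauth.bindDN=cn=Directory Manager
   internaldb.ldapconn.secureConn=false
   log.instance.Audit.enable=true
   os.userid=nobody
"""

# Signature algorithms built on digests with known collision weaknesses.
WEAK_SIGNING = {"MD2withRSA", "MD5withRSA"}


def parse_cms_cfg(text: str) -> dict[str, str]:
    """Parse CMS.cfg key=value lines into a dict.

    Values may contain '=' (bindDN=cn=Directory Manager), so split on the
    first '=' only. Keys ending in ._NNN hold the '##' banner comments.
    """
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed CMS.cfg line: {raw!r}")
        tail = key.rsplit(".", 1)[-1]
        if tail.startswith("_") and tail[1:].isdigit():
            continue  # banner comment, not a setting
        cfg[key] = value
    return cfg


def audit(cfg: dict[str, str]) -> list[str]:
    """Return one finding per weak setting present in cfg (empty if none)."""
    findings: list[str] = []
    alg = cfg.get("ca.signing.defaultSigningAlgorithm", "")
    if alg in WEAK_SIGNING:
        findings.append(f"ca.signing.defaultSigningAlgorithm={alg}: collision-prone digest")
    # Assumption: secureConn governs SSL on the internal-directory connection.
    if cfg.get("internaldb.ldapconn.secureConn", "").lower() == "false":
        findings.append("internaldb.ldapconn.secureConn=false: Directory Manager bind goes over cleartext LDAP")
    if cfg.get("eeGateway.http.enable", "").lower() == "true":
        findings.append("eeGateway.http.enable=true: end-entity gateway also serves plain HTTP")
    if cfg.get("ca.signing.tokenname") == "Internal Key Storage Token":
        findings.append("ca.signing.tokenname: CA signing key is in the software token, not a hardware token")
    if cfg.get("log.instance.Audit.enable", "").lower() != "true":
        findings.append("log.instance.Audit.enable: audit log is not enabled")
    if cfg.get("os.userid", "") in ("", "root"):
        findings.append("os.userid: server does not run as an unprivileged user")
    return findings
```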


Road Map to Configuring Subsystems



This section outlines how to configure an instance of Certificate Management System and indicates where to find the information required to accomplish the task.


Step 1. Check Which Subsystems are Installed in the Instance

Log in to the CMS window for the CMS instance you installed, and check the navigation tree to see which subsystems are installed in that instance; this way you will know the subsystems you should configure. To log in to the CMS window, see Logging In to the CMS Window.


Step 2. Check the Port Numbers

Check the port numbers assigned for administration, agent, and end-entity operations. Make the appropriate modifications, if necessary. Keep in mind that all subsystems installed in an instance use the same ports, but can be configured to listen on different IP addresses. For instructions, see Configuring Port Numbers.


Step 3. Verify Key Pair and Certificates

When you install a CMS instance, the server prompts you to create the certificates required for the subsystems in that instance to function. You should check the certificates used by each subsystem, and determine if you need to get additional certificates, use hardware tokens, and so on.

  • Each subsystem in an instance has a set of certificates that it uses for specific purposes. Understand how and when the subsystem uses its certificates. For details, see Keys and Certificates for the Main Subsystems.

  • Determine if you want to generate any new certificates. For example, if you have two subsystems installed in an instance, you may want them to use separate SSL server certificates; by default, there's only one SSL server certificate per instance. For details, see Getting New Certificates for the Subsystems.

  • Determine if you want to use hardware tokens for generating and storing these certificates. If required, install new hardware tokens. For details, see Tokens for Storing CMS Keys and Certificates.

  • Determine if you want to renew any of the existing certificates. For example, if you have issued certificates with very short validity periods, you might want to renew them. For details, see Renewing Certificates for the Subsystems.

  • Check the certificate database to see which CA certificates are trusted. Delete any unwanted CA certificates, change the trust settings of CA certificates that you don't want to trust to untrusted, and install any new CA certificate or certificate chains. For details, see Managing the Certificate Database.


Step 4. Set up Privileged Users

Set up required administrators and agents. This way you can delegate administration and agent tasks to other individuals. For details, see Setting Up Privileged Users.

If you have installed remote Registration Managers that have certificates signed by third-party CAs (that is, not by a Certificate Manager), you should add their certificates to the Certificate Manager's database to facilitate SSL client authenticated communication. For details, see Setting Up Trusted Managers.


Step 5. Customize End-Entity and Agent Forms

End entities can interact with the Certificate Manager and Registration Manager with the help of end-entity forms; end entities cannot interact with the Data Recovery Manager. Similarly, agents can interact with the appropriate subsystem using the agent forms. Certificate Management System provides HTML forms-based interfaces for end entities and agents out of the box. For details, see CMS Customization Guide.

Determine which forms you want to use for end-entity enrollment and whether they require any customization. You may also use your own forms for this purpose, provided you add the required JavaScript.

When customizing end-entity forms, keep in mind the authentication method—manual or automated—you want to employ for your end entities.


Step 6. Set up Authentication for End Users

Depending on how you've deployed Certificate Management System, you may need to do this for a Certificate Manager or Registration Manager, or for both. For example, you may have a PKI setup in which Registration Managers act as front ends to Certificate Managers—that is, end entities interact with Registration Managers only; they do not interact with the Certificate Manager.

Determine which of the authentication plug-in modules is suitable for your users, and then configure the Certificate Manager or Registration Manager to use that authentication method; see Configuring Authentication for End-User Enrollment.


Step 7. Enable Event-Driven Notifications

You can also configure both the Certificate Manager and the Registration Manager to send email notifications automatically to end entities, agents, or administrators when certain events occur. Unlike jobs, which run on a preconfigured schedule, these notifications are event-driven: whenever an event occurs, the server notifies the user. Notifiable events include certificate issuance and pending requests in an agent queue.

Decide if you want to turn on any of the notifications. For details, see Configuring a Subsystem to Send Notifications.


Step 8. Schedule Jobs

Each CMS instance includes a Job Scheduler component that can execute specific jobs at specified times. The Job Scheduler functions similarly to a traditional Unix cron daemon in that it takes registered cron jobs and executes them at a preconfigured date and time.

During installation, a few jobs are already created and enabled. Jobs that you might want to schedule include email notifications of timed events (such as the expiration of a certificate) that require action on the part of users, and periodic activities such as removing expired certificates from the publishing directory. For scheduling jobs, follow the instructions in Configuring a Subsystem to Run Automated Jobs.


Step 9. Set up Policies

Each subsystem in a CMS instance has its own policy processor. If you have installed more than one subsystem in an instance, you should apply the instructions in this section to each subsystem. That is, you should configure the Certificate Manager and Registration Manager for certificate formulation, issuance, renewal, and revocation policies. Similarly, configure the Data Recovery Manager for key archival and recovery policies. To understand policy, see Introduction to Policy.

  1. During installation, a few policy rules are already created and enabled. Check each policy rule and decide whether you want to use it. If you don't, you can either disable it or delete it altogether from the configuration. For those rules that you want to use, check the configuration parameter values and make changes as appropriate.

  2. Determine if you want to add any new policy rules. Check the built-in policy plug-in modules to see if they can be used to create the rules you want. You can also plug your own modules into the CMS framework and use them.

  3. Add new rules, if required.

For instructions to do all of the above tasks, see Configuring Policy Rules for a Subsystem.


Step 10. Set up Publishing

This step is optional, and is applicable to the Certificate Manager only—you need to do this only if you want the Certificate Manager to publish certificates and CRLs to any of the supported repositories.


Step 11. Set up Key Archival and Recovery

If you have installed the Data Recovery Manager, follow the instructions in Configuring Key Archival and Recovery Process and set up archival and recovery for end users' encryption private keys.


Step 12. Set up Logging

Each instance of Certificate Management System maintains extensive audit, error, and system logs. By looking at these logs, you can monitor a server's activities. Also, by configuring these logs, you can control the information that gets written to the log files. Because Certificate Management System maintains the log files in the file system of the host machine, it is important that you configure the logs appropriately (so that the host machine doesn't get overloaded). Be sure to read Introduction to Logs; that chapter will help you decide on a log configuration.

Once you have decided on the configuration for the server logs, follow the information in Configuring CMS Logs and configure all three logs. Then start monitoring the server's activities as explained in Monitoring CMS Logs.


Step 13. Plan for Backing up CMS Configuration and Data

It is good practice to periodically back up the CMS data onto backup media, so that you can restore it in the event of data loss. For details, see Chapter 6, "Backing Up and Restoring Data," of the CMS Command-Line Tools Guide.


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated October 07, 2002