iPlanet Certificate Management System Installation and Setup Guide



Chapter 11   Setting Up Ports


Subsystems installed in an instance of iPlanet Certificate Management Server (CMS) share certain configuration information. For example, they use the same administration, agent, and end-entity ports; internal database for data storage; mail server for automated notifications; internal token and trust database for PKI operations; SSL ciphers during SSL negotiation; privileged users; and log files to log messages to. This chapter explains how to configure the ports for a CMS instance.

The chapter has the following sections:

  • CMS Ports

  • Configuring Port Numbers


CMS Ports

Certificate Management System listens on separate ports for requests from different kinds of users. As illustrated in Figure 11-1, it listens on the administration port, the agent port, and the end-entity ports.

Figure 11-1    CMS ports for administration, agent, and end-entity operations


When choosing ports for Certificate Management System, be sure to choose ports that are unique on the host system; that is, no other application can be using, or attempting to use, the port numbers you assign to Certificate Management System. To verify that a port is available, check two things: the list of ports registered to services on your operating system (on Unix, the file named services, usually /etc/services), and the ports that are actually in use on the host at that moment, since a program can be listening on a port that the services file does not list. (On Unix, if you are not running as root or superuser when you install or start the server, you must use a port number higher than 1024; ports below 1024 are reserved to root.)
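The following shell script is an added example, not part of the product or of this guide, that applies those checks to a proposed set of CMS listener ports before you type them into the CMS window. It assumes the NAME=PORT argument convention shown in the demonstration, takes the path of the services file and the uid the server will run under as explicit arguments, and uses ss or netstat (whichever the host has) only for the optional live-listener check.

```shell
#!/bin/sh
# cms_port_check.sh - sanity-check a proposed set of CMS listener ports
# (added example; not part of the iPlanet CMS distribution).
#
# For each NAME=PORT argument, check_cms_ports verifies that:
#   * the value is an integer in 1..65535;
#   * it is not a privileged port (below 1024) unless the server runs as root;
#   * no two CMS listeners (admin, agent, end-entity HTTP/HTTPS) share a port;
#   * the port is not registered to another service in the services file.
# It does not look at live sockets; use port_is_listening for that.

# port_in_services PORT FILE -> 0 if PORT/tcp or PORT/udp is registered in FILE
port_in_services() {
    grep -Eq "^[^#[:space:]]+[[:space:]]+$1/(tcp|udp)([[:space:]]|\$)" "$2"
}

# port_is_listening PORT -> 0 if something on this host already listens on PORT/tcp.
# Best effort: uses ss or netstat, whichever exists; returns 2 if neither is available.
port_is_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$1\$"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -an 2>/dev/null | awk '$NF ~ /LISTEN/ {print $4}' | grep -Eq "[:.]$1\$"
    else
        return 2
    fi
}

# check_cms_ports SERVICES_FILE UID NAME=PORT ... -> 0 if every port passes,
# 1 otherwise (one diagnostic line per problem)
check_cms_ports() {
    services=$1 uid=$2
    shift 2
    rc=0
    seen=" "
    for spec in "$@"; do
        name=${spec%%=*}
        port=${spec#*=}
        case $port in
            ''|*[!0-9]*) echo "$name: '$port' is not a port number"; rc=1; continue ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "$name: $port is outside 1..65535"; rc=1; continue
        fi
        if [ "$port" -lt 1024 ] && [ "$uid" -ne 0 ]; then
            echo "$name: $port is a privileged port and the server will not run as root"; rc=1
        fi
        case $seen in
            *" $port "*) echo "$name: $port is already assigned to another CMS listener"; rc=1 ;;
        esac
        seen="$seen$port "
        if [ -r "$services" ] && port_in_services "$port" "$services"; then
            echo "$name: $port is registered to another service in $services"; rc=1
        fi
    done
    return $rc
}

# Demonstration on a constructed services file (the real one is /etc/services):
# 5900 is rejected because the constructed file registers it to vnc-server.
demo=$(mktemp)
printf 'https\t\t443/tcp\nldap\t\t389/tcp\nvnc-server\t5900/tcp\t# constructed entries\n' > "$demo"
check_cms_ports "$demo" "$(id -u)" admin=8100 agent=8443 ee_http=8080 ee_https=5900 \
    || echo "proposed port set rejected; choose different ports"
rm -f "$demo"
```

Run it with the real services file and the uid the server starts under, for example `check_cms_ports /etc/services "$(id -u)" admin=8100 agent=8443 ee_http=8080 ee_https=9443`, and follow up with `port_is_listening 8443` for each accepted port, since the services file only says what a port is reserved for, not whether something is bound to it right now.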


Remote Administration Port

The administration port is an SSL (encrypted) port at which Certificate Management System listens to requests from its administration interface; administrators make these requests from the CMS window. When you install Certificate Management System, it assigns a random number (greater than 1024) as the administration port number. You can change this port number at any time, to any number between 1 and 65535 that is unique on the host (subject to the restriction on ports below 1024 noted above). Changing the administration port number periodically makes the port slightly harder to find, but a port scan reveals it immediately; treat it as a minor measure, and restrict which hosts can reach the administration port (for example, with a packet filter) rather than relying on the port number for security.


Agent Port

The agent port is an SSL (encrypted) port at which Certificate Management System listens to requests from agents; agents make these requests from the appropriate Agent Services interface.

  • The Certificate Manager and Registration Manager agents use the agent port to process certificate issuance and management requests from end entities and to perform certain other privileged operations over HTTPS.

  • Data Recovery Manager agents use the agent port for recovering end users' encryption private keys over HTTPS.

Agent functions always require SSL client authentication. For a brief list of supported agent operations, see Agent Services Interface.

When you install Certificate Management System, it assigns a random number (greater than 1024) as the agent port number and prompts you to change it, if necessary; the port number can be any number between 1 and 65535. The number you choose for the agent port affects your agent users—all agents access Certificate Management System by specifying the name of the server (the CMS instance) and the agent port number in the URL. For example, if you choose port number 4430, the URL would look like this:

https://<hostname>:4430/<subsystem>

<hostname> is in the form <machine_name>.<your_domain>.<domain>

<subsystem> is a prefix identifying the subsystem that hosts the agent interface: ca for the Certificate Manager, ra for the Registration Manager, kra for the Data Recovery Manager, and ocsp for the Online Certificate Status Manager.

For example, the URL to the agent interface of a Certificate Manager whose agent port is 5600 would look like this: https://demoCA.siroe.com:5600/ca

If you change the agent port number, be sure to inform your agent users.


End-Entity Ports

For requests from end entities, Certificate Management System can listen to two ports, an SSL (encrypted) port and a non-SSL port. End entities make these requests from the end entity services interface; see End-Entity Services Interface.

Certificate Management System provides the following services through the HTTP and HTTPS ports:

  • The HTTP port can be used to service end-entity-initiated PKI requests, such as enrollment, renewal, and revocation; enrollment requests can include requests from Cisco routers (using the CEP protocol). You have the choice of keeping this port enabled or disabled.

  • The HTTPS port can be used to provide the following services for enforcing data privacy and client authentication:

    • End-entity-initiated PKI requests, such as enrollment, renewal, and revocation.

    • General certificate retrieval requests, such as retrieving a single certificate identified by a serial number, listing certificates based on certain criteria (for example, an LDAP search filter defined over standard attributes), and getting a CA's certificate chain.

    Like the HTTP port, the HTTPS port can be enabled or disabled. For example, if you don't want end-entity interaction with a Certificate Manager, you can disable the HTTPS port. For details, see Step 6. Enable End-Entity Interaction.



Configuring Port Numbers

Configuring port numbers for a CMS instance involves two steps:

  • Step 1. Specify the Port Number

  • Step 2. Specify IP Addresses (optional)

Step 1. Specify the Port Number

To change the administration, agent, or end-entity port numbers used by a CMS instance:

  1. Log in to the CMS window (see Logging In to the CMS Window).

  2. Select the Configuration tab.

    The Network tab appears.

  3. To change the administration port number, enter the port number in the Administration section:

    SSL port. Type a TCP/IP port number. Certificate Management System uses this port for SSL-enabled communications with the CMS window—that is, HTTPS requests from administrators. Make sure the port number you specify is unique on the host system.

    Backlog. Type the number of connections that can be waiting to be serviced at the administration port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.

    To change the agent port number, enter the port number in the Agent section:

    SSL port. Type a TCP/IP port number. Certificate Management System uses this port for SSL-enabled communications with the Agent Services interface—that is, HTTPS requests from agents. Make sure the port number you specify is unique on the host system.

    Backlog. Type the number of connections that can be waiting to be serviced at the agent port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.

  4. To change the end-entity port numbers, enter the port numbers in the End Entity section.

    Certificate Management System can handle SSL and non-SSL communications with end entities at the same time, on two separate ports. This means that you do not have to choose between SSL and non-SSL communications; you can use both. If you prefer, you can disable the non-SSL port by unchecking the Enable option.

    Port. Type a TCP/IP port number that is unique on the host system. Certificate Management System uses this port for non-SSL communications with the end entity services interface.

    This port is provided to allow enrollments of end entities that do not support SSL; for example, HTTP requests from end entities such as routers. You can use the Enable check box to turn this port on or off. Keep in mind that if this port is enabled, end entities will be able to enroll over HTTP too, which means their certificate requests and the server's responses travel in clear text and can be read, altered, or replayed by anyone on the network path. Leave the port disabled unless you need it for CEP enrollment or OCSP service.

    If the CMS instance includes a Certificate Manager and if the Certificate Manager is configured to service OCSP requests from OCSP-compliant clients, then this port must be enabled so that OCSP-compliant clients can successfully query the Certificate Manager for the revocation status of a certificate. For details, see Setting Up a Certificate Manager with OCSP Service.

    Backlog. Type the number of connections that can be waiting to be serviced at the end entity HTTP port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.

    Enable. This check box allows you to enable or disable the HTTP port. Uncheck the option if you want to disable the port.

    For issuing certificates to routers (using the CEP protocol), the port must be enabled. For details, see Chapter 25 "Setting Up CEP Enrollment."

    SSL port. Type a TCP/IP port number. Certificate Management System uses this port for SSL-enabled communications with the end entity services interface (that is, HTTPS requests from end entities during certificate enrollment, renewal, and revocation). Make sure the port number you specify is unique on the host system.

    If you don't want end-entity interaction with a subsystem, for example, if you don't want end entities to interact with a Certificate Manager, you can disable this port too (in addition to the HTTP port). See Step 6. Enable End-Entity Interaction.

    Backlog. Type the number of connections that can be waiting to be serviced at the end-entity HTTPS port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.

  5. To save your changes, click Save.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.


Step 2. Specify IP Addresses

This step is optional.

You can configure CMS instances to listen to specific IP addresses. For example, you can install the Certificate Manager and Data Recovery Manager on a single host, in separate instances, and then configure the instances so that the Certificate Manager is served on one IP address and the Data Recovery Manager is served on another address.

For example, suppose the machine that hosts the Certificate Manager and Data Recovery Manager has two network interfaces with the IP addresses 197.1.137.97 and 197.1.137.98. You can set up the Certificate Manager to listen on port 443 at the address 197.1.137.97 and the Data Recovery Manager to listen on port 443 at the address 197.1.137.98. (Port 443 is a privileged port, so on Unix both instances must then be started as root; otherwise choose a port higher than 1024, as described in CMS Ports.)

To configure a CMS instance to listen to specific IP addresses:

  1. Stop the CMS instance; see Stopping Certificate Management System.

  2. Open the configuration file in a text editor; to locate the file, see Locating the Configuration File.

  3. Add one or more of the following as appropriate:

    • For remote administration port, add this line: radm.https.host=

    • For agent port, add this line: agentGateway.https.host=

    • For end-entity HTTPS port, add this line: eeGateway.https.host=

    • For end-entity HTTP port, add this line: eeGateway.http.host=

  4. Add the IP address or the host name or interface name as the value for the parameter you just added. For example,

    • If you entered an IP address as the value, the parameter would look similar to this: radm.https.host=197.1.137.98

    • If you entered the host name as the value, the parameter would look similar to this: radm.https.host=cert.siroe.com

  5. Repeat step 4 for each parameter you added in step 3.

  6. Save your changes, and close the configuration file.

  7. Start the CMS instance; see Starting Certificate Management System.
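The following shell script is an added example, not part of the product or of this guide, that performs steps 2 through 6 of the procedure above without hand-editing: it sets the four host parameters named in step 3 in a configuration file, replacing an existing value or appending the line if it is absent, after keeping a backup copy. It assumes the instance is already stopped (step 1) and will be started again afterwards (step 7), that the file uses one key=value pair per line as the procedure implies, and that the address is an IPv4 address, host name, or interface name; the file path is whatever "Locating the Configuration File" gives for your instance.

```shell
#!/bin/sh
# cms_bind_addr.sh - bind a CMS instance's listeners to one address by editing
# its configuration file (added example; not part of the iPlanet CMS distribution).
# Assumes the instance is stopped before and started after running this.

# cms_get_param FILE KEY -> prints the value of KEY (empty if absent)
cms_get_param() {
    awk -v k="$2" 'BEGIN { FS = "=" } $1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# cms_set_param FILE KEY VALUE -> replaces KEY=... in place or appends it;
# keeps the original as FILE.bak the first time it touches the file
cms_set_param() {
    file=$1 key=$2 value=$3
    [ -f "$file.bak" ] || cp -p "$file" "$file.bak"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { FS = "="; done = 0 }
        $1 == k { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# valid_bind_addr VALUE -> 0 for a dotted-quad IPv4 address (each octet 0..255)
# or a host/interface name made of letters, digits, hyphens and dots
valid_bind_addr() {
    case $1 in
        *[!0-9.]*)
            echo "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$' ;;
        *)
            echo "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }' ;;
    esac
}

# cms_bind_listeners FILE ADDR [KEY ...] -> binds the named listeners to ADDR;
# with no KEY arguments it binds all four listeners the procedure lists
cms_bind_listeners() {
    file=$1 addr=$2
    shift 2
    valid_bind_addr "$addr" || { echo "refusing to bind to '$addr'" >&2; return 1; }
    [ $# -gt 0 ] || set -- radm.https.host agentGateway.https.host eeGateway.https.host eeGateway.http.host
    for key in "$@"; do
        cms_set_param "$file" "$key" "$addr"
    done
}

# Demonstration on a constructed fragment (a real configuration file has many more lines):
# the existing radm.https.host line is rewritten, the other three are appended.
cfg=$(mktemp)
printf '# constructed fragment\nradm.https.host=cert.siroe.com\n' > "$cfg"
cms_bind_listeners "$cfg" 197.1.137.97
cat "$cfg"
rm -f "$cfg" "$cfg.bak"
```

To split the two instances of the example above, run `cms_bind_listeners <CA config file> 197.1.137.97` and `cms_bind_listeners <DRM config file> 197.1.137.98`, then start each instance. After binding, the host name that agents and end entities put in their URLs must resolve to the bound address, and the listener no longer answers on the host's other addresses, so check connectivity from a client on the intended network before telling users the new URL.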


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated October 07, 2002