iPlanet Certificate Management System Customization Guide
Chapter 2 Introduction to End-Entity Services Interface
The services interfaces that come with iPlanet Certificate Management Server (CMS) make it possible for end-entities to interact with the server. Your end-entities can use the interface's HTML-based forms to carry out various certificate and key-related operations, such as enrolling for, renewing, and revoking certificates.
You can use the default forms as they are, customize them, or develop your own forms to suit your organization's policies or terminology. This chapter explains the default forms and templates used by the end-entity interface.
The chapter has the following sections:
End-Entity Services Interface
End-Entity Services Interface
Certificate Management System provides HTML forms for the various entities (people, routers, servers, and others) that use certificates to identify themselves and that need to be able to request certificate issuance and management operations. These forms, collectively called the End-Entity Services interface, use different protocols and life-cycle management procedures for different kinds of end entities. For example, the Certificate Manager provides separate certificate enrollment forms for clients such as Netscape Navigator 3.x, versions of Netscape Communicator later than 4.5, and Microsoft Internet Explorer. The reason for this is that end entities running Navigator 3.x and Communicator versions earlier than 4.5 present an enrollment form based on the use of the HTML tag KEYGEN to generate keys; end entities running Internet Explorer present a form based on PKCS #10, the RSA standard for certificate request syntax.
Figure 2-1 shows the end-entity services interface hosted by a Certificate Manager.
Figure 2-1    End-entity services interface
For a summary of the various end entities, protocols, cryptographic algorithms, and key pairs (single or dual) supported by Certificate Management System, see Table 2-1.
For a complete list of the end-entity forms (for enrollment, renewal, retrieval, revocation, and key recovery) that come with Certificate Management System, see End-Entity Forms and Templates.
How Client Type Determines the End-Entity Interface
Each type of end-entity form provided by Certificate Management System is served by a servlet. This servlet determines which version of the form to present based on information about the end entity (the type, version, language, and so on), information in the form itself, and other factors.
Each form also specifies both an authentication manager and an output template:
An authentication manager is a configured instance of an authentication plug-in module. When Certificate Management System receives a request from an end entity, it uses the authentication manager specified by the request to determine how to authenticate the end entity. For more information, see Chapter 15, "Setting Up End-User Authentication" in CMS Installation and Setup Guide.
The output template is an HTML page with embedded JavaScript used to return information from the end entity to the servlet. For more information, see Responses and Output Templates. Based on all the information, a form's servlet sends the end entity the version of the form (including the embedded JavaScript code) appropriate for that end entity. For example, in the case of end entities that support the KEYGEN tag, the Certificate Manager or Registration Manager sends a form that uses KEYGEN to generate keys and formulate a certificate request. In the case of end entities that support the Certificate Management Message Format (CMMF) protocol, the Certificate Manager or Registration Manager sends a form that uses a JavaScript API to fully automate both key generation and certificate issuance.
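The client-type dispatch described above, as an added illustration that is not iPlanet CMS code: a small resolver that maps a browser's User-Agent string to the form variant (KEYGEN, CMMF, or PKCS #10) and to an output template name. The template file names are hypothetical, and treating Communicator 4.5 and later as the CMMF client is an assumption; Internet Explorer and unrecognised clients fall back to the PKCS #10 form, which assumes no browser-side key generation.

```javascript
// Added example, not part of the iPlanet CMS product. Template file names are
// hypothetical placeholders; the mapping of Communicator >= 4.5 to the CMMF
// (JavaScript API) form is an assumption drawn from the chapter's description.
const FORM_VARIANTS = {
  KEYGEN: "enroll_keygen.html",  // Navigator 3.x, Communicator earlier than 4.5
  CMMF:   "enroll_cmmf.html",    // Communicator 4.5 and later (assumed)
  PKCS10: "enroll_pkcs10.html",  // Internet Explorer and any unrecognised client
};

// Parse a classic "Mozilla/4.7 [en] (...)" style User-Agent string.
// Returns { product, version } or null when the string is not recognised.
function parseUserAgent(ua) {
  if (typeof ua !== "string") return null;
  // Internet Explorer also announces itself as "Mozilla/4.0 (compatible; MSIE ...)",
  // so the MSIE token must be checked before the Mozilla version is trusted.
  if (/\bMSIE\s*\d/.test(ua)) return { product: "MSIE", version: 0 };
  const m = /^Mozilla\/(\d+(?:\.\d+)?)/.exec(ua);
  if (m === null) return null;
  return { product: "Mozilla", version: parseFloat(m[1]) };
}

// Decide which enrollment form variant to serve, defaulting to PKCS #10
// whenever the client cannot be identified with confidence.
function selectFormVariant(ua) {
  const client = parseUserAgent(ua);
  if (client === null || client.product === "MSIE") return "PKCS10";
  // parseFloat keeps "4.05" below "4.5", which a major/minor split would not.
  if (client.version < 4.5) return "KEYGEN";
  return "CMMF";
}

// Resolve the output template file for a client (hypothetical names).
function selectOutputTemplate(ua) {
  return FORM_VARIANTS[selectFormVariant(ua)];
}

// Constructed sample User-Agent strings, one per client family.
const SAMPLE_AGENTS = [
  "Mozilla/3.01 (X11; I; SunOS 5.6 sun4u)",
  "Mozilla/4.05 [en] (WinNT; I)",
  "Mozilla/4.7 [en] (X11; U; Linux 2.2.12 i686)",
  "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
];
for (const ua of SAMPLE_AGENTS) {
  console.log(`${selectFormVariant(ua).padEnd(6)} <- ${ua}`);
}
```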
Certificate Request Formats Specific to End Entities
Table 2-1 lists the forms provided by the Certificate Manager and Registration Manager for certificate issuance and life-cycle management operations, and indicates supported authentication mechanisms and request formats. You can customize any of the default forms and their corresponding servlets and output templates. For details, see Chapter 3 "End-Entity Interface Reference."
Table 2-1    Summary of end-entity forms, authentication methods and certificate request formats (columns: Form for end-entity operation; Authentication method; Supported certificate request formats; the table rows are not reproduced on this page)
Accessing the End-Entity Services Interface
By default, access to the end-entity services interface of a Certificate Manager or Registration Manager is open to all users. To access the Agent Services interface for a particular subsystem:
Open a web browser window.
Go to the page where the End-Entity Services interface for the Certificate Manager or Registration Manager is installed.
The default URL for this page is:
http://<hostname>:<ee_port> or https://<host_name>:<ee_ssl_port>
<hostname> is in the form <machine_name>.<your_domain>.<domain>.
The appropriate interface appears. (If you have disabled the unsecure end-entity port, you won't be able to access the interface on that port.)
End-Entity Forms and Templates
This section describes the end-entity interface and its default forms.
The end-entity services interface is divided into three parts or frames: top, menu, and content. The top frame includes tabs that are specific to end-entity operations, such as certificate enrollments and renewals. The menu lists all the operations supported by the selected tab. The content shows the form pertaining to the operation an end entity chooses in the menu; the form contains information to carry out the selected operation. Figure 2-1 shows the end-entity interface of a Certificate Manager.
Locating End-Entity Forms and Templates
You can find the HTML forms and the corresponding output templates for the end-entity interface at this location:
<server_root>/cert-<instance_id>/web/ee
Forms for Certificate Enrollment
Table 2-2 lists the file names of forms that appear as menu options in the Enrollment tab of the end-entity interface. The forms are available on Certificate Manager instances and Registration Manager instances. The only exception is that the Certificate Manager enrollment form is available only on Certificate Manager instances.
Forms for Certificate Renewal
Table 2-3 lists the forms that correspond to the menu options in the Renewal tab of the end-entity interface on Certificate Manager instances and Registration Manager instances.
Forms for Certificate Revocation
Table 2-4 lists the forms that correspond to the menu options in the Revocation tab of the end-entity services interface.
Forms for Certificate Retrieval
Table 2-5 lists the forms that correspond to the menu options in the Retrieval tab of the end-entity interface on Certificate Manager instances. Only the Import CA Certificate Chain interface is also available on Registration Manager instances.
Forms for Key Recovery
Table 2-6 lists the form that corresponds to the menu option in the Recovery tab of the end-entity interface. This form is available on a Certificate Manager instance or a Registration Manager instance that is configured as a trusted manager for a Data Recovery Manager instance.
Other Forms
Table 2-6 lists common forms that are used by the operation-specific forms in the end-entity interface.
Output Templates for End-Entity Interfaces
Table 2-8 lists the default templates that are used by the end-entity interfaces to return data to the requestor.
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated October 07, 2002