iPlanet Certificate Management System Installation and Setup Guide



Chapter 9   Administration Tasks and Tools


In administering iPlanet Certificate Management Server (CMS), you perform server-specific tasks such as starting, stopping, and restarting the server; changing configuration; configuring certificate issuance and management policies; adding or modifying privileged-user and group information; setting up authentication mechanisms for users who may request services from the server; performing routine server maintenance tasks; monitoring logs; and backing up server data.

To enable system administrators to accomplish these server-specific tasks quickly and easily, Certificate Management System provides a GUI-based administration tool, called the CMS window, within iPlanet Console. This chapter provides an overview of both iPlanet Console and the CMS window.



iPlanet Console

iPlanet Console is a stand-alone Java application that provides a GUI-based front end to all network resources registered in an organization's configuration directory. This unified administration interface (shown in Figure 9-1) simplifies network administration by supplying access points to all iPlanet version 4.x server instances installed across a network. Similarly, it simplifies basic user and group management by providing a unified administration interface to the user directory.

Figure 9-1    iPlanet Console window, with a CMS instance selected in the Console tab



Console Tab

For any given instance of iPlanet Console, the limits of the network it can administer are defined by the set of resources whose configuration information is stored in the same configuration directory—that is, the maximum set of hosts and servers that can be monitored from iPlanet Console. The superadministrator (the person who manages the configuration directory) can set access permissions on all network resources registered in the configuration directory. Thus, for a given administrator using iPlanet Console, the actual number of visible servers and hosts may be fewer, depending on the access permissions that the administrator has.

The Console tab displays all servers registered in a particular configuration directory, giving you a consolidated view of all the server software and resources under your control. What you control is determined by the access permissions the superadministrator has set up for you.

From this view you can perform tasks across arbitrary groups or clusters of servers in a single operation: the Console tab lets you manage a single server or several servers at once, including multiple instances installed on different ports of one machine. You can also open an individual server's window (its administration interface) by double-clicking the corresponding server instance entry (SIE).

With the exception of Certificate Management System, all server instances displayed on the Console tab store their configuration information in the same configuration directory. For security reasons, Certificate Management System keeps its configuration in a file stored locally on its host rather than in the configuration directory; during installation, the server registers only its SIE there. For details about this file, see CMS Configuration.

You can accomplish various CMS-specific tasks from the Console tab:

  • Install multiple instances of Certificate Management System.

  • Remove an instance of Certificate Management System from a system or host.

  • Clone an instance of Certificate Management System.

  • Set access permissions for Certificate Management System.

  • Migrate configuration information from one version of Certificate Management System to another.

  • Launch the Administration Server window (so that you can configure an Administration Server instance for administering Certificate Management System).

  • Launch the CMS window.


Users and Groups Tab

The Users and Groups tab (shown in Figure 9-2) manages user accounts, group lists, and access control information for individual users and groups. All applications registered within the iPlanet Console framework share core user and group information in the user directory, which typically is a global directory for corporatewide user data.

Figure 9-2    Users and Groups tab of iPlanet Console


From this tab, you can accomplish various user- and group-specific tasks, such as these:

  • Add, modify, and delete user and group information in the user directory.

  • Search for specific user and group entries in the user directory.


iPlanet Administration Server

iPlanet Administration Server is a web-based (HTTP) server that enables you to configure all your iPlanet servers, including Certificate Management System, through iPlanet Console. Administration Server (and the configuration directory) must be running before you can configure any of these servers. It is included with all iPlanet servers and is installed when you install your first server in a server group. A server group refers to servers that are installed in a server root directory and that are managed by a single instance of iPlanet Administration Server.

You access Administration Server by entering its URL in the iPlanet Console login screen. This URL is based on the computer host name and the port number you chose when you installed Certificate Management System. The format for the URL looks like this: http://<machine_name>.<your_domain>.<domain>:<port>

Whenever you access Administration Server, you are prompted to authenticate to the configuration directory with a user ID and password. These are the administrator user name and password that you specified when you installed Certificate Management System (or the first server in the server group) together with Administration Server. Note that with an http:// Administration URL these credentials cross the network unencrypted; unless you have enabled SSL for Administration Server (see Managing Servers with iPlanet Console), administer locally or restrict access to the Administration Server port to trusted hosts. Once Administration Server is running, you can use iPlanet Console to administer all servers in that group, including Certificate Management System.

For complete details about iPlanet Administration Server, see Managing Servers with iPlanet Console.


Starting Administration Server

The CMS installation program automatically starts the instance of Administration Server that you identified during installation for monitoring Certificate Management System. If you stopped Administration Server after installation, you must start it before you can administer Certificate Management System from the CMS window.

You can start the server from iPlanet Console, the command line, or the Windows NT Services panel.

  • To start Administration Server from iPlanet Console:

    1. Log in to iPlanet Console (see Logging In to iPlanet Console).

    2. In the Console tab, locate the Administration Server instance that you want to start, and double-click the corresponding entry.

      The Administration Server window appears.

    3. In the Tasks tab, click Start the Server.

  • To start Administration Server from the command line:

    At the prompt, enter the following line: <server_root>/admin-<instance_id>/start-admin

    This command starts Administration Server at the port number you specified during installation. Once the server is running, you can use iPlanet Console to access Certificate Management System.

  • Administration Server runs as a service in a Windows NT system. You can use the Windows NT Services panel to start the service directly.


Shutting Down Administration Server

It is good security practice to shut down Administration Server when you are not using it. This reduces the window in which someone else can reach the server and change your configuration. You can shut down the server from iPlanet Console, the command line, or the Windows NT Services panel.

  • To shut down Administration Server from iPlanet Console:

    1. Log in to iPlanet Console (see Logging In to iPlanet Console).

    2. In the Console tab, locate the Administration Server instance that you want to shut down, and double-click the corresponding entry.

      The Administration Server window appears.

    3. In the Tasks tab, click Stop the Server.

  • To shut down Administration Server from the command line:

    At the prompt, enter the following line: <server_root>/admin-<instance_id>/stop-admin

  • Administration Server runs as a service in a Windows NT system; you can use the Windows NT Services panel to stop the service directly.
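The two command-line procedures above (start-admin and stop-admin) together with the start-console command documented under Logging In to iPlanet Console can be combined so that Administration Server runs only for the duration of an administration session, which is the practice this section recommends. The following Unix shell script is an added example and is not part of the iPlanet documentation or product; the values of SERVER_ROOT and ADMIN_INSTANCE are assumptions and must be set to the <server_root> and <instance_id> of your installation.

```shell
#!/bin/sh
# Added example, not part of the iPlanet documentation: run Administration
# Server only for the duration of one administration session.
#
# Assumptions (not stated on this page): SERVER_ROOT and ADMIN_INSTANCE give
# the <server_root> and <instance_id> of the start-admin, stop-admin and
# start-console scripts; override them in the environment to match your
# installation. The three script paths can also be overridden individually.
: "${SERVER_ROOT:=/usr/iplanet/servers}"
: "${ADMIN_INSTANCE:=serv}"
: "${START_ADMIN:=$SERVER_ROOT/admin-$ADMIN_INSTANCE/start-admin}"
: "${STOP_ADMIN:=$SERVER_ROOT/admin-$ADMIN_INSTANCE/stop-admin}"
: "${START_CONSOLE:=$SERVER_ROOT/admin-$ADMIN_INSTANCE/start-console}"

# admin_session [COMMAND...]
# Starts Administration Server, runs COMMAND (default: iPlanet Console),
# then stops Administration Server again. The stop is run from an EXIT trap
# inside a subshell, so it also happens when the console is killed or exits
# with an error. Returns the exit status of COMMAND, or 1 if Administration
# Server did not start (in which case nothing is stopped).
admin_session() {
    (
        "$START_ADMIN" || exit 1
        trap '"$STOP_ADMIN"' EXIT
        if [ "$#" -gt 0 ]; then
            "$@"
        else
            "$START_CONSOLE"
        fi
    )
}

# When this file is saved as admin-session.sh and executed directly, run a
# console session; when sourced, only define the function.
if [ "${0##*/}" = "admin-session.sh" ]; then
    admin_session "$@"
fi
```

Because the stop runs from the subshell's EXIT trap, an administrator who closes the console window, or whose console crashes, still leaves Administration Server stopped; the function's exit status is that of the console, so a wrapper can tell a failed session from a successful one. The Windows NT service described above has no equivalent here; on NT use the Services panel.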



Logging In to iPlanet Console

You can launch and use iPlanet Console only when the configuration directory and Administration Server are running. If the servers are not running, go to the command line and start them. For information on starting Administration Server from the command line, see Starting Administration Server. For information on starting the configuration directory, check the iPlanet Directory Server documentation.

When you launch iPlanet Console, it displays a login window. You are required to authenticate to the configuration directory by entering your administrator ID, your password, and the URL (including port number) of the Administration Server representing a server group to which you have access. You cannot use iPlanet Console without having login access to at least one server group on your network.

  1. Open the iPlanet Console application by using the appropriate option:

    • For local access on a Unix machine, at the command-line prompt, enter the following line: <server_root>/admin-<instance_id>/start-console

    • For local access on a Windows NT machine, double-click the iPlanet Console icon on your desktop; this icon was created when you installed your first iPlanet server.

      The iPlanet Console window appears.

  2. Authenticate yourself to the configuration directory.

    User ID. Type the administrator ID you specified when you installed Administration Server on your machine. You installed Administration Server either when you installed your first iPlanet server or as a part of CMS installation.

    Password. Type the administrator password that goes with that ID; you specified it when you installed Administration Server (either with your first iPlanet server or as part of CMS installation).

    Administration URL. This field should show the URL of the Administration Server you want to use. If it is empty or shows a different Administration Server, type the correct URL. The URL is based on the host name and the Administration Server port number you chose when you installed Certificate Management System, in this format:

    http://<machine_name>.<your_domain>.<domain>:<port_number>

    For example, if your domain name is siroe.com and you installed Administration Server on a host machine called myHost and specified port number 12345, the URL would look like this: http://myHost.siroe.com:12345

  3. Click OK.

    iPlanet Console appears with a list of all the servers and resources under your control (see Figure 9-1). To view general information about a specific server, click the corresponding entry. To access the administration interface for a specific server, double-click the corresponding entry.



The CMS Window

The CMS window is a GUI-based administration interface that allows you to perform day-to-day operational and managerial duties for Certificate Management System. You launch the CMS window from within iPlanet Console (Figure 9-3).

Figure 9-3    Certificate Management System window, launched from iPlanet Console

You can use the CMS window to access the server locally or remotely. The window has three separate tabs—Tasks, Configuration, and Status—each addressing specific administrative areas.


Tasks Tab

The Tasks tab enables you to perform tasks such as starting, stopping, and restarting the server, and running the Certificate Setup Wizard. For details, see Chapter 8 "Starting and Stopping CMS Instances" and Certificate Setup Wizard.


Configuration Tab

The Configuration tab enables you to view and modify the server's configuration.

Table 9-1 provides details about the tasks you can accomplish from this tab. You access specific settings by selecting an entry in the navigation tree and working with the tabs that appear in the right pane.


Table 9-1    Tasks you can accomplish from the Configuration tab  

Task

Description

Configuring network settings  

This involves changing the administration, agent, and end-entity ports of Certificate Management System. For details, see Chapter 11 "Setting Up Ports."  

Configuring the internal database settings  

This involves specifying the host name and port number of the Directory Server that Certificate Management System should use for storing data. For details, see Chapter 12 "Setting Up Internal Database."  

Setting up privileged users  

This involves operations such as the following:

  • Entering information about privileged users (administrators, agents, and trusted managers) into the CMS internal database.

  • Modifying user information.

  • Deleting users from the database.

For details, see Chapter 13 "Managing Privileged Users and Groups."  

Managing CMS keys and certificates  

This involves operations such as the following:

  • Managing the CMS certificate database.

  • Generating new and renewing existing certificates for the Certificate Manager, Registration Manager, Data Recovery Manager, and Online Certificate Status Manager.

  • Installing new hardware tokens.

For details, see Chapter 14 "Managing CMS Keys and Certificates."  

Determining authentication for end users  

This involves operations such as the following:

  • Viewing currently registered authentication plug-in modules.

  • Configuring Certificate Management System to use a specific authentication method to authenticate end users when they enroll for a certificate.

  • Registering custom authentication plug-in modules.

For details, see Chapter 15 "Setting Up End-User Authentication."  

Enabling automated email notifications  

This involves operations such as the following:

  • Entering the information required by the server to send automated notifications to one or more agents when a request enters the agent queue.

  • Entering the information required by the server to send automated certificate-issuance notifications to end entities when the server issues them certificates.

  • Specifying the host name and port number of the mail server that Certificate Management System should use for sending email notifications.

  • Customizing the notification message templates to suit your organization's requirements.

For details, see Chapter 16 "Setting Up Automated Notifications."  

Scheduling automated jobs  

This involves operations such as the following:

  • Viewing currently registered plug-in modules for jobs.

  • Configuring Certificate Management System to execute specific jobs.

For details, see Chapter 17 "Scheduling Automated Jobs."  

Configuring certificate issuance and management policies  

This involves operations such as the following:

  • Viewing currently registered policy plug-in modules for a Certificate Manager or Registration Manager.

  • Configuring the Certificate Manager or Registration Manager for certificate formulation, issuance, renewal, and revocation policies, and configuring the Data Recovery Manager for the archiving and recovery of end users' encryption private keys.

For details, see Chapter 18 "Setting Up Policies."  

Publishing certificates and CRLs  

This involves operations such as the following:

 

Configuring the Data Recovery Manager  

This involves configuring the Data Recovery Manager for archival and recovery of end users' encryption private keys. For details, see Chapter 22 "Setting Up Key Archival and Recovery."  

Managing CMS logs  

This involves configuring system, error, and audit logs maintained by Certificate Management System and using these logs to monitor the server's activities. For details, see Chapter 23 "Managing CMS Logs."  

Backing up and restoring CMS data  

This involves operations such as the following:

  • Periodically backing up the CMS data.

  • In the event of data loss, using the resulting archives to restore the data.

For details, see Chapter 6, "Backing Up and Restoring Data," of the CMS Command-Line Tools Guide.  


Status Tab

The Status tab allows you to monitor the server by viewing the contents of various logs maintained by Certificate Management System.

You can monitor active as well as rotated System, Error, and Audit log files. For details, see Monitoring CMS Logs.



Logging In to the CMS Window



You access the CMS window from iPlanet Console. For details on iPlanet Console, see iPlanet Console.

The Console tab of iPlanet Console contains a list of network resources that are under your control. In this list you can identify CMS instances by their icons or by server identifiers you specified during installation (for example, you may have named a CMS instance ABC Corp CA).



Note Accessing the CMS window is a privileged operation that is restricted to CMS administrators. After you log in for the first time, create at least one user in each of the default groups; see Groups and Their Privileges.



To open the CMS window for a specific CMS instance:

  1. Log in to iPlanet Console (see Logging In to iPlanet Console).

  2. In the Console tab, select the Server Group that contains the CMS instance you want to administer.

  3. In the navigation tree, locate the CMS instance you want to administer.

  4. Select the instance and click Open or double-click the corresponding entry.

    If the selected server is not running, you are asked to start the server first. In that case, start the server, and then repeat steps 2 through 4. For information on starting the server, see Starting Certificate Management System.

    If the selected server is running, you are prompted to authenticate to Certificate Management System.

  5. Enter the appropriate information:

    User ID. If you are logging in for the first time, type the Certificate Administrator ID; you specified this user ID during installation (so that you could log in to the CMS window without having to create privileged-user entries). Otherwise, type your privileged-user ID (administrator ID).

    Password. Type the password that goes with that ID: for a first login, the Certificate Administrator password you specified during installation; otherwise, your privileged-user (administrator) password. See Administrators.

    Upon successful authentication, the CMS window appears (Figure 9-3).


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated October 07, 2002