About This Guide


The Installation and Setup Guide explains how to install, configure, and maintain iPlanet Certificate Management Server (CMS), and use it for issuing and managing certificates to various end entities, such as web browsers (users), servers, Virtual Private Network (VPN) clients, and Cisco^TM routers.

---

Note

SunTM ONE Certificate Server was previously known as iPlanetTM Certificate Management System. The product was renamed shortly before the launch of this 4.7 release. The late renaming of this product has resulted in a situation where the new product name is not fully integrated into the shipping product. In particular, you will see the product referenced as iPlanet Certificate Management Server (CMS) within the product GUI and within the product documentation. For this release, please consider iPlanet Certificate Management Server and SunTM ONE Certificate Server as interchangeable names for the same product.

---

This preface has the following sections:

• What's in This Guide

• What You Should Already Know

• Conventions Used in This Guide

• Where to Go for Related Information

What's in This Guide

---

This guide covers topics that are listed below. You should use this guide in conjunction with the other CMS documentation, such as the ones that explain all the plug-ins and command-line tools that are provided for Certificate Management System. For a complete list of CMS documentation, see section Where to Go for Related Information.

• "About This Guide" Describes what's covered in this guide, what you should already know, and where to look for more information.

Part 1, "Overview and Demo Installation"

• Chapter 1 "Introduction to Certificate Management System" Provides an overview of the Certificate Management System architecture for creating, deploying, and managing certificates.

• Chapter 2 "Certificate Enrollment and Life-Cycle Management" Provides sample deployment scenarios.

• Chapter 3 "Default Demo Installation" Describes how to set up a simple pilot that demonstrates the basic capabilities of a Certificate Manager.

Part 2, "Planning and Installation"

• Chapter 4 "Planning Your Deployment" Reviews basic decisions you should make as you plan your initial deployment.

• Chapter 5 "Installation Worksheet" Provides a worksheet you can copy and use to collect the detailed information that you will need to provide during installation and configuration of individual subsystems.

• Chapter 6 "Installing Certificate Management System" Describes the procedure for installing CMS subsystems on the basis of the information collected in Chapter 5.

• Chapter 7 "Installing and Uninstalling CMS Instances" Describes how to create multiple instances, delete unwanted instances, clone instances, upgrade from a previous CMS version, and so on.

• Chapter 8 "Starting and Stopping CMS Instances" Describes how to start, restart, and stop CMS instances.

Part 3, "Configuration"

• Chapter 9 "Administration Tasks and Tools" Explains the GUI-based administration tools, iPlanet Console and CMS window.

• Chapter 10 "CMS Configuration" Shows a sample configuration file and explains the rules for editing the configuration file.

• Chapter 11 "Setting Up Ports" Describes various ports used by a CMS instance and explains how to set up these ports.

• Chapter 12 "Setting Up Internal Database" Describes the function of internal database and explains how to set it up.

• Chapter 13 "Managing Privileged Users and Groups" Describes privileged users, their access rights, and how to create them for managing a CMS instance.

• Chapter 14 "Managing CMS Keys and Certificates" Describes keys and certificates used by a CMS instance and explains how to renew and reissue them. Also provides information on installing hardware tokens.

• Chapter 15 "Setting Up End-User Authentication" Describes authentication methods for different types of CMS users, and explains how to configure a Certificate Manager or Registration Manager to use a specific authentication method for end-user enrollment.

• Chapter 16 "Setting Up Automated Notifications" Describes how to enable the automated notification feature—such as notifying agents when a request gets queued and notifying users when their certificates are issued—to ease administration overheads.

• Chapter 17 "Scheduling Automated Jobs" Describes how to schedule jobs that automatically perform certain certificate-related tasks at regular intervals—such as removing expired certificates from the directory and notifying users before their certificates expire—to ease administration overheads.

• Chapter 18 "Setting Up Policies" Describes how to configure a CMS manager to use policy rules that govern the formulation and issuance of certificate content, such as key size, signing algorithm, validity period, extensions, and so on.

• Chapter 19 "Setting Up LDAP Publishing" Provides an overview of LDAP publishing and describes how to configure a Certificate Manager to publish certificates and CRLs to an LDAP directory.

• Chapter 20 "Publishing Certificates and CRLs to a File" Describes how to configure a Certificate Manager to publish certificates and CRLs to files for importing to other repositories.

• Chapter 21 "Setting Up an OCSP Responder" Provides an overview of OCSP-compliant PKI setup and describes how to set up an OCSP-compliant PKI setup.

• Chapter 22 "Setting Up Key Archival and Recovery" Describes how to archive end users' encryption private keys and recover them, if there's a need.

• Chapter 23 "Managing CMS Logs" Describes how to enable logging, use logs to monitor the server's activities, and archive log files.

Part 4, "Issuing and Managing Certificates"

• Chapter 24 "Issuing and Managing Server Certificates" Describes how to issue SSL server certificates to other servers and manage the certificates.

• Chapter 25 "Setting Up CEP Enrollment" Describes how to configure the server to issue router and VPN client certificates.

Part 5, "Appendixes"

• Appendix A "Certificate Download Specification" Describes the data formats used by Netscape Communicator 4.x for installing certificates.

• Appendix B "Using SSL with iPlanet Web Server, Enterprise Edition 4.x" Explains how to set up client certificate authentication to work with Netscape Enterprise Server 3.x.

• Appendix C "Export Control Information" Summarizes the cryptographic operations, key lengths, and cipher suites that have received US government approval for the export version of Certificate Management System.

Glossary

Summarizes terms used in this guide and other CMS documentation.

What You Should Already Know

---

This guide is intended for experienced system administrators who are planning to deploy Certificate Management System. CMS agents should refer to iPlanet Certificate Management Server Agent's Guide for information on how to perform agent tasks, such as handling certificate requests and revoking certificates.

This guide assumes that you

• Are familiar with the basic concepts of public-key cryptography and the Secure Sockets Layer (SSL) protocol.
  • SSL cipher suites

  • The purpose of and major steps in the SSL handshake

• Understand the concepts of intranet, extranet, and the Internet security and the role of digital certificates in a secure enterprise. These include the following topics:
  • Encryption and decryption

  • Public keys, private keys, and symmetric keys

  • Significance of key lengths

  • Digital signatures

  • Digital certificates, including various types of digital certificates

  • The role of digital certificates in a public-key infrastructure (PKI)

  • Certificate hierarchies

  If you are new to these concepts, we recommend you read the security-related documents available online at this URL: http://docs.sun.com/db?p=coll/S1_nsCMS_42_Resources

  You may also refer to the security-related appendixes (Appendix D and Appendix E) of the accompanying manual, Managing Servers with iPlanet Console.

• Are familiar with the role of iPlanet Console in managing iPlanet servers. Otherwise, see the accompanying manual, Managing Servers with iPlanet Console.

• Are reading this guide in conjunction with the documentation listed in section Where to Go for Related Information.

Conventions Used in This Guide

---

The following conventions are used in this guide:

• Monospaced font—This typeface is used for any text that appears on the computer screen or text that you should type. It's also used for filenames, functions, and examples.

  Example: Server Root is the directory where the CMS binaries are kept.

• Italic—Italic type is used for emphasis, book titles, and glossary terms.

  Example: This control depends on the access permissions the superadministrator has set up for you.

• Text within "quotation marks"—Indicates cross-references to other topics within this guide.

  Example: For more information, see "Issuing a Certificate to a New User" on page 154.

• Boldface—Boldface type is used for various UI components such as captions and field names, and the terminology explained in the glossary.

  Example:

  Rotation frequency. From the drop-down list, select the interval at which the server should rotate the active error log file. The available choices are Hourly, Daily, Weekly, Monthly, and Yearly. The default selection is Monthly.

• Monospaced [ ]—Square brackets enclose commands that are optional.

  Example: PrettyPrintCert <input_file> [<output_file>]

  <input_file> specifies the path to the file that contains the base-64 encoded certificate.

  <output_file> specifies the path to the file to write the certificate. This argument is optional; if you don't specify an output file, the certificate information is written to the standard output.

• Monospaced <>—Angle brackets enclose variables or placeholders. When following examples, replace the angle brackets and their text with text that applies to your situation. For example, when path names appear in angle brackets, substitute the path names used on your computer.

  Example: Using Netscape Communicator 4.7 or later, enter the URL for the administration server: http://<hostname>:<port_number>

• /—A slash is used to separate directories in a path. If you use the Windows NT operating system, you should replace / with \ in paths.

  Example: Except for the Security Module Database Tool, you can find all the other command-line utilities at this location: <server_root>/bin/cert/tools

• Sidebar text—Sidebar text marks important information. Make sure you read the information before continuing with a task.

  Examples:
  

  ---

  Note	You can use iPlanet Console only when Administration Server is up and running.

  ---

  
  
  

  ---

  Caution

  A caution note documents a potential risk of losing data, damaging software or hardware, or otherwise disrupting system performance.

  ---

  
  

Where to Go for Related Information

---

This section summarizes the documentation that ships with Certificate Management System, using these conventions:

• <server_root> is the directory where the CMS binaries are kept (which you specify during installation).

• <instance_id> is the ID for this instance of Certificate Management System (specified during installation).

The documentation set for Certificate Management System includes the following:

• Managing Servers with iPlanet Console

  Provides background information on basic cryptography concepts and the role of iPlanet Console. To view the HTML version of this guide, open this file: <server_root>/manual/en/admin/help/contents.htm

• CMS Installation and Setup Guide (this guide)

  Describes how to plan for, install, and administer Certificate Management System. To access the installation and configuration information from within the CMS Installation Wizard or from the CMS window (within iPlanet Console), click any help button.

  To view the HTML version of this guide, open this file: <server_root>/manual/en/cert/setup_guide/contents.htm

• CMS Plug-Ins Guide

  Provides detailed reference information on CMS plug-ins. To access this information from the CMS window within iPlanet Console, click any help button.

  To view the HTML version of this guide, open this file: <server_root>/manual/en/cert/plugin_guide/contents.htm

• CMS Command-Line Tools Guide

  Provides detailed reference information on CMS tools.

  To view the HTML version of this guide, open this file: <server_root>/manual/en/cert/tools_guide/contents.htm

• CMS Customization Guide

  Provides detailed reference information on customizing the HTML-based agent and end-entity interfaces.

  To view the HTML version of this guide, open this file: <server_root>/manual/en/cert/custom_guide/contents.htm

• CMS Agent's Guide

  Provides detailed reference information on CMS agent interfaces. To access this information from the Agent Services pages, click any help button.

  To view the HTML version of this guide, open this file: <server_root>/cert-<instance_id>/web/agent/manual/agent_guide/
  contents.htm

• End-entity help (online only, not printed)

  Provides detailed reference information on CMS end-entity interfaces. To access this information from the end-entity pages, click any help button.

  To view the HTML version of this guide, open this file: <server_root>/cert-<instance_id>/web/ee/manual/ee_guide/
  contents.htm
  

  ---

  Note	Do not change the default location of any of the HTML files; they are used for online help. You may move the PDF files to another location.

  ---

  
  

For a complete list of all documentation for Certificate Management System, including documentation for Directory Server, see Documentation Summary, located at: <server_root>/manual/index.html

For the latest information about Certificate Management System, including current release notes, technical notes, and deployment information, check this site: http://docs.sun.com/?p=coll/S1_s1CertificateServer_47