Previous     Contents     Index     Next     
iPlanet Certificate Management System Installation and Setup Guide



Chapter 3   Default Demo Installation


This chapter describes how to set up a simple installation that demonstrates the basic capabilities of a Certificate Manager with an integrated Registration Manager. It is intended for administrators who are already familiar with PKI concepts. An experienced administrator should be able to install and set up the default demo in less than an hour, then use it to try out basic iPlanet Certificate Management Server (CMS) procedures.


Caution

This chapter describes how to install a Certificate Manager for demonstration purposes only. The steps described require that you accept most of the default values suggested at each stage of installation and configuration. Before you attempt to install more sophisticated pilots or a full-scale deployment, you should read Chapter 4 "Planning Your Deployment" and the chapters that follow.


This chapter has the following sections:



System Requirements

This section summarizes the basic software and hardware requirements for any machine on which you intend to install Certificate Management System instances and related software:


Operating System and Software Required

Operating systems supported:

  • Sun Solaris 8 (with relevant Java 2 patches)

  • Windows 2000 and Windows NT 4.0 with Service Pack 6

Other required software:

  • iPlanet Administration Server 5.1 (included)

  • iPlanet Directory Server 5.1 (included)

  • Browser software that supports SSL


Platform Requirements

Each platform has slightly different requirements. In addition to the requirements listed in Table 3-1, make sure you have ample swap space or virtual memory allocated for the system on which you intend to install Certificate Management System.


Table 3-1    Software and hardware requirements  

Solaris Platform Requirements

OS Version

Machine

RAM

Hard disk storage space requirements  

Solaris 8 (with relevant Java 2 patches)

Ultra 1 or faster

128 MB (256 recommended)

Total required is approximately 450 MB, broken down as follows:

  • Total transient space required during installation: 100 MB

  • Hard disk storage space required for installation (approximate values):
    Space required for setup, configuration, and running the server: 300 MB
    Additional space to allow for database growth in pilot deployment: 50 MB (this may be reduced to 10 MB for default demo installation)
    Total disk storage space for installation: 350 MB

 

Windows NT Platform Requirements

OS Version

Machine

File system

RAM

Hard disk storage space requirements  

Windows 2000, Windows NT 4.0 with Service Pack 6

Pentium II 400 or faster

NTFS or FAT

128 MB of RAM (256 recommended)

Total required is approximately 350 MB, broken down as follows:

  • Total transient space required during installation: 100 MB

  • Hard disk storage space required for installation (approximate values):
    Space required for setup, configuration, and running the server: 200 MB
    Additional space to allow for database growth in pilot deployment: 50 MB (this may be reduced to 10 MB for default demo installation)
    Total disk storage space for installation: 250 MB

 

Other Requirements

 
  • On UNIX systems, you must install as root in order to use well-known port numbers (such as 443) that are less than 1024. If you do not plan to use port numbers less than 1024, you do not need to install as root. If you plan to run the Administration Server as root, you should also install as root and specify the default user and group, nobody, as the system ID for other server processes.

  • On a Windows NT system, you must install as Administrator or a user with Administrator privileges (that is, the user must be in the Administrators group).

 



Overview of the Default Demo


The default demo installation described in this chapter is intended to provide a quick, hands-on experience of the basic Certificate Management System interfaces. It is intended for demonstration purposes only and relies on a number of default settings that may not be appropriate for a mission-critical installation. Before you attempt to install more sophisticated pilots or a full-scale deployment, read Chapter 4 "Planning Your Deployment" and the chapters that follow.

The default demo installation includes the following iPlanet software:

  • iPlanet Console. iPlanet Console is described in a separate guide, Managing Servers with iPlanet Console. It is a standalone Java application used to manage iPlanet server instances with the aid of a configuration directory and a user directory. For this demo, iPlanet Console controls just the server instances listed here; the configuration and user directories are combined in a single iPlanet Directory Server instance. In real deployments, iPlanet Console can be set up to control a variety of servers in different instances and on different machines that are registered with a single configuration directory, which could potentially be separate from the user directory.

  • iPlanet Administration Server. This lightweight HTTP server acts as the back end to iPlanet Console. An instance of Administration Server manages operation requests involving any iPlanet servers installed in the same server root, or server group, and invokes CGI programs to perform these operations. For this demo, a single Administration Server instance provides administrative access to the Directory Server instance and Certificate Manager instance listed below—the only other server instances in the same server group.

  • Configuration and User Directory (iPlanet Directory Server). This is an instance of Directory Server with two subtrees. The user subtree keeps track of users and groups and their privileges (for the Administration Server, not for Certificate Management System). The configuration subtree keeps track of the location on the network of iPlanet servers. For this demo, the configuration subtree keeps track of itself, the Administration Server instance, the single instance of Certificate Management System, and a separate instance of Directory Server that serves as the internal database for Certificate Management System. For this demo, the user subtree is also used as the user and group directory for directory-based authentication and publishing.

  • Certificate Manager. For this demo, the single instance of Certificate Management System contains a Certificate Manager that is configured to perform registration tasks as well as CA tasks.

  • Internal Database (iPlanet Directory Server) for Certificate Management System. For each instance of Certificate Management System you install an instance of iPlanet Directory Server that acts as the internal database for certificate and request information.

You use the main window of iPlanet Console to perform basic tasks such as starting and stopping a server. To manage any server controlled by iPlanet Console (in this case, just Directory Server and the Certificate Manager), first locate it on the left side of the main iPlanet Console window, then double-click the icon to open a separate administrative window for that server.

iPlanet Console uses the configuration directory for information on the locations and contents of server groups on the network. It also interacts with the Administration Server for each server group to perform some tasks, such as managing SSL encryption settings. However, to manage settings displayed in the iPlanet Console window for a particular Certificate Management System instance, iPlanet Console acts directly on a configuration file stored with that instance. (For more information about the configuration file, see Chapter 10 "CMS Configuration."

As you proceed with the default demo installation and configuration, you will be asked to assign several port numbers, names, and passwords. Figure 3-1 shows the four main software elements of the demo and the port numbers and protocols they use for different purposes. Using the default ports for the end-entity URLs helps users because they will not need to remember port numbers; any HTTPS request will try port 443 if no port is specified in the URL.

Figure 3-1    Software installed and port numbers assigned for the default demo

You will also be asked to provide additional information, such as the name of each server instance to be installed, the names and passwords of various types of administrators, and information related to the CA signing certificate and SSL server certificate that the Certificate Manager must have available before it can begin operation.

To keep things simple for the default demo, most of the information requested during installation is set either to a default or to some arbitrary, convenient value. Before you attempt to install more sophisticated pilots or a full-scale deployment, you should read Chapter 4 "Planning Your Deployment" and the chapters that follow to determine the precise names and settings that are appropriate for your situation.

Another difference between the default demo and more sophisticated installations is that the Directory Server instance, in addition to providing both the configuration directory and the user directory, is also used to publish and test certificates you issue with the Certificate Manager instance. In a real-world deployment, the Directory Server Instance used for configuration and for users is unlikely to be used for publishing.


Demo Passwords

The demo that you install is a real CA that can issue certificates. Even if you plan to remove it after testing, you should maintain the security of the demo system. For this reason, the installation procedure does not give specific passwords for each administrative user. However, to avoid confusion, the passwords that you will need are identified here and are later referred to by this identification. If you make a list of the passwords you decide on, be sure to keep the list secure.

You will need to provide the following passwords during the installation process:

<admin password>

Administrator for both Administration Server and its configuration directory. Use this password to start iPlanet Console and the Installation Wizard.

<dir mgr password>

Manager for the configuration directory. (This password must be at least eight characters.)

<intdb password>

Administrator for the CMS internal database (an instance of Directory Server). This password is kept and protected in a special cache that you access with the <single-signon password>.

<CMS password>

CMS administrator. Use this password to access iPlanet Console's CMS window.

<token password>

Password for the CMS key database. This password is kept and protected in a special cache that you access with the <single-signon password>.

<single-signon password>

This password protects the <intdb password> and <token password>. Use this password to start Certificate Management System.



Installing the Default Demo


The installation script installs and starts an Administration Server and a Directory Server; the process is slightly different for Windows NT and UNIX systems. The Installation Wizard, which is the same on both systems, installs Certificate Management System itself and creates the system's certificates. When you have finished installing the files, you start Certificate Management System and enroll for the initial administrator-agent certificate, which you then use to verify that the system is properly installed and functions correctly.

The steps of this installation procedure are described in the following sections:


Step 1. Run the Installation Script — UNIX

These instructions assume that you have the initial distribution of Certificate Management System available, either on a CD or on your hard disk.

If you are using a Windows NT system, see Step 1. Run the Installation Script—Windows NT.

To run the installation script, change to the distribution directory (where you have downloaded the distribution files) and execute the file setup.

In the instructions that follow, the question that appears at the bottom of each setup screen is in boldface, followed by the action you should take.

  1. Would you like to continue with setup? [Yes]: Press Enter.

  2. Do you agree to the license terms? [No]: Type yes and press Enter.

  3. Select the items you would like to install [1]: Press Enter.

  4. Server root [/usr/iplanet/servers]: Press Enter to accept the default server root directory. (If you are not installing as root, you probably will not have permission to create directories in /usr so you will have to choose another location.)

  5. Specify the components you wish to install [All]: Press Enter to accept the default.

  6. Specify the components you wish to install [1,2,3]: Press Enter to accept the default server product components.

  7. Specify the components you wish to install [1,2]: Press Enter to accept the default Directory Suite components.

  8. Specify the components you wish to install [1,2]: Press Enter to accept the default Administration Services components.

  9. Specify the components you wish to install [1, 2]: Press Enter to accept the default CMS components.

  10. Computer name [myhost.mydomain.com]: Press Enter to install on the local machine.

  11. System User [nobody]: Enter the user that the configuration/user Directory Server process will run as. Where your system supports it, accept the default user, nobody, creating that user as necessary.

  12. System Group [nobody]: Enter the group that the configuration/user Directory Server process will run as. Where your system supports it, accept the default group, nobody, creating that group as necessary.

  13. Do you want to register this software with an existing iPlanet configuration directory server? [No]: Press Enter to install a new configuration directory.

  14. Do you want to use another directory to store your data? [No]: Press Enter to use the new configuration directory as your user/group directory.

  15. Directory server network port [389]: Press enter to accept the default, 389. If you are not installing as root or if 389 is in use, the default will be a random number; you may want to change this number to something easy to remember, such as 38989.

  16. Directory server identifier [myhost]: Type configdir as the unique identifier for the configuration directory, and press Enter.

  17. iPlanet configuration directory server administrator ID [admin]: Press Enter to accept the default, then enter the <admin password>.

  18. Suffix [o=mydomain.com]: Press Enter to accept the default.

  19. Directory Manager DN [cn=Directory Manager]: Press Enter to accept the default, then enter the <dir mgr password>.

  20. Administration Domain [mydomain.com]: Press Enter to accept the default.

  21. Administration port [random #]: Type 4444 and press Enter.

  22. Run Administration Server as [root]: Press Enter to accept the default.

  23. Certificate Management System Server identifier [localhost]: Type demoCA and press Enter. After the script copies the files and updates the system, which may take a few minutes, press Enter to continue.

The first phase of the installation is now complete. The installation script has installed iPlanet Console, installed and started an Administration Server and its configuration directory, and copied the files for Certificate Management System. You are now ready to configure the Certificate Management System instance by running the Installation Wizard.


Step 1. Run the Installation Script—Windows NT

These instructions assume that you have the initial distribution of Certificate Management System available, either on a CD or on your hard disk.

If you are using a UNIX system, see Step 1. Run the Installation Script — UNIX.

  1. To run the installation script, open the distribution directory for the system software you are using and double-click the file setup.exe.

    In the instructions that follow, the name that appears in the title bar of each setup screen is in bold, followed by a description of the action you should take.

  2. Welcome. Click Next.

  3. Software License Agreement. Click Yes.

  4. Select Server or Console Installation. Leave the default setting (iPlanet Servers) selected and click Next.

  5. Choose the Installation Type. Leave the default setting (Typical) selected and click Next.

  6. Choose Installation Directory. Leave the default setting (C:\iPlanet\Servers) selected and click Next.

  7. Select Products. Leave all four components selected and click Next.

  8. Directory Server 4.13. Leave the default setting (This instance will be the configuration directory server) selected and click Next.

  9. Directory Server 4.13. Leave the default setting (Store data in this directory server) selected and click Next.

  10. Directory Server 4.13 Server Settings. Type the following values, then click Next:

    Server identifier: Accept the default.

    Server port: Accept the default, which should be 389
    Suffix: Accept the default, which should be your company's domain name, in the form o=<your_domain>.<domain>.

  11. Directory Server 5.1 iPlanet Configuration Directory Server Administrator. Type the following values, then click Next:

    Configuration Directory Administrator ID: admin
    Password: <admin password>
    Password (again): <admin password>

  12. Directory Server 4.13 Administration Domain. Accept the default, which should be your company's domain name, in the form <your_domain>.<domain>.

  13. Directory Server 4.13 Directory Manager Settings. Type the following values, then click Next:

    Directory Manager DN: cn=Directory Manager
    Password: <dir mgr password>
    Password (again): <dir mgr password>

  14. Administration Server Port Selection. Type the value 12345 and click Next.

  15. Certificate Management System Server identifier. Accept the default, and click Next.

  16. Configuration Summary. Click Next.

  17. Setup. At this point, the installation script extracts and installs the binaries for all of the servers in the server root directory and creates and starts instances of the Administration Server and Directory Server. This process may take a few minutes.

  18. Setup Complete. Leave the default setting (Restart my computer now.) and click Finish.

The first phase of the installation is now complete. The installation script has installed iPlanet Console, installed and started an Administration Server and its configuration directory, and copied the files for Certificate Management System. You are now ready to complete the installation of Certificate Management System by running the Installation Wizard.


Step 2. Run the Installation Wizard

To begin running the Installation Wizard, follow these steps:

  1. If iPlanet Console is not running, start it.

    • On a Windows NT system, click Start, and then choose Programs, iPlanet, and iPlanet Console, in that order. Alternatively, click the iPlanet Console shortcut in the iPlanet directory that opens on your desktop after setup completes.

    • On a Unix system, open a command shell, change to the directory /usr/iplanet/servers, and execute the file startconsole.

  2. Log in as admin, giving the password <admin password>.

    The main window of iPlanet Console appears.

    If the Administration URL is not filled in, enter http://<myhost>:12345

  3. In the navigation tree at the left, open your computer, then open Server Group.

  4. Select cert-<identifier> and double-click it; alternatively, you can also click the Open button on the Certificate Management System panel on the right.

    After a few moments, the Installation Wizard appears. You use the wizard to get the initial certificates and set the initial configuration for this demo instance of Certificate Management System.

In the instructions that follow, the panel title that appears below the title bar for each screen is in boldface, followed by the action you should take.

  1. Introduction. Click Next.

  2. Internal Database. Type the following values, then click Next:

    Instance ID: Accept the default (<identifier>-db).
    Port number: Accept the default (38900).
    Directory Manager DN: cn=Directory Manager
    Password: <intdb password>
    Password (again): <intdb password>



    At this point the system creates the internal database, which can take some time.

  3. Administrator. Type the following values, then click Next:

    Administrator ID: CMSadmin
    Full name: Accept the default value.
    Password: <CMS password>
    Password (again): <CMS password>

  4. Subsystems. Click Next to accept the default selection (Certificate Manager only).

  5. Remote Data Recovery Manager. Click Next to accept the default selection (No).

    At this point the system configures the internal database, which can take some time.

  6. CA's serial number range. Click Next to accept the default (start at 0x1 with no upper limit).

  7. Internal OCSP Service. Click Next to accept the default (the option is selected).

  8. Network Configuration. Select the Enable checkbox to enable the non-SSL end-entity gateway, then accept the default values listed below. If one of the default ports is unavailable, a different, randomly selected port will appear in the form.

    SSL administration port: 8200
    SSL agent port: 8100
    SSL end-entity port: 443
    Enable: Select this checkbox to enable the non-SSL end-entity gateway.
    Non-SSL end-entity port: 80

  9. CA Signing Certificate. Click Next to accept the default selection (Create self-signed CA certificate).

  10. Key-Pair Information for Certificate Manager CA Signing Certificate. Type the following values, then click Next:

    Token: Accept the default value (Internal).
    Password: <token password>
    Password (again): <token password>
    Key type: Accept the default value (RSA).
    Key length: Select 1024 and leave the custom key-length field blank.

  11. Message Digest Algorithm. Click Next to accept the default (SHA1).

  12. Subject Name for Certificate Manager CA Signing Certificate. Type the following values, then click Next:

    Common name (CN=): Certificate Manager
    Organization Unit (OU=): <name of your organizaion>
    Organization (O=): <name of your company>
    Locality (L=): <name of your locality>
    State (ST=): <name of your state, province, or territory>
    Country (C=): <two-letter code for your country>

  13. Validity Period for Certificate Manager CA Signing Certificate. Modify year and month values of "Expire on" date to allow a validity period of one month from the installation date, then click Next.

  14. Certificate Extensions for Certificate Manager CA Signing Certificate. Click Next to accept the default selections.

  15. Certificate Manager CA Signing Certificate Creation. Click Next.

  16. SSL Server Certificate. Click Next to accept the default selection (Sign SSL certificate with my CA signing certificate selected.).

  17. Key-Pair Information for Server SSL Certificate. Change the Key length to 1024, accept the default values for other fields, then click Next.

  18. Message Digest Algorithm. Click Next to accept the default (SHA1).

  19. Subject Name for SSL Server Certificate. Type the following values, then click Next.

    Common name (CN=): <hostname, in the "machine.domain.com" form>
    Organization Unit (OU=): <name of your organization>
    Organization (O=): <name of your company>
    Locality (L=): <name of your locality>
    State (ST=): <name of your state, province, or territory>
    Country (C=): <two-letter code for your country>



  20. Validity Period for SSL Server Certificate. Modify year and month values of "Expire on" date to allow a validity period of one month from the installation date, then click Next.

  21. Certificate Extensions for SSL Server Certificate. Click Next to accept the default selections.

  22. SSL Server Certificate Creation. Click Next.

    The generation of the certificate can take some time.

  23. Set Up Single Signon Password. Type the following values, then click Next.

    Single signon password: <single-signon password>
    Single signon password (again): <single-signon password>



  24. Configuration Status. Click Done. Certificate Management System starts automatically.

The installation and configuration of Certificate Management System is now complete, and the Certificate Manager is running.

The user interface of Certificate Management System is now available through the web gateways whose ports you specified during installation. You can access them directly in a web browser by going to those ports using the appropriate protocol.

  • The SSL agent gateway URL is:
    https://<machine_name>.<your_domain>.<domain>:8100

  • The SSL end-user gateway URL is:
    https://<machine_name>.<your_domain>.<domain>:443

  • The non-SSL end-user gateway URL is:
    http://<machine_name>.<your_domain>.<domain>:80


Step 3. Get the First User Certificate

After you complete configuration of Certificate Management System with the Installation Wizard, you must enroll for a certificate for the first agent. This is the first user certificate that Certificate Management System issues.

The initial user is both an administrator and an agent. This person can use iPlanet Console to create additional agents with the appropriate user privileges and use Agent Services to issue them certificates. Since there is no agent yet to approve the request, a special enrollment form allows you to get this first certificate automatically.

After you submit this initial Administrator/Agent Certificate Enrollment form, it is automatically disabled, so that no one else can acquire a certificate without agent approval or some form of automated authentication. The system automatically adds the initial user to the list of agents.


Enrolling for the First Agent Certificate

To enroll for the first agent certificate, you should be working at the computer you intend to use as the agent, so that the new certificate will be installed in the browser you will be using to access the Agent Services pages. Follow these steps:

  1. Open a web browser window.

  2. Go to the URL for the SSL agent port (8100).

    For example: https://pc618981.red.iplanet.com:8100.

    The first time you access this port, the system opens the Administrator/Agent Certificate Enrollment form.

    Because you have accessed an SSL port, Certificate Management System presents its SSL server certificate to your browser for authentication. This is the SSL server certificate that you just created during installation. Because you just created it, it is not on your list of trusted certificates. A series of dialog boxes now appears that lets you add the CMS server certificate to your list of trusted certificates.

  3. Complete the dialog boxes as instructed (the exact procedure depends on the browser you are using).

  4. In the Administrator/Agent Certificate Enrollment form, enroll for a client SSL certificate as the system's first privileged user by entering the following information:

    Authentication Information

    User ID: CMSadmin
    Password: <CMS password>

    Subject Name

    Full name: CMS Administrator
    Login name: CMSadmin
    Email address: <your email address>
    Organization unit: CMS Demo
    Organization: <name of your company>

    User's Key Length Information

    Key Length: Select 1024 (High Grade)

    Note that the validity period of this initial agent certificate is hard-coded as one year.

  5. Click Submit.

  6. Follow the instructions your browser presents as it generates a key pair.

    If authentication is successful, the new certificate will be imported into your browser. You should make a backup copy of the certificate.

Now you have a client authentication certificate in the name CMS Administrator. This special user name, which you specified as the initial administrator for Certificate Management System during installation, has now been designated as the first agent. The certificate you just created allows you to access the Agent Services pages. As an agent, you can approve enrollment requests and start issuing new certificates. To access the CMS windows in iPlanet Console, you use the CMS administrator user ID and the CMS password.


If You Need the First Agent Form Again

After you submit the initial Administrator/Agent Certificate Enrollment form, it is no longer available from the agent port. If something goes wrong and you are unable to obtain the initial agent certificate, you must reset a parameter in the configuration file to make the initial Administrator/Agent Certificate Enrollment form available again. Follow these steps:

  1. In the left frame of iPlanet Console, open cert-demoCA.

    The server requests your <CMS password>.

  2. Click the icon labeled "Stop the Server".

  3. Go to this directory: <server_root>/cert-demoCA/config

  4. Open the file CMS.cfg in a text editor, and find the following line:

    agentGateway.enableAdminEnroll=false

  5. Change false to true, and save the file.

  6. Start the server from the CMS window where you stopped it.

    Alternatively, right-click on cert-demoCA in the left frame and choose Start Server.

  7. Enter your <single-signon password>.

    The next time you access https://<hostname>:8100, the Administrative/Agent Enrollment form will be available again.



Using the Default Demo

You have now performed a basic installation and can use the installed demo Certificate Manager to issue certificates. This section provides the following exercises with which you can test the installation and practice using the system:

  • Verify the Installation,Accessing the various web gateways and using the default versions of the forms to enroll for and issue a certificate.

  • Create a Policy,: Configuring the Certificate Manager to reject certificate requests that do not use at least 1024-bit key lengths.

  • Use an LDAP Directory,: Adding a user to the configuration directory you just installed and using directory-based authentication to enroll as that user.

  • Publish Certificates to an LDAP Directory,: Publishing client certificates to the directory.

  • Send Renewal Reminders,: Configuring the Certificate Manager to send out automatic renewal reminders to entities whose certificates will be expiring soon.


Verify the Installation

To verify that the installation is correct and complete, you will access each of the different gateways for the various user interface pages: the SSL and non-SSL end-user pages, and the Agent Services pages for the Certificate Manager. You will use each set of pages to perform a basic task.


Viewing Issued Certificates From the Agent Gateway

  1. In a web browser window, use HTTPS to go to the URL for the SSL agent port that you specified. For example: https://<hostname>:8100

  2. Because this is an SSL connection, you are prompted to present your client SSL certificate for authentication. Choose the certificate you received on initial enrollment.

    The Agent Services entry page appears.



  3. Click Services Summary.

    The Services Summary page appears, giving you access to all the gateways.



  4. Click End Users Services.

    The Enrollment tab for the non-SSL end-entity gateway appears.

  5. Click the Retrieval tab.

    The form that appears is for the first option, List Certificates.

  6. Type 0x0 into the field labeled "Lowest serial number," then click Find to list the certificates that the Certificate Manager has issued so far.

    If you followed the instructions in this chapter exactly, you should see three certificates listed: the CA signing certificate (CN=Demo CA), the Certificate Manager SSL server certificate (CN=<your hostname>), and your initial agent certificate (CN=CMS administrator).

  7. Use the browser's Back button to go back to the Services Summary page. (For example, when using Communicator, press and hold the mouse button while it's over the Back button, then choose Index from the pop-up menu.)


Enrolling for a Certificate From the End-Entity Gateway

After following the previous procedure, your browser will be at the Services Summary page. Follow this procedure to submit an enrollment request through the end-entity gateway.

  1. Click SSL End-Users Services.

    The Enrollment tab for the SSL end-entity gateway appears.

  2. Use the Manual User Enrollment form that appears to enroll for a certificate.

    For Full Name, type the name User1, so you will recognize this certificate as distinct from your administrator's certificate. When you have finished filling it out, submit the form.

  3. Follow the instructions your browser presents as it generates a key pair.

    After the key pair has been generated, the Certificate Manager displays a notice that the certificate request has been submitted, including a request ID.

  4. Use the browser's Back button to go back to the Services Summary page. (For example, when using Communicator, press and hold the mouse button while it's over the Back button, then choose Index from the pop-up menu.)


Finding and Approving a Certificate Request

After following the previous procedure, your browser will be at the Services Summary page. Follow this procedure to approve the enrollment request you just submitted. This procedure will issue a certificate from the request that can be used as an agent certificate.

  1. Click Agent Services, then click Certificate Manager Agent Services.

    To access this page, your browser must present your client SSL certificate to authenticate your identity.

  2. If a dialog box appears requesting that you select a certificate, select the certificate name that begins with CMS Administrator.

    The first form for the Agent Services gateway appears—the List Requests form.

  3. Select "Show enrollment requests" for Request Type.

  4. Select "Show Pending Requests" for Request status, and then click Find.

    One request should be returned: the request you just made through the SSL end-user gateway, which is marked as pending.

  5. Click the Details button next to the pending request.

  6. Scroll down to the last section of the Request Details form, labeled Privileges.

  7. Select the checkbox labeled "This certificate is for a Certificate Manager agent," then type a user ID for the new agent.

    This user ID can be the same (User1) that you specified in the certificate request, or it can be some other ID that you want to use to identify this agent in the CMS window of iPlanet Console, such as Agent1.

  8. At the bottom of the form, select "Accept this request" and click Do It.

    The certificate is issued immediately. The Request Details form is replaced by a form announcing that the certificate has been generated, along with its serial number.

  9. Click Show Certificate to view the new certificate.

    At the bottom of the page is a button labeled Import Your Certificate. Normally, you would mail this page to the requestor, or the Certificate Manager would mail the requestor an automatic notification containing the certificate and instructions.

  10. Since you made the request yourself from this computer, go ahead and click Import Your Certificate to import the certificate into your browser.

You have now designated User1 as an agent. Since you have already issued a certificate in the name of User1, you can now present that certificate to access the Agent Services pages. User1 is an agent, but not an administrator; as User1, you can manage certificate requests, but you cannot access iPlanet Console's CMS window to configure the system.


Setting Your Browser to Use the Agent Certificate

To verify that the User1 certificate really can access the agent pages, you must first set your browser to use the User1 certificate to identify you to web sites. To do this in Communicator 4.x, for example, follow these steps:

  1. Click the Security button in the Navigation toolbar near the top of the window.

  2. Click Navigator in the left-hand frame.

  3. From the drop-down list labeled "Certificate to identify you to a web site," select your User1 certificate.

  4. Click OK.


Testing Your New Certificate

Clear the browsers cached security information so that it will ask for a new certificate when you view the agent gateway.

  1. Go to any other web page that is not part of Agent Services (such as http://www.sun.com).

  2. Return to the Agent Services pages at the URL for the SSL agent port that you specified.

    For example: https://myhost.mydomain.com:8100

    You should be able to access the Agent Services pages without any difficulty, as long as you are using the same computer from which you requested and imported the User1 certificate.

Before you continue, you might want to try accessing the new installation from another computer and with a different login. Try enrolling for user certificates from there, using both the SSL and non-SSL end-user gateways. If you wish, you can also enroll for additional agent certificates. You will have to return to the computer from which you requested and imported your CMSAdmin and User1 certificates to access the Agent Services pages and approve the requests.


Create a Policy

Policies are rules that you define that are applied to requests before a certificate is issued. Certificate Management System provides configurable policies that allow you to enforce your organization's requirements for certificates. You can configure different policies to be applied to different requests based on criteria such as the type of request or which Registration Manager or Certificate Manager received the request. You can find out more about policies in Chapter 18 "Setting Up Policies."

In a real PKI deployment, you would probably formulate your policies before installing any software, and configure how the policies will be implemented before issuing any certificates. For this demonstration, you will implement a simple but very useful rule before you start issuing certificates.

You will create a policy that requires all certificate requests use RSA key pairs that are 1024-bit or longer. This ensures that all of the certificates you issue meet a minimum level of security. Later, you will try to enroll for a certificate using a shorter-length key pair (512 bits) to show how the request is rejected automatically by the policy.

Policies do not always result in acceptance or rejection: they can also be used to modify certificate attributes such as the validity period or certificate extensions. In the "Create a Policy" exercise, you create a policy that will reject requests that do not have at least 1024-bit keys. In the "Use an LDAP Directory" exercise, you will try to enroll using a 512-bit key to see how the policy works.


Configuring an RSA Key Length Policy

  1. Start iPlanet Console:

    • On a Windows NT system, click Start, then choose Programs, then iPlanet, then iPlanet Console.

    • On a UNIX system, open a command shell, change to the directory
      /usr/iplanet/servers, and execute the file startconsole.

  2. Log in as admin, giving the password <admin password>.

    The main window of iPlanet Console appears.

  3. In the navigation tree on the left, open your computer, then open Server Group.

  4. Select the CMS instance (cert-demoCA).

  5. In the Certificate Management System panel at the right, click Open.

  6. Log in as CMSadmin, giving the password <CMS password>.

    iPlanet Console's CMS window appears, showing the Tasks tab.

  7. In the CMS window, click the Configuration tab.

  8. In the navigation tree on the left, open the Certificate Manager folder and click Policies.

  9. From the list of policies in the Policy Rules Management tab, select RSAKeyRule (the second policy in the list) then click Edit/View.

  10. In the Policy Editor dialog box, provide the following information:

    minSize: 1024
    maxSize: 2048
    exponents: accept the default setting
    enable: true
    predicate: HTTP_PARAMS.certType==client

    The predicate indicates that this policy will be applied to certificate requests for client certificates only. The minSize sets the minimum allowed length for the RSA key pair used to generate the request; requests with shorter RSA keys will be rejected. The policy is turned on for all requests to this Certificate Manager by setting enabled to true.

  11. Click OK to save the changes. The RSAKeyRule should now be listed as enabled in the Policy Rules Management tab.

That is all you need to do. The policy will now be enforced on all requests for client certificates. You will see how this policy works in the next part of the demonstration when you enroll for a client certificate.


Use an LDAP Directory

To test using Certificate Management System with an LDAP directory, you will use iPlanet Console's CMS window to enable directory-based authentication using the configuration directory that you installed with the demo. You will add a user (User2) to the directory, then enroll for a certificate as User2, using directory-based enrollment.

You will first try to enroll using 512-bit keys; the enrollment will fail because of the policy requiring 1024-bit keys. After you submit a new request with a 1024-bit key, Certificate Management System should authenticate the user information in the directory and issue the certificate automatically.

To use directory-based authentication to enroll entities:

You can find out more about authentication in Chapter 15 "Setting Up End-User Authentication."


Step 1. Enable Directory-Based Authentication

To enable directory-based authentication for the Certificate Manager:

  1. If the CMS console window is not still open, start iPlanet Console again (or go back to the main window) and open the window for Certificate Management System.

  2. In the CMS console window, select the Configuration tab, then select Authentication in the navigation tree.

  3. On the Authentication Instance tab, click Add.

  4. In the Select Authentication Plugin Implementation dialog box, select UidPwdDirAuth and click Next.

  5. In the Authentication Instance Editor dialog box, provide the following information:

    Authentication Instance ID: UserDirEnrollment
    dnpattern: cn=$attr.cn,c=US
    ldapStringAttributes: Leave blank
    ldapByteAttributes: Leave blank
    ldap.ldapconn.host: <hostname>
    ldap.ldapconn.port: 389
    ldap.ldapconn.secureConn: false
    ldap.ldapconn.version: 3
    ldap.basedn: o=<your domain>.<domain>
    ldap.minConns: 3
    ldap.maxConns: 5

  6. Click OK.


    Note If you leave the dnpattern field blank, the dnpattern used by default is E=$attr.mail,CN=$attr.cn,O=dn.o,C=$dn.c. This pattern works well with Communicator and other browsers. For the demo, you used a simpler dnpattern to avoid configuring other things. The simpler pattern should not be used for a real deployment. End-entity certificates for use with S/MIME may not work correctly if the E attribute is not present. Certificate display will not work correctly if the C and O attributes are left out.



Step 2. Add a User to the Directory

The users and groups of your organization are kept in the organization's global directory. Since you are using the configuration directory that you installed with the demo to simulate such a global directory, you must add a user to the configuration directory's user and groups subtree. (Notice that this is a different operation from adding a user or group to the Certificate Manager's internal database.)

To add a user to the configuration directory's subtree for users and groups:

  1. Start iPlanet Console again, or go back to the main window.

  2. Select the Users and Groups tab and click Create (in the lower right corner).

  3. In the Select Organization Unit dialog box, select People and click OK.

  4. In the Create User dialog box fill out the required fields as follows:

    First Name: User
    Last Name: Two
    Full Name: User Two
    User ID: User2
    Password: <User2 password>
    Confirm password: <User2 password>
    E-Mail: <your email address>



  5. Click OK.

    You can see that User Two has been added to the list of users.


Step 3. Enroll with Directory-Based Authentication

Now that there is a user in the authentication directory, you can test directory-based authentication. In order to show the key length policy working, you will request the certificate using a 512-bit key first, then change the request to use a 1024-bit key.

  1. Open a browser window and go to the Certificate Manager's end-entity interface: https://<machine_name>.<your_domain>.<domain>:444

  2. In the Enrollment panel under User Enrollment, click Directory-based.

  3. Fill out the enrollment form as follows:

    User ID: User2
    Password: <User2 password>
    Key Length: Select 512 (Low Grade)

  4. Click Submit.

    A dialog box asks whether to generate a private key.

  5. Click OK, and provide your key database password if requested.

    After the key is generated, your browser submits the certificate request to the Certificate Manager. The Certificate Manager verifies the request against all applicable policies (including the RSA key length policy for client certificates you configured earlier). The response from the server will be a Request Rejected page explaining that the request violated the RSAKeyRule policy.

  6. Use your browser's Back button to return to the Directory-based enrollment form. If the identity information is no longer present, enter the User ID and Password again.

  7. Change the Key Length setting to 1024 (High Grade), and click Submit.

    A dialog box asks whether to generate a private key.

  8. Click OK, and provide your key database password if requested.

    The new certificate is issued immediately and installed in your browser.

Next, you will configure Certificate Management System to publish (in the directory) the certificate you just issued.


Publish Certificates to an LDAP Directory

In any PKI there are things that you need to publish to make them available to entities. Certificate revocation lists (CRLs), for example, can be made available at a well known URL so that clients and servers can check them as needed instead of fetching and storing the list every time it is updated. In a PKI where people need to exchange encrypted files or email, you do not want each person to have to store everyone else's public key; instead, you can publish certificates to a directory or database and allow users to look up public keys as needed.

In this example, you will configure a Certificate Manager to publish new certificates to an existing directory (the configuration directory that iPlanet Console uses).

To publish certificates to a directory, you must configure information about the destination directory, configure the rules for publishing to it, then update the directory. Updating the directory publishes certificates that were issued before publishing was enabled; certificates issued later will be published automatically as they are issued.

Before you change the configuration you should understand the basics of the flexible components that make up the Certificate Management System publishing system: mappers, publishers, and rules.

Mappers translate objects (such as certificates) in the internal database into some other form for publishing. You will configure an LDAP mapper to translate the user name in a client certificate request to a distinguished name (DN) in the publishing directory.

Publishers are objects that actually publish the data. You will not configure the publisher here, but the LdapUserCertPublisher finds the DN that the mapper produces and adds a certificate attribute to its entry. The value of the attribute, of course, is the client certificate (in a binary form).

Rules coordinate the use of a mapper with a publisher for objects that meet certain conditions. The conditions may simply require a certain type of object (such as a client certificate). A condition may also assert some additional requirement (a predicate) that must be true about that type of object in order to invoke the rule. You will not configure any rules in this example. By default, the Certificate Manager uses a rule to coordinate the LdapUserCertMap and the LdapUserCertPublisher for publishing client certificates.


Configure the Publishing Destination

To enable publishing and configure the directory where certificates will be published:

  1. If the CMS window is not still open, start iPlanet Console again (or go back to the main Console window) and open the window for Certificate Management System.

  2. Open the Certificate Manager folder and select Publishing.

  3. Check the Enable Publishing checkbox then the Enable LDAP Publishing checkbox.

    The Destination area becomes editable.

  4. Enter information in the Destination area to identify the directory to which you want to publish (use the configuration directory, where User Two's entry is stored):

    Host Name: <machine_name>.<your_domain>.<domain>
    Port Number: 389
    Directory Manager DN: cn=Directory Manager
    Password: <dir mgr password>
    Password (again): <dir mgr password>
    Version: 3
    Authentication: Basic authentication

  5. Click Save.

    A dialog box appears that indicates whether Certificate Management System is able to connect, authenticate, and bind to the directory.

    If your configuration is not successful, make sure that the entries you make in the Destination area correspond to how you configured the Configuration Directory Server when you ran the setup program.

Directory publishing is now enabled. Certificate Management System will publish any new certificates to the directory according to the publication rules. The next step is to set those rules.


Set Rules for Publishing Certificates

In this section, you configure Certificate Management System to map client certificates to People entries in the o=<your_domain.<domain> directory tree using the user ID from the certificate request.

To configure Certificate Management System to publish user certificates to an LDAP directory:

  1. Open the CMS console window and select the Configuration tab.

  2. Open the Certificate Manager folder and double-click Publishing.

  3. Below Publishing in the navigation tree, click Mappers.

  4. In the Mappers Management tab, select LdapUserCertMap and click Edit/View.

  5. Change the dnPattern parameter value to UID=$req.UID, OU=people, O=<your domain>.<domain>

    This pattern will cause the mapper to formulate a DN using the user ID from the certificate request (the data entered in the User ID field on the end entity enrollment form) and fixed values for OU and O.

  6. Click OK.

Certificate Management System can now publish user certificates in the configuration directory. You do not need to configure the Publisher or Rule. If you want to see more about how the rule works, look at the LdapUserCertRule under Rules (using the Edit/View button) and the LdapUserCertPublisher under Publishers.


Update the Publishing Directory

Your Certificate Manager is now configured to automatically publish newly issued client certificates. If you want to experience this, you can follow the instructions in "Step 2. Add a User to the Directory" and "Step 3. Enroll with Directory-Based Authentication" again to add a new user and enroll for a certificate.

Use the procedure in this example to view the new user's directory entry and see the certificate published automatically (certificates are published every 20 minutes, so you may need to wait a few minutes before a new certificate is published).

In the example here, you conclude by manually updating the directory with the issued (but unpublished) certificate for User Two. You will look at User Two's directory entry before and after publishing to see how the entry changes.

To view the directory entry for User Two:

  1. Go to the iPlanet Console main window, select the configuration directory (configdir) in the navigation tree, and then click Open.

  2. Click the Directory tab.

    The directory information trees are represented in the navigation tree on the left.

  3. Open the entry for your domain (for example, siroe.com).

  4. Select the People node in the entry for your domain.

    The right side of the window lists the People entries. (If you have followed the examples, User Two will be the only entry.)

  5. Double-click the User Two entry to open the Edit Entry dialog box.

  6. Click Advanced at the bottom of the dialog box to see all of the attributes for User Two in the Property Editor dialog box.

    User Two has attributes for Email address, First name, etc., but no certificate.

  7. Click Cancel to close the Property Editor dialog box, but leave the Edit Entry dialog box open if you can: you will open the Property Editor again after you manually publish certificates.

To publish certificates to the directory manually:

  1. In a browser, go to the URL for the SSL agent port. For example:

    https://myhost.mydomain.com:8100/

    If you are asked to select a certificate for client authentication, be sure not to choose the certificate for User Two since that user does not have administrative privileges.

  2. Select Certificate Manager Agent Services.

  3. Select Update Directory Server from the list on the left.

  4. Check the first checkbox, labeled "Update everything in the database to the directory," then click Update Directory.

    After a few seconds a results page displays. Most of the entries will indicate failures because in this example you did not configure publishing rules for most of the object types in the internal database.

    The third item in the list should read "Valid certificates have been published in the directory." This means that publishing client certificates was successful.

  5. Return to the Edit Entry dialog for User Two (repeat the previous procedure if necessary) and click Advanced to open the Property Editor.

    The first attribute listed is now the Certificate for User Two. The certificate is in an unreadable binary form, so you do not see any actual data.

You have successfully configured the Certificate Manager to publish client certificates to an LDAP directory.


Send Renewal Reminders

Certificate Management System provides a facility for scheduling automatic jobs. The jobs facility can help you manage the certificate lifecycle by automating processes such as removing revoked certificates from your data store or notifying end-entities when their certificates are about to expire.

This exercise will show you how to use the jobs facility to send out automatic renewal reminders to entities. You will configure Certificate Management System to send email to entities starting 400 days before the certificate expires. In a real deployment, of course, you would probably not start reminding certificate holders to renew until 30 days before expiration. You will see the email that is sent to a certificate holder and a summary report of all notices that can be sent to a CMS agent.

To complete this exercise, you need to have access to a host that can receive Simple Mail Transfer Protocol (SMTP) requests and send mail. By default, Certificate Management System configures localhost (the machine on which it is running) as the mail server. Many UNIX hosts run SMTP daemons (such as sendmail) in their default configurations, so in UNIX you may not need to change the CMS defaults. Windows NT systems, however, do not typically run SMTP daemons by default and you will probably need to configure the SMTP settings in Certificate Management System.

If you are sure that the machine on which Certificate Management System is running is also capable of receiving SMTP requests on port 25, skip to Configuring Certificate Management System to Send Renewal Reminders.

Otherwise, find out the name of host that can accept SMTP requests and follow the next procedure, Configuring a Mail Server for Certificate Management System, to configure Certificate Management System.


Configuring a Mail Server for Certificate Management System

To configure the server from which Certificate Management System can send mail:

  1. Open the CMS console window and select the Configuration tab.

  2. Click the SMTP tab.

  3. Type the hostname of your mail server in the "Server name" field.

  4. Enter the port number your server uses for SMTP in the Port Number field.

    If you are certain that your server uses a port number other than 25 for SMTP, enter it in the "Port number" field. However, it is unlikely that any server uses a different number for the well-known SMTP service.

  5. Click Save.


Configuring Certificate Management System to Send Renewal Reminders

To configure Certificate Management System to send renewal reminders:

  1. Open the CMS console window and select the Configuration tab.

  2. Open Job Scheduler in the navigation tree.

  3. Select Jobs.

  4. Select certRenewalNotifier in the Job Instance tab.

  5. Click Edit/View.

    The Job Instance Editor dialog box displays. By default this job is enabled and scheduled to notify end-entities 30 days before their certificates expire. You will change the settings so that renewal notices begin 400 days before the certificate expires (so you will get notices for the certificates issued during this demonstration). You will also send notices every minute (instead of every day) so that you get an immediate message, and send a summary report to yourself.

  6. Make sure the following parameters have the listed values:

    enabled: true
    cron: * * * * * (include spaces between the asterisks)
    notifyTriggerOffset: 400
    senderEmail: <your email address>
    summary.enabled: true
    summary.recipientEmail: <your email address>
    summary.senderEmail: <your email address>

  7. Click OK.

  8. Select Job Scheduler in the Configuration tab's navigation tree.

    The next step will turn on the Job Scheduler. Once the scheduler is enabled you will receive at least two email messages every minute. Make sure you turn off the Job Scheduler after a few minutes to avoid a flood of email messages.

  9. Select the Enable Jobs Scheduler checkbox.

  10. Click Save.

    You should begin receiving email after one minute.

  11. After the scheduler has been running for a few minutes, deselect the Enable Jobs Scheduler checkbox.

  12. Click Save.

  13. Check your email.

    You will have at least two messages.

    Messages with the subject "Certificate Renewal Notification" are examples of notices sent to end entities. By default, these are sent to the address in the email (E) attribute in the certificate subject. These messages explain that the certificate is going to expire on a certain date, and they provide a URL for an end-entity gateway where the certificate can be renewed.

    Messages with the subject "Certificate Renewal Notification Summary" are examples of the summary report sent to the address in the job's summaryRecipientEmail parameter (usually a CMS agent). These messages list all of the certificates that are about to expire (according to the job's notifyTriggerOffset parameter) and whether or not the Certificate Manager succeeded in sending a renewal notice.

    The message content, format, and subject are all customizable, so in a real deployment you can create messages that better suit your organization.

You have now completed the default demo. Before you attempt to install more sophisticated pilots or a full-scale deployment, you should read Chapter 4 "Planning Your Deployment" and the chapters that follow.

After you are finished using the demonstration installation, remove it from your system. For instructions, see Uninstalling Certificate Management System.  


Previous     Contents     Index     Next     
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated October 07, 2002