Netscape Certificate Management System Administrator's Guide: Administration Tasks and Tool


Chapter 2 Administration Tasks and Tool

In administering Netscape Certificate Management System (CMS), you perform server-specific tasks such as starting, stopping, and restarting the server; changing configuration; configuring certificate issuance and management policies; adding or modifying privileged-user and group information; setting up authentication mechanisms for users who may request services from the server; performing routine server maintenance tasks; monitoring logs; and backing up server data.

To enable system administrators to accomplish these server-specific tasks quickly and easily, Certificate Management System provides a GUI-based administration tool, called the CMS window, within Netscape Console. This chapter provides an overview of both Netscape Console and the CMS window.

Note: You can use Netscape Console for managing various network resources. However, this chapter's focus is on using Netscape Console for CMS administration. For complete information about Netscape Console, see Managing Servers with Netscape Console, which is included with the CMS documentation.


Netscape Console
Netscape Console is a stand-alone Java application that provides a GUI-based front end to all network resources registered in an organization's configuration directory. This unified administration interface (shown in Figure 2.1) simplifies network administration by supplying access points to all Netscape version 4.x server instances installed across a network. Similarly, it simplifies basic user and group management by providing a unified administration interface to the user directory.

Figure 2.1 Main Netscape Console window, with a CMS instance selected in the Console tab

Console Tab

For any given instance of Netscape Console, the limits of the network it can administer are defined by the set of resources whose configuration information is stored in the same configuration directory--that is, the maximum set of hosts and servers that can be monitored from Netscape Console. The superadministrator (the person who manages the configuration directory) can set access permissions on all network resources registered in the configuration directory. Thus, for a given administrator using Netscape Console, the actual number of visible servers and hosts may be fewer, depending on the access permissions that the administrator has.

The Console tab displays all servers registered in a particular configuration directory, giving you a consolidated view of all the server software and resources under your control. What you control is determined by the access permissions the superadministrator has set up for you.

From this view you can perform tasks across arbitrary groups or a cluster of servers in a single operation. In other words, you can use the Console tab to manage a single server or multiple servers that are installed on different ports on one machine. Also, you can access individual server windows (or administration interfaces) by double-clicking the icons for the corresponding server instance entries (SIEs).

With the exception of Certificate Management System, all server instances displayed on the Console tab store their configuration information in the same configuration directory. For security purposes, Certificate Management System uses file-based configuration which is stored locally on the host system; during installation, the server registers only its SIE in the configuration directory. For details about this file, see "Configuration".

You can accomplish various CMS-specific tasks from the Console tab:

Users and Groups Tab

The Users and Groups tab (shown in Figure 2.2) manages user accounts, group lists, and access control information for individual users and groups. All applications registered within the Netscape Console framework share core user and group information in the user directory, which typically is a global directory for corporatewide user data.

Figure 2.2 Users and Groups tab of Netscape Console

From this tab, you can accomplish various user- and group-specific tasks, such as these:

Netscape Administration Server

Netscape Administration Server is a web-based (HTTP) server that enables you to configure all your Netscape version 4.x servers, including Certificate Management System, through Netscape Console. Administration Server (and the configuration directory) must be running before you can configure any of these servers. It is included with all Netscape servers and is installed when you install your first server in a server group. A server group refers to servers that are installed in a server root directory and that are managed by a single instance of Netscape Administration Server.

You access Administration Server by entering its URL in the Netscape Console login screen. This URL is based on the computer host name and the port number you chose when you installed Certificate Management System. The format for the URL looks like this:

http://<machine_name>.<your_domain>.<domain>:<port_number>

Whenever you try to gain access to Administration Server, you will be prompted to authenticate yourself to the configuration directory by entering your user ID and password. These are the administrator user name and password that you specified when you installed Certificate Management System (or the first server in the server group) and Administration Server on your computer. Once Administration Server is running, you can use Netscape Console to administer all servers in that group, including Certificate Management System.

For complete details about Netscape Administration Server, see Managing Servers with Netscape Console. To locate an online version of this book, go to <server_root>/manual/index.html.

Starting Administration Server

The CMS installation program automatically starts the instance of Administration Server that you identified during installation for monitoring Certificate Management System. If you stopped Administration Server after installation, you must start it before you can administer Certificate Management System from the CMS window.

You can start the server from Netscape Console, the command line, or the Windows NT Services panel.

    1. Log in to Netscape Console (see "Logging In to Netscape Console").
    2. In the Console tab, locate the Administration Server instance that you want to start, and double-click the corresponding entry.

       The Administration Server window appears.

    3. In the Tasks tab, click Start the Server.

Shutting Down Administration Server

It is good security practice to shut down Administration Server when you are not using it. This minimizes the chances of someone else changing your configuration.

You can shut down the server from Netscape Console, the command line, or the Windows NT Services panel.

    1. Log in to Netscape Console (see "Logging In to Netscape Console").
    2. In the Console tab, locate the Administration Server instance that you want to shut down, and double-click the corresponding entry.

       The Administration Server window appears.

    3. In the Tasks tab, click Stop the Server.
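
To confirm that Administration Server really is down after you stop it, the following added example (not part of the original guide) parses an Administration URL in the format shown above and reports whether anything still accepts TCP connections on that port. The function names and the three result strings are this example's own.

```python
import socket
import sys
from urllib.parse import urlsplit


def parse_admin_url(url):
    """Split http://<machine_name>.<your_domain>.<domain>:<port_number>
    into (host, port), rejecting URLs that do not match that format."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("expected an http:// Administration URL")
    host = parts.hostname  # urlsplit lower-cases the host name
    if not host or len(host.split(".")) < 3:
        raise ValueError("expected <machine_name>.<your_domain>.<domain>")
    port = parts.port  # raises ValueError if non-numeric or out of range
    if not port:
        raise ValueError("give the port chosen at installation explicitly")
    return host, port


def admin_server_state(url, timeout=3.0):
    """Return 'listening', 'closed' or 'unknown' for the URL's host and port."""
    host, port = parse_admin_url(url)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"   # something accepts connections: still running
    except ConnectionRefusedError:
        return "closed"          # host answered, nothing bound to the port
    except OSError:
        # Timeout, DNS failure or filtered port: this proves nothing about
        # whether the server is stopped, so do not report it as closed.
        return "unknown"


if __name__ == "__main__":
    # Usage: python check_admin.py http://<machine_name>.<your_domain>.<domain>:<port_number>
    for arg in sys.argv[1:]:
        print(arg, admin_server_state(arg))
```

Only a result of closed shows that nothing is bound to the port; treat unknown as a reason to check the host directly.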

Logging In to Netscape Console
You can launch and use Netscape Console only when the configuration directory and Administration Server are running. If the servers are not running, go to the command line and start them. For information on starting Administration Server from the command line, see "Starting Administration Server". For information on starting the configuration directory, check the Netscape Directory Server documentation.

When you launch Netscape Console, it displays a login window. You are required to authenticate to the configuration directory by entering your administrator's ID, your password, and the URL (including port number) of the Administration Server representing a server group to which you have access. You cannot use Netscape Console without having login access to at least one server group on your network.

  1. Open the Netscape Console application by using the appropriate option:
  2. Authenticate yourself to the configuration directory.

    User ID. Type the administrator ID you specified when you installed Administration Server on your machine. You installed Administration Server either when you installed your first Netscape 4.x server or as a part of CMS installation.

    Password. Type the administrator password that you specified when you installed Administration Server on your computer during CMS installation.

    Administration URL. This field should show the URL to Administration Server. If it doesn't or if it doesn't have the URL of Administration Server that you want, type the URL in this field. The URL is based on the computer host name and the Administration Server port number you chose when you installed Certificate Management System. Use this format:

    http://<machine_name>.<your_domain>.<domain>:<port_number>

    For example, if your domain name is siroe and you installed Administration Server on a host machine called myHost and specified port number 12345, the URL would look like this:

    http://myHost.siroe.com:12345

  3. Click OK.

    Netscape Console appears with a list of all the servers and resources under your control (see Figure 2.1).


The CMS Window
The CMS window is a GUI-based administration interface that allows you to perform day-to-day operational and managerial duties for Certificate Management System. You launch the CMS window from within Netscape Console (see Figure 2.3). You can use the CMS window to access the server locally or remotely.

Figure 2.3 Certificate Management System window, launched from Netscape Console

The CMS window has three separate tabs, each addressing specific administrative areas: the Tasks tab, the Configuration tab, and the Status tab.

Tasks Tab

The Tasks tab allows you to perform frequently required tasks. From this tab, you can start, stop, and restart the server.

For details on these common tasks, see "Stopping Certificate Management System" and "Restarting Certificate Management System".

Configuration Tab

The Configuration tab allows you to view the current server configuration settings and change them.

Table 2.1 provides details about the tasks you can accomplish from this tab. You access specific settings by selecting an entry in the navigation tree and working with the tabs that appear in the right pane.

Table 2.1 Tasks you can accomplish from the Configuration tab

Task
    Description

Configuring network settings
    This involves operations such as the following:
    For details, see "Configuring Ports, Database, and SMTP Settings".

Configuring the internal database settings
    This involves specifying the host name and port number of the directory server that Certificate Management System should use for storing data. For details, see "Internal Database".

Managing CMS keys and certificates
    This involves operations such as the following:

Configuring SMTP settings
    This involves specifying the host name and port number of the mail server that Certificate Management System should use for sending email notifications. For details, see "SMTP Settings".

Setting up privileged users
    This involves operations such as the following:

Determining authentication for end users
    This involves operations such as the following:

Scheduling jobs
    This involves operations such as the following:

Enabling automated notifications
    This involves operations such as the following:

Configuring certificate issuance and management policies
    This involves operations such as the following:
    For details, see "Setting up Policy Rules for a Subsystem".

Publishing certificates and CRLs
    This involves operations such as the following:

Managing CMS logs
    This involves configuring system, error, and audit logs maintained by Certificate Management System. For details, see "Configuring Logs".

Configuring the Data Recovery Manager
    This involves configuring the Data Recovery Manager for archival and recovery of end users' encryption private keys. For details, see "Recovering Encrypted Data".

Backing up and restoring CMS data
    This involves operations such as the following:
    For details, see "Backing Up and Restoring Data".

Status Tab

The Status tab allows you to monitor the server by viewing the contents of various logs maintained by Certificate Management System.

You can monitor active as well as rotated log files. For details, see the following sections:


Logging In to the CMS Window
You access the CMS window from Netscape Console. For details on Netscape Console, see "Netscape Console".

The Console tab of Netscape Console contains a list of network resources that are under your control. In this list you can identify CMS instances by their icons or by server identifiers you specified during installation (for example, you may have named a CMS instance ABC Corp CA).

To open the CMS window for a specific CMS instance:

  1. Log in to Netscape Console (see "Logging In to Netscape Console").
  2. In the Console tab, select the Server Group that contains the CMS instance you want to use as your source.
  3. In the navigation tree, locate the CMS instance you want to administer.
  4. Select the instance and click Open or double-click the corresponding entry.

    If the selected server is not running, you are asked to start the server first. In that case, start the server, and then repeat steps 2 through 4. For information on starting the server, see "Starting Certificate Management System".

    If the selected server is running, you are prompted to authenticate to Certificate Management System.

  5. Enter the appropriate information:

    User ID. If you are logging in for the first time, type the Certificate Administrator ID; you specified this user ID during installation (so that you could log in to the CMS window without having to create privileged-user entries). Otherwise, type your privileged-user ID (administrator ID).

    Password. If you are logging in for the first time, type the Certificate Administrator password; you specified this password during installation (so that you could log in to the CMS window without having to create privileged-user entries). Otherwise, type your privileged-user (administrator) password; see "Administrators".

    Upon successful authentication, the CMS window appears (Figure 2.3).

Note: Accessing the CMS window is a privileged operation that is restricted to CMS administrators. After you log in for the first time, create at least one user in each of the default groups; see "Groups and Their Privileges".

 

Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.