Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling CMS Instances
Chapter 5: Starting and Stopping CMS Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Authentication Modules for End-Entity Enrollment
Chapter 11: Using the PIN Generator Tool
Chapter 12: Configuring Authentication for End Users
Chapter 13: Developing Custom Authentication Modules
PART 5: Job Scheduling and Notification
Chapter 14: Introduction to Job Scheduling and Notifications
Chapter 15: Configuring Schedulable Jobs
PART 6: Policies
Chapter 16: Introduction to Policy
Chapter 17: Constraints-Specific Policy Modules
Chapter 18: Extension-Specific Policy Modules
Chapter 19: Configuring a Subsystem's Policies
PART 7: Publishing
Chapter 20: Introduction to Publishing Certificates and CRLs
Chapter 21: Modules for Publishing Certificates and CRLs
Chapter 22: Configuring a Certificate Manager for Publishing
PART 8: Agent and End-Entity Interfaces
Chapter 23: Introduction to End-Entity and Agent Interfaces
Chapter 24: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 25: Introduction to Logs
Chapter 26: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 27: Issuing and Managing End-Entity Certificates
Chapter 28: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool
Netscape Certificate Management System Administrator's Guide: Configuring Authentication for End
Previous Next Contents Index Bookshelf


Chapter 12 Configuring Authentication for End Users

Netscape Certificate Management System (CMS) provides a customizable authentication component that supports various methods for authenticating end users. This chapter explains how to configure a Certificate Manager and Registration Manager to use specific authentication plug-in modules for authenticating end users during certificate enrollment.

Before reading this chapter, you should have read the chapters "Introduction to Authentication"and "Authentication Modules for End-Entity Enrollment". In particular, you should be familiar with the various plug-in modules for authenticating end users that come with Certificate Management System. If you are not, see "Overview of Authentication Modules".

The chapter has the following sections:


Authentication Management
You can manage end-user authentication in two ways:

The recommended method is to use the CMS window.

Authentication Management From the CMS Window

Figure 12.1 shows the CMS window, which provides the user interface for configuring and managing the end-user authentication.

Figure 12.1 End-user authentication information in the CMS window

In the navigation tree of the CMS window, you will find a single Authentication object. Selecting this object shows the authentication modules and instances currently recognized by this instance of Certificate Management System. From this window you can do the following:

The sections that follow describe the parts of the window from which you carry out these operations.

Authentication Instance Tab

The Authentication Instance tab lists the currently configured authentication instances, so that you can manage them at a single place. From this tab you can perform the following operations:

Add. The add operation shows a list of registered authentication plug-in modules from which you can select the one you want to configure. When you save the changes, Certificate Management System creates the new authentication instance and displays it in the list of authentication instances. For instructions, see "Step 4: Add an Authentication Instance".

Delete. The delete operation allows you to remove unwanted authentication instances from the CMS configuration. For instructions, see "Deleting an Authentication Instance".

Edit/View. The edit operation allows you to view and modify the configuration parameter values of currently configured authentication instances. For instructions, see "Modifying an Authentication Instance".

Authentication Plugin Registration Tab

The Authentication Plugin Registration tab lists the currently registered authentication plug-in modules for the selected CMS instance and gives you access to the window from which you can register new authentication plug-in modules. On this tab you will find the names of registered modules listed on the left and the path to the Java class that implements the module listed on the right.

You can perform the following operations from this tab:

Register. This operation allows you to register a new authentication plug-in module. When you save the changes, Certificate Management System loads the authentication plug-in implementation and displays it in the list of registered modules. For instructions, see "Registering an Authentication Module".

Delete. This operation allows you to remove unwanted authentication plug-in modules from the CMS framework. For instructions, see "Deleting an Authentication Module".

Authentication Parameters in the Configuration File

The sample configuration file shown on page 89 illustrates how authentication-specific information appears in the configuration file. Keep the following points in mind:

To change the configuration by editing the configuration file, follow the instructions in "Changing the Configuration by Editing the Configuration File".


Managing Authentication Instances
This section explains how to use the CMS window to do the following:

For information on adding or changing authentication-specific information in the configuration file, see "Authentication Parameters in the Configuration File".

Setting Up Authentication for End-User Enrollment

To set up a Certificate Manager and Registration Manager to authenticate end users based on a specific criteria, follow these steps:

Note If you do not configure a Certificate Manager or Registration Manager to use any of the registered authentication plug-in modules, the server uses manual authentication for end-user enrollment. This means that all end-user enrollment requests are queued for agent approval. For more information, see "Manual Authentication".

Step 1: Find the Required Information

Before setting up a Certificate Manager or Registration Manager to use a specific authentication method:

The next step depends on the authentication module you chose:

Step 2. Set Up the Directory for PIN-Based Enrollment

Go through this step only if you want to configure the server to use the directory- and PIN-based authentication method (with or without PIN removal).

To set up a directory for PIN-based authentication method:

Step A. Check the Directory for User Entries

Before you run the PIN Generator tool, make sure that the directory you intend to use for generating PINs has been populated with end-user entries that require PINs. It is also a good idea to confirm with that directory's administrator that all pending directory requests have been processed before the PIN Generator starts its operation.

Step B. Update the Directory

By default, the PIN Generator modifies the pin attribute in a directory's user entry (see "Arguments"). Because this attribute is not part of the standard organizationalPerson, you need to add it--that is, create a new object class (named pinPerson) in your authentication directory's schema.

In general, you need to update the slapd.user_at.conf file to include the pin attribute and the slapd.user_oc.conf file to include the object-class definition. The modified schema should look similar to this:

attribute pin bin

objectclass pinPerson

In addition, if you want to make use of the PIN-removal feature--that is, remove a user's PIN from the directory after Certificate Management System successfully authenticates that user and thus prevent the user from enrolling for another certificate--ACIs must be set up on the directory to prevent end users from creating new PINs for themselves. To do this, you need to create an entry for a PIN manager user with read-write permission to the pin attribute.

The PIN Generator tool comes with a configuration file, named setpin.conf, which enables you to automate the process of updating the authentication directory with changes required for setting up PIN-based authentication. The configuration file is located in this directory:

<server_root>/bin/cert/tools

To make the required schema changes and add an entry for the PIN manager user:

  1. Go to this directory: <server_root>/bin/cert/tools
  2. Open the setpin.conf file in a text editor.
  3. Follow the instructions outlined in the file and make the appropriate changes.
  4. Typically, you will need to update the Directory Server's host name, Directory Manager's bind password, and PIN manager's password.

  5. Run the setpin command with its optfile option pointing to the setpin.conf file (setpin optfile=setpin.conf).
  6. The tool modifies the schema with a new attribute (by default, pin) and a new object class (by default, pinPerson), creates a pinmanager user, and sets the ACI to allow only the pinmanager user to modify the pin attribute.

    If the tool is able to update the directory with all the changes, you should see a status-update message, similar to the sample shown below:

    
    

    Adding attribute: ( pin-oid NAME 'pin' DESC 'User Defined Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.5' SINGLE-VALUE )

    .. successful

    
    

    Adding objectclass: ( pinPerson-oid NAME 'pinPerson' DESC 'User Defined ObjectClass' SUP 'top' MUST ( objectclass ) MAY ( aci $ pin )

    .. successful

    
    

    Adding user: cn=pinmanager,o=siroe.com

    .. successful

    
    

    modifying ACI for: ou=people,o=siroe.com

    .. successful

Step C. Prepare the Input File

This step is optional.

If you want to generate PINs for specific user entries or want to provide your own PINs, use an input file (to provide the tool with such information). For information on constructing an input file, see "Input File".

Step D. Run the Command Without the Write Option

Run the setpin command without the write option. Be sure to include the output option and bind to the directory as the PIN manager user. For details, see "The setpin Command".

The tool will write PINs to the specified output file; no changes are made to the directory yet. This will give you the opportunity to check the PINs (by looking at the output file) before updating the directory.

To run the command:

  1. Open a terminal window.
  2. Go to this directory: <server_root>/bin/cert/tools
  3. Run the setpin command with the appropriate arguments; be sure to point the optfile option to the file you've created (and not to the setpin.conf file).
Step E. Check the Output File

Check the output file to be sure it contains PINs for your users; the output should look similar to the one specified in "Output File".

Next, verify that the tool has assigned PINs to the correct users and that the PINs conform to the length and character-set restrictions you specified. If the output isn't what you want, run the command again with appropriate arguments. Repeat the process until the output file shows the results you want.

Step F. Run the Command Again with the Write Option

When you are sure about the results, run the command again (with exactly the same arguments) with the write option and the output option. The tool stores the hashed PINs in the directory. For information on how PINs are stored in the directory, see "How PINs Are Stored in the Directory".

Use the output file for delivering PINs to users after you complete setting up the required authentication method; see "Step 9. Deliver PINs to End Users".

Step 3. Enable the PIN Present Policy

This step is required for PIN-based enrollment with PIN removal only.

To deploy PIN-based enrollment with PIN removal effectively, the PIN present policy must be enabled and configured properly. This policy, if enabled, checks the authentication directory for a user's PIN when an end user requests a certificate and issues the certificate only if the PIN exits in the directory--thus preventing users from getting a certificate in the absence of a PIN. If you are not familiar with the role this policy plays in PIN-based enrollment, see "PIN Present Policy".

Unlike some of the other policy rules, Certificate Management System does not create an instance of the PIN present policy rule during installation. If you created this rule after installation, you can configure the server to use that rule. The instructions below explain how to create a new rule:

  1. Log in to the CMS window for the Certificate Manager (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, select Certificate Manager, and then select Policies.
  4. The Policy Rules Management tab appears. It lists currently configured policy rules.

  5. Click Add
  6. The Policy Plugin Implementation window appears.

  7. Select PinPresentConstraints and click Next.
  8. The Policy Rule Editor window appears. It lists the configuration information required for this policy rule.

  9. Enter the appropriate information.
  10. Policy Rule ID. Type a unique name that will help you identify the rule. Be sure to formulate the name using any combination of letters (aA to zZ), digits (0 to 9), an underscore (_), and a hyphen (-). For example, you can type My_Policy_Rule or MyPolicyRule as the instance name, but not My Policy Rule.

    enable. Check the box to enable the rule.

    predicate. Type the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank. Because the enrollment method is applicable for end user enrollments only, the typical predicate expression would be HTTP_PARAMS.certType==client. To form the correct predicate expression, see "Using Predicates in Policy Rules".

  11. Click OK.
  12. You are returned to the Policy Rules Management tab. If required, click the Reorder button and order the rules as appropriate. For details, see "Step 5. Reorder Policy Rules".

Step 4: Add an Authentication Instance

Adding an authentication instance to the CMS configuration involves creating a new instance of an already registered plug-in module, assigning a unique name or ID to the instance, and entering appropriate values for the parameters that define the plug-in you want to create an instance of.

When naming an authentication instance (or rule), be sure to formulate the name using any combination of letters (aA to zZ), digits (0 to 9), an underscore (_), and a hyphen (-); other characters and spaces are not allowed. For example, you can type My_Auth_Rule or MyAuthRule as the instance name, but not My Auth Rule.

Also note that when you add an authentication instance, the CMS configuration is updated with authentication-specific information only. The server does not associate the authentication instance you added with any of the end-user enrollment forms--that is, the end-user servlets that should use this authentication instance are not configured yet. You make this association by manually embedding the authentication instance name in the enrollment forms.

By default, the enrollment forms include authentication instance names listed in Table 12.1. Note that the authentication instances are not created by default; only the instance names are embedded in the forms for your convenience. If you create authentication instances with the default names, you can skip the step ("Step A. Associate the Authentication Instance With the Enrollment Form") that explains how to update an enrollment form to associate it with the name of an authentication instance.

Table 12.1 Default authentication instance names embedded in end user enrollment forms

Enrollment form (filename)
Authentication instance name
Certificate-based enrollment for dual certificates
(CertBasedDualEnroll.html)
UserDirEnrollment
Certificate-based enrollment for encryption certificates
(CertBasedEncryptionEnroll.html)
UserDirEnrollment
Certificate-based enrollment for single certificates
(CertBasedSingleEnroll.html)
UserDirEnrollment
Directory-based enrollment
(DirUserEnroll.html)
UserDirEnrollment
Directory- and PIN-based enrollment
(DirPinUserEnroll.html)
PinDirEnrollment
NIS server-based enrollment
(NISUserEnroll.html)
NISAuth
Portal enrollment
(PortalEnrollment.html)
PortalEnrollment

Figure 12.2 shows the default directory-based enrollment form configured to use an authentication instance named UserDirEnrollment.

Figure 12.2 Authentication information in the default directory-based enrollment form

For information on locating and customizing the default end-entity forms, see "End-Entity Forms and Templates".

To add an authentication instance to the CMS configuration:

  1. In the CMS window, select the Configuration tab.
  2. In the navigation tree, select Authentication.
  3. The right pane shows the Authentication Instance tab, which lists any currently configured authentication instances.

  4. Click Add.
  5. The Select Authentication Plugin Implementation window appears. It lists the currently registered authentication plug-in modules.

  6. Select a plug-in module.
  7. The following choices are the ones provided by default with Certificate Management System (they are described in "Overview of Authentication Modules"). If you have registered any custom authentication plug-in modules, they too will be available for selection.

    UidPwdDirAuth. Select this if you want to use the directory-based authentication module; see "Directory-Based Authentication".

    UidPwdPinDirAuth. Select this if you want to use the directory- and PIN-based authentication module (with or without PIN removal); see "Directory- and PIN-Based Authentication".

    To configure Certificate Management System for PIN-based enrollment method, you must have completed "Step 2. Set Up the Directory for PIN- Based Enrollment".

    NISAuth. Select this if you want to use the NIS server-based authentication module; see "NIS Server-Based Authentication".

    PortalEnroll. Select this if you want to use the portal authentication module; see "Portal Enrollment".

    For the purposes of this instruction, assume that you selected UidPwdPinDirAuth.

  8. Click Next.
  9. The Authentication Instance Editor window appears. The Authentication Instance ID field shows the default instance name embedded in the associated enrollment form (see Table 12.1). The Authentication Plugin ID field shows the module you've chosen. The remaining fields list the configuration information required for this authentication instance.

  10. If you don't want to use the default instance name, in the Authentication Instance ID field, type a unique name for this instance that will help you identify it.
  11. For the name, be sure to use an alphanumeric string with no spaces. If you chose to use a different name, be sure to edit the default name in the enrollment form in the next step, "Step 5. Set Up the Enrollment Interface".

  12. Fill in values for the remaining parameters.
  13. Click OK.
  14. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. Don't restart the server yet; you can do this after you've made all the required changes.

Step 5. Set Up the Enrollment Interface

This step explains how to customize the end-entity interface for the enrollment method you've chosen for your users.

Step A. Associate the Authentication Instance With the Enrollment Form

You can skip this step if, in the previous step, you chose the default instance name suggested in Table 12.1. Otherwise, you must edit the enrollment form to associate the instance you added because Certificate Management System relies on the authentication instance name embedded in the enrollment form to determine the authentication method.

For the new authentication instance to work with end-entity enrollment forms, you must update the appropriate forms, as follows:

  1. In the CMS host system, go to this directory:
    <server_root>/cert-<instance_id>/web/ee
  2. Locate the file that corresponds to the authentication module you chose in "Step 4: Add an Authentication Instance"; use Table 12.1 for guidance.
  3. Open the file in a text editor.
  4. Locate the attribute that associates the authentication instance with the enrollment form.
  5. <INPUT TYPE="HIDDEN" NAME="authenticator" VALUE="myAuthMgr">

    <INPUT TYPE="HIDDEN" NAME="authenticator" VALUE="myAuthMgr">

  6. Check the value assigned to authenticator attribute (the VALUE= field). Make sure that it is same as the name or ID you assigned to the authentication instance you created in Step 5. If it is different, replace it with the name of the authentication instance. For example, if you used test_auth as the instance name, the edited line should look like this:
    <INPUT TYPE="HIDDEN" NAME="authenticator" VALUE="test_auth">
  7. Save your changes and close the file.
Step B. Customize the Form

You can make any other changes to meet your organization's requirements.

Step C. Hook Up the Certificate-Based Enrollment Form

This step is required if you want to use any of the certificate-based enrollment forms.

As explained in "Enrollment Forms", Certificate Management System provides three forms for certificate-based enrollment:

By default, the form named CertBasedDualEnroll.html is hooked up to the Enrollment tab of the end-entity interface. You can replace this form with either of the other two forms, CertBasedEncryptionEnroll.html and CertBasedSingleEnroll.html; you can do this by uncommenting the script relevant to either of the forms in the index file and by commenting out the script for CertBasedDualEnroll.html--thus, effectively unhook the old one and hook the new one.

To enable any of the certificate-based enrollment forms, follow these steps:

  1. In the CMS host system, go to this directory:
    <server_root>/cert-<instance_id>/web/ee
  2. Locate the index.html file.
  3. Open the file in a text editor.
  4. Follow instructions as appropriate:
  5. If you want to enable the CertBasedDualEnroll.html form, search for CertBasedDualEnroll. You should find a block of script like the following:

    count++;

    }

    if (http != 'true') {

    // this one is directory based cert-based

    if ( isAuthMgrEnabled("UidPwdDirAuth") ) {

    item = 'certBasedDualEnroll';

    menuItems[count] = top.EnrollMenu[count] =

    new menuItem(item, 'CertBasedDualEnroll.html',
    'Certificate');

    
    

    If you want to enable the CertBasedEncryptionEnroll.html form, search for CertBasedEncryption. You should find a block of script like the following:

    			count++; 
    
    			} 
    
    		//		item = 'certBasedEncEnroll'; 
    
    		//		menuItems[count] = top.EnrollMenu[count] = 
    
    		//			new menuItem(item, 
    // 'CertBasedEncryptionEnroll.html', 'Certificate');
    
    

    Uncomment the lines and then add lines for using the automated enrollment module you configured the server with. Your edited lines should look similar to this:

    		count++;
    
    		}
    
    		if (http != 'true') { 
    
    			// this one is directory based cert-based
    
    		if ( isAuthMgrEnabled("UidPwdDirAuth") ) { 
    
    			item = 'certBasedEncEnroll';
    
    			menuItems[count] = top.EnrollMenu[count] = 
    
    				new menuItem(item, 'CertBasedEncryptionEnroll.html',
    'Certificate');
    
    

    If you want to enable the CertBasedSingleEnroll.html form, search for CertBasedSingle. You should find a block of script similar to this:

    			count++; 
    
    			} 
    
    		//		item = 'certBasedSingleEnroll'; 
    
    		//		menuItems[count] = top.EnrollMenu[count] = 
    
    		//			new menuItem(item, 'CertBasedSingleEnroll.html', 
    // 'Certificate');
    
    

    Uncomment the lines and then add lines for using the automated enrollment module you configured the server with. Your edited lines should look like these:

    		count++;
    
    		}
    
    		if (http != 'true') { 
    
    			// this one is directory based cert-based
    
    		if ( isAuthMgrEnabled("UidPwdDirAuth") ) { 
    
    			item = 'certBasedSingleEnroll';
    
    			menuItems[count] = top.EnrollMenu[count] = 
    
    				new menuItem(item, 'CertBasedSingleEnroll.html',
    'Certificate');
  6. Make sure to comment out lines for any unused options.
  7. If you're using any of the default modules, except for the one provided for the directory-based enrollment (UidPwdDirAuth), edit the following line to replace UidPwdDirAuth with the name of the module you're using.
  8. if ( isAuthMgrEnabled("UidPwdDirAuth") ) {

  9. By default, a link named Certificate will be created under the Browser section. If you want to rename the link, replace Certificate in the following line with the new name:
  10. new menuItem(item, 'CertBasedDualEnroll.html', 'Certificate');

  11. Save your changes and close the file.
Step D. Remove Unwanted Enrollment Options

This step is optional.

By default, the Enrollment tab of the end-entity interface shows just one link, named Manual, under the Browser section. The Manual link opens a form that enables end users to request certificates manually. When you enable automated enrollment, that is, when you create an instance of any of the automated enrollment modules, a link for the corresponding form is automatically created under the Browser section. For example, if you create an instance of the directory-based authentication module, you will notice a new link named Directory under the Browser section.

If you don't want your end users to see the manual enrollment option, you can remove it from the Enrollment tab altogether. The steps below explain how to remove the Manual link from the Browser section of the Enrollment tab:

  1. In the CMS host system, go to this directory:
  2. <server_root>/cert-<instance_id>/web/ee

  3. Locate the index.html file.
  4. Open the file in a text editor.
  5. Locate the initEnrollMenu function (the function initEnrollMenu() line).
  6. Remove or comment out lines that correspond to the Manual enrollment form.
  7. 		count++;
    
    			item = 'manuser';
    
    			menuItems[count] = top.EnrollMenu[count] = 
    
    				new menuItem(item, 'ManUserEnroll.html', 'Manual');
    
  8. Save your changes and close the file.
  9. Open a browser window.
  10. Go to the end-entity interface and verify your changes.
Step 6. Enable End-Entity Interaction

You can configure end-entity interaction with a Certificate Manager or a Registration Manager, or with both. End entities cannot interact with a Data Recovery Manager directly; they must interact through a Certificate Manager or Registration Manager. By default, the Certificate Manager is configured for end-entity interaction; the Registration Manager is not configured for end-entity interaction.

Depending on the subsystem you're configuring, follow the instructions in "Enabling End-Entity Interaction with a Certificate Manager" or in "Enabling End-Entity Interaction with a Registration Manager".

Enabling End-Entity Interaction with a Certificate Manager

To enable end-entity interaction with a Certificate Manager:

  1. In the CMS window, select the Configuration tab.
  2. In the navigation tree, select Certificate Manager.
  3. The General Setting tab appears.

  4. In the Web Access section, check the "Enable end-entity interaction" option if you want end entities to be able to interact with the selected Certificate Manager via the HTTPS port; leave it unchecked to disable end-entity interaction with the server.
  5. Note that if you disable end-entity interaction, the Network tab still shows the HTTPS port and allows you to configure it (see "Configuring Port Numbers"). However, you should know that the server ignores this port.

  6. In the Certificate Validity section, check the "Override validity nesting requirement" option, if you want the Certificate Manager to issue certificates with validity periods beyond that of its CA signing certificate; see "CA Signing Key Pair and Certificate").
  7. If you leave the box unchecked and if the Certificate Manager (CA) finds a request with validity period extending beyond that of its CA signing certificate, it automatically truncates the validity period to end on the day the CA signing certificate expires. For example, if the CA signing certificate expires on June 10, 2004, any enrollment or renewal request with validity period beyond June 10, 2004 will have validity period truncated to end on June 10, 2004.

    Validity periods of certificates during enrollment is determined by the policy explained in "Validity Constraints Policy". Similarly, validity periods of certificates during renewal is determined by the policy explained in "Renewal Validity Constraints Policy".

  8. In the Certificate Serial Number section, specify the serial number range for certificates issued by this Certificate Manager. The server assigns the serial number you enter in the "Next serial number" to the next certificate it issues and the number you enter in the "Last serial number" to the last certificate it issues.
  9. The serial number range enables you to deploy multiple CAs, balancing the number of certificates each CA issues. Note that the combination of an issuer name and a serial number uniquely identifies a certificate. To ensure that two distinct certificates issued by the same authority doesn't contain the same serial number, make sure the serial number range does not overlap among cloned CAs. (For information on cloning CAs, see Netscape Certificate Management System Installation and Deployment Guide.

  10. In the Default Signing Algorithm section, select the signing algorithm the Certificate Manager should use for signing certificates. The choices are "MD2 with RSA," "MD5 with RSA," and "SHA1 with RSA," if the CA's signing key type is RSA and "SHA1 with DSA," if the CA's signing key type is DSA.
  11. Note that the signing algorithm specified in the Certificate Manager's policy configuration overrides the algorithm you select here. For information on a Certificate Manager's policy configuration, see "Signing Algorithm Constraints Policy".

  12. To save your changes, click Save.
  13. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Enabling End-Entity Interaction with a Registration Manager

To enable end-entity interaction with a Registration Manager:

  1. In the CMS window, select the Configuration tab.
  2. In the navigation tree, select Registration Manager.
  3. The General Setting tab appears.

  4. In the Web Access section, check the "Enable end-entity interaction" option if you want end entities to be able to interact with the selected Registration Manager via the HTTPS port; leave it unchecked to disable end-entity interaction with the server.
  5. Note that if you disable end-entity interaction, the Network tab still shows the HTTPS port and allows you to configure it (see "Configuring Port Numbers"). However, you should know that the server ignores this port.

  6. To save your changes, click Save.
  7. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Step 7. Turn on Automated Notification

Both the Certificate Manager and the Registration Manager can send certificate-issuance notification to end users. For details on turning this feature on, see "Configuring a Subsystem to Send Notifications to End Entities".

Step 8. Test Your Authentication Setup

To test whether your end users can successfully enroll for a certificate using the authentication method you've set up:

  1. Open a web browser window.
  2. Go to the end-entity interface for the enrollment authority you configured. The default URL is as follows:
  3. https://<host_name>:<end_entity_HTTPS_port> or
    http://<host_name>:<end_entity_HTTP_port>

  4. In the Enrollment tab, open the enrollment form you customized.
  5. Fill in all the values and submit the request.
  6. The client prompts you to enter the password for your key database.
  7. When you enter the correct password, the client generates the key pair.
  8. Do not interrupt the key-generation process. Upon completion of the key generation, the request is submitted to the server for certificate issuance. The server subjects the request to the currently configured policy rules and issues the certificate only if the request passes all the policy rules.

    Upon receipt of a notification about the certificate issuance, install the certificate in your browser.

  9. Verify that the certificate is installed in the browser's certificate database; for example, in Communicator you can open the Security Info window and verify that the certificate is listed in there.
  10. If you've set up the directory- and PIN-based authentication with PIN removal, reenroll for another certificate using the same PIN. Your request should get rejected.
  11. If you've set up the portal enrollment, verify that an entry for the user is created in the directory. For example, you can point your browser to the portal directory and find out if an entry for the user for whom you requested the certificate exists.
  12. In the URL field, type
    ldap://<host_name>:<port>/<base_dn>??sub?(uid=<user_id>), substituting <host_name> with the fully qualified host name of the Directory Server, <port_number> with the port number at which the Directory Server is listening to authentication requests from the Certificate Manager <base_dn> with the DN to start searching for the user's entry, and <user_id> with the ID of the user for whom you requested the certificate.

    For example, if the directory host name is corpDirectory, port number is 389, base DN is O=siroe.com, and user's ID is jdoe, the URL would look like this:

    ldap://corpDirectory:389/O=siroe.com??sub?(uid=jdoe)

    In the resulting page, look for the user's credentials and verify that they match what you specified in the enrollment form. If you've configured Certificate Management System to publish certificates to the same directory ("Publishing Certificates and CRLs to a Directory"), you will be able to see the certificate-related information; it typically includes information such as the owner of the certificate, the CA that has issued the certificate, the serial number, the validity period, and the certificate fingerprint.

Step 9. Deliver PINs to End Users

This step is applicable for directory- and PIN-based authentication with or without PIN removal.

After you have confirmed that the PIN-based enrollment works (as it should), deliver the PINs to users so they can use them during enrollment. To protect the privacy of PINs, be sure to use a secure, out-of-band method for delivery. Here are a few suggested delivery methods:

Deleting an Authentication Instance

You can delete an authentication instance that you no longer need from the CMS configuration. If you delete an authentication instance, end users will fail to enroll for certificates using the associated enrollment form. If you want the form to work with another authentication instance, you must make the appropriate changes to the form; see "Step 5. Set Up the Enrollment Interface".

To delete an authentication instance from the CMS configuration:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, click Authentication.
  4. The right pane shows the Authentication Instance tab, which lists currently configured authentication instances.

  5. In the Instance Name list, select the instance you want to delete and click Delete.
  6. When prompted, confirm the delete action.
  7. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Modifying an Authentication Instance

You can modify an authentication instance by editing its configuration parameter values; you cannot edit the name of an instance. To change the name of an instance, you need to create a new instance exactly like the instance you want to rename, except with a new name, and delete the old instance. For details, see "Step 4: Add an Authentication Instance".

When you modify an authentication instance, the CMS configuration is updated to include the modifications. Because you are not changing the name of the authentication instance, you do not have to make any changes to the end-user servlet configuration.

To modify an authentication instance in the CMS configuration:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, click Authentication.
  4. The right pane shows the Authentication Instance tab, which lists configured authentication instances.

  5. In the Instance Name list, select the instance you want to modify and click Edit.
  6. The Configure Authentication Instance Parameters window appears, showing the current configuration of this instance.

    For the purposes of completing these instructions, assume you selected UserDirEnrollment.

  7. Make changes as appropriate. If you need description for any of the parameters, click the Help button or check these:
  8. Click OK.
  9. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.


Managing Authentication Plug-in Modules
This section explains how to use the CMS window to do the following:

For information on adding or changing authentication-specific information in the configuration file, see "Authentication Parameters in the Configuration File".

Registering an Authentication Module

You can register custom authentication plug-in modules from the CMS window. Registering a new authentication module involves specifying the name of the module and the full name of the Java class that implements the authentication interface. For example, you can add a Java class, named as follows, that implements an authentication module: com.netscape.certsrv.authentication.ssnAuth

Before registering an authentication module, be sure to put the Java class for the module in the classes directory; see "Compiling and Installing Authentication Manager Plug-ins".

To register an authentication module in the CMS authentication framework:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, click Authentication, and in the right pane, click the Authentication Plugin Registration tab.
  4. The tab lists modules that are already registered.

  5. Click Register.
  6. The Register Authentication Plugin Implementation window appears.

  7. Specify which module you want to register:
  8. Plugin name. Type a name for the module.

    Class name. Type the full name of the class for this module--that is, the path to the implementing Java class. If this class is part of a package, be sure to include the package name. For example, if you are registering a class named NISAuth and if this class is in a package named com.mycompany, type com.mycompany.NISAuth.

  9. Click OK.
  10. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Deleting an Authentication Module

You can delete an authentication plug-in module that you no longer need by using the CMS window. Before deleting a module, be sure to delete all the instances that are based on this module; see "Deleting an Authentication Instance". You should also update the appropriate end-entity enrollment forms.

To delete an authentication module from the CMS authentication framework:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, click Authentication, and in the right pane, click the Authentication Plugin Registration tab.
  4. The tab lists the currently registered modules.

  5. In the Plugin Name list, select the module you want to delete and click Delete.
  6. When prompted, confirm the delete action.
  7. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

 

© Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.