Netscape Certificate Management System Administrator's Guide: Introduction to Authentication


Chapter 9 Introduction to Authentication

Authentication is the process of verifying the identity of a user who is requesting a service from Netscape Certificate Management System (CMS). More specifically, authentication involves acquiring and verifying the values of the configured attributes of the user. For example, the user might be prompted to log in with a user name and password, and the server would then look in a preconfigured database to verify that the user's password is correct.

Service requests to Certificate Management System come from any of the following users:

This chapter explains how Certificate Management System identifies and authenticates these users, and it provides details about the various authentication methods supported by the server. After reading this chapter, you should be able to determine which of the authentication plug-in modules provided out of the box is suitable for your PKI deployment.

This chapter has the following sections:


Privileged-User Authentication
For authenticating privileged users, such as administrators and agents, Certificate Management System uses built-in authentication mechanisms.

Authentication of Administrators

When an administrator makes an administrative request to Certificate Management System (from the CMS window within Netscape Console or from any command-line tool), the server needs to authenticate the administrator before processing the request. To facilitate this, Certificate Management System supports an authentication method that includes user ID- and password-based authentication from the client and SSL server authentication from the server.

Certificate Management System identifies and authenticates users with administrator privileges by checking their user IDs and passwords in its internal database. These are the user IDs and passwords you entered in the internal database when you created these user entries. For details, see "Setting Up Administrators".

Figure 9.1 illustrates the authentication process.

Figure 9.1 CMS authentication of a user with administrator privileges

These are the steps shown in Figure 9.1:

  1. An administrator opens Netscape Console and attempts to log in to the CMS window by entering a user ID and password at the login prompt. The server uses the administrator's user ID and password to bind to the corresponding privileged-user entry in its internal database.
  2. If the bind to a user entry succeeds, authentication succeeds; otherwise, it fails.
  3. If both authentication and authorization succeed, the server services the request. Otherwise, it rejects the request and logs the reason for the rejection.

Note Authentication for administrators is hardcoded; it is not configurable.

Authentication of Agents

When an agent makes a request to Certificate Management System (from the appropriate Agent Services interface), the server needs to authenticate the agent before processing the request. To facilitate this, Certificate Management System supports a certificate-based authentication method.

Certificate Management System identifies and authenticates a user with agent privileges by checking the user's SSL client certificate against its internal database. The certificates it checks are the ones you imported and stored in the internal database while creating or modifying the user entry. You create agent users for a CMS instance by adding their client certificates to the internal database and associating them with the corresponding users' identification information; for details, see "Setting Up Agents".

When an agent makes a request to perform a privileged operation, the server requests SSL client authentication from the client that the agent has used to connect to the server. The server then uses the successfully SSL client-authenticated certificate to map to internal user entries for further checks. The server checks the certificate's subject name and issuer name against the list of privileged-user certificates stored in its internal database. If the certificate belongs to a privileged user who is authorized (based on group membership) to perform agent operations, the server allows the user to perform the requested operation. Otherwise, the server rejects the request and logs an appropriate message (for details, see "Logs").

Note Authentication for agents is hardcoded; it is not configurable.

Figure 9.2 shows how a Registration Manager authenticates and authorizes a Registration Manager agent.

Figure 9.2 Registration Manager authentication of a user with Registration Manager agent privileges

This example shows these steps:

  1. An agent opens a web browser and enters the URL of the Registration Manager Agent Services interface hosted by the Registration Manager. The server requests SSL client authentication from the client. The client in turn prompts the agent to specify the certificate that it should present to the server for authentication. The certificate that passes SSL client authentication is presented to the Registration Manager.
  2. Upon receiving the certificate, the Registration Manager performs the following authentication and authorization process:
  3. If both authentication and authorization succeed, the Registration Manager services the request. Otherwise, it rejects the request and logs a reason for the rejection.
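The two privileged-user paths above, written out as an added example (this is illustrative Python, not code from Certificate Management System): administrators are authenticated by a user ID and password bind against the internal database, agents by mapping the certificate that passed SSL client authentication to a user entry by issuer and subject name, and both are then authorized by group membership before the request is serviced or rejected and logged. The in-memory directory, the group names, the password hashing scheme and the function names are all constructed for the example and are not CMS internals.

```python
"""Added example: privileged-user authentication and authorization as the
guide describes it. The directory contents, group names and hashing scheme
below are constructed for illustration and are not CMS internals."""
from dataclasses import dataclass, field
import hashlib
import hmac
import os


@dataclass
class UserEntry:
    uid: str
    groups: set
    password_hash: bytes = b""        # salted hash of the login password (admins only)
    salt: bytes = b""
    cert_bindings: set = field(default_factory=set)   # {(issuer_dn, subject_dn)} (agents)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(uid, groups, password=None, certs=()):
    salt = os.urandom(16) if password else b""
    pw_hash = _hash(password, salt) if password else b""
    return UserEntry(uid, set(groups), pw_hash, salt, set(certs))


# Constructed internal database: one administrator, one Registration Manager agent.
INTERNAL_DB = {u.uid: u for u in [
    make_user("admin1", {"Administrators"}, password="correct horse battery"),
    make_user("rmagent1", {"Registration Manager Agents"},
              certs={("CN=Example CA,O=Example", "CN=RM Agent One,O=Example")}),
]}


def bind(uid, password):
    """Administrator path: user ID + password bind against the internal database.
    Returns the user entry on success, None on failure."""
    entry = INTERNAL_DB.get(uid)
    if entry is None or not entry.password_hash:
        return None
    if hmac.compare_digest(_hash(password, entry.salt), entry.password_hash):
        return entry
    return None


def map_client_cert(issuer_dn, subject_dn):
    """Agent path: the TLS layer has already verified the client certificate;
    map it to a user entry by (issuer, subject). Matching on the issuer as well
    as the subject means a same-named certificate from another CA does not map."""
    for entry in INTERNAL_DB.values():
        if (issuer_dn, subject_dn) in entry.cert_bindings:
            return entry
    return None


def authorize(entry, required_group):
    return entry is not None and required_group in entry.groups


def service_request(entry, required_group, log):
    """Service the request only if authentication and authorization both succeeded;
    otherwise reject it and record the reason."""
    if entry is None:
        log.append("rejected: authentication failed")
        return False
    if not authorize(entry, required_group):
        log.append(f"rejected: {entry.uid} is not a member of {required_group}")
        return False
    log.append(f"serviced: request by {entry.uid}")
    return True


if __name__ == "__main__":
    log = []
    agent = map_client_cert("CN=Example CA,O=Example", "CN=RM Agent One,O=Example")
    service_request(agent, "Registration Manager Agents", log)
    service_request(bind("admin1", "wrong password"), "Administrators", log)
    print("\n".join(log))
```

Note that an administrator entry with a valid password still fails an agent request, and an agent certificate is useless for the password path: the two paths are separate, as the guide describes, and authorization is decided by group membership after authentication.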


End-Entity Authentication
This section provides an overview of how Certificate Management System authenticates end entities during certificate enrollment, renewal, and revocation processes.

Authentication of End Entities During Certificate Enrollment

When an end entity submits a certificate request, a Certificate Manager or Registration Manager's first task is to identify and authenticate the end entity. The server must perform this task before it can register the end entity for certificate issuance. This task includes verifying the end entity's identity based on information the end entity provides and returning enough information about the end entity so that the subject name for the certificate can be constructed.

To cater to a variety of end-entity enrollment scenarios, Certificate Management System supports both manual and automated certificate issuance. For a detailed description of the authentication methods supported by the Certificate Manager and Registration Manager, see "Authentication Modules for End-Entity Enrollment".

Authentication of End Users During Certificate Renewal

When an end user submits a certificate renewal request, the first step in the renewal process is for the Certificate Manager or Registration Manager to identify and authenticate the end user. This step includes making sure that the end user's current certificate is either "valid" or "expired" ("revoked" is not acceptable).

Certificate Management System verifies the authenticity of a certificate renewal request by mapping the subject name in the certificate being presented for renewal to certificates in its internal database. The server renews the certificate only if the subject name maps successfully to a certificate in its internal database. If the internal database contains more than one certificate whose subject name matches that of the certificate the end entity presented for client authentication, the server lists all the matching certificates and expects the end entity to pick one for renewal.

Here are a few things to keep in mind about certificate renewal:

Certificate Renewal Form

The End Entity Services interface of the Certificate Manager and Registration Manager includes a default HTML form for renewing end users' certificates. The form is accessible from the Renewal tab as shown in Figure 9.3.

Figure 9.3 Certificate renewal form for end users

The default renewal form is preconfigured for SSL client authentication, enabling end users to renew their personal or client certificates by presenting valid or expired certificates.

If you want to change the form content to suit your organization's requirements, edit the following file:

<server_root>/cert-<instance_id>/web/ee/UserRenewal.html

For details on individual form elements, see the online help available by clicking the Help button on the form. For more information on customizing the form, see "Agent and End-Entity Interfaces".

Authentication of End Users During Certificate Revocation

Certificates can be revoked by administrators, agents, and end users. When an end user submits a certificate revocation request, the first step in the revocation process is for the Certificate Manager or Registration Manager to identify and authenticate the end user. The reason for this is when an end user attempts to revoke a certificate, the server needs to verify that the user is attempting to revoke his or her own certificate, not a certificate belonging to someone else.

Both Certificate Manager and Registration Manager support the following methods of revocation:

Forms for both methods are available through the End Entity Services interface (HTTPS only) of the Certificate Manager and Registration Manager; see "Certificate Revocation Forms".

Here are a few common points to keep in mind about the automated revocation of end users' certificates:

SSL Client Authenticated Revocation

In an SSL client authenticated revocation method, the server expects the end user to present a certificate that has the same subject name as the one he or she wants to revoke and uses that for authentication purposes. The server verifies the authenticity of a revocation request by mapping the subject name in the certificate being presented for client authentication to certificates in its internal database. The server revokes the certificate only if the certificate maps successfully to one or more valid or expired certificates in its internal database.

After successful authentication, if the server detects only one valid or expired certificate whose subject name matches that of the certificate presented for client authentication, it revokes that certificate. If the server detects more than one valid or expired certificate with a matching subject name, it lists all those certificates. The user can then either select the certificate to be revoked or revoke all certificates in the list.

Here are a few things, in addition to the common points listed above, to keep in mind about SSL client authenticated revocation:

Challenge-Password-Based Revocation

A challenge password is a unique, alphanumeric string that the end user specifies when requesting a certificate; the user is expected to keep this password confidential and use it to authenticate to the server when revoking the certificate. When the server issues the certificate, it associates the password with the certificate, stores both the certificate and password in its internal database, and uses them later for authenticating any revocation requests.

In the challenge-password-based revocation method, the server expects the end user to specify the serial number of the certificate the user wants to revoke and the challenge password associated with the certificate. The server verifies the authenticity of a revocation request by mapping the serial number to the list of certificates in its internal database followed by mapping the challenge password specified to the one associated with the matching certificate it detects in the internal database.

The server revokes the certificate only if the certificate maps successfully to one or more valid or expired certificates in its internal database. If the server detects only one valid or expired certificate with a matching serial number and challenge password, it automatically revokes the certificate. If the server detects more than one valid or expired certificate with a matching serial number, it lists all those certificates. The user can then select the certificate to be revoked or revoke all certificates in the list.

Here are a few things, in addition to the common points listed above, to keep in mind about the challenge-password-based revocation:
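The renewal and revocation checks described in "Authentication of End Users During Certificate Renewal", "SSL Client Authenticated Revocation" and "Challenge-Password-Based Revocation" share one rule: a certificate in the internal database is a candidate only while it is "valid" or "expired", never once it is "revoked". The following added example (illustrative Python, not Certificate Management System code) models those checks against a constructed certificate store: subject-name mapping that may return several candidates the user must choose from, single-match revocation, "revoke all", and serial-number-plus-challenge-password revocation. The records, passwords and function names are constructed; storing only a salted hash of the challenge password and comparing it in constant time is this example's choice, not a documented CMS detail.

```python
"""Added example: end-entity renewal and revocation checks as the guide
describes them. The certificate records and challenge passwords below are
constructed sample data; hashing the stored challenge password is this
example's design choice, not a CMS detail."""
from dataclasses import dataclass
import hashlib
import hmac
import os


@dataclass
class CertRecord:
    serial: int
    subject_dn: str
    status: str                    # "valid", "expired" or "revoked"
    challenge_salt: bytes = b""
    challenge_hash: bytes = b""    # empty when no challenge password was set at enrollment


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def issue(serial, subject_dn, status="valid", challenge_password=None):
    salt = os.urandom(16) if challenge_password else b""
    digest = _hash(challenge_password, salt) if challenge_password else b""
    return CertRecord(serial, subject_dn, status, salt, digest)


# Constructed internal database keyed by serial number. Alice holds three
# certificates with the same subject name, one of them already revoked.
DB = {r.serial: r for r in [
    issue(0x10, "CN=Alice,O=Example", "valid", "s3cret-alice"),
    issue(0x11, "CN=Alice,O=Example", "expired"),
    issue(0x12, "CN=Alice,O=Example", "revoked"),
    issue(0x20, "CN=Bob,O=Example", "valid", "s3cret-bob"),
]}


def usable(rec):
    """Only valid or expired certificates may be renewed or revoked."""
    return rec.status in ("valid", "expired")


def candidates_by_subject(subject_dn):
    """Subject-name mapping shared by renewal and SSL client authenticated revocation."""
    return [r for r in DB.values() if r.subject_dn == subject_dn and usable(r)]


def renewal_candidates(client_cert_subject):
    """The caller has completed SSL client authentication with a valid or expired
    certificate; return the certificates the user may renew (several means the
    server lists them and asks the user to pick one)."""
    return candidates_by_subject(client_cert_subject)


def revoke_by_client_cert(client_cert_subject, chosen_serials=None):
    """A single match is revoked automatically; with several matches the user
    either picks serials or (chosen_serials=None) revokes them all.
    Returns the serial numbers that were revoked."""
    matches = candidates_by_subject(client_cert_subject)
    if len(matches) <= 1 or chosen_serials is None:
        targets = matches
    else:
        targets = [r for r in matches if r.serial in chosen_serials]
    for r in targets:
        r.status = "revoked"
    return [r.serial for r in targets]


def revoke_by_challenge(serial, challenge_password):
    """Serial number plus challenge password; fails for unknown serials,
    already-revoked certificates, certificates enrolled without a challenge
    password, and wrong passwords (compared in constant time)."""
    rec = DB.get(serial)
    if rec is None or not usable(rec) or not rec.challenge_hash:
        return False
    if not hmac.compare_digest(_hash(challenge_password, rec.challenge_salt), rec.challenge_hash):
        return False
    rec.status = "revoked"
    return True


if __name__ == "__main__":
    print([hex(r.serial) for r in renewal_candidates("CN=Alice,O=Example")])
    print(revoke_by_challenge(0x20, "s3cret-bob"), DB[0x20].status)
```

Running it shows Alice's two usable certificates (0x10 and 0x11) listed for renewal while the revoked 0x12 is silently excluded, and a correct challenge password revoking Bob's certificate. The same subject-name mapping serves both renewal and revocation, which is why the guide warns that revocation by SSL client authentication can reach every certificate sharing that subject name.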

Certificate Revocation Forms

The End Entity Services interface of the Certificate Manager and Registration Manager includes default HTML forms for both the SSL client authenticated revocation and challenge-password-based revocation. The forms are accessible from the Revocation tab. Figure 9.4 shows the form that enables end users to revoke their certificates using a challenge password. You can view the form that enables SSL client authenticated revocation by clicking the User Certificate link.

Figure 9.4 Form for challenge-password-based certificate revocation

If you want to change the forms to suit your organization's requirements, you can edit the following files:

Both the files are located here:

<server_root>/cert-<instance_id>/web/ee

For details on individual form elements, see the online help available by clicking the Help button on the form. For more information on customizing the form, see "Agent and End-Entity Interfaces".


© Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.