Netscape Certificate Management System Administrator's Guide: Configuration

Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling CMS Instances
Chapter 5: Starting and Stopping CMS Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Authentication Modules for End-Entity Enrollment
Chapter 11: Using the PIN Generator Tool
Chapter 12: Configuring Authentication for End Users
Chapter 13: Developing Custom Authentication Modules
PART 5: Job Scheduling and Notification
Chapter 14: Introduction to Job Scheduling and Notifications
Chapter 15: Configuring Schedulable Jobs
PART 6: Policies
Chapter 16: Introduction to Policy
Chapter 17: Constraints-Specific Policy Modules
Chapter 18: Extension-Specific Policy Modules
Chapter 19: Configuring a Subsystem's Policies
PART 7: Publishing
Chapter 20: Introduction to Publishing Certificates and CRLs
Chapter 21: Modules for Publishing Certificates and CRLs
Chapter 22: Configuring a Certificate Manager for Publishing
PART 8: Agent and End-Entity Interfaces
Chapter 23: Introduction to End-Entity and Agent Interfaces
Chapter 24: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 25: Introduction to Logs
Chapter 26: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 27: Issuing and Managing End-Entity Certificates
Chapter 28: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool

Contents

Index

Bookshelf

Chapter 3 Configuration

The runtime properties of Netscape Certificate Management System (CMS) are governed by a set of configuration parameters. These parameters are stored in a file that is read by the server during startup.

When you install Certificate Management System, the installer creates an ASCII file, named CMS.cfg, and populates it with the appropriate configuration parameters. You can control the way Certificate Management System functions by making the appropriate changes to the configuration information.

This chapter explains how the installation affects the number of configuration files created in your machine and their contents. It also explains ways in which you can modify the configuration and precautions you should take when doing so. The chapter ends with a road map to configuring individual subsystems.

The chapter has the following sections:

Effects of Installation Type on Configuration

Locating the Configuration File

Modifying the Configuration

Road Map to Configuring Subsystems

Effects of Installation Type on Configuration

For each instance of Certificate Management System there is a configuration file, named CMF.cfg. The configuration file controls the runtime properties of the corresponding CMS instance.

A CMS instance can include a single subsystem or two subsystems in one of the following combinations:

A single Certificate Manager, Registration Manager, or Data Recovery Manager

A Certificate Manager and Data Recovery Manager together

A Registration Manager and Data Recovery Manager together

Figure 3.1 illustrates a deployment scenario involving two instances of Certificate Management System running on the same host (Host A) and a single instance running on another host (Host B). Notice the two separate configuration files for the instances running on Host A, one for each CMS instance.

Although the names of both the configuration files are the same, the information included in the files differs according to the subsystems installed in each instance. For example, the configuration file for CMS Instance 1 includes only those parameters that govern the Registration Manager, whereas the configuration file for CMS Instance 2 includes parameters that control both the Certificate Manager and Data Recovery Manager.

It is also important to understand that subsystems installed in a CMS instance share certain parts of the configuration. They use the same

Administration, agent, and end-entity ports for interaction

Internal token and trust database

SSL ciphers during SSL negotiation

Privileged users (administrators and agents)

Log files to log messages

Internal database for data storage

Figure 3.1 How installation affects configuration

Duplicating a Configuration from One Instance to Another

If you have deployed a large number of CMS instances that are identical--for example, multiple Registration Managers--and you want all these instances to have the same configuration, you can accomplish this by configuring one of the instances and then replacing the configuration files of the other instances with the one that contains the required configuration. Figure 3.2 illustrates this quick way of deploying multiple Registration Managers with the same configuration.

Figure 3.2 Duplicating a configuration

Caution Be careful when replacing configuration of one instance with another. The configuration file for an instance contains instance-specific parameters. If you replace these parameters, the instance will fail to start or function properly.

Locating the Configuration File

Each instance of Certificate Management System has its own configuration file, CMF.cfg. The default location for this file is as follows:

<server_root>/cert-<instance_id>/config

<server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

<instance_id> is the ID for this instance of Certificate Management System. You first specified this when you installed this server.

Modifying the Configuration

You can modify the CMS configuration in two ways:

By changing the configuration parameter values from the CMS window. This is the recommended method for changing configuration. See "Changing the Configuration From the CMS Window".

By manually changing the configuration parameter values in the configuration file, CMF.cfg. See "Changing the Configuration by Editing the Configuration File".

Changing the Configuration From the CMS Window

The CMS window allows you to view the current configuration of a CMS instance and make the required changes. Because this is the recommended method for changing configuration, the chapters that follow focus on explaining how to change the various configuration parameter values from the CMS window.

Note You may find the road map provided in "Road Map to Configuring Subsystems" useful in setting up your CMS instances.

Changing the Configuration by Editing the Configuration File

This section explains how to change the CMS configuration by editing the configuration parameter values in the file CMF.cfg. This ASCII file is read by Certificate Management System when it is started.

Caution Do not edit the configuration file directly if you are not familiar with the configuration parameters or if you are not sure that the changes you intend to make are acceptable by the server. Certificate Management System will fail to start up if you make incorrect modifications to the configuration file. Incorrect configuration can also result in data loss.

Also, before you start editing the configuration file, be sure to read "Guidelines for Editing the Configuration File".

To modify the configuration file directly:

Stop the CMS instance whose configuration file you want to edit (see "Stopping Certificate Management System").

Open a terminal window.

Go to this directory: <server_root>/cert-<instance_id>/config

Open the configuration file, CMF.cfg, in a text editor.

Edit information in the file and save your changes.

Restart Certificate Management System (see "Restarting Certificate Management System").

Guidelines for Editing the Configuration File

The file-based, configuration-store implementation for Certificate Management System is based on java.util.Properties. The following guidelines may help you interpret the information in the configuration file.

The format of the configuration file is as follows:

value (e.g. base-64 encoded certificate)

Comment lines, blank lines, unknown parameters, or misspelled parameters are ignored by Certificate Management System. Comment lines begin with a number sign (#). A line beginning with white space is considered a continuation of the previous line.

The configuration file has many sections. Some sections contain parameters specific to the subsystems that have been installed; the other sections contain parameters that are shared by the subsystems. Subsystem-specific parameters are distinguished by a prefix identifying the subsystem:

ca for the Certificate Manager

ra for the Registration Manager

kra for the Data Recovery Manager

The parameter names and their values are strings. The parameter names can be hierarchically structured with '.' notation with multiple levels--for example, ca.Policy.rule.RSAKeyRule.maxSize. The entries corresponding to a lower level (such as Policy in the example) can be requested from the configuration corresponding to its higher level (ca in the example).

The values that need to be localized (such as distinguished names in multibyte format) should be entered in utf8 format. For more information on this format, see the document UTF-8, a transformation format of Unicode and ISO 10646, available at this URL:

http://info.internet.isi.edu:80/in-notes/rfc/files/ rfc2044.txt

Certificate Management System writes out the configuration in a sorted order.

The values of some parameters are referenced to other parts of the configuration file. For example, assume that a parameter is defined as subsystem.id=ca; when this parameter is processed by the server, all the parameters beginning with ca will be used.

The configuration file supports Unix-style file separator, the forward slash
(/). If the \ file separator is required, use two backward slashes (\\) instead of one.

Sample Configuration File

The following sample configuration is of a Certificate Manager.

Important This sample file includes some of the parameters used by Certificate Management System. However, there is no guarantee that an arbitrary set of options you create will work.

_000=##

_001=## File Created On     : Sun Jan 02 23:02:35 PST 2000

_002=##

instanceRoot=/usr/netscape/cert-testCA

machineName=testCA.siroe.com

agentGateway._000=##

agentGateway._001=## Agent Gateway

agentGateway._002=##

	agentGateway.docRoot=/usr/netscape/cert-testCA/web/agent

	agentGateway.dynamicVariables=serverdate=serverdate()

	agentGateway.enableAdminEnroll=true

	agentGateway.enableBulkInterface=true

	agentGateway.keepAliveOn=true

	agentGateway.mimeTypeConf=/usr/netscape/cert-testCA/config/

		mime.types

	agentGateway.numServices=1

	agentGateway.service0=https

	agentGateway.CAGetBySerial.successTemplate=/ca/ImportCert.template

	agentGateway.adminEnroll.successTemplate=/ca/EnrollSuccess.template

	agentGateway.bulkissuance.errorTemplate=/ca/bulkissuance.template

	agentGateway.bulkissuance.pendingTemplate=/ca/bulkissuance.template

	agentGateway.bulkissuance.rejectedTemplate=/ca/bulkissuance.template

	agentGateway.bulkissuance.successTemplate=/ca/bulkissuance.template

	agentGateway.bulkissuance.svcpendingTemplate=/ca/ 

		bulkissuance.template

	agentGateway.bulkissuance.unauthorizedTemplate=/ca/	

		bulkissuance.template

	agentGateway.bulkissuance.unexpectedErrorTemplate=/ca/

		bulkissuance.template

	agentGateway.https.backlog=15

	agentGateway.https.nickName=Server-Cert cert-testCA

	agentGateway.https.port=4605

	agentGateway.https.type=https

auths._000=##

auths._001=## Authentication

auths._002=##

auths.impl._000=##

auths.impl._001=## authentication manager implementations

auths.impl._002=##

	auths.impl.KerberosAuth.class=com.netscape.certsrv.

		authentication.KerberosBasedAuthentication

	auths.impl.NISAuth.class=com.netscape.certsrv.

		authentication.NISAuth

	auths.impl.PortalEnroll.class=com.netscape.certsrv.

		authentication.PortalEnroll

	auths.impl.UidPwdDirAuth.class=com.netscape.certsrv.

		authentication.UidPwdDirAuthentication

	auths.impl.UidPwdPinDirAuth.class=com.netscape.certsrv.

	authentication.UidPwdPinDirAuthentication

	auths.revocationChecking.bufferSize=5

	auths.revocationChecking.ca=ca

	auths.revocationChecking.enabled=true

	auths.revocationChecking.unknownStateInterval=0

	auths.revocationChecking.validityInterval=120

ca.id=ca

	ca.local=true

	ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, 

		RenewalConstraintsRule, DefaultRenewalValidityRule, 

		RevocationConstraintsRule, DefaultRevocationRule, NSCertTypeExt, 

		CMCertKeyUsageExt, RMCertKeyUsageExt, ClientCertKeyUsageExt, 

		ServerCertKeyUsageExt, ObjSignCertKeyUsageExt, 

		SubjectKeyIdentifierExt, CertificatePoliciesExt, NSCComment, 

		OCSPNoCheckExt, OCSPSigningExt, CODESigningExt, GenericASN1Ext, 

		CRLDistributionPointsExt, SubjectAltNameExt, SigningAlgRule, 

		AuthorityKeyIdentifierExt, BasicConstraintsExt, UniqueSubjectName, 

		NameConstraintsExt, PolicyConstraintsExt, SubCANameCheck, 

		PolicyMappingsExt, IssuerRule

ca.Policy.impl._000=##

ca.Policy.impl._001=## Policy Implementations

ca.Policy.impl._002=##

	ca.Policy.impl.AuthInfoAccessExt.class=com.netscape.certsrv.policy.

		AuthInfoAccessExt

	ca.Policy.impl.AuthorityKeyIdentifierExt.class=com.netscape.certsrv.

		policy.AuthorityKeyIdentifierExt

	ca.Policy.impl.BasicConstraintsExt.class=com.netscape.certsrv.

		policy.BasicConstraintsExt

	ca.Policy.impl.CRLDistributionPointsExt.class=com.netscape.certsrv.

		policy.CRLDistributionPointsExt

	ca.Policy.impl.CertificatePoliciesExt.class=com.netscape.certsrv.

		policy.CertificatePoliciesExt

	ca.Policy.impl.DSAKeyConstraints.class=com.netscape.certsrv.policy.

		DSAKeyConstraints

	ca.Policy.impl.DefaultRevocation.class=com.netscape.certsrv.policy.

		DefaultRevocation

	ca.Policy.impl.ExtendedKeyUsageExt.class=com.netscape.certsrv.

		policy.ExtendedKeyUsageExt

	ca.Policy.impl.GenericASN1Ext.class=com.netscape.certsrv.policy.

		GenericASN1Ext

	ca.Policy.impl.IssuerAltNameExt.class=com.netscape.certsrv.policy.

		IssuerAltNameExt

	ca.Policy.impl.IssuerConstraints.class=com.netscape.certsrv.policy.

		IssuerConstraints

	ca.Policy.impl.KeyAlgorithmConstraints.class=com.netscape.certsrv.

		policy.KeyAlgorithmConstraints

	ca.Policy.impl.KeyUsageExt.class=com.netscape.certsrv.policy.

		KeyUsageExt

	ca.Policy.impl.NSCComment.class=com.netscape.certsrv.policy.

		NSCComment

	ca.Policy.impl.NSCertTypeExt.class=com.netscape.certsrv.policy.

		NSCertTypeExt

	ca.Policy.impl.NameConstraintsExt.class=com.netscape.certsrv.policy.

		NameConstraintsExt

	ca.Policy.impl.OCSPNoCheckExt.class=com.netscape.certsrv.policy.

		OCSPNoCheckExt

	ca.Policy.impl.PinPresent.class=com.netscape.certsrv.policy.

		PinPresent

	ca.Policy.impl.PolicyConstraintsExt.class=com.netscape.certsrv.

		policy.PolicyConstraintsExt

	ca.Policy.impl.PolicyMappingsExt.class=com.netscape.certsrv.policy.

		PolicyMappingsExt

	ca.Policy.impl.PrivateKeyUsagePeriodExt.class=com.netscape.certsrv.

		policy.PrivateKeyUsagePeriodExt

	ca.Policy.impl.RSAKeyConstraints.class=com.netscape.certsrv.policy.

		RSAKeyConstraints

	ca.Policy.impl.RenewalConstraints.class=com.netscape.certsrv.policy.

		RenewalConstraints

	ca.Policy.impl.RenewalValidityConstraints.class=com.netscape.

		certsrv.policy.RenewalValidityConstraints

	ca.Policy.impl.RevocationConstraints.class=com.netscape.certsrv.

		policy.RevocationConstraints

	ca.Policy.impl.SigningAlgorithmConstraints.class=com.netscape.

		certsrv.policy.SigningAlgorithmConstraints

	ca.Policy.impl.SubCANameCheck.class=com.netscape.certsrv.policy.

		SubCANameCheck

	ca.Policy.impl.SubjectAltNameExt.class=com.netscape.certsrv.policy.

		SubjAltNameExt

	ca.Policy.impl.SubjectDirectoryAttributesExt.class=com.netscape.

		certsrv.policy.SubjectDirectoryAttributesExt

	ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.certsrv.

		policy.SubjectKeyIdentifierExt

	ca.Policy.impl.UniqueSubjectName.class=com.netscape.certsrv.policy.

		UniqueSubjectName

	ca.Policy.impl.ValidityConstraints.class=com.netscape.certsrv.

		policy.ValidityConstraints

	ca.Policy.rule.AuthorityKeyIdentifierExt.enable=true

	ca.Policy.rule.AuthorityKeyIdentifierExt.implName=

		AuthorityKeyIdentifierExt

	ca.Policy.rule.AuthorityKeyIdentifierExt.predicate=

	ca.Policy.rule.BasicConstraintsExt.enable=true

	ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt

	ca.Policy.rule.BasicConstraintsExt.predicate=

	ca.Policy.rule.BasicConstraintsExt.removeBasicExt=true

	ca.Policy.rule.CMCertKeyUsageExt.crlSign=true

	ca.Policy.rule.CMCertKeyUsageExt.digitalSignature=true

	ca.Policy.rule.CMCertKeyUsageExt.enable=true

	ca.Policy.rule.CMCertKeyUsageExt.implName=KeyUsageExt

	ca.Policy.rule.CMCertKeyUsageExt.keyCertsign=true

	ca.Policy.rule.CMCertKeyUsageExt.nonRepudiation=true

	ca.Policy.rule.CMCertKeyUsageExt.predicate=certType==ca

	ca.Policy.rule.CODESigningExt.critical=false

	ca.Policy.rule.CODESigningExt.enable=true

	ca.Policy.rule.CODESigningExt.id0=1.3.6.1.5.5.7.3.3

	ca.Policy.rule.CODESigningExt.implName=ExtendedKeyUsageExt

	ca.Policy.rule.CODESigningExt.predicate=certType==codeSignClient

	ca.Policy.rule.CRLDistributionPointsExt.enable=false

	ca.Policy.rule.CRLDistributionPointsExt.implName=

	CRLDistributionPointsExt

	ca.Policy.rule.CRLDistributionPointsExt.issuerName0=

	ca.Policy.rule.CRLDistributionPointsExt.issuerName1=

	ca.Policy.rule.CRLDistributionPointsExt.issuerName2=

	ca.Policy.rule.CRLDistributionPointsExt.issuerType0=

	ca.Policy.rule.CRLDistributionPointsExt.issuerType1=

	ca.Policy.rule.CRLDistributionPointsExt.issuerType2=

	ca.Policy.rule.CRLDistributionPointsExt.numPoints=0

	ca.Policy.rule.CRLDistributionPointsExt.pointName0=

	ca.Policy.rule.CRLDistributionPointsExt.pointName1=

	ca.Policy.rule.CRLDistributionPointsExt.pointName2=

	ca.Policy.rule.CRLDistributionPointsExt.pointType0=

	ca.Policy.rule.CRLDistributionPointsExt.pointType1=

	ca.Policy.rule.CRLDistributionPointsExt.pointType2=

	ca.Policy.rule.CRLDistributionPointsExt.predicate=

	ca.Policy.rule.CRLDistributionPointsExt.reasons0=

	ca.Policy.rule.CRLDistributionPointsExt.reasons1=

	ca.Policy.rule.CRLDistributionPointsExt.reasons2=

	ca.Policy.rule.CertificatePoliciesExt.enable=false

	ca.Policy.rule.CertificatePoliciesExt.implName=

		CertificatePoliciesExt

	ca.Policy.rule.CertificatePoliciesExt.policyId=

	ca.Policy.rule.CertificatePoliciesExt.predicate=

	ca.Policy.rule.ClientCertKeyUsageExt.digitalSignature=true

	ca.Policy.rule.ClientCertKeyUsageExt.enable=true

	ca.Policy.rule.ClientCertKeyUsageExt.implName=KeyUsageExt

	ca.Policy.rule.ClientCertKeyUsageExt.keyEncipherment=true

	ca.Policy.rule.ClientCertKeyUsageExt.nonRepudiation=true

	ca.Policy.rule.ClientCertKeyUsageExt.predicate=certType==client

	ca.Policy.rule.DSAKeyRule.enable=true

	ca.Policy.rule.DSAKeyRule.implName=DSAKeyConstraints

	ca.Policy.rule.DSAKeyRule.maxSize=2048

	ca.Policy.rule.DSAKeyRule.minSize=512

	ca.Policy.rule.DSAKeyRule.predicate=

	ca.Policy.rule.DefaultRenewalValidityRule.enable=true

	ca.Policy.rule.DefaultRenewalValidityRule.implName=

		RenewalValidityConstraints

	ca.Policy.rule.DefaultRenewalValidityRule.maxValidity=365

	ca.Policy.rule.DefaultRenewalValidityRule.minValidity=30

	ca.Policy.rule.DefaultRenewalValidityRule.predicate=

	ca.Policy.rule.DefaultRenewalValidityRule.renewalInterval=15

	ca.Policy.rule.DefaultRevocationRule.enable=true

	ca.Policy.rule.DefaultRevocationRule.implName=DefaultRevocation

	ca.Policy.rule.DefaultRevocationRule.predicate=

	ca.Policy.rule.DefaultValidityRule.enable=true

	ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints

	ca.Policy.rule.DefaultValidityRule.maxValidity=365

	ca.Policy.rule.DefaultValidityRule.minValidity=30

	ca.Policy.rule.DefaultValidityRule.predicate=

	ca.Policy.rule.GenericASN1Ext.critical=false

	ca.Policy.rule.GenericASN1Ext.enable=false

	ca.Policy.rule.GenericASN1Ext.implName=GenericASN1Ext

	ca.Policy.rule.GenericASN1Ext.name=

	ca.Policy.rule.GenericASN1Ext.oid=

	ca.Policy.rule.GenericASN1Ext.pattern=

	ca.Policy.rule.GenericASN1Ext.predicate=

	ca.Policy.rule.GenericASN1Ext.attribute.0.source=

	ca.Policy.rule.GenericASN1Ext.attribute.0.type=

	ca.Policy.rule.GenericASN1Ext.attribute.0.value=

	ca.Policy.rule.GenericASN1Ext.attribute.1.source=

	ca.Policy.rule.GenericASN1Ext.attribute.1.type=

	ca.Policy.rule.GenericASN1Ext.attribute.1.value=

	ca.Policy.rule.GenericASN1Ext.attribute.2.source=

	ca.Policy.rule.GenericASN1Ext.attribute.2.type=

	ca.Policy.rule.GenericASN1Ext.attribute.2.value=

	ca.Policy.rule.GenericASN1Ext.attribute.3.source=

	ca.Policy.rule.GenericASN1Ext.attribute.3.type=

	ca.Policy.rule.GenericASN1Ext.attribute.3.value=

	ca.Policy.rule.GenericASN1Ext.attribute.4.source=

	ca.Policy.rule.GenericASN1Ext.attribute.4.type=

	ca.Policy.rule.GenericASN1Ext.attribute.4.value=

	ca.Policy.rule.GenericASN1Ext.attribute.5.source=

	ca.Policy.rule.GenericASN1Ext.attribute.5.type=

	ca.Policy.rule.GenericASN1Ext.attribute.5.value=

	ca.Policy.rule.GenericASN1Ext.attribute.6.source=

	ca.Policy.rule.GenericASN1Ext.attribute.6.type=

	ca.Policy.rule.GenericASN1Ext.attribute.6.value=

	ca.Policy.rule.GenericASN1Ext.attribute.7.source=

	ca.Policy.rule.GenericASN1Ext.attribute.7.type=

	ca.Policy.rule.GenericASN1Ext.attribute.7.value=

	ca.Policy.rule.GenericASN1Ext.attribute.8.source=

	ca.Policy.rule.GenericASN1Ext.attribute.8.type=

	ca.Policy.rule.GenericASN1Ext.attribute.8.value=

	ca.Policy.rule.GenericASN1Ext.attribute.9.source=

	ca.Policy.rule.GenericASN1Ext.attribute.9.type=

	ca.Policy.rule.GenericASN1Ext.attribute.9.value=

	ca.Policy.rule.IssuerRule.enable=false

	ca.Policy.rule.IssuerRule.implName=IssuerConstraints

	ca.Policy.rule.IssuerRule.issuerDN=

	ca.Policy.rule.IssuerRule.predicate=certType==client AND 

		certauthEnroll==on

	ca.Policy.rule.KeyAlgRule.algorithms=RSA

	ca.Policy.rule.KeyAlgRule.enable=true

	ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints

	ca.Policy.rule.KeyAlgRule.predicate=

	ca.Policy.rule.NSCComment.enable=false

	ca.Policy.rule.NSCComment.implName=NSCComment

	ca.Policy.rule.NSCComment.policyId=

	ca.Policy.rule.NSCComment.predicate=

	ca.Policy.rule.NSCertTypeExt.enable=true

	ca.Policy.rule.NSCertTypeExt.implName=NSCertTypeExt

	ca.Policy.rule.NSCertTypeExt.predicate=certType!=CEP-Request

	ca.Policy.rule.NameConstraintsExt.critical=true

	ca.Policy.rule.NameConstraintsExt.enable=false

	ca.Policy.rule.NameConstraintsExt.implName=NameConstraintsExt

	ca.Policy.rule.NameConstraintsExt.numExcludedSubtrees=3

	ca.Policy.rule.NameConstraintsExt.numPermittedSubtrees=3

	ca.Policy.rule.NameConstraintsExt.predicate=certType == ca

	ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.base=

	ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.max=-1

	ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.min=0

	ca.Policy.rule.NameConstraintsExt.excludedSubtrees0.valueType=

	ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.base=

	ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.max=-1

	ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.min=0

	ca.Policy.rule.NameConstraintsExt.excludedSubtrees1.valueType=

	ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.base=

	ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.max=-1

	ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.min=0

	ca.Policy.rule.NameConstraintsExt.excludedSubtrees2.valueType=

	ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.base=

	ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.max=-1

	ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.min=0

	ca.Policy.rule.NameConstraintsExt.permittedSubtrees0.valueType=

	ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.base=

	ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.max=-1

	ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.min=0

	ca.Policy.rule.NameConstraintsExt.permittedSubtrees1.valueType=

	ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.base=

	ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.max=-1

	ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.min=0

	ca.Policy.rule.NameConstraintsExt.permittedSubtrees2.valueType=

	ca.Policy.rule.OCSPNoCheckExt.critical=false

	ca.Policy.rule.OCSPNoCheckExt.enable=true

	ca.Policy.rule.OCSPNoCheckExt.implName=OCSPNoCheckExt

	ca.Policy.rule.OCSPNoCheckExt.predicate=certType==ocspResponder

	ca.Policy.rule.OCSPSigningExt.critical=false

	ca.Policy.rule.OCSPSigningExt.enable=true

	ca.Policy.rule.OCSPSigningExt.id0=1.3.6.1.5.5.7.3.9

	ca.Policy.rule.OCSPSigningExt.implName=ExtendedKeyUsageExt

	ca.Policy.rule.OCSPSigningExt.predicate=certType==ocspResponder

	ca.Policy.rule.ObjSignCertKeyUsageExt.digitalSignature=true

	ca.Policy.rule.ObjSignCertKeyUsageExt.enable=true

	ca.Policy.rule.ObjSignCertKeyUsageExt.implName=KeyUsageExt

	ca.Policy.rule.ObjSignCertKeyUsageExt.keyCertsign=true

	ca.Policy.rule.ObjSignCertKeyUsageExt.predicate=

		certType==objSignClient

	ca.Policy.rule.PolicyConstraintsExt.critical=false

	ca.Policy.rule.PolicyConstraintsExt.enable=false

	ca.Policy.rule.PolicyConstraintsExt.implName=PolicyConstraintsExt

	ca.Policy.rule.PolicyConstraintsExt.inhibitPolicyMapping=0

	ca.Policy.rule.PolicyConstraintsExt.predicate=certType==ca

	ca.Policy.rule.PolicyConstraintsExt.reqExplicitPolicy=0

	ca.Policy.rule.PolicyMappingsExt.critical=false

	ca.Policy.rule.PolicyMappingsExt.enable=false

	ca.Policy.rule.PolicyMappingsExt.implName=PolicyMappingsExt

	ca.Policy.rule.PolicyMappingsExt.numPolicyMappings=1

	ca.Policy.rule.PolicyMappingsExt.predicate=certType==ca

	ca.Policy.rule.PolicyMappingsExt.policyMap0.issuerDomainPolicy=

	ca.Policy.rule.PolicyMappingsExt.policyMap0.subjectDomainPolicy=

	ca.Policy.rule.RMCertKeyUsageExt.digitalSignature=true

	ca.Policy.rule.RMCertKeyUsageExt.enable=true

	ca.Policy.rule.RMCertKeyUsageExt.implName=KeyUsageExt

	ca.Policy.rule.RMCertKeyUsageExt.nonRepudiation=true

	ca.Policy.rule.RMCertKeyUsageExt.predicate=certType==ra

	ca.Policy.rule.RSAKeyRule.enable=false

	ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537

	ca.Policy.rule.RSAKeyRule.implName=RSAKeyConstraints

	ca.Policy.rule.RSAKeyRule.maxSize=2048

	ca.Policy.rule.RSAKeyRule.minSize=512

	ca.Policy.rule.RSAKeyRule.predicate=

	ca.Policy.rule.RenewalConstraintsRule.enable=true

	ca.Policy.rule.RenewalConstraintsRule.implName=RenewalConstraints

	ca.Policy.rule.RenewalConstraintsRule.predicate=

	ca.Policy.rule.RevocationConstraintsRule.enable=true

	ca.Policy.rule.RevocationConstraintsRule.implName=

		RevocationConstraints

	ca.Policy.rule.RevocationConstraintsRule.predicate=

	ca.Policy.rule.ServerCertKeyUsageExt.dataEncipherment=true

	ca.Policy.rule.ServerCertKeyUsageExt.digitalSignature=true

	ca.Policy.rule.ServerCertKeyUsageExt.enable=true

	ca.Policy.rule.ServerCertKeyUsageExt.implName=KeyUsageExt

	ca.Policy.rule.ServerCertKeyUsageExt.keyEncipherment=true

	ca.Policy.rule.ServerCertKeyUsageExt.nonRepudiation=true

	ca.Policy.rule.ServerCertKeyUsageExt.predicate=certType==server

	ca.Policy.rule.SigningAlgRule.algorithms=

		MD5withRSA,MD2withRSA,SHA1withRSA,SHA1withDSA

	ca.Policy.rule.SigningAlgRule.enable=true

	ca.Policy.rule.SigningAlgRule.implName=SigningAlgorithmConstraints

	ca.Policy.rule.SigningAlgRule.predicate=

	ca.Policy.rule.SubCANameCheck.enable=true

	ca.Policy.rule.SubCANameCheck.implName=SubCANameCheck

	ca.Policy.rule.SubCANameCheck.predicate=

	ca.Policy.rule.SubjectAltNameExt.enable=true

	ca.Policy.rule.SubjectAltNameExt.enableManualValues=false

	ca.Policy.rule.SubjectAltNameExt.implName=SubjectAltNameExt

	ca.Policy.rule.SubjectKeyIdentifierExt.enable=true

	ca.Policy.rule.SubjectKeyIdentifierExt.implName=

		SubjectKeyIdentifierExt

	ca.Policy.rule.SubjectKeyIdentifierExt.predicate=certType==ca

	ca.Policy.rule.UniqueSubjectName.enable=false

	ca.Policy.rule.UniqueSubjectName.implName=UniqueSubjectName

	ca.Policy.rule.UniqueSubjectName.predicate=

ca.crl._000=##

ca.crl._001=## CA CRL

ca.crl._002=##

	ca.crl.MasterCRL.allowExtensions=false

	ca.crl.MasterCRL.autoUpdateInterval=20

	ca.crl.MasterCRL.class=com.netscape.certsrv.ca.CRLIssuingPoint

	ca.crl.MasterCRL.description=

		CA's complete Certificate Revocation List

	ca.notification.certIssued.emailSubject=Your Certificate Request

	ca.notification.certIssued.emailTemplate=/usr/netscape/cert-testCA/

		emails/certIssued_CA.html

	ca.notification.certIssued.enabled=false

	ca.notification.certIssued.senderEmail=

	ca.notification.requestInQ.emailSubject=Certificate Request in Queue

	ca.notification.requestInQ.emailTemplate=/usr/netscape/cert-testCA/

		emails/reqInQueue.html

	ca.notification.requestInQ.enabled=false

	ca.notification.requestInQ.recipientEmail=

	ca.notification.requestInQ.senderEmail=

	ca.publish.mapper.impl.LdapDNCompsMap.class=com.netscape.certsrv.

		ldap.LdapCertCompsMap

	ca.publish.mapper.impl.LdapDNExactMap.class=com.netscape.certsrv.

		ldap.LdapCertExactMap

	ca.publish.mapper.impl.LdapSimpleMap.class=com.netscape.certsrv.

		ldap.LdapSimpleMap

	ca.publish.mapper.impl.LdapSubjAttrMap.class=com.netscape.certsrv.

		ldap.LdapCertSubjMap

	ca.publish.mapper.instance.LdapCaCertMap.dnPattern=

		UID=$cert.cn,OU=people,O=$cert.o

	ca.publish.mapper.instance.LdapCaCertMap.pluginName=LdapSimpleMap

	ca.publish.mapper.instance.LdapCrlMap.dnPattern=

		UID=$cert.cn,OU=people,O=$cert.o

	ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapSimpleMap

	ca.publish.mapper.instance.LdapUserCertMap.dnPattern=

		UID=$cert.UID,OU=people,O=$cert.o

	ca.publish.mapper.instance.LdapUserCertMap.pluginName=LdapSimpleMap

	ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.

		certsrv.ldap.FileBasedPublisher

	ca.publish.publisher.impl.LdapCaCertPublisher.class=com.netscape.

		certsrv.ldap.LdapCaCertPublisher

	ca.publish.publisher.impl.LdapCrlPublisher.class=com.netscape.

		certsrv.ldap.LdapCrlPublisher

	ca.publish.publisher.impl.LdapUserCertPublisher.class=com.netscape.

		certsrv.ldap.LdapUserCertPublisher

	ca.publish.publisher.impl.ValiCertPublisher.class=com.valicert.

		publisher.VcPublisher

	ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr=

		caCertificate;binary

	ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass=

		certificationAuthority

	ca.publish.publisher.instance.LdapCaCertPublisher.pluginName=

		LdapCaCertPublisher

	ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=

		certificateRevocationList;binary

	ca.publish.publisher.instance.LdapCrlPublisher.pluginName=

		LdapCrlPublisher

	ca.publish.publisher.instance.LdapUserCertPublisher.certAttr=

		userCertificate;binary

	ca.publish.publisher.instance.LdapUserCertPublisher.pluginName=

		LdapUserCertPublisher

	ca.publish.rule.impl.Rule.class=com.netscape.certsrv.ldap.LdapRule

	ca.publish.rule.instance.LdapCaCertRule.enable=true

	ca.publish.rule.instance.LdapCaCertRule.mapper=LdapCaCertMap

	ca.publish.rule.instance.LdapCaCertRule.pluginName=Rule

	ca.publish.rule.instance.LdapCaCertRule.predicate=

	ca.publish.rule.instance.LdapCaCertRule.publisher=

		LdapCaCertPublisher

	ca.publish.rule.instance.LdapCaCertRule.type=ca

	ca.publish.rule.instance.LdapCrlRule.enable=true

	ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap

	ca.publish.rule.instance.LdapCrlRule.pluginName=Rule

	ca.publish.rule.instance.LdapCrlRule.predicate=

	ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher

	ca.publish.rule.instance.LdapCrlRule.type=crl

	ca.publish.rule.instance.LdapObjSignCertRule.enable=true

	ca.publish.rule.instance.LdapObjSignCertRule.mapper=LdapUserCertMap

	ca.publish.rule.instance.LdapObjSignCertRule.pluginName=Rule

	ca.publish.rule.instance.LdapObjSignCertRule.predicate=

	ca.publish.rule.instance.LdapObjSignCertRule.publisher=

		LdapUserCertPublisher

	ca.publish.rule.instance.LdapObjSignCertRule.type=objSignClient

	ca.publish.rule.instance.LdapUserCertRule.enable=true

	ca.publish.rule.instance.LdapUserCertRule.mapper=LdapUserCertMap

	ca.publish.rule.instance.LdapUserCertRule.pluginName=Rule

	ca.publish.rule.instance.LdapUserCertRule.predicate=

	ca.publish.rule.instance.LdapUserCertRule.publisher=

		LdapUserCertPublisher

	ca.publish.rule.instance.LdapUserCertRule.type=client

	ca.signing.cacertnickname=caSigningCert cert-testCA

	ca.signing.defaultSigningAlgorithm=MD5withRSA

	ca.signing.tokenname=Internal Key Storage Token

	dbs.ldap=internaldb

	dbs.newSchemaEntryAdded=true

	dbs.nextSerialNumber=1

eeGateway._000=##

eeGateway._001=## End Entity Gateway

eeGateway._002=##

	eeGateway.authority=ca

	eeGateway.docRoot=/usr/netscape/cert-testCA/web/ee

	eeGateway.dynamicVariables=serverdate=serverdate(),subsystemname=

		subsystemname(),http=http()

	eeGateway.enableConnector=true

	eeGateway.keepAliveOn=true

	eeGateway.mimeTypeConf=/usr/netscape/cert-testCA/config/mime.types

	eeGateway.numServices=2

	eeGateway.service0=http

	eeGateway.service1=https

	eeGateway.http.backlog=15

	eeGateway.http.enable=true

	eeGateway.http.port=4603

	eeGateway.http.type=http

	eeGateway.https.backlog=15

	eeGateway.https.nickName=Server-Cert cert-testCA

	eeGateway.https.port=4604

	eeGateway.https.type=https

internaldb._000=##

internaldb._001=## Internal Database

internaldb._002=##

	internaldb.maxConns=15

	internaldb.minConns=3

	internaldb.ldapauth.authtype=BasicAuth

	internaldb.ldapauth.bindDN=cn=Directory Manager

	internaldb.ldapauth.bindPWPrompt=Internal LDAP Database

	internaldb.ldapconn.host=testCA.siroe.com

	internaldb.ldapconn.port=3602

	internaldb.ldapconn.secureConn=false

jobsScheduler._000=##

jobsScheduler._001=## jobScheduler

jobsScheduler._002=##

	jobsScheduler.enabled=false

	jobsScheduler.interval=1

	jobsScheduler.impl.RenewalNotificationJob.class=com.netscape.

		certsrv.jobs.RenewalNotificationJob

	jobsScheduler.impl.RequestInQueueJob.class=com.netscape.

		certsrv.jobs.RequestInQueueJob

	jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.

		certsrv.jobs.UnpublishExpiredJob

	jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5

	jobsScheduler.job.certRenewalNotifier.emailSubject=

		Certificate Renewal Notification

	jobsScheduler.job.certRenewalNotifier.emailTemplate=/usr/netscape/

		cert-testCA/emails/rnJob1.txt

	jobsScheduler.job.certRenewalNotifier.enabled=false

	jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30

	jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30

	jobsScheduler.job.certRenewalNotifier.pluginName=

		RenewalNotificationJob

	jobsScheduler.job.certRenewalNotifier.senderEmail=

	jobsScheduler.job.certRenewalNotifier.summary.emailSubject=

		Certificate Renewal Notification Summary

	jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=/usr/

		netscape/cert-testCA/emails/rnJob1Summary.txt

	jobsScheduler.job.certRenewalNotifier.summary.enabled=true

	jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=/usr/

		netscape/cert-testCA/emails/rnJob1Item.txt

	jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=

	jobsScheduler.job.certRenewalNotifier.summary.senderEmail=

	jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0

	jobsScheduler.job.requestInQueueNotifier.enabled=false

	jobsScheduler.job.requestInQueueNotifier.pluginName=

		RequestInQueueJob

	jobsScheduler.job.requestInQueueNotifier.subsystemId=ca

	jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=

		Requests in Queue Summary Report

	jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=/usr/

		netscape/cert-testCA/emails/riq1Summary.html

	jobsScheduler.job.requestInQueueNotifier.summary.enabled=true

	jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=

	jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=

	jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6

	jobsScheduler.job.unpublishExpiredCerts.enabled=false

	jobsScheduler.job.unpublishExpiredCerts.pluginName=

		UnpublishExpiredJob

	jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=

		Expired Certs Unpublished Summary

	jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=/usr/

		netscape/cert-testCA/emails/euJob1.html

	jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true

	jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=/usr/

		netscape/cert-testCA/emails/euJob1Item.html

	jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=

	jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=

jss._000=##

jss._001=## JSS

jss._002=##

	jss.certdb=/usr/netscape/cert-testCA/config/cert7.db

	jss.enable=true

	jss.keydb=/usr/netscape/cert-testCA/config/key3.db

	jss.moddb=/usr/netscape/admin-serv/config/secmodule.db

	jss.ssl.cipherfortezza=true

	jss.ssl.cipherpref=

	jss.ssl.cipherversion=cipherdomestic

logAudit._000=##

logAudit._001=## Logging

logAudit._002=##

	logAudit.bufferSize=512

	logAudit.expirationTime=2592000

	logAudit.fileName=/usr/netscape/cert-testCA/logs/audit

	logAudit.flushInterval=5

	logAudit.level=1

	logAudit.maxFileSize=100

	logAudit.on=true

	logAudit.rolloverInterval=2592000

logError._000=##

logError._001=## Logging

logError._002=##

	logError.bufferSize=512

	logError.expirationTime=2592000

	logError.fileName=/usr/netscape/cert-testCA/logs/error

	logError.flushInterval=5

	logError.level=3

	logError.maxFileSize=100

	logError.on=true

	logError.rolloverInterval=2592000

	logNTAudit.NTEventSourceName=cert-testCA

	logNTAudit.level=1

	logNTAudit.on=true

	logNTSystem.NTEventSourceName=cert-testCA

	logNTSystem.level=2

	logNTSystem.on=true

logSystem._000=##

logSystem._001=## Logging

logSystem._002=##

	logSystem.bufferSize=512

	logSystem.expirationTime=2592000

	logSystem.fileName=/usr/netscape/cert-testCA/logs/system

	logSystem.flushInterval=5

	logSystem.level=3

	logSystem.maxFileSize=100

	logSystem.on=true

	logSystem.rolloverInterval=2592000

	oidmap.auth_info_access.class=com.netscape.certsrv.cert.

		AuthInfoAccessExtension

	oidmap.auth_info_access.oid=1.3.6.1.5.5.7.1.1

	oidmap.challenge_password.class=com.netscape.certsrv.cmsgateway.

		cert.crs.ChallengePassword

	oidmap.challenge_password.oid=1.2.840.113549.1.9.7

	oidmap.extended_key_usage.class=com.netscape.certsrv.cert.

		ExtendedKeyUsageExtension

	oidmap.extended_key_usage.oid=2.5.29.37

	oidmap.extensions_requested_pkcs9.class=com.netscape.certsrv.

		cmsgateway.cert.crs.ExtensionsRequested

	oidmap.extensions_requested_pkcs9.oid=1.2.840.113549.1.9.14

	oidmap.extensions_requested_vsgn.class=com.netscape.certsrv.

		cmsgateway.cert.crs.ExtensionsRequested

	oidmap.extensions_requested_vsgn.oid=2.16.840.1.113733.1.9.8

	oidmap.netscape_comment.class=netscape.security.x509.

		NSCCommentExtension

	oidmap.netscape_comment.oid=2.16.840.1.113730.1.13

	oidmap.ocsp_no_check.class=com.netscape.certsrv.cert.

		OCSPNoCheckExtension

	oidmap.ocsp_no_check.oid=1.3.6.1.5.5.7.48.1.5

	os.serverName=cert-testCA

	os.userid=nobody

radm._000=##

radm._001=## Remote Admin

radm._002=##

	radm.keepAliveOn=true

	radm.mimeTypeConf=/usr/netscape/cert-testCA/config/mime.types

	radm.numServices=1

	radm.service0=https

	radm.https.backlog=15

	radm.https.maxThreads=10

	radm.https.minThreads=3

	radm.https.nickName=Server-Cert cert-testCA

	radm.https.port=4606

	radm.https.timeout=0

	radm.https.type=https

	smtp.host=localhost

	smtp.port=25

subsystem._000=##

subsystem._001=## Loadable Subsystems

subsystem._002=##

	subsystem.0.class=com.netscape.certsrv.ca.CertificateAuthority

	subsystem.0.id=ca

	subsystem.1.class=com.netscape.certsrv.cmsgateway.EEGateway

	subsystem.1.id=eeGateway

usrgrp._000=##

usrgrp._001=## User/Group

usrgrp._002=##

	usrgrp.ldap=internaldb

Road Map to Configuring Subsystems

This section outlines how to configure an instance of Certificate Management System and indicates where to find the information required to accomplish the task.

Step 1. Check Which Subsystems are Installed in the Instance

Log in to the CMS window for the CMS instance you installed, and check the navigation tree to see which subsystems are installed in that instance; this way you will know the subsystems you should configure. To log in to the CMS window, see "Logging In to the CMS Window".

Step 2. Check the Port Numbers

Check the port numbers assigned for administration, agent, and end-entity operations. Make the appropriate modifications, if necessary. Keep in mind that all subsystems installed in an instance use the same ports, but can be configured to listen on different IP addresses. For instructions, see "Configuring Port Numbers".

Step 3. Verify Key Pair and Certificates

When you install a CMS instance, the server prompts you to create the certificates required for the subsystems in that instance to function. You should check the certificates used by each subsystem, and determine if you need to get additional certificates, use hardware tokens, and so on.

Each subsystem in an instance has a set of certificates that it uses for specific purposes. Understand how and when the subsystem uses its certificates. For details, see "Keys and Certificates for the Main Subsystems".

Determine if you want to generate any new certificates. For example, if you have two subsystems installed in an instance, you may want them to use separate SSL server certificates; by default, there's only one SSL server certificate per instance. For details, see "Getting New Certificates for the Subsystems".

Determine if you want to use hardware tokens for generating and storing these certificates. If required, install new hardware tokens. For details, see "Tokens for Storing Keys and Certificates".

Determine if you want to renew any of the existing certificates. For example, if you have issued certificates with very short validity periods, you might want to renew them. For details, see "Renewing Certificates for the Subsystems".

Check the certificate database to see which CA certificates are trusted. Delete any unwanted CA certificates, change the trust settings of CA certificates that you don't want to trust to untrusted, and install any new CA certificate or certificate chains. For details, see "Managing the Certificate Database".

Step 4. Check the SMTP Settings

Check the mail server settings--Certificate Management System uses this information to send automated email notifications. If necessary, make the appropriate changes to the host name and port number. Keep in mind that all subsystems installed in an instance use the same mail server. To change the mail server-specific information, see "SMTP Settings".

Step 5. Set up Privileged Users

Set up required administrators and agents. This way you can delegate administration and agent tasks to other individuals. For details, see "Setting Up Privileged Users".

If you have installed remote Registration Managers that have certificates signed by third-party CAs (that is, not by a Certificate Manager), you should add their certificates to the Certificate Manager's database to facilitate SSL client authenticated communication. For details, see "Setting Up Trusted Managers".

Step 6. Customize End-Entity and Agent Forms

End entities can interact with the Certificate Manager and Registration Manager with the help of end-entity forms; end entities cannot interact with the Data Recovery Manager. Similarly, agents can interact with the appropriate subsystem using the agent forms. Certificate Management System provides HTML forms-based interfaces for end entities and agents out of the box. For details, see "Introduction to End-Entity and Agent Interfaces".

Determine which forms you want to use for end-entity enrollment and whether they require any customization. You may also use your own forms for this purpose, provided you add the required JavaScript. For details, see "End-Entity Services".

When customizing end-entity forms, keep in mind the authentication method--manual or automated--you want to employ for your end entities.

Step 7. Setup Authentication for End Entities

Depending on how you've deployed Certificate Management System, you may need to do this for a Certificate Manager or Registration Manager, or for both. For example, you may have a PKI setup in which Registration Managers act as front ends to Certificate Managers--that is, end entities interact with Registration Managers only; they do not interact with the Certificate Manager.

Determine whether you want to use any of the authentication plug-in modules provided for automated enrollment of end users. For details, see "Overview of Authentication Modules". If you don't, you either have to use the manual enrollment method or will have to use your own custom module. For information on developing authentication modules and registering them in the CMS framework, see "Developing Custom Authentication Modules".

Configure the Certificate Manager or Registration Manager to use a specific authentication method. For details, see "Setting Up Authentication for End-User Enrollment".

Step 8. Schedule Jobs

Each CMS instance includes a Job Scheduler component that can execute specific jobs at specified times. The Job Scheduler functions similar to a traditional Unix cron daemon in that it takes registered cron jobs and executes them at a preconfigured date and time. For details, see "Introduction to Job Scheduling and Notifications".

During installation, a few jobs are already created and enabled. Jobs that you might want to schedule include email notifications of timed events (such as the expiration of a certificate) that require action on the part of users, and periodic activities such as removing expired certificates from the publishing directory. For scheduling jobs, follow the instructions in "Scheduling Automated Jobs".

Step 9: Enable Event-Driven Notifications

You can also configure both Certificate Manager and Registration Manager to send email notifications automatically to end entities, agents, or administrators when certain events occur. Unlike jobs that are executed at preconfigured schedule, these notifications are event-driven--that is, whenever an event occurs, the server notifies the user. Notifiable events include certificate issuance and pending requests in an agent queue.

Decide if you want to turn on any of the notifications. If you do, the server uses the mail server specified in the SMTP settings (see "Step 4. Check the SMTP Settings") to send these notifications. For details, see "Event-Driven Notifications".

Step 10. Set up Policies

Each subsystem in a CMS instance has its own policy processor. If you have installed more than one subsystem in an instance, you should apply the instructions in this section to each subsystem. That is, you should configure the Certificate Manager and Registration Manager for certificate formulation, issuance, renewal, and revocation policies. Similarly, configure the Data Recovery Manager for key archival and recovery policies. To understand policy, see "Introduction to Policy".

During installation, a few policy rules are already created and enabled. Check each policy rule and decide whether you want to use it. If you don't, you can either disable it or delete it altogether from the configuration. For those rules that you want to use, check the configuration parameter values and make changes as appropriate.

Determine if you want to add any new policy rules. Check the built-in policy plug-in modules to see if they can be used to create the rules you want. You can also plug-in your own modules in the CMS framework and use them.

Add new rules, if required.

For instructions to do all of the above tasks, see "Setting up Policy Rules for a Subsystem".

Step 11. Set up Publishing

This step is optional, and is applicable to the Certificate Manager only--you need to do this only if you want the Certificate Manager to publish certificates and CRLs to any of the supported repositories.

To configure a Certificate Manager to publish certificates and CRLs to an LDAP-compliant directory, such as Netscape Directory Server, see "Publishing Certificates and CRLs to a Directory".

To configure a Certificate Manager to publish certificates and CRLs to a flat file, see "Publishing Certificates and CRLs to Flat Files".

To configure a Certificate Manager to publish CRLs to an online validation authority (also called OCSP responder), see "Publishing CRLs to Online Validation Authority".

Step 12. Set up Logging

Each instance of Certificate Management System maintains extensive audit, error, and system logs. By looking at these logs, you can monitor a server's activities. Also, by configuring these logs, you can control the information that gets written to the log files. Because Certificate Management System maintains the log files in the file system of the host machine, it is important that you configure the logs appropriately (so that the host machine doesn't get overloaded). Be sure to read "Introduction to Logs"; this chapter will help you decide log configuration.

Once you decide the configuration for server logs, follow the information in "Configuring Logs" and configure all the three logs. Then, start monitoring the server's activities as explained in "Monitoring Logs".

Step 13. Set up archival and recovery for end users' keys

If you have installed the Data Recovery Manager, follow the instructions in "Setting Up Key Archival and Recovery Process" and set up archival and recovery for end users' encryption private keys.

Step 14. Test your PKI Setup

Use the information in "Issuing and Managing End-Entity Certificates" and test that the certificate issuance, renewal, and revocation operations work satisfactorily.

If you have deployed the Data Recovery Manager, follow the information in "Step A. Test Your Key Archival Setup" and "Step D. Test Your Key Recovery Setup" to test the key archival and recovery operation respectively.

Step 15. Plan for Backing up CMS Configuration and Data

It is a good practice to periodically back up the CMS data on to some backup media. Creating backups will help you use them for data restoration in the event of data loss. For details, see "Backing Up and Restoring Data".