Netscape Certificate Management System Administrator's Guide: Configuring Ports, Database, and SMTP Settings


Chapter 6 Configuring Ports, Database, and SMTP Settings

Subsystems installed in an instance of Netscape Certificate Management System (CMS) share certain configuration information. They use the same administration, agent, and end-entity ports; internal database for data storage; mail server for automated notifications; internal token and trust database for PKI operations; SSL ciphers during SSL negotiation; privileged users; and log files to log messages to. This chapter explains how to configure these ports, the internal database, and the mail server settings for a CMS instance.

The chapter has the following sections: "CMS Ports", "Internal Database", and "SMTP Settings".


CMS Ports
Certificate Management System listens to different ports for requests from different users. As illustrated in Figure 6.1, it listens to the administration port, the agent port, and end-entity ports.

Figure 6.1 CMS ports for administration, agent, and end-entity operations

When choosing ports for Certificate Management System, be sure to choose ports that are unique on the host system--that is, no other application can be using, or attempting to use, the port numbers you assign to Certificate Management System. To verify that a port is available for use, check the appropriate file for your operating system; port numbers for network-accessible services are usually maintained in a file named services. (On Unix, if you are not running as root or superuser when you install or start the server, you will have to use a port number higher than 1024.)

Remote Administration Port

The administration port is an SSL (encrypted) port at which Certificate Management System listens to requests from its administration interface; administrators make these requests from the CMS window. When you install Certificate Management System, it assigns a random number (greater than 1024) as the administration port number. You can change this port number at any time, to any number between 1 and 65535. For security reasons you should consider changing the administration port number periodically.

Agent Port

The agent port is an SSL (encrypted) port at which Certificate Management System listens to requests from agents; agents make these requests from the appropriate Agent Services interface.

Agent functions always require SSL client authentication. For a list of supported agent operations, see "Agent Services".

When you install Certificate Management System, it assigns a random number (greater than 1024) as the agent port number and prompts you to change it, if necessary; the port number can be any number between 1 and 65535. The number you choose for the agent port affects your agent users--all agents access Certificate Management System by specifying the name of the server (the CMS instance) and the agent port number in the URL. For example, if you choose port number 4430, the URL would look like this:

https://<host_name>:4430/<subsystem>

For example, the URL to a Certificate Manager agent interface would look like this: https://testCA.netscape.com:5600/ca

If you change the agent port number, be sure to inform your agent users.

End-Entity Ports

For requests from end entities, Certificate Management System can listen to two ports, an SSL (encrypted) port and a non-SSL port. End entities make these requests from the end entity services interface; see "End-Entity Services".

Certificate Management System provides the following services through the HTTP and HTTPS ports:

Configuring Port Numbers

Configuring port numbers for a CMS instance involves two steps:

Step 1. Specify the Port Number

To change the administration, agent, or end-entity port numbers used by a CMS instance:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Configuration tab.

    The Network tab appears.

  3. To change the administration port number, enter the port number in the Administration section:

    SSL port. Type a TCP/IP port number. Certificate Management System uses this port for SSL-enabled communications with the CMS window--that is, HTTPS requests from administrators. Make sure the port number you specify is unique on the host system.

    Backlog. Type the number of connections that can be waiting to be serviced at the administration port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.

  4. To change the agent port number, enter the port number in the Agent section:

    SSL port. Type a TCP/IP port number. Certificate Management System uses this port for SSL-enabled communications with the Agent Services interface--that is, HTTPS requests from agents. Make sure the port number you specify is unique on the host system.

    Backlog. Type the number of connections that can be waiting to be serviced at the agent port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.

  5. To change the end-entity port numbers, enter the port numbers in the End Entity section.

    Certificate Management System is capable of simultaneous SSL and non-SSL communications at the end-entity port. This means that you do not have to choose between SSL and non-SSL communications; you can use both at the same time. But if you prefer, you can disable the non-SSL port by unchecking the "Enable" option.

    Port. Type a TCP/IP port number that is unique on the host system. Certificate Management System uses this port for non-SSL communications with the end entity services interface.

    This port is provided to allow enrollments of end entities that do not support SSL; for example, HTTP requests from end entities such as routers. You can use the Enable check box to turn this port on or off. Keep in mind that if this port is enabled, end entities will be able to enroll over HTTP too, which means their certificate requests could be intercepted and replayed to the server.

    Backlog. Type the number of connections that can be waiting to be serviced at the end entity HTTP port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.

    Enable. This check box allows you to enable or disable the HTTP port. Uncheck the option if you want to disable the port.

    For issuing certificates to routers (using the CEP protocol), the port must be enabled; see "CEP Enrollment".

    SSL port. Type a TCP/IP port number. Certificate Management System uses this port for SSL-enabled communications with the end entity services interface (that is, HTTPS requests from end entities during certificate enrollment, renewal, and revocation). Make sure the port number you specify is unique on the host system.

    If you don't want end-entity interaction with a subsystem, for example, if you don't want end entities to interact with a Certificate Manager, you can disable this port too (in addition to the HTTP port). See "Step 6. Enable End-Entity Interaction".

    Backlog. Type the number of connections that can be waiting to be serviced at the end-entity HTTPS port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.

  6. To save your changes, click Save.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.
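The two checks the chapter asks for around this procedure, choosing port numbers that no other service on the host uses (the services-file check described under "CMS Ports") and confirming after the restart that the ports you enabled answer while the non-SSL end-entity port you disabled does not, can be scripted. The following Python is an added example written for this guide's readers; it is not code from the guide or from Certificate Management System. The services-file excerpt and the port numbers in it are constructed sample data, and the audit only makes TCP connections to the instance's own host.

```python
# Added example, not part of the Netscape CMS guide: a pre-flight check for the
# administration, agent and end-entity port numbers of a CMS instance, and a
# post-restart audit that enabled ports answer and disabled ones do not.
import socket

# Constructed excerpt in the layout of a Unix services file (assumption: sample
# data only, not the file from any particular host).
SAMPLE_SERVICES = """\
# service-name   port/protocol   [aliases ...]
http             80/tcp          www
https            443/tcp
ldap             389/tcp
ldaps            636/tcp
"""


def services_conflicts(port, services_text):
    """Names of the TCP services a services file registers on this port."""
    names = []
    for raw in services_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        number, proto = fields[1].split("/", 1)
        if proto == "tcp" and number.isdigit() and int(number) == port:
            names.append(fields[0])
    return names


def bind_error(port, host="127.0.0.1"):
    """None if the TCP port can be bound right now, otherwise the OS error text
    (address already in use, or permission denied for a low port as non-root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            return e.strerror
    return None


def open_listener(port=0, backlog=15, host="127.0.0.1"):
    """Bind and listen; backlog is the value the Backlog field hands to listen()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(backlog)
    return s


def plan_problems(plan, services_text):
    """plan maps a port name to (port_number, enabled).  Returns the reasons a
    planned port should not be used: outside 1-65535, duplicated within the
    plan, registered to another service, or not bindable on this host."""
    problems, owners = [], {}
    for name, (port, _enabled) in plan.items():
        if not 1 <= port <= 65535:
            problems.append(f"{name}: {port} is outside 1-65535")
            continue
        if port in owners:
            problems.append(f"{name}: {port} is already planned for {owners[port]}")
            continue
        owners[port] = name
        for svc in services_conflicts(port, services_text):
            problems.append(f"{name}: {port} is registered for service {svc}")
        err = bind_error(port)
        if err:
            problems.append(f"{name}: cannot bind {port}: {err}")
    return problems


def tcp_accepts(host, port, timeout=1.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_ports(host, plan):
    """After the restart: every enabled port must answer, and a disabled port
    (typically the non-SSL end-entity port) must not, because a live HTTP port
    means enrollment requests can still travel in the clear."""
    findings = []
    for name, (port, enabled) in plan.items():
        answering = tcp_accepts(host, port)
        if enabled and not answering:
            findings.append(f"{name}: port {port} is enabled but not accepting connections")
        if not enabled and answering:
            findings.append(f"{name}: port {port} is disabled but still accepting connections")
    return findings


if __name__ == "__main__":
    # Constructed plan: numbers chosen for illustration only.
    plan = {"admin": (8200, True), "agent": (4430, True),
            "ee_http": (80, False), "ee_https": (443, True)}
    for line in plan_problems(plan, SAMPLE_SERVICES):
        print("plan:", line)
    for line in audit_ports("127.0.0.1", plan):
        print("audit:", line)
```

Run `plan_problems` before you type the numbers into the Network tab and `audit_ports` after the instance has restarted; the audit is deliberately run against the same host, since the point is to confirm the instance's own listeners, not to probe anything else.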

Step 2. Specify IP Addresses

This step is optional.

You can configure CMS instances to listen to specific IP addresses. For example, you can install the Certificate Manager and Data Recovery Manager on a single host, in separate instances, and then configure the instances so that the Certificate Manager is served on one IP address and the Data Recovery Manager is served on another address.

To clarify this further, suppose that the machine hosting the Certificate Manager and Data Recovery Manager has two Ethernet cards that respond to the IP addresses 197.1.137.97 and 197.1.137.98. You can set up the Certificate Manager to listen to port 443 for the IP address 197.1.137.97 and the Data Recovery Manager to listen to port 443 for the IP address 197.1.137.98.

To configure a CMS instance to listen to specific IP addresses:

  1. Stop the CMS instance; see "Stopping Certificate Management System".
  2. Open the configuration file in a text editor; to locate the file, see "Locating the Configuration File".
  3. Add one or more of the following as appropriate:
  4. Add the IP address or the host name or interface name as the value for the parameter you just added. For example,
  5. If necessary, repeat step 4 for the other ports.
  6. Save your changes, and close the configuration file.
  7. Start the CMS instance; see "Starting Certificate Management System".
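What this step relies on is ordinary socket behaviour: two listeners may share a port number as long as each is bound to a different address, but not if they bind the same address, and not if one of them binds the wildcard address. The following Python dry run is an added example, not code from the guide or from Certificate Management System; the instance names and the loopback addresses it uses are constructed (127.0.0.2 is an alias of the loopback interface on Linux, used here in place of the guide's 197.1.137.x addresses).

```python
# Added example, not from the Netscape CMS guide: what binding a listener to a
# specific IP address means at the socket level, as an illustration of two CMS
# instances sharing one port number on different addresses of one host.
import socket


def bind_listener(address, port, backlog=15):
    """Bind a listening TCP socket to one address; raises OSError on conflict."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((address, port))
        s.listen(backlog)
    except OSError:
        s.close()
        raise
    return s


def check_bindings(bindings):
    """bindings: list of (instance_name, address, port).  Binds them in order
    while holding the earlier ones, as instances started one after another
    would, and returns {instance_name: "ok" or the OS error text}.  Every
    socket is released before returning, so this is only a dry run."""
    results, held = {}, []
    for name, address, port in bindings:
        try:
            held.append(bind_listener(address, port))
            results[name] = "ok"
        except OSError as e:
            results[name] = f"cannot bind {address}:{port}: {e.strerror}"
    for s in held:
        s.close()
    return results


if __name__ == "__main__":
    # Constructed layout: the guide's two-instance example on loopback aliases.
    report = check_bindings([
        ("ca", "127.0.0.1", 4430),          # first instance
        ("drm", "127.0.0.2", 4430),         # same port, other address: allowed
        ("drm-again", "127.0.0.2", 4430),   # same address and port: conflict
        ("wildcard", "0.0.0.0", 4430),      # all addresses: conflicts with both
    ])
    for name, result in report.items():
        print(f"{name:10} {result}")
```

The dry run is the check to make before editing the configuration file: if the wildcard line reports a conflict while the two specific addresses report `ok`, the addresses you plan to assign to the two instances really do keep their listeners apart.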

Internal Database
Certificate Management System performs various certificate and key-management functions in response to the requests it receives. These functions include the following:

To fulfill these functions, Certificate Management System maintains a persistent store--a preconfigured Netscape Directory Server--referred to as the internal database or local database. The internal database is installed automatically as a part of the CMS installation. It is used as an embedded database exclusively by Certificate Management System and can be managed using Directory management tools that come with Netscape Directory Server.

The Directory Server instance used for the internal database is different from the LDAP-compliant directory that you use to manage your corporatewide data (users and groups, their certificates, CRLs, and so on).

Keep in mind that the subsystems use the database for storing different objects. A Certificate Manager stores all the data, certificate issuance requests, certificates, CRLs, and related information; a Registration Manager only stores the certificate issuance requests it receives; and a Data Recovery Manager only stores key records and related data.

Configuring the Internal Database

Each instance of Certificate Management System uses a Netscape Directory Server instance as its internal database. All the subsystems that were installed in a CMS instance use the same Directory Server instance to store their data. For example, if you installed a Certificate Manager and Data Recovery Manager together, they use the same internal database for data storage.

Caution The internal database schema is preconfigured for storing CMS data only. Do not make any changes to it or configure Certificate Management System to use any other LDAP directory. Doing so can result in loss of data. Also, do not attempt to use this database for any other purpose.

Step 1. Identify the Directory Server Instance

To identify the Directory Server instance that a CMS instance should use as its internal database:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Configuration tab, and then in the right pane, select the Internal Database tab.
  3. Identify a Directory Server instance by providing the following details:

    Host name. Type the full host name of the machine on which Netscape Directory Server is installed. Certificate Management System uses this name to access the directory. The format for the host name is as follows:

    <machine_name>.<your_domain>.<domain>

    By default, the host name of the Directory Server instance being used as the internal database is shown as localhost instead of the actual host name (for example, certificates.netscape.com). This is done on purpose to insulate the internal database from being visible outside the system--that is, a server on localhost can only be accessed from the local machine. Thus, the default configuration minimizes the risk of someone connecting to this Directory Server instance from outside the local machine.

    You can configure the host name to something other than localhost if you know what you are doing and you think you can limit the visibility of the internal database to a local subnet. For example, if you installed Certificate Management System and Directory Server on separate machines for load balancing, you will have to specify the host name of the machine in which Directory Server is installed.

    Port number. Type a TCP/IP port number; Certificate Management System uses this port for non-SSL communications with the Directory Server instance that is functioning as the internal database. Make sure that the port you specify is unique on the host system.

    Directory manager DN. Type the distinguished name (DN) of an entry in your LDAP directory that has read and write permission to the entire directory tree. Certificate Management System will use this DN when it accesses the directory tree to communicate with the directory. Keep in mind that the access control set up for this DN determines whether Certificate Management System can communicate with the directory. Typically, you would want to enter the directory manager's DN (the root DN) because this DN will have read/write permission to the entire directory tree; see "Root Distinguished Name".

  4. To save your changes, click Save.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.
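The protection the default localhost host name gives you is only as good as the way the Directory Server instance is actually bound: a directory that answers on every address of the host is reachable from the subnet regardless of what the Internal Database tab says. The following Python is an added example, not code from the guide or from Certificate Management System, for checking that the internal database port answers on the loopback address and on none of the host's other addresses. The port it probes is whatever you configured as the internal database port; the listener in its self-test is constructed.

```python
# Added example, not from the Netscape CMS guide: verify that the Directory
# Server instance used as the internal database answers only on the loopback
# address, which is the property the default "localhost" setting is meant to
# provide.  Only this host's own addresses are ever probed.
import socket


def host_addresses():
    """Non-loopback IPv4 addresses of this host, derived from its own host
    name (assumption: the name resolves; an empty list means nothing to probe)."""
    try:
        _name, _aliases, addrs = socket.gethostbyname_ex(socket.gethostname())
    except OSError:
        return []
    return sorted(a for a in set(addrs) if not a.startswith("127."))


def tcp_accepts(host, port, timeout=1.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure_report(port, external=None):
    """Which of this host's addresses accept a connection on the directory
    port.  `external` overrides the host-name lookup with an explicit list."""
    addrs = host_addresses() if external is None else external
    return {"loopback": tcp_accepts("127.0.0.1", port),
            "external": {a: tcp_accepts(a, port) for a in addrs}}


def internal_db_local_only(port, external=None):
    """True when the directory answers on loopback and on no other address."""
    report = exposure_report(port, external)
    return report["loopback"] and not any(report["external"].values())


def open_listener(address, port=0):
    """Stand-in for a directory listener, used by the self-test below."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((address, port))
    s.listen(5)
    return s


if __name__ == "__main__":
    # Constructed demonstration: a loopback-only listener passes the check.
    fake_dir = open_listener("127.0.0.1")
    port = fake_dir.getsockname()[1]
    print(exposure_report(port))
    print("local only:", internal_db_local_only(port))
    fake_dir.close()
```

If the report shows an external address answering, the directory is bound more widely than the host name on the Internal Database tab suggests, and the access restriction in Step 2 below becomes the only thing standing between the network and the CMS administrators group stored in that directory.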

Step 2. Restrict Access to the Internal Database

This step is optional.

Netscape Console displays an entry or icon for the Directory Server instance that Certificate Management System uses as its internal database. You can distinguish an internal database instance from other Directory Server instances by its name, which has this form: slapd-<cms_instance_id>-db

Unlike the CMS window, access to which is restricted to users with CMS administrator privileges, the Directory Server window can be accessed by any person who has privileges to access Netscape Console. That is, this person can open the Directory Server window for the internal database and make changes to the data stored there. For example, this person can make changes to the CMS administrators group, such as deleting existing users and adding entries for themselves.

If you are concerned about this, you can restrict access to the internal database to only those users who know its Directory Manager DN and corresponding password. You can change this password by modifying the single sign-on password cache; see "Changing the Password of an Entry in the Password Cache".

  1. Log in to Netscape Console (see "Logging In to Netscape Console").
  2. In the Console tab, select the server group that contains the CMS instance you want.
  3. Select the entry that corresponds to the internal database to which you want to restrict access, and click Open.

    The Directory Server window appears.

  4. Select the Configuration tab.
  5. In the navigation tree, expand Plugins, and then select Pass Through Authentication.
  6. In the right pane, uncheck or disable the "Enable plugin" option.
  7. Click Save to save your changes.

    You are prompted to restart the server.

  8. Click the Tasks tab and click "Restart the Directory Server."
  9. Close the Directory Server window.
  10. When the server is restarted, from Netscape Console, open the Directory Server window.

    The "Login to Directory" dialog box appears; the Distinguished Name field displays the Directory Manager DN and you're required to enter the password that corresponds to this entry.

    The Directory Server window (for the internal database) opens only if you enter the correct password.


SMTP Settings
Certificate Management System can send email notifications automatically to users or agents when interesting events occur. For example, you can configure the server to send users email notifications of timed events, such as the expiration of their certificates; for details, see "Job Scheduling and Notification".

To identify the mail server that a CMS instance should use for routing email notifications:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Configuration tab, and then in the right pane, select the SMTP tab.
  3. Identify the mail server by providing the following details:

    Server name. Type the full host name of the machine on which your mail server is installed. Certificate Management System uses this name to access the mail server. The format for the host name is as follows:

    <machine_name>.<your_domain>.<domain>

    By default, the host name of the mail server is shown as localhost instead of the actual host name (for example, mail.netscape.com).

    Port number. Type the port number at which the mail server is listening for requests.

  4. To save your changes, click Save.

    The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

 

Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.