Subsystems installed in an instance of Netscape Certificate Management System (CMS) share certain configuration information. They use the same administration, agent, and end-entity ports; internal database for data storage; mail server for automated notifications; internal token and trust database for PKI operations; SSL ciphers during SSL negotiation; privileged users; and log files for logging messages. This chapter explains how to configure the ports, the internal database, and the mail server settings for a CMS instance.
Internal Database
SMTP Settings
Figure 6.1 CMS ports for administration, agent, and end-entity operations
The administration port is an SSL (encrypted) port at which Certificate Management System listens to requests from its administration interface; administrators make these requests from the CMS window. When you install Certificate Management System, it assigns a random number (greater than 1024) as the administration port number. You can change this port number at any time, to any number between 1 and 65535. For security reasons you should consider changing the administration port number periodically.
The agent port is an SSL (encrypted) port at which Certificate Management System listens to requests from agents; agents make these requests from the appropriate Agent Services interface.
Data Recovery Manager agents use the agent port for recovering end users' encryption private keys over HTTPS.
<host_name> is in the form <machine_name>.<your_domain>.<domain>
<subsystem> is a prefix identifying the subsystem that hosts the agent interface:
ra for the Registration Manager
kra for the Data Recovery Manager
For requests from end entities, Certificate Management System can listen to two ports, an SSL (encrypted) port and a non-SSL port. End entities make these requests from the end entity services interface; see "End-Entity Services".
The HTTPS port can be used to provide the following services for enforcing data privacy and client authentication:
General certificate retrieval requests, such as retrieving a single certificate identified by a serial number, listing certificates based on certain criteria (for example, an LDAP search filter defined over standard attributes), and getting a CA's certificate chain
Similar to the HTTP port, you can enable or disable the HTTPS port. For example, if you don't want end-entity interaction with a Certificate Manager, you can disable the HTTPS port. For details, see "Step 6. Enable End-Entity Interaction".
Configuring port numbers for a CMS instance involves two steps:
Step 2: Specify IP Addresses
To change the administration, agent, or end-entity port numbers used by a CMS instance:
Select the Configuration tab.
The Network tab appears.
SSL port. Type a TCP/IP port number. Certificate Management System uses this port for SSL-enabled communications with the CMS window--that is, HTTPS requests from administrators. Make sure the port number you specify is unique on the host system.
Backlog. Type the number of connections that can be waiting to be serviced at the administration port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.
To change the agent port number, enter the port number in the Agent section:
SSL port. Type a TCP/IP port number. Certificate Management System uses this port for SSL-enabled communications with the Agent Services interface--that is, HTTPS requests from agents. Make sure the port number you specify is unique on the host system.
Backlog. Type the number of connections that can be waiting to be serviced at the agent port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.
To change the end-entity port numbers, enter the port numbers in the End Entity section.
Certificate Management System is capable of simultaneous SSL and non-SSL communications at the end-entity port. This means that you do not have to choose between SSL and non-SSL communications; you can use both at the same time. But if you prefer, you can disable the non-SSL port by unchecking the "Enable" option.
This port is provided to allow enrollments of end entities that do not support SSL; for example, HTTP requests from end entities such as routers. You can use the Enable check box to turn this port on or off. Keep in mind that if this port is enabled, end entities will be able to enroll over HTTP too, which means their certificate requests could be intercepted and replayed to the server.
For issuing certificates to routers (using the CEP protocol), the port must be enabled; see "CEP Enrollment".
If you don't want end-entity interaction with a subsystem, for example, if you don't want end entities to interact with a Certificate Manager, you can disable this port too (in addition to the HTTP port). See "Step 6. Enable End-Entity Interaction".
The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.
This step is optional.
Open the configuration file in a text editor; to locate the file, see "Locating the Configuration File".
Add one or more of the following as appropriate:
For agent port, add this line: agentGateway.https.host=
For end-entity HTTPS port, add this line: eeGateway.https.host=
For end-entity HTTP port, add this line: eeGateway.http.host=
If you entered the host name as the value, the parameter would look similar to this: radm.https.host=cert.netscape.com
Save your changes, and close the configuration file.
Start the CMS instance; see "Starting Certificate Management System".
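As an added example that is not part of the CMS documentation, the following Python script reads a CMS-style key=value configuration file and checks it against the port guidance above: each gateway has a host binding (Step 2), port numbers are within 1 to 65535 and unique on the host, and the non-SSL end-entity port is enabled only when CEP enrollment requires it. Only the ".host" parameter names come from the page; the ".port" and ".enable" names and the sample configuration are assumptions.

```python
# Added example (not from the CMS documentation): audit a CMS-style key=value config
# against the port guidance above. ".port"/".enable" key names are assumptions.
# Constructed sample configuration, not a real CMS configuration file.
SAMPLE_CFG = """\
radm.https.host=cert.example.com
radm.https.port=8200
agentGateway.https.host=cert.example.com
agentGateway.https.port=8100
eeGateway.https.host=cert.example.com
eeGateway.https.port=443
eeGateway.http.host=cert.example.com
eeGateway.http.port=80
eeGateway.http.enable=true
"""

GATEWAYS = ("radm.https", "agentGateway.https", "eeGateway.https", "eeGateway.http")

def parse_cfg(text):
    # key=value lines; blank lines and '#' comments are ignored
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def audit_ports(cfg, cep_needed=False):
    """Return a list of findings; an empty list means the guidance is met."""
    findings, seen = [], {}
    for gw in GATEWAYS:
        # Step 2 above: each listener should be pinned to a host name or IP.
        if cfg.get(gw + ".host", "") in ("", "0.0.0.0"):
            findings.append(f"{gw}.host is not set to a specific host or IP")
        port = cfg.get(gw + ".port")
        if port is None:
            continue
        num = int(port) if port.isdigit() else -1  # non-numeric -> out of range
        # Ports must lie in 1..65535 and be unique on the host system.
        if not 1 <= num <= 65535:
            findings.append(f"{gw}.port is out of range: {port}")
        elif num in seen:
            findings.append(f"{gw} and {seen[num]} share port {num}")
        seen[num] = gw
    # Plain-HTTP enrollment can be intercepted and replayed; keep the non-SSL
    # end-entity port disabled unless CEP (router) enrollment requires it.
    if cfg.get("eeGateway.http.enable", "false").lower() == "true" and not cep_needed:
        findings.append("eeGateway.http is enabled without a CEP requirement")
    return findings
```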
Storing and retrieving of certificate records
Storing of CRLs
Storing and retrieving of end users' encryption private key records
<cms_instance_id>-db
Each instance of Certificate Management System uses a Netscape Directory Server instance as its internal database. All the subsystems that were installed in a CMS instance use the same Directory Server instance to store their data. For example, if you installed a Certificate Manager and Data Recovery Manager together, they use the same internal database for data storage.
Step 1. Identify the Directory Server Instance
To identify the Directory Server instance that a CMS instance should use as its internal database:
Select the Configuration tab, and then in the right pane, select the Internal Database tab.
Identify a Directory Server instance by providing the following details:
Host name. Type the full host name of the machine on which Netscape Directory Server is installed. Certificate Management System uses this name to access the directory. The format for the host name is as follows:
<machine_name>.<your_domain>.<domain>
By default, the host name of the Directory Server instance being used as the internal database is shown as localhost instead of the actual host name (for example, certificates.netscape.com). This is done on purpose to insulate the internal database from being visible outside the system--that is, a server on localhost can only be accessed from the local machine. Thus, the default configuration minimizes the risk of someone connecting to this Directory Server instance from outside the local machine.
You can configure the host name to something other than localhost if you know what you are doing and you think you can limit the visibility of the internal database to a local subnet. For example, if you installed Certificate Management System and Directory Server on separate machines for load balancing, you will have to specify the host name of the machine in which Directory Server is installed.
To save your changes, click Save.
In the Console tab, select the server group that contains the CMS instance you want.
Select the entry that corresponds to the internal database to which you want to restrict access, and click Open.
The Directory Server window appears.
In the navigation tree, expand Plugins, and then select Pass Through Authentication.
In the right pane, uncheck or disable the "Enable plugin" option.
Click Save to save your changes.
You are prompted to restart the server.
Close the Directory Server window.
When the server is restarted, from Netscape Console, open the Directory Server window.
The "Login to Directory" dialog box appears; the Distinguished Name field displays the Directory Manager DN and you're required to enter the password that corresponds to this entry.
The Directory Server window (for the internal database) opens only if you enter the correct password.
Select the Configuration tab, and then in the right pane, select the SMTP tab.
Identify the mail server by providing the following details:
Server name. Type the full host name of the machine on which your mail server is installed. Certificate Management System uses this name to access the mail server. The format for the host name is as follows:
By default, the host name of the mail server is shown as localhost instead of the actual host name (for example, mail.netscape.com).