Netscape Certificate Management System Administrator's Guide: Introduction to End-Entity and Agent
Chapter 23 Introduction to End-Entity and Agent Interfaces

Netscape Certificate Management System (CMS) provides HTML forms-based interfaces for agents and end entities to use in performing certificate- and key-related operations. This chapter introduces these forms and explains how they work. You can use the forms as they are provided out of the box or customize them to meet your organization's requirements.

This chapter has the following sections: "End-Entity Services" and "Agent Services".

For details on customizing these forms, see "Customizing End-Entity and Agent Interfaces".


End-Entity Services
Certificate Management System provides HTML forms for the various entities--people, routers, servers, and others--that use certificates to identify themselves and that need to be able to request certificate issuance and management operations. These forms, collectively called the end-entity services interface, use different protocols and life-cycle management procedures for different kinds of end entities. For example, the Certificate Manager provides separate certificate enrollment forms for clients such as Netscape Navigator 3.x, versions of Netscape Communicator later than 4.5, and Microsoft Internet Explorer. The reason for this is that end entities running Navigator 3.x and Communicator versions earlier than 4.5 present an enrollment form that uses the HTML KEYGEN tag to generate keys, whereas end entities running Internet Explorer present a form based on PKCS #10, the RSA standard for certificate request syntax.

Figure 23.1 shows the end-entity services interface hosted by a Certificate Manager.

Figure 23.1 End-entity services interface

For a summary of the various end entities, protocols, cryptographic algorithms, and key pairs (single or dual) supported by Certificate Management System, see Table 23.1.

For a complete list of the end-entity forms--for enrollment, renewal, retrieval, revocation, and key recovery--that come with Certificate Management System, see "End-Entity Forms and Templates".

How Client Type Determines the End-Entity Interface

Each type of end-entity form provided by Certificate Management System is served by a servlet. This servlet determines which version of the form to present based on information about the end entity (the type, version, language, and so on), information in the form itself, and other factors.

Each form also specifies both an authentication manager and an output template:

Based on all of this information, a form's servlet sends the end entity the version of the form (including the embedded JavaScript code) appropriate for that end entity. For example, for end entities that support the KEYGEN tag, the Certificate Manager or Registration Manager sends a form that uses KEYGEN to generate keys and formulate a certificate request. For end entities that support the Certificate Management Message Format (CMMF) protocol, the Certificate Manager or Registration Manager sends a form that uses a JavaScript API to fully automate both key generation and certificate issuance.
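The client-type dispatch described above, written out as an added illustration in Python; this is not code from the guide or from CMS itself. The template names are hypothetical, and mapping Communicator 4.5 and later to the CMMF form (and unknown clients to the PKCS #10 form) are assumptions drawn from the text rather than documented CMS behaviour.

```python
import re

# Hypothetical output-template names for the three enrollment form variants
# the chapter describes (the real CMS template names are not given here).
FORM_KEYGEN = "EnrollKeygen"   # Navigator 3.x / Communicator < 4.5: KEYGEN tag
FORM_CMMF = "EnrollCMMF"       # later Communicator: CMMF via JavaScript API
FORM_PKCS10 = "EnrollPKCS10"   # Internet Explorer: PKCS #10 request

_MSIE_RE = re.compile(r"MSIE\s+(\d+)\.(\d+)")
_MOZILLA_RE = re.compile(r"^Mozilla/(\d+)\.(\d+)")


def classify_client(user_agent: str):
    """Return (browser, (major, minor)) parsed from a User-Agent header.

    Internet Explorer identifies itself as 'Mozilla/4.0 (compatible; MSIE x.y ...)',
    so the MSIE token must be checked before the leading Mozilla/ version, or IE
    would be mistaken for Communicator 4.0 and handed a KEYGEN form it cannot use.
    """
    m = _MSIE_RE.search(user_agent)
    if m:
        return "msie", (int(m.group(1)), int(m.group(2)))
    m = _MOZILLA_RE.match(user_agent)
    if m and "compatible" not in user_agent:
        return "netscape", (int(m.group(1)), int(m.group(2)))
    return "unknown", (0, 0)


def select_enrollment_form(user_agent: str) -> str:
    """Pick the enrollment form variant a servlet would serve to this client."""
    browser, version = classify_client(user_agent)
    if browser == "msie":
        return FORM_PKCS10
    if browser == "netscape":
        if version >= (4, 5):
            return FORM_CMMF    # assumption: Communicator 4.5+ supports CMMF
        return FORM_KEYGEN      # Navigator 3.x and Communicator before 4.5
    # Assumption: clients we cannot classify get the PKCS #10 form, since it
    # relies on no browser-specific key-generation support.
    return FORM_PKCS10


if __name__ == "__main__":
    # Constructed User-Agent strings in the format those browsers used.
    for ua in ("Mozilla/3.01 (WinNT; I)",
               "Mozilla/4.7 [en] (WinNT; U)",
               "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)"):
        print(f"{ua!r:55} -> {select_enrollment_form(ua)}")
```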

Certificate Request Formats Specific to End Entities

Table 23.1 lists the forms provided by the Certificate Manager and Registration Manager for certificate issuance and life-cycle management operations, and indicates supported authentication mechanisms and request formats.

You can customize any of the default forms and their corresponding servlets and output templates. For details, see "Customizing End-Entity and Agent Interfaces".

Table 23.1 Summary of end-entity forms, authentication methods, and certificate request formats

Form for end-entity operation         Authentication method                                    Supported certificate request formats
Certificate enrollment
  Client (end user) certificates      Manual, LDAP directory based, and NIS server based
  Server certificates                 Manual                                                   PKCS #10
  Cisco routers                       Manual or automated                                      Certificate Enrollment Protocol (CEP)
Certificate renewal
  Client (end user) certificates      SSL client authentication
  Server certificates                 Manual                                                   PKCS #10
  Cisco routers                       Manual                                                   CEP
Certificate revocation
  Client (end user) certificates      SSL client authentication and challenge-password based
  Server certificates                 Manual                                                   PKCS #10
  Cisco routers                       Manual                                                   CEP
Encryption private key storage and recovery
  Client (end user) certificates      Not applicable


Agent Services
As an administrator, you can designate privileged users, called agents, for each subsystem. Agents are responsible for the day-to-day operation of requests from end entities. To enable agents to accomplish their duties, Certificate Management System provides a set of HTML forms for Certificate Manager, Registration Manager, and Data Recovery Manager agents. Collectively, these forms are called the Agent Services interface.

Depending on the choices you made during installation, a combination of the following agent services will be installed: Certificate Manager Agent Services, Registration Manager Agent Services, and Data Recovery Manager Agent Services.

This section gives an overview of these forms and explains how to access them. For a complete list of the agent forms and output templates that come with Certificate Management System, see "Agent Forms and Templates". For step-by-step instructions on using the agent forms, see Netscape Certificate Management System Agent's Guide. For information on locating this guide, see "Where to Go for Related Information".

Note that accessing the Agent Services interface is a privileged operation, requiring certificate-based (or strong) authentication. It can be done only by users belonging to authorized agent groups maintained by Certificate Management System in its internal database. For details, see "Agents".

Certificate Manager Agent Services

The Certificate Manager Agent Services interface enables a Certificate Manager agent to interact with the Certificate Manager (the server). Figure 23.2 shows the Certificate Manager Agent Services interface.

Figure 23.2 Certificate Manager Agent Services interface

Using the default forms, a Certificate Manager agent can accomplish tasks such as these:

Registration Manager Agent Services

The Registration Manager Agent Services interface enables a Registration Manager agent to interact with the Registration Manager (the server). Figure 23.3 shows the Registration Manager Agent Services interface.

Figure 23.3 Registration Manager Agent Services interface

Using the default forms, a Registration Manager agent can list deferred certificate requests from end entities and process them.

Data Recovery Manager Agent Services

The Data Recovery Manager Agent Services interface enables a Data Recovery Manager agent to interact with the Data Recovery Manager (the server). Figure 23.4 shows the Data Recovery Manager Agent Services interface.

Figure 23.4 Data Recovery Manager Agent Services interface

Using the default forms, a Data Recovery Manager agent can search for and recover end users' encryption private keys from the key archive. (Key recovery requires authorization from key recovery agents; see "Key Recovery Process".)

Accessing the Agent Services Interface

Access to the Agent Services interface is restricted to authorized agents only. For details, see "Agents".

To access the Agent Services interface for a particular subsystem:

  1. Open a web browser.
  2. Go to the page where the Agent Services interface for Certificate Management System is installed. The default URL for this page is:

    https://<host_name>:<agent_port>

    <host_name> is in the form <machine_name>.<your_domain>.<domain>

    If you have customized Certificate Management System, go to the page containing the agent forms that you would use to submit a request.

  3. In the Agent Services menu, choose the agent services you require: Certificate Manager, Registration Manager, or Data Recovery Manager Agent Services. The appropriate interface appears.

Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.