Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling CMS Instances
Chapter 5: Starting and Stopping CMS Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Authentication Modules for End-Entity Enrollment
Chapter 11: Using the PIN Generator Tool
Chapter 12: Configuring Authentication for End Users
Chapter 13: Developing Custom Authentication Modules
PART 5: Job Scheduling and Notification
Chapter 14: Introduction to Job Scheduling and Notifications
Chapter 15: Configuring Schedulable Jobs
PART 6: Policies
Chapter 16: Introduction to Policy
Chapter 17: Constraints-Specific Policy Modules
Chapter 18: Extension-Specific Policy Modules
Chapter 19: Configuring a Subsystem's Policies
PART 7: Publishing
Chapter 20: Introduction to Publishing Certificates and CRLs
Chapter 21: Modules for Publishing Certificates and CRLs
Chapter 22: Configuring a Certificate Manager for Publishing
PART 8: Agent and End-Entity Interfaces
Chapter 23: Introduction to End-Entity and Agent Interfaces
Chapter 24: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 25: Introduction to Logs
Chapter 26: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 27: Issuing and Managing End-Entity Certificates
Chapter 28: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool
Netscape Certificate Management System Administrator's Guide: Configuring a Subsystem's Policies
Previous Next Contents Index Bookshelf


Chapter 19 Configuring a Subsystem's Policies

Netscape Certificate Management System (CMS) provides a customizable policy framework for its main subsystems, the Certificate Manager, Registration Manager, and Data Recovery Manager. This chapter explains how to configure these subsystems to apply organizational and other policies on incoming certificate and key-related requests.

Before reading this chapter, you should have read the previous chapters in this part. In particular, you should be familiar with the various policy plug-in modules that come with Certificate Management System. If you are not, see "Constraints-Specific Policy Modules"and "Extension-Specific Policy Modules".

The chapter has the following sections:


Policy Management
You can manage both constraints and extensions policy rules in two ways:

The recommended method is to use the CMS window.

Policy Management From the CMS Window

The CMS window (as shown in Figure 19.1) provides the appropriate user interface to support policy management for each subsystem, the Certificate Manager, Registration Manager, and Data Recovery Manager.

Figure 19.1 Policy information in the CMS window

Under each subsystem tree node in the CMS window, you will find a Policies object. This object represents the policy configuration of that subsystem, enabling you to accomplish the following operations:

The sections that follow describe the parts of the window from which you carry out these operations.

Policy Rules Management Tab

The Policy Rules Management tab displays the current policy configuration for the selected subsystem. The tab lists the currently configured policy instances (or rules) for a subsystem, enabling you to manage them at a single place. From this tab you can add, modify, or delete rules, enable or disable individual rules, and change the order in which the rules get applied to an end-entity request.

Add. The add operation shows a list of registered policy modules from which you can select the one you want to configure. When you save the changes, the subsystem creates the rule and displays it in the list of policy rules. For instructions, see "Step 4. Add New Policy Rules".

Delete. The delete operation allows you to remove unwanted policy rules from the CMS configuration. For instructions, see "Step 3. Delete Unwanted Policy Rules".

Edit/View. The edit operation allows you to view and modify configuration parameter values associated with the currently configured policy rules. For instructions, see "Step 2. Modify Existing Policy Rules".

Reorder. The reorder operation allows you to change the order of the policy rules a subsystem applies to an end-entity request. Enabled rules are applied in the order in which they appear; disabled rules are ignored. For instructions, see "Step 5. Reorder Policy Rules".

Policy Plugin Registration Tab

The Policy Plugin Registration tab lists the currently registered policy plug-in modules for the selected subsystem and gives you access to the window from which you can register new modules. On this tab you will find the names of registered modules listed on the left and the path to the Java class that implements the module listed on the right.

You can perform the following operations from this tab:

Register. This operation allows you to register a new policy module. For instructions, see "Registering a Policy Module".

Delete. This operation allows you to remove unwanted policy modules from the CMS framework. For instructions, see "Deleting a Policy Module".

Policy Parameters in the Configuration File

The sample configuration file shown on page 89 illustrates how policy-specific information appears in the configuration file. Keep the following points in mind:

To change the configuration by editing the configuration file, follow the instructions in "Changing the Configuration by Editing the Configuration File".


Setting up Policy Rules for a Subsystem
You can configure the main subsystems of Certificate Management System (CMS)--the Certificate Manager, Registration Manager, and Data Recovery Manager--to apply certain organizational policies on end entities' certificate enrollment, renewal, and revocation requests before servicing them. This section explains how to configure a subsystem to evaluate end-entity requests based on a set of policy rules. The steps are as follows:

For information on adding or changing policy-specific information in the configuration file, see "Policy Parameters in the Configuration File".

Step 1. Plan

Before configuring a Certificate Manager's or Registration Manager's policy, be sure to do this:

This planning will help you configure a Certificate Manager and Registration Manager with the appropriate policy rules so that your end entities get the right kind of certificate.

Step 2. Modify Existing Policy Rules

You can modify a policy rule by editing its configuration parameter values; you cannot edit the name of a rule. To change the name of a rule, you need to create a new rule exactly like the rule you want to rename, except with a new name, and delete the old rule.

As a part of editing a rule, you can change its status from enabled to disabled or vice versa by checking or unchecking the enable parameter. A subsystem subjects certificate requests only to those rules that are enabled.

During installation, the Certificate Manager and Registration Manager automatically create a set of policy rules (that you would most likely want to use) using the policy modules registered by default. Figure 19.2 shows the policy rules created for a Certificate Manager. The Registration Manager also has a similar list. Table 19.1 summarizes the default rules created for both Certificate Manager and Registration Manager.

After installation, you must verify whether you want to use these rules, check how these rules are configured, and make the appropriate configuration changes. Keep in mind some of these policy rules are essential for the server to process requests. For example, the server won't be able to process certificate-issuance requests if the validity constraints rule is disabled; see "Validity Constraints Policy". Similarly, the server won't be able to process certificate-renewal requests if the renewal validity constraints rule is disabled; see "Renewal Validity Constraints Policy".

If you don't want to use a rule, delete it from the configuration as explained in "Step 3. Delete Unwanted Policy Rules"; alternatively, you may keep it disabled. If you want to create a new rule, you can do so as explained "Step 4. Add New Policy Rules".

Figure 19.2 Default policy rules created for a Certificate Manager

Table 19.1 Default policy rules created for a Certificate Manager and Registration Manager

Policy rule name
Created for Certificate Manager
Created for Registration Manager
KeyAlgRule
See "KeyAlgRule Rule".

Yes
Yes
DSAKeyRule
Created only if the CA signing key is DSA. See "DSAKeyRule Rule".

Yes
Yes
RSAKeyRule
See "RSAKeyRule Rule".

Yes
Yes
DefaultValidityRule
See "DefaultValidityRule Rule".

Yes
Yes
RenewalConstranitsRule
See "RenewalConstraintsRule Rule".

Yes
Yes
DefaultRenewalValidityRule
See "DefaultRenewalValidityRule Rule".

Yes
Yes
RevocationConstranitsRule
See "RevocationConstraintsRule Rule".

Yes
Yes
NSCertTypeExt
See "NSCertTypeExt Rule".

Yes
Yes
CMCertKeyUsageExt
See "CMCertKeyUsageExt Rule".

Yes
Yes
RMCertKeyUsageExt
See "RMCertKeyUsageExt Rule".

Yes
Yes
ClientCertKeyUsageExt
See "ClientCertKeyUsageExt Rule".
Yes
Yes
ServerCertKeyUsageExt
See "ServerCertKeyUsageExt Rule".

Yes
Yes
ObjSignCertKeyUsageExt
See "ObjSignCertKeyUsageExt Rule".

Yes
Yes
SubjectKeyIdentifierExt
See "SubjectKeyIdentifierExt Rule".

Yes
Yes
CertificatePoliciesExt
See "CertificatePoliciesExt Rule".

Yes
Yes
NSCCommentExt
See "NSCCommentExt Rule".

Yes
Yes
OCSPNoCheckExt
See "OCSPNoCheckExt Rule".

No
No
OCSPSigningExt
See "OCSPSigningExt Rule".

Yes
Yes
CODESigningExt
See "CODESigningExt Rule".

Yes
Yes
CRLDistributionPointsExt
See "CRLDistributionPointsExt Rule".

Yes
Yes
AuthorityKeyIdentifierExt
See "AuthorityKeyIdentifierExt Rule".

Yes
No
BasicConstraintsExt
See "BasicConstraintsExt Rule".

Yes
No
UniqueSubjectName
See "UniqueSubjectNameConstraints Rule".

Yes
No
SubjectAltNameExt
See "SubjectAltNameExt Rule".

Yes
Yes
GenericASN1Ext
See "GenericASN1Ext Rule".

Yes
Yes
NameConstraintsExt
See "NameConstraintsExt Rule".

Yes
No
PolicyConstraintsExt
See "PolicyConstraintsExt Rule".

Yes
No
IssuerRule
See "IssuerRule Rule".

Yes
No
PolicyMappingsExt
See "PolicyMappingsExt Rule".

Yes
No
SubCANameCheck
See "SubCANameConstraints Rule".

Yes
No
SigningAlgRule
See "SigningAlgRule Rule".
Yes
No

To modify a policy rule in the CMS configuration:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, select the subsystem to which the policy rule you want to modify belongs.
  4. Select Policies.
  5. The Policy Rules Management tab appears (Figure 19.2). It lists configured policy rules. The default rules are listed in Table 19.1.

  6. In the Policy Rule list, select a rule that you want to modify.
  7. For the purposes of this instruction, assume that you selected the rule named DefaultValidityRule.

  8. Click Edit/View.
  9. The Policy Rule Editor window appears, showing how this rule is configured. An example is shown below.

  10. Make the necessary changes and click OK.
  11. You are returned to the Policy Rules Management tab.

  12. Repeat steps 5 through 7 for the remaining rules.
  13. Click Refresh.
Step 3. Delete Unwanted Policy Rules

You can delete any unwanted policy rules from the CMS configuration. If you think you might need a rule in the future, instead of deleting it from the configuration you should disable it by unchecking the enable parameter. In this way, you can avoid re-creating the rule in the future. Because the subsystems subject end-entity requests only to rules that are currently enabled (see "Policy Processor"), keeping unwanted rules in the disabled state in the configuration does not affect policy decisions made by a subsystem.

To delete a policy rule from the CMS configuration:

  1. In the Policy Rules Management tab, select the rule you want to delete and click Delete.
  2. When prompted, confirm the delete action.
  3. The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. Don't restart the server yet; you can do so after you've made all the required changes.

Step 4. Add New Policy Rules

Adding a policy rule to the CMS configuration involves creating a new instance of an already registered policy plug-in module, assigning a unique name for the instance, and entering appropriate values for the parameters that define the module you want to create an instance of.

When you add a policy rule, the CMS configuration gets updated with policy-specific information. Keep the following points in mind:

Figure 19.3 shows the policy modules registered with a Certificate Manager. The Registration Manager also has a similar list. Table 19.2 summarizes the default modules registered with both Certificate Manager and Registration Manager. If you have registered any custom policy modules (see "Registering a Policy Module"), they too will be available for selection.

Figure 19.3 Default policy modules registered with a Certificate Manager

Table 19.2 Policy modules registered with a Certificate Manager and Registration Manager

Policy plug-in module name and description
Provided with Certificate Manager
Provided with Registration Manager
AuthInfoAccessExt
See "Authority Information Access Extension Policy".

Yes
Yes
AuthorityKeyIdentifierExt
See "Authority Key Identifier Extension Policy".

Yes
No
BasicConstraintsExt
See "Basic Constraints Extension Policy".

Yes
No
CertificatePoliciesExt
See "Certificate Policies Extension Policy".

Yes
Yes
CertificateRenewalWindowExt
See "Certificate Renewal Window Extension Policy".

Yes
Yes
CertificateScopeOfUseExt
See "Certificate Scope of Use Extension Policy".

Yes
Yes
CRLDistributionPointsExt
See "CRL Distribution Points Extension Policy".

Yes
Yes
DSAKeyConstraints
See "DSA Key Constraints Policy".

Yes
Yes
ExtendedKeyUsageExt
See "Extended Key Usage Extension Policy".

Yes
Yes
GenericASN1Ext
See "Generic ASN.1 Extension Policy".

Yes
Yes
KeyAlgorithmConstraints
See "Key Algorithm Constraints Policy".

Yes
Yes
IssuerAltNameExt
See "Issuer Alternative Name Extension Policy".

Yes
Yes
IssuerConstraints
See "Issuer Constraints Policy".

Yes
No
KeyUsageExt
See "Key Usage Extension Policy".

Yes
Yes
NameConstraintsExt
See "Name Constraints Extension Policy".

Yes
No
NSCComment
See "Netscape Certificate Comment Extension Policy".

Yes
Yes
NSCertTypeExt
See "Netscape Certificate Type Extension Policy".

Yes
Yes
OCSPNoCheckExt
See "OCSP No Check Extension Policy".

Yes
Yes
PinPresent
See "PIN Present Policy".

Yes
Yes
PolicyConstraintExt
See "Policy Constraints Extension Policy".

Yes
No
PolicyMappingsExt
See "Policy Mappings Extension Policy".

Yes
No
PrivateKeyUsagePeriodExt
See "Private Key Usage Period Extension Policy".

Yes
Yes
RenewalConstraints
See "Renewal Constraints Policy".

Yes
Yes
RenewalValidityConstraints
See "Renewal Validity Constraints Policy".

Yes
Yes
RevocationConstraints
See "Revocation Constraints Policy".

Yes
Yes
RSAKeyConstraints
See "RSA Key Constraints Policy".

Yes
Yes
SigningAlgorithmConstraints
See "Signing Algorithm Constraints Policy".

Yes
Yes
SubjectAltNameExt
See "Subject Alternative Name Extension Policy".

Yes
Yes
SubCANameCheck
See "Subordinate CA Name Constraints Policy".

Yes
No
SubjectDirectoryAttributesExt
See "Subject Directory Attributes Extension Policy".

Yes
Yes
SubjectKeyIdentifierExt
See "Subject Key Identifier Extension Policy".

Yes
Yes
UniqueSubjectName
See "Unique Subject Name Constraints Policy".

Yes
No
ValidityConstraints
See "Validity Constraints Policy".
Yes
Yes

To add a new policy rule to the CMS configuration:

  1. In the Policy Rules Management tab, click Add.
  2. The Select Policy Plugin Implementation window appears. It lists registered policy plug-in modules. The default modules are listed in Table 19.2.

  3. Select a plug-in module.
  4. For the purposes of this instruction, assume that you selected the ValidityConstraints module.

  5. Click Next.
  6. The Policy Rule Editor window appears. It lists the configuration information required for this policy rule.

  7. Enter the appropriate information.
  8. Policy Rule ID. Type a unique name that will help you identify the rule. Be sure to formulate the name using any combination of letters (aA to zZ), digits (0 to 9), an underscore (_), and a hyphen (-). For example, you can type My_Policy_Rule or MyPolicyRule as the instance name, but not My Policy Rule.

    enable. Check the box to enable the rule (default). If you enable the rule and set the remaining parameters correctly, the server sets the configured validity period in certificates specified by the predicate parameter.

    Uncheck the box to disable the rule. If you disable the rule, the server does not set the configured validity period in certificates; it sets the validity period to the one specified in the request.

    predicate. Type the predicate expression for this rule. If you want this rule to be applied to all certificate requests, leave the field blank (default). To form a predicate expression, see "Using Predicates in Policy Rules".

    minValidity. Type the minimum validity period, in days, for certificates. The value must be an integer greater than zero and less than the value you will type for the maxValidity parameter next. The default value is 180 days.

    maxValidity. Type the maximum validity period, in days, for certificates. The value must be an integer greater than zero and also greater than the value you typed for the minValidity parameter. The default value is 730 days.

    leadTime. Type the lead time, in minutes, for certificates. For a certificate renewal request to pass the renewal validity constraints policy, the value of the notBefore attribute in the certificate request must not be more than value of the leadTime parameter in the future, relative to the time when the policy rule is run. The default value is 10 minutes.

    The notBefore attribute value specifies the date on which the certificate validity begins.

    lagTime. Type the lag time, in minutes, for certificates. For a certificate renewal request to pass the renewal validity constraints policy, the value of the notBefore attribute in the certificate request must not be more than the value of the lagTime in the past, relative to the time when the policy is run. The default value is 10 minutes.

    The notBefore attribute value specifies the date on which the certificate validity ends.

    notBeforeSkew. Type the number of minutes to subtract from the current time when creating the value for the certificate's notBefore attribute. It can help some clients with incorrectly set clocks use the new certificate after downloading. For example, if the certificate is issued at 11:30 a.m. and the clock settings of the client into which the certificate is downloaded is 11:20 a.m., the certificate cannot be used for 10 minutes. Setting the value of the notBeforeSkew parameter to 10 minutes would adjust the value of the notBefore parameter to 11:20 a.m.--thus making the certificate usable following the down load. The default value is 5 minutes.

  9. Click OK.
  10. You are returned to the Policy Rules Management tab.

  11. Repeat steps 1 through 5 and create additional rules, if required.
Step 5. Reorder Policy Rules

For maintaining priority levels, Certificate Management System supports a linear list of policy rules in increasing order of priority. This means that for a given policy category in the configuration file, a policy configuration with a lower priority precedes one with a higher priority. This simple linear listing avoids the need to have explicit locking on request attributes to prevent conflicting changes. By ordering the rules, you introduce a concurrency control whereby a higher-priority rule configuration overwrites any changes made by a lower-priority rule configuration that precedes it.

You may want to specify policies at different priority levels for the same operation depending on the end-entity information. For example, authentication policies, if any, need to precede others in the list.

To reorder policy rules in the CMS configuration:

  1. In the Policy Rules Management tab, click Reorder.
  2. The Reorder Policy Rules window appears. It lists configured policy rules in the order in which they are executed by the subsystem. Keep in mind that the server executes the rules on a first-come-first-served basis, overwriting the configuration determined by the previous rule, if any.

  3. To change the order of a rule, select it in the list and click the Up or Down button, as appropriate.
  4. When you have the correct order, click OK.
  5. You are returned to the Policy Rules Management tab.

  6. To view the updated configuration, click Refresh.
Step 6. Restart the Server

This step is required only if you were prompted to restart the server in any of the previous steps.

To restart the server from the CMS window:

  1. Click the Tasks tab
  2. Click Restart the Server.
Step 7. Test Policy Configuration

To make sure that you've configured the server correctly, request a certificate and check the certificate for details such as for validity period, key type and size, and extensions.

Step A. Enroll for a Certificate

The steps outlined below explain how to request a personal certificate from the Certificate Manager using the manual enrollment method (see "Manual Authentication"). If you've configured the Certificate Manager for automated certificate issuance, for example the directory-based enrollment, you can use the appropriate form and request a certificate.

To request a client or personal certificate from the Certificate Manager:

  1. Open a web browser window.
  2. Go to the End Entity Services interface of the Certificate Manager you configured (or the Registration Manager that's connected to this Certificate Manager). The URL is in this form:
  3. https://<host_name>:<end_entity_HTTPS_port> or

    http://<host_name>:<end_entity_HTTP_port>

  4. In the left frame, under Browser, click Manual.
  5. This opens the manual enrollment form.

  6. Fill in all the values and submit the request.
  7. The client prompts you to enter the password for your key database.

  8. When you enter the correct password, the client generates the key pairs.
  9. Do not interrupt the key-generation process.

Step B. Approve the Request

This step is required if you used the manual enrollment form for requesting the certificate. The request you submitted is waiting in the agent queue for approval by an agent.

To approve the request:

  1. Go to the Certificate Manager's Agent Services interface.
  2. The URL is in this format: https://<host_name>:<agent_port>

  3. In the left frame, click the link that says List Requests.
  4. In the form that appears, select the "Show pending requests" option and click Find.
  5. You should see your request in the list of pending requests.

  6. Locate the request you submitted and approve the request.
  7. You should see a confirmation page indicating that the certificate has been issued. Don't close the page until you finish the next step.

Step C. Check the Certificate Details

Verify that the certificate contains the required details. Be sure to check the Extension section to see if it contains all the required extensions.


Managing Policy Plug-in Modules
This section explains how to use the CMS window to perform the following operations:

For information on adding or changing policy-specific information in the configuration file, see "Policy Parameters in the Configuration File".

Registering a Policy Module

You can register new policy plug-in modules in a subsystem's policy framework. Registering a new policy module involves specifying the name of the module and the full name of the Java class that implements the policy interface. For example, you can add a policy implementation, named as follows, to the Data Recovery Manager's policy framework:

com.netscape.policy.KeyArchivalPolicy

Before registering a plug-in module, be sure to put the Java class for the module in the classes directory (the implementation must be on the class path).

To register a policy module in a subsystem's policy framework:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, select the subsystem that will use the module you want to register.
  4. Select Policies, and then in the right pane, select the Policy Plugin Registration tab.
  5. The Policy Plugin Registration tab appears. It lists registered policy plug-in modules.

  6. Click Register.
  7. The Register Policy Plugin Implementation window appears.

  8. Specify information as appropriate:
  9. Plugin name. Type a name for the plug-in module.

    Class name. Type the full name of the class for this module--that is, the path to the implementing Java class. If this class is part of a package, be sure to include the package name. For example, if you are registering a class named myPolicy and if this class is in a package named com.myCompany, type com.myCompany.myPolicy.

  10. Click OK.
  11. You are returned to the Policy Plugin Registration tab.

  12. To view the updated configuration, click Refresh.
Deleting a Policy Module

You can delete unwanted policy plug-in modules using the CMS window. Before deleting a module, be sure to delete all the policy rules that are based on this module; see "Step 3. Delete Unwanted Policy Rules".

To delete a policy module from a subsystem's policy framework:

  1. Log in to the CMS window (see "Logging In to the CMS Window").
  2. Select the Configuration tab.
  3. In the navigation tree, select the subsystem that registers the module you want to delete.
  4. Select Policies, and then in the right pane, select the Policy Plugin Registration tab.
  5. The Policy Plugin Registration tab appears. It lists registered policy modules. For information about this tab, see "Policy Plugin Registration Tab".

  6. In the Plugin Name list, select the module you want to delete and click Delete.
  7. When prompted, confirm the delete action.
 

© Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.