Netscape Certificate Management System Administrator's Guide: Introduction to Policy

Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling CMS Instances
Chapter 5: Starting and Stopping CMS Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Authentication Modules for End-Entity Enrollment
Chapter 11: Using the PIN Generator Tool
Chapter 12: Configuring Authentication for End Users
Chapter 13: Developing Custom Authentication Modules
PART 5: Job Scheduling and Notification
Chapter 14: Introduction to Job Scheduling and Notifications
Chapter 15: Configuring Schedulable Jobs
PART 6: Policies
Chapter 16: Introduction to Policy
Chapter 17: Constraints-Specific Policy Modules
Chapter 18: Extension-Specific Policy Modules
Chapter 19: Configuring a Subsystem's Policies
PART 7: Publishing
Chapter 20: Introduction to Publishing Certificates and CRLs
Chapter 21: Modules for Publishing Certificates and CRLs
Chapter 22: Configuring a Certificate Manager for Publishing
PART 8: Agent and End-Entity Interfaces
Chapter 23: Introduction to End-Entity and Agent Interfaces
Chapter 24: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 25: Introduction to Logs
Chapter 26: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 27: Issuing and Managing End-Entity Certificates
Chapter 28: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool

Netscape Certificate Management System Administrator's Guide: Introduction to Policy

Chapter 16 Introduction to Policy

You can configure the main subsystems of Netscape Certificate Management System (CMS)--the Certificate Manager, Registration Manager, and Data Recovery Manager--to apply certain organizational policies on an end entity's certificate enrollment and management requests before servicing them. For example, some of the policies you might want a Certificate Manager to impose on these requests may include setting a minimum and maximum limit on validity period and key length of certificates, setting extensions based on the end entity's role within an organization, setting signing algorithms, and so on.

This chapter provides an overview of policy in general, and it explains the various policy plug-ins supported out of the box.

The chapter has the following sections:

What Is Policy?

Policy Rules

Policy Processor

Built-in Policy Plug-in Modules

What Is Policy?

Policy refers to a set of rules that Certificate Management System uses to evaluate or verify an incoming request from an end entity and to determine the outcome; the incoming requests that are governed by policies include certificate issuance, certificate renewal, certificate revocation, key archival, and key recovery requests. For example, in the case of a certificate issuance request, the outcome would be the certificate content.

A Certificate Manager's policy can include rules for evaluating certificate formulation, signing, renewal, and revocation requests. For example, you can configure a Certificate Manager's policy to impose restrictions on validity length, key type, key length, subject name, extensions, and signing algorithm during certificate issuance.

A Registration Manager's policy can include rules for verifying incoming certificate issuance, renewal, and revocation requests from end entities in order to formulate the certificate content before forwarding the requests to a Certificate Manager for signing. For example, you can configure a Registration Manager's policy to impose restrictions on validity period, key length, subject name, and extensions. In general, policies for Registration Manager are largely the same as for Certificate Manager.

A Data Recovery Manager's policy can include rules for verifying users' encryption private key archival and recovery requests.

Using policies, you can configure Certificate Management System to perform one or more of the following operations on each certificate issuance or management request it receives:

Screen the request for specific content, and modify, reject, or defer (for agent approval) it accordingly. For example, the request might be checked for the inclusion of organizational constraints, such as key algorithm, key size, validity period, or a particular signing algorithm; if it did not meet the requirement, the subsystem would modify the request or return an error, depending on the severity of the problem.

Set common attributes, such as extensions for user and server certificate requests.

Policy Rules

A policy rule refers to a uniquely configured instance of any policy plug-in implementation; see "Built-in Policy Plug-in Modules" for a list of plug-in modules provided for Certificate Management System. For example, you can use the plug-in module provided for setting validity periods on certificates to configure a policy rule that forces validity periods for all client certificates issued by a Certificate Manager to fall within a predetermined range, say between 6 and 24 months. A subsystem's policy configuration can consist of one or more policy rules, each performing one or more of the following operations:

Validate the request content by comparing it with configured criteria; reject, modify, or defer (for agent approval) the request if any of the request parameters are invalid.

Build certificate content--for example, set common extensions and the validity period.

Enforce organizational constraints, such as subject name, key algorithm, key size, and validity period.

Determine whether the private key should be archived.

Keep in mind that the server applies the rules when processing end-entity requests and after agent approval (for deferred requests).

Types of Policy Rules

Certificate Management System supports distinct policy rules for each of the operations that end entities perform--certificate enrollment, renewal, and revocation, and key archival and recovery. Consequently, there are five broad categories of policies, corresponding to these types of operations:

Enrollment policies

Renewal policies

Revocation policies

Key archival policies

Key recovery policies

To facilitate this classification, Certificate Management System supports a parent interface for a generic policy rule and other operation-specific interfaces that extend the parent interface. Check the CMS SDK, available in the form of Java Docs at this location: <server_root>/cms_sdk/sdkdocs

For general guidelines on developing custom policy modules and adding them to the CMS policy framework, take a look at the samples installed at this location: <server_root>/cms_sdk/samples/policy

Using Predicates in Policy Rules

You can use predicates in a policy rule. A predicate indicates whether the rule that contains the predicate applies to a request. If you specify a predicate as part of the rule configuration, the policy rule applies that predicate based on request attributes to determine whether the rule is applicable for a request.

The policy predicate is a logical expression. You form the expression using variables and relational operators (AND or OR). For example, you could set up a predicate to put the CRL Distribution Point extension only in SSL client certificates, or set different validity dates for certificates for users in different groups.

The following are sample predicates:

HTTP_PARAMS.certType==client AND HTTP_PARAMS.ou==Engineering

HTTP_PARAMS.certType==server AND HTTP_PARAMS.o==Siroe OR HTTP_PARAMS.certType==ca

Expression Support for Predicates

You form an expression using an attribute, its value, and one or more of the operators listed in Table 16.1. For a list of attributes, see "Attributes for Predicates".

Table 16.1 Predicates in policy: supported comparison and logical operators


Operator	Description
==	Equal to
!=	Not equal to
AND	Logical operator AND
OR	Logical operator OR

Note that the expression parsing support currently supports only two comparison operators (==, !=) and two relational operators (AND, OR).

Policy expressions are formed with the following rules:

PrimitiveExpression | AndExpression | OrExpression

PrimitiveExpression is equal to: Attribute op Value

Attribute can be a string

op can be any of these operators: == or !=

Value can be a string

AndExpression is equal to: Expression AND Expression

OrExpression is equal to: Expression OR Expression

In an expression, the AND operator takes precedence over an OR operator. For example, the expression

HTTP_PARAMS.certType==client AND HTTP_PARAMS.ou==Engineering OR HTTP_PARAMS.certType==ca

is interpreted as

(HTTP_PARAMS.certType==client AND HTTP_PARAMS.ou==Engineering) OR HTTP_PARAMS.certType==ca

Certificate Management System evaluates an expression based on the attributes in the request. The attributes are filled in by servlets from the HTTP input forms used for request submission. Some attributes, such as passwords typed in the form are not stored in the request. Other attributes regarding the end entity, such as the user ID, are set on the request after successful authentication. The servlets also interpret the form content, for example, retrieving the key material out of the KEYGEN or PKCS #10 information and setting the key in the certificate content. They can also set additional attributes related to the certificate content on the request. In general, you can configure which attributes--for example, sensitive attributes such as passwords--should or shouldn't be stored in the request.

Note that all data related to an end entity is gathered at the servlet level and set on the request before the request is passed to the policy subsystem. The policy subsystem applies configured policy rules on the request, determines whether the request needs agent approval, performs constraint- and extension-specific checks on the request attributes, and then formulates the certificate content by adding the appropriate information, such as the validity period and extensions.

The expression queries the request for the attributes, compares the value returned with the value provided in the predicate, and returns a boolean result.

Be aware that if the same name is in a HTTP form input and authentication token (authentication result) the authentication result can override the HTTP form input. For example, if email is in a HTTP input and an authentication module also puts email in the authentication result (that is, authtoken) the email value from the authentication module will override the email value from the HTTP input in the request. A predicate using email in an expression will be evaluated to the value of the authentication instead of the HTTP input value.

The following are sample predicates:

HTTP_PARAMS.certType==client AND HTTP_PARAMS.ou==Engineering

HTTP_PARAMS.certType==server AND HTTP_PARAMS.o==Siroe OR HTTP_PARAMS.certType==ca

Attributes for Predicates

Attributes for predicates can come from any of the following:

Input form--that is, the HTML form that end entities use for submitting certificate requests.

Authentication token--what the authentication subsystem returns after successfully authenticating an end entity.

A service--for example, a Certificate Manager, Registration Manager, or Data Recovery Manager service can add certain attributes to the end-entity request.

Policy processor--what the policy subsystem returns after subjecting the end-entity request to policy checking. For example, an extension-based policy can set an appropriate extension in the certificate.

Table 16.2 lists default attributes that are supported by various request object implementations.

Table 16.2 Attributes supported by request object implementations


Request type	Variable name	Description
Default attributes from an input form:
Enrollment	certType	Specifies the certificate type. Default values include the following: ca (Certificate Manager's CA signing certificate) CEP-Request (router certificate) client (client certificates) objSignClient (Object Signing certificates ocspResponder (OCSP Responder certificate) other ra (Registration Manager's signing certificate) server (server certificate)
Enrollment	requestFormat	Specifies the certificate request format. Default values include the following: keygen pkcs10 clientAuth
Enrollment	doSslAuth	Specifies whether the client is required to do SSL client authentication during enrollment. Default values include the following: on off
Enrollment	certauthEnroll	Specifies whether it is a certificate-based enrollment (see "Certificate-Based Enrollment"). Default values include the following: on off
Enrollment	certauthEnrollType	Specifies the number of keys to be generated for a certificate-authenticated enrollment--whether a single signing key, a single encryption key, or dual keys (one for signing and another for encryption) is to be generated. Default values include the following: single encryption dual
Enrollment	cepsubstore	Specifies the name of the CEP service; for example, cep1 and cep2. When setting up multiple CEP services, you can use predicates to differentiate one service for another; see "Step 4. Set Up Multiple CEP Services".
Enrollment, Renewal, and Revocation	requestStatus	Specifies when (or the phase in which) a request gets subjected to policy processing: begin specifies that the request be subjected to a policy before it gets queued for agent approval. pending specifies that the request be subjected to a policy after agent approval.
Renewal	requestFormat	Specifies the certificate request format. Default values include the following: clientAuth pkcs10
Default attributes from an authentication token: (Upon successful authentication these attributes go into an enrollment request)
Enrollment	authMgrImplName	Specifies the name of the authentication plug-in module that authenticated the request.
Enrollment	authMgrInstName	Specifies the name of the authentication instance that authenticated the request.

You can define your own attributes for predicates, if there's a need. For example, assume you have two organizational units Sales and Manufacturing and you want to issue client certificates with different validity periods to users in these two units. A quick and easy way to accomplish this would be to define a new attribute for the organizational unit, add the attribute to the enrollment form that the users in these organizational units use for certificate enrollment (so that the server receives it from the HTTP input), and use the attribute in the predicate expression for the validity constraints policy--a policy rule that determines the validity period of certificates the server issues. For details on this policy, see "Validity Constraints Policy".

Note that to define a new attribute in any of the HTML forms, all you need to do is to add the following line to the corresponding HTML form:

<input type="HIDDEN" name="attribute_name" value="attribute_value">

Assuming that the new attribute you define for the organizational unit is orgunit, the line you would add to the enrollment form would be:

<input type="HIDDEN" name="orgunit" value="Sales">

To add this line to an enrollment form, you would:

Open the corresponding HTML file in a text editor.

Locate the section that lists the HTTP input variables.

Add this line: <input type="HIDDEN" name="orgunit" value="Sales">

Save your changes and close the file.

For the server to use the attribute (to distinguish enrollment requests from users in the Sales unit versus those in the Manufacturing unit) to issue certificates with the appropriate validity periods, you must formulate your predicate expression with the attribute you added. Here's how you do this:

Create a new instance of the ValidityConstraints policy plug-in implementation.

Enter the appropriate values for all the attributes. Assume you

named the instance ValidityRule1

set the minimum validity period to 10 days

set the maximum validity period to 180 days

defined the predicate expression as HTTP_PARAMS.certType==client AND HTTP_PARAMS.orgunit==Sales

(This expression specifies that the policy be applied to only client certificate requests from users in the organizational unit named Sales.)

A sample of the resulting configuration entries in the CMS configuration file would be as follows:

ca.Policy.rule.ValidityRule1.enable=true

ca.Policy.rule.ValidityRule1.implName=ValidityConstraints

ca.Policy.rule.ValidityRule1.maxValidity=180

ca.Policy.rule.ValidityRule1.minValidity=10

ca.Policy.rule.ValidityRule1.predicate=HTTP_PARAMS.certType= =client AND HTTP_PARAMS.orgunit==Sales

Now, for setting the validity period in certificates of users who are not in the Sales organization--in this case, this would be Manufacturing--you would create another instance of ValidityConstraints policy rule as before with a different set values.

Assume you

named the instance ValidityRule1

set the maximum validity period to 60 days

set the minimum validity period to 10 days

defined the predicate expression as HTTP_PARAMS.certType==client AND HTTP_PARAMS.orgunit!=Sales

(This expression specifies that the policy be applied to only client certificate requests from users who are not in the organizational unit named Sales.)

A sample of the resulting configuration entries in the CMS configuration file would be as follows:

ca.Policy.rule.ValidityRule2.enable=true

ca.Policy.rule.ValidityRule2.implName=ValidityConstraints

ca.Policy.rule.ValidityRule2.maxValidity=60

ca.Policy.rule.ValidityRule2.minValidity=10

ca.Policy.rule.ValidityRule2.predicate=HTTP_PARAMS.certType= =client AND HTTP_PARAMS.orgunit!=Sales

The new configuration would result in certificates with a validity period of six months for users in the Sales organizational unit and a validity period of three months for users in the Manufacturing unit.

Policy Processor

Each subsystem--the Certificate Manager, Registration Manager, or Data Recovery Manager--has its own policy processor. Each processor subjects an incoming request to the applicable policy rules for that subsystem.

When a subsystem starts up, its policy processor reads the current policy configurations from the configuration file, initializes them, and classifies them based on their type (see "Types of Policy Rules"). Then, when the subsystem receives an authenticated request, its request processor invokes the policy processor to apply policies on that request. The policy processor applies the rules on the request based on the request type. The policy processor also filters the rules based on predicates (see "Using Predicates in Policy Rules").

Note that the policy processor applies only the enabled policy rules, in the order in which they are configured, before determining the final outcome. Each rule the processor executes returns a PolicyResult object. Three return values are possible:

PolicyResult.REJECTED (indicates that the request failed the rule)

PolicyResult.DEFERRED (indicates that the request requires agent approval)

PolicyResult.ACCEPTED (indicates that the request passed the rule)

After all the policy rules are applied, the processor determines the status of the request (in this order):

If the request failed any policy rule (that is, if any of the policy rules returned a PolicyResult.REJECTED value), the processor rejects the request. The rule that rejected the request sets appropriate error messages on the request.

If at least one of the policy rules requires agent approval for the request (that is, if any of the policy rules returned a PolicyResult.DEFERRED value), the processor stores the request in the request queue for agent approval.

If the request passes all the policy rules (that is, all policy rules returned a PolicyResult.ACCEPTED value), the request gets serviced--for example the certificate is issued or renewed.

Built-in Policy Plug-in Modules

Certificate Management System comes with various policy plug-in modules that help you govern its certificate generation and management operations. The CMS window lists all the plugins and the corresponding classes that are currently recognized by the server; see Figure 16.1

Figure 16.1 Built-in policy plug-in modules

The modules provided out of the box can be categorized, based on their functionality, into two groups:

Constraints-Specific Policy Modules

Extension-Specific Policy Modules

The chapters that follow cover both the groups in detail. Note that Certificate Management System doesn't come with key archival and recovery policy modules.

© Copyright � 2000 Sun Microsystems, Inc. Some preexisting portions Copyright � 2000 Netscape Communications Corp. All rights reserved.