Netscape Certificate Management System Agent's Guide: Agent Services


Chapter 1 Agent Services

This chapter describes the role of the privileged users called agents in managing Netscape Certificate Management System (CMS). It also introduces the tools that agents use to administer service requests.

The chapter has the following sections:

    Overview of Certificate Management System
    Agent Tasks
    Forms for Performing Agent Operations
    Accessing Agent Services

Overview of Certificate Management System
Netscape Certificate Management System is a highly configurable set of software components and tools for creating, deploying, and managing certificates. The standards and services that facilitate the use of public-key cryptography and X.509 version 3 certificates in a networked environment are collectively called the public key infrastructure (PKI) for that environment. In any PKI, a certificate authority (CA) is a trusted entity that issues, renews, and revokes certificates. An end entity is a person, router, server, or other entity that uses a certificate to identify itself.

To participate in a PKI, an end entity must enroll, or register, in the system. The end entity typically initiates enrollment by giving the CA some form of identification and a newly generated public key. The CA uses the information provided to authenticate, or confirm, the identity; it then issues the end entity a certificate that associates that identity with the public key, and signs the certificate with the CA's own private signing key.

End entities and CAs may be in different geographic or organizational areas or in completely different organizations. CAs may include third parties that provide services through the Internet as well as the root CAs and subordinate CAs for individual organizations. Policies and certificate content may vary from one organization to another. End-entity enrollment for some certificates may require physical verification, such as an interview or notarized documents, while enrollment for others may be fully automated.

To meet the widest possible range of configuration requirements, Certificate Management System permits the independent installation of three separate subsystems, or "managers," that typically play distinct roles:

    Certificate Manager: acts as a CA. It issues, renews, and revokes certificates, maintains the certificate revocation list (CRL), and can publish certificates and CRLs to an LDAP directory.
    Registration Manager: receives end-entity requests, authenticates them, and passes approved enrollment requests to a Certificate Manager for issuance.
    Data Recovery Manager: archives end entities' encryption keys so that encrypted data can be recovered later, and releases an archived key only when the required number of recovery agents authorize the recovery.

Since CAs can delegate some responsibilities to subordinate CAs, a Certificate Manager might delegate responsibilities to one or more levels of subordinate Certificate Managers, and Registration Managers might delegate responsibilities to subordinate Registration Managers. Therefore many complex variations are possible.

Three kinds of entities can access CMS subsystems: administrators, agents, and end entities. Administrators are responsible for the initial setup and ongoing maintenance of the subsystems. Administrators can designate users with special privileges, called agents, for each subsystem. Agents manage day-to-day interactions with end entities and other aspects of the PKI. This guide describes the tasks that agents can perform. End entities access Registration Manager or Certificate Manager subsystems to enroll in a PKI and to take part in other life-cycle management operations, such as renewal or revocation.

Figure 1.1 shows the ports used by administrators, agents, and end entities. All agent and administrator interactions with CMS subsystems occur over HTTPS. End-entity interactions can take place over HTTP or HTTPS.

Figure 1.1    Certificate Management System and its users


Agent Tasks
The designated agents for each subsystem are responsible for the everyday management of end-entity requests and other aspects of the PKI. The following sections describe the tasks that the agents for each subsystem can perform.

To perform the privileged operations of an agent, you use the CMS Agent Services pages. To access these pages, you must have a personal SSL client certificate, and the CMS administrator must have identified you as a privileged user in the user database. For more information on how to get set up as a privileged user, see the Netscape Certificate Management System Administrator's Guide.

Certificate Manager Agent Services
The default entry page to the Certificate Manager agent services is shown in Figure 1.2. To access these pages, you must be a designated Certificate Manager agent and your client software must have a valid certificate identifying you as such.

Figure 1.2    Certificate Manager Agent Services page

As a Certificate Manager agent, you can perform the following tasks:

    List, examine, and process requests for certificate services (see Chapter 2, "Handling Certificate Requests")
    List certificates by serial number range, and search for certificates by subject name, type, status, or date (see Chapter 3, "Finding and Revoking Certificates")
    Revoke certificates and update the certificate revocation list (see Chapter 3)
    Update the LDAP publishing directory with newly issued certificates and updated CRLs (see Chapter 4, "Publishing to a Directory")

Registration Manager Agent Services
The default entry page to the Registration Manager agent services is shown in Figure 1.3. To access these pages, you must be a designated Registration Manager agent and your client software must have a valid certificate identifying you as such.

Figure 1.3    Registration Manager Agent Services page

As a Registration Manager agent, you can handle certificate requests. You can list the certificate service requests received by the Registration Manager subsystem, assign requests to yourself, reject or cancel requests, clone requests, and approve enrollment requests to be passed on to the Certificate Manager for issuance. See Chapter 2, "Handling Certificate Requests."

Data Recovery Manager Agent Services
The default entry page to the Data Recovery Manager agent services is shown in Figure 1.4. To access these pages, you must be a designated Data Recovery Manager agent and your client software must have a valid certificate identifying you as such.

Figure 1.4    Data Recovery Manager Agent Services page

As a Data Recovery Manager agent, you can perform the following tasks:

    List and examine requests for key services
    Search for and list archived keys
    Recover archived keys, subject to authorization by the designated key recovery agents
    Authorize key recovery requests initiated by other Data Recovery Manager agents

Key recovery requires the authorization of one or more recovery agents. The administrator for the Data Recovery Manager designates recovery agents. Typically, several recovery agents each hold a portion of the storage key for the Data Recovery Manager, and the approval of m of a total of n agents is required to authorize key recovery. The values of m and n for your installation of the Data Recovery Manager are determined by the administrator in charge of the subsystem.

For more information on these tasks, see Chapter 5, "Recovering Encrypted Data."
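The m-of-n rule described above, as an added example in Go that is not code from CMS or this guide. The guide does not say how CMS divides the storage key among recovery agents, so the illustration uses Shamir secret sharing, the standard construction with exactly the property the text describes: any m shares reconstruct the key, fewer than m reveal nothing about it. The field size (2^521 - 1), the Share layout, and the 32-byte key are constructed for the example; in CMS the storage key is never a literal in source.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// prime is the field modulus (the Mersenne prime 2^521 - 1): room for any
// storage key up to 512 bits.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one recovery agent's portion of the storage key: a point on the
// secret polynomial plus what is needed to reassemble the key.
type Share struct {
	X         int      // 1..n; x = 0 is the key itself and is never handed out
	Y         *big.Int // f(X) mod prime
	Threshold int      // m: number of shares recovery needs
	KeyLen    int      // byte length of the original key
}

// Split divides key into n shares so that any m of them reconstruct it while
// any m-1 reveal nothing about it (Shamir secret sharing over GF(prime)).
func Split(key []byte, m, n int) ([]Share, error) {
	if m < 1 || m > n || n > 255 {
		return nil, errors.New("need 1 <= m <= n <= 255")
	}
	secret := new(big.Int).SetBytes(key)
	if secret.Cmp(prime) >= 0 {
		return nil, errors.New("key too large for the field")
	}
	// f(x) = key + a1*x + ... + a(m-1)*x^(m-1), coefficients uniformly random.
	coeffs := []*big.Int{secret}
	for i := 1; i < m; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := 1; i <= n; i++ {
		y := new(big.Int) // Horner evaluation of f(i)
		for j := m - 1; j >= 0; j-- {
			y.Mul(y, big.NewInt(int64(i))).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i-1] = Share{X: i, Y: y, Threshold: m, KeyLen: len(key)}
	}
	return shares, nil
}

// Combine reassembles the key from at least Threshold distinct shares by
// Lagrange interpolation of f at x = 0. Fewer shares are refused outright:
// this is the "approval of m of n agents" rule from the text.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) == 0 {
		return nil, errors.New("no shares presented")
	}
	m := shares[0].Threshold
	if len(shares) < m {
		return nil, fmt.Errorf("recovery needs %d shares, only %d presented", m, len(shares))
	}
	use, seen := shares[:m], map[int]bool{}
	for _, s := range use {
		if s.X < 1 || seen[s.X] || s.Threshold != m || s.KeyLen != shares[0].KeyLen {
			return nil, errors.New("duplicate or inconsistent share")
		}
		seen[s.X] = true
	}
	secret := new(big.Int)
	for i, si := range use {
		num, den := big.NewInt(1), big.NewInt(1) // Lagrange basis l_i(0)
		for j, sj := range use {
			if j != i {
				num.Mul(num, big.NewInt(int64(-sj.X))).Mod(num, prime)
				den.Mul(den, big.NewInt(int64(si.X-sj.X))).Mod(den, prime)
			}
		}
		term := new(big.Int).Mul(si.Y, num)
		term.Mul(term, new(big.Int).ModInverse(den, prime))
		secret.Add(secret, term).Mod(secret, prime)
	}
	return secret.FillBytes(make([]byte, shares[0].KeyLen)), nil
}

func main() {
	// Constructed 32-byte key standing in for the Data Recovery Manager's storage key.
	key := []byte("constructed 32-byte storage key!")
	shares, err := Split(key, 3, 5)
	if err != nil {
		panic(err)
	}
	_, err = Combine(shares[:2])
	fmt.Println("2 of 5:", err)
	got, _ := Combine([]Share{shares[4], shares[0], shares[2]})
	fmt.Printf("3 of 5: %q\n", got)
}
```

Which three of the five shares are presented does not matter, and the order does not matter either; what matters is that the Data Recovery Manager refuses to act until the threshold is met, which is why Combine checks the count and the consistency of the shares before doing any arithmetic.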


Forms for Performing Agent Operations
The agent services consist of a form-based HTML interface that is part of your Certificate Management System installation. The CMS administrator designates particular users as agents for each installed subsystem (Certificate Manager, Registration Manager, and Data Recovery Manager). Only a designated agent for a subsystem can use the Agent Services interface for that subsystem. In addition, you must have a personal client SSL certificate to access the Agent Services interface.

As a subsystem agent with the proper certificate, you use the Agent Services page to access the forms you need to perform the agent tasks. Table 1.1 describes each of these HTML forms.

Table 1.1 Forms used for agent operations

List Requests (Certificate Manager and Registration Manager)
    Use this form to examine, select, and process requests for certificate services. Both Certificate Manager and Registration Manager agents can use this form. For instructions on using this form, see "Listing Certificate Requests" in Chapter 2.

List Certificates (Certificate Manager)
    Use this form to list certificates within a range of serial numbers. You can limit the list to valid certificates. Only Certificate Manager agents can use this form. For instructions on using this form, see "Basic Certificate Listing" in Chapter 3.

Search for Certificates (Certificate Manager)
    Use this form to search for and list certificates issued by CMS. You can search by subject name or by certificate type, by the state of the certificate (expired, revoked, and so on), and by the dates when the certificate was issued, became valid, expired, or was revoked. Only Certificate Manager agents can use this form. For instructions on using this form, see "Advanced Certificate Search" in Chapter 3.

Revoke Certificates (Certificate Manager)
    Use this form to search for and revoke certificates issued by Certificate Management System. Only Certificate Manager agents can use this form. For instructions on using this form, see "Revoking Certificates" in Chapter 3.

Update Revocation List (Certificate Manager)
    Use this form to manually update the published list of revoked certificates (the CRL). Only Certificate Manager agents can use this form. For instructions on using this form, see "Managing the Certificate Revocation List" in Chapter 3.

Update Directory Server (Certificate Manager)
    Use this form to update the LDAP publishing directory with changes in certificate information (newly issued certificates, updated CRLs, and so on). Only Certificate Manager agents can use this form. For instructions on using this form, see "Updating the Directory with Changes" in Chapter 4.

List Requests (Data Recovery Manager)
    Use this form to find and examine requests for key services. Only Data Recovery Manager agents can use this form. For instructions on using this form, see "Viewing Key Service Requests" in Chapter 5.

Search for Keys (Data Recovery Manager)
    Use this form to find and list specific archived keys. Only Data Recovery Manager agents can use this form. For instructions on using this form, see "Finding Archived Keys" in Chapter 5.

Recover Keys (Data Recovery Manager)
    Use this form to find and recover specific archived keys. You can select a key in the list returned by a search and initiate its recovery, which must be authorized by the designated key recovery agents. Only Data Recovery Manager agents can use this form. For instructions on using this form, see "Recovering Keys" in Chapter 5.

Authorize Recovery (Data Recovery Manager)
    Use this form to remotely authorize a key recovery request initiated by another Data Recovery Manager agent. Key recovery agents do not have to be Data Recovery Manager agents if key recovery is handled locally; however, only key recovery agents who are also Data Recovery Manager agents can access this form. For instructions on using this form, see "Recovering Keys" in Chapter 5.


Accessing Agent Services
Access to the agent services forms requires certificate-based authentication. Only users who authenticate with the correct certificate and who have been granted the proper access privilege can access and use the forms. The operation uses the SSL protocol; that is, you connect to the server using HTTPS (not HTTP) on the SSL agent port. For example, if Certificate Management System is installed on a host named cert.mycompany.com and is running on port 443 (the default port for SSL connections), you invoke the Agent Services interface by using the following URL:

https://cert.mycompany.com:443

The Agent Services pages are written in HTML and are intended to be customized. This document describes the default pages. If your administrator has customized these pages, yours may differ from those described here. Check with the CMS administrator for information on your local installation.

Administrator/Agent Certificate Enrollment
Immediately after installing any Certificate Management System instance, the administrator must enroll for the initial administrator/agent certificate. This is the first user certificate that Certificate Management System issues.

The initial user is both an administrator and an agent. This person can create additional agents with the appropriate user privileges and issue them certificates. Since there is no agent yet to approve the request, a special enrollment form allows you to get this first certificate automatically.

After you submit this initial Administrator/Agent Certificate Enrollment form, it is automatically disabled, so that no one else can acquire a certificate without agent approval or some form of automated authentication. The system automatically adds the initial user to the list of agents.

To enroll for the first agent certificate, you should be working at the computer you intend to use as the agent, so that the new certificate will be installed in the browser you will be using to access the Agent Services pages. Follow these steps:

  1. Open a web browser window.
  2. Go to the URL for the SSL agent port. By default, this is a URL of the following form:

    https://<hostname>:<agent_port_number>

  3. Complete the dialog boxes as instructed (the exact procedure depends on the browser you are using).
  4. In the Administrator/Agent Certificate Enrollment form, enroll for a client SSL certificate as the system's first privileged user by entering the following information:

    Authentication Information

    User ID: The ID you entered for the CMS administrator during installation.
    Password: The password you specified for the CMS administrator during installation.

    Subject Name

    The subject name is the distinguished name (DN) that identifies the certified owner of the certificate.

    Full name: Name of the administrator/agent.
    Login name: User ID of the administrator/agent.
    Email address: Email address of the administrator/agent.
    Organization unit: Name of the organization unit to which the administrator/agent belongs.
    Organization: Name of the company or organization the administrator/agent works for.
    Country: Two-letter code for the administrator/agent's country.

    User's Key Length Information

    Key Length: The length of the private key that your browser will generate. The matching public key becomes part of the administrator/agent certificate; the private key stays in your browser and is not sent to the server.

  5. Click Submit.
  6. Follow the instructions your browser presents as it generates a key pair.
  7. If authentication is successful, the new certificate is imported into your browser, and you are given an opportunity to make a backup copy.

Now you have a client authentication certificate in the name you specified. This special user, who was named as the initial administrator for Certificate Management System during installation, has been automatically designated as the first agent. This certificate allows you to access the Agent Services pages. As an agent, you can approve enrollment requests and start issuing new certificates. To access the CMS windows in Netscape Console, you use the user ID that you specified for the certificate and the corresponding password—both of which must correspond to the values you specified for the CMS administrator during installation.
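The enrollment flow described in this chapter (the end entity generates a key pair and submits only the public key and its identity; the CA binds them in a signed certificate) and the check the agent port then performs (certificate-based authentication plus a lookup of the user's agent privileges), as an added example in Go. This is not code from CMS or this guide: Go's standard crypto/x509 package stands in for the browser and the CMS server, Issue stands in for the CA, and agentDB is a constructed stand-in for the CMS user database. The subject values, the subsystem names used as privilege labels, and the function names are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Subject attribute OIDs with no named field in pkix.Name: uid carries the
// form's "Login name", emailAddress its "Email address".
var (
	oidUID   = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}
	oidEmail = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
)

// agentDB is a constructed stand-in for the CMS user database: login name ->
// subsystems for which that user is a designated agent. Entries are made up.
var agentDB = map[string][]string{
	"cmsadmin": {"Certificate Manager", "Data Recovery Manager"},
}

var serial int64 // constructed serial counter; a real CA keeps this in its database

// SubjectName builds the DN from the enrollment form's Subject Name fields.
func SubjectName(fullName, login, email, ou, org, country string) pkix.Name {
	return pkix.Name{
		CommonName: fullName, OrganizationalUnit: []string{ou},
		Organization: []string{org}, Country: []string{country},
		ExtraNames: []pkix.AttributeTypeAndValue{ // Login name, Email address
			{Type: oidUID, Value: login}, {Type: oidEmail, Value: email},
		},
	}
}

// Issue generates a fresh key pair for subj and has signer certify the public
// key on behalf of parent. With parent == nil it produces a self-signed CA.
// In CMS the end entity's browser generates the key pair; the CA sees only the
// public key and the claimed identity, never the private key.
func Issue(subj pkix.Name, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subj,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// AuthorizeAgent is the two-part check the agent port performs: the presented
// client certificate must chain to the CMS CA and be valid for client
// authentication, and the uid it names must be a designated agent for the
// requested subsystem. Either failure denies access.
func AuthorizeAgent(ca, presented *x509.Certificate, subsystem string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	var uid string
	for _, atv := range presented.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidUID) {
			uid = s
		}
	}
	for _, s := range agentDB[uid] {
		if s == subsystem {
			return nil
		}
	}
	return fmt.Errorf("uid %q is not a designated agent for the %s", uid, subsystem)
}

func main() {
	ca, caKey, err := Issue(pkix.Name{CommonName: "Example CMS CA"}, nil, nil)
	if err != nil {
		panic(err)
	}
	subj := SubjectName("CMS Administrator", "cmsadmin", "cmsadmin@example.com", "IT", "Example Corp", "US")
	agent, _, _ := Issue(subj, ca, caKey)
	fmt.Println("CM access:", AuthorizeAgent(ca, agent, "Certificate Manager"))
	fmt.Println("RM access:", AuthorizeAgent(ca, agent, "Registration Manager"))
}
```

The point of keeping the two checks separate is the one the text makes: a valid certificate from the CMS CA proves who is connecting, but it is the user database entry, maintained by the administrator, that decides whether that person is an agent, and for which subsystem. A certificate from another CA, or a valid certificate for a user who is not a designated agent, is refused in the same way.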

Important
After you submit the initial Administrator/Agent Certificate Enrollment form, it is no longer available from the agent port. If something goes wrong and you are unable to obtain the administrator/agent certificate, you must reset a parameter in the configuration file to make the form available again. Follow these steps:

  1. In the left frame of Netscape Console, open the CMS instance for which you want to display the Administrator/Agent Certificate Enrollment form. The server requests the password for the CMS administrator.
  2. Click the icon labeled Stop the Server.
  3. Go to the directory <server_root>/<instance_ID>/config, open the file CMS.cfg in a text editor, and find the following line:

    agentGateway.enableAdminEnroll=false

  4. Change false to true, and save the file.
  5. Start the server from the CMS window where you stopped it. (Alternatively, right-click the name of the instance in the left frame and choose Start Server.) At this point, the server asks you for the single signon password you specified during installation.
  6. The next time you access the SSL agent port, the Administrator/Agent Certificate Enrollment form is available again.

While this parameter is true, the form is protected only by the CMS administrator's user ID and password, so complete the enrollment promptly. Submitting the form disables it again; after the enrollment succeeds, confirm that the line in CMS.cfg once more reads agentGateway.enableAdminEnroll=false, and if it does not, set it to false and restart the server as above.

Agent Services Entry Page
To access the Agent Services interface in a default installation:

  1. Open a browser.
  2. Go to the URL for the SSL agent port. This is the same URL you used to access the initial Administrator/Agent Certificate Enrollment form.
  3. In the Agent Services entry page, click the subsystem whose agent services you require.

The choices depend on which subsystems have been installed in the particular Certificate Management System instance. (The Certificate Manager and Registration Manager cannot be installed in the same instance, so they never appear together on this page.) If you present a valid certificate and have been designated as an agent for a subsystem, you can access and use the Agent Services pages for that subsystem by clicking the link on this page.

If you do not yet have your certificate, click Services Summary to enroll for one. For more information, see "Services Summary Page" (the next section).

Services Summary Page
If you want to access another gateway without looking up the port number, click Services Summary on the Agent Services entry page. The Services Summary page gives you access to each of the configured gateways: the HTTPS end-entity gateway, the HTTP end-entity gateway (if it has been enabled), and the Agent Services entry page.

Figure 1.5    Services Summary page

If you do not yet have a certificate that allows you access to the Agent Services pages, go to one of the end-entity gateways and enroll for your certificate.

 

Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.