Solving this problem requires some way for a user to log in once, using a single password, and get authenticated access to all servers that user is authorized to use--without sending any passwords over the network. This capability is known as single sign-on.

Netscape supports single sign-on for Navigator 3.x, Communicator, Communicator Professional Edition, and most of the SuiteSpot 3.x servers. Netscape's approach to single sign-on involves the use of digital certificates to authenticate users to servers. For Netscape products, single sign-on is an authentication mechanism that replaces more cumbersome multiple-password authentication without affecting existing access-control mechanisms.

This document introduces single sign-on for network administrators and describes how to plan and deploy a single sign-on solution using Netscape products.

• Introduction to Single Sign-On
• Planning a Single Sign-On Solution
• Setting Up Netscape Servers for Single Sign-On
• Setting Up Netscape Clients for Single Sign-On
• Issuing Client Certificates
• Testing Your Setup Before Full Deployment

To give Netscape comments on this guide or on any aspect of single sign-on, please send email to sso-feedback. This address is strictly for collecting feedback; you will not receive a personal response.

For information about getting technical help with any Netscape product, see Netscape Tech Support.

Introduction to Single Sign-On

After the server has established the user's identity, optionally including user/group information stored in a Lightweight Directory Access Protocol (LDAP) directory, it continues its evaluation of the ACLs and authorizes or denies access to the requested information according to the user's access privileges.

Figure 1 illustrates the basic elements of the ACL evaluation process. Netscape's approach to single sign-on replaces client authentication based on passwords sent over the network with client authentication based on the Secure Sockets Layer (SSL) and certificates.

Figure 1    Single sign-on uses certificate-based authentication

This approach has several benefits for users and administrators:

• Ease of use. Users can log in once and get authenticated access to all servers for which that user is authorized, without being interrupted by repeated requests for passwords.
• Password limited to local machine. To log in, the user types a single password that protects the private-key database on the local machine. Passwords are not sent over the network.
• Simplified management. Administrators can control who is allowed access to which servers by controlling the lists of certificate authorities maintained by client and server software. These lists are shorter than lists of user names and passwords and don't change as often.
• Access control not affected. Single sign-on involves replacing client authentication mechanisms, not access-control mechanisms. Administrators don't need to change existing ACLs that may have been originally set up to work with basic password authentication.

A certificate is an electronic document used to identify an individual, company, or other entity. Certificate authorities (CAs) are entities that validate identities and issue certificates. CAs are either independent third parties or organizations running their own certificate-issuing server software (such as Netscape Certificate Server). For more information about certificates and public-key cryptography, see Appendix A, "Netscape's Use of Public-Key Cryptography."

The following sections introduce the use of single sign-on with Netscape products:

• Client Authentication and Single Sign-On
• Netscape Products That Support Single Sign-On

Although such security risks don't matter for most casual uses of the Internet, they are not acceptable within an enterprise intranet or extranet. Administrators can address some of these risks by using client and server software that provides some form of authentication. For example, if you must type your name and password before accessing a server, the server uses that information and an internal database to authenticate your identity--to confirm that you are who you say you are.

Authentication by itself, however, doesn't address threats to privacy or data integrity. The Secure Sockets Layer (SSL) standard supported by Netscape products addresses the need for authentication, privacy, and data integrity. SSL is a protocol that runs above TCP/IP and below HTTP, LDAP, IMAP, NNTP, and other high-level network protocols. SSL allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection.

A server-authenticated SSL connection makes it extremely difficult to eavesdrop on the connection, modify the data without detection, or impersonate the identity of the server. However, unless the client as well as the server is authenticated, any user can establish a connection and gain access to the resources managed by the server.

Client authentication is an essential element of network security within most intranets or extranets. The sections that follow contrast the two forms of client authentication introduced in Figure 1:

•  Basic Authentication. Almost all server software permits client authentication by means of a name and password. This form of authentication may take place in the clear (that is, without encryption) or over a server-authenticated and encrypted SSL connection.
•  Strong Authentication. Client authentication based on certificates, as implemented by Netscape, requires SSL. This is the form of authentication used to support single sign-on for Netscape products.

Basic Authentication

• The user has already decided to trust the server, either without authentication or on the basis of server authentication via SSL.
• The user has requested a resource.
• The server has requested client authentication in the process of evaluating its access-control lists (ACLs) for the requested resource.

These are the steps shown in Figure 2:

1. In response to an authentication request from the server, the client displays a dialog box requesting the user's name and password for that server. The user must supply a name and password separately for each new server the user wishes to use during a work session.

2. The client sends the name and password across the network, either in the clear or over an encrypted SSL connection.

3. The server looks up the name and password in its local password database and, if they match, accepts them as evidence authenticating the user's identity.

4. The server continues evaluating its ACLs (optionally making use of information stored in the LDAP directory, in company databases, and so on), determines whether the identified user is permitted to access the requested resource, and if so allows the client to access it.

As shown in the next section, single sign-on replaces the first three steps with a mechanism that allows the user to supply just one password (which is not sent across the network) and allows the administrator to control user authentication centrally with the aid of the Certificate Server and the Directory Server.

Strong Authentication

As in Figure 2, in Figure 3 it is assumed that the user has already decided to trust the server and has requested a resource, and that the server has requested client authentication in the process of evaluating its access control lists (ACLs) for the requested resource.

Figure 3    Using a certificate to authenticate a client to a server

Unlike the process shown in Figure 2, the process shown in Figure 3 requires the use of SSL and takes place after the initial server authentication. It is also assumed that the client has a valid certificate that can be used to identify the client to the server. This process is called "strong authentication" because it is based on what the user has (the certificate) as well as what the user knows (the password that protects the private key).

These are the steps shown in Figure 3:

1. The client software, in this case Communicator or Navigator 3.x, maintains a database of the private keys that correspond to the public keys published in any certificates issued for that client. The client asks for the password to this database the first time the client needs to access it during a given session, for example the first time the user attempts to access an SSL-enabled server that requires certificate-based client authentication. After entering this password once, the user doesn't need to enter it again for the rest of the session, even when accessing other SSL-enabled servers.

2. The client unlocks the private-key database, retrieves the private key for the user's certificate, and uses that private key to digitally sign some data that has been randomly generated for this purpose on the basis of input from both the client and the server. This data and the digital signature constitute "evidence" of the private key's validity. The digital signature can be created only with that private key and can be validated with the corresponding public key against the data that was signed, which is unique to the SSL session.

3. The client sends both the user's certificate and the evidence (the randomly generated piece of data that has been digitally signed) across the network.

4. The server uses the certificate and the evidence to authenticate the user's identity. (For a detailed discussion of the way this works, see Appendix A, "Netscape's Use of Public-Key Cryptography.")

5. The server maps the user's identity to a unique entry in the LDAP directory and checks that the entry contains the same certificate that was presented to the server. This step assumes that the Certificate Server has been configured to publish each certificate it issues in the directory. To disallow authentication for a particular user, (for example, someone who has left the company), the administrator simply removes the person's certificate from the LDAP directory. This single action prevents that person from accessing any of the company's servers, even if the person's certificate hasn't expired.

6. If the LDAP lookup is successful, the server continues evaluating its ACLs (optionally making use of information stored in the LDAP directory, in company databases, and so on), determines whether the identified user is permitted to access the requested resource, and if so allows the client to access it.

Netscape Products That Support Single Sign-On

• Client software:
• Navigator 3.x
• Communicator 4.x
• Communicator Professional Edition 4.x
• Client administration software:
• Administration Toolkit (for use with Navigator 3.x)
• Mission Control (for use with Communicator and Communicator Professional Edition)
• SuiteSpot software
• Netscape Certificate Server 1.x
• Netscape Directory Server 1.x
• Netscape Enterprise Server 3.x
• Messaging Server 3.x
• Collabra Server 3.x

It is possible to deploy a single sign-on solution with the aid of a third-party certificate authority rather than managing your own certificates with the Certificate Server. However, this guide assumes you are using some version of the Certificate Server.

The Directory Server is a special case. For more information about the single sign-on support provided by the Directory Server and future support by other SuiteSpot servers, see Appendix B, "Single Sign-On and Future Versions of SuiteSpot Servers."

Planning a Single Sign-On Solution

• Planning Your LDAP Directory
• Establishing the CA Hierarchy
• Mapping DNs to an LDAP Entry
• Planning Access Control
• Establishing Security Policies
• Dealing with Export Restrictions

• Make sure the distinguished name (DN) to be used in the user's certificate can be mapped to the user's entry in the directory tree. This is discussed later in this document under Mapping DNs to an LDAP Entry.
• Include an attribute for the user's certificate in the attributes for your user entries.
• Limit access to the portion of each entry that contains the user's certificate.

• Certificates, DNs, and LDAP Lookups
• LDAP Tree Hierarchy and Entry Attributes
• Integration Issues

A certificate binds a distinguished name (DN) to a public key. A DN is the string representation of an entity's name. For example, this might be a typical DN for an employee of Netscape Communications Corporation:

uid=doe,e=doe@netscape.com,cn=John Doe,o=Netscape Communications Corp.,c=US

• uid: user ID
• e: email address
• cn: the user's common name
• o: organization
• c: country

It's very important to make sure that the DN used to identify the user in the user's certificate can be mapped to the user's unique entry in the LDAP directory. The directory doesn't need all the information in the DN to identify a user, but it needs enough to be able to identify the user uniquely. For example, the information the server extracts from the DN must include information, such as an email address or an employee ID number, that distinguishes two people with the same name.

LDAP Tree Hierarchy and Entry Attributes

It's also important to think about the kinds of information the directory will contain. This decision affects both the tree hierarchy and the attributes of each entry. For example, entries for people require different treatment than entries for servers or other devices. Therefore, these two kinds of entries are typically located in different branches of the directory tree. In addition, the kind of entry, or object class, used for people contains different categories of information, or attributes, than the object class for servers.

As discussed later in this document (Using the Verification Gateway Interface), you can use a Verification Gateway Interface (VGI) script to automate the issuing of certificates. VGI provides a way to write code that checks information provided by the requester and determines whether the request is valid. Thinking about the information provided in certificate requests that might be processed by VGI scripts may help you determine the appropriate attributes for the user entries in your directory.

Another consideration as you plan user attributes is the trade-off between information stored in the user's certificate and information stored in the LDAP directory. In general, keeping only the minimal static information required to identify a user in the certificate is a good way to ensure that the certificate can be as permanent as possible. Information that changes, such as employee status, department, or physical location, can be stored in the LDAP entry. This approach makes it possible to issue someone a single certificate that remains valid until its expiration date and doesn't need to be revoked or reissued, with attendant overhead, every time the person's status changes.

In some businesses, however, approaches that require short-term certificates for specific purposes may be preferable despite the additional certificate management overhead.

Integration Issues

You should make long-term plans for integrating sources of information into the LDAP directory, not only for the initial setup but also for keeping the information current. For information about integrating HR applications and other sources of information, go to the Directory Server area of Server Central.

You may also want to consider eventually linking in your company's telephone system, badging system, Unix and NT logins, and so on. To fully integrate single sign-on authentication with forms of access not directly controlled by Netscape servers, you can use solutions provided by third parties specifically for such purposes. For information about Netscape partners that provide single sign-on solutions, see Netscape Security Partners.

Establishing the CA Hierarchy

This section describes three aspects of setting up your CA lists and gives some examples:

• Planning the CA Hierarchy
• Verifying Certificate Chains
• Determining Which CA Certificates to Install
• Examples

You can delegate this responsibility by setting up subordinate CAs. The X.509 standard includes a model for setting up a hierarchy of CAs, as shown in Figure 4. Each CA is identified by a CA certificate, which is a certificate that identifies the CA and contains the public key corresponding to the CA's signing key. A CA certificate is used to validate all the other certificates signed by the authority.

Figure 4    Example of a hierarchy of certificate authorities

In this model, the root CA is at the top of the hierarchy and has a self-signed certificate. The CAs that are directly subordinate to the root CA have CA certificates signed by the root CA. CAs under the subordinate CAs in the hierarchy have their CA certificates signed by the higher-level subordinate CAs.

You have a great deal of flexibility in terms of the way you set up the CA hierarchy for your organization. In general, it's a good idea to use a root CA that issues only subordinate CA certificates, because this gives you the greatest flexibility if you decide to change the structure later on.

Figure 5 and Figure 6 illustrate two alternative hierarchies; there are any number of possibilities.

Figure 5    A CA hierarchy based on relationship to the company

Figure 6    A CA hierarchy based on the contexts in which certificates are used

CA hierarchies are reflected in certificate chains. A certificate chain is series of certificates issued by successive CAs. Figure 7 shows a certificate chain leading from a certificate that identifies some entity through two subordinate CA certificates to the CA certificate for the root CA (based on the CA hierarchy shown in Figure 4).

Figure 7    Example of a certificate chain

A certificate chain traces a path of certificates from a branch in the hierarchy to the root of the hierarchy. In a certificate chain, the following occur:

• Each certificate is followed by the certificate of its issuer.
• Each certificate contains the name (DN) of that certificate's issuer, which is the same as the subject name of the next certificate in the chain.

In Figure 7, the Engineering CA certificate contains the DN of the CA (that is, USA CA), that issued that certificate. USA CA's DN is also the subject name of the next certificate in the chain.

• Each certificate is signed with the private key of its issuer. The signature can be verified with the public key in the issuer's certificate, which is the next certificate in the chain.

In Figure 7, the public key in the certificate for the USA CA can be used to verify the USA CA's digital signature on the certificate for the Engineering CA.

Verifying Certificate Chains

1. The certificate validity period is checked against the current time provided by the verifier's system clock.

2. The issuer's certificate is located. The source can either be the verifier's local certificate database (on that client or server) or the certificate chain provided by the subject (for example, over an SSL connection).

3. The certificate signature is verified using the public key in the issuer's certificate.

4. If the issuer's certificate is trusted by the verifier in the verifier's local database, verification stops successfully here. Otherwise, the issuer's certificate is checked to make sure it contains the appropriate subordinate CA indication in the Netscape certificate type extension, and chain verification returns to step 1 to start again, but with this new certificate. Figure 8 presents an example of this process.

Figure 8 shows what happens when only Root CA is included in the verifier's local database. If a certificate for one of the intermediate CAs shown in Figure 8, such as Engineering CA, is found in the verifier's local database, verification stops with that certificate, as shown in Figure 9.

Figure 9    Verifying a certificate chain to an intermediate CA

Expired validity dates, an invalid signature, or the absence of a certificate for the issuing CA at any point in the certificate chain causes authentication to fail. For example, Figure 10 shows how verification fails if neither the Root CA certificate nor any of the intermediate CA certificates are included in the verifier's local database.

Figure 10    A certificate chain that can't be verified

For detailed information about the way a CA's digital signature is verified, see Appendix A, "Netscape's Use of Public-Key Cryptography."

Determining Which CA Certificates to Install

You should install the certificates of CAs that you trust to sign client or server certificates and subordinate CA certificates. For most CA policies, a client or server should install the root CA certificate and mark it as trusted; the client will then accept certificates signed by the root CA and all of its subordinate CAs. Additional subordinate CA certificates do not need to be installed at all if the corresponding root CA is installed and has been marked as trusted.

For information about installing CA certificates in Navigator 3.x and Communicator using the Administration Toolkit and Mission Control, see Setting Up Netscape Clients for Single Sign-On. For information about installing CA certificates in servers, see Setting Up Netscape Servers for Single Sign-On.

Examples

• A server in Europe whose server certificate is signed by the Europe CA should install at least the following certificates in its local database: its own certificate, the Europe CA certificate, the Root CA certificate. These are the certificates in its certificate chain.
• If a client or server keeps the Root CA certificate in its local database and marks it as trusted, the client or server will accept certificates signed by all of the subordinate CAs: USA CA, Europe CA, and Asia CA (without user-intervention dialog boxes on the client). If a new subordinate CA, Australia CA, is added, the server automatically accepts certificates signed by the new subordinate CA.
• If a server in Europe wishes to accept only those certificates issued by Europe CA, it can load the Europe CA certificate into its local database, mark that CA as trusted, and mark the Root CA as untrusted.

1. It maps the distinguished name (DN) in the certificate to a branch point in the LDAP directory.

2. It tells the server what values to use from the DN in the certificate (such as the user's name, email address, and so on) for the purpose of searching the directory.

3. It specifies whether or not the server goes through an additional verification process. If the certmap.conf file is configured to support single sign-on, this process involves matching the certificate presented for authentication with the certificate stored in the user's LDAP directory entry. This step allows you to revoke a certificate by removing it from the user's entry in the directory. This prevents authentication even if the certificate is otherwise valid.

After the server finds a matching entry and certificate in the LDAP directory, it can use that information to determine the appropriate kind of authorization for the client. For example, some servers use information from a user's entry to determine group membership, which in turn can be used during evaluation of ACLs to determine what resources the user is authorized to access.

For information about setting up Netscape servers to look up client certificates in an LDAP directory, see Set Up the certmap.conf File later in this document.

Planning Access Control

By default, the server has one ACL file that contains multiple ACLs, which can be associated with specific resources. You can modify the ACL file for each server to exercise fine-grained control over the kind of resources each user or group of users is allowed. If you highly specialized access control needs, such as using a separate database or defining a custom method of client authentication, you can use the Enterprise Server ACL API to manipulate ACLs, read and write ACL files, and evaluate and test access control to resources on the Enterprise server. For more information about the ACL API, see the separate document Access Control Programmer's Guide.

If a server has not yet authenticated the user's identity and the evaluation of an ACL requires it, the server must authenticate the user's identity before proceeding with the evaluation. Access control can be managed based on the user's identity (and membership in one or more groups) or according to the host IP address of the requesting client. For the purposes of single sign-on, you should base access control on the user's identity.

In addition to its ACLs, each server that you set up for single sign-on uses a list of users, typically sorted into groups, to determine access rights. The list of users and groups is stored either in a database on the server or in an LDAP directory such as the Directory Server.

For any given resource, you can allow or deny access to everyone in the database or directory, or you can allow or deny access to specific people. As part of the planning process, you should identify and name any groups that you want to define and document your decisions. At a minimum, you should determine the formal name of each group, the general permissions you want each group to have, and the people you know you will want to include in each group. During deployment, you must make sure the database or directory has users and groups in it before you attempt to set access control.

As you plan your groups, keep the following guidelines in mind:

• Avoid high levels of nesting within groups. That is, avoid situations in which one group is a member of another group, which is in turn a member of another group, and so on. This kind of nesting can severely affect performance. In general you should avoid more than two levels of nesting.
• Do not create circular groups. That is, avoid situations in which group 1 is a member of group 2 and group 2 is a member of group 1. This kind of arrangement can severely degrade performance.

For more information about planning access control, see the Administrator's Guide for each server you plan to include in your single sign-on deployment. For information about setting up access control and configuring the directory service for the Enterprise Server, see Restrict Access later in this document.

Establishing Security Policies

• Security Policy Architecture
• Client Software Policies

Access control is another important part of the security policy architecture for any single sign-on solution. For a brief discussion of access control issues, see Planning Access Control.

Administrators also decide whether to issue certificates manually or to issue them automatically with the aid of a Verification Gateway Interface (VGI) script. If certificates are issued manually, an administrator or some other designated individual must check each request and verify the identity of the requester. The way this verification occurs is a policy question. For example, the administrator could require the requester to verify a request number, to meet the issuer in person, or to hand-deliver certain notarized documents. Issuing certificates manually may be necessary for certain individuals who are granted special access, but it can be cumbersome in large organizations that need to issue thousands of certificates.

VGI provides a general-purpose mechanism that allows a Certificate Server to process certificate requests programmatically. For information about VGI scripts, see Using the Verification Gateway Interface.

Important Policies related to physical security are always important for network security. For single sign-on, the physical security of server backups is essential, especially backups of the Certificate Server. If the security of Certificate Server backups is compromised, your entire network is vulnerable. Make sure you keep your server backups locked up and tightly controlled.

You can use Mission Control to configure proxy server settings, determine how often the user will be asked for the password for the private-key database, set up CA lists, configure SSL, and control almost any other Communicator preference or setting. You can also lock some or all of your custom settings, thereby preventing users from altering them.

You can use the Administrator's Toolkit to set up client copies of Navigator 3.x in a similar fashion; however, you can't change these settings after you have deployed the software.

See Setting Up Netscape Clients for Single Sign-On for more information about configuring client software.

Dealing with Export Restrictions

The laws of other countries may also affect the kind of software you can deploy. For example, software that supports encryption of any kind is not permitted in France without prior authorization from the French government. Similar restrictions for import and domestic use also may come into existence in other countries. Further, the US Government prohibits outright the export of any Netscape product with encryption to the following pariah countries: Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria.

Encryption strength is described in terms of the size (in bits) of the keys used to perform the encryption.128-bit encryption provides significantly better cryptographic protection than 40-bit encryption. Roughly speaking, 128-bit encryption is 3 x 10²⁶ times stronger than 40-bit encryption, which is not considered "strong" in the cryptographic community. It should be noted, however, that Netscape products use a different key for each encrypted SSL session, regardless of key size. Thus, even if intruders devoted significant resources and time toward breaking a key for one encrypted session, the discovered key would be useless for other sessions.

Netscape provides three versions of each release of its client software:

• The domestic version, for use in the United States and Canada only, supports encryption-key lengths of up to 128 bits (for RC2 and RC4 algorithms) and 168 bits (for Triple DES). It supports S/MIME encryption with key lengths of up to 128 bits (for RC2) and 168 bits (for DES). The domestic client uses this stronger encryption with server software that can support it; otherwise, as when communicating with international versions of Netscape server software, the client uses 40-bit encryption
• The international version, for export to countries other than the United States, Canada, France, and the pariah countries noted above, supports SSL and S/MIME encryption but with key lengths generally limited to 40 bits (for RC2 and RC4 algorithms; DES is not supported). However, the international version of Communicator 4.02 or later also supports conditional 128-bit or 168-bit SSL encryption, on a per-session basis, when communicating with a Netscape server that presents a valid Global Server ID server certificate (see below).
• The French version, for export to France, supports 40-bit SSL encryption only (for RC2 and RC4; DES is not supported). The French version does not support S/MIME encryption.

• The domestic version, for use in the United States and Canada and by international banks that have obtained a valid Global Server ID server certificate, supports SSL encryption with key lengths of up to 128 bits (for RC2 and RC4) and 168 bits (for Triple DES).
• The international version, for export to countries other than the United States, Canada, and the pariah countries noted above, supports 40-bit SSL encryption only (for RC2 and RC4; DES is not supported).

Setting Up Netscape Servers for Single Sign-On

These sections discuss some of the tasks involved in using SuiteSpot 3.0 servers to deploy a single sign-on solution:

• Setting Up the Directory Server
• Setting Up the Certificate Server
• Setting Up the Enterprise Server
• Setting Up the Messaging Server

Setting Up the Directory Server

To set up the Directory Server to work with the Certificate Server, you must perform the following tasks:

• Install a Directory Server
• Add an Entry for the Certificate Authority
• Set Up an Entry with Write Access
• Add Entries for the Users
• Get a Server Certificate
• Enable Encryption

Important After you click "Install a New Netscape Directory Server" from the Server Selector, you are presented with a form that allows you to select the initial settings for the Directory Server, including whether you want encryption enabled. Do not click the button that enables encryption when you first install the Directory Server. Before enabling encryption, you must configure the Directory Server as described in the sections that follow and install and configure the Certificate Server as described in Setting Up the Certificate Server.

When adding the entry, select the entry type based on the distinguished name of the CA:

• If the CA's distinguished name begins with the cn component, create a new Person entry for the CA. (If you select a different type of entry, the interface may not allow you to specify a value for the cn component.)
• If the CA's distinguished name begins with the ou component, create a new Organizational Unit entry for the CA.

For more details on setting up the Certificate Server to update the CA entry with the correct information, see step 7 in Configure the Certificate Server to Work with the Directory Server.

Make sure to follow step 7 in the procedure. If you do not and if the CA entry does not belong to the certificationAuthority object class, the CA certificate will not be published to the directory.

Set Up an Entry with Write Access

• Give write access to the CA's distinguished name (see the Directory Server Administrator's Guide for instructions).
• Use the distinguished name of an existing entry that has write access.

Also, when you configure the Certificate Server to work with the Directory Server, you need to specify this distinguished name as the "Access DN" (the DN used to access the directory server). For details, see step 5 in Configure the Certificate Server to Work with the Directory Server.

Add Entries for the Users

Use the tools provided with the Directory Server to add an entry for each user. These entries must belong to an object class (for example, the inetOrgPerson object class) that allows the userCertificate;binary attribute.

Depending on the way you organize your directory tree, you may also need to include an indexed LDAP attribute called CmapLdapAttr, which contains the subject DNs from all certificates belonging to the user. For more information about CmapLdapAttr, see the discussion of default properties of the certmap.conf file in Set Up the certmap.conf File.

Get a Server Certificate

You can get a server certificate either from one of the third-party CAs listed at Certificate Authority Services or from your own Certificate Server after it is set up. In either case, you must also make sure the Directory Server has a copy of the appropriate CA's certificate in its list of trusted CAs.

Enable Encryption

Setting Up the Certificate Server

The following kinds of distinguished names arise in the context of the operation of the Certificate Server:

• Certificate authority (CA) DN. Each instance of the certificate server represents a single abstract agency called a CA, also known as an issuer. The certificate authority has a distinguished name. This name appears as the issuer name in each certificate issued by the CA.
• Subject DN. The subjects of the CA are the entities that have certificates issued by the CA. Each of the subjects of the CA has a distinguished name. This name appears as the subject name in the subject's certificate.
• SSL server DN. The Certificate Server itself uses SSL for encryption and for the authentication of privileged clients. The Certificate Server has a distinguished name that appears in its own server SSL certificate. Usually the Certificate Server's SSL certificate is issued by the CA, but this is not required.
• Directory access DN. The Certificate Server binds and authenticates to the Directory Server using a directory access DN, also called the bind DN, that is specified in the certificate server's local configuration and is associated with the password entered at the time the Certificate Server is started. This name can be the same as or distinct from the issuer's certificate authority DN. This DN must be afforded the necessary access rights as a principal in the directory to perform the operations described below.

• When the Certificate Server starts up, it publishes the CA's certificate to the Directory Server.
• When the Certificate Server issues a new certificate, the certificate is published to the Directory Server.
• When a certificate is revoked, the certificate is removed from the Directory Server.
• When the certificate revocation list is created or updated (either through a form in Certificate Server or through a certificate revocation), the list is published to the Directory Server.

Some aspects of configuring the Certificate Server to support single sign-on depend on the configuration of the Directory Server, and vice versa. Before you complete the tasks described in this section, make sure you read and understand Setting Up the Directory Server.

To set up the Certificate Server to work with the Directory Server, you must perform the following tasks:

• Install a Certificate Server
• Configure the Certificate Server to Work with the Directory Server
• Specify How the Certificate Server Matches DNs to Directory Entries

A Certificate Server should normally be maintained on its own separate server hardware with appropriate resources to support the scalability you expect for your organization. Using a separate machine for the Certificate Server also improves its performance. The Certificate Server should also have its own dedicated Administration Server.

Important Plan carefully for the Certificate Server's physical security before you deploy the Certificate Server for general use within your organization. Access to both the machine it runs on and backup media should be tightly controlled. If the physical security of the Certificate Server or its backups is compromised, your entire network is vulnerable.

Configure the Certificate Server to Work with the Directory Server

Figure 11    Certificate Server directory configuration

To configure the Certificate Server to work with your Directory Server, follow these steps:

1. Click Yes under "Enable updates to Directory Server."

2. In the Directory Server Host field, enter the hostname of your Directory Server.

3. In the Directory Server Port field, enter the port number of your Directory Server.

4. If you specified a secure port in the previous step, click Yes under "Is this a Secure port."

5. Scroll down if necessary to the Access DN field and enter the directory access DN--that is, the entry in the directory server that has write permission to the directory. (For details, see Set Up an Entry with Write Access.)

   Whenever you start the Certificate Server, you will be prompted to enter the password for this DN.

6. If you use exactly the same structure and conventions for distinguished names in the Directory Server and in the Certificate Server, follow these steps:
   • Under "Components to form the subject's DN in the directory," select all components.
   • Under "Components to match attributes in the directory," do not select any components.

   For more information about these settings, see Specify How the Certificate Server Matches DNs to Directory Entries.

7. To add the object class certificationAuthority to the CA's entry in the directory (if the entry does not already belong to this class), click Yes under "Convert issuer's entry to certificationAuthority."

   The certificationAuthority object class represents a CA. Entries of this class must contain a CA certificate. If you click the Yes radio button, the CA certificate is automatically published to the directory.

   If you click No, the CA certificate will not be published to the directory if it does not already belong to the certificationAuthority object class.

8. If you want the individual errors logged during Directory Server updates, click Yes under "Log individual errors in Directory Server updates."

   By default, a single error is logged if problems occur during a directory server update. If you want more detail on the problems (for example, if you want to know which specific entries could not be updated and why they could not be updated), select this option.

9. Click OK.

10. Click Save and Apply, and stop and start the Certificate Server for your changes to take effect.

Subject names in certificates are in distinguished-name format. The Certificate Server uses parts of these subject names to construct a distinguished name that it can use as the base DN for searching the directory. Each attribute value assertion (AVA) in a distinguished name, such as cn=Jane Doe, is represented by a DER-encoded ISO Object Identifier (OID) for the attribute tag and the DER encoding of the value.

For use with LDAP, the subject name in the certificate is translated to its string form as defined by RFC 1779. The LDAP search operation recognizes the string forms of the DN attribute tags listed in Table 1. (Case is ignored.)

Table 1 

Attribute tag	Represents
cn	Common name
ou	Organization unit
o	Organization
l	Locality
st	State or province
c	Country
uid	User ID
mail	Electronic mail address
e	Electronic mail address

The Certificate Server begins its search by forming the base DN from a selection of AVAs across the subject's distinguished name in the certificate. It selects the AVAs according to the settings in the section labeled "Components to form the subject's DN in the directory" of the Certificate Server Directory Configuration form. This part of the form is shown in Figure 12. Note that in this form, "components" mean the same thing as "DN attribute tags."

Figure 12    Using the Certificate Server Directory Configuration form to specify a directory search

The choice of which AVAs from the subject name in the certificate should be used in the base DN is determined by the structure of the directory tree in the LDAP directory. With some directory structures, specifying an individual branch of the tree may be sufficient to identify an entry uniquely. With others, it may be necessary to use additional information that is provided in subject name AVAs but doesn't correspond to branches of the tree. The search based on this additional information uses attributes of directory entries that correspond to the attribute tags used in AVAs. The Certificate Server uses the settings in the section of the form labeled "Components to match attributes in the directory" to identify the AVAs it should use for this part of the search.

For example, suppose this is the subject name in the certificate:

cn=Jane Doe,ou=My Division,o=My Company,c=US

For example, if you set up the Certificate Server to use all of the AVAs in the sample subject name given above, the Certificate Server uses the following distinguished name as the base DN of its search for Jane Doe:

cn=Jane Doe,ou=My Division,o=My Company,c=US

Any unselected attribute tags are not used to build the distinguished name. In the previous example, if you did not select the OU component in the Certificate Server Directory Configuration form, the Certificate Server uses this distinguished name as the base for the directory search:

cn=Jane Doe,o=My Company,c=US

For example, if you selected CN, OU, O, and C under "Components to form the subject's DN in the directory," select L under "Components to match attributes in the directory" only if its value can be used to distinguish between entries with identical cn, ou, o, and c values.

If you always get a single, distinct matching entry from the DN, you do not need to select any checkboxes under "Components to match attributes in the directory."

With certain directory tree structures, the AVAs used to form subject's DN in the directory might match more than one entry. For example, this base DN

cn=Jane Doe,ou=My Division,o=My Company,c=US

For example, suppose that the two Jane Doe entries in the directory are distinguished by the value of the mail attribute (one entry's mail value is janedoe1, the other entry's mail value is janedoe2). Since the mail attribute corresponds to the e (email) attribute type in a distinguished name, you can set up the subject names of certificates to include the e attribute type. (The e attribute tag is the only one converted to a different tag, mainly for compatibility. The other attribute tags are not converted.)

By default, the e, l, and st attribute tags are not included in the standard set of certificate request forms. You can either add these attribute tags to the forms, or you can use a VGI script to use these attribute types when populating the subject name in the certificate issuance forms.

Setting Up the Enterprise Server

To set up the Enterprise Server for single sign-on, you must perform the following tasks:

• Install an Enterprise Server
• Generate a Key Pair and Request a Server Certificate
• Set Client Authentication and Encryption Preferences
• Restrict Access
• Configure Directory Service
• Set Up the certmap.conf File

Generate a Key Pair and Request a Server Certificate

1. In the Administration Server, click Keys & Certificates button near the top of the window.

2. In the left frame, click Generate Key, which displays the Generate Key form.

3. Click the Help button, and follow the instructions for generating a public-private key pair from the command line. As part of this process, you will be prompted for a password. Remember this password; you will need to use it to start up the server in secure mode.

Figure 13    The Administration Server's Request Certificate form

1. In the left frame, click Request Certificate, which displays the Request Certificate form shown in Figure 13.

2. Fill in the request form (including the location of the key-pair file you just generated) and submit the request to a CA. You can either submit the request through email to a third-party CA or through a URL for a CA within your organization that uses the Netscape Certificate Server.

3. After the CA issues you a certificate, you need to install it. In the left frame, click Install Certificate to display the Install Certificate form.

4. Install the certificate, either by specifying a file or pasting it into the appropriate field, and click the This Server button. After you submit the form, the certificate is added to your server's certificate database.

5. Get a copy of the certificate authority's CA certificate and install this certificate using the same form. Be sure to click the Trusted Certificate Authority button.

Set Client Authentication and Encryption Preferences

• Always require a client to present a valid certificate to access any part of the server. You set this across-the-board client authentication mode from the Encryption Preferences form as described in this section.
• Specify which users are allowed what kinds of access. This can be useful, for example, if you want all users to be able to access the main index.html file and require a certificate only if the user decides to follow some link on that page. For details, see Restrict Access.

To set up across-the-board client authentication, follow these steps:

1. Go to Server Preferences in the Server Manager and click Encryption On/Off. You can turn on SSL encryption from here. (Note that it's possible to require SSL client authentication without turning on SSL encryption.)

2. Click Encryption Preferences. The form shown in Figure 14 appears.

3. Click the Yes button under "Require client certificates (regardless of access control)."

Figure 14    Encryption preferences for the Enterprise Server

Restrict Access

The main Access-Control List Management form has three sections:

• Pick a resource lets you specify a wildcard pattern (such as *.html) for restricted files or directories or choose a directory or a filename to restrict. You can also browse for a file or directory by clicking the Browse button.
• Pick an existing ACL provides access to the ACLs you've created.
• Type in the ACL name allows you to create named ACLs. Use this option only if you're familiar with ACL files and the obj.conf configuration file--you'll need to manually edit obj.conf if you want to apply named ACLs to resources.

1.   Click the Browse button under "Pick an existing ACL" to select a directory for which to set rules.

4.   Click the underlined word in the Users/Groups column to see the User/Group window in Figure 15.

The SSL radio button must be selected, as shown in the figure, to support single sign-on. The selections "Authenticated people only" and "All in the authentication database" ensure that only people with entries in the database will have the specified rights (read, write, or whatever is specified under "Rights") to the server. As shown in the figure, you typically set the Authentication Database to the Default LDAP setting.

To view the windows that specify the rest of an access-control rule, click the other underlined entries in the Access Control Rules columns, including Action (the action enforced by the rule, such as Allow or Deny), Rights (read, write, and other rights that the action allows or denies), and so on. Clicking an underlined entry displays a corresponding window in the lower part of the frame where you can specify the relevant information. You can also combine rules; for example, you can combine a read rule for one group of users with a separate rule that also gives write access to a smaller group of people in the authentication database.

When you are setting up and testing your rules, it's important to consider the way they interact. For example, if one rule allows everyone to read a resource, an additional rule that allows particular users or groups to read it will not prevent everyone else from accessing it too. Make sure you test for the false negative of any rule you set up. For instance, if you want only certain people to have read access, make sure to test not only whether they can get access, but whether other people can't.

For more information on specifying access-control rules, click the Help button in any of the windows available from the main Access Control List Management form.

Configure Directory Service

Figure 16    The Configure Directory Service form

When you have set up your Enterprise Server to talk to the LDAP server as shown, you also get access to the following environmental variables from within CGI scripts:

• REMOTE_USER is set to the UID of the user, such as jsmith. This is the most useful variable. For example, you can use it to check the LDAP directory for the user's manager, phone number, and so on, or you can customize the information presented to different users. Because this variable is typically used in CGI scripts, you may not have to change existing CGI scripts to support single sign-on.
• CLIENT_CERT contains an encoded copy of the user's certificate.
• AUTH_TYPE is set to ssl when appropriate.
• HTTPS is set to on when appropriate.
• HTTPS_KEYSIZE is the number of bits in the encryption key, for example, 128.
• HTTPS_SECRETKEYSIZE is the number of bits in the secret key, usually 40 for export, 128 for US.

Format of the certmap.conf File

certmap name issuerDN

name:property [value]

Important The issuerDN must exactly match the issuer DN of the CA that issued the client certificate. For example, the following two issuer DN lines differ only in the spaces separating the AVAs, but the server treats these two entries as different:

certmap moz ou=Mozilla Certificate Authority,o=Netscape,c=US

certmap moz ou=Mozilla Certificate Authority, o=Netscape, c=US

• DNComps is a list of comma-separated DN attribute tags used to determine where in the LDAP directory the server should start searching for directory entries that match the user's information (that is, the owner of the client certificate). The server gathers values for these tags from the client certificate and uses the values to form an LDAP DN, which then determines where the server starts its search in the LDAP directory. For example, if you set DNComps to use the o and c DN attribute tags, the server starts the search from the o=org, c=country entry in the LDAP directory, where org and country are replaced with values from the DN in the certificate.
• If there isn't a DNComps entry in the mapping, the server uses either the CmapLdapAttr setting or the entire subject DN in the client certificate.
• If the DNComps entry is present but has no value, the server searches the entire LDAP tree for entries matching the filter.

• FilterComps is a list of comma-separated DN attribute tags used to create a filter by gathering information from the user's DN in the client certificate. The server uses the values for these tags to form the search criteria for matching entries in the LDAP directory. If the server finds one or more entries in the LDAP directory that match the user's information gathered from the certificate, the search is successful and the server optionally performs a verification. For example, if FilterComps is set to use the e and uid attribute tags (FilterComps=e,uid), the server searches the directory for an entry whose values for e and uid match the user's information gathered from the client certificate. Email addresses and user IDs are good filters because they are usually unique entries in the directory.

The filter needs to be specific enough to match one and only one entry in the LDAP database. The following component tags are supported for FilterComps: cn, ou, o, c, l, st, e, and mail. Case is ignored. You can use e or mail, but not both.

• verifycert tells the server whether it should compare the client's certificate with the certificate found in the user's LDAP entry. It takes two values: on and off. Netscape recommends that you set this to on for a complete single sign-on solution. This ensures that the server will not authenticate the client unless the certificate presented exactly matches the certificate stored in the directory. To revoke a user's certificate, you can just remove it from the user's LDAP entry.
• CmapLdapAttr is the name of the entry attribute in the LDAP directory that contains subject DNs from all certificates belonging to the user. Because this attribute isn't a standard LDAP attribute, you have to extend the LDAP schema to include it (see the Directory Server Administrator's Guide for detail). If the CmapLdapAttr property exists in the certmap.conf file, the server searches the entire LDAP directory for an entry whose attribute (named with this property) matches the subject's full DN (taken from the certificate). If the search doesn't yield any entries, the server retries the search using the DNComps and FilterComps mappings. The search will take place more quickly if CmapLdapAttr is an indexed LDAP attribute.

This approach to matching a certificate to an LDAP entry is useful when it's difficult to match entries using DNComps and FilterComps.

• Library is the pathname to a shared library or DLL. You need to use this property only if you want to extend or replace the standard functions that perform the actual mapping on the basis of information in the certmap.conf file. (This is typically not necessary unless you have very specialized mapping requirements.) For information about these functions and how to extend or replace them, see the Certificate Mapping API.
• InitFn is the name of an init function from a custom library. You need to use this property only if you want to extend or replace the standard functions that perform the actual mapping on the basis of information in the certmap.conf file. (This is typically not necessary unless you have very specialized mapping requirements.) For information about these functions and how to extend or replace them, see the Certificate Mapping API.

Configuration Example #1

certmap default default

default:DNComps ou, o, c

default:FilterComps e, uid

default:verifycert on

The server then uses the values for email address and user ID from the certificate to search for a match in the LDAP directory before authenticating the user. When it finds an entry, the server verifies the certificate by comparing the one the client sent to the one stored in the directory.

Configuration Example #2

certmap default default

default:DNComps

default:FilterComps e, uid

certmap MyCA ou=MySpecialTrust,o=MyOrg,c=US

MyCA:DNComps ou,o,c

MyCA:FilterComps e

MyCA:verifycert on

Important The issuer DN (that is, the CA's information) in the certificate must be identical to the issuer DN listed in the first line of the mapping. Even an extra space after a comma will cause a mismatch.

More details about setting up the Messaging Server for single sign-on will be provided in future versions of this document. For complete information about installing and setting up the Messaging Server, see the Messaging Server Administrator's Guide or the online documentation.

Setting Up Netscape Clients for Single Sign-On

• Using Mission Control to Configure Communicator for Single Sign-On
• Using the Administration Toolkit to Configure Navigator 3.x

It's also possible to use Mission Control with the standard Communicator product to configure the CA list and other settings when you initially deploy client software. You must use Communicator Professional Edition to take advantage of Mission Control's dynamic update capabilities.

The following sections describe how to use Mission Control to configure Communicator settings related to single sign-on:

• Configuring the Certificate Database for Communicator
• Configuring SSL and Password Settings for Communicator
• Configuring User Certificate Setting for Communicator

Configuring the Certificate Database for Communicator

To set up the CA certificates for Communicator Professional Edition, you can use either of the methods just discussed, or you can use JavaScript in the AutoConfig file. Using the AutoConfig file offers you the greatest flexibility, since you can change the database dynamically. the Netscape Mission Control Guide.

for details on how to do this.

The simplest way to set up the CA databases is to use the Security Info window to modify a single certificate database, then distribute the cert7.db file with each client copy.

Important Before you attempt to modify a certificate database, make sure you start from a clean installation of Communicator with a new user profile, so that none of your personal certificate information is included in the certificate database you generate.

1. Click the Security button on the Navigator toolbar.

2. In the Security Info window, click Signers.

3. Delete or edit a certificate signer (CA certificates) by selecting the CA's name and clicking the appropriate button. Note that when you select a CA name and click Edit, you can select options that determine whether Communicator will accept this CA for certifying network sites, email users, or software developers (code signers). To set up a CA that you want Communicator to recognize for the purposes of single sign-on, you must, at a minimum, click the checkbox labeled "Accept this Certificate Authority for Certifying network sites."

4. Click OK.

Once you have added a new CA to the list, make sure that you select the CA's name, click Edit, and select the appropriate options as described in step 3 above.

When you have modified the CA list to your satisfaction, locate the cert7.db file in the /Communicator/Users/username subdirectory for the new user profile you have modified (the bookmark.htm file is located in the same directory).

To associate the new CA list with the Communicator software you initially deploy with Mission Control, you need to copy the cert7.db into the appropriate Default directories of your custom InstallBuilder directory. For example, for the 32-bit version of Communicator, you would replace the file /32-bit/Navigator 4x/Program/Default/cert7.db with your custom cert7.db file.

For detailed information about customizing Communicator and setting up an AutoConfig file for use by Communicator Professional Edition, see the Mission Control documentation.

Configuring SSL and Password Settings for Communicator

The Configuration Editor that comes with Mission Control generates a JavaScript file. If you are familiar with JavaScript, you can edit this file further to refine the settings at a level of detail that's not possible with the Configuration Editor.

For example, the following lines of JavaScript in the configuration file set up Communicator to ask for a password the first time it's needed during a session (for example, when Communicator first needs to present a certificate and signed data for client authentication after being launched) and to enable both SSL 2.0 and SSL 3.0:

with (PrefConfig) {
lockPref("security.ask_for_password", 1);
lockPref("security.enable_ssl2", true);
lockPref("security.enable_ssl3", true);
}

lockPref("security.ask_for_password", 2);
lockPref("security.password_lifetime",30);

For more information about ciphers and other aspects of SSL, see the chapter on encryption and SSL in any server's Administrator's Guide or check the server's online help.

Configuring User Certificate Setting for Communicator

This section describes how to configure automatic certificate selection. To see what this setting controls, click the Security button on the Navigator toolbar to open the Security Info window, then click Navigator in the left frame. The pop-up menu labeled "Certificate to identify you to a web site" allows a user to select one of the following items:

• The name of a particular client certificate.
• "Ask every time," which causes Communicator to present a dialog box each time a certificate is requested by a server, allowing the user to choose a certificate explicitly.
• "Select Automatically," which causes Communicator to compare the server's list of CAs to the CAs that have signed each available client certificate and to choose a client certificate signed by a CA that is trusted by the server.

with (PrefConfig) {
defaultPref("security.default_personal_cert", "Let Navigator choose automatically");
}

It is convenient to use the automatic certificate selection feature for all users in an organization. If you find that some users with multiple certificates are denied access to web sites even though they possess valid client certificates and you have deleted the untrusted CAs from the server's list of CAs, you should recommend that they change the preference to "Ask every time" and select the appropriate server when presented with the resulting dialog box. (Alternatively, you can change the string in the second line of the JavaScript example shown above to "Ask every time".) You should also check the server logs to find out what's really going on.

Using the Administration Toolkit to Configure Navigator 3.x

Configuring the Certificate Database for Navigator 3.x

Important Before you attempt to modify a certificate database, make sure you start from a clean installation of Navigator with a new user profile, so that none of your personal certificate information is included in the certificate database you generate.

1. Choose Security Preferences from the Options menu.

2. In the Preferences window, click Site Certificates.

3. Choose Certificate Authorities from the pop-up menu near the top of the window.

4. Delete or edit a certificate signer (CA certificates) by selecting the CA's name and clicking the appropriate button. Note that when you select a CA name and click Edit, Navigator displays another window that allows you to determine whether Navigator will accept this CA for certifying network sites. To set up a CA that you want Navigator to recognize for the purposes of single sign-on, you must, at a minimum, click the checkbox labeled "Allow connections to sites certified by this authority."

5. Click OK.

Once you have added a new CA to the list, make sure that you select the CA's name, click Edit, and select the appropriate options as described in step 4 above.

When you have modified the CA list to your satisfaction, locate the cert5.db file in the /Netscape/Users/username subdirectory for the new user profile you have modified (the bookmark.htm file is located in the same subdirectory). To associate the new CA list with the Navigator software you deploy with the Administration Toolkit, you need to copy the cert5.db into the appropriate directories in the zip files containing the files to be installed.

One way to update the CA database dynamically after you have deployed Navigator 3.x is to write a login script that replaces the user's cert5.db file with a modified version. The most reliable way to update the CA database dynamically is to use Mission Control and Communicator Professional Edition.

Configuring SSL and Password Settings for Navigator 3.x

Each setting in the configuration file used by the Administration Toolkit consists of a key-value pair. For example, the following key-value pairs ensure that Navigator supports SSL versions 2 and 3:

Enable SSL v2 = yes
Enable SSL v3 = yes

Default Ask for password=0

A setting of 1 instead of 0 indicates that Navigator should ask for the password each time it is requested.

For detailed information about editing Navigator 3.x settings and deploying customized copies, see the Administration Toolkit documentation.

Issuing Client Certificates

However, this approach requires careful explanation to users and testing with users, because they must complete the required steps accurately and completely before they can begin using their certificates. Before issuing client certificates across a large organization, you should plan the process carefully and test it with a small pilot group of users. One of the issues you must deal with is the bootstrapping problem--that is, how to authenticate users initially when they first request a certificate. Some organizations may be able to use the Unix login and password for this purpose.

These sections discuss the two main issues you need to address before issuing certificates to users:

• Using the Verification Gateway Interface
• Guiding Users Through the Request Process

VGI provides a general-purpose mechanism that allows a Certificate Server to process certificate requests programmatically. For example, given the user ID, a VGI script can prepopulate other fields in the certificate, such as the user's full legal name and department number, by extracting this information from an HR database, an LDAP directory, or some other source. It's also possible to require the user to type in an existing Unix login name and password, which the VGI script can verify before issuing the certificate.

For more information about using VGI, see Chapter 22, "Writing an AutoVerification Program," in the Certificate Server Administrator's Guide.

Certificate Server utilities and basic VGI examples are available at these FTP addresses:

• Windows 95/NT: ftp://ftp1.netscape.com/private/certificate/1.0/TeMporARY/ex101eiu.exe
• Solaris: ftp://ftp1.netscape.com/private/certificate/1.0/TeMporARY/certificateextras-1_01-export-us_sparc-sun-solaris2_4_tar.gz
• IRIX: ftp://ftp1.netscape.com/private/certificate/1.0/TeMporARY/certificateextras-1_01-export-us_mips-sgi-irix5_3_tar.gz

Guiding Users Through the Request Process

One way to deal with this is to require users to authenticate themselves when requesting a certificate by entering a Unix or NT login and password. As suggested in the previous section, it's possible to write a VGI script to verify that these are correct before issuing a certificate. It may be more convenient for your organization to check some other form of identification, such as an employee number, in a similar way.

Another issue to consider is how the user will back up the private key for a newly issued certificate. This can be an especially serious consideration if you are issuing certificates that can also be used for signing and encrypting email. Problems arise if the user deletes the private key for his or her certificate and doesn't have a backup, or if the user forgets the password for the Communicator certificate and private key databases. In these cases the user will never be able to read stored email that other people have encrypted with the public key for that certificate. There is nothing the system administrator can do about this after the fact: messages can't be decrypted, for all practical purposes, without the private key.

One way to deal with this problem is to require users to back up their private key as soon as Communicator generates it. Communicator automatically suggests this, but there's no way for the administrator to enforce this backup. Another solution is to require each user to back up the private key to a single server maintained by the administrator. This won't help if the user forgets the password, but it can provide a simple key-recovery system if the user's private key is lost or damaged, and the administrator can check whether the backup has taken place.

Future versions of Netscape software will support more sophisticated key-recovery systems that will assist administrators when users forget their passwords, lose their backups, leave the company, and so on. For example, such as system might require some minimum number of people among a specified group of administrators or other personnel to agree and provide special passwords to recover a user's private key from a central repository. This kind of scheme, sometimes called an m of n scheme, ensures that keys can be recovered in emergencies without unduly compromising the user's privacy.

When issuing certificates for use with SuiteSpot 3.0, it's generally preferable to issue just one certificate for each user. You can ensure that each user gets only one certificate by writing a VGI script that checks whether the user's entry in the LDAP directory already includes a certificate before issuing one to the user. Future versions of SuiteSpot will provide better support for multiple certificates.

You should think carefully about the request process and test it on a small group of users before you start to rely on it for issuing certificates to large numbers of people. For example, these steps might be appropriate for some organizations:

1. The user goes to a certificate request page.

2. The user generates the public-private key pair, provides identifying information in a form, and submits the public key and the information to a Certificate Server.

3. After the user submits the required information, a VGI script processes the information. This can include checking a Unix login and hashed password against the equivalent information in an LDAP database or checking whether a certificate is already listed in the directory for that user. It can also include populating some fields of the certificate, such as the user's legal name or the company's full name, with information from other sources.

4. If the VGI script determines that the user can be issued a certificate, the Certificate Server informs the user.

5. The user downloads the certificate from the Certificate Server into the client's certificate database.

6. The user backs up the certificate, for example onto a floppy disk or onto a designated server.

7. If necessary, the user also downloads the CA certificate into the client's certificate database and marks the certificate as trusted.

8. The user tests the newly issued client certificate by visiting a special test page on a server.

Keep in mind the need to reissue certificates when they expire. You should consider how often you want to do this before you set the expiration dates for the certificates you plan to issue.

It's possible to test your single sign-on configuration with existing deployments before switching a server over completely to single sign-on. The only requirement is that the server not currently use its secure port. You can add the secure port and configure it for single sign-on, then ask a select group of test users to access the server using https://. This allows you to test a frequently accessed server without disrupting service.

Once you have experimented in a very limited setting and performed appropriate tests, you should deploy to a very small group of real users--perhaps a dozen, perhaps a hundred, depending on the size of your company and the complexity of the network. You may want to repeat some of the tests with this small initial group.

Do not deploy to a larger group of users until you have worked out all the problems that arise in your initial tests and your first group of users is using single sign-on successfully.

Last Updated: 10/20/97 14:15:39