Escolar Documentos
Profissional Documentos
Cultura Documentos
Technical Reference
CUSTOMER MANUAL
Managed PKI Technical Reference BT38-MPKI6-TRF-V1.1 has been produced from: VeriSign Inc. Doc Ref 00010843 Copyright 1999 - 2003 VeriSign, Inc. All rights reserved. Printed in the United States of America. Publication date: August 2003 BT Revision date: October 2006 This document supports Managed PKI 6.0 and all subsequent releases unless otherwise indicated in a new edition or release notes. U.S. Patent 6,324,645 Trademark Notices VeriSign is a registered trademark of VeriSign, Inc. The VeriSign logo, VeriSign Trust Network, and Go Secure! are trademarks and service marks of VeriSign Inc. XMLPay and OnSite are registered trademarks of VeriSign, Inc. Other trademarks and service marks in this document are the property of their respective owners. No part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photographic, audio, or otherwise) without prior written permission of VeriSign, Inc. Notwithstanding the above, permission is granted to reproduce and distribute this document on a nonexclusive, royalty-free basis, provided that (i) the foregoing copyright notice and the beginning paragraphs are prominently displayed at the beginning of each copy, and (ii) this document is accurately reproduced in full, complete form with attribution of the document to VeriSign, Inc BT Notice This software and the corresponding documentation are being provided to you in conjunction with the products and services provided to you by BT. The software and documentation was originally designed to be used with products and services offered directly by VeriSign to its customers. BT is offering substantially the same products and services to you as VeriSign provides to its customers. The software and documentation, however, may have been translated and localized by BT. BT assumes all responsibility for the translation and localization of the software and documentation, and VeriSign disclaims any and all warranties, express, implied, or statutory, including without limitation any implied warranty of merchantability or fitness for a particular purpose and refuses liability for such translation and localization.
Note This document may describe features and/or functionality that are not
present in your software or your service agreement. Contact your account representative to learn more about what is available with this VeriSign product.
ii
BT38-MPKI6-TRF-V1.1
Contents
Contents
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
About This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 8 CSR-Based Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Chapter 9 Using an ODBC Data Source With Automated Administration or Key Management Service . . . . . . . . . . . . . . 85
Setting Up an ODBC Data Source on Unix . . . . . . . . . . . . . . . . . . . . . . . . . 85 Setting Up An ODBC Data Source on Windows . . . . . . . . . . . . . . . . . . . . . 87
iv
BT38-MPKI6-TRF-V1.1
Contents
Editing the haydn.edf File (an Example haydn.edf Code) . . . . . . . . . . . 126 Following Editing Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Designing Web Pages for Use With Sophialite . . . . . . . . . . . . . . . . . . . . . Using the form_file INPUT Element . . . . . . . . . . . . . . . . . . . . . . . . . . . Using the html_file INPUT Element . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Additional INPUT Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using VHTML Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 126 127 127 128
150 150 151 152 152 153 153 154 155 156
BT38-MPKI6-TRF-V1.1
Contents
Microsoft Examples: Internet Information Server (IIS) Solutions . . . . . . . Preparing IIS for Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Just Trust the Root (IIS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Map to User Accounts (IIS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Netscape Examples: Web Server Solutions . . . . . . . . . . . . . . . . . . . . . . . Installing a Server Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Just Trust the Root (Netscape) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Map to User Accounts In LDAP (Netscape) . . . . . . . . . . . . . . . . . . . . . Certmap.conf Configuration File for Managed PKI (Netscape) . . . . . .
Appendix C Understanding How BT Trust Services Generates Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Appendix D Using Netscapes Directory Server with Managed PKI LDIF Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Using Managed PKI LDIF Files with Netscape iPlanet 4.x . . . . . . . . . . . . Installation and Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Create Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using your directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Netscape Communicator to send secure e-mail . . . . . . . . . . . . . 197 197 198 201 201 202
Importing Managed PKI LDIF Files into iPlanet Directory Server v5.0 . . . 204
BT38-MPKI6-TRF-V1.1
vii
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
viii
BT38-MPKI6-TRF-V1.1
CHAPTER 1
Introduction
1 ret pahC
VeriSign Managed PKI consist of a variety of tools and services to help you establish a customized public key infrastructure (PKI) and Certificate Authority (CA) system for issuing and managing digital certificates throughout your enterprise. This guide contains reference information to help you keep Managed PKI core technologies running smoothly. This chapter includes the following topics: About This Manual on page 1 Related Documents on page 3
BT38-MPKI6-TRF-V1.1
Chapter 4, Understanding the Automated Administration Feature, identifies the primary components involved in Automated Administration (AA) and describes the process in which a verification data source is used to automate the process of authenticating requests for certificates. Chapter 5, Understanding Subscriber Certificate Renewal, describes Automatic Renewal, Re-Authentication Renewal, and Client Authentication Renewal, which are the three options for processing subscriber certificate renewals with Automated Administration. Chapter 6, Understanding Signing Utilities, discusses the key generation (swkeygen and aakeygen) and certificate import (swimport) components for the Automated Administration signing options. Chapter 7, Working with Automated Administration APIs, describes Automated Administration application programmable interfaces (APIs), and explains how to use them to customize your verification and registration data sources. Chapter 7 also includes information on the regInfo name/value pairs needed to enroll for End-user certificates, IPSec certificates and Software Validation certificates. Chapter 8, CSR-Based Enrollment, describes the process of certificate enrollment and acquisition using a CSR. Chapter 9, Using an ODBC Data Source With Automated Administration or Key Management Service, describes the use of ODBC data sources. Chapter 10, Using a Flat File for Verification Data, explains how to use a text file for testing Automated Administration signing. Chapter 11, Understanding Directory Technology (Overview), explains the fundamental concepts underlying directory services, including introductory information about X.500 and LDAP. Chapter 12, Implementing Native Character Encodings with AA or KMS, describes how to enable end users to enter data in their preferred character set. Chapter 13, Downloading Certificate Revocation Lists, gives instructions for checking lists of certificates that are no longer valid. Chapter 14, Working With Sophialite, describes the programming interface to Sophialite, the CGI program that communicates data from subscribers browsers (viewing HTML pages hosted on your local Web server) to a BT
2 BT38-MPKI6-TRF-V1.1
Chapter 1 Introduction
Trust Services Web server. In addition, the chapter gives details about designing Web pages for use with Sophialite. Chapter 15, Understanding the Browser Emulation Specification, describes the emulation protocol between a PKI-enabled client and either a VeriSign Managed PKI RA or a VeriSign Managed PKI CA. Appendix A, About Certificate-Based Access Control, provides foundation knowledge about access control in general and certificate-based access control in particular. Appendix B, Characters Allowed in Digital Certificates, includes the list of ASCII characters allowed in certificate enrollment requests. Appendix C, Understanding How BT Trust Services Generates Certificates, is an overview of the information path from the initiation of a request through the processing center, and back to the originating browser. Appendix D, Using Netscapes Directory Server with Managed PKI LDIF Files, describes the use of LDAP directories with Managed PKI. Appendix E, Adding Fields to the Subscriber Enrollment Pages, describes customizing end-user pages. Appendix F, Removing Fields from the Certificate Enrollment Form, describes customizing end-user pages.
Related Documents
The following documents support information provided in this document. All Managed PKI customer documents are available on the Managed PKI CD or from the Control Center Download page. Managed PKI Introduction Managed PKI Installation and Configuration Managed PKI Administrators Handbook Authentication Services Hardware/Software Requirements Authentication Services Error Codes and Troubleshooting Guide Enterprise Support and Service Overview
BT38-MPKI6-TRF-V1.1
Key Management Service Administrators Handbook Key Management Service Installing Managed PKI with Key Management Service
BT38-MPKI6-TRF-V1.1
CHAPTER 2
This chapter explains the Local Hosting feature of Managed PKI, and gives instructions for customizing the end-user Web pages. For instructions on installing Local Hosting, refer to Managed PKI Installation and Configuration or Key Management Service Installing Managed PKI with Key Management Service. This chapter includes the following topics: Introduction to Local Hosting on page 6 Using the Digital ID Center Pages on page 6 Using Customizer Commands on page 8 Modifying Digital ID Center Pages on page 10
BT38-MPKI6-TRF-V1.1
When an end user enrolls for a certificate or performs other certificate management tasks, he or she works on the Digital ID Center Web pages that are locally hosted at your Web site. The Digital ID Center pages consist of entry forms that pass information from subscribers to BT Trust Services, and refreshed VHTML (Variable HTML) pages that return information from BT to subscribers. Local Hosting is required for such product features as Automated Administration and Key Management Service. Many customers use Local Hosting even when it is not required so they can customize the Digital ID Center pages.
BT38-MPKI6-TRF-V1.1
Retrieving a certificate when it is issued Finding another subscribers certificate Renewing their certificates Revoking their own certificates By implementing Local Hosting, your organization can customize the Digital ID Center pages on your Web server. Instead of a standard BT Trust Services Digital ID Center page with your companys name on top, your organization can provide your end users with a page that also contains your own text, links, and logo. For instance, you may: Provide special instructions for your subscribers Add links to other services on your site Modify the appearance and functionality to blend seamlessly with your organizations other intranet pages Although BT Trust Services continues to host all Control Center pages (the pages used to administer the Managed PKI service) and certificate management operations, you control the appearance and design of the end-user interface. Figure 2-2 and Figure 2-3 provide examples of customization. In Figure 2-2, the completion page includes the normal logo and several links. In Figure 2-3, the organizations logo replaces the normal logo, and the links have been removed.
As an administrator, in addition to your certificate management responsibilities, you may be responsible for maintaining your companys Digital ID Center pages. You can modify the HTML files by following the procedures in this chapter.
BT38-MPKI6-TRF-V1.1
command must be run every time you make changes to the Policy File. Details about the install command and customizing local hosting pages are found in Managed PKI Installation and Configuration or Key Management Service Installing Managed PKI with Key Management Service.
install-aa-<nt|sun|hpux|aix> customizes Automated Administration
software. Refer to Managed PKI Installation and Configuration for more information about this command.
install-kms-<nt|sun|hpux|aix> customizes Key Management Service software. Refer to Key Management Service Installing Managed PKI with Key Management Service for more information about this command. migrate-<nt|sun|hpux|aix> identifies Local Hosting pages that might be
overwritten during an upgrade. This command is needed only if you are upgrading from one version of Managed PKI to a different version. Refer to Managed PKI Upgrading for more information. The Digital ID Center pages produced during the first installation, although customized to your configuration, are standard BT Trust Services pages containing the organization name you entered when enrolling for your administrator certificate. If you want to further modify them by changing HTML or adding text or logos, you can open the HTML files in a text editor and make changes as described in Modifying Digital ID Center Pages on page 10. The Local Hosting installation produces two kinds of HTML pages: HTML pages that include entry forms which pass information from the user to BT Trust Services. Chapter 14, This section is intended for HTML authors using VHTML (Variable HTML) and Sophialite to:, provides detailed information on the named variables used in the Digital ID Center pages. Variable HTML (VHTML) pages that return information to the user. For example, VHTML pages may be used to display the information requested by a user. See Chapter 14, This section is intended for HTML authors using VHTML (Variable HTML) and Sophialite to:, for information about VHTML.
BT38-MPKI6-TRF-V1.1
Modifying Digital ID Center Pages After the Customizer Has Placed Them Into Your Web Server Directory
Once the original install command has been completed and the Digital ID Center pages are installed into your companys Web server, you may modify them to add text and logos specific to your company. To do this, use the commands shown in this section to place the pages in a temporary directory (staging directory) and edit and test them. Since the files in the staging area are not associated with a server, the forms do not post data. However, once you move the files into the working directory of your Managed PKI server, they work correctly. The examples here assume that the htmldocs directory resides in the recommended directory C:\VeriSign\OnSite\webroot. The staging directory may be named something like C:\VeriSign\TempDigitalIDCenter. The Policy File is ACMEBank.policy in this example.
1 2
Put the Managed PKI CD in the CD drive. On the UNIX or DOS command line, go to the CD drive, then to the directory that has the name that matches the operating system you are using. Still on the command line, run the customizer (install-<nt|sun|hpux|aix>) command using the following syntax:
install-<nt|hpux|sun|aix> <source dir> <dest dir> <policyfile>
Note
Type the entire path name for the source, destination, and Policy File.
source dir: C:\VeriSign\OnSite\webroot, the full path to the directory where the HTML files now reside.
10
BT38-MPKI6-TRF-V1.1
dest dir: The full path to the destination where you want to place the files, for example, C:\VeriSign\TempDigitalIDCenter. policyfile: The full path to the Policy File you downloaded after you ran the Policy Wizard, for example, C:\Policies\ACMEBank.policy This executed command places duplicates of your editable Digital ID Center pages into the destination directory called TempDigitalIDCenter.
4
Go to TempDigitalIDCenter and edit the HTML files to make your customizations. Follow these guidelines when editing Local Hosting pages: Use a text editor such as Notepad or vi, not a commercial HTML editor. Commercial HTML editors make unwanted changes to the pages. Do not alter any text that appears between the following tags:
<-- VSSKBEGIN <policy-name>#<frag-id> --> <-- VSSKEND <policy-name>#j<frag-id> -->
Each of these tags must appear alone on a text line. Modifying text that appears between VSSKBEGIN and VSSKEND tags causes the pages to malfunction.
CAUTION 5
After you make the changes, test the pages. When you have finished testing, move the files to the htmldocs directory in C:\VeriSign\OnSite\webroot.
You may be running the Policy Wizard because: You are changing your existing Managed PKI configuration. You are upgrading from a previous version to the current version of Managed PKI (See Managed PKI Upgrading) and must run the Policy Wizard to perform your initial configuration of the new version of Managed PKI. You need to run the customizer command without overwriting your existing Digital ID Center pages. In this case, your existing Digital ID Center pages, rather than the templates on the CD, serve as the basis for formatting. The command uses your existing files as the source files and places copies of them back into the destination directory. This enables you to preserve the changes you made to your existing HTML files when you change the Managed PKI configuration.
IMPORTANT! Each time you download a Policy File, you are required to run the install customizer command. Be aware that the customizer command for subsequent configurations uses different syntax than did the customizer command for the initial configuration. This difference is to allow you to run the command without overwriting your modified pages. 1 2
Run the Managed PKI Policy Wizard and download the Policy File. Put the Managed PKI CD in the CD drive. On the UNIX or DOS command line, go to the CD drive, then to the directory that has the name that matches the operating system you are using. Still on the command line, run the customizer (install-<nt|sun|hpux|aix>) command using the following syntax:
install-<nt|hpux|sun|aix> <source dir> <dest dir> <policyfile>
Note
Type the entire path name for the source, destination, and Policy File.
where the source directory and destination directory are the same. The command overwrites the correctly edited files back onto themselves. The following examples show sample commands for Microsoft Windows, Sun Solaris, HP-UX, and AIX:
12
BT38-MPKI6-TRF-V1.1
These examples assume D: is your CD drive and the ACMEBank.policy file is located as indicated in each example.
Note
BT38-MPKI6-TRF-V1.1
13
14
BT38-MPKI6-TRF-V1.1
CHAPTER 3
VeriSign Managed PKI Passcode Authentication automatically approves and rejects certificate requests by comparing the applicants enrollment data with pre-configured verification data. Passcode Authentication immediately processes and issues certificates, with no intermediate confirmation and approval steps. When an applicant applies for a certificate, the submitted enrollment data (or a subset defined by the Managed PKI administrator) is compared to information in the verification database. The verification database includes a list of all prospective certificate applicants, along with the data that uniquely identifies them. Based upon guidelines established by your organization, the certificate request is either approved or rejected. This chapter includes the following topics: About Passcode Authentication on page 15 Fulfilling Managed PKI Administrator Responsibilities on page 18
Acquiring a Certificate
With Passcode Authentication, an applicant acquires a certificate as follows:
Figure 3-5 Underlying data handling for the Passcode Authentication process
When configuring Passcode Authentication in the Policy Wizard, the Managed PKI administrator specifies the fields that an applicant must complete on the certificate enrollment page. These fields are known as match fields. The values entered in match fields are used to identify the person requesting the certificate. Typical match fields are first name, last name, and e-mail address. In addition, the
16
BT38-MPKI6-TRF-V1.1
user must enter a passcode to prove their identity. The Managed PKI administrator assigns the passcode to the user and delivers it by an out-of-band mechanism. To install and configure Passcode Authentication, see Managed PKI Installation and Configuration. Once you have installed and configured Passcode Authentication, you may change the verification database stored at BT Trust Services through the Control Center. For example, you can upload additional Comma Separated Value (CSV) files to authorize new subscribers and remove existing entries in the verification database, as needed (see Adding New Applicants to the Verification Database on page 19 and Cancelling Passcodes on page 21). In addition, you can reset passcodes in the verification database (see Resetting Passcodes on page 23).
Step 1
Step 2
BT38-MPKI6-TRF-V1.1
17
Step 3
Step 4
Step 5
Managing Certificates
Depending on your Managed PKI configuration, ongoing administration duties may include the following: Manually processing and reviewing certificate requests. You will not perform this duty if you use the Passcode authentication option. Revoking certificates Updating Certificate Revocation Lists (CRLs) Supporting subscribers Renewing certificates
18 BT38-MPKI6-TRF-V1.1
Updating the certificate directory Monitoring certificate activity To perform some of these tasks, the administrator must have the Certificate Management role. Use the Administrator Roles Wizard to assign roles during installation and configuration (see Managed PKI Installation and Configuration or Key Management Service Installing Managed PKI with Key Management Service).
On the Certificate Management page of the Control Center, click the Create Passcodes link. The Create Passcode page opens. Passcodes must be a minimum of 4 characters. However, for greater security, passcodes should be a minimum of 8 characters.
Note
BT38-MPKI6-TRF-V1.1
19
Generate a new CSV file. The values in this file are added to any that you uploaded previously. The word add must be the first line of the file, as shown:
add #Passcode,Last Name,e-mail Address *,Smith,jsmith@acme.com *,Kim,jkim@abc.edu *,Jones,jjones@xyz.org
Note If your Managed PKI account supports the CEP protocol to enroll for certificates for devices, be sure to include the fully-qualified domain name, IP address values, or both in the CSV file to enable matching on the appropriate value.
20
BT38-MPKI6-TRF-V1.1
On the Certificate Management page, click the Upload Passcodes link. Enter the name and location of the CSV file, or use the Browse button to locate the file.
Click Submit. If the file is configured correctly, the Passcode Operation Complete page opens with a success message. If the file is incorrectly configured, a message details the errors. Correct the errors and resubmit the file.
Changing Managed PKI Configuration Settings Whenever you alter the Managed PKI policy settings for the match fields, you must cancel any unused passcodes and resubmit a new verification file. Cancelling Passcodes Periodically, you may need to cancel passcodes from the verification database. For instance, you may need to cancel a passcode if passcode security has been violated or if potential subscribers no longer have valid reasons for obtaining a certificate. Depending on the number of deletions, you can either cancel passcodes manually for each individual, or submit cancellations as a group in a CSV file. See Resetting Passcodes on page 23 for information on resetting cancelled passcodes.
Note
BT38-MPKI6-TRF-V1.1
21
Click the View Passcodes link on the Certificate Management page. The View Passcode search page opens. Specify search criteria and click Submit. The search results show all entries in the verification database that match your search criteria. To read additional information about a passcode before canceling it, click View Details in the Action column. To cancel the passcode, select it and click Cancel in the Action column.
You can cancel a group of passcodes by following the identical steps as uploading, except that you use the word cancel in the first line of the CSV file:
1
Generate a new CSV file with entries for each person who must no longer have access to a passcode or certificate.
IMPORTANT!
example:
cancel #Passcode,Last Name,e-mail Address *,Smith,jsmith@acme.com *,Kim,jkim@abc.edu *,Jones,jjones@xyz.org
2 3
On the Certificate Management page, click the Upload Passcodes link. Enter the name and location of the CSV file, or use the Browse button to locate the file. Click Submit. If the file is configured correctly, the Passcode Operation Complete page opens with a success message. If the file is incorrectly configured, a message indicates the errors. Correct the errors and resubmit the file.
4 5
22
BT38-MPKI6-TRF-V1.1
Resetting Passcodes A passcode might become unavailable to an applicant for the following reasons: Repeated attempts to enroll contained incorrect entries, thus exceeding the lockout threshold, triggering lockout, and changing the passcode status to locked. The lockout threshold is the number of times an applicant is allowed to enter a passcode incorrectly before passcode access is frozen. The Managed PKI administrator specifies this value in the Policy Wizard, as well as setting the passcode expiration time period there. See Managed PKI Installation and Configuration.
Note
The Passcode has not been claimed in the time allotted in the Passcode Expiration Period, in which case the passcode status has changed to expired. The Passcode was cancelled by the administrator, thus changing the passcode status to cancelled. When appropriate, administrators can reset locked out, expired, or cancelled passcodes. In addition, you can explicitly set passcodes to particular values (see Setting a Single Passcode to a Specific Value on page 24).
Resetting an Individual Passcode
BT38-MPKI6-TRF-V1.1
23
On the Certificate Management page, click the View Passcodes link. The View Passcode search page opens.
Enter search criteria and click Submit. The View Passcodes page shows all entries in the verification database that match your search criteria. Select the passcode you want to reset and click Reset from the Action column. This resets the lockout counter and expiration date, and generates a new passcode. Deliver the new passcode to the subscriber in a secure way.
If a passcode has a status of unused, you can replace its current value with a specific value of your choice. Follow these steps to set a specific passcode value.
24 BT38-MPKI6-TRF-V1.1
On the Certificate Management page, click the View Passcodes link. The View Passcode search page opens. Select search criteria and click Submit. The View Passcodes page shows all entries in the verification database that match your search criteria. Select the passcode, and click Edit in the Action column. Change the passcodes current value to the specific value you want and click Continue.
3 4
Renewing Certificates When Using Passcode Authentication As a security precaution, all certificates have a limited lifetime or validity period (also known as the operational period). When a certificates validity period passes, the certificate is no longer valid for access to secure sites and applications. Managed PKI sends a renewal e-mail message to the subscriber. A trusted subscriber can request certificate renewal from the Managed PKI administrator. The Managed PKI administrator reviews the subscriber renewal application and provides a new passcode to the subscriber if they are still entitled to a certificate. The subscriber uses the new passcode to enroll for a new certificate.
Note
For more information about renewing certificates, see Managed PKI Administrators Handbook.
BT38-MPKI6-TRF-V1.1
25
26
BT38-MPKI6-TRF-V1.1
CHAPTER 4
Both AA and KMS use the Automated Administration functionality to programmatically approve end-user certificates. This chapter defines the components involved in typical installations of Automated Administration and describes how Automated Administration processes certificate requests. For instructions about installing and configuring AA or KMS, see Managed PKI Installation and Configuration or Key Management Service Installing Managed PKI with Key Management Service. This chapter includes the following topics: Introduction on page 27 Understanding the Components of Automated Administration on page 28 Operational Overview on page 32 Native Character Support for Automated Administration on page 33
Introduction
As with Passcode Authentication, Automated Administration enables your organization to approve and reject certificate requests without the involvement of an administrator. Automated Administration automatically compares an applicants enrollment data with information in the verification data source. The verification data source is your organizations already-existing list (ODBC-compliant database, LDAP directory, or flat file) of all prospective certificate applicants along with the unique
BT38-MPKI6-TRF-V1.1
27
data that identifies them. The certificate request is approved or rejected based upon guidelines established by your organization. Although the implementation process for Automated Administration is slightly more complex than installing Passcode Authentication, Automated Administration offers greater flexibility.
28
BT38-MPKI6-TRF-V1.1
Sophialite. Sohialite is a CGI program that facilitates communication between VeriSign Managed PKI or the Certificate Authority (CA) and the enrollment processing application (pestub in Figure 4-6). For more information about Sophialite, see Chapter 14, Working With Sophialite. Local Hosting server. This Web server instance serves the Digital ID Center pages used by applicants to perform certificate services (enroll, search, revoke, and so on). This server receives the enrollment data and forwards it to the AA or KMS server via Sophialite. Automated Administration (AA) server. The AA server takes in enrollment data, determines if a certificate can appropriately be issued by checking the verification data source, encrypts and signs the certificate request, decrypts and signature-checks the certificate response, and stores the certificate in the registration data source. (If KMS is implemented, the KMS server performs these functions.) To facilitate maintenance, you have the option to run two instances of the AA server on a single host, as described in Managed PKI Installation and Configuration. KMS server. (Optional) The KMS server (vskmssrv) enables private key recovery (see Figure 4-7) and performs all of the tasks described for the AA server. If you use KMS, then you do not need to install an AA server. Pestub, vsaasrv, and vskmsrv. Binary files that enable AA to function on Sun Solaris, Microsoft Windows, HP-UX, and IBM AIX systems. These include binary files for both ODBC-compliant databases and LDAP directory access software. pestub enables communication between the Local Hosting server and the AA server. If you are implementing KMS, pestub enables communication between the Local Hosting server and the KMS server. vsaasrv is the AA server software. It enables communications with the verification and registration data sources. vskmsrv (If KMS is used) enables private key recovery for end users and enables communications with the verification and registration data sources
Verification Data Source Shared Libraries. These shared libraries enable the AA or KMS server to use the authentication information in your existing data source (ODBC database, LDAP directory, or flat file) to verify certificate
BT38-MPKI6-TRF-V1.1
29
enrollment data. There is no need to create a new data source for this purpose, instead, you make use of BT-provided shared libraries to enable data handling. Registration Data Source Shared Libraries. These shared libraries enable the AA or KMS server to store certificate information in your existing data source (ODBC database, LDAP directory, or flat file) when a certificate is issued. There is no need to create a new data source for this purpose, instead, you make use of BT-provided shared libraries to enable data handling.
Note
The following sample files for the Microsoft Access ODBC data source may be found on the Managed PKI CD:
- AutoAuth.mdb - sample ODBC data source file for Microsoft Access 97 or 98 - AutoAuth2000.mdb - sample ODBC data source file for Microsoft Access 2000. Signing device. The signing device stores a Registration Authority (RA) private key, which is used to digitally sign all data transmitted from the AA (or KMS) server. The private key for the RA certificate can either be stored in a software library (software signing option), or on a Chrysalis-ITS Luna 2 token (hardware signing option). The default signing device is the software signing option. The hardware signing option provides greater security, however, because the RA private key never leaves the Luna 2 token and it is virtually impossible for an attacker to view the key. With a standalone installation of AA, the signing device resides on the computer that runs the AA server. When KMS is implemented, the signing device resides on the KMS server host.
30
BT38-MPKI6-TRF-V1.1
BT38-MPKI6-TRF-V1.1
31
Operational Overview
This section describes the process of applying for, approving, and retrieving a certificate with Automated Administration.
Using a browser, an applicant opens the certificate enrollment page on the Local Hosting Web server, and enters the enrollment data and authentication data (a shared secret or PIN). The browser generates the public key, and the applicant then submits the request. The Local Hosting server runs Sophialite, a VeriSign CGI program provided by BT Trust Services. Sophialite calls the AA or KMS server, which then extracts the data from the request and compares it with the authentication data in the verification data source. If the applicants identity is authenticated (confirmed), the request is approved. The AA or KMS server then invokes the signing function to sign the approved request (thus creating a certificate signing request, or CSR). Sophialite forwards the CSR to the BT Trust Services Issuing Center or the Certification Authority (CA).
32
BT38-MPKI6-TRF-V1.1
The BT Trust Services Issuing Center processes the enrollment data and creates a certificate. The certificate and response data are signed with the appropriate BT signers, and are sent to Sophialite. Sophialite calls the AA or KMS server to register this new certificate information in your registration data source. Sophialite sends the certificate to the applicants browser. The browser automatically installs the certificate.
Note
Requests to the AA or KMS server do not automatically generate a Confirmation e-mail message. A pickup e-mail that includes a user PIN number is sent if the request was given a pending (waiting) status and then approved. When a pending Automated Administration request is approved, the certificate is issued immediately.
This is in contrast to non-Automated Administration requests which become certificates only when the user picks them up. This behavior conforms with the CRS protocol. The administrator can use View Certificates to query for the certificate, resend the pick up e-mail, or look at the PIN in View Details. For more information about Automated Administration flow, see Understanding AA Flow Control in Chapter 7, Working with Automated Administration APIs.
34
BT38-MPKI6-TRF-V1.1
CHAPTER 5
As a security measure, all certificates have a limited lifetime, or operational period (also known as the validity period). Most certificates have a validity period of one year. When the validity period passes, a subscriber must no longer use that certificate. A trusted subscriber can request renewal of his or her certificate, so he or she can continue using applications that require a certificate. Managed PKI enables you to specify how subscribers and administrators request renewal of their certificates. This chapter includes the following topics: Renewal Methods for Automated Administration Implementations on page 35 Using Automatic Renewal on page 36 Using Re-Authentication Renewal on page 39 Using Client Authentication Renewal on page 39
BT38-MPKI6-TRF-V1.1
35
Like all Digital ID Center pages with Local Hosting, renewal pages are hosted on your Web server. The default Renewal Notification message sent to subscribers includes a default URL for the renewal pages. Managed PKI administrators can use the E-mail Wizard in the Control Center to replace the default URL with the actual renewal URL. If you have customized your Automated Administration or passcode functions so that the subscriber e-mail address is not included in the enrollment data submitted to BT Trust Services, the system cannot send a renewal notice to each individual subscriber. You must run the Control Center Renewal Wizard, specifying either to not send renewal notices or to send them to a fixed recipient.
Note
You can customize the renewal e-mail that is sent to the user. See Managed PKI Installation and Configuration or Key Management Service Installing Managed PKI with Key Management Service for details. You must also renew your Registration Authority (RA) certificate. (The RA certificate and private key are used to sign certificate signing request (CSR) messages between the AA or KMS server and BT. The private key for the RA certificate is kept on the AA or KMS token.) Before your RA certificates expire, Managed PKI sends a renewal notice to the e-mail address that you specified in the RA enrollment form.
Note
Automatic renewal for Microsoft Internet Explorer users: BT Trust Services sends a renewal notice, including the renewal page URL and renewal ID, to the certificate holder. The page presents the list of certificates in the certificate registry. The subscriber selects the certificate to be renewed, and submits the renewal request. If the certificate is not found, Managed PKI asks the subscriber to re-enroll. If the certificate is found, Managed PKI uses the certificate to sign a certificate proof of possession. The browser then generates a new key pair, and the public key and the certificate proof of possession are sent to BT. In the Key Management Service, the KMS server generates the key pair. Upon verifying the signature, BT Trust Services issues the new certificate and sends it to the browser. The browser loads the new certificate in the certificate registry, and calls the Sophialite CGI program to register the new certificate. Automatic renewal for Netscape Navigator users: BT Trust Services sends a renewal notice, including the renewal page URL and renewal ID, to the certificate holder. When the subscriber goes to the renewal page, Managed PKI asks for the renewal ID, along with the challenge phrase the subscriber entered to enroll for the original certificate. If the challenge phrase entered by the subscriber in the renewal page is incorrect, Managed PKI asks the subscriber to re-enroll. If the challenge phrase is correct, the browser generates a new key pair, and the public key and challenge phrase are sent to BT. Upon verifying the renewal ID and challenge phrase, BT Trust Services issues the new certificate and sends it to the AA or KMS server, as appropriate. The KMS server combines the new certificate and the new private key into a PKCS#12 file. The AA server sends the new certificate to the browser, and the browser registers it. The subscriber sees a success page that provides the location of the PKCS#12 file and what password should be used to unlock it. The subscriber imports the PKCS#12 file into the browser. The browser registers the new certificate. If you are using the VeriSign Personal Trust Agent (PTA), you will not need to manually import the PKCS#12 file into your browser. The renewal process will automatically load the new certificate into Netscape Navigator.
Note
BT38-MPKI6-TRF-V1.1
37
Once the certificate is sent back to the browser, the Register function in your stub code (pestub, or vsaasrv or vskmsrv) is invoked with the new certificate. You can use the functions provided in the VeriSign Certificate Parsing Module (CPM) to extract the Subject Distinguished Name (DN) and additional information from among other fields. For example, you can parse the DN to build an appropriate key to insert the new certificate into your database. Optionally, if you have implemented the Dual Key option of KMS the end user will get two certificates with the exact same DN, but their key usage extensions will differ. If you extract the key usage extension with the VeriSign Certificate Parsing Module, you can tell the certificates apart. BT Trust Services strongly recommends that you keep old certificates in your database to verify signatures or decrypt data generated in the past by older certificates. VeriSigns Key Management Service can help by securely storing users keys. KMS has significant security advantages over other key-management alternatives, as described in Key Management Service Administrators Handbook.
38
BT38-MPKI6-TRF-V1.1
BT38-MPKI6-TRF-V1.1
39
40
BT38-MPKI6-TRF-V1.1
CHAPTER 6
The AA software and hardware signing options (and AA functionality of KMS) come with the following components: For generating keys: swkeygen (software signing) aakeygen (hardware signing)
For importing certificates: swimport This chapter includes the following topics: Using the Software Signing Option swkeygen on page 41 Using the Hardware Signing Option aakeygen on page 42 Importing Certificates swimport on page 43
BT38-MPKI6-TRF-V1.1
41
You can enter swkeygen parameters in any order, but the command must end with > followed by the name of the CSR file to generate (racert.req).
Note
Example swkeygen Command The following example produces a CSR named racert.req with Common Name Test, Organization Acme, and Organizational Unit Support:
swkeygen -name Test -org Acme -division Support >racert.req
You can enter akeygen parameters in any order, but the command must end with > followed by the name of the CSR file to generate (racert.req).
Note
Example aakeygen Command The following example produces a CSR named racert.req with Common Name Test, Organization Acme, and Organizational Unit Support:
aakeygen -name Test -org Acme -division Support >racert.req
BT38-MPKI6-TRF-V1.1
43
You can also use swimport to display all certificates in the certificate store. This procedure is only used with software signing.
Note
Note
The following are several examples of using swimport: The following example imports the PKCS#12 file cert.p12, which is protected by the password mypassword, into the certificate store:
swimport -file cert.p12 -p12 -p12pswd mypassword
The following example imports the PKCS#7 file cert.p7 into the certificate store:
swimport -file cert.p7
The following example imports the X.509 file cert.509 into the certificate store:
swimport -file cert.509 -509
44
BT38-MPKI6-TRF-V1.1
BT38-MPKI6-TRF-V1.1
45
46
BT38-MPKI6-TRF-V1.1
CHAPTER 7
This chapter describes how to work with Automated Administration (AA) application programmable interfaces (APIs). This chapter describes how to use your custom shared library files to add functionality not supported by the BT-provided APIs, and to configure an alternate data source (other than ODBC, LDAP, or flat file). This chapter also describes the regInfo name/value pairs needed to enroll for client certificates (for applications such as S/MIME clients, Web browsers, single sign-on clients), Software Validation certificates, and SSL IDs. Refer to Authentication Services Error Codes and Troubleshooting for a list of the error codes and messages that Automated Administration may return.
Note
This chapter includes the following topics: Understanding AA Flow Control on page 48 Using the Automated Administration APIs on page 50 Using the Verification and Registration API on page 52 Using the Signing API on page 56 Understanding Additional Data Source Configuration on page 67 Using Name/Value Pairs for Enrolling End-Entity Certificates on page 73 Preparing to Enroll for an RA Certificate on page 79 Understanding regInfo Value Tag Definitions on page 81
BT38-MPKI6-TRF-V1.1
47
48
BT38-MPKI6-TRF-V1.1
The end-to-end flow-of-control list that follows corresponds to the numbers in Figure 7-10.
1
The applicant submits the enrollment page. This action posts enrollment and authentication data from the browser to the CGI program (Sophialite). Sophialite calls a verification function using the pestub function in the Communication Library.
Pestub sends the enrollment data behind the firewall to the AA server.
3 4
The AA server queries the verification data source, and returns the verification result. In Figure 7-10, this occurs internally on the AA server (VSAAsrv).
49
BT38-MPKI6-TRF-V1.1
The AA server invokes the signing function to sign the enrollment data and verification result. The AA server returns the signed data to Sophialite. The data excludes any data you have configured as hidden, using the FIELD_HIDE_ATTR parameter in vsaasrv.cfg. Sophialite sends the signed enrollment request and verification result as a PKCSReq to crs.exe running at BT Trust Services. After BT Trust Services generates the certificate, Sophialite receives a CertRep (certificate response) from BT. Sophialite calls a Register function in pestub to update the directory or database with the certificate. the certificate information to the AA server.
10 Pestub sends 11
(Optional) The AA server updates the registration data source with the certificate data. In Figure 7-10, this occurs internally on the AA server and its database. Sophialite returns the certificate to the applicants browser.
12
50
BT38-MPKI6-TRF-V1.1
You can design the enrollment form to include only the minimum number of fields required to authenticate the applicant. After the applicant is authenticated by the database lookup, you can use values from the database to set values for other fields in the name/value pair set that is sent to BT Trust Services as the CSR (certificate signing request) file. These values can be held in a hidden variable in the VHTML form, as it is updated by Sophialite before submission to BT. To protect sensitive data, such as user passwords and PINs, you can configure name/value pairs that will be excluded from communications sent to BT. You configure these name/value pairs in the Signer Config section of the vsaasrv.cfg file. These values are removed after the verification process. Table 7-2 specifies the enrollment data required in a complete certificate request. Fields that are marked as configuration are specified as required or optional when the administrator runs the Policy Wizard. The Field Category column refers to the groups of fields created by the Certificate Administrator during the Certificate Enrollment page configuration process.
Table 7-2 Supported name keywords
Field Name mail_middleName mail_firstName mail_lastName mail_email jobTitle mailStop employeeID additional_field3 to additional_field6 challenge locality Field Category Standard Standard Standard Standard Standard Standard Standard Customized Standard Standard Description Applicant middle name Applicant first name Applicant last name Applicant e-mail address Applicant job title Applicant mail stop Applicant employee ID Customized additional fields Challenge phrase City, town, and so on Required Required Configurable Configurable Configurable Configurable Configurable Configurable Required/ Optional Optional
BT38-MPKI6-TRF-V1.1
51
If the Certificate Administrator used the Control Center Policy Wizard to create custom certificate fields, these fields are held in variables named additional_field4, additional_field5, and additional_field6.
Understanding VSAA_NAME
The VSAA_NAME structure stores a name/value pair. These name/value pairs are used to communicate enrollment information.
typedef struct { char *pszName ; char *pszValue ; } VSAA_NAME ; VSAA_STATUS
52
BT38-MPKI6-TRF-V1.1
Output
panOutput
ProcessEntries
pestub.cpp
BT38-MPKI6-TRF-V1.1
53
Certificate Registration Error Notification The following sections of this document break down each of the operations listed above into a series of steps. Where appropriate, the text indicates whether the code in the step is modifiable or must be used as written. Understanding Applicant Enrollment Authentication Applicant authentication is invoked after the applicant clicks the Submit button to enroll for a certificate. The operation value is defined as AutoAuthOSUserSubmit.
1
The applicant request can be authenticated by extracting data from the name/value pair listed in the request form and by comparing it with your authentication data. If you have configured name/value pairs to hide from BT Trust Services, these values are removed after verification.
If the applicant is authenticated, the function could augment additional name/value pairs to the list of input name/value pairs. (All available names are listed in Table 7-2.) Next, augment or change the value of authenticate to YES. If the applicant is not authenticated and there is no need for the Certificate Administrator to review the request, then the function returns VSAA_VERIFY_FAILED. If the Certificate Administrator needs to review the request, then augment or change the value of authenticate to NO or PENDING. VSAA_EncodePKCSReq() is invoked with all applicant-entered name/value pairs. If any error is detected during these steps, an appropriate VSAA_STATUS value is returned.
Understanding Certificate Pickup This operation is invoked after the applicant clicks the Submit button to pick up a certificate. The operation value is defined as permanent. This code must be used as written.
1
VSAA_EncodeGetCert() is invoked with all applicant-entered name/value pairs and augmented name/value pairs.
BT38-MPKI6-TRF-V1.1
54
The output VSAA_NAME array is returned, as well as the return code of the VSAA_EncodeGetCert() function.
Understanding Certificate Renewal This operation is invoked after the applicant clicks the Submit button on the renewal page. The operation value is defined as userRenewal. If you have chosen automatic renewal, the code must be used as written.
1
VSAA_EncodePKCSReq() is invoked with all applicant-entered name/value pairs. The output VSAA_NAME array is returned, as well as the return code of VSAA_EncodePKCSReq() function.
Understanding Certificate Revocation This operation is invoked after the applicant clicks the Submit button to revoke a certificate. The operation value is defined as do user revoke. This code must be used as written.
1
VSAA_EncodeRevReq() is invoked with all applicant-entered name/value pairs and augmented name/value pairs. The output VSAA_NAME array is returned, as well as the return code of VSAA_EncodeRevReq() function.
Understanding Certificate Registration This operation is invoked just before the certificate is installed on the applicants browser. The value of the operation name/value pair is register. This code may be modified.
1
Optionally, to update your database you can extract the certificate, certificate serial number, and applicant name from the applicant-entered name/value pair. Create a list of one VSAA_NAME entry for output. The entry contains NULL values. Return VSAA_SUCCESS.
BT38-MPKI6-TRF-V1.1
55
Understanding Error Notification This operation is invoked if an error is detected after the applicant verification operation is invoked. The value of the operation name/value pair is error_register. This code may be modified.
1
Optionally, you can extract and log the error_status along with the other enrollment information. Create a list of one VSAA_NAME entry for output. The entry contains NULL values. Return VSAA_SUCCESS.
Understanding the Decrypt Operation This operation is invoked by Sophialite to verify and decrypt data. The value of the operation name/value pair is ReceiveEncryptResponse. This code must be used as written.
1 2
The VSAA_DecodeCertRep() function is invoked. The output VSAA_NAME array is returned, as well as the return code of VSAA_DecodeCertRep() function.
56
BT38-MPKI6-TRF-V1.1
BT38-MPKI6-TRF-V1.1
57
certSerial reason
comment challenge
Comment associated with a revocation request. Challenge phrase supplied by the user during the enrollment process. It is stored in the BT Trust Services repository and can be used later to revoke a certificate.
Syntax Input
58
BT38-MPKI6-TRF-V1.1
allInOne lunaCfgFile
Output
signedEnrollInfo
Syntax
BT38-MPKI6-TRF-V1.1
59
60
BT38-MPKI6-TRF-V1.1
Syntax VSAA_STATUS VSAA_EncodeGetCRL(VSAA_NAME anInput[],VSAA_NAME**signedGetCert, int allInOne, const char*lunaCfgFile); Input anInput Two name/value pairs are required in the anInput parameter: issuerName: Name of the issuing Certification Authority. time: Used to retrieve the CRL. allInOne lunaCfgFile If allInOne is TRUE, this function initializes and cleans up the signing library. Path name of the signing library configuration file. If NULL is passed, the vsautoauth.conf file is used.
BT38-MPKI6-TRF-V1.1
61
62
BT38-MPKI6-TRF-V1.1
BT38-MPKI6-TRF-V1.1
63
Table 7-14 describes additional name/value pairs returned by the VSAA_DecodeCertRep() function.
Table 7-14 Additional name/value pairs returned by the VSAA_DecodeCertRep function
Name operation Format/Value CertRep RevRep messageStatus Response_Success Response_Failure Response_Pending certOrCRL error_status transaction_id nonce half ASCII half ASCII Base64encoded of the certificate or CRL. VeriSign-defined error status. Request/response Transaction ID. Sender/Receiver nonce. Reply status. Description Reply indicator.
64
BT38-MPKI6-TRF-V1.1
Output
rsp
Output
rsp
Output
rsp
notBefore: The start of the certificates validity period. notAfter: The end of the certificates validity period.
VSAA_DecodeCert allocates storage for rsp. The caller is responsible for calling VSAA_FreeName() to free this data after use.
66
BT38-MPKI6-TRF-V1.1
The values of VER_SERVICE_DLL and REG_SERVICE_DLL in the vsaasrv.cfg file specify which shared libraries vsaasrv.exe uses for verification and registration, respectively.
As shown above, vsaasrv.exe dynamically loads the specified shared libraries and calls APIs from each shared library as required. The loaded shared libraries specify the procedure entry points for the APIs. VER_SERVICE_DLL indicates the shared library to be used for verification (using the VerifyUser() API). REG_SERVICE_DLL specifies the shared library to be used for registration (using the RegisterUser() API).
VerifyUser( ) Function
The VerifyUser( ) function receives name/value pairs and verifies user requests. This function is required only if implementing the verification function. This function is called before sending enrollment, pickup, revoke, or renew requests to BT Trust Services. VerifyUser( ) performs any specified operations before sending the request to BT Trust Services. You specify the operations to perform in the Service Type Config section of vsaasrv.cfg.
68
BT38-MPKI6-TRF-V1.1
The AA server allows you to encapsulate verification steps (calling the VerifyUser() function) in the shared library (vsaaodbc, vsaaldap, or your own library based on vsaacust) and control when it is invoked. This functionality is controlled by three configuration parameters in the vsaasrv.cfg configuration file: PRE_PICKUP_PROCESS, PRE_REVOKE_PROCESS, and PRE_RENEWAL_PROCESS (all are set to OFF by default). With these variables set to OFF, all name/value pairs for pickup, revocation, and renewal pass through the verification module without change. If any are set to ON, the appropriate verification function (DoPrePickUpProcess(), DoPreRevokeProcess(), or DoPreRenewalProcess() is invoked. You put your custom verification steps within these functions in the shared library. In this way, all custom code can reside within the shared library and not in the vsaasrv main code. This makes future AA upgrades easier and less risky. The pseudo-code that follows describes the functionality within the vsaasrv main routine and the shared libraries. If you are not using a customized data source module, keep the default value of OFF for these parameters.
Note
Example Implementations of Custom Code in Shared Libraries For examples of how to implement these functions, see the appropriate CPP file: vasscust.cpp, vsaafile.cpp, vsaodbc.cpp, or vsaaldap.cpp. All name/value pairs entered by users are sent through the VerifyUser() function before being included in the CSR, signed, and sent to BT Trust Services (except for the ReceiveEncryptedResponse, register, and error_register operations, whose data is sent to other functions). Pseudocode of vsaasrv Main Routine
if operation == VSAA_AA_SUBMIT || operation == VSAA_AA_PICKUP || operation == VSAA_AA_REVOKE || operation == VSAA_AA_RENEWAL { // Perform verification steps first call VerifyUser() // see function below sign data and return it to sophialite to send to VeriSign }
BT38-MPKI6-TRF-V1.1
69
else if operation == VSAA_REGISTER { // This operation indicates that the certificate is downloaded call RegisterUser() } else if operation == VSAA_ERROR_OP { // This operation indicates that the submission process // encountered an error call ErrorUser() }
70
BT38-MPKI6-TRF-V1.1
// insert your custom verification steps here } DoPreRevokeProcess () { // insert your custom verification steps here } DoPreRenewProcess () { // insert your custom verification steps here }
Create the custom shared libraries. You have the following options: Start with the src/vsaacust/src/vsaacust.cpp template file (this file includes the above-mentioned stub APIs). Modify the example functions as required. The BT-provided LDAP and ODBC shared libraries are examples of adaptations of vsaacust.cpp. To save time, you may want to start with these files rather than writing the functions from scratch using vsaacust.cpp. Source code appears in the directories named src/vsaaldap/src and src/vsaaodbc/src. The source code also provides a Microsoft Visual C++ project file for Windows, and makefiles for Sun Solaris, HP-UX, and AIX. Building components under the vsaacust directory produces a shared library called vsaacust (.dll, .so, or .sl). You can change the makefile or Visual C++ project file to specify a different output library name.
Note Specific instructions for compiling with different releases of Sun Solaris are in Managed PKI Installation and Configuration or Key Management Service Installing Managed PKI with Key Management Service. 2
In this step, modify the configuration settings (or add a new section) in vsaasrv.cfg for your verification and/or registration data source. vsaasrv.cfg includes a configuration section for each type of service module (flat file, ODBC, and directory service) supported by Automated Administration. The corresponding shared libraries are shipped with the Automated Administration package. Modify the configuration settings as required. The Initialize() API in your custom library uses these settings. In vsaasrv.cfg, set the values of VER_SERVICE_DLL and REG_SERVICE_DLL to your shared library names. Start vsaasrv.exe. Automated Administration now uses the custom verification and/or registration module(s).
72
BT38-MPKI6-TRF-V1.1
BT38-MPKI6-TRF-V1.1
73
Using Enrollment Name/Value Pairs The regInfo enrollment must contain the following name/value pairs.
Table 7-22 regInfo enrollment name/value pairs for personal client certificates
Name corp_company Value Tag TEXT Mandatory / Optional mandatory Description Used along with the org_unit value to construct the jurisdiction value of the Managed PKI Account. Restrictions This value is determined during Managed PKI Enrollment This value is determined during Managed PKI Enrollment
org_unit
TEXT
Used along with the corp_company value to construct the jurisdiction value of the Managed PKI Account. Value must be end-user. A yes value causes the mail_email value to be placed in the e-mail attribute of the DN. Specifies the commonName attribute in the DN. If a commonName attribute is specified in the PKCS#10 request, it overrides this value. This value is placed in the e-mail attribute of the DN, if embed_email has yes value. If an e-mailAddress attribute is specified in the PKCS#10 request, it overrides this value.
cert_type embed_email
TEXT TEXT
mandatory optional
common_name
TEXT
mandatory
mail_email
mandatory
mandatory, use the embed_email name/value pair to specify if it must be included in the DN or not.
jobTitle
TEXT
optional
This value is placed in the Title attribute in the DN. If a title attribute is specified in the PKCS#10 request, it overrides this value.
74
BT38-MPKI6-TRF-V1.1
Table 7-22 regInfo enrollment name/value pairs for personal client certificates
employeeID TEXT optional This value is placed in an Organizational Unit attribute in the DN. This value is placed in an Organizational Unit attribute in the DN. This value is placed in an Organizational Unit attribute in the DN. This value is placed in an Organizational Unit attribute in the DN. This value is placed in an Organizational Unit attribute in the DN. This value is a challenge phrase supplied by the user during the registration process. A hash of this value is stored in the repository and may be used later to revoke or renew a certificate. This value is not checked if the RevReq message is signed by a BT Trust Services issued RA certificate. If a challengePhrase attribute exists in the PKCS#10 requests, the value of this attribute overrides the value specified in this name/value pair. This value is used to indicate whether a certificate must be issued (YES), rejected (NO), or queued (PENDING). All End Entity to CA enrollments automatically are placed in the Pending queue for further processing. MAXLENGTH =32
mailStop
TEXT
optional
additional_field4
TEXT
optional
additional_field5
TEXT
optional
additional_field6
TEXT
optional
challenge
TEXT
authenticate
TEXT
BT38-MPKI6-TRF-V1.1
75
Using Renewal Name/Value Pairs The following table lists reginfo renewal name/value pairs.
Table 7-23 reginfo renewal name/value pairs for personal client certificates
Name corp_company Value Tag TEXT Mandatory / Optional mandatory Description Used with the org_unit value to construct the jurisdiction value of the Managed PKI Account. Used with the corp_company value to construct the jurisdiction value of the Managed PKI Account. Value must be end-user. Value must be renew. The method of renewal. renew autoAuth, pkcs7, or renewalID Restrictions This value is determined during Managed PKI Enrollment This value is determined during Managed PKI Enrollment
org_unit
TEXT
USER_CERT
BASE64
This value contains the base 64 encoded certificate to be renewed. This value contains the base 64 encoded PKCS#7 message representing the signature of the value specified in detachedMesg. This signature must be created using the certificate to be renewed. Data to be signed by the certificate to be renewed. This can be any string (specifically Renew me)
pkcsInformation
BASE64
detachedMesg
TEXT
mandatory for pkcs7 getMethod mandatory for renewaID getMethod mandatory for renewalD getMethod
secretCode
TEXT
Renewal ID.
challenge
TEXT
76
org_unit
TEXT
mandatory
cert_type common_name
TEXT TEXT
mandatory optional
embed_email
TEXT
optional
mail_email
mandatory
BT38-MPKI6-TRF-V1.1
77
Table 7-24 reginfo enrollment name/value pairs for IPSec certificates (Continued)
challenge TEXT Optional for RA enrollments. Mandatory for end entity enrollments. This value is a challenge phrase supplied by the user during the registration process. A hash of this value is stored in the repository and may be used later to revoke and renew a certificate. This value is not checked if the RevReq message is signed by a BT Trust Services issued RA certificate. If a challengePhrase attribute exists in the PKCS#10 requests, the value of this attribute overrides the value specified in this name/value pair. This value is used to indicate whether a certificate must be issued (YES), rejected (NO), or queued (PENDING). All End Entity to CA enrollments automatically are placed in the pending queue for further processing. MAXLENGTH=32
authenticate
TEXT
org_unit
TEXT
78
BT38-MPKI6-TRF-V1.1
Table 7-25 reginfo renewal name/value pairs for IPSec certificates (Continued)
USER_CERT BASE64 mandatory for autoAuth getMethod mandatory for pkcs7 getMethod This value contains the base 64 encoded certificate to be renewed. This value contains the base 64 encoded PKCS#7 message representing the signature of the value specified in detachedMesg. This signature must be created using the certificate to be renewed. Data to be signed by the certificate to be renewed. This can be any string (specifically Renew me)
pkcsInformation
BASE64
detachedMesg
TEXT
mandatory for pkcs7 getMethod mandatory for renewaID getMethod mandatory for renewalD getMethod
secretCode
TEXT
Renewal ID
challenge
TEXT
BT38-MPKI6-TRF-V1.1
79
IMPORTANT! To bind your RA certificate to your Managed PKI account, you must use the identical case-sensitive text values for organization and orgUnit that you used when you enrolled for the Managed PKI service. Set the attribute values as follows:
- organization: Use the value that you submitted for Company / Department / Agency. - orgUnit: Use the value that you submitted for Division / Organization / Project. Table 7-26 describes each of the RA certificate name attributes.
Table 7-26 RA certificate name attributes
Name Attribute country state locality organization orgUnit commonName Attribute Tag PrintableString PrintableString T61String T61String T61String T61String Max Length 2 128 128 64 64 64 Required? Optional Optional Optional Required Optional Required
80
BT38-MPKI6-TRF-V1.1
T61
CLEAR BASE64
BT38-MPKI6-TRF-V1.1
81
82
BT38-MPKI6-TRF-V1.1
CHAPTER 8
CSR-Based Enrollment
8 ret pahC
This chapter describes the process of applying for, approving, and retrieving a certificate using a certificate signing request (CSR-based) enrollment. A CSR-based enrollment is used for non-browser applications that require certificates and that produce Base64 encoded PKCS#10 CSRs. Figure 8-12 describes the steps involved for a subscriber to enroll for a certificate using an existing CSR on their computer.
Using a browser, the applicant opens the certificate enrollment page for enrolling with a CSR. The first page of enrollment requests the applicant to locate the CSR on their machine. The applicant selects the Browse button on the first enrollment page, locates the CSR, then continues. The Local Hosting server parses the public key from the CSR and embeds the key in the second enrollment page presented to the applicant. The applicant provides the requested enrollment data for the second enrollment page, then clicks Submit. Only the public key is used from the CSR. The second enrollment page lists the required authentication information and certificate content fields set by the Managed PKI administrator with the Policy Wizard. The second enrollment page does not automatically populate the enrollment fields with information from the CSR. The applicant must provide the information for the fields listed on the second enrollment page. The certificate created by the certificate authority contains the information provided by the applicant. The certificate does not contain information provided by the application-generated CSR other than the public key.
Note
The BT Trust Services Issuing Center processes the enrollment data and signs it with the appropriate signer. A certificate is then created and attached to an e-mail message sent to the subscribing applicant. The subscribing applicant saves the certificate to their machine then installs the certificate according to the instructions for the application that generated the CSR.
84
BT38-MPKI6-TRF-V1.1
CHAPTER 9
Using an ODBC Data Source With Automated Administration or Key Management Service
9 ret pahC
You can use an ODBC database as the registration, verification, and/or recovery data source for use with Automated Administration and Key Management Service. This chapter describes how to set up your ODBC database and environment to support Automated Administration functionality. This chapter includes the following topics: Setting Up an ODBC Data Source on Unix on page 85 Setting Up An ODBC Data Source on Windows on page 87
Obtain the ODBC Connect database driver from DataDirect Technologies for your target database and AA or Key Manager server platform. See Authentication Services Hardware/Software Requirements for supported drivers for each platform. Install the ODBC Connect driver package. Follow the instructions provided with the driver. In general, you will need to:
a b c
Untar ev$OS.tar into a directory datadirect Change as root, cd datadirect/odbc Run ksh unixpi.ksh, and follow the instructions
Setup ODBC environment for the user who will run AA server, which is typically root user. The requirement environment is ODBCINI, and
85
BT38-MPKI6-TRF-V1.1
library path to load ODBC driver libraries. Refer to the driver configuration guide for the setup.
a b
Copy /opt/odbc/odbc.ini to /opt/odbc/system_odbc.ini Edit system_odbc.ini file to add a new block for your database by copying the block for Oracle Wire Protocol. Configure the LIBPATH and ODBCINI environment for test users. For example:
setenv ODBCINI /opt/odbc/system_odbc.ini source /opt/odbc/odbc.csh [for LD_LIBRARY_PATH addition]
Set up ODBC data source for the database that AA or KMS will use. Edit the system_odbc.ini file to add a new block for your database by copying the block for Oracle Wire Protocol. Here is a sample block.
[ODBC Data Sources] DB2 Wire Protocol=DataDirect 4.00 DB2 Wire Protocol Driver ... AutoAuth=DataDirect 4.0 Oracle database for AutoAuth tables ... [AutoAuth] Driver=/opt/odbc/lib/ivora17.so Description=AutoAuth test with DataDirect 4.0 Oracle Wire Protocol LogonID= Password= HostName=aaserver.acme.com PortNumber=1521 SID=sid1 CatalogOptions=0 ProcedureRetResults=0 EnableDescribeParam=0 EnableStaticCursorsForLongData=0 ApplicationUsingThreads=1
VeriSign recommends that you use Wire protocol driver version so that you do not need to install a database client in your AA or Key Manager server host.
Tip
86
BT38-MPKI6-TRF-V1.1
Chapter 9 Using an ODBC Data Source With Automated Administration or Key Management Service
to
Driver=/opt/odbc/lib/ivora17.sl.
6
Optional: Test ODBC with sample table provided in CD. Create sample tables and data in Oracle server for test. Use sqlplus with vsaaora.sql from the AA or KMS package to add tables and data into your test database. Configure the AA or Key Manager server to use ODBC. Set values for the following variables in the vsaasrv.cfg or vskmsrv.cfg file (respectively) to use the ODBC data source you configured in system_odbc.ini.
VER_REG_DATABASE AutoAuth VER_REG_DBUSERNAME <dbuser> VER_REG_DBPASSWORD <password>
On the Windows Start menu, select SettingsControl Panel and double-click Administrative Tools. The Control Panel opens. Double-click the ODBC icon. The ODBC Data Source Administrator dialog box opens.
BT38-MPKI6-TRF-V1.1
87
Click the Drivers tab (Figure 9-13) and verify that you have the latest ODBC driver for your database.
88
BT38-MPKI6-TRF-V1.1
Chapter 9 Using an ODBC Data Source With Automated Administration or Key Management Service
Click Add. The Create New Data Source dialog box opens (see Figure 9-15).
Select your database driver and click Finish. The ODBC Microsoft Access Setup dialog box opens. In the ODBC Microsoft Access Setup dialog box, enter a name (for example, Automated Administration Database or Key Management Serive Database) in the Data Source Name field. Ensure that you use the same name that you used in the AA or Key Manager server configuration file. Enter the path for the database files. Refer to the databases instruction manual for procedures.
a
In the Database panel of the ODBC Microsoft Access Setup dialog box, click the Select button. The Select Database dialog box opens (see Figure 9-16).
Navigate to the mdb file you will use with Automated Administration and click OK.
Close the open dialog boxes. The ODBC database is now configured for use with Automated Administration or Key Management Service. Configure the AA or Key Manager server to use ODBC. Set values for the following variables in vsaasrv.cfg or vskmsrv.cfg (respectively) to use the ODBC data source you configured in system_odbc.ini.
VER_REG_DATABASE AutoAuth VER_REG_DBUSERNAME <dbuser> VER_REG_DBPASSWORD <password>
10
90
BT38-MPKI6-TRF-V1.1
CHAPTER 10
This chapter describes the structure and function of validuser.txt, a static verification data file. This chapter includes the following topics: About validuser.txt on page 91 Understanding validuser.txt File Structure on page 92 Understanding How validuser.txt Operates on page 92
About validuser.txt
Since the flat file version of the verification database allows you to test functionality with a defined, simple data source, validuser.txt is useful for initial installations of Automated Administration (AA) or Key Management Service (KMS). However, although a flat file is useful when there are a limited number of participants, it is impractical for most production implementations. The validuser.txt file is intended for testing purposes only. The validuser.txt file and format are not intended for production implementations.
Note
The file is structured as a .txt (plain text) file containing the entry information, usually in the form of a Comma Separated Value (CSV) list. It is useful for entering small amounts of information, but is cumbersome with large numbers of updates. Use validuser.txt with the flat file version of the authentication server, not with the ODBC version.
Note
BT38-MPKI6-TRF-V1.1
91
The first, third and fifth lines in the following example contain authentication data. The e-mail addresses in the enrollment form trigger Automated Administration to perform the appropriate action for the request (approve, reject, or place in the pending state). This procedure avoids the process of accessing the verification database. The second, fourth and sixth lines in the example contain the authenticate value or augmentation data. The augmentation data is added to the certificate request from the corresponding user, whose e-mail address appears in the flat file data above the authenticate line.
mail_email=approve@verisign.com authenticate=YES mail_email=reject@verisign.com authenticate=NO mail_email=pending@verisign.com authenticate=PENDING
In the example, enrollments with an e-mail address of approve@verisign.com are augmented with the authenticate name/value pair set to YES. This causes the request to be approved, regardless of any other text. Similarly, an e-mail address of reject@verisign.com is augmented with NO, and the request is rejected.
92
BT38-MPKI6-TRF-V1.1
The search algorithm is based on finding name/value pairs that start the same as the name/value pairs in the file, and it locates any match that starts with the correct information. For example, a search for mail_firstName=John makes a valid match with a mail_firstName of John, JohnB, Johnson, and so on. If one of the lines has a match, then the server augments the request with the following (augmentation data) line in the flat file. It then signs the request, and sends it back to the Local Hosting server, which forwards it to the processing center. The flat file shown in this example approves John Doe and Jane Doe, rejects John Smith and Jane Smith, and places John Jones and Jane Jones in the pending state.
BT38-MPKI6-TRF-V1.1
93
94
BT38-MPKI6-TRF-V1.1
CHAPTER 11
Managed PKI supports a variety of directory types (as described in Authentication Services Hardware/Software Requirements) for your verification and registration data source and to store published certificates in Automated Administration. Managed PKI supports standard schema attributes and can be customized to meet your needs. Appendix D, Using Netscapes Directory Server with Managed PKI LDIF Files, provides detailed instructions for using Managed PKI LDIF files with Directory Server. This chapter includes the following topics: Introduction on page 95 Understanding X.500 the ISO Standard Directory Architecture on page 97 Understanding LDAP Internet Standard for Directory Access on page 99 Using Windows 2000 with Active Directory on page 100
Introduction
A directory is a specialized type of database that provides information to a user communityfor example, information about employees, such as names, telephone numbers and e-mail addresses, or information about network resources such as printers and routers. Many network applications and utilities rely upon directory services because a directory is designed to respond quickly to high volumes of queries. Unlike most
BT38-MPKI6-TRF-V1.1 95
general-purpose databases, the information in a directory is typically read more often than it is changed. Updates to a directory usually involve only simple changes to a single entry. In contrast, most general-purpose databases are designed to balance many different requirements, typically processing read-then-modify transactions which affect multiple entries. The complex transactions of a general-purpose database require equally complex transaction management or roll back schemes. Such complex schemes are not needed for operating a directory. Many enterprises operate multiple, independent directory services, each based on its own proprietary protocol. Such directory services also require separate administration and maintenance. As the number of applications and utilities relying on directories increases, maintaining separate directories becomes increasingly difficult. The ideal solution is a single directory service using an industry standard protocol to support the entire enterprise. Figure 11-17 on page 97 illustrates such an arrangement. To establish a directory as a centralized information source, all applications the directory supports must share a common means of accessing and interpreting the stored information. This means adopting open, widely supported standards. To increase informations availability and reliability, a directory allows information to be replicated between multiple servers. Unlike a database application which requires absolute consistency between all database replicas, a directory application is typically tolerant of transient inconsistencies.
96
BT38-MPKI6-TRF-V1.1
This tolerance leads to replication protocols that are much simpler. In turn, simpler replication protocols facilitate the deployment of large directory systems.
Figure 11-17 The directory service as the hub of a large distributed system
Description Telephone number Alices digital certificate Alices encrypted private key
Some attribute-value pairs in a directory entry are used to comprise the Distinguished Name. The Distinguished Name is a set of data that uniquely identifies a real-world entity, such as a person. The attribute-value pairs of the Distinguished Name comprise the hierarchy of the Directory Information Tree. The Directory Information Tree is simply a conceptual tool used to diagram the attribute-value pairs of the distinguished name. In Figure 11-18, the Directory Information Tree consists of the C, O, OU, and CN attribute-value pairs. Therefore, the Distinguished Name for our example is: C=US; O=VerySecure Inc.; OU=Security; CN=Alice Cryptographer
The X.500 Directory Access Protocol (DAP) is the protocol that enables a directory user to access an X.500 directory.
98
BT38-MPKI6-TRF-V1.1
100
BT38-MPKI6-TRF-V1.1
CHAPTER 12
If the Managed PKI administrator configures an account for UTF-8 encoding in the Policy Wizard, end users can enter data in UTF-8 encoded characters. MPKI allows end users to enter enrollment data in their native language, and the input is converted to UTF-8 for inclusion in certificates, and optionally converted to UTF-8 data for storage in the registration data source. AA and KMS support native character encodings for all data source types: flat file, ODBC-compliant databases, and LDAP servers (most LDAP servers use UTF-8 encoding to store native character data). Authentication Services Hardware/Software Requirements lists the encodings supported by Managed PKI.
BT38-MPKI6-TRF-V1.1
101
When applications and Web sites read certificates, they convert the certificates UTF-8 data, as needed, into the encoding that they use.
Managed PKI support for native-language character encodings includes the following: End users can enter native-language characters in the Digital ID Center pages and can view native-language characters in their certificate. You configure the character set that will be used by the pages through the Policy Wizard in the Control Center. You must inform end users that native characters are supported on these pages. For more information, see Managed PKI Installation and Configuration or Key Management Service Installing Managed PKI with Key Management Service. Administrators can view native characters in the Control Center. Automated Administration supports native-language characters, allowing native-language characters to be stored in the registration data source as UTF-8 format.
102
BT38-MPKI6-TRF-V1.1
Example Implementation
For example, you want to support a native-language character set in UTF-8 encoding. To implement this scenario: The administrator specifies UTF-8 encoding in the Policy Wizard. This setting becomes the account encoding. The subscriber enters data using native-language characters. The subscribers browser must be set to UTF-8 encoding. The administrators browser must be set to view UTF-8 encoded characters. If you implemented AA or KMS, the data sources must support and be configured for UTF-8 encoding. Refer to the documentation provided with yur data source for information on configuring it for UTF-8 encoding.
BT38-MPKI6-TRF-V1.1
103
ASCII-Only Data
VeriSign requires that the following certificate data be entered as single-byte ASCII characters. Because the ASCII character set is a subset of the other encodings, the AA server passes ASCII-only fields without conversion. Company/Department/Agency Division/Organization/Project E-mail address Country Passcode
104
BT38-MPKI6-TRF-V1.1
CHAPTER 13
BT and VeriSign maintain and publish certificate revocation information in the form of certificate revocation lists (CRLs). The CRL for each Certification Authority (CA) is updated regularly and released to the public. Certificates are revoked when they are no longer valid. For example, a certificate can be revoked if a certificate holder leaves a company or if the security of the certificate has been compromised. The CRL is a signed list of revoked certificates. An application that relies upon certificates must check the current CRL. Most customers download CRLs from BT through the Control Center. However, if you use Certificate Validation Module (CVM) to automatically download CRLs, then you must configure the application with the appropriate URL. This chapter lists the URLs for these CRL Web pages. Procedures for configuring CVM with these URLs are provided in Managed PKI Certificate Validation and Parsing Guide. If you use a third-party application to download and check CRLs, refer to the documentation provided with that application for configuration procedures. This chapter includes the following topics: Accessing CRLs Through Managed PKI Public on page 106 Accessing CRLs Through Managed PKI Private on page 106
BT38-MPKI6-TRF-V1.1
105
106
BT38-MPKI6-TRF-V1.1
BT38-MPKI6-TRF-V1.1
107
108
BT38-MPKI6-TRF-V1.1
CHAPTER 14
This section is intended for HTML authors using VHTML (Variable HTML) and Sophialite to: Pass information from HTML entry forms to a server-side processing application Return information from the server to the applicant in named variables in HTML pages Present the appropriate HTML pages to the applicant, as determined by the value of a status code returned by the server-side processing application To use Sophialite, you need the following skills: Working knowledge of HTML General understanding of CGI and Web server operations Basic understanding of how to use variables and simple logical expressions in programming This chapter includes the following topics: Understanding Sophialite on page 110 Configuring Sophialite to use a Proxy Server on page 111 Understanding the Form Definition File (FDF) on page 111 Modifying End-User Error Message Text on page 125 Designing Web Pages for Use With Sophialite on page 126
BT38-MPKI6-TRF-V1.1
109
Understanding Sophialite
Sophialite, a CGI program, facilitates transmitting data from a form within an HTML page to a server-side processing application. In addition, Sophialite returns data to named variables in VHTML pages. The named variables are defined in a form definition file (FDF)a text file containing six descriptors per variable. Variable names are used as keys to associate values with the appropriate HTML elements, FDF entries, and database fields in the processing application. Therefore, variable names must be consistently applied to VHTML pages, the FDF, and the database schema of the processing application. If you remove the mail_firstName and mail_lastName fields from the enrollment pages, and make them optional in the corresponding .fdf files, the authentication database supplies the Common Name (CN) for the certificate. When this is the case, the common_name name/value pair takes precedence over mail_firstName and mail_lastName.
Note
A typical implementation of Sophialite includes an HTML-based registration form, a VHTML-based confirmation form, a customer database management application, and a set of HTML pages. The HTML pages are presented to the applicant in the event of errors or problems with the submitted data. As shown in Figure 14-20, Sophialite enables two-way information passing between client and server, while the FDF ensures one-to-one correspondence between VHTML name/value pairs and fields in the customer database.
110
BT38-MPKI6-TRF-V1.1
Depending on status values returned by the Processing Application (pestub), Sophialite can return either refreshed HTML or a VHTML form containing named values to the client browser.
The proxy server name and proxy port must be separated by a colon, with no space before or after the colon. If no proxy port is specified, port 80 is used.
Note
BT38-MPKI6-TRF-V1.1
111
form definition files in an INPUT element within a form (see Designing Web Pages for Use With Sophialite on page 126). Figure 14-21 shows the data process flow for a VHTML/Sophialite system. Sophialite reads the FDF before the HTML page, and then creates a skeleton of the entry list (that is, an unpopulated list). Sophialite then reads the form in the HTML page and compares the data with the named INPUT elements and the named entries in the FDF. By default, the POST target is actually set to softbounce.exe, not sophialite.exe. The softbounce.exe executable is a proxy to sophialite.exe and acts as an additional check to prevent users from passing extra fields to the back end. To use softbounce.exe and pass extra fields, you must edit the enroll_wait.htm file in the htmldocs/client directory.
Note
The FDF contains descriptions of entry variables and status variables. Entry variables are used to pass applicant-entered information from the Web page, through Sophialite, and on to the processing application. Status variables are used to control presentation of pages according to status codes returned by the processing application.
112
BT38-MPKI6-TRF-V1.1
BT38-MPKI6-TRF-V1.1
113
A status variable has three descriptors. For each type of variable, descriptors are delimited by white space (spaces or tabs), and each variable description is terminated by a carriage return (unless continued to the next line with the + character). Comments can be included, but they must consist of a single line starting with a pound symbol (#). All descriptors must be present for each named variable, except for static values (identified in the sample file shown below). A short form definition file might look like this:
#NAME TYPE REQUIREMENT DEPENDENCY CONTROL
#-----------------------------------------------------------------------email cust_name addr city state postcode phone fax pub_key # phoneOK CONTROL OPTIONAL NONE NONE e-mail e-mail TEXT TEXT TEXT TEXT PHONE PHONE BASE64 MANDATORY MANDATORY MANDATORY MANDATORY MANDATORY MANDATORY OPTIONAL OPTIONAL MANDATORY NONE NONE NONE NONE NONE NONE NONE NONE NONE NONE NONE NONE NONE NONE NONE NONE NONE NONE
The above FDF defines e-mail addresses, names, address information, and public keys as required information, while designating telephone and fax numbers as optional. An optional designation means the form may be processed if the applicant does not provide telephone or fax numbers. Finally, control corresponds to a button the applicant might select on an HTML page to indicate if telephone contact is acceptable. A portion of an HTML page that could work with this FDF might look like this:
114
BT38-MPKI6-TRF-V1.1
Note
<HTML> ... <FORM ACTION=/cgi-bin/sophialite.exe ENCTYPE=x-www-form-encoded METHOD=POST> ... <INPUT TYPE=text NAME=email SIZE=24> <INPUT TYPE=text NAME=cust_name SIZE=24> <INPUT TYPE=text NAME=addr SIZE=16> <INPUT TYPE=text NAME=city SIZE=16> <INPUT TYPE=text NAME=state SIZE=2 MAXLENGTH=2> <INPUT TYPE=text NAME=postcode SIZE=10 MAXLENGTH=10> <INPUT TYPE=text NAME=phone SIZE=13 MAXLENGTH=13> <INPUT TYPE=text NAME=fax SIZE=13 MAXLENGTH=13>
The maximum length of values passed to Sophialite is enforced by the HTML page (and presumably by the processing application on the server side), not by Sophialite. Also, the name/value pairs are not order-dependent (the HTML page and FDF can arrange the name/value pairs in different orders).
BT38-MPKI6-TRF-V1.1
115
BASE64
A digital certificate represented by Base-64 representation (two ASCII characters per digit). Any characters allowed. Often used for text areas in which applicants enter comments and questions. Used for handling data in the VHTML page itself. Usually radio buttons and checkboxes. 8-digit numeric date in the format mmddyyyy. Can include slash (/) or dash (-) separators.
CLEAR
Yes
CONTROL
N/A
No
DATE
Yes
116
BT38-MPKI6-TRF-V1.1
DEBIT
Algorithmically checked to ensure it is a possible credit card number (checking for current validity is the responsibility of the processing application). A through Z, a through z, 0 through 9, and the following special characters: ! ' ( ) + -./:@_ None 0 through 9, spaces, and the following special characters: ( )+ - ./: A through Z, a through z, 0 through 9, spaces, and the following special characters: !"#$&'( )+,-./:;<>@ _.` 0x0D and 0x7F through 0xFF All upper 128 characters. (This includes most European alphabets.) The following characters are not permitted: % * = ? [ ] \ ^ { } | ~
Yes
HYBRID PHONE
A control whose value is passed to the processing application. Used for telephone numbers; checked for length and characters. Alphanumeric text including non-US characters
Yes Yes
T61
Yes
TEXT
Alphanumeric data.
A through Z, a through z, 0 through 9, spaces, and the following special characters: '()+,-./:
Yes
Using Requirement (Entry Variables Only) The REQUIREMENT descriptor for entry variables may be MANDATORY or OPTIONAL. A mandatory requirement means a value is required before data can
BT38-MPKI6-TRF-V1.1
117
be passed to the processing application. An optional requirement means that the variable need not contain a value. Using Dependency and Control (Entry Variables Only) The Dependency and Control fields are used together to load values into variables on the basis of the state of one or more controls, and to dynamically determine if the REQUIREMENT descriptor of a variable is MANDATORY or OPTIONAL. The simplest use of Dependency and Control is to designate a variable as OPTIONAL or MANDATORY on the basis of a control. For example, a credit card number would be required when the value of a button is C_Card, and optional when the value is Purchase Order. To accomplish this, the variables REQUIREMENT is set to MANDATORY, DEPENDENCY is set to NONE, and CONTROL contains a logical expression. When the expression evaluates to TRUE, the REQUIREMENT is honored. When it evaluates to FALSE, REQUIREMENT is treated as OPTIONAL. The following FDF entry is an example of how to designate a variable as OPTIONAL or MANDATORY:
#NAME TYPE REQUIREMENT DEPENDENCY CONTROL
#-----------------------------------------------------------------------pmt_type card_num CONTROL DEBIT OPTIONAL MANDATORY NONE NONE NONE pmt_type = C_Card
A more complex use of Dependency and Control can assign the value of one variable to another variable based on a control. For example, the variable biz_phone could be assigned the value of home_phone when the value of a button is Home_Office. To accomplish this, the biz_phone variable is assigned a DEPENDENCY of home_phone. When a logical expression in CONTROL evaluates to TRUE, the value of the home_phone is copied to biz_phone. The following FDF entry is an example of how to assign the value of one variable to the value of another variable:
#NAME TYPE REQUIREMENT DEPENDENCY CONTROL
#-----------------------------------------------------------------------Biz_loc
118
CONTROL
OPTIONAL
NONE
NONE
BT38-MPKI6-TRF-V1.1
biz_phone
PHONE
MANDATORY
home_phone
Biz_loc = Home_Office
The most complex application of Dependency and Control assigns the value from one of two variables to a third variable based on a control. For example, the variable best_num could be assigned the value of home_phone when the value of a button is Call_home, or the value of biz_phone when the buttons value is Call_work. The + character is used as a logical OR to separate the two logical possibilities in the Dependency and Control descriptors. The following FDF entry is an example of how to assign the value from one of two variables to a third variable:
#NAME TYPE REQUIREMENT DEPENDENCY CONTROL
#-----------------------------------------------------------------------Contact best_num CONTROL PHONE OPTIONAL MANDATORY NONE home_phone biz_phone NONE Contact = Call_home + Contact = Call_work
Addressing a Special Case: Using Constant as an Entry Variable Descriptor You can define an entry variable with a static value in the FDF. You do not need to define static entry variables in the HTML file because if the same variable exists in both the HTML and FDF files, the FDF value takes precedence. The following is an example of how to define a constant entry variable:
# # CONSTANT # CONST member_service TWA - Customer Service EnterpriseServiceAdmin
There are three columns in this example. The first column specifies this line as constant entry variable. The second column specifies the name of the variable, and the last column specifies the value. Notice that the value can contain spaces. Using Code (Status Variables Only) The code data is an alphanumeric string representing the hexadecimal error code returned by the processing application. There are no restrictions on the code values; any alphanumeric value is acceptable.
BT38-MPKI6-TRF-V1.1
119
Using Value (Status Variables Only) The value field data is a static alphanumeric string that you define. Placing a filename or URL address in the value field enables the processing application to dynamically locate and display the HTML page associated with a specific status code. For example, if the status code returned is 3001, the value field might contain the pointer prepend.htm. Status variables do not exist within HTML pages. Instead, status variables point to the location of HTML files. The file to which a status variable refers must be local to the server.
Note
The default path to the file is the server URL. For example, if the server URL is http://www.myserver.com/ and the associated file is in the directory /htmldocs/newpages, the value field data would be /newpages/<filename>.
Note
The htmldocs directory is the main directory for the HTML files.
The search path for locating the associated HTML files begins from the cgi-bin directory. The cgi-bin directory resides at the same directory level as the htmldocs directory. If the URL or filename listed in the value field does not begin with ../htmldocs/ the application automatically prefixes ../htmldocs/. The following FDF entries provide for five different status codes returned by the processing application. Each status code results in a unique action.
#NAME CODE VALUE
120
BT38-MPKI6-TRF-V1.1
The following table provides examples of how value fields map to code values and the location of the associated HTML pages.
Table 14-29 Status code page location
Status Code 3001 4002 5003 6004 6005 Value prepend.htm ../../hack/replace.htm test/prependPath.htm ../CompDept/zapPath.htm ../htmldocs/noChange.htm Location of Page relative to the cgi-bin directory ../htmldocs/prepend.htm ../htmldocs/replace.htm ../htmldocs/test/prependPath.htm ../htmldocs/zapPath.htm ../htmldocs/noChange.htm
The highest level directory for an HTML file is the htmldocs directory. An HTML file may be located in any directory structure within the htmldocs directory.
Note
#-----------------------------------------------------------------------name NONE email NONE home_ph NONE work_ph NONE TEXT TEXT PHONE PHONE NONE NONE NONE NONE MANDATORY MANDATORY OPTIONAL OPTIONAL NONE NONE NONE NONE
BT38-MPKI6-TRF-V1.1
121
#----------------------------------------------------------STATUS STATUS STATUS STATUS 3001 4002 5003 6004 vErrorPage.html ../trouble/vBigProblemPage.html EntryForm.html http://www.yourco.com/infoPage.html
122
BT38-MPKI6-TRF-V1.1
124
BT38-MPKI6-TRF-V1.1
BT38-MPKI6-TRF-V1.1
125
This is a required field. The information entered should contain only alphabetical or numerical characters and please do not use any of these symbols: ! @ $ % ^ & * ( ) ~ _ ? > < / \..
126
BT38-MPKI6-TRF-V1.1
Within the form, a hidden INPUT element named form_file must be included, with its VALUE set to the location (relative to the servers /cgi-bin directory) of the FDF describing the form. For example:
... <INPUT TYPE=hidden NAME=form_file VALUE=../fdf/entryForm.fdf>
This INPUT element enables Sophialite to identify the appropriate FDF for the page. When the only function of the page is to pass applicant-entered information to Sophialite, no VHTML tags are used.
BT38-MPKI6-TRF-V1.1
127
128
BT38-MPKI6-TRF-V1.1
CHAPTER 15
This chapter describes the browser emulation protocol used for communication between a PKI-enabled client, and either a VeriSign Managed PKI RA or a VeriSign Managed PKI CA. This document specifies the procedures and protocol information for communicating between the client and the Automated Authentication server (AA Server) or the CA. There are two basic modes of operation in both the interactions between the client and the AA server and between the client and the CAautomatic and manual. The mode of operation is specified in the instructions for running Policy Wizard (see Managed PKI Installation and Configuration). This chapter includes the following topics: (Optional) Tools Used by the Client to Interface with Managed PKI on page 129 Understanding Fundamental Assumptions on page 130 Understanding End Entity Token Generation on page 131 Working with HTTP and MIME on page 131 End Entity Certificate Request Process for Managed PKI on page 133
Your administrator can make some fields optional or mandatory in the Policy Wizard. They can see which fields are mandatory or required when they use the Policy Module API. Therefore, BT Trust Services recommends that you use the VeriSign Policy Module API. For information on Policy Module API documentation, contact your BT representative.
Note
130
BT38-MPKI6-TRF-V1.1
BT38-MPKI6-TRF-V1.1
131
The CA receives the incoming message through a simple HTTP POST operation to a CGI program called sophia.exe. The value of the Content-type variable should be application/x-www-form-url-encoded. The length of the message should be set by the Content-Length. The User-Agent variable is required and should have the value Browser Emulation. The body should be the name-value pairs, where the value is URL encoded according to RFC2396. An example of a certificate request:
POST /services/CompanyName/cgi-bin/sophia.exe HTTP/1.0\n User-Agent: Browser Emulation\n Content-type: application/x-www-form-urlencoded\n Content-Length: 603\n \n operation=C1LRAUserSubmit&form_file=%2E%2E%2Ffdf%2Fclient%2FuserEnrollMS%2Efdf&r emote_host=Browser+Emulation&public_key_format=pkcs10&common_name=Test&mail_emai l=test%5Fcompany%40com%2Ecom&public_key=MIIBTTCB%2BQIBADBNMQswCQYDVQQGEwJTRTEoMC YGA1UEChMfRW50ZWdyaXR5IFNvbHV0aW9ucyBDb3Jwb3JhdGlvbjEUMBIGA1UEAxMLVGVzdENsaWVudD EwXDANBgkqhkiG9w0BAQEFA%2FMANjLepcGf14tArnzQK4638je9hgV2rjQ9BGluHvi9shBITlbigJ4t EQ3UIwIDAQABoEcwRQYJKoZIhvcNAQkOMTgwNjAnBgNVHREEIDAegRx0aG9tYXNfY2FsZGVuaXVzQGhv dG1haWwuAANAAGIv5sz9ZP5jdSMpYyoRWtuwCM74nf5j36izH%2FGedu%2BfZsMN0ebiW8Ljl2NWpLBx G1WB5VMqaChA31BYU4SOog%3D%3D&challenge=1111\n
Messages returned back to the client is a list of name-value pairs embedded in a HTML file where the name-value pair is URL encoded according to RFC2396.
132
BT38-MPKI6-TRF-V1.1
It is up to the program performing browser emulation to parse the HTTP response and find the required name-value pairs.
Note
Requesting a Certificate
To request a certificate, a users client generates a key pair and certifies it. The client generates an RSA key pair and creates the corresponding PKCS #10 request.
BT38-MPKI6-TRF-V1.1
133
The client formats the request in name/value pairs. The following table describes all the name/value pairs sent by a client requesting a certificate.
Name operation Value Tag TEXT Mandatory / Optional mandatory Description Must be C1 LRAUserSubmit if enrollment request is sent directly to CA (at VeriSign). Must be AutoAuthOSUserSubmit if enrollment request is sent to RA (Local hosting). form_file remote_host public_key_form at public_key common_name CLEAR TEXT TEXT BASE64 TEXT mandatory mandatory mandatory mandatory optional Must be ../fdf/client/userEnrollMS.fdf Must be Browser Emulation Must be PKCS#10 The base64 encoded PKCS#10 Common name. Mandatory if mail_firstName and mail_lastName are not present Restrictions Must be the first name-value pair specified
Note: If policy file has UTF-8 option turned on when you customize the Local Hosting site kit, Value Tag is T61.
mail_firstName TEXT optional First name.
Note: If policy file has UTF-8 option turned on when you customize the Local Hosting site kit, Value Tag is T61.
mail_lastName TEXT optional Last name.
Note: If policy file has UTF-8 option turned on when you customize the Local Hosting site kit, Value Tag is T61.
134
BT38-MPKI6-TRF-V1.1
Name challenge
Description This value is a challenge phrase supplied by the user during the registration process. A hash of this value is stored in the repository and is used to authenticate a revocation request.
mailStop
T61
optional
additional_field4
T61
optional
BT38-MPKI6-TRF-V1.1
135
Name additional_field5
Description This value is placed in an Organizational Unit attribute in the DN This value is placed in an Organizational Unit attribute in the DN
Restrictions
additional_field6
T61
optional
Using server authentication, the client sends the request to sophialite.exe or sophia.exe using the URI (Uniform Resource Identifier) specified in the configuration file over an SSL link. The name-value pairs are be sent in the enrollment and are retrieved from the Managed PKI Policy Module API VSPM_GetParameterCount() and VSPM_GetParameter(). All parameters with the VSPM_REQUIREMENT attribute set to VSPM_REQ_MANDATORY should be sent to the enrollment server. You can request the name-value pairs, the applicant's name as mail_firstName, and mail_lastName or common_name. The name value pairs are case sensitive.
Note
136
BT38-MPKI6-TRF-V1.1
successful, the reply contains a corresponding PKCS#7 (certificates and CRLs only) message. Otherwise the reply contains an error code.
Name error_status Value Tag TEXT Description Status code of the operation. error_status = 0x'3062' or 0x'1b59' indicates request is pending (manual authentication). error_status = 0x'0' or 0x'6fff' indicates successful response (Automated authentication). certOrCRL TEXT PKCS#7 that is first Base64 encoded, then URL encoded. Only present if certificate is approved Restrictions
If the certificate issuance is automatic, the client processes the PKCS #7 reply, or the user receives an e-mail from the Managed PKI CA containing the PIN that is used to retrieve the certificate.
BT38-MPKI6-TRF-V1.1
137
The client processes the PKCS #7 reply and the end entity is ready to use it.
End Entity Certificate Request Process for Managed PKI Key Management Service
Requesting a Certificate
A browser emulating client generates only a digitalSignature key. The keyEncipherment key pair is generated by the Managed PKI Key Management Service. The client generates an RSA key pair and creates the corresponding PKCS#10 request. The client formats the request in name-value pairs. The following table describes all the name-value pairs sent by a client requesting a certificate.
Name operation Value Tag TEXT Mandatory / Optional mandatory Description Must be AutoAuthOSUserSub mit. Use ../fdf/client/userEnroll DualMS.fdf for dual keys Use ../fdf/client/userEnroll EncMS.fdf for keyEncipherment key Use ../fdf/client/userEnroll MS.fdf for digitalSignature key Restrictions Must be the first name-value pair specified
form_file
CLEAR
mandatory
138
BT38-MPKI6-TRF-V1.1
Description Must be Browser emulation The base64 encoded PKCS#10 Must be NO This value is the challenge phrase supplied by the user during the registration process. A hash of this value is stored in the repository and is used to authenticate a revocation request.
Restrictions
authenticate challenge
TEXT TEXT
mandatory mandatory
Max length is 32
Note: If policy file has UTF-8 option turned on when you customize the Local Hosting site kit, Value Tag is T61.
common_name TEXT optional/man datory Common name.
mail_firstName
TEXT
optional/man datory
First name.
BT38-MPKI6-TRF-V1.1
139
Name mail_lastName
optional optional optional optional optional/man datory optional This value is placed in the Title attribute in the DN. This value is placed in an Organizational Unit attribute in the DN This value is placed in an Organizational Unit attribute in the DN This value is placed in an Organizational Unit attribute in the DN This value is placed in an Organizational Unit attribute in the DN This value is placed in an Organizational Unit attribute in the DN Used for internationalization Used for internationalization Used for internationalization
employeeID
T61
optional
mailStop
T61
optional
additional_field4
T61
optional
additional_field5
T61
optional
additional_field6
T61
optional
140
BT38-MPKI6-TRF-V1.1
The client posts the request to sophialite.exe in the Key Management Service local hosting site kit URL.
Note
The SSL connection is critical as the private key is sent in the reply.
Value Tag TEXT Description Status code of the operation. error_status = 0x'a104' indicates request is pending (manual authentication). error_status = 0x'0' or 0x'6fff' indicates successful response (Automated authentication). Restrictions
Name error_status
certOrCRL
TEXT
PKCS#7 that is first Base64 encoded, then Url encoded. This contains the certificate chain for the digitalSignature keyException: If operation is "PickupPKCS12", ignore this value
pkcs8_line
TEXT
PKCS#8 that is first Base64 encoded, then Url encoded. This contains the keyEncipherment key
Only present if response is successfulException: It is not present if the operation is "permenant" (note spelling)
BT38-MPKI6-TRF-V1.1
141
Name pkcs7_line
Description PKCS#7 that is first Base64 encoded, then URL encoded. This contains the certificate chain for the keyEncipherment keyException:
Restrictions Only present if response is successfulException: It's not present if operation is permenant (note spelling).
pkcs12_pas sword
TEXT
To get the PKCS#12 and its password for an encryption certificate, you have to manually change the key_format in the corresponding file from PKCS#8 to PKCS#12. Key Management Service version 3.5 and above supports PKCS#12 delivery method.
Note
Change the following file for the Key Management Service account for browser emulation: For htmldocs/client/userInstallEncMS.htm:
Content-Type:text/html
<HTML> <BODY> <INPUT type=hidden NAME=error_status VALUE="$$error_status$$"> <INPUT type=hidden NAME=pkcs7_line VALUE="$$pkcs7_line$$"> <INPUT type=hidden NAME=pkcs8_line VALUE="$$pkcs8_line$$"> </BODY> </HTML>
For htmldocs/client/userInstallMS.htm:
Content-Type:text/html <HTML> <BODY> <INPUT type=hidden NAME=error_status VALUE="$$error_status$$"> <INPUT type=hidden NAME=certOrCRL VALUE="$$certOrCRL$$"> </BODY> 142 BT38-MPKI6-TRF-V1.1
</HTML> For htmldocs/client/userInstallDualMS.htm: Content-Type:text/html <HTML> <BODY> <INPUT type=hidden NAME=error_status VALUE="$$error_status$$"> <INPUT type=hidden NAME=certOrCRL VALUE="$$certOrCRL$$"> <INPUT type=hidden NAME=pkcs7_line VALUE="$$pkcs7_line$$"> <INPUT type=hidden NAME=pkcs8_line VALUE="$$pkcs8_line$$"> </BODY> </HTML>
For htmldocs/error/KMpending.htm
Content-Type:text/html <HTML> <BODY> <INPUT type=hidden NAME=error_status VALUE="$$error_status$$"> <INPUT type=hidden NAME=pkcs12_password VALUE="$$pkcs12_password$$"> </BODY> </HTML>
Sample Enrollment Response from Server after making the suggested change to the Local Hosting Site kit:
<HTML> <BODY> <INPUT type=hidden NAME=error_status VALUE="6fff"> <INPUT type=hidden NAME=pkcs7_line VALUE="MIIHcAYJKoZIhvcNAQcCoIIHYTCAAgEBMQAw BT38-MPKI6-TRF-V1.1 143
CwYJKoZIhvcNAQcBoIAwggP3MIIDoaA3uAc4u7gsVcBVOaJeL4ijMA0GCSqGSIb3DQEBBAUAMEMxETAPBgNVBAoTCFZlcmlTa WduMS4wLAYDVQQLEyVWZXJpU2lnbiBDbGFzcyAyIE9uU2l0ZSBJbmRpdmlkdWFsIENBMB4XDTAyMTIxMTAwMDAwMFoXDTAyMT IxODIzNTk1OVowgcUxETAPBgNVBAoUCEdhcnJpc29uMRMwEQYDVQQLFApLZXlNYW5hZ2VyMUYwRAYDVQQLdmVyaXNpZ24uY29 tL3JlcG9zaXRvcnkvQ1BTIEluY29ycC4gYnkgUmVmLixMSUFCLkxURChjKTk5MRowGAYDVQQLFBFFbXBsb3llZUlEIC0gMTIz NDESMBAGA1UEAxMJMTQzNCAxMjEwMSMwIQYJKoZIhvcNAQkBFhRhcHByb3ZlQHZlcmlzaWduLmNvbTCBnzANBgkqhkiG9w0BA QEFAAOBjQAwgYkCgYEAvqLloqs58go7FpNMbDL5tOcEXDE7PeHCEam0rFbHGcgCpTslS88e5jLgvMqtxhRdAmrmh+krCv5QbH 2FZy9IOGD/PcZvrEL7oP80NJ38J06URB5HUHBEqk8rexSZiqkRhMF3H3iNeHVUEq5msJwcJl5LZC45ru8GX4/lSC/ZizsCAwE AAaOCAagwggGkMAkGA1UdEwQCMAAwggEkBgNVHSAEggEbMIIBFzCCARMGC2CGSAGG+EUBBwEGMIIBAjArBggrBgEFBQcCARYf aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYS1rcjCB0gYIKwYBBQUHAgIwgcUagcJOT1RJQ0U6IFByaXZhdGUga2V5IG1he SBiZSByZWNvdmVyZWQgYnkgVmVyaVNpZ24ncyBjdXN0b21lciB3aG8gbWF5IGJlIGFibGUgdG8gZGVjcnlwdCBtZXNzYWdlcy B5b3Ugc2VuZCB0byBjZXJ0aWZpY2F0ZSBob2xkZXIuICBVc2UgaXMgc3ViamVjdCB0byB0ZXJtcyBhdCBodHRwczovL3d3dy5 2ZXJpc2lnbi5jb20vcnBhLWtyIChjKTk5LjALBgNVHQ8EBAMCBSAwEQYJYIZIAYb4QgEBBAQDAgeAME8GA1UdHwRIMEYwRKBC Ib3DQEBBAUAA0EAAQLm0P5Rdq7QgQmZl2IVZXypuiolE5mxbSXN32sQNA35i9kBfF9ds8LKx0zQ8Fs9e0BKw5FSW19P6jLrKR 3UizCCA0YwggKvoAMCAQICEAJyLlkVWyrrnlQeLtXcRJQwDQYJKoZIhvcNAQEFgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln biwgSW5jLjFBMD8GA1UECxM4Q2xhc3MgMiBURVNUIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gR zIxQzBBBgNVBAsTOlRlcm1zIG9mIHVzZSBhdCBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzL3Rlc3RjYS8gKGMpMDIxHz AdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxHzAdBgNVBAsTFkZvciBUZXN0IFB1cnBvc2VzIE9ubHkwHhcNMDIwNzE yMDAwMDAwWhcNMDcwNzExMjM1OTU5WjBDMREwDwYDVQQKEwhWZXJpU2lnbjEuMCwGA1UECxMlVmVyaVNpZ24gQ2xhc3MgMiBP blNpdGUgSW5kaXZpZHVhbCBDQTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDBxzQcrg+TVGE2erKVwdCYECWHOICDqj/oHiMlu BVeF3oNIEYZAsfYohYmkkOoGP/qfCecH76QoXTONQ8aX1AgMBAAGjgdAwgc0wDwYDVR0TBAgwBgEB/wIBADBLBgNVHSAERDBC MEAGCmCGSAGG+EUBBxUwMjAwBggrBgEFBQcCARYkaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nwcy90ZXN0Y2EvME0GA1UdH wRGMEQwQqBAoD6GPGh0dHA6Ly9waWxvdG9uc2l0ZWNybC52ZXJpc2lnbi5jb20vT2ZmbGluZUNBL3Rlc3RwY2EyLWcyLmNybD ALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4GBAG3RSVMxLPVhRjZApGW5ZH9x11kCbpj UCFC3OmsKi1UFPOyy515bZjawM43TjTr/BK8UO/PQtGjHWRClq3dPInD9WoQt64lQS5y181jepq696/oJDki549p9tUjzdgai +HQl6cIi8AsBBq/YueKgDGiveLIJmIza+EeC4GLzgn0MAAAxAAAA"> <INPUT type=hidden NAME=pkcs8_line VALUE="MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIw ggJeAgEAAoGBAL6i5aKrOfIKOxaTTGwy+bTnBFwxOz3hwhGptKxWxxnIAqU7JUvPHuYy4LzKrcYUXQJq5ofpKwr+UGx9hWcvS Dhg/z3Gb6xC+6D/NDSd/CdOlEQeR1BwRKpPK3sUmYqpEYTBdx94jXh1VBKuZrCcHCZeS2QuOa7vBl+P5Ugv2Ys7AgMBAAECgY EAigbx0zy8gMXtkGPoMnMaH2Qg4Qt4RE7gL9+7BAj0sXMCj1XqpB/71FrEI41wEnoN+cEi1wb49kW6P0MGwvYWCBQxJUU9KLc +nVYoavd3SJ8zcbluawfVamtkOhlV0F2fKJM4cXFArTi9vKlXka86wglFyRJ/yh7GH1+gECQQDeqkNw4ul3W+T/Z7KecldHtY 3cJwxZrr/LK9AVRSPdSHTskcDT3RP6HzjvA3AsJhJO0VJrkQBye0dQeMKYwo7AkEA2y0d6DCplm1WD6lefIr7rXMK1Rlhxkhe q96XK7+dekqxwsQICkCwPz5MlYWBm62XKPtGFtgjfdgsDG7pzAQJAMMnt7RZLQbQJAU2ffchgB35ojwyfUCdSLxpyhbaYnSGc n944YSlPuxKeCuhxuv7231T1Yaeljx7Hrdl5/hSlcQJBAIguMDbkhXqB1MdGZQU3razZE0Q/doKO0YIEUqYszTrid1CK9DoHF bCer/Q5aTBnxYrdZBxD8uB4AuBFV1kTMAECQQCnTP+JsMCv8tnMPuroASdn4p0SoabytFVfgajeTQZDUrn+vg/NVQuuSurQpm pe/yoxraaw noCAg/cvGuUU65dc"> </BODY> </HTML>
144
BT38-MPKI6-TRF-V1.1
pkcs12_password
TEXT
mandatory
BT38-MPKI6-TRF-V1.1
145
TEXT
mandatory
mandatory mandatory
146
BT38-MPKI6-TRF-V1.1
Description Must be Browser Emulation Must be PKCS#7 Certificate serial of the to be renewed certificate Certificate issuer DN of the to be renewed certificate PKCS#7 signed message in base64 format Must be Renew Digital ID The base64 encoded PKCS#10
Restrictions
BASE64
mandatory
BT38-MPKI6-TRF-V1.1
147
148
BT38-MPKI6-TRF-V1.1
APPENDIX A
This appendix provides foundation knowledge about access control in general and certificate-based access control in particular. It also provides examples of access control solutions and step-by-step instructions for how to implement them. The chapter contains the following sections: Overview on page 149 Certificates as a Basis for Access Control on page 150 Access Control Architectural Models on page 153 Microsoft Examples: Internet Information Server (IIS) Solutions on page 156 (includes step-by-step instructions) Netscape Examples: Web Server Solutions on page 176 Implementation Guidelines for Managed PKI Web Access Control on page 188
Overview
Enterprises have traditionally used password-based authentication systems to restrict resource access to authorized users. Authorized users may be a small group such as the enterprises employees or business partners, or a large group such as the general public. Password-based solutions have also been used to secure Web resources. As technology and programming have become more sophisticated and complex, however, password-based authentication systems have not proven themselves able to provide the required level of access-control protection.
BT38-MPKI6-TRF-V1.1 149
Because of this, systems protected only by password-based solutions are highly vulnerable to security attacks. Certificate-based authentication systems provide an alternative to traditional password-based systems. Digital IDs can be used either as a replacement for passwords, or in conjunction with them for added security. Certificate-based authentication systems offer greater security, even if not used in conjunction with a password-based solution. This is because for a user to establish his or her identity in a two-factor authentication system, he or she must prove possession of a token (the private key) and knowledge of a passphrase. The passphrase that a user supplies is typically a PIN (Personal Identification Number) that unlocks a smart card, or is a password to decrypt a private key.
Subscriber Authentication
When a Web browser accesses an SSL-enabled Web server, the browser always unilaterally authenticates the server.
150
BT38-MPKI6-TRF-V1.1
The authentication of the Web server is based on the servers SSL certificate, the servers ability to prove that it possesses the private key corresponding to its certified public key, the notion of trust (root keys) in the browser, certificate revocation information, and other policy factors. During the SSL handshake protocol, the Web server can optionally authenticate the subscriber who is trying to access the resource through the Web browser. The authentication of the subscriber to the Web server results in a mutual authentication of the Web server and Web browser. The Web server uses the subscriber certificate, the subscribers ability to prove that she possesses the private key corresponding to her certified public key, the servers trust policy, revocation data, and other policy rules to determine whether to trust the identity of the subscriber.
certificate mapping API to map subscriber certificates to LDAP accounts in order to determine and enforce access rights. An enterprise can also store account information and access privileges in a relational database, and write custom code to look up subscribers access privileges in the database based on their certificates. Access Control Architectural Models on page 153 discusses a variety of access control architectures.
In the Netscape LDAP case, for example, remove the subscribers account information. If an enterprise is using a relational database to store account information, either remove the subscribers account or turn off the subscribers privilege by setting a flag in the database. If an enterprise is using Microsoft IIS to map certificates to Windows accounts, it can disable the subscribers account. This issue is discussed in Access Control Architectural Models on page 153.
BT38-MPKI6-TRF-V1.1
153
Because the decision to grant or deny access is based on the root signature, this model works best with private Managed PKI hierarchies. This model can also work with public hierarchies on some servers. For example, with IIS, the server needs additional configuration to use advanced certificate mapping so that only public Managed PKI certificates that have a specific value in a certain organization field in the subject information are accepted. It is critical to configure the Web server to check the revocation information and to revoke a subscribers certificate when he or she should no longer be allowed to access a resource. Keep in mind that there is an interval during which the access control system might violate its integrity rules. This interval is the time between when a person should no longer be permitted to access a resource and when the persons certificate is revoked and the revocation information is updated. You can use this method in conjunction with another level of security (application-level passwords) to give individuals specific access privileges. This is a useful implementation for enterprises that have an existing security infrastructure, and that want to add certificates as an added, more-secure layer of access control in addition to the existing method.
154
BT38-MPKI6-TRF-V1.1
An enterprise can, for example, create one distinct account for each of its business partner companies and issue a certificate for each designated employee of a business partner. Certificates could have a field that distinguishes business partners from each other, such as an organizational unit field. The enterprise can then configure its Web server and map all the designated employees of a business partner to the appropriate account configuration for that partner. An organization thus imposes its access control policies by carefully setting up access privileges for each business partner account. If the enterprise needs to support different access privileges for employees within a particular business partner, it can configure more than one account for the partner and use another field in the certificate, such as the organizational unit, to carry out the appropriate mappings. Although this is an example of an extranet case, mapping certificates to user accounts is not limited to extranets. An enterprise can use the same techniques to control access for its internal employees. For example, it can configure an access control solution that determines access based on the department for which an employee works. To revoke the access privileges of a previously authorized person, either the certificate can be revoked, or the account used for certificate mapping can be disabled. The latter option works only if the person has a dedicated account for mapping. If the person shares the mapped account with other subscribers, certificate revocation is the only option. In any case, it is always recommended to deny access at every point at which denial is possible.
BT38-MPKI6-TRF-V1.1
155
For example, Netscape Web servers use a certificate mapping API to control the mapping of subscriber certificates to user accounts. An enterprise might customize this API and use the common name field of a certificate to assign a unique account for every subscriber, or use the organization field to map many subscriber certificates to one account. Netscape provides a tight integration between its Web servers and LDAP directory and an end-to-end access control solution based on this model. As with the previous model, an enterprise can use several methods to remove a subscribers access privileges. It can revoke the persons certificate and perform revocation checking with the Web server, disable the persons account information from the LDAP directory, or implement both methods together. If the access control system maps more than one subscriber to one account, however, the second method does not work and certificate revocation is the only practical method for denying access.
Map to Database
This model is similar to the LDAP model, except that account information is kept in a non-LDAP compliant database. The overall decision flow is the same. A subscriber presents a certificate in order to access a resource; the access control system authenticates the subscriber and then uses the certificate as an index into the database to determine account information and access rights. Mapping a certificate into a database entry may involve more custom programming than the LDAP case, because Web server vendors do not generally provide end-to-end solutions. To remove the access privileges of a user from the system, the subscribers certificate can be revoked, or the subscribers account information in the database can be disabled, or both.
156
BT38-MPKI6-TRF-V1.1
First, obtain the CA that you want to trust. Create a certificates management console to manage the certificates for the computer you are working on, as follows:
a b c d e f g
From the Start menu, click Run. The Run dialog box appears. Type mmc and choose OK. From the Console menu, click Add/Remove Snap-in. In the next dialog box, click Certificates, and then choose Add. Click Computer account, then choose Next. Click Local computer, then choose Finish. Choose Close, and then choose OK. The Certificates directory now appears in the left pane of the console. From the Console menu, click Save As. In the File name text box, type Certificates, and then choose Save.
h i 3
In the console, expand the Certificates node. Then expand Trusted Root Certification Authorities.
BT38-MPKI6-TRF-V1.1
157
Right-click the Certificates folder, point to All Tasks, and then click Import, as shown below.
The Certificate Import Wizard starts. Choose Next. Choose Browse to select the CA certificate you want to import. Then choose Next. Select Place all certificates in the following store, and choose Browse and select the Trusted Root Certification Authority store. Then choose Next to store the CA certificate. Read all the information in the Completing the Certificate Import Wizard window, and then choose Finish.
The CA certificate is now installed. Verify this by scrolling through the certificates list in the right pane and locating the certificate you just installed. Installing a Server Certificate Refer to your supplier for instructions on installing server certificates.
158
BT38-MPKI6-TRF-V1.1
Requiring Subscriber Certificates To require users to present their certificates when they access an SSL-enabled Web server, you must first configure IIS to use the SSL protocol and then instruct IIS to require subscriber certificates. IIS is typically configured to use the Private Communication Technology (PCT) protocol with browsers that support PCT, such as IE.
To view the default protocol (IE 4.0)
If you have IE 4.0, follow these instructions to view the default protocol:
1 2 3
Make sure SSL is enabled on the Web server. Connect your IE browser to IIS using the https protocol. Double-click the lock symbol that appears at the bottom of the browser window. In the Properties dialog box, select the Security protocol field.
If the value of Properties field is PCT instead of SSL or TLS (TLS or Transport Layer Security is the latest version of SSL), you must edit the Windows registry, as explained in To change the default setting: on page 160.
BT38-MPKI6-TRF-V1.1
159
Note It is possible to configure IE to force IIS to use SSL instead of PCT. In that case, the Security protocol field displays SSL even though the servers default protocol is still PCT. Unless you have specifically configured IE to use SSL, you can assume the Security protocol field shows IIS default security protocol field.
If you have IE 5.0, follow these instructions to view the default protocol:
1 2 3
Make sure SSL is enabled on the Web server. Connect your IE browser to IIS using the https protocol. Place the cursor on any text on the Web page (avoid graphics or links). Right-click Properties. The protocol version appears in a dialog box.
From the Start menu, click Run. The Run dialog box appears. Type regedit and click OK. The Registry Editor starts.
Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Neither VeriSign nor Microsoft can guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
CAUTION 3
Open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0 subkey and select Server. From the Edit menu, select New, and then select Binary Value. A new value appears in the right-side pane. If necessary, right-click the new item and select Rename. Type Enabled and press Enter. Right-click the enabled item and select Modify. The Edit Binary Value dialog appears. Type 00000000 (eight zeros) and click OK.
160
BT38-MPKI6-TRF-V1.1
8 9
Select Exit from the Registry menu bar to close the Registry Editor. Reboot the computer. This change will take effect the next time you start Windows.
In this procedure, you instruct IIS to require subscriber certificates. You can use these steps to protect your entire Web site, individual directories, or individual files.
1 2
Make sure SSL is enabled on the Web server. Bring up Microsoft Management Console (MMC), select your Web site, right-click and select Properties from the pop-up menu. Select the Directory Security tab (Figure A-3)..
BT38-MPKI6-TRF-V1.1
161
In the Secure Communications dialog box, check the Require Secure Channel when accessing this resource box, and select Require Subscriber Certificates (Figure A-4)..
Make sure SSL is enabled on the IIS server. Install the private CA root in the Web Server. See Installing a Private CA on IIS with Windows 2000 on page 157 for instructions.
BT38-MPKI6-TRF-V1.1
162
Configure the list of trusted roots on IIS. Enable the Managed PKI private root and disable all the other roots. If you leave a public root enabled, a subscriber with a certificate issued by a root other than your private root can access the Web resources. Require subscriber certificate authentication by following the instructions in Requiring Subscriber Certificates on page 159. Install the VeriSign Managed PKI Certificate Validation Module (CVM) on the Web server. See Managed PKI Certificate Validation and Parsing Guide for instructions.
Recommended Testing Use the following test scenario to test the basic functionality of the access control system.
1
Use Managed PKI to issue a subscriber (browser) certificate for yourself under your private hierarchy. Use the certificate to access a resource on the Web server. Access Managed PKI to revoke your certificate and update the CRL. You should no longer be able to access the Web server. Try to access the Web server using a certificate issued by a root other than your private root. Access should be denied. A good test would be to use a certificate issued by a public root you disabled when you configured the list of trusted roots.
BT38-MPKI6-TRF-V1.1
163
The Web server must first authenticate subscriber certificates before it can map them to accounts. If you are using a private Managed PKI hierarchy, you must import the private root into IIS, as described in Just Trust the Root (IIS) on page 162. Regardless of the type of hierarchy (private or public), it is recommended to configure the list of roots trusted by IIS and remove the unnecessary public roots.
Note
You can use the subscriber certificate mapping feature in two ways. First, you can configure IIS to handle each certificate in its entirety and map a user to a Windows account if the full content of a users certificate matches a predetermined certificate. Second, or in conjunction with the first method, you can specify matching rules and configure the certificate mapping based on specific certificate fields, such as the users organization name. These two methods are described in the following subsections. Map the Certificate to a User Account You can configure IIS to match a subscriber certificate to a list of internally-defined certificates and to map to a Windows account if a match is found. When you configure IIS to map certificates individually, you must specifically define a mapping for each user who needs to access the Web server. IIS documentation uses the term one-to-one mapping for this method of subscriber certificate mapping. Contrary to what you might think it means, one-to-one mapping does not necessarily imply that you must map each subscriber certificate to a distinct account. You can map multiple certificates to a single account, but you must define a one-to-one mapping for each subscriber certificate. The need to define a mapping for each user, however, poses a scalability issue. Another issue with the one-to-one mapping approach is that you must have a text (ASCII) copy of the subscribers certificate during configuration. This may not always be possible.
164
BT38-MPKI6-TRF-V1.1
You can use Active Server Pages to create a script for extracting subscriber certificate information from the users HTTP request header. See the Active Server Pages documentation for more information. Follow these instructions to configure your access control system:
1
Determine the number of accounts needed for mapping. Refer to Map to User Accounts on page 154 for more information. Configure all the required accounts on your system. If each certificate holder already has an account (for example, they are employees) you can use the existing accounts.
Determine the resources (files and directories) you want to restrict and assign an appropriate ACL to each resource. The resources must reside on an NTFS partition. Follow the instructions in Just Trust the Root (IIS) on page 162 to configure the list of roots trusted by IIS. Bring up the Microsoft Management Console (MMC). Select your Web site. Right-click and select Properties from the pop-up menu. Select the Directory Security tab from the Properties dialog box. Click the Edit button under Secure Communications. In the Secure Communications dialog box, check the Require Secure Channel when accessing this resource box, select Require Subscriber
BT38-MPKI6-TRF-V1.1
165
Certificates, and check the Enable Subscriber Certificate Mapping box, as shown.
Figure A-5 Enabling subscriber certificate mapping in the Secure Communications dialog box
166
BT38-MPKI6-TRF-V1.1
Click the Edit button in the Secure Communications dialog box. The Account Mappings dialog box appears (Figure A-6). Select the Basic tab.
In the Account Mappings dialog box, click the Add button to define a new mapping. You must first designate the certificate used for mapping. You must have a text (ASCII) copy of the subscribers certificate. Click the Open button to open the Map to Account dialog box.
BT38-MPKI6-TRF-V1.1
167
Specify the account that should be used for mapping in the Map to Account dialog box (Figure A-7).
IIS displays the new mapping in the Account Mappings dialog box (Figure A-8). Define any additional mappings. Save the changes.
Determine how you intend to handle revocation of access privileges. Install the VeriSign Managed PKI Certificate Validation Module (CVM) on the Web server if required.
168
BT38-MPKI6-TRF-V1.1
Figure A-9 Account Mappings dialog box with a new mapping defined
Recommended Testing Use the following test scenario to test the basic functionality of the access control system.
1 2
Use Managed PKI to issue a subscriber (browser) certificate for yourself. Map your Digital ID to an account that has access privileges to a resource. Use the Digital ID to access that resource on the Web server. Use a Digital ID that is not mapped to any account to access the resource. Access should be denied. If you have installed the CVM, access Managed PKI to revoke your mapped Digital ID and update the CRL (in most cases, you have to wait 24 hours). You should no longer be able to access the Web server.
Map the Certificate to a User Account Based on Certificate Fields (IIS) A more practical way to map certificates to accounts is to configure IIS to match certificates based on their fields.
BT38-MPKI6-TRF-V1.1
169
For example, you can set up IIS to map all certificates whose organization field is businessPartner1 to the businessPartner1 account, and map all certificates whose organization field is businessPartner2 to businessPartner2 account. You can also use it to mimic the just trust the root configuration of private hierarchies. The many-to-one mapping (a term used in IIS documentation) eliminates both the need to have access to users certificates during the configuration phase and the need to configure a mapping for each user. As an Managed PKI administrator, you must carefully design the content of end-user certificates if you are planning to use certificate fields for mapping. The Policy Wizard lets you define additional fields in end-user enrollment pages and to specify the fields you want to appear in certificates. You can run the Policy Wizard multiple times. If you are using Local Hosting or Automated Administration, you may have to make changes to the certificate lifecycle Web pages.
Note
IIS formats the information within subscriber certificates into arrangements of fields and subfields. Field names represent general categories of information and consist of subfields, which contain specific identification information. IIS supported field names are Subject, Issuer, and Serial Number. The following list describes the basic subfields contained in a certificate: Organization (O) Preferably International Organization for Standardization (ISO)-registered top-level enterprise or company name. Organizational Unit (OU) A department within an enterprise, such as Marketing. Common Name (CN) The domain name of the server, for example, www.microsoft.com. Country (C) Two letter ISO country designation (for example, AU, FR, UK, US) State/Province (S) Full name of the state or province with no abbreviation (for example, Washington, Alberta, California). Locality (L) The full name of the city in which your organization is located, such as Redmond or Toronto.
170 BT38-MPKI6-TRF-V1.1
Initials (I). Given Name (GN). Title (T). Follow these instructions to configure your access control system:
1
Establish the certificate mapping rules you intend to use. Determine the certificate fields required to support the mapping rules. Run the Policy Wizard and customize the end-user enrollment pages accordingly. Specify the number of accounts needed for mapping. Refer to Map to User Accounts on page 154 for more information. Configure all the required accounts on your system. Determine the resources (files and directories) you want to restrict and assign an appropriate ACL to each resource. The resources must reside on a NTFS partition. Follow the instructions in Just Trust the Root (IIS) on page 162 to configure the list of roots trusted by IIS. Start MMC and select your Web site. Right-click, and select Properties from the pop-up menu. Select the Directory Security tab from the Properties dialog box. Click the Edit button under Secure Communications. In the Secure Communications dialog box, check the Require Secure Channel when accessing this resource box, select Require Subscriber Certificates, and check Enable Subscriber Certificate Mapping. Click the Edit button in the Secure Communications dialog box. Account Mappings dialog box appears. Make sure the Advanced tab is selected (Figure A-15). Click Add to add a new rule. In the General dialog box (Figure A-13), provide a description of the new rule. Determine whether you are going to apply the rule to only specific CAs or all those that you trust.
8 9
It is always recommended to narrow the number of trusted issuers. You can, for example, trust only the root of your Managed PKI hierarchy.
Note
BT38-MPKI6-TRF-V1.1
171
10
Click New to edit the rule (Figure A-11). Implement the mapping rules according to your organizations policy. You can use the * (asterisk) wild card character.
172
BT38-MPKI6-TRF-V1.1
12
Click OK. Your new rule appears in the Rules dialog box (Figure A-12).
Click Next. Determine the Windows account you should use for mapping (Figure A-13).
BT38-MPKI6-TRF-V1.1
173
14
Click Finish. The new rule appears in the Account Mappings box (Figure A-14). You can use the Move Up or Move Down buttons to reorder the rules.
Because IIS uses the first matching rule for account mapping, the rules should be ordered from the most specific at the top to the least specific at the bottom.
Note
It is recommended to have your last rule apply to all remaining certificates and refuse access. That way, any certificate that does not match one of your other rules will not be allowed to connect to the server.
One method for doing this is to use the wildcard to match against the Serial Number of the certificate, and then refuse access. Without this last rule, certificate holders with no match would be allowed to connect to your Web server with the default Internet user account (IUSR_[servername].)
174
BT38-MPKI6-TRF-V1.1
15
Determine how you intend to handle revocation of access privileges. Install the VeriSign Managed PKI Certificate Validation Module (CVM) on the Web server if required.
BT38-MPKI6-TRF-V1.1
175
Recommended Testing Use the following test scenario to test the basic functionality of the access control system.
1
Use VeriSign Managed PKI to issue a subscriber (browser) Digital ID for yourself. Define a new mapping rule that maps your certificate to an account that has access privileges to a resource. Use the Digital ID to access that resource on the Web server. Issue another Digital ID that does not pass the mapping rule. You should not be able to access a restricted resource on the server. Test revocation.
Enable SSL on the Web server. Install the private CA root in the Web Server. Point your browser to the Managed PKI Control Center, and click the Install CA link in the
176
BT38-MPKI6-TRF-V1.1
Configuration menu. Copy the CA certificate that appears in the page (Figure A-17).
In the Netscape Administration Server, select the Keys & Certificates menu under GENERAL ADMINISTRATION and then click the Install Certificate link. Paste the root (CA) certificate in the Message text area. Add the text -----BEGIN CERTIFICATE----- as the first line of the certificate. Add the text -----END CERTIFICATE----- as the last line of the certificate.
BT38-MPKI6-TRF-V1.1
177
Select Trusted Certification Authority (Figure A-18) and click OK. Follow the instructions to install your root.
Configure the list of trusted roots on the Web server. (Click the Manage Certificates link under the Keys & Certificates menu. Make sure to enable the Managed PKI private root and disable all the other roots.) If you leave a public root enabled, a subscriber with a certificate issued by a root other than your private root can access the Web resources.
Select your server instance from the Netscape Administration Server. Require subscriber certificate authentication by choosing the Encryption Preferences link under the Server Preferences menu and setting Require subscriber certificates to yes. Restart the Web server. Install the VeriSign Managed PKI Certificate Validation Module on the Web server. Refer to Manged PKI Certificate Validation and Parsing Guide for instructions.
6 7
Recommended Testing Use the following test scenario to test the basic functionality of the access control system.
178 BT38-MPKI6-TRF-V1.1
Use Managed PKI to issue a subscriber (browser) Digital ID for yourself. Use the Digital ID to access a resource on the Web server. Access Managed PKI to revoke your Digital ID and update the CRL. You should no longer be able to access the Web server. Try to access the Web using a certificate issued by a root other than your own. Access should be denied. It is best to use a certificate issued by a public root you disabled when you configured the list of trusted roots.
Configure user and group information. Configure user and group information in the database, either a local database or Netscape Directory Server (LDAP). Because you first install the administration server, you can configure the server to use either a local database or a directory server. You can, however, change this configuration later after the administration server is installed, as described in Configuring an Access Control System With User Accounts in an LDAP Directory (Netscape) on page 183.
Use the Netscape administration server to restrict access to resources. The process of access restriction involves choosing a resource and specifying a list of users and groups with their corresponding access rights to that resource. Designate the authentication method, which can be default, basic, SSL, or other. In the basic authentication method, a user must provide a user name and password to gain access to the resource. The Netscape Web server first confirms the users identity by looking up the username and password in the database (authentication) and then uses the ACL associated with the resource to determine whether it should grant the access (authorization).
With the SSL authentication, the Web server uses the subscriber certificate to search the database for the users entry. If the entry is found, the server can optionally compare the certificate received against the certificate in the directory. The next two sections discuss in more detail how the server searches the database.
Note
BT38-MPKI6-TRF-V1.1
179
If the Web server can successfully map the certificate to a user account, it proceeds to authorize the user by using the mapped account in conjunction with the ACL on the resource.
4
Define exactly how the Web server searches for the user entry in the LDAP database. You should configure the certmap.conf mapping file, and decide whether you need to customize the Certificate Mapping API. The next two sections provide more information on the certmap.conf file and the Certificate Mapping API.
You can customize the process of mapping a subscriber certificate to a user account by defining how the Netscape Web server searches the LDAP directory for a users entry. You can also specify whether the server should verify that the submitted subscriber certificate matches the users certificate in the directory. The certmap.conf mapping file, which contains the above customization information, determines: The branch in the LDAP tree where the server should begin its search. The certificate attributes that the server should use as search criteria when searching for the entry in the LDAP directory. Whether the server should compare the submitted subscriber certificate with the certificate under the users entry. To customize the mapping process, you must edit the certmap.conf file, which is located under <server_root>/userdb/. For details on configuring this file, refer to Managing Netscape Servers (a manual) or see Certificate-Mapping Programmers Guide. These documents are available from Netscape. This section includes an overview of this file taken from these sources. You can use the following properties in the certmap.conf file:
DNComps. A list of comma-separated attributes used to determine where in the
LDAP directory that the server should start searching for entries that match the certificate subjects information. The server substitutes values for these
180
BT38-MPKI6-TRF-V1.1
attributes from the subscriber certificate to form an LDAP distinguished name (DN). For example, if you set DNComps to use the o and c attributes of the DN, the server starts the search from the o=org, c=country entry in the LDAP directory.
FilterComps. A list of comma-separated attributes used to create a filter by
substituting information from the subject DN of the subscriber certificate. For example, if you set FilterComps to use the e-mail and user ID attributes, the server searches the directory for an entry whose values for e-mail and user ID match the certificate subjects information.
VerifyCert. This flag takes a binary value (on or off) and instructs the server
whether it should compare the subscriber certificate with the certificate found in the LDAP directory.
CmapLdapAttr. If there is a CmapLdapAttr property in the certmap.conf
file, the server searches the entire LDAP directory for an entry whose attribute, named with this property, matches the certificate subjects DN. If the search does not find any matches, the server reverts to using the DNComps and FilterComps mappings.
library. The pathname to a shared library or DLL. This property is used only
if you are customizing the certificate mapping API (explained in Certmap.conf Configuration File for Managed PKI (Netscape) on page 182).
InitFn. The name of an initialization function from a custom library, used only if you are customizing the certificate mapping API Example certmap.conf File
In the example, the server determines the starting search branch in LDAP by collection values for the organizational unit (ou), organization (o), and country (c) of DNComps from the subscriber certificate subject DN.
BT38-MPKI6-TRF-V1.1
181
The e-mail address and user ID from the subscriber certificate are used to search for a match in the LDAP directory, as identified by FilterComps. Finally, the server is instructed to match the subscriber certificate against the one stored in the directory when it finds a matching entry in LDAP.
You can also configure the mapping process programatically through a set of API functions, referred to as the Certificate Mapping API. The main API function calls into three other API functions to find a certificate subjects entry in the directory. It first calls the certificate mapping function, which uses the submitted certificate and the certmap.conf file to generate a base DN and
182
BT38-MPKI6-TRF-V1.1
a search filter. The base DN determines the entry from which the search should begin. For example, if the base DN is <O=ACME, C=US>, a subtler search looks up through all entries in the directory that have <O=ACME, C=US> in their distinguished names. The base DN and search filter is passed to the certificate search function, which actually searches the directory for the certificate subjects entry and returns a list of matching entries. Finally, the main API function calls the certificate verification function to narrow down the list to a single matching entry and verify that the entry has an associated certificate. The three functions described above define the process of finding a certificate subjects entry in the directory. You can write your own versions of the functions, compile them into a shared library or a dynamic linked library (DLL), and modify the certmap.conf file to load your library and use the customized functions instead of the default API functions. To use this API, you need a copy of the Directory SDK, available from the Netscape DevEdge site at http://developer.netscape.com.
Configuring an Access Control System With User Accounts in an LDAP Directory (Netscape)
Follow these instructions to configure an access control system with user accounts in an LDAP directory.
1
When you install your LDAP directory, you must enable the option that allows LDAP to be used with Web servers. If this option is not enabled, Netscape Web servers cannot integrate with LDAP. Determine whether you want to store certificates in LDAP. Managed PKI provides a Directory Integration Toolkit that you can use to populate your LDAP with certificates. The Managed PKI Automated Administration option is required if you want to use this toolkit. Make sure SSL is enabled on the Web server. If you are using an Managed PKI private hierarchy, follow steps 2 through 4 of the previous section to install your private root and to configure the list of trusted roots on the Web server.
3 4
BT38-MPKI6-TRF-V1.1
183
If you are using a public hierarchy, restrict the list of trusted roots to only the VeriSign Class 2 Public Primary CA. Select your server instance from the Netscape Administration Server. Require subscriber certificate authentication by choosing the Encryption Preferences link under the Server Preferences menu and setting Require subscriber certificates to yes. Configure the directory service (Figure A-19). However, skip this step if you configured the service when you installed the Netscape Administration Server.
In the Netscape Administration Server under GENERAL ADMINISTRATION, click Global Settings and select the Configure Directory Service link (Figure A-20). Select Local Database or LDAP Directory Server in the Obtain Directory Service From field. If you choose LDAP Directory Server, you need to provide the host name and port number of the directory server. Refer to the Netscape online help for a description of the fields.
8
184
Design and implement your access control policy in the Web server. From the Server Preferences menu, click the Restrict Access link (Figure A-21). Under Pick a resource, select a resource and click the Edit Access Control button (Figure A-21). Figure A-22 shows the user interface to define an ACL. Figure shows what happens when you click anyone under User/Groups. In the User/Group dialog box, provide the group and user information, as entered in LDAP, and choose SSL as the authentication method.
BT38-MPKI6-TRF-V1.1
185
186
BT38-MPKI6-TRF-V1.1
Configure the certmap.conf file. Customize the Certificate Mapping API, if needed. Restart the Web server. If you are planning to check for revocation information, install the VeriSign Managed PKI Certificate Validation Solution Kit on the Web server. See the Manged PKI Certificate Validation and Parsing Guide for instructions.
Recommended Testing
The following test scenario tests basic functionality of the access control system:
1 2 3 4 5
Use Managed PKI to issue a subscriber (browser) Digital ID for yourself. Set up an account for yourself in LDAP. Configure the certmap.conf file to map your Digital ID to your account. Setup an access control rule. Issue another Digital ID that does not pass the mapping rule. You should not be able to access a restricted resource on the server. Test revocation.
187
BT38-MPKI6-TRF-V1.1
Install and configure Managed PKI. Decide whether you want to use the Managed PKI Local Hosting and Automated Administration options. Decide whether you want to use the Managed PKI Personal Trust Agent option. Pick an access control model. Determine what information must appear in each certificate to support your access control model. Run the Policy Wizard to configure the end-user enrollment pages. Determine your revocation checking method(s). Ideally, your access control system should warn users if their certificate is about to expire. Alternatively, if feasible, it should renew their certificates automatically.
4 5
188
BT38-MPKI6-TRF-V1.1
APPENDIX B
VeriSign uses industry standards to ensure that Certification Authorities (CAs) and certificates as supplied by BT Trust Services are readable across different platforms and character encoding formats. Character encoding formats specify how computers process the characters for a given language. To meet these standards, VeriSign CA and certificate information can contain only specific characters. Users can enroll for certificates using any of the encoding formats that BT Trust Services supports. For information on supported encoding formats, see Managed PKI Installation and Configuration or Key Management Service Installing Managed PKI with Key Management Service. VeriSign certificates are encoded in the encoding used by the user. The certificate encoding is associated with the certificate. This enables consumers of the certificate to properly interpret and display certificate data. This appendix includes the following topics: Characters Allowed on Administrator Pages on page 190 Characters Allowed on End-user Enrollment Pages on page 191
BT38-MPKI6-TRF-V1.1
189
190
BT38-MPKI6-TRF-V1.1
A through Z, a through z, 0 through 9, spaces, and the following special characters: ' ( ) + , - . / :
BT38-MPKI6-TRF-V1.1
191
192
BT38-MPKI6-TRF-V1.1
APPENDIX C
This appendix gives an overview of the information path from initiation of a request on the client browser, through the processing center, and back to the originating browser. The progression is essentially the same for Local Hosting and BT Trust Services-hosted situations. A typical process flow is shown in Figure C-24.
The following example describes the steps involved when a subscriber searches for an associates certificate.
1
A subscriber wants to send encrypted e-mail to an associate, which requires the associates certificate. To locate and download the certificate, the subscriber
BT38-MPKI6-TRF-V1.1
193
uses a browser to access the Digital ID Center index page, shown in Figure C-25.
The subscriber clicks the Search link to open the Search for Digital IDs page (Figure C-26).
194
BT38-MPKI6-TRF-V1.1
In the Search for Digital IDs page (Figure C-26), the subscriber enters the associates e-mail address and selects all certificates. Then, the subscriber clicks the Search button to submit the form.
Through the HTTP POST operation, the form is submitted to a CGI program, hosted at BT Trust Services. Using a form definition file (FDF) associated with the Find Certificate page, the CGI program extracts the specified values from the form (in this example, jane@acme.com and all certificates). The CGI program then passes these values to the VeriSign software that processes the request. The VeriSign software locates all certificates for jane@acme.com and passes the response value (the list of certificate information for jane@acme.com) back to the CGI program. Then, the CGI program passes this value to another CGI program (haydn) which is hosted on your Web server. Using FDFs, haydn
BT38-MPKI6-TRF-V1.1
195
converts the values to named variables and displays the Search Results VHTML (Variable HTML) page to the subscriber (see Figure C-27).
196
BT38-MPKI6-TRF-V1.1
APPENDIX D
This appendix includes the following sections: Using Managed PKI LDIF Files with Netscape iPlanet 4.x on page 197. Importing Managed PKI LDIF Files into iPlanet Directory Server v5.0 on page 204.
Follow the these steps to set up and configure the directory (iPlanet Directory Server 4.x). These instructions assumes that you are building a directory server from scratch. You can omit the initialization steps if you already have a directory server up and running.
BT38-MPKI6-TRF-V1.1
197
Configuration
Configure Server Configure your server according to recommendations from the Netscape LDAP Server documentation. Your configuration should include all database tuning parameters (allidthreshold, dbcache, cache) as well as server configuration (port number, user, admin account and password, modification tracking on/off and so on). Define Schema You must define a schema for your directory that is compatible with Managed PKI. Managed PKI defines a new attribute type, and two new objects for storage in the directory: branch and subscriber (or entry). These objects are named using the attribute objectclass. Following is an example of the Managed PKI attribute and object definition.
Managed PKI Attribute Definition
Appendix D Using Netscapes Directory Server with Managed PKI LDIF Files
objectclass branch requires objectClass allows userSMimeCertificate;binary, sn, st, "brought by", unstructuredAddress, street, serialnumber, userCertificate;binary, userCertificate, cn, c, mail, labeleduri, o, ou, l objectclass subscriber requires objectClass allows userSMimeCertificate;binary, sn, st, "brought by", unstructuredAddress, street, serialnumber, userCertificate;binary, userCertificate, cn, c, mail, labeleduri, o, ou, l
BT38-MPKI6-TRF-V1.1
199
Adding Object Definitions To add the objectclass definitions to your server, modify your slapd.conf file (located in the config subdirectory of your server instance). Your slapd.conf file begins with commented lines that start with hash marks (#), followed by lines that include other files. You should add new lines to include the attribute and object definition file. The first few lines of your slapd.conf should now resemble the following:
# Used by Netscape Directory Server include /usr/netscape/server4/slapd-myServer/config/slapd.at.conf include /usr/netscape/server4/slapd-myServer/config/slapd.vs.at.conf include /usr/netscape/server4/slapd-myServer/config/slapd.oc.conf include /usr/netscape/server4/slapd-myServer/config/slapd.vs.oc.conf access log /usr/netscape/server4/slapd-myServer/logs/access
The ordering of the include files is critical. You must include slapd.at.conf before slapd.vs.at.conf. You must include slapd.vs.at.conf and slapd.oc.conf before slapd.vs.oc.conf.
Note
Choosing a Base DN You will have to choose a baseDN. Your baseDN is comprised of the maximum amount of static naming information you want to store in your directory. Typically, this will be your Company and Department name, which is the top few levels of your Subscriber Certificate's Subject Names. This portion of the name is static across all Certificates that you publish to your directory. For example, a good choice might be a baseDN of o=MyCompanyName,ou=MyDepartmentName Once you have selected your baseDN, you should modify your slapd.conf file to reflect this. You will also have to choose an administrative account name and password and create access control information (who is allowed to search the directory, who is allowed to add/delete information from the directory, etc.). See your directory server documentation and online help for more information. If you are using an existing directory, create a new suffix for the top-level entry in your LDIF file (if it does not yet exist).
200
BT38-MPKI6-TRF-V1.1
Appendix D Using Netscapes Directory Server with Managed PKI LDIF Files
Create Directory
Once you have installed and configured your directory server, you are ready to create your initial directory. This can be done through the Netscape administrative server UI or through the ldif2db command. See your server documentation and online help for more information on creating your directory. Once you have created your directory, verify that it contain access control information and an entry for your baseDN. Adding data to the directory You can add data to your directory using Netscape's ldapmodify command and the LDIF file that you downloaded from Managed PKI. To add data, issue the following command with the appropriate LDIF file name, administrator user name, and password:
ldapmodify -a -h <LDAP host> -p 389 -D "cn=Directory Manager" -w "password" -c -v -f <LDIF file>
The -c flag (required) indicates that the utility should continue to process even if it encounters a duplicate entry. Remove data from the directory Your can remove data from your directory using Netscape's ldapdelete command and the remove LDIF file you downloaded from Managed PKI. To remove data, issue the following command with the appropriate LDIF file name, administrator user name, and password:
ldapdelete -h <LDAP host> -p 389 -D "cn=Directory Manager" -w "password" -f <LDIF file to remove>
Start Communicator. In the Edit menu, select Preferences. Expand Mail & Groups.
BT38-MPKI6-TRF-V1.1
201
4 5 6 7 8
Select Directory. Select New. Enter a friendly name in the Description field. Enter the name of your directory machine in the LDAP Server field. Click OK.
In the task bar, click Start. Select Find from the program list. Select People from the Find list. In the Look In box, select Directory Services. Click Add. In the Internet Directory (LDAP) server field, enter the name of your directory host. Click Next. Click Next again. Enter a friendly name in the Internet Directory Service Name field. Click Finish. Select the friendly name from Step 9 in the Internet Accounts window. Select Properties. Click the Advanced tab. Select the Use Simple Search Filter option. Click OK.
7 8 9 10 11 12 13 14 15
202
BT38-MPKI6-TRF-V1.1
Appendix D Using Netscapes Directory Server with Managed PKI LDIF Files
3 4 5 6 7 8 9 10 11
Enter a subject and a body for the message. Click the Security button. If the upper right pane indicates that you may encrypt the e-mail, skip to Step 8. Click the Get Certificates button. Select the friendly name that you created in Step 9 on page 202. Click OK to close the Netscape Security Advisor. Click the Select Message Options tab. Click Encrypt. Click Send.
Select Compose Message (CTRL-N). Select an addressee. Enter subject and body for the message. Click the Encrypt Message button on the task bar. Click Send. If you did not successfully send encrypted mail, continue with Step 6. In the Tools menu, select Address Book. Click the Find button in the toolbar. Select the friendly name that you created in Step 9 on page 202. Enter the name or e-mail address of the addressee. Click Find. A result list should appear. If the list is empty, then your addressee was not found in the directory. Double-click the entry that you wish to view. Confirm this is the entry you want (confirm e-mail address). Click Add to address book. Click OK.
6 7 8 9 10
11
12 13
BT38-MPKI6-TRF-V1.1
203
14
Click Send.
Importing Managed PKI LDIF Files into iPlanet Directory Server v5.0
For iPlanet Directory Server 5.0, follow these steps to import Managed PKI LDIF files:
Step 1
Create the required Managed PKI schema extension in the LDAP server
VeriSign Managed PKI LDIF uses the following new attributes (See slapd.vs.at.conf and slapd.vs.oc.conf): unstructuredAddress and new objectclasses: branch subscriber You can perform this task from either the command line or Console. The following instructions describe the Console method. To create the new attribute unstructuredAddress:
1 2 3
Login as admin and switch to user cn=Directory Manager. Select the Configuration tab of the target LDAP server. In the left navigation tree, select the Schema folder and select the Attributes tab. Click Create. The Create Attribute dialog box appears. Enter unstructuredAddress in the Attribute Name text box. Optional: Enter an object identifier for the attribute in the OID text box. Select a syntax that describes the data to be held by the attribute from the Syntax menu. Select Directory String in this example. If you want the attribute to be multi-valued, select the Multi-Valued checkbox. Do not select any other items for this attribute.
4 5 6 7
204
BT38-MPKI6-TRF-V1.1
Appendix D Using Netscapes Directory Server with Managed PKI LDIF Files
Click OK.
On the Configuration tab, in the left navigation tree, select the Schema folder and then select the Object Classes tab in the right pane. Click Create. The Create Object Class dialog box appears. Enter branch for the attribute in the Object Class Name text box. Optional: Enter an object identifier for the object class in the Attribute OID text box. Select a parent object for the object class from the Parent menu. Select Top for this example. To add an attribute that may be present in entries that use the new object class, highlight the attribute in the Available Attributes list and then click the Add button to the left of the Allowed Attributes box. Repeat this step for each of the allowed attributes listed for this objectclass in the slapd.vs.oc.conf file. When you are satisfied with your object class definition, click OK.
2 3 4
Step 2
On the Directory Server Console, select the Configuration tab. Right-click Data in the left navigation pane and select New Root Suffix. The Create new root suffix dialog box appears. Enter a unique suffix in the New Suffix field. Enter c=US. Select the Create associated database automatically checkbox if a database should be created at the same time as the new root suffix. Deselect the checkbox to create a database for the new root suffix later. You may want to do this to be able to specify a directory in which the database will be created. The new root suffix is disabled until you create a database.
3 4
If you selected the Create associated database automatically checkbox in page 205, enter a unique name for the new database in the Database name field.
205
BT38-MPKI6-TRF-V1.1
Click OK to create the new root suffix. The suffix appears automatically under the Data branch in the left navigation pane.
Step 3
On the Directory Server Console, select the Tasks tab. Scroll to the bottom of the screen and select Import Database. You can also import by going to the Configuration tab and selecting Import from the Console menu. The Import Database dialog box appears.
In the LDIF File field, enter the full path to the LDIF file to import. Alternatively, click Browse to select the file. If you are running the console on a computer remote to the directory, the field name appears as LDIF file (on the computer running the console). This reminds you that when you browse, you are not browsing your current directory. Instead, you are browsing the file system of the machine running the console.
In the Options box, select one or more of the following options: Add Only. The LDIF file may contain modify and delete instructions in addition to the default add instructions. If you want the server to ignore operations other than add, select the Add Only check box. Continue on Error. Select the Continue on error checkbox if you want the server to continue with the import even if errors occur. For example, you might use this option if you are importing an LDIF file that contains some entries that already exist in the database in addition to new ones. The server notes existing entries in the rejects file while adding all new entries.
206
BT38-MPKI6-TRF-V1.1
Appendix D Using Netscapes Directory Server with Managed PKI LDIF Files
In the File for Rejects field, enter the full path to the file in which you want the server to record all entries it cannot import. Alternatively, click Browse to select the file. For example, the server cannot import an entry that already exists in the database or an entry that has no parent object. The console writes the error message sent by the server to the rejects file. If you leave this field blank, the server will not record rejected entries.
Click OK. The server performs the import and also creates indexes.
BT38-MPKI6-TRF-V1.1
207
208
BT38-MPKI6-TRF-V1.1
APPENDIX E
This appendix describes the process for adding input fields to the subscriber enrollment page. You can add fields to these pages only if you are locally hosting the Digital ID Center pages.
BT38-MPKI6-TRF-V1.1
209
The following is an example of the <INPUT> tag for a new field called userid:
<INPUT NAME=userid TYPE=text VALUE="" SIZE=20 MAXLENGTH=30>
210
BT38-MPKI6-TRF-V1.1
The following is an example of the line defining a new field called userid.
userid TEXT MANDATORY NONE NONE
Modifying enroll_wait.htm
Modify the enroll_wait.htm file by adding an INPUT TYPE tag for the new field. The following is an example of the INPUT TYPE tag for a new field called userid.
<INPUT TYPE=hidden NAME=userid TYPE=hidden VALUE="$$common_name$$">
Predefined Fields
Any field you add that is not predefined by VeriSign will not be returned by BT Trust Services as part of the certificate. Values entered by your subscribers in these fields are not available to AA for entry into your registration data source. However, VeriSign has predefined several customizable fields that do get returned with the certificate. Use these fields to add customized subscriber data to your registration data source. password. This field provides the subscribers password to AA, but unlike the other predefined fields, does not pass the value to BT Trust Services. Go Secure for Lotus Notes uses this field by default. common_name. This field allows the subscriber to enter his or her full name in one field rather than entering the first and last name in separate fields. This field gets passed to BT Trust Services and then back to AA for registration. You might use this field if you are pre-populating the enrollment page from a database or directory, and the subscribers name is stored as a full name. When using this predefined field, you must also remove the FirstName and LastName fields from the enrollment pages, FDF files, and enroll_wait.htm file.
BT38-MPKI6-TRF-V1.1
211
user_data. VeriSign has predefined five fields for subscriber data that can be added to the registration data source but do not need to be in the certificate: user_data_1 through user_data_5. These fields are passed to BT Trust Services and then back to the customer for registration. The user_data fields are already defined in the FDF files and in enroll_wait.htm, so you need only to add an <INPUT> tag to the enrollment pages to use them.
212
BT38-MPKI6-TRF-V1.1
APPENDIX F
This appendix describes how to remove a field from the standard Digital ID enrollment form. You can remove fields from these pages only if you are locally hosting the Digital ID Center pages. For example: If you are retrieving users Common Names from a directory or database, you may want to remove the First Name and Last Name input fields from the enrollment form. If you are not manually approving certificates, you may want to remove the Comments field. If your organization requires users to contact an administrator to revoke their certificate, you can remove the Challenge Phrase field from the enrollment page.
Overview
Removing a field from the enrollment pages is a relatively simple process, but it requires manual modification of the policy file, so it must be done with care. The policy file is created in the Control Center and lists the options for your account. Whenever you need to make a change to your account, you run the Policy Wizard from the Control Center and download a new policy file. Making manual changes to the file is discouraged, but sometimes useful, as in the case of removing a field from enrollment. Any manual edits that you make to the policy file will be lost each time you download a new policy file from the Control Center. Be sure to keep track of the
BT38-MPKI6-TRF-V1.1 213
changes that you make so you can re-apply them if you ever have to download a new copy of the policy file.
Removing a Field
To remove a field from the enrollment pages, you must edit its section or sub-container under the Enrollment section of the policy file. Each enrollment field has a sub-container with variables that tell the customization engine how to customize that field in the enrollment pages. To remove a field, you must edit that fields policyValue entry. For example, to remove the Comments field from the enrollment page, open the policy file in a text editor and change the Comments field policyValue from exists to absent:
. . Comments { # 0 sub containers policyValue:exists bRequired:OPTIONAL
to:
. . Comments { # 0 sub containers policyValue:absent bRequired:OPTIONAL
Once you have made the necessary changes, re-customize the pages by rerunning the install script (as described in Using Customizer Commands on page 8). If you are re-customizing pages you have already installed, be sure to use current install directory as both the source and destination arguments when you run the script:
install-[OS] D:\VeriSign\OnSite\webroot D:\VeriSign\OnSite\ webroot D:\ACMEBank.policy
By changing the policyValue to absent and re-customizing the pages, you allow the customization engine to modify all the appropriate HTML and FDF files to safely remove the Comments field from all the pages. If you ever decide to add the field back, then change the policyValue back to exists and rerun the install script.
214
BT38-MPKI6-TRF-V1.1
Index
Index
A
AA see Automated Administration AA server 29 components 28 aakeygen 42 access denying 155, 156 mapping by user account 154, 164, 169, 179 access control architecture 153 certificate-based 149 native IIS 151 native Netscape 151 using with Managed PKI 188 access control list 151, 154, 155, 165, 179, 185 ACL see access control list Active Directory 100 Active Directory Connect 100 Active Server Pages 165 AIX sitekit directory 13 APIs Automated Administration 50 Signing 56 verification and registration 52 ASP see Active Server Pages augmentation data 93 authentication 150 using an LDAP directory 29 using an ODBC database 29
authorization 150 Automated Administration 27 certificate renewal 36 detailed flow control 48 flow of control 48 linking to data source 87 operational overview 32, 83 signing utilities 41 using the APIs 50 Automated Administration APIs data structures 50 ProcessEntries 53 VSAA_NAME 52 VSAA_STATUS 52 Automated Administration server 29 automatic renewal for Microsoft Internet Explorer users 37 for Netscape Navigator users 37
B
base64 format 62 browser emulation 129 BT Trust Services Issuing Center 32
C
C field 170 certificate fields 170 revoking 154 Certificate Parsing Module 38 certificate proof of possession. 37 certificate renewal automatic 36 client authentication 39 re-authentication 39
BT38-MPKI6-TRF-V1.1
215
Managed PKI Technical Reference certificate revocation list 18, 105, 152 certificate signing request 32, 47 Certificate Validation Module 105, 168, 175 certificate-based access control 149 certificates publishing 130 publishing to Active Directory 100 revoking 18 certmap.conf file 180 CGI program 29, 32, 49 challenge phrase hidden 38 Chrysalis-ITS Luna 30 CmapLdapAttr property 181 CN field see Common Name field commercial HTML editor 11 Common Name field 170 configuration additional Automated Administration 67 changing Managed PKI 11 Control Center 7, 17, 19, 52 Country field 170 CPM see Certificate Parsing Module 38 CRL see certificate revocation list cryptographic protocol 150, 159, 162, 176, 179, 183, 185 CSR see certificate signing request customizer command 8 CVM see Certificate Validation Module 105 see Certificate Validation Module
Digital ID Center pages 6 customizing 11 index page 194 directory entry 97 schema 99 technology overview 95 Directory Access Protocol 98 Directory Information Tree 98 Distinguished Name 98 DN see Distinguished Name DNComps property 180 domain controllers 100
E
end entity certification 133 token 131 enrollment pages 6 entry variables 112 error message text modifying 125 expiration period passcode 23
F
FDF see form definition file fields, certificate 170 FilterComps property 181 firewall 49 form definition file 110, 111, 114, 126, 195
G
Given Name field 171 GN field 171
D
DAP see Directory Access Protocol data source linking to Automated Administration 87 216
H
hardware signing 30, 41, 42 utility 42 BT38-MPKI6-TRF-V1.1
Index haydn 195 haydn.edf file 126 haydn.exe 125 hierarchy private 106 public 106 HP-UX sitekit directory 13 HTML, variable 109
L
L field see Locality field LDAP 155, 179 defined 99 see lightweight directory access protocol library property 181 Lightweight Directory Access Protocol 99 lightweight directory access protocol 151 Local Hosting server 29 flow of control 48 Locality field 170 Luna token 30
I
I field 171 IIS native access control 151 InitFn property 181 Initials field 171 install command see customizer command installing trusted roots 157 ISO Standard Directory Architecture 97
M
Managed PKI Key Management Service 29 modifying configuration 11 private hierarchy 106 public hierarchy 106 modifying error messages 125
J
jurisdiction 107 Just Trust the Root 153 for IIS 162 for Netscape 176
N
name/value pairs 52, 54, 64 browser emulation specification 73, 129 Digital ID enrollment 81 Registration Authority certificate enrollment 79 Netscape Web server solutions 176 Netscape native access control 151
K
Key Management Service 29 security advantages 38 Key Management Services 131 Key Managment Service signing utilities 41 keywords reserved for parameters 122 KMS see Key Management Service
O
ODBC data source configuring 85 operational period 25, 35 Organizational Unit field 170 OU see Organizational Unit field
BT38-MPKI6-TRF-V1.1
217
P
passcode cancelling 21 expiration period 23 used 18 passcode authentication in the Policy Wizard 15 passwords used with certificates 154 PCT see Private Communication Technology pestub 29, 38, 49, 50 pilot system 106 PKCS#12 format 44 PKCS#7 format 43 Policy file 8 Policy Wizard 8, 12, 52 POST target 112 Private Communication Technology 159 private hierarchy 106 ProcessEntries function 52, 53 applicant enrollment authentication 54 certificate pick up 54 certificate registration 55 certificate renewal 55 certificate revocation 55 decrypt operation 56 error notification 56 production system 106 public hierarchy 106
Register function 38 Registration Authority certificate 30 registration data source 30 Registration server 28 renewing certificates 39 replication protocols 97 requiring subscriber certificates 159 reserved name keywords 122 revoking certificates 154
S
S field see State/Province field schema directory 99 Secure Sockets Layer 150, 159, 162, 176, 179, 183, 185 server certificate 158, 176 shared library custom 71 Signing API 56 signing device 30 signing utilities understanding 41 softbounce.exe 112 software signing 41 swimport 43 swkeygen 41 software signing option 30 Solaris see Sun Solaris Sophia modifying error message text with 125 Sophialite 29, 32, 37, 49 SSL 150 see Secure Sockets Layer State/Province field 170 status variables 112 subfields, certificate 170 subject distinguished name 38 RA_dn 41 BT38-MPKI6-TRF-V1.1
R
RA certificate 30 re-authentication renewal 39 re-configuring Managed PKI 11 regInfo IPSec certificates 7779 personal client certificates 7376 value tag definitions 81
218
Index subscriber certificates requiring 159 subscribers adding 19 certificate renewal 36, 39 Sun Solaris 27, 91 sitekit directory 13 swimport utility 43 swkeygen 41 variables entry 112 status 112 verification and registration API 52 verification data source 29, 32 flat-file version 91 VerifyCert property 181 VHTML 51, 109, 196 VSAA_CleanupSigner function 61, 63 VSAA_DecodeCert function 66 VSAA_DecodeCertRep function 56, 63, 65 additional name/value pairs 64 VSAA_EncodeGetCert function 54, 59 VSAA_EncodeGetCRL function 60 VSAA_EncodePKCSReq function 54, 55, 58 VSAA_EncodeRevReq function 55 VSAA_ExchangeMsg function 65, 66 VSAA_ExtractCert function 66 VSAA_FreeName function 63, 64, 65 VSAA_InitSigner function 58 VSAA_NAME 55, 56 VSAA_SetDebugLog function 65, 66 VSAA_STATUS 52, 54 VSAA_SUCCESS 52, 56 vsaasrv 29, 38, 49 vskmsrv 29
T
T field see Title field testing (IIS) 163, 169, 176 testing (Netscape) 178, 187 Title field 171 transient inconsistencies 96 trusted roots installing 157
U
unpopulated list 112 upgrading Managed PKI 11 user account mapping access by 154, 164, 169, 179
V
validity period 25, 35 validuser.txt 91 Variable HTML 109 variable naming, VHTML 128
W
Windows 2000 100, 197
X
X.509 format 43, 44, 66
BT38-MPKI6-TRF-V1.1
219
220
BT38-MPKI6-TRF-V1.1