Netscape NETSCAPE MANAGEMENT SYSTEM 6.0 Assembly instructions

Installation and Setup Guide

Netscape Certificate Management System

Version6.0

March 2002

Netscape Communications Corporation ("Netscape") and its licensors retain all ownership rights to the software programs offered by

Netscape (referred to herein as "Software") and related documentation. Use of the Software and related documentation is governed

by the license agreement for the Software and applicable copyright law.

Your right to copy this documentation is limited by copyright law. Making unauthorized copies, adaptations or compilation works is

prohibited and constitutes a punishable violation of the law. Netscape may revise this documentation from time to time without

notice.

THIS DOCUMENTATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL NETSCAPE BE

LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND ARISING FROM ANY

ERROR IN THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION ANY LOSS OR INTERRUPTION OF BUSINESS,

PROFITS, USE, OR DATA.

Netscape and the Netscape N logo are registered trademarks of Netscape Communications Corporation in the United States and

other countries. Other Netscape logos, product names, and service names are also trademarks of Netscape Communications

Corporation, which may be registered in some countries. Other product and brand names are the exclusive property of their

respective owners.

The downloading, exporting, or reexporting of Netscape software or any underlying information or technology must be in full

compliance with all United States and other applicable laws and regulations. Any provision of Netscape software or documentation

to the U.S. government is with restricted rights as described in the license agreement for that Software.

Contents

AboutThisGuide.............................................................. 23

What’sinThisGuide....................................................................23

WhatYouShouldAlreadyKnow .........................................................26

ConventionsUsedinThisGuide .........................................................27

WheretoGoforRelatedInformation......................................................28

Part 1 OverviewandDemoInstallation......................................... 31

Chapter 1 IntroductiontoCertificateManagementSystem.......................... 33

OverviewofKeyFeatures ...............................................................34

Flexibleend-entityregistrationservicesframework ....................................37

SystemOverview.......................................................................41

Public-KeyInfrastructure .............................................................43

CMSSubsystemsorManagers.........................................................44

CertificateManager ...............................................................45

RegistrationManager..............................................................47

DataRecoveryManager............................................................48

OnlineCertificateStatusManager ...................................................49

BasicSystemConfiguration ...........................................................50

Plug-inModules.....................................................................55

AuthenticationPlug-inModules ....................................................55

PolicyPlug-inModules ............................................................57

JobPlug-InModules...............................................................61

MapperandPublisherPlug-inModules ..............................................62

Event-DrivenNotifications............................................................64

AuxiliaryComponents ..................................................................64

Command-Line Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

CMSSDK...........................................................................65

4 Netscape Certificate Management System Installation and Setup Guide • March 2002

EntryPointsforVariousTypesofUsers ................................................... 66

AgentServicesInterface .............................................................. 68

CertificateManagerAgentServices ................................................. 68

RegistrationManagerAgentServices ................................................ 69

DataRecoveryManagerAgentServices.............................................. 70

OnlineCertificateStatusManagerAgentServicesInterface............................. 71

End-EntityServicesInterface.......................................................... 72

SystemArchitecture .................................................................... 73

PKCS#11........................................................................... 74

NSS................................................................................ 76

JSSandtheJava/JNILayer ........................................................... 76

Middleware/Java2Layers ........................................................... 76

AuthenticationandPolicyModules .................................................... 77

Standards Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

CertificateManagementFormatsandProtocols.......................................... 77

SecurityandDirectoryProtocols....................................................... 78

Chapter 2 CertificateEnrollmentandLife-CycleManagement ....................... 81

StepsinEnd-EntityEnrollment .......................................................... 81

SomeEnrollmentScenarios.............................................................. 84

FirewallConsiderations .............................................................. 84

Extranet/E-Commerce:ExampleCorp .................................................. 85

EnrollingExistingCustomers....................................................... 86

EnrollingNewCustomers.......................................................... 87

EnrollingExtranetUsers ........................................................... 89

PINRegistration:AtlasManufacturing ................................................. 91

VPNClientEnrollmentandRevocation ................................................ 93

RouterEnrollmentandRevocation..................................................... 96

EndEntitiesandLife-CycleManagement.................................................. 98

Life-CycleManagementFormatsandProtocols.......................................... 98

AccesstoSubsystems ................................................................ 99

HTMLFormsforEndUsers.......................................................... 101

NetscapePersonalSecurityManager .................................................. 102

Chapter 3 DefaultDemoInstallation ........................................... 105

SystemRequirements.................................................................. 105

OverviewoftheDefaultDemo.......................................................... 106

DemoPasswords ................................................................... 109

Installing the Default Demo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Step1.RuntheInstallationScript—UNIX............................................. 110

Step1.RuntheInstallationScript—WindowsNT....................................... 112

Step2.RuntheInstallationWizard ................................................... 120

Step3.GettheFirstUserCertificate ...................................................133

EnrollingfortheFirstAgentCertificate .............................................133

IfYouNeedtheFirstAgentFormAgain ............................................135

UsingtheDefaultDemo................................................................136

VerifytheInstallation ...............................................................136

ViewingIssuedCertificatesFromtheAgentGateway .................................137

EnrollingforaCertificateFromtheEnd-EntityGateway ..............................138

FindingandApprovingaCertificateRequest ........................................139

SettingYourBrowsertoUsetheAgentCertificate ....................................140

TestingYourNewCertificate ......................................................140

CreateaPolicy .....................................................................141

ConfiguringanRSAKeyLengthPolicy .............................................141

UseanLDAPDirectory..............................................................143

Step1.EnableDirectory-BasedAuthentication .......................................144

Step2.AddaUsertotheDirectory .................................................145

Step3.EnrollwithDirectory-BasedAuthentication ...................................147

PublishCertificatestoanLDAPDirectory..............................................148

ConfigurethePublishingDestination ...............................................149

SetRulesforPublishingCertificates ................................................150

UpdatethePublishingDirectory ...................................................152

SendRenewalReminders ............................................................153

ConfiguringaMailServerforCertificateManagementSystem .........................154

ConfiguringCertificateManagementSystemtoSendRenewalReminders ...............155

Part 2 PlanningandInstallation.............................................. 159

Chapter 4 Planning Your Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

TopologyDecisions....................................................................162

ServerGroupsandCMSInstances ....................................................162

SingleCertificateManager ...........................................................162

CertificateManagerandRegistrationManager .........................................163

CertificateManagerandDataRecoveryManager .......................................165

CertificateManager,DataRecoveryManager,andRegistrationManager...................167

ClonedCertificateManager ..........................................................169

CertificateAuthorityDecisions ..........................................................169

CA’sDistinguishedName ...........................................................170

CASigningKeyTypeandLength.....................................................170

CA Signing Certificate’s Validity Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Self-SignedRootVersusSubordinateCA...............................................171

CAsandCertificateExtensions .......................................................172

CACertificateRenewalorReissuance .................................................172

6 Netscape Certificate Management System Installation and Setup Guide • March 2002

CryptographicTokenDecisions ......................................................... 173

PublishingDecisions .................................................................. 174

PublishingtoCertificatesandCRLstoFiles ............................................ 174

PublishingtoCertificatesandCRLstoaDirectory ...................................... 174

PublishingCRLstotheOnlineCertificateStatusManager ............................... 175

SubsystemCertificateDecisions......................................................... 176

SSLServerCertificates .............................................................. 176

CertificateManagerCertificates ...................................................... 177

RegistrationManagerCertificates..................................................... 177

DataRecoveryManagerCertificateandStorageKey .................................... 178

OnlineCertificateStatusManagerCertificates .......................................... 178

AuthenticationDecisions............................................................... 179

PolicyDecisions....................................................................... 179

DeploymentStrategyandPortAssignments .............................................. 180

Chapter 5 InstallationWorksheet.............................................. 183

InformationforUNIXInstallationScript ................................................. 184

InstallationLocation ................................................................ 184

ConfigurationDirectoryServer....................................................... 184

User/GroupDirectoryServer ........................................................ 185

ConfigurationDirectorySettings ..................................................... 185

AdministrationServerInformation ................................................... 186

CertificateManagementSystemIdentifier ............................................. 187

InformationforNTInstallationScript.................................................... 187

InstallationDirectory ............................................................... 187

ConfigurationDirectoryServer....................................................... 187

User/GroupDirectoryServer ........................................................ 188

ConfigurationDirectorySettings ..................................................... 189

ConfigurationDirectoryServerAdministrator ......................................... 189

DirectoryServerAdministrationDomain .............................................. 189

DirectoryManagerSettings .......................................................... 189

AdministrationServerPort .......................................................... 190

CertificateManagementSystemIdentifier ............................................. 190

InitialConfiguration................................................................... 190

TokenLogonorSingleSign-OnPassword ................................................ 191

InternalDatabase................................................................... 191

Administrator...................................................................... 191

Subsystems ........................................................................ 192

RemoteCertificateManager ......................................................... 192

RemoteDataRecoveryManager...................................................... 192

NetworkConfiguration ............................................................. 193

CertificateManagerConfiguration ...................................................... 193

CASigningCertificate .............................................................. 193

CA’sSerialNumberRange ........................................................193

Key-PairInformationforCASigningCertificate......................................194

SubjectNameforCASigningCertificate ............................................194

Validity Period for CA Signing Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

ExtensionsforCASigningCertificate ...............................................195

CASigningCertificateRequest .......................................................197

RegistrationManagerConfiguration .....................................................197

RegistrationManagerSigningCertificateRequest .......................................197

Key-PairInformationforRegistrationManagerSigningCertificate .....................197

SubjectNameforRegistrationManagerSigningCertificate ............................198

RegistrationManagerSigningCertificateIssuer.........................................199

DataRecoveryManagerConfiguration ...................................................199

TransportCertificate ................................................................199

Key-PairInformationforTransportCertificate .......................................199

SubjectNameforTransportCertificate..............................................200

Validity Period for Transport Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

ExtensionsforTransportCertificate ................................................201

TransportCertificateRequest.........................................................202

StorageKeyandRecoveryAgentConfiguration ........................................202

StorageKeyCreation .............................................................202

DataRecoveryScheme—1.........................................................203

DataRecoveryScheme—2.........................................................203

OnlineCertificateStatusManagerConfiguration ..........................................203

OnlineCertificateStatusManagerSigningCertificateRequest ............................204

Key-Pair Information for Online Certificate Status Manager Signing Certificate . . . . . . . . . . . 204

SubjectNameforOnlineCertificateStatusManagerSigningCertificate .................204

OnlineCertificateStatusManagerSigningCertificateIssuer ..............................205

ClonedCertificateManagerConfiguration................................................205

CASigningCertificate...............................................................206

CA’sSerialNumberRange ........................................................206

ClonedKeyandCertificateMaterial ................................................206

SSLServerKeyandCertificate .....................................................207

SSLServerCertificateConfiguration .....................................................207

SSLServerCertificate ...............................................................207

Key-PairInformationforSSLServerCertificate ......................................207

SubjectNameforSSLServerCertificate .............................................208

Validity Period for SSL Server Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

ExtensionsforSSLServerCertificate................................................209

SSLCertificateRequest ..............................................................210

Chapter 6 InstallingCertificateManagementSystem ............................. 211

InstallationOverview ..................................................................211

InstallationStages...................................................................212

8 Netscape Certificate Management System Installation and Setup Guide • March 2002

BeforeYouBegintheInstallation ..................................................... 213

Stage1.RunningtheInstallationScript................................................... 215

RunningtheInstallationScriptonUNIX............................................... 215

RunningtheInstallationScriptonWindowsNT ........................................ 218

Stage2.RunningtheInstallationWizard ................................................. 221

Installing the Certificate Manager as a Root CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Installing the Certificate Manager as a Subordinate CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Installing a Standalone Registration Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Installing a Standalone Data Recovery Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Installing a Online Certificate Status Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

Stage3.EnrollingforAdministrator/AgentCertificate ..................................... 271

AgentCertificateforaCertificateManager............................................. 271

AgentCertificateforOtherCMSManagers ............................................ 274

Stage4.FurtherConfigurationOptions .................................................. 277

Stage5.CreatingAdditionalInstancesorCAClones....................................... 278

Chapter 7 Installing and Uninstalling CMS Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Installing Multiple CMS Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

CloningaCertificateManager .......................................................... 282

Step1.BeforeYouBegin............................................................. 283

Step2.CreateInstancesforCloneCAs ................................................ 285

Installing Clone CA in Master CA’s Server Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

Installing Clone CA in a Different Server Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

Installing Clone CA on a Separate Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Step3.ShutdowntheMasterCA ..................................................... 287

Step4.CopyMasterCA’sCertificateandKeyDatabase ................................. 288

Step5.StarttheMasterCA .......................................................... 288

Step6.ConfiguretheCloneCA ...................................................... 289

Step8.EstablishTrustBetweenMasterCAandCloneCAs............................... 290

StepA.LocatetheMasterCA’sSSLServerCertificate................................. 290

StepB.CreateaPrivileged-UserEntryforCloneCAs ................................. 292

Step9.TestClone-MasterConnection ................................................. 295

StepA.RequestaCertificatefromtheCloneCA ..................................... 295

StepB.ApprovetheRequest ...................................................... 296

StepC.DownloadtheCertificatetotheBrowser ..................................... 296

StepD.RevoketheCertificate ..................................................... 297

StepE.CheckMasterCA’sCRLfortheRevokedCertificate ........................... 297

Step10.UseMasterCA’sAgentCertificateinCloneCAs ................................ 298

ViewingInstanceInformation .......................................................... 299

ChangingtheNameofanInstance ...................................................... 301

RemovinganInstanceFromaSystem.................................................... 302

UninstallingCertificateManagementSystem ............................................. 303

UninstallingFromtheCommandLine ................................................ 303

UninstallingbyUsingtheWindowsNTAdd/RemoveProgramsUtility ...................304

Chapter 8 Starting and Stopping CMS Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

Significanceofpassword.confFile .......................................................306

StartingCertificateManagementSystem..................................................306

RequiredStart-upInformation........................................................307

StartingFromNetscapeConsole ......................................................308

StartingFromtheCommandLine.....................................................309

StartingFromtheWindowsNTServicesPanel..........................................310

StoppingCertificateManagementSystem.................................................310

StoppingFromNetscapeConsole .....................................................311

StoppingFromtheCommandLine....................................................312

StoppingFromtheWindowsNTServicesPanel ........................................312

RestartingCertificateManagementSystem................................................312

RestartingFromtheCMSWindow ....................................................313

RestartingFromtheCommandLine...................................................314

CheckingSystemStatus ................................................................314

AttendingtoanUnresponsiveServer ....................................................315

PasswordCache.......................................................................315

Password-QualityChecker .............................................................316

Part 3 Configuration ....................................................... 319

Chapter 9 Administration Tasks and Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

NetscapeConsole .....................................................................322

ConsoleTab........................................................................322

UsersandGroupsTab...............................................................323

NetscapeAdministrationServer ......................................................324

StartingAdministrationServer.....................................................325

ShuttingDownAdministrationServer ..............................................326

LoggingIntoNetscapeConsole .........................................................326

TheCMSWindow .....................................................................327

TasksTab..........................................................................329

ConfigurationTab ..................................................................329

StatusTab .........................................................................332

LoggingIntotheCMSWindow .........................................................333

Chapter 10 CMS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

EffectsofInstallationTypeonConfiguration ..............................................335

DuplicatingConfigurationFromOneInstancetoAnother................................337

LocatingtheConfigurationFile..........................................................337

10 Netscape Certificate Management System Installation and Setup Guide • March 2002

ModifyingtheConfiguration ........................................................... 338

ChangingtheConfigurationFromtheCMSWindow.................................... 338

ChangingtheConfigurationbyEditingtheConfigurationFile............................ 338

Guidelines for Editing the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

SampleConfigurationFile ........................................................... 341

RoadMaptoConfiguringSubsystems ................................................... 354

Step1.CheckWhichSubsystemisInstalledintheInstance ............................ 355

Step2.CheckthePortNumbers ................................................... 355

Step3.VerifyKeyPairandCertificates ............................................. 355

Step4.SetupPrivilegedUsers..................................................... 355

Step5.CustomizeEnd-EntityandAgentForms...................................... 356

Step6.SetupAuthenticationforEndUsers.......................................... 356

Step7:EnableEvent-DrivenNotifications ........................................... 356

Step8.ScheduleJobs ............................................................. 357

Step9.SetupPolicies............................................................. 357

Step10.SetupPublishing......................................................... 357

Step11.SetupKeyArchivalandRecovery .......................................... 358

Step12.SetupLogging ........................................................... 358

Step13.PlanforBackingupCMSConfigurationandData ............................ 358

Chapter 11 SettingUpPorts .................................................. 359

CMSPorts............................................................................ 359

RemoteAdministrationPort ......................................................... 360

AgentPort......................................................................... 361

End-EntityPorts.................................................................... 361

ConfiguringPortNumbers ............................................................. 362

Step1.SpecifythePortNumber ...................................................... 362

Step2:SpecifyIPAddresses ......................................................... 364

Chapter 12 SettingUpInternalDatabase........................................ 365

InternalDatabase ..................................................................... 365

ConfiguringtheInternalDatabase....................................................... 366

Step1.IdentifytheDirectoryServerInstance........................................... 367

Step2.RestrictAccesstotheInternalDatabase ......................................... 368

Chapter 13 ManagingPrivilegedUsersandGroups .............................. 371

Privileged-User Types and Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372

Administrators..................................................................... 372

Agents ............................................................................ 373

Agent’sCertificateforSSLClientAuthentication..................................... 375

RevocationStatusCheckingofAgentCertificates .................................... 378

TrustedManagers .................................................................. 380

This manual suits for next models

Table of contents

Other Netscape Software manuals

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.01 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.0 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.0 - AGENT GUIDE User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.1 - AGENT GUIDE User manual

Netscape

Netscape NETSCAPE DIRECTORY SERVER 6.01 Assembly instructions

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.2 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.0 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.1 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 - CUSTOMIZATION... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.2 -... Service manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 7.0 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 - AGENT GUIDE User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.01 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.0 - PLUG-IN User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.01 - AGENT... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 7.0 - AGENT GUIDE User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.2 - AGENT GUIDE User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 - PLUG-IN User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 4.5 Assembly instructions

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 7.0 -... User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.01 - PLUG-IN User manual

Netscape

Netscape NETSCAPE MANAGEMENT SYSTEM 6.1 -... Service manual

Popular Software manuals by other brands

COMPRO

COMPRO COMPROFM manual

Muratec

Muratec OFFICEBRIDGE ONLINE user guide

Oracle

Oracle Contact Center Anywhere 8.1 installation guide

Adobe

Adobe 65007312 - Photoshop Lightroom Programmer's guide

Avaya

Avaya NULL One-X for RIM Blackberry user guide

HP ProLiant BL420c user guide

PS Audio

PS Audio PowerPlay Programming manual

Brady

Brady LOCKOUT PRO 3.0 Administrator's guide

Avaya

Avaya Interaction Center user guide

Texas Instruments

Texas Instruments TI-83 Plus Silver Edition Guide book

Novell

Novell GROUPWISE 8 - INTERNET AGENT manual

Oracle

Oracle Application 9i Configuration guide

Acer

Acer RDM user guide

Canon

Canon Vixia HF21 instruction manual

Canon

Canon ZR950 instruction manual

Samsung

Samsung Auto Backup user manual

Polycom

Polycom Vortex EF2201 Application note

Brocade Communications Systems

Brocade Communications Systems Brocade 8/12c user manual