INSTALLATION GUIDE

Managed PKI Installation and Configuration

VeriSign, Inc.

March 2008

Managed PKI Installation and Configuration

© 1998-2008 VeriSign, Inc. All rights reserved. The information in this document belongs to VeriSign. It may not be used, reproduced or disclosed without the written approval of VeriSign.

DISCLAIMER AND LIMITATION OF LIABILITY VeriSign, Inc. has made efforts to ensure the accuracy and completeness of the information in this document. However, VeriSign, Inc. makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. VeriSign, Inc. assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document. Further, VeriSign, Inc. assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. VeriSign Inc. reserves the right to make changes to any information herein without further notice.

TRADEMARKS VeriSign, the VeriSign logo, the checkmark circle, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.

This document may describe features and/or functionality that are not present in your software or your service agreement. Contact your account representative to learn more about what is available with this VeriSign product. If you need help using this product, contact customer support.

[email protected]

+1-650-426-3535 or 1-800-579-2848


Contents

Chapter 1 Introduction (p. 1)
  Organization of this Manual (p. 2)
  Installation Software for Managed PKI Services (p. 4)
  Related Documents (p. 4)

Chapter 2 Configuring Your System (p. 5)
  Before Enrolling for Managed PKI (p. 6)
  Basic Requirements (p. 6)
    Organizational Requirements (p. 6)
  Installation Overview (p. 8)
  Configuration for Remote Hosting (p. 10)
  Configuration for Local Hosting (p. 11)
  Configuration for Remote Passcode Authentication (p. 13)
  Configuration for Passcode Authentication with Local Hosting (p. 14)
  Configuration for VeriSign Registration Authority (p. 15)
    Requirements for VeriSign Registration Authority (p. 16)
    Installation Overview for VeriSign Registration Authority (p. 18)
  Configuration for Outsourced Authentication (p. 19)
  Configuration for VeriSign Go Secure! for Microsoft Exchange with Remote Hosting (p. 20)
  Configuration for VeriSign Go Secure! for Microsoft Exchange with Local Hosting (p. 21)
  Configuration for VeriSign Go Secure! for Microsoft Exchange with VeriSign Registration Authority (p. 23)
  Configuration for VeriSign Go Secure! for Web Applications (p. 27)

Chapter 3 Configuring Managed PKI (p. 29)
  Configuring Managed PKI (p. 29)
  Customizing Subscriber Enrollment and Certificate Content (p. 30)
    Run the Policy Wizard (p. 33)
    Download the Policy File (p. 56)
    (Optional) Perform Additional Configuration (p. 58)
    Manual Authentication: Test Your Managed PKI Configuration (p. 71)
  Next (p. 73)

Chapter 4 Installing the Administrator Kit (p. 75)
  Installing and Configuring the Administrator Kit (p. 75)
  Next (p. 76)

Chapter 5 Configuring Local Hosting (p. 77)
  Local Hosting Overview (p. 77)
  Installing Local Hosting with Microsoft Internet Information Server (IIS) (p. 79)
  Installing Local Hosting with Sun ONE Web Server (p. 96)
  Installing Local Hosting with Stronghold/Apache (p. 110)
  Additional Configuration for Managed PKI (p. 115)
    Configuring pestub (p. 115)
    Configuring Sophialite to use a Proxy Server (p. 118)
    Configuring Subscriber Search to Use a Proxy Server (p. 118)
  Next (p. 120)

Chapter 6 Registration Authority (p. 121)
  Implementation Strategy for VeriSign Registration Authority (p. 122)
  Installing VeriSign Registration Authority Software (p. 123)
  Next (p. 127)

Chapter 7 Configuring Passcode Authentication (p. 129)
  Next (p. 138)

Chapter 8 Signing Option (p. 139)
  Installation Overview for the Signing Option (p. 140)
  Using the Software Signing Option (p. 141)
  Using the Hardware Signing Option (p. 144)
    Installing the Hardware Signing Option (p. 144)
    Configuring the Hardware Signing Option (p. 144)
    Installing the RA Certificate (p. 146)
  Renewing Expiring Certificates (p. 147)
    Replacing Expiring AutoAdmin.509 Certificates (p. 148)
    Renewing your RA Certificate (p. 148)
    Renewing the RA Certificate with the Hardware Signing Option (p. 149)
  Starting and Stopping the Registration Authority Server (p. 149)
    Windows (p. 150)
    Solaris or Linux (p. 150)
    Remove the VeriSign Registration Authority Service (Windows only) (p. 150)
  Next (p. 150)

Chapter 9 Outsourced Authentication (p. 153)
  Configuring Outsourced Authentication for ODBC (p. 153)
  Configuring Outsourced Authentication for Flat File (p. 155)
  Configuring Outsourced Authentication for Lightweight Directory Access Protocol (LDAP) (p. 156)
  Next (p. 160)

Chapter 10 Secure Channel (p. 161)
  Installation Overview for the Secure Channel (p. 162)
  Setting Up the Secure Channel (p. 163)
    Generate the Certificate Request (p. 164)
    Acquire and Install the Secure Server Certificate (p. 165)
    Configure the Secure Channel (p. 167)
  Secure Channel Between the VeriSign Registration Authority Server Host and the LDAP Data Source (p. 167)
  Next (p. 168)

Chapter 11 Subscriber Renewal (p. 169)
  Next (p. 172)

Chapter 12 Moving to Production (p. 173)
  Overview: Moving to Production (p. 174)
  Before You Start (p. 175)
  Moving to Production (p. 176)

Chapter 13 Enabling End-User Machines with Windows (p. 179)
  Deploy the MSI Packages (p. 180)
    Publish the OnSiteMSI package to a user (p. 180)
    Assign the OnSiteMSI package to a machine (p. 181)
    Assign the OnSiteMSI to a user (p. 181)
    ActiveX Settings for Vista (p. 182)

Exceptions for using pestub.dll.local in Production (p. 187)

Typical Load Balancing/Failover Configuration for Local Hosting and VeriSign Registration Authority (p. 191)

Encrypting Configuration Files (p. 194)
  Encrypting the Contents of vsrasrv.cfg (p. 194)
  Encrypting the Contents of vsautoauth.conf (p. 196)

Conventions for the VeriSign Registration Authority Configuration File (p. 197)
  Configuring the Windows Service Settings (p. 198)
  Configuring Sockets (p. 198)
  Configuring Channels (p. 198)
  Configuring Key Recovery (p. 199)
  Configuring the VeriSign Registration Authority (p. 200)
  Configuring the Signer (p. 201)
  Configuring Key Generation (p. 202)
  Configuring Monitoring (p. 204)
  Configuring the Log File (p. 205)
  Configuring Data Source Character Encoding (p. 206)
  Configuring Service Types (p. 207)
  Configuring Flat File Verification (p. 209)
  Configuring an ODBC Database (p. 209)
  Configuring an LDAP Data Source (p. 213)
    Configuring the LDAP Verification Data Source (p. 213)
    Configuring the LDAP Registration Data Source (p. 216)
    Configuring an LDAP Key Recovery Data Source (p. 222)
  CMS Verification Data Source Configuration (p. 224)
    Flat file (p. 224)
    ODBC Verification Data Source (p. 224)
    LDAP Verification Data Source (p. 225)

Index (p. 227)


Chapter 1 Introduction

This manual provides instructions for installing and configuring the following Managed PKI options and services.

Remote Hosting: With Remote Hosting, the Digital ID Center (the set of Web pages where users enroll for and manage their certificates) is hosted at VeriSign. “Digital ID” is VeriSign’s service mark and brand name for a digital certificate.

Local Hosting: With Local Hosting, your organization maintains the Digital ID Center pages on your company Web server instead of at VeriSign. Although the pages are hosted locally by your organization, VeriSign still issues the certificates.

Passcode Authentication: With Passcode Authentication, your organization processes certificate applications automatically rather than approving or rejecting each application by hand (known as manual authentication). Passcode Authentication compares the subscriber’s enrollment data with authentication data stored at VeriSign and approves or rejects the request without administrator action at the time of enrollment.

VeriSign Registration Authority: Like Passcode Authentication, VeriSign Registration Authority processes certificate applications automatically, but it compares the subscriber’s enrollment data with authentication data stored at your location. This gives you greater flexibility than Passcode Authentication, at the cost of establishing and maintaining your own authentication servers and Web pages. VeriSign Registration Authority also gives you the option to implement key escrow and recovery for Managed PKI private keys and certificates. Escrowed keys are individually encrypted and stored in a database that can be backed up normally. A key can be recovered only by combining the encrypted key record with a Managed PKI administrator ID that holds the recover key subprivilege, presented to the Control Center. The critical key escrow and recovery information (the information used for key recovery) is held securely at a VeriSign data center.

Signing Options: Required for implementations of VeriSign Registration Authority, the signing option is the method used to store and use a Registration Authority (RA) certificate. The RA certificate digitally signs all data transmitted from the RA server host to VeriSign, so the protection of its private key determines how much VeriSign can trust the requests your RA sends. You can store the RA certificate either in a software library (software signing option) or on a SafeNet Luna token (hardware signing option).

Secure Channel: To enhance security for VeriSign Registration Authority implementations, you can establish a Secure Sockets Layer (SSL) communications channel between the Local Hosting Web server and the RA server. The secure channel authenticates the servers and encrypts the data exchanged between them.

Subscriber Renewal: The subscriber renewal method is the process subscribers use to renew their certificates. Managed PKI supports three methods for certificate renewal: Automatic Renewal, Re-Authentication Renewal, and Client Authentication Renewal.

For information about additional configuration of Managed PKI options and services not included in this manual, see Managed PKI Technical Reference.

Organization of this Manual

Each chapter of this guide provides installation instructions for a distinct Managed PKI option or feature. To implement Managed PKI, read Chapter 2 first and then the chapters that apply to your configuration. This manual is organized as follows:

Chapter 2, “Configuring Your System,” describes the factors you should consider in planning the installation and configuration of your system. To assist with your preparation, this chapter identifies the general requirements for all Managed PKI implementations, as well as the additional requirements for typical Managed PKI configurations. Before installing Managed PKI, review this chapter closely to ensure that all required hardware and software is properly installed and configured.

Chapter 3, “Configuring Managed PKI,” explains how to configure your Managed PKI service. This chapter provides directions for completing the Managed PKI Policy Wizard, downloading your policy file, and customizing Managed PKI with the Configuration Wizards.

Chapter 4, “Installing the Administrator Kit,” provides instructions for installing the optional token package on which you can securely store your administrator ID.

Chapter 5, “Configuring Local Hosting,” explains how to install the Digital ID Center pages on three kinds of Web server: Microsoft Internet Information Server (IIS), Sun ONE Web Server, and Stronghold/Apache.

Chapter 6, “Registration Authority,” outlines the recommended implementation strategy for VeriSign Registration Authority and provides instructions for installing the VeriSign Registration Authority server software.

Chapter 7, “Configuring Passcode Authentication,” describes how to configure Passcode Authentication.

Chapter 8, “Signing Option,” explains how to set up either the hardware or the software signing option.

Chapter 9, “Outsourced Authentication,” describes the Outsourced Authentication option of Managed PKI and how to configure it with different data sources.

Chapter 10, “Secure Channel,” describes how to set up the secure communications channel, an optional security feature for use with VeriSign Registration Authority.

Chapter 11, “Subscriber Renewal,” explains how to configure the certificate renewal method (Automatic Renewal, Re-Authentication Renewal, or Client Authentication Renewal).

Chapter 12, “Moving to Production,” describes how to migrate from VeriSign’s pilot environment (a pre-production system) to VeriSign’s production system.

Chapter 13, “Enabling End-User Machines with Windows,” shows you how to ensure that all ActiveX controls required by Managed PKI can be installed on end-user machines running Windows.

Appendix A, “pestub.dll.local,” describes how to configure the pestub.dll.local file so that Local Hosting and VeriSign Registration Authority can process enrollment data.

Appendix B, “Install Program Options,” describes how to use customizer.exe to enable the additional options of the install command.

Appendix C, “Configuring Load Balancing and Failover,” describes how to handle failover of the Local Hosting Web server and Automated Authentication server hosts.

Appendix D, “Configuration Files,” discusses the VeriSign Registration Authority configuration file.

Installation Software for Managed PKI Services

To install Managed PKI services, you need the following materials:
+ Managed PKI Documentation CD
+ Managed PKI from MCI with Local Hosting CD
+ Managed PKI VeriSign Registration Authority CD (if applicable)
+ Managed PKI Third-Party Integration CD

Related Documents

Customer documents are available on the CDs for the respective products. You can also access VeriSign documentation from the Managed PKI Control Center Download page. For further information about the material in this manual, see the following documents:
+ Managed PKI v7.2 Introduction
+ Managed PKI v7.2 Administrator’s Handbook
+ Managed PKI Technical Reference
+ Managed PKI v7.2 Hardware/Software Requirements
+ Enterprise Support and Service Overview
+ Managed PKI 7.2 Outsourced Authentication Administrator’s Guide
+ Managed PKI Key Escrow and Recovery Guide
+ Managed PKI v7.2 Error Codes and Troubleshooting Guide
+ Managed PKI v7.2 Glossary


Chapter 2 Configuring Your System

While planning the configuration of your system, ask yourself the following questions.

+ Will you be using the certificates to send email outside of your organization? If so, issue certificates from a Public Certification Authority.

+ Do you plan on substantially modifying the enrollment and Digital ID Center Web pages? If so, implement Local Hosting. See Chapter 5, “Configuring Local Hosting,” for more information.

+ Would you like to automate certificate approval without maintaining a database of users at your site? If so, consider Passcode Authentication. See Chapter 7, “Configuring Passcode Authentication,” for more information.

+ Do you have a pre-existing database or directory of users? If so, consider VeriSign Registration Authority. See Chapter 6, “Registration Authority,” for more information.

+ Do you need key backup or key escrow? If so, install Managed PKI with VeriSign Registration Authority. See Chapter 6, “Registration Authority,” and Managed PKI Key Escrow and Recovery Guide for more information.

+ Do you want a third party to provide authentication for your users? If so, consider Outsourced Authentication (OA). See Chapter 9, “Outsourced Authentication,” for more information.

+ Do you want to integrate your public key infrastructure (PKI) implementation with S/MIME using a Microsoft Exchange Server? If so, consider Go Secure! for Microsoft Exchange. For more information, see Go Secure! for Microsoft Exchange Administrator’s Guide.

+ Do you want to use transaction signing, or would you like to customize the user interface for client authentication? If so, consider the Personal Trust Agent (PTA) or Personal Trust Service (PTS). For more information, see Go Secure! for Web Applications v7.2 Installation and Configuration Guide.

Before Enrolling for Managed PKI

Before enrolling for Managed PKI, you must make the following decisions. For guidance, see Managed PKI v7.2 Introduction.
+ Determine your Organizational Contact, Managed PKI administrator, and Billing Contact.
+ Decide whether your certificates will be issued under a public or a private Certification Authority.
+ Decide how many certificates to purchase initially.
+ Determine whether your organization will use CSR-based enrollment.

Basic Requirements

Your original service contract may include assistance from VeriSign’s Professional Services Organization (PSO) for the initial installation and configuration of Managed PKI. Once your organization has enrolled for Managed PKI, your account manager will contact you to schedule the installation. This initial visit by PSO personnel is known as the PSO engagement. If you have no contract for PSO support, your organization installs and configures Managed PKI independently.

Organizational Requirements

In preparation for the installation and configuration of Managed PKI, your organization must complete the following tasks:

1. Work with your account manager to enroll in the VeriSign Managed PKI production system or the VeriSign Managed PKI pilot system. For all VeriSign Registration Authority implementations, first set up Managed PKI in a pilot environment. The pilot environment lets you test your implementation without touching your production system. It runs the same software as the production system but issues only pilot certificates. Pilot certificates are strictly for testing: they are signed by test certification authorities rather than trusted ones, so relying parties will not accept them. Once you are satisfied with your implementation, you can migrate to the production system.

2. Acquire the hardware and software needed for your configuration. See Managed PKI v7.2 Hardware/Software Requirements.

3. If your contract includes PSO installation, provide fully qualified technical personnel for training by the PSO team and ensure that the trainees are available during the PSO engagement. Your organization should also provide an analog telephone line for PSO personnel to contact VeriSign during installation. Although not required, an analog line may speed up the installation process.

4. Ensure that you have the appropriate rights to modify the administrator workstation, server machines, and other equipment.

See Managed PKI v7.2 Hardware/Software Requirements for the requirements for:
+ the Managed PKI administrator’s workstation
+ the workstations of potential subscribers
+ server hosts
+ compatible compilers. If you compile code for VeriSign Registration Authority, use the same compiler for best compatibility.


Installation Overview

Figure 2-1 and Figure 2-2 provide an overview of the overall Managed PKI installation process. The remaining chapters of this document provide specific procedures for installing Managed PKI with these options.

Figure 2-1 Overall Managed PKI installation process

Figure 2-2 Overall Managed PKI installation process


Configuration for Remote Hosting

Figure 2-3 illustrates a typical Managed PKI configuration hosted at VeriSign (also called remote hosting).

Figure 2-3 Typical configuration for remote hosting

Requirements for Remote Hosting

Complete the “Basic Requirements” on page 6. No additional action is required. For further information on hardware and software requirements, see Managed PKI v7.2 Hardware/Software Requirements.

Installation Overview for Remote Hosting

1. Configure Managed PKI as described in Chapter 3, “Configuring Managed PKI.”

2. Test the enrollment process.

3. Begin rollout to end users. See Managed PKI v7.2 Getting Started for rollout strategies.


Configuration for Local Hosting

Figure 2-4 illustrates a typical Managed PKI configuration with the Local Hosting Web server host.

Figure 2-4 Typical configuration for Local Hosting

Requirements for Local Hosting

1. Complete the “Basic Requirements” on page 6.

2. For Local Hosting, your organization must install Web pages and CGI scripts on a Web server known as the Local Hosting server host. See Managed PKI v7.2 Hardware/Software Requirements for a list of supported servers.

3. Configure the Local Hosting Web server host with:
   + an assigned and registered fully qualified domain name
   + the appropriate user accounts

4. (Recommended) To provide SSL-enabled access to your enrollment pages, install the appropriate VeriSign server certificate. SSL is not required, but it is highly recommended: without it, the enrollment data subscribers submit to your pages travels over the network in the clear.

5. Decide on the URL (and directory, if applicable) that the Local Hosting enrollment pages will use.

6. Configure the Local Hosting Web server so that it can contact the VeriSign domain over HTTPS without being prompted for a proxy user ID or password.

For further information on hardware and software requirements, see Managed PKI v7.2 Hardware/Software Requirements.

Installation Overview for Local Hosting

1. Configure Managed PKI, as described in Chapter 3, “Configuring Managed PKI.”

2. Implement Local Hosting, as described in Chapter 5, “Configuring Local Hosting.”

3. Test the enrollment process.

4. Begin rollout to end users. See Managed PKI v7.2 Getting Started for rollout strategies.

Figure 2-5 provides an overview of the installation process for Managed PKI with Local Hosting.

Figure 2-5 Installation of Managed PKI with Local Hosting


Configuration for Remote Passcode Authentication

Figure 2-6 illustrates a typical Passcode Authentication configuration hosted at VeriSign (remote hosting).

Figure 2-6 Typical configuration for Passcode Authentication with remote hosting

Requirements for Passcode Authentication with Remote Hosting

Complete the “Basic Requirements” on page 6. No additional action is required. For further information on hardware and software requirements, see Managed PKI v7.2 Hardware/Software Requirements.

Installation Overview for Passcode Authentication with Remote Hosting

1. Configure Managed PKI, as described in Chapter 3, “Configuring Managed PKI.”

2. Configure Passcode Authentication, as described in Chapter 7, “Configuring Passcode Authentication.”

3. Test the enrollment process.

4. Begin rollout to end users. See Managed PKI v7.2 Getting Started for rollout strategies.


Configuration for Passcode Authentication with Local Hosting

Figure 2-7 illustrates a typical Passcode Authentication configuration with Local Hosting.

Figure 2-7 Typical configuration for Passcode Authentication with Local Hosting

Requirements for Passcode Authentication with Local Hosting

1. Complete the “Basic Requirements” on page 6.

2. Complete the requirements listed in “Configuration for Local Hosting” on page 11.

For further information on hardware and software requirements, see Managed PKI v7.2 Hardware/Software Requirements.

Installation Overview for Passcode Authentication with Local Hosting

1. Configure Managed PKI, as described in Chapter 3, “Configuring Managed PKI.”

2. Implement Local Hosting, as described in Chapter 5, “Configuring Local Hosting.”

3. Configure Passcode Authentication, as described in Chapter 7, “Configuring Passcode Authentication.”

4. Test the enrollment process.

5. Begin rollout to end users. See Managed PKI v7.2 Getting Started for rollout strategies.

Figure 2-8 provides an overview of the installation process for Managed PKI with Passcode Authentication.

Figure 2-8 Installation of Managed PKI with Passcode Authentication

Configuration for VeriSign Registration Authority Figure 2-9 illustrates a typical, stand-alone VeriSign Registration Authority configuration with the Local Hosting Web server host and VeriSign Registration

VeriSign, Inc.

March 2008

15

Managed PKI v7.2 Installation and Configuration

-----------------------------------------------------------

Authority server host. This illustration also shows the different components in the VeriSign Registration Authority option.

Figure 2-9 Typical VeriSign Registration Authority configuration

The verification data source contains the authorization information that VeriSign Registration Authority uses to verify certificate enrollment data before issuing a certificate. After a certificate is issued, VeriSign Registration Authority writes the certificate and related information into a directory or database. This function is known as registration, and the database is known as the registration data source. Typically, the verification data source and the registration data source are combined in the same directory, or database. However, you can configure VeriSign Registration Authority so that the verification data source and registration data source consist of separate data sources, or even separate data sources on different computers. For clarity, this example separates the two data sources. If you have implemented the key escrow and recovery option, the escrowed keys are stored in the recovery data source. Requirements for VeriSign Registration Authority 1 Complete the requirements for Local Hosting (see page 11). Then:


+ Enable the Local Hosting Web server to send outbound HTTP requests on port 80 without being prompted for a proxy user ID or password.

+ Enable the Local Hosting Web server to initiate requests to the VeriSign Registration Authority server on a TCP/IP port of your choice. The default port is 2003.

2 If you use the hardware signing option, ensure that you have received and installed the necessary device and drivers on the VeriSign Registration Authority server. Note that the PCMCIA readers are external and not rack-mountable. Although the hardware signing option is not required, it is strongly recommended. While software signing is easier to set up, hardware signing is more secure. With hardware signing, the private key is generated on the Luna token, which prevents unauthorized parties from removing, reading, or duplicating it.

3 (Optional) If you need to customize the VeriSign Registration Authority verification or registration process beyond what is possible with the configuration file, then you will need to install a C++ development environment. See Managed PKI v7.2 Hardware/Software Requirements for the requirements for this environment. The C++ compiler can reside on the VeriSign Registration Authority server host or on a separate computer. To ensure the broadest usability for VeriSign’s customers, the sample code provided with the VeriSign Registration Authority option is written in C++.

4 If using an ODBC database:

a Install the database (if applicable) and create a VeriSign Registration Authority user with appropriate read/write access.

b Prepare a database schema.

c Install the proper ODBC drivers on the VeriSign Registration Authority server.

d Create an ODBC connection to the database from the VeriSign Registration Authority server.

5 If using an LDAP directory:

a Ensure that the directory is LDAPv3 compliant.

b Install and configure the directory service (if applicable) and create a VeriSign Registration Authority user with appropriate read/write access.


c Prepare an LDAP schema.

d Ensure that the VeriSign Registration Authority server can communicate with the LDAP directory over the standard ports (for example, 389 for LDAP or 636 for LDAP using SSL).

For further information on hardware and software requirements, see Managed PKI v7.2 Hardware/Software Requirements.

Installation Overview for VeriSign Registration Authority

1 Configure Managed PKI, as described in Chapter 3, “Configuring Managed PKI.”

2 Implement Local Hosting, as described in Chapter 5, “Configuring Local Hosting.”

3 Configure VeriSign Registration Authority, as described in Chapter 6, “Registration Authority.”

4 Set up your signing option, as described in Chapter 8, “Signing Option.”

5 Test the enrollment process.

6 (Optional) Set up a secure channel, as described in Chapter 10, “Secure Channel,” and test the enrollment process.

7 (Optional) Modify the Digital ID Center pages, as described in Managed PKI Technical Reference, and test the enrollment process.

8 Move to production, as described in Chapter 12, “Moving to Production.”

9 Test the enrollment pages.


10 Begin rollout to end users. See Managed PKI v7.2 Getting Started for rollout strategies.

Figure 2-10 provides an overview of the installation process for the VeriSign Registration Authority.

Figure 2-10 Installation overview for the VeriSign Registration Authority Service

Configuration for Outsourced Authentication

Outsourced Authentication uses VeriSign Registration Authority to request authentication from VeriSign for applicants with Pending status that VeriSign Registration Authority cannot verify using its verification and registration data source. To use Outsourced Authentication, you choose the Outsourced Authentication option when enrolling for Managed PKI service, then install and configure VeriSign Registration Authority. You must also change the VeriSign Registration Authority source code and recompile the corresponding libraries. For more information on Outsourced Authentication, see Chapter 9, “Outsourced Authentication.”


Configuration for VeriSign Go Secure! for Microsoft Exchange with Remote Hosting

Figure 2-11 illustrates a typical Go Secure! for Microsoft Exchange configuration with remote hosting.

Figure 2-11 Go Secure! for Microsoft Exchange with remote hosting

Requirements for Go Secure! for Microsoft Exchange with Remote Hosting

1 Complete the “Basic Requirements” on page 6.

2 Complete the “Configuration for Remote Hosting” on page 10.

3 Ensure that the end-user’s machine is in the same domain as the Exchange Server, or in domains that trust one another.

For further information on hardware and software requirements, see Managed PKI v7.2 Hardware/Software Requirements.

Installation Overview for Go Secure! for Microsoft Exchange with Remote Hosting

1 Configure Managed PKI, as described in Chapter 3, “Configuring Managed PKI.”

2 Install Go Secure! for Microsoft Exchange, as described in Go Secure! for Microsoft Exchange v7.2 Administrator’s Guide.

3 Test the enrollment process.

4 Begin rollout to end users. See Managed PKI v7.2 Getting Started for rollout strategies.


Configuration for VeriSign Go Secure! for Microsoft Exchange with Local Hosting

Figure 2-12 illustrates a typical Go Secure! for Microsoft Exchange configuration with Local Hosting.

Figure 2-12 Go Secure! for Microsoft Exchange with Local Hosting

Requirements for Go Secure! for Microsoft Exchange with Local Hosting

1 Complete the “Basic Requirements” on page 6.

2 Complete the “Configuration for Local Hosting” on page 11. Install Web pages and CGI scripts on the Local Hosting Web server host. See Managed PKI v7.2 Hardware/Software Requirements for supported server versions and requirements.

+ Configure the Local Hosting Web server host with:

– An assigned and registered fully qualified domain name

– The appropriate user accounts created

+ (Optional) To provide SSL-enabled access to your enrollment pages, you must install the appropriate VeriSign server certificate. Although SSL is not required, it is highly recommended.

+ Decide on the URL (and directory, if applicable) that the Local Hosting enrollment pages will use.

+ Configure the Local Hosting Web server host to contact the VeriSign domain using HTTPS (port 443) without being prompted for a proxy user ID or password.

+ If you are using the client-side update feature of Go Secure! for Microsoft Exchange, ensure that the end-user’s machine is in the same domain as the Exchange Server, or in domains that trust one another.

For further information on hardware and software requirements, see Managed PKI v7.2 Hardware/Software Requirements.

Installation Overview for Go Secure! for Microsoft Exchange with Local Hosting

1 Configure Managed PKI, as described in Chapter 3, “Configuring Managed PKI.”

2 Implement Local Hosting, as described in Chapter 5, “Configuring Local Hosting.”

3 Configure Local Hosting for Go Secure! for Microsoft Exchange, as described in Go Secure! for Microsoft Exchange v7.2 Administrator’s Guide.

4 Test the enrollment process.

5 Begin rollout to end users. See Managed PKI v7.2 Getting Started for rollout strategies.


Configuration for VeriSign Go Secure! for Microsoft Exchange with VeriSign Registration Authority

Figure 2-13 illustrates a typical VeriSign Go Secure! for Microsoft Exchange configuration with the VeriSign Registration Authority server host.

Figure 2-13 Go Secure! for Microsoft Exchange with VeriSign Registration Authority

Requirements for Go Secure! for Microsoft Exchange with VeriSign Registration Authority

1 Complete the requirements in “Configuration for VeriSign Go Secure! for Microsoft Exchange with Local Hosting” on page 21. Then:

+ Enable the Local Hosting Web server to send outbound HTTP requests on port 80 without being prompted for a proxy user ID or password.

+ Enable the Local Hosting Web server to initiate requests to the VeriSign Registration Authority server on a TCP/IP port of your choice. The default port is 2003.

2 If you use the hardware signing option, install the necessary device and drivers on the VeriSign Registration Authority server, or a network appliance and appropriate drivers.

Note: Although the hardware signing option is not required, it is strongly recommended.


3 (Optional) If you need to customize the VeriSign Registration Authority verification or registration process beyond what is possible with the configuration file, then you will need to install a C++ development environment. See Managed PKI v7.2 Hardware/Software Requirements for the requirements for this environment. The C++ compiler can reside on the VeriSign Registration Authority server host or on a separate computer. To ensure the broadest usability for VeriSign’s customers, the sample code provided with the VeriSign Registration Authority option is written in C++.

4 If using an ODBC database:

a Install the database (if applicable) and create a VeriSign Registration Authority user with appropriate read/write access.

b Prepare a database schema.

c Install the proper ODBC drivers on the VeriSign Registration Authority server.

d Create an ODBC connection to the database from the VeriSign Registration Authority server.

5 If using an LDAP directory:

a Ensure that the directory is LDAPv3-compliant.

b Install and configure the directory service (if applicable) and create a VeriSign Registration Authority user with appropriate read/write access.

c Prepare an LDAP schema.

d Ensure that the VeriSign Registration Authority server can communicate with the LDAP directory over the standard ports (for example, 389 for LDAP or 636 for LDAP using SSL).

6 If you chose Windows authentication (Exchange Server 2003 only):

+ Ensure that the Local Hosting Web server is in the same domain as the Exchange Server or in a mutually trusted domain (the domains must trust one another).

+ Enable the Local Hosting Web server to send outbound LDAP connection requests to an Exchange Server on port 389 without being prompted for a proxy user ID or password.

For further information on hardware and software requirements, see Managed PKI v7.2 Hardware/Software Requirements.


Installation Overview for Go Secure! for Microsoft Exchange with VeriSign Registration Authority

1 Configure Managed PKI, as described in Chapter 3, “Configuring Managed PKI.”

2 (Optional) Implement Local Hosting, as described in Chapter 5, “Configuring Local Hosting.”

3 (Optional) Configure VeriSign Registration Authority, as described in Chapter 6, “Registration Authority.”

4 (Optional) Set up your signing option, as described in Chapter 8, “Signing Option.”

5 (Optional) Set up a secure channel, as described in Chapter 10, “Secure Channel.” Test the enrollment process.

6 (Optional) Modify the Digital ID Center pages, as described in Managed PKI Technical Reference.

7 Configure Local Hosting for Go Secure! for Microsoft Exchange with Local Hosting, as described in Go Secure! for Microsoft Exchange v7.2 Administrator’s Guide.

8 Test the enrollment process.

9 Move to production, as described in Chapter 12, “Moving to Production.”

10 Test the enrollment process.


11 Begin rollout to end users. See Managed PKI v7.2 Getting Started for rollout strategies.

Figure 2-14 provides an overview of the installation process for Managed PKI with Go Secure! for Microsoft Exchange with VeriSign Registration Authority.

Figure 2-14 Go Secure! for Microsoft Exchange with VeriSign Registration Authority


Configuration for VeriSign Go Secure! for Web Applications

Figure 2-15 illustrates a typical configuration for VeriSign Go Secure! for Web Applications.

Figure 2-15 Go Secure! for Web Applications

Note: In Figure 2-15, the enrollment process occurs within the Certificate Issuing Center. The Certificate Issuing Center represents any of the other configurations listed in this chapter (for example, Passcode Authentication with Local Hosting).

Requirements for Go Secure! for Web Applications

1 Complete the “Basic Requirements” on page 6.

2 For Internet Explorer and Firefox, ActiveX and Firefox plug-in downloads for signed objects are enabled on end-user machines by default. However, you should ensure that they are enabled. For Java PTA, ensure that Sun Java Plug-in 1.4.1 is installed on end-user machines. Download and install the JRE (Java Runtime Environment) for J2SE v1.4.1 for the platform(s) your end-user machines use.


3 For servers supported by Go Secure! for Web Applications, see Managed PKI v7.2 Hardware/Software Requirements.

4 Configure the PTA Application Web server with:

+ the fully qualified domain name assigned and registered

+ the paths configured to properly locate shared objects (Solaris and Linux)

5 If you are using Client Authentication, SSL is required for the VeriSign Personal Trust Agent (PTA). Therefore, you must install the appropriate VeriSign server certificate on your Application Web server.

6 Based on the fully qualified domain name, decide on the URL (and directory, if applicable) that Go Secure! for Web Applications will use. You will need this URL when you configure Managed PKI with the Policy Wizard.

7 If you want to turn on revocation checking, you must enable the Web server to access the certificate revocation lists hosted at VeriSign using HTTP or LDAP, or else use Online Certificate Status Protocol (OCSP).

8 If you use the PTA for transaction signing, and you want to customize the authentication server code, you must install the appropriate development environment. See Managed PKI v7.2 Hardware/Software Requirements. The C++ compiler can reside on the Web server or on a separate computer. To ensure the broadest usability for VeriSign’s customers, the sample code provided with the VeriSign Registration Authority option is written in C++.

For more information about Go Secure! for Web Applications, see Go Secure! for Web Applications v7.2 Installation and Configuration Guide. For further information on hardware and software requirements, see Managed PKI v7.2 Hardware/Software Requirements.

Installation Overview for Go Secure! for Web Applications

1 Follow the installation process for any of the other configurations in this chapter.

2 Install Go Secure! for Web Applications, as described in Go Secure! for Web Applications v7.2 Installation and Configuration Guide.

3 Test the enrollment process.

4 Begin rollout to end users. See Managed PKI v7.2 Getting Started for rollout strategies.


Chapter 3 Configuring Managed PKI

This chapter provides instructions for configuring and testing your Managed PKI service. In addition, this chapter explains how to further customize your Managed PKI service with the Configuration Wizards.

For this chapter, you should first:

+ If you are using a token to store your administrator ID, install the Administrator Kit before you acquire your Managed PKI administrator ID. See Chapter 4, “Installing the Administrator Kit,” for more information.

+ Acquire a Managed PKI administrator ID.

+ Ensure that you have the appropriate rights to modify the administrator workstation.

+ Complete the requirements for your Managed PKI configuration, as described in Chapter 2, “Configuring Your System.”

Configuring Managed PKI

This section provides instructions for configuring Managed PKI. To configure Managed PKI, you must:

1 Determine the fields that will appear in the enrollment page and/or the certificate (see below).

2 Run the Policy Wizard (see page 33).

3 Optionally, download the policy file (see page 56).

4 Perform additional configuration, if needed (see page 58).


Note: This chapter includes directions for the Policy Wizard, Renewal Wizard, and other Configuration Wizards. Since Wizard pages typically include explanatory text and online help, the instructions in this chapter serve as a general guide, rather than providing full explanations of the content and purpose of each Wizard page.

Customizing Subscriber Enrollment and Certificate Content

The Managed PKI administrator determines which information the user will enter in the enrollment page, and which information is included in the certificate.

In the Customize the Subscriber Enrollment Page of the Policy Wizard (see Figure 3-7 on page 47), the Managed PKI administrator specifies the fields that appear on the subscriber enrollment page. For each field on the subscriber enrollment page, the Managed PKI administrator also indicates whether the user must complete the field (required), or whether the field can be skipped (optional). The Policy Wizard automatically includes and requires the First Name, Last Name, and Email Address fields on the enrollment page. Other standard fields, such as the employee ID number and mail stop, may be useful for authenticating users. Managed PKI also provides up to three optional fields that the Managed PKI administrator can define and add to the enrollment page.

In the Customize the Subscriber Certificates page of the Policy Wizard (see Figure 3-13 on page 53), the Managed PKI administrator must decide which fields are to be included in a certificate. Fields that appear in the certificate, such as the subscriber’s name and email address, should identify the subscriber and, in some cases, the subscriber’s access level. However, since certificates may be viewed publicly, they should not include private or confidential information. It is important to note that once the certificate has been issued, the Managed PKI administrator cannot change the certificate fields.

For all Managed PKI implementations, the Managed PKI administrator should determine whether each field:

+ should appear in the enrollment page and/or certificate.

+ is required or optional for the user.

To make these decisions for each field, fill out the following table:

Field Name           | On Enrollment Form? (Yes/No) | Required or Optional Entry in Enrollment Form? (Required/Optional) | Show in Certificate? (Yes/No)
---------------------|------------------------------|--------------------------------------------------------------------|------------------------------
First Name           |                              |                                                                    |
Last Name            |                              |                                                                    |
Email Address        |                              |                                                                    |
Title                |                              |                                                                    |
Employee ID Number   |                              |                                                                    |
Mail Stop            |                              |                                                                    |
Country              |                              |                                                                    |
State                |                              |                                                                    |
Locality             |                              |                                                                    |
Telephone            |                              |                                                                    |
Company (a)          |                              |                                                                    |
Dept/Div/Project (a) |                              |                                                                    |
DUNS Number (a)      |                              |                                                                    |

a. Business Authentication Service and Outsourced Authentication only

Enrollment page and certificate fields with VeriSign Registration Authority

For enrollment pages in systems with VeriSign Registration Authority, the Managed PKI administrator must determine which fields are entered by the user, and which fields are supplied by the verification data source. The Managed PKI administrator must also determine which user-entered fields must match the verification data source records in order to issue a certificate.

Note: In designing the enrollment page, the Managed PKI administrator must ensure that only one record in the verification data source corresponds to each applicant’s enrollment information.

You can configure VeriSign Registration Authority to augment data from the verification data source, then, after the certificate is issued, store the certificate and other information in the registration data source. VeriSign Registration Authority also enables you to configure some enrollment fields so that their values get passed to your verification database during enrollments, but do not get passed back to VeriSign. This lets you authenticate your enrollees against sensitive data, or gather organization-specific information that does not get shared outside your organization or get placed in certificates.

For information on installing and configuring VeriSign Registration Authority, see Chapter 6, “Registration Authority.” Additional information about VeriSign Registration Authority is also available in Managed PKI Technical Reference.

Enrollment page and certificate fields with Passcode Authentication

For enrollment pages in systems with Passcode Authentication, the Managed PKI administrator must determine which fields are entered by the user, and which fields are automatically provided with each enrollment. In the Customize the Subscriber Enrollment Page for Passcode Authentication (as seen in Figure 3-9 on page 49), the Managed PKI administrator determines the Applicant and Admin fields. Applicant fields are those the user must enter in the enrollment page. Admin fields are those the user does not need to enter. Admin fields are omitted from the enrollment page, as they are automatically appended to the enrollment data when the applicant submits the enrollment page. The Managed PKI administrator submits Admin field information to VeriSign before the applicant’s enrollment.

With Passcode Authentication, the Managed PKI administrator must also indicate which fields are used as match fields (as seen in Figure 3-12 on page 52). Match fields are enrollment page fields that the user must provide for authentication. These fields are checked against the information entered by the Managed PKI administrator in the Managed PKI Control Center. If the values entered by the applicant in the match fields are the same as the values provided by the Managed PKI administrator, then the applicant is issued a certificate.

Note: In planning your enrollment system, select fields and data that will ensure that only one record corresponds to each applicant.

For Managed PKI implementations with Passcode Authentication, the Managed PKI administrator should determine whether:

+ the applicant or the administrator should supply the value.

+ the value will be used as a match field.

+ each field should appear in the enrollment page and/or certificate.

The following table helps you make these decisions for each field.

Field Name         | On Enrollment Form? (Yes/No) | Required or Optional Entry in Enrollment Form? (Required/Optional) | Provided by Applicant or by Administrator? (Applicant/Admin) | Include in Match? (Yes/No) | Become Part of Certificate? (Yes/No)
-------------------|------------------------------|--------------------------------------------------------------------|--------------------------------------------------------------|----------------------------|-------------------------------------
First Name         |                              |                                                                    |                                                              |                            |
Last Name          |                              |                                                                    |                                                              |                            |
Email Address      |                              |                                                                    |                                                              |                            |
Title              |                              |                                                                    |                                                              |                            |
Employee ID Number |                              |                                                                    |                                                              |                            |
Mail Stop          |                              |                                                                    |                                                              |                            |
Country            |                              |                                                                    |                                                              |                            |
State              |                              |                                                                    |                                                              |                            |
Locality           |                              |                                                                    |                                                              |                            |
Additional Field 1 |                              |                                                                    |                                                              |                            |
Additional Field 2 |                              |                                                                    |                                                              |                            |
Additional Field 3 |                              |                                                                    |                                                              |                            |
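As a worked illustration of the match-field rules above, and of the VeriSign Registration Authority option of keeping some fields in the local verification database rather than passing them back to VeriSign, the following Python models the check an enrollment must pass before a certificate is issued. It is an added example and not VeriSign's code: the field policy, the administrator records, and the whitespace- and case-insensitive comparison are constructed assumptions.

```python
"""Added example, not VeriSign's code: models the match-field check that
Passcode Authentication (and, against the verification data source, VeriSign
Registration Authority) performs before a certificate is issued."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldPolicy:
    """One row of the planning table above."""
    name: str
    on_form: bool             # On Enrollment Form?
    required: bool            # Required or Optional Entry?
    provided_by: str          # "Applicant" or "Admin"
    match: bool               # Include in Match?
    in_certificate: bool      # Become Part of Certificate?
    local_only: bool = False  # passed to the local verification database, never back to VeriSign


# Constructed policy: the email address and employee ID together identify an applicant.
POLICY = [
    FieldPolicy("First Name", True, True, "Applicant", False, True),
    FieldPolicy("Last Name", True, True, "Applicant", False, True),
    FieldPolicy("Email Address", True, True, "Applicant", True, True),
    FieldPolicy("Employee ID Number", True, True, "Applicant", True, False),
    FieldPolicy("Mail Stop", True, False, "Applicant", False, False, local_only=True),
    FieldPolicy("Title", False, False, "Admin", False, True),
]

# Constructed administrator records (what the administrator submits before enrollment).
# The two "bob" records are deliberate: they show why match fields must be unique.
ADMIN_RECORDS = [
    {"Email Address": "alice@example.com", "Employee ID Number": "10042", "Title": "Engineer"},
    {"Email Address": "bob@example.com", "Employee ID Number": "10043", "Title": "Analyst"},
    {"Email Address": "bob@example.com", "Employee ID Number": "10043", "Title": "Contractor"},
]


class EnrollmentRejected(Exception):
    """The applicant's data could not be tied to exactly one administrator record."""


def _norm(value):
    # Assumption: surrounding whitespace and letter case should not defeat a match.
    return str(value).strip().casefold()


def verify_enrollment(applicant, records=ADMIN_RECORDS, policy=POLICY):
    """Return (data passed to VeriSign, certificate fields) or raise EnrollmentRejected."""
    for fp in policy:
        if fp.on_form and fp.required and not applicant.get(fp.name):
            raise EnrollmentRejected(f"required field missing: {fp.name}")

    match_fields = [fp.name for fp in policy if fp.match]
    missing = [n for n in match_fields if not applicant.get(n)]
    if missing:
        raise EnrollmentRejected(f"match field missing: {', '.join(missing)}")

    hits = [r for r in records
            if all(_norm(r.get(n, "")) == _norm(applicant[n]) for n in match_fields)]
    if not hits:
        raise EnrollmentRejected("no administrator record matches the match fields")
    if len(hits) > 1:
        # The guide requires exactly one record per applicant; an ambiguous
        # lookup is a planning defect, not a successful authentication.
        raise EnrollmentRejected(f"{len(hits)} records match; match fields are not unique")
    record = hits[0]

    # Applicant fields come from the form; Admin fields are appended from the
    # record and are never taken from what the applicant submitted.
    merged = {}
    for fp in policy:
        if fp.provided_by == "Admin":
            merged[fp.name] = record.get(fp.name)
        else:
            merged[fp.name] = applicant.get(fp.name)

    local_only = {fp.name for fp in policy if fp.local_only}
    to_verisign = {k: v for k, v in merged.items() if v is not None and k not in local_only}
    cert_fields = {fp.name: merged[fp.name] for fp in policy
                   if fp.in_certificate and merged.get(fp.name) is not None}
    return to_verisign, cert_fields


def rejection_reason(applicant, records=ADMIN_RECORDS, policy=POLICY):
    """The rejection message, or None when the enrollment would be accepted."""
    try:
        verify_enrollment(applicant, records, policy)
    except EnrollmentRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    alice = {"First Name": "Alice", "Last Name": "Liddell",
             "Email Address": "alice@example.com", "Employee ID Number": "10042",
             "Mail Stop": "B-12"}
    sent, cert = verify_enrollment(alice)
    print("to VeriSign:", sent)   # Title appended from the record, Mail Stop withheld
    print("certificate:", cert)
    print(rejection_reason({**alice, "Employee ID Number": "99999"}))
    print(rejection_reason({"First Name": "Bob", "Last Name": "Builder",
                            "Email Address": "bob@example.com",
                            "Employee ID Number": "10043"}))
```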

Run the Policy Wizard

Use the Policy Wizard to configure the contents of your certificates, the Digital ID Center and enrollment pages, and other Managed PKI options. Once you have completed the Policy Wizard, you are ready to install Managed PKI.

To access the Policy Wizard:

1 Open the email that includes instructions for acquiring your Managed PKI administrator ID, and click the link to access the Welcome page.

2 Click the Continue button.


3 Click the link to the appropriate configuration page.

Alternatively, you can access the Policy Wizard at the following URL:

+ For the pilot system: https://pilotonsite-admin.verisign.com/OnSiteHome.htm

+ For the production system: https://onsite-admin.verisign.com/OnSiteHome.htm

For either site:

4 Click the Configuration link to open the Configuration page.

5 Click the Policy link to start the Policy Wizard.

Note: The appearance and sequence of Policy Wizard pages depends upon your input and your Managed PKI configuration. Some Wizard pages shown in this document may be omitted from your particular Policy Wizard session because of your configuration. Additional Policy Wizard pages may appear if you are configuring additional Managed PKI options (see that option’s documentation for a description of the pages). In addition, because Managed PKI undergoes continuous improvement, your pages may differ slightly in appearance. Functionality is unchanged.

See the online help (by clicking the Help button) for each page for additional assistance in configuring that page.


Wizard Page: Enter the Email Address for Subscriber Questions

Figure 3-1 Enter Email Address page

Enter the email address to which applicants and subscribers should send questions concerning certificates. You should enter an email address alias to which your Managed PKI administrator has access.

Tip: By entering an email alias, rather than the email address of a specific individual, you can avoid changing the address in the subscriber pages and email wizards if the Managed PKI administrator changes.


Wizard Page: Enable Application Integration

The Enable Application Integration page appears only if you have purchased additional Managed PKI services, such as the Personal Trust Agent (PTA) or one of the Go Secure! products.

Note: If you are implementing any of the Go Secure! products, see the relevant Go Secure! manual for changes in the Policy Wizard.

Figure 3-2 Enable Application Integration page

Optional services appear in the Enable Application Integration page. Required services, such as your authentication method, are configured in subsequent Policy Wizard pages.


Note: If you purchased a service and it does not appear in the Policy Wizard, contact your account representative.

In the Enable Application Integration page, you can:

+ Configure each additional service, or

+ Bypass the configuration option for now, and simply turn each service On or Off.

If you are ready to configure an additional service, select Click to Configure. Wizard pages for the selected service appear. For more information about configuring additional services, see the documentation provided with that service.

Wizard Page: Select Key Option

Note: This Wizard page only appears for Managed PKI configurations with Key Escrow and Recovery.

Figure 3-3 Select Key Option page

In the Select Key Option page, you must specify whether you want to issue single key pairs or dual key pairs to your subscribers. Table 3-1 indicates the relationships between key pair types and certificate types. For further information, click Help to view the Control Center online Help.

Table 3-1 Summary of key pair options

Key Pair Type   | Certificate Type       | Key Generation                         | Private Key Storage Location                                                          | Certificate Usage
----------------|------------------------|----------------------------------------|---------------------------------------------------------------------------------------|------------------------------------------------------------------------------------
Single Key Pair | All-use certificate    | VeriSign Registration Authority server | VeriSign Registration Authority secure database and subscriber's personal workstation | All uses (nonrepudiation is not applicable to this case)
Dual Key Pair   | Encryption certificate | VeriSign Registration Authority server | VeriSign Registration Authority secure database and subscriber's personal workstation | Encryption and Authentication only (non-repudiation is not applicable to this case)
                | Signing certificate    | Subscriber’s browser                   | Subscriber's personal workstation only                                                | Signing only (nonrepudiation is possible)


Wizard Page: Specify the Cryptographic Service Provider Name and Key Size

Figure 3-1 Specify the Cryptographic Service Provider Name and Key Size page

Ignore this step if any of the following apply:

+ None of the end users use Microsoft Internet Explorer.

+ You are using the single key option of VeriSign Registration Authority.

Simply accept the default settings and proceed to the next Wizard page. For all other Managed PKI configurations, use this page to indicate the appropriate Cryptographic Service Provider (CSP) used with the subscriber’s private key for signing and encryption operations. You must also specify the size of the keys generated by the subscriber’s browser. For further guidance in making a selection, see the Policy Wizard on-line help.


Use a Microsoft CSP Module. This option provides the simplest and least error-prone experience for the subscriber. For this option, you can specify either the Microsoft Base CSP, the Microsoft Enhanced CSP, or another Microsoft CSP. However, some browsers do not support the Enhanced CSP. If you specify the Enhanced CSP, and the subscriber’s browser does not support Enhanced CSP, the browser will use the Base CSP. If you want to prevent the subscriber’s browser from downgrading to the Base CSP, consult VeriSign Customer Support. If your organization employs multiple CSPs, or if you are unsure of which option to select, you should allow users to choose the CSP module. While Microsoft CSPs do not determine the key size generated by the subscriber’s browser, they do determine whether you establish 128-bit (enhanced) or 40-bit (basic) session keys. For example, if you specify the Base CSP, the browser will use 40-bit session keys for SSL transactions. Note

Use Other CSP Module. This option allows you to specify an alternative CSP module, such as a token. If you select this option, then end users are limited to the specified CSP module; if the user does not have the specified CSP, they cannot enroll. Enter the CSP module name exactly as it appears in the CSP documentation. Be aware that the CSP name is case-sensitive.

Allow Subscribers to Choose the CSP Module. This option allows end users to select the desired CSP module from a pull-down menu on the enrollment page. The menu will consist of every module installed on the user’s system.

Key Size. You must specify the size of the keys to be generated by your subscribers’ browsers. You can select 512, 1024, or 2048-bit keys for your users’ certificates. While generation of the key takes noticeably longer, once the key is generated there is no performance penalty for using a larger key size. For Firefox users, the key size specified in the browser overrides what you specify here. Firefox users can set the key size up to the maximum allowed by their version.

Key Exportable. Do you want to allow users to export their private keys from Internet Explorer using the Certificate Export Wizard?


Wizard Page: Specify the Security Feature for Subscriber’s Private Key

Figure 3-2 Specify the Security Feature for Subscriber’s Private Key page

You may ignore this page if:

None of the end users use Microsoft Internet Explorer.

You are using the key escrow option of VeriSign Registration Authority.

In either case, simply accept the default setting and proceed to the next Wizard page. For all other Managed PKI configurations, indicate the level of security used with the subscriber’s private key for signing and encryption operations.

Note: Your selection here only prompts the user to enter a password. There is no way to force users to enter a password, or to ensure the quality of a password. If you want to force your users to use a password, or to impose specific requirements on password content, consider implementing Personal Trust Agent (PTA). For more information about PTA, see Go Secure! for Web Applications v7.2 Installation and Configuration Guide.


Wizard Page: Specify the Character Set

Figure 3-3 Specify the Character Set page

UTF-8 is an optimized encoding of Unicode character-strings that allows computers to read and display both English and non-English character sets. IMPORTANT! Selecting UTF-8 Encoding has a number of implications for you and your end users that you must consider before enabling this feature. See Release Notes and the online help before enabling UTF-8 Encoding.

This page enables you to select the language encoding available to your end users to enroll for, search, revoke, and renew their certificates. The characters they use will appear in their certificates and in the Control Center wherever end-user certificate activity is reviewed (for example, in certificate requests, in reports, and in certificate search results). These characters will also appear in the Pick Up ID, Search, Revoke, and Renew links of the Digital ID Center. Select the appropriate language encoding from the drop-down list and click Continue.

No UTF-8 Encoding. This is the default setting. This setting enables Latin-1 (Western European) characters only (ASCII used for English and several European languages).


UTF-8 Encoding. This selection allows subscribers to manage Digital IDs in their native language and characters.

Note: If you want to use UTF-8 character encoding, ensure that all your applications are UTF-8 compatible.

Wizard Page: Specify the Authentication Method

Figure 3-1 Specify the Authentication Method page for VeriSign Registration Authority

If you are implementing one of the following options, the Specify the Authentication Method page appears (this page does not appear if VeriSign has not enabled one of these options). This page allows you to specify the method used to authenticate certificate requests. Depending on the option you are implementing, you will see Manual Authentication, and either Automated Administration or Passcode Administration (Figure 3-1 shows Manual Authentication and Automated Administration). Make the appropriate selection:

Business Authentication Service: select Manual Authentication

Outsourced Authentication (OA): select Automated Administration

VeriSign Registration Authority, with or without key escrow: select Automated Administration


Passcode: select Passcode Authentication

If you select the Passcode Authentication option, the subsequent Wizard pages allow you to specify the parameters for that option. Also, subsequent Wizard pages will allow you to define the fields that should appear on the certificate enrollment page. For information about Passcode Authentication, see Managed PKI Technical Reference.

Wizard Page: Enter Passcode Authentication Parameters

Note: This Wizard page appears only for Managed PKI configurations with Passcode Authentication enabled.

Figure 3-4 Enter Passcode Authentication Parameters page

This page allows you to enter your specifications for Passcode Authentication.

Specify the Passcode Generation Option. This determines who generates passcodes: your organization or VeriSign. To have VeriSign generate passcodes, select System-Generated and specify the Passcode Size (the number of characters in the passcode). Larger passcode sizes provide greater security. VeriSign strongly recommends a minimum of eight characters.

Specify the Passcode Expiration. This is the amount of time during which the end user must enroll. This time period begins when the passcode is created.
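The three parameters on this Wizard page (Passcode Size, Passcode Expiration and the Lockout Threshold) describe a small state machine: a passcode is generated at a given size, is valid for a fixed period counted from its creation, and is frozen after a set number of incorrect entries. The following Python is an added illustration of that behaviour written for this guide; it is not VeriSign code and does not reproduce the Managed PKI implementation. The passcode alphabet, the minimum-size check (taken from the eight-character recommendation above) and the fixed reference time are assumptions made for the example.

```python
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed alphabet for system-generated passcodes; the guide does not say
# which characters VeriSign uses, so this is an assumption of the example.
PASSCODE_ALPHABET = string.ascii_uppercase + string.digits

# Fixed reference time (constructed) so scenarios can be scripted deterministically.
EPOCH = datetime(2008, 3, 1, tzinfo=timezone.utc)


def moment(hours: float) -> datetime:
    """Reference time plus an offset in hours."""
    return EPOCH + timedelta(hours=hours)


@dataclass(frozen=True)
class PasscodePolicy:
    """The parameters set on the Enter Passcode Authentication Parameters page."""
    passcode_size: int        # number of characters in a system-generated passcode
    expiration_hours: int     # time the end user has to enroll, counted from creation
    lockout_threshold: int    # incorrect entries allowed before the passcode is frozen

    def __post_init__(self) -> None:
        # The guide strongly recommends at least eight characters; this example
        # refuses smaller sizes outright (a choice made here, not a product rule).
        if self.passcode_size < 8:
            raise ValueError("passcode size must be at least 8 characters")
        if self.lockout_threshold < 1:
            raise ValueError("lockout threshold must be at least 1")


def generate_passcode(policy: PasscodePolicy) -> str:
    """System-generated passcode of the configured size, drawn from a CSPRNG."""
    return "".join(secrets.choice(PASSCODE_ALPHABET) for _ in range(policy.passcode_size))


@dataclass
class PasscodeRecord:
    """One issued passcode plus the state needed to enforce expiration and lockout."""
    passcode: str
    created_at: datetime      # the expiration period is counted from this moment
    policy: PasscodePolicy
    failed_attempts: int = 0
    frozen: bool = False

    def is_expired(self, now: datetime) -> bool:
        return now - self.created_at > timedelta(hours=self.policy.expiration_hours)

    def verify(self, entered: str, now: datetime) -> str:
        """Check an entered passcode; returns "ok", "incorrect", "frozen" or "expired".

        Once frozen, the passcode is never accepted again, even if the correct
        value is entered later: a new passcode has to be issued.
        """
        if self.frozen:
            return "frozen"
        if self.is_expired(now):
            return "expired"
        # Constant-time comparison, so response timing does not reveal how many
        # leading characters of a guess were right.
        if hmac.compare_digest(entered.encode("utf-8"), self.passcode.encode("utf-8")):
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.lockout_threshold:
            self.frozen = True
            return "frozen"
        return "incorrect"


if __name__ == "__main__":
    policy = PasscodePolicy(passcode_size=10, expiration_hours=24 * 7, lockout_threshold=3)
    issued = PasscodeRecord(generate_passcode(policy), moment(0), policy)
    print("issued a", len(issued.passcode), "character passcode, valid for", policy.expiration_hours, "hours")
```

The lockout counter is kept per passcode rather than per user, which matches the page's wording ("before the passcode is frozen"): an applicant whose passcode has been frozen must obtain a new one, and the frozen record is deliberately not reset by a later correct entry.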


Specify the Lockout Threshold. This determines the number of times an end user can enter a passcode incorrectly before the passcode is frozen.

Specify the Passcode Field Label. This text appears next to the passcode text box on the subscriber enrollment page. Typically, this field is named Passcode.

Wizard Page: Enter Local Hosting Base URL

Note: This Wizard page appears only if you are installing Local Hosting.

Figure 3-5 Enter Local Hosting Base URL page

Enter the full base URL for the Web server that will host the certificate lifecycle pages. This is the URL that you will provide to your customer to access the Digital ID Center. Include http:// or https:// as appropriate, and, if necessary, directory and port number. Do not use the underscore character (_) or a trailing slash character (/). For example:

For a simple Web server URL, you might enter http://www.ACMEBank.com

If you need to provide a specific port number, you might enter http://www.ACMEBank.com:996

If you are using secure HTTP, you might enter https://www.ACMEBank.com


If your Web server files are in a subdirectory, you might enter https://www.ACMEBank.com/certenroll

Wizard Page: Specify the Wireless Parameters

Figure 3-6 Specify the Wireless Parameters page

Note: This Wizard page appears only if you have purchased this option.

This page enables you to specify the field names your end users see for the User ID and Password fields on your locally-hosted Wireless enrollment pages. Enter the names for both the User ID and Password fields, and click Continue.
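The rules stated on the Enter Local Hosting Base URL page above (http:// or https:// scheme, optional port and directory, no underscore, no trailing slash) are easy to check before the value is committed in the Policy Wizard. The Python below is an added example written for this guide, not VeriSign's validation code; the rejection of query strings and fragments, and the `digital_id_center_url` join helper, are assumptions of the example and not behaviour the guide documents.

```python
from typing import List
from urllib.parse import urlsplit


def check_local_hosting_base_url(url: str) -> List[str]:
    """Return the rule violations for a Local Hosting base URL (empty list = acceptable).

    Rules taken from the Enter Local Hosting Base URL page: the URL must begin
    with http:// or https://, may carry a port number and a directory, and must
    contain neither an underscore (_) nor a trailing slash (/).
    """
    problems: List[str] = []
    parts = urlsplit(url.strip())

    if parts.scheme not in ("http", "https"):
        problems.append("URL must begin with http:// or https://")
    if not parts.hostname:
        problems.append("URL has no host name")
    else:
        try:
            parts.port  # raises ValueError for a non-numeric or out-of-range port
        except ValueError:
            problems.append("port number is not valid")
    if "_" in url:
        problems.append("underscore character (_) is not allowed")
    if url.endswith("/"):
        problems.append("trailing slash character (/) is not allowed")
    # Assumption of this example: the guide lists only scheme, host, port and
    # directory as components, so anything after '?' or '#' is reported as well.
    if parts.query or parts.fragment:
        problems.append("query string or fragment is not allowed in the base URL")
    return problems


def digital_id_center_url(base_url: str, page: str) -> str:
    """Join a validated base URL with a page path (constructed helper, not a VeriSign API).

    Shows why the trailing slash is disallowed: the page path is appended with
    exactly one separator, so a base URL ending in '/' would produce '//'.
    """
    problems = check_local_hosting_base_url(base_url)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{base_url}/{page.lstrip('/')}"


if __name__ == "__main__":
    for candidate in ("http://www.ACMEBank.com:996",
                      "https://www.ACMEBank.com/certenroll/",
                      "http://www.acme_bank.com",
                      "www.ACMEBank.com"):
        print(candidate, "->", check_local_hosting_base_url(candidate) or "ok")
```

The underscore rule is worth keeping even where a Web server would tolerate it: an underscore is not a valid character in a DNS host name, so a certificate issued for such a name would not match what browsers expect.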


Wizard Page: Customize the Subscriber Enrollment Page

Figure 3-7 Top half of the Customize the Subscriber Enrollment page

If you are not installing Passcode Authentication, Business Authentication Service, or Outsourced Authentication, the Customize the Subscriber Enrollment Page appears as seen in Figure 3-7 and Figure 3-8. In this Wizard page, you customize the end-user’s certificate enrollment page by specifying which fields are required and which fields are optional. You can also define up to three custom fields to accommodate the needs of your organization. In completing the Customize the Subscriber Enrollment Page, see the following guidelines:

Include on Certificate Enrollment Page: Select this checkbox to have the field appear on the enrollment page.

Required: Select Required to require the user to complete the field in order to obtain a certificate.


Optional: If you select Optional for a given field, the user does not need to complete the field to obtain a certificate.

Figure 3-8 Bottom half of the Customize the Subscriber Enrollment page

If you selected Passcode Authentication in the Specify the Authentication Method page (see page 43), then the Customize the Subscriber Enrollment Page has a different set of options, as seen in Figure 3-9 and Figure 3-10. In this case, you specify which enrollment fields should be submitted by the applicant, and which should be supplied by the administrator (through the verification data file). To complete the Customize the Subscriber Enrollment Page for Passcode Authentication, see the following guidelines:

Applicant: If you select Applicant for a given field, then the user must submit this information in the subscriber enrollment page.

Note: For all match fields, you must click the Use column checkbox, as well as select Applicant.


Admin: If you select Admin for a given field, only the administrator can submit this information. If you want both the applicant and administrator to submit a match field, select Applicant.

Figure 3-9 Top half of Customize the Subscriber Enrollment page for Passcode Authentication


Figure 3-10 Bottom half of Customize the Subscriber Enrollment page for Passcode Authentication

If your Managed PKI implementation includes Outsourced Authentication (OA) or Business Authentication Service (BAS), then the top half of the Customize the Subscriber Enrollment Page appears as seen in Figure 3-11.

Note: With Business Authentication Service and Outsourced Authentication, VeriSign is responsible for verifying the existence, name, and authorization of some parties requesting certificates.

For implementations of OA and Business Authentication Service, the Company/Agency/Org field and the Country field are always required. The State field may be required, and is highly recommended. The Company/Agency/Org field is also included on the enrollment form, as well as in the certificate. You can also include the Dept/Div/Proj and D-U-N-S Number fields on the enrollment page. The Company/Agency/Org, Dept/Div/Proj, and D-U-N-S Number fields are filled in by your subscribers, and refer to their company name, not yours.


VeriSign uses this information to verify the identity of a subscriber applying for a certificate.

Figure 3-11 Top half of Customize the Subscriber Enrollment page for Business Authentication Service

Figure 3-11 illustrates the top half of the Customize the Subscriber Enrollment page for Business Authentication Service.

Note: This page for OA is similar to the page for Business Authentication Service.


Wizard Page: Configure Passcode Match Fields

Note: This Wizard page only appears for Managed PKI configurations with Passcode Authentication.

Figure 3-12 Configure Passcode Match Fields page

In the Configure Passcode Match Fields page, you specify the match fields to be used on the enrollment page. Match fields are enrollment fields that are checked against the information entered in the Managed PKI Control Center by the Managed PKI administrator. If the match field value entered by the applicant matches the value in the database, then the applicant is issued a certificate.


Wizard Page: Customize the Subscriber Certificates

Figure 3-13 Customize the Subscriber Certificates page

In the Customize the Subscriber Certificates page, you specify which fields from the certificate enrollment page also appear in the certificate. Since certificate contents are public information, do not include confidential information. Items in the large checkboxes are always selected.

Note: If you select Show in Certificate for the Employee ID Number, Mail Stop, or any additional field, the field will appear in the certificate in the following format: OU= -

If your Managed PKI implementation includes Outsourced Authentication, the Customize the Subscriber Certificates page includes the Company/Agency/Org field, as seen in Figure 3-14. If you elected to include the Dept/Div/Proj and D-U-N-S Number fields on the enrollment page, these fields are always included in the certificate.

Figure 3-14 Customize the Subscriber Certificates page for Outsourced Authentication


Wizard Page: Display the Subscriber Agreement Policy

Note: This Wizard page will not appear if you have a private CA.

Figure 3-15 Subscriber Agreement Displaying Policy page

If your organization will issue VeriSign Trust Network certificates from a public CA, this Wizard page allows you to display a link to the Subscriber Agreement in the end-user certificate enrollment page. VeriSign Trust Network Subscriber Agreements are contracts between end-user certificate applicants and VeriSign, and govern the terms and conditions under which an end user can obtain, use, revoke, and renew a public Digital ID. The Subscriber Agreement also stipulates the terms and conditions of VeriSign’s services. If you select Show Subscriber Agreement, text about the applicable Subscriber Agreement will appear on the end-user enrollment pages. The text indicates the URL where the applicant can access the applicable Subscriber Agreement. If you do not select this option, the text will not appear. This option is helpful in communicating the terms and conditions to end users. However, whether you select this option or not, your organization is responsible for ensuring that end users abide by the terms and conditions of the applicable Subscriber Agreement. Therefore, VeriSign recommends that you select this option to display the text.


Wizard Page: Certificate Publishing Policy

Figure 3-16 Certificate Publishing Policy page

In the Certificate Publishing Policy page, you decide whether to have your organization’s certificates published through VeriSign’s directory services and Web-based search engine. The default selection for this page depends upon which type of Managed PKI account you are implementing. Public Managed PKI is set by default to Always Publish. Private Managed PKI is set by default to Never Publish (although you can change this setting). The Certificate Publishing Policy you select is effective immediately. However, existing enrollments will remain as published or unpublished, depending on the setting at the time of enrollment.

Download the Policy File

The last page of the Policy Wizard includes a link that allows you to download the policy file (see Figure 3-17). The policy file is created in the following format: .policy

For example:


AcmeOperations.policy

The policy file contains a complete list of your configuration choices. The policy file also enables you to generate customized Digital ID Center pages—the pages used by your subscribers to request certificates and to perform certificate management activities.

Figure 3-17 Policy File Download page

With most Managed PKI configurations, you must download the policy file. However, with remote hosting, downloading of the policy file is optional if you use manual authentication or Passcode Authentication, and you do not use PTA. You must download the policy file to configure VeriSign Registration Authority with Local Hosting.

Note: In some cases, the download link will not appear on the Policy File Download page. This occurs, for instance, if your Managed PKI configuration does not include Local Hosting or the Personal Trust Agent.

If you decide to download the policy file at a later time, use the Download Policy File Wizard from the Control Center’s Configuration page. Each time that you run the Policy Wizard, VeriSign generates a new policy file. To implement your changes, you must download the new policy file. A newly generated policy file will have the same name as the older version. Once you have downloaded the policy file, return to the Control Center by clicking the Go to the Control Center link in the Policy Wizard.


Tip: Create a directory where you will store the policy file for easy access. If you install an option that requires the policy file, you must supply the full path to the saved file.

(Optional) Perform Additional Configuration

With the Managed PKI Configuration Wizards, you can further configure and customize your certificate service. In addition to the Policy Wizard, Managed PKI includes the following Configuration Wizards:

Download Policy File

Administrator Roles Wizard

CSR Enrollment Wizard

Install CA Wizard

Logo Wizard

Renewal Wizard

Email Wizard

Key Recovery Wizard

Download OCSP Cert Wizard

To access a Configuration Wizard, simply click the appropriate link in the list on the left side of the Managed PKI Control Center Configuration page (Figure 3-18).

Figure 3-18 Configuration page


Note: Since Wizard pages typically include explanatory text and online help, most of the Configuration Wizard discussions below include only a general introduction. For more information on the content and purpose of each Wizard, see the text and online help.

Download Policy File Wizard

The Download Policy File wizard enables you to download your policy file any time after running the Policy Wizard. This wizard is available after you run the Policy Wizard for the first time.

Note: The option to download the policy file is available only to administrators who have been assigned the Security Administrator or Configuration Administrator role.

CSR Enrollment Wizard

With CSR enrollment, subscribers paste their CSR (certificate signing request) file into the enrollment page when requesting certificates. Your end users are most likely to do this when enrolling for Managed PKI IPSec certificates. For more information about CSR enrollments, see Managed PKI Technical Reference. The CSR Enrollment Wizard enables you to add a link to the Digital ID Center that enables users to enroll for a Digital ID using a CSR.

Note: Typically, this wizard is not required for VeriSign Registration Authority.

Follow these steps to configure CSR enrollment:

1. On the Configuration page, click the CSR Enrollment link.

2. Select CSR-based Enrollment and click Continue.

This step adds a link for CSR enrollment to the end-user certificate enrollment page.

Note: If the CSR Enrollment link does not appear when you test the enrollment page (in a subsequent step), call VeriSign Customer Support.

Logo Wizard

For remote hosting only. With the Logo Wizard, you can place your organization’s logo on the certificate enrollment page (the page that applicants use to request certificates).

Note: This wizard is not required for VeriSign Registration Authority.

Email Wizard

With the Email Wizard (Figure 3-19), you can customize the automated email messages that Managed PKI sends to your subscribers. Automated email messages include enrollment confirmation, approval, rejection, and renewal notifications.


Note: Some spam filters may block emails sent by VeriSign to your end users; for example, some filters may block email with a reply-to address in the header. If your anti-spam filters block email from VeriSign to subscribers, you will need to arrange for an alternate method of delivery.

The Email Wizard allows you to alter the email addressing information and the message text.

Figure 3-19 Email Wizard

The Email Wizard enables you to change the message text.

Note: If you wish to change the method that subscribers use to retrieve certificates, use the Authentication Wizard.

1. From the Configuration page, click Email to access the Email Wizard.

2. You may see a screen prompting you to enter the sender’s email address. Enter the email address to appear in all automated email messages sent to your subscribers, and click Continue.

Note: By entering an email alias, rather than the email address of a specific individual, you can avoid changing the address in the subscriber pages and email wizards if the Managed PKI administrator changes.


3. Select the link to the email message you wish to configure.

+ Confirmation. This email message is sent after an applicant requests a certificate, or requests a replacement or renewal certificate. The message confirms that the request was submitted properly. You specify whether to send the message to the applicant, to a specified email address, to both the applicant and the specified email address, or not to send it at all.

+ Approval. This email message is sent to subscribers if the administrator approves the certificate enrollment, replacement, or renewal request. It instructs them how to pick up the new certificate. It may also include a link to online Help pages that assist them with the certificate installation process. No approval email is sent if a certificate is issued instantly. For example, if you are using Managed PKI VeriSign Registration Authority or Passcode enrollments and the user supplies good enrollment data, the certificate is immediately placed in the subscriber’s browser.

+ Rejection. This email message is sent to the subscribers if the enrollment, replacement, or renewal request is rejected.

+ Renewal. This email message is sent to notify the applicant that his or her certificate is expiring and needs to be renewed.

4. Select where the email message should be sent and click Continue.

+ To send the message to the applicant, select Send to applicant.

+ To send the message to a specific email address, select Send to this address, and enter the email address in the text box.

+ To send the message to both the applicant and the specified address, select Send to both the applicant and the specified address.

+ If you do not want an automated email message sent, select Do not send to anyone.

5. You can select Use Custom and edit the subject line and the email message text in the text boxes. Use the following guidelines:

+ The subject line does not support true multi-byte characters (there is no conversion to a multi-byte character encoding scheme such as UTF-8). If a non-ASCII string is entered, it is treated like a string of special characters.

+ The message field is 80 columns wide. The lines do not automatically wrap, so you must insert hard carriage returns at the end of each line.

+ Any text shown as $$variable_name$$ represents personalized information for the message recipient. For example, the $$NAME$$ variable represents the applicant’s name, and enables you to personalize the message. Do not otherwise use two dollar signs together ($$) in the message. Table 3-2 lists the variables, the template in which they appear, and whether the variable is required or optional. (Additional information about these variables is available on the Email Wizard screens.)

Table 3-2 Email variables for templates

Variable       Email Template                                 Required/Optional
$$NAME$$       Confirmation, Approval, Rejection, Renewal     Required
$$SUBDIR$$     Approval                                       Optional
$$PIN$$        Approval                                       Required
$$EXPDATE$$    Renewal                                        Required

+ The message body supports native language character sets, regardless of whether you selected UTF-8 encoding in the Policy Wizard. Your end users will receive the email message in the same language you use to customize these email templates.

+ Enter a carriage return at the end of your email message text to avoid having the text truncated.

+ When Local Hosting is implemented, you should edit the Renewal email to include the locally hosted enrollment page URL.

6. When you are finished editing the email message, click Continue. The Control Center displays an example of the email message. Click Continue again to keep these settings.
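The guidelines for custom messages above (the $$VARIABLE$$ placeholders and their required/optional status in Table 3-2, no other paired dollar signs, an ASCII-only subject line, 80-column lines with hard returns, and a closing carriage return) can be checked mechanically before a template is saved in the Email Wizard. The following Python is an added example written for this guide, not VeriSign's template engine; the sample Approval text, the placeholder name pattern and the decision to treat an unknown variable as an error rather than as blank text are assumptions of the example.

```python
import re
from typing import Dict, List, Set

# Table 3-2: the templates each variable belongs to and whether it is required.
REQUIRED_VARIABLES: Dict[str, Set[str]] = {
    "Confirmation": {"NAME"},
    "Approval": {"NAME", "PIN"},
    "Rejection": {"NAME"},
    "Renewal": {"NAME", "EXPDATE"},
}
OPTIONAL_VARIABLES: Dict[str, Set[str]] = {"Approval": {"SUBDIR"}}

# Placeholder shape assumed by this example: $$NAME$$, $$EXPDATE$$ and so on.
PLACEHOLDER = re.compile(r"\$\$([A-Z0-9_]+)\$\$")
MESSAGE_COLUMNS = 80


def lint_template(template_name: str, subject: str, body: str) -> List[str]:
    """Check a customized subject and body against the Email Wizard guidelines."""
    problems: List[str] = []
    required = REQUIRED_VARIABLES[template_name]
    allowed = required | OPTIONAL_VARIABLES.get(template_name, set())
    found = set(PLACEHOLDER.findall(body))

    for name in sorted(required - found):
        problems.append(f"missing required variable $${name}$$")
    for name in sorted(found - allowed):
        problems.append(f"variable $${name}$$ is not defined for the {template_name} template")
    # "Do not otherwise use two dollar signs together": remove the real
    # placeholders, then anything left containing '$$' is a stray pair.
    if "$$" in PLACEHOLDER.sub("", body):
        problems.append("stray '$$' outside a variable")
    # The subject line has no multi-byte conversion, so non-ASCII text is not
    # rendered as intended.
    if not subject.isascii():
        problems.append("subject line contains non-ASCII characters")
    # The message field is 80 columns wide and does not wrap.
    for number, line in enumerate(body.split("\n"), start=1):
        if len(line) > MESSAGE_COLUMNS:
            problems.append(f"line {number} is longer than {MESSAGE_COLUMNS} columns")
    # A final carriage return avoids truncation of the last line.
    if not body.endswith("\n"):
        problems.append("message text must end with a carriage return")
    return problems


def render_template(body: str, values: Dict[str, str]) -> str:
    """Substitute $$VARIABLE$$ placeholders; an unknown variable raises instead of going blank."""
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for $${name}$$")
        return values[name]
    return PLACEHOLDER.sub(substitute, body)


# Constructed sample Approval template (not VeriSign's default text).
APPROVAL_SUBJECT = "Your certificate request has been approved"
APPROVAL_BODY = (
    "Dear $$NAME$$,\n"
    "\n"
    "Your certificate request has been approved.\n"
    "Use this PIN to pick up your certificate: $$PIN$$\n"
)


if __name__ == "__main__":
    print(lint_template("Approval", APPROVAL_SUBJECT, APPROVAL_BODY) or "Approval template: ok")
    print(render_template(APPROVAL_BODY, {"NAME": "Alice Example", "PIN": "246810"}))
```

Raising on a missing value matters most for the Approval template: a rendered message with an empty $$PIN$$ would reach the subscriber looking legitimate but leave them unable to retrieve the certificate, and a blank placeholder is much harder to notice in mail logs than an exception at send time.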

Customize Email Messages for Passcode Authentication

Managed PKI automatically generates and sends email messages regarding certificate status to subscribers and applications. Because Passcode Authentication processes and issues certificates immediately (with no intermediate confirmation and approval steps), several of the email messages are not used. Passcode Authentication uses only the Renewal email message, so this is the only email message you need to configure. Do not configure the following email messages for Passcode Authentication:

Confirmation

Approval

Rejection

Customize Email Messages for VeriSign Registration Authority

If you are implementing VeriSign Registration Authority, the following guidelines also apply:

If you selected the single key pair option, the Email Wizard lists the types of email messages and enables you to edit them.

If you selected the dual key pair option, the Email Wizard includes a set of email messages for Signing certificates, as well as another set for Encryption/Authentication certificates. Edit both sets of messages.

Confirmation Emails: Enrollment confirmation email templates are not used with VeriSign Registration Authority. Therefore, you do not need to configure them.

Renewal Emails: Managed PKI requires users to enroll for a new certificate rather than reusing the existing key pair. The renewal email should point to the correct enrollment URL for each key type. The Dual Key Pair option uses two renewal emails. If you selected this option, you should customize both renewal emails.

Authentication Wizard

As a Managed PKI administrator, you are responsible for verifying the identity of the end-user certificate applicant. Once the identity of the applicant is validated, and the accuracy of the enrollment data is confirmed, the certificate request may be approved. This confirmation process is known as authentication. End-user authentication ensures that only the applicant, and no other person, can pick up their certificate. By default, Managed PKI sends email to each approved end-user applicant stating that their certificate is authorized, and that the applicant can pick it up. The message contains an authentication PIN (personal identification number) that the applicant must use to retrieve the certificate.


Note: If all users receive their certificates automatically through Passcode Authentication or VeriSign Registration Authority, then there is no need to configure end-user authentication.

If your organization’s Statement of Practices requires another end-user authentication method, you can make the necessary changes with the Authentication Wizard (Figure 3-1). To access the Authentication Wizard, click the Authentication link in the Managed PKI Control Center Configuration page.

Note: Some spam filters may block emails sent by VeriSign to your end users; for example, some filters may block email with a reply-to address in the header. If your anti-spam filters block email from VeriSign to subscribers, you will need to arrange for an alternate method of delivery.

Figure 3-1 Authentication Wizard

The Authentication Wizard offers the following options for certificate retrieval:

+ Send to applicant. This is the most commonly used manual authentication option. With this option, the applicant receives a certificate approval email. The applicant then follows the enclosed instructions and uses the PIN to retrieve the certificate.

+ Do not send to applicant. If you select this option, a certificate approval email is not sent to the applicant. This option allows you to enforce a personal presence authentication model; that is, you may require applicants to appear in person in order to retrieve a certificate. Once you have approved the certificate, you may require a phone call or personal visit from the applicant to ensure delivery of the certificate to the correct party. However, this method may be impractical for organizations that issue large numbers of certificates.

+ Always send to a specified email address. With this option, a third party (someone other than the applicant) is responsible for retrieving the PIN. This method allows you to distribute the workload by assigning some responsibilities to a third party. For instance, you may have a third party distribute PINs or certificates.

Administrator Roles Wizard

With the Administrator Roles Wizard, you can assign and remove Managed PKI administrative roles for other Managed PKI administrators. For information on appointing additional Managed PKI administrators, see Managed PKI v7.2 Administrator’s Handbook.

By default, the first Managed PKI administrator registered by your organization is designated Security Administrator. The Security Administrator is responsible for assigning and removing all roles for other administrators. Although the original Security Administrator can assign the Security Administrator role to another Managed PKI administrator, Security Administrators cannot remove their own Security Administrator role. Only another Security Administrator within the same jurisdiction can remove the role. Table 3-3 lists the differing Managed PKI administrator roles and their capabilities.

Table 3-3 Managed PKI administrator roles and capabilities

Administrator Role: Allowed Tasks

Security Administrator: Assign roles (administrator privileges and wizard access) to other administrators.

Configuration Administrator: Configure Managed PKI; specify certificate and enrollment page contents; specify reporting features.

Certificate Management Administrator: Approve and reject certificate requests; revoke certificates; manage passcodes; assign requests to other administrators; and manage the certificate lifecycle. To facilitate the validation process, it may be helpful to assign the Certificate Management Administrator role to an administrator who knows a particular group of subscribers well.

Read-only: View current requests, certificate data, and log files. This is the default role for all administrators designated after the first administrator. A Security Administrator must assign any additional roles to subsequent administrators.

Note: Because there are more stringent rules governing Class 3 certificates issued from Business Authentication Service accounts, Business Authentication Service administrators only have configuration and revocation privileges.
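The role rules above (the first administrator registered becomes Security Administrator, later administrators default to Read-only, a Security Administrator cannot remove their own Security Administrator role, and only another Security Administrator in the same jurisdiction can remove it), as an added example that is not part of the guide or of Managed PKI itself. The Go types, the task strings and the Jurisdiction field are this example's assumptions; the Managed PKI Control Center does not expose such an API.

```go
package main

import (
	"errors"
	"fmt"
)

type Role string

// Role names follow Table 3-3.
const (
	SecurityAdmin Role = "Security Administrator"
	ConfigAdmin   Role = "Configuration Administrator"
	CertMgmtAdmin Role = "Certificate Management Administrator"
	ReadOnly      Role = "Read-only"
)

// tasksByRole lists the tasks Table 3-3 allows each role; the task strings are this example's own.
var tasksByRole = map[Role][]string{
	SecurityAdmin: {"assign roles"},
	ConfigAdmin:   {"configure", "specify page contents", "specify reporting"},
	CertMgmtAdmin: {"approve request", "reject request", "revoke certificate", "manage passcodes", "assign requests"},
	ReadOnly:      {"view requests", "view certificate data", "view logs"},
}

type Admin struct {
	Jurisdiction string // assumed attribute; the guide mentions jurisdictions without defining them
	Roles        map[Role]bool
}

// Account holds the administrators registered for one Managed PKI account.
type Account struct{ admins map[string]*Admin }

func NewAccount() *Account { return &Account{admins: map[string]*Admin{}} }

// Register applies the guide's defaults: the first administrator registered is
// the Security Administrator; every later one starts Read-only.
func (a *Account) Register(name, jurisdiction string) {
	adm := &Admin{Jurisdiction: jurisdiction, Roles: map[Role]bool{}}
	if len(a.admins) == 0 {
		adm.Roles[SecurityAdmin] = true
	} else {
		adm.Roles[ReadOnly] = true
	}
	a.admins[name] = adm
}

// authorize resolves both parties and checks that the actor may change roles at all.
func (a *Account) authorize(actor, target string) (*Admin, *Admin, error) {
	act, tgt := a.admins[actor], a.admins[target]
	if act == nil || tgt == nil {
		return nil, nil, fmt.Errorf("unknown administrator: %q or %q", actor, target)
	}
	if !act.Roles[SecurityAdmin] {
		return nil, nil, errors.New("only a Security Administrator can assign or remove roles")
	}
	return act, tgt, nil
}

// AssignRole lets a Security Administrator grant any role, including Security
// Administrator, to another administrator.
func (a *Account) AssignRole(actor, target string, role Role) error {
	_, tgt, err := a.authorize(actor, target)
	if err != nil {
		return err
	}
	if _, known := tasksByRole[role]; !known {
		return fmt.Errorf("unknown role %q", role)
	}
	tgt.Roles[role] = true
	return nil
}

// RemoveRole enforces the guide's two separation-of-duty rules: no self-removal of
// the Security Administrator role, and removal only from within the same jurisdiction.
func (a *Account) RemoveRole(actor, target string, role Role) error {
	act, tgt, err := a.authorize(actor, target)
	if err != nil {
		return err
	}
	if role == SecurityAdmin && actor == target {
		return errors.New("a Security Administrator cannot remove their own Security Administrator role")
	}
	if role == SecurityAdmin && act.Jurisdiction != tgt.Jurisdiction {
		return errors.New("only a Security Administrator in the same jurisdiction can remove that role")
	}
	delete(tgt.Roles, role)
	return nil
}

// Permitted reports whether the administrator holds a role that allows the task.
func (a *Account) Permitted(name, task string) bool {
	adm := a.admins[name]
	if adm == nil {
		return false
	}
	for role := range adm.Roles {
		for _, t := range tasksByRole[role] {
			if t == task {
				return true
			}
		}
	}
	return false
}
```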

Install CA Wizard

From the Install CA Wizard page, you can install and entrust your organization’s Certificate Authority (CA) in your client and server applications. These applications will then “trust” certificates issued by your CA. If your organization is issuing Private end-user or Private IPSec certificates, you must embed this root in your applications.

Renewal Wizard

The Renewal Wizard enables you to specify how subscribers renew their certificates. Users can renew their certificates within 30 days of expiration. This 30-day window enables users to continue using their certificates without interruption.

Note: RA provides three methods by which your subscribers can request renewal of their certificates (Automatic Renewal, Re-Authentication Renewal, or Client Authentication Renewal). The Renewal Wizard does not configure these options. See Chapter 11, “Subscriber Renewal,” for configuration instructions for these options.

The renewal process may simply involve sending a Renewal Notice to the subscriber by email. The Renewal Notice can be sent to the subscriber sometime between one week and one month before expiration. Typically, the Renewal Notice includes:

+ A message to notify the subscriber of the impending expiration of a certificate.
+ Instructions for the renewal process.
+ A URL where the subscriber can enroll for the renewed certificate.

While this arrangement is sufficient for most organizations, you can use the Renewal Wizard to add further requirements for enhanced security. To access the Renewal Wizard, click the Renewal link on the Managed PKI Control Center Configuration page. The Renewal Wizard guides you through the following configuration pages:

1. Specify the Authentication Mode for Certificate Renewal Requests

Select one of the following options:

+ Instant Issue. With the Instant Issue option, Managed PKI will ask the subscriber to prove that he or she requested the original certificate. Once the identity of the subscriber is validated, the new certificate is issued. Instant Issue is a good option if the authentication policy and user information for your organization have not changed since the certificate was issued. For Microsoft Internet Explorer users, the HTML form digitally signs the renewal request with the original private key. If the signature can be verified, then the subscriber has proven that he or she is still in possession of the original key pair. For applications that do not support the digital signing of data (such as Firefox), the subscriber is asked to enter:
  – A renewal PIN, and
  – The challenge phrase (password) that he or she used when enrolling for the original certificate.

  Note: If necessary, you can reset the challenge phrase from the View Certificates page in the Managed PKI Control Center.

+ Manual Approval. With the Manual Approval option, the renewal request is placed in the pending queue for review by the Managed PKI administrator. Use this option if your authentication policy has changed, or if the subscriber information is different.

  Note: For users of VeriSign Registration Authority, VeriSign recommends Manual Approval, rather than Instant Issue. Manual Approval ensures that Managed PKI subscribers cannot renew their certificates through the VeriSign Web page.
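The Instant Issue proof of possession described above (the renewal request is signed with the original private key, and the RA verifies that signature against the original certificate) as an added example, not code from the guide or from Managed PKI. The request layout, the RA-issued nonce, the self-signed stand-in certificate and the 30-day window check are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RenewalWindow is the 30-day period before expiry in which the guide lets a subscriber renew.
const RenewalWindow = 30 * 24 * time.Hour

// RenewalRequest is what the subscriber signs. The layout is an assumption for
// this example; the guide does not describe the form's actual request format.
type RenewalRequest struct {
	Serial  string // serial number of the certificate being renewed
	Subject string // subject the subscriber claims
	Nonce   []byte // RA-issued nonce so a captured signature cannot be replayed
}

// digest length-prefixes every field so that field boundaries are unambiguous.
func (r RenewalRequest) digest() []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(r.Serial), []byte(r.Subject), r.Nonce} {
		fmt.Fprintf(h, "%d:", len(part))
		h.Write(part)
	}
	return h.Sum(nil)
}

// NewSubscriberKey generates the key pair behind the subscriber's original certificate.
func NewSubscriberKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// IssueOriginalCert builds a self-signed stand-in (constructed) for the certificate
// the CA issued a year earlier; a real Managed PKI certificate is CA-signed.
func IssueOriginalCert(key *ecdsa.PrivateKey, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "alice@acmebank.example"},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour), // one-year validity, as in the guide
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SignRenewal is the subscriber side: the browser signs the renewal request
// with the private key of the certificate being renewed.
func SignRenewal(req RenewalRequest, key *ecdsa.PrivateKey) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, req.digest())
}

// VerifyRenewal is the RA side. Possession is proven only when the signature
// verifies under the public key inside the ORIGINAL certificate, the request
// names that certificate, and the request falls inside the renewal window.
func VerifyRenewal(req RenewalRequest, sig []byte, orig *x509.Certificate, now time.Time) error {
	pub, ok := orig.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("original certificate does not carry an ECDSA public key")
	}
	if req.Serial != orig.SerialNumber.String() {
		return errors.New("request does not name the certificate being renewed")
	}
	if !ecdsa.VerifyASN1(pub, req.digest(), sig) {
		return errors.New("signature was not made with the original private key")
	}
	if now.After(orig.NotAfter) {
		return errors.New("certificate has expired; Instant Issue no longer applies")
	}
	if orig.NotAfter.Sub(now) > RenewalWindow {
		return errors.New("renewal requested outside the 30-day window")
	}
	return nil
}
```

A request whose signature fails, or that arrives after expiry, is exactly the case the guide routes to the PIN plus challenge phrase or to Manual Approval instead.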

2. Specify the Validity Period for Your Subscriber’s Certificates

To enhance security, all certificates have a limited lifetime, known as the validity period. For most types of certificates, the period of time for which the certificate is valid is 365 days. With the Renewal Wizard, you can set the validity period to one year, shorten it, or specify the same validity period used by the previous certificate. If you choose to use a shorter validity period, that validity period will be in force only for those renewed certificates.

3. Specify Renewal Notice Delivery Option

In this Wizard page, you can specify the method by which a subscriber is notified that the certificate will soon expire. VeriSign keeps track of the expiration date of all your subscribers’ certificates and automatically emails a renewal notice to each subscriber to warn him or her that the certificate will soon expire. The email message explains the renewal procedure, includes a personalized Renewal PIN, and informs the subscriber how much longer the current certificate will be valid. The message’s intent is to urge the subscriber to renew his or her certificate before it expires.

+ Send to applicant. On the Renewal Notice date (defined in the next Wizard page), VeriSign automatically sends a Renewal Notice email to the subscriber.
+ Send to this address. VeriSign sends Renewal Notice emails to an email address other than the subscriber’s. For instance, you can have the Renewal Notices sent to an individual responsible for tracking all renewal activity.
+ Send to both the applicant and the specified address. On the Renewal Notice date, VeriSign sends a Renewal Notice email to both the subscriber and an email address other than the subscriber’s.
+ Do not send to anyone. VeriSign will not send a Renewal Notice to the subscriber. This option will prevent redundant notifications if you have implemented another process for notifying subscribers.

4. Specify the Renewal Notice Period

If you selected the Send to applicant, Send to this address, or Send to both the applicant and the specified address option on the preceding page, the Renewal Notice Period Wizard page opens. Here, you can specify the interval between the issuing of the renewal notice (the Renewal Notice date) and the expiration of the certificate. The default period is 30 days.

Key Recovery Wizard

The Key Recovery Wizard enables you to configure your Managed PKI account to use the dual control option for key recovery. In the dual control mode, two administrators need to approve a key recovery. Only a Managed PKI administrator with the Security Administrator role can run the Key Recovery Wizard and check the Dual Control check box to enable dual control.

Note: Once your account is set to dual control, a Security Administrator cannot change this setting. You must call VeriSign Customer Support to disable dual control.

See Managed PKI Key Escrow and Recovery Guide for detailed procedures on using the Dual Control option for key recovery.

Download OCSP Cert Wizard

The Download OCSP Cert Wizard provides a link where you can download a copy of your OCSP responder certificate in X.509 format. This link is only available if you have enabled Online Certificate Status Protocol (OCSP) as part of Premium Validation.

Manual Authentication: Test Your Managed PKI Configuration

This section only applies to manual authentication with remote hosting. If you are configuring Managed PKI with other modules, see “Next” on page 73 for further installation instructions.

When you finish configuring Managed PKI, test the system by requesting an end-user certificate for yourself. A successful enrollment verifies that Managed PKI is installed and running properly. To confirm your configuration settings, you should closely inspect the Digital ID Center start page and the enrollment page. If, during this testing process, you discover that you need to make changes, you can reconfigure the service using the appropriate wizard and then re-test. To test your Managed PKI configuration, follow these steps:

Step 1 Request a certificate

Click the User Services link in the Managed PKI Control Center Certificate Management page to locate and access the Digital ID Center URL. Your subscribers will use the Enrollment page to request certificates. Carefully review the Digital ID Center start and enrollment pages to ensure they meet your needs. Follow the instructions on this page to enroll for an end-user certificate for yourself. You will receive email confirmation of your request.

Step 2 Approve your certificate request

Now that you have submitted a request for a certificate, approve the request as follows (these are the same steps that you will follow to approve an applicant’s requests):

1. In the Certificate Management page, click Process Requests. The Process Requests page (Figure 3-1) displays all requests for certificates. The first time you submit a test request, it will be the only one on the page.

Figure 3-1 Certificate Management Process Requests page

2. To approve your certificate request, click Approve. The Control Center then sends the request to the VeriSign CA, where the certificate is generated. You will receive an email message that includes instructions for retrieving your certificate. Review these messages to ensure they meet your needs.

3. Pick up and review your certificate.

4. Following the instructions in the email message, retrieve your certificate and install it in your browser (see the browser documentation for instructions). You must use the same browser that you used to request the certificate.

5. To confirm your configuration settings, review the certificate in your browser.

Next

If you are using remote hosting without Passcode Authentication or any Go Secure! products (other than Go Secure! for Microsoft Exchange), then your Managed PKI implementation is complete. To view your end-user’s enrollment page URL, simply click the User Services link in the Managed PKI Control Center Certificate Management page. If you are not configuring Passcode Authentication, but wish to install Local Hosting, go to Chapter 5, “Configuring Local Hosting.” Local Hosting is required for VeriSign Registration Authority. If you are configuring Passcode Authentication, go to Chapter 7, “Configuring Passcode Authentication.”

Chapter 4 Installing the Administrator Kit

You have the option of storing your Managed PKI administrator ID in your browser’s certificate store or on a token. As a security measure, VeriSign recommends that you store your administrator ID on the token. Tokens are portable and provide greater protection for your private key than browsers. Once you generate your private key on the token, it can never be removed, backed up, or accessed by an unauthorized individual or application. Thus, tokens ensure that your private key cannot be duplicated. Your Administrator Kit contains the token used to store your administrator ID, an installation CD, a manual, and a cable connector. This chapter provides instructions for installing your Administrator Kit. You must have the appropriate rights to modify the administrator workstation before installing the Administrator Kit.

Note: VeriSign believes these instructions to be accurate at the time of printing. However, you should consult the product documentation for the most complete and up-to-date information.

Installing and Configuring the Administrator Kit

Complete these procedures to install and configure the Administrator Kit on your Windows system.

Step 1 Install the Aladdin Software

Before connecting the token to a USB port, you must first install the Aladdin software. See the Aladdin documentation included on the CD for detailed information.

1. Place the Aladdin CD in the CD-ROM drive.

2. The Aladdin setup instructions should appear automatically. If Autorun is not supported on your computer system, select Start → Run, type D:\setup.exe (where D is the letter of the drive where you loaded the CD), and click OK.

3. Follow the instructions on the screen.

4. If prompted to do so, reboot your computer when the installation is finished.

Step 2 Connect the Token

Following the installation instructions included with the Aladdin documentation, connect the token to an available USB port on your computer. For convenience, a USB cable connector is included with the kit.

Step 3 Download the Administrator ID into the Token

Once you have installed the Aladdin token, you can pick up your administrator ID and install it on the token.

Note: If you have already installed your administrator ID in your browser, you can import it to the token using the eToken Certificate Converter utility provided on the Aladdin CD or obtained directly from Aladdin.

1. With the token installed on your workstation, pick up your administrator ID using the instructions, URL, and pickup PIN provided in the Approval email you received from VeriSign.

   Note: When picking up your administrator ID, select the cryptographic service provider associated with your token.

2. Verify that the administrator ID is automatically installed on your token.

Next

Configure the Managed PKI account using the configuration wizards, as described in Chapter 3, “Configuring Managed PKI.”

Chapter 5 Configuring Local Hosting

With the VeriSign Local Hosting option, the Managed PKI Digital ID Center pages are hosted on your local Web server. The Digital ID Center contains the Web pages subscribers use to enroll for certificates, and to perform other certificate management operations, such as renewal and revocation. With Local Hosting, you can customize the Digital ID Center pages for your organization. Although the Digital ID Center pages are locally hosted, the Managed PKI Control Center pages and certificate generation operations are still hosted by VeriSign’s secure site. Local Hosting is required for VeriSign Registration Authority and most of the Go Secure! applications.

This chapter provides instructions for the implementation of Local Hosting on Microsoft Internet Information Server, Sun ONE Web Server, and Stronghold/Apache Web server. Before proceeding with this chapter, you should first complete the following tasks:

+ Complete the requirements for your Managed PKI configuration, as described in Chapter 2, “Configuring Your System.”
+ (If applicable) Install the Administrator Kit. See Chapter 4, “Installing the Administrator Kit.”
+ Configure Managed PKI and download your policy file, as described in Chapter 3, “Configuring Managed PKI.”

If you are implementing Passcode Authentication, continue with Chapter 7, “Configuring Passcode Authentication.”

Local Hosting Overview

This section provides an overview of the process involved in establishing Local Hosting with Microsoft IIS and Sun ONE Web Server. For detailed instructions, see the appropriate section:

+ “Installing Local Hosting with Microsoft Internet Information Server (IIS)” on page 79
+ “Installing Local Hosting with Sun ONE Web Server” on page 96

Step 1 Generate the customized Digital ID Center and enrollment pages

To generate the customized enrollment and Digital ID Center pages, you must first run the install program from the Managed PKI Local Hosting CD or from a copy of the CD contents that you obtain from a tar file. The install program reads your policy file, applies your configuration preferences to the standard pages, and generates a complete set of customized HTML enrollment and Digital ID Center pages.

Note: If your Managed PKI configuration does not include Local Hosting, the enrollment and Digital ID Center pages are hosted on VeriSign's Web server. Managed PKI applies your configuration specifications to those pages. If you want to add your logo to the Digital ID Center pages, use the Logo Wizard, described on page 61.

Step 2 Create a new Web site or virtual directory

Create a new Web site or virtual directory to host the enrollment and Digital ID Center pages.

Step 3 Specify the CGI directory

In that location, create a virtual subdirectory to hold the CGI pages.

Step 4 Specify an index page for the Web site

Specify the User Services index page for the Web site. This step does not apply to Stronghold/Apache servers.

Step 5 Update MIME Type Settings

On Sun ONE Web servers running on Windows, you must update the MIME type settings.

Step 6 Start the new Web server

Start the new Web server.

Step 7 Verify operation of the Local Hosting Web server

Open the Web site hosting the enrollment and Digital ID Center pages. Review the functionality and appearance of each enrollment and Digital ID Center page.

Installing Local Hosting with Microsoft Internet Information Server (IIS)

Note: The screenshots in this section are taken from a system running Microsoft IIS 5.0. The appearance, text, and titles of these screens will differ slightly when your system is running Microsoft IIS 6.0. However, the process for configuring Local Hosting is the same.

Follow these steps to implement Local Hosting with Microsoft IIS:

Step 1 Generate the customized enrollment and Digital ID Center pages

In this step, you will run the install program from the Managed PKI Local Hosting CD. The install program reads your policy file, applies your configuration preferences to the standard pages, and generates a complete set of customized HTML enrollment and Digital ID Center pages.

1. Put the Managed PKI Local Hosting CD in the CD drive. At the command line, go to the sitekit\engine directory for your platform. For example, for Windows, change to the following directory at the command line: \Win\sitekit\engine

2. From the command line, run the install program using the following syntax:

   install-nt <source dir> <dest dir> <policyfile>

   install-nt. This is the command for Windows.

   source dir. This is the source directory for the files that are to be customized. The first time you install, the source directory is \sitekit\templates on the Managed PKI Local Hosting CD or unzipped files directory. The templates directory contains VeriSign’s default Managed PKI enrollment and Digital ID Center pages, which will be copied onto your Web server and customized according to your selected configurations. For example, the hierarchy of the Windows source directory is displayed in Figure 5-1 on page 81. The source directory on the CD differs depending on the operating system you are using. See the examples starting on page 80 to see which directory applies.

   Note: If you are simply changing your policy file, and want to preserve previous customization of the enrollment and Digital ID Center pages, you can use your existing Local Hosting directory as the source directory. See Managed PKI Technical Reference for more information.

   dest dir. The destination directory is the path of the directory on your Web server where subscribers will access the pages. VeriSign recommends you create the directory: \VeriSign\MPKI\webroot. Figure 5-2 on page 81 shows a destination directory after installation.

   policyfile. This is the path and filename of your policy file (typically a file with the .policy extension).

Install Command Examples

The following are examples of how to use the install program to generate the customized enrollment and Digital ID Center pages on the IIS Web Server. Each install command example uses a policy file for the fictitious “ACME Bank.”

Example: Windows (D:\ is the CD drive)

   C:\>D:
   D:\>cd Win\sitekit\engine
   D:\>install-nt D:\Win\sitekit\templates C:\VeriSign\MPKI\webroot C:\ACMEBank.policy

The install program copies the template files to the destination directory, and then applies your policy settings.

Note: Typically, a user only needs the platform, source directory, and destination directory when installing customized files. However, you can run customizer.exe to configure the install command with additional options. For further information, see Appendix B, “Install Program Options.”

Figure 5-1 shows the contents of a sample Windows source directory from the Managed PKI Local Hosting CD.

Figure 5-1 Windows source directory hierarchy

Figure 5-2 shows an example of the destination directory for Windows after files are installed.

Figure 5-2 Destination directory for Windows

Text similar to the following appears after a successful customization. The total number of files will vary with the number of features on your Managed PKI account. If any errors occur, see the customizer.log file in the log subdirectory of the destination directory (\log\customizer.log).

   INFO - ##### Customization Status #####
   INFO - STATUS - Total files customized successfully: 115
   INFO - STATUS - Total files customized with errors: 0
   INFO - STATUS - Total files customized: 115
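A check over the status block above, added here as an example that is not part of the guide or of the install program: it parses the three STATUS counters from constructed sample output and flags any run whose "with errors" counter is non-zero for review against customizer.log before the pages go live. The sample output strings are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// SampleCleanOutput is constructed sample output in the format the guide shows after a clean run.
const SampleCleanOutput = `INFO - ##### Customization Status #####
INFO - STATUS - Total files customized successfully: 115
INFO - STATUS - Total files customized with errors: 0
INFO - STATUS - Total files customized: 115`

// SampleErrorOutput is constructed sample output for a run in which three files could not be customized.
const SampleErrorOutput = `INFO - ##### Customization Status #####
INFO - STATUS - Total files customized successfully: 112
INFO - STATUS - Total files customized with errors: 3
INFO - STATUS - Total files customized: 115`

// CustomizationStatus holds the three counters the install program prints.
type CustomizationStatus struct {
	Succeeded, WithErrors, Total int
}

// statusLine matches the three STATUS counters; group 1 tells them apart.
var statusLine = regexp.MustCompile(`STATUS - Total files customized( successfully| with errors)?: (\d+)\s*$`)

// ParseCustomizationStatus scans install output (or customizer.log) for the
// status block and fails if any of the three counters is missing.
func ParseCustomizationStatus(output string) (CustomizationStatus, error) {
	var st CustomizationStatus
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		m := statusLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		n, err := strconv.Atoi(m[2])
		if err != nil {
			return st, err
		}
		kind := strings.TrimSpace(m[1])
		switch kind {
		case "successfully":
			st.Succeeded = n
		case "with errors":
			st.WithErrors = n
		default:
			st.Total = n
		}
		seen[kind] = true
	}
	if len(seen) != 3 {
		return st, fmt.Errorf("incomplete status block: found %d of 3 counters", len(seen))
	}
	return st, nil
}

// Clean is true only for a run with no per-file errors and consistent totals.
// Anything else should be compared against customizer.log: the guide notes that
// errors for files your installation does not use are benign, but that is a
// decision to take after reading the log, not by default.
func (s CustomizationStatus) Clean() bool {
	return s.WithErrors == 0 && s.Total > 0 && s.Total == s.Succeeded+s.WithErrors
}
```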

Note: The customization command may note errors and display the following message. The command is looking for files that are not used in your installation, so these errors can safely be ignored.

   The most probable cause for the above errors is that the files to be customized could not be found. Please check whether you have specified the correct directories. For more details on the errors you can check the log file. LOG File: C:\\log\customizer.log.

Step 2 Create a new Web site or virtual directory

Depending on whether you want to install Local Hosting on an existing or new Web site, you must create a virtual directory to host the pages, or specify the root directory of the Web server.

To create a new virtual directory for an existing Web site:

If you are installing Local Hosting on an existing Web site, you should create a new virtual directory. To add a virtual directory to an existing Web site, follow these steps.

Note: If you are installing Local Hosting on a new server, see “To create a new Web site:” on page 86.

1. Open the Microsoft Management Console: For systems running IIS 5.0 on Windows, select Start→Programs→Administrative Tools→Internet Services Manager. For systems running IIS 6.0 on Windows, you can customize the interface. The default procedure for opening the Microsoft Management Console is to select Start→All Programs→Administrative Tools→Internet Information Services (IIS) Manager.

2. For systems running IIS 6.0 only: Set the access for Web services extensions:

   a. In the left frame of the Microsoft Management Console, click Web Service Extensions (see Figure 5-3).

   Figure 5-3 Web Services Extensions page

   b. In the right frame, select Add a new Web Service Extension. A New Web Service Extension dialog box appears.

   c. Add the specific ISAPI and CGI extensions (haydn.exe, sophialite.exe, softbounce.exe and authsophialite.exe) by browsing to the actual paths in which the executables lie.

   d. After adding the extensions, allow each one of them individually.

3. From the left frame of the Microsoft Management Console, right-click the virtual directory or Web site, and select New→Virtual Directory (see Figure 5-4). The New Virtual Directory Wizard opens.

Figure 5-4 New→Virtual Directory command

4. In the Virtual Directory Alias page of the New Virtual Directory Wizard, enter a descriptive name for the virtual directory, then click Next (see Figure 5-5).

Figure 5-5 Virtual Directory Alias page

5. The Web Site Content Directory page opens (see Figure 5-6). Enter the path for the home directory of the Managed PKI Digital ID Center pages. This is the htmldocs subdirectory. The install program generated the htmldocs subdirectory under the destination directory specified in Step 1, “Generate the customized enrollment and Digital ID Center pages”. In Figure 5-6, the htmldocs subdirectory path is C:\VeriSign\MPKI\webroot\htmldocs. Click Next.

Figure 5-6 Web Site Content Directory page

6. The Access Permissions page opens (see Figure 5-7). When the New Virtual Directory Wizard requests access permissions, select Read, Run scripts (such as ASP), and Execute (such as ISAPI applications or CGI), then click Finish.

Figure 5-7 Access Permissions page

Next

Go to Step 3, “Specify the CGI directory” on page 89.

To create a new Web site:

If you are installing Local Hosting on a new server, follow these steps to create a new Web site.

Note: If you are installing Local Hosting on an existing Web site, then you should create a new virtual directory. To add a virtual directory to an existing Web site, see “To create a new virtual directory for an existing Web site:” on page 82.

1. Open the Microsoft Management Console: For systems running IIS 5.0 on Windows, select Start→Programs→Administrative Tools→Internet Services Manager. For systems running IIS 6.0 on Windows, you can customize the interface. The default procedure for opening the Microsoft Management Console is to select Start→All Programs→Administrative Tools→Internet Information Services (IIS) Manager.

2. Right-click the Web server on which you wish to host the Web site, and select New→Web Site (see Figure 5-8). The New Web Site Wizard opens.

Figure 5-8 New→Web Site command

3. In the Web Site Description page (see Figure 5-9), enter a descriptive name for the Web server. Click Next.

Figure 5-9 Web Site Description page

4. On the IP Address and Port Settings page, accept the default setting for the IP address and Host Header (see Figure 5-10). If required, enter nonstandard values for the TCP port or SSL port. Click Next.

   Note: If you are planning on running multiple Web sites on the same IIS Web server, each of the TCP/IP Web server ports should be unique. For example, if you use SSL and port 443 (the standard), enter a unique port for this new web site. If you use TCP and port 80 (the standard), enter a unique port for this new web site.

Figure 5-10 IP Address and Port Settings page

5. The Web Site Home Directory page opens. Enter the path for the home directory of the Managed PKI Digital ID Center pages (see Figure 5-11). This is the htmldocs subdirectory. The install program generated the htmldocs subdirectory in the destination directory specified in Step 1, “Generate the customized enrollment and Digital ID Center pages”. In the example below, the htmldocs subdirectory path is C:\VeriSign\MPKI\webroot\htmldocs. Click Next.

Figure 5-11 Web Site Home Directory Path page

6. The Access Permissions page opens. Select Read and Run scripts (such as ASP), then click Finish.

Figure 5-12 Access Permissions page

Step 3 Specify the CGI directory

1. From the Microsoft Management Console, right-click the new virtual directory or Web site, and select New→Virtual Directory. The New Virtual Directory Wizard opens.

Figure 5-13 New→Virtual Directory command

2. The Virtual Directory Alias page opens (see Figure 5-14). Enter cgi-bin as the virtual directory alias for the Digital ID Center pages. Click Next.

Figure 5-14 Virtual Directory Alias page

3. The Web Site Content Directory page opens (see Figure 5-15). In the CGI Directory text box, enter the path for the CGI directory of the Managed PKI Digital ID Center pages. Click OK. In Figure 5-15, the CGI directory path is C:\VeriSign\MPKI\webroot\cgi-bin.

Figure 5-15 Web Site Content Directory page

4. The Access Permissions page opens (see Figure 5-16). De-select Read, and select Run scripts (such as ASP) and Execute (such as ISAPI applications or CGI). Click Finish.

Figure 5-16 Access Permissions page

Step 4 Specify an index page for the Web site

In this step, you provide a filename for the Digital ID Center index page. This page is the page your end users will use to enroll for and manage their Managed PKI certificates. Figure 5-22 on page 95 shows an example of this page.

1. From the Microsoft Management Console, right-click the Web server and select Properties.

Figure 5-17 Properties command

2. The Properties window opens. Click the Documents tab, then click Add.

Figure 5-18 Documents tab in the Properties window

3. The Add Default Document dialog box opens. Enter digitalidCenter.htm, and then click OK.

Figure 5-19 Add Default Document dialog box

4. In the Documents tab, select digitalidCenter.htm, then click the button to move it to the top of the list (see Figure 5-20). Click OK.

Figure 5-20 Documents tab in the Properties window

5. (Optional) In the Home Directory tab, de-select Directory browsing allowed, then click OK (see Figure 5-21). This prevents users from browsing the file listing of the cgi-bin directory.

Figure 5-21 Home Directory tab in the Properties window

Step 3: Update MIME type settings

This step applies to Sun ONE and Stronghold/Apache servers only; it does not apply to Microsoft IIS. Continue with Step 4, “Start the new Web server”.

Step 4: Start the new Web server

1. From the Microsoft Management Console, right-click the Web server and select Stop.

2. Right-click the new Local Hosting Web server and select Start.

Step 5: Verify operation of the Local Hosting Web server

1. Using your browser, access the base URL that you specified for the Local Hosting Web server. The Digital ID Center index page opens.

Figure 5-22 Digital ID Center page

2. Test the functionality of each page and link. Verify that the links are active and the pages are customized to your satisfaction. Although you can edit each page as needed, follow the guidelines listed in Managed PKI Technical Reference.

Note: If you are implementing VeriSign Registration Authority, you will not be able to do an end-to-end test of the certificate enrollment, approval/rejection, pick-up, and revocation process until you complete the entire installation process.

Next: If you are installing VeriSign Registration Authority, go to “Additional Configuration for Managed PKI” on page 115. If you want to configure your certificate renewal process, go to Chapter 11, “Subscriber Renewal.” Otherwise, customize your Digital ID Center pages (optional), as described in Managed PKI Technical Reference, then test the enrollment pages. Once satisfied with the operation of your implementation, you can begin using Managed PKI: notify your subscribers of the base URL that you specified for the Local Hosting Web server. Subscribers can then access this Web page to enroll for certificates or to perform other lifecycle functions.

Installing Local Hosting with Sun ONE Web Server

Step 1: Generate the customized Digital ID Center pages

In this step, you run the install program from the Managed PKI Local Hosting CD or from a copy of the CD contents that you obtain from a tar file. The install program reads your policy file, applies your configuration preferences to the standard pages, and generates a complete set of customized HTML enrollment and Digital ID Center pages.

1. Put the Managed PKI Local Hosting CD in the CD drive. At the command line, go to the sitekit/engine directory on the CD.

2. From the Windows or UNIX command line, run the install program using the following syntax:

    install-<platform> <source dir> <dest dir> <policyfile>

install-<platform>. The command name depends on the operating system you use:
– install-sun is for Solaris.
– install-linux is for Linux.

source dir. This is the source directory for the files that are to be customized. The first time you install, the source directory is sitekit/templates on the Managed PKI Local Hosting CD or in the untarred files. The templates directory contains VeriSign’s default Managed PKI Digital ID Center pages, which will be copied onto your Web server and customized according to your selected configurations. For example, the hierarchy of the Windows source directory is displayed in Figure 5-23 on page 98. The source directory on the CD differs depending on the operating system you are using. See the examples starting on page 97 to see which directory applies.

Note: If you are simply changing your policy file, and want to preserve previous customization of the Digital ID Center pages, you can use your existing Local Hosting directory as the source directory. See Managed PKI Technical Reference for more information.

dest dir. The destination directory is the path of the directory on your Web server where subscribers will access the pages. VeriSign recommends you create the directory /VeriSign/MPKI/webroot (C:\VeriSign\MPKI\webroot on Windows).

policyfile. This is the path and filename of your policy file (the filename typically ends in .policy).

Install Command Examples

The following are examples of how to use the install program to generate the customized enrollment and Digital ID Center pages on the Sun ONE Web Server. Each install command example uses a policy file for the fictitious “ACME Bank.”

Example: Solaris:

    cd solaris_basesitekit/sitekit/engine
    install-sun /solaris_basesitekit/sitekit/templates /VeriSign/MPKI/webroot ACMEBank.policy

Example: Linux:

    cd linux_basesitekit/sitekit/engine
    install-linux /linux_basesitekit/sitekit/templates /VeriSign/MPKI/webroot ACMEBank.policy

The install program copies the template files to the destination directory, and then applies your policy settings.

Note: Typically, you only need the platform, source directory, and destination directory when installing customized files. However, you can run customizer.exe to configure the install command with additional options. For further information, see Appendix B, “Install Program Options.”

Figure 5-23 shows the contents of a sample Windows source directory from the Managed PKI Local Hosting CD.

Figure 5-23 Windows source directory hierarchy

Figure 5-24 shows an example of the destination directory for Windows after files are installed.

Figure 5-24 Destination directory for Windows

The following text appears after a successful customization. The total number of files will vary with the number of features on your Managed PKI account. If any errors occur, see the customizer.log file in the log subdirectory.

    INFO - ##### Customization Status #####
    INFO - STATUS - Total files customized successfully: 115
    INFO - STATUS - Total files customized with errors: 0
    INFO - STATUS - Total files customized: 115

Note: The customization command may note errors and display the following message. The command is looking for files that are not used in your installation, so these errors can safely be ignored.

    The most probable cause for the above errors is that the files to be customized could not be found, please check if you have specified the correct directories. For more details on the errors you can check the log file. LOG File: C:\/log/customizer.log.

Step 2: Create a new Web site or virtual directory

Depending on whether you want to install Local Hosting on an existing or new Web site, you must specify the root directory of the Web server, or create a virtual directory to host the pages. If you are installing Local Hosting on a new server, create a new Web site, as described in “To create a new Web site” on page 102. If you are installing Local Hosting on an existing Web site, create a new virtual directory, as follows.

To add a virtual directory to an existing Web site

1. Start the Sun ONE Web Server Administration application. The Manage Servers page appears (see Figure 5-25).

Figure 5-25 Manage Servers page

2. In the Manage Servers page, select the server you wish to modify, and click Manage. The Server On/Off page opens.

3. Click Class Manager at the top of the page. The Manage Virtual Servers page opens.

4. Click the Content Mgmt tab at the top of the Manage Virtual Servers page, then click the Additional Document Directories link. The Additional Document Directories page opens (see Figure 5-26).

Figure 5-26 Additional Document Directories page

5. Complete the Additional Document Directories page as follows:
   a. In the URL Prefix text box, enter a descriptive name.
   b. In the Map to Directory text box, enter the path to the htmldocs subdirectory. The install program generated the htmldocs subdirectory under the destination directory specified in Step 1, “Generate the customized Digital ID Center and enrollment pages.” In the Solaris and Linux examples, the htmldocs subdirectory path is /VeriSign/MPKI/webroot/htmldocs. In the Windows example, the htmldocs subdirectory path is C:\VeriSign\MPKI\webroot\htmldocs.
   c. Click OK.

6. The Save and Apply Changes page opens (see Figure 5-27). Review your changes for accuracy. If the changes are correct, click Save and Apply. If the changes are not correct, click Undo and make the necessary adjustments.

Figure 5-27 Save and Apply Changes page

7. The Success dialog box opens. When you click OK, the Additional Document Directories page reappears.

Next: Go to Step 3, “Specify the CGI directory” on page 104.

To create a new Web site

1. Start the Sun ONE Web Server Administration application. The Manage Servers page opens (see Figure 5-28).

Figure 5-28 Manage Servers page

2. Click Add Server. The Add Server page opens (see Figure 5-29).

Figure 5-29 Add Server page

3. In the Add Server page, follow these steps:
   a. If other Web servers already exist on this computer, enter a Server Port number.
   b. Enter a descriptive Server Identifier.
   c. Enter a name for the Server User; for example, nobody.
   d. In the Document Root text box, enter the path to the htmldocs subdirectory. The install program generated the htmldocs subdirectory in the destination directory specified in Step 1, “Generate the customized Digital ID Center and enrollment pages.” In the Solaris and Linux examples, the htmldocs subdirectory path is /VeriSign/MPKI/webroot/htmldocs. In our Windows example, the htmldocs subdirectory path is C:\VeriSign\MPKI\webroot\htmldocs.
   e. Click OK.

4. The Success page opens (see Figure 5-30).

Figure 5-30 Success page

5. Click Configure your new server... in the Success page to display the Server On/Off page, then click Class Manager to display the Manage Servers page.

Figure 5-31 Server On/Off page

Step 3: Specify the CGI directory

1. Click the Programs tab at the top of the Manage Servers page. The CGI Directory page opens (see Figure 5-32).

Figure 5-32 CGI Directory page

2. Complete the CGI Directory page as follows:
   a. If you set up a new Web site in Step 2, “Create a new Web site or virtual directory”, enter cgi-bin in the URL Prefix text box. If you set up a new virtual directory in Step 2, enter /cgi-bin.
   b. In the CGI Directory text box, enter the path for the CGI directory of the Managed PKI Digital ID Center pages.
      – In the Solaris and Linux examples, the CGI directory path is /VeriSign/MPKI/webroot/cgi-bin.
      – In the Windows example, the CGI directory path is C:\VeriSign\MPKI\webroot\cgi-bin.
   c. Click OK.

3. The Save and Apply Changes page opens (see Figure 5-33). Confirm your CGI settings, and then click Save and Apply.

Figure 5-33 Save and Apply Changes page

4. The Success dialog box opens. When you click OK, the CGI Directory page reappears.

Step 4: Specify an index page for the Web site

1. Click the Content Mgmt tab at the top of the page. The Content Management page opens.

2. Click the Document Preferences link. The Document Preferences page opens (see Figure 5-34).
   a. In the Index Filename text box, enter digitalidCenter.htm.

   b. (Optional) Set Directory Indexing to None. This stops users from listing the files in the cgi-bin directory. You may be prompted for the name of the error file users see if they attempt to access files in this directory.
   c. Click OK.

Figure 5-34 Document Preferences page

3. The Save and Apply Changes window opens (see Figure 5-35). Review your changes for accuracy. If the changes are correct, click Save and Apply. If the changes are not correct, click Undo and make the necessary adjustments.

Figure 5-35 Save and Apply Changes page

4. The Success message appears. Click OK to return to the Document Preferences page.

Step 5: Start the new Web server

1. Select the newly created server from the Select a Virtual Server dropdown menu at the top of the Manage Servers page (ACMEBank Server, in this example). The settings for the newly created server appear.

Figure 5-36 Manage Servers page

2. Click Manage. The Server On/Off page appears. If the Web server is off, activate the new Web server by clicking Server On. When the Success message appears, click OK.

Step 6: Verify operation of the Local Hosting Web server

1. Using your browser, access the base URL that you specified for the Local Hosting Web server. The Digital ID Center page opens.

Figure 5-37 Digital ID Center page

2. Test the functionality of each page and link to ensure that your requirements are met. Although you can edit each page as needed, follow the guidelines in Managed PKI Technical Reference.

Note: If you are implementing VeriSign Registration Authority, you will not be able to do an end-to-end test of the certificate enrollment, approval/rejection, pick-up, and revocation process until you complete the entire installation process.

Next: If you are installing VeriSign Registration Authority, continue with “Additional Configuration for Managed PKI” on page 115. If you want to configure your certificate renewal process, go to Chapter 11, “Subscriber Renewal.” Otherwise, customize your enrollment and Digital ID Center pages (optional), as described in Managed PKI Technical Reference, then test the enrollment pages. Once satisfied with the operation of your implementation, you can begin using Managed PKI: notify your subscribers of the base URL that you specified for the Local Hosting Web server. Subscribers can then access this Web page to enroll for certificates or to perform other lifecycle functions.

Installing Local Hosting with Stronghold/Apache

Follow these steps to implement Local Hosting with Stronghold/Apache:

Step 1: Generate the customized enrollment and Digital ID Center pages

In this step, you run the install program from the Managed PKI Local Hosting CD or from a copy of the CD contents that you obtain from a tar file. The install program reads your policy file, applies your configuration preferences to the standard pages, and generates a complete set of customized HTML enrollment and Digital ID Center pages.

1. Put the Managed PKI Local Hosting CD in the CD drive. At the command line, go to the sitekit\engine directory on the CD.

2. From the Windows or UNIX command line, run the install program using the following syntax:

    install-<platform> <source dir> <dest dir> <policyfile>

install-<platform>. The command name depends on the operating system you use:
– install-win is for Windows.
– install-sun is for Solaris.
– install-linux is for Linux.

source dir. This is the source directory for the files that are to be customized. The first time you install, the source directory is sitekit\templates on the Managed PKI Local Hosting CD or in the untarred files. The templates directory contains VeriSign’s default Managed PKI Digital ID Center pages, which will be copied onto your Web server and customized according to your selected configurations. For example, the hierarchy of the Windows source directory is displayed in Figure 5-38 on page 112. The source directory on the CD differs depending on the operating system you are using. See the examples on page 111 to see which directory applies.


Note: If you are simply changing your policy file, and want to preserve previous customization of the enrollment and Digital ID Center pages, use your existing Local Hosting directory as the source directory. See Managed PKI Technical Reference for more information.

dest dir. The destination directory is the path of the directory on your Web server where subscribers will access the pages. VeriSign recommends you create the directory C:\VeriSign\MPKI\webroot (Windows) or /VeriSign/MPKI/webroot (Solaris and Linux). Figure 5-39 on page 112 shows a destination directory after installation.

policyfile. This is the path and filename of your policy file (the filename typically ends in .policy).

Install Command Examples

The following examples show how to generate the customized enrollment and Digital ID Center pages on the Stronghold Server. Each install command example uses a policy file for the fictitious “ACME Bank.”

Example: Windows (D:\ is the CD drive):

    C:\>D:
    D:\>cd windows_basesitekit\sitekit\engine
    D:\windows_basesitekit\sitekit\engine>install-win D:\windows_basesitekit\sitekit\templates C:\VeriSign\MPKI\webroot C:\ACMEBank.policy

Example: Solaris:

    cd solaris_basesitekit/sitekit/engine
    install-sun /solaris_basesitekit/sitekit/templates /VeriSign/MPKI/webroot ACMEBank.policy

Example: Linux:

    cd linux_basesitekit/sitekit/engine
    install-linux /linux_basesitekit/sitekit/templates /VeriSign/MPKI/webroot ACMEBank.policy

The install program copies the template files to the destination directory, and then applies your policy settings.

Note: Typically, you only need the platform, source directory, and destination directory when installing customized files. However, you can run customizer.exe to configure the install command with additional options. For further information, see Appendix B, “Install Program Options.”

Figure 5-38 shows the contents of a sample Windows source directory from the Managed PKI Local Hosting CD.

Figure 5-38 Windows source directory hierarchy

Figure 5-39 shows an example of the destination directory for Windows after files are installed.

Figure 5-39 Destination directory for Windows

The following text appears after a successful customization. The total number of files will vary with the number of features on your Managed PKI account. If any errors occur, see the customizer.log file in the log subdirectory.

    ##### Customization Status #####
    STATUS - Total files customized successfully: 118
    STATUS - Total files customized with errors: 0
    STATUS - Total files customized: 118

Note: The customization command may note errors and display the following message. The command is looking for files that are not used in your installation, so these errors can safely be ignored.

    The most probable cause for the above errors is that the files to be customized could not be found, please check if you have specified the correct directories. For more details on the errors you can check the log file. LOG File: C:\/log/customizer.log.
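As an added example (not VeriSign's install program, nor code from this guide), the following Python builds the install-<platform> command line described in the Sun ONE and Stronghold/Apache steps above and checks the Customization Status block the program prints, treating any non-zero error count as a failed run rather than trusting a glance at the output. The sample status text is constructed for the example; the function names and the check that the policy file carries a .policy suffix are assumptions.

```python
"""Build the Local Hosting install command and check its status output.

Added example, not VeriSign's code.  The command syntax and the status
lines follow this guide; the sample output below is constructed, and the
.policy suffix check and function names are assumptions made here.
"""
import re

# install program name per platform, as listed in the guide
INSTALLERS = {"win": "install-win", "sun": "install-sun", "linux": "install-linux"}

# Matches the three STATUS lines; the optional group tells them apart.
STATUS_RE = re.compile(
    r"Total files customized(?P<kind> successfully| with errors|): (?P<n>\d+)"
)

# Constructed sample of a clean run (counts vary with account features).
SAMPLE_STATUS = """\
INFO - ##### Customization Status #####
INFO - STATUS - Total files customized successfully: 115
INFO - STATUS - Total files customized with errors: 0
INFO - STATUS - Total files customized: 115
"""


def build_install_command(platform, source_dir, dest_dir, policy_file):
    """Return argv for: install-<platform> <source dir> <dest dir> <policyfile>."""
    if platform not in INSTALLERS:
        raise ValueError("platform must be one of: " + ", ".join(sorted(INSTALLERS)))
    # Assumption: the downloaded policy file always carries the .policy suffix.
    if not policy_file.endswith(".policy"):
        raise ValueError("expected a .policy file, got %r" % policy_file)
    return [INSTALLERS[platform], source_dir, dest_dir, policy_file]


def parse_customization_status(output):
    """Return {'ok', 'errors', 'total'} parsed from the status block."""
    names = {" successfully": "ok", " with errors": "errors", "": "total"}
    counts = {}
    for m in STATUS_RE.finditer(output):
        counts[names[m.group("kind")]] = int(m.group("n"))
    missing = {"ok", "errors", "total"} - set(counts)
    if missing:
        raise ValueError("status block incomplete, missing %s" % sorted(missing))
    if counts["ok"] + counts["errors"] != counts["total"]:
        raise ValueError("status counts do not add up: %r" % counts)
    return counts


def customization_succeeded(output):
    """True only when every file was customized without error."""
    return parse_customization_status(output)["errors"] == 0


if __name__ == "__main__":
    print(" ".join(build_install_command(
        "linux", "/linux_basesitekit/sitekit/templates",
        "/VeriSign/MPKI/webroot", "ACMEBank.policy")))
    print(parse_customization_status(SAMPLE_STATUS), customization_succeeded(SAMPLE_STATUS))
```

Run the real install program with the argv that build_install_command returns, capture its output, and gate the next step (creating the Web site) on customization_succeeded; when it returns False, read customizer.log before continuing, since the "files could not be found" message described above is the only error class the guide says you may ignore.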

Step 2: Create a new Web site or virtual directory

Depending on whether you want to install Local Hosting on an existing or new Web site, you must specify the root directory of the Web server, or create a virtual directory to host the pages. If you are installing Local Hosting on a new server, see “To create a new Web site” on page 113. If you are installing Local Hosting on an existing Web site, create a new virtual directory, as follows.

To create a new virtual directory on an existing Web site

Add the following to httpd.conf, where <dest dir> is the destination directory you gave the install program (for example /VeriSign/MPKI/webroot). The Alias maps the pages and the ScriptAlias maps the CGI programs; AllowOverride None and Options None on the cgi-bin directory keep it from being reconfigured by an .htaccess file or listed:

    Alias /myprefix "<dest dir>/htmldocs"
    DirectoryIndex digitalidCenter.htm

    ScriptAlias /myprefix/cgi-bin/ "<dest dir>/cgi-bin/"
    <Directory "<dest dir>/cgi-bin">
        AllowOverride None
        Options None
    </Directory>

To create a new Web site

1. At the command prompt, switch to the conf directory of your server installation.

2. In the httpd.conf file:
   a. Create a new Web site by adding a new virtual host section to the file.
   b. Configure the document root by editing the document root directive for your virtual host, as follows (<dest dir> is the destination directory you gave the install program):

    DocumentRoot "<dest dir>/htmldocs"
    DirectoryIndex digitalidCenter.htm

Step 3: Configure the CGI directory

In the httpd.conf file, configure the CGI bin directory, as follows (<dest dir> is the destination directory you gave the install program):

    ScriptAlias /cgi-bin/ "<dest dir>/cgi-bin/"
    <Directory "<dest dir>/cgi-bin">
        AllowOverride None
        Options None
    </Directory>

(Optional) Leave directory indexing off for the cgi-bin directory (Options None, as above, does not include Indexes), so that users cannot list the files in it.

Step 4: Specify an index page for the Web site

An index page was already created in Step 2, “Create a new Web site or virtual directory”, above.

Step 5: Update MIME type settings

This step does not apply to Stronghold/Apache servers.

Step 6: Start the new Web server

To start the Web server:

1. Switch to the bin directory of your server installation.

2. Execute the start-server or ./apachectl start command, as appropriate.

Step 7: Verify operation of the Local Hosting Web server

1. Using your browser, access the base URL that you specified for the Local Hosting Web server. The Digital ID Center page opens.

2. Test the functionality of each page and link to ensure that your requirements are met. Although you can edit each page as needed, follow the guidelines listed in Managed PKI Technical Reference.

Note: If you are implementing VeriSign Registration Authority, you will not be able to do an end-to-end test of the certificate enrollment, approval/rejection, pick-up, and revocation process until you complete the entire installation process.

Next: If you are installing VeriSign Registration Authority, continue with “Additional Configuration for Managed PKI” on page 115. If you want to configure your certificate renewal process, go to Chapter 11, “Subscriber Renewal.” Otherwise, customize your enrollment and Digital ID Center pages (optional), as described in Managed PKI Technical Reference, then test the enrollment pages. Once satisfied with the operation of your implementation, you can begin using Managed PKI: notify your subscribers of the base URL that you specified for the Local Hosting Web server. Subscribers can then access this Web page to enroll for certificates or to perform other lifecycle functions.

Additional Configuration for Managed PKI

If your Managed PKI configuration includes Local Hosting with Registration Authority, you must also configure pestub and Sophialite.

Configuring pestub

The Local Hosting Web server uses the pestub.dll file to communicate with the VeriSign Registration Authority server. There are two versions of the pestub.dll:
+ pestub.dll.proxy. By default, the Local Hosting Web server uses pestub.dll.proxy.
+ pestub.dll.local. pestub.dll.local is only used for testing.

Note: For more information about pestub.dll.local, see Appendix A, “pestub.dll.local.”

Before you configure pestub, select one of these versions, and rename it as pestub.dll. The pestub.dll uses a configuration file called pestub.cfg. The pestub.cfg file resides on the Local Hosting Web server in the cgi-bin directory. Using a standard text editor such as vi or Notepad, edit pestub.cfg with the values appropriate for your implementation. The pestub.cfg file uses the following conventions:
+ A line starting with a pound character (#) is a comment:

    Example: # This is a comment

+ White space separates the parameter name from its value:

    Example: PARAMETER value

For guidance in editing the pestub.cfg file, see Table 5-1.

Note: To disable encryption between the Local Hosting Web server host and the VeriSign Registration Authority server host, comment out or remove the KEY parameter definition line in the pestub.cfg file. Do this only where the two hosts share a trusted network: without the secure channel, the enrollment data that pestub passes to the Registration Authority server travels between the hosts unencrypted.

Table 5-1 pestub.cfg parameters for Local Hosting

HOSTNAME
    Your VeriSign Registration Authority server host name. If a secure channel is used, this value must exactly match the Common Name in the certificate used by the VeriSign Registration Authority server.
    Sample: hostRA or hostRA.acme.com

PORT
    The port number on which the VeriSign Registration Authority server is listening (configured in vsrasrv.cfg).
    Sample: 2003

KEY
    The path to the root certificate of the secure channel certificate. If you are not using the secure channel, comment this line out. If you are using a VeriSign trial Secure Server certificate, use ../ssl/test_root.pem. If you are using a production Secure Server certificate, use ../ssl/SecureServerRoot.pem.
    Sample: ../ssl/test_root.pem or ../ssl/SecureServerRoot.pem

LUNA
    For the local version of pestub.dll only. This is the path to the signer configuration file.
    Sample: ../signers/vsautoauth.conf

DBFILE
    For the local version of pestub.dll only. This is the path to the text file used for authentication.
    Sample: validuser.txt

LOGFILE
    Optional log file name. If you comment this line out, then pestub.out is produced by default.
    Sample: pestub.out

LOG_HIDE_ATTR
    The values of the listed HTML tags from the enrollment name=value pairs that are not to be displayed in the log file. The values are displayed with the '*' character.
    Sample: challenge,PIN

VSAA_LOG_LEVEL
    Sets the level of logging for pestub: 0 = log start and stop only; 1 = log return codes; 2 = log all data (enrollment name=value pairs) passed through pestub.
    Sample: 1

EXCHANGE_VERSION, EXCHANGE_SERVER, EXCHANGE_DOMAIN, ADSNAME, ADSBASEDN
    Go Secure! for Microsoft Exchange only. See the Go Secure! for Microsoft Exchange Administrator’s Guide.

Note: Some of the parameters in the pestub.cfg file relate to the secure channel, which is described in Chapter 10, “Secure Channel.” If you set up a secure channel, you must return to this section to reconfigure pestub.cfg. For directions on opting out of the secure channel, see “Opting Out of the Secure Channel” on page 167.
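The following Python is an added example, not VeriSign's pestub or any code from this guide. It parses a pestub.cfg file using the conventions stated above (a '#' line is a comment; white space separates a parameter name from its value), flags the settings a reviewer would question before go-live (KEY commented out, so the channel to the Registration Authority server is unencrypted; VSAA_LOG_LEVEL 2 with no LOG_HIDE_ATTR, so every enrollment value including challenge and PIN lands in the log), and shows the LOG_HIDE_ATTR masking applied to enrollment name=value pairs. The sample file is constructed; the list of required parameters, the one '*' per masked character, and the case-insensitive attribute match are assumptions.

```python
"""Parse pestub.cfg and apply its logging rules.

Added example, not VeriSign's pestub or any code from this guide.  The
file conventions ('#' comments, white space between name and value), the
parameter names and the meaning of KEY, LOG_HIDE_ATTR and VSAA_LOG_LEVEL
come from Table 5-1; the required-parameter list, the one-'*'-per-
character masking and the sample file are assumptions made here.
"""

# Parameters every proxy-mode pestub.cfg needs to reach the RA server
# (assumption based on Table 5-1).
REQUIRED = ("HOSTNAME", "PORT")

# Constructed sample: KEY is commented out, so the channel is not secured.
SAMPLE_CFG = """\
# pestub.cfg for ACME Bank (constructed sample)
HOSTNAME hostRA.acme.com
PORT 2003
#KEY ../ssl/SecureServerRoot.pem
LOGFILE pestub.out
LOG_HIDE_ATTR challenge,PIN
VSAA_LOG_LEVEL 2
"""


def parse_pestub_cfg(text):
    """Return {PARAMETER: value}; '#' lines are comments, last value wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # white space separates name and value
        params[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return params


def check_pestub_cfg(params):
    """Return findings to resolve before the Local Hosting server goes live."""
    findings = []
    for name in REQUIRED:
        if not params.get(name):
            findings.append("%s is missing" % name)
    if "PORT" in params and not params["PORT"].isdigit():
        findings.append("PORT must be numeric")
    if "KEY" not in params:
        # Commenting out KEY disables encryption to the RA host (see the Note above).
        findings.append("KEY is not set: traffic to the RA server is unencrypted")
    if params.get("VSAA_LOG_LEVEL") == "2" and not params.get("LOG_HIDE_ATTR"):
        findings.append("VSAA_LOG_LEVEL 2 logs every enrollment value; set LOG_HIDE_ATTR")
    return findings


def mask_enrollment_pairs(pairs, hide_attr):
    """Mask the values of attributes named in LOG_HIDE_ATTR with '*'.

    pairs: list of (name, value) as logged at VSAA_LOG_LEVEL 2.
    Attribute names are compared case-insensitively (assumption).
    """
    hidden = {h.strip().lower() for h in hide_attr.split(",") if h.strip()}
    return [(n, "*" * len(v) if n.lower() in hidden else v) for n, v in pairs]


if __name__ == "__main__":
    cfg = parse_pestub_cfg(SAMPLE_CFG)
    for finding in check_pestub_cfg(cfg):
        print("WARN:", finding)
    print(mask_enrollment_pairs(
        [("mail_firstName", "Alice"), ("challenge", "s3cret"), ("PIN", "123456")],
        cfg["LOG_HIDE_ATTR"]))
```

Running check_pestub_cfg against the sample reports only the missing KEY; uncommenting the KEY line clears it. Keep VSAA_LOG_LEVEL at 1 outside of troubleshooting, and when you do raise it to 2, list every secret-bearing attribute in LOG_HIDE_ATTR first, because pestub.out otherwise records the challenge and PIN of every enrollment in the clear.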


Configuring Sophialite to use a Proxy Server

Note: Configure Sophialite only if your Managed PKI configuration includes Local Hosting with RA.

Sophialite.exe is the CGI program that the Local Hosting Web server uses to communicate with VeriSign if VeriSign Registration Authority is used. To configure Sophialite to use a proxy server, create a file named sophia.cfg in your cgi-bin directory. In the file, add a line with the following format:

    proxy <proxyhost>[:<proxyport>]

Example:

    proxy proxyhost:1024

Note: The proxy server name and proxy port must be separated by a colon, with no white space before or after the colon. If no proxy port is specified, port 80 is used.

Configuring Subscriber Search to Use a Proxy Server

By default, Local Hosting with VeriSign Registration Authority directs subscriber search and revoke operations to VeriSign over an Internet connection. If your subscribers do not have Internet access, you can redirect search and revoke operations to a proxy server. Your subscribers will need access to the Local Hosting server (for example, over an extranet connection). To configure Local Hosting as a proxy server, do the following:

1. In a text editor, edit the proxy-search.cfg configuration file in the cgi-bin directory. See Table 5-2 and the comments in the configuration file for additional information on editing this file.

Table 5-2 proxy-search.cfg parameters

HOST
    The host name for the query. For pilot, it is pilotonsite.verisign.com. For production, it is onsite.verisign.com.
    Sample: [pilotonsite.verisign.com]

PORT
    The HTTPS port for the search query. The search query must be HTTPS. By default it is port 443.
    Sample: [443]

URI_STRING
    Change the value enclosed by angle brackets to your organization and organization unit (without spaces or punctuation). Change only the value enclosed by angle brackets.
    Sample: [/services/MyCompanyIncSales/cgi-bin/Xquery.exe]

SSL_ROOT
    The trusted root for SSL communication. For pilot and production, it is ../ssl/SecureServerRoot.pem.
    Sample: [../ssl/SecureServerRoot.pem]

2. Back up the following five files in the htmldocs/client directory:

    revokeConfirm.htm
    noCertFound.htm
    revoke.htm
    search.htm
    userQueryResult.htm

3. In these five files, edit the lines that contain the string “Xquery.exe” as follows. For a pilot account, replace:

    https://pilotonsite.verisign.com:443/services//cgi-bin/Xquery.exe

with:

    /cgi-bin/proxy-search.exe

For a production account, replace:

    https://onsite.verisign.com:443/services//cgi-bin/Xquery.exe

with:

    /cgi-bin/proxy-search.exe

If you are not sure what your-local-hosting-server-port string is, you can find it in the search.htm file at this line:
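As an added example covering both proxy settings in this section (the sophia.cfg line and the subscriber-search rewrite), the Python below is not VeriSign's code. It validates a sophia.cfg 'proxy' line by the rules stated above (host and port separated by a colon with no surrounding white space, port 80 when none is given) and rewrites the Xquery.exe links in the five Digital ID Center pages to /cgi-bin/proxy-search.exe, matching the pilot or production host from Table 5-2 and any single path component where the organization/unit segment sits. The HTML fragment is constructed (its path segment is the sample value from Table 5-2); the function names and the choice to keep the relative target path shown on this page are assumptions.

```python
"""Proxy settings for Sophialite and subscriber search, as added example code.

Not VeriSign's code.  It applies the rules stated in this section: a
sophia.cfg 'proxy' line has the form 'proxy <proxyhost>[:<proxyport>]'
with no white space around the colon and port 80 by default, and the
Xquery.exe links in the five Digital ID Center pages are replaced by
/cgi-bin/proxy-search.exe.  The sample HTML is constructed; the function
names and the pattern used for the account-specific path segment are
assumptions made here.
"""
import re

# Search hosts from Table 5-2.
SEARCH_HOSTS = {"pilot": "pilotonsite.verisign.com", "production": "onsite.verisign.com"}

# Constructed fragment of search.htm for a pilot account; the path segment
# after /services/ is the organization/unit sample value from Table 5-2.
SAMPLE_SEARCH_HTM = """\
<form method="post"
 action="https://pilotonsite.verisign.com:443/services/MyCompanyIncSales/cgi-bin/Xquery.exe">
"""


def parse_proxy_line(line):
    """Return (host, port) for a sophia.cfg 'proxy' line, else raise ValueError."""
    parts = line.split()
    if len(parts) != 2 or parts[0] != "proxy":
        # Extra tokens also catch white space around the colon.
        raise ValueError("expected: proxy <proxyhost>[:<proxyport>]")
    host, sep, port = parts[1].partition(":")
    if not host:
        raise ValueError("proxy host is missing")
    if not sep:
        return host, 80                      # no port given: port 80 is used
    if not port.isdigit():
        raise ValueError("proxy port must be numeric")
    return host, int(port)


def xquery_pattern(account):
    """Regex for the Xquery.exe URL of a pilot or production account."""
    host = re.escape(SEARCH_HOSTS[account])
    # One path component stands for the organization/unit segment.
    return re.compile(r"https://%s:443/services/[^/\s]+/cgi-bin/Xquery\.exe" % host)


def rewrite_xquery_links(html, account, target="/cgi-bin/proxy-search.exe"):
    """Return (new_html, replacements) with Xquery.exe links pointed at target."""
    return xquery_pattern(account).subn(target, html)


if __name__ == "__main__":
    print(parse_proxy_line("proxy proxyhost:1024"))
    new_html, count = rewrite_xquery_links(SAMPLE_SEARCH_HTM, "pilot")
    print(count, new_html)
```

Apply rewrite_xquery_links to each of the five backed-up files and check that the replacement count is non-zero for every one; a count of zero means the page still posts subscriber searches directly to VeriSign, which is exactly the path that fails for subscribers without Internet access.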

Next: If you are implementing VeriSign Registration Authority, continue with Chapter 6, “Registration Authority.” If you are implementing Passcode Authentication, continue with Chapter 7, “Configuring Passcode Authentication.”


Chapter 6 Registration Authority

In this chapter, you will install and configure VeriSign Registration Authority. As with Passcode Authentication, VeriSign Registration Authority automatically authenticates and approves certificate requests. However, the authorization information is accessed by an authentication server set up and maintained at your organization. For this chapter, you should first:
+ Complete the requirements for your Managed PKI configuration, as described in Chapter 2, “Configuring Your System.”
+ (If applicable) Install the Administrator Kit. See Chapter 4, “Installing the Administrator Kit.”
+ Configure Managed PKI and download your policy file, as described in Chapter 3, “Configuring Managed PKI.”
+ Install Local Hosting, as described in Chapter 5, “Configuring Local Hosting.”

To review the suggested implementation strategy for VeriSign Registration Authority, see “Implementation Strategy for VeriSign Registration Authority” on page 122. To install the VeriSign Registration Authority software, see “Installing VeriSign Registration Authority Software” on page 123.

As a Managed PKI administrator, you are responsible for verifying the identity of the end-user certificate applicant. Once the identity of the applicant is validated, and the accuracy of the enrollment data is confirmed, the certificate request can be approved. This confirmation process is known as authentication. This chapter describes how to implement automatic certificate approval using authentication data stored at your site. If you have purchased the option, you can also enable key escrow and recovery at the same time.


Managed PKI v7.2 Installation and Configuration


Implementation Strategy for VeriSign Registration Authority

This section describes the recommended implementation strategy for the installation of VeriSign Registration Authority. For a smooth transition to VeriSign Registration Authority, VeriSign recommends that you employ the following implementation strategy:

1 Design the network topology taking into account the applicant browser, Local Hosting Web server host, your VeriSign Registration Authority server host, and your verification and registration data sources. For an example diagram of a VeriSign Registration Authority implementation, see Figure 2-9 on page 16.

2 Resolve any firewall/proxy issues that might prevent the front-end Web server from communicating with servers at VeriSign using HTTP over port 80. Optionally, secure the VeriSign Registration Authority server and database(s) behind a firewall. However, you should still allow access from the Local Hosting Web server over a specific TCP/IP port for processing of certificate requests.

3 Determine which data to use for user authentication. You should decide which data is required from the user during the enrollment process, and which data is acquired from the verification data source.

4 Decide if you will implement a separate registration data source, or if the verification and registration data sources will have the same directory or database. The registration data source is used to store certificates when they are returned from VeriSign.

5 Install and configure your verification, registration and key recovery data sources. This includes installing the correct drivers, setting the user environment, and testing the installation. See the documentation supplied by the vendor.
Note: For Solaris and Linux-based ODBC data sources, VeriSign recommends that you use the Wire protocol driver version to avoid having to install a database client on the VeriSign Registration Authority server.

6 Install the VeriSign Registration Authority option, as described in this chapter. Additional troubleshooting help is provided in Managed PKI v7.2 Error Codes and Troubleshooting Guide.

7 Optionally, install a second VeriSign Registration Authority server instance on the same computer. See “Running Multiple VeriSign Registration Authority Servers on the Same Host” on page 125.

Installing VeriSign Registration Authority Software

This section describes the procedures for installing the VeriSign Registration Authority software.

Step 1 Install the VeriSign Registration Authority server software

1 Put the Managed PKI VeriSign Registration Authority CD in the CD drive. At the command line, go to the sitekit\engine directory under the directory that corresponds to the operating system you are using (for example, Win2K\sitekit\engine). See page 124 for example commands.

2 From the Windows or UNIX command line, run the install-ra command using the following syntax (angle brackets mark values you supply):

  install-ra-<platform> <source dir> <dest dir>

install-ra-<platform>. The command’s structure depends on the operating system you use.
– install-ra-linux is for Linux.
– install-ra-nt.bat is for Windows.
– install-ra-sun is for Solaris.

source dir. This is the source directory for the server files and supporting files, typically the sitekit\templates directory under the operating-system directory on the CD. The files will be copied onto your Web server. The source directory on the CD differs depending on the operating system you are using. See the examples starting on page 124 to see which directory applies.

dest dir. The destination directory is the VeriSign Registration Authority server directory path where the VeriSign Registration Authority software will reside on the server. VeriSign recommends that you create the destination directory VeriSign\MPKI\AuthServer.


Note: Solaris and Linux platforms only: Due to limitations of the ps script used by the VeriSign Registration Authority start and stop scripts, the absolute path to the destination directory must be less than 60 characters long.

Example: Linux:
  cd linuxaa/sitekit/engine
  install-ra-linux /linuxaa/sitekit/templates /VeriSign/MPKI/AuthServer

Example: Windows (D:\ is the CD drive):
  C:\>D:
  D:\>cd winaa\sitekit\engine
  D:\>install-ra-nt.bat D:\winaa\sitekit\templates C:\VeriSign\MPKI\AuthServer

Example: Solaris:
  cd solaa/sitekit/engine
  install-ra-sun /solaa/sitekit/templates /VeriSign/MPKI/AuthServer

The install program copies the template files to the destination directory on your VeriSign Registration Authority server.

Step 2 Configure vsrasrv.cfg on the VeriSign Registration Authority Server host

vsrasrv.cfg is the configuration file for the vsrasrv program. The vsrasrv program specifies the system settings (for example, socket number) for the VeriSign Registration Authority server host, as well as the verification and registration data sources. The vsrasrv.cfg file is located in the bin directory under the destination directory. Using a standard text editor such as vi or Notepad, edit the vsrasrv.cfg file on the VeriSign Registration Authority server host. For more information on configuring VeriSign Registration Authority, see Appendix D, “Configuration Files.” You can configure and enable Key Escrow and Recovery in the same file. After configuring VeriSign Registration Authority, continue with the steps below.


Step 3 Install VeriSign Registration Authority (Windows only)

Complete the appropriate additional steps to install VeriSign Registration Authority on your VeriSign Registration Authority server platform.

For Windows

1 On Windows systems, the VeriSign Registration Authority server runs as a Windows service. Install this service by running vsrasrv.exe -install from the bin directory under the destination directory.

2 Select Control Panel from the Start menu, double-click the Administrative Tools icon, and open the Services control panel. Select VeriSign Registration Authority Service from the list of services, and click Startup. Choose Automatic to automatically access the service when the system is started.

3 Set the Log On As section appropriately. If you are using an ODBC database, then you must run the service as a user who has permissions to connect to the database through ODBC.

4 Configure your signing option. See Chapter 8, “Signing Option.”
IMPORTANT! Do not proceed to the next step before you configure your signing option.

5 Click OK to close the Service settings window.

Running Multiple VeriSign Registration Authority Servers on the Same Host

As a backup or to facilitate maintenance, you may wish to run more than one separate instance of the VeriSign Registration Authority server on the same computer. Follow this procedure:

For Sun Solaris and Linux

If each instance of VeriSign Registration Authority will use hardware signing, you can either use one Luna token with one RA key pair for each instance or two Luna tokens, each with its own RA key pair. Alternatively, one instance of the VeriSign Registration Authority server can use a Luna token and the other can use software signing, or both instances can use software signing.

1 Install a VeriSign Registration Authority server instance in one directory.

2 Install another VeriSign Registration Authority server instance in another directory.


3 Modify vsautoauth.conf in the two different directories and ensure that each VeriSign Registration Authority instance is pointing to the appropriate RA certificate (hardware or software).

4 In vsrasrv.cfg for both servers, set SIGNER_GLOBAL_INIT to NO.

For Windows

If each instance of VeriSign Registration Authority will use hardware signing, two Luna tokens (each with an RA key pair) are required. Alternatively, one instance of the VeriSign Registration Authority server can use a Luna token and the other can use software signing, or both can use software signing.

1 Create one VeriSign Registration Authority server directory for each separate instance of the VeriSign Registration Authority server that you want to run on the same host. For example:
  mkdir ...\ra1
  mkdir ...\ra2

2 Configure the Windows Service section of each configuration file for each VeriSign Registration Authority server instance (...\ra1\bin\vsrasrv.cfg and ...\ra2\bin\vsrasrv.cfg). Specifically, configure WIN_SERVICE_NAME and WIN_SERVICE_DISPLAY_NAME for each configuration file. For example:
For ...\ra1\bin\vsrasrv.cfg:
  – WIN_SERVICE_NAME [RA Service 1]
  – WIN_SERVICE_DISPLAY_NAME [Registration Authority Service 1]
For ...\ra2\bin\vsrasrv.cfg:
  – WIN_SERVICE_NAME [RA Service 2]
  – WIN_SERVICE_DISPLAY_NAME [Registration Authority Service 2]

3 From the command prompt, type the following from each VeriSign Registration Authority server bin directory. For example:
  c:\...\ra1\bin>vsrasrv.exe -install
  c:\...\ra2\bin>vsrasrv.exe -install

4 Check vsautoauth.conf in each VeriSign Registration Authority server directory and ensure that each VeriSign Registration Authority instance is pointing to the appropriate RA certificate (hardware or software). If two Luna tokens are used, ensure that the two VeriSign Registration Authority instances are pointing to different certificates.

5 In vsrasrv.cfg for both servers, set SIGNER_GLOBAL_INIT to NO.

Next: Continue with Chapter 8, “Signing Option,” to set up the signing option.


Chapter 7 Configuring Passcode Authentication

This chapter provides instructions for configuring Passcode Authentication.

For this chapter, you should first:
+ Complete the requirements for your Managed PKI configuration, as described in Chapter 2, “Configuring Your System.”
+ (If applicable) Install the Administrator Kit. See Chapter 4, “Installing the Administrator Kit.”
+ Configure Managed PKI, as described in Chapter 3, “Configuring Managed PKI.”
+ Install Local Hosting, as described in Chapter 5, “Configuring Local Hosting.”

As a Managed PKI administrator, you are responsible for verifying the identity of the end-user certificate applicant. Once the identity of the applicant is validated, and the accuracy of the enrollment data is confirmed, the certificate request can be approved. This confirmation process is known as authentication.

This chapter details how to implement and configure the Passcode Authentication method for your organization. With Passcode Authentication, the Managed PKI administrator uploads authorization information to VeriSign. Managed PKI then automatically approves certificates by comparing the information in the enrollment form with the authorization information stored at VeriSign. For further information on Passcode Authentication, see Managed PKI Technical Reference.

To configure Passcode Authentication, you provide a list of passcodes to VeriSign. You can either create these passcodes yourself or have VeriSign generate them. Managed PKI will use these to authenticate applicants. The following steps describe the procedures for configuring Passcode Authentication:


Step 1 Get the names and order of verification fields

The verification fields you set in your passcode file must be in the correct order. Determine the order using these procedures.

1 On the Certificate Management page of the Control Center, click the Upload Passcodes link. The Decide Mode for Upload of Passcodes page opens (Figure 7-1). Select Asynchronous or Synchronous upload.

Figure 7-1 The Decide Mode for Upload of Passcodes page

2 The Upload Passcode page (Figure 7-8) displays the fields that will comprise the verification data source. The sample file lists all required fields in the required order. This file is the basis for the verification data source that you will submit to VeriSign in the next step. Copy the text and paste it into the application that you will use to generate the verification data source (spreadsheet, database, or text editor).


Figure 7-2 The Upload Passcode page

Step 2 Generate and upload passcodes

You can either create and upload passcodes individually, or create and upload multiple passcodes with a CSV file.

Tip: Some organizations have authentication systems already in place for customers or employees; for example, a login and password combination. In this case, to save the time and effort involved in distributing passcodes, you could upload existing authentication strings (for example, the passwords) to VeriSign. You can then use these authentication strings as passcodes.

To create and upload passcodes individually, see “To add an applicant manually” on page 131. To create and upload multiple passcodes, see “To add a group of applicants” on page 132.

To add an applicant manually

On the Certificate Management page of the Managed PKI Control Center, click the Create Passcodes link. The Create Passcode page appears (Figure 7-3). The Create Passcode page presents the match fields that you configured in the Policy Wizard. To have VeriSign generate the passcode, enter an asterisk (*) in the Passcode field. Otherwise, enter your passcode. Passcodes must be a minimum of eight characters. All fields except Passcode are case-sensitive. Click Submit. The new information is securely transmitted to VeriSign and added to the verification database.

Figure 7-3 Create Passcode page

To add a group of applicants

Using a spreadsheet, database application, or text editor, create the verification data source in comma-separated value (CSV) file format.

CSV syntax
+ VeriSign ignores any row beginning with the “#” character. This is useful for entering comments.
+ VeriSign sets and strictly enforces the order of columns. Once set, the order of the columns cannot be changed.
+ Do not use the comma character (“,”) within a field. With the CSV format commas are used to separate fields, so the use of commas within fields causes an error.
+ Spaces within fields are allowed, and are treated like other characters. However, do not add spaces before or after commas in the CSV file.

Generate the verification data source

In a spreadsheet or database application, each column represents a new field, and each row represents a new subscriber. Using the field name and order information displayed in the Upload Passcode page (see Figure 7-2 on page 131), follow these steps to generate the verification data source.

Figure 7-4 Spreadsheet field names

1 Prepare your verification data file.
  a Enter the word add in the first column, first row (this instructs VeriSign that the data in the file should be added to the verification data source; other options are explained in later sections).
  b In the first column, second row, enter a # character to indicate that the row does not contain data. This row is treated as a comment.
  c To minimize errors, you can paste the field names that you copied from the example on the Upload Passcode page directly into the adjacent cells in the row. This ensures that the field names appear in the correct order.

2 Now enter the verification data for your enterprise. In the Passcode column, enter a * character to indicate that VeriSign should generate the passcode based on the settings that you specified in the Policy Wizard. To create your own passcode values, enter them in the Passcode column. Passcodes must be a minimum of eight characters. All fields are case-sensitive. Enter the data for each person who will apply for a certificate.

Figure 7-5 Spreadsheet verification data


3 Use the program’s Save As feature to name and save the file as a Comma-separated Value or CSV format file. The file must have a .csv file extension.

Figure 7-6 Save verification data file in CSV format

Generate the verification data source with a text editor Figure 7-7 illustrates a sample verification data file with three entries. To generate the verification data source with a text editor, follow the instructions and guidelines below.

Figure 7-7 Sample verification data file

CAUTION: Enter values for any fields that you set as passcode match fields (for example, First Name, Last Name, and Email Address). Certificate generation will fail if you leave these fields blank.

1 On the first line, enter the word add and press Return. This word instructs VeriSign that the data in the file should be added to the verification data source (other options are explained in subsequent sections).


2 In the second line, enter a # character to indicate that the line does not contain data. Immediately after #, enter the name that you specified for the passcode field (typically Passcode). This is the column heading for the first value in each subscriber’s entry.

3 Following the word Passcode, enter a comma, then enter each field name in the correct order. Separate field names using commas with no spaces before or after the commas. (The easiest way to do this is to use the field names provided in the sample file from the Upload Passcode page.) Press Return.

4 Enter the verification data for your enterprise. Each line represents a subscriber. Each value that makes up the enrollment data is separated by a comma. The first value is the passcode value, and the remaining values are the field values specified on the Upload Passcode page. The passcode value is either a * character, or a value that you supply, as follows:
+ Enter a * character to indicate that VeriSign should generate the passcode based on the settings that you specified in the Policy Wizard.
+ To create your own passcode values, enter them as the first value of each line. Passcodes must be a minimum of eight characters. All remaining fields are case-sensitive.
Enter the value followed by a comma, followed by the next value. Enter the data for each person who will apply for a certificate. If a field was marked as “optional” in the Customize the Subscriber Enrollment page, you do not need to specify a value. Instead, just enter “,,”, as in the following example:

*,Chin,[email protected],,CEO
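The CSV layout described above (for both the spreadsheet and the text-editor procedures), as an added example in Python that is not VeriSign's code or part of Managed PKI: build_passcode_file() writes a file in that layout and validate_passcode_file() checks a file against the stated rules before it is uploaded. The field names, match fields and subscriber records are constructed sample data; use the names and order shown on your own Upload Passcode page.

```python
"""Build and validate a Managed PKI passcode verification data file."""

MIN_PASSCODE_LEN = 8  # minimum passcode length stated in the chapter

# Constructed sample field names; use the names and order shown on your
# own Upload Passcode page. The match fields are the chapter's example.
FIELD_NAMES = ["First Name", "Last Name", "Email Address", "Title"]
MATCH_FIELDS = ["First Name", "Last Name", "Email Address"]


def build_passcode_file(field_names, records, passcode_field="Passcode"):
    """Return the text of an 'add' file in the layout the chapter describes.

    records: list of (passcode, {field_name: value}). Use '*' as the
    passcode to have VeriSign generate it. Fields absent from a record
    become empty values, the ',,' form used for optional fields.
    """
    lines = ["add", "#" + ",".join([passcode_field] + list(field_names))]
    for passcode, values in records:
        lines.append(",".join([passcode] + [values.get(f, "") for f in field_names]))
    return "\n".join(lines) + "\n"


def validate_passcode_file(text, match_fields=(), passcode_field="Passcode"):
    """Return [(line_number, message), ...]; an empty list means the file
    follows the chapter's rules. Line numbers count from 1."""
    problems = []
    lines = text.splitlines()
    if len(lines) < 3:
        return [(1, "file needs an action line, a header line and a subscriber")]
    if lines[0] != "add":
        # Other action words exist; the chapter describes them later.
        problems.append((1, "first line must be the word 'add'"))
    if not lines[1].startswith("#"):
        problems.append((2, "second line must start with '#' and the column names"))
        return problems
    columns = lines[1][1:].split(",")
    if columns[0] != passcode_field:
        problems.append((2, "first column heading must be %r" % passcode_field))
    missing = [f for f in match_fields if f not in columns[1:]]
    if missing:
        problems.append((2, "header lacks match field(s): " + ", ".join(missing)))
    for number, raw in enumerate(lines[2:], start=3):
        if raw.startswith("#"):
            continue  # comment rows are ignored by VeriSign
        if ", " in raw or " ," in raw:
            problems.append((number, "no spaces before or after commas"))
        values = raw.split(",")
        # Commas are only ever separators, so a comma inside a field shows
        # up here as a surplus value.
        if len(values) != len(columns):
            problems.append((number, "expected %d values, found %d"
                             % (len(columns), len(values))))
            continue
        if values[0] != "*" and len(values[0]) < MIN_PASSCODE_LEN:
            problems.append((number, "passcode must be '*' or at least %d characters"
                             % MIN_PASSCODE_LEN))
        row = dict(zip(columns[1:], values[1:]))
        for field in match_fields:
            if field in row and row[field] == "":
                problems.append((number, "match field %r is blank; certificate "
                                 "generation would fail" % field))
    return problems


# Constructed records: one passcode generated by VeriSign, one supplied.
SAMPLE_RECORDS = [
    ("*", {"First Name": "Mei", "Last Name": "Chin",
           "Email Address": "mchin@example.com", "Title": "CEO"}),
    ("Xk7pq9Lm2v", {"First Name": "Ann", "Last Name": "Lee",
                    "Email Address": "alee@example.com"}),  # Title omitted
]

# Constructed file breaking three rules: short passcode (line 3), a space
# after a comma (line 4) and a blank match field (line 5).
BAD_FILE = (
    "add\n"
    "#Passcode,First Name,Last Name,Email Address,Title\n"
    "abc,Mei,Chin,mchin@example.com,CEO\n"
    "*,Ann, Lee,alee@example.com,CFO\n"
    "*,Jo,,jo@example.com,\n"
)

if __name__ == "__main__":
    good = build_passcode_file(FIELD_NAMES, SAMPLE_RECORDS)
    print(good, validate_passcode_file(good, MATCH_FIELDS))
    for line_no, msg in validate_passcode_file(BAD_FILE, MATCH_FIELDS):
        print("line %d: %s" % (line_no, msg))
```

Run the validator on the file before the upload step so that rule violations are caught locally rather than in the error message returned by the Passcode Operation Complete page.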

Step 1 Upload the verification data source

Send the verification data source to VeriSign, as follows:


Figure 7-8 Upload Passcodes page

1 On the Certificate Management page of the Control Center, click the Upload Passcodes link.

2 Select either Synchronous Upload of Passcode Tokens or Asynchronous Upload of Passcode Tokens, as appropriate, to avoid timeout issues with large files. If your verification data file exceeds 500 entries, break the file up into multiple files of up to 500 entries and use Synchronous upload. Use Asynchronous upload to upload a single file of up to 500 entries. You will receive notification by email, once the file has been uploaded.

3 Enter the name and location of the verification data source, or use the Browse button to locate the file.

4 Click Submit.


5 If the file is configured correctly, the Passcode Operation Complete page opens with a message such as:

  Your passcode operation has completed successfully.
  3 rows processed
  0 rows not processed

If the file is incorrectly configured, a message lists the errors. Correct the errors and re-submit the file.

Step 2 View the verification data source and passcode values

Click the View Passcodes link in the Certificate Management page to view the verification data and passcodes uploaded to VeriSign. Review the verification records in the verification data source for accuracy and completeness. Next, generate the Passcode report. The Passcode report provides a complete history of passcode file activity, including the create, cancel, and reset actions within the specified time period.

Note: If you uploaded a file with an “*” in the passcode field, you will not know the passcode assigned by VeriSign until you download the Passcode report.

1 On the Certificate Management page, click the Reports link. The Passcode Reports search page appears.

2 Select the report type: Detail or Summary. The Summary report tells you how many tokens have been created, cancelled, reset, or edited. The Detail report provides full details.

3 Select the start date for the report (mm/dd/yyyy).

4 Select the end date for the report (mm/dd/yyyy).

5 Enter the email address to which the report notification should be sent.

6 Click Submit. The Report Submission Status page opens. This page notifies you that the system has submitted your request for a report. The file name for the report is listed on this page. When the report is ready for download, Managed PKI sends you an email with a URL to download the report file from the VeriSign Web site.


7 Download the report, and store it in a secure location to prevent unauthorized individuals from accessing it. The contents of the report are in CSV format and are extremely sensitive.

To enable applicants to request certificates, you must now securely distribute the report’s passcodes, as discussed in the next step.

Step 3 Securely deliver each applicant’s passcode

For applicants to request certificates, they must have a passcode. Therefore, you need to ensure that they receive this passcode in a secure fashion; for example, in person. Avoid insecure methods of distribution, such as sending passcodes by unencrypted email.

CAUTION: Passcodes must be distributed in a secure manner. If the confidentiality of passcodes is compromised, then the integrity of the certificate is lost.

Next: If you need to configure your subscriber certificate renewal process, go to Chapter 11, “Subscriber Renewal.” Otherwise, customize your Digital ID Center pages (optional), as described in Managed PKI Technical Reference. Then, test the enrollment pages. Once satisfied with the operation of your implementation, you can begin using Managed PKI.


Chapter 8 Signing Option

VeriSign Registration Authority uses a Registration Authority (RA) certificate to identify itself to VeriSign’s Issuing Center. You can store the private key for RA certificates in one of two signing devices: a software-based certificate signing library (the software signing option) or a Luna token (the hardware signing option). The signing device must be installed on the VeriSign Registration Authority server host (except for the Luna SA network appliance). Although software signing is easier to set up, hardware signing is more secure. With hardware signing, the private key is generated on the Luna token, which prevents unauthorized parties from removing, reading, or duplicating it.

Before proceeding with this chapter, you should first:
+ Complete the requirements for your Managed PKI configuration, as described in Chapter 2, “Configuring Your System.”
+ (If applicable) Install the Administrator Kit. See Chapter 4, “Installing the Administrator Kit.”
+ Configure Managed PKI and download your policy file, as described in Chapter 3, “Configuring Managed PKI.”
+ Install Local Hosting, as described in Chapter 5, “Configuring Local Hosting.”
+ Install VeriSign Registration Authority as described in Chapter 6, “Registration Authority.”

Then, test the enrollment pages. Once satisfied with the operation of Managed PKI, you can move to production, as described in Chapter 12, “Moving to Production.”


Installation Overview for the Signing Option Figure 8-1 provides an overview of the installation process for the signing option. The remainder of this chapter details the installation process. Once the signing option is installed, start the VeriSign Registration Authority server.

Figure 8-1 Installation overview for the signing option

To set up the software signing option, see “Using the Software Signing Option” on page 141. To set up the hardware signing option, see “Using the Hardware Signing Option” on page 144. To encrypt vsautoauth.conf, see “Encrypting the Contents of vsautoauth.conf” on page 196.


Using the Software Signing Option

1 Move to the signers directory under the destination directory on the VeriSign Registration Authority server host.

2 The vsautoauth.conf file specifies configuration parameters for the signing option. Each line contains a keyword and a value separated by white space(s). Configure vsautoauth.conf to specify the locations of the certificates and the password. The default location is ../signers. Comment out (insert a # before) the slot line. For guidance in configuring the vsautoauth.conf file for the software signing option, see Table 8-1.

Table 8-1 vsautoauth.conf parameters for the software signing option

certfile
  Default: ../signers/cert.509
  Specifies the full path and filename of the RA certificate.

encCert
  Default: ../signers/AutoAdmin.509.pilot
  Specifies the full path and filename of the Managed PKI encryption certificate.

caCert
  Default: ../signers/cacert.509.pilot
  Specifies the full path and filename of the CA certificate used to sign the RA and Managed PKI encryption certificates.

rootCert
  Default: ../signers/aaroot.509.pilot
  Specifies the full path and filename of the root CA certificate.

password
  Default: password
  The password that protects the private key corresponding to the "certfile" parameter. For the LUNA signer, the LUNA token PIN. For the software signer, the password to the "keyfile" (PKCS#8 file).

slot
  Default: 1
  For the hardware signer.

keyfile
  Default: ../signers/key.p8b
  For the software signer.

lock
  Default: Windows: luna.lock; Solaris: /tmp/luna.lock
  The signing API and swkeygen create this file when they start executing, and remove it when done. Specify separate locations or lock file names for multiple tokens.

Note: By default, the lock parameter does not appear in the vsautoauth.conf file. The lock file is used to prevent multiple processes accessing one Luna hardware token or any given software token. Each token must have its lock file in a different location, or use a different lock file name.

Example vsautoauth.conf (software signing option):
  certfile ../signers/cert.509
  encCert ../signers/AutoAdmin.509.production
  caCert ../signers/cacert.509.production
  rootCert ../signers/raroot.509.production
  password password
  keyfile ../signers/key.p8b
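An added example, not VeriSign's code or any Managed PKI tool, that reads vsautoauth.conf in the keyword/value form described above and checks the settings Table 8-1 and Table 8-2 call for (keyfile for software signing, slot for hardware signing, the four certificate paths, the default password), plus the lock-file and two-certificate rules from the multiple-instance procedure in Chapter 6. The hardware configuration and the PIN value are constructed placeholders; applying the Solaris default lock path to Linux is an assumption.

```python
"""Check vsautoauth.conf settings before starting the RA server."""

CERT_KEYS = ("certfile", "encCert", "caCert", "rootCert")
DEFAULT_PASSWORD = "password"  # default shown in Table 8-1
DEFAULT_LOCK = {"windows": "luna.lock", "solaris": "/tmp/luna.lock"}  # Table 8-1


def parse_vsautoauth(text):
    """Return {keyword: value}. Blank and '#'-commented lines are skipped.
    Keyword and value must be separated by whitespace, as the chapter says;
    a run-together line such as 'passwordpassword' is rejected."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed line (keyword and value expected): %r" % raw)
        conf[parts[0]] = parts[1].strip()
    return conf


def check_signer(conf):
    """Return (mode, issues); mode is 'software', 'hardware' or None."""
    issues = []
    if "keyfile" in conf and "slot" in conf:
        mode = None
        issues.append("both keyfile and slot are active; comment out the unused one")
    elif "keyfile" in conf:
        mode = "software"
    elif "slot" in conf:
        mode = "hardware"
        if not conf["slot"].isdigit():
            issues.append("slot must be the numeric slot ID of the Luna token")
    else:
        mode = None
        issues.append("neither keyfile (software) nor slot (hardware) is set")
    for key in CERT_KEYS:
        if key not in conf:
            issues.append("missing %s" % key)
    # A missing password falls back to the table default, so it is flagged
    # just like leaving the default in place.
    if conf.get("password", DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
        issues.append("password is the documented default; set the key password or token PIN")
    return mode, issues


def effective_lock(conf, platform):
    """Lock file in use: the lock keyword, or the platform default
    (the Solaris default is assumed to apply to Linux as well)."""
    return conf.get("lock", DEFAULT_LOCK[platform])


def check_two_instances(conf_a, conf_b, platform, separate_tokens):
    """Rules for two RA instances on one host. separate_tokens is True when
    the instances use different signing tokens (two Luna tokens, or any
    software token), each of which needs its own lock file."""
    issues = []
    lock_a, lock_b = effective_lock(conf_a, platform), effective_lock(conf_b, platform)
    if separate_tokens and lock_a == lock_b:
        issues.append("separate tokens share lock file %r; use different names or locations" % lock_a)
    both_hw = "slot" in conf_a and "slot" in conf_b
    if separate_tokens and both_hw and conf_a.get("certfile") == conf_b.get("certfile"):
        issues.append("two Luna tokens must point to different RA certificates")
    if platform == "windows" and both_hw and not separate_tokens:
        issues.append("on Windows, two hardware-signing instances require two Luna tokens")
    return issues


# The chapter's software example with its whitespace separators restored.
SOFTWARE_EXAMPLE = """\
certfile ../signers/cert.509
encCert ../signers/AutoAdmin.509.production
caCert ../signers/cacert.509.production
rootCert ../signers/raroot.509.production
password password
keyfile ../signers/key.p8b
# slot 1
"""

# Constructed hardware configuration for the first of two instances; the
# PIN value is a placeholder.
HARDWARE_EXAMPLE = """\
certfile ../signers/cert.509
encCert ../signers/AutoAdmin.509.production
caCert ../signers/cacert.509.production
rootCert ../signers/raroot.509.production
password LUNA-PIN-PLACEHOLDER
slot 1
# keyfile ../signers/key.p8b
lock /tmp/ra1.lock
"""

if __name__ == "__main__":
    for name, text in (("software", SOFTWARE_EXAMPLE), ("hardware", HARDWARE_EXAMPLE)):
        print(name, check_signer(parse_vsautoauth(text)))
```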

3 From the command prompt, run the following command to generate the Registration Authority Certificate Signing Request (CSR). The resulting racert.req file contains a certificate signing request (CSR) in base64 format. Angle brackets mark the values you supply for each parameter:

  swkeygen -name <name> -org <org> -division <division> -locality <locality> -state <state> -country <country> >racert.req

Note: You can use the -policy parameter instead of the -org and -division parameters. The -policy parameter uses the organization name and division name in your VeriSign policy file to generate the CSR. If you use the -policy parameter and the -org and -division parameters, the values in the policy file will override the -org and -division values.

+ You must use the identical, case-sensitive text values for org and orgUnit that you used when you enrolled for the VeriSign Registration Authority. Set the attribute values as follows:
  – org: Use the value that you submitted for Company/Department/Agency.
  – orgUnit: Use the value that you submitted for Division/Organization/Project.
  If you do not know your company and department, open the VeriSign Registration Authority Control Center. Your company and department are located in the upper right-hand corner. Your swkeygen command must exactly match this information, including case, spaces, and punctuation.
+ For country, use a two-character ISO country code, such as US.
+ To enter a parameter that contains a space character, use quotes to surround the string (for example, “Mountain View”).

For details on the swkeygen utility, see Managed PKI Technical Reference.

4 Open the Managed PKI VeriSign Registration Authority enrollment Web page with the appropriate URL:
  + Pilot System: https://pilotonsite.verisign.com/OnSiteServiceEnrollRA.htm
  + Production System: https://onsite.verisign.com/OnSiteServiceEnrollRA.htm

5 Paste the contents of the racert.req file in the field that requests a CSR. Fill in the rest of the information on the page, and submit the request.

6 Contact your VeriSign account representative to have your certificate approved.

7 You will receive an email response containing your RA certificate as an attachment. Save the attached cert.509 file to your signers directory.
Note: If you are skipping the pilot phase and preparing a production system, then make all .509 files read-only.

8 Using a text editor, ensure that the vsautoauth.conf file includes a reference to the Distinguished Name of your RA Certificate.

9 Using a text editor, ensure that bin/vsrasrv.cfg under the destination directory uses the correct software signing library. See Appendix D, “Configuration Files,” for specific information about configuring the vsrasrv.cfg file.

Your certificate store is now ready for use by the signing library.


Next: If you need to set up a secure channel, go to Chapter 10, “Secure Channel.” If you are not setting up a secure channel, and you need to configure your subscriber certificate renewal process, go to Chapter 11, “Subscriber Renewal.” Otherwise, customize your enrollment and Digital ID Center pages (optional), as described in Managed PKI Technical Reference. Then, test the enrollment pages. Once satisfied with the operation of Managed PKI, you can move to production, as described in Chapter 12, “Moving to Production.”

Using the Hardware Signing Option

This section describes how to implement hardware signing. Refer to Managed PKI v7.2 Hardware/Software Requirements for a list of supported Luna hardware security modules (HSMs).

Installing the Hardware Signing Option

1 Before installing any hardware or software, remove any existing Luna drivers on the applicable computer(s).

2 Install the Luna hardware and drivers on the computer that runs your VeriSign Registration Authority server. See the installation documentation provided with your hardware to ensure proper installation.
Note: If you are using the Luna SA appliance, VeriSign Registration Authority needs only the client drivers.

3 Ensure the hardware is operating properly.

Configuring the Hardware Signing Option

Once you have installed the hardware and drivers, configure your VeriSign Registration Authority settings with your signing hardware:

1 In the signers directory, open the vsautoauth.conf configuration parameter file.

2 For the slot parameter, set the slot ID:
+ Luna 2 - The slot ID is displayed on the Luna Dock next to the slot.
+ Luna SA - If you assigned only one partition of the Luna SA appliance to the server running VeriSign Registration Authority, set slot to 1.
+ Luna PCI - If you have only one Luna PCI card, set slot to 1.
+ Luna PCM - The slot ID is displayed on the Luna Dock next to the slot.

3 The vsautoauth.conf file specifies configuration parameters for the signing option. Each line contains a keyword and a value separated by white space. Configure vsautoauth.conf to specify the locations of the certificates and the password. The default location is ../signers. Comment out (insert a # before) the keyfile line.

4 For guidance in configuring the vsautoauth.conf file for the hardware signing option, see Table 8-2.

Table 8-2 vsautoauth.conf parameters for the hardware signing option

Parameter | Default | Description
certfile | ../signers/cert.509 | Specifies the full path and filename of the RA certificate.
encCert | ../signers/AutoAdmin.509.pilot | Specifies the full path and filename of the Managed PKI encryption certificate.
caCert | ../signers/cacert.509.pilot | Specifies the full path and filename of the CA certificate used to sign the RA and Managed PKI encryption certificates.
rootCert | ../signers/aaroot.509.pilot | Specifies the full path and filename of the root CA certificate.
password | password | The password that protects the private key corresponding to the "certfile" parameter. For the LUNA signer, the LUNA token PIN; for the software signer, the password to the "keyfile" (PKCS#8 file).
slot | 1 | Specifies the slot number on which the token reader is installed.
keyfile | ../signers/key.p8b | For the software signer only.
pkcs11_dll | eTpkcs11.dll | Only on Windows. If this DLL is set, the signer will use a smart card token.

Example vsautoauth.conf (hardware signing option):

encCert ../signers/AutoAdmin.509.production
caCert ../signers/cacert.509.production
rootCert ../signers/aaroot.509.production
certfile ../signers/cert.509
password password
slot 1

Installing the RA Certificate

1 Generate a VeriSign RA key-pair on the token and the RA certificate signing request. To do this, run aakeygen with the following command:

aakeygen -name -org -division -locality -state -country >racert.req

The resulting racert.req file contains a certificate signing request (CSR) in base64 format.

Note: You can use the -policy parameter instead of the -org and -division parameters. The -policy parameter uses the organization name and division name in your VeriSign policy file to generate the CSR. If you use both the -policy parameter and the -org and -division parameters, the values in the policy file override the -org and -division values.

+ You must use the identical, case-sensitive text values for org and orgUnit that you used when you enrolled for the Managed PKI service. Set the attribute values as follows:
– org: Use the value that you submitted for Company/Department/Agency.
– orgUnit: Use the value that you submitted for Division/Organization/Project.
If you do not know your company and department, open the Managed PKI Control Center. Your company and department are located in the upper right-hand corner. Your aakeygen command must exactly match this information, including case, spaces, and punctuation.


+ For country, use a two-character ISO country code, such as US.
+ To enter a parameter that contains a space character, use quotes to surround the string (for example, “Mountain View”).
For details on the swkeygen utility, see Managed PKI Technical Reference.

2 Access the Managed PKI RA enrollment Web page at the appropriate URL:
+ Pilot System: https://pilotonsite.verisign.com/OnSiteServiceEnrollRA.htm
+ Production System: https://onsite.verisign.com/OnSiteServiceEnrollRA.htm

3 Paste the contents of the racert.req file into the CSR field. Fill in the rest of the information on the page, and submit the request.

4 Contact your VeriSign account representative to have your certificate approved.

5 While you wait for approval, run the following command from a command window:

\signers\aakeygen -dump

If this process does not create a certificate request entry on the Luna token, check that the slot number in vsautoauth.conf is correct.

6 You will receive an email response containing your RA certificate. Save the attached file as cert.509 in your signers directory.

7 Using a text editor, ensure that /signers/vsautoauth.conf includes a reference to the path ../signers/cert.509.

8 Configure the /bin/vsrasrv.cfg file on the VeriSign Registration Authority server for hardware key generation. For guidance in configuring the file, see “Configuring Key Generation” on page 202.

Next

Re-start the service. See “Starting and Stopping the Registration Authority Server” on page 149.

Renewing Expiring Certificates

For security reasons, the certificates you use to secure communications between Managed PKI components and VeriSign expire and need to be renewed or replaced. This section describes how to renew and replace these certificates.


Replacing Expiring AutoAdmin.509 Certificates

Managed PKI uses the AutoAdmin.509 certificate to encrypt communication with VeriSign. This certificate expires every three years. If the AutoAdmin.509 certificate available from VeriSign is newer than the version in your implementation, Managed PKI saves the existing certificate with a .bak extension and replaces it with the new certificate automatically.

Renewing your RA Certificate

Your RA certificate’s validity period is 365 days from the date it was issued. If your RA certificate is due to expire soon, you must re-enroll for a new RA certificate to continue to use VeriSign Registration Authority without interruption. Before your organization’s RA certificate expires, VeriSign sends you an email notification to re-enroll.

1 Run the swkeygen command to create a new CSR for the RA certificate. The resulting racert.req file contains a certificate signing request (CSR) in base64 format.

swkeygen -name -policy -locality -state -country >racert.req

+ Except for the -name parameter, use the same information you used with your initial RA certificate enrollment. For the -name parameter, use a unique value (such as your administrator name and today’s date).
+ For country, use a two-character ISO country code, such as US.
+ To enter a parameter that contains a space character, use quotes to surround the string (for example, “Mountain View”).
For details on the swkeygen utility, see Managed PKI Technical Reference.

2 Access the Managed PKI RA enrollment Web page listed in the email notification sent by VeriSign. Paste the contents of the racert.req file into the CSR field, fill in the rest of the information on the page, and submit the request. Contact your VeriSign account representative to have the request approved.

3 Make a backup of the cert.509 file in the signers directory.

4 You will receive an email response containing your RA certificate. Save the attached file as cert.509 in your signers directory (overwrite the existing cert.509 file). Save the file as read-only.


Renewing the RA Certificate with the Hardware Signing Option

Complete the following steps to renew your RA certificate if you are using the hardware signing option:

1 Enter the following command to create a new CSR for the RA certificate. This also generates a VeriSign key pair on the Luna token. You must use the same Luna token that you used to generate the initial RA certificate CSR.

aakeygen -name -org -division -locality -state -country >racert.req

+ Except for the -name parameter, use the same information you used with your initial RA certificate enrollment. For the -name parameter, use a unique value (such as your administrator name and today’s date).
+ If you do not know your company and department, open the Managed PKI Control Center. Your company and department are located in the upper right-hand corner. Your aakeygen command must exactly match this information, including case, spaces, and punctuation.
+ For country, use a two-character ISO country code, such as US.
+ To enter a parameter that contains a space character, use quotes to surround the string (for example, “Mountain View”).
For details on the aakeygen utility, see Managed PKI Technical Reference.

2 Access the Managed PKI RA enrollment Web page listed in the email notification sent by VeriSign. Paste the contents of the racert.req file into the CSR field, fill in the rest of the information on the page, and submit the request. Contact your VeriSign account representative to have the request approved.

3 You will receive an email response containing your RA certificate. Save the attached file as cert.509 in your signers directory. This will overwrite the existing cert.509 file, so you should make a backup of the existing file first.

4 Save the new file as read-only.

Starting and Stopping the Registration Authority Server

Start and stop the Registration Authority server according to the appropriate procedures:


Windows

The VeriSign Registration Authority server runs as a standard Windows 2000 service. Run it from the Windows 2000 Administrative Tools Services dialog box.

The first time you run the VeriSign Registration Authority server, you must run vsrasrv -install from the bin directory for that server instance. You only need to run this command once.

1 On the Windows Start menu, select Settings → Control Panel. The Control Panel opens.

2 Double-click the Administrative Tools icon. The Administrative Tools window opens.

3 Double-click the Services icon. The Services dialog box opens.

4 In the list, select VeriSign OnSite Registration Authority Service v7.2 (or the name of the VeriSign Registration Authority server, if you configured a unique service name).

5 Click Start or Stop as required.

Solaris or Linux

To start the VeriSign Registration Authority server:

1 Go to the bin directory for the VeriSign Registration Authority server.

2 On the command line, run ./start_vsrasrv.

To stop the VeriSign Registration Authority server:

1 Go to the bin directory for the VeriSign Registration Authority server.

2 On the command line, run ./stop_vsrasrv.

Remove the VeriSign Registration Authority Service (Windows only)

To remove the VeriSign Registration Authority service from the Services panel on Windows, run vsrasrv.exe -remove from the \bin directory.

Next

If you need to set up a secure channel, go to Chapter 10, “Secure Channel.” If you are not setting up a secure channel, and you need to configure your subscriber certificate renewal process, go to Chapter 11, “Subscriber Renewal.” Otherwise, customize your enrollment and Digital ID Center pages (optional), as described in Managed PKI Technical Reference. Then, test the enrollment pages. Once satisfied with the operation of Managed PKI, you can move to production, as described in Chapter 12, “Moving to Production.”


Chapter 9 Outsourced Authentication

With Managed PKI’s Outsourced Authentication (OA) option, your organization can outsource some or all of its authentication process to VeriSign. VeriSign will authenticate unknown parties who want to do business with your organization over the Internet. If desired, your organization can retain the authentication tasks for known applicants—those who either already have certificates, or those who meet your organization’s criteria. You decide how much of the authentication process to assign to VeriSign. For more information about Outsourced Authentication, see Managed PKI 7.2 Outsourced Authentication Administrator’s Guide.

Note: Before running the Policy Wizard, you must ask VeriSign to enable OA.

To install the OA service, your organization must implement Local Hosting and VeriSign Registration Authority. With the OA feature enabled, the Policy Wizard generates a policy file that includes all of the necessary specifications for OA. See Managed PKI 7.2 Outsourced Authentication Administrator’s Guide for a description of which Managed PKI features can be used with Outsourced Authentication.

As with VeriSign Registration Authority, enrollment requests submitted by known, registered customers are automatically approved. However, rather than rejecting requests by unknown, external customers, Outsourced Authentication assigns them a Pending status. To configure Outsourced Authentication, you must change the VeriSign Registration Authority source code and re-compile the corresponding libraries. This chapter describes how to change the VeriSign Registration Authority source code for Outsourced Authentication.

Configuring Outsourced Authentication for ODBC

Open and edit the vsaaodbc.cpp file, as follows:

1 In the DoVerifyUser(...) function, comment out the following lines:

/*
else if (queryResultCnt == 0) {
    VS_Log(VS_LOG_ERROR, __LINE__, __FILE__,
           "No entry was found with the query SQL %s", pSelectSQLStatement);
    VSAAUTIL_Free(pWhereSQLStatement);
    VSAAUTIL_Free(pSelectSQLStatement);
    return VSAA_VERIFY_FAILED;
}
*/

2 After these lines:

else if (queryResultCnt > 1) {
    VS_Log(VS_LOG_ERROR, __LINE__, __FILE__,
           "Multiple entries were found with the query SQL %s", pSelectSQLStatement);
    VSAAUTIL_Free(pWhereSQLStatement);
    VSAAUTIL_Free(pSelectSQLStatement);
    return VSAA_VERIFY_FAILED;
}

enter the following:

if (queryResultCnt == 0) {
    pszStatus = VSAA_PENDING;
    ODBC_InsertNewUserToDatabase(userInput);
} else {

3 For all users that are not in the verification data source, add the ODBC_InsertNewUserToDatabase(...) function. The following example code adds a new user’s first name, last name, and email address to the data source.

Note: The following code is provided as an example; do not copy this code directly. You need to customize your code to match your implementation.

VSAA_STATUS ODBC_InsertNewUserToDatabase(const VSAA_NAME userInput[])
{
    const char *firstname, *lastname, *emailaddress;
    VSAA_STATUS status = VSAA_SUCCESS;
    char sql[5000];
    RETCODE rc;

    do {
        /* pull the three enrollment fields out of the user input list */
        firstname = FindName(MAIL_FIRSTNAME, strlen(MAIL_FIRSTNAME), userInput);
        if (firstname == NULL) {
            VS_Log(VS_LOG_ERROR, __LINE__, __FILE__, "first name not found in input list");
            status = VSAA_VERIFY_FAILED;
            break;
        }
        lastname = FindName(MAIL_LASTNAME, strlen(MAIL_LASTNAME), userInput);
        if (lastname == NULL) {
            VS_Log(VS_LOG_ERROR, __LINE__, __FILE__, "last name not found in input list");
            status = VSAA_VERIFY_FAILED;
            break;
        }
        emailaddress = FindName(MAIL_MAIL, strlen(MAIL_MAIL), userInput);
        if (emailaddress == NULL) {
            VS_Log(VS_LOG_ERROR, __LINE__, __FILE__, "email address not found in input list");
            status = VSAA_VERIFY_FAILED;
            break;
        }

Note: The following code is an example of how to change the table name and column names to match the data source, based on the changes made above.

        /* build and run the INSERT against the verification data source */
        sprintf(sql, "INSERT INTO Addresses (FirstName, LastName, EmailAddress) VALUES ('%s', '%s', '%s')",
                firstname, lastname, emailaddress);
        rc = ODBCSQLExec(dbErrDesc, dbId, dbCursor, gODBCCfg.database, gODBCCfg.username,
                         gODBCCfg.password, FT_UPDATE, sql, NULL);
        if (rc != SQL_SUCCESS) {
            VS_Log(VS_LOG_ERROR, __LINE__, __FILE__, "Error - %s", dbErrDesc);
            VS_Log(VS_LOG_ERROR, __LINE__, __FILE__, "Failed at the sql statement: %s", sql);
            status = VSAA_UPDATE_FAILED;
            break;
        }
    } while (0);

    return status;
}
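The INSERT in ODBC_InsertNewUserToDatabase is assembled with sprintf from the applicant's enrollment input into a fixed char sql[5000], so a value containing a single quote (a surname such as O'Brien) breaks or alters the statement, and an over-long value overruns the buffer. As an added illustration that is not part of the Managed PKI sources, the following C function builds the same statement with each value quoted as a standard SQL string literal and with the output length checked; binding the values as ODBC parameters is the stronger option where the driver supports it. The function names, the 256-byte per-field limit and the sample data are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy `in` into `out` as the body of a standard SQL string literal: every
 * single quote is doubled and the result is checked against `cap`.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * value does not fit. Drivers running in a non-standard quoting mode (for
 * example backslash escapes) need that escaping as well; parameter binding
 * avoids the question entirely. */
static int sql_quote_value(char *out, size_t cap, const char *in)
{
    size_t n = 0;
    if (cap == 0)
        return -1;
    for (; *in != '\0'; ++in) {
        size_t need = (*in == '\'') ? 2 : 1;
        if (n + need >= cap)          /* keep room for the terminating NUL */
            return -1;
        out[n++] = *in;
        if (*in == '\'')
            out[n++] = '\'';
    }
    out[n] = '\0';
    return (int)n;
}

/* Build the INSERT used by the Outsourced Authentication example into
 * `out` (capacity `cap`). The table and column names are the ones from
 * the page's example and are assumptions; adapt them to the data source.
 * Returns 0 on success, -1 on a NULL input or when the statement would
 * not fit (a truncated statement is never handed back). */
int build_insert_sql(char *out, size_t cap,
                     const char *firstname, const char *lastname,
                     const char *emailaddress)
{
    char f[256], l[256], e[256];
    int len;

    if (firstname == NULL || lastname == NULL || emailaddress == NULL)
        return -1;
    if (sql_quote_value(f, sizeof f, firstname) < 0 ||
        sql_quote_value(l, sizeof l, lastname) < 0 ||
        sql_quote_value(e, sizeof e, emailaddress) < 0)
        return -1;

    len = snprintf(out, cap,
                   "INSERT INTO Addresses (FirstName, LastName, EmailAddress) "
                   "VALUES ('%s', '%s', '%s')", f, l, e);
    if (len < 0 || (size_t)len >= cap) {
        if (cap > 0)
            out[0] = '\0';            /* do not return a truncated statement */
        return -1;
    }
    return 0;
}

/* Constructed sample run: a legitimate surname containing an apostrophe. */
int main(void)
{
    char sql[5000];
    if (build_insert_sql(sql, sizeof sql, "Sean", "O'Brien", "sean@example.com") == 0)
        puts(sql);
    return 0;
}
```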

Configuring Outsourced Authentication for Flat File

Open and edit the vsaafile.cpp file, and change authenticate to PENDING, as in the example below:

/* if no matched data found, default to authenticate=PENDING */
if (status == VSAA_VERIFY_FAILED) {
    strcpy(augmentData, "authenticate=PENDING");
    Augment(augmentData, augmentedData);
    status = VSAA_SUCCESS;
}

Note: In the authenticate name-value pair, the value that follows authenticate= must be entered in all capitals.


Configuring Outsourced Authentication for Lightweight Directory Access Protocol (LDAP)

1 Open and edit the vsaaldap.cpp file. The following example code adds a new user’s first name, last name, and email address to the data source. The bold text indicates lines added to existing code.

Note: The following code is provided as an example; do not copy this code directly. You need to customize your code to match your implementation.

#define MAIL_FIRSTNAME "mail_firstName"
#define MAIL_LASTNAME  "mail_lastName"
#define MAIL_MAIL      "mail_email"

/* ***
 * LDAP *ppLd            - IN - pointer to LDAP directory
 * const char *pszBaseDN - IN - base DN
 * *** */
VSAA_STATUS DIM_CreateNewLDAPEntry(LDAP *ppLd, const char *pszBaseDN, const VSAA_NAME userInput[])
{
    char *firstname, *lastname, *emailaddress;
    LDAPMod *attrs[4];
    int status;
    LDAPMod fnameAttribute, lnameAttribute, mailAttribute;
    char *fnameValues[2], *lnameValues[2], *mailValues[2];

    /* pull the three enrollment fields out of the user input list */
    firstname = (char *) FindName(MAIL_FIRSTNAME, strlen(MAIL_FIRSTNAME), userInput);
    if (firstname == NULL) {
        VS_Log(VS_LOG_ERROR, __LINE__, __FILE__, "first name not found in input list");
        return VSAA_VERIFY_FAILED;
    }
    lastname = (char *) FindName(MAIL_LASTNAME, strlen(MAIL_LASTNAME), userInput);
    if (lastname == NULL) {
        VS_Log(VS_LOG_ERROR, __LINE__, __FILE__, "last name not found in input list");
        return VSAA_VERIFY_FAILED;
    }
    emailaddress = (char *) FindName(MAIL_MAIL, strlen(MAIL_MAIL), userInput);
    if (emailaddress == NULL) {
        VS_Log(VS_LOG_ERROR, __LINE__, __FILE__, "email address not found in input list");
        return VSAA_VERIFY_FAILED;


    }

    /* one LDAPMod per attribute; mod_op 0 is LDAP_MOD_ADD */
    fnameValues[0] = firstname;
    fnameValues[1] = NULL;
    fnameAttribute.mod_op = 0;
    fnameAttribute.mod_type = "givenName";   /* inetOrgPerson attribute for the first name */
    fnameAttribute.mod_values = fnameValues;

    lnameValues[0] = lastname;
    lnameValues[1] = NULL;
    lnameAttribute.mod_op = 0;
    lnameAttribute.mod_type = "sn";
    lnameAttribute.mod_values = lnameValues;

    mailValues[0] = emailaddress;
    mailValues[1] = NULL;
    mailAttribute.mod_op = 0;
    mailAttribute.mod_type = "mail";
    mailAttribute.mod_values = mailValues;

    attrs[0] = &fnameAttribute;
    attrs[1] = &lnameAttribute;
    attrs[2] = &mailAttribute;
    attrs[3] = NULL;

    // char *dn = "cn=John Doe, ou=RATestDept, o=verisign.com";
    char dn[200];
    sprintf(dn, "cn=%s %s, ou=RATestDept, %s", firstname, lastname, pszBaseDN);

Note: In the preceding line, assign a value for ou (RATestDept) for the customer.

    status = ldap_add_s(ppLd, dn, attrs);
    if (status == LDAP_SUCCESS)
        return VSAA_SUCCESS;
    else {
        VS_Log(VS_LOG_ERROR, __LINE__, __FILE__, "Insert new entry to ldap failed");
        return VSAA_HARD_ERROR;
    }
}

VSAA_STATUS VSAA_LINK DoVerifyUser(const VSAA_NAME userInput[], VSAA_NAME **augmentedData)
{
    VSAA_STATUS status = VSAA_SUCCESS;
    LDAP *pLdapID = NULL;
    LDAPMessage *pResult = NULL, *pEntry = NULL;
    /* The value of the following variables might be from user's input, so it should be
       allocated as needed rather than using a fixed size


       buffer which might cause over-flow. */
    char *pszFilter = NULL;
    char *pszUserDN = NULL;
    char *pszUserPWD = NULL;

    const char *pszStatus = VSAA_YES;

    VSAA_BOOL useExternalLDAPServer = DIM_IsExternalLDAPServerRequested(userInput);
    DIMCfgLDAPHost *pLdapHostCfg = (useExternalLDAPServer == VSAA_FALSE)
                                   ? &gDIMCfg.verLDAPCfg : &gDIMCfg.verLDAPExternalCfg;
    DIM_TRACE("DoVerifyUser()");

    /* preparing the search filter */
    if ((status = DIM_BuildLDAPSearchFilter(&pszFilter, userInput, gDIMCfg.verAttrListPtr,
                                            gDIMCfg.setAttrListPtr,
                                            pLdapHostCfg->szObjClass)) != VSAA_SUCCESS) {
        return DIM_LogError(status);
    }
    /* preparing the bind DN and PWD */
    if (!*pLdapHostCfg->szBindDN) {
        pszUserDN = pszUserPWD = NULL;
    } else {
        if ((status = DIM_BuildBindDNPassword(&pszUserDN, &pszUserPWD, userInput,
                                              pLdapHostCfg, pszFilter)) != VSAA_SUCCESS) {
            if (pszFilter) VSAAUTIL_Free(pszFilter);
            if (pszUserDN) VSAAUTIL_Free(pszUserDN);
            if (pszUserPWD) VSAAUTIL_Free(pszUserPWD);
            return DIM_LogError(status);


        }
    }
    /* Use the binding information to connect to the authentication LDAP server and
       query it for the entry to be verified. A successful query returns a valid
       pResult and pEntry for the given search filter. */
    status = DIM_QueryLDAPServer(&pLdapID, &pResult, &pEntry, pLdapHostCfg->szHostName,
                                 pLdapHostCfg->nSSLEnabled ? pLdapHostCfg->nSSLPort
                                                           : pLdapHostCfg->nPort,
                                 pLdapHostCfg->nSSLEnabled, pLdapHostCfg->szCertDB,
                                 pLdapHostCfg->szBaseDN, pszUserDN, pszUserPWD, pszFilter);
    if (pszFilter) VSAAUTIL_Free(pszFilter);
    if (pszUserDN) VSAAUTIL_Free(pszUserDN);
    if (pszUserPWD) VSAAUTIL_Free(pszUserPWD);
    if (status != VSAA_SUCCESS) {
        if (status != VSAA_ERR_CFG_ENTRY_NOT_FOUND)
            return DIM_LogError(status);
    }
    /* If no entry is found in the LDAP server, create a new entry for this user
       and set status to VSAA_PENDING. */
    /* Determine whether all required match data are satisfied. If not, VSAA_PENDING
       should be reported for MANUAL_AUTH attributes, and VSAA_NO for AUTH attributes. */
    if (status == VSAA_ERR_CFG_ENTRY_NOT_FOUND) {
        /* create a new entry for this user in the LDAP server */
        DIM_CreateNewLDAPEntry(pLdapID, pLdapHostCfg->szBaseDN, userInput);
        /* set pszStatus to VSAA_PENDING */
        pszStatus = VSAA_PENDING;
    }
    else if (VSAA_TRUE != DIM_IsLDAPEntryAuthorized(pLdapID, pEntry, gDIMCfg.authAttrListPtr))
        pszStatus = VSAA_NO;
    else if (VSAA_TRUE != DIM_CompareUserInputWithLDAPEntry(userInput, pLdapID, pEntry,
                                                            gDIMCfg.manualAuthAttrListPtr))
        pszStatus = VSAA_PENDING;


    /* Validation is done, we are ready to augment user input data from information
       provided in LDAP server. */
    status = DIM_AugmentUserDataWithLDAPEntry(augmentedData, pszStatus, pLdapID, pEntry,
                                              gDIMCfg.setAttrListPtr, gDIMCfg.getAttrListPtr);
    ldap_msgfree(pResult);
    ldap_unbind(pLdapID);
    return status;
}
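DIM_CreateNewLDAPEntry formats the new entry's DN with sprintf into char dn[200] straight from the first and last name the applicant entered, so a comma, plus sign or quote in a name changes the structure of the DN and a long name overruns the buffer, the failure mode the comment at the top of DoVerifyUser warns about. The following added C example (not from the Managed PKI sources) builds the same cn=...,ou=...,<base DN> form with each attribute value escaped as RFC 4514 requires and the total length checked before the DN would be handed to ldap_add_s; the function names, per-field limits and sample data are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape one attribute value for use inside an RFC 4514 DN string.
 * The characters , + " \ < > ; are prefixed with a backslash, as are a
 * leading '#' and a leading or trailing space. Returns the escaped length,
 * or -1 if the result does not fit in `cap` bytes. */
static int dn_escape_value(char *out, size_t cap, const char *in)
{
    size_t n = 0, len = strlen(in), i;
    if (cap == 0)
        return -1;
    for (i = 0; i < len; ++i) {
        char c = in[i];
        int special = (strchr(",+\"\\<>;", c) != NULL)
                   || (c == '#' && i == 0)
                   || (c == ' ' && (i == 0 || i == len - 1));
        if (n + (special ? 2 : 1) >= cap)   /* keep room for the NUL */
            return -1;
        if (special)
            out[n++] = '\\';
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Build "cn=<first> <last>,ou=<ou>,<base DN>" into `out` (capacity `cap`).
 * `base_dn` comes from the RA's LDAP host configuration and is already a
 * DN, so it is appended as-is; the cn and ou values are escaped. Returns 0
 * on success, -1 on a NULL input or when the DN would not fit (a truncated
 * DN is never handed back). */
int build_user_dn(char *out, size_t cap, const char *firstname,
                  const char *lastname, const char *ou, const char *base_dn)
{
    char cn_raw[256], cn[512], ou_esc[256];   /* escaping can double a value */
    int len;

    if (!firstname || !lastname || !ou || !base_dn)
        return -1;
    len = snprintf(cn_raw, sizeof cn_raw, "%s %s", firstname, lastname);
    if (len < 0 || (size_t)len >= sizeof cn_raw)
        return -1;
    if (dn_escape_value(cn, sizeof cn, cn_raw) < 0 ||
        dn_escape_value(ou_esc, sizeof ou_esc, ou) < 0)
        return -1;

    len = snprintf(out, cap, "cn=%s,ou=%s,%s", cn, ou_esc, base_dn);
    if (len < 0 || (size_t)len >= cap) {
        if (cap > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed sample run: a surname containing a comma, which unescaped
 * would have started a new RDN. */
int main(void)
{
    char dn[200];
    if (build_user_dn(dn, sizeof dn, "John", "Doe, Jr.", "RATestDept", "o=verisign.com") == 0)
        puts(dn);
    return 0;
}
```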

Next

Continue with Chapter 8, “Signing Option,” to set up the signing option.


Chapter 10 Secure Channel

This chapter explains how to set up the secure communications channel between the Local Hosting Web server and the VeriSign Registration Authority server, or between the VeriSign Registration Authority server and the LDAP directory. The secure channel is used to authenticate a server and encrypt data.

Before proceeding with this chapter, you should first:
+ Complete the requirements for your Managed PKI configuration, as described in Chapter 2, “Before Enrolling for Managed PKI.”
+ (If applicable) Install the Administrator Kit. See Chapter 4, “Installing the Administrator Kit.”
+ Configure Managed PKI and download your policy file, as described in Chapter 3, “Configuring Managed PKI.”
+ Install Local Hosting, as described in Chapter 5, “Configuring Local Hosting.”
+ Install VeriSign Registration Authority, as described in Chapter 6, “Registration Authority.”
+ If you are implementing Passcode Authentication, continue with Chapter 7, “Configuring Passcode Authentication.”
+ Set up the signing option, as described in Chapter 8, “Signing Option.”

Note: If you are satisfied with the security of your internal network, and your enrollments will not include any sensitive data, then you may elect not to implement the secure channel. To opt out of the secure channel, see “Opting Out of the Secure Channel” on page 167.


Installation Overview for the Secure Channel Figure 10-1 provides an overview of the installation process for the secure channel. The remainder of this chapter details the installation process.

Figure 10-1 Installation overview for the secure channel


Setting Up the Secure Channel Figure 10-2 shows the components of the secure channel.

Figure 10-2 Secure channel components

To set up the secure channel between your Local Hosting Web server and your VeriSign Registration Authority server, you complete the following general steps.

Note: For information on secure channel error descriptions, see Managed PKI v7.2 Error Codes and Troubleshooting Guide.

1 Generate a Secure Server certificate request for the server host. Since Secure Server certificates are not covered by the Managed PKI contract, your organization is assessed a charge.

2 Complete and submit the Secure Server certificate application for the server host.

3 When you receive the certificate, install it and configure other hosts to use SSL when communicating with the server host.

Note: To renew your SSL certificates, you must re-enroll and repeat the directions in this chapter.

These steps are described in detail below.


Generate the Certificate Request

1 Move to the \ssl subdirectory of the directory on the VeriSign Registration Authority server host where you installed the VeriSign Registration Authority server ().

2 Generate an RSA key pair:

a Select a file at random on your VeriSign Registration Authority server host for use as raw seed data for the random number generation process. Choose a file that is unique to your system, contains at least 20 bytes, and is as random as possible. Larger files generate a more random number. No changes are made to the file.

b Enter the following command:

% openssl genrsa -des3 -out key.pem -rand 1024

The command returns text similar to the following example. Enter a PEM (Privacy Enhanced Message) pass phrase at the “Enter PEM pass phrase” prompt.

136 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
........+++++
..+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

Note: Remember your PEM pass phrase for later use.

The RSA key is generated in a file called key.pem. The key.pem file looks like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,963E0712FA97DEFE

(base64-encoded key body)
-----END RSA PRIVATE KEY-----


3 Enter the following command to generate a certificate signing request (CSR):

% openssl req -out pkcs10.pem -verify -key key.pem -config openssl.cnf -new

The system will generate informative text and a series of prompts, similar to the following example. Enter the requested information at each prompt.

Using configuration from openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Mountain View
Organization Name (eg, company) [Your company name]:VeriSign
Organizational Unit Name (eg, section) [Your department name]:Engineering
Common Name (fully qualified server name) []:hostAA.acme.com
verify OK

Note: The Common Name in the certificate must exactly match the name of the host as it is entered in pestub.cfg on the Local Hosting Web server. For example, if you access the host by fully qualified domain name (host.domain.com), then use the fully qualified domain name here. If you access the host by host name only (host), then use just the host name here.

The certificate request is stored in the pkcs10.pem file, which has the following appearance:

-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request body)
-----END CERTIFICATE REQUEST-----

Acquire and Install the Secure Server Certificate

1 Go to http://www.verisign.com to apply for an SSL ID. If your company has Managed PKI for SSL, contact your system administrator for the appropriate enrollment URL. To begin using the secure channel immediately, you can enroll for a trial SSL ID. The trial certificate is valid for 14 days. When you receive your production certificate, replace the trial SSL ID.

2 Ask your VeriSign account representative to have the SSL ID request approved (not required for trial SSL IDs).

3 You will receive an email response containing the SSL ID. Copy the SSL ID from the email to a file (for example, cert.pem). An example of an SSL ID appears below:

-----BEGIN CERTIFICATE-----
(base64-encoded certificate body)
-----END CERTIFICATE-----

4. Append key.pem and SecureServerRoot.pem (provided on the Managed PKI CD) to cert.pem, as follows:

Windows 2000:

c:> type key.pem >> cert.pem
c:> type SecureServerRoot.pem >> cert.pem

Note: If using a VeriSign trial SSL ID with Windows, replace the second line with the following:

c:> type test_root.pem >> cert.pem

Windows 2003:

1. Open key.pem in Windows Word Pad (not Notepad) and copy the contents of the file into your clipboard. Close the file.

2. Open cert.pem in Windows Word Pad and paste the contents of your clipboard at the end of the cert.pem file. Save the file as cert.pem and close it.

3. Enter the following at a command line:

c:> type SecureServerRoot.pem >> cert.pem

Note: If using a VeriSign trial SSL ID with Windows, replace this line with the following:

c:> type test_root.pem >> cert.pem

Solaris and Linux:

$ cat key.pem >> cert.pem
$ cat SecureServerRoot.pem >> cert.pem

Note: If using a VeriSign trial SSL ID with Solaris or Linux, replace the second line with the following:

$ cat test_root.pem >> cert.pem
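The `type ... >>` and `cat ... >>` steps above only concatenate files; they do not tell you whether the result is what the server will accept. The following Python script is an added example, not code from this guide or from VeriSign: it assembles cert.pem in the same order (server certificate, private key, root), picks test_root.pem for a trial SSL ID, and then checks the PEM blocks in the bundle. The sample file contents are constructed placeholders (the base64 is not real DER), and the "RSA PRIVATE KEY" label assumed for key.pem reflects how OpenSSL of that era wrote keys.

```python
import base64
import binascii
import re

# Constructed stand-ins for cert.pem, key.pem, SecureServerRoot.pem and
# test_root.pem. The base64 payloads are placeholder bytes, not real DER,
# so nothing here is a usable key or certificate.
def _fake_pem(label, payload):
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

SAMPLE_FILES = {
    "cert.pem": _fake_pem("CERTIFICATE", b"constructed server certificate"),
    # Label assumed: OpenSSL of the period wrote "RSA PRIVATE KEY" for key.pem.
    "key.pem": _fake_pem("RSA PRIVATE KEY", b"constructed private key"),
    "SecureServerRoot.pem": _fake_pem("CERTIFICATE", b"constructed production root"),
    "test_root.pem": _fake_pem("CERTIFICATE", b"constructed trial root"),
}

# One PEM block: BEGIN header, base64 body, matching END footer.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def build_cert_bundle(files, trial=False):
    """Mirror the `type ... >> cert.pem` / `cat ... >> cert.pem` steps:
    server certificate first, then the private key, then the root
    (test_root.pem for a trial SSL ID, SecureServerRoot.pem otherwise)."""
    root = "test_root.pem" if trial else "SecureServerRoot.pem"
    return files["cert.pem"] + files["key.pem"] + files[root]

def parse_pem_blocks(text):
    """Return the block labels found in text, in order. Raises
    binascii.Error when a block body is not valid base64, which is what a
    certificate mangled by email line wrapping looks like."""
    labels = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels

def bundle_problems(text):
    """List what is wrong with an assembled cert.pem; an empty list means it
    holds the three blocks the procedure expects, in the expected order."""
    try:
        labels = parse_pem_blocks(text)
    except binascii.Error as exc:
        return ["a PEM block does not decode as base64: %s" % exc]
    problems = []
    if not labels or labels[0] != "CERTIFICATE":
        problems.append("the server certificate must be the first block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key block: key.pem was not appended")
    if labels.count("CERTIFICATE") < 2:
        problems.append("no root certificate block: the root file was not appended")
    return problems

if __name__ == "__main__":
    for trial in (False, True):
        bundle = build_cert_bundle(SAMPLE_FILES, trial=trial)
        print("trial" if trial else "production", parse_pem_blocks(bundle),
              bundle_problems(bundle) or "ok")
    print("cert.pem alone:", bundle_problems(SAMPLE_FILES["cert.pem"]))
```

Because the assembled cert.pem now carries the private key, give it the same restrictive file permissions as key.pem. A base64 failure reported for the first block is the usual sign that the SSL ID was copied out of the email with wrapped or missing lines.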

Configure the Secure Channel

To enable the Secure channel, you must configure the following configuration files:

– Local Hosting Web server host. Configure pestub.cfg on the Local Hosting Web server host. See Chapter 5, “Configuring Local Hosting,” for guidelines.

– VeriSign Registration Authority server host. Edit the /bin/vsrasrv.cfg file. See Appendix D “Configuration Files” for more information about configuring the vsrasrv.cfg file.

Opting Out of the Secure Channel

To opt out of the secure channel between your Local Hosting Web server and your server host:

1. Edit the /bin/vsrasrv.cfg file on the VeriSign Registration Authority server, and set the SSL_FLAG to off. When this flag is set to off, the configuration file ignores the other parameters in the Secure Channel Configuration section. See Appendix D “Configuration Files” for more information about configuring the vsrasrv.cfg file.

2. Comment out (place a ‘#’ before) the KEY parameters in the pestub.cfg file on the Local Hosting Web server.

Secure Channel Between the VeriSign Registration Authority Server Host and the LDAP Data Source

If you are using an LDAP registration or verification data source, you can set up a secure channel between your server host and the data source(s). The SSL encryption strength between the VeriSign Registration Authority server and the LDAP data source is 128-bit. See the following procedures:

Note: Use the procedures provided with your LDAP data source to complete Step 1, “Apply for and install a SSL ID (or Premium SSL ID) certificate for your verification and/or registration data source(s).” and Step 2, “Turn on Encryption and restart your LDAP server.”

1. Apply for and install a SSL ID (or Premium SSL ID) certificate for your verification and/or registration data source(s).

2. Turn on Encryption and restart your LDAP server.

3. Edit the LDAP Configuration section of the /bin/vsrasrv.cfg file on the VeriSign Registration Authority server. See Appendix D, “Configuration Files,” for more information about configuring the vsrasrv.cfg file.

4. Re-start the service. See “Starting and Stopping the Registration Authority Server” on page 149.

Note: VeriSign has not tested and does not support the use of Premium SSL IDs to secure communication between the registration and authentication servers.

Next

If you need to configure your subscriber certificate renewal process, go to Chapter 11, “Subscriber Renewal.” If you are installing any Go Secure! products, see the relevant installation documentation for each Go Secure! product and continue with the installation. Otherwise, customize your enrollment and Digital ID Center pages (optional), as described in Managed PKI Technical Reference. Then, test the enrollment pages. Once satisfied with the operation of Managed PKI, you can move to production, as described in Chapter 12, “Moving to Production.”

Chapter 11
Subscriber Renewal

This chapter describes how to configure your certificate renewal method for subscribers. Managed PKI supports three renewal methods: Automatic Renewal, Re-authentication Renewal, and Client Authentication Renewal. Re-authentication Renewal and Client Authentication Renewal require Local Hosting. For guidance in determining which renewal method to use, see Managed PKI Technical Reference.

Note: If you have customized your VeriSign Registration Authority or Passcode Authentication so that the subscriber email address is not included in the enrollment data submitted to VeriSign, the system cannot send a renewal notice to each individual subscriber. You must go to the Control Center and run the Renewal Wizard, specifying either to not send renewal notices, or to send them to a fixed recipient.

Before configuring your certificate renewal method, you should first:

– Complete the requirements for your Managed PKI configuration, as described in Chapter 2, “Configuring Your System.”
– (If applicable) Install the Administrator Kit. See Chapter 4, “Installing the Administrator Kit.”
– Configure Managed PKI and download your policy file, as described in Chapter 3, “Configuring Managed PKI.”
– (If applicable) Install Local Hosting, as described in Chapter 5, “Configuring Local Hosting.”
– Install VeriSign Registration Authority, as described in Chapter 6, “Registration Authority.” If you are implementing Passcode Authentication, continue with Chapter 7, “Configuring Passcode Authentication.”
– (If applicable) Set up the signing option, as described in Chapter 8, “Signing Option.”
– (If applicable) Set up the secure channel, as described in Chapter 10, “Secure Channel.”

How to Implement Automatic Renewal for Subscribers

1. Open the End-User Renewal Wizard by clicking the Renewal link in the Configuration page of the Managed PKI Control Center.

2. In “Step 1: Specify the Authentication Mode”, select Instant Issue.

3. Complete the remaining Wizard pages according to your requirements.

4. Download the policy file and configure your Managed PKI account according to the procedures in this document.

How to Implement Re-authentication Renewal for Subscribers

To implement the re-authentication method for certificate renewal, you must be using VeriSign Registration Authority with Local Hosting.

1. Open the End-User Renewal Wizard by clicking the Renewal link in the Configuration page of the Managed PKI Control Center.

2. In “Step 1: Specify the Authentication Mode”, select Instant Issue.

3. Complete the remaining Wizard pages according to your requirements.

4. Download the policy file and configure your Managed PKI account according to the procedures in this document.

5. Open the Email Wizard by clicking the email link in the Configuration page of the Managed PKI Control Center.

6. Open and edit the email template for Managed PKI you are configuring, as follows:

a. Redirect the URL of the Email Message template to your enrollment page.

b. Remove the paragraph referring to the Challenge Phrase.

How to Implement Client Authentication Renewal for Subscribers

To implement the client authentication method for certificate renewal, you must be using VeriSign Registration Authority. Make the following changes to set up your account to use Client Authentication Renewal:

For users of Sun ONE Web Server:

1. Copy sophialite.exe and rename the copy to aarenew.exe.

2. Replace the references to sophialite.exe with aarenew.exe in userRenewalCertMS.htm and userRenewalCertNS.htm.

3. Change the digitalidCenter.htm file as follows:
– Change userRenewalNS.htm to userRenewalCertNS.htm.
– Change userRenewalMS.htm to userRenewalCertMS.htm.

4. Add the following six lines to the obj.conf file to require your server to request client certificates for the renewal HTML and CGI files.

Note: Type exactly as shown below, using the appropriate values for your installation.

PathCheck fn="get-client-cert" method="*" dorequest="1"
PathCheck fn="get-client-cert" method="*" dorequest="1"

5. Configure your Web server to require SSL and client certificates when accessing userRenewalCertNS.htm, userRenewalCertMS.htm, and aarenew.exe. See your Web server documentation for instructions.

For users of Microsoft IIS:

1. Copy sophialite.exe and rename the copy to aarenew.exe.

2. Replace the references to sophialite.exe with aarenew.exe in userRenewalCertMS.htm and userRenewalCertNS.htm.

3. Change the digitalidCenter.htm file as follows:
– Change userRenewalNS.htm to userRenewalCertNS.asp.
– Change userRenewalMS.htm to userRenewalCertMS.asp.

4. Configure your Web server to require SSL and client certificates when accessing userRenewalCertMS.asp, userRenewalCertNS.asp, and aarenew.exe. See your Web server documentation for instructions.

5. Restart your Web server.

Next

If needed, customize your enrollment and Digital ID Center pages, as described in Managed PKI Technical Reference. Then, test the enrollment pages. Once satisfied with the operation of Managed PKI, you can move to production, as described in Chapter 12, “Moving to Production.” If you are already on the production system, you can begin using Managed PKI.

Chapter 12
Moving to Production

This chapter provides instructions for moving from a pilot environment to a production system. Before proceeding with this chapter, you should first:

– Complete the requirements for your Managed PKI configuration, as described in Chapter 2, “Configuring Your System.”
– (If applicable) Install the Administrator Kit. See Chapter 4, “Installing the Administrator Kit.”
– Configure Managed PKI and download your policy file, as described in Chapter 3, “Configuring Managed PKI.”
– Install Local Hosting, as described in Chapter 5, “Configuring Local Hosting.” If you are implementing Passcode Authentication, continue with Chapter 7, “Configuring Passcode Authentication.”
– (If applicable) Install VeriSign Registration Authority, as described in Chapter 6, “Registration Authority.”
– (If applicable) Set up the signing option, as described in Chapter 8, “Signing Option.”
– (If applicable) Set up the secure channel, as described in Chapter 10, “Secure Channel.”
– (If applicable) Configure your certificate renewal method for subscribers, as described in Chapter 11, “Subscriber Renewal.”

VeriSign’s Pilot Managed PKI is a pre-production system recommended for customers implementing VeriSign Registration Authority or Personal Trust Agent (PTA). In creating a Pilot Managed PKI environment, you set up the hardware and software that you expect to use in your Production Managed PKI system. Pilot Managed PKI enables you to test your Managed PKI system before committing to a production system. Depending upon the amount of hardware and the complexity of your Managed PKI configuration, the testing period for your Pilot Managed PKI configuration may last from a few days to six months.

This chapter includes the following:

– An overview of the necessary preparations for moving to a Production Managed PKI system from Pilot Managed PKI appears on page 175.
– A list of steps you should complete before you move to production appears on page 175.
– Detailed procedures for moving to a Production Managed PKI system begin on page 176.

Overview: Moving to Production

Figure 12-1 provides an overview of the process for moving to production. The remainder of this chapter details the process.

Figure 12-1 Overview of steps for moving to production

Before You Start

To prepare to move to a Production Managed PKI system, complete the following requirements:

1. Back up your Pilot Managed PKI system files. Although your Pilot Managed PKI system (if on a separate machine) will continue to run normally while you set up, test, and implement the Production Managed PKI system, you should back up the system files as a precaution. Critical files include the RA certificate, Auto Admin certificate, CA certificate, and Digital ID Center pages, as well as any modified configuration files.

2. Inform your VeriSign account representative that you are ready to move to the Production Managed PKI system.

3. Enroll for and obtain a Managed PKI administrator ID.

CAUTION: Use exactly the same values for Company and Division/Dept. as were used during enrollment for the Pilot Managed PKI system. By entering the same values for Company and Division/Dept. name, you will avoid extensive reconfiguration and retesting.

Moving to Production

When you are ready, move to the Production Managed PKI system by completing the following steps:

Step 1: Run the Policy Wizard to configure your Managed PKI account for production

From the Production Control Center (https://onsite.verisign.com/OnSiteHome.htm), run the Policy Wizard by clicking the Policy link in the Configuration page. The options you select for your production service should exactly match the options selected for your pilot service. For more information about running the Policy Wizard, see Chapter 3, “Configuring Managed PKI.”

Step 2: Customize your Digital ID Center pages for production

In this step, you will re-run the install command described in Chapter 5, “Configuring Local Hosting” on your Local Hosting Web server. The install program will apply the policy file production settings to the files you have already installed and customized.

1. Put the Local Hosting CD in the CD drive. At the command line, go to \\sitekit\engine

For example, for Windows, enter the following command at the command line:

\Win\sitekit\engine

2. From the Windows or UNIX command line, run the install program using the following syntax:

install-<platform> <source dir> <dest dir> <policyfile>

install-<platform>. The command’s structure depends on the operating system you use.
– install-nt is for Windows.
– install-sun is for Solaris.
– install-linux is for Linux.

source dir. This is the source directory for the files that are to be customized. Because the files were already customized once and you want to preserve those configurations, the source directory is the one you installed to during the procedures in Chapter 5 (for example, \VeriSign\MPKI\webroot). Make the source and destination the same.

dest dir. The destination directory is the path of the directory on your Web server where subscribers will access the pages. This is the same as the source directory (for example \VeriSign\MPKI\webroot).

policyfile. The path and filename of your policy file (typically .policy).

Step 3: Move any Go Secure! options to a production service

If you have implemented any Go Secure! options, see the documentation provided with that option for instructions for moving to a production system. Once you have completed those procedures, continue with Step 4, “Move your signing option to a production service” on page 177.

Step 4: Move your signing option to a production service

This step explains how to move your signing option to a production service with VeriSign Registration Authority.

1. Stop the VeriSign Registration Authority server. For procedures on stopping the VeriSign Registration Authority server, see “Starting and Stopping the Registration Authority Server” on page 149.

2. Set up the signing option. For the hardware or software signing option: You do not need to erase your pilot private key before creating your production private key. The Luna token is capable of storing both your pilot private key and your production private key.

3. a. On the VeriSign Registration Authority server host, switch to the /signers subdirectory. On the VeriSign Registration Authority server host, change to the /Auto Admin/cfg subdirectory.

b. Rename cert.509 to cert.509.pilot.

Update vsautoauth.conf in the /signers directory on the VeriSign Registration Authority server host to replace the following root certificates:
– replace aaroot.509.pilot with aaroot.509.production
– replace cacert.509.pilot with cacert.509.production
– replace AutoAdmin.509.pilot with AutoAdmin.509.production

4. Enroll for and install a production Managed PKI RA certificate. For further information, see Chapter 8, “Signing Option.”

5. Re-start the service. See “Starting and Stopping the Registration Authority Server” on page 149.

Step 5: Begin rollout of your production system

Provide your users with the enrollment URL (the Digital ID Center), and instruct them to enroll for their certificates. Any certificates issued on the pilot system will not work in the production Digital ID Center pages. Use the enrollment URL you entered in the Local Hosting Base URL page of the Policy Wizard. The enrollment URL points to the htmldocs directory containing the Digital ID Center pages. See Managed PKI v7.2 Getting Started for additional information about rolling out Digital IDs to your end users.

Chapter 13
Enabling End-User Machines with Windows

Managed PKI uses ActiveX controls to streamline and automate functions in the certificate lifecycle. Some Windows operating systems may prevent Managed PKI end users from installing ActiveX, thereby preventing them from enrolling for certificates or viewing other Web pages.

When an end user uses Microsoft Internet Explorer to view a Web site that contains an ActiveX control in Windows, Internet Explorer determines whether the end user has the appropriate permission to install and run the control before downloading it. Internet Explorer does this by attempting to write to the HKEY_LOCAL_MACHINE registry hive. If the attempt to write to the registry is unsuccessful, Internet Explorer does not download the control.

Members of the Users default group who have had a fresh installation of Windows (not an upgrade over Microsoft Windows NT 4.0 or Microsoft Windows 98) may not be able to download ActiveX controls and may experience errors with Managed PKI and Go Secure! for Web Applications. For example, these end users, when attempting to renew their Managed PKI certificates, might receive the following error message:

Either your system administrator needs to install the OnSite MSI script on your machine or the following fields on previous page are not filled correctly. Please correct the errors and resubmit.

To avoid ActiveX problems for users on Windows, VeriSign provides an MSI package that delivers all required ActiveX controls for Managed PKI and can be installed on the end-users’ machines. The MSI package is called OnSiteMSI, and it is available in the ../sitekit/engine/ directory of the Managed PKI Local Hosting CD, or as a download from the Managed PKI Control Center’s Download page.

Note: A similar set of packages is available for the latest version of Go Secure! for Web Applications. See the documentation for that product for information on those packages.

Deploy the MSI Packages

There are four methods for deploying the MSI packages:

– Publish software to a user. When you publish software to a user, you make it available to the user for installation through the Add/Remove Programs utility in the Control Panel the next time the user logs in. The user launches the Add/Remove Program utility, clicks Add New Programs, and chooses to add the published software. This completely installs the software on the user's machine. The user does not need to be a power user or have any special privileges to install published software.

– Assign software to a user. When you assign software to a user, it is partially installed the next time the user logs in. The installation is completed the first time the user tries to use the software. This feature provides an install-on-demand mode of installation. The user does not need to be a power user or have any special privileges to completely install assigned software.

– Assign software to a machine. When you assign software to a machine, it is completely installed on the machine when the machine is rebooted. Once installed, the software is available to all users on that machine.

– Launch the MSI package. By double-clicking the MSI package, a user can install the software contained within the MSI package. However, the user needs to be an administrator on the machine where the installation is being launched in this mode. This mode does not require active directory or group policy support.

The first three methods of deployment, described in this section, require a Windows domain with an Active Directory. The administrator of this domain can specify how the software should be deployed (published to the user or assigned to user/machine) by specifying a group policy. The end-user machine where the software is installed must be one of the following:

– Windows XP
– Windows 2000

Publish the OnSiteMSI package to a user

The following steps outline the process for publishing the OnSiteMSI package to a user:

1. In the Active Directory, right-click the OU corresponding to the users to whom the software is to be published.

2. Select Properties.

3. In the Group Policy tab, select the Group Policy that applies to the OU if one exists, or create a new one if it does not.

4. Click Edit. This brings up another window that specifies the group policies.

5. Select User Configuration and expand the tree corresponding to this selection.

6. In the expanded tree, right-click Software Installation, then select New Package.

7. Select the MSI file that contains the software that should be published. A dialog box appears asking if the package should be published or assigned. Select Published.

Assign the OnSiteMSI package to a machine

The following steps outline the process for assigning the OnSiteMSI package to a machine:

1. In the Active Directory, right-click the OU corresponding to the machine to which the software is to be published.

2. Select Properties.

3. In the Group Policy tab, select the Group Policy that applies to the OU if one exists, or create a new one if it does not.

4. Click Edit. This brings up another window that specifies the group policies.

5. Select Computer Configuration and expand the tree corresponding to this selection.

6. In the expanded tree, right-click Software Installation, then select New Package.

7. Select the MSI file that contains the software to be published. A dialog box appears asking if the package should be published or assigned. Select Assigned.

Assign the OnSiteMSI to a user

The following steps outline the process for assigning the MSI packages:

1. In the Active Directory, right-click the OU corresponding to the users to whom the software is to be assigned.

2. Select Properties.

3. In the Group Policy tab, select the Group Policy that applies to the OU if one exists, or create a new one if it does not.

4. Click Edit. This brings up another window that specifies the group policies.

5. Select User Configuration and expand the tree corresponding to this selection.

6. In the expanded tree, right-click Software Installation, then select New Package.

7. Select the MSI file that contains the software to be assigned. A dialog box appears asking if the package should be published or assigned. Select Assigned.

ActiveX Settings for Vista

If you are running the Microsoft Windows Vista operating system on an end-user machine, VeriSign recommends enabling the following ActiveX settings.

1. Open Internet Explorer.

2. Click Alt to open the menu bar.

3. Click Tools, and then click Internet Options....

4. Click the Security tab.

5. On the Security tab, click Trusted sites and then Sites... (Figure 13-1).

Figure 13-1 Security Tab

6. Type the URL of your enrollment Web site in the Trusted sites dialog box (as illustrated in Figure 13-2), and then click Add. The URL is added to the Web sites display area.

Figure 13-2 Trusted sites dialog box

Note: Uncheck the “Require Server Verification” box for all non-HTTPS sites.

7. After you have added all the URLs to the zone that you want to, click OK.

8. The Security tab reappears. Click Custom Level.... The Security Settings dialog box appears (Figure 13-3).

Figure 13-3 Security Settings dialog box

9. Scroll through the list and click on the following radio buttons:

a. Download signed ActiveX controls = Enable

b. Run ActiveX controls and plug-ins = Enable

c. Script ActiveX controls marked safe for scripting = Enable

Appendix A
pestub.dll.local

The pestub.dll file comes in two versions, local and proxy. Local Hosting uses pestub.dll to process the entries from user enrollment. The proxy version (pestub.dll.proxy) is used to pass the enrollment data to another server for processing. The local version (pestub.dll.local) does the processing itself on the server on which it is located. You must use pestub.dll.proxy on the Local Hosting Web server. The local version of the pestub.dll is typically used for testing only.

Comparing enrollment information with a text file on the same server, the pestub.dll.local verifies the user input from the enrollment page. This verification process is similar to the verification done by the VeriSign Registration Authority vsrasrv process using a flat text file as a data source (vsaafile.dll). Since the use of a text file as a data source is neither robust nor secure, VeriSign recommends that the local version not be used in production, except for specific exceptions described below.

To use the local version of pestub.dll, follow the steps below. In a default installation of Local Hosting, pestub.dll.local is located in C:\VeriSign\MPKI\webroot\cgi-bin.

Step 1: Configure pestub.cfg

There are two parameters in the pestub.cfg file that are specific to the local pestub.dll file: LUNA and DBFILE. For a standard installation, the LUNA and DBFILE parameters can retain the default values. The DBFILE parameter points to the validation text file, typically the validuser.txt file in the same directory as pestub.dll. The LUNA parameter is only used for the Local Hosting version of pestub.dll. It points to the configuration file to be used for signing, typically vsautoauth.conf in the ..\signers directory. Since the local version does not communicate with another machine, signing must occur on the same machine as pestub.dll. With Managed PKI, signing always occurs on the VeriSign Registration Authority server, so the location of the signing configuration file is specified in the Managed PKI configuration file.

Step 2: Set up the Signing Option

If you are using the local pestub.dll on a Local Hosting Web server, you'll need to set up the signing option on the Local Hosting Web server. See Chapter 8, “Signing Option,” for instructions. In a typical installation, the signing files are located in C:\VeriSign\MPKI\webroot\signers.

Step 3: Modify the validuser.txt file

The local version of pestub.dll uses the validuser.txt file to decide whether users should get a certificate or not. It compares values in the file with values from the enrollment data. Enrollment data is composed of a list of name-value pairs in the format [name]=[value]. The validuser.txt file is configured to work with line pairs. The first line is used to match the name-value pairs from the enrollment data, the second line is a list of name-value pairs to augment to the enrollment data. For example, the first two lines of the sample validuser.txt file are:

[email protected]
authenticate=YES

Note: In the authenticate name-value pair, the value that follows authenticate= must be all capital letters.

In this case, if the enrollment data contains an email address of [email protected], then pestub.dll will add the name-value pair authenticate=YES to the enrollment data, and the user will automatically get a certificate. For a more detailed description about the validuser.txt file and flat file authentication, see Managed PKI Technical Reference.

Step 4: Configure your server to use the local version

For Windows:

1. Delete pestub.dll.

2. Copy pestub.dll.local to pestub.dll.

For Solaris or Linux:

1. Delete pestub.so.

2. Copy pestub.so.local to pestub.so.

Step 5: Test enrollment

To ensure that the Local Hosting pages are operating properly, submit an enrollment with sample data. Using the sample validuser.txt file, complete an enrollment with the email addresses [email protected] and [email protected]. If you expect to use the pending case in your production setup, test an enrollment using [email protected]. If everything behaves as expected, you can switch to the proxy version of pestub.dll and continue your installation.

Exceptions for using pestub.dll.local in Production

In some cases, it makes sense to use the local version of pestub.dll in production. If you are using VeriSign Registration Authority with an authentication method other than the verification data source (for example, Windows authentication with Go Secure! for Microsoft Exchange), you can set up VeriSign Registration Authority to use the local version of pestub.dll with a validuser.txt file to approve all requests. An example of a validuser.txt file that approves all requests appears below (the authenticate= value must be all uppercase letters):

operation=AutoAuthOSUserSubmit
authenticate=YES

Similarly, if you want the Local Hosting Web server to set all requests to pending, your validuser.txt file might look like this:

operation=AutoAuthOSUserSubmit
authenticate=PENDING

These examples work because every VeriSign Registration Authority enrollment has a name-value pair of operation=AutoAuthOSUserSubmit, so every enrollment will get augmented with the name-value pair in the second line.
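To show how the line-pair matching described in Step 3, and the approve-all and pending-all files just above, behave on concrete enrollment data, here is an added Python example. It is not VeriSign's pestub.dll logic (the guide does not publish that code) but a model of the rule it describes. It assumes that several name=value pairs on one line are whitespace-separated, that the first matching pair wins, and it uses an assumed enrollment field name email with constructed example.com addresses; it also rejects the lower-case authenticate value that the Note says is invalid.

```python
# Constructed validuser.txt in the line-pair layout: an odd line lists the
# name=value pairs that must all appear in the enrollment data, the even
# line after it lists the pairs to add when they do. The field name "email"
# and the example.com addresses are assumptions for this sample.
SAMPLE_VALIDUSER = """\
email=alice@example.com
authenticate=YES
email=pending@example.com
authenticate=PENDING
"""

# The approve-all file from the text: every VeriSign Registration Authority
# enrollment carries operation=AutoAuthOSUserSubmit, so this pair matches all.
APPROVE_ALL = """\
operation=AutoAuthOSUserSubmit
authenticate=YES
"""

def parse_pairs(line):
    """Parse one line of whitespace-separated name=value pairs (separator assumed)."""
    pairs = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError("not a name=value pair: %r" % token)
        name, value = token.split("=", 1)
        pairs[name] = value
    return pairs

def load_validuser(text):
    """Return [(match_pairs, augment_pairs), ...] from validuser.txt contents,
    rejecting an odd number of lines and a non-uppercase authenticate value."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("validuser.txt must consist of line pairs")
    rules = []
    for match_line, augment_line in zip(lines[0::2], lines[1::2]):
        match, augment = parse_pairs(match_line), parse_pairs(augment_line)
        auth = augment.get("authenticate")
        if auth is not None and not auth.isupper():
            raise ValueError("authenticate value must be all capitals: %r" % auth)
        rules.append((match, augment))
    return rules

def validuser_error(text):
    """Return the loader's complaint about text, or None if it is well formed."""
    try:
        load_validuser(text)
    except ValueError as exc:
        return str(exc)
    return None

def apply_validuser(enrollment, rules):
    """Return a copy of the enrollment augmented by the first rule whose match
    pairs all occur in it (first-match-wins is an assumption). An enrollment
    that matches no rule comes back unchanged: no authenticate= pair is added,
    so no certificate is issued automatically."""
    for match, augment in rules:
        if all(enrollment.get(name) == value for name, value in match.items()):
            return dict(enrollment, **augment)
    return dict(enrollment)

if __name__ == "__main__":
    rules = load_validuser(SAMPLE_VALIDUSER)
    for email in ("alice@example.com", "pending@example.com", "nobody@example.com"):
        data = {"operation": "AutoAuthOSUserSubmit", "email": email}
        print(email, "->", apply_validuser(data, rules).get("authenticate", "(no decision)"))
    print("approve-all:", apply_validuser({"operation": "AutoAuthOSUserSubmit"},
                                          load_validuser(APPROVE_ALL)))
```

The approve-all file is the reason the text restricts the local version to deployments where another mechanism (for example, Windows authentication) has already authenticated the request: once the match line is a pair that every enrollment carries, the flat file no longer distinguishes between users.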

Appendix B
Install Program Options

Typically, you only need the platform, source directory, and destination directory when installing customized files. However, you can run customizer.exe to configure the install program with additional options. To do so, open the sitekit\engine directory on the Managed PKI Local Hosting CD. Then, enter the customizer.exe command using the following syntax:

customizer.exe [-c ] [-v ] [-s ] [-d ] [-l ] [-f ] [-p ] [-q 1] [-u ]

Note This command must be typed as one line. Do not enter any returns or breaks.

For information on command options for customizer.exe, see Table B-1.

Table B-1 Customizer.exe command options

Flag | Description | Parameter | Default Value
 | | win, sun, or linux, depending upon whether you are using a Windows, Solaris, or Linux operating system |
-c | Specifies the file containing the list of files to be customized | | ../templates/sitekit.lst
-v | Run for the VeriSign or remote hosting case. | host to which all POST operations should go | none
-s | The source directory of the files to be customized | directory path relative to the current directory | ../templates
-d | The destination directory for the files being customized | directory path relative to the current directory | none
-l | File used for logging this operation | log file path relative to the current directory | log/PolicyEngine.log
-f | Directory for fragment files | directory for the fragment files | ../fragments
-p | Location of the policy file | policy file to use | none
-q | Quiet execution mode | 1: No output is made to stdout. If this flag is not used, output goes to stdout | none
-u | Mode for updating newer versions of fragments and templates | quiet: Update the fragment without prompting the user and log the updates. check: Check for updated templates and fragments, log the updates, but do not perform any changes. (No files are customized in this case) | quiet


Appendix C Configuring Load Balancing and Failover

This appendix discusses the recommended architecture for load balancing and failover of the Local Hosting Web server host and the VeriSign Registration Authority host.

Typical Load Balancing/Failover Configuration for Local Hosting and VeriSign Registration Authority

In general, to provide failover for Local Hosting Web servers and VeriSign Registration Authority servers, you must install a load balancer ahead of the Local Hosting Web servers. You cannot use a load balancer between the Local Hosting Web servers and the VeriSign Registration Authority server hosts to fail over from one VeriSign Registration Authority server to another. Each VeriSign Registration Authority server uses a unique Registration Authority key pair on a Luna token and cannot decrypt messages encrypted with the public key of a Registration Authority from the token of another VeriSign Registration Authority server.

Figure C-1 illustrates a typical configuration for load balancing and failover of the Local Hosting Web server and VeriSign Registration Authority server hosts. For clarity, the configuration shown uses only two Local Hosting Web server hosts and two VeriSign Registration Authority server hosts. You can add as many hosts as your application requires.


Figure C-1 Typical load balancing/failover configuration for Local Hosting and VeriSign Registration Authority


Appendix D Configuration Files

This appendix discusses the VeriSign Registration Authority configuration file (vsrasrv.cfg) and the VeriSign Automated Authorization configuration file (vsautoauth.conf). The VeriSign Registration Authority configuration file is located in the bin directory of the VeriSign Registration Authority server (where you installed the VeriSign Registration Authority server from the VeriSign Registration Authority CD). Use the information in this appendix and the comments in the configuration file during your VeriSign Registration Authority configuration, and when configuring an LDAP directory for the verification, registration, and key recovery data sources.

Note See the vsrasrv.cfg and vsautoauth.conf files on the Managed PKI Registration Authority CD for the latest version of these configuration files.

This appendix includes the following topics:

“Encrypting Configuration Files” on page 194
“Conventions for the VeriSign Registration Authority Configuration File” on page 197
“Configuring the Windows Service Settings” on page 198
“Configuring Sockets” on page 198
“Configuring Channels” on page 198
“Configuring Key Recovery” on page 199
“Configuring the VeriSign Registration Authority” on page 200
“Configuring the Signer” on page 201
“Configuring Key Generation” on page 202
“Configuring Monitoring” on page 204
“Configuring the Log File” on page 205
“Configuring Data Source Character Encoding” on page 206
“Configuring Service Types” on page 207
“Configuring Flat File Verification” on page 209
“Configuring an ODBC Database” on page 209
“Configuring an LDAP Data Source” on page 213

Encrypting Configuration Files

The vsrasrv.cfg file contains sensitive information about your ODBC and LDAP data sources and your keygen PIN. Similarly, the vsautoauth.conf file contains sensitive information about your passwords and certificates. After you have configured these files, you can use the encrypt_config utility to prevent unauthorized individuals from reading them. The encrypt_config utility uses triple-DES encryption to mask information in the vsrasrv.cfg and vsautoauth.conf files. For example, after running encrypt_config, the following lines in vsrasrv.cfg:

RECOVER_LDAP_BIND_PWD “password”
VER_LDAP_HOST_NAME verification.acme.com

would look similar to this:

RECOVER_LDAP_BIND_PWD 5dg0rlwhNCpDjVmZomhaaA==
VER_LDAP_HOST_NAME t8XpMuhzeDnK4=wuFj9qocN1n

Once encrypted, the data in the vsrasrv.cfg and vsautoauth.conf files can only be decrypted by the VeriSign Registration Authority software. VeriSign recommends that, prior to encrypting your configuration files, you make a copy of them and store them in a secure location. This will make configuration changes easier, as you can work from the back-up copy instead of the masked data.

Encrypting the Contents of vsrasrv.cfg

1 Stop the VeriSign Registration Authority Server according to the procedures in “Starting and Stopping the Registration Authority Server” on page 149.

2 (Optional) Create a text file called vsaaseed.txt in the working directory of the process using the signing library (typically, this is the directory containing the signing library). This file needs to be readable by the VeriSign Registration Authority Server user. Place at least 30 characters of random data in this file. By providing data here, you will be using your own key to encrypt your configuration file, rather than the default key provided by VeriSign.

3 Back up your unencrypted vsrasrv.cfg file.

4 Determine which line(s) of your configuration file you wish to encrypt. At a minimum, VeriSign recommends you encrypt all password lines. You may also wish to hide other sensitive configuration information such as port numbers, host names, bind DNs, etc. For each line you wish to encrypt, insert this exact comment line above it:

# ENCRYPT VALUE ON THE FOLLOWING LINE

After it is encrypted, the comment will change to:

# DECRYPT VALUE ON THE FOLLOWING LINE

5 From a command line prompt in the bin directory, run the encrypt_config utility using the following syntax:

Windows: encrypt_config.exe -i inputfilename [-o outputfilename]

Solaris and Linux: encrypt_config -i inputfilename [-o outputfilename]

– -i inputfilename is your unencrypted vsrasrv.cfg file
– -o outputfilename is the name of your newly encrypted vsrasrv.cfg file. If an output filename is not specified, the input file will be overwritten automatically with the encrypted file. If you use a different file name, either point the VeriSign Registration Authority server to the new configuration file, or replace the vsrasrv.cfg file with your encrypted version when you are finished.

6 Start the VeriSign Registration Authority according to the procedures in “Starting and Stopping the Registration Authority Server” on page 149.

7 Test your configuration by enrolling for a certificate and recovering it.

8 Once you are confident your setup is working properly, remove any unencrypted versions of your configuration files from the bin directory and any temporary files you created.

Note If you decide later that you need to encrypt more values in the same file, insert the same comment above the additional values, and run the encrypt_config utility again. Running this utility the second time will not change the values encrypted previously.


Encrypting the Contents of vsautoauth.conf

1 Stop the VeriSign Registration Authority Server according to the procedures in “Starting and Stopping the Registration Authority Server” on page 149.

2 (Optional) If you do not have a seed file from the procedure described in “Encrypting the Contents of vsrasrv.cfg” on page 194, you can create a text file called vsaaseed.txt in \bin. This file needs to be readable by the VeriSign Registration Authority Server user. Place at least 30 characters of random data in this file. By providing data here, you will be using your own key to encrypt your configuration file, rather than the default key provided by VeriSign.

3 Back up your unencrypted vsautoauth.conf file.

4 Determine which lines of your configuration file you wish to encrypt. At a minimum, VeriSign recommends you encrypt all password lines. You may also wish to hide other sensitive configuration information such as certificates. For each line you wish to encrypt, insert this exact comment line above it:

# ENCRYPT VALUE ON THE FOLLOWING LINE

After it is encrypted, the comment will change to:

# DECRYPT VALUE ON THE FOLLOWING LINE

5 From a command line prompt in the bin directory, run the encrypt_config utility using the following syntax:

Windows: encrypt_config.exe -i inputfilename [-o outputfilename]

Solaris and Linux: encrypt_config -i inputfilename [-o outputfilename]

– -i inputfilename is your unencrypted vsautoauth.conf file
– -o outputfilename is the name of your newly encrypted vsautoauth.conf file. If an output filename is not specified, the input file will be overwritten automatically with the encrypted file. If you use a different file name, either point the VeriSign Registration Authority server to the new configuration file, or replace the vsautoauth.conf file with your encrypted version when you are finished.

6 Start the VeriSign Registration Authority according to the procedures in “Starting and Stopping the Registration Authority Server” on page 149.

7 Test your configuration by enrolling for a certificate and recovering it.

8 Once you are confident your setup is working properly, remove any unencrypted versions of your configuration files from the bin directory and any temporary files you created.

Note If you decide later that you need to encrypt more values in the same file, insert the same comment above the additional values, and run the encrypt_config utility again. Running this utility the second time will not change the values encrypted previously.
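The marker workflow shared by the two procedures above (vsrasrv.cfg and vsautoauth.conf) is easy to get wrong when scripting around it, so here is an added model of it. This is example code written for this guide, not the encrypt_config utility that ships with the VeriSign Registration Authority. It reproduces what the procedures state: an ENCRYPT marker selects the next setting line, that line's value is replaced by base64 text and the marker becomes a DECRYPT marker, a second run leaves already-encrypted values unchanged, and an optional vsaaseed.txt of at least 30 characters supplies site-specific key material instead of a vendor default. The cipher is a stand-in HMAC-SHA256 keystream, not the utility's triple-DES, so its output is not interchangeable with real encrypt_config files; treating only the first space-separated token after the setting name as the value, and the placeholder default seed, are assumptions of this model.

```python
"""Model of the encrypt_config marker workflow (added example, not VeriSign's utility).

Stand-in cipher: HMAC-SHA256 keystream, NOT the triple-DES used by encrypt_config.
Assumption: a setting line is 'NAME value' with one value token.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ENCRYPT_MARKER = "# ENCRYPT VALUE ON THE FOLLOWING LINE"
DECRYPT_MARKER = "# DECRYPT VALUE ON THE FOLLOWING LINE"
MIN_SEED_CHARS = 30          # the procedures require at least 30 characters in vsaaseed.txt
NONCE_LEN = 8
# Placeholder standing in for the vendor default key; not VeriSign's actual value.
DEFAULT_SEED = b"PLACEHOLDER-DEFAULT-SEED-NOT-THE-VENDOR-KEY"


def seed_is_acceptable(seed: bytes) -> bool:
    return len(seed) >= MIN_SEED_CHARS


def derive_key(seed: Optional[bytes]) -> bytes:
    """Site key from vsaaseed.txt contents, or the default key when no seed file exists."""
    if seed is None:
        return hashlib.sha256(DEFAULT_SEED).digest()
    if not seed_is_acceptable(seed):
        raise ValueError("vsaaseed.txt must hold at least 30 characters of random data")
    return hashlib.sha256(seed).digest()


def load_seed(path: str = "vsaaseed.txt") -> Optional[bytes]:
    """Read the optional seed file from the working directory (None selects the default key)."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return fh.read().strip()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_value(key: bytes, plaintext: str) -> str:
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return base64.b64encode(nonce + ct).decode("ascii")


def decrypt_value(key: bytes, token: str) -> str:
    raw = base64.b64decode(token)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")


def split_setting(line: str):
    """'NAME value' -> (NAME, value); a double-quoted hard-coded value loses its quotes,
    as in the page's RECOVER_LDAP_BIND_PWD example (curly quotes accepted as well)."""
    name, _, value = line.strip().partition(" ")
    value = value.strip()
    if len(value) >= 2 and value[0] in '"\u201c' and value[-1] in '"\u201d':
        value = value[1:-1]
    return name, value


def encrypt_config(lines: List[str], key: bytes) -> List[str]:
    """Rewrite ENCRYPT-marked lines; DECRYPT-marked lines pass through, so a rerun is safe."""
    out: List[str] = []
    i = 0
    while i < len(lines):
        if lines[i].strip() == ENCRYPT_MARKER and i + 1 < len(lines):
            name, value = split_setting(lines[i + 1])
            out.append(DECRYPT_MARKER)
            out.append(f"{name} {encrypt_value(key, value)}")
            i += 2
        else:
            out.append(lines[i])
            i += 1
    return out


def protected_values(lines: List[str], key: bytes) -> Dict[str, str]:
    """What the server would recover: plaintext for every DECRYPT-marked setting."""
    found: Dict[str, str] = {}
    for i, line in enumerate(lines[:-1]):
        if line.strip() == DECRYPT_MARKER:
            name, token = split_setting(lines[i + 1])
            found[name] = decrypt_value(key, token)
    return found


# Constructed fragment in vsrasrv.cfg style, using the page's own example lines.
SAMPLE_CFG = [
    ENCRYPT_MARKER,
    'RECOVER_LDAP_BIND_PWD "password"',
    "VER_LDAP_HOST_NAME verification.acme.com",
]
```

Running `encrypt_config(SAMPLE_CFG, derive_key(load_seed()))` twice yields the same three lines both times, which is the property the Note above relies on when you add markers later; the unmarked VER_LDAP_HOST_NAME line stays readable until you decide to mark it too.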

Conventions for the VeriSign Registration Authority Configuration File

Observe the following conventions when editing the VeriSign Registration Authority configuration file.

Use the # character at the beginning of a line to comment the line.

Use the space character as a delimiter between a name and its values, and between multiple values.

If a value includes a space character, enclose the value with the "[" and "]" characters. For example, to represent Susan Smith, use:

[Susan Smith]

If a value includes a "[" character, denote it with "[[". Likewise, if a value includes a "]" character, denote it with "]]". For example, to represent Section [1], use:

[Section "[["1"]]"]

For a setting that can be assigned either a hard-coded value or a value obtained from user input, use double quotes to denote a hard-coded value. For example, use one of the following:

VER_LDAP_BIND_PWD "password"
VER_LDAP_BIND_PWD userPassword

For a setting that can only be assigned a hard-coded value, do not use double quotes to denote the value. For example:

VER_LDAP_HOST_NAME authenticate.acme.com
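The conventions above define a small tokenizer, and the bracket escapes are the part people trip over. The following is an added example written for this guide, not code from the VeriSign Registration Authority software. It applies the documented rules: a line starting with # is a comment, spaces separate the name from its values and values from each other, [...] groups a value that contains spaces with [[ and ]] standing for literal brackets, and double quotes mark a hard-coded value on a setting that also accepts a user-input field name. Two assumptions go beyond the page: a bracketed value is not itself treated as quoted, and the setting name MY_SECTION in the sample is invented.

```python
"""Tokenizer for vsrasrv.cfg line conventions (added example, not VeriSign code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


class ConfigSyntaxError(ValueError):
    """Raised for an unterminated '[' or '"' value."""


@dataclass(frozen=True)
class Value:
    text: str     # the value with bracket grouping and '[[' / ']]' escapes resolved
    quoted: bool  # True when written in double quotes (a hard-coded value)


def _read_bracketed(s: str, i: int, line: str) -> Tuple[str, int]:
    """Read from s[i] (just after '[') up to the closing ']'; '[[' and ']]' decode to one bracket."""
    buf: List[str] = []
    n = len(s)
    while i < n:
        c = s[i]
        if c == "[" and s[i + 1:i + 2] == "[":
            buf.append("[")
            i += 2
        elif c == "]" and s[i + 1:i + 2] == "]":
            buf.append("]")
            i += 2
        elif c == "]":
            return "".join(buf), i + 1
        else:
            buf.append(c)
            i += 1
    raise ConfigSyntaxError(f"unterminated '[' value: {line!r}")


def parse_line(line: str) -> Optional[Tuple[str, List[Value]]]:
    """Return (NAME, values) for a setting line, or None for a blank or '#' comment line."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    tokens: List[Value] = []
    i, n = 0, len(s)
    while i < n:
        c = s[i]
        if c == " ":
            i += 1                               # the space is the delimiter
        elif c == "[":
            text, i = _read_bracketed(s, i + 1, line)
            tokens.append(Value(text, quoted=False))
        elif c == '"':
            end = s.find('"', i + 1)
            if end < 0:
                raise ConfigSyntaxError(f"unterminated quoted value: {line!r}")
            tokens.append(Value(s[i + 1:end], quoted=True))
            i = end + 1
        else:
            end = i
            while end < n and s[end] != " ":
                end += 1
            tokens.append(Value(s[i:end], quoted=False))   # bare word: user-input reference
            i = end
    return tokens[0].text, tokens[1:]


def parse_config(text: str) -> List[Tuple[str, List[Value]]]:
    """Parse a whole file into (NAME, values) pairs in file order, skipping comments."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p is not None]


def is_well_formed(line: str) -> bool:
    try:
        parse_line(line)
        return True
    except ConfigSyntaxError:
        return False


# Constructed fragment built from the page's own examples (MY_SECTION is an invented name).
SAMPLE_CFG = """
# comment line
NT_SERVICE_NAME [VeriSign RA Server]
MY_SECTION [Section [[1]]]
VER_LDAP_BIND_PWD "password"
VER_LDAP_HOST_NAME authenticate.acme.com
"""
```

With this split, VER_LDAP_BIND_PWD "password" parses to a quoted Value and VER_LDAP_BIND_PWD userPassword to an unquoted one, which is exactly the distinction between a hard-coded password and a reference to the user-supplied field that the rule above describes.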


Configuring the Windows Service Settings

Configure the name of your VeriSign Registration Authority process (or processes) on Windows platforms by configuring the NT_SERVICE_NAME and NT_SERVICE_DISPLAY_NAME settings. This is critical if you have installed multiple VeriSign Registration Authority servers on one server machine. Although you can use the same service and display name for one VeriSign Registration Authority instance, different VeriSign Registration Authority server instances must have service and display names unique to that instance.

Note Do not configure this section if you are not running VeriSign Registration Authority on a Windows platform.

To set the internal name of the service, enter a unique name for the NT_SERVICE_NAME setting. If you use special characters such as spaces or punctuation, enclose the name in square brackets. For example:

NT_SERVICE_NAME [VeriSign RA Server]

To set the name that appears in your Windows Services panel, enter a unique name for the NT_SERVICE_DISPLAY_NAME setting. If you use special characters such as spaces or punctuation, enclose the name in square brackets. For example:

NT_SERVICE_DISPLAY_NAME [RA]

Configuring Sockets

To configure the socket port, specify a port number for the PORT setting. PORT identifies the TCP/IP port to which the VeriSign Registration Authority server binds. For example:

PORT 2003

Configuring Channels

You can configure a channel either with secure SSL communications (network communication is encrypted) or without secure SSL communications (network communication is not encrypted). To configure a channel, you specify settings for SSL_FLAG, KEY, and KEY_PASSWORD.

To configure a channel with secure communications, specify ON for the SSL_FLAG setting:

SSL_FLAG ON

To configure a secure channel, specify the private key file you want to use for secure channel SSL communications. For example:

KEY ../ssl/test_cert.pem

Then, specify the password that enables access to the private key file. For example:

KEY_PASSWORD test

KEY_PASSWORD is one of the password lines that “Encrypting Configuration Files” on page 194 recommends you encrypt.

To configure a channel without secure communications, specify OFF for the SSL_FLAG setting. If you specify OFF, the KEY and KEY_PASSWORD settings are ignored.

SSL_FLAG OFF

Configuring Key Recovery

Key recovery is turned on in the configuration file with the line:

KEY_MGR_SERVICE ON

This is set automatically during the installation process. If KEY_MGR_SERVICE is not defined, the default value, OFF, is used.

You can configure the key recovery capabilities of the VeriSign Registration Authority by specifying the RECOVER_FLAG setting.

To configure the VeriSign Registration Authority server to perform both lifecycle subscriber operations and key recovery operations, specify YES for the RECOVER_FLAG setting:

RECOVER_FLAG YES

To configure the VeriSign Registration Authority server to perform lifecycle subscriber operations only, specify NO for the RECOVER_FLAG setting:

RECOVER_FLAG NO

To configure the VeriSign Registration Authority server to perform key recovery operations only, specify EXCLUSIVE for the RECOVER_FLAG setting. (In this case, the VeriSign Registration Authority server does not require a Hardware Key Generation module, Signing module, Verification module, or Registration module. Also, you only need to configure the key recovery data source in the ODBC or LDAP sections of the Managed PKI configuration file, depending on which data source you use for key recovery.)

RECOVER_FLAG EXCLUSIVE

For added security in the key recovery process, you can configure the certificate serial numbers of administrators who are authorized to perform a key recovery operation. For two or more administrators, use a comma to separate their serial numbers.

Note Remember to turn on client verification in the Web instance that operates this VeriSign Registration Authority instance.

For example:

RECOVER_CERT_SERIAL 02C1046C68CADD62736622E04418E15B,3D55244C6E13DD15917458EE34F99357

If you do not want to enforce client verification in the key recovery process, leave the setting blank.

Configuring the VeriSign Registration Authority

The CLIENT_CERT_ROOT_PATH setting specifies the directory location where the certificate and key database files are located. The CLIENT_CERT_ROOT_FILE setting specifies the client’s root certificate file name. For public accounts, VeriSign provides the client’s root certificate file for pilot and production accounts.

Note CLIENT_CERT_ROOT_PATH defaults to the VeriSign Registration Authority bin directory. The root file is located in the signer’s directory. Do not change these locations.

For example:

CLIENT_CERT_ROOT_PATH
CLIENT_CERT_ROOT_FILE ../signers/root.509

The PKCS12 file can be configured by specifying settings for PKCS12_PASSWORD_LENGTH, PKCS12_FILE_PATH, and PKCS12_LIFETIME. The password for each PKCS12 file is randomly generated.

To configure the password length for the PKCS12 file, specify a setting for PKCS12_PASSWORD_LENGTH. The maximum length is 50 characters. For example:

PKCS12_PASSWORD_LENGTH 16

To configure the directory location where PKCS12 files are written, specify a setting for PKCS12_FILE_PATH:

PKCS12_FILE_PATH ../p12

To configure the number of days before the VeriSign Registration Authority process deletes PKCS12 files, specify a setting for PKCS12_LIFETIME. For security reasons, the VeriSign Registration Authority process is initially set to delete PKCS12 files daily.

PKCS12_LIFETIME 7

Configuring the Signer

Data for VeriSign Registration Authority is signed before it is sent back to the Local Hosting Web server. You must configure the signer by specifying the settings for SIGNING_DLL and LUNA. You must also configure whether the signing device is initialized once when the server is started or for each signing transaction, by setting SIGNER_GLOBAL_INIT.

For Windows, specify swaasign.dll for software signing and hwaasign.dll for hardware signing. For Solaris and Linux, specify libswaasign.so for software signing and libhwaasign.so for hardware signing. For example:

SIGNING_DLL swaasign.dll

The LUNA setting specifies the signer configuration file. This setting only applies to hardware signing. It will be ignored if software signing is specified. For example:

LUNA ../signers/vsautoauth.conf

The SIGNER_GLOBAL_INIT setting specifies when the signing device is initialized:

To configure the signing device to initialize once when the machine starts, set this value to YES. This is the default.

To configure the signing device to initialize each time it signs a transaction, set this value to NO. Use this setting if you are sharing Luna tokens between multiple instances of the VeriSign Registration Authority server.

The FIELD_HIDE_ATTR setting specifies enrollment fields whose values will not be sent to VeriSign. These values are captured but are not sent to the signer. For instance, you might not want to send a password or PIN that you obtain in one of the additional fields you configured on the enrollment page. You can specify HTML tags from enrollment user name-value pairs and from verification function-augmented user name/value pairs. The values are removed after the verification process, so company or employee verification values are not sent to the back end. Separate tags by commas; do not put a space between tags. For example:

FIELD_HIDE_ATTR employeeID,password

You can test that the setting was applied correctly in one of two ways:

Set the field as optional in the Policy Wizard, but hide the field in the vsrasrv.cfg file. The information the end user entered in this field during enrollment will not appear in the Control Center.

Note Do not set the field as required in the Policy Wizard, as the back end will then expect the field information to be sent.

Review the vsrasrv.log file. The field you specify with the FIELD_HIDE_ATTR setting will not appear in the log file.

Configuring Key Generation

To configure key generation, you specify settings for the keywords described in Table D-1.

Table D-1 vsrasrv.cfg keywords for the hardware signing option

Keyword | Description
HARDWARE_KEYGEN_FLAG | Specifies if hardware key generation will be used (on or off). If set to off, software signing is used and the rest of the hardware key generation parameters are ignored.
HARDWARE_KEYGEN_DLL | Specifies the hardware key generation DLL: keygen.dll for Windows, keygen.so for Solaris
HARDWARE_KEYGEN_SLOT_ID | Specifies the slot number for the Luna token generating the hardware key.
HARDWARE_KEYGEN_PIN | The PIN for access to the hardware keygen token

To configure hardware key generation, specify ON for the HARDWARE_KEYGEN_FLAG setting:

HARDWARE_KEYGEN_FLAG ON

a Specify the hardware key generation DLL for the HARDWARE_KEYGEN_DLL setting, as follows: For Windows, specify keygen.dll. For Solaris or Linux, specify keygen.so. For example:

HARDWARE_KEYGEN_DLL keygen.dll

b Specify the hardware key generation slot number for the HARDWARE_KEYGEN_SLOT_ID setting. If you are using the hardware key generation library that comes with Managed PKI, it is the slot number for a Luna VeriSign Registration Authority token (the slot numbers start at 1). For example:

HARDWARE_KEYGEN_SLOT_ID 1

To configure software key generation, specify OFF for the HARDWARE_KEYGEN_FLAG setting. (If you specify OFF, the HARDWARE_KEYGEN_DLL and HARDWARE_KEYGEN_SLOT_ID settings are ignored.)

HARDWARE_KEYGEN_FLAG OFF

For both software and hardware key generation, specify a HARDWARE_KEYGEN_PIN:

HARDWARE_KEYGEN_PIN 123456

The KEYGEN_GLOBAL_INIT setting specifies when the key generation device is initialized:

To configure the key generation device to initialize once when the machine starts, set this value to yes.

To configure the key generation device to initialize each time it creates a key pair, set this value to no. This is the default. Use this setting if you are sharing Luna tokens between multiple instances of the VeriSign Registration Authority server.

Configuring vsrasrv.cfg (optional)

In the vsrasrv.cfg file, uncomment HARDWARE_KEYGEN_TOKEN_MODEL and set it to the appropriate value for your key generation hardware: LunaRA, LunaSA, LunaPCI, or LunaPCM. For optimal performance, it is strongly recommended you set this value. For details on the swkeygen utility, see Managed PKI Technical Reference.

Configuring Monitoring

The VeriSign Registration Authority includes a self-monitoring capability. The VeriSign Registration Authority monitor runs on an interval that you specify. Its purpose is to detect failures in the signing library, key generation module, verification data source connection, registration data source connection, and key recovery data source connection. When the VeriSign Registration Authority monitor detects a failure, it passes a hard-coded notification message to an alert batch file, which passes the message to a Perl script (mail.pl). The Perl script notifies the VeriSign Registration Authority administrator that a failure has been detected.

VeriSign provides an example Perl script and two example alert batch files. For Solaris and Linux systems, the batch file is alertMail; for Windows systems, it is alertMail.bat. The script and batch files are located at /bin. The alert batch file must take one (and only one) parameter: the VeriSign Registration Authority notification message text. Modify the Perl script to specify the SMTP server, the From email address, the To address, and the text for the Subject. If you prefer, you can provide your own alert batch file. In either case, you should test the batch file to ensure that it emails notifications to the correct email address. For example:

For Solaris and Linux systems, type the following on the command line:

alertMail "this is a test email"

For Windows systems, type the following in the Run window:

alertMail.bat "this is a test email"

After you have successfully tested the batch file, specify the name of the alert batch file for VeriSign Registration Authority monitoring to use. For example:

MONITOR_ALERT_COMMAND alertMail.bat

If you do not want to run VeriSign Registration Authority monitoring, leave this entry blank (but do not comment it out).

Also, specify the VeriSign Registration Authority monitor run interval (in minutes). For example:

MONITOR_RUN_PERIOD 10

If you do not want to run VeriSign Registration Authority monitoring, specify a 0 interval or just leave it blank (but do not comment it out).

Configuring the Log File

VeriSign Registration Authority includes a log capability. You can configure where these log files are generated, how long they are kept, and the level of detail and information captured in them.

Specify a name and location for the LOGFILE setting. The location is relative to /bin. For example:

LOGFILE ..log/vsrasrv.out

The VSAA_LOG_LEVEL setting specifies the level of detail the log file will capture. Set the value to 0 to log no data:

VSAA_LOG_LEVEL 0

Set the value to 1 to log basic transaction data:

VSAA_LOG_LEVEL 1

Set the value to 2 to capture all transaction data:

VSAA_LOG_LEVEL 2

The LOG_LIFETIME setting specifies how long the log file will be kept (in days) before it is deleted. The current day is not counted. Set the value to 0 to retain all log files. For example:

LOG_LIFETIME 7

The LOG_HIDE_ATTR setting specifies enrollment fields whose values will not be sent to VeriSign. These values are captured but are displayed only as asterisks in log files. For instance, you might not want to send a password or PIN that you obtain in one of the additional fields you configured on the enrollment page. You can specify HTML tags from enrollment user name-value pairs and from verification function-augmented user name/value pairs. Separate tags by commas; do not put a space between tags. For example:

LOG_HIDE_ATTR employeeID,password
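FIELD_HIDE_ATTR (under “Configuring the Signer”) and LOG_HIDE_ATTR above look alike but do different things to an enrollment, so here is an added example that models both; it is written for this guide and is not code from the VeriSign Registration Authority. It follows what the two sections state: fields named in FIELD_HIDE_ATTR are removed after verification and never reach the signer or VeriSign, while fields named in LOG_HIDE_ATTR stay in the enrollment but are written to the log as asterisks. It also refuses a tag list with spaces after the commas, because the page requires none and a tag such as " password" would never match. The enrollment dictionary and the name=value log layout are constructed for the example; the page does not specify the log format.

```python
"""FIELD_HIDE_ATTR vs. LOG_HIDE_ATTR on enrollment name/value pairs (added example, not VeriSign code)."""
from typing import Dict, List

MASK = "********"  # fixed width so the log does not reveal the hidden value's length


def parse_attr_list(setting_value: str) -> List[str]:
    """'employeeID,password' -> ['employeeID', 'password'].
    The page forbids spaces between tags; a stray space would make ' password' a tag that
    never matches and silently leave the field exposed, so this model rejects it."""
    if setting_value.strip() == "":
        return []
    tags = setting_value.split(",")
    for tag in tags:
        if tag == "" or tag != tag.strip():
            raise ValueError(f"tags must be comma-separated with no spaces: {setting_value!r}")
    return tags


def is_valid_attr_list(setting_value: str) -> bool:
    try:
        parse_attr_list(setting_value)
        return True
    except ValueError:
        return False


def strip_hidden_fields(enrollment: Dict[str, str], field_hide_attr: str) -> Dict[str, str]:
    """FIELD_HIDE_ATTR: drop the named fields after verification, before the signer sees them."""
    hidden = set(parse_attr_list(field_hide_attr))
    return {k: v for k, v in enrollment.items() if k not in hidden}


def log_line(enrollment: Dict[str, str], log_hide_attr: str) -> str:
    """LOG_HIDE_ATTR: keep every field but write the named ones as asterisks (constructed layout)."""
    hidden = set(parse_attr_list(log_hide_attr))
    return " ".join(f"{k}={MASK if k in hidden else v}" for k, v in enrollment.items())


# Constructed enrollment as it looks after verification: 'operation' is the pair every
# enrollment carries (see the validuser.txt discussion); the other fields are sample values.
SAMPLE_ENROLLMENT: Dict[str, str] = {
    "operation": "AutoAuthOSUserSubmit",
    "commonName": "Susan Smith",
    "employeeID": "E-10042",
    "password": "s3cret-pin",
}
```

With FIELD_HIDE_ATTR employeeID,password the dictionary handed to the signer has only operation and commonName left, which is why the page says such a field must not be marked required in the Policy Wizard; with LOG_HIDE_ATTR employeeID,password the log still records that both fields were present, just not what they held.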

Configuring Data Source Character Encoding

Your verification and registration data sources must be set up to use the same character set and encoding as Managed PKI. The combinations listed in Table D-2 are supported.

Table D-2 Supported character sets

Character Set | Encoding
Unicode (ISO/IEC 10646-1) | UTF-8
US-ASCII | 7-bit
Western European ISO 8859-1 or Windows CP1252 | 8-bit
Japanese Shift-JIS | Double-byte (8-bit and 16-bit mixed)
Traditional Chinese Big5 | Double-byte (8-bit and 16-bit mixed)

Note The US-ASCII encoding is a subset of UTF-8. ASCII files do not need conversion for use with UTF-8.

Managed PKI supports UTF-8 encoded characters in enrollments. If you previously configured your Managed PKI account for the Shift-JIS, Big5 or Western European (Windows CP1252 or ISO 8859-1) character sets and your data sources' encoding format is UTF-8, Managed PKI provides functionality to convert enrollment data in these character sets to and from UTF-8 encoding, as described below.

Enrollment data entered by your subscribers will be converted from the native encoding to UTF-8 for verification by your UTF-8 data source before being sent to VeriSign for processing. Any data you want added to the enrollment data from your UTF-8 data source is converted into the native character set and passed to VeriSign for processing. When the Digital ID is issued, the certificate data is returned to your registration data source in UTF-8 encoded format.

You configure Managed PKI to perform this conversion by configuring the DATA_SOURCE_USE_UTF8 setting. Both data sources must use the same encoding format. If your data source encoding format is UTF-8, set this value to yes:

DATA_SOURCE_USE_UTF8 yes

If your data source encoding format is 7-bit ASCII, it is already a subset of UTF-8, so Managed PKI does not need to convert data. You should set this value to yes:

DATA_SOURCE_USE_UTF8 yes

Other data source encoding formats are not compatible with UTF-8. Managed PKI cannot convert the enrollment data, and you must set this value to no:

DATA_SOURCE_USE_UTF8 no
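The yes/no rule above rests on a byte-level fact that is worth seeing rather than taking on faith, so here is an added example, written for this guide and not Managed PKI code. It uses Python's standard codecs to show why US-ASCII data sources take yes (their bytes are already valid UTF-8, as the Note states) while Shift-JIS, Big5 and Western European data sources take no (their non-ASCII bytes are not valid UTF-8), and it carries out the native-to-UTF-8 and UTF-8-to-native conversions the section describes, including the case where an augmentation from the UTF-8 data source cannot be represented in the native character set. The mapping from Table D-2 names to Python codec names and the sample strings are constructed for the example.

```python
"""DATA_SOURCE_USE_UTF8 decision and native/UTF-8 conversion (added example, not Managed PKI code)."""
import codecs
from typing import Dict

# Table D-2 character sets -> Python codec names (mapping constructed for this example).
TABLE_D2_CODECS: Dict[str, str] = {
    "Unicode (ISO/IEC 10646-1)": "utf-8",
    "US-ASCII": "ascii",
    "Western European ISO 8859-1": "iso8859-1",
    "Western European Windows CP1252": "cp1252",
    "Japanese Shift-JIS": "shift_jis",
    "Traditional Chinese Big5": "big5",
}


def data_source_use_utf8(data_source_encoding: str) -> str:
    """Value for DATA_SOURCE_USE_UTF8, given the encoding the data source actually stores.
    UTF-8 and 7-bit ASCII need no conversion and take 'yes'; everything else takes 'no'."""
    canonical = codecs.lookup(data_source_encoding).name   # normalises aliases such as US-ASCII
    return "yes" if canonical in ("utf-8", "ascii") else "no"


def is_valid_utf8(data: bytes) -> bool:
    """True when the bytes already decode as UTF-8 (always true for 7-bit ASCII bytes)."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def native_to_utf8(data: bytes, native_codec: str) -> bytes:
    """Subscriber input in the account's native character set -> UTF-8 for the data source."""
    return data.decode(native_codec).encode("utf-8")


def utf8_to_native(data: bytes, native_codec: str) -> bytes:
    """Augmentation from the UTF-8 data source -> native character set for VeriSign.
    Raises UnicodeEncodeError when the native set has no code for a character."""
    return data.decode("utf-8").encode(native_codec)


def representable(text: str, native_codec: str) -> bool:
    """Whether every character of a UTF-8 augmentation survives conversion to the native set."""
    try:
        text.encode(native_codec)
        return True
    except UnicodeEncodeError:
        return False
```

The check that matters operationally is representable(): a UTF-8 directory can hold characters that the account's native Shift-JIS or CP1252 set cannot express, and that data cannot be passed to VeriSign in the native form the section describes.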

Configuring Service Types

Managed PKI provides services for verification, registration, and key recovery.

Note Because Managed PKI needs to store data in the data sources during enrollment time, you must configure each VeriSign Registration Authority server for all three types of service—even if you use it for lifecycle subscriber operations only. In the ODBC and LDAP sections of the Managed PKI configuration file you must also configure the ODBC and/or LDAP data sources for all three Managed PKI service types.

To configure the VeriSign Registration Authority server, you must specify settings for the shared library files used to access the verification data source, the registration data source, and the key recovery data source, as follows, even if you do not implement that data source:

VER_SERVICE_DLL specifies the name of the shared library file used to access the verification data source.

REG_SERVICE_DLL specifies the name of the shared library file used to access the registration data source.

RECOVER_SERVICE_DLL specifies the name of the shared library file used to access the key recovery data source.

Managed PKI supports flat file, ODBC and LDAP for verification and registration. For key recovery, it supports ODBC and LDAP. Specify the appropriate shared library file for the data source and platform in VER_SERVICE_DLL, REG_SERVICE_DLL, and RECOVER_SERVICE_DLL, as outlined in Table D-3.

Table D-3 Data source shared library files

Platform | Flat File | ODBC | LDAP
Windows | vsaafile.dll | vsaaodbc.dll | vsaaldap.dll
Solaris/Linux | libvsaafile.so | libvsaaodbc.so | libvsaaldap.so

For example, for Windows with all LDAP data sources, specify:

VER_SERVICE_DLL vsaaldap.dll
REG_SERVICE_DLL vsaaldap.dll
RECOVER_SERVICE_DLL vsaaldap.dll

Or, for Solaris with flat file verification and registration, and an ODBC database for key recovery, specify:

VER_SERVICE_DLL libvsaafile.so
REG_SERVICE_DLL libvsaafile.so
RECOVER_SERVICE_DLL libvsaaodbc.so

By default, Managed PKI passes an end-user's request for certificate pick-up, revocation, or renewal to VeriSign without taking any action. You can configure Managed PKI to perform a custom process on the request inside VerifyUser() before it is sent to VeriSign. This is useful if you have a customized data source.

Note: All user input name/value pairs are sent through the VerifyUser() function before they are sent to the signing device and VeriSign, except for the operations "ReceiveEncryptedResponse", "register", and "error_register", which already have their own corresponding functions.

You can customize the function to fit your needs. See the Managed PKI Technical Reference for more information on the VerifyUser() function. To enable this processing, set PRE_PICKUP_PROCESS, PRE_REVOKE_PROCESS, or PRE_RENEWAL_PROCESS to on:
PRE_PICKUP_PROCESS on
PRE_REVOKE_PROCESS on
PRE_RENEWAL_PROCESS on

Configuring Flat File Verification

To configure flat file verification, set DBFILE to the name of the flat file that provides the verification data. For example:
DBFILE validuser.txt

Configuring an ODBC Database

You can use ODBC-compliant databases for the verification, registration, and key recovery data sources. If you use ODBC for one or more of these data sources, you must configure the appropriate settings as explained in this section.

To configure an ODBC database as your verification and registration data source, specify its data source name (DSN) for the VER_REG_DATABASE setting. For example:
VER_REG_DATABASE verRegDSN

Note: If you do not use ODBC as your verification and registration data source, leave the VER_REG_DATABASE setting blank.

To configure the database login username for verification and registration, specify the username for the VER_REG_DBUSERNAME setting. For example:
VER_REG_DBUSERNAME Admin

To configure the database login password for verification and registration, specify the password for the VER_REG_DBPASSWORD setting. For example:
VER_REG_DBPASSWORD password

To configure an ODBC database as your key recovery data source, specify its DSN for the RECOVER_DATABASE setting. For example:
RECOVER_DATABASE recvDSN

Note: If you do not use ODBC as your key recovery data source, leave the RECOVER_DATABASE setting blank.

To configure the database login username for key recovery, specify the username for the RECOVER_DBUSERNAME setting. For example:
RECOVER_DBUSERNAME Admin

To configure the database login password for key recovery, specify the password for the RECOVER_DBPASSWORD setting. For example:
RECOVER_DBPASSWORD password

These passwords are stored in clear text in the configuration file, so restrict read access to that file to the account that runs the VeriSign Registration Authority server, and give the database accounts only the privileges the server needs (SELECT on the verification tables, UPDATE on the registration table) rather than an administrative login.

If your ODBC database tables and their attributes have names that differ from the field names used in the enrollment pages, you must configure ODBC_ATTR_MAP settings. The field names used in the enrollment pages are specified in the FDF file on your Local Hosting server host. The ODBC_ATTR_MAP setting maps FDF field names to database column names. The syntax of ODBC_ATTR_MAP is as follows:
ODBC_ATTR_MAP <FDF field name> <database column name>

For example:
ODBC_ATTR_MAP mail_firstName FirstName

The ODBC_SQL_FROM_WHERE, ODBC_ATTR_VER, and ODBC_ATTR_GET settings specify the SQL statements used to find and verify a requester. These settings are critical to the verification and registration functions. For verification to succeed, you must configure ODBC_SQL_FROM_WHERE, ODBC_ATTR_VER, and ODBC_ATTR_GET so that the enrollment SQL calls meet the following requirements:
– SELECT Count(*) must return one and only one entry.
– SELECT must return the same value as the user's enrollment page input for each attribute specified in the ODBC_ATTR_VER setting.
– SELECT must return a non-empty value.

An example ODBC_SQL_FROM_WHERE setting is shown below. The square brackets are part of the required syntax, a trailing backslash continues the value on the next line, and each %s is replaced at runtime by the value of the enrollment field named after the corresponding + character (here mail_email, then employeeID):
ODBC_SQL_FROM_WHERE ["FROM Addresses \
    WHERE EmailAddress = '%s' AND \
    EmployeeID = %s"+mail_email+employeeID]

The ODBC_ATTR_VER setting lets you set additional verification criteria. For example, if you require that the JobTitle field have the value Manager, use:
ODBC_ATTR_VER JobTitle Manager

The ODBC_ATTR_GET setting retrieves attribute values from the database. The values are mapped to the enrollment fields and then served to the server, so you can populate the certificate request with data from the database rather than have the user enter it. For example:
ODBC_ATTR_GET MailStop

The ODBC_ATTR_SET setting sets default values. In the example below, the country code is set to "US":
ODBC_ATTR_SET country US

The ODBC_ATTR_MANUAL_VER setting triggers manual verification by the Managed PKI administrator when the value the user enters in a field you specify does not match the data in the verification database. If the data does not match, the request is neither automatically approved nor rejected; the verification result is set to PENDING and the certificate request is placed in the queue for manual review in the Managed PKI Control Center. For example:
ODBC_ATTR_MANUAL_VER Country

For registration, both certificates and attribute values entered in the enrollment pages are inserted or updated in the database using the following SQL statement, with one column assignment for each attribute specified in ODBC_ATTR_UPD:
UPDATE <ODBC_UPDATE_TABLE_NAME> SET [<column>=<value>,] <column>=<value> <ODBC_SQL_UPDATE_WHERE>


Each attribute value entered in the enr
ollment pages by the user is mapped to ODBC_ATTR_UPD according to the ODBC_ATTR_MAP settings, as explained previously.

Note: Both ODBC_UPDATE_TABLE_NAME and ODBC_SQL_UPDATE_WHERE are required for the UPDATE statement. Do not comment out these settings even if you do not use ODBC for registration.

The ODBC_UPDATE_TABLE_NAME setting specifies the name of the table to update. For example:
ODBC_UPDATE_TABLE_NAME Addresses

An example ODBC_SQL_UPDATE_WHERE setting is shown below. (The square brackets are part of the required syntax.)
ODBC_SQL_UPDATE_WHERE ["WHERE EmailAddress = '%s' AND \
    EmployeeID = %s"+mail_email+employeeID]

ODBC_ATTR_UPD specifies a database attribute to update after the certificate is issued. If you use the database for certificate registration, you must update the certificate value in the database: use the database column name that corresponds to the cert_base64 enrollment field in the ODBC_ATTR_MAP mapping rules. ODBC_ATTR_UPD settings are of the string data type. For example:
ODBC_ATTR_UPD CertSerialNumber

Note: ODBC_ATTR_MAP rules must appear before ODBC_ATTR_UPD in the VeriSign Registration Authority configuration file.

If your table contains a column that records certificate status (for example, to ensure that the revocation status of certificates is reliably reflected in the database), set ODBC_ATTR_CERT_STATUS to the name of that column (data type string). The column is initially empty. The system sets it to ODBC_VALUE_CERT_STATUS_VALID once the certificate is approved or picked up, and to ODBC_VALUE_CERT_STATUS_REVOKED when the certificate is revoked through the VeriSign Registration Authority server. You can redefine ODBC_VALUE_CERT_STATUS_VALID, _REVOKED, and _INVALID to specify the values you want to use for these states. For example:
ODBC_ATTR_CERT_STATUS CertificateStatus
ODBC_VALUE_CERT_STATUS_VALID Valid
ODBC_VALUE_CERT_STATUS_REVOKED Revoked
ODBC_VALUE_CERT_STATUS_INVALID Invalid

If your table does not contain a certificate status column, you must modify the standard release code to remove the code that updates it. You can also modify the code to delete the certificate when it is revoked, which prevents the subscriber from using an invalid or revoked certificate.

Note: Certificates can also be revoked by an administrator through the Managed PKI Control Center. When that happens, your registration data source is not updated, so the status column can lag the CA's actual revocation state; rely on the CRL or OCSP, not on the column alone, when deciding whether a certificate is still valid.
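The verification requirements and the registration UPDATE described above, as a runnable model with an in-memory SQLite table in place of the ODBC DSN. This is an added example, not the product's code: the rules it enforces (exactly one matching row, the ODBC_ATTR_VER value must match, ODBC_ATTR_GET values must be non-empty, an ODBC_ATTR_MANUAL_VER mismatch goes to PENDING, the status column moves to Valid on issue and to Revoked on revocation through the RA) are the ones this section states; the table layout, the sample rows and the enrollment requests are constructed, and the enrollment values are bound as '?' parameters, which is this example's choice rather than the %s text substitution the configuration syntax uses.

```python
"""Runnable model of the ODBC verification and registration steps in this
section, with an in-memory SQLite table standing in for the ODBC DSN. Added
example, not the product's code: the rules enforced are the ones the guide
states; binding enrollment values as '?' parameters (instead of %s text
substitution), the table layout and the sample rows are this example's own."""
import sqlite3

# Constructed settings in the shape of the configuration file entries.
CFG = {
    "ODBC_ATTR_MAP": {"mail_email": "EmailAddress", "employeeID": "EmployeeID",
                      "country": "Country", "mail_stop": "MailStop",
                      "cert_base64": "CertBase64", "cert_serial": "CertSerialNumber"},
    "ODBC_SQL_FROM_WHERE": ("FROM Addresses WHERE EmailAddress = ? AND EmployeeID = ?",
                            ["mail_email", "employeeID"]),  # each %s -> ?, bound in order
    "ODBC_ATTR_VER": {"JobTitle": "Manager"},  # column -> required value
    "ODBC_ATTR_GET": ["MailStop"],             # copied from the row into the request
    "ODBC_ATTR_SET": {"country": "US"},        # enrollment-field defaults
    "ODBC_ATTR_MANUAL_VER": ["Country"],       # mismatch -> PENDING, not a reject
    "ODBC_UPDATE_TABLE_NAME": "Addresses",
    "ODBC_SQL_UPDATE_WHERE": ("WHERE EmailAddress = ? AND EmployeeID = ?",
                              ["mail_email", "employeeID"]),
    "ODBC_ATTR_UPD": ["CertBase64", "CertSerialNumber"],
    "ODBC_ATTR_CERT_STATUS": "CertificateStatus",
    "ODBC_VALUE_CERT_STATUS_VALID": "Valid",
    "ODBC_VALUE_CERT_STATUS_REVOKED": "Revoked",
}
COL_TO_FIELD = {col: fld for fld, col in CFG["ODBC_ATTR_MAP"].items()}


def open_db():
    """In-memory stand-in for the ODBC DSN, loaded with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Addresses (EmailAddress TEXT, EmployeeID TEXT, "
               "JobTitle TEXT, Country TEXT, MailStop TEXT, CertBase64 TEXT, "
               "CertSerialNumber TEXT, CertificateStatus TEXT)")
    db.executemany("INSERT INTO Addresses VALUES (?,?,?,?,?,'','','')", [
        ("alice@acme.com", "1001", "Manager", "US", "MS-12"),
        ("bob@acme.com", "1002", "Engineer", "US", "MS-07"),
        ("carol@acme.com", "1003", "Manager", "DE", "MS-03"),
        ("carol@acme.com", "1003", "Manager", "DE", "MS-03"),  # duplicate row
        ("dan@acme.com", "1004", "Manager", "US", ""),          # empty MailStop
    ])
    return db


def verify(db, enrollment):
    """Apply the verification requirements; returns (result, enrollment)."""
    enrollment = {**CFG["ODBC_ATTR_SET"], **enrollment}  # ODBC_ATTR_SET defaults
    from_where, fields = CFG["ODBC_SQL_FROM_WHERE"]
    params = [enrollment[f] for f in fields]
    (count,) = db.execute("SELECT Count(*) " + from_where, params).fetchone()
    if count != 1:                                   # one and only one entry
        return "REJECTED", enrollment
    cols = list(CFG["ODBC_ATTR_VER"]) + CFG["ODBC_ATTR_GET"] + CFG["ODBC_ATTR_MANUAL_VER"]
    row = dict(zip(cols, db.execute(
        "SELECT " + ", ".join(cols) + " " + from_where, params).fetchone()))
    for col, required in CFG["ODBC_ATTR_VER"].items():  # value must match
        if row[col] != required:
            return "REJECTED", enrollment
    for col in CFG["ODBC_ATTR_GET"]:                    # value must be non-empty
        if not row[col]:
            return "REJECTED", enrollment
        enrollment[COL_TO_FIELD.get(col, col)] = row[col]
    for col in CFG["ODBC_ATTR_MANUAL_VER"]:             # mismatch -> administrator queue
        if enrollment.get(COL_TO_FIELD.get(col, col)) != row[col]:
            return "PENDING", enrollment
    return "APPROVED", enrollment


def register(db, enrollment):
    """UPDATE <table> SET <col>=<value>, ... <where>: store the issued certificate
    in the ODBC_ATTR_UPD columns and set the status column to VALID."""
    where, fields = CFG["ODBC_SQL_UPDATE_WHERE"]
    cols = CFG["ODBC_ATTR_UPD"] + [CFG["ODBC_ATTR_CERT_STATUS"]]
    values = [enrollment[COL_TO_FIELD[c]] for c in CFG["ODBC_ATTR_UPD"]]
    values.append(CFG["ODBC_VALUE_CERT_STATUS_VALID"])
    sql = "UPDATE %s SET %s %s" % (CFG["ODBC_UPDATE_TABLE_NAME"],
                                   ", ".join(c + " = ?" for c in cols), where)
    return db.execute(sql, values + [enrollment[f] for f in fields]).rowcount


def revoke(db, serial):
    """Revocation through the RA server: flip the status column for that serial."""
    sql = "UPDATE %s SET %s = ? WHERE %s = ?" % (
        CFG["ODBC_UPDATE_TABLE_NAME"], CFG["ODBC_ATTR_CERT_STATUS"],
        CFG["ODBC_ATTR_MAP"]["cert_serial"])
    return db.execute(sql, [CFG["ODBC_VALUE_CERT_STATUS_REVOKED"], serial]).rowcount


def status_of(db, email):
    return db.execute("SELECT CertificateStatus FROM Addresses WHERE EmailAddress = ?",
                      [email]).fetchone()[0]


# Constructed enrollment-page input covering the approve, reject and pending paths.
CASES = {
    "alice": {"mail_email": "alice@acme.com", "employeeID": "1001", "country": "US"},
    "bob": {"mail_email": "bob@acme.com", "employeeID": "1002"},      # not a Manager
    "carol": {"mail_email": "carol@acme.com", "employeeID": "1003"},  # two rows match
    "dan": {"mail_email": "dan@acme.com", "employeeID": "1004"},      # empty MailStop
    "alice-fr": {"mail_email": "alice@acme.com", "employeeID": "1001", "country": "FR"},
}


def demo():
    db, out = open_db(), {}
    for who, request in CASES.items():
        out[who], request = verify(db, request)
        if out[who] == "APPROVED":
            request.update(cert_base64="MIIB-constructed", cert_serial="0A1B2C")
            register(db, request)
            out[who + "/issued"] = status_of(db, request["mail_email"])
    out["rows_revoked"] = revoke(db, "0A1B2C")
    out["alice/final"] = status_of(db, "alice@acme.com")
    return out
```

Because ODBC_SQL_FROM_WHERE is a fragment pasted into both SELECT statements, one clause has to serve both the Count(*) check and the column fetch. Running demo() shows why a WHERE clause that matches two rows (carol) or an empty ODBC_ATTR_GET column (dan) rejects the request outright, while a Country mismatch (alice-fr) only parks it in the administrator's queue.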

Configuring an LDAP Data Source

You can use an LDAP data source for verification, registration, and key recovery. If you use LDAP for one or more of these data sources, you must configure the appropriate settings as explained in this section. In most cases, you use a single LDAP directory to store both verification and registration data. You can, however, use one LDAP directory server as the verification data source and another as the registration data source.

Configuring the LDAP Verification Data Source

Note: If you want to use your existing customized LDAP DLL as the verification data source, you must replace all VER_LDAP_ keywords with AUTH_LDAP_ in order to maintain compatibility. For example, replace VER_LDAP_HOST_NAME with AUTH_LDAP_HOST_NAME.


To configure an LDAP host for your verification data source, specify its name for the VER_LDAP_HOST_NAME setting. The value must not be preceded or followed by any spaces. For example:
VER_LDAP_HOST_NAME authenticate.acme.com

You must configure the verification data source listening port. If VER_LDAP_SSL is set to OFF (SSL is not enabled), configure VER_LDAP_PORT. If VER_LDAP_SSL is set to ON (SSL is enabled), configure VER_LDAP_SSL_PORT. The value must not be preceded or followed by any spaces. For example:
VER_LDAP_PORT 389
VER_LDAP_SSL_PORT 636

Specify the version of the LDAP protocol that you are using. For example:
VER_PROTOCOL_VERSION 3

The VER_LDAP_SSL setting configures a secure SSL connection between the VeriSign Registration Authority server and the verification data source. The requirements to enable a secure connection are as follows:
– The VeriSign Registration Authority server must have access to a Mozilla certificate database.
– The Mozilla certificate database must contain one of the following: the certificate of the CA that issued the verification data source's certificate; if the CAs are organized in a hierarchy, the certificate of any of the CAs in the hierarchy; or the verification data source's certificate.
The VER_LDAP_SSL setting can be set to either ON or OFF. For example:
VER_LDAP_SSL OFF

With VER_LDAP_SSL OFF, the bind DN, the bind password and all directory data cross the network in clear text on port 389, so leave it OFF only when the directory is on the same host or on an otherwise protected network path.

If VER_LDAP_SSL is set to ON, VER_LDAP_CERT specifies the Mozilla certificate database file the VeriSign Registration Authority server host will access:
– You must use the cert8.db certificate database that is generated by your Mozilla application.
– Do not use the original database. Instead, make a copy of the database and use the copy.
– Do not use a cert8.db database that is currently being used by your Mozilla application.

Note: VeriSign Registration Authority supports cert7.db files, but only for older versions of the Netscape browser.

Syntax:
VER_LDAP_CERT .netscape/cert8.db

For example:
VER_LDAP_CERT [C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\random.default\cert8.db]

VER_LDAP_BIND_DN and VER_LDAP_BIND_PWD specify the DN (distinguished name) and the password used to bind to the LDAP server. If the enrollment pages do not provide password entry for LDAP access, you can specify a hard-coded administrator password for VER_LDAP_BIND_PWD, which is then used for the binds for both verification and registration. Use quotes to specify a value. Use the wildcard %s to have the entry replaced at runtime by the value of the enrollment attribute named after the + character. For example (alternative forms):
VER_LDAP_BIND_DN ["uid=%s,ou=Sample OrgUnit for DIM Test,o=verisign.com"+uid]
VER_LDAP_BIND_DN ["uid=SampleBindID,ou=Sample OrgUnit for DIM Test,o=verisign.com"]
VER_LDAP_BIND_DN ["uid=AdminDIMTester, ou=Directory Administrators, o=verisign.com"]
VER_LDAP_BIND_DN ["cn=Directory Manager"]
VER_LDAP_BIND_PWD "password"

If you use a fixed bind account, prefer one whose read access is limited to the attributes verification needs over a directory manager account: its password sits in clear text in the configuration file, and every enrollment request is served with that account's privileges.

If the enrollment pages require a user ID and password for LDAP access, the password is used as the bind password for the DN corresponding to the user ID. In that case, comment out the VER_LDAP_BIND_* settings above and set VER_LDAP_BIND_DN to NULL; VER_LDAP_READ_DN is then used to retrieve the user's bind DN for the given user ID. For example:
VER_LDAP_BIND_DN NULL
VER_LDAP_BIND_PWD userPassword
VER_LDAP_READ_DN ["cn=Directory Manager"]
VER_LDAP_READ_PWD "password"


VER_LDAP_BASE_DN specifies the LDAP subtree entry point at which to begin a directory search. If you comment out the VER_LDAP_BASE_DN setting, the entire LDAP user directory is searched. To reduce the search space and improve performance, specify a setting for VER_LDAP_BASE_DN.

Note: Do not use quotes when specifying a value for VER_LDAP_BASE_DN. If the value contains spaces, enclose it in '[' and ']'.

For example:
VER_LDAP_BASE_DN o=verisign.com

For SunONE Directory Server, use:
VER_LDAP_BASE_DN dc=verisign,dc=com

VER_LDAP_OBJCLASS specifies the object class of the entries in the LDAP directory that you want to use for verification. For example:
VER_LDAP_OBJCLASS inetOrgPerson

For Microsoft Active Directory, use:
VER_LDAP_OBJCLASS user

VER_LDAP_EMAIL_ATTR specifies the attribute name for the email address in the LDAP directory. The email address is used as the primary key for certificate renewal. (If REG_LDAP_EMAIL_ATTR is commented out, the VER_LDAP_EMAIL_ATTR setting is also used as the unique search key for manual pick-up.) For example:
VER_LDAP_EMAIL_ATTR mail
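To see how the bracketed template syntax used by ODBC_SQL_FROM_WHERE, ODBC_SQL_UPDATE_WHERE, VER_LDAP_BIND_DN and VER_LDAP_BASE_DN expands at runtime, here is a small parser and expander for that syntax. It is an added example, not VeriSign code: the guide does not document the actual parser, so the '#' comment character, the whitespace handling and the optional RFC 4514 escaping of substituted values are this example's own assumptions, and the configuration fragment and enrollment input are constructed.

```python
"""Model of how the vsrasrv configuration values shown in this appendix are
read and expanded at runtime. Added illustration, not VeriSign code: the guide
does not document the real parser, so the '#' comment character, the
whitespace rules and the optional RFC 4514 escaping are this example's own."""
import re

# ["format with %s"+field1+field2]  ->  fmt / attrs groups
_TEMPLATE = re.compile(r'^\["(?P<fmt>.*)"(?P<attrs>(?:\+\w+)*)\]$')
_DN_SPECIAL = set('"+,;<>\\')


def load_config(text):
    """Parse KEY VALUE lines into {key: [values]}. Repeated keys such as
    ODBC_ATTR_MAP accumulate. A trailing backslash continues the value on the
    next line, as in the multi-line ODBC_SQL_FROM_WHERE example."""
    settings, pending = {}, ""
    for line in text.splitlines():
        line = pending + line.strip()
        if not line or line.startswith("#"):     # '#' comments: assumption
            pending = ""
            continue
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        parts = re.split(r"\s+", line, maxsplit=1)
        settings.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    if pending:
        raise ValueError("file ends inside a continued value")
    return settings


def dn_escape(value):
    """RFC 4514 escaping for a subscriber-supplied value placed inside a DN."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def expand(raw, fields, escape=lambda v: v):
    """Turn one raw value into its runtime value:
         NULL                  -> None     (VER_LDAP_BIND_DN NULL)
         "text"                -> text     (VER_LDAP_BIND_PWD "password")
         [text with spaces]    -> text     (VER_LDAP_BASE_DN [ou=A B,o=c])
         ["fmt %s"+f1+f2]      -> fmt with each %s replaced, in order, by the
                                  enrollment field named after the matching '+'
    `escape` is applied to every substituted enrollment value."""
    if raw == "NULL":
        return None
    m = _TEMPLATE.match(raw)
    if m:
        pieces = m.group("fmt").split("%s")
        names = [n for n in m.group("attrs").split("+") if n]
        if len(pieces) - 1 != len(names):
            raise ValueError("%s count and +attribute list differ in " + raw)
        missing = [n for n in names if n not in fields]
        if missing:
            raise ValueError("enrollment field(s) missing: " + ", ".join(missing))
        out = pieces[0]
        for name, literal in zip(names, pieces[1:]):
            out += escape(fields[name]) + literal
        return out
    if raw[:1] == "[" and raw[-1:] == "]":
        return raw[1:-1]
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw


# Constructed fragment built from the settings shown in this appendix.
SAMPLE_CONFIG = """# vsrasrv configuration fragment (constructed)
VER_LDAP_HOST_NAME authenticate.acme.com
VER_LDAP_BIND_DN ["uid=%s,ou=Sample OrgUnit for DIM Test,o=verisign.com"+uid]
VER_LDAP_READ_DN ["cn=Directory Manager"]
VER_LDAP_READ_PWD "password"
VER_LDAP_BASE_DN [ou=Sample OrgUnit for DIM Test,o=verisign.com]
REG_LDAP_BIND_DN NULL
ODBC_SQL_FROM_WHERE ["FROM Addresses \\
    WHERE EmailAddress = '%s' AND \\
    EmployeeID = %s"+mail_email+employeeID]
ODBC_ATTR_MAP mail_firstName FirstName
ODBC_ATTR_MAP mail_email EmailAddress
"""

# Constructed enrollment input; the uid deliberately carries a comma.
ENROLLMENT = {"uid": "jdoe,ou=Directory Administrators",
              "mail_email": "jdoe@acme.com", "employeeID": "1042"}


def demo():
    cfg = load_config(SAMPLE_CONFIG)
    return {
        "bind_dn": expand(cfg["VER_LDAP_BIND_DN"][0], ENROLLMENT, escape=dn_escape),
        "read_dn": expand(cfg["VER_LDAP_READ_DN"][0], ENROLLMENT),
        "read_pwd": expand(cfg["VER_LDAP_READ_PWD"][0], ENROLLMENT),
        "base_dn": expand(cfg["VER_LDAP_BASE_DN"][0], ENROLLMENT),
        "reg_bind_dn": expand(cfg["REG_LDAP_BIND_DN"][0], ENROLLMENT),
        "from_where": expand(cfg["ODBC_SQL_FROM_WHERE"][0], ENROLLMENT),
        "attr_map": dict(v.split() for v in cfg["ODBC_ATTR_MAP"]),
    }
```

The bind DN case shows the reason for the optional escaping: a %s substituted from an enrollment field is subscriber input, and an unescaped comma in it would turn the intended single uid RDN into an extra RDN that names a different entry. Whether the product itself escapes such values is not stated in this guide, so check before relying on it.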

Configuring the LDAP Registration Data Source

In most cases, you should use a single directory to provide verification data and to store registration data. The REG_ prefix lets you configure separate verification and registration data sources. If you use the same LDAP server for both verification and registration, comment out the entries with the REG_ prefix. If VER_LDAP_BIND_DN depends on user input, you must specify the REG_LDAP_BIND_DN and REG_LDAP_BIND_PWD parameters.


To configure an LDAP host for your registration data source, specify its name for the REG_LDAP_HOST_NAME setting. The value must not be preceded or followed by any spaces. For example:
REG_LDAP_HOST_NAME register.acme.com

You must configure the registration data source listening port. If REG_LDAP_SSL is set to OFF (SSL is not enabled), configure REG_LDAP_PORT. If REG_LDAP_SSL is set to ON (SSL is enabled), configure REG_LDAP_SSL_PORT. The value must not be preceded or followed by any spaces. For example:
REG_LDAP_PORT 389
REG_LDAP_SSL_PORT 636

Specify the version of the LDAP protocol you are using. For example:
REG_PROTOCOL_VERSION 3

The REG_LDAP_SSL setting configures a secure SSL connection between the VeriSign Registration Authority server and the registration data source. The requirements are the same as for the verification data source:
– The VeriSign Registration Authority server must have access to a Mozilla certificate database.
– The Mozilla certificate database must contain one of the following: the certificate of the CA that issued the registration data source's certificate; if the CAs are organized in a hierarchy, the certificate of any of the CAs in the hierarchy; or the registration data source's certificate.
The REG_LDAP_SSL setting can be set to either ON or OFF. For example:
REG_LDAP_SSL OFF

If REG_LDAP_SSL is set to ON, the REG_LDAP_CERT setting specifies the Mozilla certificate database file the VeriSign Registration Authority server host will access:
– You must use the cert8.db certificate database that is generated by your Mozilla application.
– Do not use the original database. Instead, make a copy of the database and use the copy.
– Do not use a cert8.db database that is currently being used by Firefox.

Note: VeriSign Registration Authority supports cert7.db files, but only for older versions of the Netscape browser.

Syntax:
REG_LDAP_CERT .netscape/cert8.db

For example:
REG_LDAP_CERT [C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\random.default\cert8.db]

REG_LDAP_BIND_DN and REG_LDAP_BIND_PWD specify the DN (distinguished name) and the password used to bind to the registration LDAP server. If the enrollment pages do not provide password entry for LDAP access, you can specify a hard-coded administrator password for REG_LDAP_BIND_PWD, which is then used for the binds for both verification and registration. Use quotes to specify a value. Use the wildcard %s to have the entry replaced at runtime by the value of the enrollment attribute named after the + character. For example (alternative forms):
REG_LDAP_BIND_DN ["uid=%s,ou=Sample OrgUnit for DIM Test,o=verisign.com"+uid]
REG_LDAP_BIND_DN ["uid=SampleBindID,ou=Sample OrgUnit for DIM Test,o=verisign.com"]
REG_LDAP_BIND_DN ["cn=Directory Manager"]
REG_LDAP_BIND_PWD "password"

If the enrollment pages require a user ID and password for LDAP access, the password is used as the bind password for the DN corresponding to the user ID. In that case, comment out the REG_LDAP_BIND_* settings above and set REG_LDAP_BIND_DN to NULL; REG_LDAP_READ_DN is then used to retrieve the user's bind DN for the given user ID. Note that in this mode the end user must have write permission on the registration LDAP server, because the certificate is written under the user's own bind. For example:
REG_LDAP_BIND_DN NULL
REG_LDAP_BIND_PWD userPassword
REG_LDAP_READ_DN ["cn=Directory Manager"]
REG_LDAP_READ_PWD "password"


REG_LDAP_BASE_DN specifies the LDAP subtree entry point at which to begin a directory search when storing certificates. If you comment out the REG_LDAP_BASE_DN setting, the entire LDAP user directory is searched. To reduce the search space and improve performance, specify a setting for REG_LDAP_BASE_DN.

Note: Do not use quotes when specifying a value for REG_LDAP_BASE_DN. If the value contains spaces, enclose it in '[' and ']'.

For example:
REG_LDAP_BASE_DN o=verisign.com

For SunONE Directory Server, use:
REG_LDAP_BASE_DN dc=verisign,dc=com

REG_LDAP_OBJCLASS specifies the object class of the entries in the LDAP directory that you want to use for registration. For example:
REG_LDAP_OBJCLASS inetOrgPerson

For Microsoft Active Directory, use:
REG_LDAP_OBJCLASS user

REG_LDAP_EMAIL_ATTR specifies the attribute name for the email address in the LDAP directory. The email address is used as the unique search key for certificate renewal and for the manual pick-up process that updates certificates in the registration directory. For example:
REG_LDAP_EMAIL_ATTR mail

Configure settings for LDAP_ATTR_MAP. These settings map the field names used in the enrollment pages to LDAP directory attribute names and are used during certificate registration. The field names used in the enrollment pages are specified in the FDF file on your Local Hosting server host. If necessary, new LDAP attributes are generated to accept certificate data. The syntax of LDAP_ATTR_MAP is as follows:
LDAP_ATTR_MAP <FDF field name> <LDAP attribute name>

For example:
LDAP_ATTR_MAP mail_firstName FirstName

The LDAP_ATTR_GET setting retrieves attribute values from the LDAP directory. The values are mapped to the enrollment fields and then served to the Managed PKI server, so you can populate the certificate request with data from the directory rather than have the user enter it. For example:
LDAP_ATTR_GET ou

The LDAP_ATTR_SET setting sets default values in the enrollment pages. In the example below, the country code is set to US:
LDAP_ATTR_SET country US

LDAP_ATTR_VER specifies the directory attribute to be compared with user input. In the example below, the directory attribute is mail:
LDAP_ATTR_VER mail

LDAP_ATTR_AUTH sets extra authentication criteria. For example, if you require that the "title" enrollment field have the value "Manager", use:
LDAP_ATTR_AUTH title Manager

The LDAP_ATTR_MANUAL_VER setting triggers manual verification by the Managed PKI administrator when the value the user enters in a field you specify does not match the data in the LDAP verification directory. If the data does not match, the request is neither automatically approved nor rejected; the verification result is set to PENDING and the certificate request is placed in the queue for manual review by the administrator in the Managed PKI Control Center. For example:
LDAP_ATTR_MANUAL_VER employeenumber

LDAP_ATTR_REG changes the value of a directory attribute during registration. This setting takes three arguments: the X.500 name of the attribute, the static value of the attribute, and the LDAP directive to execute (LDAP_MOD_ADD, LDAP_MOD_DELETE or LDAP_MOD_REPLACE). Syntax:
LDAP_ATTR_REG <attribute name> <static value> <LDAP_MOD_ADD | LDAP_MOD_DELETE | LDAP_MOD_REPLACE>

For example:
LDAP_ATTR_REG pkirevokedate 11/01/2004 LDAP_MOD_REPLACE

Each attribute value entered in the enrollment pages by the user is mapped to LDAP_ATTR_UPD according to the LDAP_ATTR_MAP settings, as explained previously. LDAP_ATTR_UPD specifies a directory attribute to update after the certificate is issued. If you use the directory for certificate registration, you must update the certificate value in the directory: use the directory attribute name that corresponds to the cert_base64 enrollment field in the LDAP_ATTR_MAP mapping rules. To identify the entry whose certificate is revoked, the attribute name that corresponds to the cert_serial enrollment field in the LDAP_ATTR_MAP mapping rules must also be listed in LDAP_ATTR_UPD; otherwise the revocation status cannot be reflected in the LDAP directory. For example:
LDAP_ATTR_UPD userCertificate;binary
LDAP_ATTR_UPD x500uniqueidentifier

If your directory entries have an attribute that records certificate status (for example, to ensure that the revocation status of certificates is reliably reflected in the directory), set LDAP_ATTR_CERT_STATUS to the name of that attribute (data type string). The attribute is initially empty. The system sets it to LDAP_VALUE_CERT_STATUS_VALID once the certificate is approved or picked up, and to LDAP_VALUE_CERT_STATUS_REVOKED when the certificate is revoked through the VeriSign Registration Authority server. You can redefine LDAP_VALUE_CERT_STATUS_VALID, _REVOKED, and _INVALID to specify the values you want to use for these states. (_INVALID is not used by VeriSign Registration Authority; you can use it if you customize the LDAP source code.) For example:
LDAP_ATTR_CERT_STATUS businesscategory
LDAP_VALUE_CERT_STATUS_VALID Valid
LDAP_VALUE_CERT_STATUS_REVOKED Revoked
LDAP_VALUE_CERT_STATUS_INVALID Invalid

If your entries do not have a certificate status attribute, you must modify the standard release code to remove the code that updates it. You can also modify the code to delete the certificate when it is revoked, which prevents the subscriber from using an invalid or revoked certificate.

Note: Certificates can also be revoked by an administrator through the Managed PKI Control Center. When that happens, your registration data source is not updated, so the status attribute can lag the CA's actual revocation state; use the CRL or OCSP, not the directory attribute alone, when deciding whether a certificate is still valid.
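The registration update described above, written out as the RFC 2849 LDIF change record that the equivalent ldapmodify call would send, with a reader to check it before use. This is an added example, not VeriSign code: the attributes it touches follow the LDAP_ATTR_MAP, LDAP_ATTR_UPD, LDAP_ATTR_REG and LDAP_ATTR_CERT_STATUS settings shown above; the entry DN, the placeholder certificate bytes and LDIF as the output form are this example's own assumptions.

```python
"""The LDAP modify operation the registration step performs, written out as an
RFC 2849 LDIF change record that ldapmodify accepts, plus a reader for checking
it. Added example, not VeriSign code: which attributes are changed follows the
LDAP_ATTR_MAP, LDAP_ATTR_UPD, LDAP_ATTR_REG and LDAP_ATTR_CERT_STATUS settings
shown above; the entry DN, the certificate bytes and LDIF as the output form
are this example's own assumptions."""
import base64

CFG = {
    "LDAP_ATTR_MAP": {"cert_base64": "userCertificate;binary",
                      "cert_serial": "x500uniqueidentifier"},
    "LDAP_ATTR_UPD": ["userCertificate;binary", "x500uniqueidentifier"],
    "LDAP_ATTR_REG": [("pkirevokedate", "11/01/2004", "LDAP_MOD_REPLACE")],
    "LDAP_ATTR_CERT_STATUS": "businesscategory",
    "LDAP_VALUE_CERT_STATUS_VALID": "Valid",
    "LDAP_VALUE_CERT_STATUS_REVOKED": "Revoked",
}
LDIF_OP = {"LDAP_MOD_ADD": "add", "LDAP_MOD_DELETE": "delete", "LDAP_MOD_REPLACE": "replace"}
ATTR_TO_FIELD = {attr: fld for fld, attr in CFG["LDAP_ATTR_MAP"].items()}

# Constructed: not a real DER certificate, just bytes to exercise the ';binary' path.
CERT_DER = b"\x30\x82\x01\x0a" + b"constructed placeholder, not a real DER certificate"
ENTRY_DN = "uid=jdoe,ou=Sample OrgUnit for DIM Test,o=verisign.com"  # assumed entry
ENROLLMENT = {"cert_base64": base64.b64encode(CERT_DER).decode(), "cert_serial": "0A1B2C"}


def fold(line, width=76):
    """RFC 2849 line folding: continuation lines begin with a single space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def ldif_value(attr, value):
    """'attr: value', or 'attr:: base64' for bytes and for text that LDIF cannot
    carry literally (leading space, ':' or '<', trailing space, non-ASCII)."""
    if isinstance(value, bytes):
        return "%s:: %s" % (attr, base64.b64encode(value).decode())
    if not value or value[0] in " :<" or value[-1] == " " or not value.isascii():
        return "%s:: %s" % (attr, base64.b64encode(value.encode()).decode())
    return "%s: %s" % (attr, value)


def modify_record(dn, mods):
    """mods: [(op, attr, value)], value None for a bare delete."""
    lines = [fold("dn: " + dn), "changetype: modify"]
    for op, attr, value in mods:
        lines.append("%s: %s" % (op, attr))
        if value is not None:
            lines.append(fold(ldif_value(attr, value)))
        lines.append("-")
    return "\n".join(lines) + "\n"


def registration_mods(enrollment):
    """Replace each LDAP_ATTR_UPD attribute with its enrollment field (decoding
    cert_base64 to DER for ';binary' attributes), apply each LDAP_ATTR_REG
    directive, and set the status attribute to LDAP_VALUE_CERT_STATUS_VALID."""
    mods = []
    for attr in CFG["LDAP_ATTR_UPD"]:
        value = enrollment[ATTR_TO_FIELD[attr]]
        if attr.endswith(";binary"):
            value = base64.b64decode(value)
        mods.append(("replace", attr, value))
    mods += [(LDIF_OP[op], attr, value) for attr, value, op in CFG["LDAP_ATTR_REG"]]
    mods.append(("replace", CFG["LDAP_ATTR_CERT_STATUS"], CFG["LDAP_VALUE_CERT_STATUS_VALID"]))
    return mods


def revocation_mods():
    """What the RA server writes when the certificate is revoked through it."""
    return [("replace", CFG["LDAP_ATTR_CERT_STATUS"], CFG["LDAP_VALUE_CERT_STATUS_REVOKED"])]


def parse_modify(text):
    """Unfold and read back a modify record -> (dn, [(op, attr, value)]);
    base64 values come back as bytes. Use it to check a record before ldapmodify."""
    lines = [l for l in text.replace("\n ", "").splitlines() if l]
    dn = lines[0].split(": ", 1)[1]
    if lines[1] != "changetype: modify":
        raise ValueError("not a modify record")
    mods, i = [], 2
    while i < len(lines):
        op, attr = lines[i].split(": ", 1)
        value, i = None, i + 1
        if lines[i] != "-":
            raw = lines[i].split(":", 1)[1]
            value = base64.b64decode(raw[1:].strip()) if raw.startswith(":") else raw.strip()
            i += 1
        if lines[i] != "-":
            raise ValueError("missing '-' separator after " + attr)
        mods.append((op, attr, value))
        i += 1
    return dn, mods


def demo():
    """Return the registration and revocation records for the assumed entry."""
    return (modify_record(ENTRY_DN, registration_mods(ENROLLMENT)),
            modify_record(ENTRY_DN, revocation_mods()))
```

Two details matter in practice: userCertificate;binary carries DER, so the base64 text of the cert_base64 enrollment field is decoded before storage and re-encoded by LDIF in the '::' form, and the serial goes into its own attribute so that a later revocation can locate the entry, which is why the guide requires the cert_serial mapping in LDAP_ATTR_UPD.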

Configuring an LDAP Key Recovery Data Source

To configure an LDAP host for your key recovery data source, specify its name for the RECOVER_LDAP_HOST_NAME setting. The value must not be preceded or followed by any spaces. For example:
RECOVER_LDAP_HOST_NAME recover.acme.com

You must configure the key recovery data source listening port. If RECOVER_LDAP_SSL is set to OFF (SSL is not enabled), configure RECOVER_LDAP_PORT. If RECOVER_LDAP_SSL is set to ON (SSL is enabled), configure RECOVER_LDAP_SSL_PORT. The value must not be preceded or followed by any spaces. For example:
RECOVER_LDAP_PORT 389
RECOVER_LDAP_SSL_PORT 636

Specify the version of the LDAP protocol you are using. For example:
RECOVER_PROTOCOL_VERSION 3

The RECOVER_LDAP_SSL setting configures a secure SSL connection between the VeriSign Registration Authority server and the key recovery data source. The requirements are the same as for the other data sources:
– The VeriSign Registration Authority server must have access to a Mozilla certificate database.
– The certificate database must contain one of the following: the certificate of the CA that issued the key recovery data source's certificate; if the CAs are organized in a hierarchy, the certificate of any of the CAs in the hierarchy; or the key recovery data source's certificate.
The RECOVER_LDAP_SSL setting can be set to either ON or OFF. For example:
RECOVER_LDAP_SSL OFF

Because this directory holds the key escrow data (the RECOVER_LDAP_ATTR_MAP settings below show fields such as private_key and pkcs12_password being stored in it), use RECOVER_LDAP_SSL ON unless the directory is on the same host as the VeriSign Registration Authority server.

If RECOVER_LDAP_SSL is set to ON, the RECOVER_LDAP_CERT setting specifies the Mozilla certificate database file the VeriSign Registration Authority server host will access:
– You must use the cert8.db certificate database that is generated by Firefox.
– Do not use the original database. Instead, make a copy of the database and use the copy.
– Do not use a cert8.db database that is currently being used by Firefox.

Note: VeriSign Registration Authority supports cert7.db files, but only for older versions of the Netscape browser.

Syntax:
RECOVER_LDAP_CERT .netscape/cert8.db

For example:
RECOVER_LDAP_CERT [C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\random.default\cert8.db]

RECOVER_LDAP_BIND_DN and RECOVER_LDAP_BIND_PWD specify the DN (distinguished name) and the password used to bind to the key recovery LDAP server. The specified DN must have write privileges to the subtree on the LDAP server that is specified by the RECOVER_LDAP_BASE_DN setting; grant it write access to that subtree only, since the directory manager account shown in the example is broader than the server needs. For example:
RECOVER_LDAP_BIND_DN ["cn=Directory Manager"]
RECOVER_LDAP_BIND_PWD "password"

RECOVER_LDAP_BASE_DN specifies the LDAP subtree node where you store the key escrow data used for key recovery. In the example below, RECOVER_LDAP_BASE_DN specifies an organizational unit named KeyRecoveryData under the verisign.com subtree on the key recovery LDAP data source:
RECOVER_LDAP_BASE_DN [ou=KeyRecoveryData,o=verisign.com]

For SunONE Directory Server 5.0, use:
RECOVER_LDAP_BASE_DN [ou=KeyRecoveryData,dc=verisign,dc=com]


If you are using Microsoft Active Directory as the key recovery data source, use the user object class. Uncomment the following line:
RECOVER_LDAP_OBJCLASS user

If you are using Novell eDirectory as your key recovery LDAP data source, specify the RECOVER_LDAP_ATTR_MAP setting for storing base64 certificates as follows:
RECOVER_LDAP_ATTR_MAP cert postaladdress

If you are using IBM SecureWay as the key recovery data source, enable the following mappings by uncommenting these lines:
RECOVER_LDAP_ATTR_MAP vs_field1 cn
RECOVER_LDAP_ATTR_MAP common_name sn
RECOVER_LDAP_ATTR_MAP mask homepostaladdress
RECOVER_LDAP_ATTR_MAP iv x500uniqueidentifier
RECOVER_LDAP_ATTR_MAP pkcs12_password carlicense
RECOVER_LDAP_ATTR_MAP private_key jpegphoto
RECOVER_LDAP_ATTR_MAP cert usercertificate;binary
RECOVER_LDAP_ATTR_MAP cert_status businesscategory
RECOVER_LDAP_ATTR_MAP event_time mobile

CMS Verification Data Source Configuration

Three configurations are possible for CMS (Card Management System) as a verification data source: flat file, ODBC, and LDAP.

Flat file: The VeriSign Registration Authority verification plug-in checks the verification data against the text file specified in the vsrasrv configuration file. The following additional entries must be added to the text file for each user; their values are the ones entered when configuring the CMS with VeriSign Registration Authority:
superadmin=
superadminpassword=

ODBC verification data source: The ODBC_SQL_FROM_WHERE, ODBC_ATTR_VER, and ODBC_ATTR_GET settings specify the SQL statements used to find and verify a requester. These settings must include entries for the superadmin and superadminpassword attributes. These attributes are not used for user verification but are required for client authentication of the CMS installation. Again, this is a requirement only for CMS.

LDAP verification data source: VER_LDAP_BIND_DN and VER_LDAP_BIND_PWD specify the DN (distinguished name) and the password used to bind to the LDAP server. If the enrollment pages do not provide password entry for LDAP access, these are the superadmin and superadminpassword credentials that the CMS must supply at runtime in the request; they are not hard-coded at the VeriSign Registration Authority end for a CMS installation.


Index

-------------------------------------------------------------

Index

A

aakeygen 143, 146, 147, 149
ActiveX 179
administrator roles
  Certificate Management Administrator 67
  Configuration Administrator 67
  read-only 68
  Security Administrator 67
Administrator Roles Wizard 67
Approval e-mail, configuring 63
ASB see Business Authentication Service
authentication
  see also VeriSign Registration Authority, manual authentication, Outsourced Authentication, Passcode Administration
  Authentication Wizard 66
  Automatic Renewal 2, 170
  client 28
  Client Authentication Renewal 2, 170
  DBFILE parameter 116
  definition 65
  end-user 65
  flat file authentication 186
  key pair options 38
  match fields 32
  personal presence model 67
  Personal Trust Agent 28
  PIN 65
  Re-authentication Renewal 2, 170
  Specify the Authentication Method Wizard Page 43
  Windows authentication 24
authentication certificates, E-mail Wizard 65
authentication policy 69
  Instant Issue 69
  Manual Approval 69
authentication servers 1
  VeriSign Registration Authority 121
Authentication Service Bureau see Business Authentication Service
Authentication Wizard 65–67
Automatic Renewal 2, 170

B

BAS see Business Authentication Service
billing contact 6
Business Authentication Service 50

C

Card Management System 224
cert.pem 166
certificate see also key
certificate lifecycle pages see Digital ID Center pages
Certificate Management Administrator role 67
Certificate Publishing Policy 56
Certificate Publishing Policy page 56
certificate renewal 2, 3
  authentication policy for 69
certificate requests 65, 121, 129, 147
  generating 164
  pkcs10.pem file 165
certificate revocation list 28
certificate signing request 142, 143, 146, 147, 148, 149, 165
certificates
  applying for Production Managed PKI 176
  determining fields 30–33
  fields 30
  key size 40
  pilot 6
  Secure Server 163
  Signing 65
  validity period 70
Certification Authority 6
CGI scripts 11, 21
character encoding, Unicode 42
character set, Unicode 42
Client Authentication Renewal 2, 170
CMS see Card Management System
Configuration Administrator role 67
Configuration page 58
configuration planning 5
configuration wizards
  Administrator Roles Wizard 67
  Authentication Wizard 65–67
  CSR Enrollment Wizard 59
  Download OCSP Cert 71
  Download Policy File 57
  Download Policy File Wizard 59
  E-mail Wizard 61–65, 170
  Install CA Wizard 68
  Key Recovery Wizard 71
  Logo Wizard 61, 78
  Policy Wizard 33–57, 153, 176
  Renewal Wizard 68–70
Configure Passcode Match Fields page 52
configuring Local Hosting
  overview 77–78
  Local Hosting with IIS 79–95
Confirmation e-mail, configuring 63
Control Center see Managed PKI Control Center
CRL see certificate revocation list
cryptographic service provider 39
CSR see certificate signing request
CSR Enrollment Wizard 59
CSR-based enrollment 6
Customize the Subscriber Certificates page 53
Customize the Subscriber Enrollment page 47
customizer 189
customizer.exe 81, 98, 112, 189
customizer.log 81, 98, 112
  installing files with 189
  program options 189

D

deploying MSI packages 180–182
Digital ID Center pages 33, 45, 57, 85, 88, 90, 105
  customizing 176–177
  locally hosting on Microsoft IIS 79–96
  locally hosting on Stronghold/Apache 110–114
  locally hosting on Sun ONE Web Server 96–109
  locally hosting on SunOne Web Server 96–110
  testing 95, 109, 114
domain name, fully qualified 11, 21, 28
Download OCSP Cert Wizard 71
Download Policy File Wizard 57, 59
dual key pair
  customizing the E-mail Wizard for 65
  selecting 37

E

e-mail
  Approval 63
  Confirmation 63
  rejection 63
  Renewal 63
  replacement 63
E-mail Wizard
  configuring 61–65
  re-authentication renewal 170
Enable Application Integration page 36
encryption certificate
  E-mail Wizard 65
  vsautoauth.conf 141, 145
Enter E-mail Address page 35
Enter Local Hosting Base URL page 45
Enter Passcode Authentication Parameters page 44

F

failover, Local Hosting and VeriSign Registration Authority servers 191
files, backing up in Pilot environment 175
firewall, VeriSign Registration Authority with 122
flat file authentication 186
  Outsourced Authentication with 155
fully qualified domain name 11, 21, 28

G

Go Secure! for Microsoft Exchange
  CGI scripts with 21
  Exchange server parameter 117
  Local Hosting with 21–22
  overview 20–26
  Remote hosting with 20, 21, 23
  VeriSign Registration Authority with 23–26
Go Secure! for Web Applications 27–28
  overview 27–28

H

hardware security modules see Luna Tokens
hardware signing 2, 139
  example vsautoauth.conf 146
  moving to production 178
  requirements for Go Secure! for Microsoft Exchange with VeriSign Registration Authority 23
  requirements for VeriSign Registration Authority 17
  setting up 144–147
http 17, 23, 28, 45, 122
https 12, 22, 45

I

IIS, configuring Local Hosting with 79–95
Install CA Wizard 68
install program
  adding options with customizer.exe 189
  Microsoft Internet Information Server 79
  Sun ONE and iPlanet Server 96, 110, 177
  VeriSign Registration Authority 123
installation overview for Managed PKI 8
installing
  Automatic Renewal 170
  Client Authentication Renewal 170
  hardware signing option 144–147
  Local Hosting on Microsoft IIS 79–96
  Local Hosting on Stronghold 110–114
  Local Hosting on Sun ONE Web Server 96–109
  MSI packages 180–182
  Re-authentication Renewal 170
  secure channel 161–168
  software signing option 141–143
  token 75–76
  VeriSign Registration Authority 123–127
installing Local Hosting with Sun ONE Web Server 96–120
installing Luna hardware and drivers 144
Instant Issue 69
iPlanet Server, installing 96–109

K

key
  private 1, 17, 38, 41, 69, 75, 139, 178
  public 38
Key Recovery Wizard 71
key.pem file 164, 166

L

Latin-1 (West European) 42
LDAP 28
  Outsourced Authentication with 156
LDAP directory, requirements for VeriSign Registration Authority 17
lifecycle pages see Digital ID Center
Lightweight Directory Access Protocol see LDAP
Linux
  sitekit directory 97, 111
  VeriSign Registration Authority sitekit directory 124
Local Hosting 1
  CGI scripts 11
  installation overview 77–78
  installing IIS with 79–95
  installing on Microsoft IIS 79–96
  installing on Stronghold 110–114
  installing on Sun ONE Web Server 96–109
  overview 11–12
Local Hosting requirements 11
Local Hosting server 11, 15, 21, 23, 116, 118, 176, 186
  requirements for VeriSign Registration Authority 17
Logo Wizard 61, 78
LUNA parameter 116
Luna token 2, 17, 139, 178
  configuring 144–147
  installing the RA certificate on 144–147

M

Managed PKI
  additional configuration 58–71
  basic requirements 6–9
  before enrolling 6
  configuration testing 71–73
  configuring 29–73
  installation overview 8
  Local Hosting 1
  organizational requirements 6–9
  pilot system 6
  production system 6
Managed PKI Control Center 38, 72, 131
Managed PKI overview
  Go Secure! for Microsoft Exchange 20–26
  Go Secure! for Web Applications 27–28
  Local Hosting 11–12
  Passcode Authentication 13–15
  Remote Hosting 10
  VeriSign Registration Authority 15–19
Manual Approval 69
manual authentication, policy file download 57
Microsoft Internet Information Server, installing Local Hosting on 79–96
Microsoft Management Console 82, 86
moving to production 173–178
MSI packages, deploying 180–182
multiple VeriSign Registration Authority servers 125

N

Netscape Enterprise Server see iPlanet server, Sun ONE server

O

OA see Outsourced Authentication
ODBC database
  configuring with Outsourced Authentication 153
  requirements for VeriSign Registration Authority 17
  VeriSign Registration Authority with 125
OnSiteMSI package 180–182
opting out of secure channel 167
organizational contact 6
output files
  key.pem 164, 166
  pkcs10.pem 165
  SecureServerRoot.pem 166
Outsourced Authentication 50, 153–160
  configuring flat file 155
  configuring for LDAP 156
  configuring ODBC 153

P

Passcode Authentication
  adding 44
  configuring 129–138
  distributing passcodes 138
  overview 13–15
  Remote Hosting with 13
  remote hosting with 13
PCA see Public Certification Authority
PCMCIA readers 17
Personal Trust Agent 28, 36, 41
  Pilot Managed PKI with 173
personal presence model 67
pestub.cfg
  configuring 115–117
  LUNA parameter 116
pestub.dll.local 185–187
  exceptions for using in production 187
pilot certificates 6, 178
Pilot Managed PKI 173
  backing up files for 175
  Personal Trust Agent with 173
pilot system 6
  moving from 173
  Policy Wizard 34
  RA certificate enrollment 143, 147
PIN, using to retrieve a certificate 65
pkcs10.pem file 165
planning your installation 5
Policy File Download page 57
policy file, downloading 56
Policy Wizard
  Certificate Publishing Policy page 56
  Configure Passcode Match Fields page 52
  Customize the Subscriber Certificates page 53
  Customize the Subscriber Enrollment page 47
  Enable Application Integration page 36
  Enter E-mail Address page 35
  Enter Local Hosting Base URL page 45
  Enter Passcode Authentication Parameters page 44
  moving to production with 176
  Outsourced Authentication with 153
  running 33–57
  Select Key Option page 37
  Specify Character Set page 42
  Specify the Authentication Method page 43
  Specify the Cryptographic Service Provider Name and Key Size page 39
  Specify the Security Feature for Subscriber’s Private Key page 41
  Specify the Wireless Parameters page 46
  Subscriber Agreement Displaying Policy page 55
private Certification Authority 6
private key 1, 17, 38, 41, 69, 75, 139, 178
Private Managed PKI 56
Process Requests page 72
Production Managed PKI 176
  applying for certificates in 176
production system
  moving to 173–178
  organizational requirements 6
  Policy Wizard 34
  RA certificate enrollment 143, 147
  VeriSign Registration Authority 7
Professional Services Organization 6
  engagement 6, 7
PSO see Professional Services Organization 6
PTA see Personal Trust Agent
Public Certification Authority 6
public key 38
Public Managed PKI 56

R

RA certificate, renewing 149
read-only role 68
Re-authentication Renewal 2, 170
recovery data source 16
Red Hat Stronghold Server see Stronghold Server
registration 16
Registration Authority 2, 139
  CSR 142, 148, 149
  enrollment web site 148, 149
Registration Authority certificate, used by VeriSign Registration Authority 139
registration data source 16, 31, 122
  setting up the secure channel for 167
rejection e-mail 63
Remote Hosting 1
  overview 10
  Passcode Authentication with 13
remote hosting, Passcode Authentication with 13
renewal
  authentication policy for 69
  Automatic Renewal 2, 170
  Client Authentication Renewal 2, 170
  Re-authentication Renewal 2, 170
Renewal e-mail, configuring 63
renewal notice
  delivery of 70
  period of 70
  Renewal Wizard 68
Renewal Wizard 68–70
renewing your RA certificate, hardware signing option 149
replacement e-mail 63
roles see administrator roles

S

SafeNet 178
secure channel 2
  acquiring a secure server certificate 163
  components 163
  configuring for VeriSign Registration Authority 163
  generating the certificate request 164
  set up 161–168
Secure Server certificates 163
Secure Sockets Layer
  Go Secure! for Microsoft Exchange 21, 24
  Go Secure! for Web Applications 28
  Local Hosting enrollment pages 11
  secure channel 163
  VeriSign Registration Authority 18
SecureServerRoot.pem 166
Security Administrator role 67
Select Key Option page 37
service provider, cryptographic 39
signing certificates, E-mail Wizard 65
signing device 139
signing options
  setting up hardware signing 144–147
  setting up software signing option 141–143
single key pair
  customizing the E-mail Wizard for 65
  selecting 37
software signing 2
  example vsautoauth.conf 142
  moving to production 178
  setting up 141–143
Solaris
  site kit directory 97, 111
  VeriSign Registration Authority sitekit directory 124
Sophialite, configuring for proxy server 118
Specify the Authentication Method Wizard Page 43
Specify the Character Set page 42
Specify the Security Feature for Subscriber’s Private Key page 41
Specify the Wireless Parameters page 46
SSL see Secure Sockets Layer
Statement of Practices 66
Stronghold Server, installing Local Hosting on 110–114
Subscriber Agreement Displaying Policy page 55
Sun ONE Server, installing 96–109
Sun One Web Server, installing Local Hosting 96–120
Sun Solaris see Solaris
swkeygen 142, 148

T

test Managed PKI configuration 71
token, installing 75–76

U

Unicode character set 42
URL
  for Go Secure! for Web Applications 28
  Local Hosting 11
UTF-8 character encoding 42

V

validity period 70
verification data source 16, 122
  configuration 224
  setting up the secure channel for 167
VeriSign hosting 13
VeriSign Registration Authority 1
  configuration file 124
  configuring Luna hardware and drivers 144
  Go Secure! for Microsoft Exchange with 23–26
  implementation strategy 122
  installing 123–127
  Local Hosting with 15–19
  organizational requirements 6
  Outsourced Authentication 153–160
  overview 15–19
  Secure Server Certificate 165
  signing options 139
VeriSign Registration Authority server
  Go Secure! for Microsoft Exchange with 23–26
  installing 123–127
  moving to production 178
  opting out of secure channel 167
  RA certificates for 2
  secure channel 2
  Secure Server certificate request 163
VeriSign Registration Authority servers, running two simultaneously 125
vsautoauth.conf, configuring 141, 145
vsautoauth.conf file 141, 145
  hardware signing option 146
  software signing option 142
vsrasrv.cfg 143, 193
  configuring 124, 147

W

Web server
  Local Hosting 11, 45, 77
  Microsoft Internet Information Server 79–96
  PTA 28
  Stronghold Server 110–114
  Sun ONE Web Server 96–109
Windows, VeriSign Registration Authority site kit directory 124
wizards see configuration wizards
