Tivoli ® SecureWay ® Public Key Infrastructure Configuration Guide Version 3 Release 7.0 SH09-4529-02

Page 1: Public Key Infrastructure Configuration Guide · publib.boulder.ibm.com/tividd/td/PKI/SH09-4529-02/... · Tivoli® SecureWay® Public Key Infrastructure Configuration Guide Version 3


Note! Before using this information and the product it supports, read the general information under “Notices” on page 49.

Third Edition (November 2000)

This edition applies to IBM SecureWay Trust Authority, program 5648-D09, version 3 release 7 modification 0, and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 1999, 2000. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Chapter 1. About Trust Authority  1

Chapter 2. Overview  3

Chapter 3. How do I...?  5
  Prepare for configuration  5
    Set up the workstation  5
    Collect configuration data  6
  Configure the system  9
    Run the Setup Wizard  9
    Run CfgStart on AIX  11
    Run CfgStart on Windows NT  11
    Import configuration data  12
    Set up remote servers  13
    Specify DNs by typing them  14
    Use the DN Editor  15
    View configuration messages  18
    Verify the configuration  18
  Prepare for production  19
    Secure the Setup Wizard  20
    Change Directory permissions on AIX  20
    Change server passwords  20
    Edit configuration files  21
    Authorize registrars  21
    Back up the Trust Authority system  22
    Directory changes for DN flexibility  22
    Modify the ACL for new LDAP Suffix  22
  Customize the registration domain  22
  Reconfigure the system  23
  Use Trust Authority With Policy Director  23
  Uninstall Trust Authority  24
    Uninstall from AIX  24
    Uninstall from Windows NT  27

Chapter 4. Tell me about...  29
  Auditing  29
  Certificate authorities  30
  DB2® databases  30
  Directories  31
    Directory trees  31
    Root DNs  32
    Directory administrators  32
  PKIX CMP connections  32
  Registration domains  33
  SSL connections  33
  Web servers  34
  4758 coprocessors  35

Chapter 5. Reference  37
  Startup options  37
  Import options  38
  Trust Authority password options  38
  CA and Audit server options  39
  CA key options  39
  Directory server options  41
  Directory root options  41
  Directory administrator options  42
  Registration domain options  43
  Public Web server options  44
  Secure Web server options  44
  Trust Authority Client options  45
  Configuration summary  45
  Save configuration data  45
  Configuration process  46
  Keyboard alternatives for mouse actions  46
  National language considerations  47

Notices  49
  Trademarks and service marks  50
  Related information  53

Glossary  55

Index  73


About Trust Authority

IBM® SecureWay® Trust Authority provides applications with the means to authenticate users and ensure trusted communications:

¶ It allows organizations to issue, publish, and administer digital certificates in accordance with their registration and certification policies.

¶ Support for Public Key Infrastructure for X.509 version 3 (PKIX) and Common Data Security Architecture (CDSA) cryptographic standards allows for vendor interoperability.

¶ Digital signing and secure protocols provide the means to authenticate all parties in a transaction.

¶ Browser- and client-based registration capabilities provide maximum flexibility.

¶ Encrypted communications and secure storage of registration information help ensure confidentiality.

A Trust Authority system can run on IBM® AIX/6000® and Microsoft® Windows NT® server platforms. It includes the following key features:

¶ A trusted Certificate Authority (CA) manages the life cycle of digital certification. To vouch for the authenticity of a certificate, the CA digitally signs each one it issues. It also signs certificate revocation lists (CRLs) to vouch for the fact that a certificate is no longer valid. To further protect its signing key, you can use cryptographic hardware, such as the IBM SecureWay® 4758 PCI Cryptographic Coprocessor.

¶ A Registration Authority (RA) handles the administrative tasks behind user registration. The RA ensures that only certificates that support your business activities are issued, and that they are issued only to authorized users. The administrative tasks can be handled through automated processes or human decision-making.

¶ A Web-based enrollment interface makes it easy to obtain certificates for browsers, servers, and other purposes, such as virtual private network (VPN) devices, smart cards, and secure e-mail.

¶ A Windows® application, the Trust Authority Client, enables end users to obtain and manage certificates without using a Web browser.

¶ A Web-based administration interface, the RA Desktop, enables authorized registrars to approve or reject enrollment requests and administer certificates after they have been issued.

¶ An Audit subsystem computes a message authentication code (MAC) for each audit record. If audit data is altered or deleted after it has been written to the audit database, the MAC enables you to detect the intrusion.

¶ Policy exits enable application developers to customize the registration processes.


¶ Integrated support for a cryptographic engine. To authenticate communications, the core Trust Authority components are signed with a factory-generated private key. Security objects, such as keys and MACs, are encrypted and stored in protected areas called KeyStores.

¶ Integrated support for IBM SecureWay Directory. The Directory stores information about valid and revoked certificates in an LDAP-compliant format.

¶ Integrated support for IBM WebSphere™ Application Server and IBM HTTP Server. The Web server works with the RA server to encrypt messages, authenticate requests, and transfer certificates to the intended recipient.

¶ Integrated support for the award-winning IBM DB2® Universal Database.


Overview

After installing the Trust Authority software, you must run the Setup Wizard to configure the system for your environment. For example, you need to specify where the different server programs were installed so that they can communicate.

¶ Select a “How do I...?” topic to learn about configuration-related tasks, such as how to define distinguished names, how to verify the configuration process, and how to prepare the system for release in a production environment.

¶ Select a “Tell me about...” topic to learn about concepts you need to understand when configuring the system. For example, you can learn about how Trust Authority interacts with the Directory or obtain guidelines for using cryptographic hardware.

¶ Select a “Reference” topic to learn about the values you can or must specify when running the Setup Wizard.

For the latest product information, you should review the Readme file before you begin to configure the system. The latest version of the Readme file is available at the IBM SecureWay Trust Authority Web site: http://www.tivoli.com/support


How do I...?

The topics in this section show you how to configure IBM SecureWay Trust Authority. Typical tasks include the following:

¶ Collecting information that you need to configure your system

¶ Using the Distinguished Name Editor to define DNs

¶ Setting up Trust Authority server programs and databases on remote machines

¶ Importing a set of configuration values to a new Trust Authority system

¶ Verifying that the system is configured correctly

After you configure the system, you should review several topics that can help you put your new Trust Authority system into production mode. Procedures are also available for uninstalling the product software, if you decide you need to remove it from your system.

Prepare for configuration

Before you begin to configure IBM SecureWay Trust Authority, you need to make sure that your workstation is set up correctly to run the Setup Wizard. You also need to gather information about your environment so that you can provide appropriate responses in the Setup Wizard.

Review the guidelines in the following sections to make sure that you are ready to begin the configuration process.

Set up the workstation

For best performance, you should run the Setup Wizard on a machine that is separate from the Trust Authority server machine. Doing so helps ensure that the maximum amount of system resources are available for running the applet.

To run the Setup Wizard, IBM recommends the following workstation configuration:

¶ The following physical machine setup:
  v Intel Pentium® processor with at least 96 MB of RAM, or better
  v A computer display that supports 1024x768 or higher resolutions at 65536 colors, or better

¶ One of the following operating systems:
  v IBM AIX®
  v Microsoft Windows 95, Windows 98, or Windows NT

¶ A Web browser that supports JDK 1.1–based applets, such as:
  v Netscape Navigator and Netscape Communicator, version 4.6 or later
  v Microsoft Internet Explorer, version 5.0 or later


¶ The Java Swing Library (swingall.jar) version 1.1, locally installed. If you do not already have this version of the library, you can download it when you access the URL for the Setup Wizard. See “Run the Setup Wizard” on page 9 for details.

Browser Considerations: You must install the official version of the browser as distributed by Netscape or Microsoft. Versions obtained from third-party vendors may not display information correctly, especially when running the applet in a language other than English.

If you need to run the Wizard on the Trust Authority server, and are running it on a Windows NT platform, you should use Microsoft Internet Explorer version 5.0 or later. The performance of the applet under a Netscape browser is much slower.

If you need to run the Setup Wizard with a Netscape browser, and are running it on an AIX platform, you will not be able to view the progress of the configuration process. Note that the configuration program runs to a successful completion, but you will not be able to view the process status as it progresses.

Make sure that your browser does not use an HTTP proxy to access the Trust Authority server. If it does, the applet may experience various time-outs that could cause the configuration progress display to fail.

Collect configuration data

During configuration, the Setup Wizard prompts you for the information shown in the “Trust Authority Configuration Data Form” on page 7. You should gather this information before starting the configuration process.

If you plan to install more than one Trust Authority server, you may want to print the form and record your choices. It may help you identify the particular set of configuration values that you want to import to a new installation.

Note: The Setup Wizard provides default values for many of the configuration options. In most cases, you should accept these values. Change them only if you are sure you need to do so.


Trust Authority Configuration Data Form

Window | Description | Default Value | Your Value

Import Configuration Data | File name of a configuration data file you want to import. | None. |

Trust Authority Password | Password for the server components. Must contain 8 characters. | None. |

CA and Audit Server | Server virtual host name or IP address. | Fully-qualified host name of your RA server |
CA and Audit Server | Listening port for the CA server. | 1830 |
CA and Audit Server | Listening port for the Audit server. | 59998 |
CA and Audit Server | DN for the CA. | /C=US/O=YourOrganization/OU=TrustAuthority/CN=TrustAuthority CA |

CA Key | CA signature algorithm. | sha-1WithRSAEncryption | sha-1WithRSAEncryption
CA Key | CA key size. | 1024 | 1024
CA Key | Should this CA use 4758 hardware? | No | Yes / No
CA Key | If using 4758 hardware, the RSA key size. | 1024 | 512 / 768 / 1024 / 2048
CA Key | Do you want to store the CA key in 4758 hardware? | No (recommended) | Yes / No

Directory Server | Server virtual host name or IP address. | Fully-qualified host name of your RA server |
Directory Server | Listening port for Directory requests. | 389 |
Directory Server | Do you want to use an existing Directory? | No | Yes / No

Directory Root DN | Directory root DN. | /C=US/O=YourOrganization/OU=TrustAuthority/CN=Ldap RootDN |
Directory Root DN | Directory root password. | None. If you previously installed the Directory, this must match the existing root password. |

Directory Administrator | Directory administrator DN. | /C=US/O=YourOrganization/OU=TrustAuthority/CN=DirAdmin |
Directory Administrator | Directory administrator password. | None. If you previously installed the Directory, this must match the existing administrator password. |
Directory Administrator | Should the Directory administrator update the Directory? | Yes (recommended) | Yes / No

Registration Domain | Domain name. Cannot contain spaces. | YourDomain |
Registration Domain | Domain language. | English |
Registration Domain | Domain installation directory. | AIX: /usr/lpp/iau/pkrf/Domains; Windows NT: c:\Program Files\IBM\Trust Authority\pkrf\Domains |

Public Web Server | Server virtual host name or IP address. | Fully-qualified host name of your RA server |
Public Web Server | Listening port for requests that do not require encryption or authentication. | 80 |

Secure Web Server, Without Client Authentication | Server virtual host name or IP address. | Fully-qualified host name of your RA server |
Secure Web Server, Without Client Authentication | Listening port for SSL requests that do not require client authentication. | 443 |

Secure Web Server, With Client Authentication | Server virtual host name or IP address. | Fully-qualified host name of your RA server |
Secure Web Server, With Client Authentication | Listening port for SSL requests that must be client-authenticated. | 1443 |

PKIX Client | Listening port for PKIX CMP requests from client applications. | 829 |

Save Configuration Data | File name for the configuration data file. Type a name that supports AIX or Windows NT conventions. Do not type a file extension. | DatabaseBackup |
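The DN defaults in the form above are written in a slash-separated, root-first notation. The following POSIX shell helper is an added example, not code from the guide or the product: it checks that a DN in that notation is well formed (leading slash, every RDN of the form type=value) and converts it to the comma-separated, leaf-first LDAP string form that an ldapsearch base DN expects. The RFC 2253 ordering and comma escaping are standard; that the Trust Authority Directory accepts the converted form unchanged is my assumption, and the sample DNs are the guide's defaults plus one constructed value.

```shell
#!/bin/sh
# Added example (not part of the Trust Authority guide): validate a DN written in
# the guide's slash-separated, root-first form and convert it to the LDAP string
# form. Assumption: the Directory expects RFC 2253 order (leaf RDN first).

# Return 0 if the DN starts with "/" and every RDN is "type=value" with a
# non-empty alphanumeric type and a non-empty value; otherwise return 1.
validate_slash_dn() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F/ '
    {
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^[A-Za-z][A-Za-z0-9]*=.+$/) { exit 1 }
        }
        exit 0
    }'
}

# Print the DN in RFC 2253 form: RDNs reversed and joined with commas, so
# /C=US/O=Org/CN=Name becomes CN=Name,O=Org,C=US. A comma inside a value is
# escaped as "\," so it is not mistaken for an RDN separator.
slash_dn_to_ldap() {
    validate_slash_dn "$1" || return 1
    printf '%s\n' "$1" | awk -F/ '
    {
        out = ""
        for (i = NF; i >= 2; i--) {
            n = split($i, parts, ",")
            rdn = parts[1]
            for (j = 2; j <= n; j++) rdn = rdn "\\," parts[j]
            out = out (out == "" ? "" : ",") rdn
        }
        print out
    }'
}

# Usage with the guide's default CA DN:
slash_dn_to_ldap '/C=US/O=YourOrganization/OU=TrustAuthority/CN=TrustAuthority CA'
# prints: CN=TrustAuthority CA,OU=TrustAuthority,O=YourOrganization,C=US
```

Run the validator over every DN you enter in the form before you start the Setup Wizard; a DN that fails it (a missing leading slash or an empty value such as "O=") is the kind of typing error that is easier to catch here than after the Directory has been populated.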


Configure the system

When you configure IBM SecureWay Trust Authority, you specify options for setting up the software in your environment. The topics in this section discuss the different ways that you can configure the Trust Authority components. They also show you how to save configuration values for reuse in a later Trust Authority installation. Topics you should review include the following:

¶ Running the Setup Wizard

¶ Importing configuration data

¶ Setting up remote servers

¶ Specifying DNs by typing them

¶ Using the DN Editor to specify DNs

¶ Viewing configuration messages

¶ Verifying the configuration

Run the Setup Wizard

When you are ready to begin configuration, use this procedure to start and run the Setup Wizard.

1. Make sure that your browser is ready to run the applet. This step is critical. See “Set up the workstation” on page 5 before proceeding.

2. Log in as the Trust Authority configuration user (typically, cfguser).

3. Access the URL where the index page for the applet was installed. In the following example, secure_Web_server identifies a secure Web server port on the machine where you installed the main Trust Authority code: https://secure_Web_server:81/

4. Respond to the browser prompts for accepting a self-signed certificate.

¶ If you are using a Netscape browser, you will be prompted to accept a New Site Certificate. Click Next repeatedly until you click Finish to accept the certificate. When prompted, you should choose the option to Accept this certificate forever (until it expires).

¶ If you are using Internet Explorer, you see a message that indicates that the certificate issuer is unknown. Click Yes to accept the certificate and proceed.

5. Respond to the browser prompt for a username and password with cfguser for the username prompt, and enter the cfguser password specified when the account was created for the password prompt.

6. The browser presents information about the Setup Wizard, such as information about how to download and install the version of Swing that is required for the applet.

Note: If you have not already done so, download and configure Swing on your system before proceeding. You must verify that the swingall.jar file was correctly installed. After adding the CLASSPATH variable to your system environment, you must restart the browser before attempting to load the configuration applet.


In some instances, Microsoft Internet Explorer may rename the file to swingall..jar during the download. To resolve the problem, you can either rename the file to swingall.jar or download the file again.

7. When you are sure that your workstation is ready to begin the configuration process, click the link to CfgSetupWizard.html.

Note: After starting the applet, be patient. You must wait until the applet completely loads the configuration database before attempting to enter data in any fields.

Under Microsoft Internet Explorer, the Java Console (if you elect to display it) may show a lengthy security exception. This may happen if the Swing UI Manager tries to load a property file that is not accessible to downloadable applets. You can ignore this harmless exception.

8. Advance through the applet by specifying values and clicking Next to proceed. In many cases, you can accept the displayed default values.

¶ If you type an incorrect value, or if you attempt to proceed before providing information in a required field, the applet displays a message. Until you supply a value, an arrow symbol next to the field indicates that the field is missing required data.

¶ Occasionally, a text entry field may be selected even though it does not contain text. When this happens, you are prevented from entering characters in the field. To resolve this problem, press the Home key to reset the selection of the text field and free it to accept text.

¶ As you move your cursor over a field, the applet displays a brief line of help for that field.

¶ To view more descriptive information about all the fields in a given window, click a Help button at any time.

¶ To view detailed information about Trust Authority configuration, click the book icon while viewing online help. This action opens this book, the Trust Authority Configuration Guide.

9. After saving your configuration values, you must click the Finish button. This action starts the configuration program (CfgStart), updates the server configuration files, and creates the required databases. See “Run CfgStart on AIX” on page 11 and “Run CfgStart on Windows NT” on page 11 for more information about the configuration process.

Note: If you do not click Finish, the applet will be unable to export your values to a configuration file. It will also be unable to display a post-configuration page that contains information that can help you validate the configuration and start using Trust Authority.

10. Review the status messages as the configuration programs run. If you installed any components on remote machines, you will see messages that instruct you to perform an action on the remote system before the process can continue.


11. There are several post-configuration steps you must take to verify and secure the system before using it. See “Verify the configuration” on page 18 and “Prepare for production” on page 19 for details.

Run CfgStart on AIX

After specifying configuration values in the Setup Wizard and clicking Finish, the CfgStart program starts automatically.

If you installed Trust Authority in a multiple machine setup, you must review “Set up remote servers” on page 13 and ensure that you run CfgStart on each machine in the proper order.

The output of the configuration process is saved in the following file: /usr/lpp/iau/logs/instCfg.log. This is the file you should review in a typical production system.

After CfgStart begins, the Setup Wizard may mistakenly return an error message indicating that the configuration process on the AIX server has failed. You should click OK in the message dialog box and ignore the message. Do not click the Finish button again. Instead, observe the AIXCfgStart.out file to make sure that configuration is proceeding. When the messages in the AIXCfgStart.out file indicate that Trust Authority configuration has completed successfully, click on Finish to export your values to a configuration file.

Note: If you determine that a real error has occurred (for example, if you need to add disk space), address the problem. When you click on Finish again, configuration should proceed from the point where it left off.

If you set up the browser to use a proxy server, which is not recommended, it is possible to accidentally start more than one instance of the CfgStart program. You can tell that this has occurred if you see multiple process description lines as the result of running the following command:

ps -deaf | grep -v grep | grep CfgStart

The result of the above command execution should look similar to the following line:

root 24012 23502 60 16:51:02 - 0:48 /usr/lpp/iau/bin/CfgStart -i

If more than one instance is running, you should kill the extra CfgStart process (that is, the one with the later time stamp) by entering the following command, where process_ID is the number that follows the word root in the preceding sample output:

kill process_ID
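The ps and kill steps above can be scripted so that the process with the later time stamp is picked out mechanically instead of by eye. The following POSIX shell functions are an added example, not code from the guide: they read ps -deaf output on standard input, count the CfgStart instances, and print the PID of every instance except the earliest-started one. The sample ps lines are constructed to match the guide's sample output; the script assumes the AIX ps -deaf column layout (UID PID PPID C STIME TTY TIME CMD) and that all instances started on the same day, so STIME is HH:MM:SS and sorts as text.

```shell
#!/bin/sh
# Added example, not from the guide: detect extra CfgStart instances in
# `ps -deaf` output and report the PIDs that should be terminated (the ones
# with the later start time), leaving the original instance alone.
# Assumes the AIX `ps -deaf` column layout: UID PID PPID C STIME TTY TIME CMD,
# and that all instances started today (STIME is HH:MM:SS, so it sorts as text).

# Constructed sample output: two CfgStart instances, the second started later,
# plus an unrelated shell process that must be ignored.
SAMPLE_PS='root 24012 23502 60 16:51:02 - 0:48 /usr/lpp/iau/bin/CfgStart -i
root 24388 23502 12 16:54:17 - 0:03 /usr/lpp/iau/bin/CfgStart -i
root 23502 1 0 16:50:40 - 0:00 /usr/bin/ksh'

# Select CfgStart lines, dropping the grep process itself when run live.
cfgstart_lines() {
    grep -v grep | grep CfgStart
}

# Number of CfgStart instances in the ps output on stdin.
count_cfgstart() {
    cfgstart_lines | wc -l | tr -d ' '
}

# PIDs of every CfgStart instance except the earliest-started one, one per
# line. Lines are sorted by STIME (field 5); the first line is the original
# instance and is kept, so nothing is printed when only one instance exists.
extra_cfgstart_pids() {
    cfgstart_lines | sort -k5,5 | awk 'NR > 1 { print $2 }'
}

# Live use on the AIX server (review the list before killing anything):
#   ps -deaf | extra_cfgstart_pids
#   for pid in $(ps -deaf | extra_cfgstart_pids); do kill "$pid"; done

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_PS" | count_cfgstart        # prints 2
printf '%s\n' "$SAMPLE_PS" | extra_cfgstart_pids   # prints 24388
```

Because sorting by STIME alone decides which instance survives, check the list before killing anything on a machine where CfgStart was started on different days; in that case STIME shows a date rather than a time and the text sort no longer reflects start order.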

Run CfgStart on Windows NTIf you installed Trust Authority on Windows NT, you must manually start the CfgStartprogram after you click theFinish button in the Setup Wizard.

If you installed Trust Authority in a multiple machine setup, you must review “Set up remote servers” on page 13 and ensure that you run CfgStart on each machine in the proper order.

Use the following procedure to run CfgStart. The example shows the default installation path; your system may be different:


1. Open an MS DOS Command window.

2. Change to the bin subdirectory of the Trust Authority installation path. For example:

cd "c:\Program Files\IBM\Trust Authority\bin"

3. If you want to capture verbose or detailed output, modify the properties of the MS DOS Command window: Select the Layout tab, and increase the Height of the Screen Buffer Size to 9999.

4. Enter one of the following commands:

CfgStart (use for standard processing)
CfgStart -i (use to obtain verbose information)

While CfgStart is running, you may have problems with windows not being closed correctly. If this occurs, wait for the configuration process to end and then exit any open windows.

Additionally, if you are running the configuration process on an under-powered machine (such as one with less than 96 MB RAM), you might receive an error indicating that CfgStart is unable to start the IBM HTTP Server instance for your registration domain. Actually, the HTTP Server instance (which is the final component configured by the CfgStart program) is correctly started, but the check command has timed out. All the Trust Authority programs are running, but CfgStart is unable to clean up the passwords in the configuration database. If this problem occurs, you should take one of the following actions:

¶ Run CfgStart.exe again. This time it should complete and successfully clean up the passwords in the database. This is because the HTTP Server instance for the registration domain is already running (from the previous call to CfgStart.exe), which prevents the check command from timing out.

¶ Ignore the problem and complete the procedures to verify the configuration and obtain a certificate.

Import configuration data

To facilitate your ability to set up multiple Trust Authority systems with similar configurations, the Setup Wizard saves your configuration values into an exportable file. Later, you can import this file and use it as the baseline for setting up another Trust Authority system.

If you plan to install Trust Authority on multiple servers and set up a similar configuration on each, you may want to take advantage of this feature. The ability to import configurations also facilitates the migration of an existing system that was configured for an earlier release of Trust Authority.

Notes:

¶ If you attempt to import configuration data to a system that is already configured, you will destroy all existing data.

¶ When you import configuration data, you can import it only to a system that is running the same operating system. For example, you cannot import a configuration data file that contains values for an AIX platform and use it to configure Trust Authority under Windows NT.

Use the following procedure as a guideline for importing configuration data.

1. Install Trust Authority on one machine. Make a note of the name you give the data file when you save the configuration data.


2. Install a new instance of Trust Authority on a different machine.

3. Copy the configuration data file from the first Trust Authority machine to the second machine.

¶ In AIX, the default path for storing configuration data files is: /usr/lpp/iau/cfg/cfgdb/

¶ In Windows NT, the default path for storing configuration data files is: c:\Program Files\IBM\Trust Authority\cfg\cfgdb\

4. Start the Setup Wizard on the new machine. The first window asks you to specify whether or not you want to import configuration data from a previous installation. Click the check box to indicate that you do.

5. The next window instructs you to select the configuration data file you want to use for this installation. Select the file that you copied to this machine.

6. You must also specify whether you are installing a new Trust Authority server or migrating data from a previous version of the product.

7. When you click Next to continue, the Setup Wizard populates the remaining windows in the applet with information from the file you imported.

8. Selectively change the few values that need to be different for this installation of Trust Authority.

Set up remote servers

If you installed the CA, Audit, and Directory servers on the same machine as the main Trust Authority and Registration Authority server, the configuration programs run without prompting for information.

If you installed any server components on a remote machine, the Setup Wizard pauses when it reaches the point where that component needs to be configured. You must go to that machine and run the requested configuration program before continuing with configuration on the main Trust Authority server.

Use the following procedure as a guideline for configuring remote components after you click the Finish button in the Setup Wizard:

1. Note the progress in the Status column. When the applet reaches a point where a component that needs to be configured is not on the main Trust Authority server, it displays the message Partially Configured. It also displays a message window that tells you which component needs to be configured next.

2. Follow the instructions in the displayed message and go to the specified remote machine. You should configure components in the following order:

a. RA Server (start configuration for the main Trust Authority server)

b. Directory Server (create a database for Directory data and configure the Directory)

c. CA and Audit Server (create databases for CA and Audit data)

d. RA Server (create a database for registration data and configure the RA)

e. CA and Audit Server (configure the CA and Audit subsystem; the CA starts at the end of this process)

f. RA Server (set up enrollment and configure the HTTP and WebSphere™ Application Servers)


3. If you are running AIX, enter the following commands at the remote machine to catalog the configuration database, where TrustAuthorityServerName is the host name of the main Trust Authority server:

cd /usr/lpp/iau/bin (this is the default path for this program)
CfgPostInstall -r

4. Change to the Trust Authority configuration program directory, and run the CfgStart program as cfguser.

¶ In AIX, the default path for this program is: /usr/lpp/iau/bin/CfgStart

¶ In Windows NT, the default path for this program is: c:\Program Files\IBM\Trust Authority\bin\CfgStart

The CfgStart program creates the needed database on the remote server and performs additional configuration tasks. When it reaches the point where it cannot proceed, it displays a message that instructs you to return to the main Trust Authority server.

5. Go to the main server and click Continue in the message window to proceed with the configuration process. If you set up any components on a third machine, configuration continues until it reaches the point where configuration of that remote component is required.

6. Repeat the preceding steps to run the requested configuration programs on that remote machine, and then return to the main Trust Authority server.

The Setup Wizard displays a message when all the components have been successfully configured.

Specify DNs by typing them

Hint: To facilitate your ability to specify distinguished names (DNs), the Setup Wizard includes a graphical user interface, the Distinguished Name Editor. For greatest accuracy, you should use this tool to specify DNs for Trust Authority instead of typing them.

During configuration, you must specify unique DNs for several Trust Authority components: the CA, the Directory root, and the Directory administrator. If you are not familiar with the format of DNs in the X.509v3 standard, see “Use the DN Editor” on page 15 for assistance.

If you are familiar with the X.509v3 standard, you can type the DNs as you move through the Setup Wizard. Trust Authority supports the following DN attributes:

Entry    Length  Value

C=       4       The country where the object of the DN is located. This must match a string defined in the ISO 3166 standard.

ST=      128     The state or province where the object of the DN is located.

L=       128     The locality (city or municipality) where the object of the DN is located.

STREET=  128     The street address where the object of the DN is located.

O=       64      The name of the organization that the object of this DN is affiliated with.

OU=      64      The unit within the organization that the object of this DN is affiliated with, such as a corporate division or a product name. A single DN can contain up to four OU attributes.

CN=      64      The common name for the object of this DN, such as a person’s full name or the intended purpose of a device.

DC=      64      The domain component, which may consist of one or more relative distinguished names (RDNs). Each RDN contains a component of the entity’s internet domain name, with the most-significant component listed first. For example, the internet domain name "CS.UCL.AC.UK" can be transformed into /DC=UK/DC=AC/DC=UCL/DC=CS.

When typing the DN, you must adhere to the following DN format requirements:

¶ You must assign a descriptive or common name to identify the object. All other attributes are optional.

¶ Even though CN= is the only required attribute, a DN cannot be composed of the CN attribute only; the DN must contain another attribute in addition to the CN= attribute.

¶ Type the CN= attribute last.

¶ Precede each attribute by a forward slash (/), including the first entry.

¶ Do not use a closing separator.

¶ If a value contains special characters, enclose the value in double quotation marks (" ").

¶ If you include location attributes, type them in this sequence: /ST= /L= /STREET=.

¶ If you include organization attributes, type them in this sequence: /O= /OU=.

¶ You can interleave the location and organization attributes, so long as you maintain their respective sequences.

Trust Authority suggests the following sequences:

v /C=/DC=/ST=/L=/STREET=/O=/OU=/CN= (this is the preferred format)
v /C=/DC=/ST=/L=/O=/OU=/STREET=/CN=
v /C=/DC=/ST=/O=/OU=/L=/STREET=/CN=
v /C=/DC=/O=/OU=/ST=/L=/STREET=/CN=

Shown below is an example of a DN entry that uses the preferred format, where the domain name is TRUSTCA.IBM.COM:

/C=US/DC=COM/DC=IBM/DC=TRUSTCA/ST=MD/L=Gaithersburg/STREET=800 N. Frederick Avenue/O=IBM/OU=PKI/CN=TrustCA
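As an added example that is not part of the original guide, the following Python code checks a typed DN against the format rules and attribute lengths listed above and reports which of the four suggested sequences the DN follows. The rules and the example DN are taken from this section; the function and constant names are the example's own, quoted values are handled as described in the rules, and the C= value is not checked against the ISO 3166 list.

```python
import re

# Maximum value lengths from the attribute table above.
MAX_LEN = {"C": 4, "ST": 128, "L": 128, "STREET": 128,
           "O": 64, "OU": 64, "CN": 64, "DC": 64}

# Attributes within each group must keep this relative order; the two groups
# may be interleaved with each other.
ORDER_RULES = {"location": ["ST", "L", "STREET"], "organization": ["O", "OU"]}

# The four sequences the guide suggests (repeated DC/OU collapsed to one entry).
SUGGESTED = {
    "preferred":          ["C", "DC", "ST", "L", "STREET", "O", "OU", "CN"],
    "street after org":   ["C", "DC", "ST", "L", "O", "OU", "STREET", "CN"],
    "locality after org": ["C", "DC", "ST", "O", "OU", "L", "STREET", "CN"],
    "state after org":    ["C", "DC", "O", "OU", "ST", "L", "STREET", "CN"],
}

# One attribute: a leading slash, the name, '=', then either a double-quoted
# value (which may contain '/') or an unquoted value up to the next '/'.
_ATTR = re.compile(r'/([A-Z]+)=("[^"]*"|[^/]*)')

# The example DN from the guide, used for the self-check below.
EXAMPLE_DN = ("/C=US/DC=COM/DC=IBM/DC=TRUSTCA/ST=MD/L=Gaithersburg"
              "/STREET=800 N. Frederick Avenue/O=IBM/OU=PKI/CN=TrustCA")


def parse_dn(dn):
    """Split a slash-prefixed DN into a list of (attribute, value) pairs,
    removing the double quotes around quoted values."""
    if not dn.startswith("/"):
        raise ValueError("each attribute, including the first, must be preceded by '/'")
    if dn.endswith("/"):
        raise ValueError("do not use a closing separator")
    pairs, pos = [], 0
    while pos < len(dn):
        m = _ATTR.match(dn, pos)
        if not m:
            raise ValueError("malformed attribute at offset %d" % pos)
        attr, value = m.group(1), m.group(2)
        if value.startswith('"'):
            if len(value) < 2 or not value.endswith('"'):
                raise ValueError("unterminated quoted value for %s" % attr)
            value = value[1:-1]
        pairs.append((attr, value))
        pos = m.end()
    return pairs


def dn_problems(dn):
    """Return the list of format rules the DN violates (empty when it is valid)."""
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    attrs = [attr for attr, _ in pairs]
    for attr, value in pairs:
        if attr not in MAX_LEN:
            problems.append("unsupported attribute %s" % attr)
        elif not value:
            problems.append("empty value for %s" % attr)
        elif len(value) > MAX_LEN[attr]:
            problems.append("%s value exceeds %d characters" % (attr, MAX_LEN[attr]))
    if "CN" not in attrs:
        problems.append("a CN attribute is required")
    elif attrs[-1] != "CN":
        problems.append("CN must be the last attribute")
    if len(attrs) < 2:
        problems.append("a DN cannot consist of the CN attribute alone")
    if attrs.count("OU") > 4:
        problems.append("at most four OU attributes are allowed")
    for group, order in ORDER_RULES.items():
        ranks = [order.index(a) for a in attrs if a in order]
        if ranks != sorted(ranks):
            problems.append("%s attributes must appear in the order %s"
                            % (group, " ".join(order)))
    return problems


def suggested_sequences(dn):
    """Names of the suggested sequences this DN is consistent with, ignoring
    attributes it does not use and collapsing repeated DC/OU entries."""
    collapsed = []
    for attr, _ in parse_dn(dn):
        if not collapsed or collapsed[-1] != attr:
            collapsed.append(attr)
    return [name for name, seq in SUGGESTED.items()
            if collapsed == [a for a in seq if a in collapsed]]


if __name__ == "__main__":
    print(dn_problems(EXAMPLE_DN), suggested_sequences(EXAMPLE_DN))
```

dn_problems returns an empty list for the example DN above and reports, for instance, a DN in which STREET precedes L or in which CN is not the final attribute; suggested_sequences lists every suggested order a DN is compatible with, so a DN with no location attributes matches all four.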

See Trust Authority Up and Running for more information about how Trust Authority uses the Directory.

Use the DN Editor

Whenever the Setup Wizard asks you to specify a distinguished name (DN), you can click the DN Editor icon to start the Distinguished Name Editor.


This graphical user interface makes it easy for you to specify the parts of the DN you want to include. It also keeps you from having to be knowledgeable about the syntax of the DN. You simply fill in the blanks for the attributes you want to include in the DN, and then select from a list of attribute sequences.

The DN Editor divides the parts of the DN into several tabbed areas:

¶ One collects general information about the person, program, or device for which the DN is being created (the object of the DN)

¶ One collects information about the organization that owns the object of the DN

¶ One collects information about where the object of the DN is located

¶ One identifies the sequential format for the various parts of the DN

General Information

Common name: Type a descriptive name for the object of this DN. For an individual, this is typically the person’s full name. For servers, applications, devices, or other objects, you should assign a name that will help you identify its function or purpose.

Country: Select the country where the object of this DN is located.

Domain name: Type the internet domain name that identifies this entry.

Organization Information

Organization name: Optionally type the name of the organization that the object of this DN is affiliated with. Typically this is the legally registered name of the organization. To include an organizational unit, you must first specify the organization name.

Organizational unit: Optionally identify the unit within the organization that the object of this DN is affiliated with. For example, this could be an organizational division such as Customer Accounts, or a category of work such as a product name. You can associate a given DN with up to four organizational units.

Location Information

State or province: Optionally identify the state or province where the object of the DN is physically located. This may also be a geographical area that the object is associated with in some meaningful way. Typically, this is the location of the organization that the DN is affiliated with.

Whether you spell out the full name of the state or province, or use a standard abbreviation, depends on your registration preferences. For example, use either New York or NY.

Locality: Optionally identify the city or municipality where the object of the DN is physically located, such as Chicago or Paris. This may also be some geographical area that is meaningful to the object of the DN in some way. To include information about the locality, you must first specify the state or province.

Street address: Optionally identify the street address where the object of the DN is located. Typically, this is the street address of the organization that the DN is affiliated with. To include a street address, you must first specify the locality and the state or province name.

Format Type: After identifying the attributes that will make this DN unambiguous and unique, you must select the attribute sequence. When you select an option, the DN Editor displays an example of what the DN looks like in the selected order.

The sequence you choose depends entirely on how your organization views its structure, the entities it intends to include in a given administrative domain, and how it intends to use and search the Directory.

For example, if your organization has offices in multiple locations, you may want to specify location information before organization information. In this approach, a Directory query could be limited to entries that belong to a particular geographical area.

Note that the DN Editor may show truncated text in the right margin of the Format area where it displays the format of the DN. This is a display error; it does not impact the actual format of the DN being created.

Location first: This is the default and preferred format, in which all location information precedes organization information. The sequence of the attributes is as follows:

/Domain name/Country/State or province/Locality/Street address/Organization/Organizational unit/Common name

Street address follows organization: In this format, information about the organization precedes the street address that is associated with the object of the DN. The sequence of the attributes is as follows:

/Domain name/Country/State or province/Locality/Organization/Organizational unit/Street address/Common name

Locality follows organization: In this format, information about the organization precedes the city or municipality that is associated with the object of the DN, and its street address. The sequence of the attributes is as follows:

/Domain name/Country/State or province/Organization/Organizational unit/Locality/Street address/Common name

State or province follows organization: In this format, information about the organization precedes the location information. The sequence of the attributes is as follows:

/Domain name/Country/Organization/Organizational unit/State or province/Locality/Street address/Common name


View configuration messages

After you click the Finish button to start the configuration process, a series of configuration programs run. These programs apply the configuration values you specified to the various Trust Authority server components and create the component databases.

While the configuration process is running, the Status column provides the general status of each component as it is being configured.

For more detailed information about the progress of the programs, click the View Advanced Messages button.

Troubleshooting on Windows NT

There is a known file locking problem under Windows NT that may cause the Setup Wizard to fail when it tries to retrieve the current contents of the configuration log file from a Windows NT server. When you click the View Advanced Messages button, this problem results in a blank dialog window.

If you experience this problem, you should close the blank window, and click View Advanced Messages again to allow the Setup Wizard to retrieve the contents of the log file. If the problem persists, you can repeat this action until the window shows the contents of the log file, or go to the Trust Authority server machine and view the log file directly. The log file, instCfg.log, is located in the logs subdirectory of the installation root. The following example shows the default installation path:

c:\Program Files\IBM\Trust Authority\logs\instCfg.log

Verify the configuration

After the configuration process ends, you need to confirm that the system is correctly configured. This procedure instructs you to verify your ability to obtain a certificate twice: once after the system has been initially configured and again after the system has been completely shut down and restarted.

1. When configuration is complete, click Exit to exit the Setup Wizard.

2. The applet exits to the Trust Authority Configuration Verification page. Click the link to the enrollment Web site.

If the Configuration Verification page is not displayed, you can access the enrollment Web site at the following URL, where MyPublicWebServer is the host name of your public Web server and MyDomain is the name of your registration domain:

http://MyPublicWebServer:80/MyDomain/index.jsp

The browser opens the enrollment index page, which in the default installation is named Credential Central. Your organization may have named it something else.

3. Click the link to install your server’s CA certificate. This certificate enables your browser to authenticate communications from the enrollment services. If you connect to the enrollment services from this browser in the future, you can omit this step.

4. In the Certificate Enrollment area:

a. Select Enrollment Type → Browser certificate.

b. Select Action → Enroll.


c. Click OK.

5. Follow the online instructions to complete both parts of the registration form.

¶ When selecting the Type of Certificate in the Registration Information part of the form, select Web Client Authentication (1 Year). In the default installation, this action allows the certificate request to be handled by an automated approval process.

¶ Click Install CA Certificate to Browser. This certificate defines information specific to browser enrollment. When you enroll for browser certificates in the future, you can omit this step. Note that the first time you enroll for a server or device certificate, you must select this option again to install the CA certificate that supports that certificate type.

6. When satisfied with your enrollment data, click Submit Enrollment Request.

7. Follow the online instructions to check the status of your request. Be sure to bookmark the status page. This is the easiest way to return and check your status.

As a safeguard, you should record the request ID that is displayed after you submit the request. If you specified that you wanted to receive an e-mail notification on the enrollment form, the request ID will be sent to you.

8. The first time you check your status after the request has been approved, the certificatewill be automatically downloaded and installed in your browser. Follow the onlineinstructions in the approval notification to confirm that it was correctly installed.

9. Follow the procedures in the Trust Authority System Administration Guide to stop all Trust Authority components. If you installed Trust Authority on multiple machines, be sure to stop each server program in the proper order.

10. Stop the WebSphere Application Server and IBM HTTP Server instances associated with the Setup Wizard by entering Ctrl-C in the respective windows.

11. Reboot the main Trust Authority machine (the RA Server).

12. Follow the procedures in the Trust Authority System Administration Guide to start all Trust Authority components. If you installed Trust Authority on multiple machines, be sure to start each server program in the proper order.

13. Repeat the preceding steps (step 2 on page 18 through step 8) to again confirm your ability to obtain a browser certificate.

After successfully installing this second certificate, your system is ready to begin processing requests. For complete information about the enrollment process and the different types of certificates available to users, see the Trust Authority User’s Guide.

Prepare for production

After verifying the installation of your new Trust Authority system, there are several steps you should take to finalize the system’s setup and secure it for a production environment.

¶ Secure the Setup Wizard.

¶ Change Directory permissions (AIX only).

¶ Change the server passwords.

¶ Edit configuration files (only if necessary).


¶ Authorize registrars.

¶ Back up the newly configured system.

¶ Customize the registration domain.

¶ Educate your administrators and users. Refer to the following books for assistance:

v Trust Authority RA Desktop Guide, for information about how to access and use the RA Desktop to administer certificates.

v Trust Authority User’s Guide, for information about using the browser-based enrollment forms and the Trust Authority Client application to obtain and manage certificates.

Secure the Setup Wizard

After running the Setup Wizard and applying configuration values, you should secure the applet to protect it from being run on this Trust Authority server again. Once you have configured a given Trust Authority system, you cannot reconfigure it. Although there are flags in the configuration programs to prevent certain components from being configured again, you may want to take additional steps to safeguard the applet.

To prevent the Setup Wizard from being run again, you should rename it or move it to a directory where it cannot be readily accessed. During installation, the Setup Wizard is installed at the following locations:

¶ In AIX, the default path for the applet is: /usr/lpp/iau/cfg/CfgSetupWizard.html

¶ In Windows NT, the default path for the applet is: c:\Program Files\IBM\Trust Authority\cfg\CfgSetupWizard.html

Change Directory permissions on AIX

If you configured Trust Authority on an AIX platform, you need to change the ownership permissions for the slapd.conf file. During configuration, Trust Authority sets the owner of certain Directory configuration files to cfguser.cfggrp. You need to change the owner to ldap.ldap. Doing so will allow the Directory administrator to make changes necessary for other products that may share the Directory with Trust Authority. To do this, take the following steps:

1. Log in as root.

2. Enter the following command to change directories:

cd /usr/ldap/etc

3. Enter the following command to set the appropriate ownership permissions:

chown ldap.ldap slapd.conf

Change server passwords

When you configure Trust Authority, you specify the following passwords:

¶ One to secure the Trust Authority server components

¶ One for the Directory root

¶ One for the Directory administrator

You need to remember these passwords to be able to run certain administrative tools. Furthermore, before putting your system into production mode, you must run the Change Password utility and specify a password for each trusted component. To secure your system, control access to it, and allow the components to be started securely, this step is critical.

The keys that enable the server components to be authenticated are stored in separate encrypted KeyStores. The first time you run the utility, you must specify the passwords that you specified during configuration.

¶ You must specify the Trust Authority server password to access most of the component KeyStores and change their passwords.

¶ You must specify the Directory administrator password to access the Directory Administrator KeyStore and change its password.

After you change a password, only the authorized component can access the KeyStore and the keys and encrypted data in it.

For complete information about using the Change Password utility, see the Trust Authority System Administration Guide.

Edit configuration files

After you save your configuration values and start the configuration process, the configuration programs update several configuration files. These files control the runtime behavior of the product components.

You can and should use the configuration values as they are set during the configuration process. However, you may want to adjust certain values to better meet the needs of your operational environment. For example, you may want to adjust a server timeout value or adjust a polling interval.

To facilitate your ability to change operational values, Trust Authority provides a utility for editing configuration files. Before using the IniEditor utility to make changes to a configuration file, be sure to create a backup copy of the file.

For information about editing Trust Authority configuration files, and information about which parameters you can or cannot change, see the Trust Authority System Administration Guide.

Authorize registrars

Trust Authority supports automated approval for registration requests. To permit a human administrator to review requests, and approve or reject them accordingly, you must designate the user as a Trust Authority registrar. After being authorized, the registrar can run the RA Desktop to administer certificates and enrollment requests. To support your registration workload, you can authorize any number of registrars.

To facilitate this process, Trust Authority provides a command line utility. When you use the add_rauser utility to authorize an administrative user, you identify the registration domain and specify the user’s privileges. For example, you might authorize one registrar to approve and reject requests only, but authorize another registrar to revoke certificates as well.

¶ For information about adding registrars, see the Trust Authority System Administration Guide.

¶ For information about accessing and using the RA Desktop, see the Trust Authority RA Desktop Guide.


Back up the Trust Authority system

Before putting your system into production, make sure that you have a current backup of all server components and their database repositories. This includes:

¶ The main Trust Authority server, including the Registration Authority, all Trust Authority core software and support utilities, and the databases created for configuration and registration data.

¶ The Web server, including WebSphere Application Server and HTTP Server.

¶ The Directory server, including the Directory’s database.

¶ The CA and Audit server, including the databases created for CA and Audit data.

¶ The 4758 coprocessor, if installed and used with this installation of Trust Authority.

For information about backing up the components you need to protect in Trust Authority, see the Trust Authority System Administration Guide.

Directory changes for DN flexibility

If the production environment involves issuing certificates using domain names outside the CA’s branch, modify SecureWay Directory to allow Trust Authority to create the branches in the Directory:

1. Determine which suffixes need to be added.

2. Modify the slapd.conf files to add the suffix to the Directory.

3. Restart slapd.

4. Add the object in the Directory database corresponding to the suffix.

5. Modify the Access Control List (ACL) for each suffix.

6. Ensure that the ldap_autoCreate_entries parameter in the raconfig.cfg file is set to true.

Modify the ACL for a new LDAP suffix

Trust Authority binds to SecureWay Directory using the Directory Administrator userid and password. Each new suffix needs to include the Directory Administrator in its ACL. For example, an ACL where the Directory Administrator was added to a suffix would be:

access-id:CN=DIRADMIN,OU=TRUST AUTHORITY,O=YOUR ORGANIZATION,C=US:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc

Also, new suffixes for the anonymous user (CN=ANYBODY) need to have:

group:CN=ANYBODY:normal:rsc:sensitive:rsc

where normal, sensitive and critical are the classes of ACLs and rwsc are the permission levels: read, write, search and compare.
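As an added example that is not part of the original guide, the following Python code parses ACL entries in the form shown above and checks one suffix's entries the way you would before putting the suffix into production: the Directory Administrator must hold read, write, search and compare on the normal, sensitive and critical classes, and the anonymous group CN=ANYBODY must hold no write, add or delete permission on any class. The two entries in GOOD_ACL are the ones shown above, reproduced as sample data; the function names and the treatment of the object class are the example's own assumptions.

```python
# Attribute classes that can appear in a SecureWay Directory ACL entry.
ACL_CLASSES = ("object", "normal", "sensitive", "critical")

# Sample ACL entries for one suffix, copied from the examples above:
# the Directory Administrator and the anonymous group.
DIRADMIN_DN = "CN=DIRADMIN,OU=TRUST AUTHORITY,O=YOUR ORGANIZATION,C=US"
GOOD_ACL = [
    "access-id:" + DIRADMIN_DN + ":object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc",
    "group:CN=ANYBODY:normal:rsc:sensitive:rsc",
]


def _norm_dn(dn):
    # Compare DNs case-insensitively and ignore spacing around the commas.
    return ",".join(part.strip() for part in dn.split(",")).upper()


def parse_acl_entry(entry):
    """Parse subjecttype:DN:class:perms[:class:perms...] into
    (subject_type, dn, {class: set of permission letters}).
    The DNs used here contain commas but no colons, so splitting on ':' is safe."""
    fields = entry.split(":")
    if len(fields) < 4 or len(fields) % 2:
        raise ValueError("malformed ACL entry: %r" % entry)
    subject_type, dn = fields[0], fields[1]
    if subject_type not in ("access-id", "group"):
        raise ValueError("unknown subject type %r" % subject_type)
    grants = {}
    for cls, perms in zip(fields[2::2], fields[3::2]):
        if cls not in ACL_CLASSES:
            raise ValueError("unknown attribute class %r" % cls)
        grants[cls] = set(perms)
    return subject_type, dn, grants


def check_suffix_acl(entries, diradmin_dn=DIRADMIN_DN):
    """Return a list of problems with one suffix's ACL entries: the Directory
    Administrator must hold r, w, s and c on the normal, sensitive and critical
    classes, and the anonymous group CN=ANYBODY must never hold w, a or d."""
    problems, admin_found = [], False
    for entry in entries:
        subject_type, dn, grants = parse_acl_entry(entry)
        if subject_type == "access-id" and _norm_dn(dn) == _norm_dn(diradmin_dn):
            admin_found = True
            for cls in ("normal", "sensitive", "critical"):
                missing = set("rwsc") - grants.get(cls, set())
                if missing:
                    problems.append("Directory Administrator lacks %s on %s"
                                    % ("".join(sorted(missing)), cls))
        elif subject_type == "group" and _norm_dn(dn) == "CN=ANYBODY":
            for cls in ACL_CLASSES:
                bad = set("wad") & grants.get(cls, set())
                if bad:
                    problems.append("anonymous group CN=ANYBODY must not hold %s on %s"
                                    % ("".join(sorted(bad)), cls))
    if not admin_found:
        problems.append("no access-id entry for the Directory Administrator")
    return problems


if __name__ == "__main__":
    print(check_suffix_acl(GOOD_ACL))  # [] for the entries shown in the guide
```

Run the check against the entries of every suffix you add in step 5; an empty list means the Directory Administrator can create entries under the suffix and anonymous binds remain read-only.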

Customize the registration domain

Your registration domain can use the registration facility provided with Trust Authority as is. However, you may want to change some of the enrollment forms or registration processes to reflect your organization’s specific goals for digital certification. For example, you may want to display your corporate logo on the browser enrollment forms. You may also want to create or customize a certificate profile so that it supports the particular class of users, servers, or devices being enrolled.


After you install Trust Authority and run the Setup Wizard, you can customize many of thefiles that define your registration domain for your business purposes. As with anycustomization task, be sure to make a backup copy of any file you plan to change.

You can customize the following files. During configuration, these files are created in the directory path for the registration domain.

¶ The configuration files (file type .cfg) installed in the etc subdirectory. For example, you may want to adjust an operational setting for the RA server or RA Desktop.

¶ The sample notification letters (file type .ltr) installed in the etc subdirectory. Trust Authority provides sample text to inform users when a request has been approved or rejected, but you may want to write your own.

¶ The HTML files (file type .html), graphics (file type .gif), and Java Server Pages (file type .jsp) installed in the webpages subdirectory. For example, you may want to alter the text and graphics displayed in the browser enrollment forms. You can also customize an existing certificate profile or define a new one to support your organization’s certificate policies.

¶ The policy exit (policy_exit) installed in the bin subdirectory. Trust Authority provides this exit as an example of how to handle automated approval processing. You can write other exits to integrate registration processing with your other applications or to call your own processing actions.

For information about changes you can make to your registration and certification processes, and for instructions on how to do so, see the Trust Authority Customization Guide.

Reconfigure the system

After you apply configuration values and run the configuration programs for this installation of Trust Authority, you cannot reconfigure the system.

You can edit configuration values to change certain operational controls, but you cannot re-run the Setup Wizard to alter a previously configured system.

Note: If you attempt to reconfigure the system, you risk destroying all existing configuration data.

See the Trust Authority System Administration Guide for information about the configuration parameters that you can update after you configure the system.

Use Trust Authority With Policy Director

You can set up IBM SecureWay Policy Director to share the Directory with Trust Authority and accept certificates signed by a Trust Authority CA. The following steps summarize the procedure you should follow to set up Trust Authority and Policy Director so that they can interact and share secure resources.

1. Install and configure Trust Authority and make sure that it is working properly on its own.

Note: To prepare for Policy Director, you should modify the default Directory root DN when running the Setup Wizard. For Policy Director, the root DN cannot contain any spaces. Furthermore, the default root DN is long and created as a branch in the Directory. Altering it will help you to achieve symmetry in the Directory tree.

If you configured Trust Authority on an AIX platform, be sure to follow the steps in “Change Directory permissions on AIX” on page 20. Doing so is critical to your ability to configure Policy Director to use the Directory.

2. Install and configure DCE. Make sure that it is working properly on its own and enter the following command to confirm that the DCE services are available:

   dcecp -c cell ping

3. On the Directory server, create the Directory entries that are required by Policy Director. Make sure that there are no spaces following any commas in the DNs. Refer to the Policy Director documentation for details about the required entries. As a general guideline:

¶ Set up the Directory Admin port and launch the Admin pages to create the required administrator entries.

¶ Use the Directory Management console to create the additional required entries.

4. Install Netseat and Policy Director. Make sure that the components are active, can communicate, and are working correctly on their own.

At this point, both Trust Authority and Policy Director are correctly configured to share the same Directory.

Uninstall Trust Authority

Use the following procedures if you need to uninstall the Trust Authority product. For example, you may want to uninstall a version of Trust Authority you set up for test purposes before installing a system you intend to use in production.

Separate procedures exist for the supported server platforms.

Uninstall from AIX

If you installed the Trust Authority server components on an AIX system, use the following procedure only if you need to uninstall the product. Review the following guidelines before removing the Trust Authority software:

¶ If you installed the components on multiple machines, you must repeat the following steps to remove software from each machine.

¶ If you receive any error messages about processes not existing, you can ignore the messages and continue. This procedure provides general guidance; processes actually running on your system may be different.

¶ This procedure assumes that you use the default installation paths and database names. If your installation is different, adapt the procedure accordingly.

1. Enter the following commands to stop the Trust Authority components:

   su - cfguser
   cd /usr/lpp/iau/bin
   ./Stop_TA.sh


This command should stop the WebSphere Application Server, all httpd instances associated with Trust Authority, the RA Server, the CA Server, the Audit Server, and the Directory Server.

2. Stop all remaining httpd instances. First, use the ps command to list the running httpd processes, and then use the kill command to stop them. Shown below are examples of how to use these commands along with sample output.

   $ ps -ef | grep httpd
   cfguser 22766 15664  0 15:57:00 pts/3  0:00 grep httpd
   cfguser 24440 27132  0 14:01:15     -  0:00 /usr/lpp/HTTPServer/sbin/httpd -f /usr/lpp/iau/etc/httpd-CfgApplet.conf
   cfguser 25752 27132  0 09:08:42     -  0:01 /usr/lpp/HTTPServer/sbin/httpd -f /usr/lpp/iau/etc/httpd-CfgApplet.conf
   root    27132     1  0   Oct 09     -  0:12 /usr/lpp/HTTPServer/sbin/httpd -f /usr/lpp/iau/etc/httpd-CfgApplet.conf
   $ su
   root's Password: password
   # kill 24440 25752 27132

3. Use the ps and kill commands to identify and then stop any remaining slapd processes owned by cfguser. If there is no slapd in the process table, proceed to the next step.

   # ps -ef | grep slapd
   cfguser 13942     1  0 09:51:41 pts/1  0:00 /usr/bin/slapd -f /etc/slapd.conf
   root    24444 22768  0 15:58:48 pts/3  0:00 grep slapd
   # kill 13942

4. Use the ps and kill commands to identify and then stop all processes owned by cfguser other than DB2 processes and shells.

   # ps -ef | grep cfguser | grep -v db2
   cfguser 15664 33842  0 15:54:58 pts/3  0:00 -ksh
   cfguser 16270 31674  0 09:20:53 pts/1  0:00 -ksh
   cfguser 20566     1  0   Oct 09     -  0:00 /usr/lpp/HTTPServer/sbin/sidd
   cfguser 21978     1  0 13:59:16 pts/1  0:21 java com/ibm/servlet/engine/outofproc/OutOfProcEngine -nativelogfile /usr/lpp/iau/etc/logs/oop_native.log -nativeloglevel 14 -linktype remote -port 8081 -queuename ibmappserve -stublib /usr/WebSphere/AppServer/plugins/aix/libosestub.so -serverlib /usr/WebSphere/AppServer/plugins/aix/libasouts.so
   cfguser 11868     1 13 10:21:33 pts/1  0:18 java com/ibm/servlet/engine/outofproc/OutOfProcEngine -nativelogfile /usr/lpp/iau/pkrf/Domains/YourDomain/etc/logs/oop_native.log -nativeloglevel 14 -linktype local -port 8081 -queuename ibmappserve -stublib /usr/WebSphere/AppServer/plugins/aix/libosestub.so -serverlib /usr/WebSphere/AppServer/plugins/aix/libasouts.so
   root    22414 22768  0 16:00:23 pts/3  0:00 grep cfguser
   cfguser 26686 13570  0 15:54:05 pts/3  0:00 -ksh
   cfguser 28748 16270  0 09:22:26 pts/1  0:00 -ksh
   cfguser 29830 16772  0 15:49:54 pts/1  0:00 -ksh
   cfguser 33842 26686  0 15:54:36 pts/3  0:00 -ksh
   # kill 20566 21978

5. As cfguser, drop the Trust Authority databases. Shown below are examples of how to use DB2 commands to display and drop the databases, along with sample output.

   # su - cfguser
   $ db2
   (c) Copyright IBM Corporation 1993,1997
   Command Line Processor for DB2 SDK 5.2.0

   You can issue database manager commands and SQL statements from the command prompt.
   For example:
       db2 => connect to sample
       db2 => bind sample.bnd

   For general help, type: ?.
   For command help, type: ? command, where command can be the first few keywords
   of a database manager command. For example:
       ? CATALOG DATABASE for help on the CATALOG DATABASE command
       ? CATALOG          for help on all of the CATALOG commands.

   To exit db2 interactive mode, type QUIT at the command prompt.
   Outside interactive mode, all commands must be prefixed with 'db2'.
   To list the current command option settings, type LIST COMMAND OPTIONS.
   For more detailed help, refer to the Online Reference Manual.

   db2 => list db directory

    System Database Directory

    Number of entries in the directory = 5

   Database 1 entry:
    Database alias            = CFGDB
    Database name             = CFGDB
    Local database directory  = /local/cfguser
    Database release level    = 8.00
    Comment                   =
    Directory entry type      = Indirect
    Catalog node number       = 0

   Database 2 entry:
    Database alias            = LDAPDB
    Database name             = LDAPDB
    Local database directory  = /local/cfguser
    Database release level    = 8.00
    Comment                   =
    Directory entry type      = Indirect
    Catalog node number       = 0

   Database 3 entry:
    Database alias            = IBMDB
    Database name             = IBMDB
    Local database directory  = /dbfsibm
    Database release level    = 8.00
    Comment                   =
    Directory entry type      = Indirect
    Catalog node number       = 0

   Database 4 entry:
    Database alias            = ADTDB
    Database name             = ADTDB
    Local database directory  = /dbfsadt
    Database release level    = 8.00
    Comment                   =
    Directory entry type      = Indirect
    Catalog node number       = 0

   Database 5 entry:
    Database alias            = PKRFDB
    Database name             = PKRFDB
    Local database directory  = /dbfspkrf
    Database release level    = 8.00
    Comment                   =
    Directory entry type      = Indirect
    Catalog node number       = 0

   db2 => quit
   DB20000I  The QUIT command completed successfully.
   $ db2 force application all
   DB20000I  The FORCE APPLICATION command completed successfully.
   DB21024I  This command is asynchronous and may not be effective immediately.
   $ db2 terminate
   DB20000I  The TERMINATE command completed successfully.
   $ db2 drop database cfgdb
   DB20000I  The DROP DATABASE command completed successfully.
   $ db2 drop database ldapdb
   DB20000I  The DROP DATABASE command completed successfully.
   $ db2 drop database ibmdb
   DB20000I  The DROP DATABASE command completed successfully.
   $ db2 drop database adtdb
   DB20000I  The DROP DATABASE command completed successfully.
   $ db2 drop database pkrfdb

6. Enter the following commands to stop DB2:

   $ db2stop
   SQL1064N  DB2STOP processing was successful.

7. As root, enter the following commands to drop the cfguser database instance:

   $ su
   root's Password: password
   # /usr/lpp/db2_05_00/instance/db2idrop cfguser
   DBI1070I  Program db2idrop completed successfully.

8. Use the ps and kill commands to identify and then stop all shells that are running as cfguser:

   # ps -ef | grep cfguser
   cfguser 15664 33842  0 15:54:58 pts/3  0:00 -ksh
   cfguser 16270 31674  0 09:20:53 pts/1  0:00 -ksh
   cfguser 20570 22768  0 16:02:40 pts/3  0:00 -ksh
   cfguser 26686 13570  0 15:54:05 pts/3  0:00 -ksh
   cfguser 28748 16270  0 09:22:26 pts/1  0:00 -ksh
   cfguser 29830 16772  0 15:49:54 pts/1  0:00 -ksh
   root    30274 21276  1 16:07:03 pts/3  0:00 grep cfguser
   cfguser 33842 26686  0 15:54:36 pts/3  0:00 -ksh
   # kill 15664 16270 20570 26686 28748 3384

9. Enter the following commands to remove cfguser and pkix files:

   rm -rf /local/cfguser
   rm -rf /usr/pkix

10. Enter the following command to uninstall the Trust Authority program filesets:

   installp -u 'ta.*' 'sway.*'

11. Enter the following command to remove Trust Authority files that were created:

   rm -rf /usr/lpp/iau

12. Enter the following command to shut down and restart the AIX machine:

   shutdown -Fr

Uninstall from Windows NT

If you installed the Trust Authority server components on a Windows NT system, use the following procedure only if you need to uninstall the product. Review the following guidelines before removing the Trust Authority software:

¶ If you installed the components on multiple machines, you must repeat the following steps to remove software from each machine.

¶ If you receive any error messages about processes not existing, you can ignore the messages and continue. This procedure provides general guidance; processes actually running on your system may be different.

¶ This procedure assumes the default installation drive (c:), Trust Authority configuration user name (cfguser), and Trust Authority database names. If your installation is different, adapt the procedure accordingly.


1. Select Start → Programs → IBM SecureWay Trust Authority → Stop Trust Authority.

2. After ensuring that all the components have stopped, select Start → Settings → Control Panel.

3. Double-click Add/Remove Programs.

4. Select the IBM SecureWay Trust Authority program folder, and click Add/Remove.

5. When prompted to confirm that you want to delete the program, click Yes.

6. Open a DB2 command window: Select Start → Programs → DB2 for Windows NT → Command Window.

7. Enter the following commands to uninstall the Trust Authority instance and databases:

   set db2instance=cfguser
   db2 force application all
   db2 terminate
   db2 drop db adtdb
   db2 drop db pkrfdb
   db2 drop db ibmdb
   db2 drop db cfgdb
   db2stop
   db2idrop cfguser
   rd /s c:\cfguser

8. Enter the following commands to uninstall the Directory instance and database. Note that this procedure assumes that the Directory was installed and configured by Trust Authority; if you configured Trust Authority for an existing Directory, adapt the steps accordingly.

Note: You do not need to uninstall the Directory. If you want to re-use it, be sure to specify that you are using an existing Directory the next time you run the Setup Wizard to configure Trust Authority.

   set db2instance=ldapInst
   db2 force application all
   db2 drop db ldapDB
   db2stop
   db2idrop ldapInst
   rd /s c:\ldapInst

9. Ensure that all directories installed for Trust Authority have been removed. The default installation path is c:\Program Files\IBM\Trust Authority. Manually delete any directories in this path.

10. Shut down and restart Windows NT.


Tell me about...

The topics in this section may help you understand and use IBM SecureWay Trust Authority. They provide general information about Trust Authority features, and detailed information about the components you must configure when setting up a Trust Authority system.

Auditing

In Trust Authority, the Audit server supports the following activities:

¶ It receives audit events from audit clients, such as the Registration Authority and Certificate Authority.

¶ It writes the events to an audit log that is typically stored in a DB2 database (you can choose to store the log as a data file). There is one record in the log per audit event.

¶ It allows the audit clients to mask certain audit events. Although some events are always logged, you can employ masking to prevent other events from being reported. This allows you to control the size of the audit logs and ensure that the logged events are ones that are of interest in your environment.

¶ It computes a message authentication code (MAC) for each audit record. The MAC helps ensure the integrity of the database contents. For example, you can determine whether a record has been altered, tampered with, or deleted since it was logged.

¶ It provides a tool for performing integrity checks on the audit database and archived audit records.

¶ It provides a tool for archiving and signing the current state of the audit database. For security purposes, you should archive the audit database and store it off-site on a periodic basis. Archiving the database can also provide performance benefits and conserve disk space.

When you run the Setup Wizard, you must identify the host name of the Audit server. You must also identify a free port where the Audit server can listen for client requests.

After configuring the system, see the Trust Authority System Administration Guide for information about the following tasks:

¶ Running the Change Password tool to change the Audit Administrator’s password. This step is critical for ensuring that only the Audit server accesses the audit logs or runs the audit administration tools.

¶ Running the AuditIntegrityCheck tool to check the integrity of the audit database and archived audit files.

¶ Running the AuditArchiveAndSign tool to archive all records in the current audit database table to a file, and then sign the file.
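The per-record MAC and the integrity check described above, as an added Python illustration that is not the Audit server’s actual record format or algorithm: each record’s MAC is an HMAC-SHA256 over its sequence number, the previous record’s MAC and the event text, so a checker can tell an altered, removed or wrong-key record from a clean one, and a record count taken from a signed archive catches truncation of the newest records. The key and audit events are constructed.

```python
"""Illustration of MAC-protected audit records and an integrity check.

Added example, not the Trust Authority Audit server's actual format or algorithm.
Each record is (seq, event, mac) where mac = HMAC-SHA256(key, seq | prev_mac | event).
Chaining through the previous MAC means that altering or removing any record breaks
verification from that point on. Truncating the newest records is invisible to the
chain alone, so the checker also accepts the record count that a signed archive of
the database state would carry. Key and events below are constructed.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # previous-MAC value used for the first record


def record_mac(key, seq, prev_mac, event):
    """HMAC over the fields that must not change once the record is written."""
    msg = str(seq).encode() + b"|" + prev_mac + b"|" + event.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def append_record(key, log, event):
    """Append one event to the in-memory log as (seq, event, mac); return the log."""
    seq = len(log) + 1
    prev = log[-1][2] if log else GENESIS
    log.append((seq, event, record_mac(key, seq, prev, event)))
    return log


def integrity_check(key, log, expected_count=None):
    """Return (ok, message). Checks sequence numbers, the MAC chain and, if known,
    the record count; stops at the first record that fails."""
    prev = GENESIS
    for expected_seq, (seq, event, mac) in enumerate(log, start=1):
        if seq != expected_seq:
            return False, "record %d missing (found %d in its place)" % (expected_seq, seq)
        if not hmac.compare_digest(mac, record_mac(key, seq, prev, event)):
            return False, "record %d altered or chain broken before it" % seq
        prev = mac
    if expected_count is not None and len(log) != expected_count:
        return False, "expected %d records, found %d" % (expected_count, len(log))
    return True, "%d records verified" % len(log)


# Constructed key and events in the spirit of RA/CA audit events.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
EVENTS = [
    "RA: enrollment request received for CN=alice,O=Example",
    "RA: request approved by registrar",
    "CA: certificate issued, serial 1001",
    "CA: certificate 1001 revoked, reason keyCompromise",
]


def build_log(events=EVENTS, key=AUDIT_KEY):
    """Build a clean log from the constructed events."""
    log = []
    for event in events:
        append_record(key, log, event)
    return log


def tampered_logs(key=AUDIT_KEY):
    """Return three corrupted copies of the clean log: one record altered in place,
    the newest record truncated, and one record removed from the middle."""
    good = build_log(key=key)
    altered = list(good)
    seq, event, mac = altered[1]
    altered[1] = (seq, event.replace("approved", "rejected"), mac)
    truncated = good[:3]
    removed = good[:2] + good[3:]
    return altered, truncated, removed


if __name__ == "__main__":
    good = build_log()
    print("clean log:", integrity_check(AUDIT_KEY, good))
    for name, log in zip(("altered", "truncated", "removed"), tampered_logs()):
        print("%s:" % name, integrity_check(AUDIT_KEY, log, expected_count=len(good)))
```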


Certificate authorities

A Certificate Authority (CA) acts as a trusted third party to ensure that users who engage in e-business can trust each other. It vouches for the identity of users through the certificates it issues. In addition to proving the identity of the user, the certificate includes a public key that enables the user to verify and encrypt communications.

In such a security model, the trustworthiness of the parties depends on the trust that is placed in the CA that issued the certificate. To ensure the integrity of a certificate, the CA digitally signs the certificate as part of creating it. Attempts to alter a certificate will invalidate the signature and render it unusable.

In Trust Authority, the CA supports the following activities:

¶ To ensure the uniqueness of a certificate, the CA generates a serial number for each new certificate and for each renewed certificate. This serial number is a unique identifier that is not stored as part of the distinguished name (DN) in the certificate.

¶ To track the certificates it issues, the CA maintains an issued certificate list (ICL). The ICL stores a secure copy of each certificate, indexed by serial number. Typically the ICL is created as a DB2 database.

¶ To track revoked certificates, the CA creates and updates certificate revocation lists (CRLs). Just as it signs certificates, the CA digitally signs all CRLs to vouch for their integrity.

¶ To protect against data tampering, the CA computes a message authentication code (MAC) for each record written to the database. The MAC helps ensure the integrity of the database by enabling you to detect when data in it has been altered or deleted.

¶ To further protect the CA’s signature, the CA can be integrated with the IBM SecureWay 4758 PCI Cryptographic Coprocessor. The 4758 uses a cryptographic key stored in hardware to encrypt and protect the CA’s signing key.

¶ To support auditing and data recovery, the CA generates audit records for numerous auditable events. These records are stored in a DB2 database by the Audit server.

For more information about the Trust Authority CA, see the Trust Authority System Administration Guide. For example, that book contains guidelines for adjusting runtime options for the CA server and procedures for establishing cross-certified and hierarchical CA trust models.

DB2® databases

IBM SecureWay Trust Authority uses IBM DB2 Universal Database™ to store certificate data, registration data, and audit logs. Before you run the Setup Wizard, you must ensure that the correct level of DB2 software is available on each machine where you installed a Trust Authority server component.

As part of a post-installation process, Trust Authority creates the configuration database and populates it with default data. During configuration, it creates databases for the server components. Listed below are the default database names:

¶ cfgdb, for the configuration database

¶ ibmdb, for the CA database

¶ pkrfdb, for the registration database

¶ adtdb, for the audit database

¶ ldapdb, for the Directory database (unless you use an existing one)

¶ krbdb, for the private key backup and recovery database

If you installed any components on remote machines, you must follow the procedures in “Set up remote servers” on page 13 to ensure that the databases are set up correctly.

Directories

IBM SecureWay Trust Authority uses the IBM SecureWay Directory as its central repository for public key certificates. Through its integration with DB2, the Directory can support millions of directory entries. It also enables a client application, such as Trust Authority, to perform storage, update, and retrieval transactions.

In Trust Authority, the RA server publishes the following information in the Directory:

¶ Public key certificates, which are used for encryption and authentication

¶ The attributes associated with a distinguished name (the owner’s roles and privileges)

¶ Certificate revocation lists that list the serial numbers for all revoked certificates

¶ Information about the CA that signs the certificates, including the business and certificate policies associated with the certificate

The Directory provides the means to securely enroll and authenticate users and resources. The Directory defines a common directory schema; that is, the rules by which information can be stored in or retrieved from the Directory. The schema enforces uniformity of data. It also ensures that information about a given user or resource is not stored in multiple locations or formats across the network.

When you run the Setup Wizard, you must specify information that will enable the Trust Authority components to read, store, and update data in the Directory. In addition to knowing where the Directory is installed in your network, you need to understand:

¶ The Directory tree

¶ The Directory root administrator

¶ The Directory administrator

For more information about how Trust Authority interacts with the Directory, see “Using the SecureWay Directory With Trust Authority”. This document is available at the IBM SecureWay Trust Authority Web site.

Directory trees

Each entry in the Directory represents a single object (such as a person, organization, resource, or device) that is identified by a unique and unambiguous distinguished name. The DN contains a set of attributes that help to uniquely identify the object and delineate the object’s privileges. Attributes can specify the object’s country of origin, the organization the object is affiliated with, and the name the object is known by.

All Directory entries are logically organized into a hierarchical structure that is called the Directory tree. This tree has a single root and an unlimited number of cascading nodes. Each node corresponds to a Directory entry that helps to uniquely distinguish subordinate entries from other subordinate entries at the same node.


The DN syntax is controlled by the Directory schema and the client that is attempting to access the Directory. When specifying DNs for Trust Authority, you can type them into data entry fields or use a graphical user interface.

¶ See “Specify DNs by typing them” on page 14 for instructions on how to specify DNs by using the syntax that is required by Trust Authority.

¶ See “Use the DN Editor” on page 15 for instructions on how to use the Distinguished Name Editor to define DNs. Using the editor reduces the possibility for error, and keeps you from having to be knowledgeable about the DN syntax.

Root DNs

A root DN is a Directory agent that has the authority to update the entire Directory tree. It is a configured entity, but it does not actually exist in the Directory tree.

The root DN also allows Trust Authority to determine basic information about the Directory server. For example, attributes in the root DN provide the following characteristics about the Directory:

¶ The level of Directory software that is installed

¶ The object classes and attribute schemas known to the server

¶ The operations and controls that are supported by the server

¶ The supported security protocols

When you run the Setup Wizard, you must specify a DN and password for the Directory root. If you are using a Directory that was in place before you installed Trust Authority, you must specify the existing Directory root DN and its password.

Directory administrators

Because the Trust Authority CA does not directly bind to the Directory, it uses an agent, called the Directory administrator, to manage the subtree where entries signed by the CA are stored. The Directory administrator, which is specific to a CA, has the authority to update all entries at or below the CA’s entry point in the Directory tree. This privilege includes the ability to add, delete, change, read, search, and compare Directory entries.

When you run the Setup Wizard, you must specify a DN and password for the Directory administrator. If you are using a Directory that was in place before you installed Trust Authority, you must specify the existing Directory administrator DN and its password.

PKIX CMP connections

The Public Key Infrastructure for X.509 version 3 standard (PKIX) evolved out of the need to provide a framework to facilitate the interoperability of e-business applications. Its primary advantage is that it enables organizations to conduct secure electronic transactions without regard for operating platform or application software package.

In Trust Authority, the Client application provides the user interface for handling requests that use the PKIX certificate management protocol (CMP). PKIX CMP uses TCP/IP as its primary transport mechanism. When you run the Setup Wizard, you must identify a free port where the RA server can listen for PKIX CMP connections.

When a user submits a request to obtain, renew, or revoke a certificate, the Client communicates the request to the Registration Authority. When the certificate is issued, the application stores it on the user’s virtual or physical smart card. Contrast this approach with “SSL connections”, in which a Web browser communicates the request to the RA to obtain the certificate for the user.

The Trust Authority Client application allows users to export PKIX certificates to existing Internet-based or PKI-aware applications, such as Microsoft Internet Explorer and Netscape Navigator. This feature provides flexible and extensible support for multiple Internet-accessible applications, such as secure e-mail.

See the Trust Authority User’s Guide for information about using the Trust Authority Client application to obtain and manage certificates.

Registration domains

Each Trust Authority system has a single registration domain. This domain defines the business policies, certificate policies, and resources relating to your organization’s registration and certification processes. Users who want to access a resource must be registered in the domain that governs the use of that resource.

When the RA server software is installed, it contains the framework for the registration facility. When you run the Setup Wizard, you choose a domain name, domain language, and domain path for the registration processes being run for this installation of Trust Authority.

After you save configuration data and start the configuration process, the configuration programs create the registration domain. The system uses the domain name to formulate the URL through which users access the registration facility.

For example, if your public Web server is named MyPublicWebServer, and your domain name is MyDomain, you would use the following URL to access the registration site:

   http://MyPublicWebServer:80/MyDomain/index.jsp

The default Java Server Page (index.jsp) at this URL is named Credential Central. It provides the entry point for collecting enrollment data, registering users, and issuing certificates that support the purposes defined in the default certificate profiles. As part of customizing the registration facility for this domain, your organization may have renamed this page and altered the enrollment forms. It may also have added, removed, or changed the certificate profiles.

¶ See “Customize the registration domain” on page 22 for a summary of the ways in which your organization can customize the registration facility.

¶ See the Trust Authority Customization Guide for complete information about how to customize registration processing to support your organization’s policies.

SSL connections

The Secure Sockets Layer (SSL) protocol uses public key signatures, digital certificates, and encryption to provide two communicating parties — typically a Web server and a browser client — with a trustworthy and private environment for exchanging messages.

SSL provides the following advantages over a standard TCP/IP socket connection:

¶ Privacy. All messages exchanged between the client and server are encrypted, and only the two parties that engage in the transaction can decrypt the data.


¶ Integrity. An integrity check based on a secure hash function ensures that the corruption of data will not go undetected.

¶ Authenticity. Through the exchange of digital certificates, the client can authenticate the identity of the server and, optionally, the server can authenticate the client.

¶ Non-repudiation. Through digital signatures, all communications can be traced to the originating entity, allowing accountability to be proved as necessary.

In a Trust Authority system, separate ports exist for handling different levels of authentication. When you run the Setup Wizard, you identify one secure port to process SSL connections that require server authentication. You identify a second secure port to process SSL connections that require both server and client authentication.

The registration facility includes a set of browser enrollment forms that enable users to communicate SSL requests or obtain certificates for use in SSL-enabled applications. For example, when a user submits a request to renew a certificate, the user’s Web browser communicates the request to the Registration Authority. When the new certificate is issued, the RA stores it in the user’s browser. Contrast this approach with “PKIX CMP connections” on page 32, in which the Client application communicates the request and installs the certificate for the user.

See the Trust Authority User’s Guide for information about using the browser enrollment forms to obtain, renew, and revoke certificates. That book discusses the different types of certificates that you can obtain by using the default certificate profiles, and describes the intended purpose of each certificate type.

Web serversTrust Authority uses a model based on three virtual servers and three ports to process clientrequests. As part of configuring the system, you identify the host names and ports that youconfigured when installing the IBM HTTP Server.

The public Web server uses the HTTP protocol and a single port to handle non-SSLrequests. These requests do not require encryption or authentication.

Two secure Web servers use the HTTPS protocol to handle SSL requests. To ensureconfidentiality, all communication between a client and a secure server is encrypted.Additionally, public key cryptography inherent in an SSL connection enables the server to beauthenticated at session startup. In a Trust Authority system, you configure one of the secureserver ports to authenticate the client at session startup, too.

The following table summarizes this architecture and the default port values. Depending onhow your organization set up the firewall, you may need to use the same port number, suchas 443, to process both types of secure requests. If so, see theTrust Authority Up andRunningbook for information about setting up IP aliases for the different Web serverprocesses. You must define these aliases and ports before you run the Trust Authority SetupWizard.

Protocol   SSL   Server Authentication   Client Authentication   Port Number
HTTP       No    No                      No                      80
HTTPS      Yes   Yes                     No                      443
HTTPS      Yes   Yes                     Yes                     1443
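The three-virtual-server model above, as an added example that is not part of the IBM guide: a small checker that takes a proposed host/port layout and reports anything that contradicts the table (wrong SSL or authentication flags per role, a missing role, or two servers sharing one host/port pair, which is the case the guide says needs separate IP aliases). The host names are constructed placeholders.

```python
"""Added example (not from the IBM guide): model Trust Authority's three
virtual Web servers and check a proposed host/port layout against the
rules the guide states: HTTP handles unauthenticated requests, one HTTPS
server authenticates only the server, one HTTPS server authenticates both
sides, and every server needs its own host/port pair (if the firewall
forces both secure servers onto 443, each needs its own IP alias)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualServer:
    role: str            # "public", "secure", or "secure_client_auth"
    host: str            # fully qualified virtual host name
    port: int
    ssl: bool
    server_auth: bool
    client_auth: bool


# Defaults from the guide's table; the host name is a constructed placeholder.
DEFAULT_LAYOUT = (
    VirtualServer("public", "ra.example.com", 80, False, False, False),
    VirtualServer("secure", "ra.example.com", 443, True, True, False),
    VirtualServer("secure_client_auth", "ra.example.com", 1443, True, True, True),
)

# (ssl, server_auth, client_auth) that each role must have, per the table.
EXPECTED = {
    "public": (False, False, False),
    "secure": (True, True, False),
    "secure_client_auth": (True, True, True),
}


def check_layout(servers):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    roles = [s.role for s in servers]
    for role in EXPECTED:
        if roles.count(role) != 1:
            problems.append(f"expected exactly one {role} server, found {roles.count(role)}")
    for s in servers:
        want = EXPECTED.get(s.role)
        if want is None:
            problems.append(f"unknown role {s.role!r}")
            continue
        if (s.ssl, s.server_auth, s.client_auth) != want:
            problems.append(f"{s.role} server on {s.host}:{s.port} has the wrong SSL/authentication flags")
        if not 1 <= s.port <= 65535:
            problems.append(f"{s.role}: port {s.port} out of range")
        if "." not in s.host:
            problems.append(f"{s.role}: host {s.host!r} is not fully qualified")
    # Each virtual server needs its own host/port pair: the same port is fine
    # only when the two servers are reached through different IP aliases.
    seen = {}
    for s in servers:
        key = (s.host.lower(), s.port)
        if key in seen:
            problems.append(
                f"{s.role} and {seen[key]} both listen on {s.host}:{s.port}; "
                "give one of them a separate IP alias or port")
        seen[key] = s.role
    return problems
```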

4758 coprocessors

Although it is optional, you are encouraged to use the IBM SecureWay 4758 PCI Cryptographic Coprocessor to maximize the security of the CA’s signing key.

As part of installing the 4758 coprocessor, the configuration program generates a master key and stores it in hardware. In a Trust Authority system, the coprocessor can use this master key, and an RSA algorithm, to triple-encrypt the CA’s signing key. This step provides an extra layer of security against attempts to compromise or otherwise decipher the CA’s signature.

If you decide to use the 4758 coprocessor, you must install it on the machine where you install the Trust Authority CA. When you run the Setup Wizard, you specify whether or not the CA should use the coprocessor to protect its signing key.

In most Trust Authority systems, the CA’s key is not physically stored with the master key. However, a configuration option allows you to override this default — an action that IBM discourages. If you choose to store the CA’s key in hardware, you need to assess the following risks:

¶ When the 4758 coprocessor is backed up, only its master key is backed up, not any other keys stored on the hardware card. Therefore, if the card is damaged or some other hardware failure occurs, you will lose the CA’s signing key.

¶ If the CA’s key is lost or compromised, you must take the CA down and bring it up with a new key. While the CA is unavailable, users whose certificates are signed by the CA cannot use them because there is no means to validate them.

¶ Because the certificates that were signed with the CA’s original key are no longer valid, you must issue new certificates signed with the new CA key after you re-establish the CA.

For information about installing, configuring, and cloning the 4758 coprocessor, see “Using the SecureWay 4758 Coprocessor With Trust Authority”. This document is available at the IBM SecureWay Trust Authority Web site.


Reference

The topics in this section describe the values you can specify when running the Trust Authority Setup Wizard. Each topic describes a separate window in the applet.

The final two topics provide general information about the applet:

¶ “Keyboard alternatives for mouse actions” on page 46 presents alternative ways to navigate the applet.

¶ “National language considerations” on page 47 provides tips for running the applet in a language other than English.

Startup options

When you first start the Setup Wizard, the system tells you the host name of the server where the main Trust Authority software is installed. If this is not the server you intend to configure, click Exit to exit the Setup Wizard. If you exit the Setup Wizard before configuration is complete, no data will be saved.

Attention! If you run the Setup Wizard for a machine that is already configured, you will destroy all existing data. You cannot reconfigure an existing system or import configuration data to a previously configured system.

Import data from an existing configuration
Select this option only if:

¶ You previously installed and configured a Trust Authority system

¶ You want to use the existing configuration data as the baseline for configuring this system

¶ This new system is installed on the same operating system platform as the previous system

If you plan to install Trust Authority on multiple servers and set up a similar configuration on each, you may want to take advantage of this feature.

If you check this check box, you will be prompted to select the name of the file that contains the configuration data you want to import.


Import options

If you specified that you want to import data from an existing configuration, you must specify options about the configuration data you want to import.

Configuration data
The list box contains a list of all configuration data files that were saved during previous installations of Trust Authority and copied to this machine. Scroll the list and select the file that contains the configuration values you want to apply to this installation.

The Setup Wizard copies the imported values into the current applet session. As you advance through the applet, you can keep the displayed values, or selectively change values that do not apply to this Trust Authority system.

New installation or migration

¶ Click New if you are configuring a new Trust Authority system.

The configuration programs will create a new configuration database to hold data for this new instance of Trust Authority.

¶ Click Migration if you are migrating configuration data. For example, you would choose this option to migrate data from a previous version of Trust Authority.

The configuration programs will copy the existing configuration database for use in this Trust Authority installation.

Trust Authority password options

You must specify a password to secure the Trust Authority server components. This password enables the configuration programs to apply your configuration values, create the required databases, and update the server configuration files.

Trust Authority password
The password you type here must match the password for the Trust Authority configuration user.

¶ If you installed Trust Authority on AIX, this user is created as cfguser during the post-installation configuration process. The default password is Secure99. If you changed the password after this account was created, be sure to specify that new password here.

¶ If you installed Trust Authority on Windows NT, you should have created this user when setting up Windows before installing the Trust Authority software. The suggested value is cfguser but your installation may be different. There is no default password.

Attention! After the configuration process is complete, you must use the Change Password utility to specify passwords for several trusted server components. To use that utility, you must specify this same Trust Authority password.

Confirm Trust Authority password
Type the same password again.


If you specified a password that includes a mix of uppercase and lowercase characters, be sure to type them in the same case here.

CA and Audit server options

You must specify options that will enable other Trust Authority components to communicate with the Trust Authority certificate authority (CA) and auditing subsystem.

The Trust Authority CA and Audit server programs must exist on the same machine. Depending on how your organization installed the software, they may or may not be on the same machine with the Registration Authority (RA) or the Directory server.

Host name or IP address
Type the fully qualified host name of the machine where the CA and Audit server programs are installed. You cannot type the short name or alias, nor can you type the IP address.

This is the host name configured for this server in your network’s TCP/IP Domain Name Service (DNS). The default value is the host name of the Registration Authority server.

Port number for the CA server
Identify a free port where the Trust Authority CA should listen for requests. The default value is 1830.

Port number for the Audit server
Identify a free port where the Trust Authority Audit subsystem should listen for requests. The default value is 59998.

DN for the CA
This distinguished name identifies the CA in the Directory and allows users to readily identify which CA signed a certificate they have been issued. The default value is: /C=US/O=Your Organization/OU=Trust Authority/CN=Trust Authority CA.

If you are familiar with the format of X.509v3 DNs, you can type a unique DN for the Trust Authority CA. See “Specify DNs by typing them” on page 14 for information about how to specify DNs in the format required by Trust Authority.

To facilitate your ability to specify a unique DN, and to eliminate the possibility of error, click the DN Editor icon. See “Use the DN Editor” on page 15 for information about creating DNs with this tool.

CA key options

You must specify an encryption algorithm and key size for the CA’s private signing key. If your organization installed the IBM SecureWay 4758 PCI Cryptographic Coprocessor, you can optionally set up the CA so that it uses cryptographic hardware for key protection.

Algorithm for signing certificates
Select an encryption algorithm for the Trust Authority CA’s digital signature. The CA’s signature vouches for the authenticity and integrity of the certificates and certificate revocation lists (CRLs) signed by the CA.

In this version of the product, you must select sha-1WithRSAEncryption.


This generates a signature by applying a SHA-1 hash function to the signature calculation defined in the RSA standard (as developed by Rivest, Shamir, and Adleman). With RSA, the verification of the signature is relatively fast. However, generation of the signature may take longer than when using other algorithms.

Certificate key size
The security of the CA’s digital signature is also a factor of the key size. Generally, the signature algorithm is considered secure when the key size is large enough to prevent a reverse computation. While larger key sizes enhance security, they also increase the time needed to verify the signature when establishing a secure session.

In this version of the product, you must select 1024.

Use cryptographic hardware
Select this option only if:

¶ You installed Trust Authority on an IBM AIX platform

¶ You previously installed the 4758 cryptographic coprocessor on the Trust Authority CA and Audit server machine

¶ You want to use the 4758 coprocessor to protect the CA’s key

If you do not use the 4758 coprocessor, the CA’s keys are encrypted and stored in a secure KeyStore as always. However, the 4758 coprocessor offers extended hardware protection by using its master key to encrypt the CA’s signing key.

RSA key size
If you specified that you want to use cryptographic hardware, the 4758 coprocessor will automatically use an RSA algorithm to encrypt the CA’s signing key. You must select a key size to be used as input to the computation. A larger key size can enhance security, but it also increases the time that is needed to verify secure transactions.

Choose one of the following values. The default value is 1024.

¶ 512

¶ 768

¶ 1024

¶ 2048

Store signing key in hardware
If you specified that you want to use cryptographic hardware, you can choose whether or not the CA’s signing key should be physically stored in hardware.

The default and recommended value is No.

Attention! When the 4758 coprocessor is backed up, only its master key is backed up. If the hardware is damaged, you will lose the CA’s key. To resolve the loss, you must bring up the CA with a new key and then re-issue newly signed certificates to your existing certificate holders.

Select Yes only if you understand the risks involved. See “4758 coprocessors” on page 35 for a discussion of risks and corrective actions.


Directory server options

You must specify options that will enable Trust Authority to communicate with the IBM SecureWay Directory server. For example, the RA server publishes certificates and certificate revocation lists (CRLs) in the Directory. Applications need to read information in the Directory when assessing the validity of a certificate.

Host name or IP address
Type the fully qualified host name of the machine where the Directory server software is installed. You cannot type the short name or alias, nor can you type the IP address.

This is the host name that is configured for this server in your network’s TCP/IP Domain Name Service (DNS). It may be a Directory server that you use with other applications, or it may be one that you set up specifically for use with Trust Authority. The default value is the host name of the Registration Authority server.

Port number for the Directory
Identify a free port where the Directory server should listen for requests. The default value is 389.

Use an existing SecureWay Directory
By default, this check box is not enabled, which indicates that you want to create a new Directory database for use with Trust Authority.

You should check this check box only if you previously installed the SecureWay Directory and want to use it to store information for Trust Authority.

If you plan to use Trust Authority with an existing Directory, see “Using the SecureWay Directory With Trust Authority.” This document is available at the Trust Authority Web site.

Directory root options

You must specify a distinguished name (DN) and password for the Directory root. The root is a Directory agent that has the authority to administer all entries in the Directory tree. It also enables Trust Authority to obtain information about the protocols and standards supported by the Directory server.

Note: If your Directory server was in place before you installed Trust Authority, you may already have a Directory root configured for it. If so, specify the existing root DN and its password here.

Root DN
If you are familiar with the format of X.509v3 DNs, you can type a unique DN for the Directory root. The default value is: /C=US/O=Your Organization/OU=Trust Authority/CN=Ldap Root DN.

See “Specify DNs by typing them” on page 14 for information about how to specify DNs in the format that is required by Trust Authority.

To facilitate your ability to specify a unique DN, and to eliminate the possibility of error, click the DN Editor icon. See “Use the DN Editor” on page 15 for information about creating DNs with this tool.

Root password
Type a password for the Directory’s root.


The password must contain 8 characters. To optimize security, you should specify a string that does not spell a real word. The password should also use a mix of uppercase and lowercase characters and include at least one number.

If you specify the password for an existing root DN, be aware that Trust Authority validates only the first 8 characters.

Confirm root password
Type the same password again.

If you specified a password that includes a mix of uppercase and lowercase characters, be sure to type them in the same case here.

Directory administrator options

You must specify a distinguished name (DN) and password for the Directory administrator. This agent creates and manages entries within the CA’s subtree in the Directory. It works with the CA and RA servers to publish information about certificates and certificate revocation lists.

Note: If your Directory server was in place before you installed Trust Authority, you may already have a Directory administrator configured for it. If so, specify the existing DN and its password here.

Directory administrator DN
If you are familiar with the format of X.509v3 DNs, you can type a unique DN for the Trust Authority Directory administrator. The default value is: /C=US/O=Your Organization/OU=Trust Authority/CN=DirAdmin.

See “Specify DNs by typing them” on page 14 for information about how to specify DNs in the format that is required by Trust Authority.

To facilitate your ability to specify a unique DN, and to eliminate the possibility of error, click the DN Editor icon. See “Use the DN Editor” on page 15 for information about creating DNs with this tool.
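The slash-delimited DN format shown for the CA DN, the Root DN and the Directory administrator DN, as an added example that is not part of the IBM guide: a parser that enforces the form the defaults use and the ASCII-only rule from “National language considerations”, renders the LDAP equivalent, and checks that the three names are really distinct. The page documents no escaping for '/' or '=' inside a value, so the parser assumes values contain neither; the attribute-type set is also an assumption.

```python
"""Added example (not part of the IBM guide): parse the slash-delimited DN
format the Setup Wizard uses for the CA, the Directory root and the
Directory administrator, enforce the guide's ASCII-only rule, and render
the equivalent LDAP (RFC 2253) string. The page documents no escaping
rules for '/' or '=' inside a value, so this parser assumes values contain
neither character."""

# Assumption: the usual X.500 naming attributes; the guide's defaults use C, O, OU and CN.
KNOWN_TYPES = {"C", "ST", "L", "O", "OU", "CN"}
# Characters RFC 2253 requires escaping inside an LDAP DN value.
LDAP_SPECIAL = ',+"\\<>;'


class DNError(ValueError):
    """Raised when a DN does not follow the Setup Wizard format."""


def parse_wizard_dn(text):
    """Return [(type, value), ...] in the order written, least specific (C) first."""
    if not text.isascii():
        # Guide: path names and DNs must not contain non-ASCII or double-byte characters.
        raise DNError("DN must contain only ASCII characters")
    if not text.startswith("/"):
        raise DNError("DN must start with '/' (for example /C=US/O=.../CN=...)")
    rdns = []
    for part in text[1:].split("/"):
        if "=" not in part:
            raise DNError(f"component {part!r} is not of the form TYPE=value")
        typ, value = part.split("=", 1)
        typ, value = typ.strip().upper(), value.strip()
        if typ not in KNOWN_TYPES:
            raise DNError(f"unknown attribute type {typ!r}")
        if not value:
            raise DNError(f"empty value for {typ}")
        rdns.append((typ, value))
    if not rdns:
        raise DNError("DN has no components")
    return rdns


def _escape(value):
    """Escape one attribute value for use in an RFC 2253 string."""
    out = "".join("\\" + c if c in LDAP_SPECIAL else c for c in value)
    if out.startswith("#"):
        out = "\\" + out
    return out


def to_ldap_dn(rdns):
    """Render as LDAP expects it: most specific RDN (CN) first."""
    return ",".join(f"{t}={_escape(v)}" for t, v in reversed(rdns))


def is_distinct(*dns):
    """Check that the CA, root and administrator DNs really are different names."""
    parsed = [tuple((t, v.lower()) for t, v in parse_wizard_dn(d)) for d in dns]
    return len(set(parsed)) == len(parsed)
```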

Directory administrator password
Type a password for the Directory administrator.

The password must contain 8 characters. To optimize security, you should specify a string that does not spell a real word. The password should also use a mix of uppercase and lowercase characters and include at least one number.

If you specify the password for an existing Directory administrator, be aware that Trust Authority validates only the first 8 characters.
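The password rules given for the Directory root and the Directory administrator, as an added example that is not part of the IBM guide: a checker that applies the case, digit and real-word rules, and, because the guide says only the first 8 characters are validated, applies them to that prefix, so a long password whose first 8 characters are weak is still reported. It reads “must contain 8 characters” as a minimum; the word list is a constructed stand-in for a real dictionary.

```python
"""Added example (not from the IBM guide): check a Directory root or
Directory administrator password against the guide's rules. The guide
notes that only the first 8 characters are validated, so the case/digit
mix and the real-word check are applied to that prefix: characters beyond
the 8th do not help a weak prefix. "Must contain 8 characters" is read as
a minimum length here (an assumption)."""

SIGNIFICANT = 8
# Constructed stand-in for a dictionary; a real check would load a word list file.
COMMON_WORDS = {"password", "security", "director", "computer"}


def significant_part(password):
    """The prefix Trust Authority actually validates, per the guide."""
    return password[:SIGNIFICANT]


def password_problems(password):
    """Return rule violations for the part of the password that is checked; [] if none."""
    p = significant_part(password)
    problems = []
    if len(password) < SIGNIFICANT:
        problems.append(f"shorter than {SIGNIFICANT} characters")
    if not any(c.islower() for c in p):
        problems.append("no lowercase letter in the first 8 characters")
    if not any(c.isupper() for c in p):
        problems.append("no uppercase letter in the first 8 characters")
    if not any(c.isdigit() for c in p):
        problems.append("no digit in the first 8 characters")
    if p.lower() in COMMON_WORDS:
        problems.append("first 8 characters spell a real word")
    return problems


def effectively_equal(a, b):
    """True if the Directory would treat the two passwords as the same credential."""
    return significant_part(a) == significant_part(b)
```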

Confirm Directory administrator password
Type the same password again.

If you specified a password that includes a mix of uppercase and lowercase characters, be sure to type them in the same case here.

Allow the Directory administrator to update the Directory
The Directory administrator should have update privileges so that it can add, remove, and alter entries in the Directory.


By default, this check box is enabled, which indicates that the Directory administrator can update the CA’s subtree in the Directory. Typically, you should leave this option enabled.

Registration domain options

You must specify information about the registration domain for this installation of Trust Authority. The registration domain defines the business policies, certificate policies, and resources specific to a given instance of the registration facility.

Registration domain name
Type the name that you want to use to identify your registration domain. The default value is YourDomain. You should change this name to something that is meaningful to your organization or the purpose for which you are using the registration facility.

The domain name must conform to the directory naming requirements of your operating system (AIX or Windows NT). Specifically, you must adhere to the following rules when determining the name you want to use:

¶ The name must be a valid URL string.

¶ The name cannot contain more than 128 characters.

¶ The name cannot contain spaces or tabs.

¶ The name cannot contain the following special characters: back slash (\), forward slash (/), colon (:), asterisk (*), question mark (?), quotation marks ("), angle brackets (< >), vertical bar (|), pound sign (#), dollar sign ($), or apostrophe (’).
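The naming rules above, as an added example that is not part of the IBM guide: a checker that reports every rule a proposed registration domain name breaks, plus a helper that derives an acceptable name from a rejected one. The guide does not define “valid URL string”; this code assumes it means characters legal in a URL path segment without percent-encoding (letters, digits, '-', '_', '.', '~'), which also excludes every character the guide forbids.

```python
"""Added example (not from the IBM guide): check a registration domain
name against the rules the guide lists. "Valid URL string" is read here
as: only characters legal in a URL path segment without percent-encoding
(letters, digits, '-', '_', '.', '~'); that is an assumption."""
import string

FORBIDDEN = set('\\/:*?"<>|#$\'')      # the special characters the guide lists
ALLOWED = set(string.ascii_letters + string.digits + "-_.~")  # assumed URL-safe set
MAX_LEN = 128


def domain_name_problems(name):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not name:
        return ["name is empty"]
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters ({len(name)})")
    if any(c in " \t" for c in name):
        problems.append("contains a space or tab")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("contains forbidden character(s): " + " ".join(bad))
    # Anything left that is neither allowed, forbidden nor whitespace fails
    # the "valid URL string" rule (for example non-ASCII or double-byte text).
    other = sorted(set(name) - ALLOWED - FORBIDDEN - set(" \t"))
    if other:
        problems.append("not a valid URL string, contains: " + " ".join(repr(c) for c in other))
    return problems


def is_valid_domain_name(name):
    return not domain_name_problems(name)


def suggested_domain_name(name):
    """Derive an acceptable name: whitespace becomes '_', other offenders are dropped."""
    out = []
    for c in name:
        if c in " \t":
            out.append("_")
        elif c in ALLOWED:
            out.append(c)
        # forbidden or non-URL characters are dropped
    return "".join(out)[:MAX_LEN]
```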

Registration domain language
Select the language for this registration domain.

When users submit a certificate request, or when administrators access the RA Desktop, data will be presented and stored in the selected language. The default value is English.

Choose one of the following values:

¶ English

¶ French

¶ German

¶ Italian

¶ Spanish

¶ Brazilian Portuguese

¶ Japanese

¶ Korean

¶ Simplified Chinese

¶ Traditional Chinese

Root installation directory
Type the location of the registration domain on the RA server. You must specify the fully qualified path.

During configuration, the system sets up the registration domain at this location. If you customize the registration facility, you customize files in this domain. This ensures that any registration activity that addresses this domain is governed by the policies that you define for it.


¶ In AIX, the default value for the domain path is: /usr/lpp/iau/pkrf/Domains

¶ In Windows NT, the default value for the domain path is: c:\Program Files\IBM\Trust Authority\pkrf\Domains

Public Web server options

You must specify options that will enable the Trust Authority components to communicate with the public Web server. This server handles requests that do not require encryption or authentication.

Host name or IP address for the public server
Type the fully qualified host name of the server that is set up to handle public requests. You cannot type the short name or alias, nor can you type the IP address.

When you installed the IBM HTTP Server software, you should have configured a virtual host name for the server program that handles non-SSL requests. The default value is the host name of the Registration Authority server.

Port number for the public server
Identify a free port where the public Web server should listen for requests. The default value is 80.

Secure Web server options

You must specify options that will enable the Trust Authority components to communicate with the secure Web servers. These servers handle SSL connections that require encryption and server authentication. You must configure one secure server to handle requests that also require client authentication.

¶ Configure the secure server that handles requests that do not require client authentication:

Host name or IP address
Type the fully qualified host name of the server that is set up to handle these types of requests. You cannot type the short name or alias, nor can you type the IP address.

When you installed the IBM HTTP Server software, you should have configured a virtual host name for the server program that handles requests that do not require client authentication. The default value is the host name of the Registration Authority server.

Port number
Identify a free port where the secure Web server should listen for SSL requests that require encryption and server authentication, but not client authentication. The default value is 443.

¶ Configure the secure server that handles requests that require client authentication:

Host name or IP address
Type the fully qualified host name of the server that is set up to handle these types of requests. You cannot type the short name or alias, nor can you type the IP address.


When you installed the IBM HTTP Server software, you should have configured a virtual host name for the server program that handles client-authenticated requests. The default value is the local host name of the Registration Authority server.

Port number
Identify a free port where the secure Web server should listen for SSL requests that require encryption, server authentication, and client authentication. The default value is 1443.

Trust Authority Client options

You must identify a port on the RA server for processing requests from the Trust Authority Client application.

These connections, such as requests to obtain, renew, or revoke certificates, use the PKIX certificate management protocol (PKIX CMP). Contrast this with requests that are handled by the secure Web servers, which use the HTTPS protocol to establish SSL connections.

Port number for Trust Authority Client requests
Identify a free port where the Trust Authority RA server should listen for PKIX requests from a Client application. The default value is 829.

Configuration summary

Scroll through the configuration options you specified for the various Trust Authority components.

If you want to alter any of the settings before applying them, click Previous until you return to the component you want to change.

When you are ready to proceed with the configuration process, click Next.

Save configuration data

Saving the configuration data provides you with a backup of your configuration values. It also enables you to use the values as the baseline for setting up another Trust Authority system.

When you start the Setup Wizard, you are asked whether you want to import data from a previous configuration. If you do, you can then select the configuration data file that contains the values you want to import.

Configuration data name
Type a file name for the configuration data. You do not need to type a file extension. The default value is DatabaseBackup.

Use a name that will allow you to identify this file as the one you want to import when you configure another Trust Authority system. The name can contain spaces, but it cannot contain symbols or any characters that are not permitted by your operating system.

See “Import configuration data” on page 12 for information about the steps you must take to import the data to a new Trust Authority server.


To save the configuration data and proceed with the configuration process, click Next. If you specify a file name that is not permitted by your operating system, the Setup Wizard will prompt you to correct it. Note that if you click Exit to exit the Setup Wizard before you explicitly save the configuration data, none of the values you specified will be saved.

Configuration process

After saving configuration data for this installation of Trust Authority, you must apply the values to the system. When you apply the values, the CfgStart configuration program begins. During this process, the system creates the component databases and updates the component configuration files.

Note: If you installed any of the server components on a remote machine, the configuration programs will pause and prompt you to take action on that remote machine before continuing to the next step in the configuration process. See “Set up remote servers” on page 13 for details.

Finish button
When you are ready to begin the configuration process, click Finish.

The Status column displays the progress of the configuration process. As each component is updated, the status indicator changes as follows:

Yet to be configured
Indicates that configuration of this component has not begun.

Configuring
Indicates that configuration of this component has begun.

Partially Configured
Indicates that manual intervention is required, such as running a configuration program on a remote machine.

Configured
Indicates that this component has been configured successfully.

Failed
Indicates that this component could not be configured. View the message logs for more information about the failure.

View Advanced Messages button
To see more detailed messages about the configuration process, click View Advanced Messages.

The applet opens a window to display the log messages that are produced by the configuration programs.

Keyboard alternatives for mouse actions

Consult the following table if you want to use the keyboard to make selections in the Setup Wizard or Distinguished Name Editor instead of using a mouse.

Cursor focus location                                                   Keystroke

Working within the DN Editor
Select another tab label and display that tab.                          Right arrow goes to the next tab. Left arrow goes to the previous tab.
Scroll within a tab.                                                    Page Down scrolls downward. Page Up scrolls upward.
Exit the DN Editor.                                                     Escape.

Moving between fields
Move to the next field from most fields.                                Tab.
Move to the previous field from most fields.                            Shift-Tab.

Working with items in a combo box
Move through the list of items.                                         Down arrow moves down. Up arrow moves up.
Move to the next field; the currently displayed item remains selected.  Tab.

Working with the items in a list box
Move through the list of items.                                         Down arrow moves down. Up arrow moves up.
Move to the next field; the currently displayed item remains selected.  Tab.

Working with a set of radio buttons (a set is considered one field)
Move through the radio buttons and select one.                          Down arrow and Right arrow move to the next selection. Up arrow and Left arrow move to the previous selection.
Exit and move to the next field.                                        Tab.

Work with check boxes
Select or deselect the check box.                                       Space bar.
Exit and move to the next field.                                        Tab.

Work with command buttons
Move to a command button.                                               Tab.
Execute the command.                                                    Space bar or Enter key.

National language considerations

This section summarizes the differences between the English version of Trust Authority and the other languages that it supports. If you run the Setup Wizard using a non-English version of Trust Authority, review this section to learn about differences in how information may be displayed or processed in your language.

Specifying Your Registration Domain Language
If you plan to run the registration facility in a language other than English, be sure to select your language when specifying configuration options for the registration domain. The default value is English. If you do not change this value during configuration, you cannot change it later without re-installing the product.

Using ASCII Characters
When specifying directory paths or distinguished names (DNs) for the CA, Directory administrator, or Directory root, you must use ASCII characters. You cannot type path names or DNs that contain non-ASCII or double-byte language characters, such as Japanese or Chinese.

Running the Applet in Traditional Chinese
If you use a CHT version of Netscape Navigator or Netscape Communicator, version 4.05 or version 4.5, the Setup Wizard index page may be returned in English rather than Traditional Chinese. You should ensure that the language preference in your browser is set to use Traditional Chinese as the primary language, not English.

If you still have problems, it may be a browser limitation caused by how Netscape was localized at your organization. As an alternative, try using Microsoft Internet Explorer to load the Setup Wizard.


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Department LZKS
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM’s suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

Trademarks and service marks

The following terms are trademarks of International Business Machines Corporation or Tivoli Systems, Inc. in the United States, or other countries, or both:

IBM
AIX
AIX/6000
DB2
DB2 Universal Database
SecureWay
Tivoli
WebSphere

The Trust Authority program (″the Program″) includes portions of the IBM WebSphere Application Server and the IBM HTTP Web Server (″IBM Servers″). You are not authorized to install or use the IBM Servers other than in connection with your licensed use of the Program. The IBM Servers must reside on the same machine as the Program, and you are not authorized to install or use the IBM Servers separate from the Program.

The Program includes portions of DB2 Universal Database. You are authorized to install and use these components only in association with your licensed use of the Program and IBM WebSphere Application Server for the storage and management of data used or generated by the Program and IBM WebSphere Application Server, and not for other data management purposes. For example, this license does not include inbound connections to the database from other applications for queries or report generation. You are authorized to install and use these components only with and on the same machine as the Program.

Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark in the United States, other countries, or both and is licensed exclusively through X/Open Company Limited.

Pentium is a trademark of Intel Corporation in the United States, other countries, or both.

This program contains security software from RSA Data Security, Inc. Copyright © 1994 RSA Data Security, Inc. All rights reserved.

This program contains Standard Template Library (STL) software from Hewlett-Packard Company. Copyright (c) 1994.

¶ Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided ″as is″ without express or implied warranty.

This program contains Standard Template Library (STL) software from Silicon Graphics Computer Systems, Inc. Copyright (c) 1996–1999.

¶ Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided ″as is″ without express or implied warranty.

Other company, product, and service names may be trademarks or service marks of others.


Related information

The Trust Authority product documentation is available in Portable Document Format (PDF) and HTML format on the IBM SecureWay Trust Authority Documentation CD-ROM. HTML versions of some publications are installed with the product and are accessible from the user interfaces.

Be aware that the product may have changed since the publications were produced. For the latest product information, and for information about accessing a publication in the language and format of your choice, see the Readme file. The latest version of the Readme file is available on the IBM SecureWay Trust Authority Web site: http://www.tivoli.com/support

The Trust Authority library includes the following documentation:

Up and Running
This book provides an overview of the product. It lists the product requirements, includes installation procedures, and provides information about how to access the online help available for each product component. This book is printed and distributed with the product.

System Administration Guide
This book contains general information about administering the Trust Authority system. It includes procedures for starting and stopping the servers, changing passwords, administering the server components, performing audits, and running data integrity checks.

Configuration Guide
This book contains information about how to use the Setup Wizard to configure a Trust Authority system. You can access the HTML version of this guide while viewing online help for the Wizard.

Registration Authority Desktop Guide
This book contains information about how to use the RA Desktop to administer certificates throughout the certificate life cycle. You can access the HTML version of this guide while viewing online help for the Desktop.

User’s Guide
This book contains information about how to obtain and manage certificates. It provides procedures for using the Trust Authority browser enrollment forms to request, renew, and revoke certificates. It also discusses how to preregister for PKIX-compliant certificates, and how to use the Trust Authority Client to manage these certificates. You can access the HTML version of this guide while viewing online help for the Client.

Customization Guide
This book shows you how to customize the Trust Authority registration facility to support the registration and certification goals of your business policies. For example, you can learn how to customize HTML and Java Server pages, notification letters, certificate profiles, and policy exits.


The Trust Authority Web site includes other documents that may help you install, administer, and use Trust Authority. For example, you can find supplemental guidelines on the Directory schema and learn how to integrate Trust Authority with the IBM SecureWay 4758 PCI Coprocessor.


Glossary

This glossary defines the terms and abbreviations in this book that may be new or unfamiliar and terms that may be of interest. It includes terms and definitions from:

¶ The IBM Dictionary of Computing, New York: McGraw-Hill, 1994.

¶ The American National Standard Dictionary for Information Systems, ANSI X3.172–1990, American National Standards Institute (ANSI), 1990.

¶ The Answers to Frequently Asked Questions, Version 3.0, California: RSA Data Security, Inc., 1998.

Numbers

4758 PCI Cryptographic Coprocessor
A programmable, tamper-responding cryptographic PCI-bus card offering high performance DES and RSA cryptographic processing. The cryptographic processes occur within a secure enclosure on the card. The card meets the stringent requirements of the FIPS PUB 140-1 level 4 standard. Software can run within the secure enclosure. For example, credit card transaction processing can use the SET™ standard.

A

Abstract Syntax Notation One (ASN.1)
An ITU notation that is used to define the syntax of information data. It defines a number of simple data types and specifies a notation for identifying these types and for specifying values of these types. These notations can be applied whenever it is necessary to define the abstract syntax of information without curbing how the information is encoded for transmission.

access control list (ACL)
A mechanism for limiting the use of a specific resource to authorized users.

ACL
Access control list.

action history
Accumulated events in the life cycle of a credential.

American National Standard Code for Information Interchange (ASCII)
The standard code that is used for information interchange among data processing systems, data communication systems, and associated equipment. The ASCII set uses a coded character set that consists of 7-bit coded characters (8 bits including a bit for parity checking). The character set consists of control characters and graphic characters.

American National Standards Institute (ANSI)
An organization that establishes the procedures by which accredited organizations create and maintain voluntary industry standards in the United States. It consists of producers, consumers, and general interest groups.

ANSI
American National Standards Institute.

applet
A computer program that is written in Java® and runs inside a Java-compatible Web browser. Also known as a Java applet.

ASCII
American National Standard Code for Information Interchange.

ASN.1
Abstract Syntax Notation One.


asymmetric cryptography
Cryptography that uses different, asymmetric keys for encryption and decryption. Each user receives a pair of keys: a public key accessible to all, and a private key known only to the user. A secure transaction can occur when the public key and the corresponding private key match, enabling the decryption of the transaction. This is also known as key pair cryptography. Contrast with symmetric cryptography.

asynchronous communication
A mode of communication that does not require the sender and recipient to be present simultaneously.

audit client
Any client in the system that sends audit events to the Trust Authority Audit server. Before an audit client sends an event to the Audit server, it establishes a connection with the Audit server. After the connection is established, the client uses the audit subsystem client library to deliver events to the Audit server.

audit log
In Trust Authority, a table in a database that stores one record per audit event.

Audit server
A Trust Authority server that receives audit events from audit clients and writes them to an audit log.

audit subsystem
In Trust Authority, a subsystem that provides the support for logging security-relevant actions. It conforms to recommendations in standard X9.57, of the standards set forth in Public Key Cryptography for the Financial Services Industry.

audit trail
Data, in the form of a logical path, that links a sequence of events. An audit trail enables tracing of transactions or the history of a given activity.

authentication
The process of reliably determining the identity of a communicating party.

authorization
Permission to access a resource.

B

base64 encoding
A common means of conveying binary data with MIME.

Basic Encoding Rules (BER)
The rules specified in ISO 8825 for encoding data units described in abstract syntax notation 1 (ASN.1). The rules specify the encoding technique, not the abstract syntax.

BER
Basic Encoding Rules.

browser
See Web browser.

browser certificate
A digital certificate that is also known as a client-side certificate. It is issued by a CA through an SSL-enabled Web server. Keys in an encrypted file enable the holder of the certificate to encrypt, decrypt, and sign data. Typically, the Web browser stores these keys. Some applications permit storage of the keys on smart cards or other media. See also digital certificate.

business process objects
A set of code used to accomplish a specific registration operation, such as checking the status of an enrollment request or verifying that a public key was sent.

business process template
A set of business process objects that are run in a specified order.


bytecode
Machine-independent code that is generated by the Java compiler and run by the Java interpreter.

C

CA
Certificate authority.

CA certificate
A certificate your Web browser accepts, at your request, from a CA it does not recognize. The browser can then use this certificate to authenticate communications with servers that hold certificates issued by that CA.

CA hierarchy
In Trust Authority, a trust structure whereby one CA is located at the top of the structure and up to four layers of subordinate CAs are located below. When users or servers are registered with a CA, they receive a certificate that is signed by that CA, and they inherit the certification hierarchy of the layers above.

CA server
The server for the Trust Authority Certificate Authority (CA) component.

CAST-64
A block cipher algorithm that uses a 64-bit block size and a 6-bit key. It was designed by Carlisle Adams and Stafford Tavares.

CCA
IBM Common Cryptographic Architecture.

CDSA
Common Data Security Architecture.

certificate authority (CA)
The software responsible for following an organization’s security policies and assigning secure electronic identities in the form of certificates. The CA processes requests from RAs to issue, renew, and revoke certificates. The CA interacts with the RA to publish certificates and CRLs in the Directory. See also digital certificate.

certificate extension
An optional feature of the X.509v3 certificate format that provides for the inclusion of additional fields in the certificate. There are standard extensions and user-defined extensions. Standard extensions exist for various purposes, including key and policy information, subject and issuer attributes, and certification path constraints.

certificate policy
A named set of rules that indicates the applicability of a certificate to a particular class of applications that have common security requirements. For example, a certificate policy might indicate whether a particular certification type allows a user to conduct transactions for goods within a given price range.

certificate profile
A set of characteristics that define the type of certificate wanted (such as SSL certificates or IPSec certificates). The profile aids in managing certificate specification and registration. The issuer can change the names of the profiles and specify characteristics of the desired certificate, such as the validity period, key usage, DN constraints, and so forth.

certificate revocation list (CRL)
A digitally signed, time-stamped list of certificates that the certificate authority has revoked. The certificates in this list should be considered unacceptable. See also digital certificate.

certification
The process during which a trusted third party issues an electronic credential that vouches for an individual, business, or organizational identity.

CGI
Common Gateway Interface.


chain validation
The validation of all CA signatures in the trust hierarchy through which a given certificate was issued. For example, if a CA was issued its signing certificate by another CA, both signatures are validated during validation of the certificate that the user presents.

class
In object-oriented design or programming, a group of objects that share a common definition and therefore share common properties, operations, and behavior.

cleartext
Data that is not encrypted. Synonym for plaintext.

client
(1) A functional unit that receives shared services from a server. (2) A computer or program that requests a service of another computer or program.

client/server
A model in distributed processing in which a program at one site sends a request to a program at another site and waits for a response. The requesting program is called a client; the answering one is called a server.

code signing
A technique for signing executable programs with digital signatures. Code signing is designed to improve the reliability of software that is distributed over the Internet.

Common Cryptographic Architecture (CCA)
IBM software that enables a consistent approach to cryptography on major IBM computing platforms. It supports application software that is written in a variety of programming languages. Application software can call on CCA services to perform a broad range of cryptographic functions, including DES and RSA encryption.

Common Data Security Architecture (CDSA)
An initiative to define a comprehensive approach to security service and security management for computer-based security applications. It was designed by Intel, to make computer platforms more secure for applications.

Common Gateway Interface (CGI)
Standard method of transmitting information between Web pages and Web servers.

confidentiality
The property of not being divulged to unauthorized parties.

credential
Confidential information used to prove one’s identity in an authentication exchange. In environments for network computing, the most common type of credential is a certificate that a CA has created and signed.

CRL
Certificate revocation list.

CRL publication interval
Set in the CA configuration file, the interval of time between periodic publications of the CRL to the Directory.

cross-certification
A trust model whereby one CA issues to another CA a certificate that contains the public key associated with its private signature key. A cross-certified certificate allows client systems or end entities in one administrative domain to communicate securely with client systems or end entities in another domain.

cryptographic
Pertaining to the transformation of data to conceal its meaning.

cryptography
In computer security, the principles, means, and methods for encrypting plaintext and decrypting encrypted text.


D

daemon
A program that carries out tasks in the background. It is implicitly called when a condition occurs that requires its help. A user need not be aware of a daemon, because the system usually spawns it automatically. A daemon might live forever or the system might regenerate it at intervals. The term (pronounced demon) comes from mythology. Later, it was rationalized as the acronym DAEMON: Disk And Execution MONitor.

Data Encryption Standard (DES)
An encryption block cipher, defined and endorsed by the U.S. government in 1977 as an official standard. IBM developed it originally. DES has been extensively studied since its publication and is a well-known and widely used cryptographic system. DES is a symmetric cryptographic system. When it is used for communication, both the sender and receiver must know the same secret key. This key is used to encrypt and decrypt the message. DES can also be used for single-user encryption, such as to store files on a hard disk in encrypted form. DES has a 64-bit block size and uses a 56-bit key during encryption. It was originally designed for implementation in hardware. NIST has recertified DES as an official U.S. government encryption standard every five years.

Data Storage Library (DL)
A module that provides access to persistent data stores of certificates, CRLs, keys, policies, and other security-related objects.

decrypt
To undo the encryption process.

DEK
Document encrypting key.

DER
Distinguished Encoding Rules.

DES
Data Encryption Standard.

Diffie-Hellman
A method of establishing a shared key over an insecure medium, named after the inventors (Diffie and Hellman).

digital certificate
An electronic credential that is issued by a trusted third party to a person or entity. Each certificate is signed with the private key of the CA. It vouches for an individual, business, or organizational identity. Depending on the role of the CA, the certificate can attest to the authority of the bearer to conduct e-business over the Internet. In a sense, a digital certificate performs a similar role to a driver’s license or a medical diploma. It certifies that the bearer of the corresponding private key has authority to conduct certain e-business activities. A certificate contains information about the entity it certifies, whether person, machine, or computer program. It includes the certified public key of that entity.

digital certification
See certification.

digital signature
A coded message added to a document or data that guarantees the identity of the sender. A digital signature can provide a greater level of security than a physical signature. The reason for this is that a digital signature is not an encrypted name or series of simple identification codes. Instead, it is an encrypted summary of the message that is being signed. Thus, affixing a digital signature to a message provides solid identification of the sender. (Only the sender’s key can create the signature.) It also fixes the content of the message that is being signed (the encrypted message summary must match the message content or the signature is not valid). Thus, a digital signature cannot be copied from one message and applied to another because the summary, or hash, would not match. Any alterations to the signed message would also invalidate the signature.


Digital Signature Algorithm (DSA)
A public key algorithm that is used as part of the Digital Signature Standard. It cannot be used for encryption, only for digital signatures.

Directory
A hierarchical structure intended as a global repository for information related to communications (such as e-mail or cryptographic exchanges). The Directory stores specific items that are essential to the PKI structure, including public keys, certificates, and certificate revocation lists. Data in the Directory is organized hierarchically in the form of a tree, with the root at the top of the tree. Often, higher level organizations represent individual countries, governments, or companies. Users and devices are typically represented as leaves of each tree. These users, organizations, localities, countries, and devices each have their own entry. Each entry consists of typed attributes. These provide information about the object that the entry represents. Each entry in the Directory is bound with an associated distinguished name (DN). This is unique when the entry includes an attribute that is known to be unique to the real world object. Consider the following example DN. In it, the country (C) is US, the organization (O) is IBM, the organizational unit (OU) is Trust, and the common name (CN) is CA1.

C=US/O=IBM/OU=Trust/CN=CA1
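The slash-separated DN above, parsed into its typed attributes and checked against the ASCII-only rule from "Using ASCII Characters" (CA, Directory administrator and Directory root DNs must contain no non-ASCII or double-byte characters). This is an added Python example, not code from the Trust Authority product; the comma-separated LDAP string form and its escaping follow RFC 4514 and are an assumption about what the Directory server expects, since the guide only shows the slash form.

```python
"""Parse the slash-separated DN notation this guide uses
("C=US/O=IBM/OU=Trust/CN=CA1") and enforce the ASCII-only restriction the
Setup Wizard places on CA and Directory DNs.

Added example, not code from the Trust Authority product. The RFC 4514
comma-separated form produced by to_ldap_dn() and its escaping rules are
an assumption about what the Directory server expects."""
from typing import List, Tuple

# Attribute types named in the glossary example. Other types are accepted,
# but unknown_types() reports them so a typo such as "CM=CA1" is noticed.
KNOWN_TYPES = {"C": "country", "O": "organization",
               "OU": "organizational unit", "CN": "common name"}

# Characters RFC 4514 requires to be escaped anywhere inside a value.
_LDAP_SPECIAL = set('",+;<>\\')

RDN = Tuple[str, str]


class DNError(ValueError):
    """A DN the Setup Wizard would reject: non-ASCII or malformed."""


def is_ascii(text: str) -> bool:
    """True if every character is 7-bit ASCII. This is the rule from
    'Using ASCII Characters': no double-byte or accented characters."""
    return all(ord(ch) < 128 for ch in text)


def parse_slash_dn(dn: str) -> List[RDN]:
    """Parse the guide's slash form into [(type, value), ...], root first.

    Rejects non-ASCII input, components without '=', attribute types that
    are not plain letters, and empty values."""
    if not is_ascii(dn):
        raise DNError("DN contains non-ASCII characters; CA and Directory "
                      "DNs must use ASCII only")
    rdns: List[RDN] = []
    for component in dn.strip("/").split("/"):
        attr_type, sep, value = component.partition("=")
        if not sep:
            raise DNError(f"component {component!r} is not TYPE=value")
        attr_type, value = attr_type.strip().upper(), value.strip()
        if not attr_type.isalpha():
            raise DNError(f"bad attribute type {attr_type!r}")
        if not value:
            raise DNError(f"empty value for {attr_type}")
        rdns.append((attr_type, value))
    return rdns


def dn_error(dn: str) -> str:
    """Return '' if the DN is acceptable, otherwise the reason it is not."""
    try:
        parse_slash_dn(dn)
    except DNError as exc:
        return str(exc)
    return ""


def unknown_types(rdns: List[RDN]) -> List[str]:
    """Attribute types not in KNOWN_TYPES, in order of appearance."""
    return [t for t, _ in rdns if t not in KNOWN_TYPES]


def _escape_value(value: str) -> str:
    """Escape one value for the RFC 4514 string form (assumption): special
    characters anywhere, '#' or space at the start, space at the end."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        needs_escape = (ch in _LDAP_SPECIAL
                        or (i == 0 and ch in " #")
                        or (i == last and ch == " "))
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def to_ldap_dn(rdns: List[RDN]) -> str:
    """Render root-first RDNs most-specific-first, the order an LDAP client
    presents the name in (RFC 4514 ordering, an assumption)."""
    return ",".join(f"{t}={_escape_value(v)}" for t, v in reversed(rdns))


if __name__ == "__main__":
    # Constructed inputs: the glossary's example, a value containing a
    # comma, and a DN with double-byte characters the Wizard rejects.
    for sample in ("C=US/O=IBM/OU=Trust/CN=CA1",
                   "C=US/O=Acme, Inc/CN=CA1",
                   "C=JP/O=日本/CN=CA1"):
        err = dn_error(sample)
        if err:
            print(f"{sample}: rejected ({err})")
        else:
            print(f"{sample}: {to_ldap_dn(parse_slash_dn(sample))}")
```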

Directory server
In Trust Authority, the IBM SecureWay Directory. This Directory supports LDAP standards and uses DB2 as its base.

Distinguished Encoding Rules (DER)
Provides constraints on the BER. DER selects just one type of encoding from those that the encoding rules allow, eliminating all of the sender’s options.

distinguished name (DN)
The unique name of a data entry that is stored in the Directory. The DN uniquely identifies the position of an entry in the hierarchical structure of the Directory.

DL
Data Storage Library.

DN
Distinguished name.

document encrypting key (DEK)
Typically, a symmetric encryption/decryption key, such as DES.

domain
See security domain and registration domain.

DSA
Digital Signature Algorithm.

E

e-business
Business transactions over networks and through computers. It includes buying and selling goods and services. It also includes transferring funds through digital communications.

e-commerce
Business-to-business transactions. It includes buying and selling goods and services (with customers, suppliers, vendors, and others) on the Internet. It is a primary element of e-business.

end-entity
The subject of a certificate that is not a CA.

encrypt
To scramble information so that only someone who has the appropriate decryption code can obtain the original information through decryption.


encryption/decryption
Using the public key of the intended recipient to encipher data for that person, who then uses the private key of the pair to decipher the data.

enrollment
In Trust Authority, the process of obtaining credentials for use over the Internet. Enrollment encompasses the requesting, renewing, and revoking of certificates.

enrollment attribute
An enrollment variable that is contained in an enrollment form. Its value reflects the information that is captured during the enrollment. The value of the enrollment attribute remains the same throughout the lifetime of the credential.

enrollment variable
See enrollment attribute.

extranet
A derivative of the Internet that uses similar technology. Companies are beginning to apply Web publishing, electronic commerce, message transmission, and groupware to multiple communities of customers, partners, and internal staff.

F

File Transfer Protocol (FTP)
An Internet client/server protocol for use in transferring files between computers.

firewall
A gateway between networks that restricts the flow of information between networks. Typically, the purpose of a firewall is to protect internal networks from unauthorized use from the outside.

FTP
File Transfer Protocol.

G

gateway
A functional unit that allows incompatible networks or applications to communicate with each other.

H

hierarchy
The organization of Certificate Authorities (CA) in a trust chain, starting with the self-signed CA or root of roots at the top, and ending with the CA that issues certificates to end users.

HTML
Hypertext Markup Language.

HTTP
Hypertext Transaction Protocol.

HTTP server
A server that handles Web-based communications with browsers and other programs in a network.

hypertext
Text that contains words, phrases, or graphics that the reader can click with the mouse to retrieve and display another document. These words, phrases, or graphics are known as hyperlinks. Retrieving them is known as linking to them.

Hypertext Markup Language (HTML)
A markup language for coding Web pages. It is based on SGML.


Hypertext Transaction Protocol (HTTP)
An Internet client/server protocol for transferring hypertext files across the Web.

I

ICL
Issued certificate list.

IETF (Internet Engineering Task Force)
A group that focuses on engineering and developing protocols for the Internet. It represents an international community of network designers, operators, vendors, and researchers. The IETF is concerned with the development of the Internet architecture and the smooth use of the Internet.

IniEditor
In Trust Authority, a tool used to edit configuration files.

instance
In DB2, an instance is a logical database management environment for storing data and running applications. It allows definition of a common set of configuration parameters for multiple databases.

integrity
A system protects the integrity of data if it prevents unauthorized modification (as opposed to protecting the confidentiality of data, which prevents unauthorized disclosure).

integrity checking
The checking of audit records that result from transactions with external components.

internal structure
See schema.

International Standards Organization (ISO)
An international organization tasked with developing and publishing standards for everything from wine glasses to computer network protocols.

International Telecommunication Union (ITU)
An international organization within which governments and the private sector coordinate global telecommunication networks and services. It is the leading publisher of telecommunication technology, regulatory, and standards information.

Internet
A worldwide collection of networks that provide electronic connection between computers. This enables them to communicate with each other via software devices such as electronic mail or Web browsers. For example, some universities are on a network that in turn links with other similar networks to form the Internet.

intranet
A network within an enterprise that usually resides behind firewalls. It is a derivative of the Internet and uses similar technology. Technically, an intranet is a mere extension of the Internet. HTML and HTTP are some of the commonalities.

IPSec
An Internet Protocol Security standard, developed by the IETF. IPSec is a network layer protocol, designed to provide cryptographic security services that flexibly support combinations of authentication, integrity, access control, and confidentiality. Because of its strong authentication features, it has been adopted by many VPN product vendors as the protocol for establishing secure point-to-point connections over the Internet.

ISO
International Standards Organization.

issued certificate list (ICL)
A complete list of the certificates that have been issued and their current status. Certificates are indexed by serial number and state. This list is maintained by the CA and stored in the CA database.


ITU
International Telecommunication Union.

J

Java
A set of network-aware, non-platform-specific computer technologies developed by Sun Microsystems, Incorporated. The Java environment consists of the Java OS, the virtual machines for various platforms, the object-oriented Java programming language, and several class libraries.

Java applet
See applet. Contrast with Java application.

Java application
A stand-alone program that is written in the Java language. It runs outside the context of a Web browser.

Java class
A unit of Java program code.

Java language
A programming language, developed by Sun Microsystems, designed specifically for use in applet and agent applications.

Java Virtual Machine (JVM)
The part of the Java run-time environment responsible for interpreting bytecodes.

K

key
A quantity used in cryptography to encipher or decipher information.

Key Backup and Recovery
This feature of Trust Authority enables you to back up and recover the end entity certificates and their corresponding public and private keys certified by Trust Authority. The certificate and keys are stored in a PKCS #12 file. This file is protected by a password. The password is set at the time the certificate and keys are backed up.

key pair
Corresponding keys that are used in asymmetric cryptography. One key is used to encrypt and the other to decrypt.

KeyStore
A DL for storing Trust Authority component credentials, such as keys and certificates, in an encrypted format.

L

LDAP
Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol (LDAP)
A protocol used to access the Directory.

M

MAC
Message authentication code.

MD2
A 128-bit message-digest hash function, designed by Ron Rivest. It is used with MD5 in the PEM protocols.

MD4
A 128-bit message-digest hash function, designed by Ron Rivest. It is several times faster than MD2.


MD5
A one-way message-digest hash function, designed by Ron Rivest. It is an improved version of MD4. MD5 processes input text in 512-bit blocks, divided into 16 32-bit sub-blocks. The output of the algorithm is a set of four 32-bit blocks, which concatenate to form a single 128-bit hash value. It is also used along with MD2 in the PEM protocols.

message authentication code (MAC)
A secret key that is shared between the sender and the recipient. The sender authenticates, and the recipient verifies. In Trust Authority, MAC keys are stored in the KeyStores for the CA and Auditing components.

message digest
An irreversible function that takes an arbitrary-sized message and produces a fixed-length quantity. MD5 is an example of a message digest algorithm.

MIME (Multipurpose Internet Mail Extensions)
A freely available set of specifications that allows the interchange of text in languages with different character sets. It also allows multimedia e-mail among many different computer systems that use Internet mail standards. For example, the e-mail messages may contain character sets other than US-ASCII, enriched text, images, and sounds.

modulus
In the RSA public key cryptographic system, the product (n) of two large primes: p and q. The best size for an RSA modulus depends on one's security needs. The larger the modulus, the greater the security. The current RSA Laboratories-recommended key sizes depend on the planned use for the key: 768 bits for personal use, 1024 bits for corporate use, and 2048 bits for extremely valuable keys like the key pair of a CA. A 768-bit key is expected to be secure until at least the year 2004.

N

National Language Support (NLS)
Support within a product for differences in locales, including language, currency, date and time format, and numeric presentation.

National Security Agency (NSA)
The official security body of the U.S. government.

NIST
National Institute of Standards and Technology, formerly known as NBS (National Bureau of Standards). It promotes open standards and interoperability in computer-based industries.

NLS
National language support.

nonce
A string that is sent down from a server or application, requesting user authorization. The user that is asked for authentication signs the nonce with a private key. The user's public key and the signed nonce are sent back to the server or application that requested authentication. The server then attempts to decipher the signed nonce with the user's public key. If the deciphered nonce is the same as the original nonce that was sent, the user is authenticated.

non-repudiation
The use of a digital private key to prevent the signer of a document from falsely denying having signed it.

NSA
National Security Agency.

O

object
In object-oriented design or programming, an abstraction encapsulating data and the operations associated with that data. See also class.


object identifier (OID)
An administratively assigned data value of the type defined in abstract syntax notation 1 (ASN.1).

object type
The kind of object that can be stored in the Directory. For example, an organization, meeting room, device, person, program, or process.

ODBC
Open Database Connectivity.

Open Database Connectivity (ODBC)
A standard for accessing different database systems.

Open Systems Interconnect (OSI)
The name of the computer networking standards that the ISO approved.

OSI
Open Systems Interconnect.

P

PC card
Similar to a smart card, and sometimes called a PCMCIA card. This card is somewhat larger than a smart card and usually has a greater capacity.

PEM
Privacy-enhanced mail.

PKCS
Public Key Cryptography Standards.

PKCS #1
See Public Key Cryptography Standards.

PKCS #7
See Public Key Cryptography Standards.

PKCS #10
See Public Key Cryptography Standards.

PKCS #11
See Public Key Cryptography Standards.

PKCS #12
See Public Key Cryptography Standards.

PKI
Public key infrastructure.

PKIX
An X.509v3-based PKI.

PKIX certificate management protocol (CMP)
A protocol that enables connections with PKIX-compliant applications. PKIX CMP uses TCP/IP as its primary transport mechanism, but an abstraction layer over sockets exists. This enables support for additional polling transports.

PKIX CMP
PKIX certificate management protocol.

PKIX listener
The public HTTP server that a particular registration domain uses to listen for requests from the Trust Authority Client application.


plaintext
Unencrypted data. Synonym for cleartext.

policy exit
In a registration facility, an organization-defined program that is called by the registration application. The rules specified in a policy exit apply the organization's business and security preferences to the enrollment process.

preregistration
In Trust Authority, a process that allows one user, typically an administrator, to enroll other users. If the request is approved, the RA provides information that allows the user to obtain the certificate at a later time using the Trust Authority Client application.

privacy
Protection from the unauthorized disclosure of data.

privacy-enhanced mail (PEM)
The Internet privacy-enhanced mail standard, which the Internet Architecture Board (IAB) adopted to provide secure electronic mail over the Internet. The PEM protocols provide for encryption, authentication, message integrity, and key management.

private key
The key in a public/private key pair that is available only to its owner. It enables the owner to receive a private transaction or make a digital signature. Data signed with a private key can be verified only with the corresponding public key. Contrast with public key. See also public/private key pair.

protocol
An agreed-on convention for inter-computer communication.

proxy server
An intermediary between the computer that is requesting access (computer A) and the computer that is being accessed (computer B). Thus, if an end user makes a request for a resource from computer A, this request is directed to a proxy server. The proxy server makes the request, gets the response from computer B, and then forwards the response to the end user. Proxy servers are useful for accessing World Wide Web resources from inside a firewall.

public key
The key in a public/private key pair that is made available to others. It enables them to direct a transaction to the owner of the key or verify a digital signature. Data encrypted with the public key can be decrypted only with the corresponding private key. Contrast with private key. See also public/private key pair.

Public Key Cryptography Standards (PKCS)
Informal inter-vendor standards developed in 1991 by RSA Laboratories with representatives from various computer vendors. These standards cover RSA encryption, the Diffie-Hellman agreement, password-based encryption, extended-certificate syntax, cryptographic message syntax, private-key information syntax, and certification syntax.

- PKCS #1 describes a method for encrypting data by using the RSA public key cryptosystem. Its intended use is in the construction of digital signatures and digital envelopes.
- PKCS #7 specifies a general format for cryptographic messages.
- PKCS #10 specifies a standard syntax for certification requests.
- PKCS #11 defines a technology-independent programming interface for cryptographic devices such as smart cards.
- PKCS #12 specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, and so forth.

public key infrastructure (PKI)
A standard for security software that is based on public key cryptography. The PKI is a system of digital certificates, certificate authorities, registration authorities, certificate management services, and distributed directory services. It is used to verify the identity and authority of each party involved in any transaction over the Internet. These transactions might involve operations where identity verification is required. For example, they might confirm the origin of proposal bids, authors of e-mail messages, or financial transactions.

The PKI achieves this by making the public encryption keys and certificates of users available for authentication by a valid individual or organization. It provides on-line directories that contain the public encryption keys and certificates that are used in verifying digital certificates, credentials, and digital signatures. The PKI provides a means for swift and efficient responses to verification queries and requests for public encryption keys. It also identifies potential security threats to the system and maintains resources to deal with security breaches. Lastly, the PKI provides a digital timestamping service for important business transactions.

public/private key pair
A public/private key pair is part of the concept of key pair cryptography (introduced in 1976 by Diffie and Hellman to solve the key management problem). In their concept, each person obtains a pair of keys, one called the public key and the other called the private key. Each person's public key is made public while the private key is kept secret. The sender and receiver do not need to share secret information: all communications involve only public keys, and no private key is ever transmitted or shared. It is no longer necessary to trust some communications channel to be secure against eavesdropping or betrayal. The only requirement is that public keys must be associated with their users in a trusted (authenticated) manner (for instance, in a trusted directory). Anyone can send a confidential message by using public information. However, the message can be decrypted only with a private key, which is in the sole possession of the intended recipient. Furthermore, key pair cryptography can be used not only for privacy (encryption), but also for authentication (digital signatures).

R

RA
Registration authority.

RA Desktop
A Java applet that provides RAs with a graphical interface for processing requests for credentials and administering them throughout their lifetime.

RA server
The server for the Trust Authority Registration Authority component.

RC2
A variable key-size block cipher, designed by Ron Rivest for RSA Data Security. RC stands for Ron's Code or Rivest's Cipher. It is faster than DES and is designed as a drop-in replacement for DES. It can be made more secure or less secure against exhaustive key search than DES by using appropriate key sizes. It has a block size of 64 bits and is about two to three times faster than DES in software. RC2 can be used in the same modes as DES. An agreement between the Software Publishers Association (SPA) and the United States government gives RC2 special status. This makes the export approval process simpler and quicker than the usual cryptographic export process. However, to qualify for quick export approval a product must limit the RC2 key size to 40 bits, with some exceptions. An additional string can be used to thwart attackers who try to precompute a large look-up table of possible encryptions.

registrar
A user who has been authorized to access the RA Desktop, to administer certificates and requests for certificates.

registration authority (RA)
The software that administers digital certificates to ensure that an organization's business policies are applied from the initial receipt of an enrollment request through certificate revocation.

registration database
Contains information about certificate requests and issued certificates. The database stores enrollment data and all changes to the certificate data throughout its life cycle. The database can be updated by RA processes and policy exits, or by registrars.

registration domain
A set of resources, policies, and configuration options related to specific certificate registration processes. The domain name is a subset of the URL that is used to run the registration facility.

registration facility
A Trust Authority application framework that provides specialized means of enrolling entities (such as browsers, routers, e-mail, and secure client applications) and managing certificates throughout their life cycle.


registration process
In Trust Authority, the steps for validating a user, so that the user and the user's public key can become certified and participate in transactions. This process can be local or Web-based, and can be automated or administered by human interaction.

repudiate
To reject as untrue; for example, to deny that you sent a specific message or submitted a specific request.

request ID
A 24- to 32-character ASCII value that uniquely identifies a certificate request to the RA. This value can be used on the certificate request transaction to retrieve the status of the request or the certificate that is associated with it.

RSA
A public key cryptographic algorithm that is named for its inventors (Rivest, Shamir, and Adleman). It is used for encryption and digital signatures.

S

schema
As relates to the Directory, the internal structure that defines the relationships between different object types.

Secure Electronic Transaction (SET)
An industry standard that facilitates secure credit card or debit card payment over untrusted networks. The standard incorporates authentication of cardholders, merchants, and card-issuing banks because it calls for the issuance of certificates.

Secure Sockets Layer (SSL)
An IETF standard communications protocol with built-in security services that are as transparent as possible to the end user. It provides a digitally secure communications channel. An SSL-capable server usually accepts SSL connection requests on a different port than standard HTTP requests. SSL creates a session during which the signals exchanged to set up communications between two modems need to occur only once. After that, communication is encrypted. Message integrity checking continues until the SSL session expires.

security domain
A group (a company, work group or team, educational or governmental) whose certificates have been certified by the same CA. Users with certificates that are signed by a CA can trust the identity of another user that has a certificate signed by the same CA.

server
(1) In a network, a data station that provides functions to other stations; for example, a file server. (2) In TCP/IP, a system in a network that handles the requests of a system at another site, called a client/server.

server certificate
A digital certificate, issued by a CA to enable a Web server to conduct SSL-based transactions. When a browser connects to the server by using the SSL protocol, the server sends the browser its public key. This enables authentication of the identity of the server. It also enables encrypted information to be sent to the server. See also CA certificate, digital certificate, and browser certificate.

servlet
A server-side program that gives Java-enabled servers additional functionality.

SET
Secure Electronic Transaction.

SGML
Standard Generalized Markup Language.

SHA-1 (Secure Hash Algorithm)
An algorithm that was designed by NIST and NSA for use with the Digital Signature Standard. The standard is the Secure Hash Standard; SHA is the algorithm that the standard uses. SHA produces a 160-bit hash.


sign
To use your private key to generate a signature. The signature is a means of proving that you are responsible for and approve of the message you are signing.

signing/verifying
To sign is to use a private digital key to generate a signature. To verify is to use the corresponding public key to verify the signature.

Simple Mail Transfer Protocol (SMTP)
A protocol that transfers electronic mail over the Internet.

site certificate
Similar to a CA certificate, but valid only for a specific Web site. See also CA certificate.

smart card
A piece of hardware, typically the size of a credit card, for storing a user's digital keys. A smart card can be password-protected.

S/MIME
A standard that supports the signing and encryption of e-mail transmitted across the Internet. See MIME.

SMTP
Simple Mail Transfer Protocol.

SSL
Secure Sockets Layer.

Standard Generalized Markup Language (SGML)
A standard for describing markup languages. HTML is based on SGML.

symmetric cryptography
Cryptography that uses the same key for both encryption and decryption. Its security rests in the key: revealing the key means that anyone could encipher and decipher messages. The communication remains secret only as long as the key remains secret. Contrast with asymmetric cryptography.

symmetric key
A key that can be used for both encryption and decryption. See also symmetric cryptography.

T

target
A designated or selected data source.

TCP/IP
Transmission Control Protocol/Internet Protocol.

top CA
The CA at the top of a PKI CA hierarchy.

TP
Trust Policy.

transaction ID
An identifier provided by the RA in response to a preregistration enrollment request. It enables a user running the Trust Authority Client application to obtain the pre-approved certificate.

Transmission Control Protocol/Internet Protocol (TCP/IP)
A set of communication protocols that support peer-to-peer connectivity functions for local and wide area networks.

triple DES
A symmetric algorithm that encrypts the plaintext three times. Although many ways exist to do this, the most secure form of multiple encryption is triple-DES with three distinct keys.


Trust Authority
An integrated IBM SecureWay security solution that supports the issuance, renewal, and revocation of digital certificates. These certificates can be used in a wide range of Internet applications, providing a means to authenticate users and ensure trusted communications.

trust chain
A set of certificates that consists of the trusted hierarchy from the user certificate to the root or self-signed certificate.

trust domain
A set of entities whose certificates have been certified by the same CA.

trusted computer base (TCB)
The software and hardware elements that collectively enforce an organization's computer security policy. Any element or part of an element that can affect security policy enforcement is security-relevant and part of the TCB. The TCB is an object that is bounded by the security perimeter. The mechanisms that carry out the security policy must be non-circumventable, and must prevent programs from gaining access to system privileges to which they are not authorized.

trust model
A structuring convention that governs how certificate authorities certify other certificate authorities.

tunnel
In VPN technology, an on-demand virtual point-to-point connection made through the Internet. While connected, remote users can use the tunnel to exchange secure, encrypted, and encapsulated information with servers on the corporate private network.

type
See object type.

U

Unicode
A 16-bit character set that is defined by ISO 10646. The Unicode character encoding standard is an international character code for information processing. The Unicode standard encompasses the principal scripts of the world and provides the foundation for the internationalization and localization of software. All source code in the Java programming environment is written in Unicode.

Uniform Resource Locator (URL)
A scheme for addressing resources on the Internet. The URL specifies the protocol, host name or IP address. It also includes the port number, path, and resource details needed to access a resource from a particular machine.

URL
Uniform Resource Locator.

user authentication
The process of validating that the originator of a message is the identifiable and legitimate owner of the message. It also validates that you are communicating with the end user or system you expected to.

UTF-8
A transformation format. It enables information processing systems that handle only 8-bit character sets to convert 16-bit Unicode to an 8-bit equivalent and back again without loss of information.

V

Virtual Private Network (VPN)
A private data network that uses the Internet rather than phone lines to establish remote connections. Because users access corporate network resources through an Internet Service Provider (ISP) rather than a telephone company, organizations can significantly reduce remote access costs. A VPN also enhances the security of data exchanges. In traditional firewall technology, message content can be encrypted, but the source and destination addresses are not. In VPN technology, users can establish a tunnel connection in which the entire information packet (content and header) is encrypted and encapsulated.


VPN
Virtual Private Network.

W

Web browser
Client software that runs on a desktop PC and enables the user to browse the World Wide Web or local HTML pages. It is a retrieval tool that provides universal access to the large collection of hypermedia material available in the Web and Internet. Some browsers can display text and graphics, and some can display only text. Most browsers can handle the major forms of Internet communication, such as FTP transactions.

Web server
A server program that responds to requests for information resources from browser programs. See also server.

WebSphere Application Server
An IBM product that helps users develop and manage high-performance Web sites. It eases the transition from simple Web publishing to advanced e-business Web applications. The WebSphere Application Server consists of a Java-based servlet engine that is independent of both the Web server and its underlying operating system.

World Wide Web (WWW)
That part of the Internet where a network of connections is established between computers that contain hypermedia materials. These materials provide information and can provide links to other materials in the WWW and Internet. WWW resources are accessed through a Web browser program.

X

X.500
A standard for putting into effect a multipurpose, distributed and replicated directory service by interconnecting computer systems. Jointly defined by the International Telecommunications Union (ITU), formerly known as CCITT, and the International Organization for Standardization and International Electro-Chemical Commission (ISO/IEC).

X.509 certificate
A widely accepted certificate standard designed to support secure management and distribution of digitally signed certificates across secure Internet networks. The X.509 certificate defines data structures that accommodate procedures for distributing public keys that are digitally signed by trusted third parties.

X.509 Version 3 certificate
The X.509v3 certificate has extended data structures for storing and retrieving certificate application information, certificate distribution information, certificate revocation information, policy information, and digital signatures. X.509v3 processes create time-stamped CRLs for all certificates. Each time a certificate is used, X.509v3 capabilities allow the application to check the validity of the certificate. It also allows the application to determine whether the certificate is on the CRL. X.509v3 CRLs can be constructed for a specific validity period. They can also be based on other circumstances that might invalidate a certificate. For example, if an employee leaves an organization, their certificate would be put on the CRL.


Index

Numerics
4758 coprocessor
    described 35
    enabling for the CA 39
    RSA key size 39
    storing keys in 35
    storing the CA key 39

A
accessibility options 46
add_rauser utility 21
apply configuration values 46
attributes, DN
    example 14
    sequence 14
Audit server
    described 29
    host name 39
    port number 39
AuditArchiveAndSign tool 29
AuditIntegrityCheck tool 29
authorizing registrars 21

B
backing up the system 22
browser requirements 5, 47

C
CA key
    algorithm 39
    size 39
    storing in hardware 35, 39
CA server
    4758 coprocessor option 39
    described 30
    distinguished name 39
    host name 39
    key size 39
    port number 39
    signature algorithm 39
certificate management protocol (CMP) 32
certificate requests, submitting 18
certificate revocation list (CRL) 30
CfgSetupWizard.html file 9
CfgStart program
    on AIX 11
    on NT 11
    on remote machines 13
cfguser username 9, 38
Change Password utility 20
Client application
    described 32
    PKIX requests 32
    server port for 45
collecting configuration data 6
common name, in DN 16
configuration data
    4758 coprocessor 39
    applying 46
    Audit server name 39
    Audit server port 39
    CA DN 39
    CA key 39
    CA server name 39
    CA server port 39
    Client application 45
    client authentication options 44
    Client requests 45
    Directory administrator 42
    Directory root 41
    Directory server name 41
    Directory server port 41
    form for recording options 7
    importing 12, 38
    migrating 38
    public Web server 44
    registration domain 43
    saving 45
    secure Web servers 44
    startup options 37
    summary 45
    Trust Authority password 38
    verifying 18
configuration data form 7
configuration files, editing 21
configuration process 46
configuration user 9, 38
configuring
    remote servers 13
    status information 46
    Trust Authority database 46
    workstations 5
country, in DN 16
Credential Central 18
customizing registration domains 22


D
databases, default DB2 30
DB2, described 30
Directory administrator
   described 32
   DN 42
   password 42
Directory schema 31
Directory server
   described 31
   Directory administrator 42
   host name 41
   ownership permissions 20
   port number 41
   root DN 41
Directory tree 31
DN editor
   attribute sequence 17
   CA DN 39
   described 15
   Directory administrator DN 42
   Directory root DN 41
   format type 17
   general information 16
   icon 39, 41, 42
   keyboard controls 46
   location information 16
   organization information 16
   using 15
DN flexibility 22
DNs
   Certificate Authority 39
   common name 16
   country name 16
   Directory administrator 42
   Directory root 41
   Directory schema 31
   Directory tree 31
   example 14
   locality 16
   non-English 47
   organization name 16
   organizational unit 16
   rules for typing 14
   state or province 16
   street address 17
   using the DN Editor 15
downloading swingall.jar 9

E
editing configuration files 21
editing DNs 15
encryption keys, for the CA 39
enrollment 18

F
Finish button 46
form for configuration data 7

H
help for the Setup Wizard 9, 10
host names
   CA and Audit server 39
   Directory server 41
   public Web server 44
   secure Web servers 44
   Trust Authority server 37

I
IBM HTTP Server 34, 44
importing configuration data 12, 38
IniEditor program 21
IP addresses
   CA and Audit server 39
   Directory server 41
   public Web server 44
   secure Web server 44
   Trust Authority server 37
issued certificate list (ICL) 30

K
keyboard controls 46

L
LDAP standard 31
locality, in DN 16
log messages 18

M
MAC (message authentication code)
   in Audit processing 29
   in CA processing 30
machine requirements 5
masking audit events 29
messages, viewing 18, 46
migrating configuration data 38
modifying ACLs 22
mouse alternatives 46


O
operating systems, supported 5
organization name, in DN 16
organizational unit, in DN 16

P
passwords
   changing 20
   Directory administrator 42
   root DN 41
   Trust Authority server 38
permissions, slapd.conf 20
PKIX certificates
   described 32
   port for processing 45
ports
   CA and Audit server 39
   Client application 45
   client-authentication 44
   Directory server 41
   public Web server 44
   secure Web servers 44
product overview 1
production system, preparing for 19

R
Readme file 3
reconfiguring the system 23
registrars, authorizing 21
registration domains
   customizing 22
   described 33
   installation directory 43
   language 43
   name 43
   non-English 47
remote configuration 13
renaming the Setup Wizard 20
root DN
   described 32
   name 41
   password 41
RSA key 39

S
saving configuration data 45
securing the Setup Wizard 20
servers
   Audit 39
   CA 39
   Directory 41
   IBM HTTP 44
   public 44
   RA 45
   secure 44
   Trust Authority 37
   uninstalling from AIX 24
   uninstalling from Windows NT 27
Setup Wizard
   accessibility options 46
   configuration process 46
   exiting 37
   help for 9, 10
   installation location 20
   keyboard controls 46
   preparing to run 5
   securing 20
   starting 9, 37
   Web browser setup 5
sha-1WithRSAEncryption 39
slapd.conf file 20
smart cards 32
SSL
   described 33
   in Trust Authority 34
   secure Web servers 44
starting the Setup Wizard 9
startup options 37
state or province, in DN 16
storing CA keys in hardware 39
street address, in DN 17
submitting certificate requests 18
Swing library 5
swingall.jar file 9
system requirements 5

T
Trust Authority configuration user 9, 38
Trust Authority Web site 3
typing DNs 14

U
uninstalling
   server components from AIX 24
   server components from NT 27
URLs
   for Credential Central 18
   for Readme file 3
   for registration domains 33
   for Setup Wizard 9
   for Trust Authority 3


V
verifying the configuration 18
View Advanced Messages button 46
viewing
   configuration messages 18, 46
   configuration status 46

W
Web servers
   in Trust Authority 34
   public server name 44
   public server port 44
   secure server names 44
   secure server ports 44
Web site, Trust Authority 3
workstation requirements 5


Program Number: 5648-D09

Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.

SH09-4529-02