Chapter 3 Configuration

The runtime properties of Netscape Certificate Management System (CMS) are governed by a set of configuration parameters. These parameters are stored in a file that is read by the server during startup.

When you install Certificate Management System, the installer creates an ASCII file, named CMS.cfg, and populates it with the appropriate configuration parameters. You can control the way Certificate Management System functions by making the appropriate changes to the configuration information.

This chapter explains how the installation type affects the number of configuration files created on your machine and their contents. It also explains ways in which you can modify the configuration and precautions you should take when doing so. The chapter ends with a road map to configuring individual subsystems.

The chapter has the following sections:


Effects of Installation Type on Configuration
For each instance of Certificate Management System there is a configuration file named CMS.cfg. The configuration file controls the runtime properties of the corresponding CMS instance.

A CMS instance can include a single subsystem or two subsystems in one of the following combinations:

Figure 3.1 illustrates a deployment scenario involving two instances of Certificate Management System running on the same host (Host A) and a single instance running on another host (Host B). Notice the two separate configuration files for the instances running on Host A, one for each CMS instance.

Although the names of both the configuration files are the same, the information included in the files differs according to the subsystems installed in each instance. For example, the configuration file for CMS Instance 1 includes only those parameters that govern the Registration Manager, whereas the configuration file for CMS Instance 2 includes parameters that control both the Certificate Manager and Data Recovery Manager.

It is also important to understand that subsystems installed in a CMS instance share certain parts of the configuration. They use the same

Duplicating a Configuration from One Instance to Another

If you have deployed a large number of CMS instances that are identical--for example, multiple Registration Managers--and you want all these instances to have the same configuration, you can accomplish this by configuring one of the instances and then replacing the configuration files of the other instances with the one that contains the required configuration. Figure 3.2 illustrates this quick way of deploying multiple Registration Managers with the same configuration.

Figure 3.2 Duplicating a configuration

Caution Be careful when replacing the configuration file of one instance with that of another. The configuration file for an instance contains instance-specific parameters. If you overwrite these parameters, the instance will fail to start or function properly.


Locating the Configuration File
Each instance of Certificate Management System has its own configuration file, CMS.cfg. The default location for this file is as follows:

<server_root>/cert-<instance_id>/config/...

<server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

<instance_id> is the ID for this instance of Certificate Management System. You first specified this when you installed this server.


Modifying the Configuration
You can modify the CMS configuration in two ways:

Changing the Configuration from the CMS Window

The CMS window allows you to view the current configuration of a CMS instance and make the required changes. Because this is the recommended method for changing the configuration, the chapters that follow focus on explaining how to change the various configuration parameter values from the CMS window.

Note You may find the road map provided in "Road Map to Configuring Subsystems" useful in setting up your CMS instances.

Changing the Configuration by Editing the Configuration File

This section explains how to change the CMS configuration by editing the configuration parameter values in the file CMS.cfg. This ASCII file is read by Certificate Management System when it is started.

Caution Do not edit the configuration file directly if you are not familiar with the configuration parameters or if you are not sure that the changes you intend to make are acceptable to the server. Certificate Management System will fail to start up if you make incorrect modifications to the configuration file. Incorrect configuration can also result in data loss.

Also, before you start editing the configuration file, be sure to read "Guidelines for Editing the Configuration File".

To modify the configuration file directly:

  1. Stop the CMS instance whose configuration file you want to edit (see "Stopping Certificate Management System").
  2. Open a terminal window.
  3. Locate the configuration file (CMS.cfg).
  4. The default location for this file is:

    <server_root>/cert-<instance_id>/config/...

    <server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

    <instance_id> is the ID for this instance of Certificate Management System. You first specified this when you installed this server.

  5. Open the configuration file in an ASCII editor.
  6. Edit information in the file and save your changes.
  7. Restart Certificate Management System (see "Restarting Certificate Management System").

Guidelines for Editing the Configuration File

The file-based configuration store of Certificate Management System is implemented on top of java.util.Properties, so the file follows that class's key=value syntax. The following guidelines may help you interpret the information in the configuration file.

Sample Configuration File

The following sample configuration file comes from an instance in which a Certificate Manager and a Data Recovery Manager are installed.

Important This sample file includes some of the parameters used by Certificate Management System. However, there is no guarantee that an arbitrary set of options you create will work.


_000=##
_001=## File Created On     : Thu Apr 29 12:43:05 PDT 1999
_002=##

instanceRoot=C:/Netscape/Server4/cert-testCA-KRA

agentGateway._000=##
agentGateway._001=## Agent Gateway
agentGateway._002=##
agentGateway.docRoot=C:/Netscape/Server4/cert-testCA-KRA/web/agent
agentGateway.enableAdminEnroll=true
agentGateway.enableBulkInterface=true
agentGateway.enableConnector=true
agentGateway.mimeTypeConf=C:/Netscape/Server4/cert-testCA-KRA/config/mime.types
agentGateway.numServices=1
agentGateway.service0=https
agentGateway.CAGetBySerial.successTemplate=/ca/ImportCert.template
agentGateway.adminEnroll.successTemplate=/ca/EnrollSuccess.template
agentGateway.bulkissuance.errorTemplate=/ca/bulkissuance.template
agentGateway.bulkissuance.pendingTemplate=/ca/bulkissuance.template
agentGateway.bulkissuance.rejectedTemplate=/ca/bulkissuance.template
agentGateway.bulkissuance.successTemplate=/ca/bulkissuance.template
agentGateway.bulkissuance.svcpendingTemplate=/ca/bulkissuance.template
agentGateway.bulkissuance.unauthorizedTemplate=/ca/bulkissuance.template
agentGateway.bulkissuance.unexpectedErrorTemplate=/ca/bulkissuance.template
agentGateway.https.backlog=15
agentGateway.https.nickName=Server-Cert cert-testCA-KRA
agentGateway.https.port=8100
agentGateway.https.type=https

auths._000=##
auths._001=## new authentication
auths._002=##
auths.impl._000=##
auths.impl._001=## authentication manager implementations
auths.impl._002=##
auths.impl.UidPwdDirAuth.class=com.netscape.certsrv.authentication.UidPwdDirAuthentication
auths.impl.UidPwdPinDirAuth.class=com.netscape.certsrv.authentication.UidPwdPinDirAuthentication
auths.revocationChecking.bufferSize=5
auths.revocationChecking.ca=ca
auths.revocationChecking.enabled=true
auths.revocationChecking.kra=kra
auths.revocationChecking.validityInterval=300

ca.id=ca
ca.local=true

ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, DefaultRenewalValidityRule, DefaultRevocationRule, NSCertTypeExt, KeyUsageExt, SubjectKeyIdentifierExt, AuthorityKeyIdentifierExt, BasicConstraintsExt
ca.Policy.impl._000=##
ca.Policy.impl._001=## Policy Implementations
ca.Policy.impl._002=##
ca.Policy.impl.AuthorityKeyIdentifierExt.class=com.netscape.certsrv.policy.AuthorityKeyIdExt
ca.Policy.impl.BasicConstraintsExt.class=com.netscape.certsrv.policy.BasicConstraintsExt
ca.Policy.impl.DSAKeyConstraints.class=com.netscape.certsrv.policy.DSAKeyConstraints
ca.Policy.impl.DefaultRevocation.class=com.netscape.certsrv.policy.DefaultRevocation
ca.Policy.impl.KeyAlgorithmConstraints.class=com.netscape.certsrv.policy.KeyAlgorithmConstraints
ca.Policy.impl.KeyUsageExt.class=com.netscape.certsrv.policy.KeyUsageExt
ca.Policy.impl.NSCertTypeExt.class=com.netscape.certsrv.policy.NSCertTypeExt
ca.Policy.impl.RSAKeyConstraints.class=com.netscape.certsrv.policy.RSAKeyConstraints
ca.Policy.impl.RenewalValidityConstraints.class=com.netscape.certsrv.policy.RenewalValidityConstraints
ca.Policy.impl.SubjectKeyIdentifierExt.class=com.netscape.certsrv.policy.SubjectKeyIdExt
ca.Policy.impl.ValidityConstraints.class=com.netscape.certsrv.policy.ValidityConstraints
ca.Policy.rule.AuthorityKeyIdentifierExt.enable=true
ca.Policy.rule.AuthorityKeyIdentifierExt.implName=AuthorityKeyIdentifierExt
ca.Policy.rule.AuthorityKeyIdentifierExt.predicate=
ca.Policy.rule.BasicConstraintsExt.enable=true
ca.Policy.rule.BasicConstraintsExt.implName=BasicConstraintsExt
ca.Policy.rule.BasicConstraintsExt.predicate=
ca.Policy.rule.DSAKeyRule.enable=true
ca.Policy.rule.DSAKeyRule.implName=DSAKeyConstraints
ca.Policy.rule.DSAKeyRule.maxSize=2048
ca.Policy.rule.DSAKeyRule.minSize=512
ca.Policy.rule.DSAKeyRule.predicate=
ca.Policy.rule.DefaultRenewalValidityRule.enable=true
ca.Policy.rule.DefaultRenewalValidityRule.implName=RenewalValidityConstraints
ca.Policy.rule.DefaultRenewalValidityRule.maxValidity=365
ca.Policy.rule.DefaultRenewalValidityRule.minValidity=30
ca.Policy.rule.DefaultRenewalValidityRule.predicate=
ca.Policy.rule.DefaultRenewalValidityRule.renewalInterval=15
ca.Policy.rule.DefaultRevocationRule.enable=true
ca.Policy.rule.DefaultRevocationRule.implName=DefaultRevocation
ca.Policy.rule.DefaultRevocationRule.predicate=
ca.Policy.rule.DefaultValidityRule.enable=true
ca.Policy.rule.DefaultValidityRule.implName=ValidityConstraints
ca.Policy.rule.DefaultValidityRule.maxValidity=365
ca.Policy.rule.DefaultValidityRule.minValidity=30
ca.Policy.rule.DefaultValidityRule.predicate=
ca.Policy.rule.KeyAlgRule.algorithm=RSA
ca.Policy.rule.KeyAlgRule.enable=true
ca.Policy.rule.KeyAlgRule.implName=KeyAlgorithmConstraints
ca.Policy.rule.KeyAlgRule.predicate=
ca.Policy.rule.KeyUsageExt.enable=true
ca.Policy.rule.KeyUsageExt.implName=KeyUsageExt
ca.Policy.rule.KeyUsageExt.predicate=
ca.Policy.rule.NSCertTypeExt.enable=true
ca.Policy.rule.NSCertTypeExt.implName=NSCertTypeExt
ca.Policy.rule.NSCertTypeExt.predicate=
ca.Policy.rule.RSAKeyRule.enable=true
ca.Policy.rule.RSAKeyRule.exponents=3,7,17,65537
ca.Policy.rule.RSAKeyRule.implName=RSAKeyConstraints
ca.Policy.rule.RSAKeyRule.maxSize=2048
ca.Policy.rule.RSAKeyRule.minSize=512
ca.Policy.rule.RSAKeyRule.predicate=
ca.Policy.rule.SubjectKeyIdentifierExt.enable=true
ca.Policy.rule.SubjectKeyIdentifierExt.implName=SubjectKeyIdentifierExt
ca.Policy.rule.SubjectKeyIdentifierExt.predicate=certType==ca

ca.connector.KRA.id=kra
ca.connector.KRA.local=true

ca.crl._000=##
ca.crl._001=## CA CRL
ca.crl._002=##
ca.crl.MasterCRL.allowExtensions=false
ca.crl.MasterCRL.autoUpdateInterval=0
ca.crl.MasterCRL.class=com.netscape.certsrv.ca.CRLIssuingPoint
ca.crl.MasterCRL.description=com.netscape.certsrv.ldap.LdapCrlPublisher
ca.ldappublish.certPublish.class=com.netscape.certsrv.ldap.LdapUserCertPublisher
ca.ldappublish.crlPublish.class=com.netscape.certsrv.ldap.LdapCrlPublisher
ca.ldappublish.type.ca.mapper.baseDN=
ca.ldappublish.type.ca.mapper.class=com.netscape.certsrv.ldap.LdapCertCompsMap
ca.ldappublish.type.ca.mapper.dnComps=O
ca.ldappublish.type.ca.mapper.filterComps=CN
ca.ldappublish.type.ca.publisher.class=com.netscape.certsrv.ldap.LdapCaCertPublisher
ca.ldappublish.type.client.mapper.baseDN=
ca.ldappublish.type.client.mapper.class=com.netscape.certsrv.ldap.LdapCertCompsMap
ca.ldappublish.type.client.mapper.dnComps=O
ca.ldappublish.type.client.mapper.filterComps=UID,CN
ca.ldappublish.type.client.publisher.class=com.netscape.certsrv.ldap.LdapUserCertPublisher
ca.ldappublish.type.crl.mapper.baseDN=
ca.ldappublish.type.crl.mapper.class=com.netscape.certsrv.ldap.LdapCrlIssuerCompsMap
ca.ldappublish.type.crl.mapper.dnComps=O
ca.ldappublish.type.crl.mapper.filterComps=CN
ca.ldappublish.type.crl.publisher.class=com.netscape.certsrv.ldap.LdapCrlPublish

ca.notification.certIssued.emailSubject=Your Certificate Request
ca.notification.certIssued.emailTemplate=C:/Netscape/Server4/cert-testCA-KRA/emails/certIssued_CA.html
ca.notification.certIssued.enabled=true
ca.notification.certIssued.senderEmail=cert_central@netscape.com
ca.notification.requestInQ.emailSubject=Certificate Request in Queue
ca.notification.requestInQ.emailTemplate=C:/Netscape/Server4/cert-testCA-KRA/emails/reqInQueue.html
ca.notification.requestInQ.enabled=true
ca.notification.requestInQ.recipientEmail=CA_agent@netscape.com
ca.notification.requestInQ.senderEmail=CA_admin@netscape.com
ca.signing.cacertnickname=caSigningCert cert-testCA-KRA
ca.signing.defaultSigningAlgorithm=MD5withRSA
ca.signing.tokenname=Internal Key Storage Token

dbs.ldap=internaldb

eeGateway._000=##
eeGateway._001=## End Entity Gateway
eeGateway._002=##
eeGateway.authority=ca
eeGateway.docRoot=C:/Netscape/Server4/cert-testCA-KRA/web/ee
eeGateway.dynamicVariables=serverdate=serverdate(),subsystemname=subsystemname()
eeGateway.enableConnector=true
eeGateway.mimeTypeConf=C:/Netscape/Server4/cert-testCA-KRA/config/mime.types
eeGateway.numServices=2
eeGateway.service0=http
eeGateway.service1=https
eeGateway.http.backlog=15
eeGateway.http.enable=true
eeGateway.http.port=80
eeGateway.http.type=http
eeGateway.https.backlog=15
eeGateway.https.nickName=Server-Cert cert-testCA-KRA
eeGateway.https.port=443
eeGateway.https.type=https

internaldb._000=##
internaldb._001=## Internal Database
internaldb._002=##
internaldb.basedn=o=NetscapeCertificateServer
internaldb.maxConns=10
internaldb.minConns=3
internaldb.ldapauth.authtype=BasicAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapauth.bindPWPrompt=Internal LDAP Database
internaldb.ldapconn.host=myHost.netscape.com
internaldb.ldapconn.port=38900
internaldb.ldapconn.secureConn=false

jobsScheduler._000=##
jobsScheduler._001=## jobScheduler
jobsScheduler._002=##
jobsScheduler.enabled=true
jobsScheduler.interval=1
jobsScheduler.impl.RenewalNotificationJob.class=com.netscape.certsrv.jobs.RenewalNotificationJob
jobsScheduler.impl.RequestInQueueJob.class=com.netscape.certsrv.jobs.RequestInQueueJob
jobsScheduler.impl.UnpublishExpiredJob.class=com.netscape.certsrv.jobs.UnpublishExpiredJob
jobsScheduler.job.certRenewalNotifier.cron=0 3 * * 1-5
jobsScheduler.job.certRenewalNotifier.emailSubject=Certificate Renewal Notification
jobsScheduler.job.certRenewalNotifier.emailTemplate=C:/Netscape/Server4/cert-testCA-KRA/emails/rnJob1.txt
jobsScheduler.job.certRenewalNotifier.enabled=false
jobsScheduler.job.certRenewalNotifier.notifyEndOffset=30
jobsScheduler.job.certRenewalNotifier.notifyTriggerOffset=30
jobsScheduler.job.certRenewalNotifier.pluginName=RenewalNotificationJob
jobsScheduler.job.certRenewalNotifier.senderEmail=
jobsScheduler.job.certRenewalNotifier.summary.emailSubject=Certificate Renewal Notification Summary
jobsScheduler.job.certRenewalNotifier.summary.emailTemplate=C:/Netscape/Server4/cert-testCA-KRA/emails/rnJob1Summary.txt
jobsScheduler.job.certRenewalNotifier.summary.enabled=true
jobsScheduler.job.certRenewalNotifier.summary.itemTemplate=C:/Netscape/Server4/cert-testCA-KRA/emails/rnJob1Item.txt
jobsScheduler.job.certRenewalNotifier.summary.recipientEmail=
jobsScheduler.job.certRenewalNotifier.summary.senderEmail=
jobsScheduler.job.requestInQueueNotifier.cron=0 0 * * 0
jobsScheduler.job.requestInQueueNotifier.enabled=false
jobsScheduler.job.requestInQueueNotifier.pluginName=RequestInQueueJob
jobsScheduler.job.requestInQueueNotifier.subsystemId=ca
jobsScheduler.job.requestInQueueNotifier.summary.emailSubject=Requests in Queue Summary Report
jobsScheduler.job.requestInQueueNotifier.summary.emailTemplate=C:/Netscape/Server4/cert-testCA-KRA/emails/riq1Summary.html
jobsScheduler.job.requestInQueueNotifier.summary.enabled=true
jobsScheduler.job.requestInQueueNotifier.summary.recipientEmail=
jobsScheduler.job.requestInQueueNotifier.summary.senderEmail=
jobsScheduler.job.unpublishExpiredCerts.cron=0 0 * * 6
jobsScheduler.job.unpublishExpiredCerts.enabled=false
jobsScheduler.job.unpublishExpiredCerts.pluginName=UnpublishExpiredJob
jobsScheduler.job.unpublishExpiredCerts.summary.emailSubject=Expired Certificates Unpublished Summary
jobsScheduler.job.unpublishExpiredCerts.summary.emailTemplate=C:/Netscape/Server4/cert-testCA-KRA/emails/euJob1.html
jobsScheduler.job.unpublishExpiredCerts.summary.enabled=true
jobsScheduler.job.unpublishExpiredCerts.summary.itemTemplate=C:/Netscape/Server4/cert-testCA-KRA/emails/euJob1Item.html
jobsScheduler.job.unpublishExpiredCerts.summary.recipientEmail=
jobsScheduler.job.unpublishExpiredCerts.summary.senderEmail=

jss._000=##
jss._001=## JSS
jss._002=##
jss.certdb=C:/Netscape/Server4/cert-testCA-KRA/config/cert7.db
jss.enable=true
jss.keydb=C:/Netscape/Server4/cert-testCA-KRA/config/key3.db
jss.moddb=C:/Netscape/Server4/admin-serv/config/secmod.db
jss.ssl.cipherfortezza=true
jss.ssl.cipherpref=
jss.ssl.cipherversion=cipherdomestic

kra.storageUnit.certdb=C:/Netscape/Server4/cert-testCA-KRA/config/kra-cert.db
kra.storageUnit.keydb=C:/Netscape/Server4/cert-testCA-KRA/config/kra-key.db
kra.storageUnit.mn=C:/Netscape/Server4/cert-testCA-KRA/config/kra-mn.conf
kra.storageUnit.nickName=kraStorageCert
kra.transportUnit.nickName=kraTransportCert cert-testCA-KRA

logAudit._000=##
logAudit._001=## Logging
logAudit._002=##
logAudit.bufferSize=512
logAudit.expirationTime=2592000
logAudit.fileName=C:/Netscape/Server4/cert-testCA-KRA/logs/audit
logAudit.flushInterval=300
logAudit.level=3
logAudit.maxFileSize=100
logAudit.on=true
logAudit.rolloverInterval=2592000
logError._000=##
logError._001=## Logging
logError._002=##
logError.bufferSize=512
logError.expirationTime=2592000
logError.fileName=C:/Netscape/Server4/cert-testCA-KRA/logs/error
logError.flushInterval=300
logError.level=3
logError.maxFileSize=100
logError.on=true
logError.rolloverInterval=2592000
logNTAudit.NTEventSourceName=cert-testCA-KRA
logNTAudit.level=2
logNTAudit.on=true
logNTSystem.NTEventSourceName=cert-testCA-KRA
logNTSystem.level=2
logNTSystem.on=true
logSystem._000=##
logSystem._001=## Logging
logSystem._002=##
logSystem.bufferSize=512
logSystem.expirationTime=2592000
logSystem.fileName=C:/Netscape/Server4/cert-testCA-KRA/logs/system
logSystem.flushInterval=300
logSystem.level=3
logSystem.maxFileSize=100
logSystem.on=true
logSystem.rolloverInterval=2592000

oidmap.challenge_password.class=com.netscape.certsrv.cmsgateway.cert.crs.ChallengePassword
oidmap.challenge_password.oid=1.2.840.113549.1.9.7
oidmap.extensions_requested.class=com.netscape.certsrv.cmsgateway.cert.crs.ExtensionsRequested
oidmap.extensions_requested.oid=2.16.840.1.113733.1.9.8

os.serverName=cert-testCA-KRA
os.userid=nobody

radm._000=##
radm._001=## Remote Admin
radm._002=##
radm.keepAliveOn=true
radm.mimeTypeConf=C:/Netscape/Server4/cert-testCA-KRA/config/mime.types
radm.numServices=1
radm.service0=https
radm.https.backlog=15
radm.https.maxThreads=10
radm.https.minThreads=3
radm.https.nickName=Server-Cert cert-testCA-KRA
radm.https.port=8200
radm.https.timeout=10
radm.https.type=https

smtp.host=localhost
smtp.port=25

subsystem._000=##
subsystem._001=## Loadable Subsystems
subsystem._002=##
subsystem.0.class=com.netscape.certsrv.kra.KeyRecoveryAuthority
subsystem.0.id=kra
subsystem.1.class=com.netscape.certsrv.ca.CertificateAuthority
subsystem.1.id=ca
subsystem.2.class=com.netscape.certsrv.cmsgateway.EEGateway
subsystem.2.id=eeGateway

usrgrp._000=##
usrgrp._001=## User/Group
usrgrp._002=##
usrgrp.ldap=internaldb
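The Caution in "Duplicating a Configuration from One Instance to Another" and the java.util.Properties format of the sample file above, worked through in Python as an added example (not code from the guide or from Netscape): a parser for the CMS.cfg syntax and a routine that copies one instance's settings onto another while keeping the target's instance-specific parameters. The instance-specific key list, the second instance name cert-testCA2, and both file excerpts are constructed assumptions.

```python
"""Parse a CMS.cfg configuration store and copy it onto a second instance.

Added example, not Netscape code. It follows the java.util.Properties syntax
the chapter names (key=value, '#'/'!' comments, backslash continuation); the
list of instance-specific parameters is an assumption read off the sample file.
"""
import re

def _split_key(line):
    """The key ends at the first unescaped '=', ':' or whitespace, and one
    separator after it is consumed, so later '=' signs stay in the value."""
    i = 0
    while i < len(line) and line[i] not in "=: \t":
        i += 2 if line[i] == "\\" else 1      # step over escaped characters
    key = re.sub(r"\\(.)", r"\1", line[:i])
    rest = line[i:].lstrip(" \t")
    if rest and rest[0] in "=:":
        rest = rest[1:].lstrip(" \t")
    return key, rest

def parse_properties(text):
    """Return an insertion-ordered dict of key -> value."""
    props, logical = {}, []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue                          # blank or comment line
        if (len(line) - len(line.rstrip("\\"))) % 2:   # odd trailing '\'
            logical.append(line[:-1])         # value continues on next line
            continue
        key, value = _split_key("".join(logical) + line)
        props[key] = value
        logical = []
    return props

def dump_properties(props):
    """Write the store back as key=value lines (these values need no escaping)."""
    return "".join(f"{k}={v}\n" for k, v in props.items())

# Parameters tied to one instance: root directory, server name, ports,
# certificate nicknames and file paths (assumption drawn from the sample file).
INSTANCE_SPECIFIC = re.compile(
    r"^(instanceRoot|os\.serverName|log\w+\.NTEventSourceName)$"
    r"|\.(port|nickName|cacertnickname|docRoot|mimeTypeConf|fileName"
    r"|emailTemplate|itemTemplate|certdb|keydb|moddb|mn)$"
)

def duplicate_config(source, target):
    """Copy every source parameter onto target except instance-specific ones,
    which keep the target's own value. Returns (merged, kept, missing): kept
    lists the target values preserved, missing the instance-specific source
    keys the target lacks, for review before the instance is started."""
    src_root = source.get("instanceRoot", "")
    merged, kept, missing = dict(target), [], []
    for key, value in source.items():
        specific = INSTANCE_SPECIFIC.search(key) or (src_root and src_root in value)
        if not specific:
            merged[key] = value
        elif key in target:
            kept.append(key)
        else:
            missing.append(key)
    return merged, kept, missing

# Constructed excerpt in the style of the chapter's sample file for the
# configured instance cert-testCA-KRA; the backslash shows a continued line.
SOURCE_CFG = """\
_000=##
instanceRoot=C:/Netscape/Server4/cert-testCA-KRA
agentGateway.https.port=8100
agentGateway.https.nickName=Server-Cert cert-testCA-KRA
agentGateway.mimeTypeConf=C:/Netscape/Server4/cert-testCA-KRA/config/mime.types
ca.Policy.order=KeyAlgRule, RSAKeyRule, DefaultValidityRule, \\
    DefaultRenewalValidityRule, DefaultRevocationRule
ca.Policy.rule.RSAKeyRule.minSize=1024
eeGateway.dynamicVariables=serverdate=serverdate(),subsystemname=subsystemname()
internaldb.ldapconn.secureConn=true
os.serverName=cert-testCA-KRA
"""

# Constructed file of a freshly installed second instance (hypothetical name
# cert-testCA2) whose own root, port, nickname and paths must survive the copy.
TARGET_CFG = """\
instanceRoot=C:/Netscape/Server4/cert-testCA2
agentGateway.https.port=8300
agentGateway.https.nickName=Server-Cert cert-testCA2
agentGateway.mimeTypeConf=C:/Netscape/Server4/cert-testCA2/config/mime.types
ca.Policy.rule.RSAKeyRule.minSize=512
internaldb.ldapconn.secureConn=false
os.serverName=cert-testCA2
"""

if __name__ == "__main__":
    merged, kept, missing = duplicate_config(parse_properties(SOURCE_CFG),
                                             parse_properties(TARGET_CFG))
    print(dump_properties(merged))
    print("kept from target:", kept, "| no target value for:", missing)
```

Run it on the two real files (stop the target instance first, as the procedure above says) and review `kept` and `missing` before writing the merged store back as the target's CMS.cfg.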

Road Map to Configuring Subsystems
This section outlines how to configure an instance of Certificate Management System and indicates where to find the information required to accomplish the task.

Step 1. Check Which Subsystems are Installed in the Instance

Open the CMS window for the CMS instance you installed, and check the navigation tree to see which subsystems are installed in that instance; this way you will know the subsystems you should configure. To open the CMS window, see "Accessing the CMS Window".

Step 2. Check the Port Numbers

Check the port numbers assigned for administration, agent, and end-entity operations. Make the appropriate modifications, if necessary. Keep in mind that all subsystems installed in an instance use the same ports. To change the ports, see "CMS Ports".

Step 3. Verify Key Pair and Certificates

When you install a CMS instance, the server prompts you to create the certificates required for the subsystems in that instance to function. Check the certificates used by each subsystem and decide whether you need additional certificates or want to use hardware tokens.

Step 4. Check the SMTP Settings

Check the mail server settings--Certificate Management System uses this information to send automated email notifications. If necessary, make the appropriate changes to the host name and port number. Keep in mind that all subsystems installed in an instance use the same mail server. To change the mail server-specific information, see "SMTP Settings".

Step 5. Set Up Privileged Users

Set up required administrators and agents. This way you can delegate administration and agent tasks to other individuals. For details, see "Setting Up Privileged Users".

If you have installed remote Registration Managers whose certificates are signed by third-party CAs (not a Certificate Manager), add their certificates to the Certificate Manager's database to enable SSL client-authenticated communication. For details, see "Setting Up Trusted Managers".

Step 6. Customize End Entity and Agent Forms

End entities can interact with the Certificate Manager and Registration Manager with the help of end-entity forms; end entities cannot interact with the Data Recovery Manager. Similarly, agents can interact with the appropriate subsystem using the agent forms. Certificate Management System provides HTML forms-based interfaces for end entities and agents out of the box. For details, see "Introduction to End-Entity and Agent Interfaces".

Determine which forms you want to use for end-entity enrollment and whether they require any customization. You may also use your own forms for this purpose, provided you add the required JavaScript. For details, see "End-Entity Services".

When customizing end-entity forms, keep in mind the authentication scheme--manual- or directory-based--you want to employ for your end entities.

Step 7. Set Up Authentication for End Entities

Depending on your PKI setup, you may need to do this for a Certificate Manager or Registration Manager, or for both. For example, you may have a setup in which Registration Managers act as front ends to Certificate Managers--that is, end entities interact with Registration Managers only; they do not interact with the Certificate Manager.

  1. Determine whether you want to use any of the directory-based authentication plug-in modules provided out of the box. For details, see "End-Entity Authentication During Certificate Enrollment". If you don't, you either have to use the manual mode or have to plug in your own modules. For information on developing authentication plug-in modules and registering them in the CMS framework, see "End-Entity Authentication During Certificate Enrollment".
  2. Configure the Certificate Manager or Registration Manager to use a specific authentication module. For details, see "Adding an Authentication Instance".
  3. Update the end-entity enrollment forms to use this authentication mechanism.
  4. Enable end-entity interaction with the subsystem:

Step 8. Schedule Jobs

Each CMS instance includes a Job Scheduler component that can execute specific jobs at specified times. The Job Scheduler functions similarly to a traditional Unix cron daemon: it takes registered cron jobs and executes them at a preconfigured date and time. For details, see "Introduction to Job Scheduling and Notifications".

During installation, a few jobs are already created and enabled. Jobs that you might want to schedule include email notifications of timed events (such as the expiration of a certificate) that require action on the part of users, and periodic activities such as removing expired certificates from the publishing directory.

  1. Check each job and decide whether you want to use it. If you don't, you can either disable it or delete it altogether from the configuration. For those jobs that you want to use, check the configuration parameter values and make changes as appropriate. For details, see "Modifying a Job".
  2. Determine if you want to add any new jobs. Check the built-in job plug-in modules to see if they can be used to create the jobs you want. For details, see "Built-in Job Plug-in Modules". You can also plug in your own job modules in the CMS framework and use them.
  3. Add new jobs, if any. For details, see "Adding a Job".

Step 9. Enable Event-Driven Notifications

You can also configure both the Certificate Manager and the Registration Manager to send email notifications automatically to end entities, agents, or administrators when certain events occur. Unlike jobs, which run on a preconfigured schedule, these notifications are event-driven--that is, whenever an event occurs, the server notifies the user. Notifiable events include certificate issuance and pending requests in an agent queue.

Decide if you want to turn on any of the notifications. If you do, the server uses the mail server specified in the SMTP settings (Step 4) to send these notifications. For details, see "Event-Driven Notifications".

Step 10. Set Up Policies

Each subsystem in a CMS instance has its own policy processor. If you have installed more than one subsystem in an instance, you should apply the instructions in this section to each subsystem. That is, you should configure the Certificate Manager or Registration Manager for certificate formulation, issuance, renewal, and revocation policies. Similarly, configure the Data Recovery Manager for key archival and recovery policies. To understand policy, see "Introduction to Policy".

  1. During installation, a few policy rules are already created and enabled. Check each policy rule and decide whether you want to use it. If you don't, you can either disable it or delete it altogether from the configuration. For those rules that you want to use, check the configuration parameter values and make changes as appropriate. For details, see "Modifying a Policy Rule".
  2. Determine if you want to add any new policy rules. Check the built-in policy plug-in modules to see if they can be used to create the rules you want. For details, see "Built-in Policy Plug-in Modules". You can also plug in your own modules in the CMS framework and use them.
  3. Add new rules, if any. For details, see "Adding a Policy Rule".

Step 11. Set Up LDAP Publishing

This step is optional, and is applicable to the Certificate Manager and Registration Manager only--you need to do this only if you want the Certificate Manager or Registration Manager to publish certificates and CRLs to an LDAP-compliant directory, such as Netscape Directory Server.

  1. Determine if you want to use any of the mapper and publisher classes provided out of the box. See "Directory Update Process". Otherwise, plug in your own modules in the CMS framework and use them.
  2. Set up the directory for publishing. See "Setting Up the Directory for Publishing".
  3. Configure the Certificate Manager or Registration Manager to publish certificate information to an LDAP-compliant directory using specific mapper and publisher plug-in modules.
  4. Configure the Certificate Manager to publish CRL information to an LDAP-compliant directory; the Registration Manager cannot publish CRLs. See "Updating CRLs Automatically".

Step 12. Set Up Logging

Each instance of Certificate Management System maintains extensive audit, error, and system logs. By looking at these logs, you can monitor a server's activities. Also, by configuring these logs, you can control the information that gets written to the log files. Because Certificate Management System maintains the log files in the file system of the host machine, it is important that you configure the logs appropriately (so that the host machine doesn't get overloaded). Be sure to read "Introduction to Logs"; that chapter will help you decide on the log configuration.

Once you have decided the configuration for the server logs, follow the information in "Configuring Logs" and configure all three logs. Then start monitoring the server's activities as explained in "Monitoring Logs".

Step 13. Set Up Archival and Recovery for End Users' Keys

If you have installed the Data Recovery Manager, follow the instructions in "Setting Up Key Archival and Recovery Process" and set up archival and recovery for end users' encryption private keys.

Step 14. Test Your PKI Setup

Use the information in "Issuing and Managing End-Entity Certificates" and test that the certificate issuance, renewal, and revocation operations work satisfactorily.

If you have deployed the Data Recovery Manager, follow the information in "Step 5. Test Your Key Archival Setup" and "Step 6. Test Your Key Recovery Setup" to test the key archival and recovery operation respectively.

Step 15. Plan for Backing Up CMS Configuration and Data

It is good practice to back up the CMS data periodically onto backup media. With backups available, you can restore the data in the event of data loss. For details, see "Backing Up and Restoring Data".

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.