Netscape Certificate Management System Administrator's Guide: Configuring Ports, Database, and SMTP Settings

Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling Instances
Chapter 5: Starting and Stopping Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Using the PIN Generator Tool
Chapter 11: Configuring Authentication for End Entities
Chapter 12: Developing Authentication Plug-ins
PART 5: Job Scheduling and Notification
Chapter 13: Introduction to Job Scheduling and Notifications
Chapter 14: Configuring Jobs
PART 6: Policies
Chapter 15: Introduction to Policies
Chapter 16: Configuring Policies
PART 7: LDAP Publishing
Chapter 17: Introduction to LDAP Publishing
Chapter 18: Configuring Subsystems for LDAP Publishing
Chapter 19: Publishing CRLs
PART 8: Agent and End-Entity Interfaces
Chapter 20: Introduction to End-Entity and Agent Interfaces
Chapter 21: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 22: Introduction to Logs
Chapter 23: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 24: Issuing and Managing End-Entity Certificates
Chapter 25: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool

Chapter 6 Configuring Ports, Database, and SMTP Settings

Subsystems installed in an instance of Netscape Certificate Management System (CMS) share certain configuration information. They use the same administration, agent, and end-entity ports; internal database for data storage; mail server for automated notifications; internal token and trust database for PKI operations; SSL ciphers during SSL negotiation; privileged users; and log files to log messages to. This chapter explains how to configure these ports, the internal database, and the mail server settings for a CMS instance.

The chapter has the following sections:

CMS Ports

Internal Database

SMTP Settings

Certificate Management System listens to different ports for requests from different users. As illustrated in Figure 6.1, it listens to the administration port, the agent port, and end-entity ports.

Figure 6.1 CMS ports for administration, agent, and end-entity operations

When choosing ports for Certificate Management System, be sure to choose ports that are unique on the host system--that is, no other application can be using, or attempting to use, the port numbers you assign to Certificate Management System. To verify that a port is available for use, check the appropriate file for your operating system. Port numbers for network-accessible services are maintained in the file named services.

On a Windows NT system, see SYSTEM32\DRIVERS\ETC\SERVICES.

On a Unix system, see /etc/services. (If you are not running as root or superuser when you install or start the server, you will have to use a port number higher than 1024.)

Remote Administration Port

The administration port is an SSL (encrypted) port at which Certificate Management System listens to requests from its administration interface; administrators make these requests from the CMS window. When you install Certificate Management System, it assigns a random number (greater than 1024) as the administration port number. You can change this port number at any time, to any number between 1 and 65535. For security reasons you should consider changing the administration port number periodically.

The agent port is an SSL (encrypted) port at which Certificate Management System listens to requests from agents; agents make these requests from the appropriate Agent Services interface.

The Certificate Manager and Registration Manager agents use the agent port to process certificate issuance and management requests from end entities and to perform certain other privileged operations over HTTPS.

Data Recovery Manager agents use the agent port for recovering end users' encryption private keys over HTTPS.

Agent functions always require SSL client authentication. For a list of supported agent operations, see "Agent Services".

When you install Certificate Management System, it assigns a random number (greater than 1024) as the agent port number and prompts you to change it, if necessary; the port number can be any number between 1 and 65535. The number you choose for the agent port affects your agent users--all agents access Certificate Management System by specifying the name of the server (the CMS instance) and the agent port number in the URL. For example, if you choose port number 4430, the URL would look like this:

https://<host_name>:4430/<subsystem>

<host_name> is in the form <machine_name>.<your_domain>.<domain>

<subsystem> is a prefix identifying the subsystem that hosts the agent interface:

ca for the Certificate Manager

ra for the Registration Manager

kra for the Data Recovery Manager

For example, the URL to a Certificate Manager agent interface would look like this:

https://testCA.netscape.com:5600/ca

If you change the agent port number, be sure to inform your agent users.

End-Entity Ports

For requests from end entities, Certificate Management System can listen to two ports, an SSL (encrypted) port and a non-SSL port. End entities make these requests from the end entity services interface; see "End-Entity Services".

Certificate Management System provides the following services through the HTTP and HTTPS ports:

The HTTP port can be used to service end-entity-initiated PKI requests, such as enrollment, renewal, and revocation; enrollment requests can include requests from Cisco routers (using the CEP protocol). You have the choice of keeping this port enabled or disabled.

The HTTPS port can be used to provide the following services for enforcing data privacy and client authentication:

End-entity-initiated PKI requests, such as enrollment, renewal, and revocation

General certificate retrieval requests, such as retrieving a single certificate identified by a serial number, listing certificates based on certain criteria (for example, an LDAP search filter defined over standard attributes), and getting a CA's certificate chain

Similar to the HTTP port, you can enable or disable the HTTP port. For example, if you don't want end-entity interaction with a Certificate Manager, you can disable the HTTPS port. For details, see "Configuring End-Entity Interaction with Subsystems".

Configuring Port Numbers

To change the administration, agent, or end-entity port numbers used by a CMS instance:

Access the CMS window (see "Accessing the CMS Window").

Click the Configuration tab.

The Network tab appears.

To change the administration port number, enter the port number in the Administration section:

Type a TCP/IP port number. Certificate Management System uses this port for SSL-enabled communications with the CMS window--that is, HTTPS requests from administrators. Make sure the port number you specify is unique on the host system.

Type the number of connections that can be waiting to be serviced at the administration port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.

To change the agent port number, enter the port number in the Agent section:

SSL port. Type a TCP/IP port number. Certificate Management System uses this port for SSL-enabled communications with the Agent Services interface--that is, HTTPS requests from agents. Make sure the port number you specify is unique on the host system.

Backlog. Type the number of connections that can be waiting to be serviced at the agent port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.

To change the end-entity port numbers, enter the port numbers in the End Entity section.

Certificate Management System is capable of simultaneous SSL and non-SSL communications at the end-entity port. This means that you do not have to choose between SSL and non-SSL communications; you can use both at the same time. But if you prefer, you can disable the non-SSL port by unchecking the "Enable" option.

Type a TCP/IP port number that is unique on the host system. Certificate Management System uses this port for non-SSL communications with the end entity services interface.

This port is provided to allow enrollments of end entities that do not support SSL; for example, HTTP requests from end entities such as routers. You can use the Enable check box to turn this port on or off. Keep in mind that if this port is enabled, end entities will be able to enroll over HTTP too, which means their certificate requests could be intercepted and replayed to the server.

Type the number of connections that can be waiting to be serviced at the end entity HTTP port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.

Enable. This check box allows you to enable or disable the HTTP port. Uncheck the option if you want to disable the port.

For issuing certificates to routers (using the CEP protocol), the port must be enabled; see "Certificate Issuance to Routers".

Type a TCP/IP port number. Certificate Management System uses this port for SSL-enabled communications with the end entity services interface (that is, HTTPS requests from end entities during certificate enrollment, renewal, and revocation). Make sure the port number you specify is unique on the host system.

If you don't want end-entity interaction with a subsystem, for example, if you don't want end entities to interact with a Certificate Manager, you can disable this port too (in addition to the HTTP port). See "Configuring End- Entity Interaction with Subsystems".

Type the number of connections that can be waiting to be serviced at the end-entity HTTPS port. The default number is 15. The number you enter in this field is passed to the operating system's listen() call.

To save your changes, click Save.

The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

Specifying IP Addresses for CMS Instances

You can configure CMS instances to listen to specific IP addresses. For example, you can install the Certificate Manager and Data Recovery Manager on a single host, in separate instances, and then configure the instances so that the Certificate Manager is served on one IP address and the Data Recovery Manager is served on another address.

To clarify this further, consider the machine that hosts the Certificate Manager and Data Recovery Manager has two Ethernet cards that respond to the IP addresses 197.1.137.97 and 197.1.137.98. You can set up the Certificate Manager to listen to port 443 for the IP address 197.1.137.97 and the Data Recovery Manager to listen to port 443 for the IP address 197.1.137.98.

To configure a CMS instance to listen to specific IP addresses:

Stop the CMS instance; see "Stopping Certificate Management System".

Open the configuration file in a text editor; to locate the file, see "Locating the Configuration File".

Add any of the following configuration parameters to the file:

For remote administration port, add radm.https.listenaddr=.

For agent port, add agentGateway.https.listenaddr=.

For end-entity HTTPS port, add eeGateway.https.listenaddr=.

For end-entity HTTP port, add eeGateway.http.listenaddr=.

Add the IP address as the value for the parameter you added. For example, after you enter the value, the parameter would look similar to this:

radm.https.listenaddr=197.1.137.97

If necessary, repeat steps 2 and 3 for the other ports.

Save your changes, and close the configuration file.

Start the CMS instance; see "Starting Certificate Management System".

Internal Database

Certificate Management System performs various certificate and key-management functions in response to the requests it receives. These functions include the following:

Storing and retrieving of certificate issuance requests

Storing and retrieving of certificate records

Storing of CRLs

Storing and retrieving of end users' encryption private key records

To fulfill these functions, Certificate Management System maintains a persistent store--a preconfigured Netscape Directory Server--referred to as the internal database or local database. The internal database is installed automatically as a part of the CMS installation. It is used as an embedded database exclusively by Certificate Management System.

The Directory Server instance used for the internal database is different from the LDAP-compliant directory that you use to manage your corporatewide data (users and groups, their certificates, CRLs, and so on). In Netscape Console, you can distinguish an internal database instance from other Directory Server instances. It is in this form:

slapd-<cms_instance_id>-db

<cms_instance_id> is the ID of the CMS instance that is using the database. You first specified this when you installed this server.

Keep in mind that the subsystems use the database for storing different objects. A Certificate Manager stores all the data, certificate issuance requests, certificates, CRLs, and related information; a Registration Manager only stores the certificate issuance requests it receives; and a Data Recovery Manager only stores key records and related data.

Configuring the Internal Database

Each instance of Certificate Management System uses a Netscape Directory Server instance as its internal database. All the subsystems that were installed in a CMS instance use the same Directory Server instance to store their data. For example, if you installed a Certificate Manager and Data Recovery Manager together, they use the same internal database for data storage.

Caution The internal database schema is preconfigured for storing CMS data only. Do not make any changes to it or configure Certificate Management System to use any other LDAP directory. Doing so can result in loss of data. Also, do not attempt to use this database for any other purpose.

To identify the Directory Server instance that a CMS instance should use as its internal database:

Access the CMS window (see "Accessing the CMS Window").

Click the Configuration tab, and then in the right pane, click the Internal Database tab.

Identify a Directory Server instance by providing the following details:

Host name. Type the full host name of the machine on which Netscape Directory Server is installed. Certificate Management System uses this name to access the directory. The format for the host name is as follows:

<machine_name>.<your_domain>.<domain>

By default, the host name of the Directory Server instance being used as the internal database is shown as localhost instead of the actual host name (for example, certificates.netscape.com). This is done on purpose to insulate the internal database from being visible outside the system--that is, a server on localhost can only be accessed from the local machine. Thus, the default configuration minimizes the risk of someone connecting to this Directory Server instance from outside the local machine.

You can configure the host name to something other than localhost if you know what you are doing and you think you can limit the visibility of the internal database to a local subnet. For example, if you installed Certificate Management System and Directory Server on separate machines for load balancing, you will have to specify the host name of the machine in which Directory Server is installed.

Port number.

Type a TCP/IP port number; Certificate Management System uses this port for non-SSL communications with the Directory Server instance that is functioning as the internal database. Make sure that the port you specify is unique on the host system.

Directory manager DN. Type the distinguished name (DN) of an entry in your LDAP directory that has read and write permission to the entire directory tree. Certificate Management System will use this DN when it accesses the directory tree to communicate with the directory. Keep in mind that the access control set up for this DN determines whether Certificate Management System can communicate with the directory. Typically, you would want to enter the directory manager's DN (the root DN) because this DN will have read/write permission to the entire directory tree; see "Root Distinguished Name".

To save your changes, click Save.

The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

SMTP Settings

Certificate Management System can send email notifications automatically to users or agents when interesting events occur. For example, you can configure the server to send users email notifications of timed events, such as the expiration of their certificates; for details, see "Job Scheduling and Notification".

To identify the mail server that a CMS instance should use for routing email notifications:

Access the CMS window (see "Accessing the CMS Window").

Click the Configuration tab, and then in the right pane, click the SMTP tab.

Identify the mail server by providing the following details:

Server name. Type the full host name of the machine on which your mail server is installed. Certificate Management System uses this name to access the mail server. The format for the host name is as follows:

<machine_name>.<your_domain>.<domain>

By default, the host name of the mail server is shown as localhost instead of the actual host name (for example, mail.netscape.com).

Port number.

Type the port number at which the mail server is listening for requests.

To save your changes, click Save.

The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.