Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling Instances
Chapter 5: Starting and Stopping Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Using the PIN Generator Tool
Chapter 11: Configuring Authentication for End Entities
Chapter 12: Developing Authentication Plug-ins
PART 5: Job Scheduling and Notification
Chapter 13: Introduction to Job Scheduling and Notifications
Chapter 14: Configuring Jobs
PART 6: Policies
Chapter 15: Introduction to Policies
Chapter 16: Configuring Policies
PART 7: LDAP Publishing
Chapter 17: Introduction to LDAP Publishing
Chapter 18: Configuring Subsystems for LDAP Publishing
Chapter 19: Publishing CRLs
PART 8: Agent and End-Entity Interfaces
Chapter 20: Introduction to End-Entity and Agent Interfaces
Chapter 21: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 22: Introduction to Logs
Chapter 23: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 24: Issuing and Managing End-Entity Certificates
Chapter 25: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool
Previous Next Contents Index Bookshelf


Chapter 25 Recovering Encrypted Data

When data is stored in encrypted form, you must have the private key that corresponds to the public key that was used to encrypt the data in order to decrypt and read it. If the private key is lost, the data cannot be retrieved. A private key can be lost because of a hardware failure, for example, or because the key's owner forgets the password or loses the hardware token in which the key is stored. Similarly, encrypted data cannot be retrieved if the owner of the key is unavailable to supply it--for example, has left the organization that owns the data.

This chapter explains how to use the Data Recovery Manager to archive users' encryption private keys and how to use the archived keys later, in place of missing encryption keys, to recover encrypted data.

 The chapter has the following sections:
PKI Setup for Key Archival and Recovery
To be able to archive users' encryption private keys and recover them later, you need a PKI setup that includes the following elements:

 The sections that follow explain these elements in detail. For step-by-step instructions on setting up your PKI environment for key archival and recovery, see "Setting Up Key Archival and Recovery Process".

Clients That Can Generate Dual Key Pairs

Only keys that are used exclusively for encrypting data should be archived; signing keys in particular should never be archived. Having two copies of a signing key would defeat the certainty with which the key identifies its owner; a second copy could be used to impersonate the digital identity of the original key owner.

Clients that generate single key pairs use the same private key for both signing and encrypting data, so you cannot archive and recover a private key deriving from a single key pair. By contrast, clients that can generate dual key pairs use one private key for encrypting data and the other for signing data. Because the encryption private key is separate, you can archive it.

 In addition to generating dual key pairs, your users' clients must also support the encryption key archival option in certificate requests. This option triggers the key archival process at the time encryption private keys are generated as a part of certificate issuance.

 Future versions of Netscape Communicator support both dual key-pair generation and the key archival option.

 Data Recovery Manager

With the Data Recovery Manager, you can archive data encryption keys when they are created during dual key-pair generation. You can then recover the keys if they are lost or the key owner is unavailable.

The Data Recovery Manager can archive and recover keys only from clients that support dual key-pair generation and the key archival option in certificate requests.

 Certificate Management System does not provide any policy plug-in modules for the Data Recovery Manager. However, you can write custom policy plug-in modules (that is, write Java classes that implement these rules), register them in the Data Recovery Manager's policy framework, and create policy rules using these plug-in implementations.

 Forms for Users and Key Recovery Agents

End users' encryption private keys are archived by the Data Recovery Manager when they are generated. So, for key archival to occur, the enrollment form that users fill out to request dual certificates must have the JavaScript code for activating the key archival process embedded in it, along with a valid copy of the Data Recovery Manager's transport certificate. Then, when a Certificate Manager or Registration Manager that is processing the user's certificate issuance request detects the key archival option, it automatically requests the service of the Data Recovery Manager. For information on customizing this form, see "Step 3. Customize the Certificate Enrollment Form".

Initiating the key recovery process also requires its own HTML form. By default, the Data Recovery Manager Agent Services interface provides a form for initiating the process and retrieving keys. For information on customizing this form, see "Step 4. Customize the Key Recovery Form".


Key Archival Process
If your certificate infrastructure has been set up for key archival, the Data Recovery Manager automatically archives users' encryption private keys. For general information on the type of PKI setup needed for archiving keys, see "PKI Setup for Key Archival and Recovery". For specific instructions on setting up a key archival and recovery infrastructure, see "Setting Up Key Archival and Recovery Process".

Why You Should Archive Keys

If a user loses a private data-encryption key or is unavailable to use his or her private key, the key must be recovered before any data that was encrypted with the corresponding public key can be read. You can recover the private key if an archival copy of it was created when the key was generated.

Here are a few situations in which you might need to recover a user's encryption private key:

 Where the Keys are Stored

If configured properly, the Data Recovery Manager, stores your users' encryption private keys automatically whenever the associated or connected Registration Manager or Certificate Manager issues certificates to your users. The Data Recovery Manager stores encryption private keys in a secure key repository in its internal database; each key is stored as a key record.

The archived copy of the key remains encrypted (or wrapped) with the Data Recovery Manager's storage key; see "Storage Key Pair". It can be decrypted (or unwrapped) only by using the corresponding private key, to which no individual has direct access. A combination of one or more key recovery agents' passwords enables the Data Recovery Manager to retrieve its private storage key and use it to decrypt and recover an archived key. For details on how this process works, see "Key Recovery Agents and Their Passwords".

The Data Recovery Manager indexes stored keys by key number (or ID), owner name, and a hash of the public key, allowing for highly efficient searching by name or by public key. The key recovery agents have the privilege to insert, delete, and search for key records. The search feature works like this:

 How Key Archival Works

When a Certificate Manager or Registration Manager receives a certificate request that contains the key archival option, it automatically requests the service of the Data Recovery Manager to archive the user's encryption private key. The Data Recovery Manager receives an encrypted copy of the user's private key and stores the key in its key repository. To archive the key, the Data Recovery Manager uses two special key pairs:

Figure 25.1 illustrates how the key archival process occurs when a user requests a certificate. The deployment scenario shown in this figure has a Registration Manager acting as the trusted enrollment authority to a Certificate Manager and Data Recovery Manager.

Figure 25.1 How the key archival process works

These are the steps shown in Figure 25.1:

  1. A user uses a client capable of generating dual key pairs to access the certificate enrollment form served by the Registration Manager, fills in all the information, and submits the request.
    2.

    The Registration Manager detects the key archival option in the user's request and asks the client for the user's encryption private key.

    The client encrypts the user's encryption private key with the public key from the Data Recovery Manager's transport certificate; a copy of the transport certificate is embedded in the enrollment form.

  2. Upon receiving the encrypted key from the client, the Registration Manager sends it to the Data Recovery Manager for storage, along with some other information (including the user's public key). Then, the Registration Manager waits for verification from the Data Recovery Manager that the private key has been received and stored and that it corresponds to the user's public encryption key.
    3.

  3. Upon receiving the encrypted key from the Registration Manager, the Data Recovery Manager decrypts it with the private key that corresponds to the public key in its transport certificate. After confirming that the private encryption key corresponds to the user's public encryption key, the Data Recovery Manager encrypts it again with its storage key before storing it in its internal database. (The storage key either resides in a software or a hardware token and is never exposed to any other entity.)

  4. Once the user's private encryption key has been successfully stored, the Data Recovery Manager uses the private key of its transport key pair to sign a token confirming that the key has been successfully stored; the Data Recovery Manager then sends the token to the Registration Manager.

  5. After the Registration Manager receives and verifies the signed token, it sends the certificate request to the Certificate Manager for issuance.

  6. The Certificate Manager formulates two certificates, one each for signing and encryption key pairs, and returns them to the Registration Manager.

  7. The Registration Manager forwards the certificates to the client (the user).

Note that all three subsystems subject the request to configured policy rules at appropriate stages. If the request fails to meet any of the policy rules, the subsystem rejects the request.
Key Recovery Process
The Data Recovery Manager supports agent-initiated key recovery. In this method of key recovery, designated recovery agents use the Key Recovery form provided in the Data Recovery Manager Agent Services interface to process key recovery requests, list archived keys, and approve recovery. With the approval of a specified number of agents, an organization can recover keys when the key's owner is unavailable or when keys have been lost.

 Key Recovery Agents and Their Passwords

Key recovery agents have the authority to retrieve end users' encryption private keys. The recovery agent's role can be performed by any person in your organization. As system administrator, you can designate one or more individuals to be key recovery agents. These individuals need to do the following:

The first time you create key recovery agents and specify their passwords is during the installation of the Data Recovery Manager. However, you can change the number of recovery agents and their passwords later by modifying it in the Data Recovery Manager configuration; see "Changing Key Recovery Agents' Passwords".

Secret Sharing of Storage Key Password

The Data Recovery Manager uses the private key of its storage key pair to encrypt the repository where it store users' encryption private keys. This requires that the storage key be well protected. For the protection of the storage key pair, the Data Recovery Manager supports a password-splitting mechanism called m of n secret splitting or sharing, whereby it splits the PIN that protects the token in which the storage key pair resides among n number of key recovery agents and reconstructs the PIN only if m number of recovery agents provide their individual passwords; n must be an integer greater than 1 and m must be an integer less than or equal to n.

Here's how the m of n secret splitting mechanism gets built and works:

During the installation of a Data Recovery Manager, you generate the storage key pair and specify the hardware token in which the key pair is to be stored. At this time, you also specify a PIN (or password) to protect the token, the total number of key recovery agents (n), and how many of these agents (m) are required to perform a key recovery operation. You can change the m of n secret splitting later; for details, see "Key Recovery Agent Scheme".

The Data Recovery Manager splits the PIN for the token into n parts or pieces. It then encrypts these parts with the passwords that are provided by the authorized key recovery agents.

During the key recovery procedure, the required number of key recovery agents (m) provide their identifiers and passwords. After verifying the passwords, the Data Recovery Manager reconstructs the PIN for the token based on the given information.

Interface for the Key Recovery Process

With the Key Recovery form provided in the Data Recovery Manager Agent Services interface, key recovery agents can collectively unlock the key repository of the Data Recovery Manager and retrieve end users' encryption private keys and associated certificates in a PKCS #12 package, which can then be imported into the client. For an overview of this process, see "How Agent-Initiated Key Recovery Works".

Because key recovery agents use the Data Recovery Manager Agent Services interface, agent-initiated key recovery invariably involves the Data Recovery Manager agent and key recovery agents. The Data Recovery Manager agent's certificate is required to access the Key Recovery form, and key recovery agents' passwords are required to unlock the key repository. For information on Data Recovery Manager agents, see "Agents".

Your organization's PKI policy may require that the key recovery process be restricted to authorized recovery agents only, preventing any Data Recovery Manager agent from being involved. If so, you should ask all key recovery agents to get client certificates and set them up as Data Recovery Manager agents. For instructions, see "Setting Up Agents".

Local Versus Remote Key Recovery Authorization

Key recovery agents can authorize the recovery of a key locally or remotely. The overview of local and remote authorization provided in this section is intended to help you determine which to use for your organization. You may find it useful to go over the Data Recovery Manager agent-specific information in the Netscape Certificate Management System Agent's Guide. An online version of this guide is located here:

<server_root>/cert-<instance_id>/web/agent/manual/agt_gide

<server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

<instance_id> is the ID for this instance of Certificate Management System. You first specified this during installation.

Local Key Recovery Authorization

To initiate key recovery locally, the required number of recovery agents assemble in front of the host system that allows them to access the Data Recovery Manager Agent Services interface. Either a Data Recovery Manager agent or a key recovery agent with a Data Recovery Manager agent certificate accesses the Key Recovery form hosted by the Data Recovery Manager and initiates the key recovery process. All key recovery agents enter their IDs and passwords on the same Recovery Authorization form presented by the Data Recovery Manager. If the information presented is correct, the Data Recovery Manager retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS #12 package.

By default, key recovery authorization is local.

 Remote Key Recovery Authorization

To authorize key recovery remotely, the required number of recovery agents access the Data Recovery Manager Agent Services interface at their own locations and use the Authorize Recovery button to enter each authorization separately.

Before key recovery agents can authorize key recovery remotely, they must be set up to function as Data Recovery Manager agents. This role gives them the privilege to access the Data Recovery Manager's Agent Services interface directly.

 In remote key recovery authorization, one of the key recovery agents informs all required recovery agents about an impending remote key recovery process. All recovery agents access the Key Recovery page hosted by the Data Recovery Manager. One of the agents initiates the key recovery process. The Data Recovery Manager returns a notification to each agent. The notification includes a recovery authorization reference number identifying the particular key recovery request that the agent is required to authorize. Each agent uses the reference number and authorizes key recovery separately.

 The Data Recovery Manager informs the agent who initiated the key recovery process of the status of the authorizations. When all of the authorizations are entered, the Data Recovery Manager checks the information. If the information presented is correct, it retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS #12 package to the agent who initiated the key recovery process.

 Key recovery agents can switch to remote authorization by deselecting the local authorization option in the Key Recovery form.

 How Agent-Initiated Key Recovery Works

In an agent-initiated key recovery, the key is recovered by the collective efforts of a Data Recovery Manager agent and authorized key recovery agents. You may need to resort to this type of key recovery if the owner of a key cannot be reached and the authorities in the organization need to access that user's encrypted data (for example, S/MIME mail messages).

Upon retrieving the private encryption key (in the form of a PKCS #12 package), the agents may forward the key to the original user, the manager of the original owner, or some other authorities.

 Figure 25.2 illustrates how agent-initiated key recovery works.

Figure 25.2 The agent-initiated key recovery process

These are the steps shown in Figure 25.2:

  1. The Data Recovery Manager agent accesses the Key Recovery form using the appropriate client certificate, types the identification information pertaining to the person whose encryption private key needs to be recovered, and submits the request.
    2.

    The request is submitted to the Data Recovery Manager over HTTPS.

  2. The Data Recovery Manager subjects the key recovery request to its policy checks.
    3.

  3. If the request passes all the policy rules, the Data Recovery Manager sends a confirmation HTML page to the web browser the agent used. If the request fails any of the policy checks, the server logs an appropriate error message.

    4. The confirmation page contains information and input sections:

  4. The key recovery agents verify the information in the confirmation page and enter the certificate in MIME-64 format, the password for the PKCS #12 package, and their individual identifiers and passwords. The Data Recovery Manager agent submits the page to the Data Recovery Manager.
    5.

  5. The Data Recovery Manager matches the key recovery agent information with its m of n scheme (see "Key Recovery Agent Scheme"). After verifying that the required number of recovery agents entered their passwords, the server uses the agents' passwords to construct the PIN required to access the private key repository.

  6. The Data Recovery Manager then retrieves the user's private key from its key repository and decrypts it by using the private component of the storage key pair.

  7. The Data Recovery Manager packages the user's certificate and the corresponding private key as a PKCS #12 package and encrypts it with the PKCS #12 password provided by the recovery agent. It then delivers the package to the client the recovery agent used to initiate the key recovery process, and prompts the agent to store the encrypted package. The agent may choose to store the package in the local file system of the client machine (only if it has restricted access) or on a floppy diskette.

    8. The recovery agent can then send the encrypted PKCS #12 package and the corresponding password to an individual by any secure, out-of-band means.

Important The PKCS #12 package contains the private key. To minimize the risk of key compromise, the recovery agent must use any secure, out-of-band means to deliver the PKCS #12 package and password to the key recipient. As an administrator, you should recommend the recovery agent to use a good password for encrypting the PKCS #12 package, and also consider setting up an appropriate delivery mechanism.

Key Recovery Agent Scheme

The key recovery agent scheme consists of configuring the Data Recovery Manager to recognize a fixed number of key recovery agents (a minimum of one) and specifying how many of these agents are required to authorize a key recovery request before the archived key is restored. Each recovery agent provides the Data Recovery Manager with a password, which it uses to generate a unique PIN; the Data Recovery Manager uses the PIN to protect its storage key pair, which in turn protects users' keys.

The Data Recovery Manager tracks the key recovery agent password for each agent and allows you to facilitate changing agents' passwords; you do not have direct access to these passwords or the actual storage key password. Each password retrieves only a part of the private storage key.

 You first specified the key recovery agent scheme when you installed the Data Recovery Manager.

 Changing the Key Recovery Agent Scheme

You can change the total number of key recovery agents for a Data Recovery Manager and the number of key recovery agents required to retrieve an end user's encryption private key from the Data Recovery Manager's key repository.

To change the key recovery agent scheme:
  1. Access the CMS window (see "Accessing the CMS Window").

  2. Click the Configuration tab.

  3. In the navigation tree, select the Data Recovery Manager, and in the right pane, click the Scheme Management tab.

    4. The Scheme Management tab shows the current key recovery scheme.

  4. Click Change scheme.
    5.

    The Change Recovery Key Scheme window appears.

  5. In the New Scheme section, make the appropriate changes:
    6.

    Number of recovery agents required. Type the number of agents required to authorize a key recovery process. The number cannot be zero and must be equal to or less than the total number of recovery agents.

    Total number of recovery agents. Specify the total number of key recovery agents. The number cannot be less than one and must be equal to or greater than the number of agents required to authorize the key recovery operation.

  6. Click Next.

  7. For each agent, enter a user name and password, then click Next.

    8. The number of screens depends on the total number of agents you have specified.

  8. When you have entered all agent information, click Finish.
    9.

    You are returned to the Scheme Management tab.

Changing Key Recovery Agents' Passwords

As administrator, you have the responsibility of safeguarding the security of each Data Recovery Manager installed in your PKI setup. One of the safety measures you can implement is to ask your key recovery agents to change their passwords periodically. This way, you will be sure that the required number of agents are available if a key needs to be recovered. If key recovery agents routinely change their passwords, they are less likely to forget them.

The CMS window allows you to view the list of currently designated key recover agents and, if necessary, change an agent's password.

 To change key recovery agents' passwords:
  1. Access the CMS window (see "Accessing the CMS Window").

  2. Click the Configuration tab.

  3. In the navigation tree, select the Data Recovery Manager, and in the right pane, click the Recovery Agent Password tab.

    4. The tab shows current key recovery agents in the Available Agents list.

  4. Select the agent whose password needs to be changed, and click Change Password.
    5.

    The Change Password dialog box appears.

  5. Allow the agent to enter the appropriate information.
    6.

    During installation, the Data Recovery Manager prompts you to enter key recovery agent passwords. The number of passwords you must enter depends on the key recovery agent scheme you chose; for details, see "Key Recovery Agent Scheme". If you are changing a password for the first time after installation, in the Old password field you must enter the recovery agent password you specified during installation. Then in the remaining fields, allow the key recovery agent to enter the new password information. If you have more than one key recovery agent, repeat this procedure for all the agents.

    Old Password. Type the current password for the key repository.

    New Password. Type the new password for the key repository.

    Confirm Password. Retype the new password exactly as you typed it in the previous field.

  6. Click OK.

    7. You are returned to the Recovery Agent Password tab.


Setting Up Key Archival and Recovery Process
By default, the Data Recovery Manager is not configured to archive or recover end users' encryption private keys. This section explains how to set up key archival and recovery processes.

 Setting Up the Key Archival Process

Before proceeding with this section, you should have read "Key Archival Process". In particular, you should be familiar with how the key archival process works. If you are not, see "How Key Archival Works".

Setting up key archival involves the following steps:

 Step 1. Deploy Clients That Can Generate Dual Key Pairs

You can use the Data Recovery Manager to archive and recover keys only from clients that support dual key-pair generation, the key archival option, and the CMC protocol. Clients that do not meet this criteria cannot be used with the Data Recovery Manager. To understand why you need to use clients that can generate dual key pairs, see "Clients That Can Generate Dual Key Pairs".

The domestic version of Certificate Management System includes a plug-in called Dual-Key Test Bed, which when plugged into Netscape Communicator version 4.5 enables it to support the CMC protocol and generate dual key pairs. For information on installing the plug-in, see the Dual-Key Test Bed Release Notes. It is at this location:

 <server_root>\bin\cert\nsm\NSM_RELNOTES.html

<server_root> is the directory where the Data Recovery Manager's binaries are kept. You first specified this directory during installation.

For the most current information on Dual-Key Test Bed, check this site:

http://home.netscape.com/eng/server/cms

 Step 2. Connect the Enrollment Authority and the Data Recovery Manager

Key archival occurs when dual key pairs are generated by the client. The client generates the key pairs when a user requests a certificate by filling out the appropriate certificate enrollment form served by an enrollment authority, which can be either a Certificate Manager or a Registration Manager. When the enrollment authority detects the key archival option in the request, it initiates the key archival process and requests the service of the Data Recovery Manager for archiving the key.

For the enrollment authority to be able to request the service of the Data Recovery Manager, the two subsystems must be configured to recognize, trust, and communicate with each other. When you installed the Data Recovery Manager, you were asked to connect it to a Certificate Manager or Registration Manager. You might have specified some of the configuration information required for the two subsystems to communicate with each other. Also, if the enrollment authority and the Data Recovery Manager are installed in the same CMS instance, certain configurations are done automatically.

 However, to ensure that key archival takes place successfully, you must make sure that the Data Recovery Manager is connected to the appropriate enrollment authority. Also verify whether the enrollment authority has been set up as a privileged user, with an appropriate SSL client authentication certificate, in the internal database of the Data Recovery Manager. By default, the Certificate Manager uses its SSL server certificate for SSL client authentication, whereas the Registration Manager uses its signing certificate for this purpose; for more information, see "Keys and Certificates for the Main Subsystems".

Otherwise, follow the instructions in "Setting Up Trusted Managers" and set up the enrollment authority as a trusted front end to the Data Recovery Manager.

Step 3. Customize the Certificate Enrollment Form

For the enrollment authority to automatically initiate the key archival process at the time key pairs are generated, a certificate request must include the following information:

All the three end user enrollment forms provided by Certificate Management System--the directory-based enrollment form (DirUserEnroll.html), directory- and PIN-based enrollment form (DirPinUserEnroll.html), and manual enrollment form (ManUserEnroll.html)--contain the necessary JavaScript code for initiating the key archival process; for details about these forms, see "Forms for Certificate Enrollment". If you are using any of these forms for end-user enrollment, make sure to update the generateCRMFRequest() JavaScript method. If you plan to use custom enrollment forms for users, be sure to include the required JavaScript code in those forms.

Figure 25.3 shows the default directory-based enrollment form with the information related to the generateCRMFRequest() JavaScript method highlighted. Note that the JavaScript method includes parameters for specifying various things. You are required to update the following information only:

The steps that follow explain how to do this.

Figure 25.3 Data Recovery Manager's transport certificate information in the default enrollment form

1. Copy the transport certificate in its base-64 encoded format

The transport certificate is stored in the Data Recovery Manager's certificate database. If the transport certificate is signed by a Certificate Manager, then a copy of the certificate is also available with the Certificate Manager. Follow the instructions as appropriate.

2. Update the JavaScript method in the enrollment form

  1. Go to the host system of the enrollment authority and locate the user-enrollment form. The default forms are at this location:
    2.

    <server_root>/cert-<instance_id>/web/ee/...

    <server_root> is the directory where the enrollment authority's binaries are kept. You first specified this directory during installation.

    <instance_id> is the ID for this instance of the enrollment authority. You first specified this when you installed this server.

  2. Open the enrollment form in an HTML or text editor.

  3. In the form, locate the generateCRMFRequest() JavaScript method (see Figure 25.3).

  4. Add a variable for the transport certificate.

    5. Below the commented text, add this line:

    var kraTransportCert =

  5. Open the text file that has the Data Recovery Manager's transport certificate (the one you copied earlier) and copy the certificate.
    6.

  6. Paste the certificate as the value of the kraTransportCert variable.

    7. Paste the certificate in front of the = sign, remove any line breaks, enclose the certificate within double-quotation marks, and end the string with a semicolon (;). When deleting line breaks, be sure not to delete any of the characters in the encoded blob.

    An example is shown below:

    var kraTransportCert = "MIICDjCCAXegAwIBAgICAfMwDQYJKoZIhvcNAQEEBQAwdzELMAkGA1UEBhMCVVMxLDAqBgNVB
    AoTI05ldHNjYXBlIENvbW11bmljYXRpb25zIENvcnBvcmF0aW9uMREwDwYDVQQLEwhIYXJkY29
    yZTEnMCUGA1UEAxMeSGFyZGNvcmUgQ2VydGlmaWNhdGUgU2VydmVyIElJMB4XDTk4MTExOTIzN
    DIxOVoXDTk5MDUxODIzNDIxOVowLjELMAkGA1UEBhMCVVMxETAPBgNVBAoTCG5ldHNjYXBlMQw
    wCgYDVQQDEwNLUmEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArrbDiYUI5SCdlCKKa0bEBn1m8
    3kX6bdhytRYNkdHB95Bp85SRadmdJV+0OyMxjYAtGCFrmcqEZ4sh2YSov6wIDAQABozYwNDARB
    glghkgBhvhCAQEEBAMCAEAwHwYDVR0jBBgwFoAUl7FtsrYCFlQMl9fjMm3LnNu3oAwDQYJKoZI
    hvcNAQEEBQADgYEApvzcUsVIOstaoYSiWb4+aMVH6s1jiJlr5iVHnOKzfsYxPVdUw6uz04AT8N
    +1KIarMTKxHPzGAFSLicKLEv4HG4vh6llc86uzRzWpUqqVHgeKN5A8Jyg56D4DkNrXEJ7QdKes
    Ap13dk5H5qvHelkSPLYYdMXNwNWP";

  7. Pass the kraTransportCert variable to the JavaScript method.

    8. Replace null (the fourth line in the method) with kraTransportCert.

  8. Specify the key algorithm and key type.
    9.

    For information on specifying key type, length, and algorithm, see "generateCRMFRequest()" in Javascript API for Client Certificate Management. The document is at this location:

    <server_root>/bin/cert/nsm/CMCJavascriptAPI.html

    <server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

    Below is an example that shows how the updated generateCRMFRequest() method would look:

    // generate keys for nsm.

    if (navigator.appName == "Netscape" && (navMajorVersion() >

    3) &&

    typeof(crypto.version) != "undefined") {

    certNickname.value = subject.value;

    crmfObject = crypto.generateCRMFRequest(subject.value,

    "regToken",

    "authenticator",

    kraTransportCert,

    "setCRMFRequest();",

    512, null, "rsa-ex",

    1024, null, "rsa-sign");

    }

    The method triggers the client to generate two RSA key pairs--one key of length 512 for encrypting data and another key of length 1024 for signing data.

  9. Save your changes.
    10.

Step 4. Configure Key Archival Policies

This step is optional.

Unlike Certificate Manager and Registration Manager, no policy plug-in modules are provided for the Data Recovery Manager. If you have implemented any custom policy modules for the Data Recovery Manager's key archival process, you should make sure that they are configured properly. For details on configuring policies for a subsystem, see "Configuring Policies".

Step 5. Test Your Key Archival Setup

To test whether you can successfully archive a key:

1. Enroll for dual certificates

    1. Open a web browser window using the client you deployed in Step 1.
      2.

    2. Go to the end-entity interface for the enrollment authority. The default URL is as follows:

      3. https://<host_name>:<end_entity_HTTPS_port> or

      http://<host_name>:<end_entity_HTTP_port>

    3. Open the enrollment form you customized in Step 3.

    4. Fill in all the values and submit the request.

      5. The client prompts you to enter the password for your key database.

    5. When you enter the correct password, the client generates the key pairs.

      6. Do not interrupt the key-generation process.

2. Approve the request

This step is required only if you used the manual enrollment form for requesting the certificates.

  1. Go to the enrollment authority's Agent Services interface.
    2.

    The default URL is as follows:

    https://<host_name>:<agent_port>

  2. Click the link that says List Requests.

  3. In the form that appears, select the "Show pending requests" option and click Find.

    4. You should see your request in the list of pending requests.

  4. Locate and approve the request.

3. Check if the certificates have been issued

    1. Click the List Requests link again.
      2.

    2. In the form that appears, select the "Show completed requests" option and click Find.

      3. You should see two new certificates with consecutive serial numbers.

4. Check if the key has been archived

    1. Go to the Data Recovery Manager's Agent Services interface.
      2.

    2. Click the link that says List Requests.

    3. In the form that appears, check the "Show completed requests" option and click Find.

    4. If the key has been archived successfully, you should see the information pertaining to that key.

Setting Up the Key Recovery Process

Before proceeding with this section, you should have read "Key Recovery Process". In particular, you should be familiar with how the key archival process works. If you are not, see "How Agent-Initiated Key Recovery Works".

The Data Recovery Manager supports agent-initiated key recovery process, in which end users' encryption private keys are recovered by designated key recovery agents. This section explains how to set up the key recovery process.

Setting up agent-initiated key recovery involves the following steps:

 Step 1. Verify the m of n scheme

During the installation of the Data Recovery Manager, you were asked to specify the total number of key recovery agents (a minimum of one) and the number of agents (of this total) required to authorize a key recovery operation. This combination is called m of n scheme. For more information about this, see "Key Recovery Agent Scheme".

Verify that the current m of n scheme is appropriate for your PKI setup. If it isn't, change the scheme following the instructions in "Changing the Key Recovery Agent Scheme".

Step 2. Facilitate the Key Recovery Agents to Change the Passwords

During the installation of Data Recovery Manager, after you specified the m of n scheme, you were also prompted to provide unique passwords for each recovery agent. It is quite likely that you specified these passwords yourself instead of it being done by those individuals who have been designated with the key recovery agents' role in your organization. Therefore, you must get the designated recovery agents to change the passwords entered during installation.

Step 3. Determine the Authorization Mode for Key Recovery

The Data Recovery Manager allows key recovery agents to authorize recovery of an end user's encryption private key locally or remotely. The default configuration is local authorization. It is important that you evaluate both the authorization modes, and choose the one that is appropriate for your organization. For more information about this, see "Local Versus Remote Key Recovery Authorization".

If want the key recovery agents to authorize key recovery remotely, be sure to set them up as Data Recovery Manager agents following the instructions in "Setting Up Agents".

Step 4. Customize the Key Recovery Form

Key recovery agents need an appropriate interface to initiate the key recovery process. By default, the Data Recovery Manager's Agent Services interface includes an HTML form (recoverKey.html) that allows key recovery agents to initiate the key recovery process and retrieve users' encryption keys; for details about this form, see "Summary of Agent Forms and Templates".

If you want to customize this form to suit your organization, be careful not to delete any of the information that is vital to the functioning of the form; it is recommended that you restrict your changes to the content presented in the form.

 Step 5. Configure Key Recovery Policies

This step is optional.

Unlike Certificate Manager and Registration Manager, no policy plug-in modules are provided for the Data Recovery Manager. If you have implemented any custom policies for the Data Recovery Manager's key recovery process, you should make sure that they are configured properly. For details on configuring policies for a subsystem, see "Configuring Policies".

Step 6. Test Your Key Recovery Setup

To test whether you can successfully recover an archived key:

  1. Open a web browser window.
    2.

  2. Go to the Data Recovery Manager's Agent Services interface.

  3. Click the Recover Keys link.

  4. In the form that appears, enter any of the following information for the encryption private key that has been archived:

    5. If you need more information about any of the fields in this form, click the Help button.

  5. Click Show Key.
    6.

    If the key has been archived successfully, you should see the information pertaining to that key.

  6. Click Recover.
    7.

  7. In the form that appears, enter the following information:

  8. Click Recover.
    9.

    If you entered the correct information, the Data Recovery Manager returns the private key packaged as a PKCS #12 blob (it contains the recovered key pair and the corresponding certificate) and prompts you to save it. Specify the path and filename for saving the encrypted file.

 

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.